**Traditional Algorithm**:-
An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms or elliptic curve discrete logarithms. **Post-Quantum Algorithm**:-
An asymmetric cryptographic algorithm that is believed to be secure against quantum computers as well as classical computers. **Component Algorithm**:-
Each cryptographic algorithm that forms part of a cryptographic scheme. **Single-Algorithm Scheme**:-
A cryptographic scheme with one component algorithm. A single-algorithm scheme could use either a traditional algorithm or a post-quantum algorithm. **Multi-Algorithm Scheme**:-
A cryptographic scheme with more than one component algorithm. In a multi-algorithm scheme all component algorithms are of the same type, e.g. all are signature algorithms or all are PKE algorithms. **Post-Quantum/Traditional (PQ/T) Hybrid Scheme**:-
A cryptographic scheme made up of two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. **PQ/T Hybrid Key Encapsulation Mechanism**:-
A Key Encapsulation Mechanism (KEM) made up of two or more component KEM algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. **PQ/T Hybrid Public Key Encryption**:-
A Public Key Encryption (PKE) scheme made up of two or more component PKE algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. **PQ/T Hybrid Digital Signature**:-
A digital signature scheme made up of two or more component digital signature algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures are all examples of PQ/T hybrid schemes. **PQ/T Hybrid Combiner**:-
A method that takes two or more component algorithms and combines them to form a PQ/T hybrid scheme. **PQ/PQ Hybrid Scheme**:-
A cryptographic scheme made up of two or more component algorithms where all components are post-quantum algorithms. The definitions for types of PQ/T hybrid schemes can adapted to define types of PQ/PQ hybrid schemes in the natural way.

**Cryptographic Element**:-
Any data type (private or public) that contains an input or output value for a cryptographic algorithm or for a function making up a cryptographic algorithm. Types of cryptographic elements include public keys, private keys, plaintexts, ciphertexts, shared secrets, and signature values. **Component Cryptographic Element**:-
A cryptographic element of a component algorithm in a multi-algorithm scheme. **Composite Cryptographic Element**:-
A cryptographic element that incorporates multiple component cryptographic elements of the same type in a multi-algorithm scheme. For example, a composite cryptographic public key is made up of two component public keys. **Cryptographic Element Combiner**:-
A method that takes two or more component cryptographic elements of the same type and combines them to form a composite cryptographic element. A cryptographic element combiner could be concatenation, such as where two component public keys are concatenated to form a composite public key as in , or something more involved such as the dualPRF defined in .

**PQ/T Hybrid Protocol**:-
A protocol that uses two or more component algorithms providing the same cryptographic functionality, where at least one is a post-quantum algorithm and at least one is a traditional algorithm. For example, a PQ/T hybrid protocol providing confidentiality could use a PQ/T hybrid KEM such as in , or it could combine the output of a post-quantum KEM and a traditional KEM at the protocol level, such as in . Similarly, a PQ/T hybrid protocol providing authentication could use a PQ/T hybrid digital signature scheme, or it could include both post-quantum and traditional single-algorithm digital signature schemes. **Composite PQ/T Hybrid Protocol**:-
A protocol that incorporates one or more PQ/T hybrid schemes in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses single-algorithm schemes. In a composite PQ/T hybrid protocol, changes are primarily made to the formats of the cryptographic elements, while the protocol fields and message flow remain largely unchanged. In implementations most changes are likely to be made to the cryptographic libraries, with minimal changes to the protocol libraries. **Non-composite PQ/T Hybrid Protocol**:-
A protocol that incorporates multiple single-algorithm schemes of the same type, where at least one uses a post-quantum algorithm and at least one uses a traditional algorithm, in such a way that the formats of the component cryptographic elements are the same as when they are used as part of single-algorithm schemes. In a non-composite PQ/T hybrid protocol, changes are primarily made to the protocol fields, the message flow, or both, while changes to cryptographic elements are minimised. In implementations, most changes are likely to be made to the protocol libraries, with minimal changes to the cryptographic libraries.

**PQ/T Hybrid Confidentiality**:-
The property that confidentiality is achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol as long as at least one component encryption algorithm remains secure. **PQ/T Hybrid Authentication**:-
The property that authentication is achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol as long as at least one component authentication algorithm remains secure.

**PQ/T Hybrid Interoperability**:-
The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties support at least one component algorithm. For example, a PQ/T hybrid digital signature might achieve hybrid interoperability if the signature can be verified by either verifying the traditional or the post-quantum component, such as in the OR modes described in . In the case of a PQ/T hybrid protocol which aims to achieve both authentication and confidentiality then at least one component algorithm for each type of scheme must be supported by both parties. It is not possible for a PQ/T hybrid scheme to achieve both PQ/T hybrid interoperability and PQ/T hybrid confidentiality. For PQ/T hybrid interoperability the scheme needs to work with any one of the component algorithms, while to achieve PQ/T hybrid confidentiality all component algorithms need to be used. However, it is possible for a PQ/T hybrid protocol to achieve PQ/T hybrid interoperability and PQ/T hybrid confidentiality by building in downgrade protection at the protocol level. For example in the client uses the TLS supported groups extension to advertise support for a PQ/T hybrid scheme and the server can select this group if it supports the scheme. This is protected using TLS's existing downgrade protection, so achieves PQ/T hybrid confidentiality, but the connection can still be made if either the client or server does not support the scheme, so PQ/T hybrid interoperability is achieved. The same is true for PQ/T hybrid interoperability and PQ/T hybrid authentication. It is not possible to achieve both with a PQ/T hybrid scheme, but it is possible with a PQ/T hybrid protocol that has appropriate downgrade protection.

**PQ/T Hybrid Certificate**:-
A digital certificate that contains public keys for two or more component algorithms where at least one is a traditional algorithm, and at least one is a post-quantum algorithm. A PQ/T hybrid certificate could be used to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid authentication protocol does not need to use a PQ/T hybrid certificate; separate certificates could be used for individual component algorithms. The component public keys in a PQ/T hybrid certificate could be included as a composite public key or as individual component public keys. The use of a PQ/T hybrid certificate does not necessarily achieve hybrid authentication of the identity of the sender; this is determined by properties of the chain of trust. For example, an end-entity certificate that contains a composite public key as defined in but which is signed using a single-algorithm digital signature scheme could be used to provide hybrid authentication of the source of a message, but would not achieve hybrid authentication of the identity of the sender.