We are excited to announce the latest Oracle AI Database release, setting a new milestone in enterprise security with support for hybrid key exchange – the latest advancement in securing data both now and in the post-quantum future.

In our October 2025 release update, Oracle AI Database introduced the ability for you to secure your TLS 1.3 database connections with the quantum-resistant ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) algorithm. That update gave you the flexibility to choose well-established algorithms like Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or newer post-quantum security based on your risk profile and compliance needs.

What’s New: Hybrid Key Exchange

With the January 2026 release, Oracle AI Database now adds the support for hybrid key exchange, combining the strengths of ECDHE and ML-KEM. With hybrid key exchange, session keys come from both an established, proven algorithm (ECDHE) and the latest NIST-approved post-quantum algorithm (ML-KEM).

When a client and server negotiate a secure connection in hybrid mode, the database performs key exchange using both ECDHE and ML-KEM. The process produces two independent keys, which the system then combines to form the final session key. This dual approach helps ensure that neither classical nor post-quantum vulnerabilities alone compromise the security of your encrypted data. As long as at least one of these algorithms remains uncompromised, the encrypted connection is protected.

Why Hybrid Matters: the “cover all bases” approach

Hybrid key exchange does more than simply combine two algorithms – it strategically blends their unique strengths to offer the best of each, increasing resilience against both current and emerging threats.

ECDHE is a foundational algorithm in modern cryptography, with a long history of real-world deployment and extensive security analysis. It is trusted globally by governments and enterprises for establishing secure channels across the internet. Over many years, ECDHE has been thoroughly scrutinized and has proven resistant to all known non-quantum attacks. This makes it a highly reliable choice for helping secure database communications against today’s threats. Even now, the known quantum computers are not yet strong enough to weaken ECDHE because they lack the necessary scale (qubits) and stability (low error rates) to run powerful quantum algorithms needed to break ECDHE effectively.

Our primary concern today is attackers harvesting data now and breaking it with quantum computers sometime in the future, when quantum computers have advanced to the point where they can break ECDHE. There is so much concern over this type of attack that it has its own acronym – HNDL (Harvest Now, Decrypt Later).

ML-KEM, in contrast, represents a new frontier in cryptography. As a post-quantum algorithm, ML-KEM is designed to withstand the power of quantum computers. ML-KEM underwent rigorous cryptanalysis as part of the NIST approval process. However, it has not yet benefited from the same lengthy real-world exposure and testing volume as established algorithms like ECDHE.

By adopting hybrid key exchange, Oracle AI Database enables you to harness the future-proofing power of ML-KEM while maintaining the robust, time-tested security of ECDHE. Here’s why this matters:

  • Layered Security: The session key that protects your connection is only as weak as its weakest component. In hybrid mode, both ECDHE and ML-KEM are used together, so the connection remains secure as long as at least one algorithm withstands attack. If an unexpected vulnerability is discovered in the newer ML-KEM, the mature ECDHE algorithm still shields your data. Conversely, when quantum computers eventually threaten ECDHE, the ML-KEM layer will continue to provide protection.
  • Peace of Mind While Transitioning: Cryptographic migrations are complex, and new algorithms can sometimes reveal issues only after widespread deployment. The hybrid approach lets you confidently start benefiting from post-quantum cryptography now, with the “insurance policy” of a well-understood algorithm running alongside.
  • Proactive Defense Against Harvest Now, Decrypt Later (HNDL): Hybrid key exchange is your defense-in-depth against the HNDL risk, requiring attackers to compromise both ML-KEM and ECDHE in order to read harvested data.

By leveraging both the time-proven security of ECDHE and the advanced capabilities of ML-KEM, hybrid key exchange helps protect your Oracle AI Database connections with the best of today’s and tomorrow’s cryptography—proactively addressing uncertainty and building trust into every transaction.

Getting Started

To start benefiting from hybrid key exchange, follow these steps:

  1. Apply the January, 2026 Release Update
  2. Update your database’s sqlnet.ora to enable hybrid key exchange for all supported connections. You must list hybrid first in TLS_KEY_EXCHANGE_GROUPS. Not setting the parameter (default) causes the database to check client capability, selecting hybrid if the client supports it, and then falling back to ECDHE and finally to ML-KEM. This default setting enables you to leverage hybrid mode with clients that support it, while still permitting older clients to connect.
  3. Monitor future guidance from Oracle as PQC standards and best practices evolve.

For more information and implementation guidance, refer to the Oracle AI Database Security Guide.