Hybrid Signing

Hybrid signing creates a dual attestation that pairs a traditional ECDSA signature with a post-quantum ML-DSA signature. This provides backward compatibility with today’s blockchain infrastructure while establishing a quantum-ready audit trail.
QuantumSafe is built on current NIST-standardized algorithms and does not guarantee absolute security. This is a quantum-readiness tool, not a quantum-proof solution.

What Is Hybrid Signing?

Instead of replacing ECDSA signatures (which blockchains still require), QuantumSafe adds a parallel PQC signature as an off-chain attestation:
ComponentAlgorithmPurpose
Primary signatureECDSA / EdDSAOn-chain validity (required by the blockchain)
PQC attestationML-DSA-44/65/87Off-chain quantum-ready proof
The PQC attestation is stored by QuantumSafe and can be verified independently. When chains eventually support PQC natively, these attestations provide a migration path.

Attestation Flow

  1. You sign a transaction with your existing ECDSA key (as usual)
  2. You also sign the same message with your PQC private key (via the SDK)
  3. You submit both signatures to POST /v1/sign/hybrid
  4. QuantumSafe verifies both signatures server-side
  5. An attestation record is created linking the ECDSA and PQC signatures
// Step 1: Sign with ECDSA (your existing wallet)
const ecdsaSig = await wallet.signMessage(message);

// Step 2: Create hybrid attestation
const attestation = await qs.sign.hybrid({
  message: message,
  ecdsaSignature: ecdsaSig,
  ecdsaPublicKey: wallet.publicKey,
  pqcPrivateKey: keypair.privateKey,
  pqcPublicKey: keypair.publicKey,
  algorithm: "ml-dsa-65",
});

console.log("Attestation ID:", attestation.id);
console.log("Status:", attestation.status); // "verified"

Off-Chain Positioning

Hybrid attestations are off-chain by design:
  • No blockchain changes required
  • No gas costs for PQC attestation
  • Works with any EVM-compatible chain today
  • Attestations are stored in QuantumSafe’s database with cryptographic integrity
The hybrid approach means you can start building quantum readiness today without waiting for blockchain protocol upgrades.

Server-Side Verification

When you submit a hybrid attestation, QuantumSafe performs:
  1. ECDSA verification — Confirms the ECDSA signature matches the message and public key
  2. PQC verification — Confirms the ML-DSA signature matches the message and PQC public key
  3. Cross-linking — Associates the ECDSA identity with the PQC identity
  4. Storage — Persists the attestation with a unique ID
If either signature is invalid, the request is rejected with error code PQC_004.

Verifying Attestations

Anyone can verify a hybrid attestation using the attestation ID: 
const result = await qs.verify({
  attestationId: "att_abc123...",
});

console.log("Valid:", result.valid);
console.log("ECDSA verified:", result.ecdsaValid);
console.log("PQC verified:", result.pqcValid);

Next Steps