Hybrid Cryptography: Using Both PQC and Classical
The belt-and-suspenders approach to quantum security
Hybrid cryptography means using both classical signatures (ECDSA) and post-quantum signatures (Dilithium) on the same transaction. For a transaction to be valid, both signatures must verify. This protects against both quantum computers (if PQC holds) and potential PQC breaks (if classical crypto still works). It’s the cautious approach—and many leading projects are adopting it.
Why Not Just Switch to PQC?
If post-quantum cryptography is the solution, why complicate things with hybrid schemes? Why not just replace ECDSA with Dilithium and call it a day?
Two words: risk management.
Risk #1: What If PQC Gets Broken?
Post-quantum algorithms are new. CRYSTALS-Dilithium was finalized by NIST in 2024. ECDSA has been battle-tested since the 1990s. While Dilithium survived six years of cryptanalysis during the NIST competition, that’s still a fraction of the scrutiny ECDSA has received.
What if someone discovers a classical attack on lattice-based cryptography? What if there’s a subtle implementation flaw? What if quantum computers develop capabilities we didn’t predict?
If you switch entirely to PQC and it breaks, you lose everything.
Risk #2: What If Quantum Timelines Are Wrong?
Consensus estimates put cryptographically relevant quantum computers 5-10 years away. But what if they’re wrong in the other direction? What if quantum computing hits physical limits and Q-Day is actually 20+ years out?
If you’ve already migrated to PQC-only signatures, you’re stuck with:
- 38× larger signatures (higher fees, slower validation)
- Blockchain bloat (higher storage costs)
- Performance overhead (for a threat that hasn’t materialized yet)
If you switch too early and quantum is delayed, you’ve paid a massive efficiency cost for no benefit.
The Hybrid Solution
Use both. Sign every transaction with ECDSA and Dilithium. To spend coins, an attacker must break both schemes:
- If quantum computers arrive and break ECDSA → Dilithium still protects you
- If someone discovers a flaw in Dilithium → ECDSA still protects you
- An attacker needs both a quantum computer and a classical break of PQC
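The both-must-verify rule above, as an added example (not code from any project named on this page). It assumes the hybrid signature is the 64-byte ECDSA signature followed by the 2,420-byte Dilithium signature (the sizes this page gives; the concatenated layout is an assumption), and it uses keyed-hash stand-ins named `toy_sign` and `toy_verifier` instead of real ECDSA and Dilithium so it runs on the standard library alone.

```python
import hashlib
import hmac
from typing import Callable

# Sizes as given on this page; the ecdsa || dilithium layout is an assumption.
ECDSA_SIG_LEN = 64
DILITHIUM_SIG_LEN = 2420
HYBRID_SIG_LEN = ECDSA_SIG_LEN + DILITHIUM_SIG_LEN  # 2,484 bytes
Verifier = Callable[[bytes, bytes], bool]  # (message, signature) -> valid?

def split_hybrid(sig: bytes) -> tuple[bytes, bytes]:
    """Split ecdsa_sig || dilithium_sig, rejecting any other length."""
    if len(sig) != HYBRID_SIG_LEN:
        raise ValueError(f"expected {HYBRID_SIG_LEN} bytes, got {len(sig)}")
    return sig[:ECDSA_SIG_LEN], sig[ECDSA_SIG_LEN:]

def verify_hybrid(msg: bytes, sig: bytes, classical: Verifier, pqc: Verifier) -> bool:
    """Valid only if BOTH components verify over the same message."""
    try:
        classical_sig, pqc_sig = split_hybrid(sig)
    except ValueError:
        return False  # missing or truncated component: no single-scheme fallback
    # Run both checks before combining, so neither result alone decides validity.
    ok_classical = classical(msg, classical_sig)
    ok_pqc = pqc(msg, pqc_sig)
    return ok_classical and ok_pqc

# Stand-ins so the example runs offline. They are keyed hashes, NOT ECDSA or
# Dilithium; replace them with real verifiers from a vetted library.
def toy_sign(key: bytes, msg: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + msg).digest(length)

def toy_verifier(key: bytes, length: int) -> Verifier:
    return lambda msg, sig: hmac.compare_digest(sig, toy_sign(key, msg, length))

def demo() -> dict[str, bool]:
    msg = b"constructed tx: pay 5 to addr-X"  # constructed sample input
    classical = toy_verifier(b"classical-key", ECDSA_SIG_LEN)
    pqc = toy_verifier(b"pqc-key", DILITHIUM_SIG_LEN)
    c_sig = toy_sign(b"classical-key", msg, ECDSA_SIG_LEN)
    p_sig = toy_sign(b"pqc-key", msg, DILITHIUM_SIG_LEN)
    return {
        "both valid": verify_hybrid(msg, c_sig + p_sig, classical, pqc),
        "pqc invalid": verify_hybrid(msg, c_sig + bytes(DILITHIUM_SIG_LEN), classical, pqc),
        "classical invalid": verify_hybrid(msg, bytes(ECDSA_SIG_LEN) + p_sig, classical, pqc),
        "classical only": verify_hybrid(msg, c_sig, classical, pqc),
        "wrong message": verify_hybrid(b"other tx", c_sig + p_sig, classical, pqc),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case returns `True`; a 64-byte classical-only signature is rejected on length, which is what keeps a hybrid verifier from silently accepting a single-scheme downgrade.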
The Trade-Offs
Advantages
- Maximum security: Protected against both quantum and classical attacks
- Conservative approach: Don’t bet everything on new cryptography
- Gradual transition: Can drop classical later once confidence builds
- Buys time: Deploy now, optimize later
Disadvantages
- Double the overhead: Two signatures per transaction
- Larger blocks: ECDSA (64 bytes) + Dilithium (2,420 bytes) = 2,484 bytes total
- Slower validation: Must verify both signatures
- Higher fees: More data = more cost
| Approach | Signature Size | Quantum Protection | Classical Protection |
|---|---|---|---|
| ECDSA only | 64 bytes | ❌ Vulnerable | ✅ Secure |
| Dilithium only | 2,420 bytes | ✅ Secure (probably) | ❌ If Dilithium breaks |
| Hybrid | 2,484 bytes | ✅ Secure | ✅ Secure |
Hybrid cryptography is slightly more expensive than PQC-only, but the security benefit is enormous. Projects adopting hybrid schemes are showing mature risk management—they’re not betting everything on lattice cryptography being perfect.
Look for: Projects implementing hybrid signatures on testnet. This proves they understand both the quantum threat and the uncertainty around PQC.
Who’s Doing Hybrid?
Cardano’s Hybrid Approach
Implementation: Ed25519 (classical) + Dilithium (PQC)
Status: Live on testnet as of 2024
Rationale: “We believe lattice cryptography is sound, but we’re not betting the entire network on it. Hybrid gives us security and time to observe real-world PQC performance.”
Transition plan: Monitor for 3-5 years, then decide whether to drop Ed25519 based on quantum timelines and Dilithium confidence.
Ethereum’s Discussion
Status: Multiple EIPs (Ethereum Improvement Proposals) under discussion
Approaches being considered:
- Hybrid ECDSA + Dilithium for EOAs (Externally Owned Accounts)
- Account Abstraction with pluggable signature schemes (users choose)
- Gradual deprecation timeline (2-5 years of hybrid, then PQC-only)
Rationale: Ethereum’s research community is conservative about cryptographic changes. Hybrid is the consensus “safe” approach.
Last updated: January 2025
Sources: Cardano CIP proposals, Ethereum EIP discussions, NIST SP 800-208, hybrid cryptography research papers
