Post-Quantum Cryptography: Hybrid Signatures Explained
Quantum computers will break RSA and ECDSA. Hybrid signatures — combining a classical algorithm with a post-quantum scheme like Dilithium — let you prepare now without abandoning today's infrastructure.
Sufficiently large quantum computers running Shor's algorithm will be able to break RSA and elliptic-curve cryptography. Current estimates place cryptographically-relevant quantum computers 10–15 years away, but the threat of "harvest now, decrypt later" attacks — where adversaries store encrypted data today to decrypt it once quantum capability exists — means organizations that handle long-lived sensitive data need to act before quantum computers arrive.
What NIST Standardized
In August 2024, NIST finalized three post-quantum cryptography standards: ML-KEM (CRYSTALS-Kyber) for key encapsulation, ML-DSA (CRYSTALS-Dilithium) for digital signatures, and SLH-DSA (SPHINCS+) as a stateless hash-based signature backup. These algorithms are believed to be resistant to both classical and quantum attacks.
Dilithium, now ML-DSA, is the relevant standard for document signing — the use case at the core of EngineeringID's credential issuance pipeline.
Why Hybrid Signatures Are the Right Transition Strategy
Migrating directly from RSA to Dilithium introduces risk: if a classical vulnerability is found in Dilithium (post-quantum algorithms are newer and less battle-tested), you lose both historical and future signature security. Hybrid signatures — a signature that is valid only if both a classical component (RSA or ECDSA) and a post-quantum component (Dilithium) verify — provide defense in depth. An attacker needs to break both simultaneously.
This is the transition strategy EngineeringID is planning for credential manifest signing. Hybrid signatures are not yet in production: credentials issued today are signed with classical RSA only. The post-quantum primitives are integrated into our cryptography library and undergoing testing, but no production code path emits hybrid signatures yet. We will publish a migration plan before flipping any signing path to hybrid.
Signature Size and Performance
The main practical cost of ML-DSA is signature size. An RSA-4096 signature is 512 bytes. An ML-DSA signature is several kilobytes — roughly an order of magnitude larger. For credential manifests that are verified infrequently, this is not a meaningful constraint. For high-frequency verification flows (e.g., PDF signature validation at document ingestion), the size increase may require pipeline tuning.
Verification performance is better than the size increase suggests: ML-DSA verification is computationally faster than RSA verification at equivalent security levels. Signing is slower, but signing happens once at issuance; verification happens at every trust check.
What This Means for EngineeringID Credentials Today
Credentials issued today carry a classical RSA signature only. Hybrid (RSA + Dilithium) signing is on the roadmap; when it ships, the transition will be additive — historical credentials will remain verifiable under the classical component indefinitely, and new credentials will carry both components so verifiers can opt in to post-quantum verification as the ecosystem migrates.