Post-quantum migration.
- STATUS: Shipped (flag-day complete)
- SIGNATURES: Ed25519 + ML-DSA-65
- KEM: X25519 + ML-KEM-768
- MODE: Flag-day cutover (no v1/v2)
Why hybrid
The hybrid construction is conservative against two failure modes: a classical break of Ed25519/X25519 (we still hold ML-DSA-65/ML-KEM-768), and a future cryptanalytic break of the lattice schemes (we still hold the classical primitives). Both halves of a hybrid signature must verify; both halves of a hybrid KEM must agree on the shared secret. This is the NIST “PQ + classical” recommendation for transition deployments.
Wire format — public keys
Public-key bytes dispatch on a leading tag byte:
- 0x00 — classical Ed25519
- 0x01 — classical Secp256k1
- 0x02 — hybrid composite
Hybrid layout:
[
0x02,
classical_tag (1 byte),
classical_len (u16 LE),
classical_bytes,
ml_dsa_65_vk (1952 bytes)
]
Wire format — signatures
Classical signatures remain raw 64-byte blobs (Ed25519) or DER (Secp256k1). Hybrid signatures follow the public-key pattern:
[
0x02,
classical_sig_len (u16 LE),
classical_sig,
ml_dsa_65_sig (3309 bytes)
]
verify_tee_zk_signature auto-dispatches by tag and requires both legs of a hybrid signature to validate.
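An added example, not the project's own code: a strict parser for the tagged public-key and hybrid-signature layouts above, rejecting truncated input and trailing bytes. The function names, the dictionary return shape, the rejection of a nested 0x02 classical_tag, the non-zero classical length and the choice to select the signature layout from the key's tag are assumptions of this example.

```python
import struct

ED25519, SECP256K1, HYBRID = 0x00, 0x01, 0x02      # tag bytes from the page
ML_DSA_65_VK_LEN, ML_DSA_65_SIG_LEN = 1952, 3309   # sizes from the page


def _split_hybrid(buf: bytes, off: int, pq_len: int):
    """Read a u16-LE length at off, the classical bytes, then exactly pq_len bytes."""
    if len(buf) < off + 2:
        raise ValueError("truncated length field")
    (clen,) = struct.unpack_from("<H", buf, off)
    body = buf[off + 2:]
    if clen == 0 or len(body) != clen + pq_len:  # assumption: empty leg is invalid
        raise ValueError("length mismatch (truncated or trailing bytes)")
    return body[:clen], body[clen:]


def parse_public_key(buf: bytes) -> dict:
    if len(buf) < 2:
        raise ValueError("key too short")
    tag = buf[0]
    if tag in (ED25519, SECP256K1):
        return {"tag": tag, "classical": buf[1:], "pq": None}
    if tag != HYBRID:
        raise ValueError(f"unknown key tag 0x{tag:02x}")
    ctag = buf[1]
    if ctag not in (ED25519, SECP256K1):  # assumption: no nested hybrid keys
        raise ValueError("invalid classical_tag inside hybrid key")
    classical, pq = _split_hybrid(buf, 2, ML_DSA_65_VK_LEN)
    return {"tag": tag, "classical_tag": ctag, "classical": classical, "pq": pq}


def parse_signature(key: dict, sig: bytes) -> dict:
    # The layout is chosen from the key's tag: a raw classical signature has no
    # tag byte of its own, so its first byte is not used for dispatch here.
    if key["tag"] != HYBRID:
        return {"classical": sig, "pq": None}
    if not sig or sig[0] != HYBRID:
        raise ValueError("hybrid key requires a 0x02-tagged signature")
    classical, pq = _split_hybrid(sig, 1, ML_DSA_65_SIG_LEN)
    return {"classical": classical, "pq": pq}


if __name__ == "__main__":
    # Constructed sample: zero-filled placeholder bytes, not real key material.
    hk = bytes([HYBRID, ED25519]) + struct.pack("<H", 32) + bytes(32 + ML_DSA_65_VK_LEN)
    print(parse_public_key(hk)["classical_tag"], len(parse_public_key(hk)["pq"]))
```

Parsing only separates the two legs; each leg still has to be verified with its own algorithm, and both must pass.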
Hybrid TLS / Caddy
The Caddy reverse proxy fronting *.tenzro.network is already negotiating hybrid post-quantum TLS handshakes for clients that support them, falling back to classical X25519 for older clients. No changes are needed by callers — the upgrade is transparent at the TLS layer.
TEE-ZK hybrid co-signing
The ZK proving system (Plonky3 STARKs over KoalaBear) is post-quantum sound (transparent setup, hash-based commitments). On top of that, sign_tee_zk_proof_hybrid co-signs the proof commitment inside the enclave with both an Ed25519 (or Secp256k1) classical leg and an ML-DSA-65 PQ leg. The signing-pubkey wire format dispatches on a leading tag byte (0x00/0x01 classical, 0x02 hybrid), and verify_tee_zk_signature requires both legs of a hybrid signature to validate.
No compatibility shims
We are pre-alpha. The cutover is a flag day — there is no v1 / v2 negotiation, no “legacy classical-only” mode beyond the dispatch tag, no deprecation path. Old keys are rebound at upgrade time by the holder.