Tutorial — Cryptography

Upgrade an identity to post-quantum

Move a Tenzro identity from a classical Ed25519 signing key to the hybrid Ed25519 + ML-DSA-65 composite. Both halves of the resulting signature must validate.

Level: Advanced
Time: ~10 min
Prerequisites: Registered TDIP identity
Stack: CLI

Generate a hybrid keypair

tenzro crypto keygen --hybrid > hybrid.key

Understand the wire format

The public key bytes carry a leading tag:

0x00 Ed25519, 0x01 Secp256k1, 0x02 hybrid composite.

The hybrid layout is [0x02 | classical_tag | classical_len(u16 LE) | classical_bytes | ml_dsa_65_vk(1952)]. Signatures follow the same dispatch.

Rebind the identity

tenzro identity rebind \
  --did did:tenzro:human:... \
  --new-key hybrid.key \
  --sign-with-old-key

Verify

tenzro identity resolve <did> now shows the hybrid public key. From this point, signatures over this DID must satisfy both the Ed25519 and ML-DSA-65 verifications; either half failing rejects the signature.

Single hybrid contract

Tenzro’s wire contract is hybrid by default. There is no version negotiation, no “classical-only” mode beyond the dispatch tag, no separate codepath for non-hybrid signatures. New identities are hybrid from the moment they are created.

← All tutorials