Nested Hybrid Signatures: Why One Algorithm Isn't Enough

The Problem: Single-Algorithm Risk

NIST standardized three post-quantum signature families in 2024: ML-DSA (Dilithium), SLH-DSA (SPHINCS+), and FN-DSA (FALCON). All three are widely respected. But virtually every implementation today picks one and deploys it alone. That's a category error — it's single-algorithm risk, and it's structurally identical to the mistakes made with RSA in the 1990s.

The Core Failure Mode

If you sign with Dilithium-5 only and an MLWE attack is published in 2031 — every document, token, and certificate you signed is retroactively forgeable. No migration path exists because the existing signatures are already broken.

The lattice-based schemes (Dilithium, FALCON, NTRU variants) each rest on different but mathematically related hardness assumptions. Dilithium relies on Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS). FALCON relies on the NTRU problem and hardness of finding short vectors in NTRU lattices. These are different mathematical families — MLWE and NTRU do not share the same hardness roots — but they are both lattice problems, and advances in lattice cryptanalysis tend to propagate.

There are three independent failure vectors:

Mathematical break — a new algorithm significantly reduces the cost of solving MLWE or the NTRU Short Vector Problem.
Implementation vulnerability — timing side-channels or fault injection exposing secret key material. Highly algorithm-specific.
Algorithmic backdoor — a deliberately weakened parameter set or hidden trapdoor introduced during standardization. Historical precedent exists (Dual EC DRBG).

Classical Ed25519 (Edwards-curve Digital Signature Algorithm, EdDSA, over Edwards25519 — RFC 8032) relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP) — entirely separate mathematics from any lattice assumption. A quantum computer running Shor's algorithm does break ECDLP, which is why it cannot stand alone post-2030. But today, if a lattice family cracks, Ed25519 remains intact. The independence is the point.

The Solution: Lattice-Family Independence

H33's Nested Hybrid Signature uses three algorithms from three independent mathematical families:

Layer	Algorithm	Family	Hardness	NIST Standard	Sig Size
L1 · Inner	Ed25519	Elliptic curve	ECDLP (Curve25519)	Classical — RFC 8032	64 B
L2 · Middle	Dilithium-5	Module lattice	MLWE + MSIS	FIPS 204 (ML-DSA-87)	4,627 B
L3 · Outer	FALCON-512	NTRU lattice	NTRU SVP (SIS)	FIPS 206 (FN-DSA)	666 B

This is not three algorithms in parallel (a concatenated scheme). It is three algorithms in series, where each outer layer signs a message that includes all inner layers. The result is a sequential commitment chain: each outer signature commits to the existence of all inner signatures, creating a dependency ordering that no single-algorithm break can unwind.

Critically, Dilithium and FALCON come from different lattice families. Dilithium's security reduces to MLWE (a ring/module extension of LWE). FALCON's security reduces to the hardness of finding short vectors in NTRU lattices, a distinct problem with a different attack surface. An advance that breaks Dilithium does not automatically transfer to FALCON, and vice versa. This is the meaning of lattice-family independence.

How Nesting Works: The Sequential Commitment Chain

The nesting order matters and is deliberate. Each outer signature commits to all inner material. When Dilithium signs, it signs a message that includes the Ed25519 signature. When FALCON signs, it signs a message that includes both the Ed25519 and Dilithium signatures. The resulting structure is:

LAYER 1
INNER

Ed25519 signs the identity payload

Signs: payload → σ₁ (64 bytes)
The identity payload is the canonical message: biometric commitment, master public keys, guardian recovery commitments, revocation registry root, and creation timestamp. This is the classical anchor that survives any lattice break.

RFC 8032 Curve25519 ECDLP hardness 64 B output ~50µs

↓ composite₁ = payload ‖ σ₁

LAYER 2
MIDDLE

Dilithium-5 signs payload ‖ Ed25519 signature

Signs: payload ‖ σ₁ → σ₂ (4,627 bytes)
By committing to σ₁, the Dilithium signature proves that the classical signature existed at this exact moment. An attacker who later breaks Dilithium can forge σ₂, but only over a composite message containing a valid σ₁ — which still requires breaking Ed25519.

FIPS 204 ML-DSA-87 MLWE + MSIS 4,627 B output ~330µs

↓ composite₂ = payload ‖ σ₁ ‖ σ₂

LAYER 3
OUTER

FALCON-512 signs payload ‖ Ed25519 sig ‖ Dilithium sig

Signs: payload ‖ σ₁ ‖ σ₂ → σ₃ (666 bytes)
The outer FALCON signature commits to the entire prior chain. To forge this document, an adversary must simultaneously forge all three layers — breaking ECDLP, MLWE, and NTRU SVP. No known quantum or classical algorithm achieves all three.

FIPS 206 FN-DSA-512 NTRU SVP 666 B output ~70µs

Verification Pseudocode

Verification reverses the nesting: outer layer first. Any single failure aborts the chain.

Pseudocode nested_hybrid_verify.pseudo

// Inputs
payload       : Bytes          // original identity payload
σ₁           : Ed25519Sig    // 64 bytes — inner classical sig
σ₂           : DilithiumSig  // 4,627 bytes — middle PQ sig
σ₃           : FalconSig    // 666 bytes — outer PQ sig
pk_ed        : Ed25519PK    // 32 bytes
pk_dil       : DilithiumPK  // 2,592 bytes
pk_falcon    : FalconPK     // 897 bytes

fn verify_nested_hybrid(...) → Result<(), VerifyError> {
    // Step 1: Verify outermost layer first
    composite₂ = payload ‖ σ₁ ‖ σ₂
    if !falcon_verify(composite₂, σ₃, pk_falcon) {
        return Err(FalconVerifyFailed)
    }

    // Step 2: Verify middle layer
    composite₁ = payload ‖ σ₁
    if !dilithium_verify(composite₁, σ₂, pk_dil) {
        return Err(DilithiumVerifyFailed)
    }

    // Step 3: Verify innermost classical anchor
    if !ed25519_verify(payload, σ₁, pk_ed) {
        return Err(Ed25519VerifyFailed)
    }

    // All three layers verified — commitment chain intact
    Ok(())
}

Security Property: Sequential Commitment

The outer Dilithium signature doesn't merely attest to the payload — it commits to the payload and a specific Ed25519 signature σ₁ that existed as input to the signing operation. This is an ordering commitment, not a wall-clock time proof (for verifiable timestamps, see RFC 3161 TSP). An attacker who later breaks Dilithium can create a new σ₂, but only over a message that already contains a valid σ₁. They still need to break Ed25519 to forge σ₁. The dependency chain cannot be unwound from the outside in.

Graceful Cryptographic Degradation

If a vulnerability is discovered in any single algorithm, the system can degrade gracefully without token re-issuance. The degradation handler monitors cryptographic vulnerability feeds and transitions verification logic automatically:

FALCON compromised — Fall back to Dilithium + Ed25519 dual-layer verification. Initiate re-signing with an alternative NTRU or hash-based scheme (SPHINCS+).
Dilithium compromised — Fall back to FALCON + Ed25519. Initiate re-signing with an alternative MLWE implementation.
Ed25519 broken by quantum computer — Fall back to FALCON + Dilithium dual post-quantum verification. Initiate re-signing with XMSS or SPHINCS+ for the classical slot.

In all cases, the biometric commitment embedded in the token remains bound to a specific biological identity. Re-issuance is not required — only the affected signature layer is replaced.

Performance: Graviton4 Benchmarks

All measurements on c8g.metal-48xl (96 cores, AWS Graviton4, Neoverse V2, ARM NEON), Criterion.rs v0.5, 100+ samples, February 2026. Timings are per-operation, single-thread, with warm caches.

Sign · ~450µs total

Ed25519 sign~50µs

Dilithium-5 sign (ML-DSA-87)~330µs

FALCON-512 sign~70µs

Total sign~450µs

Verify · ~240µs total

FALCON-512 verify (outermost first)~55µs

Dilithium-5 verify~150µs

Ed25519 verify~35µs

Total verify~240µs

Mode	Sign	Verify	Full Cycle	Sig Size	Use Case
L1 only — Dilithium-3	~80µs	~25µs	~106µs	3,309 B	Standard auth
L2 nested — Ed25519 + Dilithium-5	~140µs	~80µs	~220µs	4,723 B	Identity + biometric
L3 nested — Ed25519 + Dilithium-5 + FALCON-512	~450µs	~240µs	~690µs	5,389 B	SBT mint / legal / supply chain

The ~690µs full cycle fits comfortably within the H33 auth pipeline. SBT minting is a one-time operation per identity — latency here is negligible in practice. For recurring authentication, the standard Dilithium-3 tier at ~106µs remains the default.

Wire Format: Version 0x03

The nested hybrid signature is serialized as a single contiguous blob with a versioned header. Parsers check the version byte first and dispatch to the appropriate verification path. All lengths are fixed at the NIST parameter set — no variable-length fields.

── HEADER (5 bytes) ──────────────────────────────────

offset 0 1 B version 0x03 = Ed25519 + Dilithium-5 + FALCON-512

offset 1 2 B flags bit 0 = has_biometric_commit, bit 1 = revocable

offset 3 2 B payload_len length of the signed payload (u16 LE)

── PUBLIC KEYS (3,521 bytes) ─────────────────────────

offset 5 32 B pk_ed25519 Ed25519 public key

offset 37 2,592 B pk_dilithium5 ML-DSA-87 public key (FIPS 204)

offset 2629897 B pk_falcon512 FN-DSA-512 public key (FIPS 206)

── SIGNATURES (5,357 bytes) ──────────────────────────

offset 352664 B sig_ed25519 σ₁ — inner classical sig over payload

offset 35904,627 B sig_dilithium5 σ₂ — middle sig over payload ‖ σ₁

offset 8217666 B sig_falcon512 σ₃ — outer sig over payload ‖ σ₁ ‖ σ₂

TOTAL FIXED OVERHEAD: ~8,883 bytes (3,526 header+keys + 5,357 sigs) NOTE: payload not included in overhead · typical payload 256–512 B SIGNATURE BLOB ONLY (no keys): ~5,390 bytes

Key Size Breakdown

Public key storage totals 3,521 bytes: Ed25519 (32 B) + Dilithium-5 (2,592 B) + FALCON-512 (897 B). On-chain storage for soulbound NFTs stores all three public keys once at mint time. Per-authentication wire overhead is the signature blob only: ~5,390 bytes. At server-to-server bandwidth, this is under 0.1% of a 25 Gbps link even at 1 million auths/sec.

The API

The nested hybrid signature is available under /hybrid/* endpoints. All three algorithm layers are handled server-side — you provide the payload, we return the composite signature blob.

Generate a Nested Hybrid Key Pair

Shell · curl POST /hybrid/keygen

curl -X POST https://api.h33.ai/v1/hybrid/keygen \
  -H "Authorization: Bearer $H33_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "algorithms": ["ed25519", "dilithium5", "falcon512"],
    "label": "sbt-mint-key-v1"
  }'

// Response — public keys for on-chain storage, secret keys returned once
{
  "key_id": "key_4xQf...",
  "pk_ed25519": "base64...",         // 32 B
  "pk_dilithium5": "base64...",      // 2,592 B
  "pk_falcon512": "base64...",       // 897 B
  "algorithm_version": "0x03"
}

Sign a Payload

Shell · curl POST /hybrid/sign

curl -X POST https://api.h33.ai/v1/hybrid/sign \
  -H "Authorization: Bearer $H33_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "key_4xQf...",
    "payload": "base64_encoded_payload",
    "mode": "triple"
  }'

// Response — composite nested signature blob
{
  "signature": "base64...",      // ~5,390 B blob (version 0x03)
  "sig_ed25519": "base64...",   // σ₁ — 64 B, for audit
  "sig_dilithium5": "base64...", // σ₂ — 4,627 B
  "sig_falcon512": "base64...",  // σ₃ — 666 B
  "latency_us": 447,           // measured sign latency
  "algorithm_version": "0x03"
}

Verify a Nested Hybrid Signature

Shell · curl POST /hybrid/verify

curl -X POST https://api.h33.ai/v1/hybrid/verify \
  -H "Authorization: Bearer $H33_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "payload": "base64_encoded_payload",
    "signature": "base64_composite_blob",
    "pk_ed25519": "base64...",
    "pk_dilithium5": "base64...",
    "pk_falcon512": "base64..."
  }'

// Response
{
  "verified": true,
  "layers": {
    "falcon512": true,    // outer — verified first
    "dilithium5": true,   // middle
    "ed25519": true       // inner classical anchor
  },
  "algorithm_version": "0x03",
  "latency_us": 238,
  "commitment_chain_intact": true
}

Rotate a Key Layer

Shell · curl POST /hybrid/rotate

curl -X POST https://api.h33.ai/v1/hybrid/rotate \
  -H "Authorization: Bearer $H33_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "key_4xQf...",
    "rotate_layer": "falcon512",
    "reason": "scheduled_rotation"
  }'

// Rotates only the FALCON-512 layer; Ed25519 and Dilithium keys unchanged.
// Returns new pk_falcon512 and re-signs all active tokens with updated outer layer.
{
  "new_key_id": "key_7rNm...",
  "rotated_layer": "falcon512",
  "pk_falcon512": "base64...",
  "tokens_re_signed": 4821,
  "identity_binding_preserved": true
}

Memory Safety: Zeroize-on-Drop

All three secret keys follow a strict zeroize-on-drop protocol. The Rust implementation uses the zeroize crate (Zeroize + ZeroizeOnDrop traits) to guarantee cryptographic erasure from heap and stack memory when key handles go out of scope. This is not optional hygiene — it is enforced at the type level.

Rust nested_hybrid_keys.rs (excerpt)

use zeroize::{Zeroize, ZeroizeOnDrop};

/// Triple nested hybrid signing key.
/// All three secret keys are zeroed from memory on drop.
#[derive(ZeroizeOnDrop)]
pub struct NestedHybridSigningKey {
    /// Ed25519 secret key — 32 bytes, zeroized on drop
    ed25519_sk: Ed25519SigningKey,

    /// Dilithium-5 secret key — 4,032 bytes, zeroized on drop
    dilithium5_sk: Dilithium5SigningKey,

    /// FALCON-512 secret key — 1,281 bytes, zeroized on drop
    falcon512_sk: Falcon512SigningKey,
}

impl NestedHybridSigningKey {
    pub fn sign(&self, payload: &[u8]) → NestedHybridSig {
        // Layer 1: classical inner
        let σ₁ = self.ed25519_sk.sign(payload);

        // Layer 2: commit to payload + σ₁
        let composite1 = [payload, σ₁.as_bytes()].concat();
        let σ₂ = self.dilithium5_sk.sign(&composite1);

        // Layer 3: commit to payload + σ₁ + σ₂
        let composite2 = [payload, σ₁.as_bytes(), σ₂.as_bytes()].concat();
        let σ₃ = self.falcon512_sk.sign(&composite2);

        NestedHybridSig { σ₁, σ₂, σ₃ }
        // composite1, composite2 — dropped and zeroed here
    }
}
// When NestedHybridSigningKey is dropped:
// ed25519_sk, dilithium5_sk, falcon512_sk → zeroed by ZeroizeOnDrop
// No secret key material persists in memory after the handle is released

Intermediate composite buffers (composite1, composite2) are also handled as stack-allocated slices that are erased immediately after signing. The public verification key trio is not sensitive and does not require zeroization.

Use Cases

⛓️

Soulbound NFTs

Non-transferable identity tokens are permanent. If Dilithium is broken in 2035, a token minted today with only Dilithium is retroactively forgeable. Triple nesting ensures the token survives any single-algorithm break throughout the token's lifetime.

Triple-nested required

⚖️

Legal Documents

Contracts, wills, court filings, and title deeds are signed once and must remain valid for decades. Triple nesting provides a dependency-ordered commitment chain that courts can audit even if one algorithm is later deprecated by NIST.

Triple-nested required

📦

Software Supply Chain

Binary attestation and release signing. Software artifacts signed with a single PQ algorithm create a single point of failure for the entire distribution chain. Nested hybrid signing with SBOM attestation closes this gap.

Nested hybrid

🌐

Cross-Border Compliance

Different jurisdictions are standardizing on different PQ algorithm families. A nested signature that satisfies MLWE (EU/NIST preference) and NTRU (alternative jurisdictions) simultaneously eliminates re-signing requirements for cross-border recognition.

Nested hybrid

When to Use Each Tier

Tier	Algorithms	Sign Latency	Recommended For
Standard	Dilithium-3 only	~80µs	Routine per-auth attestation
Nested L2	Ed25519 + Dilithium-5	~140µs	Biometric identity verification, KYC
Nested L3	Ed25519 + Dilithium-5 + FALCON-512	~450µs	SBT minting, legal docs, supply chain, cross-border

The Problem: Single-Algorithm Risk

The Solution: Lattice-Family Independence

How Nesting Works: The Sequential Commitment Chain

Verification Pseudocode

Graceful Cryptographic Degradation

Performance: Graviton4 Benchmarks

Sign · ~450µs total

Verify · ~240µs total

Wire Format: Version 0x03

The API

Generate a Nested Hybrid Key Pair

Sign a Payload

Verify a Nested Hybrid Signature

Rotate a Key Layer

Memory Safety: Zeroize-on-Drop

Use Cases

When to Use Each Tier

Ship Algorithmic Independence Today

Related Articles