KeyPears Goes Hybrid Post-Quantum
April 27, 2026 · Ryan X. Charles
KeyPears is now hybrid post-quantum. Every message, every signature, every account — by default, on the only code path.
This is not a feature flag. It is not an enterprise tier. It is not a compatibility mode for cautious users. The protocol’s cryptographic spine has moved, and the safe path is now the normal path.
What “hybrid” means here
| Purpose | Classical | Post-quantum | Construction |
|---|---|---|---|
| Signatures | Ed25519 | ML-DSA-65 | Both required |
| Key agreement | X25519 | ML-KEM-768 | Shared secrets combined |
| Symmetric crypto | AES-256-GCM | — | Unchanged |
| Hash & KDF | SHA-256 family | — | Unchanged |
Each message is encrypted with a key derived from both an X25519 Diffie-Hellman exchange and an ML-KEM-768 encapsulation, combined through HKDF. Each message is signed with both an Ed25519 signature and an ML-DSA-65 signature over the same canonical envelope. Recovering plaintext or forging a signature requires defeating both halves.
Why hybrid, not pure post-quantum
ML-KEM and ML-DSA are NIST-standard and have been through years of public analysis. But they don’t have the multi-decade deployment history of elliptic curves. New cryptography is new.
Hybrid hedges in both directions:
- If a fault-tolerant quantum computer breaks elliptic curves, the post-quantum half still protects you.
- If a serious flaw is found in the post-quantum algorithms, the classical half still protects you.
- If both hold up, the construction is stronger than either alone.
This is the conservative call, not the exciting one. The goal is not novelty. The goal is defensibility.
What changed for users
Mostly nothing visible. You still have a name@domain address. You still sign in. You still send messages and store secrets in the vault. Federation still works through .well-known/keypears.json.
Under the hood each account now holds four private keys instead of one — Ed25519, X25519, ML-DSA-65, ML-KEM-768 — all client-side encrypted under a key derived from your password. The server still sees only ciphertext.
The tradeoff is size: post-quantum keys and signatures are larger than their elliptic-curve counterparts. KeyPears moves messages, credentials, and notes — not video — so the extra kilobytes are a good trade.
Why this is an Astrohacker move
One of the through-lines of the Astrohacker portfolio is that cryptography is plumbing, not a product category. EarthBucks is the same idea applied to money; KeyPears applies it to identity, secrets, and messaging.
Hybrid post-quantum on the default path is what “plumbing” actually looks like. Not a checkbox, not a tier, not a “secure mode” — just the baseline. The user doesn’t choose it because the user shouldn’t have to.
The baseline should keep moving up. This is one step.
What it doesn’t fix
It doesn’t make a compromised device safe. It doesn’t add forward secrecy to stored messages — KeyPears keeps ciphertext around so users can recover history across devices, which is a deliberate simplicity tradeoff. It doesn’t make implementation bugs impossible.
For the full protocol description, the construction details, and the parts that didn’t fit here, read the KeyPears post on this change and the whitepaper.
Hack the universe.