Cryptographic Health
ACK-ID uses Ed25519 signatures. Ed25519 is quantum-vulnerable. Google's March 2026 paper reduced the attack estimate to <500,000 physical qubits. The question isn't whether ACK-ID needs to migrate — it's when.
The quantum threat operates at two distinct layers: transport layer and application layer. Cloudflare has deployed ML-KEM hybrid key exchange across all traffic channels — the transport layer is quantum-safe. But application-layer signatures remain exposed.
Ed25519 signatures on ACK-ID credentials and ECDSA on Ethereum wallets are vulnerable to Shor's algorithm. The W3C Verifiable Credentials (VC) Working Group's 2026 charter explicitly includes "post-quantum Data Integrity Cryptosuites" — a recognition that the migration is mandatory, not optional.
This section maps the vulnerability landscape and outlines the NIST post-quantum migration path. For the full post-quantum cryptography reference — including the 70-contract admin key panel and ExposureChecker for all stablecoin infrastructure — see StablePQC.com. For most agents, the timeline is 3–5 years before the first quantum computers capable of breaking Ed25519 exist. ACK-ID's migration window is open but closing.
QUANTUM-SAFE
ML-KEM hybrid key exchange
Deployed by Cloudflare across all ACK-Lab traffic since 2024. FIPS 203 compliant. Protects confidentiality of credentials in transit.
QUANTUM-VULNERABLE
Ed25519 signatures on ACK-ID credentials
Vulnerable to Shor's algorithm. ECDSA on Ethereum wallets also exposed. Broken by cryptographically relevant quantum computers (<500,000 physical qubits per Google March 2026 estimate).
Key Encapsulation Mechanism
Status: Already deployed at transport layer (Cloudflare ML-KEM hybrid). FIPS 203 compliant.
Use: Protects TLS/HTTPS key exchange. No action needed for most agents.
Digital Signatures
Urgency: HIGH. Ed25519 replacement for ACK-ID credentials.
Trade-off: 2,420-byte signatures (37× larger than 64-byte Ed25519). Requires schema migration for all VC documents.
Stateless Hash-Based Signatures
Conservatism: No underlying mathematical breakthrough required. Proven secure for 30+ years.
Use: Fallback for long-term archival credentials. Higher overhead; best for low-frequency signing.
Interactive Demo
Enter any Ethereum address to check if the ECDSA public key has been exposed on-chain — making it vulnerable to quantum attack once a cryptographically relevant quantum computer exists.
This tool checks whether an Ethereum address has broadcast a transaction, which permanently reveals its ECDSA public key on-chain. It does not assess when a quantum computer capable of exploiting this will exist — only whether the prerequisite exposure has already occurred. Queried via Cloudflare Ethereum Gateway.
This page represents a compliance Obligation checkpoint — not a blocking gate, but a post-settlement advisory. Quantum migration is not immediate; NIST standards adoption is ongoing (2025–2027). However, ACK-ID operators should monitor this space closely and begin credential rotation planning immediately.
Agents with long-lived credentials (5+ years) should prioritize Ed25519 → ML-DSA migration. For new agent provisioning, dual-signing (Ed25519 + ML-DSA in parallel) is recommended starting Q3 2026.
This page covers quantum risk for agent credentials. The full post-quantum infrastructure reference — covering all stablecoin contracts, admin keys, and migration timelines — lives in the Security Stack.
StablePQC.com →