Post-Quantum Vulnerability Disclosure
Severity: High (regulatory deadline: 2030)
Scanner: QuantumScan — MIT CLI, runs locally:
px quantumscan .
Public scan result: https://quantumscan.io/en/share/b8debd2c-8af8-4052-ab24-134fe4b348a8
Summary
python-ecdsa implements ECDSA and ECDH — algorithms that are broken by Shor's algorithm on a cryptographically-relevant quantum computer (CRQ). The library scored 95/100 on the QuantumScan post-quantum risk index, the highest score in our dataset of 30+ scanned projects.
This is not a vulnerability in the implementation itself — python-ecdsa is well-implemented. The underlying mathematical primitives (elliptic curve discrete logarithm) are what become insecure in the post-quantum era.
Why this matters now
- NIST finalized ML-DSA (CRYSTALS-Dilithium, FIPS 204) and ML-KEM (CRYSTALS-Kyber, FIPS 203) in August 2024 as drop-in replacements for ECDSA/ECDH
- DORA Art. 50 (EU financial sector) and NIST CNSA 2.0 set mandatory migration deadlines of 2030
- Migration typically takes 2–5 years for organizations — the window is now
Affected algorithms
| Algorithm |
Quantum threat |
NIST replacement |
| ECDSA (secp256k1, P-256, P-384) |
Broken by Shor's |
ML-DSA (FIPS 204) |
| ECDH / ECDHE |
Broken by Shor's |
ML-KEM (FIPS 203) |
| Ed25519 / EdDSA |
Broken by Shor's |
ML-DSA or SLH-DSA (FIPS 205) |
Suggested migration path
- Add PQC variants alongside existing ECDSA functions (hybrid approach)
- Document which use-cases require quantum-safe signatures
- Consider a deprecation notice for pure-ECDSA usage in compliance-sensitive contexts
Resources
This issue is filed in good faith for informational purposes. python-ecdsa is a foundational library used by many downstream projects — early awareness helps the ecosystem plan migrations.
Filed by QuantumScan — open-source CLI for PQC readiness scanning.
Post-Quantum Vulnerability Disclosure
Severity: High (regulatory deadline: 2030)
Scanner: QuantumScan — MIT CLI, runs locally:
px quantumscan .
Public scan result: https://quantumscan.io/en/share/b8debd2c-8af8-4052-ab24-134fe4b348a8
Summary
python-ecdsa implements ECDSA and ECDH — algorithms that are broken by Shor's algorithm on a cryptographically-relevant quantum computer (CRQ). The library scored 95/100 on the QuantumScan post-quantum risk index, the highest score in our dataset of 30+ scanned projects.
This is not a vulnerability in the implementation itself — python-ecdsa is well-implemented. The underlying mathematical primitives (elliptic curve discrete logarithm) are what become insecure in the post-quantum era.
Why this matters now
Affected algorithms
Suggested migration path
Resources
This issue is filed in good faith for informational purposes. python-ecdsa is a foundational library used by many downstream projects — early awareness helps the ecosystem plan migrations.
Filed by QuantumScan — open-source CLI for PQC readiness scanning.