Post-Quantum Agent Identity: Why Every AI Credential Issued Today Should Survive Quantum Computing
Here's a question nobody in the agent identity space is answering: what happens to your agent credentials when quantum computers arrive?
Every agent identity system shipping today — Microsoft Entra Agent ID, every OAuth-based solution, every JWT-signed token — uses RSA or elliptic curve cryptography. These algorithms will be broken by a sufficiently powerful quantum computer running Shor's algorithm. Not theoretically. Mathematically.
The timeline is debatable. The outcome is not.
CNSA 2.0 mandates post-quantum cryptography for all new national security systems by January 2027. NIST finalized the standards in 2024 after eight years of evaluation. The US government is migrating. The agent identity industry is issuing credentials on algorithms with an expiration date.
We chose not to.
What We Built
The Aethyr Agent Registry issues W3C Verifiable Credentials signed with ML-DSA-65 (NIST FIPS 204) — the post-quantum digital signature standard. Key exchange uses ML-KEM-768 (NIST FIPS 203). Identity derivation uses BLAKE3.
This isn't a research prototype. It's production infrastructure serving registered agents today.
| Component | Algorithm | Standard |
|---|---|---|
| Credential signatures | ML-DSA-65 | NIST FIPS 204 |
| Key exchange | ML-KEM-768 | NIST FIPS 203 |
| Identity derivation | BLAKE3-256 | — |
| Payload encryption | XChaCha20-Poly1305 | — |
| Security level | Level 3 | 192-bit classical, 128-bit quantum |
The Performance Question
The first objection is always performance. "Post-quantum algorithms are too slow for production."
We published our benchmarks. No asterisks. No "up to" numbers. Reproducible from open source.
| Operation | Throughput |
|---|---|
| ML-DSA-65 verify | 9,700 /sec |
| ML-DSA-65 sign | 2,193 /sec |
| ML-KEM-768 full key exchange | 110 µs total |
| BLAKE3 key derivation | 13.7M /sec |
For context: a single LLM inference call takes 500–80,000 ms. An ML-DSA-65 verification takes 0.1 ms. The cryptography is four orders of magnitude faster than the AI call it protects.
At 16,400 key generations per second, we can issue credentials faster than any conceivable demand. The bottleneck is never the cryptography.
$1 Per Agent
Agent identity shouldn't be gated behind enterprise licensing. DNS costs $12/year. SSL certificates are free. We set the floor at $1.
Basic ($1, one-time): Agent DID + signed credential. Post-quantum ML-DSA-65 signature. 1-year validity. Operator-initiated revocation.
Verified ($10/month): Organization verification via DNS TXT record. The credential proves not just who the agent is, but that a verified organization stands behind it.
Attested ($50/month): Hardware attestation. The credential proves the agent runs in a trusted execution environment. The highest trust level.
A weekend project and a defense deployment both deserve cryptographic identity. The tiers exist for organizations that need stronger assurance, not to gatekeep the foundation.
Offline Verification
This is the technical decision that separates us from every competitor.
Microsoft Entra Agent ID requires a network call to Microsoft for every credential verification. That means:
- Latency on every agent interaction
- Availability dependency on Microsoft infrastructure
- Privacy exposure — Microsoft sees every verification request
- Total failure in air-gapped or DDIL environments
Aethyr credentials verify locally. The issuer's public key is bundled in a 10KB MIT-licensed npm package. Verification is pure math:
import { verifyCredential, AETHYR_ISSUER_PUBLIC_KEY } from '@aethyrai/ssi-verify'
const result = verifyCredential(credential, AETHYR_ISSUER_PUBLIC_KEY)
// { valid: true, agentDid: "did:aethyr:...", capabilities: [...] }
No network call. No DNS lookup. No phone home. Works in a submarine. Works on an airplane. Works in a SCIF.
This is the same model as TLS certificates. Your browser doesn't call the certificate authority for every HTTPS connection. It validates the signature locally against a trusted root. Agent identity should work the same way.
W3C Standards, Not Proprietary Protocols
Every credential the Aethyr Registry issues is a W3C Verifiable Credential with a W3C Decentralized Identifier. These are the same standards that power human self-sovereign identity systems worldwide.
Why this matters: when you leave Azure, a Microsoft Entra Agent ID stays behind. When you leave Aethyr, your credential follows. Any system that implements W3C VC verification can validate an Aethyr credential. No vendor SDK. No platform dependency.
Proprietary identity is a feature. Standardized identity is infrastructure.
The Harvest-Now-Decrypt-Later Threat
State-level adversaries are already capturing encrypted traffic and signed credentials for future decryption — a strategy called "harvest now, decrypt later." When quantum computers become capable of running Shor's algorithm at scale, every RSA and ECC signature ever captured becomes forgeable.
Agent credentials are particularly vulnerable because they're long-lived. An agent credential valid for one year, signed with Ed25519 today, could be forged retroactively when quantum arrives. The agent it authenticates could be impersonated. The actions it authorized could be repudiated.
Every credential Aethyr issues today is immune to this attack. ML-DSA-65 signatures remain unforgeable regardless of advances in quantum computing. There's no migration needed later. No emergency re-issuance. No window of vulnerability.
The Key Hierarchy
Every agent's cryptographic keys derive from a single 256-bit master seed, using a deterministic hierarchy:
Master Seed (256-bit)
├── m/0' IDENTITY (ML-DSA-65)
├── m/1' SIGNING (ML-DSA-65)
├── m/2' DID (ML-DSA-65)
├── m/3' BACKUP (ML-KEM-768)
└── m/4'/n SESSION (ephemeral)
Same pattern as BIP32 in cryptocurrency wallets. The entire identity — all keys, all credentials, all derived sessions — recovers from a single seed. No key escrow. No centralized key storage. Backup one seed, recover everything.
Who This Is For
- Indie developers who need agent identity without an enterprise contract
- Startups building multi-agent systems that need inter-agent trust
- Enterprises that need verifiable audit trails for agent actions
- Defense and government organizations that need offline verification and quantum resilience
- Anyone who believes agent identity should be open infrastructure, not a platform play
The window for establishing the identity standard for AI agents is measured in months. Microsoft is pushing Entra Agent ID toward general availability. Enterprise buyers are making platform decisions now.
The question is whether agent identity becomes another proprietary lock-in — or open infrastructure that works everywhere, verifies offline, and survives quantum computing.
registry.aethyr.cloud — $1. Post-quantum. Offline. Open.
Aethyr Research — Salt Lake City, UT