We Benchmarked Post-Quantum Crypto for AI Agents. Here Are the Numbers.
Everyone talks about post-quantum cryptography. Almost nobody publishes real benchmarks on production code.
Here are ours. No asterisks. No "up to" numbers. No proprietary hardware. Run on a workstation, measured with Criterion.rs, reproducible from open source. If you don't trust us, run them yourself.
Why This Matters
CNSA 2.0 mandates post-quantum cryptography for all new national security systems by January 2027. Every AI agent that carries an identity — signs actions, proves authorization, authenticates to other agents — needs signatures and key exchange that won't break when quantum computers arrive.
The common objection: "Post-quantum is too slow for production."
That objection is wrong. Here's the proof.
ML-DSA-65 — Digital Signatures (NIST FIPS 204)
This is the algorithm that signs every agent credential, every tool invocation, every delegation approval in the Aethyr stack.
| Operation | Mean Time | Throughput |
|---|---|---|
| Key Generation | 167 µs | 5,983 /sec |
| Sign | 456 µs | 2,193 /sec |
| Verify | 103 µs | 9,700 /sec |
Verification is the hot path. It runs every time a credential is checked, a tool invocation is authorized, or a signed action is audited. At 9,700 verifications per second on a single core, the crypto is never the bottleneck. Your LLM inference takes 100x longer.
Key sizes: 1,952 bytes (public), 3,309 bytes (signature), 32 bytes (seed).
ML-KEM-768 — Key Exchange (NIST FIPS 203)
This is the algorithm that establishes encrypted sessions between AIOS network nodes. Two machines perform a post-quantum key exchange and derive a shared secret — without trusting any third party.
| Operation | Mean Time | Throughput |
|---|---|---|
| Key Generation | 27 µs | 36,940 /sec |
| Encapsulate | 26 µs | 38,023 /sec |
| Decapsulate | 55 µs | 18,009 /sec |
Full key exchange — keygen, encapsulate, decapsulate — completes in under 110 microseconds. That's the total cost of establishing a quantum-resistant encrypted channel between two agents on different machines.
BLAKE3 — Hashing and Key Derivation
Every agent's DID is BLAKE3(ML-DSA-65 verifying key). Every derived key in the hierarchy uses BLAKE3-KDF. Every content-addressable memory operation uses BLAKE3.
| Operation | Mean Time | Throughput |
|---|---|---|
| Hash (15 bytes) | 73 ns | 13.7M /sec |
| Hash (1 KB) | 999 ns | ~1.0 GB/s |
| Hash (1 MB) | 77 µs | ~12.9 GB/s |
| Key Derivation | 73 ns | 13.7M /sec |
At 13.7 million derivations per second, the identity layer adds zero perceptible overhead to any operation.
XChaCha20-Poly1305 — Symmetric Encryption
Payload encryption for the AethyrWire Protocol and credential backup.
| Operation | Size | Mean Time | Throughput |
|---|---|---|---|
| Encrypt | 64 B | 290 ns | ~220 MB/s |
| Encrypt | 1 KB | 680 ns | ~1.5 GB/s |
| Encrypt | 1 MB | 270 µs | ~3.7 GB/s |
| Decrypt | 1 KB | 660 ns | ~1.5 GB/s |
Key Hierarchy Derivation
Every agent's keys derive from a single 256-bit master seed. Same pattern as BIP32 in cryptocurrency wallets, adapted for post-quantum algorithms.
Master Seed (256-bit)
├── m/0' IDENTITY (ML-DSA-65)
├── m/1' SIGNING (ML-DSA-65)
├── m/2' DID (ML-DSA-65)
├── m/3' BACKUP (ML-KEM-768)
└── m/4'/n SESSION (ephemeral)
| Operation | Mean Time | Throughput |
|---|---|---|
| Derive one key | 73 ns | 13.7M /sec |
| Derive 5 session keys | 365 ns | 2.7M sets/sec |
Context strings are identical across Rust, TypeScript, and Python implementations. Cross-language test vectors verify every implementation produces the same output from the same seed.
The "Too Slow" Myth
For context, here's what actually takes time in an AI agent system:
| Operation | Time |
|---|---|
| LLM inference (4B model, simple query) | 500–2,000 ms |
| LLM inference (27B model, complex query) | 5,000–80,000 ms |
| HTTP round-trip to external API | 50–500 ms |
| ML-DSA-65 verify (agent credential check) | 0.1 ms |
| ML-KEM-768 full key exchange | 0.11 ms |
Post-quantum crypto is three to four orders of magnitude faster than the LLM call it's protecting. The "performance overhead" argument was valid for early PQC implementations. It is not valid for optimized Rust implementations on modern hardware.
Security Properties
- NIST Security Level 3 — 192-bit classical, 128-bit quantum equivalent
- No private key export —
SigningKeyhas noClone, noSerialize, noto_bytes(). The key is trapped by Rust's type system. - Auto-zeroize — All sensitive material wrapped in
Zeroizing<T>, cleared on drop - Deterministic keygen — Same seed always produces same keypair. Enables recovery from backup without storing private keys.
Methodology
Benchmarks run using Criterion.rs with 100 samples per operation, release profile with optimizations. Hardware: AMD Ryzen workstation, Linux 6.17 (x86_64), Rust 1.94.1. The underlying cryptographic implementations use the RustCrypto ml-dsa and ml-kem crates — optimized Rust implementations of the NIST FIPS 203/204 standards.
Standards
| Standard | Status |
|---|---|
| NIST FIPS 204 (ML-DSA-65) | Implemented |
| NIST FIPS 203 (ML-KEM-768) | Implemented |
| CNSA 2.0 | Compliant |
| W3C DID v1.0 | Implemented |
| W3C VC 2.0 | Implemented |
The code is open. The benchmarks are reproducible. The deadline is January 2027.
Stop issuing agent credentials on RSA.
Aethyr Research — Salt Lake City, UT