python-ecdsa — Post-Quantum Cryptography Analysis
python-ecdsa is a pure-Python ECDSA implementation with 36 million PyPI downloads per month. The library implements the exact algorithm that Shor's quantum attack targets — ECDSA over NIST curves (P-192, P-224, P-256, P-384, P-521) and Brainpool curves. Every signing operation, every key pair, and every verification in 36M monthly downloads is quantum-vulnerable. Scored 95/100: the highest-risk library in our corpus of famous repos.
Findings
| Finding | File | Details |
| --- | --- | --- |
| ECDSA P-256 / P-384 / P-521 | ecdsa/keys.py | Core library functionality. 171 ECDSA patterns detected. Every signing key is breakable by Shor's algorithm. |
| NIST P-192 (deprecated) | ecdsa/ecdsa.py | P-192 was deprecated by NIST in 2015. Broken by classical attacks, trivially broken by quantum. |
| Brainpool curves (BP-256 / BP-384 / BP-512) | ecdsa/ecdsa.py | European alternative curves. Same discrete-log assumption, so they are exactly as quantum-vulnerable as the NIST curves. |
| RFC 6979 deterministic k generation | ecdsa/rfc6979.py | Correct classical implementation, but it does not add quantum resistance. Fault attacks remain possible with ECDSA regardless. |
Compliance note
Any Python project importing `from ecdsa import SigningKey` is using quantum-vulnerable cryptography. At 36M downloads/month, python-ecdsa is one of the most widely deployed quantum risks in the Python ecosystem. `pip install cryptography` and migrating to `ml_dsa` is the practical migration path.
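To scope a migration, a project first needs an inventory of where python-ecdsa is imported and which curves it selects. The following is an added example, not code from this page or from the python-ecdsa project: `inventory_ecdsa`, `DEFAULT_MSG` and the sample source are constructed for illustration, while the curve names are the objects python-ecdsa exports and the P-192 default is the one its `SigningKey.generate()` uses when no curve is given.

```python
import ast

# Curve objects exported by python-ecdsa -> curve names used in the findings above.
CURVES = {f"NIST{b}p": f"NIST P-{b}" for b in (192, 224, 256, 384, 521)}
CURVES.update({f"BRAINPOOLP{b}r1": f"Brainpool BP-{b}" for b in (256, 384, 512)})
# python-ecdsa's SigningKey.generate() falls back to NIST192p when no curve is passed.
DEFAULT_MSG = "SigningKey.generate() without a curve uses the default NIST P-192"

def inventory_ecdsa(source, filename="<constructed>"):
    """Return sorted (line, finding) pairs for python-ecdsa usage in one file."""
    tree = ast.parse(source, filename)
    aliases, names, findings = set(), {}, []  # module aliases; local name -> ecdsa symbol
    for node in ast.walk(tree):  # pass 1: how is ecdsa imported?
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name.split(".")[0] == "ecdsa":
                    aliases.add((a.asname or a.name).split(".")[0])
                    findings.append((node.lineno, f"import {a.name}"))
        elif isinstance(node, ast.ImportFrom) and node.level == 0 \
                and (node.module or "").split(".")[0] == "ecdsa":
            for a in node.names:
                names[a.asname or a.name] = a.name
                findings.append((node.lineno, f"from {node.module} import {a.name}"))

    def resolve(n):  # map a Name/Attribute node back to the ecdsa symbol it refers to
        if isinstance(n, ast.Name):
            return names.get(n.id)
        if isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name):
            return n.attr if n.value.id in aliases else None

    for node in ast.walk(tree):  # pass 2: which curves and key-generation calls appear?
        sym = resolve(node)
        if sym in CURVES:
            findings.append((node.lineno, f"curve {CURVES[sym]}"))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "generate"
                and resolve(node.func.value) == "SigningKey"
                and not node.args and not any(k.arg == "curve" for k in node.keywords)):
            findings.append((node.lineno, DEFAULT_MSG))
    return sorted(findings)

# Constructed sample source; it is parsed, never executed.
SAMPLE = '''\
import ecdsa as ec
from ecdsa import SigningKey, NIST384p as P384
legacy = SigningKey.generate()
strong = SigningKey.generate(curve=P384)
bp = ec.SigningKey.generate(curve=ec.BRAINPOOLP256r1)
'''
```

The scan resolves only direct imports and their aliases; dynamic imports and names re-exported through other modules are not followed.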