Published April 22, 2026 | Version: v0.1 (Draft / Preprint)
Preprint Open

A Framework for Evaluating Cryptographic Agility in Deployed Systems

  • 1. ETHPH

Description

Cryptographic primitives have finite security lifespans, yet many modern systems—particularly blockchain and zero-knowledge infrastructures—are structurally resistant to change. Existing guidance on cryptographic agility assumes mutable environments and does not account for immutability, governance overhead, or proof system constraints.

This work introduces a framework for evaluating cryptographic agility in deployed systems. We propose the Cryptographic Agility Score (CAS), a nine-dimensional evaluation model that characterizes how and where cryptographic dependencies are embedded, and how these constraints affect migration feasibility.

Applying the framework to TLS and ZK rollup systems reveals a structural distinction: systems that anchor cryptographic primitives at negotiation layers achieve agility, while those that anchor them at execution layers face fundamental constraints. In ZK systems, these constraints are not only architectural but mathematical, arising from the algebraic structure of proof systems.

This preprint presents the framework and its application across case studies. It is intended as a diagnostic and design tool for engineers building systems that must remain resilient under cryptographic change.

Files

Measuring_Cryptographic_Agility_Erispe.pdf (271.9 kB)
md5:90157f69212e331e8fbfd0e7aa686a5a

Additional details

Dates

Created
2024-04-20
Created the first draft

Software