The quantum hacker's playbook: what breaks first when Q-day comes
A red-team map of which production systems fall to Shor and Grover, in what order, and what an attacker actually has to do to weaponize a fault-tolerant machine. Inventory and prioritized defenses included.
TL;DR ¶
When Q-day arrives — defined here as the first publicly observable Shor break on a 2048-bit RSA key — the attack does not look like a movie. It looks like TLS sessions from 2019 silently decrypting, signed software updates retroactively forging, and VPN tunnels' long-term keys becoming public. The actual hacking work happens today, in the form of harvest, indexing, and target selection. The quantum machine is a one-shot factoring oracle plugged into a pipeline that already exists.
This post is a triage map: what falls, in what order, with what effort.
1. The two cryptographic axes ¶
Only two quantum algorithms matter in practice for current crypto:
- Shor breaks asymmetric primitives where security reduces to integer factorization or discrete log. That kills RSA, DSA, ECDSA, ECDH, DH, ElGamal, fully.
- Grover halves the effective key length of symmetric ciphers and hashes. AES-128 becomes ~64-bit security (broken). AES-256 becomes 128-bit (still fine). SHA-256 becomes ~128-bit preimage (fine for now). The fix is double your key.
Everything else — lattice cryptanalysis, code-based attacks, structured-attack improvements — is research-grade, not pipeline-ready. Plan against Shor and Grover; track the rest.
2. Inventory, by order of pain ¶
This is the merged version of NIST SP 800-208, ENISA's 2024 PQC migration report, and a fair amount of incident-response folklore.
Tier 0 — falls instantly, weaponized within weeks ¶
| System | Mechanism | What happens |
|---|---|---|
| TLS 1.2/1.3 with classical KEX (ECDHE, RSA) | Shor on the ephemeral key | All captured sessions decrypt. Includes most pre-2025 traffic still archived. |
| Code-signing (Authenticode, Apple notarization, apt/dnf) | Shor on the signing key | Retroactive forgery: signed malware that validates as Microsoft, Apple, your distro. |
| SSH key auth (RSA, ECDSA) | Shor on the public key | Long-term identity compromise. Every server you've ever SSHed to with that key is exposed. |
| PGP/SMIME email | Shor on subkeys | Encrypted email archive decrypts. Signed historical email can be re-forged. |
| Blockchain ECDSA (BTC, ETH legacy) | Shor on exposed pubkeys | See: shor-bitcoin |
Tier 1 — falls instantly, weaponization is logistically harder ¶
| System | Why it's slower |
|---|---|
| WPA2/WPA3 enterprise (EAP-TLS) | Cert chain forge required, but feasible. |
| IPSec VPN with IKEv2 + RSA/ECDSA | Tunnel keys exposed retroactively. Needs PCAP archive. |
| DNSSEC | Resolver poisoning becomes signed and indistinguishable from authoritative. |
| Smart cards / hardware tokens (PIV, YubiKey FIDO U2F) | RSA-2048 or P-256 inside; physical possession not required to spoof. |
Tier 2 — symmetric, only weakened ¶
| System | Effective bits post-Grover | Verdict |
|---|---|---|
| AES-128 | ~64 | Break-soon. Migrate to AES-256. |
| AES-256 | ~128 | Safe. |
| SHA-256 (preimage) | ~128 | Safe for now. |
| SHA-256 (collision via BHT) | ~85 | Risky for long-lived commitments. SHA-384 / SHA3-384. |
| ChaCha20-Poly1305 | ~128 | Safe. |
| HMAC | ~half-keysize | If keysize ≥ 256 bit, fine. |
Tier 3 — falls only if PQ candidate is later broken ¶
| System | What it depends on |
|---|---|
| ML-KEM (Kyber) | Module-LWE hardness. Best-known classical and quantum attacks are exponential. |
| ML-DSA (Dilithium) | Module-LWE / Module-SIS. |
| SPHINCS+ | Hash function only. Most conservative. |
| FALCON | NTRU lattice. Implementation hazards (floating-point) are the main risk. |
3. The actual attacker pipeline ¶
An attacker with Shor capability does not point a quantum computer at the internet. The flow looks like this:
1 [ARCHIVE] ---> 20 PB of indexed TLS PCAPs, code-signing certs, 2 blockchain tx, VPN handshakes, PGP keys 3 | 4 [TRIAGE] ---> rank targets by ROI: 5 - sovereign comms intercepts (top) 6 - software supply chain 7 - executive PGP archive 8 - blockchain UTXOs with exposed pubkeys 9 - long-term VPN tunnels 10 | 11 [FACTOR] ---> feed N (RSA modulus) or P (EC pubkey) to Shor 12 ~hours per target on a fault-tolerant machine 13 | 14 [REPLAY] ---> use recovered private key out-of-band: 15 - decrypt archive 16 - sign forged update 17 - re-sign forged email 18 - sweep crypto
The bottleneck is not factoring. It is target selection. Adversaries with Shor capacity will be conservative with cycles: each factoring run is a multi-hour, multi-megawatt operation. Operationally, expect a handful of "trophy" decrypts that are publicly attributable, while the bulk of impact stays under the line as classified intel.
4. Detecting "harvest now" today ¶
You cannot stop archival. You can sometimes detect it. Patterns to look for:
- Long-lived passive collectors on infrastructure paths you don't control — submarine cable taps, ISP peering points, BGP detours.
- Repeated full handshake captures without session resumption — collectors want the key exchange, not the bulk data.
- Unexplained TCP RST after handshake on internal services from external IPs — selective capture.
- Spike in DNSSEC queries for high-value zones without resolution — pre-recording.
Ship harvest-detector.py (in the downloads) on perimeter nodes to flag TLS sessions that look like collection rather than use:
1 # excerpt — see downloads for full file 2 def looks_like_collection(flow): 3 # full handshake, no resumption ticket honored, no bulk data 4 if not flow.full_handshake: return False 5 if flow.session_resumed: return False 6 if flow.app_data_bytes > 4096: return False 7 if flow.duration_ms < 2000: return False 8 return True
False positives are non-trivial — health checks, scanners, some CDNs. Tune the thresholds.
5. Defenses, ordered by ROI ¶
- Stop using AES-128. Trivial. Do it this sprint. AES-256 everywhere.
- Hybrid TLS: NIST's draft (
X25519MLKEM768) ships in OpenSSL 3.4 and BoringSSL. Enable it on every edge endpoint. Browsers (Chrome 124+, Firefox 132+) already speak it. - Switch code-signing to a hash-based scheme (SPHINCS+ or XMSS). Signatures are 8–40 KB but signing is rare; cost is acceptable.
- Rotate every long-lived asymmetric key on a 12-month cycle. Limits the value of harvested past sessions, even classically.
- Move SSH user keys to Ed25519 now and to ML-DSA when OpenSSH ships it (in flight). Avoid RSA-2048 for any new key.
- For PGP, generate fresh hybrid (ECC + ML-KEM) keys when GnuPG's draft branch lands. Republish.
- For blockchains you hold, sweep funds to addresses whose pubkey has never been exposed. Set up an alert for the first PQ-address standard on your chain.
- Audit your hardware tokens. RSA-2048 inside YubiKey 5 series is end-of-life. The 5.7 firmware (2024) supports brainpoolP384; the next generation will ship PQ.
- Build a key inventory. You cannot rotate what you cannot enumerate. CycloneDX has a CBOM (cryptography BOM) spec — adopt it.
- Test PQ in CI now. Liboqs provides drop-ins for OpenSSL. Failure modes you find in CI are failure modes you do not find in incident response.
6. Threat-actor outlook ¶
- State-level: building or contracting fault-tolerant machines. NSA (CNSA 2.0) and China's MSS both require PQ migration by ~2030 for national security systems. They are not waiting for the public roadmap.
- Organized crime: not yet quantum-capable. Will rent capacity from state-aligned cloud quantum services within 2-3 years of the first public Q-day.
- Insider threats: completely unchanged. PQ does not protect you from your sysadmin.
- Script kiddies: irrelevant for at least a decade. Quantum exploitation will not be downloadable.
7. Reading list ¶
- ENISA — Post-Quantum Cryptography: Current State and Quantum Mitigation (2024)
- NSA — CNSA 2.0 Suite (2022, updated 2024)
- Mosca's theorem (informal): if X + Y > Z, you have a problem, where X is shelf life of secret, Y is time to migrate, Z is time to Q-day.
- BSI — Migration to Post-Quantum Cryptography (2024)
The attacker does not need a quantum computer to start the attack. They only need to believe one is coming. Treat your current outbound TLS traffic as if it were a postcard. That is the threat model.
RELATED OPS
Inside the NIST PQC suite: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205)
Four years after the round-3 finalists were named, the standards are signed. Here is what each one does, what parameter set to pick at each security level, and the smallest-possible call into each one from Python and TypeScript.
Q-day: how analysts are pinning the window between 2029 and 2034
The intelligence forecasts converge on a five-year window. We line up six published estimates side by side, show what each one assumes, and ship a Mosca-theorem calculator so you can derive your own shelf-life-aware migration deadline.
Grover bites AES: why 128 is dead and 256 is your new baseline
Grover's algorithm gives a quadratic speed-up on brute-force key search. AES-128 drops to ~64-bit effective security. AES-256 stays at ~128-bit. The fix is one config line — but every place stores cipher state, you need to find.