BACK TO NEWS
offense #quantum #redteam #ttp #grover #shor

The quantum hacker's playbook: what breaks first when Q-day comes

A red-team map of which production systems fall to Shor and Grover, in what order, and what an attacker actually has to do to weaponize a fault-tolerant machine. Inventory and prioritized defenses included.

by · · 5 min read

TL;DR

When Q-day arrives — defined here as the first publicly observable Shor break on a 2048-bit RSA key — the attack does not look like a movie. It looks like TLS sessions from 2019 silently decrypting, signed software updates retroactively forging, and VPN tunnels' long-term keys becoming public. The actual hacking work happens today, in the form of harvest, indexing, and target selection. The quantum machine is a one-shot factoring oracle plugged into a pipeline that already exists.

This post is a triage map: what falls, in what order, with what effort.

1. The two cryptographic axes

Only two quantum algorithms matter in practice for current crypto:

  • Shor breaks asymmetric primitives where security reduces to integer factorization or discrete log. That kills RSA, DSA, ECDSA, ECDH, DH, ElGamal, fully.
  • Grover halves the effective key length of symmetric ciphers and hashes. AES-128 becomes ~64-bit security (broken). AES-256 becomes 128-bit (still fine). SHA-256 becomes ~128-bit preimage (fine for now). The fix is double your key.

Everything else — lattice cryptanalysis, code-based attacks, structured-attack improvements — is research-grade, not pipeline-ready. Plan against Shor and Grover; track the rest.

2. Inventory, by order of pain

This is the merged version of NIST SP 800-208, ENISA's 2024 PQC migration report, and a fair amount of incident-response folklore.

Tier 0 — falls instantly, weaponized within weeks

System Mechanism What happens
TLS 1.2/1.3 with classical KEX (ECDHE, RSA) Shor on the ephemeral key All captured sessions decrypt. Includes most pre-2025 traffic still archived.
Code-signing (Authenticode, Apple notarization, apt/dnf) Shor on the signing key Retroactive forgery: signed malware that validates as Microsoft, Apple, your distro.
SSH key auth (RSA, ECDSA) Shor on the public key Long-term identity compromise. Every server you've ever SSHed to with that key is exposed.
PGP/SMIME email Shor on subkeys Encrypted email archive decrypts. Signed historical email can be re-forged.
Blockchain ECDSA (BTC, ETH legacy) Shor on exposed pubkeys See: shor-bitcoin

Tier 1 — falls instantly, weaponization is logistically harder

System Why it's slower
WPA2/WPA3 enterprise (EAP-TLS) Cert chain forge required, but feasible.
IPSec VPN with IKEv2 + RSA/ECDSA Tunnel keys exposed retroactively. Needs PCAP archive.
DNSSEC Resolver poisoning becomes signed and indistinguishable from authoritative.
Smart cards / hardware tokens (PIV, YubiKey FIDO U2F) RSA-2048 or P-256 inside; physical possession not required to spoof.

Tier 2 — symmetric, only weakened

System Effective bits post-Grover Verdict
AES-128 ~64 Break-soon. Migrate to AES-256.
AES-256 ~128 Safe.
SHA-256 (preimage) ~128 Safe for now.
SHA-256 (collision via BHT) ~85 Risky for long-lived commitments. SHA-384 / SHA3-384.
ChaCha20-Poly1305 ~128 Safe.
HMAC ~half-keysize If keysize ≥ 256 bit, fine.

Tier 3 — falls only if PQ candidate is later broken

System What it depends on
ML-KEM (Kyber) Module-LWE hardness. Best-known classical and quantum attacks are exponential.
ML-DSA (Dilithium) Module-LWE / Module-SIS.
SPHINCS+ Hash function only. Most conservative.
FALCON NTRU lattice. Implementation hazards (floating-point) are the main risk.

3. The actual attacker pipeline

An attacker with Shor capability does not point a quantum computer at the internet. The flow looks like this:

TEXT
1[ARCHIVE] ---> 20 PB of indexed TLS PCAPs, code-signing certs,
2 blockchain tx, VPN handshakes, PGP keys
3 |
4[TRIAGE] ---> rank targets by ROI:
5 - sovereign comms intercepts (top)
6 - software supply chain
7 - executive PGP archive
8 - blockchain UTXOs with exposed pubkeys
9 - long-term VPN tunnels
10 |
11[FACTOR] ---> feed N (RSA modulus) or P (EC pubkey) to Shor
12 ~hours per target on a fault-tolerant machine
13 |
14[REPLAY] ---> use recovered private key out-of-band:
15 - decrypt archive
16 - sign forged update
17 - re-sign forged email
18 - sweep crypto

The bottleneck is not factoring. It is target selection. Adversaries with Shor capacity will be conservative with cycles: each factoring run is a multi-hour, multi-megawatt operation. Operationally, expect a handful of "trophy" decrypts that are publicly attributable, while the bulk of impact stays under the line as classified intel.

4. Detecting "harvest now" today

You cannot stop archival. You can sometimes detect it. Patterns to look for:

  • Long-lived passive collectors on infrastructure paths you don't control — submarine cable taps, ISP peering points, BGP detours.
  • Repeated full handshake captures without session resumption — collectors want the key exchange, not the bulk data.
  • Unexplained TCP RST after handshake on internal services from external IPs — selective capture.
  • Spike in DNSSEC queries for high-value zones without resolution — pre-recording.

Ship harvest-detector.py (in the downloads) on perimeter nodes to flag TLS sessions that look like collection rather than use:

PYTHON
1# excerpt — see downloads for full file
2def looks_like_collection(flow):
3 # full handshake, no resumption ticket honored, no bulk data
4 if not flow.full_handshake: return False
5 if flow.session_resumed: return False
6 if flow.app_data_bytes > 4096: return False
7 if flow.duration_ms < 2000: return False
8 return True

False positives are non-trivial — health checks, scanners, some CDNs. Tune the thresholds.

5. Defenses, ordered by ROI

  1. Stop using AES-128. Trivial. Do it this sprint. AES-256 everywhere.
  2. Hybrid TLS: NIST's draft (X25519MLKEM768) ships in OpenSSL 3.4 and BoringSSL. Enable it on every edge endpoint. Browsers (Chrome 124+, Firefox 132+) already speak it.
  3. Switch code-signing to a hash-based scheme (SPHINCS+ or XMSS). Signatures are 8–40 KB but signing is rare; cost is acceptable.
  4. Rotate every long-lived asymmetric key on a 12-month cycle. Limits the value of harvested past sessions, even classically.
  5. Move SSH user keys to Ed25519 now and to ML-DSA when OpenSSH ships it (in flight). Avoid RSA-2048 for any new key.
  6. For PGP, generate fresh hybrid (ECC + ML-KEM) keys when GnuPG's draft branch lands. Republish.
  7. For blockchains you hold, sweep funds to addresses whose pubkey has never been exposed. Set up an alert for the first PQ-address standard on your chain.
  8. Audit your hardware tokens. RSA-2048 inside YubiKey 5 series is end-of-life. The 5.7 firmware (2024) supports brainpoolP384; the next generation will ship PQ.
  9. Build a key inventory. You cannot rotate what you cannot enumerate. CycloneDX has a CBOM (cryptography BOM) spec — adopt it.
  10. Test PQ in CI now. Liboqs provides drop-ins for OpenSSL. Failure modes you find in CI are failure modes you do not find in incident response.

6. Threat-actor outlook

  • State-level: building or contracting fault-tolerant machines. NSA (CNSA 2.0) and China's MSS both require PQ migration by ~2030 for national security systems. They are not waiting for the public roadmap.
  • Organized crime: not yet quantum-capable. Will rent capacity from state-aligned cloud quantum services within 2-3 years of the first public Q-day.
  • Insider threats: completely unchanged. PQ does not protect you from your sysadmin.
  • Script kiddies: irrelevant for at least a decade. Quantum exploitation will not be downloadable.

7. Reading list

  • ENISA — Post-Quantum Cryptography: Current State and Quantum Mitigation (2024)
  • NSA — CNSA 2.0 Suite (2022, updated 2024)
  • Mosca's theorem (informal): if X + Y > Z, you have a problem, where X is shelf life of secret, Y is time to migrate, Z is time to Q-day.
  • BSI — Migration to Post-Quantum Cryptography (2024)

The attacker does not need a quantum computer to start the attack. They only need to believe one is coming. Treat your current outbound TLS traffic as if it were a postcard. That is the threat model.

// related ops

RELATED OPS