Quandoom
There is a lot of noise about “quantum apocalypse.” Most of it is overstated, but the underlying threat model is real. Below is a concise map of what breaks, how, and what comes next. Treat qubit counts as directional guesses—this field moves fast.
The Two Algorithms That Matter
- Shor’s algorithm → breaks integer factorisation and discrete-log problems (RSA, ECC). Exponential speedup.
- Grover’s algorithm → quadratic speedup searching unstructured spaces. Affects symmetric crypto (AES) and hashes (SHA-2).
General Cryptography Tiers
| Tier | Algorithm | Quantum Vulnerability | Real-World Usage | Rough Barrier |
|---|---|---|---|---|
| F | ECC (ECDH, ECDSA, EdDSA) | Broken by Shor’s. Smaller key sizes mean ECC likely falls before RSA. | TLS handshakes, Bitcoin/Ethereum signatures, Signal/WhatsApp, SSH, PGP. | ~3k–5k logical (fault-tolerant) qubits; estimates vary widely |
| E | RSA (2048/4096) | Broken by Shor’s. Larger keys than ECC, so more qubits required, but still falls. | Legacy TLS, S/MIME email, code signing, VPNs. Actively phased out. | ~20M logical qubits (highly speculative) |
| D | AES (128/256) | Grover’s halves effective key strength. AES-128 weakened to ~64-bit equivalent; AES-256 remains robust (~128-bit equivalent). | Disk encryption, TLS bulk encryption, data at rest. | ~6k–7k logical qubits to pose practical threat to AES-256 |
| C | SHA-2 / HMAC | Not broken by Shor’s. Preimage resistance drops via Grover’s (2²⁵⁶ → 2¹²⁸). Collision attacks are slightly improved in theory but remain impractical. | Integrity checks, Bitcoin mining, JWTs, AWS signatures, certificates. | Coherent operation time matters more than pure qubit count |
| B | Lattice-based (ML-KEM, ML-DSA) and hash-based (SLH-DSA) | Resistant to all known quantum algorithms. NIST-standardized replacements for RSA/ECC. | Rolling out in TLS 1.3, messaging, firmware signing. | Billions of ops over extended time; no exponential shortcut known |
| A | QKD (Quantum Key Distribution) | Information-theoretically secure. Protected by the no-cloning theorem, not computational hardness. | Dedicated high-value fiber links (government, finance). Not a drop-in replacement for the public internet. | Infinite — computationally unbreakable |
Note: “Logical qubits” means error-corrected, stable qubits. Today’s hardware has noisy physical qubits; the overhead to reach logical qubits is orders of magnitude larger.
Bitcoin: It’s All About When the Public Key Is Revealed
Bitcoin uses ECC (secp256k1), not RSA. The difference between address types is exposure timing.
| Tier | Address Type | Exposure Model | Notes |
|---|---|---|---|
| F | P2PK | Public key is visible on-chain. | A quantum attacker can derive the private key at leisure and spend immediately. |
| E | P2PKH / P2WPKH (Legacy / Native SegWit) | Public key revealed only when spending (mempool broadcast). | Creates a race: the attacker must front-run the legitimate spend with a higher fee before confirmation. SegWit changes fee/weight math but not the core race. |
| D | P2SH / P2WSH | Depends on the script. | A 1-of-1 signature script is as weak as P2PKH. Multi-sig increases trust but can increase attack surface: compromising any one key may allow script-path forgery, depending on threshold design. |
| C | P2TR (Taproot) | Key path reveals the public key; script path reveals the script. | Not inherently post-quantum. The script path can encode arbitrary conditions, so a future soft fork could enforce lattice-based signatures there. Today, it offers no quantum advantage over P2WPKH. |
| B | P2PQ (Hypothetical) | Post-quantum public key (e.g., CRYSTALS-Dilithium / FALCON) in the locking script. | Requires a consensus change. Trade-offs: massive signature/key size overhead and UTXO bloat. |
| A+ | SHA-256d Mining | Grover’s offers only quadratic speedup on a parallelizable race. | To 51% attack via quantum advantage, an attacker must outpace the entire classical hashrate. This demands millions of specialized, error-corrected qubits—economically and physically far harder than stealing from a single address. |
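As an added example (not part of the original page), a small Python classifier that maps a raw scriptPubKey to the output types and exposure tiers in the table above, so a UTXO inventory can be sorted by how early the public key becomes visible. The script templates are the standard Bitcoin ones; the sample scripts use placeholder hashes and keys, not real outputs.

```python
from collections import Counter
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC

@dataclass(frozen=True)
class Exposure:
    script_type: str
    tier: str            # tier letter from the table above
    pubkey_exposed: str  # when an attacker first sees the public key

def classify_spk(spk: bytes) -> Exposure:
    """Map a raw scriptPubKey to its output type and public-key exposure."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG; the key is on-chain already
    if n in (35, 67) and spk[0] == n - 2 and spk[1] in (2, 3, 4) and spk[-1] == OP_CHECKSIG:
        return Exposure("P2PK", "F", "on-chain")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Exposure("P2PKH", "E", "at spend")
    # P2WPKH: OP_0 <20-byte hash>; same mempool race as P2PKH once spent
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return Exposure("P2WPKH", "E", "at spend")
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL; P2WSH: OP_0 <32-byte hash>
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return Exposure("P2SH", "D", "depends on script")
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return Exposure("P2WSH", "D", "depends on script")
    # P2TR: OP_1 <32-byte x-only key>; a key-path spend reveals that key
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return Exposure("P2TR", "C", "at spend")
    return Exposure("unknown", "?", "unknown")

def exposure_summary(spks) -> dict:
    """Count outputs per tier so F and E can be reviewed first."""
    return dict(Counter(classify_spk(s).tier for s in spks))

# Constructed sample scripts: placeholder hashes and keys, not real outputs
H20, H32 = bytes(range(20)), bytes(range(32))
SAMPLES = {
    "p2pk":   bytes([33, 0x02]) + H32 + bytes([OP_CHECKSIG]),
    "p2pkh":  bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2wpkh": bytes([OP_0, 20]) + H20,
    "p2sh":   bytes([OP_HASH160, 20]) + H20 + bytes([OP_EQUAL]),
    "p2wsh":  bytes([OP_0, 32]) + H32,
    "p2tr":   bytes([OP_1, 32]) + H32,
}
```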
Threads to Pull (Explore Further)
A short list of concepts to chase when you want to go deeper:
- Logical vs. Physical Qubits — Why a 1,000-qubit chip today is still nowhere near breaking RSA. Look up surface codes and error-correction overhead.
- Harvest Now, Decrypt Later (HNDL) — Adversaries storing ciphertext today to decrypt once quantum arrives. This is why PQC migration matters before the machines exist.
- NIST PQC Standards (2024) — ML-KEM (key encapsulation), ML-DSA and SLH-DSA (signatures). Understand why hash-based signatures (SLH-DSA) are ultra-conservative but enormous in size.
- Grover’s vs. Brassard’s — Grover affects preimage search; Brassard’s algorithm improves collision attacks but requires impractical amounts of quantum RAM (QRAM). Most cryptographers treat hash collision resistance as much harder than naive Grover math suggests.
- QKD Practical Limits — Distance bounds (~100–400 km fiber), trusted-node requirements, and the authentication bootstrap problem (you still need classical crypto to authenticate the QKD channel).
- Bitcoin’s Path to PQC — How a hypothetical upgrade would work: address format changes, signature bloat, witness discount mechanics, and the UTXO set impact.
- Symmetric Crypto Safety Margin — Doubling key length (AES-128 → AES-256) neutralizes Grover’s algorithm, which is why symmetric encryption is the least of our quantum worries.
Migration Checklist: A Timeline
Core principle: You do not need a quantum computer to start migrating. The threat is Harvest Now, Decrypt Later (HNDL). Start with inventory and agility; replace algorithms in waves, not all at once.
🔴 Phase 0: Now (Immediate)
| Actions | Why It Matters |
|---|---|
| Build a cryptography inventory. Scan TLS certificates, VPN configs, code-signing keys, SSH hosts, internal APIs, and databases for RSA/ECC usage. | You cannot migrate what you cannot see. Shadow IT and expired certs are the biggest blind spots. |
| Enable crypto agility. Ensure your TLS stacks, libraries (OpenSSL, BoringSSL, libsodium), and HSMs can accept new algorithm identifiers without a full rebuild. | Hard-coded RSA/ECC assumptions will become technical debt overnight. |
| Classify data by shelf life. Ask: If an adversary recorded this ciphertext today, would it still matter in 10 years? Medical records, state secrets, and long-term identity keys are Phase 1 priorities. Ephemeral cat videos are not. | |
| Stop deploying RSA/ECC for new long-lived roots. If you are spinning up a new CA root, code-signing key, or identity anchor today, design the ceremony with a PQC escape hatch. | Replacing a root trust anchor is the slowest thing in cryptography. |
Milestone: You have a spreadsheet/dashboard of algorithm types, key lifetimes, and data sensitivity tiers.
🟠 Phase 1: 6–12 Months
| Actions | Why It Matters |
|---|---|
| Pilot hybrid key exchange. Test TLS 1.3 with hybrid PQC groups (e.g., X25519Kyber768Draft00 / ML-KEM-768) in non-production environments. Cloudflare, Google, and AWS already support this. | Hybrid modes combine classical ECC with lattice KEM so you are not betting the farm on a brand-new algorithm. |
| Audit firmware and IoT. Embedded devices with burned-in RSA/ECC cannot be over-the-air updated easily. Flag them for replacement or network segmentation. | IoT is where migrations go to die. |
| Map your Bitcoin/crypto exposure. If you hold long-term value in P2PKH/P2WPKH, understand that one spend exposes the public key. Consider multi-sig or custodial solutions that will upgrade transparently. | Personal key management is the weakest link. |
| Train your incident response team on PQC failure modes. A sudden PQC standard change or implementation bug (see: SIKE 2022) is more likely than a quantum computer this decade. | |
Milestone: Hybrid TLS is running in staging; IoT audit is complete; executive leadership understands HNDL.
🟡 Phase 2: 1–3 Years
| Actions | Why It Matters |
|---|---|
| Adopt NIST PQC standards for key encapsulation. Deploy ML-KEM (Kyber) for TLS, VPNs, and messaging where possible. | Standards are maturing; interoperability libraries are stabilizing. |
| Rotate high-value long-term keys to hybrid PQC. Prioritize S/MIME, code signing, document encryption, and database encryption keys. | These are the assets most at risk from HNDL. |
| Begin deprecating RSA in internal systems. Set a sunset date for RSA < 3072 and all ECC < 256 bits in internal procurement policies. | Reduces your attack surface and forces vendor accountability. |
| Update DR/BCP plans. If a “Y2Q” announcement drops (a cryptographically relevant quantum computer), do you have a 24-hour plan to force-upgrade TLS ciphersuites or revoke classical certificates? | |
Milestone: All external-facing TLS offers hybrid PQC; internal PKI can issue ML-KEM + ECC certificates.
🟢 Phase 3: 3–5 Years
| Actions | Why It Matters |
|---|---|
| Full PQC transition for sensitive systems. Drop the classical half of hybrid modes for high-security enclaves and replace with pure ML-KEM / ML-DSA where risk appetite allows. | This is only safe once you have high confidence in implementation maturity and side-channel resistance. |
| Migrate Bitcoin/crypto custody to PQC-ready schemes. If P2PQ or equivalent soft forks exist, move store-of-value funds. If not, ensure your custody provider has a published PQC roadmap. | Public blockchains move on consensus timescales, not corporate ones. |
| Sunset RSA/ECC for key exchange. Retire RSA key transport and static ECDH entirely. Maintain classical signatures only where backward compatibility is legally/contractually required. | |
| Hash function hygiene. Ensure SHA-256 is still acceptable for your use case; plan for SHA-3 or SHA-256 with truncated outputs if Grover’s-adjacent attacks ever become practical. | SHA-256 is the least urgent item, but long-lived blockchain commitments should use 256+ bits of security. |
Milestone: Zero trusted internal traffic relies solely on RSA/ECC for confidentiality; PQC signatures validate in production.
🔵 Phase 4: 5–10 Years (Quantum-Ready)
| Actions | Why It Matters |
|---|---|
| Full algorithmic sunsetting. RSA and classical ECC are relegated to museum pieces and legacy mainframe bridges. | |
| Monitor cryptanalytic breakthroughs. Lattice security estimates have shifted before (NTRU, GGH). Maintain a red-team capability to evaluate new attacks on ML-KEM/ML-DSA. | PQC is not “set and forget.” |
| Evaluate QKD for fixed high-value links. Where fiber distance and cost permit, layer QKD beneath your PQC keys for defense-in-depth. | QKD is a complement, not a replacement, for algorithmic crypto. |
| Bitcoin/network layer hardening. If the network has adopted PQC address types, legacy P2PKH outputs are either migrated or considered abandoned. | |
Milestone: Your organization can survive a sudden public announcement of a 4,000-logical-qubit machine with minimal panic.
🔄 Ongoing (Never Stops)
- Track the qubit roadmaps (IBM, Google, Quantinuum) but ignore marketing physical-qubit counts. Watch for logical-qubit milestones and algorithmic benchmarking (e.g., Shor’s at useful scale).
- Maintain vendor pressure. If your VPN, HSM, or cloud provider does not have a published PQC roadmap, ask why. Vote with procurement budgets.
- Revisit this checklist annually. Quantum timelines are uncertain; your inventory is not.