Key insight

The vulnerable algorithms (RSA, ECC/ECDSA/ECDH, Diffie–Hellman) sit at the bottom of a tower. On top of them sits the trust machinery — PKI, certificates, certificate authorities — whose signatures use those very algorithms. On top of that sit the protocols you use hourly: HTTPS/TLS, VPNs, SSH, code signing, secure email. Break the bottom and the whole tower is compromised in two distinct ways: confidentiality (harvested data read retroactively) and authenticity (forged certificates and signatures in real time).

In one sentence

Almost every “secure” thing you touch — the browser padlock, your VPN, software updates, SSH — is built on the exact algorithms Shor breaks, so one break at the bottom cascades through certificates and protocols to the top.

The previous article established that the clock is already running. This one makes “public-key breaks” concrete by climbing the tower of real systems built on it — from raw algorithms at the bottom to the padlock in your browser at the top.

The tower of trust Three layers stacked: vulnerable algorithms at the bottom, PKI and certificates in the middle, everyday protocols on top. A crack at the bottom rises through all three. Layer 3 · ProtocolsHTTPS/TLS · VPN · SSH · code signing · secure email Layer 2 · Trust machinery (PKI)certificates · certificate authorities · chains Layer 1 · AlgorithmsRSA · ECC (ECDSA/ECDH) · Diffie–Hellman crack rises ↑
Break Layer 1 and the crack rises: forged certificates in Layer 2, broken connections in Layer 3.

Layer 1: the vulnerable algorithms

Three names cover almost everything at risk — all broken completely by Shor’s algorithm:

AlgorithmWhat it doesWhere you meet it
RSAEncryption & signatures (multiply-primes)Certificates, TLS, email, code signing
ECCECDSASignatures on an elliptic curveCertificates, TLS, blockchains, SSH keys
ECCECDHKey exchange on a curveTLS handshake, VPNs, messaging
Diffie–Hellman (DH)Key agreementVPNs, older TLS, SSH

ECC deserves a note: it does the same jobs as RSA with much smaller keys, so it’s everywhere in modern systems. That efficiency doesn’t save it — Shor solves the elliptic-curve problem just as readily as factoring, and in fact needs fewer qubits to break a 256-bit curve than a 2048-bit RSA key.

Layer 2: PKI, certificates & authorities

When your browser connects to a bank, how does it know it’s really the bank? Through PKI — public-key infrastructure — the trust machinery built on those algorithms.

The fatal detail: those certificates are signed with RSA or ECDSA — exactly the vulnerable algorithms. Once Shor can forge those signatures, an attacker can mint a certificate that convincingly claims to be your bank, and your browser will trust it. The entire chain of trust rests on signatures a quantum computer breaks. Worse, root certificates live for decades, so long-lived roots are a harvest-now-style problem for authenticity: they must move to quantum-safe signatures well before Q-day.

Layer 3: the protocols you use hourly

Everything you think of as “secure” leans on Layers 1 and 2:

ProtocolWhat breaks
HTTPS / TLS (the padlock)Public-key handshake sets up the session and certificates prove identity — both fall. Confidentiality (harvested) and authenticity (impersonation).
VPNs (IPsec/IKE, WireGuard)Key exchange (DH/ECDH) recoverable — tunnel traffic decryptable retroactively.
SSHHost keys and key exchange (ECDSA/ECDH) — server impersonation and session decryption.
Code signingRSA/ECDSA signatures forgeable — malicious updates that look authentic. A live authenticity disaster.
Secure email (S/MIME, PGP)Encrypted mail readable (harvested); signatures forgeable.
Blockchains / crypto walletsECDSA account keys — funds tied to exposed public keys at risk.

The two kinds of damage

It’s vital to separate two failure modes, because they have different deadlines and different fixes:

Confidentiality vs authenticity damage Confidentiality is a retroactive risk from harvested data; authenticity is a live real-time risk after Q-day. Confidentiality Harvested data read AFTER Q-day Retroactive — robbed in the past Authenticity Forged certs & signatures in REAL TIME after Q-day Live — robbed in the present
Confidentiality damage is already accruing (harvest now). Authenticity damage switches on at Q-day — but long-lived signing keys must migrate well before then.

Scorecard: what falls, what stands

ThingStatus at Q-day
RSA, ECC, Diffie–HellmanFalls — replace
Certificates & PKI signaturesFalls — re-issue with PQC signatures
TLS/VPN/SSH key exchangeFalls — adopt PQC (hybrid) key exchange
Code signing / firmware trustFalls — migrate signing keys early
AES-256 (bulk encryption)Stands — symmetric, only needs big keys
SHA-384/512 (hashing)Stands — use longer outputs
RSA (Rivest–Shamir–Adleman)
The classic public-key algorithm, named after its inventors; security rests on factoring large numbers. Broken by Shor.
ECC (Elliptic-Curve Cryptography)
Public-key crypto built on elliptic curves — same jobs as RSA with smaller keys. Broken by Shor.
ECDSA / ECDH
The elliptic-curve signature (Elliptic-Curve Digital Signature Algorithm) and key-exchange (Elliptic-Curve Diffie–Hellman) schemes.
Diffie–Hellman (DH)
The classic public-key key-agreement method; broken by Shor.
PKI (public-key infrastructure)
The system of certificates and authorities that binds public keys to identities.
Certificate
A signed file asserting “this public key belongs to this identity.”
Certificate authority (CA)
A trusted party that signs certificates; roots are pre-trusted by devices.
Chain of trust
Certificates signed by higher certificates up to a trusted root.
TLS (Transport Layer Security)
The protocol behind HTTPS; uses public-key to set up, symmetric for data.
HTTPS (HyperText Transfer Protocol Secure)
Web traffic carried over TLS — the browser padlock.
VPN (Virtual Private Network)
An encrypted tunnel over a public network; relies on public-key key exchange.
SSH (Secure Shell)
Remote-login protocol; uses public-key host keys and key exchange.
PQC (Post-Quantum Cryptography)
The new algorithms designed to resist quantum attack — the replacements.
ML-KEM / ML-DSA / SLH-DSA
The NIST post-quantum standards: key exchange (ML-KEM), the default signature (ML-DSA), and the conservative hash-based backup signature (SLH-DSA).
AES / SHA
The symmetric cipher (Advanced Encryption Standard) and hash family (Secure Hash Algorithm) — both stand, needing only larger sizes.

What to carry forward

Next up — The New Rulebook: the replacements. NIST’s post-quantum standards and then deep dives on ML-KEM (key exchange) and ML-DSA / SLH-DSA (signatures). See the series catalogue.

AI-first? This same public-key tower secures every agent-to-agent, tool, and model-endpoint call — see Quantum-Safe AI.

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning which real systems break when public-key crypto breaks.
Quiz me one question at a time, correcting me gently:

1. Name the three main vulnerable algorithm families and one place I meet
   each. Why doesn't ECC's smaller key save it?
2. What is a certificate, and why does a quantum computer forging
   signatures let an attacker impersonate my bank?
3. Walk the "tower": algorithms → PKI → protocols. How does a break at the
   bottom reach the browser padlock?
4. Explain the difference between CONFIDENTIALITY damage and AUTHENTICITY
   damage, and which has which deadline.
5. Which fix addresses confidentiality (key exchange) and which addresses
   authenticity (signatures)?

References & further reading

  1. NIST, Post-Quantum Cryptography project — which primitives are affected and the standards replacing them. csrc.nist.gov
  2. NSA, CNSA 2.0 — algorithm-by-algorithm guidance for national security systems. nsa.gov/cybersecurity
  3. CISA/NSA/NIST, Quantum-Readiness: Migration to PQC (2023) — inventorying affected protocols and PKI. cisa.gov/quantum
  4. IETF TLS working group — hybrid post-quantum key exchange for TLS 1.3 (drafts and RFCs). datatracker.ietf.org