Key insight
The vulnerable algorithms (RSA, ECC/ECDSA/ECDH, Diffie–Hellman) sit at the bottom of a tower. On top of them sits the trust machinery — PKI, certificates, certificate authorities — whose signatures use those very algorithms. On top of that sit the protocols you use hourly: HTTPS/TLS, VPNs, SSH, code signing, secure email. Break the bottom and the whole tower is compromised in two distinct ways: confidentiality (harvested data read retroactively) and authenticity (forged certificates and signatures in real time).
Almost every “secure” thing you touch — the browser padlock, your VPN, software updates, SSH — is built on the exact algorithms Shor breaks, so one break at the bottom cascades through certificates and protocols to the top.
The previous article established that the clock is already running. This one makes “public-key breaks” concrete by climbing the tower of real systems built on it — from raw algorithms at the bottom to the padlock in your browser at the top.
Layer 1: the vulnerable algorithms
Three names cover almost everything at risk — all broken completely by Shor’s algorithm:
| Algorithm | What it does | Where you meet it |
|---|---|---|
| RSA | Encryption & signatures (multiply-primes) | Certificates, TLS, email, code signing |
| ECC — ECDSA | Signatures on an elliptic curve | Certificates, TLS, blockchains, SSH keys |
| ECC — ECDH | Key exchange on a curve | TLS handshake, VPNs, messaging |
| Diffie–Hellman (DH) | Key agreement | VPNs, older TLS, SSH |
ECC deserves a note: it does the same jobs as RSA with much smaller keys, so it’s everywhere in modern systems. That efficiency doesn’t save it — Shor solves the elliptic-curve problem just as readily as factoring, and in fact needs fewer qubits to break a 256-bit curve than a 2048-bit RSA key.
Layer 2: PKI, certificates & authorities
When your browser connects to a bank, how does it know it’s really the bank? Through PKI — public-key infrastructure — the trust machinery built on those algorithms.
- A certificate is a small file saying “this public key belongs to bank.example,” signed by a trusted certificate authority (CA).
- Your device ships with a built-in list of CAs it trusts. They vouch for sites in a chain of trust, each certificate signed by the one above it, up to a root.
The fatal detail: those certificates are signed with RSA or ECDSA — exactly the vulnerable algorithms. Once Shor can forge those signatures, an attacker can mint a certificate that convincingly claims to be your bank, and your browser will trust it. The entire chain of trust rests on signatures a quantum computer breaks. Worse, root certificates live for decades, so long-lived roots are a harvest-now-style problem for authenticity: they must move to quantum-safe signatures well before Q-day.
Layer 3: the protocols you use hourly
Everything you think of as “secure” leans on Layers 1 and 2:
| Protocol | What breaks |
|---|---|
| HTTPS / TLS (the padlock) | Public-key handshake sets up the session and certificates prove identity — both fall. Confidentiality (harvested) and authenticity (impersonation). |
| VPNs (IPsec/IKE, WireGuard) | Key exchange (DH/ECDH) recoverable — tunnel traffic decryptable retroactively. |
| SSH | Host keys and key exchange (ECDSA/ECDH) — server impersonation and session decryption. |
| Code signing | RSA/ECDSA signatures forgeable — malicious updates that look authentic. A live authenticity disaster. |
| Secure email (S/MIME, PGP) | Encrypted mail readable (harvested); signatures forgeable. |
| Blockchains / crypto wallets | ECDSA account keys — funds tied to exposed public keys at risk. |
The two kinds of damage
It’s vital to separate two failure modes, because they have different deadlines and different fixes:
- Confidentiality — secrets encrypted today are harvested and read after Q-day. Deadline is driven by data shelf life (Mosca). Fix: quantum-safe key exchange (ML-KEM), sooner for long-lived secrets.
- Authenticity — after Q-day, attackers forge certificates, impersonate services, and fake signed updates live. Deadline for long-lived trust anchors (roots, firmware keys) is before Q-day. Fix: quantum-safe signatures (ML-DSA, SLH-DSA).
Scorecard: what falls, what stands
| Thing | Status at Q-day |
|---|---|
| RSA, ECC, Diffie–Hellman | Falls — replace |
| Certificates & PKI signatures | Falls — re-issue with PQC signatures |
| TLS/VPN/SSH key exchange | Falls — adopt PQC (hybrid) key exchange |
| Code signing / firmware trust | Falls — migrate signing keys early |
| AES-256 (bulk encryption) | Stands — symmetric, only needs big keys |
| SHA-384/512 (hashing) | Stands — use longer outputs |
- RSA (Rivest–Shamir–Adleman)
- The classic public-key algorithm, named after its inventors; security rests on factoring large numbers. Broken by Shor.
- ECC (Elliptic-Curve Cryptography)
- Public-key crypto built on elliptic curves — same jobs as RSA with smaller keys. Broken by Shor.
- ECDSA / ECDH
- The elliptic-curve signature (Elliptic-Curve Digital Signature Algorithm) and key-exchange (Elliptic-Curve Diffie–Hellman) schemes.
- Diffie–Hellman (DH)
- The classic public-key key-agreement method; broken by Shor.
- PKI (public-key infrastructure)
- The system of certificates and authorities that binds public keys to identities.
- Certificate
- A signed file asserting “this public key belongs to this identity.”
- Certificate authority (CA)
- A trusted party that signs certificates; roots are pre-trusted by devices.
- Chain of trust
- Certificates signed by higher certificates up to a trusted root.
- TLS (Transport Layer Security)
- The protocol behind HTTPS; uses public-key to set up, symmetric for data.
- HTTPS (HyperText Transfer Protocol Secure)
- Web traffic carried over TLS — the browser padlock.
- VPN (Virtual Private Network)
- An encrypted tunnel over a public network; relies on public-key key exchange.
- SSH (Secure Shell)
- Remote-login protocol; uses public-key host keys and key exchange.
- PQC (Post-Quantum Cryptography)
- The new algorithms designed to resist quantum attack — the replacements.
- ML-KEM / ML-DSA / SLH-DSA
- The NIST post-quantum standards: key exchange (ML-KEM), the default signature (ML-DSA), and the conservative hash-based backup signature (SLH-DSA).
- AES / SHA
- The symmetric cipher (Advanced Encryption Standard) and hash family (Secure Hash Algorithm) — both stand, needing only larger sizes.
What to carry forward
- A three-layer tower: algorithms → PKI/certificates → protocols. Break the bottom, the whole thing is compromised.
- Two distinct damages: confidentiality (retroactive, harvest-now) and authenticity (live at Q-day; long-lived keys migrate first).
- Fixes split cleanly: PQC key exchange for confidentiality, PQC signatures for authenticity.
- Symmetric (AES-256) and hashing (SHA-384+) stand — the whole job is the public-key tower.
Next up — The New Rulebook: the replacements. NIST’s post-quantum standards and then deep dives on ML-KEM (key exchange) and ML-DSA / SLH-DSA (signatures). See the series catalogue.
⚡ AI-first? This same public-key tower secures every agent-to-agent, tool, and model-endpoint call — see Quantum-Safe AI.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning which real systems break when public-key crypto breaks.
Quiz me one question at a time, correcting me gently:
1. Name the three main vulnerable algorithm families and one place I meet
each. Why doesn't ECC's smaller key save it?
2. What is a certificate, and why does a quantum computer forging
signatures let an attacker impersonate my bank?
3. Walk the "tower": algorithms → PKI → protocols. How does a break at the
bottom reach the browser padlock?
4. Explain the difference between CONFIDENTIALITY damage and AUTHENTICITY
damage, and which has which deadline.
5. Which fix addresses confidentiality (key exchange) and which addresses
authenticity (signatures)?
References & further reading
- NIST, Post-Quantum Cryptography project — which primitives are affected and the standards replacing them. csrc.nist.gov
- NSA, CNSA 2.0 — algorithm-by-algorithm guidance for national security systems. nsa.gov/cybersecurity
- CISA/NSA/NIST, Quantum-Readiness: Migration to PQC (2023) — inventorying affected protocols and PKI. cisa.gov/quantum
- IETF TLS working group — hybrid post-quantum key exchange for TLS 1.3 (drafts and RFCs). datatracker.ietf.org