Why now

The clock isn't theoretical anymore.

DORA is enforced. SHA-1 collisions are practical. Adversaries are harvesting your encrypted traffic today, betting on quantum computers in a decade. This page is the evidence you can send your CISO.

Timeline

Eight years of converging signals

The risk isn't a single event in the future. It's a sequence of milestones — already half complete.

  1. 2017 · Classical

    SHAttered

    Google + CWI publish the first practical SHA-1 collision. Cost: ~US$110k of compute. Today the same attack costs under US$10k.

  2. 2020 · Classical

    SHA-mbles + Git deprecates SHA-1

    Chosen-prefix collisions become real. Git switches its default object hash to SHA-256.

  3. 2023 · Quantum

    Chrome ships hybrid ML-KEM in TLS

    Chrome 116 enables X25519+ML-KEM-768 for Google services. Cloudflare and AWS KMS follow. Post-quantum is no longer a research project.

  4. Aug 2024 · Regulation

    NIST publishes FIPS 203, 204, 205

    ML-KEM, ML-DSA, SLH-DSA become federal standards. They are now mandatory for US federal procurement.

  5. Jan 2025 · Regulation

    DORA enforcement begins

    EU financial entities must demonstrate ICT risk management — including cryptographic inventory and migration plans. Fines reach 2% of annual revenue.

  6. Dec 2024 · Quantum

    Google Willow · 105 qubits

    Google demonstrates below-threshold quantum error correction. IBM Heron (156 qubits) follows. Roadmaps target 100k+ qubits by 2033.

  7. 2030–2035 · Quantum

    Estimated Q-day window

    Best public estimates put cryptanalytically relevant quantum computers within the working life of code shipped today. Secrets you ship in 2026 may need to outlive that window.

Today

Classical threats — already exploitable

You don't need a quantum computer to break weak crypto. Several patterns QuantumScan flags are vulnerable to attacks that exist in public exploit kits.

SHAttered (2017)

First demonstrated SHA-1 collision. Two PDFs with the same hash, generated for ~US$110k. Public attack code on GitHub. SHA-1 in digital signatures is broken.

Stevens, Bursztein, Karpman et al. — shattered.io

SHA-mbles (2020)

Chosen-prefix SHA-1 collisions. Lets an attacker forge two arbitrary documents with the same hash. Cost: ~US$45k in 2020, well under US$10k today.

Leurent & Peyrin — sha-mbles.github.io

Git deprecation

Git switched its default object hash from SHA-1 to SHA-256 in version 2.29 (October 2020). The maintainers acknowledged SHA-1 was no longer safe for content addressing.

Git release notes 2.29

Harvest now, decrypt later

State-level adversaries are widely understood to be archiving encrypted traffic today, betting on future quantum computers to break RSA/ECDH key exchanges. Any secret with a >10-year lifetime is already at risk.

NSA CNSA 2.0 advisory (2022)

NIST SP 800-131A

SHA-1 has been formally disallowed for digital signature generation since 2013. RSA-1024 disallowed since 2014. These are policy decisions reflecting concrete attack feasibility.

NIST Special Publication 800-131A Rev. 2

Most QuantumScan findings tagged CRITICAL belong to this category — exploitable with classical computers today, not someday.
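As an added illustration (not QuantumScan's code), here is a toy static inventory scanner in Python that applies the split described above to a constructed sample repository: patterns breakable today (SHA-1, RSA-1024) are CRITICAL, Shor-vulnerable public-key algorithms are HIGH, and ECC found beside ML-KEM in the same file is treated as the hybrid pattern. The rule table, sample file contents and severity names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Constructed sample "repository" (file path -> source text), not real code.
SAMPLE_REPO = {
    "legacy/sign.py": "h = hashlib.sha1(doc).digest()\nsig = rsa_key_1024.sign(h)",
    "api/tls.go": 'curve := tls.X25519\nsuite := "TLS_ECDHE_ECDSA"',
    "edge/kex.rs": "// hybrid X25519 + ML-KEM-768 key exchange\nlet ss = mlkem768::encaps(pk);",
}

@dataclass(frozen=True)
class Finding:
    path: str
    algorithm: str
    category: str  # classical (breakable today) | quantum (falls to Shor) | hybrid | pqc
    severity: str  # CRITICAL | HIGH | INFO

# Hypothetical rule set (an assumption for this example, not QuantumScan's rules).
RULES = [
    (r"\bsha-?1\b", "SHA-1", "classical"),                      # SHAttered / SP 800-131A
    (r"\b(ecdsa|ecdhe?|x25519|secp\d+)\b", "ECC", "quantum"),   # falls to Shor's algorithm
    (r"\bdh\b|\bdiffie", "DH", "quantum"),
    (r"\bml-?kem|kyber", "ML-KEM", "pqc"),
]
RSA_RE = re.compile(r"\brsa[_-]?(?:key[_-]?)?(\d{3,4})\b|\brsa\b", re.I)
SEVERITY = {"classical": "CRITICAL", "quantum": "HIGH", "hybrid": "INFO", "pqc": "INFO"}

def scan_text(path, text):
    """Return one Finding per matching rule; RSA is classified by modulus size."""
    found = [Finding(path, algo, cat, SEVERITY[cat])
             for pattern, algo, cat in RULES if re.search(pattern, text, re.I)]
    for m in RSA_RE.finditer(text):
        bits = int(m.group(1)) if m.group(1) else None
        # RSA-1024 has been disallowed by SP 800-131A since 2014 (classical risk);
        # larger RSA moduli are only at risk from a future quantum computer.
        cat = "classical" if bits is not None and bits < 2048 else "quantum"
        found.append(Finding(path, f"RSA-{bits}" if bits else "RSA", cat, SEVERITY[cat]))
    return found

def scan_repo(repo):
    """Build the inventory; ECC next to ML-KEM in the same file is treated as hybrid."""
    inventory = []
    for path, text in repo.items():
        findings = scan_text(path, text)
        hybrid = any(f.category == "pqc" for f in findings)
        for f in findings:
            if hybrid and f.category == "quantum":  # the X25519+ML-KEM-768 pattern
                f = Finding(f.path, f.algorithm, "hybrid", SEVERITY["hybrid"])
            inventory.append(f)
    return inventory
def critical_findings(inventory):
    """Findings exploitable with classical computers today (the CRITICAL tier above)."""
    return [f for f in inventory if f.severity == "CRITICAL"]
```

A real scanner would parse ASTs and resolve key sizes at their point of generation; this heuristic only shows how the classical/quantum/hybrid split turns into inventory records.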

Tomorrow

Quantum threats — provable math, finite timeline

Shor's algorithm is mathematically proven. The only question is when a quantum computer large enough exists. The major labs say 10–15 years; conservative analysts say less.

Shor's algorithm (1994)

Mathematically proven to factor large integers and compute discrete logs in polynomial time on a quantum computer. RSA, DH, ECDH, ECDSA all fall to it. This is not a hypothesis — it is a 30-year-old proof.

Shor, IEEE FOCS 1994

Resource estimates

Best current estimate to break RSA-2048: ~20 million noisy physical qubits with error correction, in about 8 hours. The number drops every year as algorithms improve.

Gidney & Ekerå, Quantum 5, 433 (2021)

IBM Heron · Google Willow

IBM Heron processor: 156 qubits with improved error rates (2024). Google Willow: 105 qubits demonstrating below-threshold error correction (Dec 2024). The error-correction barrier — long the main obstacle — is starting to fall.

IBM Quantum Roadmap · Google AI Quantum (Nature, 2024)

NIST PQC standardization

After an 8-year open competition with 82 submissions and dozens of cryptanalysis papers, NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024.

NIST FIPS 203, 204, 205

Already in production

Chrome 116 (2023), Cloudflare TLS endpoints, AWS KMS, and Signal protocol all run hybrid X25519+ML-KEM-768 today. Post-quantum is shipping; the question is only whether your stack catches up.

Chrome, Cloudflare, AWS, Signal post-quantum blogs

NIST recommends hybrid migration (classical + PQC together) precisely because no single algorithm is invincible. SIKE, a NIST finalist, was broken classically in 2022.

Compliance

What regulators already require

You don't need to prove ML-KEM works. You need to prove to your auditor that you have a documented cryptographic inventory and migration plan. That requirement exists today.

Framework · Scope · Requirement · Enforcement

DORA (EU 2022/2554)
  Scope: EU financial entities + ICT third parties
  Requirement: Article 7: ICT risk management framework. Article 9: cryptographic key management. Article 28: third-party ICT risk register.
  Enforcement: Active since January 17, 2025. Fines up to 2% of total annual worldwide turnover.

NIS2 (EU 2022/2555)
  Scope: Essential + important entities across 18 sectors
  Requirement: Article 21: cryptography policies as part of cybersecurity risk-management measures.
  Enforcement: National transposition deadlines mostly elapsed in 2024. Fines up to €10M or 2% of revenue.

NIST FIPS 203/204/205
  Scope: US federal agencies + their suppliers
  Requirement: Mandatory standards for key encapsulation and digital signatures. NSA CNSA 2.0 requires migration by 2035, with new systems on PQC by 2027.
  Enforcement: Federal procurement; cascades to private contractors via FedRAMP, CMMC, and supplier audits.

PCI DSS 4.0
  Scope: Anyone processing card data
  Requirement: Section 12.3.3: documented inventory of cryptographic cipher suites and protocols, with review of industry developments and timelines.
  Enforcement: Mandatory since March 2025. Loss of PCI status blocks payment processing.

LGPD (Brazil) · Habeas Data (LATAM)
  Scope: Personal-data processors in BR + most LATAM
  Requirement: ANPD guidance treats outdated cryptography as inadequate security — same logic as GDPR Article 32 (state-of-the-art).
  Enforcement: Administrative sanctions; in BR up to 2% of revenue capped at R$50M per infraction.

Honest disclosure

What we don't know — and why it doesn't change the math

We sell mapping, documentation, and a migration plan. We don't sell certainty about a quantum future. Here's what is genuinely uncertain.

When Q-day happens

Nobody knows. Public estimates range from 2030 to 2045. The buyer's job isn't to predict Q-day — it's to make sure the systems they're shipping today can be rotated cleanly when the date becomes clearer.

Whether ML-KEM itself holds

SIKE was a NIST finalist broken in 2022 by purely classical math (Castryck–Decru). ML-KEM and ML-DSA have survived more scrutiny, but no algorithm is proven secure forever. This is why NIST mandates hybrid deployments and crypto agility.

Whether your specific finding is exploitable

Not every flagged algorithm in your repo is actually reachable by an attacker. A static scanner cannot know runtime context. Treat findings as priorities, not as proof of compromise.

What it costs to wait

Migration is cheaper before the regulator calls

These are qualitative — every organization is different. But the pattern across past crypto deprecations (SHA-1, RC4, TLS 1.0) is consistent.

Done progressively, over 18–24 months

Inventory → prioritization → library upgrade → hybrid deployment → cutover. Fits into normal release cycles. Engineering cost looks like a tech-debt sprint.

Done reactively, after an audit finding

Multiple teams pulled in parallel, external consultants billed, freeze on shipping features until compliance is restored. Routinely 5–10× the progressive cost.

Done after a breach

Add legal, PR, regulatory disclosure, customer notification, and possible class actions. The migration itself becomes a footnote on a much larger bill.

The audit trail compounds

An organization that has a 2026 CBOM + DORA report on file walks into any future audit with a defensible position. One that doesn't, starts every conversation from scratch.

Next step

See where your stack stands today

A scan of one repository takes about 90 seconds and exports a CBOM (CycloneDX 1.7) plus a DORA-aligned PDF. Free for design partners.