What QorTrace defends against
Six institutional threat surfaces drive every audit, scan, and BOM we generate. This page is the canonical reference auditors and regulators link to when they need to know what we model and what we explicitly don't.
Methodology version: qortrace:methodology_version = qortrace-method-v0.1

QorTrace assumes the eventual existence of a cryptographically-relevant quantum computer (CRQC) capable of running Shor's algorithm at scale. We do not attempt to predict the year. We do model the consequences as if it happens earlier than vendors admit. Every threat below is scored under that assumption.
Institutional crypto inventory · scored by severity
Harvest Now, Decrypt Later (HNDL)
State-level adversaries are already capturing TLS / VPN / RPC traffic, signed transactions, and encrypted backups. When a cryptographically-relevant quantum computer (CRQC) arrives, today's RSA-2048 / ECDSA / X25519 ciphertexts become retroactively decryptable. Anything with a long secrecy half-life — IP, M&A, custody key recovery, regulatory filings — is exposed today, even before a CRQC exists.
Blockchain Cryptographic Primitives
ECDSA (BTC/ETH/BSC/Tron), EdDSA (Solana/Stellar/Cosmos), Schnorr (Taproot), and BLS (Ethereum consensus, Chia, ZK rollups) are all broken by Shor's algorithm. Hash functions (SHA-256, Keccak-256) are weakened by Grover's algorithm to ~128-bit security. Public-key exposure timing varies by address type.
KMS / HSM Key Inventory
Institutions accumulate cryptographic keys across AWS KMS, Azure Key Vault, GCP KMS, on-prem HSMs (Thales, Entrust, AWS CloudHSM), and bespoke key escrow services. Each key has a generation algorithm, key length, rotation cadence, and a downstream blast-radius. We help you inventory which keys protect what, and which ones become quantum-vulnerable on day one of a CRQC.
Certificate / PKI Inventory
Enterprise PKI sprawls across internal CAs, public CAs, mTLS certs, code-signing certs, S/MIME, and IoT device identities — each with its own RSA/ECDSA dependency. We map your certificate inventory against PQ-readiness: which certs need hybrid issuance now, which need pure ML-DSA at next rotation, which can wait until 2030.
Vendor & Supply-Chain Cryptography
Your TLS terminator, payment gateway, identity provider, code-signing toolchain, observability stack, and HSM vendor all bring their own cryptographic primitives. A single vendor still on RSA-2048 in 2031 is a single point of HNDL exposure for your entire institution. We track vendor PQ-readiness publicly and integrate roadmap signals into your inventory.
Migration & Compliance Windows
NSA CNSA 2.0 mandates PQ adoption for NSS by 2030 (software/firmware) and 2035 (hardware). FFIEC examiners expect documented crypto-agility plans now. EU DORA (Jan 2025) requires ICT third-party risk reporting. The window to inventory → migrate → re-certify is shorter than vendors admit; we sequence migration so the highest-risk assets move first.
Schnorr / Ed25519 / BLS are not quantum-safe. All three rely on the discrete-log problem and are broken by Shor's algorithm. NIST-finalized replacements (ML-DSA / SLH-DSA / Falcon) are operational today; STARKs are PQ-safe by construction.
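The following Python sketch is an added illustration, not QorTrace's own code or schema: it classifies a constructed key/certificate inventory under the CRQC-present assumption above (Shor-broken public-key schemes, Grover-halved symmetric and hash security, NIST-finalized PQ schemes) and then sequences migration so the highest-risk assets move first. The sequencing policy (hybrid issuance now for HNDL-exposed encryption keys, pure PQ at next rotation for signing keys, "now" when rotation misses the CNSA 2.0 2030 software date) and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum


class QStatus(Enum):
    """Classification buckets used by this example (assumed, not a QorTrace schema)."""
    SHOR_BROKEN = "broken by Shor"          # factoring / discrete-log public-key schemes
    GROVER_WEAKENED = "weakened by Grover"  # symmetric ciphers and hashes: ~half the bits
    PQ_SAFE = "post-quantum safe"           # NIST-finalized lattice / hash-based schemes
    UNKNOWN = "unknown"                     # not in the model: an inventory gap


# Algorithm families named on the page, normalised to upper-case tokens.
SHOR_BROKEN = {"RSA", "ECDSA", "EDDSA", "ED25519", "X25519", "ECDH", "DH", "SCHNORR", "BLS"}
GROVER_WEAKENED = {"AES", "SHA-256", "SHA-3", "KECCAK-256", "CHACHA20", "HMAC-SHA256"}
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "FALCON"}

CNSA2_SOFTWARE_DEADLINE = 2030  # NSA CNSA 2.0 software/firmware date cited on the page


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    bits: int             # key length, hash width, or claimed level for PQ schemes
    purpose: str          # "encryption" (confidentiality) or "signing"
    secrecy_horizon: int  # year until which the protected data must stay secret
    next_rotation: int    # year of the next scheduled key/cert rotation


def classify(algorithm: str, bits: int) -> tuple[QStatus, int]:
    """Map an algorithm to (status, effective security bits under a CRQC).

    Shor reduces factoring/discrete-log schemes to 0 bits; Grover roughly
    halves symmetric/hash security (SHA-256 -> ~128, as the page states);
    PQ-safe schemes keep their claimed level in this model.
    """
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return QStatus.SHOR_BROKEN, 0
    if alg in GROVER_WEAKENED:
        return QStatus.GROVER_WEAKENED, bits // 2
    if alg in PQ_SAFE:
        return QStatus.PQ_SAFE, bits
    return QStatus.UNKNOWN, 0


def migration_action(asset: Asset, today: int = 2025) -> tuple[int, str]:
    """Return (rank, action) for one asset; rank 0 is the most urgent.

    Assumed sequencing policy for this example:
      - Shor-broken key protecting data that must stay secret beyond today:
        already HNDL-exposed, so hybrid issuance now.
      - Other Shor-broken keys: pure PQ at next rotation, or now if that
        rotation falls after the CNSA 2.0 software deadline.
      - Grover-weakened primitive below 128 effective bits: upsize at rotation.
    """
    status, eff_bits = classify(asset.algorithm, asset.bits)
    if status is QStatus.SHOR_BROKEN:
        if asset.purpose == "encryption" and asset.secrecy_horizon > today:
            return 0, "hybrid issuance now (HNDL exposure)"
        if asset.next_rotation > CNSA2_SOFTWARE_DEADLINE:
            return 1, "pure PQ replacement now (rotation misses CNSA 2.0 2030)"
        return 2, "pure PQ at next rotation"
    if status is QStatus.GROVER_WEAKENED and eff_bits < 128:
        return 3, f"upsize at next rotation ({eff_bits}-bit effective)"
    if status is QStatus.UNKNOWN:
        return 4, "unclassified: inventory gap"
    return 5, "no action"


def sequence(assets: list[Asset], today: int = 2025) -> list[tuple[str, str]]:
    """Order the inventory highest-risk first (rank, then name) as (name, action)."""
    ranked = sorted(assets, key=lambda a: (migration_action(a, today)[0], a.name))
    return [(a.name, migration_action(a, today)[1]) for a in ranked]


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Asset("backup-kms-key", "RSA", 2048, "encryption", 2040, 2027),
    Asset("tls-terminator", "X25519", 256, "encryption", 2026, 2026),
    Asset("code-signing-cert", "ECDSA", 256, "signing", 2025, 2026),
    Asset("iot-device-identity", "RSA", 2048, "signing", 2025, 2032),
    Asset("legacy-aes-128", "AES", 128, "encryption", 2030, 2028),
    Asset("ledger-hash", "SHA-256", 256, "signing", 2025, 2026),
    Asset("firmware-signer", "ML-DSA", 192, "signing", 2025, 2029),
    Asset("custom-kdf", "VENDOR-KDF", 0, "encryption", 2030, 2030),
]

if __name__ == "__main__":
    for name, action in sequence(SAMPLE_INVENTORY):
        print(f"{name:22} {action}")
```

The two HNDL-exposed encryption keys sort to the top regardless of their rotation dates, the RSA IoT identity outranks the ECDSA code-signing cert only because its next rotation falls after 2030, and the unclassified vendor KDF is surfaced as an inventory gap rather than silently scored as safe.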
What QorTrace does not claim to model
Audit-grade credibility means publishing what we don't cover too.
- Operational security at the user level — social engineering, credential phishing, OS-level malware, insider exfiltration. These are non-cryptographic attack vectors handled by IAM / EDR / SOC vendors.
- Implementation bugs in NIST-finalized algorithms — we audit which algorithms you use, not whether your implementation has a side-channel CVE. Vendor security advisories cover that.
- Quantum-day prediction — we don't tell you when a CRQC will exist. We model the consequences as if it already does.
- Non-cryptographic financial risk — counterparty default, smart-contract economic exploits, market risk. Out of scope.
Want to audit yourself against this model?
Run a free scan. Every BOM we generate stamps qortrace:methodology_version = qortrace-method-v0.1 so your auditor can verify exactly which threat model the report was generated under.