The Quantum Clock Is Ticking: Why Every Enterprise Needs a Cryptographic Bill of Materials
Shor's algorithm will break RSA, ECDSA, and Diffie-Hellman. The question isn't if — it's whether you'll have visibility into your cryptographic exposure before it happens.
The $4.2 Trillion Blind Spot in Software Security
Your SCA tool knows every npm package in your codebase. Your SBOM catalogues every dependency. But ask a simple question — "Where in our code are we using RSA?" — and you'll get silence.
Enterprise software supply chains have been exhaustively mapped through Software Composition Analysis (SCA) and Software Bills of Materials (SBOMs). We can tell you that your Node.js application uses lodash@4.17.21 and that it has three known CVEs. But we cannot tell you that the same application calls crypto.createHash('md5') on line 47 of your authentication service — or that your firmware signing uses an RSA-2048 key that will be worthless when quantum computers arrive.
This is the cryptographic visibility gap, and it affects every enterprise on the planet.
Today, three forces are converging to make this gap existentially dangerous:
1. The Quantum Threat is no longer theoretical. NIST finalized post-quantum cryptography standards FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024. Federal agencies face a 2030 deadline for migration. The NSA's CNSA 2.0 mandates full deprecation of classical asymmetric algorithms by 2035. These deadlines exist because intelligence agencies believe cryptographically relevant quantum computers (CRQCs) are achievable within that window.
2. Harvest Now, Decrypt Later (HNDL) is happening today. State-sponsored adversaries are capturing encrypted communications right now — banking transactions, healthcare records, military communications, vehicle telemetry — with the intent to decrypt them once quantum computing matures. If your data has a shelf life longer than 10 years, it's already at risk.
3. Regulation has arrived. The EU Cyber Resilience Act (CRA), UNECE R155 for automotive, ISO 21434, and U.S. Executive Orders on PQC migration all mandate cryptographic governance. Non-compliance risks market access, type-approval denials, and procurement exclusion.
⚠️ The Core Problem
You can't migrate cryptography you can't see. Traditional application security tools — Snyk, Checkmarx, SonarQube — scan dependencies. They have zero visibility into the cryptographic algorithms embedded in your application code. This is the gap that CBOM and QBOM close.
CBOM — The Cryptographic Bill of Materials
A Cryptographic Bill of Materials (CBOM) is a structured, machine-readable inventory of every cryptographic algorithm, hash function, cipher, and key-generation routine found in an application's source code. Think of it as the "nutrition label" for your codebase's cryptographic health.
Just as an SBOM tells you which open-source packages your application uses, a CBOM tells you which cryptographic algorithms your application calls — down to the exact file path, line number, and severity classification.
What a CBOM Detects
| Algorithm | Severity | Why It's Dangerous | Remediation |
|---|---|---|---|
| DES | CRITICAL | 56-bit key. Brute-forcible in hours on commodity hardware. | → AES-256-GCM |
| RC4 | CRITICAL | Stream cipher with known statistical biases. Banned by RFC 7465. | → AES-256-GCM |
| MD5 | HIGH | Collision attacks practical since 2004 (Wang et al.). | → SHA-256 / SHA-3 |
| 3DES | HIGH | 64-bit block size enables Sweet32 attack. NIST deprecated 2023. | → AES-256 |
| SHA-1 | MEDIUM | Collision demonstrated (SHAttered, 2017). Deprecated by NIST. | → SHA-256 / SHA-3 |
| Blowfish | MEDIUM | 64-bit block. Birthday-bound attack after 2³² blocks. | → AES-256 |
| RSA-1024 | HIGH | Below NIST minimum. Factoring with academic resources feasible. | → RSA-2048+ / Ed25519 |
How It Works: The Precogs CBOM Scanner
The Precogs CBOM scanner is a deterministic, rule-based engine that uses curated regex pattern dictionaries to identify deprecated cryptographic usage. No AI. No probability. No hallucination. The same code always produces the same findings.
Here's what a real detection looks like. The scanner finds hashlib.md5 being used for firmware integrity verification — a critical security flaw:
```python
# firmware/verify.py — ECU integrity verification
import hashlib

def verify_firmware_integrity(firmware_data, expected_hash):
    """Verify firmware hasn't been tampered with."""
    digest = hashlib.md5(firmware_data).hexdigest()  # ← CBOM: MD5 HIGH
    return digest == expected_hash
```
The finding output is a structured JSON object with exact location, severity, and remediation guidance — ready for CycloneDX CBOM export (ECMA-424 standard):
```json
{
  "algorithm": "MD5",
  "severity": "HIGH",
  "reason": "Collision-vulnerable hash. Migrate to SHA-256+",
  "file": "firmware/verify.py",
  "line": 6
}
```
QBOM — The Quantum Bill of Materials
While CBOM identifies classically broken cryptography (MD5, DES, RC4), QBOM goes further — it identifies cryptographic algorithms that are secure today but will be completely broken by quantum computers.
In 1994, Peter Shor demonstrated that a sufficiently large quantum computer can solve integer factorisation and the discrete logarithm problem in polynomial time. This single breakthrough invalidates the mathematical hardness assumptions underlying every widely-deployed asymmetric cryptographic system:
| Algorithm | Category | Quantum Status | Attack Vector | Replace With |
|---|---|---|---|---|
| RSA (all sizes) | Asymmetric | BROKEN | Shor's — polynomial-time factoring | ML-KEM (FIPS 203) |
| ECDSA | Signatures | BROKEN | Shor's — discrete log on elliptic curves | ML-DSA (FIPS 204) |
| ECDH | Key Exchange | BROKEN | Shor's — ECDLP | ML-KEM (FIPS 203) |
| Diffie-Hellman | Key Exchange | BROKEN | Shor's — discrete log in Zₚ* | ML-KEM (FIPS 203) |
| DSA | Signatures | BROKEN | Shor's — already deprecated by NIST | ML-DSA (FIPS 204) |
| Ed25519 | Signatures | BROKEN | Shor's — ECDLP on Curve25519 | SLH-DSA (FIPS 205) |
✅ Quantum-Safe Algorithms (Not Flagged)
AES-256 remains safe — Grover's algorithm only halves the security to 128-bit, which is still computationally infeasible. SHA-256, SHA-384, SHA-512, and SHA-3 are practically quantum-safe. The NIST PQC standards — ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+) — are quantum-safe by design.
The NIST Post-Quantum Standards
On August 13, 2024, NIST finalized three landmark post-quantum cryptographic standards. These are not theoretical — they are ratified, production-ready replacements for RSA, ECDSA, and Diffie-Hellman:
FIPS 203 — ML-KEM (Kyber)
Module-Lattice-Based Key Encapsulation Mechanism. Replaces RSA key exchange and ECDH for key agreement. Based on the hardness of the Module Learning With Errors (MLWE) problem.
FIPS 204 — ML-DSA (Dilithium)
Module-Lattice-Based Digital Signature Algorithm. Primary replacement for RSA and ECDSA signatures. Fast verification, compact signatures, strong security proofs.
FIPS 205 — SLH-DSA (SPHINCS+)
Stateless Hash-Based Digital Signature Algorithm. Conservative backup for ML-DSA. Security relies only on hash function properties — mathematically simpler trust assumptions.
FIPS 206 — FN-DSA (FALCON) [Draft]
NTRU-lattice-based signature scheme. Currently in draft. Offers the most compact signatures of any PQC scheme — ideal for bandwidth-constrained environments like IoT and automotive.
Post-Quantum Readiness (PQR) Score
The QBOM tells you what is vulnerable. The Post-Quantum Readiness (PQR) Score tells you how ready you are to survive the quantum transition.
Precogs computes a continuous 0–100 PQR Score for every scanned repository. The algorithm is deliberately simple and transparent — designed for board-level reporting and ISO 21434 auditing:
```python
score = 100
score -= quantum_vulnerable_count * 15  # Each quantum-vulnerable algo = major deduction
score -= deprecated_classic_count * 5   # Deprecated classic crypto = moderate deduction
score = max(0, score)

# Risk Classification:
#   80-100 → LOW risk (quantum-ready)
#   50-79  → MEDIUM risk (migration needed)
#   0-49   → HIGH risk (critical exposure)
```
A typical enterprise codebase with 3 RSA usages and 2 MD5 instances would score: 100 − (3 × 15) − (2 × 5) = 45/100 — HIGH risk.
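The regex-rule scanning described earlier and the PQR formula above can be combined in one small sketch. This is an added example, not Precogs code: the rule set, the extra `bucket` field, the use of the table's "BROKEN" status as a severity, and the skipping of whole-line comments are all assumptions, and the sample source is constructed.

```python
import json
import re
# Hypothetical rule set (an assumption, not the vendor's): regex, algorithm, severity,
# bucket ("classic" = CBOM, "quantum" = QBOM, severity "BROKEN" from the table), reason.
RULES = [(re.compile(p), a, s, b, r) for p, a, s, b, r in [
    (r"hashlib\.md5\b|createHash\(\s*['\"]md5['\"]", "MD5", "HIGH", "classic",
     "Collision-vulnerable hash. Migrate to SHA-256+"),
    (r"hashlib\.sha1\b|createHash\(\s*['\"]sha1['\"]", "SHA-1", "MEDIUM", "classic",
     "Collision demonstrated. Migrate to SHA-256 / SHA-3"),
    (r"\brsa\.generate_private_key\b|\bRSA\.generate\b", "RSA", "BROKEN", "quantum",
     "Shor's algorithm. Migrate to ML-KEM (FIPS 203)"),
    (r"\bec\.ECDSA\(", "ECDSA", "BROKEN", "quantum",
     "Shor's algorithm. Migrate to ML-DSA (FIPS 204)"),
]]

def scan(path, source):
    """Return one finding per rule hit, in the JSON shape shown on this page."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comment: commented-out code is not a usage
        for rx, algo, sev, bucket, reason in RULES:
            if rx.search(line):
                findings.append({"algorithm": algo, "severity": sev, "reason": reason,
                                 "file": path, "line": lineno, "bucket": bucket})
    return findings

def pqr_score(findings):
    """PQR formula from this page: -15 per quantum-vulnerable, -5 per deprecated."""
    quantum = sum(f["bucket"] == "quantum" for f in findings)
    classic = sum(f["bucket"] == "classic" for f in findings)
    score = max(0, 100 - quantum * 15 - classic * 5)
    risk = "LOW" if score >= 80 else "MEDIUM" if score >= 50 else "HIGH"
    return score, risk

# Constructed sample input (not from a real repository).
SAMPLE = '''import hashlib
from cryptography.hazmat.primitives.asymmetric import rsa, ec

# old: hashlib.md5(data) was used here as well
def verify(data, expected):
    return hashlib.md5(data).hexdigest() == expected
signing_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
sig = ecu_key.sign(data, ec.ECDSA(hashes.SHA256()))
'''

if __name__ == "__main__":
    found = scan("firmware/verify.py", SAMPLE)
    print(json.dumps(found, indent=2), pqr_score(found))
```

Line-based regex matching like this cannot see algorithms chosen at runtime, such as a hash name read from configuration, so an empty result is not proof that the algorithm is absent.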
📊 Why a Simple Score Matters
CISOs don't need a PhD in lattice-based cryptography. They need a number. PQR translates complex quantum-vulnerability analysis into a single metric that can be tracked over time, compared across business units, and reported to the board. It's the cryptographic equivalent of a credit score.
The Migration Timeline
- August 2024 — NIST Finalizes FIPS 203, 204, 205: First production-ready post-quantum standards released. Migration can officially begin.
- 2026 — Now — Inventory & Discovery Phase: Organizations must catalogue all cryptographic usage. CBOM/QBOM scanning enables this. Hybrid approaches (classical + PQC) begin deployment.
- 2030 — Federal Migration Deadline: U.S. federal agencies and contractors must transition sensitive systems to PQC. OMB M-23-02 directive.
- 2035 — CNSA 2.0 Full Deprecation: NSA mandates complete deprecation of RSA, ECDSA, DH for all national security systems. Classical asymmetric cryptography becomes non-compliant.
Why Precogs Is Different
There are a handful of CBOM tools emerging — IBM's CBOMkit, O3 Security, Encryption Consulting. Here's why Precogs stands apart:
100% Deterministic
Pure regex pattern matching. No AI in the detection loop means zero hallucination, zero false positives from model drift. hashlib.md5 is always MD5.
Zero Data Exfiltration
Scans run entirely in-memory. Source code is never persisted, transmitted externally, or used for training. Safe for air-gapped and classified environments.
Fully Auditable
ISO 21434 assessors can inspect the exact regex rule that triggered each finding. Complete, deterministic audit trail with zero black-box components.
CycloneDX Native
Output in CycloneDX CBOM format (ECMA-424). Open standard. Zero vendor lock-in. Machine-readable for GRC and compliance tooling.
Unified Platform Advantage
Unlike standalone CBOM tools, Precogs integrates cryptographic discovery into the same platform that provides SCA (dependency scanning), SBOM generation, AI-BOM, SAST, and autonomous penetration testing. One scan. One dashboard. Complete supply chain visibility — from npm packages to quantum-vulnerable RSA keys.
Start Your Cryptographic Inventory Today
Get a complete CBOM, QBOM, and PQR assessment for your codebase in under 60 seconds.
NIST FIPS 203/204/205 references are sourced from official NIST publications. CycloneDX is a trademark of OWASP Foundation.

