The timelines for post-quantum cryptography are tightening, and the real threat surface extends far beyond decrypting old data. In this episode of Shielded: The Last Line of Cyber Defense, host Jo Lintzen speaks with Konstantinos Karagiannis, Director of Quantum Computing Services at Protiviti and host of The Post-Quantum World podcast, about the attacker’s perspective on quantum risk and why the world must plan for more than harvest-now-decrypt-later. Konstantinos explains why harvest-now-forge-later attacks on code signing, software supply chains, and blockchain consensus represent the most powerful quantum-enabled vectors, and how the emerging five-day rule for breaking RSA-2048 reshapes threat modeling and urgency. Expect practical direction on identifying crown jewels, demanding vendor clarity, building crypto inventory, and framing post-quantum migration as a core cyber resilience priority rather than a future experiment.
As quantum computing advances, organizations can no longer view post-quantum cryptography as a future project. In this episode of Shielded: The Last Line of Cyber Defense, Konstantinos Karagiannis, Director of Quantum Computing Services at Protiviti, lays out a practical and attacker-focused perspective on preparing for the quantum era. Konstantinos explains why the industry’s fixation on harvest-now-decrypt-later misses the most serious exposure: harvest-now-forge-later, where quantum capability targets the foundation of digital trust through attacks on code signing, software update channels, and blockchain consensus mechanisms. He introduces the emerging Five-Day Rule, informed by recent research indicating that a cryptographically relevant quantum machine could break RSA-2048 in roughly five days, reshaping assumptions about risk and timelines. The discussion expands to the potential instability of blockchain networks, such as proof-of-stake systems reliant on BLS signatures, and the broader implications for market integrity and digital identity. Konstantinos outlines the steps security leaders must take now: identify crown-jewel assets, conduct a full cryptographic inventory, evaluate exposure windows, and demand clear post-quantum plans from vendors. The lesson: post-quantum migration is a core cyber resilience program that must begin immediately, supported by real posture measurement and actionable timelines.
What You’ll Learn:
- The difference between harvest-now-decrypt-later and harvest-now-forge-later
- Why code signing and supply-chain trust models are the most critical targets
- How the five-day rule reframes attacker capability planning
- Why blockchain & BLS signatures represent high-impact quantum risk
- Why cryptographically relevant machines will be operated by nation states and major crime rings
- How PQC migration aligns with existing cyber resilience practices
- Why crown jewel analysis and crypto inventory must start immediately
- How to evaluate vendors and avoid vague timelines
- Why PQC will become invisible infrastructure within the next few years
Konstantinos Karagiannis is the Director of Quantum Computing Services at Protiviti, where he leads efforts helping organizations develop real quantum use cases in optimization, machine learning, and simulation, and build realistic paths toward post-quantum cryptography migration. He has been with Protiviti for more than six years, serving previously as Associate Director of Quantum Computing Services. Before Protiviti, Konstantinos spent 13 years at BT, where he served as CTO of the Security Consulting Practice for BT Americas, and earlier as Global Technical Lead for Ethical Hacking, leading red-team operations and advanced cryptographic security testing.
He is the host of Protiviti’s “Post Quantum World” podcast, and was recently featured at DEFCON with his talk “Post-Quantum Panic: When will the cracking begin, and can we detect it?” His work focuses on building real quantum computing solutions today while preparing enterprises for the accelerating risks of Q-Day.
Your Roadmap to Quantum Resilience
[05:26] Step 1: Separate HNDL from HNFL -
Konstantinos reframes quantum risk by challenging the narrow industry focus on harvest-now-decrypt-later (HNDL). Decrypting old emails years from now is far less damaging than the real threat: harvest-now-forge-later (HNFL), where attackers use quantum capability to forge identities, break code-signing foundations, and compromise the software supply chain. This shifts the threat from exposure of data to the collapse of trust. When an attacker becomes the authoritative sender, such as Microsoft, Apple, a firewall vendor, or a banking platform, the attack scales instantly, bypasses controls, and moves invisibly. This is not about curiosity or espionage; it is about control and reach, where one forged update compromises millions of systems in minutes.
Key Question: Where does your organization implicitly trust signed updates or machine identities, and who validates the integrity of that trust boundary today?
[07:34] Step 2: Apply the Five-Day Rule -
Konstantinos introduces what he calls the Five-Day Rule, based on recent research suggesting that a cryptographically relevant quantum computer could break RSA-2048 using roughly 1,399 logical qubits in around five days. This turns timelines from theoretical decades into an operational window that security and architecture teams must model now. Five days changes the logic of risk, pushing leaders to assess which secrets, keys, and operational identities remain valuable within that timeframe. Financial transactions may expire quickly, but the keys protecting critical infrastructure, identity infrastructures, government systems, long-life intellectual property, or blockchain consensus remain valuable long after they are created.
Key Question: If a key protecting your most sensitive systems could be broken in five days, what response tempo, controls, and contingency paths would you rely on?
[13:28] Step 3: Model Code-Signing Blast Radius -
From his offensive-security perspective, Konstantinos explains that attackers will go after code-signing keys and update channels first, because those are the levers that unlock systemic access. Compromising a single vendor’s signing key turns a routine software update into a global breach. Unlike decrypting a single intercepted email, forging an update affects entire fleets of devices at once: laptops, networking gear, operational systems, and cloud workloads. Supply-chain attacks such as SolarWinds and ShadowHammer demonstrated the scale of trust-based compromise without any quantum capability. Quantum only removes the barrier of needing privileged access. The blast radius is not linear; it grows exponentially.
Key Question: If a major vendor in your environment silently lost control of its signing key, which systems would accept the update without verification, and how quickly would you detect the first signal of compromise?
[16:27] Step 4: Include Blockchain and Market Stability -
Konstantinos expands the discussion beyond enterprise IT into blockchain and digital asset ecosystems. Vulnerable Bitcoin wallets using reused or exposed addresses could be drained by recovering their private keys from the exposed public keys. More significantly, proof-of-stake networks such as Ethereum rely on BLS signatures to establish validator identity and consensus. Breaking those signatures enables attackers to hijack consensus, manipulate network governance, or destabilize price confidence. The consequences go far beyond theft. The damage includes global market volatility, reputational collapse, and loss of institutional trust. Even the credible announcement that such capability exists could move markets, without a full attack ever executing.
Key Question: Where is your organization exposed, directly or indirectly, to digital assets, transaction flows, or reputational dependence on market stability?
[30:53] Step 5: Turn Quantum Risk Into Cyber Resilience -
Konstantinos emphasises that preparing for post-quantum migration begins with security fundamentals: catalogue your cryptography, identify crown-jewel systems, evaluate exposure lifespans, and map relationships between systems, third parties, and identity flows. This reframes PQC from a cryptographic experiment into a disciplined cyber resilience program grounded in visibility and sequencing. Teams must understand what they protect, how long those assets remain valuable, and where control layers converge. This requires more than technical transition; it demands ownership, governance, and prioritisation. A successful roadmap depends on clarity of dependencies before cryptography is swapped.
Key Question: Can you produce a precise and current map of every key, certificate, algorithm, and dependency protecting your core services, and prioritise change based on exposure rather than convenience?
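One way to turn the inventory and exposure-window reasoning of Steps 2 and 5 into something a team can run is a small triage script over the crypto inventory. This is an added example, not material from the episode or Protiviti; the inventory records, the vulnerable-algorithm set, the CRQC arrival date and the forge-versus-decrypt purpose mapping are all constructed assumptions to be replaced with your own data.

```python
"""Triage a cryptographic inventory against quantum exposure windows.

Added example with constructed data; the rule sets below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Public-key schemes a cryptographically relevant quantum computer (CRQC)
# breaks via Shor's algorithm. Assumed set; extend to match your inventory.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "BLS", "Ed25519", "X25519"}
# Key purposes where a break lets an attacker forge (HNFL) rather than decrypt (HNDL).
FORGE_PURPOSES = {"code-signing", "firmware-signing", "machine-identity", "validator"}
FIVE_DAY_RULE = timedelta(days=5)  # assumed time to break one RSA-2048 key on a CRQC

@dataclass
class KeyRecord:
    name: str
    algorithm: str
    purpose: str
    in_use_until: date    # last day this key is trusted to sign or authenticate
    protects_until: date  # last day the data behind this key still matters

@dataclass
class Finding:
    name: str
    threat: str        # "HNFL", "HNDL" or "none"
    exposure_days: int # days the asset stays exposed after the first feasible break
    priority: str      # "critical", "high", "low" or "pqc-ready"

def triage(rec: KeyRecord, crqc_date: date) -> Finding:
    """Classify one record against an assumed CRQC availability date."""
    if rec.algorithm not in QUANTUM_VULNERABLE:
        return Finding(rec.name, "none", 0, "pqc-ready")
    first_break = crqc_date + FIVE_DAY_RULE
    if rec.purpose in FORGE_PURPOSES:
        threat, horizon = "HNFL", rec.in_use_until   # forgery needs a still-trusted key
    else:
        threat, horizon = "HNDL", rec.protects_until  # decryption needs still-valuable data
    exposure = (horizon - first_break).days
    if exposure <= 0:
        return Finding(rec.name, threat, 0, "low")  # asset expires before it can be broken
    return Finding(rec.name, threat, exposure, "critical" if threat == "HNFL" else "high")

def triage_inventory(records, crqc_date: date):
    order = {"critical": 0, "high": 1, "low": 2, "pqc-ready": 3}
    return sorted((triage(r, crqc_date) for r in records),
                  key=lambda f: (order[f.priority], -f.exposure_days))

SAMPLE = [  # constructed inventory, not real keys
    KeyRecord("update-signing-root", "RSA", "code-signing", date(2035, 1, 1), date(2035, 1, 1)),
    KeyRecord("web-tls-2025", "ECDSA", "tls", date(2026, 6, 1), date(2026, 6, 1)),
    KeyRecord("hr-archive-wrap", "RSA", "data-at-rest", date(2026, 1, 1), date(2040, 1, 1)),
    KeyRecord("api-gateway-2026", "ML-DSA", "tls", date(2027, 1, 1), date(2027, 1, 1)),
]

def demo(crqc_iso: str = "2030-01-01"):
    """Run the constructed sample against an assumed CRQC date (ISO string)."""
    return triage_inventory(SAMPLE, date.fromisoformat(crqc_iso))

if __name__ == "__main__":
    for f in demo():
        print(f"{f.priority:10} {f.threat:5} {f.exposure_days:6}d  {f.name}")
```

The ordering puts forgeable signing and identity keys ahead of long-lived data keys, matching the episode's argument that HNFL, not HNDL, is where the crown jewels sit.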
[33:27] Step 6: Demand Specifics from Vendors -
Third-party vendors are central to PQC readiness, but vague statements such as “investigating PQC” provide no protection. Konstantinos urges organizations to demand version-level commitments, timelines, supported PQC algorithms, and attestation paths. Roadmaps must include implementation dates, hybrid-mode support windows, and performance characteristics. Accountability now sits across the entire supply chain, and cryptographic dependencies extend far beyond internal engineering. This is a procurement, legal, and architectural negotiation that requires clarity and documentation, not aspiration. Silence is risk; specificity is control.
Key Question: Do your vendor agreements require measurable and dated PQC milestones, or do you rely on trust without validated evidence?
Episode Resources
Want exclusive insights on quantum migration? Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.