Post-Quantum AI Cryptography Exploitation Engine — break AI agent trust before the quantum transition does.
SPECTER QUANTA targets the quantum cryptography vulnerability window — the period between now and when organisations migrate to post-quantum cryptography. AI agent deployments using classical Ed25519, ECDSA, and RSA signing are retroactively vulnerable to Harvest-Now-Decrypt-Later (HNDL) attacks. Every signed attestation stored today is recoverable by a quantum adversary.
The tool demonstrates that classical-signature-based AI agent trust architectures — SPIFFE SVIDs, KYA tokens, A2A identities, MCP server certificates, M99 Doomsday authorisations, RED SCORE reports — can be proven quantum-vulnerable before ANSSI's 2027 certification deadline and EU AI Act Article 50 digital signature requirements.
NIST FIPS 204: ML-DSA-65 signatures are 3,309 bytes — 52× larger than Ed25519 64-byte signatures. All classical signing in AI pipelines must migrate. ANSSI certification deadline: 2027. EU AI Act Article 50: August 2026.
| Attack | Algorithm | Qubits Required | Impact |
|---|---|---|---|
| Shor's — ECDSA/Ed25519 | P-256, Curve25519 | ~2,330–4,096 | Private key recovery from public key |
| Shor's — RSA-2048 | RSA-2048 | ~4,096 | Factor n, recover private key |
| Grover's — SHA-1 | SHA-1 | ~160 | Halves security → 40-bit effective |
| HNDL — All classical | Any classical | None (store now) | Retroactive decryption of stored ciphertext |
Detect classical cryptographic algorithms across AI deployment configurations. 15 algorithm patterns (Ed25519, ECDSA-P256/384, RSA variants, RS256/ES256/HS256, ML-DSA-44/65/87, Falcon-512/1024, SPHINCS+). 8 context detection patterns (M99/Doomsday, RED SCORE, ARMORY, SPIFFE/KYA, A2A, MCP, JWT, attestation). Builds quantum vulnerability inventory with HNDL risk flags.
Force classical certificate acceptance where PQC is expected. JWT algorithm downgrade (RS256/ES256/HS256/none accepted where ML-DSA-65 required). TLS certificate classical cipher suite acceptance. MCP server RSA-2048/Ed25519 certificate substitution. Agent attestation algorithm downgrade. Each returns DowngradeResult with attack_path and severity.
Test classical signature acceptance in agent-to-agent attestation. SPIFFE SVID ECDSA-P256 acceptance. KYA token ES256/RS256 bypass. A2A agent identity classical signing. OAuth JWT classical algorithm bypass. NHI service account token classical signing. All return AttestationResult with trust_chain_compromised flag and bypass impact.
Validate ML-DSA/Falcon/SPHINCS+ implementation. Checks ML-DSA-65 key sizes (pk=1952, sk=4000, sig=3309 bytes per NIST FIPS 204). Falcon-512/1024 detection. Classical fallback path analysis. Readiness score 0–100. Live ML-DSA stub signing and verification path validation.
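
A verifier-side gate for the downgrade cases and signature-size checks described above, as an added Python example (not SPECTER QUANTA's own code). It rejects any token whose header `alg` is not the required ML-DSA parameter set or whose signature length does not match FIPS 204. Using `ML-DSA-65` as the JWT `alg` string and the helper `make_sample_token` are assumptions.

```python
import base64
import json

# Signature sizes in bytes per NIST FIPS 204.
ML_DSA_SIG_BYTES = {"ML-DSA-44": 2420, "ML-DSA-65": 3309, "ML-DSA-87": 4627}


def _b64url_decode(segment):
    """Decode an unpadded base64url segment."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def precheck_token(token, required_alg="ML-DSA-65"):
    """Return (ok, reason). Structural gate only: it does not verify the
    signature, so real ML-DSA verification must still follow a pass."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a three-part compact token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable header or signature"
    alg = header.get("alg") if isinstance(header, dict) else None
    # Exact match: RS256, ES256, HS256, "none" and case variants all fail.
    if alg != required_alg:
        return False, f"alg {alg!r} rejected, {required_alg} required"
    expected = ML_DSA_SIG_BYTES[required_alg]
    if len(signature) != expected:
        return False, f"signature is {len(signature)} bytes, expected {expected}"
    return True, f"structure consistent with {required_alg}"


def make_sample_token(alg, sig_len):
    """Constructed sample: zero-filled signature, not a valid signature."""
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = json.dumps({"alg": alg, "typ": "JWT"}).encode()
    return ".".join([enc(header), enc(b'{"sub":"agent-1"}'), enc(b"\x00" * sig_len)])


if __name__ == "__main__":
    for alg, size in [("ML-DSA-65", 3309), ("RS256", 256), ("none", 0), ("ML-DSA-65", 64)]:
        print(alg, size, precheck_token(make_sample_token(alg, size)))
```
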
Identify quantum-vulnerable cryptographic parameters. RSA <3072 (CRITICAL — Shor's requires ~4096 qubits), RSA <4096 (HIGH). ECDSA P-192/P-256/P-384 (CRITICAL — ~2330 logical qubits). SHA-1/MD5 deprecated hashes (Grover halves security). Ed25519 Curve25519 ECDLP (CRITICAL). All with ANSSI 2027 non-compliance flag.
Validate hybrid Ed25519 + ML-DSA-65 signature implementation. Tests both classical and quantum-safe signing/verification paths. Verifies ML-DSA-65 signature byte size (3,309 bytes per FIPS 204). Tamper detection via HMAC-based comparison. Identifies deployments without hybrid scheme during migration period.
Prove trust architecture quantum collapse. Demonstrates classical signature chain forgery in test environment. Proves M99 Doomsday Protocol authorisation is quantum-vulnerable. Proves RED SCORE report evidence chain retroactively forgeable. Proves MCP server certificate impersonation. All 5 WMD classes triggered. Requires SURGERY gate + ROE + Ed25519 key + typed confirmation phrase.
QNT-{hex12} Ed25519-signed session reports with optional ML-DSA-65 dual-signature. Risk score 0–100 (CRITICAL×20 + HIGH×10 + MEDIUM×5). NIST FIPS 203/204/205 compliance block. ANSSI 2027 readiness flag. EU AI Act Article 50 compliance assessment. Migration priority list by algorithm risk level.
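
The parameter rules and the report's risk formula described above, as an added Python example (not SPECTER QUANTA's own code): it applies the stated RSA and curve thresholds to a config dict and scores the findings as CRITICAL×20 + HIGH×10 + MEDIUM×5. The `hash` config key, the HIGH severity for SHA-1/MD5 and the cap at 100 are assumptions.

```python
CRITICAL, HIGH, MEDIUM = "CRITICAL", "HIGH", "MEDIUM"
WEIGHTS = {CRITICAL: 20, HIGH: 10, MEDIUM: 5}      # weights from the report formula
ORDER = {CRITICAL: 0, HIGH: 1, MEDIUM: 2}
SHOR_CURVES = {"P-192", "P-256", "P-384", "CURVE25519", "ED25519"}
DEPRECATED_HASHES = {"SHA-1", "SHA1", "MD5"}


def flag_parameters(config):
    """Return a list of (severity, parameter, reason) for one config dict."""
    findings = []
    bits = config.get("rsa_key_bits")
    if isinstance(bits, int) and not isinstance(bits, bool):
        if bits < 3072:
            findings.append((CRITICAL, f"RSA-{bits}", "RSA below 3072 bits"))
        elif bits < 4096:
            findings.append((HIGH, f"RSA-{bits}", "RSA below 4096 bits"))
        # The page states no rule for RSA >= 4096, so nothing is flagged here.
    for key in ("curve", "signing_algorithm"):
        value = str(config.get(key, "")).upper()
        if value in SHOR_CURVES:
            findings.append((CRITICAL, value, f"{key} relies on ECDLP"))
    digest = str(config.get("hash", "")).upper()   # "hash" key is an assumption
    if digest in DEPRECATED_HASHES:
        # Severity for deprecated hashes is not given on the page; HIGH assumed.
        findings.append((HIGH, digest, "deprecated hash"))
    return findings


def risk_score(findings):
    """CRITICAL*20 + HIGH*10 + MEDIUM*5, capped to the 0-100 range (assumed cap)."""
    return min(100, sum(WEIGHTS[sev] for sev, _, _ in findings))


def migration_priority(findings):
    """Order findings by severity, most urgent first (stable within a level)."""
    return sorted(findings, key=lambda f: ORDER[f[0]])


if __name__ == "__main__":
    # Constructed sample config, reusing the key names from the CLI examples.
    sample = {"rsa_key_bits": 3072, "curve": "P-256",
              "signing_algorithm": "Ed25519", "hash": "SHA-1"}
    found = flag_parameters(sample)
    print(risk_score(found))
    for severity, parameter, reason in migration_priority(found):
        print(severity, parameter, reason)
```
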
⚠ SURGERY gate — Highest gate tier above UNLEASHED. Requires: Ed25519 signing key (QUANTA_SIGNING_KEY) + ROE file containing "quantum trust architecture validation authorised" + typed confirmation phrase "I UNDERSTAND THIS WILL IRREVERSIBLY PROVE TRUST ARCHITECTURE FAILURE". Produces irreversible proof that deployment trust architecture collapses under quantum attack.
The SURGERY gate is required for SURGERY-VALIDATE because this subsystem produces legally and operationally significant evidence — proof that your AI deployment's trust architecture cannot withstand quantum cryptography attacks. This evidence is irreversible in the sense that once produced, it proves the vulnerability existed at the time of assessment.
```bash
specter-quanta surgery-validate \
  --target '{"kill_switch_signing_algorithm": "Ed25519"}' \
  --confirm-destroy \
  --surgery-key "$QUANTA_SIGNING_KEY" \
  --roe-file /path/to/roe.txt
```
| Parameter Set | Public Key | Secret Key | Signature | Security Level |
|---|---|---|---|---|
| ML-DSA-44 | 1,312 bytes | 2,528 bytes | 2,420 bytes | NIST Level 2 |
| ML-DSA-65 | 1,952 bytes | 4,000 bytes | 3,309 bytes | NIST Level 3 |
| ML-DSA-87 | 2,592 bytes | 4,864 bytes | 4,627 bytes | NIST Level 5 |
| Ed25519 (classical) | 32 bytes | 64 bytes | 64 bytes | ~128-bit classical |
ML-DSA-65 signatures are 52× larger than Ed25519. AI pipeline latency and storage impacts must be accounted for in migration planning.
```bash
pip install specter-quanta

# Generate Ed25519 signing key
specter-quanta generate-key

# Enumerate classical crypto in deployment
specter-quanta enumerate --target '{"signing_algorithm": "Ed25519", "jwt_alg": "RS256"}'

# Test downgrade vectors (INJECT gate)
specter-quanta downgrade-test --target '{"accepted_algorithms": ["RS256", "ES256"]}'

# Scan PQC readiness
specter-quanta pqc-readiness --target '{"signing_algorithm": "ML-DSA-65"}' --parameter-set ML-DSA-65

# Flag vulnerable parameters
specter-quanta parameter-flag --config '{"rsa_key_bits": 2048, "curve": "P-256"}'

# Validate dual-signature implementation
specter-quanta dual-sign-validate --message "agent attestation payload"

# Retrieve report
specter-quanta report --session QNT-abc123def456
```
M103 QUANTUM AI SECURITY ENGINE — runtime quantum cryptography compliance enforcement for AI agent deployments.