Quantum Sequrity

Posted on • Originally published at quantumsequrity.com

Harvest Now, Decrypt Later: The Quantum Threat Timeline

A Scenario That Is Already Playing Out

Imagine a foreign intelligence service tapping into the undersea fiber optic cables that carry international internet traffic. They record everything: encrypted emails between diplomats, encrypted file transfers between defense contractors, encrypted video calls between corporate executives. They cannot read any of it. The encryption is strong. So they store it all on arrays of hard drives in a government data center and wait.

Five years pass. Ten years. Fifteen years. Then their quantum computing program produces a machine powerful enough to run Shor's algorithm against RSA-2048. In a matter of hours, they begin decrypting the archived traffic. Diplomatic cables from a decade ago reveal negotiating positions that are still politically sensitive. Defense contractor communications expose weapons system vulnerabilities that have not been patched. Corporate communications reveal trade secrets that are still commercially valuable.

This is the "harvest now, decrypt later" (HNDL) attack. It is not a future threat. It is a present reality.

"Harvest Now, Decrypt Later" (HNDL)
Collect encrypted data today. Store it in data centers. Wait for quantum computers to mature. Decrypt everything retroactively. The cost of storage is negligible compared to the intelligence value of the decrypted data.

Who Is Doing This?

Any organization with both the technical capability to intercept internet traffic and the storage capacity to keep it is a potential HNDL actor. In practice, this means nation-state intelligence agencies.

The NSA's activities in this area were partially disclosed through the Snowden revelations in 2013, which documented programs for mass collection of encrypted internet traffic and phone metadata. The Utah Data Center in Bluffdale, which became operational in 2014, was built with storage capacity estimated in the exabyte to yottabyte range. The stated purpose: to store and process signals intelligence.

But the United States is not alone. China, Russia, the United Kingdom, France, Israel, and other nations operate signals intelligence programs with similar capabilities. China in particular has invested heavily in both quantum computing research (the University of Science and Technology of China has published significant results in quantum supremacy demonstrations) and submarine cable tapping capabilities. In 2023, researchers from the Chinese Academy of Sciences published a paper claiming progress toward breaking RSA with quantum annealing techniques, though the claims were met with skepticism by Western cryptographers.

Non-state actors are also relevant. Organized cybercrime groups may not have the resources for mass traffic interception, but they can target specific high-value individuals or organizations and store encrypted data from targeted attacks.

What Types of Data Are Being Targeted?

Storage costs have plummeted. A petabyte of hard drive storage costs under $20,000 at current prices. For a national intelligence agency with a multi-billion-dollar budget, storing years of intercepted traffic is a rounding error. The types of data most valuable in an HNDL context include:

  • Diplomatic communications: Negotiating positions, alliance discussions, intelligence assessments. These can remain sensitive for decades. Knowing what one country's diplomats said privately 15 years ago can provide enormous leverage in current negotiations.
  • Military and defense communications: Weapons system specifications, deployment plans, intelligence reports. Classified information can remain sensitive for 25 to 75 years depending on classification level.
  • Corporate intellectual property: Trade secrets, pharmaceutical research data, semiconductor designs, merger/acquisition plans. Industrial espionage has direct economic value, and some trade secrets remain valuable indefinitely (the formula for Coca-Cola has been a trade secret for over 130 years).
  • Healthcare data: Patient records, genetic information, mental health records. Under HIPAA, protected health information must remain confidential for the patient's lifetime. Genetic data is sensitive across generations.
  • Legal communications: Attorney-client privileged communications, litigation strategy, regulatory compliance discussions. Exposure of these could compromise ongoing legal proceedings or enable extortion.
  • Financial data: High-value transaction details, trading strategies, account information. While individual credit card numbers expire, patterns of financial behavior and institutional trading strategies have longer-term value.
  • Personal communications of public figures: Politicians, journalists, activists, religious leaders. Private conversations from years ago can be weaponized for political manipulation or blackmail.

The Quantum Threat Timeline

The critical question for HNDL is not "will quantum computers break encryption" (they will) but "when." Several organizations have published estimates:

| Source | Estimate | Context |
| --- | --- | --- |
| Global Risk Institute (2023 survey) | 50% probability by 2033 | Survey of 37 quantum computing experts |
| NIST (2016) | 15-20 years from 2016, so 2031-2036 | Rationale for beginning PQC standardization |
| NSA CNSA 2.0 (2022) | Mandated PQC transition by 2035 | All National Security Systems must migrate |
| Google Quantum AI (2024) | Willow chip: 105 qubits with error correction below threshold | Key milestone toward fault-tolerant quantum computing |

The honest answer is that nobody knows exactly when. Quantum computing has had false starts and unexpected breakthroughs. But the consensus is that the window is somewhere between 2030 and 2040, and the consequences of being wrong on the optimistic side are catastrophic and irreversible. Once data has been decrypted, you cannot un-decrypt it.

Mosca's Theorem: A Framework for Urgency

In 2015, Dr. Michele Mosca of the University of Waterloo's Institute for Quantum Computing proposed a simple framework for evaluating the urgency of post-quantum migration. It is sometimes called "Mosca's inequality" or "Mosca's theorem," and it uses three variables:

  • X = the number of years the data must remain secure (its "shelf life")
  • Y = the number of years it will take to fully migrate your systems to post-quantum cryptography
  • Z = the number of years until a cryptographically relevant quantum computer (CRQC) exists

The rule is straightforward: if X + Y > Z, you should have already started migrating.

Let us work through a concrete example. A hospital encrypts patient records that must remain confidential for 50 years (X = 50). Migrating all their systems to post-quantum cryptography will take 5 years (Y = 5). If a quantum computer arrives in 15 years (Z = 15), then X + Y = 55, which is far greater than Z = 15. The hospital needed to start migrating decades ago. Even if the quantum computer is 30 years away, 50 + 5 = 55 is still greater than 30.

For a technology company with trade secrets that need 10 years of protection (X = 10), a 2-year migration timeline (Y = 2), and a quantum computer arriving in 15 years (Z = 15), X + Y = 12, which is less than 15. They have a bit of breathing room, but not much. And if Z turns out to be 10 instead of 15, they are already too late.

The key insight of Mosca's theorem is that the migration timeline Y is the variable most under your control. You cannot speed up or slow down quantum computing research. You cannot reduce how long your data needs protection. But you can start migrating earlier, which shrinks the Y that remains in your risk equation.
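Because Z is uncertain, it helps to evaluate the inequality over a range of estimates for every data set in an inventory. The following is an added example, not code from the original article; the `Asset` class and function names are hypothetical, and the two assets and the Z values (10, 15, 30) are the ones used in the worked examples above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life: float   # X: years the data must stay confidential
    migration: float    # Y: years needed to finish migrating to PQC

def exposure_years(asset, z):
    """Years the data is still sensitive but already decryptable: X + Y - Z, floored at 0."""
    return max(0.0, asset.shelf_life + asset.migration - z)

def migration_budget(asset, z):
    """Largest Y that still satisfies X + Y <= Z. Negative: no migration is fast enough."""
    return z - asset.shelf_life

def assess(assets, z_estimates):
    """Rank assets by worst-case exposure across all estimates of Z."""
    rows = []
    for a in assets:
        worst = exposure_years(a, min(z_estimates))   # CRQC arrives early
        best = exposure_years(a, max(z_estimates))    # CRQC arrives late
        if best > 0:
            verdict = "late under every estimate"
        elif worst > 0:
            verdict = "late if Z is early"
        else:
            verdict = "within margin"
        rows.append((a.name, worst, best, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Values taken from the hospital and technology-company examples in the text.
ASSETS = [
    Asset("tech company trade secrets", shelf_life=10, migration=2),
    Asset("hospital patient records", shelf_life=50, migration=5),
]
Z_ESTIMATES = [10, 15, 30]

if __name__ == "__main__":
    for name, worst, best, verdict in assess(ASSETS, Z_ESTIMATES):
        print(f"{name}: exposed {best:g} to {worst:g} years ({verdict})")
```
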

Why Current Encryption Cannot Be Saved

A common question is: "Can we just use bigger RSA keys?" The answer is no. Shor's algorithm breaks RSA in polynomial time, meaning the attack scales efficiently with key size. Doubling the RSA key size does not double the time to break it. It merely adds a modest amount to the quantum computation. No practical RSA key size can withstand Shor's algorithm.

The same applies to elliptic curve cryptography (ECDH, ECDSA, Ed25519, X25519). Shor's algorithm for discrete logarithms breaks all elliptic curve key sizes. There is no "quantum-resistant curve." The mathematical structure that makes elliptic curves efficient for cryptography is the same structure that makes them vulnerable to quantum attack.

Symmetric encryption (AES) is a different story. AES-256 remains secure against quantum computers. Grover's algorithm provides only a quadratic speedup, reducing AES-256 to an effective security level equivalent to AES-128. This is still more than sufficient. The weak link is the key exchange that establishes the AES session key. If the key exchange uses RSA or ECDH, an attacker who records the exchange can later use a quantum computer to extract the AES key and decrypt everything.

This is precisely why HNDL is such a potent strategy. The attacker does not need to break AES. They need to break the key exchange. And every key exchange recorded today using RSA or ECDH is a future target.

The Signal Protocol: A Case Study in Proactive Defense

Signal Messenger, used by journalists, activists, and millions of privacy-conscious individuals worldwide, provides an instructive example of how seriously the HNDL threat is taken.

In 2023, Signal updated its protocol to include post-quantum key exchange (PQXDH). The protocol combines X25519 (classical) with a post-quantum key encapsulation mechanism. Signal's engineering team acknowledged that encrypted messages sent today could be recorded by adversaries and decrypted in the future. By adding post-quantum protection now, Signal ensures that messages exchanged from this point forward are protected against both current and future threats.

The key insight from Signal's decision: they did not wait for quantum computers to exist. They did not wait for a confirmed HNDL attack. They looked at the mathematics, looked at the threat model, and acted preemptively. Signal's user base includes dissidents, whistleblowers, and journalists whose communications could be sensitive for decades. Waiting would have been irresponsible.

Google Chrome took a similar approach, deploying hybrid ML-KEM + X25519 key exchange in TLS 1.3 connections. When you visit a website using Chrome, your browser now establishes a post-quantum-protected connection by default. The decision was driven by the same HNDL logic: TLS traffic recorded today could be decrypted when quantum computers arrive, so the protection needs to be in place before that happens.

How Long Does Data Actually Need Protection?

Most people underestimate the sensitivity lifetime of their data. Consider these real-world requirements:

  • HIPAA (US health data): Covered entities must protect individually identifiable health information for the life of the patient plus additional years. For a 25-year-old, that could mean 70+ years.
  • GDPR (EU personal data): Personal data must be protected for as long as it can identify a living individual. There is no fixed time limit.
  • US government classified information: Automatic declassification occurs at 25 years for most documents, but Restricted Data (nuclear weapons), intelligence sources and methods, and certain categories can be classified for 50 to 75 years or indefinitely.
  • Attorney-client privilege: Survives the death of the client and has no expiration date in most jurisdictions.
  • Trade secrets: Protected as long as the information remains secret and provides competitive advantage. Can be indefinite.

For most sensitive data, the protection lifetime exceeds the expected arrival of quantum computers. This means HNDL is not a theoretical risk. It is an active, measurable gap in current security postures.

The Economics of HNDL: Why Storage Costs Make It Inevitable

One reason HNDL is so dangerous is that the economics overwhelmingly favor the attacker. Consider the cost equation:

A petabyte (one million gigabytes) of hard drive storage costs up to roughly $20,000 at enterprise pricing. For a nation-state intelligence agency with a budget measured in billions of dollars, this is insignificant. The entire annual internet traffic of a medium-sized country could be stored for a few million dollars, which is a rounding error in an intelligence budget.

Meanwhile, the value of the decrypted data is enormous. Diplomatic cables can shift geopolitical negotiations. Military communications can expose vulnerabilities in weapons systems. Corporate communications can reveal trade secrets worth billions. A single intercepted merger/acquisition negotiation could be worth more than the entire storage infrastructure.

The cost-benefit analysis is simple: storage is cheap, data is priceless, and patience is free. Any rational actor with the capability to intercept encrypted traffic has a strong incentive to do so, even if they cannot decrypt it for another decade.

This asymmetry is what makes HNDL fundamentally different from other security threats. Most attacks require breaking in now, and the defender's job is to make that prohibitively expensive or difficult. With HNDL, the attacker only needs to collect and wait. The defender's job is to ensure that waiting does not help, and the only way to do that is to use encryption that quantum computers cannot break.

What You Can Do About It

The good news: the solution already exists. NIST standardized ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) specifically to address the quantum threat. These algorithms use mathematical problems (lattice problems, hash functions) that quantum computers cannot solve efficiently.

For Data at Rest (Files on Disk)

  1. Identify files with long sensitivity lifetimes. Medical records, legal documents, financial records, personal archives, trade secrets.
  2. Re-encrypt using quantum-safe algorithms. Files encrypted with GPG (RSA), VeraCrypt, or other classical tools should be re-encrypted. QNSQY uses ML-KEM + X25519 hybrid encryption, protecting against both classical and quantum threats.
  3. Encrypt before uploading to cloud storage. Do not rely on the cloud provider's encryption. Encrypt locally with quantum-safe tools first, then upload the encrypted file. Even if the provider is compromised, the file remains protected.

For Data in Transit (Network Communications)

  1. Adopt TLS 1.3 with post-quantum key exchange. Google Chrome and Cloudflare have already deployed ML-KEM in TLS. As browser and server support expands, data in transit will be protected.
  2. Minimize sensitive data transmission. If data does not need to cross a network, do not send it. Process sensitive data locally whenever possible.
  3. Use post-quantum VPN configurations. Some VPN providers are beginning to offer post-quantum key exchange. Evaluate your VPN provider's cryptographic roadmap.
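To verify which of your own TLS 1.3 sessions actually negotiated a hybrid group, read the selected group from the ServerHello, which is sent unencrypted and so is visible in any packet capture. This is an added example, not code from the original article: the function names are hypothetical, the two handshakes are constructed with zeroed key material, and the group codepoints are those of the IANA TLS Supported Groups registry.

```python
import struct

# TLS Supported Groups codepoints: (name, includes an ML-KEM/Kyber component)
GROUPS = {
    0x0017: ("secp256r1", False),
    0x001D: ("x25519", False),
    0x11EC: ("X25519MLKEM768", True),
    0x6399: ("X25519Kyber768Draft00", True),
}

def negotiated_group(record):
    """Return the key_share group chosen in a TLS 1.3 ServerHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x02:    # handshake record, ServerHello
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                   # legacy_version + random
        pos += 1 + body[pos]                           # legacy_session_id_echo
        pos += 2 + 1                                   # cipher_suite + compression method
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 51:                         # key_share: selected group is first
                return struct.unpack_from("!H", body, pos + 4)[0]
            pos += 4 + ext_len
    except (IndexError, struct.error):                 # truncated capture
        pass
    return None

def classify(record):
    """Label one recorded handshake by how its session key was protected."""
    gid = negotiated_group(record)
    if gid is None:
        return ("none", "no TLS 1.3 key_share: inspect manually")
    name, hybrid = GROUPS.get(gid, (f"0x{gid:04x}", None))
    if hybrid is None:
        return (name, "unrecognised group")
    return (name, "hybrid post-quantum" if hybrid else "classical only: harvestable")

def sample_server_hello(group, share_len):
    """Build a constructed ServerHello record with a zeroed random and key share."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HH", 43, 2) + b"\x03\x04"    # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 51, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed samples: one classical and one hybrid handshake.
CLASSICAL = sample_server_hello(0x001D, 32)
HYBRID = sample_server_hello(0x11EC, 1120)
```
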

For Archived Data

  1. Audit existing encrypted archives. Any backup or archive encrypted with RSA or ECDH key exchange is vulnerable to HNDL. Create an inventory.
  2. Re-encrypt archives with post-quantum algorithms. This is the most labor-intensive step but also the most critical. Every day an RSA-encrypted archive remains accessible to an adversary is another day it could be harvested.
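For GPG-encrypted files, the audit in step 1 (and step 1 of the data-at-rest list) can start from the file header: each recipient's public-key algorithm is stored unencrypted in the session-key packets that lead the message. This is an added example, not code from the original article; the function names are hypothetical, the samples are constructed, and it assumes binary (not ASCII-armored) OpenPGP files with version 3 session-key packets.

```python
# Public-key algorithm IDs (RFC 4880 / RFC 6637); all rest on factoring or discrete logs.
PK_ALGOS = {1: "RSA", 2: "RSA", 16: "Elgamal", 18: "ECDH"}

def packets(data):
    """Yield (tag, body) for each definite-length OpenPGP packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data) and data[pos] & 0x80:
        hdr = data[pos]
        pos += 1
        if hdr & 0x40:                               # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                return                               # partial body length: bulk data reached
        else:                                        # old-format header
            tag, ltype = (hdr & 0x3C) >> 2, hdr & 0x03
            if ltype == 3:
                return                               # indeterminate length: bulk data reached
            nbytes = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_algorithms(data):
    """Algorithms of the v3 public-key session-key packets (tag 1) leading a message."""
    found = []
    try:
        for tag, body in packets(data):
            if tag not in (1, 3):                    # past the session-key packets
                break
            if tag == 1 and len(body) >= 10 and body[0] == 3:
                found.append(PK_ALGOS.get(body[9], f"algorithm {body[9]}"))
    except IndexError:                               # truncated header
        pass
    return found

# Constructed samples: zero-filled key IDs and session-key bytes, not real ciphertext.
_PKESK = b"\x03" + bytes(8) + b"\x01" + bytes(258)   # v3, key ID, algorithm 1 (RSA), MPI
RSA_ARCHIVE = b"\x85" + len(_PKESK).to_bytes(2, "big") + _PKESK + b"\xd2\x05" + bytes(5)
PASSPHRASE_ARCHIVE = b"\x8c\x04\x04\x09\x00\x02" + b"\xd2\x05" + bytes(5)
```

A non-empty result means the file's session key is wrapped with a classical public-key algorithm and belongs on the re-encryption inventory; an empty result (as for the passphrase-only sample) means no such packet was found.
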

The Irreversibility Problem

What makes HNDL uniquely dangerous, compared to other security threats, is its irreversibility. Most cyberattacks can be mitigated after the fact. If a hacker steals your password, you change it. If malware infects your computer, you can reformat and restore from backup. If a database is breached, the organization can issue new credentials.

HNDL offers no such remediation. Once encrypted data has been recorded by an adversary, there is no way to "un-record" it. Even if you switch to quantum-safe encryption tomorrow, every byte of classically encrypted data that has already been transmitted and captured remains vulnerable. The encryption was applied at the time of transmission, and it cannot be retroactively strengthened.

This creates a permanent, growing stockpile of potentially decryptable data. Every day that passes without quantum-safe encryption adds to that stockpile. Every email sent with classical TLS, every file transferred over a classical VPN, every backup uploaded with RSA-based encryption becomes another entry in the adversary's collection.

The only defense against HNDL is prevention. Use quantum-safe encryption before the data is transmitted. Once it is in transit with classical protection, the window for protection has closed. This is the fundamental reason that every major security organization urges immediate action rather than a wait-and-see approach.

Sources

  1. NIST Post-Quantum Cryptography FAQ
  2. NSA CNSA 2.0: Commercial National Security Algorithm Suite 2.0 FAQ
  3. Global Risk Institute: Quantum Threat Timeline Report (2023)
  4. NIST IR 8105: Report on Post-Quantum Cryptography
  5. Mosca, M. "Cybersecurity in an Era with Quantum Computers." Global Risk Institute (2015)
