Harvest Now, Decrypt Later: The Quantum Threat to Your Data Today
Your encrypted traffic from today is sitting in a database. Waiting.
Harvest Now, Decrypt Later (HNDL) is an attack strategy where adversaries intercept and store encrypted data today, then decrypt it when quantum computers become powerful enough to break the encryption. The data does not need to be decryptable now. It just needs to be valuable later.
This is the single most urgent reason to adopt post-quantum cryptography today — not in 2030, not when quantum computers arrive, but right now.
How the Attack Works
The HNDL attack is disarmingly simple. It requires four steps, and the first three are already happening.
Step 1: Intercept encrypted traffic. An adversary captures your encrypted network traffic. This requires access to a network tap, a compromised router, or cooperation from a backbone provider. Encrypted traffic transits dozens of networks between your server and your users. Each hop is an interception opportunity.
Step 2: Store everything. Cloud storage costs roughly $20 per terabyte per year. An adversary with nation-state resources can store petabytes of encrypted traffic indefinitely. The cost of storage drops every year, but the value of the data may increase.
Step 3: Wait. The stored ciphertext is useless today. The adversary cannot break the encryption with any current technology. They are investing in the future.
Step 4: Decrypt with a quantum computer. When a cryptographically relevant quantum computer arrives, the adversary breaks the key exchange (RSA or ECDH) used to establish each session. Once the session key is recovered, the AES encryption falls trivially — the adversary has the key. Every stored session is decrypted in bulk.
Interception is cheap and scalable. Storage is cheap and getting cheaper. The only expensive part — building a quantum computer — is being funded by governments and major technology companies worldwide. The adversary bets pennies today for potentially enormous value tomorrow.
Who Is Doing This?
HNDL is not a theoretical exercise. Government intelligence agencies have the motivation, the resources, and the infrastructure to execute this strategy at scale.
The NSA's CNSA 2.0 guidance (published September 2022) explicitly acknowledges the quantum threat to currently deployed cryptographic systems. It sets migration deadlines for U.S. national security systems — a clear signal that the agency considers the threat actionable today, not in some distant future.
CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has published guidance urging critical infrastructure operators to begin post-quantum migration. Their reasoning: migration takes years, and starting after quantum computers arrive is too late.
The implications extend beyond government. If Western intelligence agencies are urgently migrating their own systems, their adversaries are almost certainly collecting encrypted traffic for future decryption. The cost-benefit strongly favors collection: wasted storage is cheap, but access to years of previously unreadable intelligence is invaluable.
State-sponsored groups with long-term intelligence goals operate on decade-long timelines. A few terabytes of encrypted diplomatic communications, healthcare data, or financial records cost almost nothing to store — and could yield enormous intelligence dividends once quantum decryption becomes feasible.
What Data Is at Risk?
Not all data carries HNDL risk equally. The key factor is confidentiality lifetime — how long the data must remain secret.
| Data Type | Confidentiality Lifetime | HNDL Risk |
|---|---|---|
| Medical records | 50+ years | Critical |
| Trade secrets / intellectual property | Indefinite | Critical |
| Government classified information | Decades | Critical |
| Financial transactions | 7+ years | High |
| Personal communications | Variable | High |
| Authentication tokens | Hours to days | Low |
| Marketing analytics | Months | Low |
The rule of thumb: if your data must stay confidential for more than 5 years, it is at risk today. A quantum computer does not need to exist right now. It needs to exist before the data's confidentiality requirement expires.
Healthcare records generated today must remain confidential for the patient's lifetime plus a regulatory retention period — easily exceeding 50 years. Trade secrets have no expiration date. Financial records are subject to retention requirements measured in decades.
Why Traditional Encryption Fails
Your application probably uses TLS 1.3, which encrypts traffic with AES-256. AES-256 is quantum-safe. So why is your data at risk?
The key exchange is the weak link. AES-256 encrypts your data, but before encryption begins, both parties must agree on a shared secret key. This agreement happens through a key exchange algorithm — typically ECDH (Elliptic Curve Diffie-Hellman) in TLS 1.3.
ECDH is based on the elliptic curve discrete logarithm problem, which Shor's algorithm solves efficiently. An adversary who captured the TLS handshake can later use a quantum computer to recover the ECDH shared secret, derive the AES session key, and decrypt the entire session.
The red component — ECDH key exchange — is the single point of quantum vulnerability. The green components — AES-256 encryption and your data — are safe if the key exchange is safe.
AES-256 is fine. The problem is how you agreed on the AES key. Replace ECDH with Kyber768 (ML-KEM-768), and the entire chain becomes quantum-safe.
How to Protect Against HNDL
The defense is straightforward: replace quantum-vulnerable components with quantum-safe alternatives. Four actions, in order of priority.
1. Replace Key Exchange with Kyber768
Kyber768 (ML-KEM-768, standardized as FIPS 203) replaces ECDH for key encapsulation. It is based on lattice mathematics — a class of problems no known quantum algorithm can efficiently solve. Qpher provides Kyber768 key encapsulation through a simple API.
2. Replace Signatures with Dilithium3
Dilithium3 (ML-DSA-65, standardized as FIPS 204) replaces ECDSA and RSA signatures. Quantum-forged signatures could tamper with data in transit, impersonate services, and forge audit trails. Qpher provides Dilithium3 signatures through the Signature API.
3. Re-encrypt Historical Sensitive Data
Data previously encrypted with RSA or ECDH key exchange and stored (database backups, archived records, encrypted files at rest) should be re-encrypted using quantum-safe key encapsulation. Securely destroy the old ciphertext after re-encryption.
4. Start Now
Cryptographic migration is not a weekend project. It involves auditing every system that uses asymmetric cryptography, selecting replacement algorithms, updating clients and servers, testing interoperability, and deploying across your infrastructure. This is a multi-month effort for even small organizations.
Run pqc-check on your project to identify every file that uses quantum-vulnerable cryptographic patterns. It takes 30 seconds and gives you a concrete starting point for your migration plan.
Next Steps
You now understand the quantum threat (from Quantum Computing 101) and why it is urgent today. The next article covers the standards that define the solution: NIST's post-quantum cryptography standards, finalized in August 2024.
Ready to protect your data now? The Qpher Quickstart guide walks you through your first quantum-safe API call in under 5 minutes.