person Tute World Team

Harvest Now, Decrypt Later

The most counterintuitive insight in post-quantum security: the quantum threat to encrypted data is already here — even though large-scale quantum computers don't exist yet. It's called "harvest now, decrypt later," and it changes the urgency calculation completely.

What is Harvest Now, Decrypt Later?

The attack strategy is simple: collect encrypted data today, and decrypt it later when quantum computers are capable enough.

Today's network-level adversaries (nation-states, intelligence agencies, sophisticated criminal groups) can intercept and store encrypted traffic at scale. The data is encrypted with RSA or ECC keys — unbreakable today. But once a sufficiently powerful quantum computer exists, they can retroactively apply Shor's algorithm and decrypt everything they've collected.

Now (2025)
Adversary intercepts and stores encrypted TLS traffic, emails, VPN sessions, government communications. It's all ciphertext — unreadable today.
~2035–2040?
Quantum computers capable of running Shor's algorithm at scale become available. Adversary applies them to the stored ciphertext and retroactively reads years of private communications.
The key insight: The encryption being broken in the future protects communications from today. The attack doesn't require breaking encryption in real-time — just storing encrypted data and waiting. Every day that passes without migrating to post-quantum cryptography is another day of data being collected for future decryption.

What Data is Being Targeted?

Not all data has long-term value. The threat is most serious for data that needs to remain confidential for 10–20+ years:

High Risk (Keep Secret for Decades)

  • Government classified communications
  • Military intelligence
  • Diplomatic cables
  • Intelligence sources and methods
  • Critical infrastructure controls

Medium Risk

  • Medical records (HIPAA retention: decades)
  • Legal documents and attorney-client privilege
  • Merger and acquisition strategy
  • Intellectual property and patents
  • Long-term financial plans

Lower Risk

  • Shopping cart transactions
  • Casual social media messages
  • Short-lived session data
  • Public-facing web content

Is This Actually Happening?

We can't know for certain — intelligence collection at this scale is classified. But there is substantial evidence that nation-state actors are collecting data for future decryption:

The NSA Utah Data Center

The NSA's 1.5 million square foot data center in Bluffdale, Utah, opened in 2013, is designed to store massive amounts of internet traffic. Its exact capacity is classified, but estimates suggest it can store exabytes to zettabytes of data. The Snowden revelations confirmed mass collection of internet metadata and content.

SNDL programs

Multiple intelligence agencies are believed to run "Store Now, Decrypt Later" (SNDL) programs specifically designed to collect today's encrypted traffic for quantum decryption. The US government's NSM-10 (National Security Memorandum 10, 2022) explicitly references this threat and mandates federal agency migration to post-quantum cryptography.

The US government says so: NSM-10 (May 2022) states: "A cryptographically relevant quantum computer could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions." And the mandate to migrate has already begun.

What Can You Do About It?

The answer is to migrate to post-quantum cryptography before quantum computers arrive — so that the data being collected today is protected by algorithms that even future quantum computers can't break.

Immediate actions for organizations:

  • Inventory cryptographic assets: Identify every place RSA and ECC are used (TLS, VPNs, certificates, code signing, email encryption, etc.)
  • Prioritize long-lived secrets: Start migration with data that needs to stay secret longest
  • Enable hybrid key exchange in TLS: Browsers and web servers can use both ECDH and ML-KEM simultaneously — data is protected even if one is broken
  • Plan for crypto-agility: Build systems that can swap algorithms without full rewrites
  • Follow NIST guidance: Use FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for signatures

Frequently Asked Questions

Does migrating to post-quantum TLS today protect data collected in the past?

No. Data already collected in the past remains protected only by the encryption used at the time of collection. If that was RSA or ECDH, it will be vulnerable to future quantum computers. Migrating now only protects new traffic going forward. This is why earlier migration is better — every day you delay adds more data to the vulnerable pile.

What about perfect forward secrecy? Doesn't that help?

Perfect forward secrecy (PFS) prevents a stolen long-term private key from retroactively decrypting past sessions. But Shor's algorithm doesn't need to steal the private key — it recomputes it from the public key in the TLS handshake. PFS doesn't help against "harvest now, decrypt later" when Shor's is involved. The session keys are derived from the ECDH handshake — which Shor's can break.

Is this only a government concern, or should businesses care too?

Businesses in sensitive industries (defense contractors, pharma R&D, financial institutions, critical infrastructure operators, law firms) should care now. For most consumer-facing businesses, the urgency is lower — but regulatory requirements are already emerging. The EU Cybersecurity Agency (ENISA) and NIST both recommend businesses begin PQC planning regardless of industry, given the long migration timelines involved.

← Grover's Algorithm Next: Phase 4 — Post-Quantum Cryptography →

Frequently Asked Questions

What will I learn here?

This page covers the core concepts and techniques you need to understand the topic and progress confidently to the next lesson.

How should I use this page?

Start with the overview, then follow the section links to deepen your understanding. Use the table of contents on the right to jump to specific sections.

What should I read next?

Use the navigation below to continue to the next lesson or explore related topics.