Your Data Is Already Being Stolen: Understanding the Harvest Now, Decrypt Later Threat

Posted by Qpher, 1mo ago

The Attack That’s Already Happening

Imagine this scenario: a state-sponsored intelligence agency intercepts encrypted communications from a major financial institution. The encryption is strong — RSA-2048, AES-256. Today, it’s unbreakable. So the agency does something simple: it stores everything and waits.

This isn’t a hypothetical. Intelligence agencies, sophisticated threat actors, and nation-states are actively harvesting encrypted data right now, betting that quantum computers will eventually crack it open. This strategy has a name: Harvest Now, Decrypt Later (HNDL).

Why Quantum Changes Everything

Classical public-key cryptography — RSA, Diffie-Hellman, and elliptic curve cryptography — relies on two mathematical problems: integer factorization and discrete logarithms. These problems are computationally infeasible for today’s computers. A sufficiently powerful quantum computer running Shor’s algorithm could solve both problems efficiently, breaking every cryptosystem built on them.

To be precise: the quantum threat targets asymmetric cryptography — the key exchange and digital signatures that protect data in transit. Symmetric encryption like AES-256 remains quantum-resistant (Grover’s algorithm only halves the effective key length, making AES-256 roughly equivalent to AES-128, which is still secure). But here’s the critical point: if the key exchange that establishes the AES session key is compromised, the symmetric encryption provides no protection. The attacker recovers the session key and decrypts everything.

The exact timeline for a cryptographically relevant quantum computer (CRQC) is debated, but the trajectory is clear enough that governments are already acting. NIST published its first three post-quantum cryptography standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — in August 2024, with additional standards still in development (FN-DSA/Falcon and HQC). The NSA’s CNSA 2.0 guidance sets hard deadlines: software and firmware signing must use quantum-resistant algorithms by 2030, web browsers and cloud services by 2033, and full migration of all national security systems by 2035.

The Data Shelf Life Problem

Not all data needs quantum protection today. But consider what does: financial records (regulatory retention: 7+ years), healthcare data (HIPAA: 6+ years, patient lifetime in practice), government classified information (decades), intellectual property and trade secrets (value measured in years), and personal identity data (permanent).

If your data’s value outlasts the arrival of a CRQC — and most expert assessments place that within 10–15 years — then the risk isn’t when quantum computers arrive. It’s today, while that data is being captured in transit.
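The shelf-life argument above is Mosca's inequality (shelf life + migration time versus CRQC arrival). The following is an added example, not code from the post, that carries it through with the figures the post gives; the 30-year value for "decades" and the infinite value for "permanent" are assumptions made here.

```python
import math

# Ranges stated in the post: CRQC within 10-15 years, 6-12 months to build PQC
# infrastructure. Shelf lives for the post's data classes; "decades" for classified
# information is assumed here to be 30 years, "permanent" is modelled as infinite.
CRQC_ARRIVAL_YEARS = (10.0, 15.0)
MIGRATION_YEARS = 1.0
SHELF_LIFE_YEARS = {
    "financial records": 7.0,
    "healthcare data": 6.0,           # HIPAA floor; patient lifetime in practice
    "classified information": 30.0,   # assumed value for "decades"
    "personal identity data": math.inf,
}

def exposure_years(shelf_life, migration=MIGRATION_YEARS, crqc_arrival=15.0):
    """Mosca's inequality: data captured while a migration started now is still
    under way must stay secret for shelf_life + migration years; whatever extends
    past the CRQC arrival is recoverable by a harvest-now, decrypt-later adversary."""
    return max(0.0, shelf_life + migration - crqc_arrival)

def latest_safe_start(shelf_life, migration=MIGRATION_YEARS, crqc_arrival=15.0):
    """Years from now by which migration must have STARTED so that nothing still
    valuable is ever captured under classical key exchange. Negative means
    'already late': the data being sent today is the exposure."""
    return crqc_arrival - shelf_life - migration

def assess(crqc_arrival):
    """Exposure (years) and latest safe start for every data class, for one CRQC estimate."""
    return {name: (exposure_years(life, crqc_arrival=crqc_arrival),
                   latest_safe_start(life, crqc_arrival=crqc_arrival))
            for name, life in SHELF_LIFE_YEARS.items()}

if __name__ == "__main__":
    for z in CRQC_ARRIVAL_YEARS:
        print(f"CRQC in {z:.0f} years:")
        for name, (exp, start) in assess(z).items():
            verdict = "at risk now" if start < 0 else f"start within {start:.0f}y"
            print(f"  {name:24s} exposure {exp:>5.1f}y  {verdict}")
```

Even at the optimistic 15-year estimate, classified and identity data sent today are already inside the window; only the short-retention classes still have a positive deadline.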

The Migration Challenge

Knowing you need post-quantum cryptography is the easy part. Actually implementing it is where organizations struggle.

The algorithm landscape is new and complex: ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) for signatures, hybrid modes that combine classical and PQC algorithms to ensure security even if either algorithm family is compromised in the future.
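Why a hybrid mode defeats harvest-now, decrypt-later even if the classical half is later broken: the session key is a hash over both shared secrets, so recovering the classical one alone yields nothing. The following is an added illustration, not Qpher's code or a real X-Wing implementation; the combiner input order and label follow the X-Wing draft, but the shared secrets, ciphertext and public key are constructed random stand-ins for ML-KEM-768 and X25519 outputs.

```python
import hashlib
import secrets

# Label from the X-Wing draft's combiner. The structure below follows X-Wing's
# input ordering but uses constructed stand-in values, not real ML-KEM/X25519.
XWING_LABEL = b"\\.//^\\"

def hybrid_session_key(ss_pq: bytes, ss_classical: bytes,
                       ct_classical: bytes, pk_classical: bytes) -> bytes:
    """Derive the session key from BOTH shared secrets (X-Wing style combiner)."""
    h = hashlib.sha3_256()
    for part in (XWING_LABEL, ss_pq, ss_classical, ct_classical, pk_classical):
        h.update(part)
    return h.digest()

def classical_only_session_key(ss_classical: bytes) -> bytes:
    """Pre-PQC design: the session key depends only on the classical exchange."""
    return hashlib.sha3_256(b"classical-only" + ss_classical).digest()

def hndl_outcome():
    """Model one harvested session. Returns (hybrid_recovered, classical_only_recovered)
    for an adversary who stored the transcript and later obtains a CRQC."""
    # Constructed stand-ins: 32-byte shared secrets (the size ML-KEM-768 and
    # X25519 both produce), plus a 32-byte X25519 ciphertext and public key.
    ss_pq, ss_cl = secrets.token_bytes(32), secrets.token_bytes(32)
    ct_cl, pk_cl = secrets.token_bytes(32), secrets.token_bytes(32)
    # Both legitimate parties derive the same keys from the same inputs.
    k_hybrid = hybrid_session_key(ss_pq, ss_cl, ct_cl, pk_cl)
    k_classical = classical_only_session_key(ss_cl)
    # Shor's algorithm recovers ss_cl from the harvested (ct_cl, pk_cl); ss_pq
    # stays unknown, so the best the attacker can do for the hybrid key is guess it.
    attacker_guess_pq = secrets.token_bytes(32)
    return (
        hybrid_session_key(attacker_guess_pq, ss_cl, ct_cl, pk_cl) == k_hybrid,
        classical_only_session_key(ss_cl) == k_classical,
    )

if __name__ == "__main__":
    hybrid_broken, classical_broken = hndl_outcome()
    print(f"hybrid session recovered: {hybrid_broken}")          # False
    print(f"classical-only session recovered: {classical_broken}")  # True
```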

Key management becomes significantly more complex. PQC key sizes are dramatically larger than their classical counterparts: an ML-KEM-768 public key is 1,184 bytes (versus 256 bytes for RSA-2048 — a 4.6× increase), and an ML-DSA-65 signature is 3,309 bytes (versus 64 bytes for ECDSA P-256 — a 51× increase). Add versioning requirements, key rotation, and the need for crypto-agility (the ability to swap algorithms without rewriting your application), and the infrastructure challenge becomes clear.

Most organizations face a choice: invest 6–12 months building PQC infrastructure in-house, or find a platform that abstracts the complexity away.

Starting the Migration Today

The path forward doesn’t have to be overwhelming. At Qpher, we’ve built a managed post-quantum cryptography platform specifically to eliminate the infrastructure burden. NIST-standard algorithms (ML-KEM-768, ML-DSA-65), hybrid cryptography (X-Wing, Composite ML-DSA) for regulated industries, and a key management system where private keys never leave our security boundary — all accessible through a simple API.

But regardless of which solution you choose, the critical step is starting. Every day of unprotected data transmission is another day of potential harvest.

What’s Next in This Series

This is the first post in a series exploring the post-quantum cryptography landscape. Coming next: what the NIST PQC standards actually mean for your organization, why building your own PQC infrastructure is harder than you think, and a hands-on look at how quantum-safe encryption works in practice.
