Somewhere in a data center you'll never see, encrypted traffic captured from fiber-optic cables is being written to disk. The adversary can't read it today—your TLS 1.3 session, your VPN tunnel, your encrypted database backup are all intact. But the adversary isn't in a hurry. They're waiting for a machine that doesn't exist yet.
This is "Harvest Now, Decrypt Later" (HNDL)—the practice of collecting encrypted data today with the intent to decrypt it using future quantum computers. It is not a theoretical risk. Every credible intelligence assessment confirms it's happening. And if your data has a shelf life longer than the quantum timeline, you're already exposed.
HNDL is the only quantum computing attack that is already in progress. Unlike active quantum attacks (which require a cryptographically relevant quantum computer that doesn't yet exist), HNDL requires only two things that adversaries already have: interception capability and cheap storage. The data being harvested right now cannot be retroactively protected.
The Evidence: It's Already Happening
Let's dispense with the hypothetical. Multiple intelligence agencies, independent researchers, and major consulting firms have publicly confirmed that HNDL collection is underway.
Booz Allen Hamilton (2021)
Booz Allen's 32-page threat assessment, "Chinese Threats in the Quantum Era," explicitly warns that China is likely already collecting encrypted U.S. government data for future quantum decryption:
"Encrypted data with intelligence longevity, like biometric markers, covert intelligence officer and source identities, Social Security numbers, and weapons designs, may be increasingly stolen under the expectation that they can eventually be decrypted."
China has invested heavily in quantum computing R&D since 2016, backed by a 13-year national plan to become a global leader in quantum technology. The collection infrastructure is already mature.
The Federal Reserve (2025)
The Federal Reserve published a dedicated paper (FEDS 2025-093) analyzing HNDL risk specifically to distributed ledger networks and currently protected financial data. When the central bank of the world's largest economy publishes a paper about your attack vector, it's no longer speculative.
Documented Interception Infrastructure
The infrastructure for bulk encrypted traffic collection already exists and has been operational for years:
- 2016: Canadian internet traffic to South Korea was rerouted through China via BGP hijacking
- 2019: European mobile phone traffic was similarly rerouted through Chinese networks
- 2020: Data from Google, Amazon, Facebook, and 200+ other networks was redirected through Russia
- Ongoing: Russia has rerouted Ukrainian internet traffic throughout the Russo-Ukrainian War
These BGP hijacking incidents demonstrate that nation-states can intercept traffic at scale without physical access to cables. Add the NSA's UPSTREAM collection (tapping fiber-optic cables at ISP peering points) and GCHQ's TEMPORA program (processing 600 million telephone events per day across 200+ fiber-optic cables), and the picture is clear: bulk interception of encrypted traffic is a mature, operational capability.
The Deloitte Survey
A 2022 Deloitte survey found that 50.2% of organizations believe they are at risk from HNDL attacks, but only 26% had completed post-quantum encryption vulnerability assessments. Most organizations know the threat is real. Most have done nothing about it.
How HNDL Works: The Attack Model
HNDL is elegant in its simplicity. It requires no zero-days, no exploitation, no breach of your systems. The attack model has four stages:
HNDL Attack Chain
- Intercept—Adversary captures encrypted data in transit (cable taps, BGP hijacking, compromised ISPs, or passive collection at internet exchange points)
- Store—Encrypted data is archived in long-term storage. At ~$0.014/GB for hard drives or ~$1,000/month per petabyte on cloud cold storage, cost is negligible for a nation-state
- Wait—Adversary waits for a cryptographically relevant quantum computer (CRQC). No time pressure. No detection risk.
- Decrypt—When a CRQC is available, run Shor's algorithm against the stored data. RSA keys factor instantly. ECDH sessions crack open. Every secret is exposed.
The critical asymmetry: interception is passive and nearly undetectable. Unlike active cyberattacks that leave forensic traces, HNDL collection at the network level is invisible to the victim. You will never know your data was harvested until it appears decrypted in an adversary's hands, years or decades from now.
The Math: Mosca's Inequality
Dr. Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo, formalized the HNDL risk calculation into a simple inequality:
Mosca's Inequality
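If X + Y > Z, your data is at risk, where X is the data's shelf life, Y is the time needed to migrate, and Z is the estimated time until a CRQC exists (the column labels used in the table below). The window to act has already closed. Let's run the numbers for real-world scenarios.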
Worked Examples
| Sector | X (Data Shelf-Life) | Y (Migration Time) | X + Y | Z (CRQC Est.) | Result |
|---|---|---|---|---|---|
| Defense / Intelligence | 25–75 years | 5–7 years | 30–82 | 10–15 | X+Y >> Z |
| Healthcare (patient records) | 50+ years | 3–5 years | 53–55 | 10–15 | X+Y >> Z |
| Biometric data | Lifetime | 2–4 years | ∞ | 10–15 | Always at risk |
| Financial identity (SSN) | 20+ years | 3–5 years | 23–25 | 10–15 | X+Y > Z |
| Legal (attorney-client) | Indefinite | 2–3 years | ∞ | 10–15 | Always at risk |
| E-commerce (session data) | 1–2 years | 1–2 years | 2–4 | 10–15 | X+Y < Z |
The uncomfortable conclusion: most sensitive data categories are already past the point of no return. If an adversary harvested your encrypted biometric templates or medical records last year, no amount of future migration will protect that data. The only defense is ensuring new data is encrypted with quantum-resistant algorithms starting today.
Unlike passwords or encryption keys, biometric data cannot be rotated. Once an adversary decrypts your fingerprint template, iris scan, or voice print, that data is compromised forever. This makes biometric systems the single highest-priority target for HNDL attacks—and the single strongest argument for FHE-based biometric authentication, where the plaintext template never exists to be harvested.
The Quantum Timeline: When Does Z Arrive?
Estimating when a cryptographically relevant quantum computer (CRQC) will exist is inherently uncertain, but the expert consensus is converging.
Global Risk Institute Survey (December 2024)
Dr. Michele Mosca surveyed 32 global quantum computing experts. Their probability estimates for a CRQC capable of breaking RSA-2048:
| Timeframe | Probability | Year |
|---|---|---|
| Within 5 years | 5–14% | ~2029 |
| Within 10 years | 19–34% | ~2034 |
| Within 15 years | ~50% | ~2039 |
| Within 20 years | ~79% | ~2044 |
Nearly one-third of experts (10 of 32) assigned a 50%+ probability of CRQC within 10 years. And these estimates are trending upward year-over-year. Germany's BSI puts the timeline at a maximum of 16 years, potentially as low as 10 with advances in error correction.
The Hardware Gap Is Shrinking Fast
Current quantum computers have roughly 100–1,000 physical qubits. Breaking RSA-2048 with Shor's algorithm was historically estimated to require ~20 million physical qubits (Gidney & Ekerå, 2021). That's a 4-order-of-magnitude gap. Seems comfortable.
Then came the Gidney paper of May 2025, which changed the math dramatically.
Craig Gidney's May 2025 paper reduced the physical qubit requirement from 20 million to under 1 million—a 20x improvement—using approximate residue arithmetic, yoked surface codes for idle qubit storage, and magic state cultivation instead of distillation. The Toffoli count was reduced by over 100x. The gap between current hardware and a CRQC is now three orders of magnitude, not four.
Current hardware trajectory:
- Google Willow (2024): 105 superconducting qubits, demonstrated exponential error reduction scaling
- IBM Kookaburra (2025): 4,158-qubit multi-chip system
- Fujitsu/RIKEN (2025–2026): 256-qubit system delivered, 1,000-qubit planned
- Microsoft + Atom Computing: 28 logical qubits on 112 atoms; 24 entangled logical qubits (record)
- Microsoft projection: path to 1 million physical qubits within a decade (~2035)
The question is no longer if but when. And the Gidney paper moved "when" significantly closer.
What Shor's Algorithm Actually Breaks
Shor's algorithm efficiently solves the integer factorization problem and the discrete logarithm problem on a quantum computer. This breaks every cryptosystem built on those mathematical foundations:
| Broken by Shor's | Algorithm Type | Est. Logical Qubits |
|---|---|---|
| RSA-2048 | Integer factorization | 1,730–6,190 |
| RSA-3072 | Integer factorization | ~9,288 |
| ECDSA P-256 | Discrete log (ECC) | 2,330–2,619 |
| ECDSA P-384 | Discrete log (ECC) | ~3,901 |
| Diffie-Hellman | Discrete log | Similar to RSA |
| Ed25519, X25519 | Discrete log (ECC) | ~2,330 |
| ElGamal, DSA | Discrete log | Varies |
What Shor's does NOT break:
- AES-256, ChaCha20—Symmetric ciphers. Grover's algorithm halves the effective key length (AES-256 → ~128-bit equivalent), but AES-256 remains secure.
- SHA-2, SHA-3, BLAKE2—Hash functions are quantum-resistant
- ML-KEM (FIPS 203)—Lattice-based key encapsulation. Quantum-safe.
- ML-DSA (FIPS 204)—Lattice-based digital signatures. Quantum-safe.
- SLH-DSA (FIPS 205)—Hash-based signatures. Quantum-safe.
This is the crux of the HNDL problem: everything protected by RSA, ECDH, or ECDSA today—which is essentially all TLS traffic, most VPNs, most certificate chains—will be retroactively compromised when a CRQC arrives.
The Regulatory Landscape: Governments Are Moving
The regulatory response to HNDL has been faster than typical government timelines, which itself signals the severity of the threat.
NIST Post-Quantum Standards
On August 13, 2024, NIST finalized the first three post-quantum cryptography standards:
| Standard | Algorithm | Type | Status |
|---|---|---|---|
| FIPS 203 | ML-KEM (from Kyber) | Key Encapsulation | Final |
| FIPS 204 | ML-DSA (from Dilithium) | Digital Signature | Final |
| FIPS 205 | SLH-DSA (from SPHINCS+) | Digital Signature (hash-based) | Final |
| FIPS 206 | FN-DSA (from FALCON) | Digital Signature (NTRU) | Draft ~2026 |
| TBD | HQC | Key Encapsulation (code-based) | Draft ~2027 |
NIST IR 8547 (November 2024) establishes the transition roadmap: all classical public-key cryptography (RSA, ECDSA) will be deprecated after 2030 and disallowed in federal systems after 2035.
CNSA 2.0: NSA's Migration Deadlines
The NSA's Commercial National Security Algorithm Suite 2.0 (September 2022) sets hard deadlines for national security systems:
| Category | Support & Prefer By | Exclusive Use By |
|---|---|---|
| Software & firmware signing | 2025 | 2030 |
| Web browsers, servers, cloud | 2025 | 2033 |
| Traditional networking (VPNs, routers) | 2026 | 2030 |
| Operating systems | 2027 | 2033 |
| Constrained devices, large PKI | 2030 | 2033 |
Starting January 1, 2027, all new National Security System equipment acquisitions must be CNSA 2.0–compliant by default. If you're selling to the government, this is already your deadline.
Executive Orders and Legislation
The Economics: Why HNDL Is Inevitable
HNDL is not just technically feasible—it's economically rational. The cost/benefit analysis for a nation-state adversary is overwhelming:
HNDL Cost Analysis for a Nation-State
Cost (Annual)
- Storage: ~$14,000 per petabyte (raw drives)
- Cloud archive: ~$12,000/PB/year (cold storage)
- Interception: Already amortized into SIGINT budgets
- Total: $1–10M/year for petabyte-scale targeted collection
Potential Payoff
- Classified intelligence: Incalculable
- Trade secrets / IP: Billions
- Biometric databases: Permanent leverage
- Financial data: Hundreds of millions
Hard drive costs have dropped from ~$0.114/GB in 2009 to ~$0.014/GB in 2022—an 87% decrease. Storing a petabyte costs less than a mid-range car. For a nation-state intelligence budget measured in billions, archiving decades of targeted encrypted traffic is a rounding error.
And the collection is free. NSA documents revealed that some surveillance sites collect 20+ terabytes per day. GCHQ's TEMPORA program tapped 200+ fiber-optic cables simultaneously. If you're already intercepting traffic for current intelligence purposes, storing encrypted copies costs almost nothing extra.
There is no detection risk at collection time. Passive interception (cable taps, BGP rerouting) is extremely difficult to detect. There is no time pressure—vacuum up everything, sort it later. And when the CRQC arrives, the adversary decrypts at leisure.
Mitigation: What Actually Works
Protecting against HNDL requires accepting an uncomfortable truth: you cannot protect data that has already been harvested. The only defense is ensuring new data is encrypted with quantum-resistant algorithms starting immediately.
1. Deploy Post-Quantum Key Exchange Now
The single highest-impact mitigation is replacing RSA/ECDH key exchange with ML-KEM (FIPS 203) for all data in transit. This ensures that even if traffic is intercepted, Shor's algorithm cannot recover session keys.
Hybrid key exchange (classical + PQC) provides defense in depth: if either algorithm holds, the session is secure. Chrome, Firefox, and most major TLS libraries already support ML-KEM hybrid key exchange.
2. FHE for Biometric Data
Biometric data is the ultimate HNDL target because it cannot be rotated. The only architectural solution is to ensure the plaintext biometric template never exists in a decryptable form.
Fully Homomorphic Encryption (FHE) enables biometric matching on encrypted data. The template is encrypted at enrollment and never decrypted—not on the server, not in transit, not in storage. An adversary who harvests the encrypted template gets ciphertext that is quantum-resistant by construction (BFV lattice-based encryption is not vulnerable to Shor's algorithm).
```rust
// Biometric verification on encrypted data — plaintext never exposed
let encrypted_probe = bfv_encrypt(&probe_template, &public_key);
let encrypted_enrolled = load_enrolled_template(user_id); // Already encrypted

// Inner product computed entirely in FHE domain
// Shor's algorithm cannot help — this is lattice-based, not RSA/ECC
let encrypted_score = fhe_inner_product(&encrypted_probe, &encrypted_enrolled);

// Threshold comparison also in encrypted domain
let result = encrypted_threshold_check(encrypted_score, threshold);
// Result: encrypted boolean — server never sees the score or the templates
```
3. Post-Quantum Signatures for Authentication
Replace ECDSA/EdDSA with ML-DSA (FIPS 204) for all authentication tokens, API signatures, and certificate chains. H33's production stack uses Dilithium (ML-DSA) for attestation with ~240µs sign+verify latency—fast enough for real-time authentication.
4. Hybrid PQC Key Exchange for Key Agreement
Use ML-KEM (FIPS 203) combined with X25519 or ECDH for key exchange. The hybrid approach ensures security even if one algorithm is broken. ML-KEM adds minimal overhead to the handshake.
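Whether a connection actually negotiated the hybrid key exchange described in steps 1 and 4 can be read from the `key_share` extension of the TLS 1.3 ServerHello. The following is an added example, not code from this article or from H33: it parses a ServerHello handshake message and classifies the selected group by its IANA codepoint. The function names are hypothetical and the sample message is constructed, with a dummy 4-byte key share.

```rust
#[derive(Debug, PartialEq)]
enum KeyExchange { Hybrid(&'static str), Classical(&'static str), Unknown(u16) }

// Codepoints from the IANA "TLS Supported Groups" registry.
fn classify_group(id: u16) -> KeyExchange {
    match id {
        0x11EB => KeyExchange::Hybrid("SecP256r1MLKEM768"),
        0x11EC => KeyExchange::Hybrid("X25519MLKEM768"),
        0x11ED => KeyExchange::Hybrid("SecP384r1MLKEM1024"),
        0x0017 => KeyExchange::Classical("secp256r1"),
        0x001D => KeyExchange::Classical("x25519"),
        other => KeyExchange::Unknown(other),
    }
}

fn be16(b: &[u8], at: usize) -> Option<usize> { // big-endian u16, None if too short
    Some(((*b.get(at)? as usize) << 8) | *b.get(at + 1)? as usize)
}

/// Group in the key_share extension (type 51) of a ServerHello handshake message.
fn selected_group(msg: &[u8]) -> Option<u16> {
    if *msg.first()? != 0x02 { return None; }   // HandshakeType server_hello
    let sid_len = *msg.get(38)? as usize;        // 4 header + 2 version + 32 random
    let mut p = 39 + sid_len + 3;                // skip session id, suite, compression
    let end = p + 2 + be16(msg, p)?;             // end of the extensions block
    if end > msg.len() { return None; }          // truncated capture
    p += 2;
    while p + 4 <= end {
        let (typ, len) = (be16(msg, p)?, be16(msg, p + 2)?);
        if p + 4 + len > end { return None; }    // extension overruns the block
        if typ == 51 && len >= 2 { return Some(be16(msg, p + 4)? as u16); }
        p += 4 + len;
    }
    None
}

/// Constructed sample, not a capture: ServerHello with a 4-byte dummy key share.
fn sample_server_hello(group: u16) -> Vec<u8> {
    let [g0, g1] = group.to_be_bytes();
    let mut msg = vec![0x02, 0x00, 0x00, 58, 0x03, 0x03]; // type, length 58, legacy_version
    msg.extend_from_slice(&[0u8; 33]);                     // random + empty session id
    // cipher suite, compression, extensions length 18, supported_versions (TLS 1.3)
    msg.extend_from_slice(&[0x13, 0x01, 0x00, 0x00, 18, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04]);
    msg.extend_from_slice(&[0x00, 0x33, 0x00, 0x08, g0, g1, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef]);
    msg
}

fn main() {
    println!("{:?}", selected_group(&sample_server_hello(0x11EC)).map(classify_group));
}
```

A `Classical` result on a link that carries long-lived data means that session's key exchange is one Shor's algorithm can recover, so that link belongs at the front of the migration queue.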
5. Data Minimization and Forward Secrecy
Reduce the value of harvested data by minimizing what you store and ensuring forward secrecy (session keys derived ephemerally, so compromising long-term keys doesn't expose past sessions). With PQC key exchange, forward secrecy extends to the quantum era.
Implementation Priority Matrix
Not all migrations have equal urgency. Use the Mosca inequality to prioritize:
| Priority | Data Type | Action | Deadline |
|---|---|---|---|
| P0 | Biometric templates | FHE-based processing (plaintext never exists) | Now |
| P0 | Classified / long-term secrets | ML-KEM key exchange for all data in transit | Now |
| P1 | Healthcare records, financial identity | PQC TLS for APIs, ML-DSA for auth tokens | 2026 |
| P1 | Legal / privileged communications | Hybrid PQC email encryption, VPN migration | 2026 |
| P2 | General enterprise data | PQC certificate chain migration | 2027–2028 |
| P3 | Ephemeral / low-value data | Standard TLS 1.3 migration timeline | 2030 |
The Bottom Line
HNDL is not a future threat. It is a present attack with future consequences. The data being harvested from your networks today will be decrypted when quantum computers arrive—and every credible timeline puts that event within 10–15 years. The math is unforgiving: if your data has a longer shelf life than the quantum timeline, you are already exposed.
The standards exist (FIPS 203/204/205). The deadlines are set (CNSA 2.0, NIST IR 8547). The regulatory clock is ticking (NSM-10, HR 7535). The only variable is whether you act before or after your data is compromised.
There is no retroactive fix for data that has already been harvested. The only defense is quantum-resistant encryption deployed now.
H33 provides post-quantum authentication infrastructure with FHE biometric processing (BFV lattice-based), ML-DSA digital signatures, and ML-KEM key exchange—all in a single API call at sub-millisecond latency. Every component in the stack is quantum-resistant by construction, not by policy.