
Post-Quantum Durability: How Long Will Your Encryption Last?

Planning data protection for 10-year and 30-year horizons: the HNDL threat, crypto-agility requirements, and why H33-74 attestations survive algorithm transitions

The encryption protecting your data today has an expiration date. Not because the algorithms weaken over time, but because the computers that will break them are being built. RSA-2048, ECDSA P-256, and finite-field and elliptic-curve Diffie-Hellman key exchange all rely on mathematical problems that a large quantum computer solves efficiently with Shor's algorithm. Symmetric ciphers fare better: Grover's algorithm only halves the effective key length, so AES-128 is weakened rather than broken, and AES-256 is the conservative choice for long-lived data. For the public-key algorithms, the question is not whether they will be broken. The question is whether the data they protect will still matter when they are.

For most web traffic, the answer is no. An encrypted HTTPS session from 2024 is unlikely to contain information valuable enough to justify storing for a decade. But for medical records, financial transactions, legal communications, government intelligence, corporate trade secrets, and personal identity data, the answer is emphatically yes. A patient's genomic data is sensitive for their entire lifetime. A financial transaction record must be auditable for seven years under the Sarbanes-Oxley Act (SOX). A classified government document may carry a 25-year or 50-year protection period. These are the targets of the harvest-now-decrypt-later (HNDL) threat, and they are being collected today.

This article addresses how to protect data that must remain confidential or attestable for 10, 20, or 30 years when the cryptographic landscape is shifting beneath your feet.

The Harvest-Now-Decrypt-Later Timeline

HNDL is not a future threat. It is a present-tense activity. Nation-state intelligence agencies have been intercepting and storing encrypted communications for decades, waiting for the capability to decrypt them. The Snowden revelations confirmed that the NSA stores encrypted intercepts indefinitely. China's intelligence services are widely believed to be conducting systematic collection of encrypted data from Western organizations. These collection programs are rational: the cost of storage is negligible compared to the potential intelligence value of decrypting years of communications.

The timeline for a cryptographically relevant quantum computer (CRQC) is uncertain but narrowing. Current estimates range from 2030 to 2040 for a machine capable of running Shor's algorithm against RSA-2048. The exact date matters less than the planning horizon. If your data must remain confidential until 2040 and a CRQC arrives in 2035, you needed post-quantum encryption in place before the data was created. Retroactive protection is impossible for data already transmitted under quantum-vulnerable encryption.

This creates an asymmetry in the planning calculus. If you migrate to post-quantum cryptography too early, the cost is slightly higher operational complexity. If you migrate too late, the cost is complete exposure of all data encrypted under the old algorithms. The risk profile is wildly asymmetric: the cost of being early is small and bounded; the cost of being late is catastrophic and irreversible.

Crypto-Agility: The Foundation of Durability

Crypto-agility is the architectural property that allows a system to swap cryptographic algorithms without redesigning its data formats, protocols, or infrastructure. It is the single most important design decision for long-term cryptographic durability, and it is the decision most organizations get wrong.

The failure mode is concrete. An organization deploys RSA-2048 in 2015 with RSA key formats and algorithm identifiers hardcoded throughout the system: a fixed-width modulus column in the database, a fixed-length signature field on the wire, verifiers that call the RSA routine directly. When NIST publishes the post-quantum standards (FIPS 203, 204 and 205, August 2024), migrating to ML-DSA requires changing every layer where the algorithm identifier or key format is assumed. This is not a configuration change; it is a multi-year engineering project that touches every system that touches cryptography.

Crypto-agile systems abstract the algorithm behind an identifier. The database stores a key ID and an algorithm tag, not a raw RSA key. The wire protocol includes algorithm negotiation. The key management infrastructure handles arbitrary key types through a common interface. When a new algorithm is introduced, it is registered in the algorithm registry, new keys are generated, and the system begins using the new algorithm while continuing to verify old signatures during the transition period.
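As an added illustration of this pattern (example code written for this page, not part of H33's product), the Go program below keeps an algorithm registry with three lifecycle states, stores each signature in an envelope that carries its algorithm tag, and walks one record through a migration. RSA-2048 and ECDSA P-256 from Go's standard library stand in for the legacy and replacement schemes because no ML-DSA implementation ships with Go; the registry IDs, the Status states and the sample record are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Status is an algorithm's lifecycle state: Active signs and verifies, VerifyOnly
// verifies existing signatures but never signs new ones, Retired fails closed.
type Status int

const (
	Active Status = iota
	VerifyOnly
	Retired
)

// Algorithm hides key formats and signature layouts behind a registry ID. Signing goes
// through crypto.Signer (software or HSM keys); all schemes here digest with SHA-256.
type Algorithm struct {
	Status Status
	Verify func(pub crypto.PublicKey, digest, sig []byte) bool
}

// Registry maps IDs to implementations; a new scheme is a registration, not a redesign.
type Registry map[string]*Algorithm

// Envelope is the stored form of a signature: the algorithm tag travels with the bytes,
// so no database column or wire field assumes a particular key type.
type Envelope struct {
	Alg string
	Sig []byte
}

func verifyRSA(pub crypto.PublicKey, d, sig []byte) bool {
	k, ok := pub.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(k, crypto.SHA256, d, sig) == nil
}

func verifyECDSA(pub crypto.PublicKey, d, sig []byte) bool {
	k, ok := pub.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(k, d, sig)
}

// Sign creates new signatures only under Active algorithms.
func Sign(r Registry, alg string, priv crypto.Signer, msg []byte) (Envelope, error) {
	a, ok := r[alg]
	if !ok || a.Status != Active {
		return Envelope{}, fmt.Errorf("%s: not active for signing", alg)
	}
	d := sha256.Sum256(msg)
	sig, err := priv.Sign(rand.Reader, d[:], crypto.SHA256)
	return Envelope{Alg: alg, Sig: sig}, err
}

// Verify accepts Active and VerifyOnly algorithms; Retired and unknown ones fail closed.
func Verify(r Registry, env Envelope, pub crypto.PublicKey, msg []byte) bool {
	a, ok := r[env.Alg]
	d := sha256.Sum256(msg)
	return ok && a.Status != Retired && a.Verify(pub, d[:], env.Sig)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunTransition walks one record through a migration away from a legacy RSA scheme
// (ML-DSA would be registered the same way) and reports the outcome of each check.
func RunTransition() map[string]bool {
	r := Registry{"rsa-2048": {Status: Active, Verify: verifyRSA}}
	msg := []byte("attestation record 0001 (constructed sample)")
	legacy := must(rsa.GenerateKey(rand.Reader, 2048))
	old := must(Sign(r, "rsa-2048", legacy, msg)) // signed years before the transition
	// Step 1: register the new scheme. No record, table or wire format changes.
	r["ecdsa-p256"] = &Algorithm{Status: Active, Verify: verifyECDSA}
	modern := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	fresh := must(Sign(r, "ecdsa-p256", modern, msg))
	// Step 2: demote the legacy scheme: old records still verify, new ones cannot use it.
	r["rsa-2048"].Status = VerifyOnly
	_, legacyErr := Sign(r, "rsa-2048", legacy, msg)
	out := map[string]bool{
		"old record verifies during transition": Verify(r, old, legacy.Public(), msg),
		"new signing under legacy refused":      legacyErr != nil,
		"new record verifies":                   Verify(r, fresh, modern.Public(), msg),
	}
	// Step 3: retire the legacy scheme once every record is re-signed; it now fails closed.
	r["rsa-2048"].Status = Retired
	out["old record rejected after retirement"] = !Verify(r, old, legacy.Public(), msg)
	return out
}

func main() { fmt.Println(RunTransition()) }
```

The state to notice is VerifyOnly: it is what lets old records keep verifying while the legacy algorithm can no longer produce new signatures, and moving to Retired is the fail-closed step once every record has been re-signed. A system that hard-codes the RSA verify call at every site has nowhere to put that state.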

H33's architecture is crypto-agile by design. The H33-74 attestation format stores a 32-byte on-chain commitment and a 42-byte Cachee verification payload. Neither component embeds the signature algorithm directly. The underlying algorithms (ML-DSA-65, FALCON-512, which NIST is standardizing as FN-DSA, and SLH-DSA-SHA2-128f) can be upgraded to stronger variants or replaced with entirely new algorithms without changing the attestation format. The 74-byte substrate is a commitment to the cryptographic fact, not to the specific algorithm that proved it.

Algorithm Migration: The Practical Challenge

Key Distribution

Post-quantum keys and signatures are larger than classical ones. ML-DSA-65 public keys are 1,952 bytes versus 32 bytes for Ed25519, and an ML-DSA-65 signature is 3,309 bytes versus 64. ML-KEM-768 public keys are 1,184 bytes versus 32 bytes for X25519. These larger keys must be distributed through DNS, certificate authorities, JWK endpoints, key transparency logs, and hardware tokens, and some of that infrastructure has size limits that must be expanded: a DNS record carrying an ML-DSA key exceeds the 1,232-byte EDNS buffer most resolvers use and forces TCP fallback, a certificate chain grows by several kilobytes per certificate, and hardware tokens have fixed key-slot sizes. Certificate authorities must issue certificates with post-quantum algorithms. Test your actual infrastructure, not just the specifications.

Hybrid Mode

During migration, systems must support both classical and post-quantum algorithms simultaneously. The IETF LAMPS composite signature drafts combine a classical signature with a post-quantum signature under a single algorithm identifier, and verification succeeds only if both component signatures are valid, so a break in either scheme alone does not let an attacker forge. H33's three-family approach evolves this concept: instead of two algorithms (one classical, one PQ), H33 uses three PQ algorithms from three different mathematical families, providing defense in depth even within the post-quantum regime.
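The property that matters in a composite, here and in the three-family argument later in this article, is the verification rule. The example below (added for this page; not H33's or the IETF's code) builds a two-component composite signature, verifies it with the AND rule, then models an attacker who has completely broken one component, represented as holding that component's private key. Ed25519 and ECDSA P-256 stand in for the two families because they ship with Go; the record contents and the key material are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CompositeSig carries one signature per component scheme. Ed25519 and ECDSA P-256 are
// stand-ins chosen because they ship with Go; the construction is the same for one
// classical plus one PQ scheme, or for three PQ families.
type CompositeSig struct {
	Ed []byte // Ed25519 over the raw message
	EC []byte // ECDSA P-256 over SHA-256(message), ASN.1 DER encoded
}

// CompositeKey holds the private key of each component.
type CompositeKey struct {
	Ed ed25519.PrivateKey
	EC *ecdsa.PrivateKey
}

// GenerateKey creates a fresh composite key (constructed demo keys, not persisted).
func GenerateKey() (CompositeKey, error) {
	_, ed, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return CompositeKey{}, err
	}
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CompositeKey{}, err
	}
	return CompositeKey{Ed: ed, EC: ec}, nil
}

// Public returns both verification keys.
func (k CompositeKey) Public() (ed25519.PublicKey, *ecdsa.PublicKey) {
	return k.Ed.Public().(ed25519.PublicKey), &k.EC.PublicKey
}

// Sign produces both component signatures over the same message.
func (k CompositeKey) Sign(msg []byte) (CompositeSig, error) {
	h := sha256.Sum256(msg)
	ec, err := ecdsa.SignASN1(rand.Reader, k.EC, h[:])
	if err != nil {
		return CompositeSig{}, err
	}
	return CompositeSig{Ed: ed25519.Sign(k.Ed, msg), EC: ec}, nil
}

// Verify applies the AND rule: every component must verify. A forger therefore has to
// break every component scheme, so the composite stays unforgeable while any one of
// them holds. An OR rule would invert this and be only as strong as the weakest scheme.
func Verify(edPub ed25519.PublicKey, ecPub *ecdsa.PublicKey, msg []byte, s CompositeSig) bool {
	h := sha256.Sum256(msg)
	edOK := ed25519.Verify(edPub, msg, s.Ed)
	ecOK := ecdsa.VerifyASN1(ecPub, h[:], s.EC)
	return edOK && ecOK
}

// BreakScenarios signs a record, then models an attacker who has completely broken one
// family (equivalent to holding that component's private key) and tries to forge a
// signature on a tampered record, reusing the genuine signature from the unbroken family.
func BreakScenarios() (map[string]bool, error) {
	k, err := GenerateKey()
	if err != nil {
		return nil, err
	}
	edPub, ecPub := k.Public()
	msg := []byte("record 0001 anchored 2026-01-15 (constructed sample)")
	tampered := []byte("record 0001 anchored 2020-01-15 (constructed sample)")
	genuine, err := k.Sign(msg)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(tampered)
	ecForged, err := ecdsa.SignASN1(rand.Reader, k.EC, h[:]) // attacker "broke" ECDSA
	if err != nil {
		return nil, err
	}
	edForged := ed25519.Sign(k.Ed, tampered) // attacker "broke" Ed25519
	return map[string]bool{
		"genuine record verifies":               Verify(edPub, ecPub, msg, genuine),
		"forgery with only ed25519 broken fails": !Verify(edPub, ecPub, tampered, CompositeSig{Ed: edForged, EC: genuine.EC}),
		"forgery with only ecdsa broken fails":   !Verify(edPub, ecPub, tampered, CompositeSig{Ed: genuine.Ed, EC: ecForged}),
		"forgery with both broken succeeds":      Verify(edPub, ecPub, tampered, CompositeSig{Ed: edForged, EC: ecForged}),
	}, nil
}

func main() {
	out, err := BreakScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Extending the struct to three components gives the three-family case: a forger needs breaks in all three families, while a legitimate attestation signed before any break still verifies under all three. Note what the construction does not give you: the last scenario is indistinguishable from an attacker who simply stole both private keys by conventional means, so key custody for each component matters as much as the diversity of the algorithms.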

Backward Compatibility

Legacy systems that cannot be upgraded will exist for years or decades. Industrial control systems, medical devices, embedded sensors, and deployed IoT hardware may not be capable of running post-quantum algorithms. The migration plan must accommodate these systems through gateway translation services that accept classical signatures from legacy devices and re-sign with post-quantum algorithms at the network boundary. Two caveats apply. The gateway's signature attests only that the gateway saw a valid classical signature at that moment; it cannot retroactively strengthen the device's proof of origin, so the original signature, the time of translation and the gateway's identity should all be covered by what the gateway signs. And the gateway key becomes a single point of failure for every legacy device behind it, which argues for a hardware-backed key and close monitoring of that service.

10-Year Planning: The Minimum Viable Horizon

A 10-year data protection plan must account for the following milestones. CNSA 2.0, which governs US National Security Systems, asks for ML-KEM and ML-DSA to be supported and preferred in most product categories by 2025 to 2027, and NSA has said that new NSS acquisitions from 2027 should be CNSA 2.0 compliant; NSM-10 sets a parallel 2035 goal for federal systems generally. By 2030, most estimates place a non-trivial probability on a CRQC capable of breaking RSA-2048, and CNSA 2.0 already requires exclusive use of quantum-resistant algorithms for software signing and networking equipment by then. By 2033, CNSA 2.0 requires exclusive use in the remaining categories, with the NSS transition to be complete by 2035. By 2035, data encrypted today with RSA or ECC may be decryptable by nation-state adversaries.

For data that must remain confidential through 2036, post-quantum encryption must be deployed before 2026. For data that must remain attestable through 2036, post-quantum signatures must be applied before 2026 and stored alongside the data. Retroactive signing is possible but retroactive encryption is not, with one condition on the first: re-signing has to happen while the existing signatures are still trustworthy, because once the classical algorithm falls an attacker can produce equally valid old signatures, and the new signature attests only what the data looks like at the time of re-signing, so it needs a trustworthy timestamp or anchor to carry the original date forward. The practical action items for a 10-year plan: inventory all cryptographic dependencies; identify data with long confidentiality requirements; deploy PQ encryption for new high-priority data; begin hybrid signing for all new attestation records; plan migration for legacy systems; establish crypto-agility testing as a regular practice.
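The first two action items, the inventory and the identification of long-lived data, are where most plans stall. The Go program below (added for this page, not H33's tooling) is the shape of the first inventory script a team would write: it walks a PEM certificate bundle, names the public-key algorithm behind each certificate, and flags any system whose data shelf life runs past an assumed CRQC year. The bundle is generated inside the program so it runs offline; the subject names, the shelf lives and the 2035 CRQC estimate are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: the key behind a certificate and the data horizon it must cover.
type Finding struct {
	Subject       string
	KeyType       string
	MustLastUntil int // year through which the data must stay confidential or attestable
	Exposed       bool
}

// classify names a certificate's public key and says whether Shor's algorithm breaks it. Go's
// x509 knows no PQ key types yet, so unknown types are reported and treated as vulnerable.
func classify(cert *x509.Certificate) (keyType string, vulnerable bool) {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), true
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, true
	default:
		return fmt.Sprintf("%T", k), true // fail closed: unknown is not the same as resistant
	}
}

// Inventory parses every CERTIFICATE block in a PEM bundle. shelfLifeYears maps a subject CN
// to how long the data behind that system must stay secret or provable; the system is
// exposed when that horizon passes crqcYear on a quantum-vulnerable key.
func Inventory(bundle []byte, shelfLifeYears map[string]int, now time.Time, crqcYear int) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		keyType, vulnerable := classify(cert)
		until := now.Year() + shelfLifeYears[cert.Subject.CommonName]
		findings = append(findings, Finding{
			Subject: cert.Subject.CommonName, KeyType: keyType,
			MustLastUntil: until, Exposed: vulnerable && until > crqcYear,
		})
	}
	return findings, nil
}

// sampleBundle builds a constructed two-certificate bundle so the demo runs offline.
func sampleBundle() ([]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var out []byte
	for i, s := range []struct {
		cn        string
		pub, priv any
	}{{"payments-db", &rsaKey.PublicKey, rsaKey}, {"genomics-api", &ecKey.PublicKey, ecKey}} {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: s.cn},
			NotBefore:    time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
			NotAfter:     time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.pub, s.priv) // self-signed
		if err != nil {
			return nil, err
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out, nil
}

// Run inventories the sample bundle as of 2026 against a 2035 CRQC estimate; shelf lives are
// demo assumptions: 7 years for SOX-style financial records, 30 for genomic data.
func Run() ([]Finding, error) {
	bundle, err := sampleBundle()
	if err != nil {
		return nil, err
	}
	shelf := map[string]int{"payments-db": 7, "genomics-api": 30}
	return Inventory(bundle, shelf, time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC), 2035)
}

func main() { fmt.Println(Run()) }
```

With a 2035 estimate the seven-year financial record is just inside the window and the genomic data is exposed; rerun with crqcYear set to 2030 and the payments system is exposed as well. That sensitivity to one uncertain number is the reason to record shelf lives now rather than argue about the date. A real inventory also has to cover TLS configuration, SSH and code-signing keys, KMS key policies and any schema that embeds a key type, none of which appear in a certificate bundle.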

30-Year Planning: Beyond the First Transition

A 30-year planning horizon must account for the possibility that today's post-quantum algorithms will themselves need replacement. The history of cryptography is a history of breaks. DES was replaced by AES. MD5 was replaced by SHA-2. SHA-1 was deprecated after practical collisions. RSA key sizes have climbed from 512 bits to 2048 and 4096. Algorithms that seemed secure at deployment have repeatedly been weakened by advances in mathematics and computation, and nothing guarantees that the current standards are the exception.

NIST's post-quantum standards are based on the best current understanding of lattice problem hardness. But lattice cryptography has been studied intensively only since the mid-1990s, roughly 30 years, compared to nearly 50 years for factoring-based cryptography. The NIST competition itself showed how quickly a candidate can fall: the SIKE isogeny scheme and the Rainbow multivariate scheme were both broken with classical computation in 2022, after years of public scrutiny. It is possible that a breakthrough in lattice algorithms will weaken ML-DSA or ML-KEM within a 30-year horizon. It is also possible that entirely new computational paradigms beyond quantum computing will emerge.

The defense against this uncertainty is layered security with independent assumptions. H33's three-family approach (MLWE lattices, NTRU lattices, hash functions) is designed for 30-year durability. A break in MLWE does not break NTRU. A break in all lattice problems does not break hash functions. Because verification requires all three signatures, the attestation remains unforgeable as long as at least one of the three families remains secure. The independence is not perfect: the two lattice families share enough structure that a fundamental advance in lattice reduction could affect both, so the hash-based signature is the genuinely independent leg. Even so, over a 30-year horizon the probability that all three are simultaneously broken is far lower than the probability that any single family is broken.

The H33-74 substrate's algorithm-agnostic format means that even if all three current algorithms need replacement, the 74-byte attestation format remains valid. New algorithms are registered, new signatures generated, and verification checks new signatures. The on-chain commitment does not change, preserving the link to the anchoring timestamp. The 42-byte Cachee component is updated to reflect new verification material. The attestation survives the algorithm transition intact.

The Cost of Waiting

Every month of delay in post-quantum migration adds to the HNDL exposure window. Data transmitted this month under classical encryption is collectible this month and storable indefinitely. Once collected, it cannot be un-collected. The migration cost does not decrease with delay -- if anything, it increases as more systems and data accumulate under old algorithms. But the exposure cost increases monotonically with every day of delay.

The organizations that will be best positioned in 2036 are the ones that began migration in 2025: deploying hybrid signatures, encrypting new data under ML-KEM, establishing crypto-agile infrastructure, and distilling attestations into algorithm-agnostic formats like H33-74. H33's production pipeline processes 2,293,766 authentications per second at 38 microseconds each. The performance overhead of post-quantum cryptography is not a reason to delay. The migration complexity is real, but bounded and manageable. The exposure risk of waiting is unbounded and irreversible.

Contact support@h33.ai for a quantum readiness assessment and migration planning consultation.
