Harvest Now, Decrypt Later — For Governance
The "harvest now, decrypt later" threat is well-understood for encrypted data: adversaries collect encrypted traffic today, store it, and plan to decrypt it once sufficiently powerful quantum computers exist. Nation-states are already doing this.
What is less discussed is that the same threat applies to signed governance evidence. If your compliance records, audit reports, attestation chains, and governance evidence are signed with RSA-2048 or ECDSA-P256, a future adversary with a quantum computer can forge those signatures. They can create fake governance records that appear authentic. They can modify historical evidence and re-sign it with a forged key.
This is not hypothetical paranoia about distant technology. The timeline matters for governance because governance evidence has a long shelf life. A SOC 2 Type II report issued today may be referenced in litigation in 2035. A regulatory filing made today may be audited in 2040. An insurance claim made today may be disputed in 2045. If the signatures on that evidence are forgeable by then, the evidence is worthless.
The Quantum Timeline
No one knows exactly when cryptographically relevant quantum computers will exist. Estimates range from 2030 to 2045. But this uncertainty is precisely the problem. If you wait until quantum computers arrive to migrate your signatures, all evidence signed before the migration is retroactively vulnerable.
NIST recognized this in 2016 when they began the Post-Quantum Cryptography Standardization process. The standards are now published:
- FIPS 203 — ML-KEM (Module Lattice Key Encapsulation Mechanism, formerly CRYSTALS-Kyber)
- FIPS 204 — ML-DSA (Module Lattice Digital Signature Algorithm, formerly CRYSTALS-Dilithium)
- FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+)
H33 implements all three standards (ML-DSA and SLH-DSA for signing, ML-KEM for key encapsulation) plus FALCON (selected in NIST Round 3, standardization pending).
Three Independent Hardness Assumptions
A single post-quantum signature family is a bet on a single mathematical problem remaining hard in a post-quantum world. H33 does not make a single bet. It makes three independent bets.
| Family | Standard | Hardness Assumption | Math Domain | Signature Size |
|---|---|---|---|---|
| ML-DSA-65 | NIST FIPS 204 | Module Learning With Errors (MLWE) | Lattice (module) | 3,309 bytes |
| FALCON-512 | NIST Round 3 | Short Integer Solution over NTRU | Lattice (NTRU) | ~690 bytes |
| SLH-DSA-SHA2-128f | NIST FIPS 205 | Hash function collision resistance | Hash-based (no lattice) | 17,088 bytes |
The independence of these assumptions is the critical architectural property. ML-DSA and FALCON both involve lattices, but they rely on different hardness problems (MLWE vs. NTRU-SIS). A cryptanalytic breakthrough against MLWE does not necessarily translate to NTRU, and vice versa. SLH-DSA involves no lattice mathematics at all — its security is based purely on the collision resistance of SHA-256, which is a completely separate mathematical domain.
An attacker must break all three simultaneously to forge a single attestation. This is not breaking three locks in sequence. It is solving three unrelated mathematical problems at once.
What H33 claims: Breaks if and only if MLWE lattices, NTRU lattices, AND stateless hash functions are simultaneously broken — three independent mathematical bets.
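The "all three at once" property is a verification policy as much as a cryptographic one: a composite attestation must be rejected if any single component fails, otherwise the bundle is only as strong as its weakest family. The following added example (not H33 code, and not ML-DSA, FALCON or SLH-DSA) shows that AND-composition in Python using a Lamport one-time signature as a constructed stand-in for each family. Lamport is chosen only because it needs nothing beyond `hashlib`, and it illustrates the same idea as the page's hash-based family: its security rests purely on hash-function properties, with no lattice involved. The three hash functions used (SHA-256, SHA3-256, BLAKE2s) are stand-ins and do not constitute three independent mathematical domains in the sense of the table above; the evidence string and attestation id are constructed.

```python
"""Added example (not H33 code): AND-composition of several independent
signature schemes, with a toy hash-based one-time signature as the scheme.

Lamport OTS is a constructed stand-in chosen because it needs only hashlib.
It is not SLH-DSA, ML-DSA or FALCON; its purpose here is to show
(a) a signature whose security rests on hash properties alone, and
(b) a composite verifier that rejects unless every component verifies.
A Lamport key must never sign two different messages.
"""
import hashlib
import hmac
import secrets

DIGEST_BITS = 256   # message digest length; one secret pair per bit
SECRET_LEN = 32     # bytes per secret preimage


def _h(hash_name, data):
    """Hash with a named hashlib algorithm (all used here give 32 bytes)."""
    return hashlib.new(hash_name, data).digest()


def _bits(digest):
    """Bit list of a 32-byte digest, most significant bit first."""
    n = int.from_bytes(digest, "big")
    return [(n >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


class LamportScheme:
    """One-time signature over a chosen hash. Forging a signature for a new
    message requires preimages of public-key entries that were never revealed."""

    def __init__(self, hash_name):
        self.hash_name = hash_name

    def keygen(self):
        sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
              for _ in range(DIGEST_BITS)]
        pk = [(_h(self.hash_name, a), _h(self.hash_name, b)) for a, b in sk]
        return sk, pk

    def sign(self, sk, msg):
        # Reveal, for each digest bit, the secret that matches that bit value.
        return [sk[i][bit] for i, bit in enumerate(_bits(_h(self.hash_name, msg)))]

    def verify(self, pk, msg, sig):
        if len(sig) != DIGEST_BITS:
            return False
        ok = True
        for i, bit in enumerate(_bits(_h(self.hash_name, msg))):
            # Constant-time compare; keep going so timing does not reveal which bit failed.
            if not hmac.compare_digest(_h(self.hash_name, sig[i]), pk[i][bit]):
                ok = False
        return ok


def verify_composite(components, msg, expected=3):
    """Accept only if EVERY one of `expected` component signatures verifies.

    This is the AND policy the page describes: a forger has to break all
    families at once. An OR policy (any one suffices) would instead be only
    as strong as the weakest family, so a short bundle is rejected too.
    """
    if len(components) != expected:
        return False
    return all(scheme.verify(pk, msg, sig) for scheme, pk, sig in components)


def demo():
    # Constructed stand-ins for three families; in H33 these would be
    # ML-DSA-65, FALCON-512 and SLH-DSA-SHA2-128f.
    families = [LamportScheme("sha256"), LamportScheme("sha3_256"),
                LamportScheme("blake2s")]
    evidence = b"attestation=EX-0001;control=CC6.1;result=pass"  # constructed
    keys = [f.keygen() for f in families]
    bundle = [(f, pk, f.sign(sk, evidence)) for f, (sk, pk) in zip(families, keys)]

    results = {"all_valid": verify_composite(bundle, evidence)}
    # Altered evidence: every component fails because every digest changes.
    results["tampered_evidence"] = verify_composite(bundle, evidence + b"!")
    # One family "broken": substitute random preimages for its signature.
    # The other two still verify on their own, yet the composite is rejected.
    forged = list(bundle)
    f1, pk1, sig1 = forged[1]
    forged[1] = (f1, pk1, [secrets.token_bytes(SECRET_LEN) for _ in sig1])
    results["one_family_forged"] = verify_composite(forged, evidence)
    results["others_still_valid"] = (
        forged[0][0].verify(forged[0][1], evidence, forged[0][2])
        and forged[2][0].verify(forged[2][1], evidence, forged[2][2]))
    # Missing component: a bundle with only two signatures is not accepted.
    results["missing_component"] = verify_composite(bundle[:2], evidence)
    results["signature_bytes"] = sum(len(b) for _, _, s in bundle for b in s)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Each toy component signature is 8,192 bytes and usable once; SLH-DSA reaches many-time use by layering WOTS+ and FORS one-time/few-time signatures under a hypertree, which is why its signature in the table above is 17,088 bytes. The verifier's `expected` count matters in practice: a bundle that silently drops a component must not pass, or the "all three at once" claim degrades to "whichever families happened to be present".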
Classical Signatures Will Not Survive
RSA-2048 can be broken by a quantum computer running Shor's algorithm with approximately 4,000 logical qubits. ECDSA-P256 requires fewer. Current quantum computers have hundreds of noisy qubits, not thousands of logical qubits, but the trajectory is clear: qubit counts are doubling, error correction is improving, and the timeline is compressing.
Every piece of governance evidence signed with RSA or ECDSA today has an expiration date. Not the explicit expiration date of the certificate, but the implicit expiration date imposed by quantum computing progress. When that date arrives, the signature becomes forgeable, and the evidence becomes untrustworthy.
Post-quantum signatures do not have this implicit expiration. MLWE, NTRU, and hash collision resistance are not known to be vulnerable to quantum algorithms (Grover's algorithm provides at most a quadratic speedup for hash collision search, which is handled by using sufficient hash output length).
Governance Evidence Must Be Verifiable in 10+ Years
Governance evidence is not transient. It serves long-term purposes:
- Litigation — Discovery requests can reference evidence from years ago. If the signatures on that evidence are forgeable, opposing counsel can challenge its authenticity.
- Regulatory review — Regulators may audit historical compliance years after the fact. Unforgeable signatures are the difference between defensible evidence and contested claims.
- Insurance — Claims investigation can occur years after the policy period. Governance evidence from the incident period must be independently verifiable at investigation time.
- M&A due diligence — Acquirers examine historical governance as part of due diligence. PQ-signed evidence is independently verifiable; classically signed evidence has a countdown timer.
Performance: Not a Tradeoff
The conventional assumption is that post-quantum cryptography is slow. This was true for early implementations. It is not true for production-optimized implementations on modern hardware.
H33 sustains 2.2 million authentications per second with all three PQ signature families active. Per-attestation latency is 42 microseconds. The signature generation and verification for all three families combined takes 391 microseconds per 32-user batch, or approximately 12 microseconds per individual attestation.
Post-quantum signatures are larger than classical signatures (ML-DSA at 3,309 bytes vs. ECDSA at 64 bytes). H33 addresses this through the H33-74 attestation model: the full signatures are stored and verified, but the commitment structure is only 74 bytes. This means the on-chain footprint is 74 bytes regardless of the signature sizes.
Frequently Asked Questions
What is harvest now, decrypt later and how does it apply to governance?
Adversaries collect signed governance evidence today, planning to forge signatures once quantum computers can break RSA/ECDSA. Forged governance evidence could fabricate compliance records, alter audit trails, or construct false claims. PQ signatures prevent this by using hardness assumptions that resist quantum attacks.
What are the three independent hardness assumptions?
ML-DSA-65: Module Learning With Errors (MLWE). FALCON-512: Short Integer Solution over NTRU lattices. SLH-DSA-SHA2-128f: hash function collision resistance. Three independent mathematical domains. Breaking one does not help with the others.
Which NIST standards does H33 implement?
FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), FIPS 203 (ML-KEM for key encapsulation), and FALCON (NIST Round 3 selected, standardization pending).
Is there a performance tradeoff for post-quantum signatures?
No. 2.2 million authentications per second with all three PQ families active. 42 microseconds per attestation. The H33-74 commitment model keeps the on-chain footprint at 74 bytes regardless of individual signature sizes.
Why do governance signatures need to be quantum-resistant?
Governance evidence must be verifiable for years or decades. A SOC 2 report signed with RSA-2048 today may need to be verified in 2035. If quantum computers can factor RSA by then, the signature is forgeable and the evidence is worthless. PQ signatures ensure evidence remains verifiable regardless of quantum progress.