- Key Takeaways
- How Harvest Now, Decrypt Later Works
- Why This Is a Present-Day Problem, Not a Future One
- Mosca's Inequality: Measuring Your Exposure
- Which Data Is Most at Risk
- How to Defend Against HNDL
- How Encryption Consulting Helps
- Frequently Asked Questions
- Protect Your Data Before the Harvesting Window Closes
Harvest Now, Decrypt Later (HNDL) is an attack strategy in which an adversary collects and stores encrypted data today, intending to decrypt it in the future once a cryptographically relevant quantum computer can break the encryption that protects it.
Harvest Now, Decrypt Later, also called Store Now, Decrypt Later, is a present-day threat even though the quantum computers it relies on do not yet exist. An attacker records encrypted traffic or steals encrypted archives now, then waits. When a quantum computer capable of breaking RSA and elliptic-curve cryptography arrives, the harvested data becomes readable. Any secret that must stay confidential for years is therefore already at risk.
Key Takeaways
- HNDL is the practice of capturing encrypted data now and decrypting it later, once a cryptographically relevant quantum computer (CRQC) exists. Multiple national cybersecurity agencies have stated it is already happening.
- The threat is present-day, not future: the moment an attacker captures your ciphertext, any secret that must outlive your migration window is exposed.
- Shor’s algorithm on a future quantum computer breaks the public-key cryptography (RSA, ECC, Diffie-Hellman) used for key exchange and digital signatures. Symmetric encryption such as AES-256 remains secure.
- Mosca’s inequality (X + Y > Z) is the standard way to gauge urgency: if your data’s required confidentiality period plus your migration time exceeds the time until a CRQC, you are already exposed.
- The defense is to migrate key establishment to post-quantum or hybrid cryptography before the harvesting window closes, starting with your longest-lived sensitive data.
How Harvest Now, Decrypt Later Works
HNDL separates the moment of data theft from the moment of data exposure. That separation is what makes it different from a conventional breach.
- Harvest: An adversary intercepts and archives encrypted data today: TLS-protected network traffic, VPN sessions, encrypted backups, or exfiltrated encrypted files. They cannot read it yet, so they simply store it.
- Wait: The data sits in the adversary’s storage. Because storage is cheap and patient adversaries such as nation-states can wait years, this step costs very little.
- Decrypt: When a cryptographically relevant quantum computer becomes available, the adversary uses it to break the public-key cryptography that protected the harvested data, and reads everything of lasting value.
The unsettling part is that the breach is invisible when it happens. Data captured in 2026 might not be decrypted until years later, and the victim may never know the ciphertext was taken until the plaintext surfaces.
Why This Is a Present-Day Problem, Not a Future One
It is tempting to treat quantum risk as something to handle once quantum computers arrive. HNDL removes that option. The exposure begins the moment the ciphertext is captured, which means data you transmit or store today is already at risk if it must remain confidential past the arrival of a capable quantum computer.
This risk rests on a result from the 1990s. Peter Shor showed that a sufficiently powerful quantum computer could efficiently factor large integers and solve the discrete logarithm problem, which breaks RSA, elliptic-curve cryptography, and Diffie-Hellman key exchange. These algorithms protect nearly all secure communication today. Symmetric cryptography is far more resilient: Grover’s algorithm offers only a quadratic speedup against it, so AES-256 remains secure in a post-quantum world. The exposure is concentrated in public-key key establishment, which is exactly what protects data in transit.
Mosca’s Inequality: Measuring Your Exposure
The clearest way to reason about HNDL urgency is a framework introduced by cryptographer Michele Mosca of the University of Waterloo, published in IEEE Security & Privacy in 2018. It is expressed as a simple inequality:
Mosca’s Inequality
If X + Y > Z, your data is at risk.
X = how long your data must remain confidential
Y = how long your migration to post-quantum cryptography will take
Z = how long until a cryptographically relevant quantum computer exists
The insight is that you do not need to know exactly when a quantum computer will arrive to know you have a problem. Consider an organization with data that must stay confidential for 10 years (X = 10) and a realistic migration timeline of 7 years (Y = 7). Even with an optimistic 15-year estimate for a quantum computer (Z = 15), the arithmetic is 10 + 7 = 17, which is greater than 15. That data is already exposed, and the migration should have started two years ago.
Estimates for Z vary and are inherently uncertain. The Global Risk Institute’s 2024 Quantum Threat Timeline Report, authored by Mosca and Marco Piani, places the central probability range for a cryptographically relevant quantum computer around 2033 to 2037. These are expert estimates, not certainties, and the arrival of such a machine may not be publicly announced. For planning, the responsible approach is to treat Z as uncertain and act on the variables you control: X and Y.
Which Data Is Most at Risk
HNDL risk is proportional to how long data must stay secret. Ephemeral data with a shelf life of minutes is largely safe. Data with a long confidentiality requirement is where the risk concentrates.
| Data type | Typical confidentiality need | HNDL exposure |
|---|---|---|
| Session tokens, one-time data | Minutes to hours | Low |
| Financial transaction records | 7 to 10 years | High |
| Health and medical records | Decades (patient lifetime) | Very high |
| Government and defense secrets | Decades | Very high |
| Intellectual property, trade secrets | Indefinite | Very high |
| Encryption keys, credentials | Until rotated | High |
If your organization holds any data in the high or very high categories and transmits or stores it using classical public-key cryptography, that data is a candidate for harvesting today.
How to Defend Against HNDL
The only durable defense is to stop protecting long-lived data with cryptography that a quantum computer can break. In practice, that means a planned migration to post-quantum cryptography (PQC), prioritized by data longevity.
- Inventory your cryptography: You cannot protect what you cannot see. Build a cryptographic inventory (a CBOM) of the algorithms, keys, certificates, and protocols in use across your environment.
- Prioritize by data longevity: Use Mosca’s inequality to rank systems. The data with the longest confidentiality requirement and the longest migration time comes first.
- Adopt post-quantum or hybrid key exchange: Move key establishment to NIST-standardized algorithms such as ML-KEM (FIPS 203), often deployed in a hybrid mode that combines a classical and a post-quantum algorithm during the transition.
- Build crypto-agility: Design systems so algorithms can be swapped without re-architecting, because standards and guidance will keep evolving.
- Protect data in transit first: TLS traffic is the most heavily harvested target, so prioritize post-quantum key exchange for network protocols.
How Encryption Consulting Helps
Encryption Consulting’s Post-Quantum Cryptography Advisory Services help organizations address HNDL risk in the right order. We build a cryptographic inventory of your environment, apply Mosca’s inequality to prioritize your longest-lived and most sensitive data, and design a migration roadmap to NIST-standardized post-quantum algorithms such as ML-KEM (FIPS 203) and ML-DSA (FIPS 204), using hybrid deployments where backward compatibility matters. The goal is straightforward: make sure the data being harvested today cannot be read when a quantum computer finally arrives. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
Frequently Asked Questions
What is Harvest Now, Decrypt Later in simple terms?
Harvest Now, Decrypt Later (HNDL) is when an attacker steals or records encrypted data today, even though they cannot read it yet, and stores it until a future quantum computer can break the encryption. It is like stealing a locked safe now and waiting for a tool that can open it later. Any information that must stay secret for years, such as health records or state secrets, is at risk because it will still be valuable when that tool arrives.
Is Harvest Now, Decrypt Later a real threat today?
Yes. While the quantum computers needed to decrypt the data do not yet exist, the harvesting is happening now, and multiple national cybersecurity agencies have stated so publicly. The threat is present-day because the exposure begins the moment your ciphertext is captured. Data intercepted in 2026 could be decrypted years later, so any secret with a long confidentiality requirement is already exposed if it is protected only by classical public-key cryptography.
What kind of encryption is vulnerable to HNDL?
HNDL targets public-key cryptography used for key exchange and digital signatures, specifically RSA, elliptic-curve cryptography (ECC), and Diffie-Hellman. These are broken by Shor’s algorithm on a sufficiently powerful quantum computer. Symmetric encryption such as AES-256 is not meaningfully threatened, because Grover’s algorithm only halves its effective security, leaving AES-256 secure. The practical exposure is in the key establishment that protects data in transit, which is why TLS traffic is a prime harvesting target.
What is Mosca’s inequality?
Mosca’s inequality is a framework from cryptographer Michele Mosca for judging quantum-migration urgency. It states that if X plus Y is greater than Z, your data is at risk, where X is how long your data must stay confidential, Y is how long your migration will take, and Z is how long until a quantum computer can break your encryption. The point is that if your data lifetime and migration time together exceed the time until a quantum computer, you are already too late and should begin migrating now.
When will quantum computers be able to break encryption?
No one knows for certain, and the arrival of such a machine may not be publicly announced. Expert estimates vary: the Global Risk Institute’s 2024 Quantum Threat Timeline Report places the central probability range around 2033 to 2037. Because the date is uncertain and could be earlier than expected, and because migration takes years, the responsible approach is to act now on the factors you control rather than waiting for a confirmed date.
How do I protect my organization from HNDL?
Start by inventorying your cryptography to see which algorithms, keys, and protocols are in use. Use Mosca’s inequality to prioritize systems handling your longest-lived, most sensitive data. Then migrate key establishment to NIST-standardized post-quantum algorithms such as ML-KEM (FIPS 203), often in a hybrid mode alongside classical algorithms during the transition, and build crypto-agility so future algorithm changes are easier. Protect data in transit, especially TLS traffic, first.
Protect Your Data Before the Harvesting Window Closes
The data being harvested today is only safe if it cannot be read when a quantum computer arrives. Explore Encryption Consulting’s PQC Advisory Services to inventory your cryptography, prioritize your most exposed data, and plan a migration to quantum-safe algorithms.
- Key Takeaways
- How Harvest Now, Decrypt Later Works
- Why This Is a Present-Day Problem, Not a Future One
- Mosca's Inequality: Measuring Your Exposure
- Which Data Is Most at Risk
- How to Defend Against HNDL
- How Encryption Consulting Helps
- Frequently Asked Questions
- Protect Your Data Before the Harvesting Window Closes
