The phrase harvest now decrypt later describes a patient attack. An adversary records encrypted traffic or copies encrypted files today, stores the ciphertext, and waits for the day a powerful quantum computer can unlock it. Nothing needs to be broken now, because the payoff comes later, and the target often never learns the data was taken.
That waiting game is why security agencies treat the risk as present tense rather than future tense. Data with a long shelf life, such as health records, genomic data, defence and diplomatic files, banking details and intellectual property, is still sensitive years or decades from now. If it is captured today under classical encryption, it is exposed the moment a cryptographically relevant quantum computer, often shortened to CRQC, becomes real.
The attack targets the key exchange, not the cipher. A quantum computer breaks the RSA or elliptic-curve handshake that delivers your session key; the AES-256 that encrypts the data itself stays safe, yet the key that unlocks it does not.
Forward secrecy does not save recorded traffic. The ephemeral key exchange is still elliptic-curve Diffie-Hellman, and a recorded handshake can be broken later, so the very feature meant to protect old sessions offers no defence here.
It has already happened once. Under Project VENONA, Soviet cables intercepted in the 1940s were read years and even decades later, so store-now-break-later is documented history, not a thought experiment.
The storage is trivially cheap. A petabyte of intercepted ciphertext costs roughly 5,000 dollars on tape to keep for a decade, and United States law already permits keeping encrypted communications for as long as they remain useful to cryptanalysis.
The defence exists and is standardised. The post-quantum algorithms published in 2024 close the hole, and the honest reason to deploy them now is the shelf life of your own data, not a fixed doomsday date.
What harvest now decrypt later actually means
Most secure connections on the internet rely on public-key cryptography such as RSA and elliptic-curve schemes to agree on a shared key. Those schemes are safe today because classical computers cannot factor huge numbers or solve discrete logarithms in any reasonable time. A large quantum computer running Shor’s algorithm changes that assumption, because it solves those exact problems efficiently and recovers the private keys behind captured sessions.
The attack has two clean stages. First comes collection, where an adversary with access to a network backbone, a cloud tenancy or a stolen backup quietly copies encrypted material and files it away. Second comes decryption, which happens whenever the hardware matures, so the harvest now decrypt later model decouples the cost of stealing data from the moment the data is finally read. That separation is what makes the threat hard to detect, because the theft leaves no obvious trace and the damage only surfaces years later.
What actually breaks, and what does not
The single most common mistake in coverage of this threat is to imagine a quantum computer chewing through your AES-encrypted files. That is not how harvest now decrypt later works, and the distinction is the whole story. Shor’s algorithm attacks the asymmetric key exchange, the RSA or elliptic-curve step that two parties use to agree on a secret, and it leaves the symmetric cipher that actually encrypts your data untouched.
When you load a modern website, your browser and the server run a short handshake that establishes a shared session key, then switch to a fast symmetric cipher such as AES-256 to encrypt the conversation. An attacker who records that whole exchange holds the handshake, including the public values that Shor’s algorithm can invert. Recovering the shared secret from those values yields the session key, and the session key decrypts the AES stream directly, so the strength of AES-256 is beside the point once the key that unlocks it is exposed.

Why AES-256 is not the weak point
The symmetric layer really is safe, and it is worth being precise about why. The best known quantum attack on a symmetric cipher is Grover’s algorithm, which offers only a quadratic speedup rather than the exponential one Shor gives against public-key schemes. In its 2016 report on post-quantum cryptography, the United States National Institute of Standards and Technology concluded that symmetric algorithms and hash functions should remain usable in a quantum era, with at most a doubling of key size.
AES-256 needs no change at all, and the National Security Agency’s own CNSA 2.0 suite keeps AES-256 and SHA-384 precisely because a quantum computer gains little against them. That is the detail the scary headlines skip. The vulnerable link is never the vault, it is the key left in the lock of the handshake, which is exactly the part harvest now decrypt later records and stores.
Why perfect forward secrecy does not save you
Perfect forward secrecy is one of the best ideas in modern cryptography, and it is exactly the reassurance that fails against this attack. The feature works by generating a fresh, ephemeral key for every session and discarding it afterwards, so that stealing a server’s long-term private key tomorrow cannot unlock the traffic it protected yesterday. Against an ordinary attacker that is a powerful guarantee, and it is why forward secrecy became the default across the web.
Harvest now decrypt later slips underneath it. The ephemeral key is still agreed using elliptic-curve Diffie-Hellman, and both ephemeral public values travel inside the recorded handshake, so a quantum computer can solve for the ephemeral private key from the very packets the attacker stored. Forward secrecy defends against a future key theft; it does nothing against future cryptanalysis of the key-exchange primitive itself.
The standards bodies say this plainly. The Internet Engineering Task Force’s draft on hybrid key exchange in TLS 1.3 warns that the threat, which it names harvest now decrypt later, means confidentiality can be broken retroactively by any adversary who has passively recorded handshakes and encrypted communications. The recording is the attack; the quantum computer is only the delayed final step.
There is a cruel twist in the arithmetic. Because forward secrecy forces a new key exchange for every single session, an attacker must run one quantum key-recovery for each recorded conversation rather than breaking one long-term key and reading everything, and a 2026 study from the Universidad Carlos III de Madrid shows this multiplies the attacker’s future workload rather than eliminating it. The feature does raise the cost of decryption; it does not remove the exposure, so recorded traffic protected only by classical forward secrecy is still on the clock.
Who is most at risk
The exposure is not evenly spread, and it tracks one variable above all, which is how long a secret must stay secret. Anything that loses value in minutes is largely safe, while anything that must remain confidential for a decade sits squarely in the blast radius. That is why long-lived secrets dominate every serious risk assessment of this threat.
- Health and genomic records stay sensitive for a lifetime and cannot be reissued like a password.
- Defence, intelligence and diplomatic communications carry classification periods measured in decades.
- Financial and banking data, including account details and long-term contracts, remain valuable well past the year they are created.
- Intellectual property and trade secrets, from chemical formulas to source code, lose protection the moment they are decrypted.
- Government and legal archives, backups and compliance stores are attractive because they concentrate years of records in one place.
Security agencies have said this collection may already be under way, though in carefully hedged language. In a joint 2023 factsheet the Cybersecurity and Infrastructure Security Agency, the National Security Agency and NIST warned that threat actors could be targeting data today that still needs protection in future, using what they called a catch now, break later or harvest now decrypt later operation. That guidance frames the problem as a reason to migrate early rather than proof of any specific breach, and the conditional wording matters.
The math of urgency and Mosca’s inequality
The clearest way to reason about the deadline comes from Michele Mosca, a cofounder of the Institute for Quantum Computing at the University of Waterloo. His inequality uses three numbers, and it turns a vague fear into a simple planning question. The three numbers are the shelf life of your data, the time it takes to migrate your systems, and the time until a quantum computer can break current encryption.
Write the shelf life as X, the migration time as Y, and the time to a capable quantum computer as Z. Mosca’s point is that if X plus Y is greater than Z, you are already exposed, because data you protect today will still be sensitive when the machine that breaks it arrives. Put plainly, a five-year migration protecting data that must live for ten years is already too slow if a capable quantum computer is twelve years away.
The inequality is powerful because it does not need a precise doomsday date to be useful. Even under cautious estimates for Z, long shelf lives and multi-year migrations push many organisations over the line today. That is the real lesson of harvest now decrypt later, since the attacker’s clock started the moment your ciphertext was captured, not the moment quantum hardware finally works.

The estimates for Z have been moving in the wrong direction for defenders. In 2019 Craig Gidney and Martin Ekera calculated that breaking RSA-2048 would take about 20 million noisy qubits running for eight hours, and in May 2025 Gidney, now at Google Quantum AI, published a revised figure of fewer than one million noisy qubits running for under a week. That is roughly a twentyfold drop in the machine you need, achieved in just six years.
The expert consensus has shifted with it. The Global Risk Institute’s 2025 threat timeline, published in March 2026, records a 28 to 49 percent expert estimate that a capable machine arrives within a decade, the highest figure in the report’s history. That survey is compiled with input from researchers connected to evolutionQ, a firm that sells quantum-safe products, so its estimates are best read as expert judgement from parties with a commercial interest in early migration rather than a neutral forecast. The honest reading is uncertainty with a rising trend, not a fixed date, and that trend is what should drive the planning rather than any single predicted year.
This has happened before, and it worked
Harvest now decrypt later can feel like a hypothesis about a machine that does not yet exist, so it is worth remembering that the strategy has already succeeded once, at national scale. During the Second World War the United States Army’s Signal Intelligence Service, working out of Arlington Hall, accumulated enciphered Soviet diplomatic cables it could not read. The programme that eventually broke them was called VENONA, and its own declassified history is the clearest proof that storing ciphertext against a future capability is a real and patient intelligence tactic.
The collection began in 1939, and serious codebreaking work started only in 1943, aimed at first not at Soviet espionage but at the fear of a separate peace between Moscow and Berlin. The payoff came years after the intercepts were filed. On 20 December 1946 the analyst Meredith Gardner broke into a message sent to Moscow more than two years earlier that carried a list of the leading scientists working on the Manhattan Project, a cable enciphered in 1944 under a system its senders believed unbreakable.
The gap between collection and decryption is the entire point, and the declassified VENONA record shows it stretched further than any planner could have promised in advance. The National Security Agency issued 39 first-time translations of 1940s Soviet cables as late as 1978 to 1980, reading in the microprocessor era traffic that had been intercepted before the transistor was invented. The programme ran until 1 October 1980, and over 37 years it exposed Julius Rosenberg, Klaus Fuchs, Donald Maclean and more than 200 other individuals.
One detail matters for accuracy, because it is often told wrong. VENONA did not break the one-time pad, which is mathematically unbreakable when used correctly, but exploited a manufacturing error in which the Soviet cryptographic centre, under wartime pressure, printed duplicate copies of supposedly unique key pages. The lesson still transfers cleanly to the quantum threat. Ciphertext that looks safe forever can become readable the day a weakness or a new capability appears, and by then the data has long since been collected and shelved.
The economics of patience
An attack that depends on storing data for a decade only works if storage is cheap, and it is almost embarrassingly cheap. Keeping a full petabyte of intercepted ciphertext on modern archival tape costs on the order of 5,000 dollars in media for the whole decade, and even keeping it in a cloud cold-storage tier runs to roughly 120,000 dollars over the same period. Against a national signals-intelligence budget those are rounding errors, and an attacker does not need everything, because recording only the handshakes and session ciphertext of targeted connections shrinks the problem by orders of magnitude.
A 2026 feasibility study from the Universidad Carlos III de Madrid put numbers on exactly this, pricing long-term cloud retention at roughly 12 to 15 dollars per terabyte per year and tape at about 5 dollars, and modelling the cost of harvesting one percent of global traffic at around 1.1 billion dollars a year. That is a large figure for a company and a trivial one for a state, which is the asymmetry that makes the threat credible. Storing what you cannot yet read is affordable precisely for the actors most likely to want your long-lived secrets.
The law already allows it
The legal machinery to keep that data already exists in the open. United States surveillance rules under Section 702 of the Foreign Intelligence Surveillance Act set a default five-year retention limit for ordinary communications, but carve out an explicit exception for encrypted material, which may be kept for any period during which it remains subject to, or of use in, cryptanalysis. In plain terms, the law already contemplates holding encrypted traffic indefinitely until someone can decrypt it. Keeping what you cannot yet read is not a theory about a future adversary, it is written policy today.
Where the standards stand
The defensive toolkit already exists and is standardised. In August 2024 NIST published its first post-quantum standards, the algorithms built to blunt harvest now decrypt later at the protocol level. They replace the vulnerable key-exchange and signature schemes that Shor’s algorithm targets, and they are royalty-free so that any vendor can adopt them.
- FIPS 203, ML-KEM, a lattice-based key-encapsulation mechanism derived from CRYSTALS-Kyber, is the primary tool for protecting data in transit.
- FIPS 204, ML-DSA, a lattice-based digital signature scheme derived from CRYSTALS-Dilithium, covers most signing needs.
- FIPS 205, SLH-DSA, a stateless hash-based signature scheme derived from SPHINCS+, provides a conservative signature option resting on different mathematics.
A fifth algorithm is on the way as a backup. In March 2025 NIST selected HQC, a key-encapsulation mechanism built on error-correcting codes rather than lattices, so that a future weakness in the lattice family would not leave defenders without an option. NIST said it expected a draft standard for HQC within about a year, though no draft had appeared by mid 2026, so the practical toolkit for now remains the three finalised standards plus the code-based backup in progress.
The regulatory clock is already running
Governments have turned the science into deadlines, and those deadlines are what will drive most real migrations. In the United States, National Security Memorandum 10 set a goal in 2022 of moving federal systems to post-quantum cryptography by 2035, and Office of Management and Budget memo M-23-02 required agencies to file prioritised cryptographic inventories. Inventory first, migrate by risk, was the pattern those instruments established, and they remain in force.
The pace tightened sharply in mid 2026. Executive Order 14412, signed on 22 June 2026, directs federal agencies to move their high-value and high-impact systems to post-quantum key establishment by 31 December 2030 and to post-quantum digital signatures by 31 December 2031, and the accompanying OMB memo M-26-15, dated 24 June 2026, lays out the phased plan to get there. It is worth being precise here, because reporting often overstates it. The new order does not repeal the older memorandum or its 2035 goal; it implements a firmer near-term schedule on top of the inventory regime that was already in place.
The National Security Agency’s CNSA 2.0 suite sets the pace for national security systems, and its dates have themselves been revised. The current guidance requires new acquisitions to be CNSA 2.0 compliant from 1 January 2027, phases out equipment that cannot support the new algorithms by 31 December 2030, mandates the CNSA 2.0 algorithms from 31 December 2031, and aims for all national security systems to be quantum-resistant by 2035. An older table that spoke of exclusive use by 2033 has been dropped, so the dates to work from are 2027, 2030 and 2031 leading to 2035.
Europe and the United Kingdom have published matching roadmaps. The United Kingdom’s National Cyber Security Centre asks organisations to finish discovery by 2028, complete high-priority migration by 2031, and finish the job by 2035, while the European Union’s coordinated roadmap sets first steps by the end of 2026, high-risk transition complete by 2030, and full transition by 2035. The transatlantic consensus lands on the same finish line even where the interim dates differ.
Who is already deploying defences
The reassuring news is that the largest platforms have already moved, often without users noticing. Google Chrome enabled a hybrid post-quantum key exchange by default in 2024, and since Chrome 131 in November 2024 it uses the standardised combination of X25519 and ML-KEM-768 rather than the earlier draft Kyber. Cloudflare has reported that the share of browser traffic across its network using post-quantum key agreement climbed from around two percent in early 2024 to over two-thirds by June 2026, which steadily shrinks the pool of fresh data an attacker can usefully harvest.
Messaging and infrastructure tools are on the same path, and some led the browsers by years. OpenSSH has defaulted to a post-quantum key agreement since 2022, Apple added its PQ3 protocol to iMessage in 2024, and Signal shipped its PQXDH handshake in 2023 and extended post-quantum protection into the ongoing message ratchet in October 2025. Cloud and operating-system vendors including Amazon Web Services, Microsoft and Mozilla now ship the new algorithms in mainstream products, and each rollout matters because it protects data in transit before the quantum machine that would read it exists.
One gap is worth naming honestly. These deployments protect the key exchange but not yet the certificate signatures that authenticate a connection, so the part that stops harvest now decrypt later is ahead of the part that stops live impersonation. That is why providers like Cloudflare are targeting full post-quantum authentication only by 2029, and why crypto-agility, rather than any single algorithm swap, is the real goal.
The case against the panic
A guide that only sounded the alarm would be doing the same selective job as the vendors selling the cure, so the honest counterargument deserves space. A serious strand of expert opinion holds that the harvest now decrypt later threat is overstated, and the sharpest version comes from Peter Gutmann of the University of Auckland, who calls the scenario a bogeyman. His argument is partly economic, since an attacker must set up a fresh and expensive computation for every stored key, and partly practical, since an adversary who truly wants your plaintext can compromise your systems today rather than gambling on a physics experiment three decades away.
Bruce Schneier makes a narrower and widely shared point about timing, noting that the largest number a quantum computer has legitimately factored remains 35, and that no one can yet say whether a code-breaking machine is a decade away or far longer. His conclusion is not complacency but a shift of motive. He supports migration mainly because crypto-agility, the ability to swap algorithms cleanly, is worth having whether or not the machine ever arrives. It is a reason to move that survives even if the quantum timeline slips.
The counter-rebuttal is just as credible, and it comes from cryptographers who are not selling anything. Daniel J. Bernstein argues that extrapolating a flat graph of tiny factorisations is the same mistake as doubting a Moon landing right up until it happens, and that the energy cost of a single break, which he likens to a long-haul flight, is no deterrent to a state. The trend supports him, since the resource estimates for breaking RSA-2048 fell twentyfold in six years.
The most telling shift is a change of mind. Scott Aaronson, who spent two decades puncturing quantum hype, has said he now urges people to switch to quantum-resistant encryption, because the hardware experts he trusts think a capable machine is plausible around 2029. When the field’s most practised skeptic moves toward caution, the sensible reading is neither panic nor dismissal, but a migration paced to the shelf life of your own data.
Is anyone actually doing this
One question deserves a blunt answer. There is no public evidence that any specific ciphertext is being warehoused right now in anticipation of quantum decryption, and the belief that it is rests on documented capability plus rational incentive rather than on an observed operation. Even the largest real bulk-interception campaigns of recent years were about stealing data with credentials, not hoarding it for a future machine, and the most honest framing is that harvest now decrypt later is a well-founded inference, not a proven fact. What is documented is that the capability, the legal basis and the incentive all exist at once, which is usually enough to justify a defence.
What to do about it
The response to harvest now decrypt later is a programme of work, not a single switch, and it starts with knowing what you have. None of the following is legal or investment advice, and every organisation should map these steps onto its own risk profile, but the sequence below is the one that regulators and standards bodies have converged on.
- Build a cryptographic inventory. Find every place your systems use encryption, from TLS endpoints to code signing, and record the algorithms and key lengths so you know your exposure.
- Rank by data shelf life. Apply the Mosca test and put the longest-lived secrets at the front of the queue, because those are the records an attacker most wants to capture today.
- Deploy hybrid key exchange first. Turn on hybrid schemes that pair a classical algorithm with ML-KEM for data in transit, since key establishment is where harvest now decrypt later does its damage.
- Build crypto-agility. Shorten certificate lifecycles and automate certificate management so that swapping algorithms later is routine rather than a crisis.
- Track vendor support. Confirm that your operating systems, browsers, VPNs and dependencies expose the new algorithms, and retire equipment that cannot be upgraded.
This is deliberately the short version, because the full playbook has its own guide. For a step-by-step programme, including how to run the discovery exercise and how to read the regulatory deadlines that apply to you, see our companion guide on how to prepare for quantum computing. This page explains the threat; that one walks through the defence in detail.
Where to go next on Quantum Zeitgeist
This page explains the threat and its evidence, and our wider coverage goes deeper on the players and the science. If you want to know who supplies the tools, our guide to the leading post-quantum cryptography companies profiles the vendors building quantum-safe products, and our explainer on Q-Day covers the moment those defences are racing against. To understand the machine on the other side of the threat, start with our guide to what quantum computing is.
For the market context, our directory of quantum computing companies maps the hardware and software firms racing toward that machine, and our roundup of publicly traded quantum companies tracks the ones you can follow on the markets. Together those pages show why the timeline in this article is contested yet taken seriously by investors and governments alike.
Frequently asked questions
What does harvest now decrypt later mean
Does harvest now decrypt later break AES-256
Does perfect forward secrecy protect against it
Is the attack actually happening today
Has this ever worked before
When could a quantum computer break RSA
What is Mosca’s inequality
What should an organisation do first
See today’s quantum computing news on Quantum Zeitgeist for the latest breakthroughs in qubits, hardware, algorithms, and industry deals.
