Harvest now, decrypt later
Harvest now, decrypt later (also called store now, decrypt later) is an attack model in which an adversary records encrypted traffic or stolen ciphertext today and archives it until a quantum computer capable of breaking the encryption exists. It makes the quantum threat a present-tense problem: data with a long confidentiality lifetime is already at risk, years before any such machine is built.
The attack model
The attack requires no quantum hardware today, only storage and access to ciphertext. An adversary positioned on a network path, at an exchange point, or inside a compromised service records encrypted sessions in bulk. Storage is cheap relative to the potential intelligence value, and the material can wait indefinitely. Once a cryptographically relevant quantum computer exists (Q-Day), the adversary replays the recorded handshakes through Shor's algorithm, recovers the session keys agreed via RSA, Diffie-Hellman, or elliptic curve key exchange, and decrypts everything.
Forward secrecy does not prevent this. Ephemeral Diffie-Hellman protects past sessions against future compromise of long-term keys, but the ephemeral exchange itself is recorded in the transcript, and Shor's algorithm breaks the exchange directly. Only replacing the key establishment with a quantum-resistant scheme closes the gap.
What is and is not at risk
The attack threatens confidentiality retroactively, but not authentication. A future forger cannot travel back and inject messages into yesterday's session; signatures only need to be secure at the moment they are verified. This asymmetry sets the migration priority order that real deployments follow: quantum-resistant key establishment first, signature migration second (PKI migration to post-quantum). It is why TLS, Signal's PQXDH, and Apple's iMessage PQ3 all upgraded key agreement years before certificates changed; Apple's design documentation cites harvest now, decrypt later as the explicit motivation (Apple 2024).
The most exposed data classes share one property: a confidentiality lifetime longer than the plausible time to a CRQC.
- Government and military material, where classification periods run 25 years or more
- Diplomatic communications and intelligence sources, where exposure endangers people decades later
- Health and genomic records, sensitive for a lifetime and, for genetic data, across generations
- Biometric templates, which cannot be rotated like passwords
- Legal, corporate, and industrial secrets with multi-decade relevance
- Long-lived infrastructure credentials and key material embedded in hardware
- Public keys exposed on blockchains, where signing keys guard funds indefinitely (quantum threat to ECDSA)
Ephemeral data with short relevance, such as most routine web browsing, carries correspondingly low harvest value.
Government guidance
Harvest now, decrypt later is the stated rationale across major government migration mandates. The NSA's CNSA 2.0 advisory directs US national security systems to transition to quantum-resistant algorithms on a fixed schedule precisely because of the threat to long-lived data (NSA CNSA 2.0). A joint CISA, NSA, and NIST factsheet urges organizations to inventory cryptography and begin migration planning now, citing the recording threat (CISA 2023). NIST's draft transition guidance schedules the deprecation of quantum-vulnerable algorithms after 2030 and disallowance after 2035 (NIST IR 8547). In Europe, France's ANSSI recommends hybrid post-quantum protection now for information that must remain confidential into the 2030s (ANSSI 2022), and Germany's BSI gives similar advice.
The underlying arithmetic is Mosca's inequality: if data shelf life plus migration time exceeds the time until a CRQC, protection has already failed (Mosca 2015); see Q-Day.
Mitigation
The only effective defense is deploying quantum-resistant key establishment before sensitive data is transmitted. In practice that means ML-KEM in hybrid mode, as now enabled by default in major browsers (browser post-quantum adoption) and in messaging protocols. Complementary measures from the government guidance: maintain a cryptographic inventory, build cryptographic agility so algorithms can be swapped quickly, and minimize retention of ciphertext-exposed sensitive data. Re-encrypting stored archives helps against future theft, but nothing recovers traffic an adversary has already recorded; every day of delay adds permanently to the exposed corpus.
Sources
- Post-Quantum Cybersecurity Resources (CNSA 2.0) (NSA, 2022)
- Quantum-Readiness: Migration to Post-Quantum Cryptography (CISA, NSA, NIST, 2023)
- NIST IR 8547 (Initial Public Draft), Transition to Post-Quantum Cryptography Standards (NIST, 2024)
- ANSSI views on the Post-Quantum Cryptography transition (ANSSI, 2022)
- Cybersecurity in an era with quantum computers: will we be ready? (IACR ePrint, 2015)
- iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple Security Engineering, 2024)
Cite this entry
"Harvest now, decrypt later." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/harvest-now-decrypt-later@misc{pqwiki-harvest-now-decrypt-later,
title = {Harvest now, decrypt later},
howpublished = {\url{https://postquantum.wiki/harvest-now-decrypt-later}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}