Post-quantum cryptography and cybersecurity

Most people assume their encrypted data is safe indefinitely. Send a secure message, make an online banking transfer, upload files to the cloud — the reasonable expectation is that no outsider can read any of it.

Right now, that assumption mostly holds.

But security researchers are increasingly focused on a long-term threat called “Harvest Now, Decrypt Later” (HNDL). The premise is simple and unsettling: adversaries can silently collect encrypted data today, archive it for years, and wait for quantum computers powerful enough to crack the encryption retroactively.

That single concern is now driving one of the largest cryptographic transitions in the history of computing — the global shift toward post-quantum cryptography (PQC). Governments, cloud providers, banks, telecoms, and defense contractors are all actively preparing. And unlike most quantum computing headlines, this is not speculation about a distant future.

The migration is already underway.


How the Internet Encrypts Everything

Encryption is the invisible infrastructure beneath the modern digital economy. Without it, online banking would be trivially compromised, passwords would travel in plaintext, private messages could be intercepted by anyone on the network, and governments couldn’t communicate securely.

The system protecting most internet traffic today is called public-key cryptography. Its central insight is elegant: a server openly shares one key with the world while keeping a second key entirely private. Anyone can use the public key to send information securely; only the server’s private key can unlock it.

Think of it like a special lockbox. Anyone can drop a letter inside and close the latch. But only the box owner holds the key to open it.

This is, roughly, how RSA and elliptic curve cryptography (ECC) work. When your browser connects to a secure website:

  1. It receives the site’s public key.
  2. It uses that key to negotiate a shared secret over an otherwise public channel.
  3. Both sides establish an encrypted session.

The result powers HTTPS, VPNs, encrypted messaging, digital certificates, and virtually all secure cloud infrastructure.


Why RSA Is So Hard to Break — For Now

RSA encryption rests on a simple but profound mathematical asymmetry. Multiplying two large prime numbers together is fast. Reversing that operation — recovering the original primes from only their product — becomes computationally brutal as the numbers grow. For numbers hundreds of digits long, even the world’s most powerful classical supercomputers would need impractical amounts of time to factor them.

That difficulty is what keeps today’s internet secure.

At least against classical computers.


Quantum Computers Change the Rules

Quantum computers operate on fundamentally different principles. Where classical computers process bits — each a definitive 0 or 1 — quantum computers use qubits, which exploit quantum mechanical phenomena so that certain calculations can be carried out in ways no classical machine can replicate.

This does not make quantum computers universally faster. For most everyday tasks, they are not. But for specific categories of mathematical problems, sufficiently advanced quantum systems could be extraordinarily powerful.

One of those problem categories happens to be the mathematical foundation of modern public-key cryptography.


The Threat: Shor’s Algorithm

In 1994, mathematician Peter Shor developed a quantum algorithm capable of solving integer factorization — and the related discrete logarithm problem — far more efficiently than any known classical method. Shor’s algorithm would allow a sufficiently capable quantum computer to break:

  • RSA
  • Diffie-Hellman key exchange
  • Elliptic curve cryptography (ECC)

These systems collectively protect the vast majority of encrypted internet traffic. That is why the cryptography community has been watching quantum computing research so carefully for three decades.
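The reduction at the heart of that threat, as an added example that is not part of the original article: Shor’s algorithm turns factoring into finding the period r of a^x mod N, and only that period-finding step needs a quantum computer. Here the period is found by brute force (the part that is exponentially slow classically), and the recovered factors rebuild the private exponent of a toy RSA key; the public key (n, e) = (3233, 17) and the ciphertext are constructed values.

```python
# Added example: the classical half of Shor's algorithm on a toy RSA modulus.
from math import gcd
from random import randrange
from typing import Optional, Tuple

def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n). Brute force here: this is the one
    step that Shor's algorithm hands to a quantum computer."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_factor(n: int, max_tries: int = 50) -> Optional[Tuple[int, int]]:
    """Recover a non-trivial factor pair of n from the period of a random base a."""
    for _ in range(max_tries):
        a = randrange(2, n)
        g = gcd(a, n)
        if g != 1:             # lucky base: a already shares a factor with n
            return (g, n // g)
        r = find_period(a, n)
        if r % 2:              # an odd period gives nothing; pick another base
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:         # a^(r/2) = -1 (mod n) yields only trivial factors
            continue
        p = gcd(y - 1, n)
        if 1 < p < n:
            return (p, n // p)
    return None                # vanishingly unlikely for a product of two odd primes

def break_toy_rsa(n: int, e: int, ciphertext: int) -> int:
    """Given only the public key (n, e), factor n, rebuild d, and decrypt."""
    pair = shor_factor(n)
    if pair is None:
        raise ValueError("period finding failed to produce a factor")
    p, q = pair
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse of e (Python 3.8+)
    return pow(ciphertext, d, n)

# Constructed toy key: n = 61 * 53, e = 17; the ciphertext of m = 65 is 2790.
if __name__ == "__main__":
    print(shor_factor(3233), break_toy_rsa(3233, 17, 2790))
```

With a 2048-bit modulus the brute-force `find_period` loop is the whole problem; replacing it with quantum period finding is exactly what makes the rest of this code dangerous.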


An Important Reality Check

Quantum computers cannot break the internet today.

That distinction matters enormously, and it is often lost in media coverage.

Current quantum systems face severe engineering limitations: high error rates, unstable qubits, significant scaling challenges, and demanding physical requirements such as near-absolute-zero cooling. No publicly known quantum computer can attack modern RSA encryption at any practical scale.

Google’s Willow chip, announced in December 2024, represented meaningful progress in quantum error correction — but security analysts noted it did not meaningfully reduce the estimated timeline to a cryptographically relevant quantum computer (CRQC) capable of breaking public-key encryption. The chip’s celebrated benchmark involved a narrow class of mathematical problems unrelated to breaking encryption.

Still, cybersecurity planning operates well ahead of immediate threats — because the bigger risk is not what adversaries can decrypt today.

It is what they may be able to decrypt years from now.


What “Harvest Now, Decrypt Later” Actually Means

Imagine an intelligence service intercepting encrypted diplomatic cables today. The contents are unreadable. Rather than discarding them, the service archives everything in long-term storage.

A decade later, capable quantum computers exist. The encryption that once protected those cables no longer does. Archived communications become readable retroactively.

That is the HNDL threat model.

Attackers do not need a quantum computer right now. They need only three things: access to encrypted data in transit today, storage capacity, and patience. The attack is passive and undetectable at the time it occurs.

This makes HNDL particularly dangerous for data with long shelf-lives:

  • Military and diplomatic communications
  • Healthcare and genomic records
  • Intellectual property and trade secrets
  • Financial transaction histories
  • Government identification and authentication data

A stolen password becomes worthless in hours. A classified defense document may remain valuable for decades. The asymmetry is what makes HNDL so urgent to address now, rather than waiting for quantum computers to mature.


Why Governments Are Acting Before the Threat Arrives

Replacing global cryptographic infrastructure takes a very long time — and that timeline is one of the primary reasons governments are not waiting.

Encryption is deeply embedded into routers, operating systems, cloud platforms, banking systems, satellites, industrial control systems, telecom infrastructure, firmware, and hardware security modules. Many of these systems were never designed to swap cryptographic algorithms on demand. Some were deployed decades ago and will remain in service for decades more.

In August 2024, NIST published its first three finalized post-quantum cryptography standards: FIPS 203 (ML-KEM, for general encryption), FIPS 204 (ML-DSA, the primary digital signature standard), and FIPS 205 (SLH-DSA, a hash-based backup signature scheme). Two of the three — ML-KEM and ML-DSA — were developed by IBM researchers in collaboration with academic and industry partners.

The NSA’s CNSA 2.0 initiative sets 2030 as the mandatory migration deadline for U.S. National Security Systems, while NIST mandates that federal systems complete migration by 2035.

The conversation has shifted decisively from “should we research post-quantum cryptography?” to “how do we deploy it at scale before the deadline?”


What Post-Quantum Cryptography Actually Is

Post-quantum cryptography refers to encryption algorithms designed to resist attacks from future quantum computers — using today’s classical hardware. These are not quantum systems themselves; they are new mathematical approaches that even a capable quantum computer would struggle to break.

NIST’s primary standards rely on lattice-based mathematics: ML-KEM (the Module-Lattice-Based Key Encapsulation Mechanism) handles key exchange, while ML-DSA (the Module-Lattice-Based Digital Signature Algorithm) handles authentication. A third standard, SLH-DSA, uses stateless hash-based signatures as a mathematically independent backup.

The goal is not to stop quantum computers. It is to make encryption that quantum computers cannot efficiently break.


Why Migration Is So Difficult

Upgrading the world’s cryptographic infrastructure is not like patching software. It is closer to re-engineering the foundations of a building while people continue to live and work inside it.

Larger keys and signatures. Many PQC algorithms require significantly larger keys and signatures than their classical equivalents. ML-KEM public keys are approximately 1,200 bytes and ciphertexts around 1,100 bytes — considerably larger than ECC equivalents. This creates real friction for constrained devices: IoT sensors, smart cards, satellites, and embedded systems often have limited memory and bandwidth budgets that were never designed to accommodate these sizes.

Protocol ossification. Some internet protocols tacitly assume small cryptographic payloads. When Cloudflare and Chrome tested early post-quantum key exchange algorithms, certain network middleboxes and load balancers failed because they assumed TLS handshake messages would always fit within a single network packet. Compatibility testing at internet scale surfaces problems that laboratory testing cannot anticipate.

Interoperability across layers. A single encrypted connection can involve browsers, operating systems, cloud providers, certificate authorities, VPN gateways, and hardware security modules — each potentially from a different vendor. Changing the cryptographic algorithm at one layer can cascade across all the others. This is why many organizations are deploying hybrid approaches that run a classical algorithm and a post-quantum algorithm simultaneously during the transition, ensuring backward compatibility without sacrificing forward security.

Crypto agility. Perhaps the deepest organizational challenge is structural. Historically, many systems hardcoded specific cryptographic algorithms into their architecture. When algorithms need to change — whether due to a discovered vulnerability or a new standard — systems without crypto agility face expensive redesigns. The post-quantum transition is accelerating the industry’s recognition that cryptographic flexibility must be treated as a first-class engineering requirement.


The Migration Is Already Happening

The transition from theory to deployment has moved faster than many expected.

As of late 2025, over half of human-initiated traffic reaching Cloudflare’s network is protected against harvest-now/decrypt-later attacks using post-quantum encryption. That figure was around 2% in early 2024. The acceleration was driven largely by Google Chrome 124, which enabled post-quantum key agreement by default in April 2024, pushing adoption from roughly 2% to around 12% within a single month.

Apple announced PQC protection for iMessage in 2024. Signal had already deployed it. Firefox began rolling out post-quantum defaults. NIST has also signaled that classical algorithms like RSA and ECC will be deprecated by 2030 and completely disallowed in U.S. federal contexts by 2035.

Most users have no idea this is happening — which is precisely the point. The strongest available encryption is being deployed silently, in the background, without disrupting existing workflows.


Common Misconceptions Worth Correcting

“Quantum computers have already broken encryption.” False. No publicly known quantum system can attack modern RSA or ECC at practical scale today.

“The internet will fail suddenly on a specific day.” Unlikely. Migration is gradual and already underway. There is no single cliff edge.

“All encryption becomes useless.” Misleading. Symmetric encryption — such as AES — is affected differently. Doubling the key length (e.g., moving from AES-128 to AES-256) is generally considered sufficient to neutralize the quantum advantage from Grover’s algorithm, which is a weaker threat than Shor’s. The acute risk is concentrated in public-key systems: RSA, Diffie-Hellman, and ECC.


What This Means for Organizations

For businesses, post-quantum cryptography is not only a technology problem. It is increasingly a risk management and compliance problem.

Organizations with sensitive long-term data should be asking:

  • Do we have a cryptographic inventory? Most organizations do not know where all their encryption is deployed, which algorithms are in use, or which systems depend on each other cryptographically.
  • Are we exposed to HNDL today? If your communications carry information that would remain sensitive five to fifteen years from now, adversaries may already be harvesting it.
  • What is our migration timeline against regulatory deadlines? Government contractors, financial institutions, and healthcare organizations face specific compliance windows.
  • Do our vendors have crypto agility? A vendor that cannot upgrade its cryptographic stack becomes a weak link in your security posture.

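A minimal version of the inventory and exposure check asked for above, as an added example that is not part of the original article: it reads TLS handshake records, classifies each key exchange as post-quantum hybrid (the approach described in the migration section) or classical, and flags connections whose data must stay confidential beyond a five-year horizon yet were negotiated with a key exchange Shor’s algorithm could later unwind. The log format, hostnames, retention figures and the five-year threshold are constructed for this example; X25519MLKEM768 and SecP256r1MLKEM768 are the names used for ML-KEM hybrid key shares in TLS.

```python
import re
from collections import Counter

# Constructed log format for this example: whitespace-separated key=value fields.
RECORD_RE = re.compile(r"(\w+)=(\S+)")
# Named groups carrying an ML-KEM share (X25519MLKEM768, SecP256r1MLKEM768) or the
# earlier Kyber draft codepoints count as post-quantum hybrid key agreement.
PQ_GROUP_RE = re.compile(r"MLKEM|Kyber", re.IGNORECASE)

def parse_record(line: str) -> dict:
    return dict(RECORD_RE.findall(line))

def classify_kex(rec: dict) -> str:
    """Classify the key exchange: 'pq-hybrid', 'classical-ecdh', or 'classical-rsa'.
    Signature algorithms are deliberately ignored: HNDL is about the confidentiality
    of recorded traffic, and a future forgery cannot retroactively alter a session
    that was already authenticated."""
    group = rec.get("group", "")
    if PQ_GROUP_RE.search(group):
        return "pq-hybrid"
    if group:
        return "classical-ecdh"      # X25519, secp256r1, ffdhe*: Shor-breakable
    return "classical-rsa"           # TLS 1.2 RSA key transport: no key share at all

def hndl_report(lines, min_sensitive_years: int = 5) -> dict:
    """Count key-exchange types and list connections whose data must stay secret
    longer than min_sensitive_years (assumed horizon) but used a classical exchange."""
    counts, exposed = Counter(), []
    for line in lines:
        rec = parse_record(line)
        kex = classify_kex(rec)
        counts[kex] += 1
        years = int(rec.get("retention_years", 0))
        if kex != "pq-hybrid" and years >= min_sensitive_years:
            exposed.append({"dst": rec["dst"], "kex": kex, "retention_years": years})
    return {"counts": dict(counts), "exposed": exposed}

# Constructed sample records (hostnames and retention periods are invented).
SAMPLE_LOG = [
    "ts=2025-11-03T10:01:02Z dst=mail.corp.internal:443 tls=1.3 group=X25519MLKEM768 retention_years=10",
    "ts=2025-11-03T10:01:05Z dst=hr-archive.corp.internal:443 tls=1.3 group=X25519 retention_years=25",
    "ts=2025-11-03T10:01:09Z dst=legacy-erp.corp.internal:443 tls=1.2 cipher=TLS_RSA_WITH_AES_128_GCM_SHA256 retention_years=7",
    "ts=2025-11-03T10:01:11Z dst=cdn-static.example.net:443 tls=1.3 group=X25519 retention_years=0",
]

if __name__ == "__main__":
    for item in hndl_report(SAMPLE_LOG)["exposed"]:
        print(f"HNDL-exposed: {item['dst']} ({item['kex']}, kept {item['retention_years']}y)")
```

Only the two long-retention classical connections are flagged; the public CDN fetch uses classical X25519 too but carries nothing worth harvesting, which is the distinction a cryptographic inventory has to make.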
The organizations likely to face the most disruption are those with long-lived systems — critical infrastructure, manufacturing equipment, satellite networks — where hardware replacement cycles stretch over decades.


The Geopolitical Dimension

Quantum technology has become a strategic national priority. The United States, China, the European Union, and several other nations are investing heavily in quantum computing research, post-quantum cryptography standards, and quantum networking.

The concern is not only defensive. If one nation develops a cryptographically relevant quantum computer before others, it would gain the ability to decrypt archived communications that its adversaries believed were permanently protected. The intelligence advantage would be enormous and retroactive — reaching back to every communication ever intercepted and stored.

That possibility helps explain why standards development has moved with unusual urgency, and why export controls on quantum hardware and expertise have become geopolitically significant.


The Central Uncertainty: Nobody Knows When

The most difficult aspect of post-quantum planning is that the timeline is genuinely unknown.

Credible expert estimates for the arrival of a cryptographically relevant quantum computer range from roughly a decade to several decades. Some researchers believe unexpected engineering breakthroughs could compress that timeline. Others believe the physical challenges of building fault-tolerant large-scale quantum systems are more stubborn than current optimism suggests.

What security experts largely agree on is this: waiting for certainty is not a viable strategy.

The HNDL threat means adversaries do not need a quantum computer to begin the attack. They only need to be recording encrypted traffic right now. By the time a capable quantum computer exists, the data collection window may already have closed — and the archive may already be enormous.

That is why the post-quantum migration is happening today, against a threat that may not fully materialize for years. And it is why the organizations and governments that treat this as a future problem are already behind.


Frequently Asked Questions

What is “Harvest Now, Decrypt Later” (HNDL)? HNDL is a cyberattack strategy in which adversaries collect and store encrypted data today — without being able to read it — and wait for future quantum computers powerful enough to break the encryption retroactively. It is a passive, undetectable threat that makes current encryption of long-lived sensitive data urgently relevant.

Can quantum computers break encryption today? No. Current quantum systems cannot break modern RSA or elliptic curve cryptography at any practical scale. The concern is about future systems that do not yet exist.

What is post-quantum cryptography? Post-quantum cryptography (PQC) refers to encryption algorithms — designed to run on classical computers — that are mathematically resistant to attacks from future quantum computers. The leading standards, finalized by NIST in August 2024, are ML-KEM (for key exchange) and ML-DSA (for digital signatures), both based on lattice mathematics.

What did NIST standardize in 2024? NIST finalized three post-quantum standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). A fourth standard, FIPS 206 (FN-DSA, based on FALCON), was published in 2025.

When do organizations need to complete migration? The NSA’s CNSA 2.0 framework sets 2030 as the deadline for U.S. National Security Systems. NIST requires full federal migration by 2035. Classical algorithms like RSA and ECC are scheduled for deprecation in federal contexts by 2030.

Is post-quantum cryptography already deployed? Yes, and adoption is accelerating rapidly. As of late 2025, over half of human-initiated web traffic through Cloudflare’s network uses post-quantum encryption. Major browsers including Chrome and Firefox have enabled it by default.