Key insight
“The quantum computer isn’t built yet” is no defence. An adversary can record your encrypted traffic today and decrypt it years later once the machine exists — the Harvest Now, Decrypt Later attack. So the real question isn’t “is my data safe now?” but “will it still need to be secret when quantum arrives?” Mosca’s inequality makes this concrete: if (how long your data must stay secret) + (how long migration takes) is greater than (years until the quantum threat), you are already late.
Attackers are stockpiling your encrypted data now to open it later, so any secret with a long shelf life is effectively exposed today — and slow migration only widens the gap.
The Foundations articles ended on a clean verdict: Shor breaks public-key cryptography, and a large enough quantum computer will pick those locks. The natural response is: “fine — we’ll deal with it when the machine exists.” This article dismantles that comfort.
The recording attack, step by step
When you send encrypted data across the internet, anyone positioned along the path — a hostile network operator, an intelligence agency tapping a cable, a compromised router — can copy it as it passes. They can’t read it today; it’s scrambled with cryptography their current computers can’t break. But nothing stops them from saving the scrambled data and waiting.
- Harvest (today). The adversary records your encrypted traffic — TLS sessions, VPN tunnels, encrypted backups in transit — and files it away. Storage is cheap; patience is free.
- Wait (years). The recording sits in an archive while quantum hardware matures.
- Decrypt (later). Once a cryptographically-relevant quantum computer exists, they run Shor’s algorithm against the recorded key exchange, recover the session key, and read everything — retroactively.
Whose data is already exposed?
The attack only matters for data that must stay confidential long enough to still be sensitive at Q-day. A surprising amount qualifies:
| Data type | Must stay secret for… |
|---|---|
| Health & medical records | A lifetime |
| Government / military classification | Decades (often 25–75 years) |
| Biometrics (fingerprints, genome) | Forever — you can’t reissue them |
| Trade secrets, source code, formulas | Product lifetime & beyond |
| Financial, tax & identity data | Many years |
| Legal, diplomatic, M&A communications | Years to decades |
A stolen password can be reset; a leaked fingerprint or genome cannot. Long-lived, unchangeable secrets are the most damaging harvest-now targets, because their exposure at Q-day is permanent and irreversible. These deserve the very first attention in any readiness plan.
Mosca’s inequality: are you already late?
Cryptographer Michele Mosca gave us a wonderfully simple way to reason about the deadline, using three durations:
- X — shelf life: how many years your data must stay secret.
- Y — migration time: how many years to move your systems to quantum-safe cryptography.
- Z — threat timeline: how many years until a quantum computer can break today’s public-key crypto.
The logic is airtight: if it takes you Y years to migrate, then anything you encrypt during those years is protected by the old algorithms. If that data must remain secret for X more years, its protection needs to survive until X + Y years from today. If the quantum threat arrives before then (Z < X + Y), the protection fails while the secret still matters. You lose.
A worked example
Suppose the quantum threat is 15 years away (Z = 15) — comfortably distant, you might think. Your data must stay secret for 10 years (X = 10). And a realistic enterprise cryptographic migration takes 6 years (Y = 6) — inventory, testing, vendor updates, phased rollout across thousands of systems.
Then X + Y = 10 + 6 = 16, which is greater than Z = 15. Despite the threat being “15 years off,” you are already one year behind. The villain here is Y: migration is slow, and every year you delay starting is a year added directly to your exposure.
Nobody knows Z precisely — estimates for a cryptographically-relevant quantum computer commonly range from the early-to-mid 2030s onward, and NIST’s transition guidance targets deprecating vulnerable algorithms around 2030 and disallowing them after 2035. The honest posture is to treat Z as uncertain but not distant, and to attack the number you actually control: Y. Shrinking migration time is the whole point of a readiness assessment.
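As an added example (not from the original article), the sketch below applies Mosca's inequality across a data inventory and two Z estimates rather than one worked case, generalizing the X = 10, Y = 6, Z = 15 example above. The asset names, their shelf lives, and the Z = 10 scenario are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life: float      # X: years the data must stay secret
    migration_time: float  # Y: years until the system protecting it is quantum-safe

def mosca(asset, z):
    """Evaluate X + Y > Z for one asset against a threat timeline z (years)."""
    x, y = asset.shelf_life, asset.migration_time
    years_late = max(0.0, x + y - z)   # > 0 means X + Y > Z
    budget = z - x                     # largest Y that still keeps X + Y <= Z
    # Data encrypted in year t (0 <= t < Y) still uses the old algorithms and
    # is exposed when t + X > Z, i.e. for every t after max(0, Z - X).
    exposed_window = max(0.0, y - max(0.0, budget))
    return {"asset": asset.name, "late": years_late > 0, "years_late": years_late,
            "migration_budget": budget, "exposed_window": exposed_window}

def triage(assets, z_early, z_late):
    """Rank assets most-urgent first, judged against the earlier Z estimate."""
    rows = []
    for a in assets:
        early, late = mosca(a, z_early), mosca(a, z_late)
        early["late_even_if_z_is_late"] = late["late"]
        rows.append(early)
    return sorted(rows, key=lambda r: r["years_late"], reverse=True)

# Constructed inventory: names and X values are illustrative, not from a real audit.
# Y = 6 and the "10-year records" row reuse the article's worked example.
INVENTORY = [
    Asset("session telemetry", shelf_life=1, migration_time=6),
    Asset("10-year records", shelf_life=10, migration_time=6),
    Asset("biometric templates", shelf_life=60, migration_time=6),
    Asset("M&A correspondence", shelf_life=8, migration_time=6),
]

if __name__ == "__main__":
    # Z = 15 is the article's example; Z = 10 is an assumed pessimistic scenario.
    for r in triage(INVENTORY, z_early=10, z_late=15):
        print(f'{r["asset"]:<22} late={r["late"]!s:<5} years_late={r["years_late"]:>4.0f} '
              f'budget={r["migration_budget"]:>4.0f} exposed_window={r["exposed_window"]:.0f} '
              f'late_at_Z15={r["late_even_if_z_is_late"]}')
```

The `migration_budget` column is the largest Y that still satisfies the inequality for that asset; a zero or negative budget means no migration speed-up alone can close the gap for data already in flight.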
A subtlety: signatures fail differently
Harvest-now-decrypt-later mainly threatens confidentiality — secrets recorded today and read later. Digital signatures have a different risk profile: a signature only needs to resist forgery at the moment it’s trusted, so a recording made today can’t be “forged retroactively.” But signatures have their own long-horizon problem: anything meant to stay verifiable for decades (long-lived firmware-signing keys, root certificates, signed legal documents, software you’ll still trust in 2040) must move to quantum-safe signatures before Q-day, or that trust collapses. We’ll map both failure modes precisely in the next article.
What this changes about your priorities
- Confidentiality-first triage. Rank data by shelf life. Long-lived, unchangeable secrets (biometrics, health, classified, keys) migrate first — they’re being harvested now.
- Protect data in transit and at rest early. Adopt quantum-safe (hybrid) key exchange for your most sensitive channels as soon as it’s available, even before a full migration.
- Treat Y as the emergency. Begin inventory and crypto-agility work immediately; those are the long poles that determine whether you beat the deadline.
- Don’t wait for certainty about Z. By the time Q-day is announced, the harvested data is already decrypted.
- Harvest Now, Decrypt Later (HNDL): Recording encrypted data today to decrypt once a quantum computer exists. Also “store now, decrypt later” / “retrospective decryption.”
- Q-day: Informal name for the day a cryptographically-relevant quantum computer becomes available.
- Mosca’s inequality: If shelf life (X) + migration time (Y) > threat timeline (Z), you’re already exposed.
- Shelf life / data confidentiality lifetime: How long a piece of data must remain secret.
- TLS (Transport Layer Security) / VPN (Virtual Private Network): Two everyday encrypted channels — web traffic and network tunnels — whose recordings are prime harvest-now targets.
- NIST (National Institute of Standards and Technology): The US standards body whose transition timeline (deprecate ~2030, disallow after 2035) anchors the Z estimate.
What to carry forward
- The attack is present-tense: harvesting happens now; only decryption waits.
- Ask “will it still be secret at Q-day?” — long-lived secrets are effectively exposed today.
- X + Y > Z means you’re already late; the controllable term is Y (migration time).
- Prioritise long-lived, unchangeable confidential data first.
Next: What Breaks — RSA, ECC, PKI, TLS — a guided tour of exactly which real-world systems fall when public-key falls, and how they’re connected.
⚡ AI-first? Training data, model weights, and embeddings are textbook long-lived secrets — see Quantum-Safe AI for how harvest-now-decrypt-later hits AI systems.
Understand it in your own words
Paste into any AI assistant to check yourself:
I'm learning why the quantum threat is urgent even before the computer
exists. Quiz me one question at a time, correcting me gently:
1. Explain "harvest now, decrypt later" in my own words. What is copied
today, and what waits?
2. Why is a long "shelf life" the thing that makes data vulnerable to
this attack? Give examples of data with a long shelf life.
3. State Mosca's inequality (X + Y vs Z) and explain what each letter
means.
4. If the quantum threat is 15 years away, my data must stay secret 10
years, and migration takes 6 years — am I safe? Do the sum.
5. Which of the three numbers do I actually control, and what should I
do about it right now?
References & further reading
- M. Mosca, “Cybersecurity in an Era with Quantum Computers: Will We Be Ready?” IEEE Security & Privacy, 2018 — origin of the X+Y>Z framing.
- CISA, NSA & NIST, Quantum-Readiness: Migration to Post-Quantum Cryptography (2023) — official guidance naming the harvest-now threat. cisa.gov/quantum
- NIST IR 8547 (draft), Transition to Post-Quantum Cryptography Standards — deprecation ~2030, disallowed after 2035. csrc.nist.gov
- NSA, CNSA 2.0 — timelines urging early migration for long-lived data. nsa.gov/cybersecurity