Sven Erik Matzen

Software Architect | Cloud & Security Expert | Scalable Solutions

Harvest Now, Decrypt Later: Post-Quantum Cryptography and the Race Against the Quantum Computer

EU label: fully AI-generated content. This article was generated using AI systems (e.g. Claude Code, Perplexity) and may contain errors or hallucinations.


IT Security · 2026-06-22 · approx. 30 minutes

The Hook: A Theft No One Notices

Picture a burglar who breaks into a vault, photographs all the locked safe-deposit boxes, copies the steel doors along with all their locks — and leaves again without opening a single box. He takes not the contents but the locked containers themselves. An absurd theft, you think. What good is a safe-deposit box he cannot open?

The answer: he knows that in ten years a master key will exist. And he is willing to wait.

This very theft is happening right now — millionfold, on an industrial scale, across the internet. Intelligence services and criminal actors intercept encrypted traffic and store it in reserve. Banking data, health records, diplomatic correspondence, trade secrets, state secrets. Today this data is protected by strong encryption and is worthless noise to any attacker. But the attackers are betting that a sufficiently powerful quantum computer will one day crack this encryption in minutes. Then the vaults stolen today will be opened retroactively. This strategy has its own, disturbingly sober name: "harvest now, decrypt later."

What is remarkable about it is the timeline. Most cyber threats act immediately: ransomware encrypts now, phishing steals now. The quantum threat works backward into the future. Data you encrypt today can be exposed a decade from now — and for many secrets (the identities of sources, military plans, personal data with lifelong relevance), a decade is not a reassuring but an alarmingly short protection horizon.

This article explains why a quantum computer breaks today's encryption, why a wholly new class of methods — post-quantum cryptography (PQC) — can fend it off, which standards the U.S. NIST has set for it since 2024, how large providers like Apple and Cloudflare are already rolling these methods out, and which practical steps follow from this for any organization. It is the story of a race whose finish line no one knows precisely — but where it is already clear that the prudent must start today.


Part 1: Why the Quantum Computer Breaks Today's Encryption

Two Families of Cryptography

To understand the threat, one must distinguish two fundamentally different tools of modern cryptography.

The first family is symmetric encryption (such as AES). Here sender and receiver share the same secret key. It is fast and robust and protects the actual bulk data — the hard disk, the contents of an encrypted connection.

The second family is asymmetric cryptography, or public-key cryptography (RSA, Diffie-Hellman, elliptic curves). It solves a seemingly impossible problem: how do two parties who have never met before and who communicate over a tapped line agree on a shared secret key? And how can you "sign" digitally, so that anyone can verify authenticity but no one can forge the signature? Asymmetric cryptography is the invisible foundation on which trust on the internet rests: every padlock symbol in the browser (TLS/HTTPS), every software signature, every secure messenger connection, every bank transaction.

The crucial insight is: the quantum computer threatens above all the second family. And because the second family handles the key exchange for the first, the entire edifice topples with it.

The Mathematical Bet of Public-Key Cryptography

The security of RSA rests on a simple asymmetry: multiplying two large prime numbers is trivial for a computer. Decomposing a very large number back into its two prime factors, by contrast, is practically impossible — a classical computer would need longer than the age of the universe for an RSA-2048 number. Elliptic-curve cryptography (ECC) rests on a related problem, the discrete logarithm. Both methods are therefore bets that certain mathematical operations are practicable in only one direction.

This bet was considered safe for decades. Until 1994.

Shor's Algorithm: The Achilles' Heel

In 1994 the mathematician Peter Shor showed that a sufficiently large quantum computer can efficiently factor numbers and compute discrete logarithms. Shor's algorithm exploits a property that classical computers lack: it puts a quantum state into a superposition of many possible values at once and uses interference to filter out the period of the modular exponentiation — and from this period the prime factors can be derived directly (Fortinet). What is exponentially hard for a classical computer becomes efficiently solvable for the quantum computer.

The consequence is brutal and unambiguous: a sufficiently large, error-corrected quantum computer breaks RSA and ECC completely. Not "weakens," but breaks — the methods become worthless.
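To make the step "from this period the prime factors can be derived directly" concrete, here is an added example (not code from the article) that implements Shor's classical post-processing in Python. The quantum part, finding the period r of a^x mod N, is replaced by a brute-force loop that only works for toy moduli; everything after that is exactly the cheap classical arithmetic a real Shor run finishes with.

```python
"""Shor's factoring reduction with the quantum period-finding step replaced
by brute force.  Added example for this article, not from the original text.
Only works for toy-sized N, which is the point: the post-processing is cheap,
period finding is the expensive part a quantum computer would do."""
from math import gcd
from random import randrange


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n).  Brute force, exponential in the
    bit length of n.  This is the step Shor's algorithm performs efficiently
    with superposition and interference.  Requires gcd(a, n) == 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_period(a: int, r: int, n: int):
    """Classical post-processing: if r is even and a^(r/2) != -1 (mod n),
    then gcd(a^(r/2) - 1, n) or gcd(a^(r/2) + 1, n) is a non-trivial factor."""
    if r % 2:
        return None                      # odd period: pick another a
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial square root of 1: pick another a
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_factor(n: int, rng=randrange, max_tries: int = 50):
    """Return a non-trivial factor of an odd composite n, or None if unlucky."""
    for _ in range(max_tries):
        a = rng(2, n - 1)
        g = gcd(a, n)
        if g > 1:
            return g                     # a already shares a factor with n
        r = find_period(a, n)
        f = factor_from_period(a, r, n)
        if f:
            return f
    return None


if __name__ == "__main__":
    for n in (15, 21, 3233):             # 3233 = 53 * 61, a constructed toy modulus
        f = shor_factor(n)
        print(f"{n} = {f} * {n // f}")
```

Everything in `factor_from_period` runs in polynomial time; the only expensive call is `find_period`, and that is precisely the part Shor's algorithm moves onto the quantum computer.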

For symmetric encryption (AES), the situation is more relaxed. Here a different quantum algorithm applies, Grover's algorithm, which only speeds up a search quadratically. In practice this means: the effective key length halves. AES-128 would drop to roughly the security of a 64-bit key — problematic. But the answer is simple: you double the key length to AES-256, and the matter is settled. Symmetric cryptography is therefore repairable; asymmetric cryptography is not. This is exactly where the real crisis lies.

How Near Is "Q-Day"?

When will a quantum computer exist that is large enough to break RSA-2048? This hypothetical day is called "Q-Day" in the jargon, and dating it is the field's most contested question. For a long time the estimate held that you would need around 20 million physical qubits — far beyond today's machines, which lie in the range of hundreds to a few thousand.

But the estimates are in motion, and in the wrong direction. Several papers published between May 2025 and early 2026 have lowered the estimated resource requirement for breaking RSA-2048 from around 20 million to under one million, and in newer architectures possibly into the range of 100,000 qubits. Such algorithmic efficiency gains move the threat closer without the hardware having to improve at all.

I am of the view that any concrete year for Q-Day is unserious — the only serious estimates are those of others, which one can cite as a range. In the public debate this range runs from "around 2030" to "after 2035 or considerably later." What matters, though, is not the exact date but a simple inequality that explains the whole drama in the next part.


Part 2: "Harvest Now, Decrypt Later" — Why the Clock Is Already Running

The Mosca Inequality

The cryptographer Michele Mosca cast the problem into a rule of thumb that every decision-maker should understand. Add two time spans:

  • X = how long your data must remain secret (the "protection horizon").
  • Y = how long your organization needs to migrate to quantum-safe methods (the "migration duration").

If the sum X + Y is greater than the time until Q-Day (Z), then you already have a problem. Data that you encrypt today must stay secret for X years, and until the migration is complete after Y years you keep producing such data with the old methods; all of it falls into the dangerous window as soon as the quantum computer arrives before X + Y has elapsed.

The subtle, often overlooked point: what counts is not when Q-Day comes, but when it comes relative to your protection horizon plus your migration duration. A bank whose customer data must stay confidential for 30 years, and whose IT migration realistically takes five years, has a problem even if Q-Day arrives only in 2045. The data it protects today must outlast an attacker who strikes only two decades from now.
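The bank example generalizes to a whole portfolio of data classes evaluated against a range of Q-Day estimates. The following calculator is an added example, not a tool from the article; the data classes, years and Q-Day estimates in it are constructed for illustration.

```python
"""Mosca's inequality as a small planning calculator.  Added example for
this article, not from the text; the data classes, years and Q-Day estimates
are constructed.
  X = protection horizon (years), Y = migration duration (years),
  Z = years until Q-Day.  Trouble if X + Y > Z."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataClass:
    name: str
    protection_years: int   # X: how long this data must stay secret
    migration_years: int    # Y: how long moving its systems to PQC takes


def at_risk(d: DataClass, years_until_qday: int) -> bool:
    """Mosca: X + Y > Z means data encrypted today is exposed after Q-Day."""
    return d.protection_years + d.migration_years > years_until_qday


def latest_migration_start(d: DataClass, qday_year: int) -> int:
    """Last year the migration may start so that everything encrypted with the
    old algorithms before it finishes is no longer sensitive at Q-Day."""
    return qday_year - d.protection_years - d.migration_years


def assess(d: DataClass, today: int, qday_year: int) -> dict:
    start = latest_migration_start(d, qday_year)
    return {
        "at_risk": at_risk(d, qday_year - today),
        "latest_start": start,
        "years_late": max(0, today - start),   # 0 means there is still slack
    }


def portfolio_report(portfolio, today: int, qday_estimates) -> dict:
    """Evaluate every data class against every Q-Day estimate, because the
    date itself is uncertain (the article cites a range from 2030 to 2035+)."""
    return {d.name: {q: assess(d, today, q) for q in qday_estimates} for d in portfolio}


if __name__ == "__main__":
    # Constructed portfolio; the bank row mirrors the article's 30-year / 5-year case.
    portfolio = [
        DataClass("bank customer data", 30, 5),
        DataClass("health records", 50, 6),
        DataClass("internal chat archive", 5, 3),
        DataClass("public web analytics", 1, 2),
    ]
    for name, by_year in portfolio_report(portfolio, 2026, (2030, 2035, 2045)).items():
        print(name)
        for q, r in by_year.items():
            print(f"  Q-Day {q}: at risk={r['at_risk']}, "
                  f"latest start {r['latest_start']}, years late {r['years_late']}")
```

With today = 2026, the bank row is late by 16 years even for a Q-Day in 2045, which is the article's point: the date of Q-Day matters only relative to X + Y.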

The Theft That Is Happening Today

This is exactly why "harvest now, decrypt later" (HNDL) is not a distant worry but a present one. NIST states unmistakably in its transition guidance: encrypted data remains at risk because attackers capture it today in order to decrypt it as soon as quantum technology is ready. Several Western intelligence services have warned that adversaries are already exfiltrating encrypted data on an industrial scale — betting that decryption will become possible within a decade.

A working-paper analysis by the U.S. Federal Reserve (2025) likewise examines HNDL as a serious, time-dependent threat model for the financial system. The threat is therefore no longer the stuff of conference slides but a subject of macroeconomic risk assessment.

The cynical elegance of HNDL lies in the fact that the victim notices nothing. A classical data theft is eventually discovered; stolen plaintext surfaces on the dark web. Stolen encrypted data, by contrast, is invisible — it sits in an archive and waits. The victim learns of the damage only when it is too late to prevent it. For secrets with a long half-life, this is the most dangerous conceivable constellation.


Part 3: The Solution — Cryptography That Quantum Computers Cannot Crack

The Basic Idea: Different Mathematical Problems

Post-quantum cryptography (also quantum-resistant or quantum-safe cryptography) is not an exotic quantum technology. It runs on perfectly ordinary, classical computers — on your laptop, your smartphone, your server. The trick lies not in new hardware but in new mathematics.

The idea is strikingly simple: if Shor's algorithm exploits precisely the structure of factoring and the discrete logarithm, then build cryptography on mathematical problems that do not possess this structure. Problems against which even a quantum computer has no known efficient algorithm.

Lattices: The Load-Bearing Foundation

The most important of these problem classes is lattice-based cryptography. A lattice is a regular, infinite grid of points in a high-dimensional space — picture graph paper, but in 500 or 1,000 dimensions instead of two. The underlying hard problems are, for instance: "find the shortest vector in this lattice" (the Shortest Vector Problem) or the related Learning-with-Errors problem (LWE), in which you are to reconstruct the hidden solution from linear equations deliberately falsified with a small amount of noise.

What makes these problems so valuable: first, they lack the periodic structure that Shor's algorithm requires — no efficient quantum attack against them is so far known. Second, and this is cryptographic gold, the security of LWE can be reduced to the worst case of lattice problems: an attacker would have to break not just one concrete instance, but the general hardness of the problem. This "worst-case-to-average-case reduction" is a strength that only a few cryptographic constructions can claim (Sectigo, QRAMM).
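An added toy illustration (not from the article or from any standard, with tiny and deliberately insecure parameters chosen only for readability): Regev-style LWE encryption of single bits in Python, plus the same equations without the error term solved by Gaussian elimination mod q. It shows both facts above in code: decryption works because the accumulated noise stays below q/4, and removing the noise turns the "hard" problem back into ordinary linear algebra.

```python
"""Toy Learning-with-Errors encryption.  Added example for this article, not
from the text or any standard; ML-KEM builds on the same idea with structured
lattices and carefully chosen parameters.  The parameters here are tiny and
NOT secure; they exist to show (1) decryption works because the noise stays
below q/4, and (2) without noise the secret falls to Gaussian elimination."""
import random

Q = 3329   # modulus (the prime ML-KEM uses; any prime works for this toy)
N = 32     # dimension of the secret vector s
M = 128    # number of noisy equations published as the public key


def keygen(rng: random.Random):
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]          # small error term
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s                                          # public key, secret key


def encrypt_bit(pk, bit: int, rng: random.Random):
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]                  # random 0/1 subset of equations
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct) -> int:
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q            # = r.e + bit*q/2, |r.e| <= M < Q/4
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def solve_noiseless(A, b):
    """Gauss-Jordan elimination mod Q: solves b = A.s exactly when there is no noise."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(N):
        piv = next(i for i in range(col, M) if rows[i][col] % Q)
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)
        rows[col] = [x * inv % Q for x in rows[col]]
        for i in range(M):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[col])]
    return [rows[i][N] for i in range(N)]


def roundtrip(bits, seed=1):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return [decrypt_bit(sk, encrypt_bit(pk, bit, rng)) for bit in bits]


def linear_algebra_attack(seed=1):
    """Elimination recovers s from the noise-free equations but not from the
    real public key.  Returns (recovered_without_noise, recovered_with_noise)."""
    rng = random.Random(seed)
    (A, b), s = keygen(rng)
    b_clean = [sum(a * x for a, x in zip(row, s)) % Q for row in A]
    return solve_noiseless(A, b_clean) == s, solve_noiseless(A, b) == s


if __name__ == "__main__":
    print("roundtrip:", roundtrip([1, 0, 1, 1, 0, 0, 1, 0]))
    print("(no noise, with noise) recovered:", linear_algebra_attack())
```

The decryption bound is worth checking by hand: r has at most M = 128 ones and each error entry is at most 1 in magnitude, so |r·e| ≤ 128 while Q/4 ≈ 832, which is why the rounding in `decrypt_bit` never flips a bit.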

Lattices are not the only family. There are also hash-based methods (whose security rests solely on the robustness of hash functions — an extremely conservative, well-understood assumption) and code-based methods (relying on the difficulty of decoding error-laden codes). Each family is its own mathematical bet — and smart standardization deliberately does not bet everything on one card.


Part 4: The NIST Standards — the New Foundation of the Internet

An Eight-Year Competition

So that not every organization invents its own, possibly flawed quantum-safe crypto, a binding, thoroughly vetted standard was needed. This task was taken on by the U.S. National Institute of Standards and Technology (NIST) — the same institution that once standardized AES. In 2016, NIST launched an open, worldwide competition. Cryptographers from around the world submitted candidates and attacked one another's proposals — several promising methods were spectacularly broken over the course of the process, which only underscores the value of the public competition.

On August 13, 2024, NIST published the first three finalized standards — the conclusion of an eight-year process and a milestone for IT security (NIST).

The Three (and More) Standards at a Glance

Standard                 | Algorithm (origin)          | Purpose                          | Distinctive feature
-------------------------|-----------------------------|----------------------------------|--------------------------------------------------
FIPS 203                 | ML-KEM (CRYSTALS-Kyber)     | Key encapsulation / key exchange | The main standard for general encryption; replaces RSA/ECDH for key exchange. Lattice-based.
FIPS 204                 | ML-DSA (CRYSTALS-Dilithium) | Digital signatures               | The primary signature standard. Lattice-based.
FIPS 205                 | SLH-DSA (SPHINCS+)          | Digital signatures               | Hash-based — the "insurance policy." Would remain secure even if lattice methods surprisingly fall.
FIPS 206 (draft)         | FN-DSA (FALCON)             | Digital signatures               | More compact lattice-based signatures; announced as a draft.
HQC (in standardization) | HQC                         | Key encapsulation (backup)       | Chosen in March 2025 as the fifth algorithm; different mathematics (code-based) than ML-KEM.

One central design principle leaps out: diversification. NIST did not crown a single winner but deliberately standardized methods of different mathematical origin. The signature world gets two independent pillars with ML-DSA (lattice) and SLH-DSA (hash). And for key encapsulation, NIST additionally chose HQC in March 2025 as a reserve — expressly because it rests on different mathematics than ML-KEM and could thus step in should a weakness ever be discovered in the lattice methods (NIST, 2025). The draft of the HQC standard is expected about a year after the selection, with finalization around 2027.

This logic — different independent pillars, so that the collapse of one pillar does not bring down the roof — is the same thinking in redundancy and independent points of failure that characterizes good architecture everywhere.

The Price: Larger Keys

Quantum safety is not free. ML-KEM works with public keys of roughly 800 to 1,568 bytes and ciphertexts of similar size — compared with the compact keys of elliptic curves (often only 32–64 bytes), that is considerably more data volume per handshake. For a single connection this is negligible; but for systems with billions of connections, for embedded devices with scarce memory, or for protocols with tight packet limits, it can become a genuine engineering challenge. Quantum safety is bought with bandwidth and compute time — a trade that almost always pays off, but that wants to be deliberately planned.


Part 5: It Is Already Happening — PQC in the Field

Perhaps the most compelling proof that PQC is not a thing of the future: large providers have long since rolled it out — often before the NIST standards were even final.

Example 1: Apple's iMessage with PQ3

In February 2024, Apple introduced the PQ3 protocol for iMessage. Apple calls it "Level 3" security — the highest level, because the post-quantum cryptography protects not only the initial key exchange but also the continuous renewal of keys during an ongoing conversation (Apple Security Research). For this, PQ3 combines a post-quantum-secure key exchange with several continuous "ratchets" that make the system self-healing against key compromise. The stated goal is expressly protection against "harvest now, decrypt later." Here a mass-market product with over a billion users defends itself proactively against an attacker that does not yet exist today.

Example 2: Signal's PQXDH

The messenger Signal supplemented its proven X3DH handshake protocol with a post-quantum component (based on Kyber) and called the result PQXDH. It reaches "Level 2": the initial key exchange is quantum-safe. The step shows how the transition usually plays out in practice — not as a big break, but as a hybridization of an established, familiar protocol.

Example 3: Cloudflare and the Post-Quantum Internet

Perhaps most impressive is the infrastructure level. Cloudflare, which handles a substantial portion of global web traffic, has rolled out a hybrid key exchange that combines ML-KEM (quantum-safe) with X25519 (classical) to secure TLS 1.3 connections. As early as the end of 2024, a double-digit percentage of TLS connections to Cloudflare were post-quantum-secured — a share that has continued to rise since (Cloudflare).

The Pattern: Hybrid Instead of Break

The same word appears in all three examples: hybrid. You do not throw away the old cryptography but combine it with the new, so that an attacker would have to break both methods at once. There are two reasons for this. First, the new PQC methods are younger and less battle-tested than RSA, which has been attacked for decades — should a weakness surprisingly show up in ML-KEM, the classical half keeps the protection up. Second, the post-quantum half alone immediately protects against HNDL, without having to give up trust in the proven classical crypto. Hybrid is the engineering-mature, low-risk bridge from the old world into the new.
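An added example of the combiner behind such a hybrid handshake (not Cloudflare's, Apple's or Signal's code, and not the literal TLS 1.3 key schedule): it assumes the two shared secrets have already been produced by X25519 and by ML-KEM respectively, takes them as byte strings, and derives the session key from their concatenation with an HKDF keyed by the handshake transcript. Because both secrets enter a single key derivation, knowing one of them reveals nothing about the output.

```python
"""Hybrid key-exchange combiner.  Added example for this article; not the
code of any provider named in the text and not the exact TLS 1.3 key schedule.
Assumes two shared secrets already exist:
  ss_classical  e.g. the X25519 result
  ss_pq         e.g. the ML-KEM decapsulation result
Both are constructed byte strings here.  The session key is
HKDF(ss_classical || ss_pq) with the transcript hash as salt, so an attacker
who recovers only one of the two secrets cannot derive it."""
import hashlib
import hmac

SECRET_LEN = 32   # fixed input lengths keep the concatenation unambiguous


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes, length: int = 32) -> bytes:
    """Concatenation combiner: both secrets feed one KDF; the transcript hash
    binds the derived key to this particular handshake."""
    if len(ss_classical) != SECRET_LEN or len(ss_pq) != SECRET_LEN:
        raise ValueError("shared secrets must be exactly SECRET_LEN bytes")
    salt = hashlib.sha256(transcript).digest()
    prk = hkdf_extract(salt, ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid key exchange example", length)


def traffic_keys(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> dict:
    """Derive separate client/server keys from the combined secret, as a
    handshake would, so neither direction reuses the other's key."""
    master = combine(ss_classical, ss_pq, transcript)
    return {
        "client": hkdf_expand(master, b"client traffic", 32),
        "server": hkdf_expand(master, b"server traffic", 32),
    }


if __name__ == "__main__":
    # Constructed stand-ins for the two shared secrets and the transcript.
    ss_x25519 = bytes(range(32))
    ss_mlkem = bytes(range(32, 64))
    transcript = b"ClientHello||ServerHello (constructed)"
    keys = traffic_keys(ss_x25519, ss_mlkem, transcript)
    print("client key:", keys["client"].hex())
    print("server key:", keys["server"].hex())
```

The check a reviewer would want is that the derived key depends on every input: changing either shared secret or the transcript yields an unrelated key, and a secret of the wrong length is rejected rather than silently padded.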


Part 6: The Migration — Why That Is the Real Challenge

Having the algorithms is one thing. Building them into grown IT landscapes is another — and incomparably harder.

The Inventory Problem: You Cannot Protect What You Do Not Know

Cryptography is everywhere, mostly buried deep and invisible: in TLS libraries, in VPNs, in code signatures, in smart cards, in IoT firmware, in database encryption, in PKI certificates, in old applications whose source code no one understands anymore. The very first, often underestimated step of any PQC migration is therefore a cryptographic inventory (a "Cryptographic Bill of Materials," CBOM): a systematic stocktaking of where at all which cryptographic methods are in use. Many organizations discover to their horror in the process that they simply do not know.

Crypto-Agility: The Real Lesson

From the painfulness of this migration follows a deeper architectural lesson that points beyond PQC: crypto-agility. By this is meant a system's ability to swap out cryptographic methods without having to rewrite the application — algorithms as configurable, exchangeable building blocks rather than as firmly cemented assumptions. The present pain of many organizations stems precisely from the fact that RSA and ECC were hard-wired decades ago, on the silent assumption that they would last forever. If you take only one lesson from the PQC migration, it should be this: never treat the algorithm in use as a constant, but always as an exchangeable parameter. I am of the view that this is the most valuable and most durable insight of the entire quantum upheaval — more valuable than any single algorithm, because it already plans for the next crisis.

The Regulatory Clock

The migration is no longer a voluntary extra but increasingly an obligation with fixed deadlines. Under the NIST transition guidance, RSA-2048 and ECC P-256 — by far the most widespread public-key methods — are slated for deprecation by 2030: after that, they are no longer to be used in new applications. By 2035, all quantum-vulnerable public-key methods are to become formally disallowed, regardless of key length. The U.S. government has committed its agencies to migrate by 2035; comparable roadmaps are emerging in Europe and the United Kingdom. Anyone building new systems today that are meant to run for ten or twenty years is therefore already building into a regulatory framework that forbids quantum-vulnerable crypto at the end of its lifespan.
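The inventory from Part 6 and these deadlines belong together: a cryptographic bill of materials becomes actionable only once each finding is mapped to the timeline. The following triage script is an added example, not from the article or any inventory tool; the CryptoUse records are constructed, and the "X25519+ML-KEM-768" notation for a hybrid suite is an assumption of this script.

```python
"""Cryptographic inventory (CBOM) triage.  Added example for this article;
not from the text or from any tool, and the records are constructed.  It maps
each finding to the transition timeline the article describes: quantum-
vulnerable public-key algorithms deprecated 2030 and disallowed 2035,
symmetric keys judged by Grover's halving, hybrid and PQC suites protected."""
from dataclasses import dataclass

QUANTUM_VULNERABLE_PK = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA", "HQC")
DEPRECATED, DISALLOWED = 2030, 2035


@dataclass(frozen=True)
class CryptoUse:
    component: str   # where the inventory found it
    algorithm: str   # "RSA", "AES", or "X25519+ML-KEM-768" for a hybrid (assumed notation)
    key_bits: int
    purpose: str     # key-exchange, signature, bulk-encryption


def is_pqc(name: str) -> bool:
    return name.upper().startswith(PQC_PREFIXES)


def is_vulnerable_pk(name: str) -> bool:
    return name.upper().split("-")[0] in QUANTUM_VULNERABLE_PK


def classify(use: CryptoUse) -> dict:
    parts = [p.strip() for p in use.algorithm.split("+")]   # "+" joins the halves of a hybrid
    pqc = any(is_pqc(p) for p in parts)
    vuln = any(is_vulnerable_pk(p) for p in parts)
    if pqc and vuln:
        return {"status": "hybrid", "deadline": None, "action": "protected against HNDL; keep"}
    if pqc:
        return {"status": "quantum-safe", "deadline": None, "action": "none"}
    if vuln:
        return {"status": "quantum-vulnerable", "deadline": DEPRECATED,
                "action": f"move to hybrid or PQC; deprecated {DEPRECATED}, disallowed {DISALLOWED}"}
    if parts[0].upper().startswith("AES"):
        if use.key_bits >= 256:
            return {"status": "quantum-safe", "deadline": None, "action": "none"}
        return {"status": "weakened-by-grover", "deadline": None,
                "action": "Grover halves effective strength; move to AES-256"}
    return {"status": "unknown", "deadline": None,
            "action": "inventory gap: identify the algorithm first"}


def triage(inventory, today: int) -> list:
    """Classify every record and order by urgency (earliest deadline first)."""
    rows = []
    for use in inventory:
        c = classify(use)
        rows.append({"component": use.component, "algorithm": use.algorithm, **c,
                     "years_left": None if c["deadline"] is None else c["deadline"] - today})
    return sorted(rows, key=lambda r: (r["deadline"] or 9999, r["component"]))


CONSTRUCTED_INVENTORY = [
    CryptoUse("public web TLS", "X25519+ML-KEM-768", 0, "key-exchange"),
    CryptoUse("internal API mTLS", "RSA", 2048, "key-exchange"),
    CryptoUse("code signing", "ECDSA", 256, "signature"),
    CryptoUse("disk encryption", "AES", 128, "bulk-encryption"),
    CryptoUse("backup archive", "AES", 256, "bulk-encryption"),
    CryptoUse("firmware signing", "SLH-DSA", 0, "signature"),
    CryptoUse("legacy ERP", "unknown", 0, "bulk-encryption"),
]

if __name__ == "__main__":
    for r in triage(CONSTRUCTED_INVENTORY, 2026):
        left = "" if r["years_left"] is None else f" ({r['years_left']} years to deprecation)"
        print(f"{r['component']:18} {r['algorithm']:18} {r['status']:20} {r['action']}{left}")
```

The "unknown" row is the one to watch: it is the inventory gap the article describes, and no deadline can be attached to it until someone finds out what the legacy component actually uses.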

This deadline logic — rigid requirements to which practice must align — is a classic compliance topic that closely interlocks the technical and legal worlds.


Part 7: What Does Not Help — and a Common Misconception

Two things are important for soberly assessing the situation.

First: quantum cryptography is not the same as post-quantum cryptography. There exists a related but fundamentally different field — Quantum Key Distribution (QKD), which uses quantum-physical effects to exchange keys whose eavesdropping in principle becomes noticeable. QKD is fascinating but expensive, tied to special hardware and short distances, and unsuitable for the breadth of the internet. The practical answer to the quantum threat is therefore not QKD but PQC: classical software mathematics that runs everywhere. (The physical foundations on which QKD and the whole quantum computer rest — superposition and entanglement — are described in detail in the linked article on spooky action at a distance.)

Second: more classical bits do not help. A common misconception is that you just have to make RSA "longer" — RSA-4096 or RSA-8192. This is a fallacy. Shor's algorithm scales so favorably that doubling the key length holds off the quantum computer only marginally. Against a structural attack, no quantitative increase of the same structure helps, only a different mathematical foundation. That is exactly the point of PQC.


Part 8: The Honest Reckoning — Residual Risks and Open Questions

It would be dishonest to sell PQC as a finished, worry-free solution.

The new methods are comparatively young. RSA was attacked for over four decades by the whole world and held; ML-KEM and ML-DSA have an intense but shorter barrage behind them. That several serious candidates were surprisingly broken during the NIST competition is both reassuring (the process works) and admonishing (security is never finally proven, only so far unrefuted). The diversification strategy — lattice and hash and code — is the direct answer to this residual risk.

In addition there are implementation risks. The mathematics may be secure, but a faulty implementation opens side channels (for instance via timing differences) through which keys leak. The larger keys and the higher compute effort pose real problems especially for embedded and resource-poor systems.

And finally, the uncertainty about Q-Day itself remains. Perhaps the cryptographically relevant quantum computer arrives only in twenty years — perhaps never in the feared form. But here Mosca's logic applies again: because of the HNDL threat and the long migration duration, waiting is not a neutral option but an active bet against your own data. The asymmetry of the consequences is clear — the costs of acting too early are manageable (a little bandwidth, a little project effort), the costs of acting too late potentially catastrophic and no longer correctable.


The Central Takeaway

The quantum threat to cryptography is real, mathematically well understood, and unambiguous in its mechanics: Shor's algorithm breaks the asymmetric cryptography (RSA, ECC) on which the trust of the entire internet rests. The solution stands ready — post-quantum cryptography, which is founded on different kinds of mathematical problems (above all lattices), runs on normal hardware, and has been bindingly codified since August 2024 in the NIST standards FIPS 203, 204, and 205, supplemented by reserve methods like HQC.

The truly urgent thing, however, is not the distant arrival of the quantum computer, but the present threat of "harvest now, decrypt later": data stolen and archived today falls as soon as Q-Day arrives. The Mosca inequality X + Y > Z makes clear that organizations with long-lived secrets must act already now — not despite, but because of, the uncertainty about the exact date.

The deepest lesson, reaching beyond the quantum question, is called crypto-agility: never treat cryptographic methods as eternal constants, but as exchangeable parameters. Today's migration pain is the bill for assumptions cemented yesterday — and the best precaution against the next crisis, still unknown today.

A concrete prompt to act on this week: For a system you are responsible for, ask three questions. First: How long must the data in this system remain secret? (That is your X.) Second: Do I even know which cryptographic methods are in use here? (If not, you have just identified your first, most important migration step: the inventory.) Third: Could I swap out the encryption algorithm without rewriting the application? If the answer is "no," you now know your true long-term vulnerability — and it is not called "quantum computer" but "missing crypto-agility."

A reflection question: Which of your currently encrypted data would still be sensitive enough in ten or twenty years to make the waiting worthwhile for a patient attacker — and are you already protecting it today as if the master key were already lying in a stranger's drawer?


Cross-References in the Vault

  • Spooky Action at a Distance: Quantum Entanglement from Einstein to the Quantum Internet – The physical foundations (superposition, entanglement) from which both the threatening quantum computer and Quantum Key Distribution arise in the first place; the bedrock beneath this entire article.
  • The Logbook of Truth: Understanding Event Sourcing and CQRS – There, the problem of immutable data and the GDPR "right to be forgotten"; here, the flip side: data that remains readable too long. In both cases, the half-life of information is the central design variable.
  • Ist die Cloud valide – Trust in foreign infrastructure and the weighing of benefit against risk; PQC migration is exactly such a strategic trade-off under uncertainty.
  • Der Wettlauf mit der (um die) KI – A related race against an accelerating technology; there too, algorithmic breakthroughs shift the timelines faster than expected.

Sources and Further Reading


Created as part of the daily learning workflow. Field of interest: IT Security. Estimated reading time: ~30 minutes.
