← LearnPost-quantum cryptography

Harvest now, decrypt later: the quantum threat, explained honestly

The urgency isn’t a quantum computer today — it’s that data recorded today can be decrypted the day one arrives.

The threat model, honestly

The public-key cryptography behind most of the internet — RSA and elliptic-curve — depends on math problems a sufficiently large, fault-tolerant quantum computer could solve efficiently using Shor’s algorithm. No machine capable of that exists today, and credible estimates for when one might range widely. This is a planning problem, not an emergency, and anyone selling a “quantum apocalypse next quarter” is selling panic.

The twist that makes it urgent now

Here is why you can’t simply wait. An adversary can capture and store encrypted traffic today and hold it until a capable quantum computer exists — then decrypt it retroactively. This is “harvest now, decrypt later.” It means the relevant question isn’t “is my data safe today?” but “does my data need to stay secret for longer than it takes quantum computing to mature?”

The same logic applies to signatures and provenance: a signature you need to remain trustworthy a decade from now should be made with an algorithm expected to survive that decade.

What’s actually at risk

Long-lived confidential data (health records, financial and legal documents, state secrets) and long-lived integrity guarantees (signed records, audit trails, provenance you expect to verify years later). Ephemeral data that’s worthless once stale is far less exposed to a harvest-now attack.

The measured response

The response is orderly, not frantic: inventory what cryptography you use (a CBOM), prioritize long-lived secrets and signatures, and migrate to the finalized NIST post-quantum standards — using hybrid schemes (a classical algorithm paired with a post-quantum one) during the transition so you’re never worse off than today. It’s a multi-year program, and the first step is simply seeing what you have.

Throndar signs every answer with post-quantum cryptography for exactly this reason: a provenance record should still verify long after the transition.

Verification attests an answer’s origin and integrity, not its factual accuracy. Algorithm names denote the public standards the primitives are based on (ML-DSA-87 / FIPS 204, ML-KEM-1024 / FIPS 203; Falcon / FN-DSA, FIPS 206 forthcoming), not a FIPS-140 / CMVP validation.