Harvest now, decrypt later: why post-quantum encryption is a today problem

Most conversations about quantum computing and encryption start in the wrong place. They ask when a quantum computer will be able to break today's encryption — and then, reassured that the answer is "not yet," move on. That is the wrong question, because it assumes the threat begins on the day the machine arrives. It does not. For any data with a long sensitivity horizon, the threat has already begun.

The reason is a strategy with an unglamorous, accurate name: harvest now, decrypt later.

The attack that does not need a quantum computer yet

Harvest now, decrypt later (HNDL) is exactly what it sounds like. An adversary captures encrypted traffic or exfiltrates encrypted data today, while it cannot read it, and simply stores it. It waits. When a cryptographically relevant quantum computer becomes available — whenever that is — it decrypts the archive in bulk.

The strategy works because most of today's encryption in transit relies on public-key methods (such as RSA and elliptic-curve key exchange) whose security rests on mathematical problems a sufficiently capable quantum computer is expected to solve efficiently. The symmetric encryption that protects data at rest is far more resilient, but the keys protecting it are often exchanged using exactly those vulnerable public-key methods.

The uncomfortable implication: the secrecy of data you transmit today is only guaranteed until the math changes. If your adversary is patient and your data stays sensitive, "we'll upgrade when quantum arrives" is already too late — the ciphertext they need is already in their possession.

Whose data this actually threatens

HNDL is not a universal emergency. For data with a short shelf life — a session token, a one-day price quote — it is irrelevant; by the time it could be decrypted, it is worthless. The risk is a function of one variable: how long your data must stay secret.

That variable is exactly where institutional data sits at the dangerous end:

• Investment strategy and positions. A fund's factor weights and rebalancing logic define its edge for years.
• Health records. Protected health information is sensitive for a lifetime, and the obligation to protect it does not expire.
• M&A and corporate strategy. Deal models, target lists, and negotiating positions retain market-moving sensitivity long after a transaction.
• State and defense information. Sensitivity horizons here are measured in decades.

If your data has a multi-year — or multi-decade — secrecy requirement, HNDL is not a future problem with a delayed reveal. It is a present problem whose consequences are simply scheduled to land later.

What post-quantum cryptography changes

The defense is post-quantum cryptography (PQC) — encryption algorithms designed to resist attack by both classical and quantum computers. In 2024 the U.S. National Institute of Standards and Technology (NIST) finalized the first standards, including ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures. These are not experimental; they are standardized primitives that organizations can deploy now.

Deploying them closes the HNDL window prospectively. Data exchanged under post-quantum key encapsulation today cannot be harvested-and-later-decrypted by a future quantum computer, because the key exchange protecting it was never vulnerable to that machine in the first place. The sooner the switch happens, the smaller the archive of "decrypt later" material an adversary can build.

The catch is migration. Most systems were not designed for these algorithms, and retrofitting transport security across a real estate of applications is genuine work. The organizations that treat it as a today problem — rather than a someday upgrade — are the ones whose long-sensitivity data will still be protected when the math changes.

Where this fits in a confidentiality architecture

Post-quantum transport is necessary, but on its own it protects data only while it moves. The harder question is what happens to data while it is being used — decrypted in memory, processed by a model, dispatched to a service. Encryption in transit and at rest does nothing during that window.

A complete answer pairs post-quantum transport with confidential computing: processing the data inside attested, hardware-isolated environments so it is never exposed in plaintext to the infrastructure or the operator. That is the architecture across the ArcaKey platform — the transport layer between your browser and our enclaves uses ML-KEM-768 and ML-DSA-65 today, not on a roadmap, and the data inside is decrypted only within attested hardware you can verify. Every action is recorded in a dual-signed audit chain, one of those signatures itself post-quantum.

For data with a long sensitivity horizon — fund strategy, health records, deal models — that combination is the point. The protection you put in place today should still hold when the cryptography around you is rewritten.

If post-quantum posture is part of your due diligence, our continuous monitoring product reports on the cryptographic and attestation state of your stack in cryptographically signed reports you can hand to a regulator — and the same architecture underpins ArcaQ, our confidential quantum optimization product. We are glad to walk through any of it.