Active threat

Harvest Now, Decrypt Later

Nation-states are collecting encrypted traffic today — medical records, legal documents, financial transfers — to decrypt once quantum computers arrive. The breach is not in the future. It happened when your data was intercepted.

How it works

An adversary taps a backbone connection, records the ciphertext, and stores it. No decryption is attempted now. The data sits in an archive and waits. When a cryptographically relevant quantum computer (CRQC) becomes available, Shor's algorithm recovers the private keys or session secrets from the public key-exchange values that are part of every recorded handshake, and the archive opens.

Estimates for Q-Day range from 5 to 15 years depending on the source, though some researchers place it closer. Google's March 2026 research accelerated timelines; Cloudflare has set an internal deadline of 2029 for completing post-quantum migration across its infrastructure. The NSA's CNSA 2.0 guidance (September 2022) states that organizations should stop using RSA and elliptic-curve cryptography for any data that must remain confidential beyond approximately five years.

The window is already open. Every year of delay extends the archive of retroactively decryptable data.

Now

Harvest (active)

State actors tap internet backbone connections and archive encrypted traffic. TLS sessions, VPN tunnels, encrypted email — anything protected by RSA or elliptic-curve key exchange is recorded for future processing.

2026–2028

Preparation

Quantum hardware becomes operationally viable; on the more aggressive estimates, the first CRQCs appear in classified environments. NIST FIPS 203/204/205, finalized in August 2024, become the reference standards that regulators point to, and migration turns into a compliance requirement under NIS2, DORA, and national frameworks.

2029–2031

Decrypt Later (Q-Day)

A CRQC with sufficient qubit count breaks an RSA-2048 or P-256 key in hours to days. The archived traffic from the preceding decade becomes readable: healthcare records, diplomatic communications, financial transfers, all exposed retroactively.

Who is at risk

HNDL targets long-lived sensitive data — not casual messages. The selection criterion is simple: anything that is worth reading in five to ten years.

Healthcare records carry a lifetime confidentiality obligation. Legal documents — attorney-client correspondence, notarial deeds, criminal cases in preparation — can be used retroactively to undermine proceedings that have not yet occurred. Financial data including M&A documents, trade secrets, and pension transfers represents a primary target for state-sponsored economic espionage. Industrial OT environments and critical infrastructure face a separate risk: control system configurations and firmware rarely change, making archived data indefinitely useful to an adversary.

The common factor is not sensitivity today — it is sensitivity at Q-Day. If the data would still matter in ten years, it is a valid harvest target now.

Why standard encryption fails

AES-256 is not the problem. Shor's algorithm does not apply to symmetric ciphers; the only known quantum speed-up against them is Grover's search, which at best halves the effective key length, and that is precisely why AES-256 rather than AES-128 is the conservative choice. The failure is in key exchange.

RSA and elliptic-curve Diffie-Hellman derive their security from the hardness of integer factorization and the discrete logarithm problem. Shor's algorithm solves both in polynomial time on a quantum computer. An adversary who records an RSA- or ECDH-protected session today can recover the session key after Q-Day and decrypt the contents, because the public values needed for the attack (the RSA modulus, the ephemeral ECDH points) are in the recorded transcript. Discarding the private key years earlier does not help; the private key is exactly what Shor's algorithm reconstructs from the public one.

NIST finalized ML-KEM (FIPS 203) in August 2024 specifically to replace the vulnerable key-exchange step. The data encryption itself, AES-256-GCM, stays; only the key agreement layer changes.

What post-quantum actually means

ML-KEM-768 is a key encapsulation mechanism based on the hardness of the Module Learning With Errors (MLWE) problem; it is the parameter set NIST places in security category 3. No known quantum algorithm solves MLWE efficiently. An archived ciphertext from a session protected by ML-KEM-768 today therefore remains unreadable after Q-Day: there is no known retroactive attack.

Paramant uses ML-KEM-768 in a hybrid construction: ML-KEM-768 + ECDH P-256 + AES-256-GCM. The shared secret is derived from both key exchanges via HKDF, so the session key depends on both inputs. Breaking ECDH at Q-Day provides no advantage; ML-KEM-768 still protects the session. The converse also holds: if a flaw were found in ML-KEM or its implementation, the ECDH half keeps the session at least as secure as classical TLS is today. This is why hybrid key exchange is what BSI and ANSSI recommend for the migration period, why NIST's key-derivation guidance (SP 800-56C Rev. 2) permits combining a post-quantum and a classical shared secret, and why browsers and CDNs deploy it in TLS 1.3 as X25519MLKEM768.
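The hybrid construction described above, as an added worked example. This is not Paramant's code: the message framing, the HKDF label `hkdfInfo` and the choice of a single client-to-server record are assumptions made for illustration, and the input string is a constructed sample. It uses only Go's standard library (crypto/mlkem, crypto/ecdh and crypto/hkdf, all present from Go 1.24). The server publishes a fresh ML-KEM-768 encapsulation key and a P-256 point, the client completes ECDH and encapsulates, both sides feed the two 32-byte shared secrets through HKDF-SHA256 to obtain one AES-256-GCM key, and everything a passive tap could record is kept in a separate Transcript value. The last step plays the Q-Day adversary: it is handed the ECDH shared secret outright, standing in for Shor's algorithm run on the recorded P-256 points, and still cannot open the record because the ML-KEM half of the key-derivation input is unknown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical protocol label, assumed for this example; it binds the derived key to this construction.
const hkdfInfo = "example-hybrid/ML-KEM-768+P-256/AES-256-GCM"

// Transcript is all a passive tap records; the private scalars and the decapsulation key never leave the peers.
type Transcript struct {
	ServerKEMPub, ServerECDHPub  []byte // server hello
	ClientECDHPub, KEMCiphertext []byte // client reply
	Nonce, Sealed                []byte // AES-256-GCM record
}

// must panics on unexpected errors so the protocol flow below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveSessionKey is the combiner: HKDF-SHA256 over ecdhSecret || kemSecret. Both inputs are
// fixed 32-byte strings, so an attacker holding only one half still faces 256 unknown bits of IKM.
func deriveSessionKey(ecdhSecret, kemSecret []byte) []byte {
	ikm := append(append([]byte{}, ecdhSecret...), kemSecret...)
	return must(hkdf.Key(sha256.New, ikm, nil, hkdfInfo, 32))
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) (nonce, sealed []byte) {
	aead := gcm(key)
	nonce = make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail in Go 1.24+
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}

// open fails on tag mismatch, which is exactly how a wrong session key shows up.
func open(key, nonce, sealed []byte) ([]byte, error) {
	return gcm(key).Open(nil, nonce, sealed, nil)
}

type Result struct {
	Decrypted         []byte // what the server recovered
	KeysMatch         bool   // client and server derived the same AES-256 key
	QDayAttackerReads bool   // whether the ECDH-only attacker could decrypt
}

// RunHybridHandshake runs one exchange, then replays the transcript as a Q-Day adversary who has
// broken P-256 (simulated by handing over the ECDH secret) but has no algorithm for MLWE.
func RunHybridHandshake(message []byte) *Result {
	p256 := ecdh.P256()

	// Server hello: fresh ML-KEM-768 key pair and fresh P-256 key pair.
	srvKEM := must(mlkem.GenerateKey768())
	srvECDH := must(p256.GenerateKey(rand.Reader))
	tr := &Transcript{ServerKEMPub: srvKEM.EncapsulationKey().Bytes(),
		ServerECDHPub: srvECDH.PublicKey().Bytes()}

	// Client: ECDH against the server point, encapsulate to the server ML-KEM key, derive, encrypt.
	cliECDH := must(p256.GenerateKey(rand.Reader))
	ecdhC := must(cliECDH.ECDH(must(p256.NewPublicKey(tr.ServerECDHPub))))
	kemC, ct := must(mlkem.NewEncapsulationKey768(tr.ServerKEMPub)).Encapsulate()
	keyC := deriveSessionKey(ecdhC, kemC)
	tr.ClientECDHPub, tr.KEMCiphertext = cliECDH.PublicKey().Bytes(), ct
	tr.Nonce, tr.Sealed = seal(keyC, message)

	// Server: recompute both secrets from the client's reply and decrypt.
	ecdhS := must(srvECDH.ECDH(must(p256.NewPublicKey(tr.ClientECDHPub))))
	kemS := must(srvKEM.Decapsulate(tr.KEMCiphertext))
	keyS := deriveSessionKey(ecdhS, kemS)
	plaintext := must(open(keyS, tr.Nonce, tr.Sealed))

	// Q-Day adversary: transcript plus the ECDH secret; the ML-KEM half can only be guessed.
	guessedKEM := make([]byte, mlkem.SharedKeySize) // any fixed guess; 2^-256 odds of being right
	_, attackErr := open(deriveSessionKey(ecdhC, guessedKEM), tr.Nonce, tr.Sealed)

	return &Result{Decrypted: plaintext, KeysMatch: bytes.Equal(keyC, keyS), QDayAttackerReads: attackErr == nil}
}

func main() {
	r := RunHybridHandshake([]byte("constructed sample: patient record 0042"))
	fmt.Printf("server read %q; keys match: %v; Q-Day attacker reads: %v\n", r.Decrypted, r.KeysMatch, r.QDayAttackerReads)
}
```

Two things the example deliberately leaves out. It does not authenticate the server's public values, so an active attacker could substitute its own keys; that is a different threat from the passive harvest this page is about, and a real protocol covers it with certificates or signatures (ML-DSA, FIPS 204, for the post-quantum case). And it hashes the raw shared secrets only; TLS 1.3's X25519MLKEM768 likewise concatenates the two shared secrets and feeds them into the key schedule, while a protocol that wants the derived key bound to the public values as well would include the transcript (or its hash) in the HKDF input.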

NSA CNSA 2.0 — September 2022

"Organizations should avoid using public-key cryptography based on RSA or elliptic curve for all sensitive data with a secrecy requirement extending beyond approximately five years."

CISA, NCSC-UK, and the BSI issue the same guidance: begin migration now. Waiting for Q-Day means the archive is already complete. Source: NSA CNSA 2.0 (PDF).

Why storage matters too

Post-quantum key exchange eliminates the retroactive decryption risk for data in transit. But data at rest creates a different attack surface: court orders, server breaches, and insider access can all expose stored ciphertext regardless of how well it was encrypted during transmission.

Paramant removes the storage target entirely. Encrypted blobs exist in RAM only. After the first read, the memory is overwritten with zeros. There is nothing to seize, no archive to subpoena, no breach surface to compromise. A relay that holds no data cannot be compelled to produce it.

Paramant uses ML-KEM-768 + ECDH P-256 + AES-256-GCM. Files exist in RAM only, destroyed after one read. No storage, no trace, no target.
