build 3.0.0 · aes-256-gcm / post-quantum · eu/de · ram only
Active threat

Harvest Now, Decrypt Later

Nation-states are collecting encrypted traffic today — medical records, legal documents, financial transfers — to decrypt once quantum computers arrive. The breach is not in the future. It happened when your data was intercepted.

How it works

An adversary taps a backbone connection, records the ciphertext, and stores it. No decryption is attempted now. The data sits in an archive and waits. When a cryptographically relevant quantum computer (CRQC) becomes available, Shor's algorithm breaks the key exchange retroactively — and the archive opens.

Estimates for Q-Day range from 5 to 15 years depending on the source, though some researchers place it closer. Google's March 2026 research accelerated timelines: on March 25, Google shortened its own post-quantum migration deadline to 2029, and on March 31, Google published research showing elliptic curve cryptography can be broken with twenty times fewer qubits than previously estimated. Cloudflare followed with its own 2029 deadline. The research is cryptography news, not cryptocurrency news, though coin wallets are the most visible casualty in press coverage. What the finding actually threatens is the elliptic curve mathematics underneath TLS, SSH, email encryption, file transfer, and digital signatures across the internet.

The NSA's CNSA 2.0 guidance (September 2022) states that organizations should stop using RSA and elliptic-curve for any data that must remain confidential beyond approximately five years.

The window is already open. Every year of delay extends the archive of retroactively decryptable data.

Now

Harvest (active)

State actors tap internet backbone connections and archive encrypted traffic. TLS sessions, VPN tunnels, encrypted email — anything protected by RSA or elliptic-curve key exchange is recorded for future processing.

2026–2028

Preparation

Quantum hardware becomes operationally viable. First CRQCs appear in classified environments. NIST FIPS 203/204/205 are finalized — migration becomes legally required under NIS2, DORA, and national frameworks.

2029–2031

Decrypt Later (Q-Day)

A CRQC with sufficient qubit count breaks RSA-2048 in hours. The archived traffic from the preceding decade becomes readable. Healthcare records, diplomatic communications, financial transfers — exposed retroactively.

Who is at risk

HNDL targets long-lived sensitive data — not casual messages. The selection criterion is simple: anything that is worth reading in five to ten years.

Healthcare records carry a lifetime confidentiality obligation. Legal documents — attorney-client correspondence, notarial deeds, criminal cases in preparation — can be used retroactively to undermine proceedings that have not yet occurred. Financial data including M&A documents, trade secrets, and pension transfers represents a primary target for state-sponsored economic espionage. Industrial OT environments and critical infrastructure face a separate risk: control system configurations and firmware rarely change, making archived data indefinitely useful to an adversary.

The common factor is not sensitivity today — it is sensitivity at Q-Day. If the data would still matter in ten years, it is a valid harvest target now.

A note on crypto terminology

The word "crypto" has two meanings in 2026. In financial news it refers to cryptocurrency. In security it refers to cryptography, the mathematics behind encryption and digital signatures. Paramant is a cryptography product. No coins, no wallets, no tokens, no blockchain. This page uses "crypto" only as shorthand for cryptography.

The Google March 2026 research does affect cryptocurrency wallets because Bitcoin, Ethereum, and most blockchains use ECDSA signatures that depend on the same elliptic curve mathematics. But the finding is much bigger than coins. It threatens the key exchange in TLS, the authentication in SSH, the signatures in code distribution, and the digital signatures in most file transfer products. Paramant addresses this by using ML-KEM-768 and ML-DSA-65 for its key exchange and signatures, neither of which is affected by Shor's algorithm or the Google finding.

Why standard encryption fails

AES-256 is not the problem. Symmetric encryption is unaffected by Shor's algorithm and remains quantum-safe. The failure is in key exchange.

RSA and elliptic-curve Diffie-Hellman derive their security from the hardness of integer factorization and the discrete logarithm problem. Shor's algorithm solves both in polynomial time on a quantum computer. An adversary who records an RSA- or ECDH-protected session today can recover the session key after Q-Day and decrypt the contents — even if the private key was discarded years earlier.

NIST finalized ML-KEM (FIPS 203) in August 2024 specifically to replace vulnerable key exchange mechanisms. The underlying data encryption — AES-256-GCM — stays. Only the key agreement layer changes.

What post-quantum actually means

ML-KEM-768 is a key encapsulation mechanism based on the hardness of the Module Learning With Errors (MLWE) problem. No known quantum algorithm solves MLWE efficiently. An archived ciphertext from a session protected by ML-KEM-768 today remains unreadable after Q-Day — there is no retroactive attack.

ParaShare authenticated transfers use ML-KEM-768 in a hybrid construction: ML-KEM-768 + ECDH P-256 + AES-256-GCM. The shared secret is derived from both key exchanges via HKDF. Breaking ECDH at Q-Day provides no advantage — ML-KEM-768 still protects the session. This hybrid approach is what NIST recommends during the migration period.
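The combiner described above, as an added illustration (not ParaShare's own code): the shared secrets from the two key exchanges are concatenated and fed through HKDF-SHA-256 so that the session key is only recoverable by someone who knows both. The example stands in for ML-KEM-768 and ECDH P-256 with randomly generated 32-byte secrets (no real KEM or curve arithmetic is performed), the salt, the `info` label and the concatenation order are assumptions rather than the product's actual parameters, and the HKDF implementation is checked against RFC 5869 test case 1 so the primitive itself is known-good.

```python
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 output size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869: empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Placeholders for the two key exchanges. In a real handshake ss_kem comes from
# ML-KEM-768 decapsulation and ss_ecdh from an ECDH P-256 scalar multiplication;
# here both are random 32-byte strings (constructed for the example).
def simulate_mlkem768_shared_secret() -> bytes:
    return secrets.token_bytes(32)


def simulate_ecdh_p256_shared_secret() -> bytes:
    return secrets.token_bytes(32)


def derive_hybrid_key(ss_kem: bytes, ss_ecdh: bytes, transcript_hash: bytes) -> bytes:
    """Concatenation combiner (assumed layout): IKM = ss_kem || ss_ecdh.

    The transcript hash is used as the HKDF salt so the key is bound to this
    handshake, and the info label is an assumed context string, not the
    product's real one. Output is a 32-byte AES-256-GCM key.
    """
    if len(ss_kem) != 32 or len(ss_ecdh) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    return hkdf(transcript_hash, ss_kem + ss_ecdh, b"hybrid-kem-example-v1", 32)


def shor_only_attack_succeeds(ss_kem: bytes, ss_ecdh: bytes, transcript_hash: bytes) -> bool:
    """Model an adversary at Q-Day who has recovered ss_ecdh (the ECDH half)
    from the archived transcript but cannot learn ss_kem. With a guessed
    ss_kem the derived key does not match, so the archived session stays
    sealed. Returns True only if the attacker's key equals the real one."""
    real_key = derive_hybrid_key(ss_kem, ss_ecdh, transcript_hash)
    attacker_key = derive_hybrid_key(secrets.token_bytes(32), ss_ecdh, transcript_hash)
    return hmac.compare_digest(real_key, attacker_key)


# RFC 5869 Appendix A test case 1, used to confirm the HKDF code is correct.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    ),
}


def hkdf_self_test() -> bool:
    tc = RFC5869_TC1
    return hkdf(tc["salt"], tc["ikm"], tc["info"], 42) == tc["okm"]


if __name__ == "__main__":
    assert hkdf_self_test()
    th = hashlib.sha256(b"constructed handshake transcript").digest()
    k = derive_hybrid_key(simulate_mlkem768_shared_secret(), simulate_ecdh_p256_shared_secret(), th)
    print("session key:", k.hex())
```

The practical point of the combiner is that a break of either component alone yields nothing: an adversary who recovers the ECDH secret with Shor's algorithm still lacks the ML-KEM secret, and the HKDF output is indistinguishable from random to them.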

NSA CNSA 2.0 — September 2022

"Organizations should avoid using public-key cryptography based on RSA or elliptic curve for all sensitive data with a secrecy requirement extending beyond approximately five years."

CISA, NCSC-UK, and the BSI issue the same guidance: begin migration now. Waiting for Q-Day means the archive is already complete. NSA CNSA 2.0 (PDF) →

Why storage matters too

Post-quantum key exchange eliminates the retroactive decryption risk for data in transit. But data at rest creates a different attack surface: court orders, server breaches, and insider access can all expose stored ciphertext regardless of how well it was encrypted during transmission.

Paramant removes the storage target entirely. Encrypted blobs exist in RAM only. After the first read, the memory is overwritten with zeros. There is nothing to seize, no archive to subpoena, no breach surface to compromise. A relay that holds no data cannot be compelled to produce it.
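A minimal in-memory, single-read relay written for this page (not Paramant's own code) shows the behaviour the paragraph describes: a blob is stored only in a mutable buffer, the first fetch removes it and zero-fills the buffer in place, and any later fetch finds nothing. The token format, the time-to-live sweep and the class shape are assumptions. One caveat a practitioner would want stated: in a garbage-collected language the wipe is best-effort, because immutable `bytes` copies handed to the caller or created by the runtime cannot be zeroed from here; a production relay would do this in a language with an explicit secure-zeroing primitive.

```python
import secrets
import threading
import time
from typing import Optional


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer with zeros in place."""
    buf[:] = bytes(len(buf))


class OneReadRelay:
    """Holds ciphertext blobs in process memory only.

    Each blob is readable exactly once; the read removes it and zero-fills the
    backing buffer. Blobs that are never read are wiped when their TTL expires.
    """

    def __init__(self, ttl_seconds: float = 3600.0):
        self._ttl = ttl_seconds
        self._blobs: dict[str, tuple[bytearray, float]] = {}
        self._lock = threading.Lock()

    def put(self, ciphertext: bytes) -> str:
        # Copy into a bytearray so the stored bytes can be overwritten later.
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._blobs[token] = (bytearray(ciphertext), time.monotonic() + self._ttl)
        return token

    def take(self, token: str) -> Optional[bytes]:
        """Return the blob once; the second call for the same token returns None."""
        with self._lock:
            entry = self._blobs.pop(token, None)
        if entry is None:
            return None
        buf, expiry = entry
        if time.monotonic() > expiry:
            wipe(buf)
            return None
        out = bytes(buf)  # the caller's copy; the relay keeps nothing
        wipe(buf)
        return out

    def sweep_expired(self, now: Optional[float] = None) -> int:
        """Wipe and drop unread blobs past their TTL; returns how many were wiped."""
        now = time.monotonic() if now is None else now
        with self._lock:
            dead = [t for t, (_, exp) in self._blobs.items() if now > exp]
            for t in dead:
                buf, _ = self._blobs.pop(t)
                wipe(buf)
        return len(dead)

    def held(self) -> int:
        return len(self._blobs)


if __name__ == "__main__":
    relay = OneReadRelay()
    tok = relay.put(b"\x01\x02\x03 constructed AES-GCM ciphertext")
    print("first read :", relay.take(tok))
    print("second read:", relay.take(tok))
    print("held       :", relay.held())
```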

ParaShare authenticated transfers use ML-KEM-768 + AES-256-GCM. Files exist in RAM only, destroyed after one read. No storage, no trace, no target.
