Adversaries are harvesting encrypted data today with a singular purpose: to decrypt it tomorrow using quantum computers. This attack strategy, known as a "harvest now, decrypt later" (HNDL) attack, is not theoretical—it's actively happening right now. Organisations worldwide are racing against time to implement post-quantum cryptography before quantum computers mature enough to render current encryption obsolete.
What Is a Harvest Now, Decrypt Later Attack?
In a harvest now, decrypt later attack, adversaries collect and store encrypted communications and data without attempting to decrypt them immediately. Instead, they wait for quantum computers to mature—machines powerful enough to break today's public-key cryptography (RSA, ECC). NIST, the U.S. Department of Homeland Security, and ENISA have all issued formal warnings about this threat vector. The danger is profound: sensitive information encrypted today—trade secrets, medical records, financial data, state secrets—could be exposed years or decades from now if it was captured by an attacker using the HNDL strategy.
Why the Quantum Threat Is Already Active
The quantum threat is not a distant concern. In August 2024, NIST published Federal Information Processing Standards (FIPS 203, 204, and 205) for post-quantum cryptography, signalling that the migration timeline is now. Organisations that delay PQC adoption are actively increasing their risk surface. Every byte of sensitive data encrypted with classic algorithms today is a potential harvest now, decrypt later target. The timeline to quantum-capable adversaries is uncertain—estimates range from 10 to 30 years—but adversaries collecting data now are betting on being able to decrypt it before its value expires. For long-lived sensitive data (government documents, medical histories, intellectual property), that risk is unacceptable.
How Organisations Can Respond to HNDL Threats Today
Responding to the harvest now, decrypt later threat requires a three-pronged approach. First, conduct a complete inventory of cryptographic assets—certificates, keys, algorithms—across your infrastructure. Second, adopt crypto-agility: the ability to seamlessly upgrade or swap cryptographic implementations without disruptive system overhauls. Third, build a post-quantum migration roadmap aligned to NIST PQC timelines, prioritising long-lived sensitive data and critical systems. This is not a "wait and see" scenario; it demands action now.
eMudhra's Approach to Post-Quantum Readiness
eMudhra is leading the post-quantum shift with two core products. emCA delivers PQC-ready digital certificates aligned to NIST standards, enabling organisations to begin certificate lifecycle transitions now. CertiNext provides full cryptographic inventory discovery and management, giving you the visibility needed to execute a crypto-agility strategy. Together, these solutions address the core dependencies of any harvest now, decrypt later defence: knowing what crypto you have, and being able to swap in quantum-safe alternatives without operational disruption.
