Xplaination
← Back to all articles
Security May 20, 2026 · 8 tags

Harvest Now, Decrypt Later: Why Your Secrets Are Already at Risk

The quantum threat isn't science fiction — it's happening today. Here's how NIST's new encryption standards and real-world deployments like Internet2 are fighting back.

#post-quantum-cryptography#quantum-security#nist-standards#cybersecurity#ml-kem#ml-dsa#enterprise-security#educational

Harvest Now, Decrypt Later: Why Your Secrets Are Already at Risk

Imagine a spy who breaks into a building, photographs every document on every desk, then walks away without taking anything. Years later, when the building finally changes locks, the spy pulls out that folder of photos and reads every secret.

That’s exactly what’s happening to your encrypted data right now.

The threat is called Harvest Now, Decrypt Later (HNDL). Adversaries are collecting encrypted communications, storing healthcare records, hoarding government communications — and waiting. Not because they’re good cryptographers, but because they know the lock you’re using today will be useless tomorrow.

Enter post-quantum cryptography (PQC): a new class of encryption algorithms designed to resist attacks from future quantum computers. And unlike sci-fi doomsday scenarios, the migration is already underway.

How We Got Here: The Quantum Wake-Up Call

Modern encryption relies on two mathematical problems that are “hard” for classical computers:

  1. Integer factorization — breaking large numbers into primes (RSA)
  2. Elliptic-curve discrete logarithms — the math behind ECDSA and elliptic-curve Diffie-Hellman

In 1994, mathematician Peter Shor published an algorithm showing that a sufficiently powerful quantum computer could solve both problems efficiently. The math is elegant, the threat is real, and the timeline is… well, that depends who you ask.

Cloudflare estimates there’s a greater than 50% probability that RSA-2048 could be broken within 15 years. The US government has set 2035 as the deprecation deadline for quantum-vulnerable algorithms. Either way, the window to act is closing.

The Locksmiths Step In: NIST’s New Standards

In August 2024, after a multi-year international competition, NIST finalized three post-quantum standards:

  • FIPS 203 — ML-KEM (formerly Kyber): key encapsulation mechanism for encrypted communication
  • FIPS 204 — ML-DSA (formerly Dilithium): digital signatures for authentication
  • FIPS 205 — SLH-DSA: hash-based signatures, a mathematically different approach for specific use cases

These are all lattice-based algorithms — meaning they rely on the hardness of problems in high-dimensional lattice structures rather than integer factorization. Think of it like switching from a combination lock to a vault door that only opens in dimensions we can barely visualize.

A notable scare in April 2024 — when a researcher claimed to have broken lattice-based PQC with a new quantum algorithm — only reinforced the community’s preference for cryptographic diversity. The attack was later proven flawed, but the lesson stuck: don’t put all your eggs in one mathematical basket.

The Real Test: Internet2 Goes Post-Quantum

Here’s where the story moves from theory to practice. In April 2026, Internet2 — the US research and education network that connects universities, hospitals, and government labs — demonstrated post-quantum cryptography on its national backbone.

The demo was significant for three reasons:

  1. Scale: This isn’t a lab experiment. Internet2 operates a hyperscale network carrying research data between major institutions. Getting PQC to work at that scale, without compromising performance, is a real engineering achievement.

  2. End-to-end protection: The solution protected data both in transit (during transmission) and at rest (when stored). Captured traffic remains PQC-protected even when later archived — exactly the kind of protection HNDL attackers fear.

  3. NIST compliance: The demo used a FIPS 203-compliant solution, validated by third-party cryptographers in the research and education community.

The Readiness Gap

Here’s the uncomfortable truth: most organizations aren’t ready.

A Trusted Computing Group survey of 1,500 security professionals found that:

  • 75% felt confident in their understanding of quantum threats
  • 91% lacked a formal post-quantum migration roadmap
  • 81% said cryptographic libraries and hardware security modules weren’t ready for PQC integration

In other words, confidence outpaced preparation by a landslide.

The migration isn’t simple. There are two distinct challenges:

Key agreement (ML-KEM) is relatively straightforward. It replaces the key exchange portion of TLS and can be deployed alongside existing infrastructure with hybrid modes. Cloudflare reported that by late October 2025, more than half of all human-initiated web traffic through its network used post-quantum key agreement.

Digital signatures and certificates (ML-DSA) are much harder. Keys are larger, performance costs are higher, and the entire public key infrastructure (PKI) needs to evolve. NIST itself has said the first PQC certificates won’t be commercially available until 2026 — which is this year.

What You Should Do Now

This isn’t about waiting for quantum computers to arrive. The threat is already active:

  1. Inventory your crypto: Know where RSA and ECC are deployed — TLS, code signing, document signatures, VPNs, database encryption.

  2. Plan for crypto-agility: The goal isn’t to deploy one algorithm forever. It’s to build systems that can swap algorithms when needed. Cloudflare’s own experience proved that flexibility matters more than any single choice.

  3. Start with key agreement: ML-KEM deployment is the lowest-hanging fruit and has the clearest migration path. Get this moving before the signature work gets easier.

  4. Watch the certificate ecosystem: PQC certificates are emerging in 2026. When they arrive, you’ll need to plan the PKI migration carefully — this is the part that will cause the most disruption if you wait too long.

  5. Don’t panic about symmetric keys: NIST and the cryptographic community agree — increasing symmetric key sizes (AES-256 is fine) is unnecessary. The real work is replacing the public-key layer.

The Bottom Line

Post-quantum cryptography is no longer a theoretical exercise. NIST standards are published, Internet2 has demonstrated them at scale, Cloudflare is protecting half the web, and enterprises are beginning — reluctantly — to plan their migrations.

The spies with the photo albums aren’t coming. They’re already there. And the only thing standing between your secrets and their future decryption is how quickly you move today.

Quick Quiz

1. What is the “Harvest Now, Decrypt Later” (HNDL) threat? Answer: Adversaries are collecting encrypted data today and storing it for future decryption once quantum computers become powerful enough to break current encryption.

2. What are the three NIST post-quantum standards finalized in August 2024? Answer: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA for hash-based signatures).

3. Which part of PQC migration is easier: key agreement or digital signatures? Answer: Key agreement (ML-KEM) is easier because it replaces TLS key exchange with hybrid modes and has fewer infrastructure dependencies. Digital signatures (ML-DSA) are harder due to larger key sizes, performance costs, and the need to evolve the entire PKI.