Inside the Quantum “Harvest Now, Decrypt Later” Crisis That Threatens Every Secret You’ve Ever Sent Online

An investigative feature by The Media Glen Publishing

The Heist That Nobody Noticed

Imagine someone broke into your house tonight. They didn’t steal your television or your jewellery. Instead, they walked straight to your filing cabinet, photographed every document inside—your tax returns, your medical records, your love letters, your children’s birth certificates—and then quietly left, locking the door behind them. You would never know they had been there. The photos they took are encrypted with a lock they cannot yet pick. But they are patient. They know that within the next ten to fifteen years, a new kind of key will be invented—one powerful enough to open every lock ever made. And when that day arrives, every secret in those photographs will be laid bare.

This is not a hypothetical scenario. It is happening right now, on a global scale, and the “documents” being photographed are your emails, your banking transactions, your health records, your government’s classified communications, and the private messages you send to the people you love. The perpetrators are nation-state intelligence agencies and sophisticated criminal organisations. The future key they are waiting for is called a quantum computer. And the strategy they are using has a name that sounds almost quaint for something so devastating: “Harvest Now, Decrypt Later.”

This article is written for people who have never heard of quantum computing, who have no background in cryptography, and who have never given a second thought to how their online banking password actually keeps their money safe. By the time you finish reading, you will understand exactly why the world’s top intelligence agencies, the largest technology companies on Earth, and the governments of every major nation are engaged in what many experts are calling the most urgent cybersecurity race in human history.

How the Locks on Your Digital Life Actually Work

Before we can understand the threat, we need to understand what is being threatened. Every time you log into your bank, send an email, or make an online purchase, your information is protected by encryption. Encryption is, at its core, a mathematical lock. It scrambles your data into unreadable gibberish—called ciphertext—so that anyone who intercepts it sees nothing but nonsense. Only someone with the correct mathematical key can unscramble it back into readable form.

The most important type of encryption used on the internet today is called public-key cryptography, and it underpins virtually every secure interaction you have online. Here is how it works in simple terms. Imagine you want to send a secret message to your bank. Your bank publishes a special “public key”—think of it as an open padlock that anyone can use to lock a box. You put your message in the box and snap the padlock shut. Once locked, only the bank’s private key—a secret key that only the bank possesses—can open it. Even though everyone can see the padlock, nobody except the bank can open it.

The mathematical strength of this system relies on something called a “trapdoor function.” This is a calculation that is extraordinarily easy to perform in one direction but virtually impossible to reverse. The most common example involves multiplying two enormous prime numbers together. A modern computer can multiply two 300-digit prime numbers in a fraction of a second. But if you give that same computer the resulting 600-digit product and ask it to figure out which two primes were multiplied together, it would take billions of years to find the answer through trial and error. The most widely used system based on this principle is called RSA, named after its three creators: Rivest, Shamir, and Adleman. Another widely used system, called Elliptic Curve Cryptography or ECC, relies on a different but equally difficult mathematical problem involving curves on a graph.

These systems are not theoretically unbreakable. They are practically unbreakable—meaning that with every computer currently in existence, the time required to crack them exceeds the age of the universe. A 2048-bit RSA key, the current standard for most secure web traffic, would require all of the world’s most powerful classical supercomputers working together for longer than the Sun will continue to burn.

That is the critical word: classical.

A Completely Different Kind of Computer

A quantum computer is not simply a faster version of the computer sitting on your desk. It is a fundamentally different machine that processes information according to the bizarre and counterintuitive rules of quantum mechanics—the branch of physics that governs the behaviour of matter at the subatomic level.

A traditional computer stores and processes information using “bits,” each of which can be either a 0 or a 1—like a light switch that is either on or off. A quantum computer uses “qubits” (quantum bits), which can exist in a state called “superposition.” In superposition, a qubit is both 0 and 1 at the same time, in a way that has no equivalent in our everyday experience. If that sounds impossible, you are in good company—the physicist Richard Feynman famously said that nobody truly understands quantum mechanics. But the mathematics works, and it has been verified by experiment countless times.

When multiple qubits are linked together through a phenomenon called “entanglement,” their combined processing power does not merely add up—it multiplies exponentially. Two entangled qubits can represent four states simultaneously. Three can represent eight. Fifty entangled qubits can represent more than one quadrillion states at once—more than all the bits in the most powerful classical supercomputer on Earth. This allows a quantum computer to explore an astronomical number of possible solutions to a problem at the same time, rather than checking them one by one.

This is not a general-purpose speedup. Quantum computers will not make your video games run faster or your word processor load more quickly. They excel at very specific types of mathematical problems—and, as it happens, the mathematical problems they are best at solving are precisely the ones that protect your encryption.

The Algorithm That Changes Everything

In 1994, an American mathematician named Peter Shor demonstrated something that sent shockwaves through the cryptography community. He showed that a sufficiently powerful quantum computer could factor enormous numbers—the very operation that RSA depends on being impossible—in a manageable amount of time. His method, now called Shor’s algorithm, converts the factoring problem into a pattern-finding problem and then uses a quantum technique called the Quantum Fourier Transform to find the pattern almost instantly.

The implications are total. If Shor’s algorithm is run on a large enough quantum computer, RSA encryption collapses. Elliptic Curve Cryptography collapses. Diffie-Hellman key exchange—the method used to securely negotiate encryption keys at the start of almost every secure internet session—collapses. Every digital lock based on these systems would be pickable in seconds to days, rather than in billions of years.

There is a second quantum algorithm, discovered by Lov Grover in 1996, that also threatens encryption, though less dramatically. Grover’s algorithm speeds up brute-force searching, effectively halving the strength of symmetric encryption systems like AES (the standard used to protect classified government data). An AES key with 128-bit security would be reduced to just 64-bit security under a quantum attack—far too weak. The remedy for AES is relatively simple: double the key size to 256 bits. But for RSA and ECC, there is no such easy fix. Those systems need to be replaced entirely.

The Quantum Threat at a Glance

The Silent Heist: Harvest Now, Decrypt Later

This is where the story turns from a future worry into a present-day crisis. The strategy known as “Harvest Now, Decrypt Later”—often abbreviated HNDL—is built on a chillingly simple logic: even though quantum computers cannot yet break today’s encryption, the encrypted data being transmitted right now can be captured and stored until they can.

Think of it this way. A spy photographs a safe’s combination lock from every angle. The photos are useless today because no one can deduce the combination from them. But the spy knows that in ten years, a technology will exist that can analyse those photos and reconstruct the combination. So the spy stores the photos in a vault and waits. When the new technology arrives, the spy opens the safe and takes everything inside—even though the original theft happened a decade earlier.

Intelligence agencies, cybersecurity firms, and government advisories have confirmed that this is actively happening. State-sponsored actors—the kind of organisations with the budgets to store petabytes of data and the patience to wait years for a return on investment—are intercepting encrypted internet traffic on a massive scale. They are tapping into undersea fibre-optic cables, infiltrating data centres, capturing encrypted VPN sessions, and quietly recording the ciphertext that flows through the internet’s backbone every second of every day.

The critical detail is that this interception is nearly undetectable. Because the attackers are not trying to break the encryption in real time, they do not trigger the alarms that traditional intrusion detection systems are designed to catch. They are not exfiltrating readable data. They are simply making copies of encrypted traffic—a task that looks, to most monitoring systems, like ordinary network activity. Standard data-loss prevention tools are blind to it because no plaintext ever leaves the building. The ciphertext is simply duplicated and stored in enormous, hidden archives maintained by intelligence services or well-funded criminal syndicates.

The Four Phases of an HNDL Attack

Phase One: The Harvest. Adversaries quietly intercept encrypted data from network backbones, data centres, and endpoint devices. They use techniques including fibre-optic tapping, VPN session hijacking, and TLS/SSL interception to capture vast quantities of ciphertext. Because nothing is being “broken” in real time, this phase is virtually invisible to conventional cybersecurity defences.

Phase Two: Long-Term Storage. The captured data is moved to secure, long-term repositories—massive archives operated by national intelligence agencies or organised criminal groups. Modern cloud storage and data compression make it economically feasible to store petabytes of data for decades. The archives are maintained, updated, and concealed from counter-intelligence efforts through techniques such as data fragmentation and mislabelling.

Phase Three: Q-Day. This is the day a “cryptographically relevant quantum computer” (CRQC) becomes operational—a machine powerful and stable enough to run Shor’s algorithm on real-world encryption keys. On Q-Day, the adversary feeds the archived ciphertext into the quantum computer, which factors the underlying mathematical keys in seconds to days. The locks are picked. The secrets pour out.

Phase Four: Retrospective Exploitation. The now-readable data is exploited. Medical records stolen today might reveal the private health conditions of a future prime minister. Diplomatic cables captured in 2025 might expose intelligence sources still active in 2040. Trade secrets intercepted from a pharmaceutical company could be used to undercut a competitor’s drug patent fifteen years later. The damage is not theoretical—it is delayed.

The Ticking Clock: When “Someday” Becomes “Too Late”

One of the most important contributions to understanding this threat comes from Canadian mathematician Michele Mosca, who developed a deceptively simple formula—now known as Mosca’s Theorem—that transforms the quantum threat from an abstract physics conversation into a concrete operational deadline.

Mosca’s Theorem asks three questions. First: how many years does your data need to remain secret? Call that number X. For a hospital, patient genomic data might need to stay confidential for eighty years or more. For a defence department, classified intelligence might require fifty years of secrecy. For a bank, customer financial records might need twenty. Second: how many years will it take your organisation to upgrade all of its encryption systems to quantum-safe alternatives? Call that number Y. Most large organisations estimate five to fifteen years for a full migration, given the complexity of replacing encryption across thousands of interconnected systems. Third: how many years remain before a cryptographically relevant quantum computer becomes operational? Call that number Z.

Mosca’s inequality is devastatingly simple: if X + Y is greater than Z, you have already run out of time. Data you are encrypting today will inevitably be exposed before your new defences can protect it. It does not matter that the quantum computer has not been built yet—the data has already been harvested, and the migration has not yet begun.

Consider a real-world example. A national health service holds patient records that must remain confidential for seventy-five years (X = 75). Its IT department estimates a full encryption overhaul will take eight years (Y = 8). If a CRQC becomes operational in fifteen years (Z = 15), then X + Y = 83, which is vastly greater than 15. The health service needed to have started its migration decades ago. Even data encrypted just last year is at risk, because it will still be confidential long after Q-Day arrives.

Who Is Most at Risk?

The Race to Q-Day: Closer Than Anyone Expected

For years, the mainstream estimate for when a CRQC might arrive was “somewhere between 2040 and 2060.” That timeline has been collapsing with alarming speed. In June 2025, a researcher named Craig Gidney published a groundbreaking paper demonstrating that clever software optimisations for Shor’s algorithm could reduce the number of physical qubits needed to break RSA-2048 from approximately twenty million down to fewer than one million.

That single paper moved the estimated date of Q-Day approximately seven years closer. Under previous projections, reaching twenty million qubits on a hardware trajectory similar to Moore’s Law (where qubit counts roughly double every eighteen months) would not have occurred until about 2052. With Gidney’s optimisations reducing the requirement to one million qubits, that date shifts to around 2045. Some researchers have suggested that if further optimisations continue—pushing the requirement down to as few as 242,000 qubits—Q-Day could arrive as early as 2039.

Hardware breakthroughs have reinforced these compressed timelines. In December 2024, Google unveiled its “Willow” quantum processor, which demonstrated the first scalable logical qubit using a technique called the surface code. While Willow does not yet possess the qubit count needed to threaten RSA, it proved something even more important: that quantum error rates can be successfully reduced as the system scales up. This is the fundamental engineering challenge that has held back quantum computing for decades, and Google showed it can be solved.

In early 2025, Microsoft announced its “Majorana 1” chip, a demonstrator for a radically different approach called topological qubits. Unlike the superconducting qubits used by Google and IBM, topological qubits are theoretically far more resistant to environmental noise and errors—the quantum computing equivalent of building with steel instead of straw. Microsoft’s roadmap projects reaching one million physical qubits within a decade, aligning precisely with Gidney’s revised estimates.

IBM’s own development trajectory targets the delivery of large-scale systems by 2029, focusing on achieving one hundred million quantum gates across two hundred logical qubits. A survey by the Global Risk Institute found that more than half of the experts polled believe there is a better than fifty per cent chance that RSA-2048 will be broken within fifteen years—and that assessment was made before Gidney’s 2025 paper was published.

The Global Response: Building Locks That Quantum Computers Cannot Pick

The world’s primary defence against the HNDL threat is the development of post-quantum cryptography, or PQC. These are new encryption algorithms designed to be secure against both traditional and quantum computers. Crucially, PQC algorithms run on ordinary classical computers—they do not require quantum hardware. They simply use different mathematical problems that quantum computers, as far as anyone knows, cannot solve efficiently.

In August 2024, the United States National Institute of Standards and Technology (NIST) published the first three finalised post-quantum cryptography standards—a milestone that the cybersecurity community had been anticipating for nearly a decade. These three standards represent the foundation upon which the entire world’s encryption infrastructure will eventually be rebuilt.

FIPS 203 (ML-KEM), based on a mathematical structure called a module lattice, is designed for key encapsulation—the process of securely exchanging encryption keys over the internet. It replaces the role currently played by RSA and Diffie-Hellman in protocols like TLS, which secures your web browser connections.

FIPS 204 (ML-DSA) is the new standard for digital signatures—the mathematical equivalent of a handwritten signature that proves a message has not been tampered with and truly came from the claimed sender. It is intended for software updates, code signing, and identity verification.

FIPS 205 (SLH-DSA) provides a fallback digital signature mechanism. While slower than ML-DSA, it relies on a completely different mathematical foundation—cryptographic hash functions rather than lattices—providing insurance against the possibility that someone might find a way to break lattice-based cryptography in the future.

NIST is also advancing additional algorithms for diversity. A signature scheme called FN-DSA, optimised for devices with extremely limited memory like smart cards, is expected to be finalised in 2025. A backup key encapsulation mechanism called HQC, based on error-correcting codes rather than lattices, received draft-standard status in early 2026. And the venerable Classic McEliece algorithm, which has resisted every known attack for over forty years, remains a conservative option for the most security-critical applications.

Nations Racing to Prepare

Governments around the world have recognised that the transition to post-quantum cryptography cannot be left to chance. Formal roadmaps and legal mandates are being issued at the highest levels of national security.

The United States has codified its approach through National Security Memorandum 10 and the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0). The goal is for all National Security Systems to be fully quantum-resistant by 2035. Mandatory milestones include implementing PQC for new software signatures and web browsers by 2025, transitioning networking equipment by 2026, and completing the phase-out of legacy systems that cannot support quantum-safe algorithms by 2030. The Office of Management and Budget has estimated the migration cost for civilian federal agencies alone at 7.1 billion US dollars.

The United Kingdom’s National Cyber Security Centre published a three-phase roadmap in 2025, requiring organisations to complete discovery and inventory of vulnerable systems by 2028, migrate critical systems between 2028 and 2031, and achieve full adoption of PQC across all products and services by 2035.

Canada’s Centre for Cyber Security issued the ITSM.40.001 Roadmap in June 2025. Federal departments must develop an initial migration plan by April 2026, complete PQC migration for high-priority systems by the end of 2031, and transition all remaining systems by 2035. The roadmap establishes the Designated Official for Cyber Security (DOCS) as the individual ultimately accountable for quantum risk within each department.

In Europe, Germany’s Federal Office for Information Security (BSI) and France’s ANSSI have taken a notably cautious stance, emphasising the use of hybrid encryption schemes during the transition period. A hybrid scheme combines a traditional algorithm with a post-quantum algorithm in a single encrypted session, ensuring that even if the new PQC algorithm turns out to have an unforeseen weakness, the system remains at least as secure as current technology. The BSI has specifically recommended conservative alternatives like FrodoKEM and Classic McEliece for scenarios requiring the longest-term security guarantees.

China has pursued a distinctive dual approach, investing heavily in both post-quantum cryptography and quantum key distribution (QKD)—a physically different technology that uses the properties of individual photons of light to detect eavesdropping. While Western nations have expressed scepticism about the scalability of QKD for general use, China has deployed it along high-security trunk lines and is developing its own independent PQC standards, expected to be released in 2026. This suggests a future in which different regions of the world may use fundamentally different cryptographic systems, complicating global interoperability.

What Organisations Must Do Now

The migration to quantum-safe encryption is not a single event but a multi-year journey that cybersecurity experts have broken into five phases.

Phase One: Cryptographic Discovery. Before you can fix your encryption, you need to know where it is. Most large organisations have encryption embedded in thousands of systems, applications, and third-party products—much of it undocumented. The first step is conducting a complete inventory, often called a Cryptographic Bill of Materials (CBOM), that maps every instance of RSA, ECC, and Diffie-Hellman in use across the enterprise.

Phase Two: Risk Assessment. Not all data is equally vulnerable to HNDL. Organisations must classify their data by sensitivity and required confidentiality lifespan, focusing resources on the systems protecting information that must remain secret for decades.

Phase Three: Crypto-Agility. NIST defines crypto-agility as the ability to replace cryptographic algorithms without disrupting running systems. This means designing flexible architectures where encryption components can be swapped out like light bulbs rather than requiring the entire electrical system to be rewired.

Phase Four: Hybrid Testing. Before going live, organisations should test post-quantum algorithms alongside traditional ones in controlled environments. Hybrid deployments—combining a proven algorithm like X25519 with a new one like ML-KEM-768—provide quantum resistance for the key exchange while maintaining backward compatibility.

Phase Five: Continuous Monitoring. The final phase never truly ends. New standards will continue to be published, vulnerabilities may be discovered in current PQC algorithms, and procurement policies must be updated to ensure all newly acquired technology meets quantum-safe requirements from the outset.

A growing market of specialised tools has emerged to support this process. IBM’s Quantum Safe platform uses static code analysis to find vulnerable cryptography in source code. SandboxAQ’s AQtive Guard provides network-level visibility into encrypted sessions. Keyfactor offers agent-based endpoint scanning. PQShield focuses on hardware-level cryptographic security for smart cards and silicon chips. And QuSecure’s QuProtect platform enables centralised, enterprise-wide algorithm management from a single dashboard.

An Alternative Defence: Making the Data Impossible to Steal

While post-quantum cryptography addresses the “decrypt later” half of the HNDL equation, a complementary technology aims to eliminate the “harvest now” half entirely. Physical-layer encryption, sometimes called photonic shielding, modifies the optical signals travelling through fibre-optic cables in a way that makes them literally unrecordable by standard equipment.

Traditional fibre-optic tapping works by bending a cable slightly and capturing the light that leaks out. Physical-layer encryption buries the actual data signal within high levels of optical noise or uses spectral phase encoding to disguise it. An eavesdropper who taps the cable captures only random, meaningless noise—not ciphertext that could be stored for future decryption, but true noise that contains no recoverable information whatsoever.

Experimental systems demonstrated in 2025 achieved ten gigabits per second of encrypted optical transmission using lithium niobate photonic chips, successfully transmitting encrypted images over forty kilometres of fibre. These systems represent a physics-based security layer that does not depend on mathematical assumptions and therefore cannot be undermined by advances in computing power. While not a replacement for PQC across all network layers, photonic shielding is increasingly recommended for the highest-priority long-haul fibre links where preventing data capture altogether is the goal.

What This Means for You

If you are reading this as a private citizen, you may feel that quantum cryptography is a problem for governments and corporations, not for you. That is an understandable but dangerous assumption. Your medical records, your financial history, your private messages, your location data, your biometric information—all of this is encrypted and transmitted over networks that are susceptible to HNDL interception right now. Your personal data has a confidentiality lifespan, too. Genomic data derived from a DNA test you took last year will be relevant for your entire life and potentially the lives of your children and grandchildren.

The good news is that the global cybersecurity community has never mobilised this quickly or this decisively in the face of a threat. NIST’s finalised standards provide a clear technical foundation. Major technology companies—including Google, Apple, Microsoft, and Cloudflare—have already begun integrating post-quantum algorithms into their products. Google Chrome and Apple’s iMessage, among others, have deployed hybrid post-quantum key exchange in production. The transition is happening, and it is accelerating.

For individuals, the practical advice is straightforward even if the underlying science is not. Use services and products from companies that are publicly committed to post-quantum migration. Keep your software and operating systems updated, because quantum-safe protocols are being rolled out through routine patches. Choose messaging applications that have adopted post-quantum key exchange. And if you work in any industry that handles sensitive long-lived data—healthcare, law, finance, government, education, or research—begin asking your IT leadership what their post-quantum migration plan looks like. If the answer is silence, that silence should alarm you.

The bad news is that for the data already harvested—the emails, the medical records, the government communications captured over the past decade—there is no fix. That information is sitting in storage vaults around the world, waiting for the day the locks can be broken. The race is not to prevent the theft. The theft has already occurred. The race is to ensure that the secrets still being created today will be protected by locks that quantum computers cannot pick.

The most urgent message from every cybersecurity expert, government agency, and standards body is the same: the time to act is now. Not when a quantum computer is announced. Not when the first high-profile breach makes headlines. Now. Because as Mosca’s Theorem makes brutally clear, for many organisations, “now” may already be too late.

BEHIND THE STORY

When I first sat down to research this article, I expected a story about the distant future—the kind of “what if” technology piece that lets you marvel at the strangeness of physics and then get on with your day. What I found instead was a story about something happening right now, with consequences that have already been set in motion and cannot be reversed.

The most unsettling moment in the research process came when I truly grasped the implications of Mosca’s Theorem. It is not a prediction about when quantum computers will arrive. It is a statement about when the window for action closes—and for many categories of sensitive data, that window has already closed. The data harvested over the past decade is, in a very real sense, already compromised. It simply has not been read yet. There is a peculiar horror in that idea—the notion that a breach can happen years before anyone, including the victim, knows it has occurred.

The sourcing for this article drew heavily on peer-reviewed research, government policy documents, and technical standards publications. Mosca’s original inequality framework has been cited extensively in the academic literature and forms the basis of risk assessment guidance issued by NIST, the UK’s National Cyber Security Centre, and Canada’s Centre for Cyber Security. Craig Gidney’s 2025 optimisation paper, which compressed the estimated timeline to Q-Day by roughly seven years, was corroborated by independent analysis from researchers including Sam Jaques and was reported on extensively by the technical press. The hardware milestones described—Google’s Willow chip and Microsoft’s Majorana 1 demonstrator—were announced publicly by those companies and verified through published technical specifications.

The NIST post-quantum standards (FIPS 203, 204, and 205) are publicly available federal documents, and the timelines cited for the United States (CNSA 2.0), the United Kingdom (NCSC roadmap), and Canada (ITSM.40.001) are drawn directly from official government publications. The estimated 7.1-billion-dollar migration cost for US civilian agencies was published by the Office of Management and Budget. The international policy divergences—particularly the European emphasis on hybridisation and China’s dual QKD/PQC strategy—were documented through position papers from the BSI, ANSSI, and publicly available Chinese national standards registries.

One of the editorial challenges in writing this piece was translating the mathematics into language that a reader with no technical background could follow without feeling patronised. Quantum mechanics resists analogy. Every metaphor breaks down at some point because the underlying phenomena have no equivalent in everyday experience. The decision to use the “photographing a filing cabinet” analogy for HNDL was deliberate—it captures the essential logic (steal now, read later) without pretending to explain the quantum physics involved. Similarly, describing trapdoor functions as “multiplying versus un-multiplying enormous numbers” is a simplification, but it communicates the core asymmetry that makes public-key cryptography work and why quantum computing breaks it.

I chose to include the sector-by-sector risk table because I believe readers need to see themselves in this story. It is easy to dismiss quantum computing as someone else’s problem when the discussion stays at the level of abstract mathematics. It becomes much harder to dismiss when you realise that the hospital where you were born holds records that need to remain confidential for the rest of your life, and those records may already have been copied by an adversary who cannot yet read them but fully intends to.

The vendor landscape deserves a brief editorial note. The tools mentioned in this article—from IBM and SandboxAQ to Keyfactor and QuSecure—were included because they represent distinct methodological approaches to cryptographic discovery, not as endorsements. The post-quantum migration market is evolving rapidly, and by the time this article reaches many of its readers, new entrants and consolidations will have reshaped the competitive field. What matters is not which tool an organisation selects but that it selects one and begins the process of understanding its own cryptographic footprint before the window narrows further.

Finally, I want to be transparent about what this article cannot tell you. Nobody knows exactly when Q-Day will arrive. The fifteen-year window cited by the Global Risk Institute is an expert consensus, not a guarantee. It could be sooner. It could be later. What is certain is that the data being harvested today will not expire, and the adversaries collecting it are not operating on a deadline. They are simply waiting. The only question is whether the rest of us will be ready when they stop.

— The Editors, The Media Glen Publishing

© 2026 SynexMedia.com • All rights reserved.