The harvest-now-decrypt-later (HNDL) attack model describes a strategy in which an adversary intercepts and archives encrypted network traffic today, storing it until a sufficiently powerful quantum computer exists to break the underlying asymmetric encryption and recover the plaintext. The attack requires no immediate decryption capability. It is passive, scalable and already operational, which is precisely what makes it a present-day compliance and risk problem rather than a distant technical concern.
How the HNDL Attack Model Works
HNDL exploits a structural asymmetry: collecting encrypted data is cheap and technically trivial, while breaking current public-key cryptography is computationally infeasible today. That gap closes the moment a Cryptographically Relevant Quantum Computer (CRQC) comes online.
The mechanism is straightforward. A threat actor with access to a nation-state-level collection infrastructure intercepts TLS-protected traffic, VPN tunnels, encrypted email or any channel that uses asymmetric key exchange. The ciphertext is stored. At collection time, the actor cannot read the content. What they can read are the session parameters: which public keys were exchanged, which algorithms were used and how the keys were negotiated. When a CRQC becomes available, Shor’s Algorithm can factor large integers and compute discrete logarithms in polynomial time. That is sufficient to retroactively recover the session keys and decrypt every stored conversation.
NSA Director of Cybersecurity Rob Joyce stated directly: “Adversaries are already stealing data today that they plan to decrypt once quantum computers are available.” This is not a theoretical projection; it reflects the assessed behaviour of state-level intelligence services.
Which Algorithms Are Vulnerable and to Which Quantum Attack
The vulnerability landscape splits clearly across two quantum algorithms, each targeting a different class of cryptographic primitive.
| Algorithm type | Examples in use today | Quantum threat | Effect |
|---|---|---|---|
| Asymmetric / key exchange | RSA-2048, ECDH, DSA | Shor’s Algorithm | Completely broken: private keys recoverable in polynomial time |
| Symmetric encryption | AES-128 | Grover’s Algorithm | Security halved: 128-bit key drops to ~64-bit effective strength |
| Symmetric encryption | AES-256 | Grover’s Algorithm | Security halved but remains: ~128-bit effective strength, still acceptable |
| Hash functions | SHA-256, SHA-3 | Grover’s Algorithm | Weakened but not broken at current output lengths |
The distinction matters operationally. RSA and ECDH, which underpin TLS handshakes, SSH, S/MIME and most VPN key exchange protocols, face total collapse against a CRQC. AES-256 used for data at rest survives quantum attack with adequate margin, whereas AES-128 does not. Any organisation that uses AES-128 for long-lived data storage should treat that as an urgent remediation item regardless of the quantum timeline.
NIST IR 8105, the Report on Post-Quantum Cryptography, formalised this threat model and provided the policy basis for the eight-year standardisation programme that concluded in 2024 with three published post-quantum standards. NIST was explicit: “The migration to post-quantum cryptography requires significant preparation and organisations should not wait until quantum computers are available before starting this process.”
The Scientific Consensus on CRQC Timelines
No credible public estimate places a CRQC capable of breaking 2048-bit RSA before 2030. Most research groups and intelligence assessments cluster the most probable window between 2030 and 2040. Some scenarios, incorporating classified programme acceleration or unexpected engineering breakthroughs, do not rule out earlier availability.
The NSA’s CNSA 2.0 Suite, published in 2022, set a 2030 deadline for National Security Systems to complete migration to post-quantum algorithms for most software and IT products. That deadline is not arbitrary. It reflects the US intelligence community’s internal assessment of the threat window.
For a data protection officer or CISO, the relevant question is not “when will a CRQC exist?” but “for how long must this data remain confidential?” A patient medical record created today may need to remain private for 30 years. Legal privilege records, trade secrets and classified government communications carry similarly extended sensitivity horizons. If a CRQC arrives in 2035 and your data needs to remain secret until 2045, traffic intercepted in 2025 is already compromised in retrospect.
Why the Urgency Falls on CISOs and DPOs Today
Cryptographic migrations are not configuration changes. They are multi-year infrastructure programmes that touch every system, vendor contract and network device that performs key exchange. The experience of transitioning from SHA-1 to SHA-256, or from TLS 1.0 to TLS 1.3, illustrates the scale: organisations that started those transitions late faced broken integrations, emergency patches and extended exposure windows.
Post-quantum migration is substantially more complex. It requires replacing the underlying mathematical assumptions in TLS libraries, VPN gateways, code-signing infrastructure, HSMs and every third-party integration that imports a cryptographic dependency. The European Union Agency for Cybersecurity (ENISA) flagged in its 2023 threat landscape report that state-level adversaries are already investing in capabilities relevant to quantum-enabled decryption, and recommended that organisations begin transition planning immediately.
GDPR Article 32 requires technical measures appropriate to the risk, evaluated against the state of the art. With NIST post-quantum standards published, NSA CNSA 2.0 Suite guidance in force, and ENISA issuing formal recommendations, the state of the art now includes post-quantum cryptography. A DPO who cannot demonstrate active transition planning for long-sensitivity data will find it difficult to defend the organisation’s risk treatment in a supervisory authority audit.
Sectors Where HNDL Is an Immediate Material Risk
Not every organisation faces equal exposure. The sectors where HNDL constitutes a present-day material risk share a common characteristic: their data has a sensitivity lifetime that extends well beyond any credible CRQC timeline.
Defence and national security data is the canonical case. Military capability, intelligence sources and operational plans retain sensitivity for decades. Government ministries, security services and defence contractors in EU member states are all within scope. The NSA CNSA 2.0 transition requirements exist precisely because this sector cannot afford retroactive decryption.
Healthcare records created today under GDPR remain under strict confidentiality indefinitely. Genomic data, psychiatric records and chronic disease histories carry lifelong sensitivity. A hospital or health insurer whose TLS traffic is being collected today is accepting a risk that no clinical governance framework would sanction if the mechanism were visible.
Legal and professional privilege records, including litigation files, M&A due diligence, arbitration communications and attorney-client correspondence, routinely span 10 to 20 year retention periods. Law firms and in-house legal teams have direct professional obligations to protect privileged communications that would be violated by retroactive decryption.
Financial sector organisations subject to DORA must demonstrate operational resilience against a range of threat scenarios. Long-term financial contracts, proprietary trading strategies and regulatory communications intercepted today and decrypted in 2035 represent both a commercial and a regulatory exposure.
Conducting a Cryptographic Inventory
A cryptographic inventory is the prerequisite for any post-quantum transition programme. It maps every system, data flow and stored dataset to the algorithms it uses, the key lengths involved, and the sensitivity lifetime of the data it protects.
In practice, the inventory should proceed in three layers. The first is the network and transport layer: identify every TLS endpoint, VPN gateway and SSH server, confirm which key exchange algorithms are negotiated, and flag any that rely on RSA or ECDH without post-quantum hybrid modes. Certificate management systems and PKI infrastructure belong here.
The second layer covers application and storage cryptography: which databases use encryption at rest, what algorithm and key length, and whether the encryption is applied at the application layer (where it is auditable) or only at the storage layer (where it may be invisible to the application team). Data classified with long sensitivity lifetimes must be explicitly mapped regardless of where in the stack they are encrypted.
The third layer is the dependency layer: every third-party SaaS integration, cloud API, EDI partner and vendor-supplied system that your organisation exchanges sensitive data with imports cryptographic assumptions you do not control. A sovereign-hosted document management system is only as quantum-safe as the weakest TLS handshake in its integration chain.
The output of a cryptographic inventory is a prioritised remediation register. Systems that handle long-sensitivity data and currently rely on RSA or ECDH key exchange sit at the highest priority. Systems using AES-128 for data at rest come next. Systems that are already isolated from external collection vectors, or that hold only short-sensitivity data, can be addressed in later programme phases.
FAQ
What exactly is a harvest-now-decrypt-later attack?
An adversary intercepts and stores encrypted traffic today, even though they cannot currently decrypt it. Once a CRQC becomes available, they apply Shor’s Algorithm to break the asymmetric encryption that protected the session keys and recover the plaintext. The attack is passive at collection time, making it nearly invisible to the victim.
Which encryption algorithms are immediately threatened and which are less urgent?
RSA and elliptic-curve Diffie-Hellman (ECDH) are broken in polynomial time by Shor’s Algorithm on a CRQC. Symmetric algorithms such as AES-256 are weakened but not broken by Grover’s Algorithm, which effectively halves the key length. AES-128 drops to a 64-bit effective security level and should be treated as urgent. AES-256 remains practically secure at a 128-bit equivalent.
When is a CRQC expected to arrive?
Public estimates cluster between 2030 and 2040 for a CRQC capable of breaking 2048-bit RSA. The NSA CNSA 2.0 Suite set a 2030 migration deadline for National Security Systems, reflecting the intelligence community’s internal assessment. For data that must remain confidential for 15 or 20 years, the migration window is already open.
What does a cryptographic inventory involve in practice?
A cryptographic inventory maps every system, data flow and stored dataset to its algorithms, key lengths and data sensitivity lifetime. It identifies TLS endpoints relying on RSA or ECDH, VPN gateways using non-quantum-safe key exchange, data at rest encrypted with AES-128, and third-party integrations that import cryptographic assumptions outside your control.
Does GDPR or NIS-2 create a legal obligation to address the quantum threat?
Neither regulation names post-quantum cryptography explicitly. However, GDPR Article 32 requires technical measures appropriate to the risk, evaluated against the state of the art. With NIST post-quantum standards published and ENISA issuing formal recommendations, the state of the art now includes post-quantum cryptography. Failing to plan a transition is increasingly difficult to defend as an appropriate risk treatment for long-sensitivity data.
