The looming prospect of quantum computing-powered AI decryption has brought with it the notion of “harvest now, decrypt later”, with attackers collecting encrypted data today with a view to decrypting it in the future using quantum computers.
It is more than 30 years since we were first warned that quantum computers would, at some point in the future, be able to crack traditional encryption algorithms.
Back in 1994 mathematician Peter Shor developed an algorithm that could be used on a theoretical quantum computer (theoretical because no physical quantum device existed at the time) to compute prime factors of large numbers. This algorithm, unsurprisingly known as Shor’s Algorithm, is important because the mathematics that underpin cryptographic algorithms such as RSA rely on the fact that calculating prime factors is computationally difficult. Doing so on a traditional computer is intractable (that is, it is possible but requires unfeasibly large amounts of processing power and/or time). Shor’s algorithm reduces the effort required significantly, making it theoretically possible to crack some of today’s encryption algorithms given a big enough quantum computer.
Where Are the Quantum Computers?
This latter point is important, though: although the likes of Google and IBM have produced usable quantum computers, the technology is still in its infancy. Google’s Willow processor has 105 qubits (a qubit is a data element – rather like a bit in traditional computing systems) and IBM’s Condor has 1,121. In 2019 mathematicians Craig Gidney and Martin Ekerå opined that to calculate the prime factors in a 2,048-bit RSA key would take about eight hours on a machine with 20 million qubits. Gidney has since devised a mechanism that should take fewer than a million qubits. Although there are also claims of algorithms that could theoretically do it with 100,000 or so, there is clearly still some way to go before quantum hardware can easily reverse algorithms such as RSA.
It seems, then, that we have a degree of comfort: if we encrypt our data effectively, an attacker who does manage to penetrate our defenses and download the data set will be unable to decrypt it. In reality, this is not quite true: it is more the case that they won’t be able to decrypt it yet. This is where we find ourselves in the reals of harvest now, decrypt later (HNDL).
Steal Today, Profit Tomorrow
If we think about it, this is a perfectly logical approach: if we are the attacker and we are able to obtain some encrypted data, it costs us little or nothing to store it for a year or two (we have probably breached someone’s improperly secured cloud storage and so they are paying for it anyway) until sufficient quantum power is available for us to run the factorization algorithm. Not only this, but attackers probably do not care that it takes more than the eight hours cited by Gidney and Ekerå – if they have held it for months or years, they are in no big rush and are probably happy if they can run the quantum decryption in a week or two.
We must consider, though, what value our data will have in a few years’ time when the attackers are able to decrypt it. Most data has a “shelf life”, after which its value becomes greatly reduced. Imagine, for example, that an attacker steals a file full of encrypted credit card data: new cards, when issued, generally have an expiry date between three and five years in the future, and so large numbers of the cards will have expired by the time the data can be used. Or maybe an aerospace company has been breached and some encrypted critical designs stolen: there is every chance that in two or three years’ time those designs will have ceased to be highly sensitive and secret and have instead become physical products that someone with the funds and the knowledge could buy and reverse-engineer.
Acquiring Access
User authentication and digital certificate data are common targets for attackers, since they are so useful as a means of gaining access to victims’ systems. For the average organization, though, such data ought to be almost unusable in just a few months, let alone two or three years. Our users should be changing their passwords regularly, we should be rotating service account credentials on a schedule and we are seeing organizations reduce the lifetimes of the digital certificates and signatures they use. Not so long ago, certificates were valid for up to two years, but we are seeing many companies reducing this to six months or even less.
Of course, some forms of data lend themselves more readily to HNDL. Government or military communications are an obvious example: it is highly likely that an encrypted message sent today will be of interest to an attacker – particularly a foreign government – in 10 or even 20 years time. Likewise, healthcare or biometric data: as medical research and technology can extend the lives of people with even very serious illnesses, they may still be around for that data to be relevant and hence usable for nefarious purposes.
We do, therefore, need to consider how to future-proof our systems and processes if, as appears to be the case, there is a risk of today’s encrypted data being stolen for future decryption.
It is one of the reasons why ISC2 has created the Introduction to Quantum Computing Express Course. This course provides a clear, practical overview of how quantum computing works, where it is headed and what steps organizations should take to prepare for quantum-era threats. The course will aid you in explaining the fundamental principles of quantum computing, identifying the potential applications and challenges of quantum computing, along with assessing the implications of quantum computing for cybersecurity and organizational readiness.
Considerations For Responding to Future Quantum Risks
First, we should consider the technologies we use today which are likely to remain safe into the quantum era. This does not mean we should simply disregard them, but we can put them lower down the list than the things that we know will become susceptible. An example is the SHA hash function. Grover’s Algorithm is another quantum algorithm, this time one for deducing the plaintext input to a function that resulted in a given output, in this case SHA. When applied to SHA-256, the algorithm brings the complexity of reversing the hash down from 2256 to roughly 2128; applied to SHA-512 it comes down from 2512 to 2256. These are still fiendishly difficult to reverse and so they are relatively safe for now. Similarly the Advanced Encryption System (AES) algorithm – while implementations with smaller key sizes such as 128 or 192 bits are not considered quantum-safe, AES-256 is.
For some technologies we use that are potentially susceptible to HNDL, though, we need to consider where to go. Before quantum became a thing, the world was heading toward Elliptic Curve Cryptography (ECC), because when compared to RSA, ECC algorithms give the same level of encryption but with much, much smaller key lengths. ECC is not quantum-safe, however, so it makes sense to look elsewhere. The National Institute of Science and Technology (NIST) has already published several standards for Post Quantum Cryptography (PQC): FIPS-203, for general encryption; and FIPS-204 and FIPS-205, for digital signatures. Vendors are also now implementing PQC: for example, the November 2025 updates of Microsoft’s Windows 11 and Windows server 2025 have PQC capabilities and Linux’s Post-Quantum Cryptography Alliance is pushing forward with the concept.
As with any security aspects of our systems, we should constantly be looking to take advantage of the tools that are introduced to the systems we use from time to time. As we have seen, much of the cryptographic technology we use today is likely to continue to defend us into the quantum era. Since PQC is now beginning to appear in new versions of systems we use, or at least in updates that are available for those systems, if we are to avoid HNDL attacks we should be looking at the new weapons our vendors have added to our armories, along with planning to deploy them sooner rather than later.
