In August 2021, the NSA published an unambiguous assessment: "Adversaries may be collecting encrypted data now, waiting for the day when quantum computers can decrypt it." That is not a vendor warning. That is the US government's own signals intelligence agency describing an active adversarial strategy in public documentation.
HNDL (Harvest Now, Decrypt Later, also called Store Now, Decrypt Later or SNDL) is the practice of intercepting and storing encrypted data today, before a cryptographically relevant quantum computer (CRQC) exists, so that the data can be decrypted when one does. The UK's NCSC made its own position clear in its 2023 Annual Review, noting that state actors are conducting data theft campaigns "for exploitation in years to come." Five Eyes partner agencies have said the same thing in coordinated joint advisories.
The attack is not theoretical. The collection phase is present-tense.
Why HNDL Requires No Quantum Computer Today
The asymmetry of HNDL is what makes it structurally different from most threat models. The collection phase requires three things: bulk traffic interception capability, storage capacity, and patience. None of these are constraints for a well-resourced nation-state actor.
Bulk collection of internet traffic (TLS session records, VPN tunnel ciphertext, encrypted email, encrypted file transfers) has been a documented capability of national signals intelligence agencies for over a decade. Storage costs at petabyte scale are not a limiting factor for state-level operations. And patience, for actors pursuing objectives on 10-to-20 year horizons, is structural.
What HNDL does require, and does not yet have, is the decryption capability. A CRQC running Shor's Algorithm (Shor, SIAM Journal on Computing, 1997) can solve the integer factorisation and discrete logarithm problems that underpin RSA and ECDH key exchange. Current quantum hardware cannot do this at the key sizes used in practice. But the collection phase does not wait for the decryption phase. The data is being stored now, against the day when the hardware arrives.
There is a further asymmetry worth understanding. Passive traffic interception does not generate the signals that conventional detection tools flag. Intrusion detection systems and SIEM platforms look for anomalous access, failed authentication, and unusual egress. A passive intercept of packets in transit between networks generates none of these signals. An organisation can be subject to HNDL collection with no log trace whatsoever. The NIST NCCoE SP 1800-38 migration guidance acknowledges exactly this in its discussion of passive monitoring threats.
The Evidence Base: Named Actors, Public Sources
The ODNI 2023 Annual Threat Assessment states that China "almost certainly" uses cyber operations to support "long-term strategic military and economic objectives," with the multi-year horizon explicitly referenced. The 2023 Five Eyes joint advisory (CISA Advisory AA23-144A, published by US, UK, Australian, Canadian, and New Zealand intelligence partners) documented that PRC-sponsored actors had achieved persistent access inside telecommunications providers, government networks, and critical infrastructure entities, maintaining that access over extended periods for intelligence collection.
The 2020 SolarWinds intrusion, attributed by ODNI to Russia's SVR in January 2021, demonstrated the operational feasibility of maintaining undetected access inside thousands of organisations simultaneously for nine months. While no public source confirms that specific operation was quantum-targeted, the operational infrastructure it required (persistent access, selective exfiltration, long dwell time) is precisely the infrastructure HNDL collection demands.
The question "would we know if our data had been collected?" has an uncomfortable answer. Based on documented dwell times and the passive nature of traffic interception, the FBI and CISA both assess that state-actor operations commonly persist for months to years before detection. For HNDL collection, which leaves no active exploitation footprint, that figure is likely conservative.
What Adversaries Actually Target
HNDL operations are not indiscriminate. The targeting logic favours data with two properties: it cannot be obtained by other means today, and its intelligence value extends beyond Q-Day.
The NSA, ODNI, and NCSC are consistent in identifying the priority categories. Government classified communications and diplomatic cables. Military capability assessments and operational planning. Long-term R&D in defence, aerospace, and pharmaceuticals. Genomic and biometric databases, which are permanent personal identifiers with intelligence value that does not decay. Intellectual property with long competitive windows. Critical infrastructure operational data.
Financial transaction records deserve specific note. MiFID II requires investment firms to retain records for at least five years (Art. 25(1)); Dodd-Frank mandates 5-7 years for swap records. These regulatory retention requirements create a defined period during which those records remain stored and accessible. For an adversary with quantum decryption capability arriving in the early 2030s, this places archived financial records directly within the collection window. The strategic intelligence value of foreign exchange flows, correspondent banking relationships, and sanctions-adjacent transaction patterns runs well beyond the regulatory retention period.
Genomic and health data presents the most extreme case. Genomic data does not expire. Data collected today and decrypted in 2035 is as sensitive as the day it was created, and more so, given that genomic analysis techniques will have advanced further in the interval.
The Mosca Inequality: When the Risk Window Opens
Dr Michele Mosca at the Institute for Quantum Computing, University of Waterloo, formalised the HNDL risk window as a simple inequality (IEEE Security & Privacy, 2018): if the sum of migration time (x) and required data confidentiality period (y) exceeds the time remaining until Q-Day (t), that is, if x + y > t, the data is at risk.
Applied to current conditions: an organisation beginning a PQC migration programme now, in 2026, with a realistic migration timeline of three years (x = 3), protecting data with a 15-year confidentiality requirement (y = 15), needs Q-Day to arrive no earlier than 2044 for that data to be safe. The Global Risk Institute's 2024 Quantum Threat Timeline Report (Mosca & Piani) places the central probability distribution for Q-Day in the range 2033-2037. That data is not safe.
The Mosca inequality has a more immediate implication. For organisations that hold data generated from 2020 onwards with a 10-year or longer confidentiality requirement, the risk window has already opened. The data was generated before the migration started. It was encrypted under classical TLS or RSA key exchange. If it was intercepted, the ciphertext exists in an adversary's storage. Migration protects future communications. It does not retroactively protect data already captured.
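The inequality can be run over a whole data inventory rather than a single case. The following is an added example, not part of the original article and not QSECDEF's estimator: it ranks data categories by how long captured ciphertext would remain sensitive after Q-Day. The inventory entries, the 2035 midpoint scenario and all function names are assumptions; only the first entry uses the article's own figures.

```python
from dataclasses import dataclass

# Q-Day scenarios: the 2033-2037 range quoted above; the 2035 midpoint is an assumption.
Q_DAY_SCENARIOS = (2033, 2035, 2037)

@dataclass(frozen=True)
class DataCategory:
    name: str
    last_classical_year: int     # last year the data travelled under classical key exchange
    confidentiality_years: int   # y: how long the data must stay secret

def in_migration(name, migration_start, x, y):
    """Data keeps flowing under classical key exchange until start + x."""
    return DataCategory(name, migration_start + x, y)

def secrecy_deadline(cat):
    return cat.last_classical_year + cat.confidentiality_years

def exposure_years(cat, q_day):
    """Years in which captured ciphertext is decryptable and still sensitive."""
    return max(0, secrecy_deadline(cat) - q_day)

def assess(inventory, scenarios=Q_DAY_SCENARIOS):
    """Rank categories by worst-case exposure, with one verdict per category."""
    rows = []
    for cat in inventory:
        hits = [q for q in scenarios if exposure_years(cat, q) > 0]
        if len(hits) == len(scenarios):
            verdict = "at risk in every scenario"
        elif hits:
            verdict = "at risk only in scenarios up to %d" % max(hits)
        else:
            verdict = "outside the window"
        rows.append((cat.name, secrecy_deadline(cat),
                     exposure_years(cat, min(scenarios)), verdict))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inventory; only the first entry uses the article's own numbers.
INVENTORY = [
    in_migration("article example (x=3, y=15)", 2026, 3, 15),
    DataCategory("genomic dataset, sent 2025", 2025, 50),
    DataCategory("contract archive, sent 2024", 2024, 10),
    DataCategory("swap records, sent 2024", 2024, 7),
]

if __name__ == "__main__":
    for name, deadline, worst, verdict in assess(INVENTORY):
        print(f"{name:30} secret until {deadline}  worst case {worst:2}y  {verdict}")
```

Entries built with DataCategory directly model traffic that has already been sent, so their exposure does not change with the migration date.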
QSECDEF's HNDL Estimator applies the Mosca inequality to your specific data inventory. Enter data classification, retention period, and Q-Day scenario assumptions to identify which data categories are within the active HNDL risk window, and which migration sequencing decisions should be prioritised as a result.
What HNDL Cannot Currently Decrypt
There is a narrow form of reassurance in the technical detail, and it matters for understanding what the correct countermeasures are.
HNDL targets the key exchange record, not the symmetric cipher. In TLS 1.3, the session content is protected by AES-256 symmetric encryption. A CRQC running Shor's algorithm targets the asymmetric key exchange (the RSA or ECDHE component) to recover the symmetric session key. Once the session key is recovered, the AES-encrypted session content can be decrypted. AES-256 symmetric ciphertext alone, without the captured key exchange material, is not the target. Grover's algorithm reduces AES-256 to the effective security of AES-128, which remains computationally infeasible for a CRQC to attack directly.
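The implication is specific: classical forward secrecy does not protect against HNDL in the way often assumed. The ephemeral ECDHE public values travel in the handshake that an adversary records, so a CRQC can recover the session key from the capture alone. For new communications, hybrid key exchange is the correct countermeasure, and it is deployable today.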
What Can Be Done Now
The practical response to HNDL has three components. They are not sequential: they address different aspects of the risk, and the most urgent can run in parallel.
Data minimisation. Data that does not exist cannot be decrypted. Reducing stored data to regulatory minimums removes material from the HNDL risk surface. This is not a cryptographic intervention. It is a data governance one. Most organisations retain far more than their legal minimum, which means the HNDL-exposed archive is larger than it needs to be.
Cryptographic asset prioritisation. PQC migration is not a single programme applied uniformly across all systems simultaneously. The most effective approach is to identify the highest-risk data flows and migrate key exchange for those first. Long-lived credentials (root CA certificates, code signing keys, archive encryption keys) warrant the highest priority, because their compromised key exchange material enables decryption of everything that trusted them. NIST NCCoE SP 1800-38 provides the methodology.
Hybrid key exchange for active communications. NIST FIPS 203 (August 2024) standardised ML-KEM, the post-quantum key encapsulation mechanism. Hybrid TLS deployment, combining classical ECDHE with ML-KEM, provides forward security against HNDL for all communications from the deployment date forward. Google Chrome deployed X25519Kyber768 (a hybrid of Curve25519 ECDH and ML-KEM-768) in August 2023. Cloudflare deployed post-quantum hybrid TLS across its network the same year. The IETF TLS working group is standardising hybrid ML-KEM key exchange under draft-ietf-tls-ecdhe-mlkem, with browser and CDN implementations already in production. Enterprise deployment requires TLS library support (OpenSSL 3.2+ or BoringSSL) and server-side configuration. It is a configuration project, not a hardware replacement.
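A cryptographic inventory needs a way to tell which clients already offer hybrid key exchange. The following is an added example, not code from the original article or from any TLS library: it parses the supported_groups extension of a ClientHello body and reports whether a hybrid group is offered. The code points are taken from the IANA TLS Supported Groups registry rather than from this page, and the function names and the sample handshake are constructed for illustration.

```python
import struct

# supported_groups code points (IANA registry) for hybrid ECDHE + ML-KEM/Kyber.
HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x6399: "X25519Kyber768Draft00",
}
SUPPORTED_GROUPS_EXT = 10

def offered_groups(hello: bytes) -> list:
    """Parse a ClientHello body (the bytes after the 4-byte handshake header)."""
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + hello[pos]                                 # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]    # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack_from("!H", hello, pos)[0] // 2
            return list(struct.unpack_from("!%dH" % n, hello, pos + 2))
        pos += ext_len
    return []

def classify(hello: bytes) -> str:
    try:
        groups = offered_groups(hello)
    except (IndexError, struct.error, ValueError):
        return "unparseable"
    hybrid = [HYBRID_GROUPS[g] for g in groups if g in HYBRID_GROUPS]
    return "hybrid offered: " + ", ".join(hybrid) if hybrid else "classical only"

def sample_hello(groups) -> bytes:
    """Constructed ClientHello body for testing; not a captured handshake."""
    sg = struct.pack("!H%dH" % len(groups), 2 * len(groups), *groups)
    exts = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"           # supported_versions
    exts += struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(sg)) + sg
    return (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, session_id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"   # one suite, null compression
            + struct.pack("!H", len(exts)) + exts)

if __name__ == "__main__":
    print(classify(sample_hello([0x11EC, 0x001D, 0x0017])))
```

An offered group only shows client capability; the group actually used for a session is the one the server selects in its ServerHello key_share.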
The Key Inversion
Standard migration planning frames the deadline as: Q-Day minus migration lead time. Begin migration at least three years before Q-Day, and the organisation's systems are protected before the threat arrives.
HNDL inverts that frame for data that has already been generated. The deadline for historically sensitive data is not Q-Day minus migration time. It is now. Data generated under classical TLS last year, last month, this week, if intercepted and stored, will be decryptable when a CRQC arrives, regardless of when the organisation migrates. Migration closes the exposure for future communications. It does not retroactively secure data that is already in an adversary's collection.
This is the operational reality the NSA was describing in 2021, and what the NCSC confirmed in 2023. The collection phase does not wait for the decryption phase to become possible. The race is not between migration and Q-Day. For already-generated data, that race is over. The programme that matters now is cryptographic asset prioritisation, data minimisation, and hybrid deployment for every new communication from this point forward.