In 2013, leaked NSA documents revealed that intelligence agencies had been systematically collecting encrypted internet traffic — not because they could decrypt it at the time, but because they believed they eventually would.[1] The strategy was simple: if you can't read the message today, save it until you can.

This is the essence of the Harvest Now, Decrypt Later (HNDL) attack. It doesn't require breaking encryption today. It requires only the patience to store encrypted data until the cryptographic foundation it rests on can be broken — and a credible path to that capability.

Quantum computers provide that path. Not today. But possibly within the decade. And for cloud infrastructure teams managing long-lived credentials — AWS access keys, SSH private keys, database passwords, OAuth tokens — "within the decade" is already a planning horizon that matters.

Why Cloud Credentials Are Prime HNDL Targets

Not all encrypted data is equally valuable to an HNDL attacker. Short-lived session tokens, one-time codes, and ephemeral secrets offer little value — by the time they can be decrypted, they'll have long expired. But attackers are specifically interested in data that will remain valuable after decryption, years from now.

Cloud infrastructure credentials meet those criteria almost perfectly:

  • Long operational lifetimes. AWS IAM access keys are often created once and rotated infrequently, sometimes lasting years. SSH private keys for server access can persist across multiple server generations. A credential captured today in encrypted form may still be valid and valuable when decrypted in 2034.
  • High post-decryption value. An AWS key that grants access to production infrastructure is not just historically interesting — it could grant real access to production systems if rotation hasn't occurred since the credential was captured.
  • Concentrated in management layers. Cloud management platforms — which aggregate credentials from multiple cloud accounts into a single store — are particularly attractive collection targets. A single successful exfiltration of a management platform's encrypted credential store could yield access to hundreds of cloud environments.

The Long-Horizon Threat

The HNDL threat is unusual because the damage horizon is measured in years, not hours. A credential store exfiltrated in encrypted form today may look like a low-value "noise" event to a security team — no decryption, no immediate breach. But it represents a time-delayed attack that becomes exploitable the moment quantum decryption capability arrives.

The Quantum Timeline: What We Actually Know

Quantum computing timelines are notoriously difficult to predict, and the field is full of both hype and skepticism. For security planning purposes, the relevant question is not "when will a quantum computer exist?" — various forms of quantum computers exist today — but "when will a cryptographically relevant quantum computer (CRQC) exist?" A CRQC is one capable of running Shor's algorithm on the key sizes used in production cryptography (2048-bit RSA, 256-bit ECC) in a practical timeframe.

  • 2024: NIST PQC Standards Finalized. NIST published FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) on August 13, 2024 — the first finalized post-quantum cryptographic standards in history.
  • 2027: NSA CNSA 2.0 Deadline (Data at Rest). NSA requires PQC migration for all new national security systems. Data-at-rest encryption must use a PQ KEM by this date for new systems.
  • ~2030: NIST Migration Target. NIST IR 8547 targets 2030 for deprecated algorithm migration and 2035 for complete removal of classical key-exchange algorithms from use with long-lived data.
  • 2030–40: Expert CRQC Estimate Range. Most security researchers and government agencies estimate a cryptographically relevant quantum computer could emerge within this window. Planning should use the lower bound.

The key insight from this timeline is that the most important decisions are being made now, before quantum computing becomes relevant. Standards are finalized. Government agencies have set deadlines. Organizations that have already encrypted long-lived credentials with classical algorithms — and haven't migrated — are accumulating technical debt with a hard expiration date.

Why Classical Encryption Breaks Under Quantum Attack

To understand why post-quantum cryptography is necessary, it helps to understand why current encryption algorithms are vulnerable to quantum computers specifically.

Most public-key cryptography in use today — RSA, Diffie-Hellman, and Elliptic Curve Cryptography (ECC) — derives its security from mathematical problems that are computationally hard for classical computers: integer factorization (RSA) and the discrete logarithm problem (ECC, DH).

In 1994, mathematician Peter Shor published an algorithm showing that a sufficiently capable quantum computer could solve both of these problems in polynomial time — meaning the difficulty of these problems essentially disappears for a quantum attacker.[2]

This doesn't affect symmetric encryption like AES in the same way. Grover's algorithm gives quantum computers a quadratic speedup against symmetric ciphers — meaning AES-256 offers roughly 128 bits of quantum security rather than 256. This is why AES-256 remains recommended under post-quantum standards: a 128-bit quantum security level is still practically unbreakable.

  • 0 bits of security: what RSA-2048 retains against a CRQC running Shor's algorithm.
  • 128 bits of effective quantum security: what AES-256 retains after Grover's quadratic speedup.
  • 178 bits of combined classical and quantum security: what ML-KEM-768 provides.

Post-Quantum Cryptography: The Defense

Post-quantum cryptography (PQC) refers to classical cryptographic algorithms — run on conventional computers — that are designed to remain secure against attacks from both classical and quantum adversaries. Unlike RSA and ECC, PQC algorithms are based on mathematical problems for which no efficient quantum algorithm is known.

NIST finalized three PQC standards in August 2024:

  • FIPS 203 — ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism): The primary standard for key encapsulation — used to protect symmetric keys and by extension any data encrypted with them. ML-KEM-768 is the recommended parameter set for most applications.
  • FIPS 204 — ML-DSA (Module-Lattice-Based Digital Signature Algorithm): The primary standard for digital signatures.
  • FIPS 205 — SLH-DSA (Stateless Hash-Based Digital Signature Algorithm): An alternative signature standard based on hash functions, providing diversity in the algorithm portfolio.

These algorithms are based on problems in lattice mathematics — specifically the Learning With Errors (LWE) problem and its variants — for which the best known algorithms (classical or quantum) require time that grows exponentially with problem size.[3]

The Hybrid Construction: Defending Against Two Adversary Classes Simultaneously

A critical implementation decision for any organization migrating to post-quantum cryptography is whether to replace classical algorithms outright or use a hybrid construction — combining a post-quantum algorithm with a classical one in a way that requires both to be broken for the protection to fail.

NSA CNSA 2.0 and NIST SP 800-227 both recommend hybrid constructions during the transition period. The rationale is sound: ML-KEM is new, and while it has been analyzed extensively, post-quantum algorithms haven't accumulated the decades of real-world cryptanalytic scrutiny that RSA and AES have. A hybrid construction hedges against the possibility that PQC algorithms have unforeseen weaknesses:

// Hybrid key derivation: both keys must be compromised to decrypt
shared_secret_pq  = ML-KEM-768.decapsulate(sk_pq, kem_ciphertext)
classical_master  = AES-256 key (classical)
key_enc_key       = HKDF-SHA-256(
    ikm  = shared_secret_pq XOR classical_master,
    info = "hybrid-kek-v2"
)
encrypted_payload = AES-256-GCM(key_enc_key, data)

In this construction, a classical adversary (today) cannot decrypt without shared_secret_pq, and a quantum adversary (tomorrow) cannot decrypt without classical_master, a symmetric key that Shor's algorithm does not help recover. Because key_enc_key is derived from both inputs, the protection fails only if ML-KEM-768 and the classical master key are both broken.
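The construction above assembled as working Go, as an added example rather than the page's or any vendor's code: it uses Go 1.24's standard-library crypto/mlkem and crypto/hkdf, keeps the page's XOR combiner and "hybrid-kek-v2" label, and assumes an empty HKDF salt, a 32-byte classical master key supplied by the caller (for example from a KMS), and the function names hybridAEAD, sealCredential and openCredential.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hybridAEAD mirrors the pseudocode above: XOR the ML-KEM-768 shared secret with
// the classical 32-byte master key, derive the KEK via HKDF-SHA-256 under
// "hybrid-kek-v2" (empty salt is this example's assumption), wrap it in AES-256-GCM.
func hybridAEAD(sharedSecretPQ, classicalMaster [32]byte) cipher.AEAD {
	var ikm [32]byte
	for i := range ikm {
		ikm[i] = sharedSecretPQ[i] ^ classicalMaster[i] // XOR combiner, as on the page
	}
	kek, _ := hkdf.Key(sha256.New, ikm[:], nil, "hybrid-kek-v2", 32) // fixed sizes: no error
	block, _ := aes.NewCipher(kek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealCredential encapsulates to the store's ML-KEM-768 public key and encrypts one
// credential; returns the 1088-byte KEM ciphertext (also bound as AAD) and nonce||ct||tag.
func sealCredential(ek *mlkem.EncapsulationKey768, master [32]byte, cred []byte) (kemCT, sealed []byte) {
	ss, kemCT := ek.Encapsulate()
	gcm := hybridAEAD([32]byte(ss), master)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in Go 1.24
	return kemCT, gcm.Seal(nonce, nonce, cred, kemCT)
}

// openCredential reverses sealCredential: a wrong master key or a foreign
// decapsulation key yields a different KEK, so GCM authentication fails.
func openCredential(dk *mlkem.DecapsulationKey768, master [32]byte, kemCT, sealed []byte) ([]byte, error) {
	ss, err := dk.Decapsulate(kemCT)
	if err != nil {
		return nil, err
	}
	gcm := hybridAEAD([32]byte(ss), master)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("openCredential: sealed blob is truncated")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], kemCT)
}
```

The 1,088-byte KEM ciphertext stored beside each credential accounts for most of the ~1.2 KB per-credential overhead cited in the performance section. XOR is kept to match the pseudocode; concatenating the two secrets into the HKDF input is the more common combiner in deployed hybrid schemes.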

Standards Compliance

This hybrid construction satisfies NSA CNSA 2.0 §4.2, NIST IR 8547 Recommendation R-4 (hybrid during transition; pure PQ after 2035), BSI TR-02102-1 §3.3.1, and CISA Post-Quantum Roadmap Phase 2.[4]

What to Protect First: A Prioritization Framework

Not every organization can migrate all encryption to PQC immediately. The most practical approach is to prioritize by the combination of sensitivity and longevity of the data being protected.

For cloud infrastructure operators, the priority order is clear:

  1. Cloud provider API keys and OAuth tokens — Grant direct control of cloud accounts. Often long-lived. Highest value post-decryption. Protect first.
  2. SSH private keys for server access — Direct shell access to infrastructure. Can persist for years. Protect alongside API keys.
  3. Database connection strings and credentials — Access to production data. High longevity risk.
  4. Environment variables and application secrets — Variable longevity, but often contain long-lived third-party API keys.
  5. Session tokens and short-lived credentials — Lowest priority. By design, these expire before any CRQC timeline. Classical protection is acceptable.

The prioritization principle: if the secret will still be valid and useful in 10 years, it needs post-quantum protection today.

Performance and Practical Considerations

A common concern when evaluating PQC migration is performance overhead. ML-KEM-768 key sizes are larger than classical equivalents — a public key is 1,184 bytes versus 32 bytes for X25519 — and key generation and encapsulation operations add latency.

In practice, for data-at-rest credential protection, this overhead is immaterial. ML-KEM-768 encapsulation and decapsulation operations complete in under 300 microseconds on modern server hardware. At typical cloud management platform scales — encrypting and decrypting credential fields on API requests — PQC adds under 5 milliseconds of total latency at the 99th percentile.

The storage overhead is approximately 1.2 KB per encrypted credential (compared to ~100–200 bytes for AES-only). For organizations storing thousands of credentials, this is a matter of kilobytes — not a practical concern.

Mosca's Theorem: When Is "Now" Actually Late?

Security researcher Michele Mosca formalized the urgency calculation for PQC migration with what's known as Mosca's Theorem:[5]

If the time to migrate your cryptographic systems (t) plus the time until a CRQC arrives (y) is less than the sensitivity lifetime of your data (x), then you have a security problem today — not in the future.

For cloud infrastructure credentials: if a credential's sensitivity lifetime is 10 years, and a CRQC might arrive in 8 years, then any organization that hasn't begun migration already is behind.

The theorem doesn't require precise timelines — it reframes the question. Instead of asking "when will quantum computers arrive?", ask: "how long does my most sensitive data need to remain confidential?" If the answer is longer than the expert consensus on CRQC arrival, the migration needs to start now.

Frequently Asked Questions

What is Harvest Now, Decrypt Later?

Harvest Now, Decrypt Later (HNDL) is an attack strategy where adversaries capture and store encrypted data today — knowing they cannot yet decrypt it — with the intention of decrypting it once cryptographically relevant quantum computers (CRQCs) become available. The encrypted data is worthless to the attacker today, but becomes exploitable if the underlying encryption relies on algorithms (like RSA or ECC) that quantum computers can break using Shor's algorithm.

Which credentials are at highest risk?

The highest-risk credentials are those with long operational lifetimes: cloud provider API keys (AWS, GCP, Azure, DigitalOcean), SSH private keys for server access, OAuth tokens for CI/CD integrations, database connection strings, and environment variables containing third-party API keys. If an adversary captures an encrypted credential store today, those credentials may still be valid and useful when quantum decryption becomes possible years from now.

What is ML-KEM?

ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, standardized as NIST FIPS 203) is a post-quantum key encapsulation algorithm based on the hardness of mathematical problems in lattice structures — specifically the Module Learning With Errors (MLWE) problem. Unlike integer factorization, on which RSA relies, MLWE has no known efficient quantum algorithm. ML-KEM-768 provides approximately 178 bits of combined classical and quantum security, compared to RSA-2048's 112 bits of classical security and 0 bits of quantum security.

What is the performance overhead?

For data-at-rest credential protection, the overhead is minimal. ML-KEM-768 operations complete in under 300 microseconds on modern server hardware. At typical API request volumes — encrypting and decrypting 5–10 credential fields per request — PQC adds under 5 milliseconds of total latency at the 99th percentile. Storage overhead is approximately 1.2 KB per encrypted field. For the protection of long-lived infrastructure credentials, this is immaterial.

Why use a hybrid construction?

A hybrid construction — combining ML-KEM with classical AES-256 — provides protection against two adversary classes simultaneously. It defends against a classical attacker today (who cannot break ML-KEM) and a future quantum attacker (who would still need the classical AES-256 master key even if ML-KEM were broken). Both mechanisms must be broken simultaneously to access the protected data. Both NIST SP 800-227 and NSA CNSA 2.0 recommend hybrid constructions during the transition period specifically because PQC algorithms haven't accumulated the decades of real-world cryptanalytic scrutiny that AES has.

References

  1. Greenwald, G. & MacAskill, E. (2013). NSA Prism program taps in to user data of Apple, Google and others. The Guardian, June 7, 2013. theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data. Subsequent reporting and leaked documents described systematic collection of encrypted traffic for future analysis.
  2. Shor, P.W. (1994). Algorithms for Quantum Computation: Discrete Logarithms and Factoring. Proceedings of the 35th Annual Symposium on Foundations of Computer Science. IEEE. doi:10.1109/SFCS.1994.365700. This paper established the theoretical basis for quantum attacks on RSA and ECC.
  3. National Institute of Standards and Technology (2024). Module-Lattice-Based Key-Encapsulation Mechanism Standard (FIPS 203). U.S. Department of Commerce. Published August 13, 2024. doi.org/10.6028/NIST.FIPS.203
  4. National Security Agency / Central Security Service (2022, updated 2024). Commercial National Security Algorithm Suite 2.0 (CNSA 2.0). NSA Cybersecurity Advisory. media.defense.gov CNSA 2.0
  5. Mosca, M. (2018). Cybersecurity in an era with quantum computers: will we be ready? IEEE Security & Privacy, 16(5), 38–41. Mosca's theorem formalizes the urgency calculation for cryptographic migration based on data sensitivity lifetime vs. CRQC arrival time.