Author: Denis Avetisyan
A new analysis reveals the surprisingly low cost of intercepting encrypted data today, in anticipation of future quantum decryption capabilities.

Economic modeling demonstrates that maximizing rekeying frequency is the most effective strategy for mitigating the risk of ‘harvest-now, decrypt-later’ attacks targeting TLS, QUIC, and SSH.
While current encryption standards protect data in transit, the looming threat of quantum computing necessitates a reevaluation of long-term security risks. This paper, ‘On the Practical Feasibility of Harvest-Now, Decrypt-Later Attacks’, reframes the challenge as an economic problem, quantifying the costs for adversaries attempting to archive encrypted communications for future decryption. Our analysis reveals that while ciphertext storage is economically trivial, maximizing the quantum computational workload, through strategies like frequent rekeying and increased key sizes, offers the most effective defense. Can proactive protocol configuration leveraging these cost asymmetries provide a viable, layered approach to security even before widespread adoption of post-quantum cryptography?
The Inevitable Breach: Quantum Threats and Data’s Long Shadow
The bedrock of modern digital security, algorithms like RSA and Elliptic Curve Cryptography (ECC), are increasingly imperiled by advancements in quantum computing. These protocols rely on the mathematical difficulty of factoring large numbers or solving the discrete logarithm problem – tasks easily accomplished by a sufficiently powerful quantum computer utilizing Shor’s algorithm. While currently secure against classical attacks, the theoretical possibility of a quantum breakthrough casts a long shadow over the confidentiality of data protected by these methods. This vulnerability isn’t limited to immediate decryption; the threat extends to encrypted information stored today, which could be retroactively compromised once quantum computers reach the necessary scale. The widespread adoption of these algorithms means a vast amount of sensitive data – from financial transactions to government communications – is at risk, necessitating a proactive transition towards quantum-resistant cryptography.
The escalating development of quantum computing introduces a unique and protracted security risk encapsulated in the ‘Harvest Now, Decrypt Later’ threat model. This scenario posits that motivated adversaries are actively collecting and archiving currently encrypted communications with the intention of decrypting them at a future date, once sufficiently powerful quantum computers become available. Unlike traditional cyberattacks that demand immediate exploitation, this strategy allows for a delayed breach, meaning data secured today could be compromised years or even decades from now. The feasibility of this approach stems from the relatively low cost of data storage compared to quantum computation, incentivizing the accumulation of encrypted data as a long-term investment in potential future intelligence or disruption. Consequently, even data considered secure under current cryptographic standards is vulnerable, demanding proactive consideration of post-quantum cryptographic solutions to mitigate this long-term, delayed threat.
The longevity of encrypted data presents a significant, and often underestimated, security risk. Even communications currently protected by robust cryptographic standards are vulnerable to future decryption should long-term keys be compromised and sufficiently powerful quantum computers become available. This ‘Harvest Now, Decrypt Later’ scenario isn’t merely theoretical; adversaries can feasibly intercept and store encrypted traffic at a surprisingly low cost. Estimates suggest a one percent global harvest of internet communications would require annual expenditures in the range of $10^9 to $10^11 USD – a sum well within the reach of nation-states and large organizations. Consequently, data considered secure today could be retroactively exposed for years to come, underscoring the urgent need for proactive migration to post-quantum cryptographic solutions and a reassessment of long-term data security strategies.
Despite explorations into data compression techniques like per-record stripping – intended to minimize the sheer volume of intercepted encrypted data – potential savings remain negligible, amounting to less than 0.012%. This suggests that the true impediment to a large-scale ‘Harvest Now, Decrypt Later’ attack isn’t storage capacity, but rather the computational expense of running the quantum algorithms required to break modern encryption. While data storage costs continue to fall, the development and deployment of sufficiently powerful quantum computers represent a far more significant and enduring challenge for any adversary seeking to exploit currently encrypted communications at a future date. This highlights that advancements in quantum computing hardware, rather than storage solutions, will ultimately determine the feasibility of this long-term decryption threat.

Forward Secrecy: A Fragile Shield Against the Quantum Tide
Forward secrecy, a critical security property, protects the confidentiality of past communication sessions by ensuring that compromise of current cryptographic keys does not reveal prior exchanged data. This is achieved through the use of ephemeral keys – unique, randomly generated keys used for each session – rather than long-term static keys. Protocols such as Transport Layer Security (TLS) versions 1.2 and 1.3 incorporate forward secrecy through key exchange algorithms like Diffie-Hellman (DHE) and Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE). These algorithms allow two parties to establish a shared secret key without transmitting it across the network, and this key is then used to encrypt the session. Crucially, because each session uses a different ephemeral key, a compromise of a server’s long-term private key does not expose previous communication sessions encrypted with different ephemeral keys.
The security of forward secrecy in protocols like TLS 1.2 and 1.3, and by extension QUIC and SSH, is predicated on the computational hardness of problems underlying RSA and Elliptic Curve Cryptography (ECC). However, Shor’s algorithm, a quantum algorithm, can efficiently solve the integer factorization problem (RSA) and the discrete logarithm problem (ECC), effectively breaking the cryptographic foundations of these algorithms. Consequently, a sufficiently powerful quantum computer could compromise past communication sessions even with forward secrecy enabled, as session keys are derived from these vulnerable algorithms. This means that while current implementations offer protection against classical attacks, they lack resilience against future quantum threats, limiting the long-term viability of forward secrecy as currently implemented.
Both QUIC and SSH implement forward secrecy through the use of ephemeral key exchange mechanisms, such as Diffie-Hellman variants. This ensures that even if a long-term private key is compromised, past session keys – and therefore the confidentiality of prior communications – remain protected. However, the security of these key exchanges relies on the computational hardness of problems like discrete logarithm and elliptic curve discrete logarithm. Consequently, both protocols are vulnerable to attacks from sufficiently powerful quantum computers running algorithms like Shor’s algorithm, which can efficiently solve these problems and compromise the forward secrecy they provide. The underlying cryptographic algorithms represent a shared vulnerability, regardless of the protocol-level implementation of forward secrecy.
Current implementations of forward secrecy in protocols such as TLS 1.2, TLS 1.3, QUIC, and SSH are predicated on the computational hardness of problems like integer factorization and the discrete logarithm problem. These algorithms, while currently secure against classical attacks, are vulnerable to algorithms running on sufficiently powerful quantum computers, specifically Shor’s algorithm. This means a compromise of the private key, even after a period of secure communication, would allow decryption of all past sessions protected by these algorithms. Consequently, the long-term security of forward secrecy relies on transitioning to post-quantum cryptographic algorithms that are resistant to both classical and quantum attacks, a process that requires significant standardization, implementation, and deployment efforts.
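The two claims in this section, that ephemeral Diffie-Hellman hides past sessions from a classical adversary who later steals the long-term key, and that a discrete-logarithm solver such as Shor's algorithm recovers those same sessions from recorded traffic, can be seen side by side in a small simulation. The following Python is an added illustration, not code from the paper. It assumes a constructed toy group (a 13-bit prime, far too small for real use), a keyed hash standing in for the server's signature, and a brute-force discrete-log routine standing in for the quantum solver; the point is the structure of the two attacks, not the arithmetic.

```python
"""Toy simulation of forward secrecy with ephemeral Diffie-Hellman and of
why a discrete-log solver defeats it. Added illustration; the group, the
'signature' and the oracle are constructed stand-ins, not real crypto."""
import hashlib
import secrets

# Constructed toy group (assumption): Mersenne prime p = 2^13 - 1, base 3.
# Far too small for real use; small enough that brute-force DLP is instant.
P = 8191
G = 3


def keygen():
    """Fresh DH key pair: a random exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= p-2
    return priv, pow(G, priv, P)


def derive_session_key(shared: int) -> bytes:
    """Stand-in KDF: hash the shared DH value down to a 16-byte session key."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()[:16]


def authenticate(longterm_priv: int, transcript: bytes) -> bytes:
    """Stand-in for the server signing its ephemeral share with its long-term
    key (a keyed hash here, not a real signature scheme)."""
    return hashlib.sha256(longterm_priv.to_bytes(2, "big") + transcript).digest()


def run_session(server_longterm_priv: int):
    """One (EC)DHE-style handshake. Both sides pick ephemeral exponents, the
    server authenticates the exchange, both derive the same session key and
    then discard their exponents. Returns what a passive eavesdropper can
    record, plus the session key for comparison."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    transcript = c_pub.to_bytes(2, "big") + s_pub.to_bytes(2, "big")
    tag = authenticate(server_longterm_priv, transcript)
    client_key = derive_session_key(pow(s_pub, c_priv, P))
    server_key = derive_session_key(pow(c_pub, s_priv, P))
    assert client_key == server_key
    recorded = {"client_pub": c_pub, "server_pub": s_pub, "tag": tag}
    return recorded, client_key


def longterm_key_compromise(recorded: dict, stolen_longterm_priv: int):
    """Classical adversary who later steals the server's long-term key. They can
    reproduce (forge) the authentication tag for future handshakes, but the
    recording holds no ephemeral exponent, so no session key falls out: that
    is the guarantee forward secrecy provides. Returns (can_forge, key=None)."""
    transcript = (recorded["client_pub"].to_bytes(2, "big")
                  + recorded["server_pub"].to_bytes(2, "big"))
    can_forge = authenticate(stolen_longterm_priv, transcript) == recorded["tag"]
    return can_forge, None


def discrete_log(target: int) -> int:
    """Brute-force x with g^x = target (mod p): the stand-in for Shor's
    algorithm, which does this efficiently at real-world key sizes."""
    acc, x = 1, 0
    while acc != target:
        acc = acc * G % P
        x += 1
        if x > P:
            raise ValueError("target not in the subgroup generated by G")
    return x


def quantum_adversary(recorded: dict) -> bytes:
    """Adversary with a DLP solver takes the recorded client share, recovers an
    exponent for it and recomputes the session key: forward secrecy offers no
    protection here, which is exactly the harvest-now, decrypt-later case."""
    c_exp = discrete_log(recorded["client_pub"])
    return derive_session_key(pow(recorded["server_pub"], c_exp, P))


if __name__ == "__main__":
    longterm, _ = keygen()
    recorded, real_key = run_session(longterm)
    print("long-term key stolen -> (can forge, session key):",
          longterm_key_compromise(recorded, longterm))
    print("DLP solver recovers session key:", quantum_adversary(recorded) == real_key)
```

Note that the long-term key attack never touches the session key: the recorded handshake contains only public shares, and with a classical adversary the only way from those to the key is the discrete logarithm. Substituting an efficient solver for the brute-force loop is all the quantum case changes, and the recording can be made years before that substitution happens.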

Post-Quantum Cryptography: Building a Defense, One Algorithm at a Time
Post-quantum cryptography (PQC) is a field dedicated to creating cryptographic systems that are secure against both classical computers and future quantum computers. Current widely used public-key algorithms, such as RSA and Elliptic Curve Cryptography (ECC), are vulnerable to Shor’s algorithm, a quantum algorithm capable of efficiently factoring large numbers and solving the discrete logarithm problem – the mathematical foundations of these systems. PQC algorithms, based on different mathematical problems believed to be hard even for quantum computers, such as lattice-based cryptography, code-based cryptography, multivariate cryptography, and hash-based signatures, aim to provide long-term security by mitigating this threat. The development of these algorithms is a proactive measure, addressing the potential for ‘store now, decrypt later’ attacks where sensitive data is intercepted and saved for future decryption with a quantum computer.
The practical implementation of post-quantum cryptographic algorithms is heavily influenced by their quantum computational cost, which dictates the resources required for both legitimate encryption/decryption and potential attacks. This cost isn’t solely about the theoretical complexity, but the actual computational effort – measured in gate counts and circuit depth – required on a quantum computer. Balancing this cost with the computational overhead imposed on classical systems is a significant challenge; while storage costs continue to decrease, the processing demands of many post-quantum candidates currently exceed those of widely used algorithms like RSA and ECC. Consequently, algorithm selection prioritizes minimizing classical computational burden, even if it means accepting a potentially higher quantum computational cost, as the immediate constraint is efficient implementation on existing infrastructure.
The implementation of post-quantum cryptography necessitates a shift towards cryptographic agility – the ability to rapidly swap cryptographic algorithms – to mitigate the risk posed by future quantum-based attacks. Currently deployed public-key infrastructure heavily relies on algorithms like RSA and Elliptic Curve Cryptography (ECC), which are known to be vulnerable to Shor’s algorithm. Transitioning away from these algorithms requires careful planning and execution, including the development and deployment of hybrid systems that combine classical and post-quantum algorithms for a period of coexistence. This transition isn’t simply a matter of swapping code; it demands updates to cryptographic libraries, security protocols (such as TLS and SSH), and key management systems to ensure continued secure communication and data protection.
Current communication protocols, such as TLS 1.3 and IPsec, rely heavily on algorithms like RSA and Elliptic Curve Cryptography (ECC) for key exchange and digital signatures. Transitioning to post-quantum cryptography necessitates updates to these protocols to support new algorithms like Kyber, Dilithium, and Falcon. This involves defining new cipher suites and key exchange mechanisms that incorporate these algorithms, alongside ensuring backward compatibility where feasible to maintain interoperability with legacy systems. Updates also require careful consideration of key sizes and computational costs associated with post-quantum algorithms to avoid performance bottlenecks, and thorough testing to validate the security and functionality of the updated protocols against both classical and quantum attacks. Failure to update protocols will leave existing communications vulnerable as quantum computing capabilities mature.
The Inevitable Update: Secure Communication in a Post-Quantum World
The Transport Layer Security (TLS) 1.3 protocol represents a significant leap in securing internet communications, largely through innovations in the initial handshake process. Prior to TLS 1.3, the client hello – the first message a client sends to a server – was transmitted in plain text, exposing crucial information about the client’s supported cipher suites and potentially revealing its identity. TLS 1.3 addresses this vulnerability with the Encrypted Client Hello, where the client encrypts its initial handshake message using a form of forward secrecy. This prevents eavesdroppers from deciphering the client’s capabilities and mitigates risks associated with protocol downgrade attacks. By concealing these details, the Encrypted Client Hello not only enhances privacy but also bolsters security by making it considerably more difficult for attackers to intercept and manipulate the connection setup.
Authenticated Encryption with Associated Data (AEAD) represents a significant leap forward in cryptographic protocol design, moving beyond separate encryption and message authentication code (MAC) operations. Instead of handling confidentiality and integrity as distinct processes, AEAD algorithms – such as ChaCha20-Poly1305 and AES-GCM – combine them into a single, streamlined operation. This approach not only improves performance but also provides mathematically provable security guarantees; a successful decryption implicitly verifies the message’s authenticity, and any tampering is immediately detected as a decryption failure. This unified approach eliminates the vulnerabilities, such as replay or chosen-ciphertext attacks, that arise when separate cryptographic primitives are composed incorrectly, making AEAD a cornerstone of modern secure communication protocols like TLS and SSH and ensuring data remains both private and trustworthy.
Session ticket mechanisms and pre-shared keys (PSK) offer significant performance gains by allowing clients to resume encrypted connections without a full handshake, reducing latency and server load. However, the long-term security of these approaches is increasingly challenged by the advent of quantum computing. Current implementations often rely on asymmetric cryptography vulnerable to quantum attacks, meaning compromised tickets or keys could allow decryption of past and future sessions. Careful consideration must be given to migrating these systems to post-quantum cryptographic algorithms, or adopting hybrid approaches that combine classical and quantum-resistant methods, to ensure continued confidentiality and integrity in a future where quantum computers pose a real threat to existing cryptographic infrastructure. This transition requires meticulous key management and algorithm agility to avoid vulnerabilities and maintain seamless connectivity.
The practice of rekeying, prominently featured in protocols like SSH, significantly bolsters cryptographic security by proactively mitigating the impact of potential key compromise. Rather than relying on a single, long-lived key for an entire session, rekeying involves the periodic generation of new, unique cryptographic keys. This limits the window of opportunity for an attacker who may have obtained a key – even if compromised, that key only decrypts a limited amount of data before becoming irrelevant. The frequency of rekeying is a crucial balancing act; too infrequent, and the security benefit is diminished, while too frequent can introduce performance overhead. Modern implementations carefully tune this process to provide a robust defense against attacks that exploit long-term key exposure or rely on brute-force decryption, and rekeying is a cornerstone of secure communication practices.
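The economic argument made earlier (ciphertext storage is cheap, the quantum workload is what costs) and the rekeying trade-off described in this paragraph can be put into one small model. The following Python is an added illustration, not the paper's own model or figures: the rekey policy mirrors the two quantities OpenSSH's RekeyLimit takes (a byte volume and a time interval), the traffic is assumed uniform so that the number of distinct keys is the larger of the two per-limit counts, and every price (storage per TB-year, cost of one quantum key recovery) is a constructed placeholder. What the model shows is the shape of the asymmetry: storage cost depends only on the volume harvested, while the decryption cost is multiplied by however many keys the defender's rekey policy forced into that same volume.

```python
"""Cost model for a harvest-now, decrypt-later adversary facing a rekey
policy. Added illustration with constructed parameters; the price points
are placeholders, not figures from the paper."""
import math
from dataclasses import dataclass
from typing import Optional

TB = 10**12  # archival storage is priced per decimal terabyte


@dataclass(frozen=True)
class RekeyPolicy:
    """Rekey limits in the shape OpenSSH's RekeyLimit uses: a byte volume
    and/or a time interval after which a fresh session key is negotiated.
    None disables that limit; RekeyPolicy() never rekeys."""
    max_bytes: Optional[int] = None
    max_seconds: Optional[int] = None


def keys_needed(total_bytes: int, duration_s: int, policy: RekeyPolicy) -> int:
    """Distinct session keys a recorded stream contains under the policy.
    Assumes uniform traffic: each limit alone would force ceil(total/limit)
    keys, rekeying fires at whichever limit is hit first, so the larger
    count applies. At least one key always exists."""
    counts = [1]
    if policy.max_bytes:
        counts.append(math.ceil(total_bytes / policy.max_bytes))
    if policy.max_seconds:
        counts.append(math.ceil(duration_s / policy.max_seconds))
    return max(counts)


def storage_cost(total_bytes: int, usd_per_tb_year: float, hold_years: int) -> float:
    """Harvest side: keep the ciphertext until a capable quantum computer exists.
    Depends only on volume and holding time, not on how the data was keyed."""
    return total_bytes / TB * usd_per_tb_year * hold_years


def decrypt_cost(keys: int, usd_per_key_recovery: float) -> float:
    """Decrypt-later side: one quantum key-recovery run per distinct key.
    This is the term a rekey policy multiplies."""
    return keys * usd_per_key_recovery


def hndl_cost(total_bytes: int, duration_s: int, policy: RekeyPolicy,
              usd_per_tb_year: float, hold_years: int,
              usd_per_key_recovery: float) -> dict:
    """Total adversary cost to store a recorded stream and later read all of it."""
    keys = keys_needed(total_bytes, duration_s, policy)
    store = storage_cost(total_bytes, usd_per_tb_year, hold_years)
    crack = decrypt_cost(keys, usd_per_key_recovery)
    return {"keys": keys, "storage_usd": store,
            "decrypt_usd": crack, "total_usd": store + crack}


if __name__ == "__main__":
    # Constructed scenario: one link carrying 1 TB in a day, held for 10 years.
    # Placeholder prices: $10 per TB-year of storage, $1M per key recovery.
    scenario = dict(total_bytes=10**12, duration_s=86_400,
                    usd_per_tb_year=10.0, hold_years=10,
                    usd_per_key_recovery=1e6)
    policies = [("never rekey", RekeyPolicy()),
                ("1 GiB or 1 h", RekeyPolicy(2**30, 3600)),
                ("64 MiB or 10 min", RekeyPolicy(64 * 2**20, 600))]
    for name, pol in policies:
        r = hndl_cost(policy=pol, **scenario)
        print(f"{name:18s} keys={r['keys']:6d} "
              f"storage=${r['storage_usd']:>10,.0f} "
              f"decrypt=${r['decrypt_usd']:>16,.0f}")
```

Under these placeholder prices the storage line is identical for all three policies, while the decrypt line grows from one key recovery to roughly fifteen thousand as the rekey limits tighten; the defender pays for that with handshake overhead on the link, which is the balancing act the paragraph describes. Swapping in real prices changes the magnitudes but not which term the rekey policy controls.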

Long-Term Data Protection: Preparing for the Inevitable Shift
The longevity of data archives, whether maintained on traditional tape storage or increasingly in cloud-based systems, faces a significant threat from the anticipated arrival of practical quantum computers. Current encryption standards, widely used to protect sensitive information, are vulnerable to Shor’s algorithm, a quantum algorithm capable of efficiently factoring large numbers and solving the discrete logarithm problem – the mathematical foundations of these systems. This means data considered secure today could be readily decrypted in the future. Consequently, organizations must acknowledge this evolving risk and proactively implement strategies to safeguard archived data against future quantum decryption, recognizing that the lifespan of data security now extends far beyond conventional technological obsolescence.
The escalating threat of quantum computing necessitates a proactive approach to data security, particularly for long-term archiving. Current encryption standards, while secure today, are vulnerable to future decryption by sufficiently powerful quantum computers. Therefore, a strategy of periodic re-encryption, employing algorithms specifically designed to resist quantum attacks – known as post-quantum cryptography – is paramount. This isn’t a one-time fix, but an ongoing process; data must be revisited and re-encrypted as post-quantum algorithms mature and potential vulnerabilities are identified. Implementing such a re-encryption cycle ensures that archived data, even if compromised in the future, remains confidential, safeguarding sensitive information for decades against the evolving landscape of computational power and cryptographic threats.
Effectively safeguarding archived data against future quantum decryption necessitates a layered security approach. Robust cryptographic algorithms, specifically those resistant to known quantum attacks – known as post-quantum cryptography – form the foundation of this defense. However, algorithm strength is insufficient without secure storage practices, encompassing both physical security of storage media and stringent access controls to prevent unauthorized data retrieval. Crucially, this security posture isn’t static; continuous monitoring for vulnerabilities, regular audits of security protocols, and proactive updates to cryptographic systems are essential. This ongoing vigilance ensures that potential weaknesses are identified and addressed before they can be exploited, ultimately mitigating the long-term risks posed by the advent of quantum computing and preserving data confidentiality for decades to come.
The longevity of data security demands a forward-thinking approach, particularly as quantum computing capabilities mature. Safeguarding sensitive information for the coming decades isn’t simply about implementing current encryption standards; it necessitates substantial, preemptive investment in post-quantum cryptography. This involves not only adopting new algorithms resistant to quantum attacks, but also establishing robust key management practices and continually updating systems to counter evolving threats. Organizations that prioritize proactive planning will position themselves to avoid costly data breaches and maintain trust in an increasingly vulnerable digital landscape, ensuring that archived data remains confidential and accessible long after the advent of practical quantum computers.
The analysis reveals a predictable truth: defense, even when theoretically sound, is ultimately an economic calculation. This paper meticulously charts the cost of interception versus the expense of frequent rekeying, demonstrating that simply having post-quantum cryptography isn’t enough. It’s the sustained effort, the constant quantum workload, that truly matters. As Ken Thompson once observed, ‘Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.’ Similarly, elegant cryptographic schemes are meaningless if the operational cost of maintaining forward secrecy proves unsustainable when facing a determined adversary. The future, it seems, isn’t about unbreakable encryption, but about who can afford to stay ahead of the decryption curve.
The Long Game
The analysis presented here does not invalidate concerns about post-quantum cryptography, but rather re-frames them. The economic calculus of ‘harvest-now, decrypt-later’ suggests the cost isn’t in storage – that’s a solved problem, eventually. It resides in the sustained effort of using that storage, in maximizing the quantum workload required to meaningfully compromise intercepted data. Every algorithm optimized for speed will, inevitably, be optimized back toward security, and then again. It’s a recursion, not a revolution.
Consequently, future research should not focus solely on the theoretical strength of new cryptographic primitives. The true metric isn’t resistance to attack, but the cost of a successful one, spread across time. A system with frequent, automated rekeying, even utilizing currently vulnerable algorithms, may prove more resilient than a theoretically unbreakable scheme rekeyed infrequently. Architecture isn’t a diagram; it’s a compromise that survived deployment.
The field will continue to chase the asymptote of perfect security, of course. But a more pragmatic path lies in treating cryptographic agility as a continuous operational expense. It’s not about preventing decryption; it’s about making it perpetually unprofitable. One doesn’t refactor code; one resuscitates hope.
Original article: https://arxiv.org/pdf/2603.01091.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-03-03 09:39