
Harvest now, decrypt later: the attack that's already happening


There is an attack against your encrypted traffic that requires no breakthrough, no zero-day, and no decryption capability whatsoever. Step one: record the ciphertext. Step two: wait.

"Harvest now, decrypt later" (HNDL) is exactly what it sounds like. An adversary with network visibility — an ISP tap, a compromised exchange, a state actor on a backbone — stores encrypted sessions today, betting that a cryptographically relevant quantum computer will eventually run Shor's algorithm and unwrap the key exchange retroactively. The encryption isn't broken today. It doesn't need to be. Storage is cheap, and patience is free.

Why the key exchange is the weak point

Modern encrypted channels (TLS, Signal, WebRTC's DTLS) typically protect data with symmetric ciphers like AES-256 — which quantum computers barely dent. The vulnerable part is how the two sides agreed on the key: elliptic-curve Diffie-Hellman. Shor's algorithm, on a large enough quantum computer, solves the discrete-log problem ECDH rests on. Recover the key exchange, and the AES key — and everything it protected — falls out for free.

Does the timeline matter? Wrong question

Estimates for a cryptographically relevant quantum computer range from a decade to never, and arguing about the date misses the point. The right question is Michele Mosca's inequality: if the time your data must stay secret, plus the time it takes you to migrate, exceeds the time until the machine exists — you are already late. A password you'll rotate Tuesday doesn't care. An SSH key to infrastructure that will run for years, a database dump with customer PII, M&A documents, medical records — these have secrecy lifetimes measured in decades. For them, HNDL is not a future threat; the harvesting is the attack, and it can only happen now.

What NIST standardised

In August 2024, NIST finalised FIPS 203: ML-KEM (Module-Lattice Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber). Its security rests on lattice problems — specifically Module-LWE — for which no efficient quantum algorithm is known. ML-KEM-768, the middle parameter set, targets security comparable to AES-192 and is what most of the industry (browsers, Signal, iMessage) has converged on.

Hybrid: the engineering-honest approach

Lattice cryptography is newer than elliptic curves, and prudent engineering doesn't bet everything on the new thing. The emerging consensus is hybrid key agreement: run classical ECDH and an ML-KEM encapsulation, then feed both outputs through a key-derivation function. An attacker must break both — the elliptic curve and the lattice problem — to recover the session key. If ML-KEM someday falls to clever cryptanalysis, you still have today's ECDH security; if quantum computers arrive, the lattice half holds.

What Secretus does

In Maximum Security mode, the Signal Protocol X3DH handshake between the two browsers is hybridised with ML-KEM-768: the classical ECDH shared secrets and the post-quantum encapsulation are combined through HKDF-SHA-256 into the session key, before the Double Ratchet takes over for per-message keys. The secret itself travels directly browser-to-browser over WebRTC — so there's no stored ciphertext to harvest from a server at all, and what an on-path adversary can record is protected against both today's and tomorrow's cryptanalysis.
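To make the combiner described in the two sections above concrete, here is an added example (not code from Secretus, Signal, or any library): a minimal HKDF-SHA-256 implemented per RFC 5869 and a hybrid combiner that derives one session key from an ECDH shared secret and an ML-KEM shared secret. The two secrets and the transcript are constructed stand-ins for X25519 and ML-KEM-768 outputs; the label string and the exact layout (ECDH secret first, transcript hash in the info field) are this example's own choices, not the PQXDH or Secretus layout.

```python
import hashlib
import hmac

# Added example (not Secretus or Signal code): a hybrid ECDH + ML-KEM
# combiner built on a from-scratch HKDF-SHA-256 (RFC 5869). The two shared
# secrets are CONSTRUCTED stand-ins for the outputs of X25519 and ML-KEM-768
# decapsulation; only the combiner logic is real.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes for SHA-256
SS_LEN = 32                     # X25519 and ML-KEM-768 both yield 32-byte shared secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN   # RFC 5869: empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF = Expand(Extract(salt, ikm), info, length)."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def combine_hybrid(ss_ecdh: bytes, ss_kem: bytes, transcript: bytes,
                   label: bytes = b"example-hybrid-x25519-mlkem768") -> bytes:
    """Derive one 32-byte session key from BOTH shared secrets.

    IKM is the fixed-length concatenation ss_ecdh || ss_kem, so recomputing
    the PRK requires knowing both halves. The hash of the handshake transcript
    (ephemeral public keys, KEM ciphertext, identities) is bound into `info`
    so the key is tied to the exact exchange that produced it. The label and
    layout are this example's choices, not a standard.
    """
    if len(ss_ecdh) != SS_LEN or len(ss_kem) != SS_LEN:
        # Fixed lengths keep the concatenation unambiguous; reject anything else.
        raise ValueError("shared secrets must be exactly 32 bytes each")
    info = label + HASH(transcript).digest()
    return hkdf(salt=b"", ikm=ss_ecdh + ss_kem, info=info, length=32)


def both_halves_matter(ss_ecdh: bytes, ss_kem: bytes, transcript: bytes) -> bool:
    """Sanity check: flipping one bit in EITHER secret changes the session key."""
    baseline = combine_hybrid(ss_ecdh, ss_kem, transcript)

    def flip_first_bit(b: bytes) -> bytes:
        return bytes([b[0] ^ 0x01]) + b[1:]

    ecdh_changed = combine_hybrid(flip_first_bit(ss_ecdh), ss_kem, transcript) != baseline
    kem_changed = combine_hybrid(ss_ecdh, flip_first_bit(ss_kem), transcript) != baseline
    return ecdh_changed and kem_changed


# Constructed stand-ins (derived from fixed strings so the example is repeatable).
# In a real handshake these come from X25519(priv, peer_pub) and ML-KEM-768.Decaps().
SS_ECDH = HASH(b"constructed stand-in for the X25519 shared secret").digest()
SS_KEM = HASH(b"constructed stand-in for the ML-KEM-768 shared secret").digest()
TRANSCRIPT = b"constructed transcript: both ephemeral public keys || KEM ciphertext"

if __name__ == "__main__":
    key = combine_hybrid(SS_ECDH, SS_KEM, TRANSCRIPT)
    print("session key:", key.hex())
    print("both halves contribute:", both_halves_matter(SS_ECDH, SS_KEM, TRANSCRIPT))
```

Run it directly to see the derived key. The `both_halves_matter` check is the one a reviewer of a hybrid handshake wants: if either input were dropped, zeroed, or truncated by a plumbing bug, the scheme would silently degrade to single-algorithm security, and the fixed-length check on the secrets guards against ambiguous concatenation in the same way.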

You can't retroactively protect traffic you sent unprotected. That's the uncomfortable asymmetry of HNDL — and the reason "we'll migrate when quantum computers are real" is a plan to be exactly one harvest too late.
