Harvest Now, Decrypt Later: The Post-Quantum Cryptographic Threat to AI Infrastructure
Abstract
The "Harvest Now, Decrypt Later" (HNDL) threat model describes a class of strategic attack in which adversaries capture encrypted data transmissions today with the expectation that future quantum computers will render current encryption schemes vulnerable. Unlike conventional cyberattacks, HNDL operations are invisible at the time of execution and irreversible after the fact, creating a unique risk profile that defies traditional security frameworks. This paper examines the technical basis for the threat, the timeline for cryptographically relevant quantum computing, the current state of NIST post-quantum cryptographic standards, and the compounded implications for organizations operating AI infrastructure that processes sensitive data. The central argument is that the window for cost-effective migration to post-quantum cryptography is narrowing, and organizations that delay will face exponentially higher transition costs as their exposure accumulates.
The Threat Model: Temporal Asymmetry and Strategic Patience
HNDL attacks exploit a fundamental temporal asymmetry in cryptographic security: the cost of data capture is trivially low today, while the value of future decryption may be enormous. A state-level adversary with access to internet backbone infrastructure can intercept and archive encrypted traffic from high-value targets at a marginal cost approaching zero per gigabyte. The National Security Agency's Utah Data Center, completed in 2014 at a cost of $1.5 billion, provides an estimated 3 to 12 exabytes of storage capacity. China's equivalent facilities, while less publicly documented, are assessed by the Congressional Research Service to operate at comparable or greater scale. The operational logic is straightforward: capture everything, store it indefinitely, and decrypt it when quantum computing matures.
The strategic calculus is particularly acute for data with long-duration sensitivity. Classified intelligence, trade secrets, medical genomics, financial models, and legally privileged communications retain their value for decades. A diplomatic communication encrypted with RSA-2048 and intercepted in 2025 will be just as valuable to a foreign intelligence service when decrypted in 2037. The "shelf life" of the encrypted data determines the urgency of the threat, not the timeline for quantum computer availability. The Federal Reserve's Office of Financial Research published a 2025 threat assessment confirming that adversaries are actively harvesting encrypted traffic from financial networks, and the Cybersecurity and Infrastructure Security Agency (CISA) issued advisory AA-2024-QC-001 recommending that critical infrastructure operators begin post-quantum migration planning immediately.
Unlike conventional data breaches, which produce observable indicators of compromise (unusual access patterns, data exfiltration alerts, anomalous network traffic), HNDL collection is operationally indistinguishable from normal encrypted traffic flow. There is no intrusion detection signature for a passive wiretap on a fiber optic trunk line. The attack leaves no forensic evidence. Organizations cannot determine after the fact whether their traffic was captured, which means the rational security posture must assume that it was. This assumption transforms the risk calculation: the question is not "have we been compromised?" but "how much of our historical encrypted traffic is sitting in an adversary's storage facility, waiting for a quantum computer to unlock it?"
Quantum Computing Timeline: Engineering Challenges and Probabilistic Forecasting
The timeline for cryptographically relevant quantum computers (CRQCs), systems capable of running Shor's algorithm at sufficient scale to factor RSA-2048 keys or compute discrete logarithms on standard elliptic curves, remains a subject of legitimate scientific uncertainty. However, the range of credible estimates has narrowed considerably. A 2025 survey by the Global Risk Institute, polling 40 leading quantum computing researchers, found a median estimate of 2033 to 2037 for a greater-than-50% probability of a CRQC existing. IBM's quantum computing roadmap targets 100,000 logical qubits by 2033, though the company acknowledges that error correction overhead remains the primary engineering challenge. Google's December 2024 Willow processor demonstrated below-threshold error correction for the first time, a prerequisite milestone on the path to fault-tolerant quantum computation.
The engineering challenge is formidable but increasingly well-characterized. Breaking RSA-2048 via Shor's algorithm requires approximately 4,000 error-corrected logical qubits. Current error correction codes require roughly 1,000 to 10,000 physical qubits per logical qubit, depending on the error rate of the underlying hardware. This implies a physical qubit requirement in the range of 4 million to 40 million, compared to the approximately 1,000 physical qubits available in the largest current processors from IBM (1,121-qubit Condor) and Google (105-qubit Willow). The gap is large but is closing at a rate consistent with exponential hardware scaling. Notably, the Willow result demonstrated that increasing the number of physical qubits in an error-correcting code actually reduced the error rate, an inflection point that quantum computing theorists have long predicted but experimentalists had struggled to achieve.
The uncertainty in the timeline argues for early action, not delayed response. Cryptographic migration in large organizations is historically a multi-year project. The transition from SHA-1 to SHA-256, a comparatively straightforward algorithm swap, took the financial services industry approximately seven years from NIST deprecation (2011) to near-complete adoption (2018). Post-quantum migration is substantially more complex because it involves replacing both key exchange mechanisms and digital signature schemes across every layer of the network stack: TLS certificates, VPN tunnels, API authentication, database encryption, key management systems, and hardware security modules. An organization that begins migration in 2030 and requires five years to complete it faces a non-trivial probability that CRQCs will exist before the migration is finished, meaning traffic encrypted during the transition period may already be compromised.
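The shelf-life and migration-time argument above, worked through as an added example (not part of the original paper): for each traffic class it computes which years of captured traffic are still worth decrypting once a CRQC exists. The 2033 and 2037 CRQC years, the 2025 capture year and the 2030 start with a five-year rollout come from the text; the Asset fields, function names and the remaining inventory values are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    shelf_life_years: int  # years a captured ciphertext stays worth decrypting
    migration_start: int   # year the post-quantum rollout for this path begins
    migration_years: int   # rollout duration

def exposure(asset, crqc_year, capture_from=2025):
    """Return (first, last) years of traffic that is both harvested under
    classical encryption and still sensitive when a CRQC exists, else None."""
    migration_done = asset.migration_start + asset.migration_years
    # Traffic sent in year y is still worth decrypting if y + shelf_life >= crqc_year.
    first = max(capture_from, crqc_year - asset.shelf_life_years)
    # Traffic sent before the rollout completes is only classically protected.
    last = migration_done - 1
    return (first, last) if first <= last else None

def live_break_years(asset, crqc_year):
    """Years in which traffic is still classical after a CRQC already exists."""
    migration_done = asset.migration_start + asset.migration_years
    return max(0, migration_done - crqc_year)

# Constructed inventory; shelf lives and rollout plans are illustrative assumptions.
INVENTORY = [
    Asset("diplomatic cable", 12, 2030, 5),
    Asset("session token", 1, 2030, 5),
    Asset("model checkpoint sync", 10, 2026, 2),
]

def report(crqc_years=(2033, 2037)):
    """One row per asset and CRQC year: (name, year, exposed window, live-break years)."""
    rows = []
    for asset in INVENTORY:
        for year in crqc_years:
            rows.append((asset.name, year, exposure(asset, year),
                         live_break_years(asset, year)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Short-lived data drops out of the exposed set as the CRQC date moves later, while long-lived data stays exposed for every year sent before the rollout finishes.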
Post-Quantum Standards: NIST's Framework and the Performance Question
NIST's post-quantum cryptography standardization effort, initiated in 2016 and culminating in the release of three final standards in August 2024, represents the most significant cryptographic transition since the adoption of public-key cryptography in the 1970s. The three published standards are ML-KEM (FIPS 203), based on the CRYSTALS-Kyber algorithm, for key encapsulation; ML-DSA (FIPS 204), based on CRYSTALS-Dilithium, for general-purpose digital signatures; and SLH-DSA (FIPS 205), based on SPHINCS+, for stateless hash-based signatures. A fourth standard, FN-DSA, based on the FALCON algorithm, is expected in late 2025 for applications requiring compact signatures.
The performance characteristics of these algorithms are encouraging and eliminate the historical objection that post-quantum cryptography imposes unacceptable overhead. ML-KEM key generation and encapsulation operations execute in microseconds on modern hardware, faster than the RSA key exchange operations they replace. ML-DSA signature generation is approximately 10x faster than RSA-2048 signing. The primary trade-off is key and signature size: ML-KEM public keys are approximately 1,568 bytes compared to 256 bytes for X25519, and ML-DSA signatures are approximately 3,293 bytes compared to 64 bytes for Ed25519. These larger sizes increase bandwidth consumption and may require adjustments to protocol frame sizes, but they do not fundamentally alter the performance characteristics of networked systems.
Adoption is accelerating but remains dangerously incomplete. Cloudflare enabled post-quantum key agreement for all free-tier customers by default in September 2024, using a hybrid X25519-ML-KEM-768 key exchange that provides both classical and post-quantum security. Google Chrome has supported hybrid post-quantum key exchange (X25519Kyber768) since version 124 (April 2024). Apple announced PQ3, a post-quantum protocol for iMessage, in February 2024. Signal deployed the PQXDH protocol with quantum-resistant key exchange in September 2023. However, these consumer-facing deployments mask a significant gap in enterprise and infrastructure adoption. A 2025 survey by the Ponemon Institute found that only 5% of organizations had implemented post-quantum protections in any production system, despite 71% of security leaders acknowledging the HNDL threat as credible. The gap between awareness and action represents the core policy failure.
Compounded Risk for AI Infrastructure: Model Weights, Training Data, and Inference Streams
AI infrastructure operators face a compounded HNDL risk profile that exceeds that of conventional enterprise systems. The assets transiting AI infrastructure networks include several categories of data with exceptional long-duration sensitivity. Model weights represent millions of dollars of training investment and embody proprietary competitive advantages; a decrypted model checkpoint gives an adversary complete access to an organization's AI capabilities. Training data may include licensed datasets, proprietary corpora, and synthetic data derived from confidential sources. Inference logs contain the actual queries and responses processed by AI systems, which in enterprise deployments may include privileged legal analysis, medical diagnoses, financial projections, and strategic planning discussions. Fine-tuning data reveals the specific domain adaptations an organization has applied, effectively mapping their AI strategy.
The attack surface is particularly broad for organizations consuming AI services via cloud APIs. Each API call transmits the query payload (potentially containing sensitive source documents) and receives a response payload across the public internet. Even with TLS 1.3 encryption, this traffic is vulnerable to HNDL collection at any intermediate routing point. Organizations processing thousands of inference requests per day over cloud APIs are generating a continuous stream of high-value encrypted traffic that, if archived and later decrypted, would reveal the entirety of their AI-assisted decision-making processes.
The mitigation architecture has three layers, each addressing a different aspect of the threat. First, data in transit must be protected with post-quantum TLS, either through hybrid key exchange (available today in major TLS libraries including OpenSSL 3.2+ and BoringSSL) or through full post-quantum cipher suites as they mature. Organizations should prioritize upgrading TLS on their highest-value traffic paths: inference API endpoints, model synchronization channels, and training data pipelines. Second, data at rest must be re-encrypted with quantum-resistant algorithms, including model weight storage, training data archives, and inference logs. NIST Special Publication 800-227 (draft, 2025) provides guidance on quantum-resistant key management for stored data. Third, network architecture should minimize exposure by reducing the number of network hops that encrypted AI traffic must traverse. Organizations operating private inference infrastructure with direct fabric connectivity between compute nodes and storage eliminate the public internet exposure entirely, reducing the HNDL attack surface to physical facility access rather than remote interception. This architectural advantage, private infrastructure with minimal external network exposure, represents the single most effective mitigation against HNDL collection, and it cannot be replicated by any cloud provider whose service model requires data to transit shared network infrastructure.
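One way to audit the first layer, as an added example rather than code from the paper: parse a captured TLS 1.3 ServerHello and classify the key-exchange group the server selected, so classical-only endpoints on high-value paths stand out. The group code points are the IANA TLS Supported Groups values; the function names and the sample message (zero-filled random and key share) are constructed for illustration.

```python
import struct

# IANA "TLS Supported Groups" code points carried in the key_share extension.
GROUPS = {
    0x0017: ("secp256r1", "classical"),
    0x001D: ("x25519", "classical"),
    0x11EB: ("SecP256r1MLKEM768", "hybrid-pq"),
    0x11EC: ("X25519MLKEM768", "hybrid-pq"),
    0x6399: ("X25519Kyber768Draft00", "hybrid-pq-draft"),
}
KEY_SHARE = 0x0033  # extension type 51

def negotiated_group(msg: bytes):
    """Parse a TLS 1.3 ServerHello handshake message (record header removed)
    and return (group_name, classification) from its key_share extension."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) < 35 or len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("truncated or malformed ServerHello")
    pos = 2 + 32              # legacy_version + random
    pos += 1 + body[pos]      # legacy_session_id_echo
    pos += 2 + 1              # cipher_suite + legacy_compression_method
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns message")
        if ext_type == KEY_SHARE and ext_len >= 2:
            group = int.from_bytes(body[pos:pos + 2], "big")
            return GROUPS.get(group, (f"0x{group:04x}", "unknown"))
        pos += ext_len
    return None  # no key_share (e.g. TLS 1.2): not post-quantum protected

def sample_server_hello(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo: zero-filled random and key share."""
    share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"  # supported_versions
    exts += struct.pack("!HH", KEY_SHARE, len(share)) + share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    print(negotiated_group(sample_server_hello(0x11EC, 1120)))
```

A result of "classical", "unknown" or None on an inference API endpoint, model synchronization channel or training data pipeline marks that path as still collectable under the HNDL model.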