Harvest now, decrypt later
The threat model that drives the post-quantum migration is not 'a quantum computer can break RSA today.' It is:
An adversary records ciphertexts today. If a fault-tolerant quantum computer of sufficient scale exists at some future time , the recorded ciphertexts can be decrypted retroactively.
Data whose value extends past is at risk now, regardless of whether the quantum computer exists yet. Examples include long-lived secrets such as:
- Government and diplomatic communications with multi-decade sensitivity.
- Medical records, genetic data, and personal information with lifetime relevance.
- Trade secrets and IP whose value persists over patent lifetimes (20+ years).
- Cryptographic root materials that anchor longer-lived trust chains.
This is the harvest-now, decrypt-later framing. It uncouples the migration timeline from the quantum-hardware timeline: even if useful quantum computers are far away, traffic encrypted with quantum-vulnerable algorithms today exposes data whose confidentiality requirement outlasts the gap.
The migration is therefore treated by major standardization bodies and many enterprises as an immediate operational priority, independent of any specific prediction about when the cryptographic threat materializes.
