Harvest Now, Decrypt Later: Why Post-Quantum Encryption Already Matters
Most attacks on encryption try to break it now. “Harvest now, decrypt later” gives up on now. The adversary records your encrypted traffic today, stores it, and waits — a year, a decade — until the math protecting it can be broken cheaply. They are not betting on a flaw in today’s cryptography. They are betting on tomorrow’s hardware. For any secret that still matters when that hardware arrives, the encryption you use today is the only thing standing between you and a decryption that happens long after you have forgotten the conversation took place.
This is not hypothetical. It is the realistic shape of the threat for anyone whose secrets have a long shelf life.
What “harvest now, decrypt later” actually is
The attack — abbreviated HNDL, or called “store now, decrypt later” — has two phases separated by years.
- Harvest. A well-resourced adversary (a state intelligence agency, a telecom that can tap a backbone) captures encrypted traffic in bulk and archives it. They cannot read it. They do not need to yet. Storage is cheap; ciphertext is small.
- Decrypt. Later, when a sufficiently powerful quantum computer exists, they run a known algorithm — Shor’s — against the archived key exchanges, recover the session keys, and read everything they captured.
The key word is later. The adversary is patient because they do not need to compromise your device, trick you, or break the cipher today. They only need to outlast the cryptography.
Be precise about the quantum part
We will not sell you fear. A cryptographically relevant quantum computer — one large and stable enough to run Shor’s algorithm against X25519 or RSA at real key sizes — does not exist publicly today. Current quantum machines are far too small and too noisy. Anyone who tells you your messenger is being decrypted by a quantum computer right now is wrong.
The threat HNDL describes is future confidentiality, not present confidentiality. The question is not “can someone read this today.” It is “will this still be a secret when that machine arrives, and is someone keeping a copy until then.” If the answer to both is yes, classical-only encryption is a liability you are accruing right now, silently, with every message you send.
Which secrets have a shelf life
The defense matters in proportion to how long your data stays sensitive. Some cases where the clock runs for years or decades:
- Journalists’ sources. A source’s identity can be dangerous to them for the rest of their life. A leak ten years from now is still a catastrophe.
- Legal and medical records. Privilege and confidentiality do not expire on a convenient schedule.
- Dissidents and activists under authoritarian regimes. A regime that archives traffic today and gains decryption capability later can retroactively map an entire network of people.
- Trade secrets, negotiations, long-term identity material. Anything whose value or danger persists.
If your messages are about lunch, HNDL is irrelevant to you. If your messages could end a career, a case, or a life years from now, it is worth taking seriously today, because the decision to protect them cannot be made retroactively.
The fix is hybrid, not “go all quantum”
The obvious reaction is to throw out classical cryptography and replace it with a post-quantum (PQ) algorithm. That would be a mistake, and here is why RVNT does not do it.
Post-quantum algorithms are newer. They rest on mathematics — for the lattice family, problems like Module-LWE — that the public cryptographic community has studied for far less time than elliptic curves. They are very likely sound; NIST standardized them after years of open analysis. But “very likely” is not the bar for something protecting a source’s life. A classical break of a PQ-only scheme — a clever new attack on the lattice, an implementation flaw — would leave you with nothing.
So RVNT uses hybrid key exchange. The session key is derived from two independent key agreements, combined:
- X25519 — classical elliptic-curve Diffie-Hellman, battle-tested over decades. Strong against every classical attacker. Vulnerable, eventually, to a quantum computer.
- ML-KEM-768 — the lattice-based key encapsulation mechanism standardized as FIPS 203, at NIST security level 3. Strong against quantum attackers. Newer, less weathered.
Both run inside a hybrid version of X3DH, our initial key-agreement protocol. The two shared secrets are fed together into the key derivation, so the final session key depends on both.
To recover a session key, an attacker must break both the elliptic curve and the lattice. Defeating either one alone gains them nothing.
That is the whole point of hybrid. You keep decades of confidence in X25519 and you add quantum resistance, and you only lose if both fail at once. It is the responsible choice for the period we are actually in — where PQ algorithms are trustworthy enough to add, but not so weathered that you would stake everything on them alone.
session_key = KDF(X25519_shared || ML_KEM_768_shared)
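The combiner above as runnable code (an added example, not RVNT's implementation). HKDF-SHA256 as the KDF, the empty salt, the `info` label and the sample secrets are assumptions made here; the page does not name RVNT's KDF or its parameters.

```python
import hashlib
import hmac

HASH = hashlib.sha256
X25519_LEN = 32  # size of an X25519 shared secret
MLKEM_LEN = 32   # size of an ML-KEM-768 shared secret (FIPS 203)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: condense the input keying material into a PRK."""
    if not salt:
        salt = bytes(HASH().digest_size)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: stretch the PRK into `length` output bytes."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(x25519_shared: bytes, ml_kem_768_shared: bytes,
                       info: bytes = b"example-hybrid-v1") -> bytes:
    """session_key = KDF(X25519_shared || ML_KEM_768_shared)."""
    # Fixed lengths keep the concatenation unambiguous.
    if len(x25519_shared) != X25519_LEN or len(ml_kem_768_shared) != MLKEM_LEN:
        raise ValueError("each shared secret must be exactly 32 bytes")
    # An all-zero X25519 output means the peer supplied a low-order point,
    # so the classical half would contribute nothing secret.
    if hmac.compare_digest(x25519_shared, bytes(X25519_LEN)):
        raise ValueError("all-zero X25519 shared secret")
    prk = hkdf_extract(b"", x25519_shared + ml_kem_768_shared)
    return hkdf_expand(prk, info, 32)


# Constructed sample values standing in for real key-agreement outputs.
SAMPLE_X25519 = bytes(range(1, 33))
SAMPLE_MLKEM = bytes(range(101, 133))
```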
How this fits the rest of RVNT
The hybrid handshake establishes the first shared secret. From there, every message is protected by the Double Ratchet: AES-256-GCM, a unique key per message, derived from a continuously advancing chain and deleted immediately after use. That gives forward secrecy — if your device is seized today, past messages whose keys are already gone cannot be reconstructed — and break-in recovery, where future messages heal after the next ratchet step.
Forward secrecy and post-quantum key exchange solve different halves of the same long-term problem. Forward secrecy protects the past from a future device compromise. Hybrid PQ key exchange protects today’s traffic from a future cryptographic break. HNDL specifically targets the recorded key exchange, which is exactly the piece ML-KEM-768 hardens. You want both, and RVNT ships both by default — there is no toggle to turn quantum resistance “on,” because security that is opt-in is security most people never get. See the protocol overview and our post-quantum notes for the details.
What hybrid does not fix
We publish our limits, so here are the honest edges of this defense.
- It protects the key exchange and the data in transit — not your endpoints. If malware or a keylogger is on your own device, no key agreement can help you. Read the threat model.
- It does not protect against the people you talk to. A contact who screenshots, forwards, or is compelled to hand over their device exposes the plaintext directly. PQ cryptography never touches that.
- It is not a claim that quantum computers exist today. They do not, publicly. This is insurance against a future capability applied to today’s recorded traffic — which is precisely why it has to be deployed before that capability exists, not after.
Don’t trust us — verify us
The honest version of “post-quantum” is narrow and specific: a hybrid X25519 + ML-KEM-768 key agreement, so that recording your traffic today buys an attacker nothing even if they hold it until a quantum computer arrives. No magic, no claim that the future is already here.
RVNT is open source under AGPLv3. The handshake, the key derivation, the use of ML-KEM-768 — all of it is in the code, not in a marketing claim. If you want to know whether the hybrid is wired the way this post says, read it. That is the standard we hold ourselves to, and the one we ask you to hold us to.