Harvest Now, Decrypt Later
Also known as: HNDL, Store Now, Decrypt Later, SNDL, Retrospective Decryption
Harvest Now, Decrypt Later is an attack strategy where an adversary records encrypted traffic today and stores it, intending to decrypt it years from now once a cryptographically relevant quantum computer exists. Because encrypted data does not expire, any message protected only by classical public-key cryptography becomes retroactively readable the day quantum computers arrive. It is the core reason to deploy post-quantum encryption before such machines exist.
The unsettling premise of Harvest Now, Decrypt Later (HNDL) is that an attacker does not need to break your encryption today to win. They only need to capture and store your ciphertext today and wait. Storage is cheap: one terabyte of intercepted traffic costs a few dollars a year to keep. The decryption happens later, when a quantum computer running Shor's algorithm can solve the elliptic-curve and RSA problems that protect today's key exchanges in polynomial time.
This is not a hypothetical for high-value targets. Nation-state intelligence agencies already perform bulk interception, and the NSA's CNSA 2.0 guidance explicitly acknowledges that adversaries may be collecting encrypted data now to decrypt once quantum capability matures. The U.S. has set timelines (CNSA 2.0 requires PQC support for national security systems starting around 2027) precisely because the harvesting window is open today.
The key insight is mismatched timelines. The threat is not whether a quantum computer exists now (it does not, at a relevant scale). The threat is the lifetime of your secret. If something you send today must stay confidential for ten or twenty years (a journalist's source, a legal strategy, a medical record, a dissident's identity) then a quantum computer arriving in 2035 still exposes a 2026 message.
The only real defense is to encrypt with post-quantum cryptography before the quantum computer exists, so the harvested ciphertext is already useless when it arrives.
How it works
The attack has three phases. Collect: the adversary intercepts and stores ciphertext, public keys, and key-exchange parameters in bulk; no decryption is attempted. Wait: the stored data sits in a data center for years at negligible cost. Decrypt: once a cryptographically relevant quantum computer (CRQC) is available, the adversary runs Shor's algorithm against the recorded key-exchange material to recover the session keys, then bulk-decrypts every captured message. The window of exposure equals the secrecy lifetime of the data, not the time until quantum computers arrive.
How RVNT uses Harvest Now, Decrypt Later
RVNT defeats HNDL by mixing a post-quantum ML-KEM-768 shared secret into every session handshake alongside classical X25519. Even if an attacker harvests the traffic today and later builds a quantum computer that breaks X25519, the recorded ciphertext stays sealed because they also need to break the lattice KEM. This protection is on by default, not an opt-in. See the post-quantum and key exchange docs.
Frequently asked questions
If quantum computers don't exist yet, why worry about Harvest Now, Decrypt Later?
Because the data is being collected now and stored cheaply. The decryption simply happens whenever the quantum computer arrives, possibly a decade later. If your secret still matters in ten or twenty years, you need to encrypt it post-quantum today, before the harvested copy can ever be opened.
Is Harvest Now, Decrypt Later a real threat or just marketing?
It is documented by the NSA and NIST. NSA's CNSA 2.0 guidance and NIST's PQC program both cite bulk interception of encrypted traffic as the motivating reason to migrate before a cryptographically relevant quantum computer exists. State-level actors operate facilities designed to store intercepted communications at scale.
Does using a VPN or Tor stop Harvest Now, Decrypt Later?
Not on its own. A VPN or Tor circuit still relies on classical key exchange that a future quantum computer can break, so harvested handshakes can be decrypted later. You need post-quantum key agreement, which is what RVNT's hybrid ML-KEM-768 handshake provides, in addition to Tor routing.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.