Antigravity Q&A
What if an adversary gains quantum capability years before migration begins—can "harvest now, decrypt later" be meaningfully stopped retroactively?
Answered by claude-haiku-4-5 · 29 May 2026
Answer
## The "Harvest Now, Decrypt Later" Problem: Partial Answers, Hard Limits
You're asking about a genuinely troubling scenario: an adversary records encrypted communications today, then decrypts them years later once quantum computers arrive. This is called the "harvest now, decrypt later" threat, and the provided preprints touch on it only obliquely—so I'll lay out what we know and don't.
### The Threat Is Real and Largely Irreversible
The core problem is that RSA and elliptic-curve cryptography—which protect most internet traffic today—can be broken by Shor's algorithm running on a sufficiently powerful quantum computer [AG-2024.05-2225]. Once an adversary has stored ciphertext, retroactive decryption is fundamentally hard to stop: the data is already gone, and breaking the underlying math is a one-time event. This makes historically sensitive data (state secrets, medical records, financial transactions) permanently at risk if encrypted with current schemes.
The threat timeline matters. Current quantum computers are nowhere near capable of running Shor's algorithm at scale [AG-2024.01-2022]: they lack the qubit count, coherence time, and error correction needed for cryptanalysis. But that doesn't mean an adversary won't build one in 5, 10, or 20 years—and any encrypted data captured today could be vulnerable by then.
### Mitigation: Crypto Agility, Not Retroactive Decryption
You cannot meaningfully "stop" harvest-now-decrypt-later retroactively—the plaintext is gone once compromised. Instead, the defense is forward-looking migration:
Lattice-based post-quantum cryptography is the leading solution [AG-2024.05-2225]. Schemes like Kyber (key encapsulation) and Dilithium (signatures) replace RSA and elliptic curves with mathematical problems believed hard even for quantum computers—specifically, the shortest vector problem in high-dimensional lattices. These are not quantum-resistant by philosophical magic; they're just different hard problems that Shor's algorithm doesn't solve.
Hybrid encryption is a practical near-term defense: encrypt data with *both* classical (RSA/ECC) *and* post-quantum (Kyber) keys simultaneously. An adversary would need to break both to decrypt, which raises the bar even if quantum computers arrive soon [AG-2024.02-1291]. This buys time for complete migration.
The blockchain analogy is instructive. Proof-of-work cryptocurrencies using SHA-256 hashing are threatened by Grover's algorithm, which can square-root the search space [AG-2024.03-1707]. However, switching to post-quantum hash functions or signature schemes does not decrypt old blocks retroactively—it only protects future ones [AG-2024.02-1291]. The same logic applies to stored communications.
### What These Preprints Don't Address
The archive doesn't directly tackle the hard policy question: How do we retroactively protect already-compromised data? Spoiler: we don't. Once plaintext is leaked, it's leaked. The only real defense is to:
1. Identify what data matters most (state secrets, long-term identities, cryptographic keys themselves) and assume it may be harvested.
2. Migrate to post-quantum crypto now, not when quantum computers arrive.
3. Use forward secrecy (ephemeral session keys) so that even if long-term keys are broken later, old sessions remain protected.
The last point is crucial: if you use perfect forward secrecy (PFS) with a quantum-safe key agreement, a future quantum computer cannot decrypt your *past* sessions—only your *current* ones, which you'll have already upgraded.
### The Bottom Line
No, harvest-now-decrypt-later cannot be "meaningfully stopped retroactively"—data already encrypted and stored is permanently at risk if the cipher is broken. The only lever is migration speed: switching critical infrastructure to post-quantum cryptography before quantum computers mature enough to run Shor's algorithm at scale [AG-2024.05-2225, AG-2024.01-2022]. This is why NIST standardized Kyber and Dilithium in 2022, and governments are now mandating adoption.
---
Note: The provided preprints focus on post-quantum *algorithm design* and *quantum computer maturity*, but don't deeply explore the policy, key-rotation, or retroactive-recovery strategies needed for a large-scale cryptographic migration. That gap reflects the archive's emphasis on the math and physics, not institutional logistics.
Sources · 8
- AG-2024.05-2225 · cs.CR · Post-Quantum Security: Origin, Fundamentals, and Adoption (62%)
- AG-2024.01-2022 · quant-ph · Assessing the Benefits and Risks of Quantum Computers (61%)
- AG-2024.03-1707 · quant-ph · 51% Attack via Difficulty Increase with a Small Quantum Miner (60%)
- AG-2024.07-2243 · quant-ph · Quantum Truncated Differential and Boomerang Attack (58%)
- AG-2024.01-1977 · cs.CR · A Thorough Study of State Leakage Mitigation in Quantum Computing with One-Time Pad (58%)
- AG-2024.06-1682 · cs.CR · Security Attacks Abusing Pulse-level Quantum Circuits (58%)
- AG-2024.06-2229 · quant-ph · Can Quantum Computers Do Nothing? (57%)
- AG-2024.02-1291 · cs.CR · Towards post-quantum blockchain: A review on blockchain cryptography resistant to quantum computing attacks (57%)
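The hybrid key agreement the answer recommends (a classical and a post-quantum exchange run side by side, with both secrets feeding one session key) as a worked example. This is added here and is not code from the answer or from any of the cited preprints. It uses only the Go standard library: crypto/ecdh for X25519, crypto/mlkem for ML-KEM-768 (the standardized form of Kyber) and crypto/hkdf, all present from Go 1.24. The combiner (HKDF-SHA256 over both shared secrets and both ciphertexts, loosely following the X-Wing design), the type and function names, and the info label are this example's own choices, not a protocol specification. The adversary function stands in for the "harvest now, decrypt later" attacker: the Shor recovery of the X25519 private key is simulated by simply handing it over, and the code then shows what that adversary can and cannot compute.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridPrivate holds the responder's classical and post-quantum decapsulation
// keys. Type, field and function names here are this example's own.
type HybridPrivate struct {
	X   *ecdh.PrivateKey
	KEM *mlkem.DecapsulationKey768
}

// GenerateHybrid creates one X25519 key pair and one ML-KEM-768 key pair.
func GenerateHybrid() (*HybridPrivate, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kem, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &HybridPrivate{X: x, KEM: kem}, nil
}

// x25519Shared computes the X25519 shared secret against an encoded peer key.
func x25519Shared(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// combine derives the 32-byte session key with HKDF-SHA256 over both shared
// secrets and both ciphertexts (binding the key to the exchange, as X-Wing does).
// An adversary holding ssX but not ssKEM is missing part of the KDF input.
func combine(ssX, ssKEM, ctX, ctKEM []byte) ([]byte, error) {
	ikm := bytes.Join([][]byte{ssX, ssKEM, ctX, ctKEM}, nil)
	return hkdf.Key(sha256.New, ikm, nil, "example-hybrid-x25519-mlkem768", 32)
}

// Encapsulate is the initiator's step. It returns the session key and the two
// ciphertexts a harvesting adversary records (ephemeral X25519 key, ML-KEM ct).
func Encapsulate(xPub *ecdh.PublicKey, ek *mlkem.EncapsulationKey768) (key, ctX, ctKEM []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ssX, err := eph.ECDH(xPub)
	if err != nil {
		return nil, nil, nil, err
	}
	ssKEM, ctKEM := ek.Encapsulate()
	ctX = eph.PublicKey().Bytes()
	key, err = combine(ssX, ssKEM, ctX, ctKEM)
	return key, ctX, ctKEM, err
}

// Decapsulate is the responder's step on the two received ciphertexts.
func Decapsulate(priv *HybridPrivate, ctX, ctKEM []byte) ([]byte, error) {
	ssX, err := x25519Shared(priv.X, ctX)
	if err != nil {
		return nil, err
	}
	ssKEM, err := priv.KEM.Decapsulate(ctKEM)
	if err != nil {
		return nil, err
	}
	return combine(ssX, ssKEM, ctX, ctKEM)
}

// HarvestThenBreakClassical models the adversary in the question: ctX and ctKEM
// were recorded today and, years later, Shor's algorithm yields the responder's
// X25519 private key (simulated by passing it in). With no route to ssKEM they
// can only guess it; all-zeros stands for any wrong 32-byte guess.
func HarvestThenBreakClassical(recoveredX *ecdh.PrivateKey, ctX, ctKEM []byte) ([]byte, error) {
	ssX, err := x25519Shared(recoveredX, ctX)
	if err != nil {
		return nil, err
	}
	return combine(ssX, make([]byte, 32), ctX, ctKEM)
}

func main() {
	// Errors are ignored only in this demo entry point; the functions above return them.
	priv, _ := GenerateHybrid()
	kInit, ctX, ctKEM, _ := Encapsulate(priv.X.PublicKey(), priv.KEM.EncapsulationKey())
	kResp, _ := Decapsulate(priv, ctX, ctKEM)
	kAdv, _ := HarvestThenBreakClassical(priv.X, ctX, ctKEM)
	fmt.Println("peers agree:", bytes.Equal(kInit, kResp), "| classical-only adversary:", bytes.Equal(kInit, kAdv))
}
```

Two practical points follow from the code rather than from the prose. First, the adversary in HarvestThenBreakClassical has everything that was on the wire plus a fully broken X25519, and still cannot reach the session key because the KDF input also contains the ML-KEM secret; the symmetric statement holds if ML-KEM were broken and X25519 were not. Second, the responder's ML-KEM key in this example is static, so a later compromise of that key (by theft, not by quantum cryptanalysis) would expose every recorded session; the forward-secrecy point in the answer requires the responder to use a fresh ML-KEM key per session as well, which is how TLS 1.3 hybrid key shares are deployed.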