Active research material. Status: Open This page is part of Deretti Cyber Labs' open research and is currently being developed and revised. It reflects the lab's working understanding at the time of last revision, not a final or stable position. See the Active Research index for context and full listing.

2026 · Cryptographic Exposure · Open Research

Post-Quantum Cryptographic Exposure

Harvest Now, Decrypt Later · long-lived data exposure · enterprise PQC transition risk

Living Exposure Class Full Cryptography / Identity Application Network Protocol Cloud Service Supply Chain

Research window: 2024–2026 (FIPS 203/204/205 finalized August 2024; ongoing)
Last revised: May 2026
Status: Active
Type: Living Exposure Class
IOC status: None
Attribution: Not applicable / capability and exposure analysis

Reader contract. This is an active research note, not an active intrusion report. It does not track a named threat actor, malware family, campaign, exploit chain, or indicator set. There are no IoCs associated with this entry. It does not claim that cryptographically relevant quantum decryption is occurring against captured ciphertext in the wild today. The subject is active because the exposure condition is current: encrypted data can be collected today, retained over time, and later placed at risk if cryptographically relevant quantum capability becomes available before affected systems and data protections are migrated. This entry belongs to a research category Deretti Cyber Labs tracks as a Living Exposure Class — a structural property of the operating environment that creates persistent risk without requiring a named adversary or active campaign to be present.

Executive Summary

Post-quantum cryptographic exposure is a long-horizon security risk created by the mismatch between data confidentiality lifetimes and cryptographic migration timelines. The immediate concern is Harvest Now, Decrypt Later (HNDL): the collection or retention of encrypted data today for potential decryption later, once classical public-key cryptography can be defeated by a cryptographically relevant quantum computer.

The operational risk is not bounded by the arrival date of such a computer. It begins now, with every byte of long-lived sensitive data transmitted, replicated, backed up, logged, or archived under classical encryption. Already-collected ciphertext cannot be retroactively re-encrypted. Migration to post-quantum cryptography closes the future collection window only; it does not protect material already captured.

The cryptanalytic resource estimates required to break classical public-key cryptography have materially compressed in 2025 and 2026, reducing the conservative planning estimate for cryptographically relevant quantum capability from the mid-2030s toward the earlier end of the 2029–2035 range. NIST has finalized three post-quantum standards. CISA has issued procurement-category guidance. Federal compliance timelines under CNSA 2.0 are in motion. Vendor support is uneven and evolving.

The defender’s working posture is disciplined urgency — neither panic spending nor deferral, executed as a small, repeatable, defensible discipline over multi-year migration timelines.

Why This Is Active Research

The exposure condition is current because all of the following are simultaneously true in May 2026:

NIST post-quantum standards are finalized. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) were issued in August 2024 and provide the algorithmic basis for migration.¹

Federal inventory and migration expectations are in motion. CISA issued post-quantum product-category procurement guidance in January 2026. CNSA 2.0 establishes January 2027 as the inflection point for preferred PQC use in National Security Systems, with deprecation milestones extending through 2030–2031.

Vendor support is uneven. Hyperscaler-edge providers (Cloudflare, AWS, Google, Microsoft) have moved into production hybrid deployments. Mid-market vendors, appliance vendors, and embedded systems vendors are at widely varying stages of roadmap maturity.

Long-lived encrypted data is already within the HNDL risk window. Any data with a confidentiality requirement extending past the conservative CRQC emergence range (2029–2035) is presently exposed if transmitted under classical encryption.

The cryptanalytic resource estimates required to operationalize the decryption phase have compressed substantially in the last twelve months. Two papers published in March 2026 reduced the qubit threshold for ECDLP-256 by approximately 20x compared to the 2023 baseline.²³

PQC implementation affects TLS, VPNs, PKI, identity systems, code signing, firmware update trust, cloud services, SaaS platforms, backup and archive systems, and the procurement language that governs all of them. The operational guidance for each of these areas is still maturing.

Each of these conditions is subject to change, often quickly. The research is active because it will be revised as the standards, guidance, and capability environment changes.

What This Is Not

This entry is not:

A SOC alert. There is no detection signature, behavioral pattern, or operational indicator that would be appropriate for SIEM ingestion or alert tuning.

A campaign report. No campaign is named, tracked, or attributed in this entry.

An attribution assessment. No threat actor is identified as currently operating against any specific target set. Public statements from national cybersecurity authorities about adversary collection intent are cited as institutional context, not as attribution.

A malware analysis. No malware family, tooling chain, or operational capability is documented.

A vulnerability advisory. No CVE, software defect, or configuration weakness is the subject of this entry. The cryptographic algorithms being deprecated are not defective; they are being deprecated against a future threat model.

An IoC collection. No indicators of compromise, file hashes, domain names, IP addresses, or behavioral indicators are associated with this entry.

A claim that CRQC-driven decryption is operationally occurring today. The decryption phase of HNDL requires capabilities that do not yet exist in operational form. The exposure is the collection phase, which is plausible and likely ongoing, plus the deferred decryption phase, which is expected but not present.

This is a structured analysis of a current exposure condition and the operational transition risk surrounding post-quantum cryptography. Reader interpretations should remain within that frame.

Exposure Model

        Sensitive Data
              ↓
   Classical Public-Key Protection
   (RSA, ECDH, ECDSA, etc.)
              ↓
   Collection / Replication / Retention
   (network capture, backup, archive,
    distributed ledger, log retention)
              ↓
        Long Storage Window
   (years to decades; outside
    organizational visibility once captured)
              ↓
       Future CRQC Capability
   (estimated emergence 2029–2035,
    range compressing toward earlier)
              ↓
  Retrospective Confidentiality Loss
   (irreversible; remediation impossible
    after collection)

The exposure is realized when the storage window for harvested ciphertext outlasts the time required for cryptographically relevant quantum capability to emerge, and the data retains confidentiality value at the moment decryption becomes feasible.

The operative inequality is Mosca’s: if the time required to migrate to post-quantum cryptography (X) plus the time data must remain confidential (Y) exceeds the time until CRQC emergence (Z), the migration is already behind. For most enterprise operators with material long-lived data, X + Y > Z is presently true.

Evidence Base

The evidence base for this Living Exposure Class is institutional, technical, and analytical. It is not operational. No operational evidence — in the form of attributed campaigns or technical indicators of HNDL collection — is publicly available, and none is required to establish the exposure class.

Primary authority

NIST FIPS 203, 204, 205 (August 2024). Algorithm standards.
NIST IR 8547 (initial public draft, November 2024; ongoing). Transition timeline guidance.
NIST CSWP 39 (finalized January 2026). Crypto-agility framework.
CISA Product Categories for Technologies That Use Post-Quantum Cryptography Standards (January 2026). Federal procurement signaling.
OMB Memorandum M-23-02 (January 2023). Federal cryptographic inventory mandate.
NSA Commercial National Security Algorithm Suite 2.0 (CNSA 2.0). Algorithm and timeline guidance for National Security Systems.
Quantum Computing Cybersecurity Preparedness Act (Public Law 117-260).

Research and analysis

Federal Reserve FEDS Working Paper 2025-093, Mascelli and Rodden (September 2025). Characterizes HNDL as a “present and ongoing” risk; analyzes distributed-ledger exposure as illustrative case.⁴
Babbush et al. with Boneh and Drake (Google Quantum AI, March 2026). Reduced ECDLP-256 quantum resource estimate to fewer than 500,000 surface-code qubits with runtime in minutes; approximately 20x reduction from 2023 baseline.²
Cain, Bluvstein, Preskill et al. (Caltech / UC Berkeley / Oratomic, March 2026). Shor’s algorithm feasibility at as few as 10,000 reconfigurable neutral-atom qubits; P-256 ECDLP in days at 26,000 qubits.³
Gidney (Google Quantum AI, May 2025). RSA-2048 resource estimate under one million qubits.
NIST NCCoE migration practice work (SP 1800-38 series).
Post-Quantum Cryptography Coalition migration roadmap (May 2025).
Trusted Computing Group State of PQC Readiness (December 2025). Survey of 1,500 security professionals; 91% no formal PQC roadmap, 81% report crypto libraries and HSMs not migration-ready.⁵
ISACA Quantum Computing Pulse Poll (April 2025). Survey of 2,600+ professionals; 95% lack defined quantum strategy.⁶

Institutional intent statements

NSA quantum computing advisory (August 2021, subsequent updates).
UK NCSC Annual Review 2023.
ODNI Annual Threat Assessment 2023.
G7 Cyber Expert Group financial-sector PQC roadmap (January 2026).
Five Eyes joint cybersecurity advisories on long-term collection campaigns.

Not used as primary evidence

Vendor marketing positioning cryptographic exposure as imminent without sourced timeline claims.
Aggregated “Q-Day” predictions without primary cryptanalytic citation.
Attribution inferences from public BGP, route-hijack, or traffic-interception incidents. These incidents are publicly documented; their interpretation as HNDL operations is speculative and is not relied on in this entry.

Enterprise Impact

Post-quantum cryptographic exposure surfaces operationally in several categories of enterprise systems and data. The list below is not exhaustive but identifies the categories where most operators will find material exposure during inventory.

Cryptographic boundaries. TLS termination points, VPN endpoints, SSH access, SaaS API authentication, and federated identity protocols all rely on classical public-key primitives for key establishment and authentication. Hybrid post-quantum modes are emerging across this layer at uneven vendor velocities.

Trust infrastructure. Certificate authorities, code-signing pipelines, firmware update trust chains, and software supply-chain signing are highest-priority because the trust they establish must outlast both the data and the systems they protect. Compromise of these layers in the post-CRQC era has compounding effects on every downstream system.

Long-lived data domains. Legal work-product and litigation files (attorney-client communications, eDiscovery review collections, M&A diligence, sealed records, trade secret filings); healthcare records (patient files, genomic data, clinical research); financial transaction logs (with regulated retention windows typically 7–10 years and often longer); identity and biometric records (where compromise is permanent because biometrics cannot be reissued); intellectual property in long-cycle industries (pharmaceutical, aerospace, semiconductor, automotive R&D); diplomatic, classified, and national-security material.

Vendor and procurement dependencies. For most enterprise operators, between 70% and 90% of cryptographic posture is determined by vendor product roadmaps rather than internal engineering. Procurement language, contract renewal cycles, and vendor accountability mechanisms are the primary leverage points for closing the exposure window.

The structural defender problem. HNDL exposure is structurally different from threat models defenders are trained on. There is no detection event at the target (collection occurs upstream, in transit, outside the organization’s visibility). There is no response window (once ciphertext is captured, no defender action affects it). There is no post-incident remediation (re-encryption does not retroactively protect prior ciphertext; deletion of source records does not invalidate adversary copies). The only meaningful defensive action must occur before the data is transmitted under classical encryption. This inverts the detect-respond-remediate logic that most enterprise security programs are built around.

IR 2.0 Mapping

PQC readiness is not incident response in the narrow sense. It is a resilience and preparedness problem that maps cleanly to the four stages of the Deretti Cyber Labs IR 2.0 framework.

Sense. Identify cryptographic dependencies across applications, infrastructure, vendor products, and third-party services. Identify long-lived data classes and their retention requirements. Identify externally exposed services and high-trust systems. Identify vendor posture on post-quantum support. Identify systems that will not be migrated and require retirement or compensating controls.

Decide. Prioritize migration sequence by the intersection of data lifetime, exposure surface, trust role, regulatory relevance, and migration feasibility. Three working priority tiers are sufficient for most operators: P1 for internet-facing long-lived high-trust systems; P2 for internet-facing short-lived or lower-trust systems; P3 for internal-only short-lifetime systems. Most operators in the mid-market will identify five to fifteen P1 items in total.

Act. Update procurement language to require post-quantum support in new contracts and renewals. Pilot vendor-supported hybrid PQC deployments on highest-priority systems. Retire or compensate around unsupported systems. Build crypto-agility into architecture standards and lifecycle planning. Document rollback procedures for every hybrid transition before production deployment.

Learn. Maintain the cryptographic inventory as a living register, not a one-time artifact. Revise the vendor questionnaire and procurement language quarterly. Update architecture standards as the post-quantum protocol layer evolves. Re-run the priority assessment cycle against revised vendor roadmaps, NIST guidance updates, and CISA category list revisions.

The framework is not the point of this mapping. The discipline is. The same operating habits — calm, sequenced, documented — that hold up under incident pressure are the habits that close the post-quantum exposure window over a multi-year clock.

Tracking Questions

The following open questions define the active research scope of this entry. Material developments against any of these will be reflected in versioned updates.

Which product categories are gaining credible PQC support first, and which remain laggards? CISA’s January 2026 list is the baseline; vendor general-availability announcements are the operational signal.
Which vendors support standards-based post-quantum cryptography (FIPS 203, 204, 205) versus proprietary or pre-standards implementations? Standards conformance is the procurement-grade differentiator.
Where do hybrid TLS deployments create compatibility issues at scale? MTU and packet fragmentation, certificate chain bloat, deep packet inspection appliance compatibility, and load balancer behavior remain emerging failure modes.
How are certificate chains and PKI tooling adapting to post-quantum signature sizes (ML-DSA-87 signatures are approximately 18x larger than RSA-2048)? Chain validation performance, OCSP, and CRL infrastructure all require revisitation.
What procurement language is becoming normalized for post-quantum readiness clauses? RFP rubrics, vendor questionnaires, and contractual SLAs around algorithm support are converging but not yet standard.
Which sectors face the highest long-lived-data exposure and the slowest vendor support? The intersection — long retention, slow vendor — is the highest-risk operating zone.
How should small and mid-sized IT teams scope readiness work without overbuilding? The mid-market gap between hyperscaler playbooks and operator-grade execution is the active translation frontier.
Which parts of the migration are best owned by vendors through normal patch cycles, and which remain customer-owned engineering work? The operating model defines the labor allocation.
What forward signals from the cryptanalytic and hardware research community should accelerate migration timelines? Public Shor demonstrations at non-trivial scale, further qubit threshold reductions, and hardware platform milestones in trapped-ion or neutral-atom configurations are the leading indicators.

References & Change Log

Status

This entry is published under Active Research because the exposure class is current and the transition guidance is still evolving. It should not be read as an active campaign report, attribution assessment, vulnerability advisory, or IoC feed.

Review and revision triggers

This note will be revised on any of:

Material revision to NIST FIPS 203/204/205 or related implementation guidance.
CISA product-category list updates.
CNSA 2.0 deadline or algorithm guidance revisions.
NIST IR 8547 status changes.
New official intelligence community statements on long-term data collection or post-quantum threat posture.
Material revision to cryptanalytic resource estimates from peer-reviewed or industry-research sources.
Public demonstration of Shor’s algorithm at any cryptographically non-trivial scale.

Change log

v1.0 · May 2026. Initial publication.

References

National Institute of Standards and Technology. “NIST Releases First 3 Finalized Post-Quantum Encryption Standards.” FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), August 13, 2024. csrc.nist.gov/news/2024/postquantum-cryptography-fips-approved
Babbush, R., et al., with D. Boneh and J. Drake. The Quantum Threat to Elliptic Curve Cryptocurrencies: Resource Estimates, Vulnerabilities, and Mitigations. Google Quantum AI, March 2026.
Cain, M., Xu, Q., King, R., Picard, L., Levine, H., Endres, M., Preskill, J., Huang, H.-Y., and Bluvstein, D. Shor’s Algorithm is Possible with as Few as 10,000 Reconfigurable Atomic Qubits. Caltech / UC Berkeley / Oratomic, March 2026. arXiv preprint.
Mascelli, J., and Rodden, M. “Harvest Now Decrypt Later”: Examining Post-Quantum Cryptography and the Data Privacy Risks for Distributed Ledger Networks. Finance and Economics Discussion Series 2025-093, Board of Governors of the Federal Reserve System, September 2025. DOI: 10.17016/FEDS.2025.093
Trusted Computing Group. State of PQC Readiness 2025. Survey of 1,500 security professionals in the US, UK, and Europe, December 2025.
ISACA. Quantum Computing Pulse Poll. Survey of 2,600+ professionals globally, April 2025.

Classification note. This entry is published under Active Research because the exposure class is current and the transition guidance is still evolving. It should not be read as an active campaign report, attribution assessment, vulnerability advisory, or IoC feed.

Cross-references: Deretti Cyber Labs research notes — Operational Pitfalls in Hybrid PQC Deployment (forthcoming); PQC Is Not a Quantum Problem (deretti.net/writing). IR 2.0 framework: see Deretti Cyber Labs IR 2.0 canon for the underlying operational discipline.

Sense → Decide → Act → Learn. Disciplined urgency.