
State Actors Are Collecting Encrypted Data Today for Quantum Decryption Tomorrow

The National Security Agency flagged harvest now, decrypt later as a live threat in September 2022. Blockchain transactions — broadcast to a public ledger, stored permanently, readable by anyone — are the ideal target for that strategy.

Key Takeaways

  • The National Security Agency (NSA) flagged "harvest now, decrypt later" as a threat in a September 2022 cybersecurity advisory (CNSA 2.0), recommending that all national security systems begin migrating to post-quantum cryptography by 2025.
  • Bitcoin and Ethereum public keys — once broadcast in a transaction — remain permanently visible on the blockchain, giving adversaries unlimited time to collect exposed keys and wait for quantum hardware capable of deriving private keys.
  • An estimated 6.9 million BTC ($690 billion) and the majority of Ethereum externally owned accounts with outgoing transactions already have public keys exposed on-chain, according to Deloitte and Ethereum Foundation researchers.

The NSA warned about HNDL attacks in a 2022 cybersecurity advisory

In September 2022, the NSA published the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), a set of binding requirements for cryptographic algorithms used in national security systems. The document did not speculate about distant timelines. It set a deadline: all national security systems must begin transitioning to post-quantum cryptography by 2025, with full migration to quantum-resistant algorithms expected by 2033.

The advisory addressed one scenario by name. "A CRQC could compromise the confidentiality of data that was previously encrypted with quantum-vulnerable algorithms," the document stated, referring to data captured and stored before a cryptographically relevant quantum computer (CRQC) exists. That scenario — known in the intelligence community as harvest now, decrypt later (HNDL) — had been discussed in classified settings for years before the 2022 advisory brought it into public policy.

Rob Joyce, former director of cybersecurity at the NSA, put the threat in plain terms during a 2023 conference appearance. "The data that is being exfiltrated today — encrypted or not — will be readable in the future," Joyce said. "Nation-states are absolutely collecting encrypted traffic with the expectation that it will become decryptable."

Blockchain data is public, permanent, and cannot be retroactively encrypted

Most HNDL discussions focus on intercepted network traffic: TLS sessions, VPN tunnels, encrypted emails. An adversary must first capture that traffic — through fiber taps, compromised routers, or lawful intercept programs — before it can be stored and decrypted later. Blockchains eliminate the interception step entirely.

Every Bitcoin and Ethereum transaction broadcasts the sender's public key to a network of thousands of nodes, each maintaining an identical copy of the ledger. That data is permanent. It cannot be deleted, redacted, or retroactively encrypted. An adversary does not need physical access to any cable or server to collect it. A standard archive node — available for public download from dozens of sources — contains the full history of every public key ever exposed through a transaction.

Dr. Michele Mosca, a quantum computing researcher at the University of Waterloo, described the dynamic in a 2024 paper. "Blockchain systems represent a uniquely attractive target for store-now-decrypt-later attacks because the data is already stored, publicly accessible, and economically valuable," Mosca wrote. Unlike intercepted corporate traffic — which may or may not contain something worth decrypting — a blockchain ledger maps directly to billions of dollars in transferable assets.

Exposed public keys on Bitcoin and Ethereum are already harvestable

A 2022 study by Deloitte estimated that 6.9 million BTC — then worth approximately $160 billion, now valued at roughly $690 billion — sit in addresses where the public key has been revealed on-chain. That figure includes 1.7 million BTC in legacy pay-to-public-key (P2PK) addresses from Bitcoin's earliest years and another 5.2 million BTC in addresses that have been reused after at least one outgoing transaction.

The exposure is not limited to Bitcoin. Ethereum's account model reveals the public key with every outgoing transaction from an externally owned account (EOA). Ethereum Foundation researchers have noted that the majority of active EOAs — accounts that have sent at least one transaction — have exposed their public keys. The total value at risk on Ethereum alone runs into hundreds of billions of dollars.

A CRQC operator in possession of a public key can run Shor's algorithm to derive the corresponding private key. The attack does not require brute force. It exploits the mathematical structure of the elliptic curve — a problem that classical computers cannot solve in reasonable time but that a sufficiently large quantum computer can crack in hours or minutes (depending on the qubit count and error-correction overhead).

Nation-state actors have the storage capacity and strategic patience

HNDL requires two resources: storage and time. The storage cost is trivial. A full Bitcoin archive node occupies approximately 600 GB. An Ethereum archive node runs to roughly 3 TB. Combined, the complete public-key dataset for both networks fits on a single consumer-grade hard drive costing less than $100.

Nation-state intelligence agencies operate storage infrastructure on a different scale entirely. The NSA's Utah Data Center, opened in 2014, was designed to store exabytes of intercepted communications. Blockchain data — a rounding error by comparison — could be archived alongside existing signals intelligence collections without any dedicated budget allocation or operational decision.

The strategic patience is equally unremarkable. Intelligence agencies routinely collect data for decades before it becomes actionable. Encrypted diplomatic cables from the Cold War were stockpiled by the NSA and later decrypted when cryptographic methods improved. The same institutional patience that drove those programs applies directly to harvested blockchain data. A Coinbase advisory board report from April 2026 observed that adversaries "have every incentive to collect exposed public keys now, given that the cost of collection is near zero and the potential payoff is measured in hundreds of billions."

HNDL makes the quantum threat immediate even without a working CRQC

The standard framing of the quantum threat focuses on a single question: when will a CRQC arrive? Estimates range from 5 years (John Martinis, Nobel laureate and former Google quantum lead) to 15 years (IBM's most conservative roadmap). HNDL makes that question secondary.

Mosca's inequality — a risk framework developed at the University of Waterloo — captures the problem in a formula. If the time needed to migrate a system to quantum-safe cryptography (migration time) plus the shelf life of the data exceeds the time until a CRQC becomes operational, the system is already at risk. For blockchain data, the shelf life is infinite. The data never expires. It sits on a public ledger, accumulating value, waiting.

That changes the math. Even if a CRQC is 10 years away, any public key exposed on-chain today is already "harvested" in the HNDL sense. The collection phase is complete the moment a transaction hits the mempool. No adversary action is required — the blockchain itself serves as the harvest database, open to anyone willing to run a node. "The distinction between a future threat and a present one collapses when the target data is already public," Mosca noted in a 2025 interview.

The only defense against HNDL is migrating keys before exposure occurs

HNDL cannot be defeated retroactively. Once a public key has been broadcast, no software update, hard fork, or protocol change can un-expose it. The cryptographic material is permanently embedded in the ledger. The only effective countermeasure is preventing exposure in the first place — or moving funds to addresses that have not yet revealed their public keys.

On Bitcoin, that means migrating to fresh pay-to-script-hash (P2SH) or pay-to-witness-public-key-hash (P2WPKH) addresses that have never sent a transaction. Funds sitting in those address types have their public keys hashed rather than exposed directly, adding one layer of pre-quantum defense. Taproot (P2TR) addresses offer a similar — though not identical — benefit by hiding the internal public key behind a tweaked output key until a script-path spend is performed.
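The following added example, which is not from the original article or from QuantumShield's tooling, audits a wallet's own unspent outputs against the categories described above: P2PK outputs (key in the output itself), hashed outputs whose script has already been spent from (key revealed by reuse), and hashed outputs that have never been spent from. The function names, the `spent_scripts` input and the sample scripts are assumptions constructed for illustration; output types other than the four matched are reported as unclassified.

```python
# Added example: audit your own UTXOs for on-chain public-key exposure.
# All sample scripts and amounts below are constructed for illustration.

def classify_script(script_hex: str) -> str:
    """Return the output type of a Bitcoin scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the public key is in the output
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    # P2WPKH: OP_0 <20-byte hash>
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def exposure_report(utxos, spent_scripts):
    """Sum satoshis per exposure status.

    utxos: iterable of (scriptPubKey hex, value in satoshis) still unspent.
    spent_scripts: scriptPubKeys that already appear as a spent input, meaning
    the key (or redeem script) was revealed by that earlier spend.
    """
    spent = {s.lower() for s in spent_scripts}
    totals = {"exposed_p2pk": 0, "exposed_reuse": 0, "hashed": 0, "unclassified": 0}
    for script_hex, sats in utxos:
        kind = classify_script(script_hex)
        if kind == "p2pk":
            totals["exposed_p2pk"] += sats      # key visible without any spend
        elif kind == "other":
            totals["unclassified"] += sats      # not assessed by this example
        elif script_hex.lower() in spent:
            totals["exposed_reuse"] += sats     # key revealed by a prior spend
        else:
            totals["hashed"] += sats            # only a hash is on-chain so far
    return totals

# Constructed sample data (placeholder keys and hashes, not real addresses).
P2PK = "41" + "04" + "11" * 64 + "ac"
REUSED_P2PKH = "76a914" + "22" * 20 + "88ac"
FRESH_P2WPKH = "0014" + "33" * 20
SAMPLE_UTXOS = [(P2PK, 5_000_000_000), (REUSED_P2PKH, 150_000),
                (REUSED_P2PKH, 50_000), (FRESH_P2WPKH, 700_000)]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, spent_scripts={REUSED_P2PKH}))
```

Outputs counted under `exposed_reuse` are the ones a fresh, never-spent address would move into the `hashed` bucket.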

On Ethereum, where every outgoing transaction exposes the sender's key, the path is harder. Account abstraction (ERC-4337) allows smart contract wallets to implement quantum-resistant signature schemes without waiting for a protocol-level hard fork. The Ethereum Foundation's "Splurge" roadmap includes quantum resistance as a long-term goal, but no binding timeline has been set.

Legacy P2PK coins on Bitcoin — including the estimated 1.1 million BTC attributed to Satoshi Nakamoto — cannot be migrated without the original private keys. If those keys have been lost, the funds remain exposed indefinitely. No governance mechanism or consensus upgrade can protect assets whose owners are unable to sign a migration transaction. The window for every other wallet holder depends on whether migration happens before a CRQC operator decides the stored keys are worth decrypting.


This article is part of QuantumShield's quantum computing wiki.

This is not financial advice. Data as of May 3, 2026.
