Look, I don’t like to be the bearer of bad tidings, but hardly anyone I have talked to is doing anything about it at all, claiming it isn’t needed yet. Or as I like to term it “Don’t wait, procrastinate NOW”.
TL;DR
I wrote about it over a year ago, here. It isn’t a long article, but here’s the crux of it in plain business language:
“Information you store or transmit NOW which you protect using encryption, WILL be exposed in the post-quantum world UNLESS you change how you operate NOW”
Sophie Baskerville, 2025-11-04
This matters because some information needs to be kept secure for long periods. So if it is protected now with QVE (Quantum Vulnerable Encryption), then it may already be too late to change that to PQE (Post Quantum Encryption) because of the “Harvest Now, Decrypt Later” principle – I can take a copy of the QVE encrypted data, and in several years’ time get the data out. If the data should be kept secure for the lifetime of a patient, for example, then we are already running too late with this. HNDL gives the advantage to organisations with patience and deep pockets who can store data and wait until they can decrypt it.
Q-Day, the point when it becomes practical to decrypt QVE encrypted data, could be as soon as 2028–2030. It is most likely to fall in the ballpark of 2031–2035. And if we’re really lucky it might not be until 2040–2045. But even the worst case there is only 20 years away. If you have data, now, that is still sensitive in 20 years, then you already have a problem.
“You can’t win. You can’t break even. You can’t even quit the game”
If you have data that you delete when you’ve finished with it, your legal and regulatory requirements have been satisfied, right? No GDPR concerns if the data no longer exists, yeah?
Bzzzzt! Sorry!
Since one of the main controls you have is likely to be the encryption, HNDL is most likely possible – especially for a determined attacker. So deleting the data and deleting the crypto keys is not sufficient – because if I harvest a copy of the QVE encrypted data, I won’t need the keys to read it, eventually.
Remember Project Venona? That ran from 1943-02-01 until 1980-10-01.
“During the 37-year duration of the Venona project, the Signal Intelligence Service decrypted and translated approximately 3,000 messages. The signals intelligence yield included discovery of the Cambridge Five espionage ring in the United Kingdom, and also of Soviet espionage of the Manhattan Project in the US, known as Project Enormous. Some of the espionage was undertaken to support the Soviet atomic bomb project. The Venona project remained secret for more than 15 years after it concluded.”
— Wikipedia, on “Project Venona”
“No one wants our data that badly”
If you GENUINELY believe that, then all I can do is refer you to the now sadly deceased El Risitas, because I can’t help you beyond this.
Call To Action
I usually hate such terms, but really, now, it is beyond time to be acting.
So what is YOUR organisation doing to prepare?
I’ll leave with some of the words from “Time for Action” by Secret Affair (no, really!)
So take me to your leader
Because it’s time you realised
That this is the time
This is the time for action (time for action)
This is the time to be seen (time to be seen)
This is the time for action
Time to be seen
They can laugh in our face
‘Cause we know we’re right
Secret Affair, “Time for Action”

