Quantum Core Institute · harvest now, decrypt later
An adversary can record your encrypted traffic today and store it until a quantum computer can break it. So data with a long secrecy requirement is already at risk — the computer doesn't need to exist yet. That is what puts dates on the problem.
Mosca's rule: if your data's shelf life (X) plus the time to migrate to post-quantum crypto (Y) is greater than the years to Q-Day (Z), some of it gets exposed. X + Y > Z means trouble.
—
The timeline
A planning model, not a prediction. Q-Day timing is genuinely uncertain — estimates from NIST, IBM, Google, and others cluster around 2030–2035, but no one knows. Shelf life and migration time are your inputs and dominate the result. The point isn't the exact year; it's that data sent today with a long secrecy requirement is already exposed to harvesting, and migrating later can't unsend it. Not security or legal advice.
FAQ
Harvest-now-decrypt-later (HNDL) is an attack strategy where an adversary — typically a nation-state — captures and stores encrypted communications or blockchain data today, with the intention of decrypting it once they have access to a quantum computer capable of breaking the encryption.
Why this is relevant to Bitcoin specifically:
Bitcoin's blockchain is public. Every transaction, every address, every public key ever broadcast is permanently archived and trivially downloadable. An adversary doesn't need to intercept anything — the data is already available. Any address that has ever signed a transaction has its public key on the chain, and that public key is the input to Shor's algorithm.
The timeline problem:
The question isn't whether quantum computers can break Bitcoin's cryptography today — they can't. The question is whether they will be able to before you've migrated your holdings to quantum-resistant addresses. If the answer is yes, the adversary who harvested your public key years ago will be able to derive your private key and drain the address.
What "cryptographically relevant quantum computer" means:
A CRQC is a quantum computer with enough logical (error-corrected) qubits and low enough error rates to run Shor's algorithm against a 256-bit elliptic curve key in a meaningful time window. Current consensus estimates from NIST and CISA put this at 10–20 years, with wide uncertainty. Some estimates are shorter.
The migration response:
Moving coins from an exposed address (one that has broadcast its public key) to a fresh, never-signed address reduces the attack surface to the hash function layer, which Grover's algorithm weakens but does not break. This migration should happen before quantum capability arrives, not after — once a CRQC exists, the window to move may be very short.
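An exposure inventory for the migration response just described, as an added example (not code from the Quantum Core Institute tool). It applies the rule the FAQ states: an address that has ever signed a transaction has its public key on the chain, so any funds still sitting on it are the migration to-do list. The transaction records, address names and balances are constructed; the model assumes every output is hash-based (output types that embed a public key directly are outside it) and tracks balances by explicit input and output amounts rather than by individual UTXOs.

```python
"""Which of my addresses have already revealed their public key, and what still sits on them?

Added example, not the Quantum Core Institute tool's code.  Modeled rule (from the page):
an address that has spent, i.e. signed, has its public key on-chain.  Assumption: all
outputs are hash-based; output types that embed a public key directly are not modeled.
Balances are tracked from explicit spend/receive amounts (a simplification of UTXOs).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple[tuple[str, int], ...]    # (address that signed, satoshis consumed)
    receives: tuple[tuple[str, int], ...]  # (address receiving, satoshis created)


@dataclass
class AddressStatus:
    exposed: bool = False                # has signed, so its public key is public
    balance_sat: int = 0                 # funds still on the address
    reused_after_exposure: bool = False  # received again after its key was revealed


def inventory(history: list[Tx], owned: set[str]) -> dict[str, AddressStatus]:
    """Walk the history in chain order and classify each owned address."""
    status = {a: AddressStatus() for a in owned}
    for tx in history:
        for addr, sats in tx.spends:
            if addr in status:
                status[addr].exposed = True      # signing reveals the public key
                status[addr].balance_sat -= sats
        for addr, sats in tx.receives:
            if addr in status:
                if status[addr].exposed:
                    # Change or new payments landing on an already-exposed address
                    # re-create the exposure the migration was meant to remove.
                    status[addr].reused_after_exposure = True
                status[addr].balance_sat += sats
    return status


def migration_todo(status: dict[str, AddressStatus]) -> dict[str, int]:
    """Funds on exposed addresses: what should move to fresh, never-signed addresses."""
    return {a: s.balance_sat for a, s in status.items() if s.exposed and s.balance_sat > 0}


# Constructed sample history: addrA spends once (exposing its key) and takes change back.
HISTORY = [
    Tx("tx1", spends=(), receives=(("addrA", 100_000),)),
    Tx("tx2", spends=(("addrA", 100_000),), receives=(("addrB", 60_000), ("addrA", 39_000))),
    Tx("tx3", spends=(), receives=(("addrC", 20_000),)),
]
OWNED = {"addrA", "addrB", "addrC"}


if __name__ == "__main__":
    st = inventory(HISTORY, OWNED)
    for addr, s in sorted(st.items()):
        print(f"{addr}: exposed={s.exposed} balance={s.balance_sat} reused={s.reused_after_exposure}")
    print("migrate:", migration_todo(st))
```

The `reused_after_exposure` flag is the check worth keeping: a wallet that sends change back to the address it just spent from undoes the benefit of moving to a fresh address, so the inventory should flag it, not just the exposed balance.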
The timeline tool models this risk window against your current exposure profile.
Methodology
The tool applies Mosca's inequality to decide whether data being collected today is at risk of being decrypted once a cryptographically relevant quantum computer (CRQC) exists.
X = years data must remain confidential. Y = realistic migration time in your environment. Z = years until a CRQC. The verdict tells you whether to start now or whether you have slack.
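The X, Y, Z model from this section and the X + Y > Z rule stated earlier, carried through in code as an added example (not the Quantum Core Institute tool's own code). Beyond the bare inequality it reports how much past traffic is already exposed whatever you do now, how much traffic sent during a migration that starts today will still be exposed, and the latest year a migration can start; it also evaluates across a set of Q-Day estimates and keeps the most pessimistic verdict, since the timeline section calls Z the uncertain input. All numbers and year estimates in the block are constructed.

```python
"""Mosca planning model (X + Y > Z) with the uncertainty in Z made explicit.

Added example, not the Quantum Core Institute tool's code.  Years are counted from now;
data sent at time t with shelf life X must stay secret until t + X and is exposed to a
harvester if t + X > Z.  Input values and Q-Day year estimates below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    at_risk: bool                 # X + Y > Z
    latest_start_years: float     # Z - X - Y; <= 0 means migration must start now
    exposed_future_years: float   # years of traffic sent from now on that a harvester can wait out
    already_exposed_years: float  # years of past traffic exposed regardless of what you do now


def mosca(x_shelf_life: float, y_migration: float, z_years_to_crqc: float) -> Verdict:
    """Evaluate Mosca's inequality for one estimate of Z.

    Starting migration now, classical traffic is still sent until t = Y, so the last
    classical data is safe only if Y + X <= Z.  Starting at time s instead requires
    s <= Z - X - Y, which is the latest acceptable start.
    """
    latest_start = z_years_to_crqc - x_shelf_life - y_migration
    # Traffic sent in the migration window [0, Y] is exposed once t > Z - X.
    exposed_future = max(0.0, y_migration - max(0.0, z_years_to_crqc - x_shelf_life))
    # Traffic sent k years ago is exposed when X - k > Z: the last (X - Z) years of it.
    already_exposed = max(0.0, x_shelf_life - z_years_to_crqc)
    return Verdict(
        at_risk=latest_start < 0,
        latest_start_years=latest_start,
        exposed_future_years=exposed_future,
        already_exposed_years=already_exposed,
    )


def worst_case(x_shelf_life: float, y_migration: float,
               qday_years: list[int], now_year: int) -> Verdict:
    """Evaluate against several Q-Day year estimates; keep the most pessimistic verdict."""
    verdicts = [mosca(x_shelf_life, y_migration, q - now_year) for q in qday_years]
    return min(verdicts, key=lambda v: v.latest_start_years)


if __name__ == "__main__":
    # Constructed inputs: 10-year shelf life, 5-year migration, Q-Day between 2030 and 2035.
    v = worst_case(10, 5, [2030, 2032, 2035], now_year=2025)
    print(f"at_risk={v.at_risk} latest_start={v.latest_start_years:+.0f}y "
          f"future_exposed={v.exposed_future_years:.0f}y already_exposed={v.already_exposed_years:.0f}y")
```

Note the `already_exposed_years` term: once X exceeds the shortest Z you consider, part of the traffic you sent in past years is already beyond saving, which is the harvest-now point in numbers rather than in prose.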