The Public Record That Signals a Classified Concern
In August 2015, the NSA's Information Assurance Directorate published a document titled "Commercial National Security Algorithm Suite and Quantum Computing FAQ." The document recommended that operators of national security systems pause new deployments of elliptic curve cryptography and prepare for migration to post-quantum alternatives.
This was not a routine advisory. The NSA had been an active advocate for elliptic curve cryptography for more than a decade, pushing Suite B algorithms including ECDSA and ECDH as the foundation for classified communications infrastructure. Reversing that recommendation publicly required a strong internal rationale. Intelligence agencies do not publish advisories about threats they are not taking seriously in classified contexts. The 2015 document is important precisely because of what it does not say. It does not describe a specific threat, a timeline, or the classified programs that informed the assessment. It simply tells the national security community to stop building on elliptic curves and start planning for something else.
CNSA Suite 2.0: The 2030 Deadline
In September 2022, the NSA published the Commercial National Security Algorithm Suite 2.0, known as CNSA 2.0. The document mandated adoption of post-quantum cryptographic algorithms for all national security systems and gave explicit timelines: software and firmware systems should be using CNSA 2.0 algorithms by 2025, with full transition completed by 2030.
The significance of the 2030 deadline is what it implies about the classified threat model. Government agencies do not mandate ten-year infrastructure migrations unless they have reason to believe the threat they are migrating away from will materialize within the planning horizon. CNSA 2.0 is not a precautionary measure against a risk that might emerge in fifty years. The 2030 deadline reflects an internal assessment that cryptographically relevant quantum hardware is plausible within that timeframe.
CNSA 2.0 specifically mandates CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for digital signatures, both of which are NIST-standardized post-quantum cryptography algorithms. These are the same algorithms that researchers have been advocating for general adoption. The difference is that for national security systems, adoption is now mandatory and on a fixed schedule.
GCHQ and the NCSC on Harvest Now, Decrypt Later
The UK's National Cyber Security Centre, the public-facing arm of GCHQ, has published explicit guidance on what it calls "store now, decrypt later" attacks. The NCSC guidance acknowledges that adversaries are actively collecting encrypted data today with the intention of decrypting it once quantum hardware matures.
The NCSC guidance is notable for its operational specificity. It does not frame harvest-now-decrypt-later as a theoretical future risk. It frames it as a current collection activity that organizations should assume is already underway. For a government signals intelligence agency to acknowledge this in public guidance, the classified picture must be considerably more detailed.
The harvest-now-decrypt-later strategy applies directly to blockchain data. Every transaction ever broadcast on Bitcoin, Ethereum, or any other major public blockchain is permanently recorded and publicly accessible. An adversary does not need to intercept anything — the data is already archived by thousands of full nodes. The collection problem is already solved. The only remaining variable is the decryption capability, and that is improving on a documented hardware curve.
China's Quantum Program: The Public Evidence
China has made quantum computing a national strategic priority in a way that few Western observers have fully internalized. The 14th Five-Year Plan designated quantum information science as a frontier technology requiring state-level investment. Public budget figures are incomplete by design, but academic publication volume provides a useful proxy: Chinese institutions now account for a substantial plurality of quantum computing papers published globally, and the share has been growing year over year.
The Micius satellite, launched in 2016, demonstrated quantum key distribution over satellite links at distances exceeding 1,200 kilometers. The Zuchongzhi processor series, developed by the University of Science and Technology of China, has produced benchmark results that compare directly with Google's Sycamore results from 2019. The Pan Jianwei group at USTC has consistently produced results that place China's quantum hardware within one to two years of the US frontier, based on published academic work.
The classified investment picture is almost certainly larger than what appears in academic journals. China's approach to technology development consistently combines published research with classified military programs, using the academic track to build the talent pipeline and industrial base that the classified track then draws on. Assuming that China's quantum computing capability is limited to what is described in its academic publications would be the same analytical error that Western intelligence made about China's nuclear program in the 1960s.
The Intelligence Logic: Why Blockchain Data Is a Target
Nation-state adversaries collect blockchain data for reasons that extend beyond the obvious interest in cryptocurrency values. Blockchain transaction graphs carry intelligence about financial relationships: who funded whom, what entities share wallet clusters, what time patterns appear in transaction flows. This kind of financial intelligence is exactly what signals intelligence agencies are mandated to collect.
The identities behind blockchain addresses are often obscured but not always. Transaction graph analysis, combined with exchange data obtained through legal process or intelligence operations, routinely de-anonymizes blockchain activity. A nation-state with access to Shor's-capable quantum hardware would not only be able to steal funds from exposed addresses. It would be able to retroactively derive private keys, construct additional transactions, and potentially rewrite the financial history of individuals or organizations whose blockchain activity had been collected years earlier.
The targeting logic is particularly acute for large, illiquid holdings. As documented in the Coinbase advisory board report, roughly 6.9 million BTC sit in addresses with permanently exposed public keys. These are essentially bearer instruments with known locations and knowable private keys once the quantum capability exists. They are a higher-value target than most traditional financial assets, which are protected by institutional custody structures that quantum key derivation does not directly attack.
Harvest Now, Decrypt Later as Operational Doctrine
What does harvest-now-decrypt-later look like as an operational program targeting blockchain networks? At minimum, it involves maintaining synchronized full nodes for major blockchain networks to ensure complete transaction history is archived. It involves monitoring mempools in real time to capture transaction data, including public keys visible in the witness data, before confirmation. It involves correlating transaction graphs with other intelligence sources to identify high-value targets. And it involves storing all of this data in a format that can be processed efficiently once quantum decryption capability is available.
None of this requires advanced technology. A full Bitcoin node archives the entire blockchain history. Running one requires a few hundred gigabytes of storage and a modest internet connection. Any nation-state running a serious signals intelligence program is almost certainly maintaining this capability for every major public blockchain. The data collection side of harvest-now-decrypt-later is operationally trivial. The bottleneck is the quantum hardware that will eventually be used to process the collected data.
The Snowden Precedent
In 2013, Edward Snowden's disclosures revealed that the NSA was operating bulk collection programs that the public had no knowledge of: PRISM, XKeyscore, MUSCULAR, and others. The programs had been classified for years, involved collection at a scale most experts had not believed was operationally feasible, and were known within the intelligence community but not publicly acknowledged.
The Snowden disclosures established something important for the current discussion: large-scale, technically sophisticated classified collection programs exist and operate for years before becoming public knowledge. The gap between what is publicly known and what classified programs are actually doing is not a gap that can be filled by inference from open sources alone.
Applied to quantum computing, the Snowden precedent suggests that the appropriate posture is not to assume classified quantum programs are roughly equivalent to publicly announced academic research. It is to assume that classified programs have access to resources, techniques, and results that the public academic literature does not reflect, and to calibrate risk accordingly.
Why the Crypto Industry Has Lagged
The gap between government advisories on quantum risk and the crypto industry's response is striking when laid out chronologically. The NSA published its first elliptic curve migration advisory in 2015. NIST launched its post-quantum standardization process in 2016. CNSA 2.0 was published in 2022. NIST finalized post-quantum standards in 2024. Throughout this period, no major blockchain protocol has deployed post-quantum signature schemes for user-facing transactions.
The reasons for this lag are partly structural: blockchain protocol changes require broad consensus among decentralized stakeholders and carry significant backward compatibility risks. They are partly cultural: the crypto industry has historically been skeptical of government threat assessments. And they are partly economic: the threat is not yet visible in a way that imposes immediate costs on holders or developers. The post-quantum migration problem for existing chains has no easy structural solution, which further delays action.
The structural lag means that even if the industry commits to post-quantum migration today, the deployment timeline for network-wide changes on major blockchains is measured in years. Bitcoin's Taproot upgrade, a far less disruptive change, took approximately four years from proposal to activation. A full post-quantum signature scheme migration would be considerably more complex.
Structural Immunity as the Only Complete Answer
Mitigation strategies for existing blockchain holders, including moving to fresh addresses and avoiding address reuse, reduce exposure but do not eliminate it. Every spend transaction reveals a public key in its witness data, even from a fresh address. That exposure is brief but real, and a sufficiently resourced adversary monitoring mempools captures it.
The only approach that eliminates the harvest-now-decrypt-later attack surface entirely is architecture that never places public keys on-chain at all. TADEQS implements this through parent/child key structures where spending transactions perform atomic key rotation without exposing the underlying key material. There is no public key in the transaction record for an adversary to harvest, now or later, regardless of when quantum hardware becomes available. Nation-state adversaries are patient. They collect data today that they plan to decrypt in ten or twenty years. The appropriate response is infrastructure that leaves nothing worth decrypting in the first place.
