Abstract
Key Points at a Glance
- Key exchange protects data after the session ends; signatures only matter during the handshake moment.
- HNDL attacks target confidentiality (key exchange), not authentication (signatures)—attackers store encrypted traffic today to decrypt later.
- Migrating key exchange is time-sensitive; signature migration has more runway because breaking a signature years later doesn't expose past session keys.
- TLS 1.3 already supports hybrid key exchange (X25519 + ML-KEM-768) that provides quantum resistance today.
- RSA/ECDSA signatures remain practical until real-time quantum attacks become feasible—but keep certificate lifetimes short.
The Two Cryptographic Pillars of TLS 1.3
Every time your browser connects to a secure website, TLS 1.3 performs two fundamentally different cryptographic operations. Understanding the distinction is crucial for grasping why quantum threats affect them differently.
[Comparison table, of which only the post-quantum row survived extraction: key exchange, post-quantum: ML-KEM-768; digital signatures, post-quantum: ML-DSA, SLH-DSA]
Key exchange (typically using ECDH with the X25519 curve) creates an ephemeral shared secret. Both parties derive encryption keys from this secret, and all subsequent communication is encrypted. The beauty of this approach—called forward secrecy—is that even if someone steals the server's long-term private key later, they cannot decrypt past sessions because each session used a unique ephemeral key.
Digital signatures (RSA or ECDSA) handle authentication. The server signs the handshake transcript with its private key, and the client verifies this signature using the public key from the server's certificate. This proves the client is talking to the genuine server, not an impostor.
The Harvest Now, Decrypt Later Threat
The "harvest now, decrypt later" (HNDL) attack is perhaps the most insidious quantum threat we face. Unlike traditional cyberattacks that seek immediate gain, HNDL is a long game: adversaries passively collect encrypted traffic today and archive it, betting that future quantum computers will break the encryption.
Intelligence agencies and security researchers confirm this is already happening. Internet route hijacks have diverted massive volumes of encrypted traffic through adversary-controlled networks. The encrypted data is useless today—but could become a goldmine when cryptographically relevant quantum computers (CRQCs) arrive.
But here's the critical insight: HNDL is fundamentally a confidentiality attack. Attackers want to read your encrypted data. This means the threat specifically targets the key exchange mechanism, not the signature mechanism.
Why HNDL Affects Key Exchange and Signatures Differently
To understand the asymmetric impact, consider what happens when a quantum computer eventually breaks each mechanism:
The key insight is that signatures are ephemeral verifications. Once the handshake completes and both parties have authenticated, the signature has done its job. Breaking the signature algorithm ten years later doesn't let an attacker recover session keys—because session keys were derived from the key exchange, not the signature.
In contrast, key exchange secrets persist in the encrypted traffic. Every byte of encrypted data transmitted over the session was protected by keys derived from the Diffie-Hellman exchange. If an attacker can recover the shared secret, they can decrypt everything.
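To make the asymmetry described in the last two paragraphs concrete, here is an added toy simulation (not code from the article) of a TLS 1.3-style session: an ephemeral Diffie-Hellman exchange, a server signature over the handshake transcript, and one encrypted record that a passive observer archives. Every parameter is constructed and deliberately weak (a 31-bit DH group, textbook RSA with small primes, an HMAC-based toy stream cipher) so that a brute-force discrete log can stand in for a future CRQC. A leaked long-term signing key lets the attacker forge fresh handshakes but recovers nothing from the archive; a broken key exchange recovers the plaintext.

```python
"""Added toy model of a TLS 1.3-style session: ephemeral DH key exchange,
a server signature over the transcript, one encrypted record.  Every
parameter is a constructed, deliberately weak toy value (not real TLS)."""
import hashlib
import hmac
import math
import secrets

# Toy DH group (constructed): p = 2^31 - 1 is prime and 7 is a primitive
# root.  It is tiny so that a brute-force discrete log can play the CRQC.
P = 2**31 - 1
G = 7
# Toy RSA parameters (constructed small primes, textbook RSA, no padding).
RSA_P, RSA_Q, RSA_E = 1_000_000_007, 998_244_353, 65537

def rsa_keygen():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)          # (public, private)

def transcript_hash_int(transcript: bytes) -> int:
    # Truncated to 56 bits so the toy hash is below the toy modulus (~1e18).
    return int.from_bytes(hashlib.sha256(transcript).digest()[:7], "big")

def rsa_sign(priv, transcript: bytes) -> int:
    n, d = priv
    return pow(transcript_hash_int(transcript), d, n)

def rsa_verify(pub, transcript: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == transcript_hash_int(transcript)

def transcript_bytes(client_share: int, server_share: int) -> bytes:
    return client_share.to_bytes(4, "big") + server_share.to_bytes(4, "big")

def derive_key(shared_secret: int) -> bytes:
    # HKDF-Extract-like step: TLS 1.3 feeds the DH secret into HKDF.
    return hmac.new(b"toy-tls13-salt", shared_secret.to_bytes(4, "big"),
                    hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode, XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def run_session(server_pub, server_priv, plaintext: bytes) -> dict:
    """Handshake plus one record.  Returns only what a passive eavesdropper
    can archive: the two public shares, the signature and the ciphertext."""
    a = secrets.randbelow(P - 2) + 2        # client ephemeral secret
    b = secrets.randbelow(P - 2) + 2        # server ephemeral secret
    client_share, server_share = pow(G, a, P), pow(G, b, P)
    transcript = transcript_bytes(client_share, server_share)
    sig = rsa_sign(server_priv, transcript)
    if not rsa_verify(server_pub, transcript, sig):
        raise RuntimeError("authentication failed")
    shared = pow(server_share, a, P)         # client side; server gets the same
    assert shared == pow(client_share, b, P)
    return {"client_share": client_share, "server_share": server_share,
            "signature": sig,
            "ciphertext": keystream_xor(derive_key(shared), plaintext)}

def attacker_with_signing_key(archive: dict, server_pub, server_priv) -> dict:
    """Signature break years later: the attacker can forge new handshakes
    (future impersonation), but the only archived value that depends on the
    signing key is the signature, and inverting it yields the transcript
    hash, which was public all along.  No session key, no plaintext."""
    n, e = server_pub
    inverted = pow(archive["signature"], e, n)
    public_anyway = transcript_hash_int(
        transcript_bytes(archive["client_share"], archive["server_share"]))
    assert inverted == public_anyway
    forged = rsa_sign(server_priv, b"attacker-chosen transcript")
    return {"can_forge": rsa_verify(server_pub, b"attacker-chosen transcript", forged),
            "plaintext": None}

def discrete_log(target: int, g: int = G, p: int = P) -> int:
    """Baby-step giant-step.  Feasible only because the toy group is tiny;
    it stands in for Shor's algorithm against real X25519/ECDH."""
    m = math.isqrt(p) + 1
    table, cur = {}, 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    step, gamma = pow(g, -m, p), target
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    raise ValueError("no discrete log found")

def attacker_with_dh_break(archive: dict) -> bytes:
    """Key-exchange break: recover the client's ephemeral secret from its
    public share, rebuild the session key and decrypt the archived record."""
    a = discrete_log(archive["client_share"])
    shared = pow(archive["server_share"], a, P)
    return keystream_xor(derive_key(shared), archive["ciphertext"])

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    archive = run_session(pub, priv, b"constructed secret payload")
    print(attacker_with_signing_key(archive, pub, priv))
    print(attacker_with_dh_break(archive))
```

The toy mirrors only the data dependencies that matter for HNDL: nothing in the archive is a function of the signing key, whereas every ciphertext byte is a function of the ephemeral shared secret. Real TLS 1.3 signs the full transcript hash with padded RSA-PSS or ECDSA and runs the secret through HKDF and an AEAD, which changes none of those dependencies.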
Migration Priority: Key Exchange First
This asymmetry has profound implications for post-quantum migration planning. Consider the timeline:
Industry experts and government bodies like the BSI and NSA have explicitly prioritised key exchange migration. The good news: hybrid key exchange is already available. TLS libraries and major browsers now support the X25519MLKEM768 group, combining classical X25519 with post-quantum ML-KEM-768.
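A defender who wants to know whether their clients actually offer the hybrid group can inspect the ClientHello on the wire. The following is an added Python example, not code from the article or from any TLS library: it builds constructed ClientHello messages (zero random, zero-filled placeholder key shares) and parses the supported_groups and key_share extensions. The codepoints 0x11EB (SecP256r1MLKEM768), 0x11EC (X25519MLKEM768) and 0x11ED (SecP384r1MLKEM1024) are the values from the IETF ecdhe-mlkem draft; 0x6399 is the earlier pre-standard X25519Kyber768Draft00 codepoint.

```python
"""Added audit helper (not from the article or any TLS library): parse a
TLS 1.3 ClientHello and report whether a hybrid post-quantum group is
offered and, just as important, whether a key_share for it is sent."""
import struct

# Named group codepoints.  Hybrid values are those from the IETF
# ecdhe-mlkem draft; 0x6399 is the earlier pre-standard X25519Kyber768Draft00.
GROUP_NAMES = {
    0x0017: "secp256r1", 0x001D: "x25519",
    0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024", 0x6399: "X25519Kyber768Draft00",
}
HYBRID_GROUPS = {0x11EB, 0x11EC, 0x11ED, 0x6399}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def build_client_hello(groups, key_shares) -> bytes:
    """Constructed minimal ClientHello (zero random, one cipher suite, only
    the two extensions this audit reads).  key_shares: [(group, bytes)]."""
    def ext(ext_type, body):
        return struct.pack("!HH", ext_type, len(body)) + body
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b"".join(struct.pack("!HH", g, len(s)) + s for g, s in key_shares)
    extensions = (ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(sg)) + sg)
                  + ext(EXT_KEY_SHARE, struct.pack("!H", len(ks)) + ks))
    body = (b"\x03\x03" + bytes(32)            # legacy_version, random
            + b"\x00"                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"               # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes):
    """Return (supported_groups in preference order, {group: share length})."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                 # skip legacy_version + random
    pos += 1 + body[pos]                         # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                         # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    groups, shares = [], {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0]
                      for i in range(2, 2 + n, 2)]
        elif etype == EXT_KEY_SHARE:
            n, i = struct.unpack("!H", data[:2])[0], 2
            while i < 2 + n:
                g, length = struct.unpack("!HH", data[i:i + 4])
                shares[g] = length
                i += 4 + length
    return groups, shares

def audit_client_hello(record: bytes) -> dict:
    groups, shares = parse_client_hello(record)
    hybrid = [g for g in groups if g in HYBRID_GROUPS]
    return {
        "groups": [GROUP_NAMES.get(g, hex(g)) for g in groups],
        "offers_hybrid": bool(hybrid),
        # Offering a group without a key_share costs a HelloRetryRequest
        # round trip before the hybrid exchange can happen.
        "hybrid_key_share": any(g in shares for g in hybrid),
        # Order matters: many servers honour the client's preference order.
        "hybrid_first": bool(groups) and groups[0] in HYBRID_GROUPS,
    }

# Constructed samples: zero-filled placeholder shares of realistic length
# (1216 bytes = ML-KEM-768 encapsulation key 1184 + X25519 share 32).
HYBRID_HELLO = build_client_hello([0x11EC, 0x001D],
                                  [(0x11EC, bytes(1216)), (0x001D, bytes(32))])
LEGACY_HELLO = build_client_hello([0x001D, 0x0017], [(0x001D, bytes(32))])

if __name__ == "__main__":
    print(audit_client_hello(HYBRID_HELLO))
    print(audit_client_hello(LEGACY_HELLO))
```

Run against real captures (the first handshake record of a pcap, for example) the three flags separate "hybrid not offered at all", "offered but only after a HelloRetryRequest" and "hybrid will be negotiated on the first flight", which is the state you want for every client whose traffic could be harvested.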
Your Data's Lifespan Determines Your Urgency
Not all data faces equal risk. The critical question is: how long must your data remain confidential? If the answer exceeds the expected timeline for quantum computers, you should already be deploying post-quantum key exchange.
[Figure caption] Red line indicates the estimated quantum computer timeline (~2030-2035). Data with lifespans extending beyond this point is at risk from HNDL attacks.
Why RSA and ECDSA Signatures Can Wait (But Not Forever)
Given the discussion above, you might wonder: can we ignore post-quantum signatures entirely? Not quite. While the urgency is lower, there are still reasons to plan ahead:
- Real-time impersonation attacks: Once quantum computers can break RSA/ECDSA in real-time, attackers could forge certificates and impersonate legitimate servers. This is a future threat, not a retrospective one.
- Long-lived root CA certificates: Root certificates often have 20+ year validity periods. If quantum computers arrive during their validity window, the entire PKI trust chain could be compromised.
- Migration complexity: Post-quantum signatures (like ML-DSA) have significantly larger keys and signatures, requiring infrastructure updates. Starting early avoids a rushed transition.
The practical advice: keep certificate lifetimes short (one year or less for end-entity certificates), monitor the NIST PQC standardisation process, and ensure your infrastructure can adapt when post-quantum signatures become practical.
The Path Forward
The good news is that the cryptographic community has already done the hard work. NIST standardised ML-KEM (FIPS 203) in 2024, and hybrid key exchange combining X25519 with ML-KEM-768 is already supported by major browsers, cloud providers, and TLS libraries.
For a detailed technical walkthrough of implementing hybrid TLS, see our article on TLS 1.3 Quantum Vulnerabilities and Hybrid Defences.
Related Resources
Ready to go deeper? Explore our other articles on post-quantum cryptography: Harvest Now, Decrypt Later, and TLS 1.3 Hybrid Defences.