“Harvest now, decrypt later” (HNDL) is a strategy where attackers scan blockchains today and store all vulnerable public keys, waiting to crack them after a sufficiently powerful quantum computer arrives. About 6.9 million BTC (nearly one‑third of all mined bitcoins) are at risk – including Satoshi‑era coins on P2PK addresses (~1.7 million BTC) and coins on reused addresses that have ever been spent from. Cellframe is protected from this attack because it has used post‑quantum cryptography (NIST‑approved Falcon, CRYSTALS‑Dilithium, Kyber 512) since 2017, which remains secure even after Q‑day.
What Is “Harvest Now, Decrypt Later”?
HNDL is a strategy where attackers record and store encrypted data today to decrypt it later, when a sufficiently powerful quantum computer becomes available.
In the context of blockchain, this means: attackers are already scanning blockchains (Bitcoin, Ethereum, and others) and storing every public key that has ever been exposed. When a quantum computer reaches the required power, they simply take that pre‑harvested database and derive private keys in minutes.
| Aspect | Description |
|---|---|
| When harvesting starts | Right now – attackers are already collecting data |
| When it becomes dangerous | After a quantum computer capable of running Shor’s algorithm appears (estimate: 2029–2032) |
| What data is harvested | Public keys from P2PK addresses, reused addresses, Taproot addresses |
| What can be stolen | All coins on those addresses – without needing the owner to sign a new transaction |
The US Federal Reserve, in a September 2025 study, warned that once quantum computers arrive, all historical transaction confidentiality could be irreversibly broken – with consequences for user identification, transaction graph analysis, and proof of ownership of funds.
Which Wallets Are Vulnerable to HNDL?
Not all coins are vulnerable – only those whose public keys have already been exposed on the blockchain. There are three categories: P2PK addresses (Satoshi era), reused addresses, and Taproot addresses.
1. P2PK Addresses (Pay‑to‑Public‑Key)
This is the oldest Bitcoin address format, where the public key is written directly into the blockchain and is permanently visible. Satoshi‑era coins are stored on such addresses.
Researchers warn that about 1.7 million BTC stored on early P2PK addresses could be compromised once quantum hardware appears. Among these coins is the so‑called “Satoshi stash” (about 1.1 million BTC), which some estimate to be worth roughly $74 billion.
2. Reused Addresses
When you send funds from an address, its public key becomes visible to the network and stays on‑chain forever. By default, most wallets generate a new address for each transaction, but many users (and some exchanges) reuse addresses.
Funds are at risk only when public keys are exposed on‑chain. This includes legacy P2PK addresses, reused addresses, and previously spent outputs where public keys have been revealed.
3. Taproot Addresses (P2TR)
Paradoxically, Bitcoin’s 2021 privacy upgrade may have widened the attack surface. Taproot makes public keys visible by default, increasing the number of wallets exposed to quantum attack.
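The three categories above can be turned into a check a wallet owner runs over their own outputs. This is an added example, not code from the original article or from any project it mentions; `Utxo`, `key_revealed` and the sample values are assumptions made for illustration, and only the standard scriptPubKey templates are recognised.

```python
from typing import NamedTuple

class Utxo(NamedTuple):
    script_hex: str     # scriptPubKey, hex encoded
    sats: int           # value in satoshis
    key_revealed: bool  # True if this address has already signed a spend

def script_type(s: bytes) -> str:
    """Match the standard scriptPubKey templates by byte layout."""
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"    # <33/65-byte pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"   # only HASH160(pubkey) is on-chain
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh"    # only HASH160(redeem script) is on-chain
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"    # 32-byte output key sits in the output itself
    return "nonstandard"

def exposure(u: Utxo) -> str:
    """Map one output to the article's at-rest / on-spend categories."""
    kind = script_type(bytes.fromhex(u.script_hex))
    if kind in ("p2pk", "p2tr"):
        return "at-rest"             # key visible without any spend
    if kind == "nonstandard":
        return "unknown"             # needs manual review
    # Hashed outputs hide the key until the first spend; reuse reveals it.
    return "at-rest" if u.key_revealed else "on-spend-only"

def audit(utxos) -> dict:
    totals: dict = {}
    for u in utxos:
        cat = exposure(u)
        totals[cat] = totals.get(cat, 0) + u.sats
    return totals

# Constructed sample outputs; the key and hashes are filler bytes, not real.
FAKE_KEY = "02" + "11" * 32
SAMPLE = [
    Utxo("21" + FAKE_KEY + "ac", 5_000_000_000, False),   # P2PK
    Utxo("76a914" + "22" * 20 + "88ac", 150_000, True),   # reused P2PKH
    Utxo("0014" + "33" * 20, 80_000, False),              # unspent-from P2WPKH
    Utxo("5120" + "44" * 32, 20_000, False),              # P2TR
]
```

Calling `audit(SAMPLE)` gives the satoshi total per category; anything reported as `at-rest` is the balance to move first to an address that has never been spent from.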
Total Volume of Vulnerable Funds
| Source | Estimate of vulnerable BTC |
|---|---|
| Google Quantum AI (March 2026) | ~6.9 million BTC (about one‑third of total supply) |
| Bernstein (April 2026) | 1.7 million BTC in P2PK addresses at highest risk |
| Galaxy Digital / Project Eleven | up to 7 million BTC |
Google’s research highlights that about 6.9 million BTC are already in wallets where the public key has been exposed in some form. Of these, about 1.7 million BTC remain in legacy P2PK scripts where public keys are permanently visible on‑chain.
How Does the HNDL Attack Work in Practice?
Once a sufficiently powerful quantum computer exists, an attacker can derive the private key from a stored public key without waiting for the owner to make a transaction. This is called an “at‑rest” attack.
Google’s March 2026 white paper described two scenarios:
Scenario 1: At‑rest attack
The attacker scans the blockchain, finds all P2PK addresses and addresses with exposed public keys. Then, when a quantum computer becomes available, they compute the private keys and steal the coins. The owner does nothing – their coins simply vanish.
Scenario 2: On‑spend attack
When someone sends bitcoin, their public key becomes visible in the mempool. A fast‑enough quantum computer can use that information to derive the private key and redirect the funds. According to Google’s model, such a break would take about 9 minutes. Since Bitcoin’s average block confirmation time is about 10 minutes, the attacker has roughly a 41% chance to intercept the transaction before it is finalised.
| Parameter | Value |
|---|---|
| Time to break (fast‑clock) | ~9 minutes |
| Bitcoin block confirmation time | ~10 minutes |
| Probability of successful interception | ~41% |
| Physical qubits required | <500,000 |
| Logical qubits required | ~1,200–1,450 |
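Where a figure of about 41% comes from, as an added derivation that is not part of the original article: assume blocks arrive as a Poisson process, so the wait $T$ from broadcast to the next block is exponentially distributed with mean $\tau = 10$ minutes, and let the attacker need $t = 9$ minutes to derive the key.

$$P(T > t) = e^{-t/\tau} = e^{-9/10} \approx 0.407$$

This is consistent with the ~41% in the table. Because the exponential distribution is memoryless, the result does not depend on how long ago the previous block was found, and the probability falls as the attacker's break time $t$ grows relative to the block interval $\tau$.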
Why Are Even “Dead” Wallets Vulnerable?
The scariest part of HNDL is that coins can be stolen even if their owner never makes another transaction. It is enough that the public key was ever exposed.
Once a quantum computer becomes real:
- An attacker can derive the private key directly from public blockchain data.
- No need to wait for the owner to sign a transaction – the key is computed “offline”.
- Stolen coins can be moved without the owner’s knowledge.
Google describes the vulnerable supply as a “fixed, multi‑billion‑dollar target” if protocol changes are not implemented in time.
How Is Bitcoin Trying to Protect Against HNDL?
BIP‑360 and BIP‑361 propose a soft fork to migrate vulnerable coins to quantum‑resistant addresses, but these solutions do not protect against mempool attacks and require voluntary user participation.
BIP‑360 (February 2026) introduces a new output type called Pay‑to‑Merkle‑Root (P2MR) that removes the quantum‑vulnerable key path from Taproot addresses. However, it only protects new coins sent to new addresses – it does not solve the problem of already vulnerable UTXOs.
BIP‑361 (April 2026) proposes a three‑phase migration:
- Phase A (after 3 years): block transfers to vulnerable addresses
- Phase B (after 5 years): invalidate old signatures, freeze remaining coins
- Phase C (optional): recovery mechanism via ZK‑proofs
However, the proposal has faced harsh criticism from the community as “authoritarian and confiscatory”.
How Is Cellframe Protected Against HNDL?
Cellframe is one of the few platforms where an HNDL attack is fundamentally impossible. Post‑quantum cryptography (Falcon, CRYSTALS‑Dilithium, Kyber 512) protects all signatures and keys from day one, and public keys are never exposed in a vulnerable format.
1. NIST‑Approved Algorithms from Day One
Cellframe does not use ECDSA. Instead, since 2017 the platform has run on NIST‑approved post‑quantum algorithms: CRYSTALS‑Dilithium for blocks, Falcon for transactions, and Kyber 512 for channel encryption. Even when a quantum computer arrives, these algorithms remain secure.
2. Upgradable Cryptography Without Hard Forks
Cellframe addresses include an algorithm identifier. If any algorithm is ever compromised in the future, the network simply disables its ID – without stopping operations and without a hard fork.
3. Protection Against Data Harvesting
Because Cellframe does not use ECDSA, attackers cannot pre‑harvest vulnerable public keys – they simply do not exist in a format that Shor’s algorithm could break. The platform protects funds from quantum‑computer attacks, ensuring long‑term asset security.
4. Audits and Market Recognition
In August 2025, the Qverify audit confirmed that Cellframe’s implementation of post‑quantum algorithms complies with NIST standards. In April 2026, after Google Quantum AI’s white paper was published, the CELL token rose 50% as one of the few projects with real post‑quantum protection.
Comparison: HNDL Vulnerability Across Blockchains
| Blockchain | Vulnerable to HNDL | PQC in production | PQC audit | Migration status |
|---|---|---|---|---|
| Bitcoin | Yes (~6.9M BTC) | No | No | BIP‑360/361 (discussion) |
| Ethereum | Yes (all addresses) | No | No | EIP‑8141, plan by 2029 |
| Solana | Yes | No | No | TBD |
| Cardano | Partial (eUTXO) | No | No | TBD |
| Algorand | Partial (State Proofs) | Partial | No | In progress |
| Cellframe | No | Yes (Falcon, Dilithium, Kyber) | Qverify (Aug 2025) | Ready |
Glossary
| Term | Definition |
|---|---|
| HNDL (Harvest Now, Decrypt Later) | Strategy of storing encrypted data today to decrypt after a quantum computer becomes available. |
| At‑rest attack | Cracking static balances on addresses with already exposed public keys. |
| On‑spend attack | Intercepting a transaction in the mempool and cracking the private key before it is confirmed. |
| P2PK (Pay‑to‑Public‑Key) | An early Bitcoin address format where the public key is always visible on‑chain. Holds ~1.7 million BTC (Satoshi’s coins). |
| P2TR (Pay‑to‑Taproot) | Bitcoin Taproot addresses, where public keys are visible by default. |
| Shor’s algorithm | Quantum algorithm for integer factorisation and discrete logarithms – breaks ECDSA and RSA. |
| Post‑quantum cryptography (PQC) | Algorithms resistant to quantum computer attacks. Do not require quantum hardware. |
| CRYSTALS‑Dilithium / ML‑DSA | NIST standard for lattice‑based post‑quantum digital signatures. Cellframe’s primary algorithm. |
| Falcon / FN‑DSA | Compact lattice‑based post‑quantum signature algorithm. Used in Cellframe for transactions. |
| BIP‑360 | Bitcoin improvement proposal introducing P2MR addresses for quantum protection (does not protect against mempool attacks). |
| BIP‑361 | Three‑phase plan to migrate vulnerable bitcoins to quantum‑resistant addresses. |
Summary
The “harvest now, decrypt later” attack is not theory – it is happening right now. Attackers are scanning blockchains and accumulating public keys. About 6.9 million BTC are already sitting on vulnerable addresses, and when a quantum computer arrives (estimates: 2029–2032), those coins could be stolen without a single transaction from the owner.
Bitcoin and Ethereum are trying to patch the problem with BIP‑360 and roadmaps, but these are band‑aids on a fundamentally vulnerable architecture. They do not protect against mempool attacks and require millions of users to voluntarily migrate.
Cellframe, by contrast, was designed with post‑quantum protection from day one. It uses NIST‑approved algorithms (Falcon, CRYSTALS‑Dilithium), allows cryptography upgrades without hard forks, and has passed an external Qverify audit. In Cellframe, an HNDL attack is fundamentally impossible.
And when the quantum computer finally arrives, Cellframe will not have to catch up – it is already there.