RankShield Legal
Citation checker Request access
Quantum-Safe Law

Harvest Now, Decrypt Later: Why Law Firms Need Post-Quantum Encryption

Post-quantum encryption matters to law firms because attorney-client privilege and trade secrets never expire. An adversary can steal encrypted files today and decrypt them years later once quantum computing catches up. This is a future risk being prepared for, not a present capability, but legal data with decades-long confidentiality is a prime target. NIST has finalized the standards firms will need.

By Jamie Kloncz, Founder, RankShield 15 min read Published

Post-quantum encryption matters to law firms because attorney-client privilege and trade secrets never expire. An adversary can steal encrypted files today and decrypt them years later once quantum computing catches up. This is a future risk being prepared for, not a present capability, but legal data with decades-long confidentiality is a prime target. NIST has finalized the standards firms will need.

This article explains the threat, why the legal profession sits at the sharp end of it, what the U.S. National Institute of Standards and Technology (NIST) has already published, and how a firm can start ranking and protecting its most durable secrets. It is written to be plain and honest about what is known, what is anticipated, and what does not exist yet. It is general information and not legal advice.

The attack that targets permanent secrets

Harvest now, decrypt later separates the moment of theft from the moment of decryption. The ciphertext is copied today and read later, which is why data that must stay secret for decades is the natural target.

Harvest now, decrypt later (HNDL) is a strategy where an adversary records encrypted traffic or copies encrypted files today, stores them, and waits to decrypt them once quantum computing becomes capable. The data is unreadable at the moment of theft, so the breach can go unnoticed. What makes the tactic viable is patience: the attacker is not betting on breaking encryption now, but on breaking it later.

The structure of the attack is what makes it unusual. Most security thinking assumes that an intrusion either succeeds or fails at the moment it happens, and that data protected by strong encryption stays protected. HNDL breaks that assumption by separating the theft from the payoff. The theft can happen this year with today's tools, quietly, while the payoff waits for a capability that has not yet arrived. Because the stolen material looks like meaningless ciphertext at the time it is copied, there may be no alarm, no ransom demand, and no obvious sign that anything of value has left the building.

HNDL specifically threatens data with long confidentiality lifetimes. Information that must stay secret for a few weeks is a poor target, because the payoff arrives too late to matter. Information that must stay secret for a decade or more is an excellent target, because it retains its value long enough for the decryption capability to arrive. That timing mismatch is the entire premise of the attack, and it is why some categories of data are exposed while others are not.

Why legal data is uniquely exposed because privilege never expires

Legal data sits at the extreme end of the confidentiality-lifetime spectrum, which makes it a prime HNDL target. Attorney-client privilege and trade secrets do not expire. A sealed settlement, an M&A negotiation, an intellectual-property portfolio, or a long-lived dispute must stay confidential for decades, well past any near-term cryptographic transition window.

Consider what a law firm holds: privileged communications that remain protected indefinitely, trade secrets whose value depends on never being disclosed, and matter files that outlive the engagements that created them. An adversary who harvests these encrypted records today does not need to read them this year. They only need the confidentiality obligation to still be in force when decryption becomes possible, and for legal data that obligation rarely lapses. The duty to safeguard client secrets does not end when a matter closes, so the exposure window stays open far longer than it does for most other industries.

This is the part that distinguishes a law firm from many of the businesses it advises. A retailer's payment data loses much of its value within a short window. A firm's obligation to protect a client's privileged communications does not run on a timer. The material that a firm is ethically and legally bound to keep confidential is often the same material that would be most damaging if it surfaced years from now, which means the value of the secret and the duration of the duty rise together. That alignment is exactly the profile HNDL is built to exploit.

The timing mismatch that decides who is at risk

Whether a given record is a plausible HNDL target comes down to a simple comparison. On one side is how long the information must stay secret. On the other is how long it might take for a machine capable of decrypting today's encryption to exist. When the required secrecy is short, the attack does not pay off and the data is a poor target. When the required secrecy stretches across decades, the data stays valuable long enough to be worth storing and waiting on.

Ranking records this way turns an abstract worry into an ordinary risk-management exercise. Instead of asking whether quantum computing is frightening in the abstract, a firm can ask a concrete question about each class of data: how long are we obligated to keep this confidential, and does that duration overlap the window in which decryption might become feasible. Legal work produces an unusually high share of records where the answer is measured in decades.

Confidentiality lifetimeHNDL exposure
Short (weeks)Low. The payoff arrives too late to matter, so the data is a poor target.
Medium (a few years)Moderate. Value may fade before decryption becomes feasible.
Long (a decade or more)High. The record still holds value when the capability arrives.
Indefinite (privilege, trade secrets)Highest. The duty rarely lapses, so the exposure window stays open.

The rows describe the timing logic of the attack, not measured breach statistics. The point is that exposure rises with how long a record must stay secret.

What NIST has done: standards and the 2030-2035 deprecation timeline

NIST has moved post-quantum cryptography from research into published standards. On August 14, 2024, NIST finalized FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), its post-quantum digital-signature standards, alongside FIPS 203 (ML-KEM) for key encapsulation [5]. These are the algorithms organizations are expected to adopt as classical cryptography is phased out.

The significance of these documents is that they end the guesswork about which algorithms to use. Before the standards existed, an organization that wanted to prepare for the quantum transition faced a research problem: which candidate algorithm would survive scrutiny, and would picking one leave it stranded. With FIPS 203, FIPS 204, and FIPS 205 finalized, the signature and key-encapsulation algorithms are named, specified, and available to build on [5]. The question shifts from what to adopt to when and how to migrate.

NIST has also set a transition timeline. In draft IR 8547 (November 2024), it indicates that RSA and ECDSA at the 112-bit-equivalent security level, such as RSA-2048 and ECC P-256, are to be deprecated after 2030 and disallowed after 2035 [6]. For legal data that must stay confidential for decades, those dates are not distant. Files harvested today are meant to remain sealed well beyond 2035, which places them squarely inside the window the timeline is designed to address. The standards exist now; the migration clock is the part that is already running.

Aug 14, 2024 NIST finalized FIPS 203, FIPS 204, and FIPS 205, its post-quantum standards [5].
RANKSHIELD LEGAL Post-Quantum Encryption for Law Firms Why privilege that never expires needs quantum-safe protection Aug 14, 2024 NIST finalized FIPS 203, 204, and 205 Post-quantum standards2030 Classical algorithms deprecated after Draft NIST IR 85472035 Classical algorithms disallowed after Draft NIST IR 8547HNDL Harvest now, decrypt later threat to durable secrets RankShield Legal rankshieldlegal.com
Source: NIST FIPS 203/204/205; IR 8547 (2024)

Reading the deprecation dates the way a firm should

The draft IR 8547 dates are worth reading carefully, because deprecation and disallowance are not the same event and they land on different sides of the confidentiality problem [6]. Deprecation after 2030 signals that the classical algorithms named there are on their way out. Disallowance after 2035 signals the end of their sanctioned use. For a record that only needs to stay secret for a short time, these dates are administrative. For a record that must stay sealed for decades, they mark the point by which the protection wrapped around it should already have been replaced.

The migration is easiest to think about in ordered steps rather than as a single switch. The following sequence follows the logic NIST's standards and timeline set out, applied to a firm's own records [5][6].

  1. Locate the durable recordsIdentify the data whose confidentiality obligation runs for a decade or more, since that is what HNDL targets first.
  2. Map the current protectionNote where classical algorithms such as RSA-2048 or ECC P-256 protect those records, because those are the ones NIST marks for deprecation after 2030 and disallowance after 2035 [6].
  3. Adopt the standardized algorithmsMove the most durable protections onto the NIST-standardized post-quantum algorithms, ML-DSA and SLH-DSA, published in FIPS 204 and FIPS 205 [5].
  4. Keep the migration clock in viewTreat the 2030 and 2035 dates as the outer boundary for records that must stay sealed well beyond them, not as a deadline that can be met at the last minute.

What "quantum-safe" does and does not mean

Quantum-safe means designed to resist a future quantum computer. It is not the same as quantum-proof, and no cryptographically relevant quantum computer exists yet.

"Quantum-safe" means cryptography designed to resist attack by a future quantum computer. It does not mean "quantum-proof," and the distinction is deliberate. A cryptographically relevant quantum computer (CRQC), one powerful enough to break today's classical encryption, does not exist yet. The threat is anticipatory: prepare confidentiality now so it survives the transition, rather than react after a capability arrives.

The word choice carries weight, so it is worth being precise. "Quantum-safe" is a claim about design intent and resistance, not a guarantee of permanent invulnerability. Cryptography is a moving field, and describing an algorithm as designed to resist quantum attack is an honest statement, while calling it "quantum-proof" would overstate what anyone can promise. A firm evaluating its own posture, or a vendor's, is better served by the more modest and more accurate framing.

Two common points of confusion are worth clearing up. First, post-quantum cryptography (PQC) means algorithms like ML-DSA and SLH-DSA that run on ordinary computers and resist quantum attack [5]. Second, quantum random number generation (QRNG) and quantum key distribution (QKD) are separate technologies and are not PQC; they should not be treated as substitutes for the standardized post-quantum algorithms. When a firm evaluates "quantum" security claims, the relevant question is whether the vendor uses the NIST-standardized post-quantum signature and encapsulation algorithms.

Why QRNG and QKD are not post-quantum cryptography

The overlap in vocabulary causes real confusion, so this point deserves its own space. Quantum random number generation and quantum key distribution both use the word "quantum," and both relate to security, but neither is post-quantum cryptography. PQC refers to the standardized algorithms, such as ML-DSA and SLH-DSA, that run on ordinary computers and are designed to resist quantum attack [5]. QRNG and QKD are separate technologies that address different problems and should not be treated as substitutes for those algorithms.

The practical consequence is that a claim built on QRNG or QKD does not answer the question a firm actually needs answered. The material question is whether the signatures and key encapsulation protecting durable legal records are built on the NIST-standardized post-quantum algorithms. A vendor can offer something genuinely described as "quantum" and still not be using PQC, which is why the vocabulary alone is not enough to judge a claim.

Reading vendor "quantum" claims without being misled

Because the terms are easy to blur, the sensible way to evaluate any "quantum" security claim is to reduce it to a single question: does the offering use the NIST-standardized post-quantum signature and encapsulation algorithms. That question cuts through the marketing. It does not ask whether a product sounds advanced or whether it invokes quantum physics. It asks whether the specific, published algorithms, ML-DSA, SLH-DSA, and ML-KEM, are the ones doing the work [5].

Framing the evaluation this way also keeps a firm honest about its own claims. It is tempting to describe a protection as "quantum-proof" or to lean on the strongest-sounding label available. The accurate posture is narrower and more defensible: the protection is designed to resist a future quantum computer, it is built on the standardized post-quantum algorithms, and it exists because the threat is anticipatory rather than present. A claim held to that standard survives scrutiny.

  • Ask whether the NIST-standardized post-quantum algorithms (ML-DSA, SLH-DSA, ML-KEM) are actually in use [5].
  • Treat "quantum-safe" as a design claim about resistance, not a guarantee of permanent invulnerability.
  • Do not accept QRNG or QKD as evidence of post-quantum cryptography; they are separate technologies.
  • Be wary of "quantum-proof" and similar superlatives, since no cryptographically relevant quantum computer exists yet.

Building a confidentiality inventory ranked by lifetime

Firms can begin by mapping which legal data carries the longest confidentiality obligations, because that is what HNDL targets first. Privileged communications, sealed settlements, trade secrets, and long-lived matter files are the highest priority, since their protection must hold well past the 2030-2035 window NIST has outlined [6]. Ranking data by how long it must stay secret turns an abstract quantum risk into a concrete inventory.

An inventory built this way does two useful things at once. It converts a hard-to-picture future threat into a list a firm can actually work from, and it sets the migration order. The records with indefinite confidentiality duties move first, because they are the ones whose exposure window stays open the longest and whose value survives until a decryption capability could plausibly exist. Everything with a shorter duty can follow behind them.

  • Privileged communications, protected for as long as the privilege holds.
  • Sealed settlements that are meant to stay sealed indefinitely.
  • Trade secrets whose value depends on never being disclosed.
  • Long-lived matter files that outlive the engagements that created them.

How firms can start migrating legal confidentiality to post-quantum

From the inventory, the practical step is adopting cryptography built on the NIST-standardized post-quantum algorithms for the certifications, attestations, and records that must survive the transition [5]. RankShield Legal signs and seals certifications and attestations with post-quantum cryptography (ML-DSA and SLH-DSA) so that legal confidentiality holds against future quantum decryption. The goal is not to predict when a CRQC arrives, but to ensure that when it does, the firm's most durable secrets were never exposed to the harvest.

Stated plainly, the posture is anticipatory and bounded. No one can name the day a cryptographically relevant quantum computer will exist, and this work does not depend on naming it. It depends only on the observation that legal confidentiality obligations routinely outlast the transition NIST has already scheduled, and on the fact that the standardized algorithms to carry those obligations forward now exist [5][6]. Migrating the most durable records first is a reasonable response to a risk that is easy to prepare for and hard to reverse once a record has already been harvested.

This article is general information about post-quantum encryption and is not legal advice. A firm should evaluate its own confidentiality obligations and security posture with qualified counsel and technical advisers.

Test yourself

Test yourself on quantum-safe confidentiality

Four questions on the threat, the standards, and the honest limits of the terms.

  1. 1What is harvest now, decrypt later?

    Answer: Stealing encrypted data today to decrypt once quantum computing catches up

    HNDL separates the moment of theft from the moment of decryption. Ciphertext copied today is read later, which is why data that must stay secret for decades is the natural target.

  2. 2When did NIST finalize its post-quantum standards FIPS 203, 204, and 205?

    Answer: August 14, 2024

    NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) effective August 14, 2024.

  3. 3Under draft IR 8547, what happens to RSA-2048 and ECC P-256?

    Answer: Deprecated after 2030 and disallowed after 2035

    Draft IR 8547 indicates these 112-bit-equivalent classical algorithms are to be deprecated after 2030 and disallowed after 2035.

  4. 4Which statement about quantum-safe is accurate?

    Answer: It means designed to resist a future quantum computer; no CRQC exists yet

    Quantum-safe is a design claim about resistance, not a guarantee. No cryptographically relevant quantum computer exists yet, and QRNG and QKD are separate technologies, not PQC.

Honest self-check. There is no sign-up, and nothing is stored.

Questions answered

Straight answers to the common questions

The questions readers ask about this topic, answered directly. No forms, no sales pitch.

JAMIE KLONCZ · SEO AGENCY NAPLES ONLINE

Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

REQUEST ACCESS →

References

  1. NIST. FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). Effective Aug 14, 2024. https://www. federalregister. gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based.
  2. NIST. IR 8547 (ipd): Transition to Post-Quantum Cryptography Standards. Nov 2024. https://nvlpubs. nist. gov/nistpubs/ir/2024/NIST. IR. 8547. ipd. pdf.
Written by

Jamie Kloncz

Founder, RankShield

Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.

More about Jamie →
Try it · Free

Check a citation against live case-law

Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.

Try the citation checker