Harvest Now, Decrypt Later: Why Nation-States Are Already Collecting Bitcoin Transactions
How the 'harvest now, decrypt later' strategy threatens Bitcoin users today, even before quantum computers arrive.
Every Bitcoin transaction you have ever made is permanently recorded on a public ledger. Today, the cryptographic signatures protecting those transactions are computationally infeasible to reverse. But adversaries with long time horizons are not waiting for that to change: they are harvesting encrypted and signed data now, storing it cheaply, and planning to decrypt it later when quantum computers running Shor's algorithm can break the elliptic curve cryptography underpinning Bitcoin.
This strategy, known as "harvest now, decrypt later" (HNDL), is not speculative. The Federal Reserve published a paper on it in September 2025. Citi devoted its January 2026 institute report to the "trillion-dollar security race" it creates. And in March 2026, Google Quantum AI published research showing that breaking Bitcoin's secp256k1 curve may require 20 times fewer quantum resources than previously estimated. The clock is ticking, and the data being collected today cannot be un-collected.
What Is Harvest Now, Decrypt Later?
HNDL is a surveillance and intelligence strategy where adversaries intercept and archive encrypted communications and cryptographic signatures today, even though they cannot currently read them. The bet is straightforward: store the data at negligible cost, wait for a cryptographically relevant quantum computer (CRQC) to become available, then retroactively decrypt everything.
The strategy works because storage is cheap and patience is free for nation-state actors. A petabyte of cloud storage costs roughly $20,000 per year. The entire Bitcoin blockchain is under 700 GB. An adversary could archive every transaction, every exposed public key, and every piece of network metadata for less than the cost of a single intelligence analyst's salary.
This is not theoretical. Intelligence agencies have publicly acknowledged the practice. The NSA's CNSA 2.0 guidance, published in September 2022, sets explicit deadlines for migrating national security systems to quantum-safe cryptography: new systems by 2027, application-layer traffic by 2030, and full infrastructure by 2035. Those deadlines exist because the threat of retroactive decryption is already being planned for.
The asymmetry problem: An attacker harvesting data today faces no time pressure and near-zero cost. A defender trying to protect already-broadcast data faces an impossible task: you cannot un-publish a Bitcoin transaction from every full node, archive, and block explorer that has ever stored it.
Why Bitcoin Is Uniquely Exposed
Most HNDL discussions focus on encrypted communications: diplomatic cables, banking messages, classified emails. Bitcoin faces a distinct and arguably worse version of the problem because its transaction data is not merely interceptable: it is intentionally public.
The public ledger as a permanent target
Bitcoin's security model relies on elliptic curve digital signatures (ECDSA on secp256k1) and SHA-256 hash functions. When you spend from a Bitcoin address, your public key is revealed on-chain. A quantum computer running Shor's algorithm could derive the corresponding private key from that public key, enabling the attacker to sign transactions and move any remaining funds.
The Federal Reserve's 2025 paper makes the critical observation: even if Bitcoin successfully deploys post-quantum cryptography to protect future transactions, no existing method can retroactively safeguard data already stored on the public ledger. Every exposed public key from the past 17 years is permanently available for future quantum attack.
How much Bitcoin is at risk?
Not all Bitcoin addresses expose public keys. The vulnerability depends on the address type and spending history. Estimates from multiple sources converge on a significant portion of the total supply being exposed.
| Exposure category | Address types | Estimated BTC | Risk level |
|---|---|---|---|
| Structural (public key exposed by design) | P2PK, bare multisig (P2MS) | ~1.9M BTC | Critical: key visible even if never spent from |
| Operational (public key exposed by spending) | Reused P2PKH, P2WPKH, P2TR | ~4.1M BTC | High: key revealed when prior output was spent |
| Hashed only (public key not yet exposed) | Unspent P2PKH, P2SH, P2WSH | Remaining supply | Lower: protected by hash until first spend |
Project Eleven, a quantum security research firm, estimates roughly 6.9 million BTC have public keys visible on-chain. That figure represents approximately one-third of Bitcoin's total supply. At current prices, the exposed value exceeds $500 billion. Citi's May 2026 analysis places the figure at 4.5 to 6.7 million BTC, with Satoshi Nakamoto's estimated 1 million BTC in early P2PK outputs among the most prominently exposed.
Taproot's double-edged sword: Taproot (P2TR) addresses expose public keys by design to enable Schnorr signature aggregation and advanced scripting. While this was the correct engineering decision for today's threat model, it means that every Taproot output is structurally quantum-vulnerable, creating a growing pool of exposed keys even as the network modernizes.
The Quantum Timeline Is Compressing
For years, the standard response to quantum threats was "we have decades." Multiple developments in 2025 and 2026 have compressed that timeline significantly.
Google's March 2026 bombshell
In March 2026, Google Quantum AI published a whitepaper co-authored with Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh. The paper demonstrated that breaking the 256-bit elliptic curve discrete logarithm problem (ECDLP-256) underlying Bitcoin's security may require fewer than 500,000 physical qubits: a 20-fold reduction from prior estimates.
The paper modeled a real-time transaction hijacking attack with a 41% success rate within Bitcoin's 10-minute block confirmation window. That means a sufficiently powerful quantum computer could potentially derive a private key and broadcast a competing transaction before the legitimate one confirms.
Project Eleven's Q-Day Prize
In April 2026, Project Eleven awarded its Q-Day Prize of 1 BTC to researcher Giancarlo Lelli for breaking a 15-bit elliptic curve key on publicly accessible quantum hardware. While 15 bits is astronomically far from Bitcoin's 256-bit keys, the result represented a 512x jump from the previous public demonstration. Project Eleven pegs "Q-Day" (the moment quantum computers can break current encryption) as likely arriving between 2030 and 2033.
Expert probability estimates
The Global Risk Institute's annual survey of quantum researchers provides the most widely cited probability assessments. The 2025 survey reported the highest 10-year CRQC probability in its seven-year history: 28% (pessimistic) to 49% (optimistic). Looking further out, experts place the probability at 19 to 34% by 2034, spiking to 60 to 82% by 2044.
| Source | CRQC timeline estimate | Key detail |
|---|---|---|
| Project Eleven (May 2026) | 2030 to 2033 | Based on hardware trajectory and algorithmic improvements |
| Global Risk Institute (2025) | 28 to 49% within 10 years | Highest probability in 7-year survey history |
| Google Quantum AI (2026) | Internal 2029 migration deadline | Migrating all infrastructure to post-quantum by 2029 |
| NSA CNSA 2.0 (2022) | Full migration by 2035 | Planning target for national security systems |
| Citi Institute (January 2026) | 19 to 34% by 2034 | Cites GRI data; estimates $3 trillion banking exposure |
What HNDL Means for Bitcoin Specifically
The HNDL threat to Bitcoin operates on three distinct levels, each with different implications and timelines.
Level 1: Exposed key theft
The most discussed scenario: a CRQC derives private keys from exposed public keys and moves funds. This affects the estimated 6+ million BTC with visible public keys. The attack requires a working CRQC and real-time network access, but the target data (public keys) is already permanently available.
Level 2: Transaction interception
When you broadcast a transaction, your public key is exposed in the mempool before confirmation. Google's 2026 research models an attack where a CRQC derives the private key from a pending transaction's public key and broadcasts a competing transaction within the ~10-minute block window. Even hashed addresses become vulnerable the moment you spend from them.
Level 3: Privacy collapse
This is the angle the Federal Reserve paper emphasizes and the one most people overlook. Bitcoin's pseudonymity relies partly on the one-way nature of hash functions: you can see an address but cannot link it to a public key unless funds have been spent. A CRQC could break ECDSA to reveal relationships between addresses, enabling retroactive chain analysis at a scale that would de-anonymize years of transaction history. Combined with existing metadata (IP addresses, exchange KYC records, timing analysis), this creates a comprehensive financial surveillance capability.
The Trillion-Dollar Security Race
Citi's January 2026 report, titled "The Trillion-Dollar Security Race," frames the quantum threat as an economic problem rather than a purely technical one. The report estimates the global banking system's total exposure to quantum-enabled cyberattacks at $3 trillion. For Bitcoin specifically, Citi places between $350 billion and $500 billion at direct quantum risk.
Citi identifies Bitcoin as more exposed than Ethereum for a specific structural reason: governance speed. Ethereum has begun a coordinated post-quantum migration program with multiple research teams and a public roadmap. Bitcoin changes slowly by design. Every protocol modification requires broad consensus among miners, developers, and node operators: a process that took roughly five years for Taproot activation and remains a deliberate feature of Bitcoin's conservative approach to upgrades.
Can Bitcoin Upgrade in Time?
Bitcoin developers are not ignoring the threat. Multiple proposals are in various stages of development, but each faces significant technical and political challenges.
BIP 360: Pay to Quantum Resistant Hash
BIP 360 introduces a new output type called P2QRH (Pay to Quantum Resistant Hash) that would allow spending coins with post-quantum signatures. The proposal rides on SegWit version 3, with addresses starting with "bc1r". It is designed as a soft fork, meaning it would not require all nodes to upgrade simultaneously.
The primary challenge is signature size. A standard Schnorr signature is 64 bytes. Post-quantum alternatives are dramatically larger: ML-DSA (Dilithium) signatures run 2 to 3 KB, and SLH-DSA (SPHINCS+) signatures can reach 8 KB. This has direct implications for block space, transaction fees, and network throughput.
BIP 361: Migration framework
BIP 361 outlines a three-phase migration plan. Phase A (roughly three years after activation) would prohibit new transactions from sending funds to legacy address types. Phase B (about two years later) would invalidate all legacy signatures at the consensus level, effectively freezing any Bitcoin that has not been migrated to quantum-resistant addresses.
This creates a wrenching dilemma: Bitcoin that is not moved to quantum-safe addresses would become permanently unspendable. That includes Satoshi's coins, lost coins, and any holdings belonging to people who cannot or do not upgrade their wallets. The alternative (allowing legacy addresses to remain spendable) leaves the network perpetually vulnerable to quantum theft.
NIST post-quantum standards
The cryptographic building blocks for a post-quantum Bitcoin already exist. NIST finalized three post-quantum standards in August 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), and FIPS 205 (SLH-DSA as a hash-based signature backup). These standards give Bitcoin developers proven algorithms to build on, but integrating them into Bitcoin's consensus layer remains a multi-year engineering and governance challenge.
The Chicken-and-Egg Problem
Bitcoin faces a fundamental coordination problem. Upgrading the protocol requires consensus from a decentralized network of stakeholders: core developers, miners, node operators, exchanges, wallet providers, and end users. This process is deliberately slow to prevent hasty or politically motivated changes.
But the HNDL threat inverts the usual calculus. With most security threats, you can afford to wait until the attack is imminent before deploying a defense. With HNDL, the data collection is happening now, and no future upgrade can protect data that has already been harvested. The longer the migration takes, the larger the window of vulnerability.
As Project Eleven CEO Alex Pruden noted in May 2026, the migration will be substantially harder than Taproot. Every Bitcoin holder and every institution that touches the asset will need to participate. BIP 360 and BIP 361 remain in draft form with no activation timeline.
The migration paradox: Bitcoin cannot upgrade without consensus, but waiting for consensus means more data gets harvested. Every year of delay adds another year of transactions to the quantum-vulnerable archive. The cost of acting early is engineering effort and potential disruption. The cost of acting late is that the damage is already done and cannot be undone.
What You Can Do Today
Individual Bitcoin holders are not powerless. Several practices significantly reduce quantum exposure, even before protocol-level changes arrive.
- Avoid address reuse: each address should be used for receiving only once, and funds should be moved to a fresh address after any spend to avoid leaving exposed public keys associated with remaining balances
- Prefer hashed address types: P2WPKH and P2WSH addresses keep your public key hidden until you spend, giving you protection until a CRQC actually exists
- Understand your UTXO set: use coin control features in your wallet to identify which of your outputs have exposed public keys and prioritize moving those funds
- Monitor BIP 360 and BIP 361 progress: when quantum-resistant address types become available, migrate early rather than waiting for deadlines
- Consider Layer 2 solutions for active spending: keeping smaller balances on Layer 2 networks for day-to-day transactions reduces the amount of on-chain data exposed to future quantum analysis
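The exposure table above and the "understand your UTXO set" advice both come down to one question per output: is the spending public key already on-chain, or is only a hash? The script below is an added example, not code from the original article or from any wallet project. It matches a scriptPubKey against the standard output templates, assigns each UTXO to the article's structural, operational, or hashed category (an output is "operational" when an earlier output to the same script was already spent, since that spend put the key or redeem script into a scriptSig or witness), and ranks the already-exposed outputs by value so the largest are moved first. The UTXO list, txids and key bytes are constructed sample data; the `script_spent_before` flag is a stand-in for the spend history a real wallet or block explorer would supply.

```python
"""Audit a wallet's UTXO set for quantum-exposed public keys.

Added example, not code from the original article or any wallet project.
Classifies standard output scripts by whether the spending public key is
already visible on-chain and ranks which outputs to migrate first.
The UTXO list at the bottom is constructed sample data.
"""
from dataclasses import dataclass

# Script opcodes used by the standard output templates
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG, OP_CHECKMULTISIG = 0xA9, 0xAC, 0xAE

# Key sits in the output script itself: exposed even if never spent from
STRUCTURAL = {"P2PK", "P2MS", "P2TR"}
# Only a hash is on-chain: the key (or redeem script) appears at first spend
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}


def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return "P2SH"
    # Witness programs: version opcode followed by a 20- or 32-byte push
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "P2WSH"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR"
    # Bare multisig: OP_m <pubkey pushes...> OP_n OP_CHECKMULTISIG
    if (n > 3 and spk[-1] == OP_CHECKMULTISIG
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16):
        return "P2MS"
    return "unknown"


@dataclass
class Utxo:
    txid: str
    vout: int
    value_sat: int
    script_pubkey: bytes
    # True if an earlier output paying this same script was already spent,
    # which placed the public key (or redeem script) in a scriptSig/witness
    script_spent_before: bool


def exposure(u: Utxo) -> str:
    """Return 'structural', 'operational', 'hashed' or 'unknown' for one UTXO."""
    t = script_type(u.script_pubkey)
    if t in STRUCTURAL:
        return "structural"
    if t in HASHED:
        return "operational" if u.script_spent_before else "hashed"
    return "unknown"


def audit(utxos):
    """Sum the balance (in satoshis) held under each exposure category."""
    totals = {"structural": 0, "operational": 0, "hashed": 0, "unknown": 0}
    for u in utxos:
        totals[exposure(u)] += u.value_sat
    return totals


def migration_order(utxos):
    """Outputs whose key is already public, largest first: move these first."""
    exposed = [u for u in utxos if exposure(u) in ("structural", "operational")]
    return sorted(exposed, key=lambda u: u.value_sat, reverse=True)


# Constructed sample wallet: placeholder txids, synthetic key and hash bytes
SAMPLE_UTXOS = [
    Utxo("tx-a", 0, 100_000_000,
         bytes([0x21, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG]), False),   # P2PK
    Utxo("tx-b", 1, 50_000_000,
         bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), True),                       # reused P2PKH
    Utxo("tx-c", 0, 25_000_000, bytes([OP_0, 20]) + b"\x33" * 20, False),     # fresh P2WPKH
    Utxo("tx-d", 2, 10_000_000, bytes([OP_1, 32]) + b"\x44" * 32, False),     # P2TR
    Utxo("tx-e", 0, 200_000_000, bytes([OP_0, 32]) + b"\x55" * 32, False),    # fresh P2WSH
]

if __name__ == "__main__":
    for category, sats in audit(SAMPLE_UTXOS).items():
        print(f"{category:12s} {sats / 1e8:.8f} BTC")
    for u in migration_order(SAMPLE_UTXOS):
        print(f"move first: {u.txid}:{u.vout} "
              f"({script_type(u.script_pubkey)}, {u.value_sat} sat)")
```

Run against the sample set, the audit reports 1.1 BTC structurally exposed (the P2PK and Taproot outputs), 0.5 BTC operationally exposed (the reused P2PKH output) and 2.25 BTC still protected by a hash, and lists the three exposed outputs in descending value as the migration order. Note that the "hashed" category is only as good as the spend-history flag: a fresh-looking P2WPKH output whose address was used before is operationally exposed, so the flag must come from the wallet's full transaction history, not from the current UTXO set alone.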
Layer 2 as a Quantum Migration Bridge
Bitcoin's base layer faces the hardest quantum migration path in all of cryptocurrency: slow governance, massive signature size increases, and the impossible task of protecting already-published data. Layer 2 protocols operate under different constraints and can potentially adopt post-quantum cryptography faster.
Spark, for example, uses FROST threshold signatures for its operator coordination layer. Because Spark transfers happen off-chain (changing who can authorize spending without broadcasting on-chain transactions), the protocol's signature scheme can be upgraded independently of Bitcoin's consensus rules. An L2 protocol can swap its signing algorithm through an operator upgrade rather than a network-wide soft fork, dramatically reducing the governance overhead.
This does not eliminate the quantum threat to Bitcoin's base layer. The on-chain UTXOs backing Layer 2 balances still use classical cryptography and would need to be migrated along with everything else. But for active spending and day-to-day transactions, Layer 2 networks could serve as a practical bridge during the multi-year migration period: a place where post-quantum signatures are already protecting current activity while the base layer catches up.
Developers building on Bitcoin can explore the Spark SDK and documentation to understand how off-chain transfer protocols work today. For a broader view of how different Bitcoin address types affect quantum vulnerability, see our guide to Bitcoin address types from P2PKH to Taproot and the deep dive on post-quantum cryptography and Bitcoin.
The Clock Is Already Running
The harvest now, decrypt later threat to Bitcoin is unusual because the most damaging phase of the attack (data collection) is already underway and imposes no detectable cost on victims. There are no alerts, no breaches, no stolen funds: just patient archiving of publicly available data by adversaries with long time horizons.
The question is not whether quantum computers will eventually break Bitcoin's current cryptography. The expert consensus is that they will, with meaningful probability within the next decade. The question is whether the Bitcoin ecosystem can coordinate a migration fast enough that the window of vulnerability remains manageable, or whether the combination of slow governance and permanent data exposure creates a systemic risk that compounds with every passing year.
Google is migrating by 2029. The NSA is planning for 2035. Bitcoin has no public timeline. For a network securing over $1 trillion in value, that gap between the threat and the response is the most important number in the entire quantum debate.
This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.