Store Now, Decrypt Later: How Governments Have Been Collecting Your Encrypted Data for Decades
The US, Russia, and China have been archiving encrypted internet traffic for years — planning to decrypt it the moment quantum computers are ready.
The Data Is Already Gone — You Just Don’t Know It Yet
Somewhere in a government data center — US, Russian, or Chinese — there is a copy of encrypted traffic you sent years ago. Maybe a decade ago. The encryption was unbroken when they collected it. It’s still unbroken today. But the plan was never to read it now.
This is “store now, decrypt later.” And if you haven’t heard of it, that’s partly the point.
The attack is simple in concept: intercept and archive encrypted internet traffic at scale, then wait for quantum computers to arrive and decrypt everything retroactively. Governments including the US, Russia, and China have been running this playbook for decades. The bet they made was that fault-tolerant quantum computers would eventually exist. That bet is looking increasingly correct.
What changed recently is the timeline. Not the existence of the threat — that’s been known since Peter Shor published his algorithm in 1994. What changed is that serious people, people who have historically been skeptical of quantum hype, are now saying 2029 out loud.
What “Store Now, Decrypt Later” Actually Means
Most encryption discussions focus on the wrong threat model. People imagine a quantum computer sitting in a lab somewhere, pointed at a live HTTPS connection, cracking it in real time. That’s not how this works.
- ✕a coding agent
- ✕no-code
- ✕vibe coding
- ✕a faster Cursor
The one that tells the coding agents what to build.
The actual threat is asymmetric in time. The collection happens now, at scale, passively. The decryption happens later, once the compute exists. This means the attack surface isn’t just your future communications — it’s everything you’ve ever sent over an encrypted channel that someone bothered to save.
Shor’s algorithm, published in 1994, showed that a sufficiently large fault-tolerant quantum computer could break RSA and elliptic curve cryptography efficiently. Peter Shor then demonstrated in 1996 that fault-tolerant quantum computation was possible in principle. The cryptographic community knew this. And yet Bitcoin launched more than a decade after Shor’s paper, Ethereum launched in 2015 — two full decades later — and both chose quantum-vulnerable cryptography. The threat was documented and the ecosystem built on top of it anyway.
The “store now” part of the attack requires no quantum hardware at all. It just requires storage and patience. Both are cheap. Both have been available to nation-state actors for a long time.
What’s Actually Being Collected
Think about what public-key cryptography protects. It’s not just passwords. It’s the authentication layer underneath most of the internet: classified communications, diplomatic cables, military systems, interbank networks, software update signatures, API authentication, medical records, satellite control systems.
Any encrypted traffic that was intercepted in transit — and a lot of traffic gets intercepted in transit, that’s not a conspiracy theory, that’s documented — is potentially sitting in an archive somewhere waiting for a quantum computer to arrive.
The specific targets that matter most for retroactive decryption are the high-value, long-shelf-life secrets. Intelligence communications from 2010 that are still sensitive in 2030. Diplomatic cables. Financial transaction records. The kind of data where the value doesn’t decay with time.
For cryptocurrency specifically, the exposure is different and more immediate. Blockchains are public and permanent. If a wallet’s public key has ever been exposed on-chain — which happens when you spend from an address — a future quantum computer may be able to derive the private key and move the funds. Satoshi Nakamoto’s dormant Bitcoin wallet is the obvious example: those coins have never moved, the keys are old, and if elliptic curve cryptography breaks, someone could impersonate the private key and transfer them. That’s not a theoretical edge case. That’s a named wallet with a known public key sitting on a public ledger.
Why 2029 Is the Number Everyone Is Converging On
Scott Aaronson is not a quantum hype person. He’s the Schlumberger Centennial Chair of Computer Science at UT Austin, co-founding director of UT Austin’s Quantum Information Center, and was just elected to the US National Academy of Sciences. For years his job, effectively, was correcting people who overstated what quantum computers could do. He was the skeptic’s skeptic.
In a blog post published around May 1, 2026, titled “Will you heed my warnings?”, Aaronson wrote that “some of the most reputable people in quantum hardware and quantum error correction — people whose judgment I trust more than my own on these topics — now tell me that a fault-tolerant quantum computer able to break deployed crypto systems ought to be possible by around 2029.”
When the person who spent years telling people to calm down about quantum computers says that, you should update your priors.
Built like a system. Not vibe-coded.
Remy manages the project — every layer architected, not stitched together at the last second.
Google’s March 25, 2026 post on blog.google — “Quantum Frontiers may be closer than they appear” — set an internal 2029 deadline to migrate all of Google’s infrastructure to post-quantum cryptography. The stated reason: faster-than-expected progress in reducing the number of qubits needed to break current RSA encryption. Google also published a zero-knowledge proof showing they know how to break elliptic curve cryptography with fewer qubits and gates than previously realized — without releasing the actual attack method. The responsible disclosure framing is: we know the password, here’s proof we know it, but we’re not saying it out loud.
Cloudflare is also targeting 2029 for full quantum security. These aren’t random companies picking the same number. They’re companies with direct visibility into the state of quantum hardware, and they’re all converging on the same deadline. For a broader look at how AI model capabilities are intersecting with security timelines, the GPT-5.4 vs Claude Opus 4.6 comparison is a useful reference point for understanding where frontier models sit today relative to the cryptographic challenges ahead.
The Role AI Played in Getting Here Faster
Here’s the part that makes this an AI story, not just a cryptography story.
One of the core bottlenecks blocking fault-tolerant quantum computers was error correction. Qubits are noisy. They decohere. Running long computations requires identifying and correcting errors faster than they accumulate, and that error correction problem was genuinely hard.
Google DeepMind built AlphaQubit: an AI-based quantum error decoder that identifies quantum computing errors with state-of-the-art accuracy. The parallel to AlphaFold is direct — a problem that looked intractable to classical approaches, solved by a neural network trained to recognize patterns in the noise. AlphaQubit didn’t just improve error correction incrementally. It opened the door to quantum computers capable of performing long computations at scale.
This is the feedback loop that makes the 2029 timeline credible: AI is directly accelerating the quantum hardware progress that threatens the cryptographic infrastructure that AI systems themselves depend on. The same class of techniques that’s making AI more capable is making the quantum threat more imminent.
For anyone building AI-powered systems that handle sensitive data — and that’s most production AI applications — this isn’t background noise. The security model you’re building on today has a known expiration date. If you’re using MindStudio to chain AI models and automate workflows that touch user data, the transport and storage encryption protecting that data is in the same category of infrastructure that needs to migrate before 2029. MindStudio’s enterprise platform connects 200+ models and 1,000+ integrations, which means the cryptographic surface area across those connections is exactly the kind of distributed exposure that post-quantum migration needs to account for.
What’s Actually Being Done About It
The organizations that are moving are moving fast. Google’s internal 2029 deadline is aggressive — migrating all infrastructure to post-quantum cryptography in three years is a massive engineering effort. Chrome and Android are already integrating post-quantum digital signature protections. Apple has implemented post-quantum cryptography for iMessage, though the full Apple ecosystem isn’t yet protected.
Aaronson collaborated with Dan Boneh — one of the world’s leading cryptographers — and Justin Drake from the Ethereum Foundation on a position paper about the quantum threat to cryptocurrencies. Coinbase is involved because the exposure is direct: if elliptic curve keys break, the entire model of cryptographic ownership of digital assets breaks with them.
Not a coding agent. A product manager.
Remy doesn't type the next file. Remy runs the project — manages the agents, coordinates the layers, ships the app.
The governance problem for crypto is harder than the technical problem. Ethereum has active governance — Vitalik Buterin and the core team can coordinate a migration, even if it’s complex. Bitcoin doesn’t have that. There’s no central authority to decide when to change the cryptographic primitives, no mechanism to force old addresses to migrate to quantum-resistant keys, and no way to protect dormant wallets whose owners may be unreachable or dead. It’s a constitutional crisis in slow motion.
The US Department of Defense has entered agreements with eight frontier AI companies — SpaceX, OpenAI, Google, Nvidia, Reflection, Microsoft, AWS, and Oracle — presumably to coordinate on exactly these kinds of infrastructure security questions. Anthropic is notably absent from that list.
The argument being made inside quantum computing labs — and Aaronson is somewhat skeptical of this argument — is the same one made inside AI labs: better that this capability emerges first from US-based companies operating in the open than from Chinese or Russian intelligence operating in secret. Whether you find that reasoning convincing or self-serving probably depends on how much you trust the institutions making it.
What You Should Actually Do
The practical question is what to do with this information if you’re an engineer or builder.
First, understand what’s actually vulnerable. The threat is to public-key cryptography — RSA, elliptic curve. Symmetric encryption (AES-256) is much more resilient to quantum attacks; Grover’s algorithm provides a quadratic speedup but not the exponential speedup that Shor’s provides against asymmetric crypto. So “quantum breaks everything” is wrong. “Quantum breaks the authentication and key exchange layer that most of the internet depends on” is more accurate.
Second, audit your dependencies. If you’re building applications that handle sensitive data, look at what cryptographic primitives your dependencies use for key exchange, digital signatures, and certificate validation. Most of this is handled by TLS libraries and you don’t touch it directly, but you should know what’s underneath you.
Third, watch the NIST post-quantum cryptography standards. NIST finalized its first set of post-quantum cryptographic standards in 2024 — CRYSTALS-Kyber for key encapsulation, CRYSTALS-Dilithium for digital signatures. These are the algorithms that Google, Cloudflare, and Apple are migrating toward. If you’re building something that will still be running in 2029, you want to be on a migration path toward these standards.
The “store now, decrypt later” threat is already in the past tense for the collection phase. That data is already collected. The question is whether the decrypt phase arrives on schedule. If the people with the best visibility into quantum hardware are saying 2029, the window to migrate is roughly 1,000 days from now.
For teams building internal security tooling or compliance systems, the spec-driven approach matters here — Remy is MindStudio’s spec-driven full-stack app compiler that takes annotated markdown specs and compiles them into complete TypeScript applications with backend, database, auth, and deployment included. That means your security requirements can live in a readable spec document that gets compiled into actual enforcement logic, rather than scattered across undocumented code. For post-quantum migration work specifically, having your cryptographic requirements expressed as a versioned spec rather than implicit library choices is exactly the kind of auditability that compliance teams will eventually demand.
One coffee. One working app.
You bring the idea. Remy manages the project.
For anyone thinking about AI agents for research and analysis in the security space, the post-quantum migration is one of the most tractable research problems right now — the standards exist, the threat model is clear, and the gap between organizational awareness and organizational action is enormous. The work is in the implementation, not the theory.
The Part That Should Actually Concern You
The most unsettling aspect of “store now, decrypt later” isn’t the future decryption. It’s the implication about what’s already been collected.
Every government with the capability and the motive has been running this program. The US has documented bulk collection programs. Russia and China have similar capabilities and fewer legal constraints on domestic collection. The data that was encrypted and “safe” in 2010 or 2015 was only safe under the assumption that the encryption would remain unbroken indefinitely.
That assumption is now being revised, on a specific timeline, by the people who built the quantum computers that will break it.
Aaronson’s post ends with something close to an ultimatum: “If quantum computers start breaking cryptography a few years from now, don’t you dare come to this blog and tell me that I failed to warn you. This post is your warning.”
The warning has been there since 1994. What’s new is the deadline.
The cybersecurity risks that AI models like Claude Mythos have already demonstrated are real and immediate. But they operate on a different threat model than quantum — they’re about what AI can do to systems today. The quantum threat is about what happens to data that was collected yesterday once the compute arrives. Both timelines are running simultaneously. Understanding what Claude Mythos actually is and how Anthropic positions it helps clarify why frontier model capabilities and cryptographic infrastructure are increasingly discussed in the same breath by security teams.
The organizations that are taking this seriously — Google, Cloudflare, Apple, the Ethereum Foundation — are treating 2029 as a hard deadline, not a planning horizon. The ones that aren’t are making a bet that the skeptics were right and the timeline slips again.
Given who’s now saying 2029, that’s a bet worth examining carefully.
The data is already collected. The clock is already running.
