Harvest Now, Decrypt Later

Harvest Now, Decrypt Later means an attacker records protected data today and waits until future quantum capability makes the old protection breakable. For blockchains, the key point is that the public ledger already gives every attacker a complete archive.

The phrase often describes encrypted messages. In cryptocurrency, the same idea also applies to public keys and transaction authorization.

This page explains the risk at a user and protocol level. It is not a substitute for the formal security analysis in Protocol / Security Analysis.

The Attack Pattern

For a classical-signature blockchain, the long-term attack looks like this:

  1. Download and archive the chain.
  2. Identify outputs or transactions where public keys are visible.
  3. Wait for cryptographically relevant quantum computers.
  4. Derive private keys from exposed public keys.
  5. Spend funds that are still controlled by those keys, or analyze old activity that was assumed to remain private.

The attacker does not need to compromise the network today. They only need to preserve public data that the network already publishes.

Why Blockchains Are Especially Exposed

Most security systems can rotate keys and delete old sensitive data. Blockchains are different:

| Property | Effect |
| --- | --- |
| Public replication | Anyone can store a full copy. |
| Immutability | Old transactions cannot be removed after migration. |
| Open validation | Anyone can submit a valid spend if they can create the signature. |
| Long-lived value | Old dormant outputs can remain valuable for decades. |
| Address reuse | A single exposed key can endanger future funds at the same address. |

That combination makes “we will migrate later” a weaker answer than it first appears. Later migration can protect newly created outputs, but it cannot erase public keys already revealed in old transactions.

Which Address Patterns Matter

| Pattern | HNDL concern |
| --- | --- |
| Pay-to-public-key outputs | The full public key is visible immediately. |
| Reused addresses after spending | The public key is revealed by the first spend, and remaining funds become exposed. |
| Multisig scripts with public keys | Script revelation exposes all listed keys. |
| Hash-only addresses before first spend | Lower immediate exposure, but the key appears when spent. |

This is why “do not reuse addresses” remains important even before quantum computers are capable of key recovery. Address reuse turns a delayed exposure into an ongoing exposure.
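
The patterns above can be checked from the wallet side to decide which of your own outputs to move first. The following is an added example, not code from the original page or from Tidecoin; it assumes Bitcoin-style scriptPubKey encodings for a classical-signature chain, and the function names, labels, and hex values are constructed for illustration.

```python
# Added example: audit a wallet's own unspent outputs for public-key exposure.
# Assumes Bitcoin-style scriptPubKey encodings; all hex below is constructed.

def classify_script(script_hex):
    """Map a scriptPubKey to one of the address patterns in the table above."""
    s = bytes.fromhex(script_hex)
    # Pay-to-public-key: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk"
    # Bare multisig: OP_m <pubkeys...> OP_n OP_CHECKMULTISIG (0xae)
    if len(s) >= 37 and 0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60 and s[-1] == 0xAE:
        return "bare-multisig"
    # P2PKH, P2SH and P2WPKH commit only to a 20-byte hash of the key or script
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "hash-only"
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "hash-only"
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "hash-only"
    return "unknown"

def audit(utxos, spent_scripts):
    """Return (label, pattern, exposure) per UTXO; spent_scripts = scripts already spent from."""
    report = []
    for label, script_hex in utxos:
        kind = classify_script(script_hex)
        if kind in ("p2pk", "bare-multisig"):
            status = "exposed-now"          # keys are in the output itself
        elif kind == "hash-only":
            # An earlier spend from the same script already revealed the key
            status = "exposed-by-reuse" if script_hex in spent_scripts else "exposed-on-spend"
        else:
            status = "review-manually"
        report.append((label, kind, status))
    return report

KEY_A = "02" + "11" * 32  # constructed 33-byte compressed-key placeholder
KEY_B = "03" + "44" * 32  # constructed placeholder
SAMPLE_UTXOS = [
    ("utxo-a", "21" + KEY_A + "ac"),                          # pay-to-public-key
    ("utxo-b", "76a914" + "22" * 20 + "88ac"),                # fresh hash-only
    ("utxo-c", "76a914" + "33" * 20 + "88ac"),                # reused address
    ("utxo-d", "51" + "21" + KEY_A + "21" + KEY_B + "52ae"),  # 1-of-2 bare multisig
]
SAMPLE_SPENT = {"76a914" + "33" * 20 + "88ac"}

if __name__ == "__main__":
    for row in audit(SAMPLE_UTXOS, SAMPLE_SPENT):
        print(*row)
```

Outputs reported as exposed-now or exposed-by-reuse are the ones to move to fresh addresses first.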

Why Migration Cannot Fully Fix History

A post-quantum migration can create safer new outputs. It cannot make an old public key disappear from every archived copy of the chain.

For funds whose keys are lost, there may be no owner available to migrate at all. For funds whose owners are active, migration still requires wallet support, block space, fees, user action, and enough time before a quantum-capable adversary exists.

The Tidecoin whitepaper cites estimates that millions of BTC are in quantum-vulnerable categories, including old pay-to-public-key outputs and reused-address exposure. The exact number changes as analysis methods and chain state evolve, but the structural risk is stable: public-key exposure on a permanent ledger is hard to undo.

Tidecoin’s Approach

Tidecoin avoids historical ECDSA exposure by using post-quantum signatures from block zero. Every transaction spend is authenticated by a post-quantum signature scheme rather than by secp256k1 ECDSA.

That does not mean users can ignore privacy and operational security. It means the specific future attack “derive an ECDSA private key from an old public key” is not the baseline authorization model of the chain.

Practical User Rules

  • Prefer fresh receive addresses.
  • Do not publish public keys, private keys, seeds, descriptors, or wallet dumps.
  • Move funds from legacy or imported keys to current wallet addresses when practical.
  • Keep backups offline and test recovery with small amounts.
  • Treat post-quantum signatures as one layer of security, not a replacement for safe wallet handling.

See also: Quantum Threat, Post-Quantum Primer, Why Tidecoin?, Protocol / Design Positioning.
