Can PUFs protect against Harvest-Now, Decrypt-Later (HNDL) threats from Quantum Computers?

As quantum computing advances, organizations face “Harvest-Now, Decrypt-Later” (HNDL) attacks where adversaries intercept encrypted communications today to decrypt later with quantum computers. This threat accelerated Post-Quantum Cryptography (PQC) adoption, including ML-KEM, ML-DSA and SLH-DSA [1][2][3] replacing vulnerable RSA and ECC algorithms. However, PQC alone does not fully mitigate HNDL risks when secret keys (or private keys) remain stored persistently and susceptible to physical compromise. This article explains how integrating PQC with hardware-based Physically Unclonable Functions (PUFs) eliminates this critical HNDL risk, creating a truly resilient defense for the quantum era.

Understanding the HNDL Threat

Quantum computers can solve problems like integer factorization and discrete logarithms exponentially faster than classical computers, threatening cryptosystems such as RSA and ECC. Shor’s algorithm, for example, would allow a quantum computer to break these widely used encryption methods, making any intercepted data vulnerable once quantum capabilities mature. Although a cryptographically relevant quantum computer (CRQC) may be a decade or more away, the risk is immediate: attackers can intercept and store encrypted data now, planning to decrypt it later when quantum technology catches up.

This is known as a “Harvest-Now, Decrypt-Later” (HNDL) or “Store-Now, Decrypt-Later” (SNDL) attack. Adversaries are already collecting vast amounts of sensitive data—intellectual property, financial records, and classified information—with the intention of unlocking it in the future. The urgency of this threat has driven rapid development and standardization of PQC by organizations like NIST. However, PQC’s effectiveness is limited if secret keys (or private keys) are stored in non-volatile memory (e.g., flash, EEPROM), as attackers with physical access can extract these keys and retroactively decrypt previously captured data, regardless of the algorithm’s quantum resistance as illustrated in  Figure 1. For data needing long-term security, this is an immediate and critical risk. The transition to quantum-resistant security is not a future problem; it is an urgent priority for today.

PQC: A Necessary First Step, But Not a Silver Bullet

To counter the quantum threat, the U.S. National Institute of Standards and Technology (NIST) has standardized PQC algorithms. These new standards, including ML-KEM for key establishment [1], ML-DSA for digital signatures [2], and SLH-DSA as an additional signature standard [3], are designed to resist attacks from both classical and quantum computers. Adopting PQC is the essential first step to securing data in transit, ensuring the encrypted message itself remains unbroken even by a quantum computer, as shown in Figure 2.

However, PQC protects the algorithm, not the key. The security of any system is defined by its weakest link, and traditional key storage is a critical vulnerability. The conventional method involves generating keys, storing them in a database, and then injecting them into a device’s non-volatile memory (like Flash) during manufacturing. This process creates a massive attack surface. The key database itself is a high-value target for hackers, and the secure transfer of keys to manufacturing facilities, which may be untrusted third parties, presents significant supply chain risks.

An attacker with physical access to the device can later extract this stored key using sophisticated methods like side-channel analysis or microprobing. With the stolen key, all previously harvested data can be decrypted, rendering PQC’s quantum resistance irrelevant. This means any system that stores its keys remains vulnerable to an HNDL attack if the device is ever compromised.

The Ultimate Key Vault: Physically Unclonable Functions (PUFs)

This is where hardware-based security becomes essential. A Physically Unclonable Function (PUF) solves the dangerous problem of key storage by giving a chip a unique “silicon fingerprint.” This identity is based on microscopic, random manufacturing variations and has three essential properties as, standardized in ISO/IEC 20897 [4].

• Unique: No two chips, even from the same wafer, are identical.
• Repeatable: The same chip will reliably produce the same digital response every time.
• Unclonable: It is physically impossible to clone or duplicate the microscopic properties of one chip onto another.

The most critical feature is how a PUF handles secrets. It does not store a secret key. Instead, it regenerates the key from its physical structure on demand. The secret only exists for the instant it is needed, then vanishes, leaving no trace in memory for an attacker to steal.

A Crucial Detail: Why Passive PUF Technology is the Right Choice

Not all PUF technologies are created equal. For a PUF to be a reliable source of security over the entire lifespan of a device, it must be stable. The unique “fingerprint” it generates today must be the exact same one it generates ten or twenty years from now, regardless of temperature, voltage, or aging. PUFs can be broadly categorized into two types: active and passive.

• Active PUFs are made of active transistor devices. They often rely on challenging electronic components with timing delays. This process can cause stress, leading to degradation over time. An active PUF might be reliable for a few years, but its characteristics can drift, eventually making it impossible to regenerate the original, correct key. This instability is unacceptable for long-term security.

• Passive PUFs, in contrast, are not based on transistors but are made from passive components like vias. A prime example is Via PUF technology, which leverages the random formation of vias in the standard CMOS manufacturing process without any special masks or procedures involved. Since these metallic vias are passive components, they are not stressed during operation. This results in extreme stability. Furthermore, because these microscopic via structures are scattered throughout the chip, they are physically protected from reverse-engineering, making it practically impossible to find and characterize them even with invasive attacks [5].

For defending against HNDL threats, where long-term data protection is the primary goal, the endurance and stability of a passive PUF are not just beneficial—they are essential. It ensures the hardware root of trust remains trustworthy for the entire life of the product.

The Integrated Solution: PQC + PUF for True Forward Secrecy

The most robust defense against HNDL attacks is the integration of PQC’s algorithmic strength with the hardware-level security of a PUF. This creates a system where secret keys are both quantum-resistant and physically secure. The core of this integration is using the PUF’s unique output as a cryptographic seed for the PQC key generation algorithm. As shown in Figure 3, this allows a key pair to be created on-demand without ever storing the secret key material itself.

This principle is applied in the establishment of a typical session key in point-to-point communication as follows:

1. Request: A master device initiates a secure connection with a slave device that contains a PUF. The master sends a unique, random number called a “salt” for this specific session.
2. Key Generation: The slave device feeds the salt and its intrinsic PUF response into the PQC key generation algorithm. This produces a fresh, one-time PQC secret key (or private key) and public key pair. This secret key is never stored in memory.
3. Key Exchange: The slave sends its newly generated public key to the master.
4. Secure Communication: The master uses the public key to encapsulate a shared secret, sending the resulting ciphertext to the slave. The slave then uses its ephemeral secret key to decapsulate the ciphertext and retrieves the same shared secret.
5. Key Discarded: After the operation, the slave’s secret key vanishes.

This approach provides true forward secrecy. Even if an attacker captures every message and later steals the physical device, there is no key to be found. The secrets from past sessions are irrecoverable, effectively neutralizing the “Decrypt-Later” part of the HNDL threat.

Business Impact and Strategic Advantages

For business leaders—CEOs, CTOs, CSOs—this combined approach delivers several critical advantages:

• Future-Proof Security: Protects sensitive data against both current threats and future quantum-enabled adversaries, avoiding catastrophic financial and operational losses. The global average cost of a data breach has reached a record high of $4.88 million [6], making preventative investment a clear financial imperative.
• Regulatory Compliance: Aligns with emerging standards for quantum-safe key management and supply chain security. By preventing breaches at the hardware level, companies can avoid significant regulatory penalties, which constitute a major component of overall breach costs.
• Cost Efficiency: Reduces total cost of ownership by eliminating the complex and expensive logistics of secure key injection during manufacturing. Organizations that extensively deploy security automation—a principle inherent in the PUF’s “storage-less” model—save an average of $2.2 million in breach costs compared to those that do not [6].
• Customer Trust: Demonstrates proactive leadership in cybersecurity. The loss of business following a breach averages $1.47 million globally [6]. In an era where up to a third of customers will cease doing business with a breached organization, protecting data with a vPUF based hardware root of trust is a powerful differentiator that preserves brand equity.

Conclusion: A Strategic Imperative for Long-Term Security

The Harvest-Now, Decrypt-Later threat is not a distant problem; it is an active risk to any data with long-term value. While migrating to PQC algorithms is a necessary first step, this defense is incomplete if the secret keys can be physically stolen from a device’s memory.

A truly future-proof security architecture eliminates this vulnerability at its root. By integrating PQC with PUF technology, secret keys are never stored. Instead, they are generated on-demand from the hardware’s unique physical identity. This approach anchors cryptographic security in unchangeable physics, creating a defense that protects against both present-day physical attacks and future quantum threats.

For leaders, the mandate is clear: securing your organization for the quantum era requires more than just new algorithms—it requires a new approach to key security. The PQC+PUF, storage-less paradigm is that approach, offering the most robust defense to ensure that data harvested today remains secure for decades to come.

References

[1] NIST FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard, 2024. https://csrc.nist.gov/pubs/fips/203/final

[2] NIST FIPS 204, Module-Lattice-Based Digital Signature Standard, 2024.

https://csrc.nist.gov/pubs/fips/204/final

[3] NIST FIPS 205, Stateless Hash-Based Digital Signature Standard, 2024.

https://csrc.nist.gov/pubs/fips/205/final

[4] ISO/IEC 20897-1:2020, Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 1: Security requirements, test methods and evaluation criteria.  https://www.iso.org/standard/76353.html

[5] Teddy Kyung Lee, “Via PUF Technology as a Root of Trust in IoT Supply Chain”, Global Semiconductor Alliance Forum Article, May 8, 2020.

https://www.gsaglobal.org/forums/via-puf-technology-as-a-root-of-trust-in-iot-supply-chain/

[6] IBM Security, “Cost of a Data Breach Report 2024”, 2024.

https://www.ibm.com/reports/data-breach