What "harvest now, decrypt later" means
Harvest now, decrypt later (HNDL) is an attack strategy in which an adversary records encrypted communications today, stores the ciphertext indefinitely, and decrypts it once cryptanalytically relevant quantum computers can break the public-key exchange that protected it. The interception happens now; the compromise happens years later. Any data whose secrecy must outlive that gap is already exposed.
This is not a vendor scare scenario; it is a planning assumption inside the standards bodies themselves. NIST's post-quantum transition report, IR 8547, states that NIST "expects to prioritize the migration to quantum-resistant key-establishment schemes" precisely "to protect against 'harvest now, decrypt later' attacks, particularly in interactive protocols like TLS and IKE" [2]. When the institution that writes the cryptographic standards sequences its own migration around an attack, that attack has stopped being hypothetical.
Why recorded calls are the prime target
Bulk interception of transit traffic is a documented, decades-old practice of signals-intelligence agencies, and storage is the cheapest part of the operation. What makes voice uniquely exposed is the mismatch between how long a conversation stays sensitive and how briefly its protection was designed to last. A defence procurement call, a diplomatic exchange or an M&A negotiation can remain damaging if disclosed ten, twenty or thirty years later. Yet in most VoIP deployments, the confidentiality of the entire call hangs on one session key negotiated at call setup with classical elliptic-curve Diffie-Hellman — exactly the class of primitive that Shor's algorithm breaks.
The EU's own risk taxonomy makes the same point. The NIS Cooperation Group's PQC roadmap classifies a use case as high-risk when "compromising confidentiality after 10 years or more would still cause significant damage," and adds that this "implies in particular that attackers have a strong motivation to capture and store such encrypted information even today in order to break the encryption in the future" [3]. Government, defence and boardroom voice fits that definition almost by construction. And unlike a stolen password, a recorded conversation cannot be rotated, revoked or re-encrypted after the fact. The ciphertext the adversary already holds is final.
The timeline math: Mosca's theorem
The standard tool for reasoning about the deadline is the inequality formulated by Michele Mosca of the University of Waterloo. Let x be the number of years your data must remain confidential, y the number of years your migration will take, and z the number of years until a cryptographically relevant quantum computer exists. Whenever x + y > z, some of the data you are encrypting today will be readable within its secrecy lifetime. In the 2015 note where he laid out the argument, Mosca estimated "a 1/2 chance of breaking RSA-2048 by 2031" [1].
Estimates of z vary, which is why they are tracked systematically. The Quantum Threat Timeline report published by the Global Risk Institute with evolutionQ — an annual survey whose 2024 edition combines the assessments of 32 experts — concluded that the threat "may be closer than previously thought" [6]. But the decisive observation is how little the uncertainty in z matters for voice. With x at 10 to 25 years for the conversations described above and y at a realistic 3 to 5 years of enterprise migration, today's calls are safe only if z exceeds roughly 15 to 30 years. No serious published estimate offers that comfort.
The deadlines are already written down
In the United States, NIST IR 8547 — the transition plan published in initial public draft on 12 November 2024 — schedules quantum-vulnerable public-key cryptography, including RSA and elliptic-curve schemes at the 112-bit security level, as deprecated after 2030 and disallowed entirely after 2035, in line with National Security Memorandum 10's goal of mitigating quantum risk by 2035 [2].
In the European Union, the Commission's Recommendation of 11 April 2024 tasked the NIS Cooperation Group with a coordinated roadmap. Its first deliverable sets three milestones: all Member States initiate national PQC transition strategies and complete the roadmap's First Steps by the end of 2026; high-risk use cases are migrated "as soon as possible, no later than the end of 2030"; medium-risk use cases follow by the end of 2035, with hybrid classical-plus-PQC solutions recommended wherever feasible [3].
France's ANSSI published a three-phase transition: Phase 1 (today), in which hybrid post-quantum key establishment provides defence-in-depth; Phase 2 (not earlier than 2025), in which quantum resistance may be claimed but hybridation remains mandatory; and Phase 3 (probably not earlier than 2030), in which standalone PQC becomes acceptable. ANSSI explicitly recommends introducing post-quantum defence-in-depth as soon as possible for products meant to protect information beyond 2030 [4]. Read the three documents together and the message is consistent: 2030 and 2035 are ceilings for the general migration — for data with a long secrecy lifetime, the regulators' own logic places the deadline in the present.
What "quantum-safe voice" actually requires
Start with what is not broken. AES-256-GCM, the symmetric cipher that encrypts the media stream in serious voice systems, is not the weak point. The best known quantum attack on symmetric ciphers, Grover's algorithm, at most halves the effective key length, and NIST IR 8547 confirms that symmetric primitives offering at least 128 bits of classical security are expected to remain adequate [2]. AES-256 sits far above that line. Claims that quantum computers will "break AES" are marketing, not cryptanalysis.
The weak point is the key exchange. The session key that AES-256 uses is negotiated, on almost every existing voice platform, with RSA or elliptic-curve Diffie-Hellman — and those are what Shor's algorithm defeats. Quantum-safe voice therefore requires one specific, checkable property: a standardized post-quantum KEM — ML-KEM, standardized in FIPS 203 and finalized on 13 August 2024 [5] — protecting the session-key establishment of every call, deployed now rather than at the 2030 deadline, and ideally in hybrid combination with a classical scheme, as both the EU roadmap and ANSSI recommend [3][4]. Every call completed before that switch is one more classical ciphertext in somebody's archive.
Voice adds one precision that generic PQC checklists miss: a post-quantum TLS tunnel to your SIP provider does not make the call quantum-safe. If the media keys are generated, derived or escrowed by a server that negotiated them with classical cryptography, the harvested traffic remains breakable regardless of the transport. The KEM must protect the end-to-end media key path itself.
A migration checklist for voice
Inventory and classify first. Map every path where voice crosses infrastructure you do not control — carrier networks, conferencing clouds, SIP trunks, roaming legs — and assign each flow a secrecy lifetime. Following the EU roadmap's definition, anything still damaging after ten years belongs in the high-risk class and moves first [3].
Then demand evidence, not roadmaps. A credible vendor answer to "are you quantum-safe?" names the KEM (ML-KEM per FIPS 203), states whether it runs hybrid, shows known-answer-test results against the official test vectors, and explains where media keys are generated and stored. Crypto-agility — the ability to update a product's cryptographic algorithms without recalling or replacing it — should be a contractual requirement; ANSSI explicitly encourages crypto-agility in future products [4].
Finally, sequence by secrecy lifetime, not by procurement convenience. The conversations whose transcripts still matter in 2040 migrate first. Waiting for certification cycles to complete before adding PQC to the key exchange is itself a risk decision: every month of delay is another month of harvestable ciphertext that no future audit can recall.
Where Q-Audion stands
This analysis is the design premise behind Q-Audion, the hardware-encrypted anti-interception voice system built by BCrypto in Torino. Q-Audion implements ML-KEM-1024 — the highest-security parameter set of FIPS 203 — in a dedicated hardware crypto accelerator for the key establishment of every call, with AES-256-GCM protecting the media stream. Its patent-pending "DMA Air-Gap" places a dedicated MEMS microphone inside a secure enclave built on an ARM TrustZone-M TEE, galvanically isolated from the host phone, so the host operating system never enters the audio path; on-device TinyML screens for deepfake audio. The system spans an encrypted earbud, Android, iOS and desktop apps, a sovereign server and a PQC VPN, works alongside standard BYOD phones, and is built on an EU-designed supply chain. Three patents were filed with the Italian patent office (UIBM) in 2026.
The honest status: Q-Audion is at TRL 6 — firmware feature-complete, with known-answer tests gating every cross-platform CI build — and holds no FIPS 140-3, Common Criteria or national-agency certification yet. Organizations that require certified equipment today should weigh that openly. But harvest-now-decrypt-later inverts the usual ordering: certification protects you in tomorrow's assessment, while post-quantum key establishment protects you against today's recording. For conversations whose secrecy must outlast a decade, the second clock is the one already running.