Request access
RankShield Network · Financial

Harvest now, decrypt later.Sign it quantum-safe today.Harvest now, decrypt later is the quantum risk to payments: an adversary records signed records today and forges them once a quantum computer arrives. RankShield Financial signs every payment intent with composite ML-DSA-65 (FIPS 204), hybrid and crypto-agile, so a durable, verifiable authorization survives that future.

ml-dsa-65 · fips 204hybridcrypto-agile
signing algorithm · crypto-agility registryrotatable
standard
FIPS 204
security level
NIST Level 3
public key
1,952 B
signature
3,309 B

Default. Lattice-based. Civilian / HVA / EU-hybrid grade.

every signature is independently verifiable against the NIST standard — rotating the algorithm doesn’t break past proofs.
01 // The threat model
What HNDL actually is

What is the harvest-now-decrypt-later threat model?

The harvest-now-decrypt-later threat model is simple and patient: an adversary records signed or encrypted data today, stores it, and waits to break it once a cryptographically-relevant quantum computer exists. The attack has two phases separated by years. In the harvest phase, which is happening now, the attacker needs no special hardware — just the ability to capture and retain traffic and records. In the decrypt phase, once a capable quantum machine arrives, the harvested material is attacked at leisure. For payments this is uniquely dangerous because a payment authorization is long-lived evidence. It may need to prove, years after the fact, that a specific payer, payee, amount, and purpose were approved by a specific identity. A signature that was safe when it was made can become forgeable in retrospect, which means a record harvested today is only as durable as the algorithm that signed it. This is why the quantum risk to payments is a present-tense decision even though the machine is not yet here: the record has to outlive the threat.

How RankShield signs quantum-safe
Harvest today
No special hardware needed now — the attacker only has to capture and retain signed records and traffic.
Decrypt later
Once a cryptographically-relevant quantum computer arrives, the stored material is attacked at leisure.
02 // The worst-case triad
Why payments are the sharp edge

Why is instant, irreversible, and a forged signature the worst-case triad?

Instant, irreversible, and a forged signature is the worst-case triad because the three properties compound into a payment that cannot be caught or undone and that looks completely legitimate. First, instant: RTP and FedNow settle in seconds, so there is no window to reverse a bad authorization after the fact. Second, irreversible: there is no chargeback and nothing to claw back once value moves on instant, tokenized, or on-chain rails. Third, a forged signature is indistinguishable from a real one — if a future quantum attacker can forge the authorization, the fraudulent payment carries a perfectly valid-looking approval. Any one of these is a problem; all three together are the nightmare, because a forged approval settles with finality in seconds and there is no anomaly to notice and no recourse afterward. RankShield Financial cannot change the rails’ speed or their finality — those are features. What it can do is remove the third leg by making the authorization itself durable: sign every intent with a post-quantum scheme so the signature stays hard to forge, now and against a quantum computer, keeping harvest-now-decrypt-later from turning a recorded approval into a forged one.

Instant
RTP and FedNow settle in seconds — no window to reverse a bad authorization.
Irreversible
No chargeback on instant, tokenized, or on-chain rails — nothing to claw back once value moves.
Forged = valid
A forged signature looks legitimate, so the signature itself must be quantum-safe.
Sign at source
RankShield removes the third leg by signing every intent post-quantum at creation — durable against a future quantum attacker.
03 // The softer target
ECC vs RSA under Shor

Why are crypto rails an easier quantum target than RSA?

Crypto rails are an easier quantum target than RSA because of the math the two families rely on. Elliptic-curve cryptography — including the secp256k1 curve that secures most on-chain value — achieves equivalent classical security with much smaller keys than RSA. That efficiency is a feature classically, but under a future quantum computer running Shor’s algorithm it cuts the other way: breaking an elliptic-curve key is generally expected to take fewer quantum resources than breaking a comparably-rated RSA key. In other words, the very compactness that makes secp256k1 attractive for blockchains also makes those signatures a comparatively softer quantum target. This is directly relevant to harvest-now-decrypt-later on on-chain and stablecoin rails: a public ledger is, by design, a permanent archive of signed transactions, which is exactly the kind of material an adversary would harvest and store. RankShield Financial does not rely on the classical curve alone. Every payment intent is signed with a post-quantum scheme hybridized with a classical signature, so the authorization stays verifiable even if the underlying elliptic-curve signature is one day broken by a quantum attacker.

04 // The standards
What RankShield signs with

How does RankShield sign every intent quantum-safe?

RankShield Financial signs every payment intent with composite ML-DSA-65 — the NIST-standardized lattice signature defined in FIPS 204, finalized in August 2024 — hybridized with a classical signature. The hybrid construction is deliberate: pair a proven classical primitive with the new post-quantum one, so an authorization stays verifiable even if either scheme is later weakened, and neither is a single point of failure. The design is crypto-agile, which is the real durability guarantee. The signing algorithm can rotate from ML-DSA-65 to the higher-assurance ML-DSA-87, or to hash-based SLH-DSA (FIPS 205, an entirely different mathematical family) if lattice schemes are ever questioned — without re-architecting the platform and without breaking past proofs, because each signature stays independently verifiable against the standard it was made under. The instrument in the hero makes this concrete: toggle between ML-DSA-65, ML-DSA-87, and SLH-DSA to see the real standard, security level, and key and signature sizes for each. The moat is agility, not any single algorithm, because guidance will keep evolving over the life of a payment record.

Post-quantum

ml-dsa-65 · fips 204

Each intent is signed with the NIST-standardized lattice signature from FIPS 204 — durable integrity for a record that may need to hold up as evidence for years.

Hybrid

pq + classical together

Post-quantum and classical signatures are applied together, so a payment stays verifiable even if one scheme is later questioned. The conservative path through the transition.

Crypto-agile

rotate without re-architecting

Rotate ML-DSA-65 → ML-DSA-87 → SLH-DSA as standards move. Past signatures stay independently verifiable against the standard they were made under.

05 // Transport
The channel, too

What about the channel the harvested data travels over?

Signing protects the authorization; transport protects the channel it travels over — and harvest-now-decrypt-later applies to the channel just as much as to the record. Where the surrounding stack supports it, RankShield Financial uses hybrid post-quantum TLS — X25519MLKEM768, combining classical X25519 with ML-KEM (FIPS 203) — so session keys resist harvest-now capture and later quantum decryption. It is a hybrid by the same principle as the signing layer: pair a proven classical primitive with the new post-quantum one, so neither is a single point of failure. Both layers track the current NIST post-quantum standards, and both are built to rotate as those standards advance. The signature proves who authorized a payment; hybrid PQ TLS protects the traffic that carries it, so an adversary who harvests the session gains nothing durable.

X25519MLKEM768ML-KEM · FIPS 203ML-DSA · FIPS 204SLH-DSA · FIPS 205
06 // The timeline
Standards and mandates

What is the post-quantum standards timeline for payments?

Read the timeline precisely, because the honest version is more useful than the hyped one. NIST finalized the core post-quantum standards — FIPS 203 (ML-KEM), 204 (ML-DSA), and 205 (SLH-DSA) — in August 2024; those are the finished schemes RankShield Financial signs with today. Separately, NIST IR 8547 is a draft that proposes deprecating RSA and elliptic-curve cryptography after 2030 and disallowing them after 2035. That is a proposed transition timeline, not a hard law, and it should be read as guidance rather than a mandate. And underlying all of it: a cryptographically-relevant quantum computer does not exist yet, so this is preparation against harvest-now-decrypt-later, not a response to a machine already in the wild. RankShield does not wait for a mandate — signing every intent post-quantum now, and staying crypto-agile, is how a long-lived payment record stays defensible whether or not the draft becomes binding.

MilestoneStatusWhat it means
Cryptographically-relevant quantum computerDoes not exist yetThe threat is harvest-now-decrypt-later, not a machine already in the wild.
FIPS 203 · 204 · 205Finalized Aug 2024ML-KEM, ML-DSA, SLH-DSA are standardized — the schemes RankShield signs with.
NIST IR 8547 — deprecate RSA/ECC after 2030Draft / proposedA proposed transition timeline, not law — read as guidance, not a mandate.
NIST IR 8547 — disallow RSA/ECC after 2035Draft / proposedProposed end-state. RankShield already signs post-quantum and stays crypto-agile.
07 // The evidence
Why sign now

Why sign every payment intent post-quantum today?

Sign every payment intent post-quantum today because the record has to outlive the threat, and you only control the algorithm at the moment of signing. Once a payment authorization is made, it becomes evidence that may need to prove for years who approved a specific payer, payee, amount, and purpose. If it was signed with a classical-only signature, an adversary who harvested it now can forge or repudiate it the day a quantum computer arrives — and there is no way to retroactively strengthen a signature already made. RankShield Financial therefore signs at creation with composite ML-DSA-65 in a hybrid, crypto-agile design, and seals the decision to a tamper-evident record on the RankShield Network. The result is a durable, independently verifiable authorization: a signed intent whose integrity does not depend on a quantum computer never being built, and whose algorithm can be rotated forward as the standards move. That is what quantum-safe by construction means for payments — not a promise of being quantum-proof, but a standards-tracking posture that keeps harvested records from becoming forged ones.

08 // Inside the flow
Where the signature lives

Where does post-quantum signing sit in the payment flow?

Post-quantum signing sits at the very moment a payment intent is created, before any verdict is reached. RankShield Financial reduces each payment to a canonical intent record — payer, payee, amount, purpose — and signs that record with composite ML-DSA-65 the instant it exists. Only then is the intent verified and resolved to released, held, or denied ahead of settlement on an irreversible rail. Signing first is what makes the verdict trustworthy: the released or held decision, and the reasons behind it, are bound to a signature that a future quantum attacker cannot forge, and the whole decision is sealed to a tamper-evident record on the RankShield Network. Afterward, an enrolled settlement oracle can return a signed receipt confirming the payment settled as attested, or flagging a divergence, so the post-quantum authorization is checked all the way through to final settlement. Harvest-now-decrypt-later is defeated not by a single feature but by signing durably at creation and keeping that signature verifiable across the entire released-held-denied flow.

FAQ

Harvest now, decrypt later — questions, answered.

What is harvest now, decrypt later?
Harvest now, decrypt later (HNDL) is an attack in which an adversary records encrypted or signed data today and stores it, waiting to break it once a cryptographically-relevant quantum computer exists. No such machine exists yet, so the attack is patient rather than immediate. It matters because a payment authorization is long-lived evidence: it may need to prove, years later, that a specific payer, payee, amount, and purpose were approved by a specific identity. Data harvested now is exposed the day a capable quantum computer arrives. RankShield Financial signs each payment intent with post-quantum cryptography today so the record stays durable against that future.
Is the quantum risk to payments real if no quantum computer exists yet?
Yes, because the risk is about the record’s lifetime, not today’s hardware. A cryptographically-relevant quantum computer does not exist today, and no one can say precisely when one will. But an adversary can harvest signed payment records now and attack them later, and a payment authorization may need to hold up as evidence for years. So waiting until a capable machine is announced means every record signed in the interim is already exposed to harvest-now-decrypt-later. RankShield Financial treats post-quantum signing as a present-tense decision because the evidence has to outlive the threat, not because a quantum computer is here.
Why is instant, irreversible settlement plus a forged signature the worst case?
Because three properties compound. Instant: RTP and FedNow settle in seconds, so there is no window to reverse a bad authorization after the fact. Irreversible: there is no chargeback and nothing to claw back once value moves on instant, tokenized, or on-chain rails. And a forged signature is indistinguishable from a real one — if an adversary can forge the authorization, the fraudulent payment looks perfectly legitimate. Together, instant plus irreversible plus a breakable signature is the worst-case triad: a forged approval that settles finally in seconds. Post-quantum signing removes the third leg by making the authorization durable and hard to forge.
Are crypto rails an easier quantum target than RSA?
In one important sense, yes. Elliptic-curve cryptography — including the secp256k1 curve used across most crypto rails — uses smaller keys than RSA for equivalent classical security, and a future quantum computer running Shor’s algorithm is generally expected to need fewer resources to break elliptic-curve keys than to break comparably-rated RSA. That makes the signature schemes securing on-chain value a comparatively softer quantum target. RankShield Financial does not rely on the classical curve alone: it signs every intent with a post-quantum scheme hybridized with a classical signature, so the authorization stays verifiable even against a quantum attacker.
Which post-quantum standards does RankShield use?
RankShield Financial signs every payment intent with composite ML-DSA-65, the NIST-standardized lattice signature from FIPS 204, hybridized with a classical signature. FIPS 203 (ML-KEM), 204 (ML-DSA), and 205 (SLH-DSA) were finalized by NIST in August 2024. Where the surrounding stack supports it, transport uses hybrid post-quantum TLS — X25519MLKEM768, combining classical X25519 with ML-KEM (FIPS 203). The design is crypto-agile: the signing algorithm can rotate to the higher-assurance ML-DSA-87 or to hash-based SLH-DSA without re-architecting the platform or breaking past proofs.
What does NIST IR 8547 say about the timeline?
NIST IR 8547 is a draft that proposes deprecating RSA and elliptic-curve cryptography after 2030 and disallowing them after 2035. It is a proposed transition timeline, not a hard law, and should be read as guidance rather than a mandate. RankShield Financial does not wait for a mandate: signing every intent with post-quantum cryptography today, and staying crypto-agile, is how a long-lived payment record stays defensible whether or not the draft becomes binding. The separate, finalized FIPS 203, 204, and 205 standards are what the platform builds on now.
Is this quantum-proof?
No — RankShield Financial is quantum-safe by construction, never quantum-proof. No honest vendor can promise a system is unbreakable against every future attack. What we can commit to is signing every payment intent with the current NIST post-quantum standard, hybridized with classical cryptography, and designed to rotate algorithms as those standards advance. It is a durable, standards-tracking posture against harvest-now-decrypt-later, not an absolute guarantee. The moat is crypto-agility — the ability to rotate ML-DSA-65 to ML-DSA-87 or SLH-DSA — not any single algorithm.
Verify, then settle

Sign your payments quantum-safe before they settle.

RankShield Financial is rolling out post-quantum intent signing with design partners on instant, tokenized, and on-chain rails. Request access and we’ll map it to your settlement flow.

Request accessQuantum-safe payments