For most of the last decade, the quantum threat to cryptography was discussed as a single problem with a single tense: one day, a quantum computer will break the encryption that protects banking, identity and payments. The DST National Quantum Mission Task Force report reframes that into something a risk committee can actually act on. It names two distinct threats, and it insists both are present-tense.
The first is familiar. The second is the one that should change how Indian boards think about the timeline.
Why public-key cryptography is on a clock at all
Almost everything that establishes trust online — a TLS handshake, a digital signature on a payment instruction, the certificate chain behind a banking app — rests on public-key cryptography: RSA, elliptic-curve cryptography, and Diffie–Hellman. Their security comes from mathematical problems that are infeasible for classical computers to solve in any useful timeframe.
A sufficiently large, stable quantum computer running Shor's algorithm dissolves that assumption. As the report puts it, the vulnerability exists regardless of implementation quality, because it comes from a mathematical breakthrough, not a coding flaw. A perfectly written RSA-2048 implementation is exactly as exposed as a sloppy one. The research community converges on a window of roughly 2030–2032 for that capability — what is colloquially called Q-Day. At Davos in January 2026, the chief executive of a leading quantum-computing firm warned it could arrive within three years; the report cites a survey in which 70% of executives expect quantum-enabled cyberattacks within five.
The dangerous part is not Q-Day itself. It is that both attacks begin before it.
The first clock: Harvest Now, Decrypt Later
HNDL is the threat the security community has discussed for years. An adversary does not need a quantum computer today to benefit from one tomorrow. They need only to capture and store encrypted traffic now — TLS sessions, API calls, authentication tokens, database backups — and wait. When a cryptographically relevant quantum computer arrives, the stored ciphertext is decrypted retroactively.
For Indian BFSI this is not abstract. The data that flows through a bank has a long shelf life: KYC records, Aadhaar-linked identity data, loan and account histories, strategic communications. Information that must stay confidential for ten or twenty years is being protected today by algorithms expected to fall well inside that horizon. The report is blunt about the consequence — all cryptographic transition planning should proceed under an "assume-breach" principle, because retrospective mitigation after Q-Day is impossible. You cannot un-harvest data.
The second clock: Trust Now, Forge Later
TNFL is the threat the report elevates to equal standing, and it works on the opposite property of cryptography. HNDL attacks confidentiality — the secrecy of data. TNFL attacks authenticity — the trust placed in a signature.
Here is the mechanism. A digital signature today proves that a particular party authorised a particular thing: a high-value transfer, a software update, a certificate, a regulatory filing. That proof depends on the signing key being unforgeable. Once a quantum computer can recover a private key from its public counterpart, every signature ever produced with that key — and every new signature an attacker chooses to mint — becomes forgeable. An adversary can fabricate authorisations, firmware updates, or certificates that appear to have been signed, legitimately, today.
The exposure window for TNFL is arguably worse than for HNDL, because the artefacts that carry long-lived trust — root certificates, code-signing keys, firmware in long-shelf-life systems — are precisely the ones organisations are slowest to rotate. A root of trust deployed now with a ten-year life is a standing invitation.
What this means for an Indian risk committee
The two clocks dismantle the most common objection to acting now: "Q-Day is years away, so this can wait." If you accept HNDL, today's confidential data is already at risk. If you accept TNFL, today's signatures and roots of trust are already at risk. The migration timeline is therefore not driven by when the quantum computer arrives — it is driven by how long your data and your signatures need to remain trustworthy, counted backwards from Q-Day.
That is why the report's milestones are dated from 2027, not 2030. The work of inventory, prioritisation and migration takes years, and the threat is accruing against you the entire time.
The practical first move is unglamorous and entirely doable today: understand where vulnerable cryptography lives in your estate, which data it protects, and which of it is internet-facing and therefore HNDL-exposed. You cannot defend two clocks you cannot see.
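One way to turn the two clocks into a first-pass exposure inventory, as an added example that is not taken from the report or from any vendor's product: each asset's slack is counted backwards from Q-Day using how long its data or signatures must stay trustworthy. The Asset fields, the 2030 Q-Day (low end of the window quoted above), the two-year migration time and the inventory rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Public-key families the article names as broken by Shor's algorithm.
QUANTUM_VULNERABLE = {"RSA", "ECC", "DH"}
Q_DAY = 2030  # assumption: low end of the 2030-2032 window quoted above

@dataclass
class Asset:
    name: str
    family: str            # "RSA", "ECC", "DH", or a non-vulnerable label
    purpose: str           # "confidentiality" or "signature"
    data_class: str        # what the asset protects
    internet_facing: bool  # traffic observable from outside the perimeter
    lifetime_years: int    # how long secrecy / signature trust must hold from today

def assess(asset, today, migration_years=2, q_day=Q_DAY):
    """Return the clock an asset is on and its slack in years (negative = late)."""
    if asset.family not in QUANTUM_VULNERABLE:
        return {"name": asset.name, "clock": None, "slack": None, "harvestable": False}
    clock = "HNDL" if asset.purpose == "confidentiality" else "TNFL"
    # Count backwards from Q-Day: protection must outlive the asset's lifetime,
    # and the migration itself (assumed 2 years) takes time before it helps.
    slack = (q_day - today) - asset.lifetime_years - migration_years
    # HNDL needs captured ciphertext; TNFL needs only the public key.
    harvestable = clock == "HNDL" and asset.internet_facing
    return {"name": asset.name, "clock": clock, "slack": slack,
            "harvestable": harvestable, "data_class": asset.data_class}

def prioritise(assets, today, **kw):
    """Late assets first; within those, harvestable paths first, then least slack."""
    rows = [r for r in (assess(a, today, **kw) for a in assets) if r["clock"]]
    return sorted(rows, key=lambda r: (r["slack"] >= 0, not r["harvestable"], r["slack"]))

# Constructed inventory for illustration; not real systems.
INVENTORY = [
    Asset("mobile-banking TLS", "ECC", "confidentiality", "KYC records", True, 10),
    Asset("core-ledger backup link", "RSA", "confidentiality", "account histories", False, 20),
    Asset("firmware signing root", "RSA", "signature", "HSM firmware", False, 10),
    Asset("partner API tokens", "DH", "confidentiality", "session tokens", True, 1),
    Asset("pilot PQC gateway", "ML-KEM", "confidentiality", "KYC records", True, 10),
]

if __name__ == "__main__":
    for r in prioritise(INVENTORY, today=2026):
        print(f'{r["clock"]} slack={r["slack"]:+d}y harvestable={r["harvestable"]} '
              f'{r["name"]} -> {r["data_class"]}')
```

Negative slack means the asset's trust requirement already extends past the assumed Q-Day once migration time is counted; short-lived material such as the session tokens comes out with positive slack and drops to the bottom of the list.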
Both clocks turn on the same question: which assets are quantum-vulnerable, and what do they protect? KavachQ's SCORE module classifies each cryptographic asset by quantum risk and explicitly flags HNDL-exposed, internet-facing paths — separating data that may already be harvested from data still behind your perimeter. The output is keyed to data class, so a committee sees not just "RSA in use" but "RSA protecting KYC records, externally reachable." The starting point is an exposure inventory, not a product trial.