Post-Quantum

Sign Today, Forge Tomorrow (STFT) or Trust Now, Forge Later (TNFL) Risk

Photo of Marin Marin Follow on X Send an email October 6, 2018
8 minutes read
Sign Today, Forge Tomorrow STFT Trust Now, Forge Later TNFL

[Updated in Sep 2025 – It seems that industry is slowly adopting the Trust Now, Forge Later (TNFL) term – which I accept, sounds better – to describe the same thing. I updated the article to include both terms]

Introduction

When people talk about quantum computing’s threat to cybersecurity, Harvest Now, Decrypt Later (HNDL) is the phrase that pops up. It refers to adversaries quietly collecting encrypted data today in the hope that a future quantum computer can crack RSA or elliptic‑curve encryption and reveal the information. The risk is real, especially for records that must remain confidential for decades – think health records, classified intelligence or long‑term contracts.

Yet there’s another, less publicised danger that worries me even more: Sign Today, Forge Tomorrow (STFT) Risk (or Trust Now, Forge Later (TNFL)).

I’ve spent two decades of my 30+ years of experience focused on cyber-kinetic risks in operational technology (OT) and IoT security, and leading OT/IoT security practices for Big 4 and global companies and advising governments. Since the mid‑1990s I’ve argued that digital threats don’t just jeopardise data – they can compromise physical safety by hijacking the machines we rely on.

I believe that SFTF – the possibility that quantum computers will allow attackers to forge digital signatures and certificates – could have even more disruptive consequences than HNDL, particularly for OT and cyber‑physical systems.

Harvest Now, Decrypt Later vs. Sign Today, Forge Tomorrow / Trust Now, Forge Later

Harvest Now, Decrypt Later – a recap

HNDL is a straightforward three‑stage process: adversaries harvest encrypted traffic now, store it, and wait until quantum computers can break the underlying key exchange or encryption algorithms. Modern communications rely on RSA and elliptic‑curve cryptography, which Shor’s algorithm could solve in polynomial time. Once a cryptographically relevant quantum computer emerges, all of the previously harvested data can be decrypted, exposing sensitive information. By now only a small fraction of websites have deployed quantum‑safe hybrid key exchange and that when Q‑Day arrives the confidentiality of web sessions, APIs and stored secrets could evaporate.

Sign Today, Forge Tomorrow / Trust Now, Forge Later – the overlooked twin

SFTF is the digital‑signature equivalent of HNDL. Digital signatures underpin everything from software updates and firmware integrity to identity verification and supply‑chain provenance. Today’s signatures are based on RSA or ECDSA, which quantum computers will also break. When that happens, adversaries won’t just read secrets – they will forge signatures at will. The term Sign-Today-Forge-Tomorrow or Trust-Now-Forge-Later describes situations where the roots of trust are set at manufacture time and cannot be updated; once quantum computers exist, those signatures become meaningless. Hardware roots such as ePassports, industrial control systems and satellites often embed long‑lived keys; field updates may be impossible or incomplete

I often describe SFTF as “the day digital signatures turn into wet ink.”  While HNDL threatens confidentiality, SFTF undermines integrity and non‑repudiation. In many industries, losing trust is far costlier than losing secrecy.

Why Sign Today, Forge Tomorrow (Trust Now, Forge Later) is more dangerous than Harvest Now, Decrypt Later

Digital signatures aren’t just about code signing and email; they form the root of trust for everything from firmware updates and secure boot to e‑passport validation, OTA (over‑the‑air) updates in vehicles and smart‑meter identities. Once adversaries can forge these signatures, they can pass off malicious software as authentic, impersonate legitimate services, issue bogus certificates and even rewrite historical records.

Unlike encrypted secrets, which remain opaque until a future decryption, a forged signature yields immediate and invisible compromise. A malicious firmware image or software update signed with a forged key would install smoothly – exactly as if it came from the vendor. Users and automated systems would never know they were compromised. Forging TLS certificates and code‑signing keys is the more immediate and damaging threat. In other words, Q‑Day for signatures doesn’t have a slow‑burn lead time like HNDL; it’s a cliff.

In OT and IoT, many devices have lifespans of decades and cannot be easily patched. My OT migration article points out that industrial control systems often use minimal cryptography, but where crypto is used – such as trusted firmware, VPN access, and remote workstation authentication – a compromise has a disproportionate impact.

The same article warns that forging digital signatures would allow malicious firmware to be uploaded or update packages to be spoofed, letting attackers impersonate authorized workstations or remote engineers. Industrial equipment controlling chemical plants, manufacturing lines or power grids could be manipulated to cause physical harm or shut down operations. The encryption consulting blog adds that many IoT sensors and industrial controllers have hard‑coded cryptographic algorithms and cannot support field updates.

Compromised signatures, compromised safety

For critical systems, STFT is not just an IT problem – it’s a safety problem. Quantum computers could forge the proofs of authenticity that global trade relies on, allowing attackers to inject malicious control commands into operational technology.

When cryptographic control fails in OT, the result could be equipment damage, environmental disasters or even loss of life. As I’ve written before, many industrial systems were designed before cybersecurity was a consideration. They rely on obscurity and a plethora of proprietary protocols. Those protocols don’t stop an adversary with a forged certificate.

Why isn’t STFT/TNFL talked about more?

HNDL is easy to explain and resonates with privacy concerns: your encrypted secrets could be read in the future. STFT, on the other hand, sounds esoteric – until you realise it touches every trust decision a computer makes. Most people assume digital signatures are immutable – we treat them like the wax seals of yore. The idea that a future quantum computer could turn those seals into mere scribbles is unsettling.

Another reason is that OT and cyber‑physical attacks are under‑reported. My research on cyber‑kinetic risks highlights how Stuxnet destroyed Iranian centrifuges and how pacemaker hacking could kill people. These incidents are rarely publicised because they mix cyber and kinetic consequences, creating a fear factor that governments and companies prefer not to highlight.

The OT and Cyber‑Kinetic Angle – From Bits to Bolts

In the OT article on PostQuantum, I analysed how a quantum‑broken cryptosystem in industrial settings could lead to catastrophic outcomes. Quantum‑enabled attackers could forge signatures on firmware updates, inject malicious logic into programmable logic controllers (PLCs), or impersonate maintenance engineers. A forged VPN certificate could give an attacker remote access to a safety‑critical control network. Because OT networks are now interconnected with IT networks, quantum‑broken IT credentials could be used as a stepping stone into the plant.

The article also lists a table of typical OT cryptographic use cases: secure boot, signed firmware, device identity, VPNs and access control. Each of these uses could be undermined by SFTF. For example, secure boot relies on verifying a signature before executing firmware. If that signature can be forged, the boot process becomes meaningless.

Long lifecycles and limited patch windows

Industrial equipment often remains in service for 15-30 years. Updating firmware is disruptive and sometimes requires plant shutdowns; patching windows are limited and may only occur annually or during major outages. Regulations, safety certifications and vendor dependencies make it hard to replace cryptography quickly. Many devices have insufficient processing power to support lattice‑based PQC algorithms. This is why I argue that quantum‑ready planning must start now, not in 2030 when the quantum cat is out of the bag.

Linking to decades of cyber‑kinetic research

Since the mid‑1990s I’ve been warning about the coupling of cyberspace and physical systems. My cyber‑kinetic risks article recounts how Vice President Dick Cheney disabled the wireless functionality of his defibrillator after security researchers showed pacemakers could be hacked. It describes how manipulated sensors could cause pipeline explosions or pump lethal doses in medical devices. These examples weren’t theoretical – they highlighted the silent severity of cyber‑physical threats. In the same article I lament that little is publicly said about cyber‑kinetic attacks and that conferences often focus on technology rather than safety.

SFTF is the natural extension of this work. When quantum computers can forge signatures, they provide adversaries with a golden key to open the cyber‑physical door. The threat isn’t just stolen data – it’s manipulated machinery and lost lives. That is why I’ve built my career around OT security and continue to push for more awareness on cyber‑kinetic risks.

Building quantum‑ready trust: what can we do?

Embrace crypto‑agility and inventory

Modern systems must be designed for crypto‑agility – the ability to swap cryptographic algorithms without rewriting the entire system. NIST’s PQC standards are being been finalized. But migrating to PQC is not a simple drop‑in replacement. Organisations should inventory every use of public key cryptography, identify hard‑coded keys in firmware, and plan for staged upgrades. The Ping Identity article urges agencies to monitor standards like JOSE and COSE and build the flexibility to transition to quantum‑resistant algorithms.

Protect and update roots of trust

Hardware roots of trust such as Trusted Platform Modules (TPMs), Hardware Security Modules (HSMs) and secure elements must evolve to support PQC. Encryption Consulting highlights that each device’s built‑in identity must be immutable and cannot be forged; in a quantum world, protecting this identity is crucial to prevent impersonation. Secure boot processes, key storage and random number generation need quantum‑resistant algorithms. Vendors like Entrust have released firmware upgrades that add PQC algorithms to existing HSMs. Organisations should pressure vendors to provide PQC support and plan hardware refresh cycles accordingly.

Refresh long‑term digital archives

Digital archives signed today could be compromised tomorrow. The Ascertia blog notes that quantum computing can break RSA/ECDSA, meaning archives or timestamped files may be decrypted or forged in future. To mitigate this, it recommends using archival techniques like PAdES Long‑Term Archival (LTA) which periodically refreshes signatures with quantum‑safe algorithms. Legal departments should ensure contracts, court documents and e‑signatures remain valid by re‑signing them with PQC schemes.

Plan for OT/IoT constraints

OT environments pose unique challenges. Many devices lack the memory or CPU to handle large lattice‑based signatures. Manufacturers must incorporate lightweight PQC algorithms such as SPHINCS+ for constrained devices. In cases where hardware cannot be updated, network‑level protections like gateway proxies that validate PQC signatures can offer an interim defence. For long‑lived devices that cannot be upgraded, replacement or isolation strategies may be required.

Advocate for cyber‑kinetic safety and awareness

Finally, raising awareness remains critical. Boards and regulators often focus on privacy and HNDL, but they must also understand SFTF/TNFL’s threat to safety and integrity. As security professionals, we need to communicate that a quantum attack could change the value of the digital signature on a control command, causing real‑world harm. We must push for cross‑disciplinary collaboration between IT security, OT engineers, safety professionals and policymakers. Only by breaking down silos can we build resilience into the cyber‑physical world.

Conclusion

The world is racing toward quantum computing, and the time to plan is now. While Harvest Now, Decrypt Later has captured media attention, Sign Today, Forge Tomorrow / Trust Now, Forge Later is the darker twin that could undermine digital trust, break supply chains and endanger lives. The threat of forged signatures is not hypothetical; it is grounded in the same quantum algorithms that threaten encryption, and it affects the very mechanisms that maintain integrity and authenticity. For operational technology and cyber‑physical systems, the stakes are even higher because forged credentials translate into physical danger.

Photo of Marin Marin Follow on X Send an email October 6, 2018
8 minutes read
Photo of Marin

Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Bluesky
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap