What Is Trust Now, Forge Later (TNFL)?

This is part of the Quantum Security Reference Deep Dive series. For the full landscape overview, see the capstone article on quantum security.

Introduction

Trust Now, Forge Later (TNFL) describes the risk that digital signatures created today using RSA or ECC could be forged retroactively once a quantum computer capable of running Shor’s algorithm becomes available. I first introduced this concept in 2018 (originally as Sign Today, Forge Tomorrow, or STFT) as the signature-side counterpart to Harvest Now, Decrypt Later (HNDL). Where HNDL threatens the confidentiality of encrypted data, TNFL threatens the integrity and authenticity of signed data.

How TNFL Works

Digital signatures prove that a specific entity created or approved a specific piece of data. A document signed with an RSA or ECDSA key can be verified by anyone holding the corresponding public key. The security depends on the assumption that only the legitimate signer could have produced the signature, because only they possess the private key.

Shor’s algorithm breaks this assumption. Given a public key (which is, by definition, publicly available), a quantum computer running Shor’s can derive the corresponding private key. With the private key in hand, an attacker can forge signatures that are cryptographically indistinguishable from legitimate ones.

The “forge later” element is what distinguishes TNFL from a simple future vulnerability. Signatures made today will still be relied upon for years or decades. A software update signed with an RSA key in 2025 will still be trusted by systems that verify it in 2035. A legal contract signed with ECDSA today retains its binding force for the duration of the agreement. A root certificate issued today anchors a chain of trust that may extend for 20 years. If a quantum computer can forge the signing key at any point during that period, every signature ever made with that key becomes suspect.

Why TNFL May Be More Urgent Than HNDL

HNDL gets more attention because it is easier to explain and its threat model is more intuitive: someone steals your encrypted data and reads it later. TNFL is subtler, but I have argued that its consequences may be more disruptive than the encryption threat.

The argument rests on three observations.

Signatures are harder to migrate than encryption. Encryption protects data in transit or at rest; once you upgrade the algorithm, new data is protected immediately. Signatures, however, are attached to artifacts that persist: signed firmware, signed certificates, signed legal documents, signed software packages. Migrating signatures means re-signing existing artifacts or establishing new trust chains, which is operationally more complex than encrypting new data with a new algorithm.

The failure mode is systemic. A compromised encryption key exposes the data encrypted under that key. A compromised signing key undermines every artifact that was ever signed with it, and every system that trusts those signatures. In software supply chains, a single forged code-signing certificate could be used to distribute malicious updates to millions of endpoints. The signature supply chain runs deeper than most organizations realize.

Verification happens in the future. Encryption is consumed at the time of decryption; once data is read, the encryption has served its purpose. Signatures are verified at the time of reliance, which may be years after signing. A document signed today and verified in 2035 is vulnerable if a CRQC exists by 2035, even if no quantum computer existed when the signature was created.

What TNFL Threatens

The scope of TNFL exposure extends across every domain where digital signatures establish trust.

PKI and certificate hierarchies depend on signed root and intermediate certificates. If the root CA’s signing key can be forged, the entire certificate chain collapses. Software distribution relies on code-signing certificates to verify that updates and applications come from legitimate publishers. Forged signatures could enable supply chain attacks at massive scale. Legal and financial instruments increasingly carry digital signatures with long-term validity. A forged signature on a contract, regulatory filing, or financial instrument creates disputes that may be impossible to resolve. Identity systems use signed tokens and certificates for authentication. Forged identity credentials undermine access control across every connected system.

The Defense

The defense against TNFL is the same as the defense against HNDL: migrate to post-quantum cryptography. Specifically, migrate digital signature infrastructure to ML-DSA (FIPS 204), SLH-DSA (FIPS 205), or FN-DSA (FIPS 206, once finalized).

The sequencing matters. As I argue in my analysis of why signature migration should come before encryption migration, the trust infrastructure that signatures protect is both more difficult to migrate and more consequential if compromised. Organizations with limited resources should prioritize their certificate hierarchies, code-signing infrastructure, and long-lived legal signature workflows before turning to bulk data encryption.

For the full treatment of digital signatures in the post-quantum era, my article on the future of digital signatures in a post-quantum world covers the technical and operational dimensions in depth.

Go Deeper

Harvest Now, Decrypt Later (HNDL) — the encryption-side counterpart

Sign Today, Forge Tomorrow (STFT) / Trust Now, Forge Later (TNFL) — the original concept

Trust Now, Forge Later: The Overlooked Quantum Threat — full analysis

Signature Migration Before Encryption — why trust infrastructure comes first

The Signature Supply Chain — how deep digital trust goes

The Future of Digital Signatures in a Post-Quantum World — technical and operational outlook