On the Practical Feasibility of Harvest-Now, Decrypt-Later Attacks

TL;DR

This paper analyzes the economic feasibility of harvest-now, decrypt-later attacks, showing that strategic protocol configurations can significantly increase adversary costs, thus enhancing current encryption defenses against future quantum threats.

Contribution

It models HN-DL attacks as an economic problem and evaluates protocol strategies that increase adversary costs using open-source testbeds.

Findings

Retaining intercepted traffic is economically trivial for adversaries.

Protocol strategies like rekeying and larger key sizes increase quantum decryption costs.

Encrypted Client Hello inflates storage needs for attackers.

Abstract

Harvest-now, decrypt-later (HN-DL) attacks threaten today's encrypted communications by archiving ciphertext until a quantum computer can break the underlying key exchange. This paper reframes HN-DL as an economic problem, quantifying adversary costs across Transport Layer Security (TLS) 1.2, TLS 1.3, QUIC, and Secure Shell (SSH) with an open-source testbed that reproduces the full attack sequence. Our model shows that retaining intercepted traffic is economically trivial, shifting the defensive question from whether an adversary can archive to how much decryption will cost. We evaluate protocol configuration strategies that act along two independent cost axes: storage overhead and quantum workload. Beyond the ongoing migration to post-quantum cryptography, these strategies provide defense in depth with current infrastructure. Encrypted Client Hello forces indiscriminate bulk collection, inflating the archive the adversary must retain, while aggressive rekeying and larger key exchange parameters multiply the quantum computations required to recover plaintext. Because storage inflation penalizes both sides while quantum cost inflation targets the adversary alone, rekeying and key size selection offer the strongest defensive levers.