On the Practical Feasibility of Harvest-Now, Decrypt-Later Attacks

TL;DR

This paper reframes HN-DL as an economic problem, quantifying adversary costs across Transport Layer Security (TLS) 1.2, TLS 1.3, QUIC, and Secure Shell with an open-source testbed that reproduces the full attack sequence.

Abstract

Harvest-now, decrypt-later (HN-DL) attacks threaten today's encrypted communications by archiving ciphertext until a quantum computer can break the underlying key exchange. This paper reframes HN-DL as an economic problem, quantifying adversary costs across Transport Layer Security (TLS) 1.2, TLS 1.3, QUIC, and Secure Shell (SSH) with an open-source testbed that reproduces the full attack sequence. Our model shows that retaining intercepted traffic is economically trivial, shifting the defensive question from whether an adversary can archive to how much decryption will cost. We evaluate protocol configuration strategies that act along two independent cost axes: storage overhead and quantum workload. Beyond the ongoing migration to post-quantum cryptography, these strategies provide defense in depth with current infrastructure. Encrypted Client Hello forces indiscriminate bulk collection, inflating the archive the adversary must retain, while aggressive rekeying and larger key exchange parameters multiply the quantum computations required to recover plaintext. Because storage inflation penalizes both sides while quantum cost inflation targets the adversary alone, rekeying and key size selection offer the strongest defensive levers.

Figures (5)

• Figure 1: Protocol overhead ratio $\alpha$ vs. session payload. Lines: analytical model; markers: loopback captures. Stream reassembly lowers $\alpha$ slightly (transport term vanishes).
• Figure 2: Monte Carlo HN-DL cost as a function of harvest fraction ($10{,}000$ draws). The plot unifies annual storage bounds (green band) with cumulative exposure over three multi-year retention horizons (green-to-blue bands, $T_r = 5, 10, 15$ years). Solid lines mark median costs; inner bands span the 25th--75th percentiles and outer bands the 5th--95th percentiles. The model compounds log-normal payload uncertainty (median 2 MB) and fully-loaded storage OpEx ($\pm 30\%$ around $12.16/TB-year) with compounding annual traffic growth (20--30%/yr cisco2020air) and annual storage price change ($-10\%$ to $+20\%$/yr backblaze2024costdrivereuters2025memorychip). Network interception costs are excluded.
• Figure 3: Effective quantum multiplier $E_\mathrm{eff}(L,R) = \lceil L/R \rceil$. $R$ denotes the byte budget between DH exchanges. Above the $R = L$ diagonal, $E_\mathrm{eff} = 1$: rekeying provides zero protection against targeted prefix extraction. The dotted line marks the per-rekey overhead floor, where connection bandwidth becomes overwhelmingly dominated by cryptography. Vertical guides indicate ballpark extraction targets ranging from a credential exchange ($\sim$4 KB) to a full initial page load ($\sim$256 KB), representing order-of-magnitude application-layer payload sizes after the handshake.
• Figure 4: Quantum cost multiplier $E$ for SSH rekeying and TLS 1.3 PSK-DHE rotation. Markers denote measured values from the testbed; curves show $\lceil P/R_\mathrm{eff}\rceil$. SSH uses effective thresholds derived from transport-level byte counting ($R_\mathrm{eff} \approx 2 R_\mathrm{nom}$). TLS markers confirm $E = \lceil P/R\rceil$ exactly (15 captures, all match).
• Figure 5: Maximum theoretical padding ($b = 16{,}384$ B) aggressively inflates $\alpha$ for small sessions but imposes negligible friction on large transfers.