Search papers, labs, and topics across Lattice.
This paper analyzes the economic feasibility of harvest-now, decrypt-later (HN-DL) attacks against TLS 1.2, TLS 1.3, QUIC, and SSH by quantifying adversary costs using an open-source testbed that simulates the full attack sequence. The analysis demonstrates that archiving intercepted traffic is economically trivial for adversaries, highlighting decryption cost as the primary defensive consideration. The study identifies Encrypted Client Hello as a means to inflate storage costs for attackers and aggressive rekeying/larger key exchange parameters as effective strategies to increase the quantum computational workload required for decryption.
Archiving encrypted traffic for future quantum decryption is cheap, so the real defense lies in making the decryption itself prohibitively expensive through strategies like aggressive rekeying.
Harvest-now, decrypt-later (HN-DL) attacks threaten today's encrypted communications by archiving ciphertext until a quantum computer can break the underlying key exchange. This paper reframes HN-DL as an economic problem, quantifying adversary costs across Transport Layer Security (TLS) 1.2, TLS 1.3, QUIC, and Secure Shell (SSH) with an open-source testbed that reproduces the full attack sequence. Our model shows that retaining intercepted traffic is economically trivial, shifting the defensive question from whether an adversary can archive to how much decryption will cost. We evaluate protocol configuration strategies that act along two independent cost axes: storage overhead and quantum workload. Beyond the ongoing migration to post-quantum cryptography, these strategies provide defense in depth with current infrastructure. Encrypted Client Hello forces indiscriminate bulk collection, inflating the archive the adversary must retain, while aggressive rekeying and larger key exchange parameters multiply the quantum computations required to recover plaintext. Because storage inflation penalizes both sides while quantum cost inflation targets the adversary alone, rekeying and key size selection offer the strongest defensive levers.
