The harvest-now, decrypt-later (HNDL) threat--adversaries intercepting and archiving ciphertext today for retrospective decryption once quantum computers mature--turns the future quantum threat into a present liability for the public-key primitives (RSA, Diffie-Hellman, ECC) that anchor modern session-key exchange. We present Aquaman, a transparent-proxy architecture for quantum-resilient session-key establishment. A transparent proxy intercepts session-key requests at the edge of a trusted network without requiring client-side configuration, deploying quantum-resistant capability at the network boundary on behalf of clients that may themselves lack post-quantum cryptography (PQC). Aquaman supports four operating modes: PQC offloaded to the proxy for clients without trusted PQC stacks; classical multi-path key fragmentation over heterogeneous media (with an optional anonymous proxy-pool variant); QKD with the SKIP/ETSI GS QKD 014 key-delivery interface; and classical/PQC hybrid handshakes. We implement and evaluate the first two modes; the latter two are well-trodden in the PQC literature and we discuss but do not implement them. The implemented multi-path mode splits the session key into ciphertext fragments distributed across diverse media (Wi-Fi, Bluetooth, NFC, cellular, Ethernet); reconstruction requires all fragments. We formalize the security argument and prove that recovery probability decays as (B/d)^n in the diversity dimension. A 1,000-run prototype evaluation on AWS EC2 shows that latency is dominated by network transmission, not by multi-path overhead.
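The all-fragments-required property and the (B/d)^n decay can be checked numerically with the added example below, which is not code from the Aquaman authors. It rests on assumptions the abstract does not confirm: an n-of-n XOR split stands in for the paper's fragmentation scheme and operates on the raw key rather than on ciphertext, B is taken to be the number of media an eavesdropper monitors out of d, n is the fragment count, and each fragment is routed over an independently and uniformly chosen medium.

```python
import random
import secrets
from functools import reduce

# The five media named in the abstract; d is the number of distinct media.
MEDIA = ["Wi-Fi", "Bluetooth", "NFC", "cellular", "Ethernet"]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """n-of-n XOR split (assumed scheme): any n-1 fragments look uniformly random."""
    if n < 2:
        raise ValueError("need at least two fragments")
    pads = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, key)]


def reconstruct(fragments: list[bytes]) -> bytes:
    """XOR of all fragments; a missing fragment yields an unrelated value."""
    return reduce(xor_bytes, fragments)


def capture_probability(b: int, d: int, n: int) -> float:
    """Closed form (B/d)^n under the independence assumption stated above."""
    return (b / d) ** n


def simulate_capture(b: int, d: int, n: int, trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo estimate: fraction of sessions where all n fragments
    travel over one of the b monitored media (media 0..b-1, by symmetry)."""
    rng = random.Random(seed)
    hits = sum(all(rng.randrange(d) < b for _ in range(n)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample session key
    frags = split_key(key, 4)
    print("reconstructs:", reconstruct(frags) == key)
    print("without one fragment:", reconstruct(frags[:-1]) == key)
    d = len(MEDIA)
    for n in (1, 2, 4, 8):                 # eavesdropper monitors 2 of 5 media
        print(n, capture_probability(2, d, n), simulate_capture(2, d, n))
```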