Public-key primitives that today anchor session-key establishment - RSA, Diffie-Hellman, and elliptic-curve cryptography - reduce to integer factorization or discrete logarithm and are therefore vulnerable to Shor's algorithm on a sufficiently capable quantum computer. The harvest-now, decrypt-later (HNDL) threat model turns this future capability into a present liability: ciphertext archived today can be decrypted retrospectively once a cryptographically relevant quantum computer becomes available. We propose a session-key establishment scheme that distributes a freshly generated key as multiple, independently encrypted fragments across distinct, ephemeral Tor circuits between an onion-service proxy and an onion-service client. Reconstruction requires every fragment; each fragment travels its own per-bundle circuit established via a NEWNYM signal. The security argument rests on the standard end-to-end correlation bound for onion routing: an adversary controlling a fraction of Tor relays must independently deanonymize every fresh circuit to correlate the fragments belonging to one session, and the per-fragment probability of success decays multiplicatively in the number of fragments. We implement the design as a Flask-based prototype on AWS EC2, with both the proxy and the client deployed as Tor onion services, and measure end-to-end key-establishment latency. The implemented prototype completes a key establishment in 13-20 s on average (7-50 s including tails), of which approximately 88% is attributable to Tor-related delay - a cost we discuss in the context of the privacy-versus-responsiveness trade-off.
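The two mechanisms the abstract rests on, all-fragments-required splitting and the multiplicative correlation bound, written out as an added Python illustration (not the paper's prototype code): XOR secret sharing as the splitting method and an f² per-circuit compromise probability (adversary must hold both ends of a circuit) are assumptions made here, since the abstract fixes neither.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("fragments must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split a session key into n fragments (assumed XOR sharing).

    The first n-1 fragments are fresh random strings; the last is chosen
    so the XOR of all n equals the key. Any n-1 fragments are uniformly
    random on their own, so reconstruction needs every fragment, matching
    the 'all fragments required' property in the abstract.
    """
    if n < 2:
        raise ValueError("need at least two fragments")
    frags = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for f in frags:
        last = xor_bytes(last, f)
    frags.append(last)
    return frags


def reconstruct(frags: list[bytes]) -> bytes:
    """Recover the key by XOR-ing all fragments (each one received over
    its own circuit in the described scheme)."""
    out = bytes(len(frags[0]))
    for f in frags:
        out = xor_bytes(out, f)
    return out


def correlation_success(relay_fraction: float, n_fragments: int) -> float:
    """Upper bound on the adversary correlating one session's fragments.

    Assumed model: controlling fraction f of relay bandwidth compromises
    one independent circuit with probability f**2 (both guard and exit
    position). With n fresh circuits, all must be compromised, so the
    bound decays multiplicatively: (f**2) ** n.
    """
    if not 0.0 <= relay_fraction <= 1.0 or n_fragments < 1:
        raise ValueError("fraction in [0,1], at least one fragment")
    return (relay_fraction ** 2) ** n_fragments
```

With a 10% relay share, one circuit is correlated with probability 1e-2, but four independently routed fragments push the per-session bound to 1e-8.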