AI Summary
This work addresses the exposure of conventional public-key cryptography (RSA, ECC) to "harvest now, decrypt later" (HNDL) attacks, in which an adversary records session-key establishment traffic today and decrypts it once a cryptographically relevant quantum computer exists. To mitigate the threat without modifying endpoints, the paper proposes a transparent proxy that intercepts key-exchange requests at the boundary of a trusted network and supplies quantum-safe key agreement on behalf of clients that lack post-quantum support. The design combines multi-path key fragmentation across diverse physical layers (Wi-Fi, Bluetooth, NFC, cellular, Ethernet), anonymous transmission through proxy pools, post-quantum cryptography (PQC) offloading, and a QKD interface, coordinated by a hybrid handshake protocol. A formal analysis shows that the attacker's key-recovery probability decays as (B/d)^n, that is, exponentially in the number of fragments spread over distinct transport media. A 1,000-run prototype evaluation on AWS EC2 shows that end-to-end latency is dominated by network conditions rather than by the fragmentation overhead, which supports practical deployment in front of unmodified clients.
Abstract
The harvest-now, decrypt-later (HNDL) threat--adversaries intercepting and archiving ciphertext today for retrospective decryption once quantum computers mature--turns the future quantum threat into a present liability for the public-key primitives (RSA, Diffie-Hellman, ECC) that anchor modern session-key exchange. We present Aquaman, a transparent-proxy architecture for quantum-resilient session-key establishment. A transparent proxy intercepts session-key requests at the edge of a trusted network without requiring client-side configuration, deploying quantum-resistant capability at the network boundary on behalf of clients that may themselves lack post-quantum cryptography (PQC).
Aquaman supports four operating modes: PQC offloaded to the proxy for clients without trusted PQC stacks; classical multi-path key fragmentation over heterogeneous media (with an optional anonymous proxy-pool variant); QKD with the SKIP/ETSI GS QKD 014 key-delivery interface; and classical/PQC hybrid handshakes. We implement and evaluate the first two modes; the latter two are well-trodden in the PQC literature and we discuss but do not implement them. The implemented multi-path mode splits the session key into ciphertext fragments distributed across diverse media (Wi-Fi, Bluetooth, NFC, cellular, Ethernet); reconstruction requires all fragments. We formalize the security argument and prove that recovery probability decays as (B/d)^n in the diversity dimension. A 1,000-run prototype evaluation on AWS EC2 shows that latency is dominated by network transmission, not by multi-path overhead.
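The multi-path mode above rests on two properties: every fragment is required to reconstruct the session key, and an adversary who taps only some of the media therefore needs luck proportional to (B/d)^n. The following Python is an added illustration, not code from the Aquaman paper or prototype. It assumes a concrete all-or-nothing scheme (n-of-n XOR secret sharing, which the abstract does not specify) and a simplified interception model in which each fragment independently traverses one of d media chosen uniformly at random and the adversary passively monitors a fixed set of B of them; under those assumptions the closed form in the abstract follows directly, and a Monte Carlo run cross-checks it. The MEDIA list is constructed for the example, and the names B, d, n are read as described in that assumed model.

```python
import random
import secrets
from fractions import Fraction

# Constructed list of transport media for the example; the abstract names these five.
MEDIA = ["wifi", "bluetooth", "nfc", "cellular", "ethernet"]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("fragment length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split `key` into n all-or-nothing fragments (n-of-n XOR secret sharing, assumed scheme).

    n-1 fragments are uniformly random and the last one is chosen so that the XOR
    of all n equals the key, so any n-1 fragments are independent of the key.
    """
    if n < 2:
        raise ValueError("need at least two fragments")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def reconstruct_key(shares: list[bytes]) -> bytes:
    """XOR all fragments together; correct only when every fragment is present."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def assign_media(n: int, media: list[str], rng: random.Random) -> list[str]:
    """Assumed model: each fragment independently picks one of the d media uniformly."""
    return [rng.choice(media) for _ in range(n)]


def adversary_recovers(shares: list[bytes], assignment: list[str], tapped: set[str]):
    """A passive adversary monitoring the media in `tapped` observes a fragment only
    if its medium is tapped. Returns the recovered key, or None if any fragment is missing."""
    seen = [s for s, m in zip(shares, assignment) if m in tapped]
    if len(seen) < len(shares):
        return None  # all-or-nothing: partial capture yields nothing usable
    return reconstruct_key(seen)


def recovery_probability(B: int, d: int, n: int) -> Fraction:
    """Closed form from the abstract under the assumed model:
    P(all n fragments traverse tapped media) = (B/d)^n."""
    if not 0 <= B <= d or n < 1:
        raise ValueError("need 0 <= B <= d and n >= 1")
    return Fraction(B, d) ** n


def simulate_recovery(B: int, d: int, n: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the same probability, used to cross-check the formula."""
    rng = random.Random(seed)
    media = MEDIA[:d]
    tapped = set(media[:B])
    key = secrets.token_bytes(16)
    hits = 0
    for _ in range(trials):
        shares = split_key(key, n)
        assignment = assign_media(n, media, rng)
        if adversary_recovers(shares, assignment, tapped) == key:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    shares = split_key(key, 3)
    assert reconstruct_key(shares) == key
    for B in range(0, len(MEDIA) + 1):
        p = recovery_probability(B, len(MEDIA), 3)
        print(f"B={B} d={len(MEDIA)} n=3  P(recover) = {p} = {float(p):.4f}")
    print("simulated (B=2, d=5, n=3):", simulate_recovery(2, 5, 3, 20000))
```

Raising n (more fragments over more distinct media) shrinks the adversary's probability geometrically while leaving the legitimate proxy's work linear in n, which is the trade-off the abstract's evaluation reports as "latency dominated by network transmission". If fragments were instead sent over distinct media without replacement, the exact probability would be C(B, n)/C(d, n), which is never larger than (B/d)^n, so the closed form above is the conservative bound for that variant.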