PQC-Enhanced QKD Networks: A Layered Approach
This addresses security for quantum network operators by incrementally enhancing existing QKD deployments with PQC protection.
The paper tackles the challenge of providing scalable end-to-end security in long-distance multi-hop quantum networks by combining Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) in a layered architecture, achieving uninterrupted operation with low resource footprint in experiments.
We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long distance multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, low resource footprint and fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination and outline migration paths for operators integrating QKD-aware overlays in existing infrastructures.