Hybrid Quantum Security for IPsec
Javier Blanco-Romero, Pedro Otero García, Daniel Sobral-Blanco, Florina Almenares Mendoza, Ana Fernández Vilas, Manuel Fernández-Veiga

TL;DR
This paper compares sequential and parallel hybrid QKD-PQC key establishment strategies for IPsec, introducing two novel approaches that improve performance and security integration of quantum key distribution into existing protocols.
Contribution
It presents the first systematic comparison of hybrid QKD-PQC strategies for IPsec and introduces two new methods supporting existing QKD standards with enhanced performance.
Findings
Parallel hybrid approaches reduce latency compared to sequential methods.
The pure QKD approach minimizes bandwidth overhead with identifier-based key coordination.
Experimental results show significant performance gains in realistic network conditions.
Abstract
Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel…
