PQC-Enhanced QKD Networks: A Layered Approach

TL;DR

This paper proposes a layered network architecture combining QKD and PQC to enable scalable, secure quantum networks with practical deployment and demonstrated in simulations and lab tests.

Contribution

It introduces a modular, dual-layer design integrating QKD and PQC, validated with open-source implementation and experimental evaluation.

Findings

Uninterrupted multi-hop operation demonstrated in tests

Low resource footprint and fail-safe mechanisms validated

Security of individual components preserved in composition

Abstract

We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long distance multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, low resource footprint and fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination and outline migration paths for operators integrating QKD-aware overlays in existing infrastructures.