algorithms cryptography industry research

Quantum-safe IPsec in the banking industry

Curator's Take

This research tackles one of the most pressing challenges facing the financial industry: preparing secure communications for the post-quantum era before current encryption becomes vulnerable to quantum attacks. The work demonstrates a practical hybrid approach that combines traditional encryption, quantum key distribution, and post-quantum algorithms within existing banking network infrastructure, validating the system across a real-world testbed spanning multiple countries and technology platforms. What makes this particularly significant is that it provides banks with a migration path they can implement today, rather than waiting for finalized post-quantum standards in IPsec protocols. The successful integration of incompatible quantum key distribution systems from different vendors also shows that quantum-safe banking networks can be built using diverse, commercially available technologies.

— Mark Eatherly

Summary

The emergence of Cryptographically Relevant Quantum Computers (CRQCs) presents a critical threat to classical cryptographic systems, particularly widely adopted public-key schemes such as RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC). Given their extensive use in the financial sector, the prospect of quantum adversaries compels banking institutions to proactively develop and adopt quantum-safe communication mechanisms. This paper introduces a hybrid quantum-safe architecture in which key distribution is orchestrated via Software-Defined Networking (SDN). The proposed framework enables the early integration of Classical Cryptography (CC), Quantum Key Distribution (QKD), and Post-Quantum Cryptography (PQC) within a Dynamic Multipoint Virtual Private Network (DMVPN) environment, providing highly scalable, full-mesh, site-to-site encrypted communications for enterprise networks. This is particularly relevant at a time when PQC algorithms have not yet been incorporated into finalized IPsec standards. The architecture has been validated across a five-node testbed comprising three physical nodes within a campus network in Madrid and two private-cloud nodes located in the north of Spain and in Mexico. The deployment leverages a heterogeneous mix of physical and virtual devices, diverse technology providers, Discrete Variable QKD (DV-QKD) and Continuous Variable QKD (CV-QKD) implementations, and mutually incompatible key-delivery interfaces (ETSI GS QKD 004, ETSI GS QKD 014 and Cisco SKIP), showing flexibility, scalability, and interoperability across environments. Through this framework, we demonstrate that quantum-safe communication in financial networks is not only technically feasible but also scalable, interoperable, and resilient. The proposed architecture establishes a robust, flexible, and future-proof foundation for secure financial communications in the era of quantum computing.
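The hybrid CC + QKD + PQC combination described in the summary above, as an added example that is not code from the paper or its testbed: a Python key combiner that feeds a classical (EC)DH shared secret, a PQC KEM shared secret and a key obtained from a QKD key-delivery interface through HKDF (RFC 5869) into a single IPsec SA key. Everything in it is an assumption made for illustration: the source labels, the salt string, the `qkd_key_id` (shaped like an ETSI GS QKD 014 `key_ID`), the SPI and the sample secrets are constructed, and the paper's actual key-mixing mechanism and SDN orchestration are not shown on this page.

```python
# Added example (not from the paper): hybrid key combiner for CC + PQC + QKD.
# HKDF per RFC 5869 over length-prefixed inputs; all secrets below are
# constructed sample bytes, and the labels, salt, key_ID and SPI are assumptions.
import hashlib
import hmac
import struct

HASH = hashlib.sha256


class MissingKeySource(Exception):
    """Raised when site policy requires a key source that was not supplied."""


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), i = 1, 2, ..."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_secrets(parts):
    """Length-prefix each (label, secret) pair so the concatenation is unambiguous:
    (b"DH", b"ab") || (b"KEM", b"c") cannot collide with (b"DH", b"a") || (b"KEM", b"bc")."""
    out = b""
    for label, secret in parts:
        out += struct.pack(">H", len(label)) + label
        out += struct.pack(">H", len(secret)) + secret
    return out


def combine_keys(classical_ss, pqc_ss, qkd_key, *, qkd_key_id, spi,
                 required=("DH", "KEM", "QKD"), length=32):
    """Derive one IPsec SA key from whichever key sources are present.

    `required` is the site policy: a missing required source raises instead of
    silently downgrading to a weaker combination (e.g. on a QKD link outage).
    The QKD key_ID and the SA's SPI are bound into the HKDF info so that both
    peers derive the same key only if they fetched the same QKD key for the
    same SA; a mismatch surfaces at IKE authentication rather than as a
    silently different key.
    """
    sources = {"DH": classical_ss, "KEM": pqc_ss, "QKD": qkd_key}
    missing = [name for name in required if not sources[name]]
    if missing:
        raise MissingKeySource(f"policy requires {missing}; refusing silent downgrade")
    present = [(name.encode(), secret) for name, secret in sources.items() if secret]
    salt = HASH(b"hybrid-ipsec-combiner-v1").digest()  # public, fixed domain separator
    prk = hkdf_extract(salt, encode_secrets(present))
    info = (b"ESP|" + qkd_key_id.encode() + b"|" + spi.to_bytes(4, "big")
            + b"|" + b",".join(name for name, _ in present))
    return hkdf_expand(prk, info, length)


# Constructed sample inputs (not real session material).
DH_SS = bytes.fromhex("11" * 32)    # classical (EC)DH shared secret
KEM_SS = bytes.fromhex("22" * 32)   # PQC KEM (e.g. ML-KEM style) shared secret
QKD_KEY = bytes.fromhex("33" * 32)  # key returned by the key-delivery interface
QKD_KEY_ID = "6b9e9f3a-7f3b-4b9c-8a0b-1d4e5f6a7b8c"  # hypothetical key_ID
SPI = 0x0A0B0C0D


def demo():
    """Both peers derive the same key; a different QKD key yields a different key."""
    peer_a = combine_keys(DH_SS, KEM_SS, QKD_KEY, qkd_key_id=QKD_KEY_ID, spi=SPI)
    peer_b = combine_keys(DH_SS, KEM_SS, QKD_KEY, qkd_key_id=QKD_KEY_ID, spi=SPI)
    other_qkd = combine_keys(DH_SS, KEM_SS, bytes.fromhex("44" * 32),
                             qkd_key_id=QKD_KEY_ID, spi=SPI)
    return peer_a == peer_b, peer_a != other_qkd


if __name__ == "__main__":
    print(demo())
```

The combiner is the generic shape of the idea; in deployed IKEv2 the standardised mechanisms for the same thing are RFC 8784 (mixing a pre-shared key, such as a QKD-delivered key, into the IKE SA keys) and RFC 9370 (additional KEM exchanges alongside the classical one). The practitioner point is the policy check: the derived key remains secure as long as at least one input is secret, but an orchestrator that quietly drops the QKD input when the key-delivery interface is unavailable turns a three-source SA into a two-source one without anyone noticing, so absence of a required source must be an error, not a fallback.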