PQC-Enhanced QKD Networks: A Layered Approach

Curator's Take

This research tackles one of quantum networking's most pressing challenges by creating a practical bridge between today's quantum key distribution systems and the post-quantum cryptographic standards we'll need tomorrow. The layered architecture is particularly clever because it allows existing QKD infrastructure to work seamlessly with emerging post-quantum algorithms without requiring hardware overhauls, essentially future-proofing quantum networks against both classical and quantum threats. The use of standard protocols like WireGuard makes this approach immediately deployable, addressing the critical gap between quantum cryptography's theoretical promise and real-world network requirements. This work represents a significant step toward making quantum-secured communications practical for large-scale deployment while maintaining robust security guarantees.

— Mark Eatherly

Summary

We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long-distance, multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, a low resource footprint and fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination, and outline migration paths for operators integrating QKD-aware overlays in existing infrastructures.
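The hop-wise layer described in the summary (a WireGuard pre-shared key rotated from keys delivered over ETSI GS QKD 014) can be sketched as follows. This is an added example, not code from the paper or its authors: the function names, interface name, peer key, file path and sample key container are constructed, and the fail-safe policy (keep the current key when a response is unusable) is an assumption about what such a mechanism would do. The Rosenpass end-to-end layer is not modelled.

```python
import base64
import json

WG_PSK_BYTES = 32  # a WireGuard pre-shared key is exactly 256 bits

# Constructed ETSI GS QKD 014 key container, shaped like the body returned by
# GET /api/v1/keys/{slave_SAE_ID}/enc_keys?number=1&size=256 (sample values).
SAMPLE_RESPONSE = json.dumps({"keys": [{
    "key_ID": "00000000-0000-4000-8000-000000000001",
    "key": base64.b64encode(bytes(range(32))).decode(),
}]})


def parse_key_container(body: str) -> tuple[str, str]:
    """Return (key_ID, base64 PSK); raise ValueError if the body is unusable."""
    try:
        entry = json.loads(body)["keys"][0]
        key_id, key_b64 = entry["key_ID"], entry["key"]
        raw = base64.b64decode(key_b64, validate=True)
    except (KeyError, IndexError, TypeError, ValueError) as exc:
        raise ValueError(f"malformed key container: {exc}") from exc
    if len(raw) != WG_PSK_BYTES:
        raise ValueError(f"expected {WG_PSK_BYTES}-byte key, got {len(raw)}")
    return key_id, base64.b64encode(raw).decode()


def rotation_plan(body, iface, peer_pubkey, psk_path, current_key_id):
    """Decide what one hop does with a single key-manager response.

    Assumed fail-safe: on any error the tunnel keeps its current PSK
    instead of clearing it or installing a truncated key.
    """
    try:
        key_id, psk = parse_key_container(body)
    except ValueError as exc:
        return {"action": "keep", "key_id": current_key_id, "reason": str(exc)}
    if key_id == current_key_id:
        return {"action": "keep", "key_id": key_id, "reason": "key_ID not fresh"}
    return {
        "action": "rotate",
        "key_id": key_id,  # sent to the peer, which requests dec_keys for it
        "psk_file": (psk_path, psk + "\n"),  # contents to write with mode 0600
        "argv": ["wg", "set", iface, "peer", peer_pubkey,
                 "preshared-key", psk_path],
    }
```

Only the `key_ID` crosses the classical channel between the two hop endpoints; the key material itself is read from the local key manager on each side and written to a file that `wg set` reads.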