Privacy Enhanced QKD Networks: Zero Trust Relay Architecture based on Homomorphic Encryption
Aitor Brazaola-Vicario, Oscar Lage, Julen Bernabé-Rodríguez, Eduardo Jacob, Jasone Astorga
TL;DR
QKD networks face distance limitations in terrestrial fibre and rely on trusted relays, which can become security liabilities. The authors introduce a zero-trust relay architecture that uses fully homomorphic encryption (FHE) based on the BFV scheme (rooted in $LWE$) to perform intermediate OTP re-encryption without exposing plaintext keys, augmented by externally generated QRNGs for crypto-agility and optional confidential hardware. This approach preserves the unconditional security of QKD while eliminating trust assumptions about relay operators and remains compatible with ETSI QKD standards, demonstrated through a hybrid testbed with simulated and commercial equipment. The work advances scalable, secure QKD deployments by enabling confidential multi-hop key forwarding across networks like EuroQCI, without requiring wholesale architectural changes to existing devices.
Abstract
Quantum key distribution (QKD) enables unconditionally secure symmetric key exchange between parties. However, terrestrial fibre-optic links face inherent distance constraints due to quantum signal degradation. Traditional solutions to overcome these limits rely on trusted relay nodes, which perform intermediate re-encryption of keys using one-time pad (OTP) encryption. This approach, however, exposes keys as plaintext at each relay, requiring significant trust and stringent security controls at every intermediate node. These "trusted" relays become a security liability if compromised. To address this issue, we propose a zero-trust relay design that applies fully homomorphic encryption (FHE) to perform intermediate OTP re-encryption without exposing plaintext keys, effectively mitigating the risks associated with potentially compromised or malicious relay nodes. Additionally, the architecture enhances crypto-agility by incorporating external quantum random number generators, thus decoupling key generation from specific QKD hardware and reducing vulnerabilities tied to embedded key-generation modules. The solution is designed with the existing European Telecommunication Standards Institute (ETSI) QKD standards in mind, enabling straightforward integration into current infrastructures. Its feasibility has been successfully demonstrated through a hybrid network setup combining simulated and commercially available QKD equipment. The proposed zero-trust architecture thus significantly advances the scalability and practical security of large-scale QKD networks, greatly reducing reliance on fully trusted infrastructure.