Network-wide Quantum Key Distribution with Onion Routing Relay (Conference Version)
Pedro Otero-García, David Pérez-Castro, Manuel Fernández-Veiga, Ana Fernández-Vilas
TL;DR
The paper addresses secure key distribution in QKD networks under the threat of compromised intermediate nodes. It proposes Onion Routing Relay (ORR), a hybrid framework that blends key-relay QKD with onion routing and post-quantum cryptography to achieve end-to-end confidentiality and anonymity. ORR-Ext adds end-to-end authentication, delivering stronger CIA assurances at a significant QoS penalty. Through simulations comparing KR, TN, ORR, and ORR-Ext, the study finds that ORR provides competitive security enhancements with acceptable QoS, while ORR-Ext imposes large overhead that may limit use to highly security-sensitive applications. The work demonstrates the practicality of hybrid QC–PQC designs for scalable, secure QKDNs and outlines pathways for real-world deployment and performance benchmarking.
Abstract
The advancement of quantum computing threatens classical cryptographic methods, necessitating the development of secure quantum key distribution (QKD) solutions for QKD Networks (QKDN). In this paper, a novel key distribution protocol, Onion Routing Relay (ORR), that integrates onion routing (OR) with post-quantum cryptography (PQC) in a key-relay (KR) model is evaluated for QKDNs. This approach increases the security by enhancing confidentiality, integrity, authenticity (CIA principles), and anonymity in quantum-secure communications. By employing PQC-based encapsulation, ORR aims to avoid the security risks posed by intermediate malicious nodes and ensures end-to-end security. Our results show a competitive performance of the basic ORR model, against current KR and trusted-node (TN) approaches, demonstrating its feasibility and applicability in high-security environments maintaining a consistent Quality of Service (QoS). The results also show that while basic ORR incurs higher encryption overhead, it provides substantial security improvements without significantly impacting the overall key distribution time. Nevertheless, the introduction of an end-to-end authentication extension (ORR-Ext) has a significant impact on the Quality of Service (QoS), thereby limiting its suitability to applications with stringent security requirements.
