
Toward quantum-safe scalable networks: an open, standards-aware key management framework

Ane Sanz, Asier Atutxa, David Franco, Jasone Astorga, Eduardo Jacob, Diego López

TL;DR

This work tackles the scalability challenge of QKD networks by introducing a standards-aware, SDN-based architecture that centralizes KMS discovery and end-to-end relay path computation. It deploys a hierarchical KMS structure with per-node vKMS and a Quantum Security Controller (QuSeC) to manage multi-hop key delivery, while maintaining interoperability via ETSI QKD APIs. The approach is analyzed for security under a Dolev-Yao model and validated through a Kubernetes-based performance assessment, which shows modest control-plane overhead and scalable latency with increasing hop count. The framework promises practical, vendor-agnostic deployment of quantum-safe networks capable of supporting complex topologies and dynamic relay paths.

Abstract

With the advent of quantum computing, the increasing threats to security pose a great challenge to communication networks. Recent innovations in this field have resulted in promising technologies such as Quantum Key Distribution (QKD), which enables the generation of unconditionally secure keys, establishing secure communications between remote nodes. Additionally, QKD networks enable the interconnection of multinode architectures, extending the point-to-point nature of QKD. However, due to the limitations of the current state of the technology, the scalability of QKD networks remains a challenge toward feasible implementations. For long-distance deployments, trusted relay nodes partially solve the distance issue by forwarding the distributed keys, allowing applications that do not have a direct QKD link to securely share key material. Even though the relay procedure itself has been extensively studied, the establishment of the relaying node path still lacks a solution. This paper proposes an innovative network architecture that solves the challenges of Key Management System (KMS) identification, relay path discovery, and scalability of QKD networks by integrating Software-Defined Networking (SDN) principles, establishing a high-level virtual KMS (vKMS) in each node, and creating a new entity called the Quantum Security Controller (QuSeC). The vKMS serves the end-user key requests, managing the multiple KMSs within the node and relieving the user of discovering the correct KMS. Additionally, based on its high-level view of the network topology and status, the QuSeC serves the path discovery requests from vKMSs, computing the end-to-end (E2E) relay path and applying security policies. The paper also provides a security analysis of the proposal, identifying the security levels of the architecture and analyzing the core networking security properties.
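The two mechanisms the abstract combines, a controller that computes a policy-constrained relay path from a global view of the topology, and hop-by-hop trusted-relay forwarding of an E2E key under one-time-pad with the link keys, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the paper or its authors. The `QuSeC` and `RelayNode` classes, the topology, the key-availability counts and the link-key pools are all constructed here (the paper's real interfaces run over the ETSI QKD APIs and are not modelled), and the security policy is reduced to two checks the abstract implies: only trusted nodes may act as relays, and a link must hold enough unconsumed key material.

```python
"""Toy model of QuSeC relay-path computation plus trusted-relay key forwarding.

Added example, not the paper's code. Node and class names, the topology and
all key material below are constructed for illustration.
"""
import heapq
import secrets
from collections import defaultdict

KEY_LEN = 32  # bytes; one-time-pad relay needs link keys as long as the E2E key


class QuSeC:
    """Hypothetical controller with a global view of QKD links and node trust.

    `links` maps (a, b) -> number of unconsumed link keys on that QKD link;
    `trusted` is the set of nodes the operator's policy allows as relays.
    """

    def __init__(self, links, trusted):
        self.adj = defaultdict(dict)
        for (a, b), avail in links.items():
            self.adj[a][b] = avail
            self.adj[b][a] = avail
        self.trusted = set(trusted)

    def compute_path(self, src, dst, min_keys=1):
        """Fewest-hop path whose links hold >= min_keys and whose intermediate
        nodes are all trusted. Returns [] when no such path exists."""
        dist, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            d, u = heapq.heappop(heap)
            if u == dst:
                break
            if d > dist.get(u, float("inf")):
                continue  # stale heap entry
            if u != src and u not in self.trusted:
                continue  # policy: a relay node learns every key it forwards
            for v, avail in self.adj[u].items():
                if avail < min_keys:
                    continue  # policy: link key pool too low to serve the request
                if d + 1 < dist.get(v, float("inf")):
                    dist[v], prev[v] = d + 1, u
                    heapq.heappush(heap, (d + 1, v))
        if dst not in dist:
            return []
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return path[::-1]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class RelayNode:
    """Hypothetical per-node vKMS holding link-key pools toward each QKD peer."""

    def __init__(self, name, pools):
        self.name = name
        self.pools = pools  # peer -> list of shared link keys, consumed front-first

    def pop_link_key(self, peer):
        return self.pools[peer].pop(0)


def build_network(links, key_len=KEY_LEN):
    """Constructed stand-in for QKD: each link gets identical random key pools
    at both endpoints, one key per unit of availability."""
    pools = defaultdict(dict)
    for (a, b), n in links.items():
        shared = [secrets.token_bytes(key_len) for _ in range(n)]
        pools[a][b], pools[b][a] = list(shared), list(shared)
    return {name: RelayNode(name, peers) for name, peers in pools.items()}


def relay_key(path, nodes, e2e_key=None):
    """Forward an E2E key from path[0] to path[-1]; each hop one-time-pads it
    with that link's key. Returns (key at source, key at destination, wire bytes)."""
    key = e2e_key or secrets.token_bytes(KEY_LEN)
    current, on_wire = key, []
    for a, b in zip(path, path[1:]):
        wire = xor(current, nodes[a].pop_link_key(b))  # seen on the classical channel
        on_wire.append(wire)
        current = xor(wire, nodes[b].pop_link_key(a))  # b holds the same link key
    return key, current, on_wire


# Constructed topology: A-F-D is shortest but F is untrusted; E-D is depleted.
LINKS = {("A", "B"): 5, ("B", "C"): 3, ("C", "D"): 4, ("B", "E"): 6,
         ("E", "D"): 0, ("A", "F"): 2, ("F", "D"): 2}
TRUSTED = {"A", "B", "C", "D", "E"}

if __name__ == "__main__":
    path = QuSeC(LINKS, TRUSTED).compute_path("A", "D")
    k_src, k_dst, _ = relay_key(path, build_network(LINKS))
    print(path, k_src == k_dst)
```

The controller rejects the two-hop path through F because F is outside the trusted set, and the path through E because the E-D pool is empty, so it returns A-B-C-D; raising `min_keys` to 4 excludes B-C as well and no path remains. Every intermediate node on the returned path recovers the plaintext E2E key in `relay_key`, which is exactly why the trust check belongs in the controller's path computation and not only in the relay step.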

Paper Structure

This paper contains 12 sections, 5 figures, 1 table.

Figures (5)

  • Figure 1: A representation of linear (top) and partial mesh (bottom) topologies formed by QKD and trusted relay nodes.
  • Figure 2: Overall steps of the proposed mechanism for an initiating application (top) and a target application (bottom).
  • Figure 3: Message exchange for direct path use case.
  • Figure 4: Message exchange for single-hop trusted relay use case.
  • Figure 5: Measured E2E key establishment delay.