Combined Quantum and Post-Quantum Security Performance Under Finite Keys

Aman Gupta, Ravi Singh Adhikari, Anju Rani, Xiaoyu Ai, Robert Malaney

TL;DR

This work advances hybrid quantum/classical cryptography by integrating tight finite-key security into BBM92 QKD within a QKD-PQC framework and by redesigning the HE layer to improve scalability. HOQS+ replaces PKE-based PQC keys with KEM-derived symmetric PQC keys and adopts Ascon alongside optimized AES/OTP, so that processing time scales near-linearly with the instruction-sequence size and re-encryption vulnerabilities are mitigated. The finite-key analysis uses refined bounds (Serfling, Chernoff, CP) to obtain positive key rates under realistic conditions, and experiments with entangled-photon BBM92 demonstrate improved performance over HOQS. The results indicate that HOQS+ is better suited for deployed networks requiring quantum-resistant confidentiality even under simultaneous side-channel threats, with implications for defense communications and scalable hybrid cryptosystems.

Abstract

Recent advances in quantum-secure communication have highlighted the value of hybrid schemes that combine Quantum Key Distribution (QKD) with Post-Quantum Cryptography (PQC). Yet most existing hybrid designs omit realistic finite-key effects on QKD key rates and do not specify how to maintain security when both QKD and PQC primitives leak information through side-channels. These gaps limit the applicability of hybrid systems in practical, deployed networks. In this work, we advance a recently proposed hybrid QKD-PQC system by integrating tight finite-key security into the QKD primitive and improving the design for better scalability. This hybrid system employs an information-theoretically secure instruction sequence that determines the configurations of different primitives and thus ensures message confidentiality even when both the QKD and the PQC primitives are compromised. The novelty in our work lies in the implementation of the tightest finite-key security to date for the BBM92 protocol and the design improvements in the primitives of the hybrid system that ensure the processing time scales linearly with the size of secret instructions.

Paper Structure

This paper contains 17 sections, 19 equations, 5 figures, 1 table, 5 algorithms.

Figures (5)

  • Figure 1: A general operational overview of the proposed hybrid QKD-PQC system (common for both the $\text{HOQS}$ and the $\text{HOQS+}$). The encrypted IS is represented as $\pi$. The QKD and PQC primitives establish the corresponding QKD and PQC keys in real-time. In the $\text{HOQS}$, the PQC Key Share is a component used to establish an asymmetric key, and HE involves PKE, OTP, and AES encryption schemes. In the $\text{HOQS+}$, the PQC Key Share establishes symmetric PQC keys via KEM, and HE involves Ascon encryption with PQC keys, modified AES with $256$ bits of the PSK, and OTP with the QKD keys.
  • Figure 2: Architectures of the HE (cascaded) primitive within the hybrid QKD-PQC systems. On the left, the HE primitive of the $\text{HOQS}$, in which the output intermediate ciphertext, $c_i$, is concatenated with other relevant data, $o_i$, such as nonces, paddings, and tags. Here, $\xi_i \in$ {OTP, AES, PQ} represents the different encryption schemes with their corresponding keys, $k_i$. On the right, the HE primitive of the $\text{HOQS+}$ is shown, where the relevant data $o'$ is concatenated to the final ciphertext. In the $\text{HOQS+}$, $\xi'_i \in$ {OTP, AES, Ascon} with their corresponding keys, $k_i'$. The details on the derivation of $o_i$ for intermediate encryption and the encryption schemes $\xi'_i$ are given in the paper's AES and Ascon sections.
  • Figure 3: The data flow in the HE primitive of the proposed $\text{HOQS+}$. The inputs $\text{IS},m,k'$ represent the instruction sequence, the input message, and the complete set of keys (including QKD keys, PQC keys, and PSK subsets), respectively. The subPSKs denote a subset of pre-shared keys. It is assumed that the base nonces $v$ and $v'$ are generated using true random seeds. The counter block for AES is generated by concatenating the base nonce, $v$, with the sID and counter, $i$. Similarly, in Ascon encryption, the base nonce $v'$ comes from the part of the PQC keys concatenated with the counter. The string $o'$ is constructed by concatenating sID, base nonce $v$, associated data, and the padding size. Associated data is public data used in Ascon encryption.
  • Figure 4: QBER (in (a)) and the corresponding QKD key rates (bits/s) (in (b)) for different $\hat{N}_{obs}$. Here, $k^{\mathrm{QKD}}$ and $k_{+}^{\mathrm{QKD}}$ are asymptotic QKD key rates for the HOQS and the HOQS+, respectively, while $k^{\text{Chern}}_{+}$, $k^{\text{CP}}_{+}$ and $k^{\text{Serf}}_{+}$ represent finite QKD key rates of the $\text{HOQS+}$ per system cycle, corresponding to optimizations using $\epsilon_{pe}^{\text{Chern}}$, $\epsilon_{pe}^{\text{CP}}$ and $\epsilon_{pe}^{\text{Serf}}$, respectively. 'QBER Th.' marks the QBER threshold (0.11), and 'Mean QBER' is the average of the computed QBER over 10 system cycles. $k^{\mathrm{QKD}}$ was $0$ for $\hat{N}_{obs}>6$ as the HOQS could not successfully complete a single run beyond $\hat{N}_{obs}=6$. Here, the security parameter is $s = 6$.
  • Figure 5: Processing times (s) of different primitives in both the HOQS and the HOQS+ for one cycle. We plot the observed experimental mean processing times with solid lines, while the projected processing time for larger $\hat{N}_{obs}$ is shown with dashed lines. In the labels, 'HE' corresponds to HE, 'exp' corresponds to the experimentally observed times, and 'theory' corresponds to the projected fit of the observed data. The lighter-shade plots represent the $\text{HOQS}$, and the corresponding darker shades represent the $\text{HOQS+}$. The significant difference in the scaling of the two systems comes from the comparison of the processing times of the HE for the two systems. While the processing time of the HE in the $\text{HOQS}$ scales much faster than the factor of $\hat{N}_{obs}$, such that the system experienced timeout exceptions at large $\hat{N}_{obs}$, the processing time of the HE and its scaling in the $\text{HOQS+}$ are almost constant in $\hat{N}_{obs}$.
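
The concatenation order given in the Figure 3 caption (AES counter block, Ascon nonce, and the public string $o'$), as an added Python example that is not the authors' code. The byte widths, the 2-byte associated-data length prefix, and all function names are assumptions; the page gives only the field order.

```python
import struct

# Assumed widths (not from the page): v=8, sID=4, counter=4 bytes -> 16-byte AES block;
# v'=12 bytes + 4-byte counter -> 16-byte Ascon nonce.
V_LEN, SID_LEN, CTR_LEN, VP_LEN = 8, 4, 4, 12
CTR_MAX = 2 ** (8 * CTR_LEN) - 1

def _ctr(i):
    # A wrapped counter would repeat a counter block under the same key,
    # so exhaustion is an error rather than a wrap-around.
    if not 0 <= i <= CTR_MAX:
        raise OverflowError("counter exhausted: new base nonce or key required")
    return i.to_bytes(CTR_LEN, "big")

def aes_counter_block(v, sid, i):
    """Counter block = base nonce v || sID || counter i."""
    if len(v) != V_LEN or len(sid) != SID_LEN:
        raise ValueError("unexpected field width")
    return v + sid + _ctr(i)

def ascon_nonce(v_prime, i):
    """Ascon nonce = v' (taken from PQC key material) || counter."""
    if len(v_prime) != VP_LEN:
        raise ValueError("unexpected field width")
    return v_prime + _ctr(i)

def build_o(sid, v, ad, pad_size):
    """o' = sID || v || associated data || padding size (v' is never included)."""
    if len(v) != V_LEN or len(sid) != SID_LEN or not 0 <= pad_size <= 255:
        raise ValueError("unexpected field width or padding size")
    # Length prefix (assumed) lets the receiver split variable-length AD unambiguously.
    return sid + v + struct.pack(">H", len(ad)) + ad + bytes([pad_size])

def parse_o(o):
    """Receiver side: reject truncated or over-long o' before using any field."""
    off = SID_LEN + V_LEN
    if len(o) < off + 3:
        raise ValueError("o' truncated")
    (ad_len,) = struct.unpack_from(">H", o, off)
    if len(o) != off + 2 + ad_len + 1:
        raise ValueError("o' length does not match its AD length field")
    return o[:SID_LEN], o[SID_LEN:off], o[off + 2:off + 2 + ad_len], o[-1]

if __name__ == "__main__":
    v, sid = bytes(range(8)), (7).to_bytes(4, "big")   # constructed sample values
    print(aes_counter_block(v, sid, 1).hex())
    print(parse_o(build_o(sid, v, b"hdr", 9)))
```
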