Scientists at the University of Applied Sciences Nordhausen, led by Paul Spooren, have developed a network architecture that integrates Quantum Key Distribution (QKD) with Post-Quantum Cryptography (PQC) to secure long-distance, multi-hop quantum communication. The architecture offers a practical and scalable path to end-to-end secure communication in future quantum networks, and was validated in both simulation and laboratory testing, showing uninterrupted operation and a low resource footprint. It builds hop-wise tunnels secured by WireGuard, with Rosenpass providing the post-quantum key exchange, and so achieves post-quantum forward secrecy and authenticity without modifying existing QKD devices or network protocols.
Uninterrupted multi-hop quantum networks enabled by integrated key distribution and cryptography
The layered architecture achieves uninterrupted operation across multi-hop quantum networks, a clear advance over earlier approaches, which reportedly needed more than 10 seconds of setup time with 10 intermediate nodes. Historically, scaling quantum networks beyond direct point-to-point links has been held back by the complexity of key management. The design addresses this by combining QKD, whose key-exchange security rests on physical laws rather than computational assumptions, with PQC, whose algorithms are designed to withstand attacks by future quantum computers. Using WireGuard, a modern and lightweight VPN protocol, for the secure tunnels and Rosenpass, a post-quantum key-exchange protocol, for key agreement keeps deployment simple: no Software-Defined Networking (SDN) controller infrastructure, and none of its overhead, is required. WireGuard's speed and small code base also account for the system's low resource footprint, which makes it suitable for constrained hardware.
Simulations and laboratory tests validated the system's performance, showing a low resource footprint and compositional security. Compositional security means that the security of the whole follows from the security of its parts, so individual components can be combined or upgraded without re-analysing the entire system; this allows flexible integration into existing infrastructure without weakening overall security. Scientists from ThinkQuantum and Quantum Optics Jena validated performance using both simulations and a laboratory testbed of ten QKD devices arranged in a daisy-chain topology: five QKD links with a device at each end, joining two endpoints through four intermediate trusted nodes. Although simple, this topology allowed a thorough evaluation of multi-hop performance and scalability. The QKD devices generated the raw keys, which were then processed and distributed by the layered cryptographic protocols.
Automated scripts repeatedly rebooted and reconnected the entire setup, confirming stable multi-hop key exchange and demonstrating scalability across multiple physical nodes; the prototype software brought up five hop-wise tunnels, each with its own PQC handshake. These handshakes established secure channels between adjacent trusted nodes, protecting the keys forwarded across them. Further simulations extended the network to 100 trusted nodes and found a mean setup time of 10.62 seconds, indicating that per-hop latency, i.e. the time taken for the key exchange between adjacent nodes, rather than the total hop count dominates overall latency; in particular, the slowest QKD link sets the pace. This matters for network design and resource allocation: the largest performance gains come from speeding up individual links, for example by using faster QKD links, rather than from shortening the chain. The experiments also demonstrated cryptographic agility, running two distinct Rosenpass versions over independent QKD paths and provisioning a data tunnel in 9.93 seconds; this lets the system move to new PQC algorithms as they are standardised, without disrupting operation.
These timings were obtained under ideal or mildly degraded network conditions and do not yet reflect performance in unpredictable real-world environments with packet loss or intermittent connectivity. Future work will evaluate the system's resilience to such impairments.
Mitigating trusted node vulnerability through layered quantum and post-quantum cryptography
Secure communication across multiple locations is vital because quantum computers threaten current public-key encryption, in particular algorithms based on RSA and elliptic-curve cryptography (ECC). This work presents a practical architecture for extending the reach of QKD beyond a single link. The system relies on intermediary points, known as "trusted nodes", which are a potential weak spot: a compromised trusted node could jeopardise the security of the whole network. The architecture mitigates this risk by layering QKD with PQC, whose algorithms have been standardised by the National Institute of Standards and Technology (FIPS 203, 204 and 205, finalised in August 2024). The result is post-quantum forward secrecy: compromising a trusted node's long-term keys does not expose the session keys of earlier tunnels, so past communications stay confidential even after a breach, leaving a critical window in which to upgrade vulnerable components and revoke compromised keys. By using WireGuard for the protected tunnels and Rosenpass for key exchange, the system avoids modifying existing quantum devices or protocols, simplifying deployment and promoting interoperability. Keys are obtained from the QKD systems through the ETSI GS QKD 014 interface, the REST-based key delivery API through which applications request keys from QKD key-management systems, which ensures interoperability between different QKD products and components and eases wider adoption.
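As an added illustration, not code from the paper or from the WireGuard or Rosenpass projects, the Python below models one hop of such a chain: the left node fetches a key from an ETSI GS QKD 014-style key container, passes only the key_ID to its neighbour, and both sides mix that QKD key with the output of a (stubbed) post-quantum handshake into a 32-byte WireGuard preshared key. The in-memory KME, the handshake stub, the HKDF labels and the particular way the two layers are combined are assumptions made for this example; the page does not describe the paper's exact key-combination step.

```python
"""Toy model of one layered QKD + PQC hop (hypothetical illustration).

A real ETSI GS QKD 014 KME serves GET .../keys/{slave_SAE_ID}/enc_keys on the
master side and GET .../keys/{master_SAE_ID}/dec_keys?key_ID=... on the slave
side over HTTPS, returning a JSON key container
    {"keys": [{"key_ID": "<uuid>", "key": "<base64>"}]}.
Here the HTTP layer and the quantum channel are replaced by in-memory stubs.
"""
import base64
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class FakeQkdLink:
    """Stand-in for the pair of KMEs at the two ends of one QKD link.
    secrets.token_bytes replaces the quantum channel (constructed stub)."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}

    def enc_keys(self, slave_sae_id: str, size_bits: int = 256) -> dict:
        key = secrets.token_bytes(size_bits // 8)
        key_id = str(uuid.uuid4())
        self._store[key_id] = key
        return {"keys": [{"key_ID": key_id, "key": base64.b64encode(key).decode()}]}

    def dec_keys(self, master_sae_id: str, key_id: str) -> dict:
        key = self._store.pop(key_id)  # each key_ID is handed out once, then consumed
        return {"keys": [{"key_ID": key_id, "key": base64.b64encode(key).decode()}]}


def pqc_handshake_stub() -> tuple[bytes, bytes]:
    """Stand-in for a Rosenpass handshake, after which both peers hold the same
    32-byte output key. One random key is handed to both sides (no real KEM)."""
    key = secrets.token_bytes(32)
    return key, key


def derive_wg_psk(pqc_key: bytes, qkd_key: bytes, key_id: str, hop: str) -> bytes:
    """Mix both layers into the 32-byte WireGuard preshared key (assumed
    construction). The PSK depends on the PQC output, the QKD key, the hop
    label and the key_ID, so knowing only one layer does not yield it."""
    info = b"wg-psk|" + hop.encode() + b"|" + key_id.encode()
    return hkdf_sha256(pqc_key + qkd_key, salt=b"layered-qkd-pqc-v1", info=info)


@dataclass
class Hop:
    label: str
    key_id: str
    psk_left: bytes
    psk_right: bytes


def establish_hop(left: str, right: str, link: FakeQkdLink) -> Hop:
    # Left node acts as master SAE: it requests a key and learns its key_ID ...
    entry = link.enc_keys(slave_sae_id=right)["keys"][0]
    qkd_left = base64.b64decode(entry["key"])
    # ... and sends only the key_ID (never the key) to its neighbour, which
    # fetches the same key from the KME at its own end of the QKD link.
    qkd_right = base64.b64decode(
        link.dec_keys(master_sae_id=left, key_id=entry["key_ID"])["keys"][0]["key"])
    pqc_left, pqc_right = pqc_handshake_stub()
    label = f"{left}->{right}"
    return Hop(label, entry["key_ID"],
               derive_wg_psk(pqc_left, qkd_left, entry["key_ID"], label),
               derive_wg_psk(pqc_right, qkd_right, entry["key_ID"], label))


def establish_chain(nodes: list[str]) -> list[Hop]:
    """One independent tunnel per adjacent pair, as in a daisy chain of trusted
    nodes: every hop has its own QKD link and its own PQC handshake."""
    return [establish_hop(a, b, FakeQkdLink()) for a, b in zip(nodes, nodes[1:])]


if __name__ == "__main__":
    for hop in establish_chain(["A", "T1", "T2", "T3", "T4", "B"]):
        print(hop.label, hop.key_id, hop.psk_left.hex()[:16],
              "match" if hop.psk_left == hop.psk_right else "MISMATCH")
```

In a real deployment the handshake output is written to a file and installed with `wg set <iface> peer <pubkey> preshared-key <file>`; the point of the model is that each hop's PSK depends on both layers, so an attacker who breaks one of them still faces the other, and each tunnel is independent of the rest of the chain.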
The research demonstrated a layered security architecture that combines QKD and PQC to build scalable, end-to-end secure networks. It addresses the weakness of trusted nodes in multi-hop quantum networks by providing post-quantum forward secrecy, so that past communications remain secure even if a node is later compromised. Because it uses existing protocols, WireGuard and Rosenpass, it integrates with current infrastructure without modifying deployed quantum devices. Experiments confirmed uninterrupted operation across multiple hops and a low resource footprint, suggesting that wider deployment is practical.
👉 More information
🗞 PQC-Enhanced QKD Networks: A Layered Approach
🧠 ArXiv: https://arxiv.org/abs/2604.05599
