Dynamic Switched-QKD Network

Updated 27 October 2025

The paper demonstrates that dynamic reconfiguration paired with PUF-based authentication enables robust quantum key distribution with reduced hardware complexity.
It employs MEMS-based optical switches and active buffer management to dynamically reroute quantum channels and maintain continuous key exchange under variable loads.
Empirical results indicate secure key rates between 2300 and 3900 bps per link, underscoring the architecture's scalability and low-latency performance in real-world environments.

A dynamic switched-Quantum Key Distribution (QKD) network is a quantum communications architecture in which optical or electronic switching elements dynamically reconfigure the network topology, enabling flexible, on-demand secure quantum key exchanges between arbitrary pairs of network nodes. These networks address key challenges of scalability, infrastructure cost, resource optimization, and authentication in QKD by employing central or distributed control systems for link management, rapid switching of quantum and associated classical channels, and by integrating advanced authentication systems and compatibility with both classical telecom and quantum-specific protocols.

1. Core Network Architecture and Switching Mechanism

Dynamic switched-QKD networks employ a reconfigurable backbone—typically built with optical switching modules such as mechanical MEMS switches, networked optical cross-connects, or programmable routers—that connect multiple QKD-enabled nodes in a star, mesh, or ring layout. Each node serves as a QKD transmitter ("Alice"), receiver ("Bob"), or a hybrid unit. The switching module allows arbitrary interconnection: for an $N$ -node network, any Alice may be paired with any Bob without re-plugging or manual rewiring. This is achieved by automated real-time reconfiguration coordinated by a central controller that tracks link status, buffer occupancy, and triggers switching based on demand or policy-driven rules (Chen et al., 2010, Alia et al., 2021, Konteli et al., 20 Oct 2025).

In a canonical realization, the switching process is driven by buffer monitoring—when the available secure key pool in an "ACTIVE" link falls below a specified threshold, quantum channel connections are dynamically rerouted. This may involve disabling and enabling buffer states, optical path reconfiguration, base alignment or protocol re-initialization, and (if implemented) re-authentication of the link. Support for duplex or multi-role terminals (both transmitter and receiver capabilities on a single platform) further enhances network flexibility and throughput (Chen et al., 2010).

2. Authentication and Security: PUF-Based and Conventional Approaches

Authentication in dynamic switched-QKD networks is critical for preventing man-in-the-middle attacks during link reconfiguration. The network presented in (Konteli et al., 20 Oct 2025) integrates Physical Unclonable Function (PUF)-based authentication at each node, replacing traditional pre-shared keys (PSKs) or MACs. A SRAM-based PUF module in each QKD node responds to unpredictable challenges, producing unique, non-reproducible outputs used to generate ephemeral authentication keys every time a new connection is established via switching:

$\mathrm{PUF\_response} = f_{\mathrm{PUF}}(\mathrm{challenge}), \quad K_{\mathrm{auth}} = H(\mathrm{PUF\_response} \| \mathrm{challenge})$

where $f_{\mathrm{PUF}}$ is the hardware-derived function and $H$ a cryptographic hash.

Each reconfigured link is authenticated with a freshly generated key. This approach offers information-theoretic security (ITS), eliminates key-saturation and distribution problems associated with PSKs (which scale as $N(N-1)/2$ in an $N$ -node network), and is resilient to cloning or impersonation attacks (Konteli et al., 20 Oct 2025). The PUF authentication process introduces a modest latency (mean $27\,$ s per switching event, with $7\,$ s for the key generation), which is negligible relative to operational link durations (~minutes).

3. Buffer Management, Control Flow, and Dynamic Switching Operations

Buffer management is central to the operation and resilience of switched QKD. Each node maintains ACTIVE and PASSIVE buffers for every possible link configuration. The controlling server, implemented in the referenced system as a Python-driven routine, constantly monitors buffer occupancy. When a buffer falls below threshold, it triggers a three-phase switching sequence:

Deactivation of all buffers (to prevent data race conditions),
Execution of MEMS-based optical switching to the new link set,
PUF-based dynamic authentication, buffer reactivation, and resumption of QKD generation on the new active links.

Network reconfiguration—including all switching, authentication, and protocol start-up routines—averages $123.5\,$ s, with secure key rates (SKR) remaining robust and continuous across cycles. Layer-3 application latency (e.g., key retrieval for IPsec VPNs) remains acceptable (mean $114.7\,$ ms, jitter $18.6\,$ ms) (Konteli et al., 20 Oct 2025).

4. Performance, Scalability, and Real-Time Analysis

Empirical results from a four-node centrally controlled switched-QKD testbed demonstrate:

Mean per-link SKRs between $\sim2300$ and $\sim3900$ bps,
Sustained key delivery to multiple consumers with independent extraction rates,
Stable buffer levels under dynamic load and switching cycles.

Scalability is achieved by maintaining only a single PUF module per node regardless of network size, contrasting sharply with the quadratically scaling PSK or MAC key requirements in conventional architectures. Buffer management enables overlapping key generation and consumption, and load balancing prevents performance degradation under rapid reconfiguration. The scheme supports future extension to networks with orders of magnitude more nodes, as dynamic switching and authentication processes are decoupled from $N$ (Konteli et al., 20 Oct 2025).

5. Comparison with Static, Relayed, and Other Dynamic QKD Architectures

Dynamic switched-QKD architectures differ fundamentally from static point-to-point QKD networks, which require dedicated hardware for each node pair, and from relayed architectures relying on trusted intermediary nodes. The dynamic switching approach offers:

Reduction in hardware resource requirements via multiplexed link usage,
Lowered authentication key management complexity via PUFs,
End-to-end quantum key distribution without intermediate trusted relays (Chen et al., 2010, Alia et al., 2021, Makris et al., 2023, Selentis et al., 29 Sep 2025).

Experimental analyses indicate that in dense, short-range networks with many nodes, dynamic switched-QKD consistently outperforms relayed-QKD in terms of SKR and flexibility. However, link performance is sensitive to device matching; mismatched QKD module pairs can experience SKR penalties of $10$–$20$ dB if devices are not engineered for interoperability (Makris et al., 2023, Selentis et al., 29 Sep 2025). Buffer and switching-induced latency is consistently below the threshold that would otherwise replenish the key buffer, eliminating key outages for practical rates and applications.

6. Integration and Real-World Deployment Considerations

Dynamic switched-QKD networks have been demonstrated in field-deployed metropolitan environments and production use-cases. Robust hardware such as the iPOGNAC polarization encoder, environmental hosting strategies (temperature, vibration mitigation), and active compensation routines (automatic polarization, timing, and phase alignment) are integral for maintaining low QBER (typically $<0.2\%$ ) and stable SKR in irregular, high-loss fiber environments (Toni et al., 19 Oct 2025, Chen et al., 2010).

Dynamic switching further supports rapid on-demand rerouting in case of channel impairments, equipment failure, or demand changes. Automated dynamic authentication per link enables new applications—for instance, secure real-time voice with one-time pad encryption repeatedly demonstrated for both metropolitan and inter-city topologies (Chen et al., 2010). The architecture is compatible with standard software-defined networking (SDN) paradigms and can be integrated with classical network management systems for seamless operation.

7. Outlook and Open Issues

Dynamic switched-QKD networks with PUF-based authentication offer a scalable, resilient, and operationally efficient approach for quantum-secured communications. Prominent challenges include minimizing performance variations across device pairings, ensuring robust dynamic authentication at scale, and integrating fast, low-loss switching technology. Further research is directed toward optimizing complex topologies (including meshed, backbone, and hybrid architectures), incorporating machine-learning enhanced channel selection for noise suppression, and extending to networks supporting time-varying and mobility-induced channel reconfiguration.

Summary Table: Key Features of Dynamic Switched-QKD with PUF-based Authentication

Feature	Implementation	Benefit
Switching Mechanism	Central Python controller + MEMS OS	Arbitrary dynamic link configuration
Authentication	SRAM-based PUF per node	Hardware-anchored ITS, scalability
Buffer/Key Management	ACTIVE/PASSIVE monitored buffers	Continuous key delivery, resilience
Performance Metrics	SKR $\sim2300$ –$3900$ bps per link	High throughput, low latency
Switching/Authentication Latency	$123.5$ s switching, $27$ s authentication	Low impact on network availability
Scalability	$O(N)$ PUFs for $N$ nodes	Eliminates $O(N^2)$ PSK scaling
Field Validity	Stability in real-world metro networks	Robust to loss, environmental noise

Dynamic switched-QKD networks with integrated PUF-based authentication advance the state-of-the-art in quantum-secure communication by enabling automated, secure, and scalable key distribution with efficient use of both quantum and physical infrastructure. These architectures provide a blueprint for future post-quantum-proof networks able to serve diverse real-time, broadband, and mission-critical applications (Konteli et al., 20 Oct 2025, Chen et al., 2010).