Hybrid QKD-PQC Systems

• Hybrid QKD-PQC systems combine quantum key distribution and post-quantum cryptography to provide robust, layered key exchange that withstands quantum adversaries.
• They employ series and parallel key-combination techniques, using XOR and HKDF methods, to ensure secrecy even if one component is compromised.
• These systems enable adaptive operational modes in real-world networks, enhancing performance, scalability, and resilience through dynamic control and fallback mechanisms.

A hybrid QKD-PQC system is a cryptographic architecture that integrates Quantum Key Distribution (QKD)—which provides information-theoretic key exchange security via quantum mechanics—with Post-Quantum Cryptography (PQC), which employs computationally hard problems (commonly lattice-based) to defend against attacks by quantum adversaries. These systems combine the distinct strengths of QKD and PQC to provide layered, resilient key-distribution and authentication suitable for real-world, quantum-safe networks at scale. Hybridization achieves defense-in-depth, mitigates single points of failure, and enables adaptive operational modes and key-combination strategies under diverse trust, cost, and infrastructure constraints.

1. Hybrid QKD–PQC Protocol Principles

Hybrid systems integrate both QKD and PQC primitives at various layers for key exchange, transport, and authentication.

• In key-exchange, the most common schemes are "series" (one layer after another) and "parallel" (simultaneous, then combined). For a generic key $K$:
  • Series: $K = K_1 \oplus K_2 \oplus K_3$ for intermediate hops (e.g., QKD–PQC–QKD, as in (Zeng et al., 1 Nov 2024, Zeng et al., 2 Nov 2024)).
  • Parallel: $K = K_{\mathrm{QKD}} \oplus K_{\mathrm{PQC}}$ or $$K = \mathrm{HKDF}(K_{\mathrm{QKD}}\,||\,K_{\mathrm{PQC}})$$, so secrecy holds if either remains secure (Zeng et al., 1 Nov 2024, Sanz et al., 27 Nov 2025).
• At the classical channel, PQC emerges in two forms:
  • Key Encapsulation Mechanisms (KEMs), e.g., CRYSTALS-Kyber, for transporting ephemeral symmetric secrets (Raj et al., 9 Sep 2025, Chen, 30 Sep 2025).
  • Digital Signature Algorithms (DSAs), e.g., ML-DSA and SLH-DSA, for authenticating messages, certificates, and device identities (Chen, 30 Sep 2025, Yang et al., 2021, Liu-Jun et al., 2020).
• Modern architectures include dynamic control: a “quantum-classical switch” or Quantum Security Controller (e.g., QuSeC (Sanz et al., 27 Nov 2025)) that can assign QKD-only, hybrid, or PQC-only operation mode per connection, adapting to channel conditions and node capabilities (Sanz et al., 27 Nov 2025, Makris et al., 13 Mar 2024).

The hybrid approach is motivated by the recognition that QKD and PQC have orthogonal—and often complementary—threat models, performance limits, and cost profiles (Zeng et al., 1 Nov 2024, Zhu, 17 Oct 2025, Prisco, 2023). If either primitive is defeated (e.g., by a cryptanalytic breakthrough in PQC or implementation failure in QKD), the other remains to protect confidentiality.

2. Protocol Designs and Key-Generation Workflows

Hybrid QKD-PQC schemes span physical, architectural, and protocol layers:

• Physical/QKD Layer: QKD devices implement protocols such as BB84, E91, B92, or entanglement-based methods (e.g., with GHZ states as in (Sykot et al., 10 Nov 2024)). Channel loss, detector efficiency, fiber distance, and quantum bit error rate (QBER) bound performance.
• PQC Layer: PQC KEMs (e.g., ML-KEM–768, Kyber, NTRU) operate over standard classical networks. Signatures (e.g., ML-DSA, Dilithium, Falcon) are leveraged for entity authentication (Chen, 30 Sep 2025, Liu-Jun et al., 2020, Yang et al., 2021).
• Key-Combination: After QKD and PQC keys are established, hybrid schemes typically combine them:
  • $K = K_{\mathrm{QKD}} \oplus K_{\mathrm{PQC}}$ (XOR-combiner, minimum entropy security)
  • $$K = \mathrm{HKDF}(K_{\mathrm{QKD}}\,||\,K_{\mathrm{PQC}})$$; supports variable-length and robust mixing (Zeng et al., 2 Nov 2024, Blanco-Romero et al., 12 Jul 2025, Sanz et al., 27 Nov 2025)
  • Secret sharing across multiple links/nodes (e.g., Shamir-based (Zeng et al., 2 Nov 2024))
• Authentication Channel: The classical communication required for QKD post-processing (basis sifting, error correction, privacy amplification) is authenticated using either information-theoretic MACs (Wegman–Carter) fueled by pre-shared key or PQC digital signatures/certificates (Liu-Jun et al., 2020, Yang et al., 2021, Prisco, 2023).
• Operational Switching: Key management and orchestration logic enables seamless mode switching based on performance indicators (buffer occupancy, QKD outage, PQC compromise alerts) (Sanz et al., 27 Nov 2025, Makris et al., 13 Mar 2024), with fallback to PQC or classical symmetric methods as necessary.

A representative table for series and parallel designs is as follows:

Architecture	Key Rate Formula	Security Condition
Series	$$R_{\rm series} = \min(R_{\rm QKD,1}, R_{\rm PQC}, R_{\rm QKD,2})$$	At least one sub-key is secret
Parallel/XOR	$$R_{\mathrm{hybrid}} = \min(R_{\rm QKD}, R_{\rm PQC})$$	Either sub-key unknown to adversary
Secret Sharing	$R_{\rm SS} = \sum_i R_i$	Adversary must break $t$ of $n$

3. Security Model and Proof Frameworks

Security in hybrid QKD-PQC protocols is composable and quantifiable (Zeng et al., 1 Nov 2024, Zeng et al., 2 Nov 2024, Sanz et al., 27 Nov 2025, Gupta et al., 4 Dec 2025, Chen, 30 Sep 2025):

• Composable Security: Final key indistinguishability is maintained if at least one component is secure. For parallel/XOR protocols:

$$\varepsilon_{\mathrm{total}} \leq \varepsilon_{\mathrm{QKD}} + \varepsilon_{\mathrm{PQC}}$$

For serial (XOR) composition, secrecy is retained if even one key is information-theoretically random (Zeng et al., 1 Nov 2024).

• Finite-Key Effects: Protocols using the entanglement-based BBM92 or BB84 must account for finite-key-size effects, quantified via security parameter breakdown:

$$\varepsilon_{\rm QKD} \ge \varepsilon_{\rm auth}+\varepsilon_{\rm ec}+\varepsilon_{\rm pa}+2\varepsilon_{\rm pe}$$

(see (Gupta et al., 4 Dec 2025) for detailed expressions).

• Authentication Security: Lattice-based PQC signatures (Aigis-Sig, ML-DSA, Dilithium) provide quantum-resistance for classical channels (Yang et al., 2021, Liu-Jun et al., 2020, Chen, 30 Sep 2025), shifting trust from pre-shared symmetric keys to digital certificates.
• Entropic Mixing: Keys are merged via robust combiners (XOR, KMAC/Shake/HKDF); analyses show output entropy is not less than the most secure input component (Zeng et al., 1 Nov 2024, Chen, 30 Sep 2025).
• Side-Channel & Leakage: Security proofs assume non-coordinated or minimal overlap in side-channel vulnerabilities of QKD and PQC (Gupta et al., 4 Dec 2025, Rani et al., 11 Aug 2025). Dynamically obfuscated instruction sequences further amplify attack complexity, as shown in (Rani et al., 11 Aug 2025).

4. Performance and Practical Implementation

Performance analysis quantifies key rate, end-to-end latency, and resilience under realistic network and system constraints:

• Key Rate:
  • For QKD: $R_{\rm QKD} \ge Q_1[1-h(e_1)]-Q f h(E)$ (Zeng et al., 1 Nov 2024)
  • For PQC: $R_{\rm PQC} = f_{\rm cpu} \cdot \eta_{\rm pqc}$; rates of 10–100 Mbps on commodity CPUs are typical (Zeng et al., 2 Nov 2024, Raj et al., 9 Sep 2025)
  • Hybrid rates inherit the min-rate rule in parallel or bottleneck in series (Zeng et al., 2 Nov 2024, Gupta et al., 4 Dec 2025).
• Latency and Throughput: Parallel hybridization (simultaneous key retrieval and encapsulation) eliminates the multiplicative latency seen in the sequential approach—measured speedup is up to 2× under high RTT (Blanco-Romero et al., 12 Jul 2025).
• Authentication Overhead: PQC digital signatures introduce sub-millisecond latency, not rate-limiting in networked QKD (Liu-Jun et al., 2020, Yang et al., 2021).
• Buffering and Fallback: Service continuity and key-availability can be analytically engineered by buffer sizing, hybrid fallback fraction, and SLA-driven policies (see stochastic modeling in (Zhu, 17 Oct 2025)).

Empirical results from deployed and simulated networks show that such systems can maintain key rotation intervals of sub-minute (at >98% reliability), with flexibility to transition between QKD, hybrid, and PQC modes with no data-path interruption (Makris et al., 13 Mar 2024, Sanz et al., 27 Nov 2025).

5. Deployment Scenarios and Standards Integration

Hybrid QKD-PQC is implemented in several network and application scenarios:

• Metropolitan and Backbone Networks: Hybridization enables QKD-based keying over short/medium distances with PQC-based bridging for long-haul or cross-domain connections (Brauer et al., 2023, Sanz et al., 27 Nov 2025).
• Critical Infrastructure: Power-system communications (Zhu, 17 Oct 2025) and field-deployed high-throughput encryption (Makris et al., 13 Mar 2024) demonstrate statistical SLA bounds and risk mitigation via hybrid logical fallback.
• IPsec and TLS: Unified QKD-KEM interfaces plug into standard protocol negotiation (e.g., in strongSwan IKEv2); hybrid keys are derived via API-based combinations (Blanco-Romero et al., 12 Jul 2025, Chen, 30 Sep 2025).
• Certificate and Entity Authentication: Integration of PQC signing into QKD network onboarding and key management minimizes O($n^2$) pre-sharing burdens, enabling dynamic, scalable mesh topologies (Yang et al., 2021, Liu-Jun et al., 2020, Chen, 30 Sep 2025).
• Adaptive Security Frameworks: Hierarchical controllers (e.g., QuSeC (Sanz et al., 27 Nov 2025)) choose per-connection security level, spanning pure QKD, hybrid, and PQC modes, with measured end-to-end key establishment latencies from 73 ms (direct QKD) to 155 ms (hybrid).
• Obfuscated Hybridization: Dynamic, pre-shared key-driven obfuscation of QKD-PQC operational sequence resists side-channel and unknown-future attacks (Rani et al., 11 Aug 2025, Gupta et al., 4 Dec 2025).

The ETSI GS QKD 014/015/018 standards and NIST PQC algorithms (Kyber, Dilithium, ML-KEM, ML-DSA) are commonly adopted building blocks (Chen, 30 Sep 2025).

6. Security, Cost, and Tradeoff Analysis

Hybridization brings sharply characterized tradeoffs:

• Security:
  • Provides defense-in-depth: adversaries must break both QKD and PQC in parallel/XOR compositions (Zeng et al., 1 Nov 2024, Prisco, 2023, Sanz et al., 27 Nov 2025).
  • Enables graceful service degradation: if one primitive is unavailable or compromised, the other provides continuity (Sanz et al., 27 Nov 2025).
  • Entropy amplification through KDFs ensures key unpredictability even given partial compromise (Zeng et al., 1 Nov 2024, Chen, 30 Sep 2025).
• Cost and Economic Metrics:
  • Hybrid solutions incur moderate hardware and management cost increases but yield substantial gains in SLA availability and risk reduction (see LCoSec and CIS metrics in (Zhu, 17 Oct 2025)).
  • Economic breakeven versus PQC-only approaches is topology- and SLA-dependent; metro and distribution-level networks see early cost-effectiveness (Zhu, 17 Oct 2025).
• Scalability and Complexity: Hybrid approaches reduce pre-shared-key management complexity (O($n$) vs. O($n^2$)), simplify user onboarding, and allow staged PQC adoption (Liu-Jun et al., 2020, Makris et al., 13 Mar 2024).
• Limitations:
  • QKD hardware imposes range and deployment constraints; buffer management and trust in relay nodes persist as open issues (Sanz et al., 27 Nov 2025, Makris et al., 13 Mar 2024).
  • Side-channel resilience depends on true independence of vulnerabilities (Gupta et al., 4 Dec 2025, Rani et al., 11 Aug 2025).
  • Management complexity increases, requiring unified key management APIs and dynamic orchestration logic (Zeng et al., 1 Nov 2024, Sanz et al., 27 Nov 2025).

7. Advanced and Experimental Hybridization Strategies

Recent innovations and prototypes extend hybrid QKD-PQC in several directions:

• Obfuscated Operation Sequencing: Dynamic, PSK-driven selection and obfuscation of encryption primitive sequence (instruction sequence IS) as an additional security layer (Rani et al., 11 Aug 2025, Gupta et al., 4 Dec 2025).
• Multipath and Multi-technology Interconnects: Long-distance, continental-scale hybrid QKD-PQC links incorporating satellite, fiber, and parallel PQC channels, combined at border nodes for composable security (Brauer et al., 2023).
• Finite-Key and Side-Channel Models: Systematic modeling of finite-key-size effects and explicit leakage channels, with fallback to IT-secure instruction sequence in the worst-case (Gupta et al., 4 Dec 2025).
• Hybrid Digital Signatures: Certificate size optimization by splitting PQC signature material, confirmed using QKD-generated confirmation codes at verification time (Chen, 30 Sep 2025).
• Standardization: Integration with ETSI QKD APIs, NIST PQC standards, and major cryptonet protocols (TLS, IPsec, REST-based KMEs) for maximum interoperability (Sanz et al., 27 Nov 2025, Blanco-Romero et al., 12 Jul 2025, Chen, 30 Sep 2025).

---

This synthesis demonstrates that hybrid QKD-PQC systems provide a mathematically rigorous, systematically engineered, and field-validated foundation for quantum-safe networked communications. Layered key-distribution, dynamic operational switching, and security composability are essential elements for practical deployments that demand both immediate quantum resistance and forward-compatibility with IT-secure cryptographic guarantees.