Identifier-Based Quantum Key Coordination
- The paper presents identifier-based coordination that replaces Diffie–Hellman payloads with a compact QKD key stream identifier and index in IKEv2 handshakes.
- It uses pre-distributed quantum key material to directly derive session keys, minimizing latency and bandwidth while maintaining information-theoretic and forward secrecy.
- The protocol design bridges QKD systems engineering with quantum-native authentication, offering alternative methods including position-based credentials through QPV.
Searching arXiv for the specified papers and closely related work on identifier-based QKD integration and authentication.
Searching for "Hybrid Quantum Security for IPsec" and "Quantum Secure Key Exchange with Position-based Credentials".
Identifier-based quantum key coordination is a method for using pre-distributed Quantum Key Distribution (QKD) material inside an authenticated key-establishment protocol by exchanging compact classical identifiers rather than computational public values. In the IPsec/IKEv2 setting, the method replaces the Diffie–Hellman-style payload in IKE_SA_INIT with a QKD Key Stream Identifier (KSID), optionally paired with an index into a quantum key stream, so that both peers retrieve the same quantum key from their local key management entities and then feed that key into the standard IKEv2 prf+ derivation pipeline (Blanco-Romero et al., 12 Jul 2025). A distinct line of work uses identifier-based logic in a different sense: message and identity authentication are tied to position-based credentials and quantum position verification (QPV), with authenticated key confirmation realized through QPV subprotocols rather than conventional authenticated channels (Kon et al., 4 Jun 2025). Taken together, these works place identifier-based coordination at the intersection of QKD systems engineering, protocol composition, and quantum-native authentication.
1. Conceptual definition and scope
In the IPsec setting, identifier-based quantum key coordination is defined as a method to integrate pre-distributed QKD key material into an IKEv2 handshake by exchanging only small classical “key identifiers” rather than large public-key or Diffie–Hellman values (Blanco-Romero et al., 12 Jul 2025). The formal notation is explicit: let be a QKD Key Stream Identifier (KSID), let be a 32-bit optional offset into the quantum key stream, and let the retrieval function be
where is the -bit quantum key chunk referenced by (Blanco-Romero et al., 12 Jul 2025). In this formulation, the identifier is not itself cryptographic entropy for session protection; it is a locator that causes both endpoints to obtain identical secret material from their local QKD infrastructure.
The same paper distinguishes this pure-QKD coordination model from hybrid QKD–PQC composition. In pure QKD mode, no XOR or hash-mixing is needed; the quantum key is used directly as the shared secret that a Diffie–Hellman exchange would otherwise produce (Blanco-Romero et al., 12 Jul 2025). This is significant because it isolates the protocol effect of “identifier-only coordination”: classical traffic carries references, while secrecy resides entirely in QKD-generated material.
A different identifier-based architecture appears in quantum secure key exchange with position-based credentials. There, QKD is combined with delayed authentication, and short authentication artifacts are conveyed through QPV-based subprotocols. Alice computes a tag
using a fresh tag key sampled uniformly from a -almost strongly-2-universal hash family 0 (Kon et al., 4 Jun 2025). Here “identifier-based” refers not to a KSID for pre-distributed key chunks, but to a protocol organization in which later authentication and acceptance are mediated by position-verified signaling and codeword transfer.
These two uses should not be conflated. In the IPsec/QKD construction, identifiers coordinate retrieval of pre-existing secret bits. In the QPV construction, authentication state is encoded and transferred through repeated position-verification runs. A plausible implication is that “identifier-based” in current quantum key establishment literature denotes a family of coordination techniques rather than a single canonical protocol class.
2. Protocol realization in IKEv2
The IKEv2 realization modifies only the KEY_EXCHANGE (KE) payload of IKE_SA_INIT; all other fields remain unchanged (Blanco-Romero et al., 12 Jul 2025). The scheme is implemented through a new strongSwan plugin, qkd_kex, which implements IKEv2’s key_exchange_t interface (Blanco-Romero et al., 12 Jul 2025). No new payload types are defined: QKD identifiers simply replace the Diffie–Hellman public value in the existing KE payload (Blanco-Romero et al., 12 Jul 2025).
The client-initiated and server-initiated variants share the same basic logic. In the client-initiated flow, the initiator obtains a quantum-key reference from the QKD API, sends KE = id_0 \Vert idx_0, and the responder uses that reference to retrieve the same chunk 1 (Blanco-Romero et al., 12 Jul 2025). Both sides then return 2 as the IKE SA shared secret. In the server-initiated flow, the first message carries an empty KE, the responder allocates a fresh reference such as 3, returns it in the response, and both sides use it to obtain 4 (Blanco-Romero et al., 12 Jul 2025). In both cases, the final derivation step is unchanged:
5
This use of standard prf+ follows RFC 7296, but the shared secret source is QKD rather than Diffie–Hellman (Blanco-Romero et al., 12 Jul 2025).
The ETSI API mapping is central to the construction. For ETSI GS QKD-004, OPEN_CONNECT([id]) returns a KSID and optionally a starting index, GET_KEY(idx) returns the next chunk of key material, and CLOSE() closes the stream (Blanco-Romero et al., 12 Jul 2025). For ETSI GS QKD-014, GET_KEY() returns 6 and GET_KEY_WITH_IDS(id) returns the same 7 again or subsequent chunks if supported (Blanco-Romero et al., 12 Jul 2025). The 16-byte KSID, plus the optional 4-byte idx, is carried in the IKEv2 KE payload (Blanco-Romero et al., 12 Jul 2025).
For ETSI-004 session reuse, one may hold id constant and increment idx for each GET_KEY() to retrieve subsequent key chunks 8 (Blanco-Romero et al., 12 Jul 2025). This suggests a stream-oriented operational mode in which a single KSID names a longer-lived QKD stream, while individual offset values delimit chunks consumed by specific cryptographic contexts.
3. Mathematical model and key derivation semantics
The mathematical core of the pure-QKD coordination scheme is deliberately minimal. The identifier-to-key mapping is
9
and the IKEv2 SA key derivation uses
0
with 1 (Blanco-Romero et al., 12 Jul 2025). The paper states explicitly that no XOR or hash-mixing is needed in pure QKD mode; the quantum key is used directly as the Diffie–Hellman shared secret would be (Blanco-Romero et al., 12 Jul 2025). This design choice cleanly separates key generation from key scheduling: QKD supplies the entropy, and IKEv2 preserves its existing session-key expansion machinery.
The security objectives are stated in three parts. First, the protocol targets information-theoretic secrecy of 2 against any eavesdropper (Blanco-Romero et al., 12 Jul 2025). Second, it aims at perfect forward secrecy: compromise of long-term credentials does not reveal past keys, provided 3 is securely erased (Blanco-Romero et al., 12 Jul 2025). Third, authentication is delegated to IKEv2’s existing AUTH exchange, using signatures or MACs, so that identifier substitution by an active attacker is detected (Blanco-Romero et al., 12 Jul 2025). The protocol therefore does not redefine IKEv2 authentication semantics; it reuses them with a different KE payload meaning.
A related but structurally different mathematical framework appears in the position-based-credential protocol. There, the underlying QKD stage is BB84 with delayed authentication. Alice prepares states
4
Bob measures in basis 5, and they retain sifted raw keys after basis exchange and loss filtering (Kon et al., 4 Jun 2025). Authentication is then displaced into QPV runs and a final single-bit QPV acceptance check. Full composable security is bounded by
6
under the stated assumptions (Kon et al., 4 Jun 2025). This framework is not a KSID-coordination design, but it shows that identifier-mediated quantum key exchange can also be formalized through composition theorems, explicit error terms, and resource-bounded adversary models.
4. Authentication, freshness, and trust assumptions
In the IPsec/QKD construction, authentication is not performed by proving possession of the quantum key inside IKE_SA_INIT. Instead, possession is implicitly checked when both sides derive AUTH payloads in the subsequent IKE_AUTH exchange; mismatched 7 leads to authentication failure (Blanco-Romero et al., 12 Jul 2025). The paper states that pure QKD in IKEv2 does not include an explicit challenge/response to prove each peer owns 8, unlike some TLS-QKD proposals (Blanco-Romero et al., 12 Jul 2025). This is a notable protocol distinction: agreement on the identifier is not sufficient; successful downstream authenticated transcript processing is the effective confirmation of shared key possession.
The trust model assumes that the QKD devices, or KMEs, and the classical control channel to them are trusted to generate and store true random quantum keys (Blanco-Romero et al., 12 Jul 2025). Both endpoints trust their local KME and the ETSI API implementation, including the wrapper and Python or REST client (Blanco-Romero et al., 12 Jul 2025). These are system-level assumptions rather than purely cryptographic ones, and they are fundamental to the security claims. A plausible implication is that identifier-based coordination shifts part of the attack surface from public-key hardness assumptions to QKD control-plane integrity and key-store correctness.
Replay handling is described in terms of freshness of the identifier. Each KSID is intended to be unique per session or stream (Blanco-Romero et al., 12 Jul 2025). If an attacker replays an old id, one party will fetch old key material and fail the IKE_AUTH verification, producing session failure rather than silent compromise (Blanco-Romero et al., 12 Jul 2025). With 128-bit KSIDs and 32-bit indices, the collision probability is described as negligible, but implementations must ensure KSIDs are never re-used across active sessions unless intentional ETSI-004 stream reuse is in effect (Blanco-Romero et al., 12 Jul 2025).
Denial-of-Service considerations arise because GET_KEY calls block until keys are available. Repeated unauthenticated handshakes could drain a KME’s key buffer (Blanco-Romero et al., 12 Jul 2025). The stated mitigations are rate-limiting, session quotas, and careful timeout handling (Blanco-Romero et al., 12 Jul 2025). This operational risk reflects a broader issue in QKD systems: resource exhaustion can become more salient when key material is a consumable physical-layer output rather than an on-demand computational artifact.
The position-based-credential protocol approaches authentication differently. The adversary may control all channels and may distribute an arbitrary pre-shared entangled state of local dimension 9 to two QPV impostors, but 0 is assumed bounded by 1, and superluminal signaling is excluded (Kon et al., 4 Jun 2025). Bob verifies a codeword-transfer tampering test by checking
2
then decoding 3 and validating whether
4
The resulting soundness and robustness bounds are explicit (Kon et al., 4 Jun 2025). This comparison is useful because it highlights two incompatible but complementary philosophies: implicit key-possession authentication through an established authenticated key exchange, and explicit physically constrained authentication through QPV.
5. Performance characteristics and systems implications
The pure-QKD identifier-coordination scheme is engineered to minimize both bandwidth overhead and latency in IKE_SA_INIT. Table VIII in the cited work reports that pure QKD needs a single 270–319 B message, consisting of a 16 B id plus IKE headers, and remains well under a 1500 B MTU, implying zero IP-level fragmentation (Blanco-Romero et al., 12 Jul 2025). The same comparison gives 334–367 B for classical ECP256 and 816–768 B for Kyber512+QKD hybrid exchange, which may fit in one fragment or two (Blanco-Romero et al., 12 Jul 2025). The salient point is that identifier carriage is compact enough to avoid the packet-size expansion typical of PQC and some hybrid constructions.
Latency measurements show that pure QKD tracks closely with X25519/ECP256 and remains stable under added 10 ms or 100 ms round-trip delays (Blanco-Romero et al., 12 Jul 2025). Figure 1 decomposes behavior under 100 ms delay into network time and plugin overhead: t_net for pure QKD is approximately 200 ms, corresponding to two messages under 100 ms RTT, while \Delta t_{overhead} is at most 5 ms and is described as essentially the KME call latency overlapped with network waits (Blanco-Romero et al., 12 Jul 2025). Because no extra IKE_INTERMEDIATE rounds are needed, identifier coordination incurs no extra round-trips (Blanco-Romero et al., 12 Jul 2025).
The following summary organizes the concrete comparison values that are explicitly reported.
| Aspect | Pure QKD | Reported comparison |
|---|---|---|
IKE_SA_INIT size |
270–319 B | ECP256: 334–367 B; Kyber512+QKD: 816–768 B |
| MTU behavior | Well under 1500 B | Pure QKD: zero IP-level fragmentation |
t_net under 100 ms delay |
5 ms | Two messages × 100 ms RTT |
\Delta t_{overhead} under 100 ms delay |
6 ms | KME call latency overlapped with network waits |
These measurements matter because they address a longstanding integration problem for QKD: the mismatch between pre-distributed secret material and key-establishment protocols designed around computational exchange transcripts (Blanco-Romero et al., 12 Jul 2025). The reported result suggests that replacing public-value transport with identifier transport can neutralize much of the networking penalty that would otherwise accompany QKD integration.
The position-based-credential protocol has a different performance profile. Its complexity summary states that the QKD subprotocol uses 7 qubit transmissions, 8 classical basis announcements, and 9 bits of error-correction/syndrome traffic, while message authentication requires 0 QPV runs and one additional QPV run for the final single-bit acceptance check (Kon et al., 4 Jun 2025). Total QPV runs are therefore 1 (Kon et al., 4 Jun 2025). This underscores a separate systems trade-off: strong physical authentication can be achieved, but with authentication complexity scaling in the tag-key length rather than being compressed into a conventional AUTH exchange.
6. Related quantum authentication paradigms and open technical distinctions
Identifier-based quantum key coordination in IPsec is best understood as a coordination mechanism for already established QKD material, whereas the position-based-credential protocol treats authentication itself as a quantum protocol object. In the latter, Alice encodes the tag key 2 into a codeword 3 with Hamming weight 4 and endpoint constraints 5 (Kon et al., 4 Jun 2025). Bob’s verifiers then perform repeated instances of a loss-tolerant BB84-QPV challenge-response, recording pass/fail outcomes into 6 and decoding an authenticated tag key only if the tampering test passes (Kon et al., 4 Jun 2025). This architecture uses location as a credential and replaces standard authenticated-channel assumptions that are usually built into QKD.
The security analysis of that protocol includes an SDP-based tightening of a trace-distance bound between state sets that pass BB84-Z-basis and X-basis QPV conditions. Defining
7
the SDP maximizes
8
subject to orthonormality, transmission, error, and no-mismatch constraints, and then yields
9
via an NPA-hierarchy relaxation (Kon et al., 4 Jun 2025). Although this construction does not implement IKEv2 identifier carriage, it demonstrates that identifier-mediated or reference-mediated quantum protocols can be analyzed with a level of rigor comparable to composable QKD security proofs.
An optimized multi-basis QPV variant is also proposed. It fixes 0 equi-angled projective bases in the 1–2 plane,
3
while still sending only the four BB84 states (Kon et al., 4 Jun 2025). The paper states that by choosing 4, one can raise the loss tolerance from approximately 50% to 5, with computational and optical overhead 6 rather than 7 (Kon et al., 4 Jun 2025). This is relevant to the broader identifier-based topic because it shows one route toward reducing the authentication bottleneck that currently limits physically grounded credential schemes.
A common misconception is that any “identifier-based” quantum key protocol eliminates the need for authentication. The available evidence does not support that generalization. In the IKEv2/QKD scheme, authentication remains necessary and is supplied by the existing AUTH exchange (Blanco-Romero et al., 12 Jul 2025). In the position-based-credential scheme, authentication is not removed but re-implemented through QPV subprotocols and delayed-authentication composition (Kon et al., 4 Jun 2025). The shared theme is therefore not the absence of authentication, but the replacement of large computational key-exchange artifacts with compact references or physically constrained signaling.
7. Significance for protocol engineering
Within IPsec, identifier-based quantum key coordination provides a lightweight mechanism for injecting QKD output into an established standards-compliant key schedule. The design leaves SA, Ni/Nr, and SPI_i/SPI_r unchanged and re-interprets only the KE payload (Blanco-Romero et al., 12 Jul 2025). Because only a 16–20 B identifier traverses the classical channel and no extra IKE_INTERMEDIATE exchanges are required, the resulting handshake preserves the one-round-trip structure of ordinary IKE_SA_INIT while avoiding the multiplicative latency penalties associated with sequential hybrid methods (Blanco-Romero et al., 12 Jul 2025). The paper’s performance measurements support the claim that pure QKD’s overhead is essentially identical to classical ECDH in latency and bandwidth terms (Blanco-Romero et al., 12 Jul 2025).
From a deployment perspective, the approach is specifically aligned with ETSI GS QKD-004 stateful and ETSI GS QKD-014 stateless APIs (Blanco-Romero et al., 12 Jul 2025). This matters because practical QKD systems are not abstract oracles; they expose retrieval semantics, stream management, and blocking behavior that shape protocol integration. A plausible implication is that identifier-based coordination is as much an API-adaptation strategy as it is a cryptographic one.
The position-based-credential line of work points in a different engineering direction. Its total resource use is summarized as 8 qubits for key establishment plus 9 QPV runs for authentication, with overall security
0
(Kon et al., 4 Jun 2025). This framing suggests that future identifier-based quantum protocols may diverge along two axes: one optimized for compatibility with existing network security frameworks and KME APIs, and another optimized for reducing trust in authenticated classical channels by introducing physically grounded credentials.
In that broader landscape, identifier-based quantum key coordination denotes a protocol design pattern in which compact classical references are sufficient to align secret quantum-derived state across endpoints. In one concrete realization, the reference is a KSID and optional stream index naming pre-distributed QKD chunks inside IKEv2 (Blanco-Romero et al., 12 Jul 2025). In another, authentication state is coordinated through QPV-controlled codeword transfer and delayed-authentication composition (Kon et al., 4 Jun 2025). The existing literature therefore presents identifier-based coordination not as a single primitive, but as a family of mechanisms for reconciling quantum keying resources with the control structures of secure communication protocols.