Papers
Topics
Authors
Recent
Search
2000 character limit reached

Parallel Hybrid QKD-PQC Key Establishment

Updated 6 July 2026
  • Parallel hybrid QKD-PQC key establishment is a protocol architecture that concurrently executes QKD and PQC mechanisms to generate a unified and secure session key.
  • The approach enhances security by leveraging the information-theoretic guarantees of QKD along with the algorithmic quantum resistance of PQC, thereby defending against heterogeneous attacks.
  • It employs various key combiner designs, such as KDF and XOR, and supports diverse network architectures to balance performance, scalability, and multi-layer trust.

Searching arXiv for papers on hybrid QKDPQC key establishment and related authentication/network architectures. Parallel hybrid QKD–PQC key establishment denotes a family of key-establishment constructions in which a Quantum Key Distribution (QKD) protocol and a post-quantum cryptographic (PQC) key-establishment primitive are executed side by side, and their outputs are combined into a single session key. Across the literature, this combination is motivated by defense-in-depth: QKD contributes information-theoretic security for generated key material under its standard assumptions, while PQC contributes algorithmic quantum resistance on conventional classical networks and improves deployability in settings where QKD alone is constrained by authentication, distance, or operational factors (Prisco, 2023, Zeng et al., 2024, Spooren et al., 7 Apr 2026). The resulting systems vary in combiner design, protocol placement, and network architecture, but they share a common objective: an attacker must compromise heterogeneous security layers, rather than a single primitive, to recover the final session key (Brauer et al., 2023, Blanco-Romero et al., 12 Jul 2025).

1. Conceptual definition and architectural variants

The core architectural pattern is parallel execution of two independent key-establishment branches. In one representative formulation, a BB84-style QKD link runs over a quantum channel plus an authenticated classical channel, while a PQC key-encapsulation or key-agreement protocol runs concurrently over an IP-based network, authenticated using a PQC signature such as CRYSTALS-Dilithium (Prisco, 2023). The outputs are denoted KQKDK_{\mathrm{QKD}} and KPQCK_{\mathrm{PQC}}, and are subsequently combined by a KDF: $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$ This formulation emphasizes compositional separation between the QKD secrecy mechanism and the PQC computational mechanism (Prisco, 2023).

A second major variant uses an XOR combiner. In the formulation adapted from Zeng et al., Alice and Bob run a prepare-and-measure BB84-style protocol in parallel with a CCA-secure KEM, and then compute

kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.

Here k1k_1 is the final QKD key share and k2k_2 is the KEM-derived secret; because XOR of two length-\ell strings is length \ell, the information-ratio η=1\eta=1 (Zeng et al., 2024). This line of work explicitly studies throughput and universal-composability implications of waiting for both branches before combining them.

A third architectural class treats QKD as if it were a second KEM inside an existing protocol stack. In hybrid IKEv2 for IPsec, the initiator sends a PQC public key together with a QKD KeyID in the normal IKE_SA_INIT exchange; the responder retrieves the referenced QKD block, encapsulates under the PQC public key, and both peers derive a shared secret

Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,

which is then injected into the standard IKEv2 prf/prf+ derivation machinery (Blanco-Romero et al., 12 Jul 2025). This “unified QKD-KEM abstraction” preserves the classical message flow while performing quantum and post-quantum secret acquisition in one round trip (Blanco-Romero et al., 12 Jul 2025).

A fourth class is layered rather than algebraically parallel. In multi-hop QKD networks, per-hop WireGuard tunnels are protected by pre-shared keys sourced via ETSI GS QKD 014, while an end-to-end Rosenpass handshake using Classic McEliece and Kyber establishes an application-layer secret over the concatenated QKD-protected path (Spooren et al., 7 Apr 2026). This does not combine KPQCK_{\mathrm{PQC}}0 and KPQCK_{\mathrm{PQC}}1 into a single bit string at one endpoint in the same manner as the XOR or KDF combiners, but it is still described as a dual-layer composition providing post-quantum forward secrecy and authenticity under practical assumptions (Spooren et al., 7 Apr 2026).

This suggests that “parallel hybrid QKD–PQC” is best understood as a design space rather than a single protocol. The common invariant is concurrent execution of heterogeneous secret-generation mechanisms, followed either by explicit key combination or by layered cryptographic composition (Prisco, 2023, Zeng et al., 2024, Spooren et al., 7 Apr 2026, Blanco-Romero et al., 12 Jul 2025).

2. Protocol mechanics and key-combination methods

At the protocol level, parallel hybrid schemes typically proceed in three stages: bootstrap or authenticate the classical control plane, execute QKD and PQC concurrently, and combine the resulting secrets.

In the BB84-plus-PQC pattern, entity authentication is first established. One option is a small pre-shared secret KPQCK_{\mathrm{PQC}}2 used in a Wegman–Carter universal-hash authentication scheme, with every classical QKD message tagged as

KPQCK_{\mathrm{PQC}}3

Fresh QKD bits replace KPQCK_{\mathrm{PQC}}4 after privacy amplification, giving everlasting authenticity (Prisco, 2023). The alternative recommended in the same source is PQC-signature authentication: each QKD device holds a certified Dilithium public key, and the first classical QKD message is signed, for example

KPQCK_{\mathrm{PQC}}5

after which all QKD classical traffic is sent under an information-theoretic MAC keyed by newly generated QKD bits or under fresh Dilithium signatures if desired (Prisco, 2023).

The QKD branch itself follows the standard prepare-and-measure flow: raw state transmission, basis announcement, sifting, parameter estimation, error correction, and privacy amplification. In one explicit formulation, Alice encodes KPQCK_{\mathrm{PQC}}6 using BB84 states, Bob measures with random bases, both keep KPQCK_{\mathrm{PQC}}7 matching-basis bits, reveal a small random subset to estimate the quantum channel error rate KPQCK_{\mathrm{PQC}}8, reconcile to a common string KPQCK_{\mathrm{PQC}}9, and apply a two-universal hash map

$K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$0

to obtain

$K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$1

with

$K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$2

(Zeng et al., 2024).

In parallel, the PQC branch typically instantiates a CCA-secure KEM such as CRYSTALS-Kyber or ML-KEM. A canonical exchange is: $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$3 with correctness failure probability $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$4 (Zeng et al., 2024). In several systems, the KEM messages themselves are signed with PQC signatures such as Dilithium, Falcon, or McEliece-based authentication capsules (Prisco, 2023, Brauer et al., 2023, Spooren et al., 7 Apr 2026).

The final combination step differs across designs.

Combiner family Formula Representative source
Concatenation into KDF $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$5 (Prisco, 2023)
XOR combiner $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$6 (Zeng et al., 2024)
KDF over multiple shares $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$7 or $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$8 (Chen, 30 Sep 2025, Raj et al., 9 Sep 2025)
Universal-hash extractor $K \;=\; \mathcal{KDF}\bigl(K_{\mathrm{QKD}\;\Vert\;K_{\mathrm{PQC}\bigr)\,.$9 (Giestinhas et al., 27 Mar 2026)

The KDF-based approach is operationally simple and aligns naturally with protocol stacks such as IKEv2 or WireGuard overlays (Prisco, 2023, Blanco-Romero et al., 12 Jul 2025). XOR-based combination offers the “either-one-secure” guarantee in the universal-composability treatment described for parallel hybrid protocols (Zeng et al., 2024). Universal-hash extraction has been proposed as an alternative to XOR because it binds transcript information naturally and preserves quantifiable min-entropy under partial compromise, at the cost of seed management and extractor overhead (Giestinhas et al., 27 Mar 2026).

A plausible implication is that combiner choice is not a superficial engineering decision: it determines not only algebraic output formation, but also the failure model, leakage resilience, and transcript-binding strategy of the whole hybrid system (Zeng et al., 2024, Giestinhas et al., 27 Mar 2026).

3. Authentication, entity source assurance, and trust bootstrapping

Authentication is a foundational issue because QKD does not eliminate the need to authenticate the classical channel; rather, it changes the security objectives attached to that channel (Prisco, 2023, Liu-Jun et al., 2020). In the defense-in-depth literature, this point is frequently framed as “entity source authentication,” namely the sufficiency of initial hardware and channel authentication required to guard against man-in-the-middle attacks in QKD (Prisco, 2023).

Two broad models recur. The first is information-theoretic authentication using a small pre-shared secret and a Wegman–Carter MAC. This model descends from Bennett–Brassard 1984 and yields everlasting authenticity once fresh QKD bits are available to refresh the authentication key (Prisco, 2023). The second is PKI-based PQC authentication. In experimental work on authentication of QKD with PQC, each user obtains a post-quantum digital certificate from a CA, enabling efficient pairwise interconnection without kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.0 pre-shared symmetric keys; in that formulation, one only needs to assume the CA is safe, rather than all trusted relays (Liu-Jun et al., 2020).

In protocol terms, PQC authentication is applied at multiple granularities. One blueprint signs every classical QKD message involved in sifting, error correction, privacy amplification, and final verification, with messages hashed together with fresh nonces kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.1 to prevent replay (Liu-Jun et al., 2020). Another approach signs only the initial QKD classical messages and then migrates to information-theoretic MACs keyed by newly generated QKD bits (Prisco, 2023). In network-scale architectures, signatures and KEMs are also used at border nodes that relay or protect QKD-derived key material across incompatible or geographically remote domains (Brauer et al., 2023, Barral et al., 22 Apr 2026).

Misconceptions arise at this stage. One common misconception is that QKD alone solves authentication. The literature instead states that standalone QKD requires a long-term pre-shared secret or PKI to authenticate its classical channel (Prisco, 2023). Another misconception is that hybridization eliminates trust assumptions. In fact, trust is redistributed: CA trust, trusted-node assumptions, secure KMS or HSM operation, and authenticated classical post-processing remain central to deployed systems (Liu-Jun et al., 2020, Brauer et al., 2023, Barral et al., 22 Apr 2026).

This suggests that hybrid QKD–PQC is as much about trust-architecture design as about cryptographic composition. PQC signatures and certificates are not auxiliary conveniences; in many implementations they are the practical mechanism that makes QKD entity authentication scalable beyond small, manually provisioned deployments (Prisco, 2023, Liu-Jun et al., 2020).

4. Security models, composability, and threat mitigation

The security claims made for parallel hybrid QKD–PQC systems are usually expressed in compositional terms. For QKD, a standard statement is that Eve’s information on the QKD key satisfies

kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.2

after privacy amplification, where kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.3 is the security parameter (Prisco, 2023). For a KEM branch, the relevant notion is computational indistinguishability or IND-CCA security against quantum polynomial-time adversaries, with failure or advantage parameter kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.4 (Zeng et al., 2024).

When a KDF combiner is used, the literature gives the aggregate failure bound

kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.5

with typical practice choosing each component kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.6 or kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.7 (Prisco, 2023). In the XOR-composition treatment, the key lemma states that if kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.8 is kfinal  =  k1    k2    {0,1}.k_{\rm final} \;=\; k_1 \;\oplus\; k_2 \;\in\; \{0,1\}^\ell.9-close to uniform conditioned on Eve’s view and k1k_10 is k1k_11-indistinguishable from uniform for a computationally bounded Eve, then

k1k_12

is k1k_13-secure in the UC sense, yielding

k1k_14

(Zeng et al., 2024).

The defense-in-depth interpretation is explicit in several sources. Authentication of both channels prevents an active man-in-the-middle from injecting classical control messages into QKD or spoofing the KEM handshake (Prisco, 2023). If a future cryptographically relevant quantum computer breaks the PQC KEM, it cannot retroactively learn past QKD-derived bits because k1k_15 confidentiality is information-theoretic (Prisco, 2023). Conversely, if side-channel or implementation flaws affect the QKD hardware, the PQC-derived key still protects confidentiality (Prisco, 2023). In cross-domain deployments, multipath diversity is used so that an attacker must break at least one implementation on each path, and composable security can be bounded by the sum of individual path extraction errors (Brauer et al., 2023).

At the same time, the literature is careful about what is not guaranteed. In trusted-node federations, a fully malicious intermediate trusted node breaks end-to-end confidentiality (Barral et al., 22 Apr 2026). In layered network designs, the theorem for end-to-end confidentiality, authenticity, and forward secrecy assumes that the adversary cannot break both the PQC KEM and QKD simultaneously (Spooren et al., 7 Apr 2026). In HOQSk1k_16-style constructions, security is strengthened with an information-theoretically secure instruction sequence that determines primitive configuration, and the text states that message confidentiality is ensured even when both the QKD and the PQC primitives are compromised (Gupta et al., 4 Dec 2025). That claim is tied to the secrecy of the instruction sequence rather than to conventional “at least one primitive remains secure” hybrid reasoning (Gupta et al., 4 Dec 2025).

A common controversy concerns whether hybrid security is “the union of strengths” or merely “the minimum of components.” The sources support both framings in different senses. One source expresses combined security set-theoretically as

k1k_17

(Brauer et al., 2023), while throughput-oriented analyses show that operational key rate is the minimum of the parallel branches,

k1k_18

(Zeng et al., 2024). Security combination and performance composition therefore obey different laws.

5. Performance, latency, and finite-key effects

Performance behavior in parallel hybrid schemes is dominated by the fact that both branches must usually complete before the final key can be used. In the throughput model for the XOR-based architecture, producing one block of k1k_19 bits takes

k2k_20

and therefore

k2k_21

(Zeng et al., 2024). Because k2k_22 often decays exponentially with distance whereas k2k_23 is essentially distance-independent, the QKD branch commonly becomes the bottleneck at longer distances (Zeng et al., 2024).

Experimental systems confirm this asymmetry. In one hybrid encryption framework, the measured latency for ECDH is k2k_24 ms, for ML-KEM-768 k2k_25 ms, and for a Guardian QKD 256-bit vault k2k_26 ms, while the total hybrid latency is k2k_27 ms; comparative throughput is k2k_28 keys/s for pure ECDH, k2k_29 keys/s for pure ML-KEM-768, \ell0 keys/s for pure QKD 256-bit blocks, and \ell1 keys/s for the hybrid because it is bottlenecked by QKD (Raj et al., 9 Sep 2025). In another implementation study, ML-KEM-512, ML-KEM-768, and ML-KEM-1024 take approximately \ell2, \ell3, and \ell4 ms respectively, whereas simulated QKD BB84 with \ell5 takes \ell6 ms and E91 with \ell7 takes \ell8 ms (Chen, 30 Sep 2025).

Latency-sensitive protocol integration benefits particularly from true parallelism. For IKEv2, sequential hybrid according to the model requires

\ell9

whereas the parallel hybrid design gives

\ell0

(Blanco-Romero et al., 12 Jul 2025). Measurements over 50 runs show that under \ell1 ms RTT, sequential qkd-ke1_kyber1 averages \ell2 ms, while parallel qkd_kyber1 averages \ell3 ms, a \ell4 latency reduction; even at low RTT the parallel design saves a full extra round trip (Blanco-Romero et al., 12 Jul 2025). Pure QKD in that implementation uses only a 16-byte KeyID and no fragmentation, while Kyber512 public key plus KeyID fits in a single 1,472-byte IKE fragment (Blanco-Romero et al., 12 Jul 2025).

Multi-hop and network-overlay systems report a different performance envelope. In the Rosenpass-over-QKD-tunnels architecture, WireGuard uses 3 packets and 398 bytes per handshake, Arnika exchange 2 packets and 78 bytes, and Rosenpass 4 packets and 4,772 bytes; hand-provisioning times averaged \ell5 s over 10 hops, \ell6 s over 100 hops, \ell7 s for dual QKD-path and dual Rosenpass, and \ell8 s in a degraded case with \ell9 ms latency and η=1\eta=10 loss (Spooren et al., 7 Apr 2026). The same work reports a fail-safe window with measured mean disruption of η=1\eta=11 s after QKD failure, Arnika resource footprint below η=1\eta=12 MB RSS and below η=1\eta=13 CPU/core, and Rosenpass scaling to η=1\eta=14 peers/core with below η=1\eta=15 CPU per η=1\eta=16 s interval (Spooren et al., 7 Apr 2026).

Finite-key effects in the QKD branch materially affect hybrid design. One analysis gives

η=1\eta=17

so smaller η=1\eta=18 implies larger η=1\eta=19 and reduced Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,0 (Zeng et al., 2024). A more explicit finite-key treatment for BBM92 defines the composable failure budget

Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,1

and derives the maximal secret-key length

Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,2

with Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,3 (Gupta et al., 4 Dec 2025). This anchors hybrid performance claims in the same finite-key constraints that govern standalone QKD.

6. Networked deployment, interoperability, and scaling

Parallel hybrid QKD–PQC becomes more complex in networked settings because keys must often traverse domains, relay nodes, or heterogeneous physical media. Several systems address this through standard interfaces and border-node abstractions.

A European testbed links metro QKD networks in Berlin, Madrid, and Poznań and demonstrates four border-node methods for transparent hybridization (Brauer et al., 2023). Method 1 XOR-combines keys from two physical QKD links locally at each border node to produce a single bridge key. Method 2 emulates long-haul QKD with two PQC KEM links in parallel, treated by the local QKD-SDN controller as QKD links via an extended ETSI GS QKD 015 link-type property; outputs of two PQC KEMs are XOR’ed to form the long-haul key. Method 3 uses application-level services on border nodes to fetch local QKD keys and protect them via two independent PQC KEM+SIG chains. Method 4 further hardens the design with multi-path diversity over Iridium and public Internet, deriving the final key as

Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,4

All PQC links use TCP/IP, observed key-error rate is effectively Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,5, and Method 4 reaches Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,6 kbit/s, while Methods 1–3 offer QoS at Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,7 bit/s in the reported demos (Brauer et al., 2023).

A layered network architecture for trusted-node quantum networks combines per-hop WireGuard tunnels protected by ETSI GS QKD 014-derived PSKs with an end-to-end Rosenpass KEM over those tunnels (Spooren et al., 7 Apr 2026). PSKs are rotated every Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,8 s with a Spq_sharedKQ,S \leftarrow pq\_shared \,\|\, K_Q,9 s grace period, and the average Rosenpass handshake time is approximately KPQCK_{\mathrm{PQC}}00 s end-to-end (Spooren et al., 7 Apr 2026). The design is explicitly positioned as interoperable because it uses ETSI 014 and requires no modifications to WireGuard or QKD devices (Spooren et al., 7 Apr 2026).

A related distributed architecture for federated QKD islands uses KMSTNs that speak ETSI GS QKD 014 southbound to local vendor KMSs and ETSI GS QKD 020 horizontally to relay keys across a WAN (Barral et al., 22 Apr 2026). At each overlay hop, a message is encrypted under an ephemeral symmetric key derived by blending a QKD link key with a Kyber secret: KPQCK_{\mathrm{PQC}}01 This architecture introduces dynamic routing and concurrency parameters, but it also retains the trusted-node assumption: a fully malicious KMSTN breaks end-to-end confidentiality (Barral et al., 22 Apr 2026).

Scaling analyses at the abstract network level show that between any two users in a graph KPQCK_{\mathrm{PQC}}02, one may build composite protocols by routing through relay nodes, using parallel XOR-combinations, or adopting more general secret-sharing access structures (Zeng et al., 2024). For KPQCK_{\mathrm{PQC}}03 parallel QKD–PQC pairs, the net rate is

KPQCK_{\mathrm{PQC}}04

since all KPQCK_{\mathrm{PQC}}05 shares must finish to produce one final block (Zeng et al., 2024). This identifies a fundamental tension between redundancy for security and synchronization overhead for throughput.

Deployment practice also centers on standards. ETSI GS QKD 004/014 are repeatedly used for application-layer or stateless key delivery, ETSI GS QKD 015 appears in SDN control-plane integration, and ETSI GS QKD 020 is used for cross-domain KMS interoperability (Brauer et al., 2023, Blanco-Romero et al., 12 Jul 2025, Barral et al., 22 Apr 2026). A plausible implication is that standard interface convergence is a precondition for hybrid QKD–PQC systems to move from isolated proofs of concept to operational multi-domain services.

7. Open design questions and research directions

The literature identifies several unresolved design questions. One concerns the best key combiner. XOR is simple, has no auxiliary seed, and supports the claim that if either QKD or PQC remains unbroken, no adversary can predict KPQCK_{\mathrm{PQC}}06 with non-negligible advantage (Zeng et al., 2024). However, universal-hash-based strong extractors have been proposed as an alternative because, unlike XORing, they ensure that if the combined output and one initial key are compromised, the remaining key material retains quantifiable min-entropy and remains secure in exchange of longer keys (Giestinhas et al., 27 Mar 2026). The same work notes the cost of a public seed is essentially KPQCK_{\mathrm{PQC}}07 for Toeplitz constructions, making parameter selection and seed management nontrivial (Giestinhas et al., 27 Mar 2026). This is a live theoretical and engineering trade-off rather than a settled consensus.

A second question concerns the role of transcript binding and active security. Universal-hash extraction can include the entire transcript as part of the extractor input,

KPQCK_{\mathrm{PQC}}08

so that any active modification changes the extractor input and therefore the derived key (Giestinhas et al., 27 Mar 2026). By contrast, protocol-stack integrations such as IKEv2 reuse existing authenticated derivation mechanisms rather than placing the transcript directly inside a separate extractor (Blanco-Romero et al., 12 Jul 2025). The two approaches reflect different philosophies of composition.

A third question concerns side channels and failure domains. The set-theoretic and UC claims for hybrid security are often conditioned on primitive-level abstractions (Brauer et al., 2023, Zeng et al., 2024), but multiple sources emphasize implementation flaws as a primary rationale for hybridization itself (Prisco, 2023, Gupta et al., 4 Dec 2025). HOQSKPQCK_{\mathrm{PQC}}09 goes further by introducing an information-theoretically secure instruction sequence to determine the ordering of OTP, AES, and Ascon layers, asserting that this preserves message confidentiality even when both the QKD and the PQC primitives are compromised (Gupta et al., 4 Dec 2025). This approach departs from standard “one-of-two survives” hybrid reasoning and may be viewed as a distinct branch of the field.

A fourth question is practical scalability under realistic QKD rates and trusted-node constraints. Hybrid systems can span metro, regional, and continental distances by substituting PQC on long-haul segments, multiplexing paths, or using overlay relays (Brauer et al., 2023, Barral et al., 22 Apr 2026). Yet throughput remains constrained by slow or bursty QKD generation, and static routing can lead to congestion or buffer depletion (Barral et al., 22 Apr 2026). This suggests that future research will likely focus not only on cryptographic proofs but also on control-plane adaptation, rate-aware scheduling, and dynamic path selection.

Finally, there is a migration question. Several architectures emphasize that operators can swap PQC implementations at endpoints without touching trusted nodes, or integrate hybrid overlays without modifying deployed QKD devices or network protocols (Spooren et al., 7 Apr 2026). In that sense, parallel hybrid QKD–PQC key establishment also functions as a transition mechanism: it allows immediate use of QKD-derived entropy and standards-based PQC while preserving interoperability with existing secure-channel frameworks (Blanco-Romero et al., 12 Jul 2025, Spooren et al., 7 Apr 2026).

Taken together, these strands establish parallel hybrid QKD–PQC key establishment as a mature research area spanning protocol design, composable security, finite-key analysis, systems engineering, and standards-driven deployment. Its central premise is stable across formulations: quantum and post-quantum key-establishment mechanisms are run concurrently, and their outputs are combined so that heterogeneity of assumptions becomes an explicit part of the security architecture (Prisco, 2023, Zeng et al., 2024, Blanco-Romero et al., 12 Jul 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Parallel Hybrid QKD-PQC Key Establishment.