With the advent of quantum computing, the increasing threats to security poses a great challenge to communication networks. Recent innovations in this field resulted in promising technologies such as Quantum Key Distribution (QKD), which enables the generation of unconditionally secure keys, establishing secure communications between remote nodes. Additionally, QKD networks enable the interconnection of multinode architectures, extending the point-to-point nature of QKD. However, due to the limitations of the current state of technology, the scalability of QKD networks remains a challenge toward feasible implementations. When it comes to long-distance implementations, trusted relay nodes partially solve the distance issue through the forwarding of the distributed keys, allowing applications that do not have a direct QKD link to securely share key material. Even though the relay procedure itself has been extensively studied, the establishment of the relaying node path still lacks a solution. This paper proposes an innovative network architecture that solves the challenges of Key Management System (KMS) identification, relay path discovery, and scalability of QKD networks by integrating Software-Defined Networking (SDN) principles, and establishing high-level virtual KMSs (vKMS) in each node and creating a new entity called the Quantum Security Controller (QuSeC). The vKMS serves the end-user key requests, managing the multiple KMSs within the node and abstracting the user from discovering the correct KMS. Additionally, based on the high-level view of the network topology and status, the QuSeC serves the path discovery requests from vKMSs, computing the end-to-end (E2E) relay path and applying security policies. The paper also provides a security analysis of the proposal, identifying the security levels of the architecture and analyzing the core networking security properties.

翻译：随着量子计算的出现，日益增长的安全威胁对通信网络构成了巨大挑战。该领域的最新创新催生了诸如量子密钥分发（QKD）等前景广阔的技术，该技术能够生成无条件安全的密钥，从而在远程节点之间建立安全通信。此外，QKD网络实现了多节点架构的互联，扩展了QKD的点对点特性。然而，由于当前技术水平的限制，QKD网络的可扩展性仍然是实现可行部署的挑战。在长距离部署方面，可信中继节点通过转发分发的密钥，部分解决了距离问题，使得不具备直接QKD链路的应用能够安全共享密钥材料。尽管中继过程本身已得到广泛研究，但中继节点路径的建立仍缺乏解决方案。本文提出了一种创新的网络架构，通过集成软件定义网络（SDN）原则，在每个节点中建立高层虚拟密钥管理系统（vKMS），并创建一个称为量子安全控制器（QuSeC）的新实体，从而解决了密钥管理系统（KMS）识别、中继路径发现和QKD网络可扩展性等挑战。vKMS服务于终端用户的密钥请求，管理节点内的多个KMS，并抽象化用户对正确KMS的发现过程。此外，基于网络拓扑和状态的高层视图，QuSeC服务于来自vKMS的路径发现请求，计算端到端（E2E）中继路径并应用安全策略。本文还对该方案进行了安全性分析，识别了架构的安全级别，并分析了核心网络安全属性。