The Engineering of Software-Defined Quantum Key Distribution Networks

Alejandro Aguado; Andreas Poppe; Antonio Pastor; Diego Lopez; Jesus Folgueira; Momtchil Peev; Vicente Martiin; Victor Lopez

arxiv: 1907.00174 · v1 · pith:6M3T5PFInew · submitted 2019-06-29 · 💻 cs.NI · cs.CR

The Engineering of Software-Defined Quantum Key Distribution Networks

Alejandro Aguado , Victor Lopez , Diego Lopez , Momtchil Peev , Andreas Poppe , Antonio Pastor , Jesus Folgueira , Vicente Martiin This is my paper

Pith reviewed 2026-05-25 13:22 UTC · model grok-4.3

classification 💻 cs.NI cs.CR

keywords quantum key distributionsoftware defined networkingoptical fibernetwork integrationquantum-safe cryptographyclassical-quantum coexistenceproduction network deployment

0 comments

The pith

Software-defined networking integrates quantum key distribution with classical communications on shared optical fiber in one production infrastructure.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Quantum computers will break current public-key cryptography, so quantum key distribution provides a physical alternative immune to computational attacks. QKD has mostly stayed in isolated point-to-point fiber links. This paper shows that programmable network architectures can combine quantum and classical signals, plus their management, on the same shared fiber without separate infrastructure. The result is an evolutionary upgrade path that adds quantum-safe algorithms while keeping existing protocols and avoiding wholesale replacement. The approach has been realized and tested in an actual production network.

Core claim

New programmable software network architectures, together with specially designed quantum systems, produce a network that integrates classical and quantum communications, including management, in a single production-level infrastructure. The network incorporates new quantum-safe algorithms and uses existing security protocols, bridging today's network security to the quantum-safe network of the future in an evolutionary way without zero-day migrations.

What carries the argument

Software-defined networking control plane that coordinates quantum key distribution systems with classical traffic on shared fiber.

If this is right

Classical and quantum communications share one fiber infrastructure under unified management.
Existing security protocols continue to operate alongside new quantum-safe algorithms.
Network upgrades proceed incrementally without full replacement of current equipment.
The same production network can carry both traffic types while maintaining security levels.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The shared control plane could lower the cost of deploying QKD at scale by reusing existing fiber routes.
Wavelength allocation rules between quantum and classical channels become a practical engineering constraint that operators would need to standardize.
Security models may need to treat the SDN controller as a potential new trust boundary for quantum channels.
Hybrid networks of this type could support gradual migration testing in live environments before wider rollout.

Load-bearing premise

Quantum signals can be sent over the same optical fiber as classical traffic without unacceptable loss or new attack surfaces created by the shared control plane and coexistence.

What would settle it

Measurement of quantum signal loss exceeding operational thresholds or a demonstrated attack on the QKD link routed through the SDN control plane in the production deployment would falsify the integration claim.

read the original abstract

Quantum computers will change the cryptographic panorama. A technology once believed to lay far away into the future is increasingly closer to real world applications. Quantum computers will break the algorithms used in our public key infrastructure and in our key exchange protocols, forcing a complete retooling of the cryptography as we know it. Quantum Key distribution is a physical layer technology immune to quantum or classical computational threats. However, it requires a physical substrate, and optical fiber has been the usual choice. Most of the time used just as a point to point link for the exclusive transport of the delicate quantum signals. Its integration in a real-world shared network has not been attempted so far. Here we show how the new programmable software network architectures, together with specially designed quantum systems can be used to produce a network that integrates classical and quantum communications, including management, in a single, production-level infrastructure. The network can also incorporate new quantum-safe algorithms and use the existing security protocols, thus bridging the gap between today's network security and the quantum-safe network of the future. This can be done in an evolutionary way, without zero-day migrations and the corresponding upfront costs. We also present how the technologies have been deployed in practice using a production network.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This paper describes a real production deployment of QKD integrated with SDN over shared fiber but offers no metrics or security analysis to confirm the integration works without new problems.

read the letter

The main point is that the authors claim to have put QKD into a live shared network using SDN for control and management, something they say had not been tried before. They outline an architecture that keeps quantum signals on the same fiber as classical traffic through wavelength separation and power management, and they show how this setup can add quantum-safe algorithms on top of existing protocols in an incremental way. The deployment in an actual production network is the concrete part that stands out from earlier point-to-point QKD work. That engineering narrative is useful for anyone planning similar rollouts, because it focuses on coexistence rather than isolated links. The paper does not include any measured numbers on quantum bit error rate, secret key rate, or loss under simultaneous classical load, nor does it present a threat model for SDN-induced issues such as timing side channels or wavelength switching attacks. The central assumption that shared infrastructure introduces no unacceptable new attack surfaces or performance hits therefore rests on design principles alone. Readers who need evidence that the quantum channel remains secure and functional in this mixed environment will find the account thin on validation. The work is aimed at network engineers and operators who want a practical description of how to add QKD without a full replacement of current infrastructure. It is not aimed at theorists looking for new proofs or at security researchers needing detailed attack analysis. The paper deserves peer review because a documented production deployment is worth having in the record, provided reviewers push for the missing quantitative data and a basic security argument around the control plane.

Referee Report

2 major / 1 minor

Summary. The paper claims that new programmable software-defined network architectures, together with specially designed quantum systems, can integrate classical and quantum communications (including management) into a single production-level infrastructure. It further claims this integration can be achieved evolutionarily by incorporating quantum-safe algorithms alongside existing protocols, and reports on a practical deployment using a production network.

Significance. If the central claims hold with supporting evidence, the work would be significant for enabling practical deployment of QKD beyond dedicated point-to-point links, potentially lowering adoption barriers for quantum-safe networking in shared infrastructures.

major comments (2)

[Deployment section] Deployment section: The description of the production-network deployment provides no quantitative metrics (e.g., QBER, secret-key rate, or loss under simultaneous classical traffic load) to substantiate that quantum signals coexist with classical traffic without unacceptable degradation. This directly undermines the central claim of successful integration in a shared infrastructure.
[SDN integration discussion] SDN control-plane integration: No threat model or analysis is presented for potential new attack surfaces created by SDN management (e.g., control-plane timing attacks or wavelength-switching side channels on the quantum channel). This is load-bearing for the claim that the architecture preserves QKD security properties.

minor comments (1)

[Abstract] Abstract: Including at least one concrete performance metric from the deployment would better support the high-level claims.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our manuscript. We address each major comment below and indicate planned revisions.

read point-by-point responses

Referee: [Deployment section] The description of the production-network deployment provides no quantitative metrics (e.g., QBER, secret-key rate, or loss under simultaneous classical traffic load) to substantiate that quantum signals coexist with classical traffic without unacceptable degradation. This directly undermines the central claim of successful integration in a shared infrastructure.

Authors: We agree that the deployment section would be strengthened by quantitative metrics demonstrating coexistence. The manuscript prioritizes the architectural integration and evolutionary deployment approach over benchmark reporting. In the revised version we will add available performance data from the production network, including QBER, secret-key rates, and loss figures measured under simultaneous classical traffic. revision: yes
Referee: [SDN integration discussion] No threat model or analysis is presented for potential new attack surfaces created by SDN management (e.g., control-plane timing attacks or wavelength-switching side channels on the quantum channel). This is load-bearing for the claim that the architecture preserves QKD security properties.

Authors: The manuscript does not contain a dedicated threat model for SDN-induced attack surfaces, as its scope is the engineering feasibility of integration rather than exhaustive security analysis. We will add a concise discussion of potential control-plane timing and wavelength-switching side channels, together with the architectural mitigations (physical-layer separation and standard QKD assumptions) that preserve the quantum channel's security properties. revision: yes

Circularity Check

0 steps flagged

No circularity; engineering narrative with independent deployment claims

full rationale

The paper is an engineering/architecture description of SDN-QKD integration in production networks. It contains no equations, no fitted parameters, no derivations, and no self-citations used to justify uniqueness or load-bearing premises. The central claim rests on reported practical deployment rather than any reduction to inputs by construction. This matches the default expectation of no significant circularity for non-mathematical papers.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical model or derivations; the work rests on domain assumptions about optical fiber behavior and SDN control rather than new axioms or parameters.

pith-pipeline@v0.9.0 · 5762 in / 892 out tokens · 21007 ms · 2026-05-25T13:22:43.678427+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

The objective of this work is to demonstrate, for the first time, a network that can seamlessly integrate, in a logical and physical way, quantum and classical communications in a production level telecommunications infrastructure.
IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

The quantum channel is capable of tolerating more than 20 classical channels at 100Gbps in the same C band... key generation rate above 20kbps, with coexistence

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

18 extracted references · 18 canonical work pages · 1 internal anchor

[1]

and network services [10,11]. The importance of the testbed used in this communication lies in that it demonstrates how QKD can be 3 implemented in a real-world network, installed in a production facility and run in a fully integrated manner, where the quantum and classical parts are managed consistently. This allows the incremental installation of QKD an...

work page 2020
[2]

Tomorrow’s Quantum Computers Are Already Threatening Today’s Data,

J. Breeden, “Tomorrow’s Quantum Computers Are Already Threatening Today’s Data,” Defense One, July 10, 2018, https://www.defenseone.com/threats/2018/07/future-quantum-computers-already-threatening-todays-data/149557/ (retrieved June 22,

work page 2018
[3]

Worldwide standardization activity for quantum key distribution

R. Alleaume, I.P. Degiovanni, A. Mink, T.E. Chapuran, N. Lutkenhaus, M. Peev, C.J. Chunnilall, V. Martin, M. Lucamarini, M. Ward, A. Shields, “Worldwide standardization activity for quantum key distribution”, 2014 IEEE Globecom Workshops, 2014, pp. 656-661}, Doi: 10.1109/GLOCOMW.2014.7063507

work page doi:10.1109/glocomw.2014.7063507 2014
[4]

Quantum cryptography

N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, “Quantum cryptography”, Rev. Mod. Phys. 2002, v. 74, pp. 145-195

work page 2002
[5]

Quantum Key Distribution

V. Martin, J. Martinez-Mateo, M. Peev, “Quantum Key Distribution” J. Webster (ed.) Wiley Encyclopedia of Electrical and Electronics Engineering, John Wiley and Sons, 2017, pp 1-17, doi: 10.1002/047134608X.W8354

work page doi:10.1002/047134608x.w8354 2017
[6]

The security of practical quantum key distribution

V. Scarani, H. Bechmann-Pasquinucci, N.J. Cerf, M. Dusek, N. Lutkenhaus and M. Peev, “The security of practical quantum key distribution”, Rev. Mod. Phys. v. 81, 2009, pp. 1301-1350, doi 10.1103/RevModPhys.81.1301

work page doi:10.1103/revmodphys.81.1301 2009
[7]

Quantum internet: A Vision for the road ahead

S. Wehner, D. Elkouss, R. Hanson "Quantum internet: A Vision for the road ahead" Science 362, 6412 (2018)

work page 2018
[8]

Hybrid Conventional and Quantum Security for Software Defined and Virtualized Networks,

A. Aguado, V. Lopez, J. Martinez-Mateo, T. Szyrkowiec, A. Autenrieth, M. Peev, D. Lopez, and V. Martin, "Hybrid Conventional and Quantum Security for Software Defined and Virtualized Networks," J. Opt. Commun. Netw. 9, 2017, pp. 819-825

work page 2017
[9]

Quantum Key Distribution (QKD) and Commodity Security Protocols: Introduction and Integration

A. Mink et al. “Quantum Key Distribution (QKD) and Commodity Security Protocols: Introduction and Integration”, 7 in the International Journal of Network Security & Its Applications 1.2, 2009, p.p. 101-112

work page 2009
[10]

Virtual Network Function Deployment and Service Automation to Provide End-to-End Quantum Encryption,

A. Aguado, V. Lopez, J. Martinez-Mateo, M. Peev, D. Lopez, and V. Martin, "Virtual Network Function Deployment and Service Automation to Provide End-to-End Quantum Encryption," J. Opt. Commun. Netw. 10, 2018, pp. 421-430

work page 2018
[11]

Building the quantum network

C. Elliott “Building the quantum network” New J. Phys. 4, 2002, pp. 46

work page 2002
[12]

QKD in Standard Optical Telecommunications Networks

D. Lancho, J. Martinez, D. Elkouss, M. Soto, and V. Martin, “QKD in Standard Optical Telecommunications Networks,” in QuantumComm 2009, LNICS, vol. 36, 2009, pp. 142-149, (arXiv:1006.1858)

work page internal anchor Pith review Pith/arXiv arXiv 2009
[13]

The SECOQC quantum key distribution network in Vienna

M. Peev, et al. “The SECOQC quantum key distribution network in Vienna”. New J. Phys. v. 11, 2009, pp. 075001, doi 10.1088/1367-2630/11/7/075001

work page doi:10.1088/1367-2630/11/7/075001 2009
[14]

Field test of quantum key distribution in the Tokyo QKD Network

M. Sasaki, et al. “Field test of quantum key distribution in the Tokyo QKD Network”, Opt. Express, v. 192011, pp. 10387-10409, doi 10.1364/OE.19.010387 Alejandro Aguado received the Graduate degree in mathematics and computer science from the Universidad Autonoma de Madrid, Madrid, Spain, in

work page doi:10.1364/oe.19.010387
[15]

Architectures, Technologies, and Control

He worked as a researcher on SDN with Telefonica I+D. He worked also as a Research Associate at the High Performance Networks Group, University of Bristol. He is currently a PhD student in the Center for Computational Simulation, Universidad Politécnica de Madrid, researching on quantum key distribution networking. Victor López M.Sc. from Universidad de ...

work page 2005
[16]

Research associate at ARCS (resp

From 1993 to 1995, he was a post-doctoral Lise-Meitner Fellow at the Vienna University of Technology and, from 1995 to 1997, a post-doctoral ARCS Fellow. Research associate at ARCS (resp. AIT) until 2010, when he became senior scientist and a thematic coordinator for QKD. Since 2015 he is a senior expert and project leader in the Optical and Quantum Commu...

work page 1993
[17]

Vienna), where he designed an entangled QKD-system, included in the QKD-network demonstration of the European project SECOQC

He joined the quantum cryptography project at the Institute of Experimental Physics (U. Vienna), where he designed an entangled QKD-system, included in the QKD-network demonstration of the European project SECOQC. He was senior scientist at the Optical Quantum Technologies group of the Austrian Institute of Technology, where he led the QKD systems develop...

work page 2015
[18]

He is focused on Optical, Metro & IP Networks, network virtualization (SDN/NFV) and advanced switching

Head of Transport and IP Networks within Telefonica Global CTO unit, he leads Network Planning, Technology and Innovation. He is focused on Optical, Metro & IP Networks, network virtualization (SDN/NFV) and advanced switching. His expertise includes Broadband Access, R&D Management, and network deployment. Vicente Martín Ph.D. Physics (1995) from the Univ...

work page 1995

[1] [1]

and network services [10,11]. The importance of the testbed used in this communication lies in that it demonstrates how QKD can be 3 implemented in a real-world network, installed in a production facility and run in a fully integrated manner, where the quantum and classical parts are managed consistently. This allows the incremental installation of QKD an...

work page 2020

[2] [2]

Tomorrow’s Quantum Computers Are Already Threatening Today’s Data,

J. Breeden, “Tomorrow’s Quantum Computers Are Already Threatening Today’s Data,” Defense One, July 10, 2018, https://www.defenseone.com/threats/2018/07/future-quantum-computers-already-threatening-todays-data/149557/ (retrieved June 22,

work page 2018

[3] [3]

Worldwide standardization activity for quantum key distribution

R. Alleaume, I.P. Degiovanni, A. Mink, T.E. Chapuran, N. Lutkenhaus, M. Peev, C.J. Chunnilall, V. Martin, M. Lucamarini, M. Ward, A. Shields, “Worldwide standardization activity for quantum key distribution”, 2014 IEEE Globecom Workshops, 2014, pp. 656-661}, Doi: 10.1109/GLOCOMW.2014.7063507

work page doi:10.1109/glocomw.2014.7063507 2014

[4] [4]

Quantum cryptography

N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, “Quantum cryptography”, Rev. Mod. Phys. 2002, v. 74, pp. 145-195

work page 2002

[5] [5]

Quantum Key Distribution

V. Martin, J. Martinez-Mateo, M. Peev, “Quantum Key Distribution” J. Webster (ed.) Wiley Encyclopedia of Electrical and Electronics Engineering, John Wiley and Sons, 2017, pp 1-17, doi: 10.1002/047134608X.W8354

work page doi:10.1002/047134608x.w8354 2017

[6] [6]

The security of practical quantum key distribution

V. Scarani, H. Bechmann-Pasquinucci, N.J. Cerf, M. Dusek, N. Lutkenhaus and M. Peev, “The security of practical quantum key distribution”, Rev. Mod. Phys. v. 81, 2009, pp. 1301-1350, doi 10.1103/RevModPhys.81.1301

work page doi:10.1103/revmodphys.81.1301 2009

[7] [7]

Quantum internet: A Vision for the road ahead

S. Wehner, D. Elkouss, R. Hanson "Quantum internet: A Vision for the road ahead" Science 362, 6412 (2018)

work page 2018

[8] [8]

Hybrid Conventional and Quantum Security for Software Defined and Virtualized Networks,

A. Aguado, V. Lopez, J. Martinez-Mateo, T. Szyrkowiec, A. Autenrieth, M. Peev, D. Lopez, and V. Martin, "Hybrid Conventional and Quantum Security for Software Defined and Virtualized Networks," J. Opt. Commun. Netw. 9, 2017, pp. 819-825

work page 2017

[9] [9]

Quantum Key Distribution (QKD) and Commodity Security Protocols: Introduction and Integration

A. Mink et al. “Quantum Key Distribution (QKD) and Commodity Security Protocols: Introduction and Integration”, 7 in the International Journal of Network Security & Its Applications 1.2, 2009, p.p. 101-112

work page 2009

[10] [10]

Virtual Network Function Deployment and Service Automation to Provide End-to-End Quantum Encryption,

A. Aguado, V. Lopez, J. Martinez-Mateo, M. Peev, D. Lopez, and V. Martin, "Virtual Network Function Deployment and Service Automation to Provide End-to-End Quantum Encryption," J. Opt. Commun. Netw. 10, 2018, pp. 421-430

work page 2018

[11] [11]

Building the quantum network

C. Elliott “Building the quantum network” New J. Phys. 4, 2002, pp. 46

work page 2002

[12] [12]

QKD in Standard Optical Telecommunications Networks

D. Lancho, J. Martinez, D. Elkouss, M. Soto, and V. Martin, “QKD in Standard Optical Telecommunications Networks,” in QuantumComm 2009, LNICS, vol. 36, 2009, pp. 142-149, (arXiv:1006.1858)

work page internal anchor Pith review Pith/arXiv arXiv 2009

[13] [13]

The SECOQC quantum key distribution network in Vienna

M. Peev, et al. “The SECOQC quantum key distribution network in Vienna”. New J. Phys. v. 11, 2009, pp. 075001, doi 10.1088/1367-2630/11/7/075001

work page doi:10.1088/1367-2630/11/7/075001 2009

[14] [14]

Field test of quantum key distribution in the Tokyo QKD Network

M. Sasaki, et al. “Field test of quantum key distribution in the Tokyo QKD Network”, Opt. Express, v. 192011, pp. 10387-10409, doi 10.1364/OE.19.010387 Alejandro Aguado received the Graduate degree in mathematics and computer science from the Universidad Autonoma de Madrid, Madrid, Spain, in

work page doi:10.1364/oe.19.010387

[15] [15]

Architectures, Technologies, and Control

He worked as a researcher on SDN with Telefonica I+D. He worked also as a Research Associate at the High Performance Networks Group, University of Bristol. He is currently a PhD student in the Center for Computational Simulation, Universidad Politécnica de Madrid, researching on quantum key distribution networking. Victor López M.Sc. from Universidad de ...

work page 2005

[16] [16]

Research associate at ARCS (resp

From 1993 to 1995, he was a post-doctoral Lise-Meitner Fellow at the Vienna University of Technology and, from 1995 to 1997, a post-doctoral ARCS Fellow. Research associate at ARCS (resp. AIT) until 2010, when he became senior scientist and a thematic coordinator for QKD. Since 2015 he is a senior expert and project leader in the Optical and Quantum Commu...

work page 1993

[17] [17]

Vienna), where he designed an entangled QKD-system, included in the QKD-network demonstration of the European project SECOQC

He joined the quantum cryptography project at the Institute of Experimental Physics (U. Vienna), where he designed an entangled QKD-system, included in the QKD-network demonstration of the European project SECOQC. He was senior scientist at the Optical Quantum Technologies group of the Austrian Institute of Technology, where he led the QKD systems develop...

work page 2015

[18] [18]

He is focused on Optical, Metro & IP Networks, network virtualization (SDN/NFV) and advanced switching

Head of Transport and IP Networks within Telefonica Global CTO unit, he leads Network Planning, Technology and Innovation. He is focused on Optical, Metro & IP Networks, network virtualization (SDN/NFV) and advanced switching. His expertise includes Broadband Access, R&D Management, and network deployment. Vicente Martín Ph.D. Physics (1995) from the Univ...

work page 1995