Quantum-safe IPsec in the banking industry
Pith reviewed 2026-05-10 15:33 UTC · model grok-4.3
The pith
A hybrid architecture integrates classical, QKD, and post-quantum cryptography into IPsec via SDN for scalable banking network security.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that an SDN-orchestrated hybrid quantum-safe architecture enables early integration of classical cryptography, quantum key distribution, and post-quantum cryptography inside a DMVPN environment. This setup delivers highly scalable, full-mesh, site-to-site encrypted communications for enterprise networks such as those in banking. Validation on a five-node testbed with physical nodes in Madrid plus cloud nodes in northern Spain and Mexico, using both DV-QKD and CV-QKD plus ETSI004, ETSI014, and Cisco SKIP interfaces, demonstrates flexibility, scalability, interoperability, and resilience.
What carries the argument
The SDN-orchestrated key distribution system inside the DMVPN framework that unifies classical, QKD, and post-quantum cryptography despite incompatible interfaces.
If this is right
- Banks can begin integrating quantum-safe methods into IPsec before post-quantum algorithms are added to finalized standards.
- The approach supports full-mesh encrypted communications that scale across enterprise sites with mixed physical and cloud infrastructure.
- Interoperability holds across diverse vendors, QKD types, and key-delivery interfaces in a single deployment.
- The architecture provides a flexible foundation that remains secure as quantum threats evolve.
Where Pith is reading between the lines
- The design could shorten the migration window for financial institutions by allowing incremental upgrades rather than full protocol replacements.
- Similar hybrid orchestration might apply to other sectors that rely on IPsec for site-to-site links and face the same quantum risk timeline.
- Larger deployments could expose whether key-management overhead grows linearly or creates new bottlenecks under heavy traffic.
Load-bearing premise
That successful operation on a five-node heterogeneous testbed demonstrates sufficient scalability, resilience, and real-world applicability for production banking environments.
What would settle it
A clear failure to maintain secure key exchange or encryption performance when the system is expanded to dozens of nodes carrying typical banking traffic volumes.
The emergence of Cryptographically Relevant Quantum Computers (CRQCs) presents a critical threat to classical cryptographic systems, particularly widely adopted protocols such as RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC). Given their extensive use in the financial sector, the advent of quantum adversaries compels banking institutions to proactively develop and adopt quantum-safe communication mechanisms. This paper introduces a hybrid quantum-safe architecture, orchestrated via Software-Defined Networking (SDN) key distribution. The proposed framework enables the early integration of Classical Cryptography (CC), Quantum Key Distribution (QKD), and Post-Quantum Cryptography (PQC) within a Dynamic Multipoint Virtual Private Network (DMVPN) environment, providing highly scalable, full-mesh, site-to-site encrypted communications for enterprise networks. This is particularly relevant at a time when PQC algorithms have not yet been incorporated into finalized IPsec standards. The architecture has been validated across a five-node testbed comprising three physical nodes within a campus network in Madrid and two private-cloud nodes located in the north of Spain and Mexico. The deployment leverages a heterogeneous mix of physical and virtual devices, diverse technology providers, Discrete Variable QKD (DV-QKD) and Continuous Variable QKD (CV-QKD) implementations, and mutually incompatible key-delivery interfaces (ETSI004, ETSI014 and Cisco SKIP), demonstrating flexibility, scalability, and interoperability across environments. Through this framework, we demonstrate that quantum-safe communication in financial networks is not only technically feasible but also scalable, interoperable, and resilient. The proposed architecture establishes a robust, flexible, and future-proof foundation for secure financial communications in the era of quantum computing.
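As an added illustration of the hybrid principle the abstract describes (this is example code written for this page, not code from the paper or its testbed), the Python below combines a classical key-exchange secret, a QKD-delivered key and a PQC KEM shared secret into one IPsec child-SA key using an HKDF extract-and-expand step. The derived key stays unpredictable as long as at least one of the three inputs remains secret, which is the security argument for running CC, QKD and PQC together during the migration window. The salt, info labels, length-prefix encoding and the sample byte strings are constructed for this example; the combiner follows the general pattern of mixing additional secrets into IKEv2 keying material (the idea behind RFC 8784 and RFC 9370 in the paper's reference list) rather than either RFC's exact construction. One deliberate design choice is that a missing component is an error rather than a silent fallback, since a QKD link or KEM step that fails must not quietly downgrade the tunnel to a weaker key.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) using HMAC-SHA256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) using HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _len_prefixed(secret: bytes) -> bytes:
    # Length-prefix every component so the concatenation is unambiguous:
    # (b"ab", b"c") and (b"a", b"bc") must not produce the same IKM.
    return len(secret).to_bytes(2, "big") + secret


def hybrid_key(classical: bytes, qkd: bytes, pqc: bytes, context: bytes, length: int = 32) -> bytes:
    """Derive one symmetric key from three independent secrets.

    classical: shared secret from a classical (EC)DH exchange
    qkd:       key material obtained from the QKD key-delivery interface
    pqc:       shared secret decapsulated from a PQC KEM (for example ML-KEM)
    context:   SA identifiers (SPIs, peer IDs) that bind the key to one tunnel

    An empty component is refused: a failed QKD or KEM step must surface as an
    error instead of silently degrading to a key built from fewer secrets.
    """
    for name, secret in (("classical", classical), ("qkd", qkd), ("pqc", pqc)):
        if not secret:
            raise ValueError(f"missing {name} key component; refusing to derive a degraded key")
    ikm = _len_prefixed(classical) + _len_prefixed(qkd) + _len_prefixed(pqc)
    # Salt and info labels are constructed for this example, not taken from any standard.
    prk = hkdf_extract(b"hybrid-ipsec-example-salt", ikm)
    return hkdf_expand(prk, b"child-sa-key|" + context, length)


# Constructed sample secrets; these are not key material from the paper's testbed.
SAMPLE_CLASSICAL = bytes.fromhex("11" * 32)
SAMPLE_QKD = bytes.fromhex("22" * 32)
SAMPLE_PQC = bytes.fromhex("33" * 32)
SAMPLE_CONTEXT = b"spi=0x0000abcd|peer=example-node-1"


def derive_sample() -> bytes:
    """Derive the child-SA key for the constructed sample inputs."""
    return hybrid_key(SAMPLE_CLASSICAL, SAMPLE_QKD, SAMPLE_PQC, SAMPLE_CONTEXT)


def _flip_first_bit(secret: bytes) -> bytes:
    return bytes([secret[0] ^ 0x01]) + secret[1:]


def component_independence() -> bool:
    """True if changing any single component changes the derived key."""
    base = derive_sample()
    variants = (
        (_flip_first_bit(SAMPLE_CLASSICAL), SAMPLE_QKD, SAMPLE_PQC),
        (SAMPLE_CLASSICAL, _flip_first_bit(SAMPLE_QKD), SAMPLE_PQC),
        (SAMPLE_CLASSICAL, SAMPLE_QKD, _flip_first_bit(SAMPLE_PQC)),
    )
    return all(hybrid_key(*args, SAMPLE_CONTEXT) != base for args in variants)


if __name__ == "__main__":
    print("child SA key:", derive_sample().hex())
    print("every component influences the key:", component_independence())
```

In a real deployment the three inputs would come from the IKEv2 exchange, the QKD key-delivery API (ETSI 004/014 or SKIP) and the KEM decapsulation respectively, and the context would carry the negotiated SPIs; the combiner itself does not change.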
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes an SDN-orchestrated hybrid architecture that integrates classical cryptography (CC), quantum key distribution (QKD), and post-quantum cryptography (PQC) into a DMVPN-based IPsec framework. It claims this delivers highly scalable, full-mesh site-to-site encrypted communications suitable for banking networks and validates the approach via a five-node heterogeneous testbed (three physical Madrid nodes plus two cloud nodes in Spain and Mexico) using mixed DV/CV-QKD systems and incompatible key interfaces (ETSI004, ETSI014, Cisco SKIP).
Significance. If the interoperability and flexibility results hold, the work would be significant for showing a practical path to early quantum-safe IPsec deployment in enterprise settings before PQC is standardized in IPsec, with the testbed's handling of diverse providers and interfaces providing concrete evidence of flexibility that could guide banking migrations.
major comments (2)
- [Abstract and testbed validation] Abstract and validation description: the repeated claim of a 'highly scalable' architecture 'suitable for enterprise networks' in banking rests on a five-node full-mesh testbed without any reported measurements of key-distribution latency, tunnel setup time, throughput, or orchestration overhead as a function of node count, nor any simulation or extrapolation to the dozens or hundreds of sites typical in banking deployments. A five-node demonstration does not substantiate the scalability assertion.
- [Testbed validation] Testbed results section: the SDN key-orchestration layer is presented as enabling resilience and scalability, yet no data on performance under node addition, failure scenarios, or load are supplied, leaving the production-readiness claim for banking environments unsupported by the reported evidence.
minor comments (1)
- [Abstract] The abstract asserts that the framework demonstrates 'scalability, interoperability, and resilience' but the validation details focus primarily on successful operation and interface compatibility rather than quantitative scalability metrics.
Simulated Author's Rebuttal
We thank the referee for their insightful comments, which help us improve the clarity and accuracy of our claims regarding the proposed architecture. We address each major comment below.
- Referee: [Abstract and testbed validation] Abstract and validation description: the repeated claim of a 'highly scalable' architecture 'suitable for enterprise networks' in banking rests on a five-node full-mesh testbed without any reported measurements of key-distribution latency, tunnel setup time, throughput, or orchestration overhead as a function of node count, nor any simulation or extrapolation to the dozens or hundreds of sites typical in banking deployments. A five-node demonstration does not substantiate the scalability assertion.
  Authors: We concur that the five-node testbed does not provide empirical evidence for scalability to large banking networks with many sites. The manuscript's validation emphasizes the successful integration of diverse QKD technologies and key interfaces through SDN orchestration in a DMVPN framework. To address this, we will revise the abstract to remove the phrase 'highly scalable' and instead describe it as 'demonstrating a flexible and interoperable approach with potential for scalability in enterprise settings'. We will also add a paragraph in the discussion section outlining the architectural features that support scalability (such as centralized SDN control) while acknowledging the need for further performance evaluations at larger scales.
  Revision: yes
- Referee: [Testbed validation] Testbed results section: the SDN key-orchestration layer is presented as enabling resilience and scalability, yet no data on performance under node addition, failure scenarios, or load are supplied, leaving the production-readiness claim for banking environments unsupported by the reported evidence.
  Authors: The referee correctly notes the lack of specific data on performance under dynamic conditions like node addition or failures. Our testbed results show the basic functionality and interoperability but do not include load testing or failure recovery metrics. We will revise the text in the testbed validation section to avoid implying production-readiness or unproven resilience. The claims will be adjusted to focus on the demonstrated interoperability across heterogeneous environments, and we will include a statement that comprehensive resilience and scalability assessments are planned for future work.
  Revision: yes
Circularity Check
No circularity: applied implementation paper with no derivations or self-referential claims
This is a purely applied engineering and testbed demonstration paper. It describes an SDN-orchestrated hybrid CC/QKD/PQC architecture inside DMVPN and reports successful operation on a five-node heterogeneous network. There are no equations, no fitted parameters, no predictions derived from models, and no mathematical derivation chain of any kind. Central claims rest on direct experimental interoperability results rather than any reduction to self-citations, ansatzes, or inputs by construction. The work is self-contained as an implementation report.
Reference graph
Works this paper leans on
-
[1]
Mosca M and Piani M 2025 Quantum threat timeline report Tech. rep. Global Risk Institute URL https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report
work page 2025
-
[2]
Rivest R, Shamir A and Adleman L 1978 A method for obtaining digital signatures and public-key cryptosystems Commun. ACM 21 120–126
work page 1978
-
[3]
Diffie W and Hellman M 1976 New directions in cryptography IEEE Transactions on Information Theory 22 644–654
work page 1976
-
[4]
Miller V 1985 Use of elliptic curves in cryptography Advances in Cryptology - CRYPTO '85, Santa Barbara, California, USA, August 18-22, 1985, Proceedings pp 417–426
work page 1985
-
[5]
Koblitz N 1987 Elliptic curve cryptosystems Mathematics of Computation 48 203–209 ISSN 0025-5718
work page 1987
-
[6]
National Institute of Standards and Technology 2024 Module-Lattice-Based Key-Encapsulation Mechanism Standard Tech. Rep. Federal Information Processing Standards Publications (FIPS PUBS) 203 U.S. Department of Commerce Washington, D.C
work page 2024
-
[7]
National Institute of Standards and Technology 2024 Module-Lattice-Based Digital Signature Standard Tech. Rep. Federal Information Processing Standards Publications (FIPS PUBS) 204 U.S. Department of Commerce Washington, D.C
work page 2024
-
[8]
National Institute of Standards and Technology 2024 Stateless Hash-Based Digital Signature Standard Tech. Rep. Federal Information Processing Standards Publications (FIPS PUBS) 205 U.S. Department of Commerce Washington, D.C
work page 2024
-
[9]
Betts M, Qiaogang C, Contreras-Murillo L M, Davis N, Doolan P, Hood D, Janz C, K L, Fengkai L, Paul M, Reith L, Schaller S, Schneider F, Shew S, Varma E and Vissers M 2016 Publication ONF TR-521: SDN Architecture for Transport Networks 1.1 URL http://www.opennetworking.org
work page 2016
-
[10]
Kreutz D, Ramos F M V, Veríssimo P E, Rothenberg C E, Azodolmolky S and Uhlig S 2015 Software-Defined Networking: A Comprehensive Survey Proceedings of the IEEE 103 14–76
work page 2015
-
[11]
Aguado A, Lopez V, Lopez D, Peev M, Poppe A, Pastor A, Folgueira J and Martin V 2019 The Engineering of Software-Defined Quantum Key Distribution Networks IEEE Communications Magazine 57 20–26
work page 2019
- [12]
-
[13]
B Mendez R, S Buruaga J, P Brito J, Pastor A, R Lopez D and Martin V 2026 Quantum resistant Software Defined-Networking IPsec, enabling ITS communication over IP networks on real telco infrastructures Computer Networks 280 112171 ISSN 1389-1286
work page 2026
-
[14]
Eronen P, Nir Y, Hoffman P E and Kaufman C 2010 Internet Key Exchange Protocol Version 2 (IKEv2) RFC 5996 URL https://www.rfc-editor.org/info/rfc5996
work page 2010
-
[15]
Shor P W 1997 Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer SIAM J. Comput. 26 1484–1509 ISSN 0097-5397 URL https://doi.org/10.1137/S0097539795293172
- [16]
-
[17]
Lim C C W, Curty M, Walenta N, Xu F and Zbinden H 2014 Concise security bounds for practical decoy-state quantum key distribution Phys. Rev. A 89(2) 022307 URL https://link.aps.org/doi/10.1103/PhysRevA.89.022307
-
[18]
Peev M, Pacher C, Alléaume R, Barreiro C, Bouda J, Boxleitner W, Debuisschert T, Diamanti E, Dianati M, Dynes J F et al 2009 The SECOQC quantum key distribution network in Vienna New Journal of Physics 11 075001
-
[19]
Pistoia M, Amer O, Behera M R, Dolphin J A, Dynes J F, John B, Haigh P A, Kawakura Y, Kramer D H, Lyon J et al 2023 Paving the way toward 800 Gbps quantum-secured optical channel deployment in mission-critical environments Quantum Science and Technology 8 035015
-
[20]
HSBC 2025 HSBC quantum protection for AI URL https://www.hsbc.com/news-and-views/news/media-releases/2023/hsbc-pioneers-quantum-protection-for-ai-powered-fx-trading
work page 2025
-
[21]
HSBC 2025 HSBC quantum safe tokenized gold URL https://www.hsbc.com/news-and-views/news/media-releases/2024/hsbc-pilots-quantum-safe-technology-for-tokenised-gold
work page 2025
-
[22]
SoftBank Corp T 2025 Field experiment of IPsec QKD-VPN URL https://www.global.toshiba/ww/news/digitalsolution/2023/09/news-20230920-01.html
work page 2025
-
[23]
ETSI 2025 Preparing for a quantum secure future Tech. rep. ETSI ISG URL https://www.etsi.org/e-brochure/ETSI-QSC-Report-2025/mobile/index.html
work page 2025
-
[24]
Huttner B, John P, Carl D, McGregor K and Elizabeth W 2024 QKD: Part of a defense-in-depth security strategy Phys. Rev. A URL https://quantumconsortium.org/publication/qkd-part-of-a-defense-in-depth-security-strategy/
work page 2024
- [25]
-
[26]
Vahid Heydari Fami Tafreshi, Ebrahim Ghazisaeedi, et al 2014 Integrating IPsec within OpenFlow architecture for secure group communication ZTE Communications Journal 12 41–49
work page 2014
-
[27]
Yunchun Li and Jutao Mao 2015 SDN-based access authentication and automatic configuration for IPsec 2015 4th International Conference on Computer Science and Network Technology (ICCSNT) vol 1 (IEEE) pp 996–999
work page 2015
-
[28]
Marin-Lopez R, Lopez-Millan G and Pereniguez-Garcia F July 2008 A YANG data model for IPsec flow protection based on software-defined networking (SDN) Tech. rep. RFC 9061
work page 2008
-
[29]
Bjorklund M 2016 The YANG 1.1 data modeling language Tech. rep. Internet Engineering Task Force
work page 2016
-
[30]
ETSI 2020 Quantum Key Distribution (QKD); Application Interface Tech. Rep. GS QKD 004 v2.1.1 ETSI ISG URL https://www.etsi.org/deliver/etsi_gs/QKD/001_099/004/02.01.01_60/gs_QKD004v020101p.pdf
work page 2020
-
[31]
ETSI 2019 Quantum Key Distribution (QKD); Protocol and data format of REST-based key delivery API Tech. Rep. GS QKD 014 v1.1.1 ETSI ISG URL https://www.etsi.org/deliver/etsi_gs/QKD/001_099/014/01.01.01_60/gs_qkd014v010101p.pdf
work page 2019
-
[32]
Kampanakis P 2025 Post-quantum Hybrid Key Exchange with ML-KEM in the Internet Key Exchange Protocol Version 2 (IKEv2) Internet-Draft draft-ietf-ipsecme-ikev2-mlkem-03 Internet Engineering Task Force Work in Progress URL https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/03/
work page 2025
-
[33]
ITU-T 2019 Recommendation Y.3800: Overview on networks supporting quantum key distribution Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3800
work page 2019
-
[34]
ITU-T 2020 Recommendation Y.3801: Functional requirements for quantum key distribution networks Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3801
work page 2020
-
[35]
ITU-T 2020 Recommendation Y.3802: Quantum key distribution networks - Functional architecture Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3802
work page 2020
-
[36]
ITU-T 2020 Recommendation Y.3803: Quantum key distribution networks - Key management Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3803
work page 2020
-
[37]
ITU-T 2025 Y.QKD-IPSec-fr: framework for integration of quantum key distribution and IPsec Tech. rep. International Telecommunication Union IETF liaison statement to ITU-T SG13 for progress on this work item URL https://www.ietf.org/lib/dt/documents/LIAISON/liaison-2025-03-24-itu-t-sg-13-opsawg-ls-on-work-progress-on-quantum-key-distribution-qkd-network-in...
work page 2025
-
[38]
Government S 2025 National quantum safe network URL https://www.imda.gov.sg/about-imda/emerging-technologies-and-research/national-quantum-safe-network-plus
work page 2025
-
[39]
QCI L 2025 Lux4QCI URL https://lux4qci.eu/349-2/
work page 2025
-
[40]
Martin V, Brito J P, Ortiz L, Mendez R B, Buruaga J S, Vicente R J, Sebastián-Lombraña A, Rincon D, Perez F, Sanchez C, Peev M, Brunner H H, Fung F, Poppe A, Fröwis F, Shields A J, Woodward R I, Griesser H, Roehrich S, Iglesia F D L, Abellan C, Hentschel M, Rivas-Moscoso J M, Pastor A, Folgueira J and Lopez D R 2024 MadQCI: a heterogeneous and scala...
-
[41]
Centre N C S 2025 PQC migration timelines URL https://www.ncsc.gov.uk/guidance/pqc-migration-timelines
work page 2025
-
[42]
FS-ISAC 2025 The timeline for post quantum cryptographic migration https://www.fsisac.com/the-timeline-for-post-quantum-cryptographic-migration accessed: 2025-11-17
work page 2025
-
[43]
European Commission 2025 A coordinated implementation roadmap for the transition to post-quantum cryptography URL https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography accessed: 2025-11-17
work page 2025
-
[44]
Fluhrer S, Kampanakis P, McGrew D and Smyslov V 2020 Mixing preshared keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for post-quantum security Tech. Rep. 8784 RFC Editor URL https://www.rfc-editor.org/info/rfc8784
work page 2020
-
[45]
Cisco 2025 Quantum encryption PPK URL https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m-sec-cfg-quantum-encryption-ppk.html
work page 2025
-
[46]
ETSI 2022 Quantum Key Distribution (QKD); Control Interface for Software Defined Networks Tech. Rep. GS QKD 015 v2.1.1 ETSI ISG URL https://www.etsi.org/deliver/etsi_gs/QKD/001_099/015/02.01.01_60/gs_QKD015v020101p.pdf
work page 2022
-
[47]
The Open Quantum Safe Project 2025 liboqs - an open source C library for quantum-safe cryptographic algorithms URL https://github.com/open-quantum-safe/liboqs
work page 2025
-
[48]
ITU-T 2020 Recommendation Y.3804: Quantum key distribution networks - Control and management Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3804
work page 2020
-
[49]
ITU-T 2021 Recommendation Y.3805: Quantum key distribution networks - Software-defined networking control Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-Y.3805
work page 2021
-
[50]
ITU-T 2021 Recommendation X.1712: Security requirements and measures for quantum key distribution networks - key management Recommendation International Telecommunication Union URL https://www.itu.int/rec/T-REC-X.1712
work page 2021
-
[51]
Smyslov V 2022 Intermediate Exchange in the Internet Key Exchange Protocol Version 2 (IKEv2) RFC 9242 URL https://www.rfc-editor.org/info/rfc9242
work page 2022
-
[52]
Tjhai C, Tomlinson M, Bartlett G, Fluhrer S, Geest D V, Garcia-Morchon O and Smyslov V 2023 Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2) RFC 9370 URL https://www.rfc-editor.org/info/rfc9370
work page 2023
-
[53]
Smyslov V 2025 Mixing Preshared Keys in the IKE INTERMEDIATE and CREATE CHILD SA Exchanges of the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-Quantum Security RFC 9867 URL https://www.rfc-editor.org/info/rfc9867
work page 2025
-
[54]
Aguilar Melchor C, Aragon N, Bettaieb S, Bidoux L, Blazy O, Deneuville J C, Gaborit P, Hauteville A and Zémor G 2025 HQC: Hamming Quasi-Cyclic URL https://pqc-hqc.org/ accessed: 2025-12-19
work page 2025