Versatile quantum-safe hybrid key exchange and its application to MACsec

IF 5.6 2区物理与天体物理 Q1 OPTICS

EPJ Quantum Technology Pub Date : 2025-07-04 DOI:10.1140/epjqt/s40507-025-00382-x

Jaime S. Buruaga, Augustine Bugler, Juan P. Brito, Vicente Martin, Christoph Striecks

{"title":"Versatile quantum-safe hybrid key exchange and its application to MACsec","authors":"Jaime S. Buruaga, Augustine Bugler, Juan P. Brito, Vicente Martin, Christoph Striecks","doi":"10.1140/epjqt/s40507-025-00382-x","DOIUrl":null,"url":null,"abstract":"<div><p>Advancements in quantum computing pose a significant threat to most of the cryptography currently deployed in our communication networks. Fortunately, cryptographic building blocks to mitigate this threat are already available; mostly based on Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD), but also on symmetric cryptography techniques. Notably, those building blocks must be deployed as soon as possible in communication networks due to the “harvest-now decrypt-later” attack scenario, which is already challenging our sensitive and encrypted data today.</p><p>Following an agile and defense-in-depth approach, Hybrid Authenticated Key-Exchange (HAKE) protocols have recently been gaining significant attention. Such protocols have the benefit of modularly combining classical (symmetric) cryptography, PQC, and QKD to achieve strong confidentiality, authenticity, and integrity guarantees for network channels. Unfortunately, only a few protocols have yet been proposed (mainly Muckle and Muckle+) with different flexibility guarantees.</p><p>Looking at available standards in the network domain – especially at the Media Access Control Security (MACsec) standard – we believe that HAKE protocols could already bring strong security benefits to MACsec today. MACsec is a standard designed to secure communication at the data link layer in Ethernet networks by providing confidentiality, authenticity, and integrity for all traffic between trusted nodes. In addition, it establishes secure channels within a Local Area Network (LAN), ensuring that data remain protected from eavesdropping, tampering, and unauthorized access, while operating transparently to higher layer protocols. Currently, MACsec does not offer enough protection against the aforementioned threats.</p><p>In this work, we tackle the challenge and propose a new versatile HAKE protocol, dubbed VMuckle, which is sufficiently flexible for use in MACsec. The use of VMuckle in MACsec provides LAN participants with quantum-safe hybrid key material to ensure secure communication even in the event of cryptographically relevant quantum computers.</p></div>","PeriodicalId":547,"journal":{"name":"EPJ Quantum Technology","volume":"12 1","pages":""},"PeriodicalIF":5.6000,"publicationDate":"2025-07-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://epjquantumtechnology.springeropen.com/counter/pdf/10.1140/epjqt/s40507-025-00382-x","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"EPJ Quantum Technology","FirstCategoryId":"101","ListUrlMain":"https://link.springer.com/article/10.1140/epjqt/s40507-025-00382-x","RegionNum":2,"RegionCategory":"物理与天体物理","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"OPTICS","Score":null,"Total":0}

引用次数: 0

Abstract

Advancements in quantum computing pose a significant threat to most of the cryptography currently deployed in our communication networks. Fortunately, cryptographic building blocks to mitigate this threat are already available; mostly based on Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD), but also on symmetric cryptography techniques. Notably, those building blocks must be deployed as soon as possible in communication networks due to the “harvest-now decrypt-later” attack scenario, which is already challenging our sensitive and encrypted data today.

Following an agile and defense-in-depth approach, Hybrid Authenticated Key-Exchange (HAKE) protocols have recently been gaining significant attention. Such protocols have the benefit of modularly combining classical (symmetric) cryptography, PQC, and QKD to achieve strong confidentiality, authenticity, and integrity guarantees for network channels. Unfortunately, only a few protocols have yet been proposed (mainly Muckle and Muckle+) with different flexibility guarantees.

Looking at available standards in the network domain – especially at the Media Access Control Security (MACsec) standard – we believe that HAKE protocols could already bring strong security benefits to MACsec today. MACsec is a standard designed to secure communication at the data link layer in Ethernet networks by providing confidentiality, authenticity, and integrity for all traffic between trusted nodes. In addition, it establishes secure channels within a Local Area Network (LAN), ensuring that data remain protected from eavesdropping, tampering, and unauthorized access, while operating transparently to higher layer protocols. Currently, MACsec does not offer enough protection against the aforementioned threats.

In this work, we tackle the challenge and propose a new versatile HAKE protocol, dubbed VMuckle, which is sufficiently flexible for use in MACsec. The use of VMuckle in MACsec provides LAN participants with quantum-safe hybrid key material to ensure secure communication even in the event of cryptographically relevant quantum computers.

查看原文本刊更多论文

通用量子安全混合密钥交换及其在MACsec中的应用

量子计算的进步对目前部署在我们通信网络中的大多数加密技术构成了重大威胁。幸运的是，缓解这种威胁的加密构建块已经可用；主要基于后量子密码（PQC）和量子密钥分发（QKD），但也基于对称密码技术。值得注意的是，由于“先收获后解密”的攻击场景，这些构建块必须尽快部署在通信网络中，这已经挑战了我们今天的敏感和加密数据。遵循敏捷和纵深防御的方法，混合身份验证密钥交换（HAKE）协议最近受到了极大的关注。这种协议的优点是模块化地结合了经典（对称）加密、PQC和QKD，从而为网络通道实现强大的机密性、真实性和完整性保证。不幸的是，目前只有少数协议被提出（主要是Muckle和Muckle+），它们具有不同的灵活性保证。看看网络领域的现有标准，尤其是媒体访问控制安全（MACsec）标准，我们相信HAKE协议已经可以为MACsec带来强大的安全优势。MACsec是一种标准，旨在通过为可信节点之间的所有流量提供机密性、真实性和完整性，来保护以太网网络中数据链路层的通信。此外，它在局域网（LAN）内建立安全通道，确保数据免受窃听、篡改和未经授权的访问，同时对更高层协议透明地运行。目前，MACsec并没有提供足够的保护来抵御上述威胁。在这项工作中，我们解决了这一挑战，并提出了一种新的通用HAKE协议，称为VMuckle，它在MACsec中使用足够灵活。在MACsec中使用VMuckle为LAN参与者提供量子安全的混合密钥材料，以确保即使在与加密相关的量子计算机的情况下也能安全通信。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

EPJ Quantum Technology Physics and Astronomy-Atomic and Molecular Physics, and Optics

CiteScore

7.70

自引率

7.50%

发文量

审稿时长

71 days

期刊介绍： Driven by advances in technology and experimental capability, the last decade has seen the emergence of quantum technology: a new praxis for controlling the quantum world. It is now possible to engineer complex, multi-component systems that merge the once distinct fields of quantum optics and condensed matter physics. EPJ Quantum Technology covers theoretical and experimental advances in subjects including but not limited to the following: Quantum measurement, metrology and lithography Quantum complex systems, networks and cellular automata Quantum electromechanical systems Quantum optomechanical systems Quantum machines, engineering and nanorobotics Quantum control theory Quantum information, communication and computation Quantum thermodynamics Quantum metamaterials The effect of Casimir forces on micro- and nano-electromechanical systems Quantum biology Quantum sensing Hybrid quantum systems Quantum simulations.