Post-Quantum Cryptography for Secure Authentication Key Distribution in QKD Networks

This paper presents a vendor-agnostic architecture for secure pre-shared key (PSK) exchange between Quantum Key Distribution (QKD) nodes, leveraging post-quantum cryptography (PQC) tools. The proposed system combines PQC-OpenVPN and OQS-OpenSSH with USB mass storage emulation and single-board computers (SBCs) to automate the transfer of initial authentication secrets. This design significantly reduces manual intervention and mitigates risks associated with physical key handling. The solution was experimentally validated on IDQ Clavis3 and Cerberis3 devices and is broadly applicable to other QKD platforms that support only USB-based key input. Integration of lattice-based algorithms such as Kyber, Dilithium, and ML-DSA enables encapsulation and authentication of quantum-safe keys. Furthermore, a layered design using VPN and SSH channels provides robust cryptographic isolation for authentication material in transit. The work contributes a reproducible and cost-effective testbed for post-quantum hardened QKD deployments and demonstrates the practical feasibility of combining PQC mechanisms with QKD systems to enhance trust in future quantum-safe infrastructures.