Overview
pQKD Twin Cloud Edition is a solution for high-security connectivity between an AWS VPC (Virtual Private Cloud) and a client network, based on the principles of quantum cryptography realized through QKD emulation. On the classical networking side it follows standard VPN principles, enhanced with secure symmetric key exchange provided by QKD emulation technology. This technology ensures full ETSI QKD compatibility, provides genuine quantum entropy from a quantum random number generator, and uses a standard post-quantum key encapsulation mechanism (FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard, also known as CRYSTALS-Kyber). The solution consists of the following elements:
- An EC2 server instance on AWS
- A client computer on the client network
- A pQKD hardware device

The solution schema is shown in the following picture: https://qkd-ss.s3.eu-west-2.amazonaws.com/pQKD+VPN+diagram.png

As shown in the picture, the VPN network is based on the efficient and secure WireGuard VPN. In our solution, we do not modify the essential security components of the VPN. WireGuard establishes a UDP connection (on port 51920), creating a new virtual network interface in the system. However, for maximum security, the transmitted standard key is encrypted with a presharedKey, identical on both the server and client sides, via an XOR operation, typical for One-Time Pad (OTP) mechanisms. pQKD Twin (on the cloud side) and the pQKD hardware device (on the client network/computer side) provide mechanisms for distributing the presharedKey. Consequently, our solution is a hybrid approach, combining the WireGuard system with a post-quantum key exchange based on quantum entropy.

The service requests key generation by connecting to the pQKD service on AWS via the KME (Key Management Entity) port. The pQKD service communicates through a TCP link (port 8000) with the client service and its pQKD device (where the quantum key is generated). The keys obtained on both the AWS server and client sides are then incorporated into the WireGuard VPN on each end.

On the AWS side, there is an EC2 instance with the following services installed:
- WireGuard
- A runner service for communication with WireGuard, pQKD, and the client
- A software-based implementation of pQKD: pQKD Digital Twin
This server configuration has been saved as an AMI image on AWS.

On the client side, the following components are present:
- WireGuard
- A service for communication with WireGuard, pQKD, and the AWS server
- A pQKD device connected to the client computer network

The hardware component (local side pQKD device) can be ordered here: https://www.quantumblockchains.io/buy-pqkd/
Highlights
- State-of-the-Art VPN: Built on WireGuard, featuring quantum-resistant encryption key exchange for next-gen security.
- Post-Quantum Encryption: Utilizes FIPS 203-compliant CRYSTALS-Kyber algorithms for future-proof protection.
- Genuine Quantum Entropy: Integrated hardware-based QRNG (Quantum Random Number Generator) ensures true quantum randomness.
Pricing
Dimension | Cost/hour |
---|---|
t3.small (Recommended) | $0.15 |
m6id.16xlarge | $0.15 |
x2idn.metal | $0.15 |
i2.4xlarge | $0.15 |
r6i.large | $0.15 |
h1.4xlarge | $0.15 |
g2.2xlarge | $0.15 |
m7i.xlarge | $0.15 |
i4i.32xlarge | $0.15 |
r5b.xlarge | $0.15 |
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Version v2.0
Additional details
Usage instructions
See documentation: https://www.quantumblockchains.io/decks/pQKD_Twin_Cloud.pdf
Support
Vendor support
Contact us at support@quantumblockchains.io or at
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.