Efficient hybrid post-quantum authentication for quantum key distribution under finite-size effects
摘要
With the rapid development of quantum computers, traditional cryptographic systems face imminent security threats. Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) are two leading solutions for future information security. While QKD offers unconditional security, it faces the “bootstrapping” problem of initial authentication, typically requiring pre-shared symmetric keys which are difficult to distribute in large-scale networks. In this paper, we propose a hybrid authentication framework combining PQC and QKD to eliminate the need for pre-shared keys. A critical innovation of our work is addressing the “Finite-Size Effect” in resource-constrained scenarios—such as satellite-to-ground links or ultra-long-distance fibers—where the raw key rate is extremely low. Standard PQC authentication leaks digest information, necessitating privacy amplification that consumes precious key bits, often rendering key generation impossible in these low-yield regimes. To overcome this, we introduce a “Sign-then-Encrypt” strategy for the first round of QKD. By encrypting the verification digests using PQC, we effectively reduce the authentication leakage to zero, bypassing the need for corresponding privacy amplification. We provide a rigorous quantitative analysis demonstrating that this trade-off remains secure even if PQC is compromised in the future, provided the generated key maintains sufficient residual entropy. Additionally, we propose a second protocol that utilizes self-derived symmetric keys for authentication, significantly reducing computational latency and bandwidth overhead. The proposed protocols ensure the long-term quantum-resistant security of distributed keys while substantially lowering the startup threshold and improving the efficiency of QKD networks.