Contact information
Name | Daniel Sobral Blanco |
Address | 4.1 C03 A Edificio Torres Quevedo, Avenida de la Universidad 30, 28911 Leganés |
Contact
Address
4.1 C03 A Edificio Torres Quevedo, Avenida de la Universidad 30, 28911 Leganés
Publications
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
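@comment{Review notes for javierblanco007. The DOI prefix 10.48550/arXiv identifies an arXiv record and no journal field is given, so this looks like a preprint even though pubstate says published -- confirm the peer-review status before relying on the security and performance claims in the abstract. pages = 23 has no range and may be a page count, which biblatex stores in pagetotal -- TODO confirm. A second entry, javierblanco007b, carries the same title, authors and DOI.}
@article{javierblanco007,
  title      = {Hybrid Quantum Security for {IPsec}},
  author     = {Blanco-Romero, Javier and Otero García, Pedro and Sobral-Blanco, Daniel and Almenares-Mendoza, Florina and Fernández Vilas, Ana and Fernández-Veiga, Manuel},
  url        = {https://arxiv.org/pdf/2507.09288},
  doi        = {10.48550/arXiv.2507.09288},
  eprint     = {2507.09288},
  eprinttype = {arXiv},
  year       = {2025},
  date       = {2025-07-12},
  pages      = {23},
  abstract   = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
  pubstate   = {published},
  tppubtype  = {article}
}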
Blanco-Romero, Javier; García, Pedro Otero; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Vilas, Ana Fernández; Fernández-Veiga, Manuel
Hybrid Quantum Security for IPsec Journal Article
In: pp. 23, 2025.
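@comment{Review notes for javierblanco007b. This entry repeats javierblanco007 (same title, authors, URL and DOI) and differs only by the added urldate; the key is kept so existing citations still resolve, but the two records should be merged, for example through a biblatex ids alias. The DOI prefix 10.48550/arXiv identifies an arXiv record and no journal field is given, so this looks like a preprint even though pubstate says published -- confirm the peer-review status before relying on the security and performance claims in the abstract. pages = 23 has no range and may be a page count, which biblatex stores in pagetotal -- TODO confirm.}
@article{javierblanco007b,
  title      = {Hybrid Quantum Security for {IPsec}},
  author     = {Blanco-Romero, Javier and Otero García, Pedro and Sobral-Blanco, Daniel and Almenares-Mendoza, Florina and Fernández Vilas, Ana and Fernández-Veiga, Manuel},
  url        = {https://arxiv.org/pdf/2507.09288},
  doi        = {10.48550/arXiv.2507.09288},
  eprint     = {2507.09288},
  eprinttype = {arXiv},
  year       = {2025},
  date       = {2025-07-12},
  urldate    = {2025-07-12},
  pages      = {23},
  abstract   = {Quantum Key Distribution (QKD) offers information-theoretic security against quantum computing threats, but integrating QKD into existing security protocols remains an unsolved challenge due to fundamental mismatches between pre-distributed quantum keys and computational key exchange paradigms. This paper presents the first systematic comparison of sequential versus parallel hybrid QKD-PQC key establishment strategies for IPsec, revealing fundamental protocol design principles that extend beyond specific implementations. We introduce two novel approaches for incorporating QKD into Internet Key Exchange version 2 (IKEv2) with support for both ETSI GS QKD 004 stateful and ETSI GS QKD 014 stateless API specifications: (1) a pure QKD approach that replaces computational key derivation with identifier-based quantum key coordination, and (2) a unified QKD-KEM abstraction that enables parallel composition of quantum and post-quantum cryptographic methods within existing protocol frameworks. Our key insight is that parallel hybrid approaches eliminate the multiplicative latency penalties inherent in sequential methods mandated by RFC 9370, achieving significant performance improvements under realistic network conditions. Performance evaluation using a Docker-based testing framework with IDQuantique QKD hardware demonstrates that the parallel hybrid approach significantly outperforms sequential methods under network latency conditions, while pure QKD achieves minimal bandwidth overhead through identifier-based key coordination. Our implementations provide practical quantum-enhanced IPsec solutions suitable for critical infrastructure deployments requiring defense-in-depth security.},
  pubstate   = {published},
  tppubtype  = {article}
}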
Blanco-Romero, Javier; Otero-Garcia, Pedro; Sobral-Blanco, Daniel; Almenares-Mendoza, Florina; Fernandez-Vilas, Ana; Diaz-Redondo, Rebeca
QKD-KEM: Hybrid QKD Integration into TLS with OpenSSL Providers Conference
2025.
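@comment{Review notes for javierblanco005. The entry type is written as inproceedings, of which conference is an alias, but the required booktitle field is absent and the page does not name the venue -- TODO add the proceedings title. The DOI prefix 10.48550/arXiv identifies an arXiv record, so the cited version looks like a preprint even though pubstate says published -- confirm the peer-review status before relying on the security and overhead claims in the abstract.}
@inproceedings{javierblanco005,
  title      = {{QKD-KEM}: Hybrid {QKD} Integration into {TLS} with {OpenSSL} Providers},
  author     = {Blanco-Romero, Javier and Otero-Garcia, Pedro and Sobral-Blanco, Daniel and Almenares-Mendoza, Florina and Fernandez-Vilas, Ana and Diaz-Redondo, Rebeca},
  doi        = {10.48550/arXiv.2503.07196},
  eprint     = {2503.07196},
  eprinttype = {arXiv},
  year       = {2025},
  date       = {2025-03-10},
  urldate    = {2025-03-10},
  abstract   = {Quantum Key Distribution (QKD) promises information-theoretic security, yet integrating QKD into existing protocols like TLS remains challenging due to its fundamentally different operational model. In this paper, we propose a hybrid QKD-KEM protocol with two distinct integration approaches: a client-initiated flow compatible with both ETSI 004 and 014 specifications, and a server-initiated flow similar to existing work but limited to stateless ETSI 014 APIs. Unlike previous implementations, our work specifically addresses the integration of stateful QKD key exchange protocols (ETSI 004) which is essential for production QKD networks but has remained largely unexplored. By adapting OpenSSL’s provider infrastructure to accommodate QKD’s pre-distributed key model, we maintain compatibility with current TLS implementations while offering dual layers of security. Performance evaluations demonstrate the feasibility of our hybrid scheme with acceptable overhead, showing that robust security against quantum threats is achievable while addressing the unique requirements of different QKD API specifications.},
  pubstate   = {published},
  tppubtype  = {conference}
}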