Enhancing the Security of Classical Communication with Post-Quantum Authenticated-Encryption Schemes for the Quantum Key Distribution

Abstract

This research aims to establish a secure system for key exchange by using post-quantum cryptography (PQC) schemes in the classic channel of quantum key distribution (QKD). Modern cryptography faces significant threats from quantum computers, which can solve classical problems rapidly. PQC schemes address critical security challenges in QKD, particularly in authentication and encryption, to ensure the reliable communication across quantum and classical channels. The other objective of this study is to balance security and communication speed among various PQC algorithms in different security levels, specifically CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon, which are finalists in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project. The quantum channel of QKD is simulated with Qiskit, which is a comprehensive and well-supported tool in the field of quantum computing. By providing a detailed analysis of the performance of these three algorithms with Rivest–Shamir–Adleman (RSA), the results will guide companies and organizations in selecting an optimal combination for their QKD systems to achieve a reliable balance between efficiency and security. Our findings demonstrate that the implemented PQC schemes effectively address security challenges posed by quantum computers, while keeping the the performance similar to RSA.

1. Introduction

In the modern digital age, protecting the confidentiality and integrity of communication data is essential. While modern cryptographic algorithms are effective in classical computing contexts, they are increasingly susceptible to the emerging field of quantum computing. Quantum computers can solve certain problems greatly faster than classical computers. For instance, Shor’s algorithm can easily factor large integers and solve the discrete logarithm problem, which places the security of widely used cryptographic algorithms such as Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC) in risk [1,2,3]. Similarly, symmetric key algorithms are also challenged by the Grover’s algorithm that can speed up brute-force search by reducing their security strength. As these advancements in quantum technologies continue to progress, the demand for innovative cryptographic solutions is becoming increasingly urgent. Post-quantum cryptography (PQC) is a developing area that provides cryptographic algorithms that are resistant to quantum attacks [4]. Simultaneously, quantum key distribution (QKD) protocols are being developed to utilize the principles of quantum mechanics to facilitate secure key exchange, thereby achieving unconditional security. Quantum computers pose a great challenge to traditional cryptographic methods, as noted in [5]. However, PQC algorithms, including lattice-based cryptography, code-based cryptography , hash-based cryptography, and multivariate cryptography [6,7,8,9,10,11,12,13,14], provide strong protection against the computational abilities of quantum adversaries. These adversaries can easily solve classical hard problems like integer factorization and discrete logarithms. It is important to highlight an advantage of PQC encryption algorithms, which is their built-in resilience against attacks from quantum computers as emphasized by [15]. In the complex realm of QKD, security is deeply rooted in the principles of quantum mechanics such as Heisenberg’s uncertainty principle and the no-cloning theorem, explained by [16,17] respectively. These principles act as guardians, promptly detecting any attempts at interception and strengthening the security of distributed keys. The importance of PQC in ensuring the security of communication channels is underscored by [18], given the reliance of QKD on the distribution of secret keys between parties. Moreover, the vulnerabilities revealed in modern cryptographic methods, particularly when faced with quantum threats [19], show the meaning of adopting PQC methodologies. By enhancing authentication and encryption processes, PQC schemes offer an improved approach for integrating new participants into QKD, enhancing accessibility while reinforcing secure communication.

The crucial role of PQC in QKD systems is further emphasized by diverse experimental efforts, similar to those suggested by [4]. This research aims to establish a secure system for key exchange by using PQC schemes in the classic channel of QKD. Other objectives include finding the optimal balance between security and communication speed among different security levels of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon, which are finalists in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project. The quantum channel of QKD is simulated with Qiskit, a comprehensive and well-supported tool in the field of quantum computing. The results will guide organizations in selecting optimal security level for their QKD systems to achieve a reliable balance between efficiency and security. We will achieve this by providing a detailed analysis of the performance of these three algorithms with RSA. Our findings will show that the implemented PQC schemes effectively improve the reliability of communication by addressing security challenges and having the RSA performance.

This study makes several significant contributions. First, it introduces an innovative approach to enhancing the security of the classical channel by combining PQC with QKD, thereby increasing overall safety. Second, it provides an in-depth assessment of various algorithm parameters, including sizes, speeds, and security levels. This comparative analysis aims to identify the optimal combination for the proposed cryptosystem. Third, it explores the practical implementation challenges of integrating PQC into a QKD system. Finally, it provides guidelines for future research and development and shows key areas for further exploration to enhance the robustness and efficiency of quantum-secure communication systems.

The structure of this paper is organized as follows: First, we review relevant studies on the QKD BB84 protocol and the CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon algorithms. Next, we provide a detailed explanation of our methodology, covering the requirements and experimental simulations. Following this, we present our experimental results, compare them with RSA performance, and discuss their significance. We also examine the potential drawbacks of the proposed method. Finally, we conclude the paper with a discussion of possible directions for future research.

2. Literature Review

The BB84 protocol is a QKD protocol that was proposed by Charles Bennett and Gilles Brassard in 1984 [20]. It is one of the most widely used QKD protocols and is named after the surnames of its inventors and the year of its invention. CRYSTALS-Kyber is another technique used to safeguard messages, especially against newer, more powerful computers that could break traditional encryption methods [21]. It relies on advanced mathematical concepts to create codes that are very difficult for these computers to crack. At its core, lattice-based cryptography takes on the complexities of mathematical problems built within lattice structures. These complex problems form the basis upon which the security of lattice-based schemes is established, effectively protecting them from potential attacks from quantum computers [22]. These computers act as an approaching threat to modern digital signature mechanisms as well. CRYSTALS-Dilithium appears as a signature resistant to these quantum attacks and is secure against side-channel attacks as well [23]. As digital communication evolves, a strong and safe method of creating digital signatures is provided by this algorithm, which is at the cutting edge of the evolution at this moment, where the need for digital signatures that are resistant to quantum incidents is urgent. Falcon also appears to be an appropriate choice for safe digital signatures in the rapidly developing area of post-quantum cryptography. With its foundation based on lattice-based cryptography, Falcon addresses an important need for cryptographic algorithms that maintain effectiveness and practicality while dealing with the power of quantum computers [24,25]. The strength of all three PQC algorithms comes from the complexity of lattice problems, which is a mathematical idea that serves as the core of their security.

2.1. Quantum Key Distribution BB84 Protocol

The BB84 protocol is designed to ensure unconditional security in the transmission of a shared secret key between two parties, Alice and Bob [26]. The BB84 protocol uses quantum bits (qubits) for the transmission of data in the quantum channel. The process involves encoding data bits into various polarized states of photons, creating qubits essential for secure key transmission within the quantum channel [27]. In quantum communication, polarized states often appear as either vertical and right diagonal (traditionally denoted as “1”) or horizontal and left diagonal (usually indicated as “0”).

Table 1. Security of BB84 protocol quantum channel.

Qubit	Alice’s Basis	Alice’s Bit	Eve’s Basis	Eve’s Bit	Bob’s Basis	Bob’s Bit	Basis Match	Bit Match	Error
${|\psi \rangle }_1$	+	0	×	0	×	1	No	-	No
${|\psi \rangle }_2$	×	1	+	1	+	1	No	-	No
${|\psi \rangle }_3$	+	0	+	0	+	0	Yes	Yes	No
${|\psi \rangle }_4$	×	1	×	1	×	1	Yes	Yes	No
${|\psi \rangle }_5$	+	0	+	0	+	1	Yes	No	Yes
${|\psi \rangle }_6$	×	1	+	1	+	0	No	-	No
${|\psi \rangle }_7$	+	0	×	0	×	0	No	-	No
${|\psi \rangle }_8$	×	1	×	0	×	0	Yes	No	Yes

shows the use of two distinct bases, labeled as “+” and “×”, for detecting these photons [28].

The quantum state $|\psi \rangle$ is represented as a linear combination of basis states [29]:

$$|\psi \rangle =\alpha |0\rangle +\beta |1\rangle$$

(1)

where $\alpha$ and $\beta$ are complex probability amplitudes.

Basis states in the rectilinear basis (Z basis) and diagonal basis (X basis):

$$\begin{gathered} |0\rangle :\mathrm{Bit}\mathrm{value}0 \\ |1\rangle :\mathrm{Bit}\mathrm{value}1 \end{gathered}$$

$$\begin{gathered} |+\rangle :\frac{1}{\sqrt{2}}\left(\right|0\rangle +|1\rangle ):\mathrm{Bit}\mathrm{value}0 \\ |-\rangle :\frac{1}{\sqrt{2}}\left(\right|0\rangle -|1\rangle ):\mathrm{Bit}\mathrm{value}1 \end{gathered}$$

Classical post-processing in BB84 protocol:

As can be seen in

Table 2. Security of BB84 protocol classic channel.

Step	Description
1. Key Sifting	Bob’s sent bases
2. Error Correction	Correct basis exchange
2.1. QBER Calculation	Calculate QBER
2.2. Threshold Check	Check QBER threshold
3. Key Reconciliation	Correct errors
4. Privacy Amplification	Enhance key security

, the BB84 protocol involves four main steps: key sifting, error correction, key reconciliation, and privacy amplification [30]. Firstly, in key sifting, Bob sends the bases he used to Alice to confirm against the qubits she sent. Then, during error correction, Alice tells Bob the correct bases, and Bob discards any bits measured incorrectly. After this, the “quantum bit error rate (QBER)” is calculated. This rate is found by comparing the results of some qubits’ measurements between Alice and Bob to see how often they disagreed [31]. If there has been interference from an eavesdropper, called Eve, the QBER goes over a certain level. In that case, both Alice and Bob throw out the keys and start over. Even if the QBER is below the threshold, it is still not zero, meaning that Alice and Bob do not have the same keys. Therefore, in addition to correcting errors, they use the cascade protocol for key reconciliation. According to this protocol, Alice and Bob segment the bits into fixed-size blocks, compute the parity of each block, and exchange these data for error correction. The BB84 protocol concludes with privacy amplification, where the shared secret key undergoes further processing to bolster its security. This involves applying a one-way function that reduces the information accessible to potential eavesdroppers. Subsequently, the final key is utilized for encrypting and decrypting messages exchanged between Alice and Bob.

The BB84 protocol has proven its resilience against diverse attacks, including man-in-the-middle and eavesdropping attempts [32]. This robustness arises from any effort to intercept or measure the qubits, inevitably altering their polarization, thus alerting the receiver. Consequently, any eavesdropping attempt is promptly detected, preventing the establishment of the shared secret key. Nevertheless, the BB84 protocol is not without limitations. A primary drawback is its reliance on a costly and challenging-to-implement quantum channel. Also, it requires a classical channel for error correction and communication which is susceptible to potential attacks [33]. To avoid additional overheads like key reconciliation and privacy amplification in the classical channel, there are some authenticated encryption schemes which can be used in the classical channel using the PQC algorithms introduced by NIST [34].

2.2. CRYSTALS-Kyber

CRYSTALS-Kyber is an advanced lattice-based key exchange protocol designed to ensure the integrity of transmitted information. At its core, CRYSTALS-Kyber leverages the module learning with errors (M-LWE) technique, an evolution of the original learning with errors (LWE) problem [35]. This technique enhances computational efficiency while maintaining cryptographic robustness, making CRYSTALS-Kyber a reliable solution for secure key exchange in real-world scenarios [36]. The M-LWE technique is central to the efficacy of CRYSTALS-Kyber. It optimizes the LWE problem, balancing computational efficiency and cryptographic strength [37]. This optimization ensures the practicality of lattice-based cryptography in real-world applications [36]. CRYSTALS-Kyber moves beyond theoretical constructs by providing a key encapsulation mechanism (KEM). This mechanism enhances the protocol’s versatility and utility by enabling secure key establishment through the encapsulation of a symmetric key with a public key. This encapsulated key can be securely exchanged between parties, forming the foundation for robust communication encryption [36].

As described in [38] work, a double-NTRU (D-NTRU)-based KEM with IND-CCA2 security highlights the importance of parameter considerations. The approval of CRYSTALS-Kyber, an NIST Post-Quantum Cryptography finalist with security levels Kyber-512, Kyber-768, and Kyber-1024, complies with this emphasis on parameters [34,35]. The specified parameter sets for Kyber, detailed in

Table 3. Parameter sets for CRYSTALS-Kyber.

Security Level	n	k	q	η	du	dv	δ
Kyber 512	256	2	3329	2	10	4	$2^{-139}$
Kyber 768	256	3	3329	2	10	4	$2^{-164}$
Kyber 1024	256	4	3329	2	11	5	$2^{-174}$

, determine values for n, k, q, $\eta$, $d_u$, $d_v$ (control compression of ($\mathbf{u},v)$), and $\delta$ (the chance of decryption producing an error), ensuring diverse levels of security and efficiency.

Using CRYSTALS-Kyber for secure key exchange, especially for AES-256 encryption [39], is sensible because of the rising vulnerability of lower AES levels to new algorithms like Grover, which represent a risk. This key is for AES 256-bit encryption which ensures protection against emerging cryptographic threats, including those from quantum advancements. Algorithms 1–3 provide an overview of the algorithmic structure of the CRYSTALS-Kyber scheme.

Key generation: The Kyber key generation process commences with the generation of random seeds $\rho$ and $\sigma$. Subsequently, a public matrix $\mathbf{A}$ is sampled from a ring with dimension $k\times k$. Random vectors $\mathbf{s}$ and $\mathbf{e}$ are then drawn from error distributions, contributing to the randomness and security of the key pair. The compressed vector $\mathbf{t}$ is computed by compressing the matrix-vector product of $\mathbf{A}$ and $\mathbf{s}$ added to $\mathbf{e}$, encapsulating essential information about the key pair. The public key $pk$ is meticulously formed by combining the generated seeds and the compressed vector, while the secret key $sk$ is simply the vector $\mathbf{s}$, thereby completing the key generation process in a manner that ensures both the privacy and integrity of the cryptographic system.

Algorithm 1 Crystal-Kyber key generation [35].

$\rho ,\sigma \leftarrow {\{0,1\}}^{256}$  $\mathbf{A}\sim R_q^{k\times k}:=\mathrm{Sam}\left(\rho \right)$  $(\mathbf{s},\mathbf{e})\sim {\beta }_{\eta }^k\times {\beta }_{\eta }^k:=\mathrm{Sam}\left(\sigma \right)$  $\mathbf{t}:={\mathrm{Compress}}_q(\mathbf{As}+\mathbf{e})$  return$(pk:=(\rho ,\mathbf{t}),sk:=\mathbf{s})$

CCAKEM encryption: Kyber CCAKEM encryption takes a message m and generates a shared key K along with a ciphertext c. The process involves generating a random key $\widehat{K}$ and a nonce r. The Kyber CPA encryption algorithm is then applied to generate the ciphertext $(\mathbf{u},v)$ using the public key and message. The shared key K is derived from hashing $\widehat{K}$ and the hash of the ciphertext.

Algorithm 2 Kyber.CCAKEM.Enc(pk) [35].

$m\leftarrow {\{0,1\}}^{256}$  $(\widehat{K},r):=\mathrm{G}(\mathrm{H}\left(pk\right),m)$  $(\mathbf{u},v):=\mathrm{Kyber}.\mathrm{CPA}.\mathrm{Enc}\left(\right(\mathbf{t},\rho ),m;r)$  $c:=(\mathbf{u},v)$  $K:=\mathrm{H}(\widehat{K},\mathrm{H}\left(c\right))$  return$(c,K)$

Key exchange verification: In the Kyber key exchange verification process, upon receiving a ciphertext $({\mathbf{u}}^{\prime },v^{\prime })$, the decryption takes place using the secret key $\mathbf{s}$. Subsequently, the shared key ${\widehat{K}}^{\prime }$ and nonce $r^{\prime }$ are recalculated in a manner analogous to the encryption procedure. To ensure the integrity of the received ciphertext, the Kyber CPA encryption algorithm is once again applied, regenerating a new ciphertext $({\mathbf{u}}^{\prime },v^{\prime })$. The comparison between the regenerated and received ciphertexts is pivotal: if they match, the shared key K is computed by hashing ${\widehat{K}}^{\prime }$ and the hash of the received ciphertext; conversely, if a mismatch occurs, an alternative key is derived by hashing a predetermined placeholder value z along with the hash of the received ciphertext. This multilayered verification mechanism solidifies the security and reliability of the Kyber key exchange protocol.

Algorithm 3 Crystal-Kyber key exchange verification [35].

Require: $m^{\prime }:=\mathrm{Kyber}.\mathrm{CPA}.\mathrm{Dec}(\mathbf{s},(\mathbf{u},v))$  $({\widehat{K}}^{\prime },r^{\prime }):=\mathrm{G}(\mathrm{H}\left(pk\right),m^{\prime })$  $({\mathbf{u}}^{\prime },v^{\prime }):=\mathrm{Kyber}.\mathrm{CPA}.\mathrm{Enc}((\mathbf{t},\rho ),m^{\prime };r^{\prime })$  if  $({\mathbf{u}}^{\prime },v^{\prime })=(\mathbf{u},v)$ then   return $K:=\mathrm{H}({\widehat{K}}^{\prime },\mathrm{H}\left(c\right))$  else   return $K:=\mathrm{H}(z,\mathrm{H}(c\left)\right)$  end if

2.3. CRYSTALS-Dilithium

The CRYSTALS-Dilithium scheme, a robust lattice-based digital signature scheme, stands as a stalwart guardian against the potential threats posed by quantum computers. In the evolving landscape of post-quantum cryptography, CRYSTALS-Dilithium shines as a beacon of security, ensuring the integrity and authenticity of digital signatures, even in the face of quantum advancements [40]. The practicality of CRYSTALS-Dilithium extends beyond theoretical constructs, ensuring that its security benefits are not just conceptual but also accessible and applicable in real-world scenarios [41]. Rigorous analysis and extensive proofs confirm the strong security of this scheme, reflecting the careful work of cryptographic researchers [42]. The design of CRYSTALS-Dilithium meets the highest standards of verifiable security, showing its trustworthiness and suitability for protecting sensitive digital transactions and communications. Notably, CRYSTALS-Dilithium has earned its prominence by being selected as a finalist in the NIST Post-Quantum Cryptography Standardization process [34]. This recognition highlights the scheme’s significance in the global cryptographic community and its potential to shape the future of secure digital communication. With its lattice-based architecture, flexibility in design, and practical applicability, CRYSTALS-Dilithium charts a strategic course in advancing secure digital signatures, effectively enhancing them against the looming quantum challenges anticipated with the widespread adoption of QKD in our networks.

CRYSTALS-Dilithium stands as an NIST finalist that offers various security levels designed for different requirements [34]. The scheme offers security levels based on NIST standards, including levels 2, 3, and 5. Each security level corresponds to specific parameter sets, ensuring a balance between security and computational efficiency as can be seen in

Table 4. Parameter sets for CRYSTALS-Dilithium.

Parameters	2	3	5
q	8,380,417	8,380,417	8,380,417
${\gamma }_1$	2	17	19
${\gamma }_2$	$(q-1)/88$	$(q-1)/32$	$(q-1)/32$
$(k,\ell )$	(4, 4)	(6, 5)	(8, 7)
$\eta$	2	4	2
$\beta$	78	196	120
$\omega$	80	55	75

.

Algorithms 4–6 provide an excellent foundation for the crucial CRYSTALS-Dilithium scheme in the context of the article that was submitted to NIST. These algorithms serve as the foundation for the main methods of cryptography and play a crucial part in ensuring the security of communication.

Key generation: Key generation is responsible for generating the cryptographic keys which create the secret key ($sk$) for signature generation and the public key ($pk$) for signature verification. This process begins with the utilization of seeds $\rho$ and ${\rho }^{\prime }$, alongside a key, to expand a public matrix A using the AES algorithm. This matrix A is structured as a $(k\times \ell )$ matrix and is composed of polynomials within the ring $R_q$ and $\zeta =256$. The seeds ${\rho }^{\prime }$ and a nonce are employed to generate vectors $s_1$ and $s_2$, with $s_1$ being of size l and $s_2$ being of size k. The multiplication of matrix A and vector $s_1$ is achieved through the forward number theoretic transform (NTT). The process iterates for the size of $s_2$ (or k times), wherein each iteration involves the multiplication of a single row of A and $s_1$, with the result stored in t. The matrix multiplication concludes by adding $s_2$ to t, followed by the reduction of the coefficients of t. Subsequently, $t_0$ and $t_1$ are separated from t, and a combination of $\rho$ and $t_1$ is utilized to form $pk$. The function shake256 generates an output $tr$ based on the input $pk$. The formation of $sk$ involves the amalgamation of $\rho$, the key, $tr$, $s_1$, $s_2$, and $t_0$. Notably, the key generation process yields both $sk$ and $pk$ at the same time.

Algorithm 4 Dilithium key generation [43].

Require: $\zeta \in {\{0,1\}}^{256}$ Ensure: $(\rho ,{\rho }^{\prime },K)\in {\{0,1\}}^{256}\times {\{0,1\}}^{512}\times {\{0,1\}}^{256}:=H\left(\zeta \right)$  $A\in {\mathbb{R}}^{k\times \ell }:=\mathrm{ExpandA}\left(\rho \right)$  $(s_1,s_2)\in S^{\ell }\times S^k:=\mathrm{ExpandS}\left({\rho }^{\prime }\right)$  $t:=A{s}_1+s_2$  $(t_1,t_0):={\mathrm{Power}2\mathrm{Round}}_q(t,d)$  $tr\in {\{0,1\}}^{256}:=H(\rho \parallel t_1)$  return $(pk=(\rho ,t_1),sk=(\rho ,K,tr,s_1,s_2,t_0))$

Signature generation: The cryptographic signature generation process begins by extracting seeds and values from $sk$, laying the foundation for crafting a robust signature. These elements, extracted with precision, play a pivotal role in shaping the ensuing signature. Alongside this extraction, the input message seamlessly integrates into the signature creation process, ensuring that the resulting signature faithfully represents the original message. In tandem with this integration, a collision-resistant hash function, $\mu$, undergoes computation, leveraging the message and additional inputs to fortify the integrity of the signature generation process. This hash serves as a critical component, adding an extra layer of security to the cryptographic framework. Furthermore, the expansion of matrix A marks a significant step in enhancing the security posture of the algorithm. The subsequent application of forward number theoretic transform (NTT) to pertinent vectors reinforces the cryptographic resilience of the system, contributing to the overall robustness of the signature generation process. As the execution unfolds, an infinite loop orchestrates the generation of an intermediate vector y, which undergoes meticulous scrutiny through matrix multiplication and various validation functions. This iterative process ensures that the signature meets stringent criteria, affirming its validity and reliability in cryptographic applications.

Algorithm 5 Dilithium signature generation [43].

Require: $sk=(\rho ,K,tr,s_1,s_2,t_0),M\in {\{0,1\}}^{\ast }$ Ensure: $\sigma =(\widehat{c},z,h)$  $A\leftarrow \mathrm{ExpandA}\left(\rho \right)\mu \leftarrow H(tr\parallel M){\rho }^{\prime }\leftarrow H(K\parallel \mu )$  $k\leftarrow 0\mathrm{abort}\leftarrow 1$  while abort do   $\mathrm{abort}\leftarrow 0$   $y\leftarrow \mathrm{ExpandMask}({\rho }^{\prime },k)$   $w\leftarrow A·y$   $w_1\leftarrow \mathrm{HighBits}$   $\widehat{c}\leftarrow H(\mu \parallel {\omega }_1)$   $c\leftarrow \mathrm{SampleInBall}\left(\widehat{c}\right)$   $z\leftarrow y+c·{\gamma }_1$   $r_0\leftarrow \mathrm{LowBits}(\omega -\mathrm{c}·s_2,2{\gamma }_2)$   if ${\parallel z\parallel }_{\infty }\ge {\gamma }_1-\beta$ or $\parallel r_0{\parallel }_{\infty }\ge {\gamma }_2-\beta$ then     $\mathrm{abort}\leftarrow 1$   else    $h\leftarrow \mathrm{MakeHint}(-c·t_0,\omega -c·s_2+c·t_0,2{\gamma }_2)$    if $\parallel c·t_0{\parallel }_{\infty }\ge {\gamma }_2$ or $\sum h_i>\omega$ then      $\mathrm{abort}\leftarrow 1$    end if    $k\leftarrow k+\ell$   end if  end while return $\sigma =(\widehat{c},z,h)$

Signature verification: The algorithm verifies the authenticity of a signature against its corresponding $pk$, ensuring secure communication. It begins by extracting the signature and $pk$ components. If the signature meets predefined conditions, indicating authenticity, the algorithm accepts it and copies the message. Otherwise, it promptly rejects the signature, safeguarding against potential tampering or unauthorized access.

Algorithm 6 Dilithium signature verification [43].

Require: $pk=(\rho ,t_1),M\in {\{0,1\}}^{\ast },\sigma =(\widehat{c},z,h)$ Ensure: Valid or Invalid  $\mathrm{A}\leftarrow \mathrm{ExpandA}\left(\rho \right)$  $\mu \leftarrow H(H(\rho \parallel t_1)\parallel M)$  $c\leftarrow \mathrm{SampleInBall}\left(\widehat{c}\right)$  $({\omega }_1,{\omega }_0)\leftarrow \mathrm{UseHint}(h,A·z-c·t_1·2^d)$  if ${\parallel z\parallel }_{\infty }<{\gamma }_1-\beta$ and $\widehat{c}=H(\mu \parallel {\omega }_1)$ and $\sum h_i\le \omega$ then   return Valid  return Invalid

2.4. Falcon

Falcon, with its foundation based on lattice-based cryptography, addresses an important need for cryptographic algorithms that maintains effectiveness and practicality while dealing with the power of quantum computers [24,25]. One of the outstanding features of this scheme is its remarkable efficiency in both signature generation and verification processes [44]. This efficiency sets Falcon apart by providing a solution that is not only secure against quantum adversaries but also practical for real-world deployment. The ability to achieve robust security without sacrificing performance positions Falcon as a vital candidate in the post-quantum cryptographic landscape. Its selection as another finalist in the NIST Post-Quantum Cryptography Standardization process underscores its credibility and the community’s confidence in its accuracy in cryptography [34]. Being an NIST finalist demonstrates its potential to become a recommended standard for secure communication in the future. Beyond its theoretical prowess, however, some researchers have reported problems with configuration and key generation timing, which can be a block to its widespread adoption [45]. Despite these challenges, its small public and private key sizes make it an attractive option for many applications, and ongoing research and development efforts are aimed at addressing these configuration issues. Although Falcon is undoubtedly a great choice in post-quantum cryptography, it is essential to note that NIST has selected CRYSTALS-Dilithium as its first choice for PQC digital signature schemes [34]. While Falcon has earned its place as an NIST finalist in standardization process and has received significant attention and interest within the cryptographic community, NIST’s preference for CRYSTALS-Dilithium shows the thorough assessment and selection process used to identify the best options for ensuring our digital future in a post-quantum era.

Falcon features parameter sets tailored to different security levels, providing flexibility in selecting an appropriate configuration based on specific requirements. The parameters, summarized in

Table 5. Parameter sets for Falcon.

Parameters	Falcon 256	Falcon 512	Falcon 1024
n	256	512	1024
$\varphi$	$x^{n+1}$	$x^{n+1}$	$x^{n+1}$
q	12,289	12,289	12,289
$\beta$	16,468,416	43,533,782	87,067,565

, play a crucial role in shaping Falcon’s security and efficiency. The parameter sets include values for n (dimension), $\varphi$ (modulus polynomial), q (modulus), ${\beta }^2$ (security parameter), signature size, and public key size. These parameters allow users to customize Falcon’s configuration to achieve the desired balance between security and performance.

During its setup process, Falcon employs a unique mathematical polynomial and a numerical input, employing these elements in a manner outlined in Algorithms 7–9. These algorithms work together to produce both the confidential secret key and the publicly accessible key, establishing the cryptographic foundation upon which the Falcon system operates securely and effectively.

Algorithm 7 Falcon key generation KeyGen($\varphi$, q) [46].

Require: A monic polynomial $\varphi \in \mathbb{Z}\left[x\right]$, a modulus q Ensure: A secret key (sk), a public key (pk)  $\mathbf{f},\mathbf{g},\mathbf{F},\mathbf{G},\mathbf{fl}\leftarrow \mathrm{NTRUGen}(\varphi ,q)$  $\mathbf{B}\leftarrow \left[\frac{g\mid -f}{G\mid -F}\right]$  $\widehat{\mathbf{B}}\leftarrow \mathrm{FFT}\left(\mathbf{B}\right)$  $\mathbf{G}\leftarrow \widehat{\mathbf{B}}\times {\widehat{\mathbf{B}}}^{\ast }$  $\mathrm{T}\leftarrow \mathrm{ffLDL}\left(\mathbf{G}\right)$  for each leaf of T do   $\mathrm{leaf}.\mathrm{value}\leftarrow \frac{\sigma }{\sqrt{\mathrm{leaf}.\mathrm{value}}}$  end for  $\mathrm{sk}\leftarrow (\widehat{\mathbf{B}},\mathrm{T})$  $h\leftarrow g{f}^{-1}\mathrm{mod}q$  $\mathrm{pk}\leftarrow h$  return sk, pk

Key generation: Algorithm 7 outlines the process of generating FALCON key pairs, which involves computing polynomials f, g, F, G, and h based on specific equations. These equations define relationships between the polynomials, ensuring the integrity of the generated keys.

To calculate these polynomials, a random number is generated which serves as a seed for initializing shake256. By using shake256 random numbers, the algorithm generates random polynomials f and g with a Gaussian distribution. If the squared norm of these polynomials exceeds predefined bounds or if the orthogonalized vector norms deviate from expected values, new polynomials are generated. The orthogonalized vector norm computation employs the fast Fourier transform (FFT) for efficiency.

The equations guiding the polynomial computation are as follows:

$$fG-gF=q\mathrm{mod}\varphi$$

(2)

$$h=g{f}^{-1}\mathrm{mod}(\varphi ,q)$$

(3)

Having obtained the f and g polynomials, the algorithm proceeds to compute the public key polynomial h, fulfilling the requirements of the first equation. Additionally, it solves the second equation (NTRU equation) to derive polynomials F and G. For the $sk$, the algorithm sequentially encodes the f, g, F, and G polynomials. Meanwhile, $pk$ is encoded by representing the polynomial h. Ultimately, the algorithm generates both the $sk$ and $pk$, ensuring the cryptographic integrity of the Falcon scheme.

Signature generation: Algorithm 8 outlines the steps for generating signatures in the FALCON scheme. It begins by generating a random seed for the hash function, followed by initializing the shake256 function with this seed. Subsequently, the algorithm computes a hash digest c from the salt r and the input message m. Next, $sk$, previously encoded during key generation, is decoded to retrieve the polynomials f, g, F, and G. If G is not extracted from $sk$, the algorithm calculates it. Leveraging these polynomials, the algorithm computes two short vectors $s_1$ and $s_2$ satisfying $s_1\equiv s_{2}h\mathrm{mod}q$, all while keeping $sk$ hidden. The short vector $s_2$ is then encoded and concatenated with the signature length, salt, message, and encoded $s_2$. These concatenated data are stored in the signature ($sig$). This process ensures the secure generation of FALCON signatures while maintaining the confidentiality of $sk$.

Algorithm 8 Falcon signature generation [46].

Require: A message $\mathrm{m}$, a secret key sk, a bound $⌊{\beta }^2⌋$ Ensure: A signature sig of $\mathrm{m}$  $\mathrm{r}\leftarrow {\{0,1\}}^{320}$ uniformly  $c\leftarrow \mathrm{HashToPoint}(\mathrm{r}\parallel \mathrm{m})$  $\mathbf{t}\leftarrow \left(-\frac{1}{q}\mathrm{FFT}\left(c\right)\odot \mathrm{FFT}\left(F\right),\frac{1}{q}\mathrm{FFT}\left(c\right)\odot \mathrm{FFT}\left(f\right)\right)$  do   do    $\mathrm{z}\leftarrow \mathrm{ffSampling}(\mathrm{t},\mathrm{T})$    $\mathrm{S}=(\mathrm{t}-\mathrm{z})\left[\frac{FFT\left(g\right)\mid -FFT\left(f\right)}{FFT\left(G\right)\mid -FFT\left(F\right)}\right]$   while ${\parallel \mathbf{S}\parallel }^2>{\beta }^2$   $\left(s_1,s_2\right)\leftarrow \mathrm{invFFT}\left(\mathbf{s}\right)$   $s\leftarrow \mathrm{Compress}\left(s_2,8·\mathrm{sbytelen}-328\right)$  while $(s=\perp )$  return sig = $(r,s)$

Signature verification: The verification algorithm, described in Algorithm 9, initiates by computing the combination of the initial component of the signature and the message using the HashToPoint function, resulting in a point on a modulo q. This step lays the groundwork for further validation. Following this, the algorithm proceeds to decompress the second component of the signature. If the decomposition fails, indicating potential tampering or invalidity, the algorithm promptly rejects the signature, ensuring the integrity of the verification process. Subsequently, the algorithm computes $s_1$ by subtracting the hash digest c from the decompressed $s_1$ multiplied by $pk$, all under modulo q. This computation is crucial in validating the authenticity of the signature against the provided $pk$. A pivotal aspect of the verification process is the evaluation of the squared aggregate vector $(s_1,s_2)$ against a predefined bound $⌊{\beta }^2⌋$. If the squared norm of this vector meets or falls below the specified threshold, indicating adherence to expected parameters, the algorithm accepts the signature. However, if the squared norm exceeds the bound, signifying potential irregularities or deviations from expected behavior, the algorithm rejects the signature, safeguarding against potential security threats or inaccuracies in the verification process.

Algorithm 9 Falcon verification $(\mathrm{m},\mathrm{sig},\mathrm{pk},⌊{\beta }^2⌋)$ [46].

Require: A message $\mathrm{m}$, a signature sig $=(\mathrm{r},\mathrm{s})$, a public key $\mathrm{pk}=h\in {\mathbb{Z}}_q\left[x\right]/\left(\varphi \right)$, a bound $⌊{\beta }^2⌋$ Ensure: Accept or Reject  $c\leftarrow \mathrm{HashToPoint}(\mathrm{r}\parallel \mathrm{m},q,n)$  $s_2\leftarrow \mathrm{Decompress}(\mathrm{s},8·\mathrm{sbytelen}-328)$  if $s_2$ = ⊥   return Reject  $s_1\leftarrow c-s_{2}h\mathrm{mod}q$  if ${∥\left(s_1,s_2\right)∥}^2\le ⌊{\beta }^2⌋$   return Accept  else   return Reject

2.5. Evaluation of PQC Algorithms

Before evaluating the three algorithms, it is essential to explain lattice-based cryptography, as they all operate using this method. Lattice-based cryptography relies on the hardness of lattice problems which are believed to be resistant to quantum attacks. Although some researchers have suggested that lattice-based cryptography might be vulnerable because of potential algorithmic weaknesses, further studies have identified errors in these assessments which confirmed the security of lattice-based cryptography methods again [47]. CRYSTALS-Kyber is efficient and secure due to the hardness of module lattice problems, with relatively small key sizes. However, it has potential side-channel vulnerabilities and larger ciphertext sizes compared to traditional algorithms. CRYSTALS-Dilithium offers fast signing and verification with robust security, but has larger public keys and signatures, and its implementation can be complex for some applications. Falcon features compact signatures and high verification speed, supported by a strong theoretical foundation. However, it can be complex to implement, may face numerical stability issues, and has larger key sizes. While previous research on using PQC schemes for QKD introduced valuable insights [48,49,50], there is still a research gap regarding the optimal solution for addressing both encryption and authentication in QKD. In the next section, we introduce our approach to answer this question.

3. Methodology

This methodology outlines our comprehensive approach to exploring the integration of quantum key distribution and post-quantum cryptography, with a primary focus on leveraging Qiskit as a quantum simulation platform. Qiskit, an open-source software development kit (SDK) developed by IBM Research, serves as an effective research tool, enabling us to investigate quantum communications and its advantages over traditional cryptographic primitives [51].

3.1. Quantum Simulation with Qiskit

The methodology begins by using Qiskit for modeling quantum processes. Within this advanced quantum simulation environment, we explored the complexities of quantum computations, allowing us to model and evaluate potential quantum attacks. This advanced quantum computing framework is critical to ensuring the practicability and high precision of our research. It makes it easier to generate simulated data, which provide useful insights into quantum system operation and possible vulnerabilities. These simulated data become an important component for testing and confirming the strength of classical communication channels against quantum threats, hence contributing to a thorough understanding of quantum-resistant cryptographic algorithms and their real-world applications.

3.2. BB84 Protocol

In our experimental methodology, we proceed with the understanding that the security of the BB84 protocol has been carefully tested and verified in prior research papers [32,52,53]. As a result, we focus on the practical implementation and performance aspects of BB84 without directly considering the presence of an eavesdropper (Eve) in our specific experiments. Our objective is to assess the applicability and efficiency of the protocol within the confines of a controlled and without any eavesdropper. Since QKD works with the no-cloning theorem, which states that it is impossible to create perfect copies of an unknown quantum state [17], it will be impossible for Eve to make a perfect copy of a transmitting qubit over the quantum channel. Any act on the qubit will ultimately cause some errors, which can be detected by both Alice and Bob.

As previously discussed in the literature review, consider a quantum state $|\psi \rangle$ expressed as a linear combination of basis states:

$$|\psi \rangle =\alpha |0\rangle +\beta |1\rangle$$

(4)

Suppose there exists a unitary operator U that can clone any quantum state:

$$U\left(\right|\psi \rangle \otimes |0\rangle )=|\psi \rangle \otimes |\psi \rangle$$

(5)

To test this assumption, substitute $|\psi \rangle =\alpha |0\rangle +\beta |1\rangle$ into the cloning operation:

$$U\left(\right(\alpha |0\rangle +\beta |1\rangle )\otimes |0\rangle )=(\alpha |0\rangle +\beta |1\rangle )\otimes (\alpha |0\rangle +\beta |1\rangle )$$

(6)

Expanding the right-hand side:

$$\left(\alpha \right|0\rangle +\beta |1\rangle )\otimes \left(\alpha \right|0\rangle +\beta |1\rangle )={\alpha }^2|0\rangle \otimes |0\rangle +\alpha \beta |0\rangle \otimes |1\rangle +\beta \alpha |1\rangle \otimes |0\rangle +{\beta }^2|1\rangle \otimes |1\rangle$$

(7)

Next, considering the linearity property of unitary operators and assuming perfect cloning by U:

$$U\left(\right(\alpha |0\rangle +\beta |1\rangle )\otimes |0\rangle )=\alpha U(|0\rangle \otimes |0\rangle )+\beta U(|1\rangle \otimes |0\rangle )$$

(8)

Given U performs perfect cloning:

$$U\left(\right|0\rangle \otimes |0\rangle )=|0\rangle \otimes |0\rangle ,U\left(\right|1\rangle \otimes |0\rangle )=|1\rangle \otimes |1\rangle$$

(9)

Substituting these results:

$$\alpha U\left(\right|0\rangle \otimes |0\rangle )+\beta U\left(\right|1\rangle \otimes |0\rangle )=\alpha \left(\right|0\rangle \otimes |0\rangle )+\beta \left(\right|1\rangle \otimes |1\rangle )$$

(10)

Comparison of this with the expanded form reveals:

$$\alpha \left(\right|0\rangle \otimes |0\rangle )+\beta \left(\right|1\rangle \otimes |1\rangle )\ne {\alpha }^2|0\rangle \otimes |0\rangle +\alpha \beta |0\rangle \otimes |1\rangle +\beta \alpha |1\rangle \otimes |0\rangle +{\beta }^2|1\rangle \otimes |1\rangle$$

(11)

This difference shows that no unitary operator U can clone an arbitrary quantum state. As a consequence, the QKD quatnum channel will be considered secure against eavesdropping attacks.

The QKD protocol involves a series of steps to secure quantum communication:

• Alice’s initialization: Alice begins the quantum key distribution process by choosing a set of random bits and corresponding random bases. She keeps this information private to avoid unauthorized access.
• Encoding qubits: Alice encodes each bit into a string of qubits using the selected bases. This encoding process is necessary to ensure trustworthy transmission. She sends the encrypted data to Bob in the form of a qubit string, which is Alice’s result.
• Bob’s measurement: When Bob receives Alice’s encoded qubit string, he randomly measures each qubit using his own set of randomly selected bases. By keeping the measurement results private, Bob protects the confidentiality of the communication and the process’s integrity.
• Basis disclosure: Following the measurement step, Bob and Alice reveal the bases used for each qubit. This disclosure allows both parties to match their measurement bases which helps in the creation of a shared secret key. Incompatible bases and their bit values will be removed.
• Verification: To confirm that the key was successfully transmitted, Bob and Alice share random samples of their keys. By comparing these samples, they can ensure that the transmission is accurate within a very small range of error. This verification stage is essential for determining the reliability of the quantum key distribution process.

Table 6. Knowledge exchange protocol.

Steps	Alice’s Information	Over Eve’s Communication Channel	Bob’s Information
1	Alice’s classical bits
	Alice’s choice of bases
2	Qubits	Qubits	Qubits
3			Bob’s chosen bases
			Bob’s measurement results
4		Alice’s chosen bases	Alice’s chosen bases
	Bob’s chosen bases	Bob’s chosen bases
5	Alice’s encrypted key (noisy)		Bob’s encrypted key (noisy)
6	Bob’s measurement sample	Bob’s measurement sample	Bob’s measurement sample
	Alice’s measurement sample	Alice’s measurement sample	Alice’s measurement sample
7	Shared secret key		Shared secret key

provides a concise summary of how knowledge is distributed throughout the QKD BB84 protocol.

In the QKD BB84 protocol, the classical channel simulation plays a crucial role and it works after Bob’s measurement, which is the third step. At this stage, Bob successfully receives the qubits and obtains the measurement outcomes. During this pivotal phase, Alice and Bob collaborate to establish both public and private keys, enhancing the security of their digital communications.

Moving forward, this research centers on the CRYSTALS-Kyber algorithm, the renowned KEM within the realm of PQC. The primary objective is to securely exchange a symmetric key between Alice and Bob, leveraging CRYSTALS-Kyber as a KEM. This key will subsequently facilitate AES 256-bit encryption between the two parties.

Expanding the scope of our research, we delve into digital signature mechanisms in the context of quantum computing. We assess two significant contenders in this domain, CRYSTALS-Dilithium and Falcon. The evaluation centers on their ability to ensure message integrity and authenticity within a quantum computing environment, as well as their resistance to quantum attacks. In this stage, we want to check the performance of both PQC digital signature schemes to find the best combination of our authenticated encryption scheme for QKD.

3.3. Classical Channel Simulation

As can be seen in Figure 1, in a precisely designed series of actions, Alice and Bob independently generate their chosen digital signature public and private keys. They right away exchange the public keys between them, and Alice goes a step further by generating Kyber’s public and private keys. She applies her chosen digital signature algorithm to sign her public key, marking a critical stage in the secure key exchange process. Bob then takes on the role of the verifier, receiving Alice’s Kyber public key and employing the designated digital signature algorithm to authenticate its origin, thereby confirming Alice’s identity and preserving the integrity of the transmitted data. Demonstrating cryptographic sophistication, Bob generates a robust 256-bit random string. He encapsulates this string using Alice’s public key and appends a digital signature, ensuring the security of the entire package, which represents a securely determined secret dispatched back to Alice. Upon receipt of this encapsulated key packet, Alice initiates a series of cryptographic operations to validate its authenticity. She subjects the encapsulated data to rigorous verification processes, all relying on the public key associated with the chosen digital signature algorithm. Once the integrity of the data is confirmed, she proceeds to decrypt the encapsulated string with her private Kyber key. Through these intricate algorithms and complex mechanisms, including encapsulation, signing, and verification, Alice and Bob successfully share a reliable 256-bit key, serving as the cornerstone of their secure digital communication. This key ensures data confidentiality, authentication, and trustworthiness. Finally, with the shared key in hand, both parties can employ AES symmetric encryption with utmost confidence in the security and privacy of their information exchange, thanks to their meticulous orchestration of cryptographic protocols, which has forged an unbreakable bond of trust in their digital communications.

3.4. Implementation Details

To implement PQC algorithms, the project applies several libraries, include the GiacomoPope/kyber-py [54] for Kyber, GiacomoPope/dilithium-py [55] for Dilithium, and tprest/falcon.py [56] for Falcon. The PQC algorithms are designed and executed with the Qiskit library [57], which manipulates quantum circuits and provides the simulation for quantum protocol and algorithms. This includes operations such as quantum key generation, encoding, and decoding qubits. The PyCrypto library [58] for AES encryption. Execution timing is performed with time library [59] and performance evaluation is conducted using NumPy [60] for numerical computations. To test this setup, including key generation, encapsulation, decapsulation, signing, and verification, the project was executed on a Windows 10 64-bit system. The hardware configuration consists of an Intel(R) Core(TM) i7-8750H CPU @ 2.20 GHz and 12 GB RAM.

4. Results

Table 7. Key generation times (ms).

Security Level	Key Generation (ms)
Kyber 512	31.2
Kyber 768	78.1
Kyber 1024	93.72
Dilithium 2	62.42
Dilithium 3	93.73
Dilithium 5	171.87
Falcon 256	6606.39
Falcon 512	10,016.76
Falcon 1024	53,601.41

and Figure 2, Figure 3 and Figure 4 show a wide range of performance benchmarks, providing an extensive analysis of the effectiveness and efficiency of three well-known cryptographic schemes: CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. These resources move beyond simple comparisons, delving into the details of major generation times, and exposing insights critical for informed decision making. The evident pattern of increasing key generation times with increasing security levels gives meaningful information about the challenging balancing of security robustness and computational needs. This discovery highlights the dynamic nature of cryptographic algorithms and how they respond to increased security needs. The shift from Dilithium to Falcon is particularly notable as large alterations in key generation times become apparent. This highlights the different structural complexities built into each signature method. Such detailed information helps administrators to navigate the complicated field of cryptographic options, and it also offers a mindful selection that meets not just severe security requirements but also realistic performance limitations.

In basic terms, the benchmarks serve as both an in-depth guide and a strategy that shows the numerous choices related to cryptographic decisions. By providing a more in-depth understanding of these compromises, administrators obtain essential insights into the dynamic connection between security and performance concerns. This detailed perspective makes it easier to select cryptographic algorithms that are perfectly suited to the specific security and performance needs of a given application or system. Essentially, these benchmarks function as guidelines which lead the path to making optimal cryptographic decisions in the continuously changing field of digital security.

In Figure 5, signature sizes, we have a comparison of the sizes of cryptographic signatures for different algorithms and configurations. The x-axis represents our various cryptographic algorithms and their key sizes, including Falcon 256, Falcon 512, Falcon 1024, Dilithium 2, Dilithium 3, and Dilithium 5. The y-axis represents the size of the signatures in bytes. Falcon 256 has the smallest signature size at 356 bytes, followed by Falcon 512 at 666 bytes, and Falcon 1024 with the largest signature size at 1280 bytes. On the other hand, the Dilithium signature sizes, which are Dilithium 2, Dilithium 3, and Dilithium 5, are larger, beginning with 2420 to 4595 bytes. This figure provides the efficiency of different signature schemes in terms of signature size. As the security level increases, the size increases as well. Figure 6, ciphertext sizes for CRYSTALS-Kyber configurations, represents the sizes of ciphertexts generated by all three security levels of the CRYSTALS-Kyber cryptographic algorithm including Kyber 512, Kyber 768, and Kyber 1024. Examining these data, we can see that Kyber 512 generates ciphertexts of size 768 bytes, Kyber 768 produces ciphertexts of size 1088 bytes, and Kyber 1024 results in ciphertexts of size 1568 bytes. This figure illustrates how the choice of Kyber security level impacts the size of ciphertexts, which is essential for assessing the trade-off between security and efficiency in cryptographic applications.

Significant differences in key size, cipher size, and signature size among algorithms arise from their principles and design. In CRYSTALS-Kyber, the public key consists of a matrix and some random values used in the encryption process. This public key size is quite large. The ciphertext is generated during the encryption process and includes some compressed values derived from the public key and the message. Compression techniques are used to reduce the size of these values, which makes the ciphertext smaller than the public key. CRYSTALS-Dilithium also uses lattice-based cryptography. It achieves a lower signature size than the key size by using structured lattices. Falcon is based on the NTRU lattice problem and uses the FFT for optimization. This allows Falcon to achieve very compact signatures and smaller key sizes compared to other lattice-based algorithms.

Figure 7, Figure 8 and Figure 9 provide a detailed examination of the encapsulation time of CRYSTALS-Kyber across various signing algorithms. These figures illustrate the time, measured in milliseconds, needed to encapsulate data for different security levels. It is important to observe that as security levels increase, the time required for this operation also increases. This increase in time reflects the enhanced security and encryption offered by these algorithms. Achieving the right balance between security and time efficiency is crucial for specific use cases.

Figure 10, Figure 11 and Figure 12 offer valuable insights into the timeline for decapsulation and verification, focusing on the complex process of decrypting and verifying data secured using CRYSTALS-Kyber and different signing algorithms. Notably, a moderate increase in time becomes evident as security levels rise, offering a trade-off for improved protection. It is worth emphasizing that when utilizing CRYSTALS-Dilithium, the time investment remains considerably lower compared to both encapsulation and signing. This illustrates its efficiency, a crucial consideration tailored to a variety of use cases and security requirements.

Figure 13 and Figure 14 illustrate the performance of three Kyber post-quantum cryptographic variants (Kyber 512, Kyber 768, and Kyber 1024) in terms of total data size (x-axis in bytes) and processing time (y-axis in milliseconds). Each point on the graph represents a digital signature that is combined with the specified Kyber variant. In Figure 13, starting from Falcon 256, the graph progresses to Falcon 512 and Falcon 1024, demonstrating the variations in processing time concerning different signature sizes. In Figure 14, the focus shifts to Dilithium, with points corresponding to Dilithium 2, Dilithium 3, and finally Dilithium 5. This comprehensive visualization provides insights into the trade-offs between signature size and processing time for each cryptographic scheme. For Kyber 512, processing time increases with data size, and a similar trend is observed for Kyber 768 and Kyber 1024. These figures are valuable documents for selecting the appropriate Kyber variant tailored to specific application needs, allowing for a well-informed decision that balances security and efficiency considerations. Kyber 512 offers quicker processing for smaller data sizes, while Kyber 1024 provides higher security at slightly longer processing times.

Additionally,

Table 8. Encapsulation and signing, decapsulation, and verification times.

Cipher Combination	Encapsulation and Signing (ms)	Decapsulation and Verification (ms)
Kyber 512 and Falcon 256	78.13	78.44
Kyber 768 and Falcon 256	93.72	124.97
Kyber 1024 and Falcon 256	124.97	140.92
Kyber 512 and Falcon 512	124.97	78.07
Kyber 768 and Falcon 512	124.94	140.52
Kyber 1024 and Falcon 512	156.21	156.21
Kyber 512 and Falcon 1024	187.45	109.68
Kyber 768 and Falcon 1024	203.11	156.23
Kyber 1024 and Falcon 1024	250.19	171.86
Kyber 512 and Dilithium 2	187.45	140.52
Kyber 768 and Dilithium 2	422.10	171.84
Kyber 1024 and Dilithium 2	437.77	203.48
Kyber 512 and Dilithium 3	359.29	171.83
Kyber 768 and Dilithium 3	593.94	203.07
Kyber 1024 and Dilithium 3	453.01	234.37
Kyber 512 and Dilithium 5	656.02	249.94
Kyber 768 and Dilithium 5	718.61	296.77
Kyber 1024 and Dilithium 5	1000.07	312.75

,

Table 9. Cipher sizes.

Cipher	Cipher Size (bytes)
Kyber 512	768
Kyber 768	1088
Kyber 1024	1568

,

Table 10. Signature sizes.

Cipher	Signature Size (bytes)
Falcon 256	356
Falcon 512	666
Falcon 1024	1280

and

Table 11. Signature sizes.

Cipher	Signature Size (bytes)
Dilithium 2	2420
Dilithium 3	3293
Dilithium 5	4595

offer an in-depth overview of all cryptographic settings, showing the complex relationships between cipher sizes, signature sizes, and the time needed for key operations. As we peruse the data, we discern intriguing patterns and trade-offs. For instance, increasing the security level of cryptographic algorithms, such as transitioning from Kyber 512 to Kyber 1024, leads to larger cipher and signature sizes. However, this enhancement in security comes at a cost, as both encapsulation and signing times also increase. Notably, the signature size experiences substantial variations as we switch between Dilithium and Falcon, showcasing how different signature algorithms can drastically alter the size of the digital seal appended to messages. In contrast, the cipher size remains fairly stable within each security level of the Kyber algorithm, emphasizing that the core encryption method has a more consistent impact on the size of the encrypted data. This insight into the relationship between signature schemes and signature size versus the influence of encryption algorithms on cipher size provides valuable guidance for tailoring cryptographic solutions to specific security and efficiency requirements.

To have a logical comparison between PQC schemes and RSA, we choose to compare the three security levels of PQC algorithms with RSA key sizes of 3072, 7680, and 15,360 bits. In order to achieve the optimal balance between the security and performance of PQC schemes, we used RSA as secure KEM and digital signature to gain similar results to previous ones.

Table 12. RSA performance.

Key Size	Key Generation (ms)	Encapsulation and Signing (ms)	Decapsulation and Verification (ms)
3072	334.34	16.76	15.66
7680	4461.05	49.21	33.69
15,360	39,045.80	199.52	189.16

shows the performance of different key sizes, which also demonstrates the security of RSA.

From these results of RSA performance and security levels, we choose Kyber 512 with Dilithium 3 as the optimal combination that has a great balance between security and speed. When comparing the choice of Dilithium 3 with Kyber 512 against RSA and Falcon combinations, several factors influence the decision. RSA offers dual functionality as both a digital signature and a KEM, with established security but increasingly longer key generation times at higher security levels (up to 39,045.80 ms for RSA-15360). Falcon, while efficient in operational times, requires extensive key generation times (up to 10,016.76 ms for Falcon 512), which makes it less suitable for applications requiring quick key setup. In contrast, Kyber 512 with Dilithium 3 maintains a balance by providing a total key generation time of 124.93 ms (31.2 ms for Kyber 512 and 93.73 ms for Dilithium 3). This combination also offers reasonable operational times with encapsulation and signing at 359.29 ms and decapsulation and verification at 171.83 ms. As a result, Kyber 512 and Dilithium 3 present a compelling option that provides the best combination of efficient key generation, reasonable operational times, and high security requirements, making them an acceptable substitute to both RSA and Falcon in post-quantum cryptographic applications.

5. Discussion

As we discussed, in the future, when quantum computers could represent an issue, post-quantum encryption will depend on robust and computationally secure methods to protect sensitive data. The standardization of algorithms by NIST has led to the attention and acceptance of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. However, NIST advises CRYSTALS-Dilithium as the preferred option for digital signatures and CRYSTALS-Kyber as the first PQC key exchange technique. Lattice-based cryptography issues are at the core of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon.

In our results in comparing post-quantum cryptographic solutions, the combination of Kyber 512 and Dilithium 3 proved superior when balancing key generation time, operational performance, and security. The performance of RSA declined significantly with larger key sizes; however, Falcon was efficient in operating times but has long key creation times (up to 10,016.76 ms for Falcon 512), making it unsuitable for rapid key setup. Kyber 512 and Dilithium 3 provide an optimal option, with a total key generation time of 124.93 ms, encapsulation and signature at 359.29 ms, and decapsulation and verification at 171.83 ms.

Despite their robustness, there remains a concern that these algorithms may eventually expose vulnerabilities, emphasizing the need for continuous scrutiny in the field. QKD, on the other hand, is secure based on the principles of quantum mechanics. This raises the question of whether using technically safe authentication methods could negatively impact the security of QKD. It is crucial to clarify that the authentication strategy used in QKD only needs to be temporarily secure. Therefore, there is often no need for concern regarding the computational security of the encapsulation and authentication procedures.

If the encapsulation or authentication procedures were compromised during the use of the QKD protocol, a man-in-the-middle attack could be executed successfully. However, even if such a breach occurred after the key exchange, the security of the quantum-distributed symmetric encryption keys would remain intact. In the rare instance that the encapsulation and authentication methods employed in QKD become vulnerable to an attacker with significant computational resources, a straightforward countermeasure would be to update the algorithm to a more secure one. This could be achieved without ever placing the keys produced by QKD at risk.

This shows the importance of flexibility and adaptability in cryptographic protocols. As computational power increases and new vulnerabilities are discovered, the ability to quickly update and improve encryption and authentication methods becomes crucial. The concept of forward secrecy (FS), also known as perfect forward secrecy (PFS), where past communications remain secure even if current keys are compromised, is particularly relevant here. By ensuring that each key exchange session is independently secure, we can protect the integrity of encrypted data over time.

Moreover, the use of computationally secure encapsulation and authentication in QKD does not compromise its security, rendering privacy amplification unnecessary. This illustrates an appropriate justification for integrating post-quantum cryptographic methods with QKD, enhancing the overall security framework without introducing new vulnerabilities.

6. Conclusions and Future Work

In this research, we introduced a new approach for using PQC for the classic channel of QKD and presented an optimal combination for both encryption and authentication. The choice of the best security level for cryptographic algorithms like CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon ultimately depends on striking the right balance between the required level of security and the performance and limits on resources set by the intended use case. These cryptographic techniques each provide a range of security levels that are differentiated by many factors, such as key sizes, signature sizes, and computing demands. Higher security levels, including Kyber 1024, Dilithium 5, and Falcon 1024, often offer more powerful security assurances, making them desirable options for applications where strong security is crucial. It is important to understand, nevertheless, that this increased security frequently results in larger signatures and slower cryptographic procedures. The “best” security level must, thus, be specifically customized for the application in question’s unique security needs and performance limits. For instance, Kyber 512 and Dilithium 3 represent well-balanced choice, offering a commendable compromise between security and performance. They can be widely adopted and considered secure for most practical purposes. However, we should consider that the Falcon worked well in terms of signing and verification but its performance was not good in the key generation phase.

There are various unexplored options for future investigation. Future research could delve deeper into symmetric encryption methods in order to gain a more in-depth understanding of AES’s security and its future among the other schemes. Additionally, an investigation into quantum secure communication in quantum repeaters is also significant. This study creates the groundwork for future study and allows researchers interested in the implementation of PQC schemes to contribute to the continuous advancement of knowledge in this field.