Traditional QKD networks rely on trusted relays, where keys are exposed in plaintext at relay nodes, introducing single-point compromise vulnerabilities. This work proposes a zero-trust QKD relay architecture that eliminates both physical and logical trust assumptions on relay nodes. The core method introduces the first one-time-pad (OTP) re-encryption mechanism for QKD relaying based on fully homomorphic encryption (FHE), enabling end-to-end ciphertext-only key forwarding. It further decouples key generation from QKD hardware to enhance cryptographic agility and resilience, and ensures compatibility with ETSI QKD standards while supporting external quantum random number generators. Evaluated on a hybrid simulation and commercial QKD hardware platform, the architecture overcomes fiber-distance limitations, significantly improving scalability and practical security of large-scale QKD networks.

Quantum key distribution (QKD) enables unconditionally secure symmetric key exchange between parties. However, terrestrial fibre-optic links face inherent distance constraints due to quantum signal degradation. Traditional solutions to overcome these limits rely on trusted relay nodes, which perform intermediate re-encryption of keys using one-time pad (OTP) encryption. This approach, however, exposes keys as plaintext at each relay, requiring significant trust and stringent security controls at every intermediate node. These"trusted"relays become a security liability if compromised. To address this issue, we propose a zero-trust relay design that applies fully homomorphic encryption (FHE) to perform intermediate OTP re-encryption without exposing plaintext keys, effectively mitigating the risks associated with potentially compromised or malicious relay nodes. Additionally, the architecture enhances crypto-agility by incorporating external quantum random number generators, thus decoupling key generation from specific QKD hardware and reducing vulnerabilities tied to embedded key-generation modules. The solution is designed with the existing European Telecommunication Standards Institute (ETSI) QKD standards in mind, enabling straightforward integration into current infrastructures. Its feasibility has been successfully demonstrated through a hybrid network setup combining simulated and commercially available QKD equipment. The proposed zero-trust architecture thus significantly advances the scalability and practical security of large-scale QKD networks, greatly reducing reliance on fully trusted infrastructure.