🤖 AI Summary
This work addresses the challenge of scalable, end-to-end post-quantum secure communication in multi-hop trusted-node quantum networks by proposing a hierarchical, modular architecture that combines quantum key distribution (QKD) with post-quantum cryptography (PQC). QKD supplies the periodically rotated pre-shared keys for hop-by-hop WireGuard tunnels between trusted nodes, while the Rosenpass protocol runs on top of those tunnels to perform an end-to-end PQC key exchange. The design achieves post-quantum forward secrecy and strong authentication without modifying existing QKD hardware or protocols, so it can be layered onto current infrastructure. A prototype built from WireGuard tunnels, the ETSI GS QKD 014 key delivery interface, and open-source components shows low overhead, high availability, and fail-safe operation in simulated and lab multi-hop test-beds, supporting the scheme's practicality alongside its security guarantees.
📝 Abstract
We present a layered and modular network architecture that combines Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) to provide scalable end-to-end security across long-distance, multi-hop, trusted-node quantum networks. To ensure interoperability and efficient practical deployment, hop-wise tunnels between physically secured nodes are protected by WireGuard with periodically rotated pre-shared keys sourced via the ETSI GS QKD 014 interface. On top of these tunnels, Rosenpass performs a PQC key exchange to establish an end-to-end data channel without modifying deployed QKD devices or network protocols. This dual-layer composition yields post-quantum forward secrecy and authenticity under practical assumptions. We implement the design using open-source components and validate and evaluate it in simulated and lab test-beds. Experiments show uninterrupted operation over multi-hop paths, a low resource footprint, and working fail-safe mechanisms. We further discuss the design's compositional security, wherein the security of each individual component is preserved under their combination, and outline migration paths for operators integrating QKD-aware overlays into existing infrastructures.
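The hop-wise layer described above is a small control loop: the master-side node requests a key from its key management entity (KME) over the ETSI GS QKD 014 REST interface, forwards only the key's identifier to the far end of the hop, the far end fetches the same key by identifier from its own KME, and both sides install the 256-bit key as the WireGuard pre-shared key for that peer. The following is an added example, not code from the paper or its prototype. It simulates the two KMEs of one hop with a single in-memory object (`FakeKME`, an assumption standing in for two KMEs that already share QKD-derived keys; it returns random bytes, not QKD key material) and reproduces the 014 JSON shapes (`keys`, `key_ID`, `key`, `key_IDs`) so the validation and fail-safe logic can run offline. The SAE names, the `wg0` interface, and the PSK file path are placeholders; the fail-safe policy (keep the last known-good PSK on any error rather than drop to a tunnel without one) is this example's choice, not a claim about the paper's mechanism.

```python
"""Hop-wise WireGuard PSK rotation from an ETSI GS QKD 014 key delivery API.
Added example: the KME is simulated in memory and hands out random bytes in
place of QKD-derived keys; only the 014 message shapes are real."""
import base64
import json
import secrets
import uuid
from typing import Dict, List, Optional, Tuple

WG_PSK_BYTES = 32  # WireGuard pre-shared keys are exactly 256 bits


class FakeKME:
    """Stand-in for the pair of KMEs on one hop. Real deployments have one KME
    per node sharing QKD keys; here one object serves both SAEs (assumption)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    # GET /api/v1/keys/{slave_SAE_ID}/enc_keys?size=<bits>   (master SAE side)
    def get_enc_keys(self, slave_sae_id: str, size: int = 352) -> bytes:
        key_id = str(uuid.uuid4())
        key = secrets.token_bytes(size // 8)  # random filler, NOT a QKD key
        self._keys[key_id] = key
        body = {"keys": [{"key_ID": key_id, "key": base64.b64encode(key).decode()}]}
        return json.dumps(body).encode()

    # POST /api/v1/keys/{master_SAE_ID}/dec_keys  body {"key_IDs":[{"key_ID":..}]}
    def post_dec_keys(self, master_sae_id: str, request_body: bytes) -> bytes:
        wanted: List[str] = [k["key_ID"] for k in json.loads(request_body)["key_IDs"]]
        keys = []
        for key_id in wanted:
            key = self._keys.pop(key_id, None)  # each QKD key is single-use
            if key is None:
                raise LookupError(f"unknown or already consumed key_ID {key_id}")
            keys.append({"key_ID": key_id, "key": base64.b64encode(key).decode()})
        return json.dumps({"keys": keys}).encode()


def parse_single_key(body: bytes) -> Tuple[str, bytes]:
    """Validate a 014 key container and return (key_ID, raw key). Anything
    other than exactly one 256-bit key is rejected, so a KME configured for
    a different key size can never yield a short or padded WireGuard PSK."""
    keys = json.loads(body).get("keys")
    if not isinstance(keys, list) or len(keys) != 1:
        raise ValueError("expected exactly one key in the container")
    entry = keys[0]
    raw = base64.b64decode(entry["key"], validate=True)
    if len(raw) != WG_PSK_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, WireGuard needs {WG_PSK_BYTES}")
    return str(entry["key_ID"]), raw


def wg_psk_encode(raw: bytes) -> str:
    """The file given to `wg set ... preshared-key FILE` holds the base64 key."""
    if len(raw) != WG_PSK_BYTES:
        raise ValueError("PSK must be 32 bytes")
    return base64.b64encode(raw).decode()


def wg_set_psk_argv(iface: str, peer_pubkey: str, psk_file: str) -> List[str]:
    """argv that installs a rotated PSK for one peer; wg(8) applies it on the
    next handshake without tearing the tunnel down."""
    return ["wg", "set", iface, "peer", peer_pubkey, "preshared-key", psk_file]


def rotate_hop(kme: FakeKME, master_sae: str, slave_sae: str,
               current_psk: Optional[bytes], size_bits: int = 256
               ) -> Tuple[Optional[bytes], Optional[str]]:
    """One rotation round for one hop. The master fetches a fresh key and
    forwards only its key_ID (over the existing tunnel); the slave fetches the
    same key by ID. Both sides must agree on ID and value. On any failure the
    current PSK is kept (fail-safe: never fall back to a PSK-less tunnel) and
    the returned key_ID is None so the caller can raise an alarm."""
    try:
        key_id, master_key = parse_single_key(kme.get_enc_keys(slave_sae, size=size_bits))
        request = json.dumps({"key_IDs": [{"key_ID": key_id}]}).encode()
        slave_id, slave_key = parse_single_key(kme.post_dec_keys(master_sae, request))
        if slave_id != key_id or slave_key != master_key:
            raise ValueError("key_ID or key value mismatch across the hop")
    except (ValueError, LookupError, KeyError, TypeError) as exc:
        print(f"rotation failed, keeping current PSK: {exc}")
        return current_psk, None
    return master_key, key_id


if __name__ == "__main__":
    hop = FakeKME()
    psk, kid = rotate_hop(hop, "sae-node-a", "sae-node-b", None)
    print("rotated to key_ID", kid)
    print(" ".join(wg_set_psk_argv("wg0", "<peer-public-key>", "/run/qkd/wg0-peer.psk")))
    print("psk file content:", wg_psk_encode(psk))
```

In a deployment the `FakeKME` calls become HTTPS requests to each node's own KME (mutually authenticated per ETSI GS QKD 014), the key_ID travels to the far end inside the existing WireGuard tunnel, and the two `wg set` invocations should be scheduled close together so that both peers hold the new PSK before the next handshake. The check that rejects keys of the wrong length matters in practice: a KME whose default key size is not 256 bits (352 bits is a common default, stated here as an assumption) would otherwise silently produce an unusable PSK file.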