Toward quantum-safe scalable networks: an open, standards-aware key management framework

📅 2025-09-11
🤖 AI Summary
To address the challenges of dynamic key relay path establishment and poor scalability in quantum key distribution (QKD) networks over long distances, this paper proposes a software-defined networking (SDN)-based quantum-secure key management architecture. The architecture introduces two novel components: a virtualized Key Management System (vKMS) and a Quantum Security Controller (QSC), enabling abstraction of key services, end-to-end dynamic relay path computation, and centralized policy-driven control. By integrating QKD, SDN, and Network Function Virtualization (NFV), it establishes a hierarchical, policy-driven secure communication framework. Experimental evaluation and formal security analysis demonstrate that the architecture significantly improves key distribution efficiency and network scalability while preserving critical security properties—including forward secrecy and post-quantum resistance—thereby providing a viable pathway for large-scale deployment of quantum-secure networks.

📝 Abstract
With the advent of quantum computing, the increasing threats to security pose a great challenge to communication networks. Recent innovations in this field have resulted in promising technologies such as Quantum Key Distribution (QKD), which enables the generation of unconditionally secure keys, establishing secure communications between remote nodes. Additionally, QKD networks enable the interconnection of multinode architectures, extending the point-to-point nature of QKD. However, due to the limitations of the current state of technology, the scalability of QKD networks remains a challenge toward feasible implementations. When it comes to long-distance implementations, trusted relay nodes partially solve the distance issue through the forwarding of the distributed keys, allowing applications that do not have a direct QKD link to securely share key material. Even though the relay procedure itself has been extensively studied, the establishment of the relaying node path still lacks a solution. This paper proposes an innovative network architecture that solves the challenges of Key Management System (KMS) identification, relay path discovery, and scalability of QKD networks by integrating Software-Defined Networking (SDN) principles, establishing high-level virtual KMSs (vKMS) in each node, and creating a new entity called the Quantum Security Controller (QuSeC). The vKMS serves the end-user key requests, managing the multiple KMSs within the node and sparing the user from having to discover the correct KMS. Additionally, based on the high-level view of the network topology and status, the QuSeC serves the path discovery requests from vKMSs, computing the end-to-end (E2E) relay path and applying security policies. The paper also provides a security analysis of the proposal, identifying the security levels of the architecture and analyzing the core networking security properties.

Problem

Research questions and friction points this paper is trying to address.

Addressing scalability challenges in quantum key distribution networks
Solving relay path discovery for secure long-distance quantum communications
Integrating software-defined networking to manage quantum key systems

Innovation

Methods, ideas, or system contributions that make the work stand out.

SDN-based architecture for QKD networks
Virtual KMS abstraction for key management
Quantum Security Controller for path discovery

Authors

Ane Sanz
Department of Communications Engineering, University of the Basque Country (UPV/EHU). Faculty of Engineering of Bilbao, Plaza Ingeniero Torres Quevedo, n.1, Bilbao, 48013, Spain.

Asier Atutxa
Department of Communications Engineering, University of the Basque Country (UPV/EHU). Faculty of Engineering of Bilbao, Plaza Ingeniero Torres Quevedo, n.1, Bilbao, 48013, Spain.

David Franco
Department of Communications Engineering, University of the Basque Country (UPV/EHU). Faculty of Engineering of Bilbao, Plaza Ingeniero Torres Quevedo, n.1, Bilbao, 48013, Spain.

Jasone Astorga
University of the Basque Country UPV/EHU
cybersecurity, 5G, NFV/SDN

Eduardo Jacob
University of the Basque Country
computer science, computer networks, security, software defined networks

Diego López
Telefonica Innovación Digital, Distrito Telefónica, Ronda de la Comunicación, S/N, 28050 Madrid, Spain