Quantum computing poses a severe threat to classical public-key cryptosystems (e.g., RSA, ECC), while existing quantum key distribution (QKD) networks struggle to simultaneously ensure relay security and communication anonymity. To address this, we propose a novel secure key distribution protocol integrating onion routing with post-quantum cryptography (PQC). Our approach is the first to introduce onion-style multi-layer encryption encapsulation into the multi-hop trusted-relay model of QKD networks, leveraging standardized PQC algorithms—such as CRYSTALS-Kyber—to protect hop-by-hop shared keys. This achieves end-to-end confidentiality, integrity, entity authentication, and strong communication anonymity. Experimental evaluation demonstrates robust resistance against malicious intermediate nodes performing eavesdropping or message tampering. The protocol exhibits high feasibility and resilience in mission-critical applications, including critical infrastructure protection, data center interconnects, and cryptocurrency systems.

The advance of quantum computing poses a significant threat to classical cryptography, compromising the security of current encryption schemes such as RSA and ECC. In response to this challenge, two main approaches have emerged: quantum cryptography and post-quantum cryptography (PQC). However, both have implementation and security limitations. In this paper, we propose a secure key distribution protocol for Quantum Key Distribution Networks (QKDN), which incorporates encapsulation techniques in the key-relay model for QKDN inspired by onion routing and combined with PQC to guarantee confidentiality, integrity, authenticity and anonymity in communication. The proposed protocol optimizes security by using post-quantum public key encryption to protect the shared secrets from intermediate nodes in the QKDN, thereby reducing the risk of attacks by malicious intermediaries. Finally, relevant use cases are presented, such as critical infrastructure networks, interconnection of data centers and digital money, demonstrating the applicability of the proposal in critical high-security environments.