Abstract
The imminent advent of quantum computers poses a significant threat to current public key infrastructures (PKIs). Applications such as secure web browsing, code signing, and machine authentication will no longer be secure in the presence of quantum computers, since quantum computers can break the classical cryptographic primitives that form the basis of today's secure network communications. This could lead to catastrophic consequences, as sensitive data may be exposed in a matter of days once sufficiently mature quantum computers are developed.
Given that the most optimistic projections suggest quantum computers could become available within the next decade, standardization bodies have begun to mandate the transition from classical to quantum-secure cryptographic algorithms. The U.S. NIST has initiated a standardization process for post-quantum cryptography (PQC), selecting algorithms based on computational problems believed to be hard even for quantum computers. In parallel, ETSI has focused on integrating quantum key distribution (QKD), a physically secure primitive, into existing PKI frameworks.
This thesis addresses the quantum threat by analyzing where classical key exchanges occur in modern network architectures and how they can be replaced with quantum-secure alternatives, with a strong focus on PQC. It investigates all control-plane operations in key network protocols across different layers, including IPsec and MACsec. These protocols are adapted to use quantum-secure keys through custom modifications or integration with established cryptographic libraries, as appropriate.
In addition to the quantum threat, rapid advancements in fields such as optical transmission, artificial intelligence (AI), and large language models (LLMs) are shifting the paradigm of high-speed data transfer. Today, the bottleneck is no longer the transmission channel itself but the processing of data after transmission. This can lead to increased latency, higher CPU usage, elevated energy costs, and even denial of service.
To address this second challenge, i.e., the computational burden of cryptography in the data plane, this work explores the use of NVIDIA's data processing units (DPUs). Specifically, this thesis presents use cases that leverage DPUs for accelerating data-plane operations using AES-GCM with 256-bit keys. A quantum-secure testbed based on SmartNICs has been developed in Eindhoven, which secures the control plane using PQC algorithms (Kyber and Dilithium) while accelerating the data plane with hardware-accelerated symmetric encryption. The results in this thesis showcase the potential of DPUs in building future-proof, quantum-secure data centers.
Overall, this work has presented, to the best of the author's knowledge, the first implementations and performance evaluations of quantum-secure network protocols employing PQC and QKD in real-world scenarios. It leverages DPUs both for cryptographic operations related to the control plane, i.e., computation of KEM keys and authentication mechanisms between servers and clients, and for data-plane encryption through AES-GCM. This thesis is organized into chapters, where each chapter provides an introduction, theoretical background, main contributions, and future research directions. This work has been performed under the QUARC European project, funded by the European Union’s Horizon Europe research and innovation program within the framework of Marie Skłodowska-Curie Actions, under grant number 101073355.
| Original language | English |
|---|---|
| Qualification | Doctor of Philosophy |
| Awarding Institution | |
| Supervisors/Advisors | |
| Award date | 5 Feb 2026 |
| Place of Publication | Eindhoven |
| Publisher | |
| Print ISBNs | 978-90-386-6598-6 |
| Publication status | Accepted/In press - 5 Feb 2026 |