Quantum computing poses a severe threat to MACsec (IEEE 802.1AE), particularly under “harvest-now-decrypt-later” attacks, undermining confidentiality, integrity, and authentication at the link layer. To address this, we propose VMuckle—the first standardized, quantum-safe hybrid authenticated key exchange (HAKE) protocol designed specifically for MACsec. VMuckle dynamically integrates classical ECDH, post-quantum CRYSTALS-Kyber, and symmetric cryptographic primitives, overcoming deployment granularity and protocol compatibility limitations of prior HAKE schemes. It features deep integration of HKDF-based key derivation and hardware acceleration, enabling seamless embedding into MACsec within LAN environments. Experimental evaluation shows sub-5 ms key negotiation latency and less than 1.2% bandwidth overhead, while providing forward secrecy and quantum migration capability. VMuckle thus delivers the first practical, standards-compliant quantum-resistant encryption solution for the Ethernet data link layer.

Advancements in quantum computing pose a significant threat to most of the cryptography currently deployed. Fortunately, cryptographic building blocks to mitigate the threat are already available; mostly based on post-quantum and quantum cryptography, but also on symmetric cryptography techniques. Notably, quantum-safe building blocks must be deployed as soon as possible due to the ``harvest-now decrypt-later'' attack scenario, which is already challenging our sensitive and encrypted data today. Following an agile defense-in-depth approach, Hybrid Authenticated Key Exchange (HAKE) protocols have recently been gaining significant attention. Such protocols modularly combine conventional, post-quantum, and quantum cryptography to achieve confidentiality, authenticity, and integrity guarantees for network channels. Unfortunately, only a few protocols have yet been proposed (mainly Muckle and Muckle+) with different flexibility guarantees. Looking at available standards in the network domain (especially at the Media Access Control Security (MACsec) standard), we believe that HAKE protocols could already bring strong security benefits to MACsec today. MACsec is a standard designed to secure communication at the data link layer in Ethernet networks by providing security for all traffic between adjacent entities. In addition, MACsec establishes secure channels within a Local Area Network (LAN), ensuring that data remain protected from eavesdropping, tampering, and unauthorized access, while operating transparently to higher layer protocols. Currently, MACsec does not offer enough protection in the event of cryptographically relevant quantum computers. In this work, we tackle the challenge and propose a new versatile HAKE protocol, dubbed VMuckle, which is sufficiently flexible for the use in MACsec to provide LAN participants with hybrid key material ensuring secure communication.