This information is sourced from:
Stucki, et al. (23 March 2012) Long term performance of the SwissQuantum quantum key distribution network in a field environment.
The goal of the SwissQuantum experiment was to ‘test the reliability of the quantum layer over a long period of time in a production environment.’
Their deterministic values to define QKD as being commercially successful were:
-Integration in telecommunications networks
QKD networks need to suit current telecommunication network topologies. This includes unicast (point-to-point) traffic, multicast (between a subgroup of nodes) traffic, and broadcast (all nodes) traffic. Current (as of 2012) QKD setup supports point-to-point traffic, but requires further development for multicast and broadcast traffic.
There are two types of implementable QKD networks: Trusted-node networks, or one with ‘additional optical components’. The trusted node network increases the distance for QKD, but requires intermediate nodes. The use of optical components removes the need for nodes, but the distance and bit rate of the network is limited by the optical attenuation of the link.
The topology for the SwissQuantum network contained three nodes: Unige, CERN, and hepia; and three point-to-point links: Unige-CERN, CERN-hepia, and hepia-Unige. ‘Each node was divided into two sub-nodes, one for each point-to-point link connected to the node.’
The nodes are connected by a pair of dark fibres, where one fibre of the pair is used as a quantum channel and the other fibre is used as a classical channel. The classical channel needs to work in both directions, hence the classical channels are multiplexed between the two nodes using wavelength division multiplexing (WDM). The Unige-CERN link also contains a pair of fibres dedicated to the transmission of data by commercial grade, 10 Gbps Ethernet encryptors.
The diagram below, is figure 3 within the SwissQuantum QKD network article.
This next diagram is my interpretation of the fibre connectivity between the three nodes. I am not confident in whether the quantum fibre link is two-way or one-way, as the article doesn’t specify.
The SwissQuantum network also employed the use of VLANs, one per layer, to a server at the hepia node. These VLANs were used to monitor the SwissQuantum network. There were also two firewalls that were deployed at the server. The first was designed to stop any illegitimate connection from the internet to the server, and the other, to ‘limit access to the management network’. Only legitimate entities were allowed access to the VLAN network through an SSH connection.
The SwissQuantum QKD network also implemented the three layer configuration that was introduced by the SECOQC network, and utilized in the Tokyo QKD network. The three layers are:
- Quantum layer: This layer consists of the QKD point-to-point link that have ‘been implemented with commercial QKD devices’.
- Key Management layer: This layer consists of a key buffer and key processing, and oversees the management of keys between the quantum and application layers as well as their use across the network.
- Application layer: This layer is where the keys are ‘used by end-user applications’.
The quantum layer’s links had the following fibre length and optical loss:
The quantum links are ‘implemented with a pair of customized commercial QKD servers’, and the ‘optical platform of the QKD servers are based on the plug&play configuration’. The devices used in this plug&play configuration include a Faraday mirror, a phase modulator and variable optical attenuator, an unbalanced Mach-Zehnder interferometer, two single-photon detectors, a laser preceded by an optical circulator, and a polarization beam-splitter. The plug&play optical platform provides auto-compensation of the phase and polarization fluctuations within the quantum channel. It is the interferometer which guarantees the phase compensation, and the combination of Alice’s Faraday mirror with Bob’s polarization beam-splitter which guarantees polarization compensation.
The QKD servers, (ID Quantique, id5100) are able to run the BB84 or the SARG protocols. The SARG protocol differs from the BB84 protocol in that SARG is designed to be more resilient to PNS attacks. The SwissQuantum network utilized the SARG protocol instead of BB84. The key distillation occurred in ‘three steps: error correction, privacy amplification, and authentication of classical communications.’ The timing of the distillation was set to occur whenever Alice’s buffer was full. This corresponded to approximately 5-7 million detections, or 1.25-1.75 million bits post sifting.
Error correction implemented the Cascade algorithm, in which ‘the raw key buffer is separated into blocks of 8192 bits that are corrected one after the other. For the SwissQuantum QKD servers, there was no step of error correction as post-Cascade QBER was already known.
Privacy amplification was done ‘with the 2-universal hash functions proposed by Krawczyk and based on Toeplitz matrices’ on the sifted buffer.
Authentication was done using the Wegman-Carter scheme.
‘The quantum layer continuously generates secret keys and transfers them to the management layer.’
Key Management Layer
The key management layer is responsible for ‘the processing of keys, their storage in each node, and their management between the nodes and the layers. There is a specific computer per node, the key server, that contains a buffer that is dedicated to key storage and a synchronization channel between each of the nodes. ‘This approach allows one to go from a very basic network topology composed of several point-to-point QKD links to more complex network topologies.’
The SwissQuantum focused upon the recent network feature of link aggregation. Link aggregation has been developed to increase the bandwidth and availability of a link between two locations. This is achieved through the implementation of multiple network connections between the locations. Link aggregation can be described as follows: Consider a optical cable that is linked to two locations. The locations each contain a switch that directs the data traffic into either the first or second cable. Link aggregation increases bandwidth through the method of sending half of the traffic through each fibre, which is then recombined at the receiving switch. This doubles throughput and provides resiliency were one of the cables to be disconnected through some means. For a QKD network, link aggregation applies to the exchange of secret keys instead of data. In this network, the switches do not need to be active as the ‘same buffer can be used on both sides’. The link aggregation does however, need an equal number of QKD systems as links between the two locations. This results in each node requiring two QKD devices, one for each link.
Parallel key agreement was used alongside the link aggregation. Within the SwissQuantum network, a dual parallel key agreement was implemented. This agreement involves the combination of the keys exchanged via quantum cryptography and the keys exchanged via the PKI. The network used the combination as a means of improving the reliability and availability of the applications, rather than a means of improving the security. The dual key agreement was also used a method of certifying the the quantum generated keys, as this was a requirement for some of the applications.
The application layer is the layer in which the quantum keys are used by a user. ‘This layer consists of the connection of conventional network devices like switches, routers, or encryptors’. The application layer is independent from the quantum layer and the key management layer, except for key requests.’
The benefit of the dual-key agreement is that it means that the application layer can still run, even if the quantum layer is unable to immediately generate a key.
The SwissQuantum network used the following QKD based encryptors within their system; 10 GBps Ethernet encrytor, 2 Gbps Fibre Channel device encryptor, and IPsec encryptor. The fibre channel and Ethernet encryptors operated on OSI layer 2, as the encryption would not reduce the bandwidth and would only potentially a tiny amount of latency. The use of the IPsec encryptor on OSI layer was implemented despite it causing a large reduction of the link’s bandwidth due as encryption is important for the network traffic.
The layer 2 encryption applications implemented the AES protocol using a 256 bit key. The encryptors that used the dual-key agreement were certified at FIPS 140-2 security level 3. ‘Each certificate contains an identifying name, unique serial number, expiry date and public key and prior to installation is signed by the CA.’
‘The QKD-enhanced IPsec encryptor integrates the cryptographic symmetric key generated using the QKD protocol with the IPsec suite of protocols, in order to provide a point-to-point, quantum-secure communication link operating at layer 3.’
In terms of speed, the 256-bit keys were changed each minute for the different encryptors. The 10 Gbps encryptors suffered no bandwidth loss with the key change, The 2 Gbps encryptors however, required 100 ns to change the key. The latency of the IPsec encryptor was not measured as the effect would be negligible compared to the ‘intrinsic throughput reduction due to encapsulation.’
Implementation of the key management layer
Each of the nodes were implemented differently.
Within the diagram:
- The dashed black lines represent quantum key exchange links
- The thin black line between CERN-Unige and Unige-hepia represent encrypted data links
- The green lines represent the key distribution via the hepia node
- The purple lines represent links that allow keys to be exchanged between key managers in each node, using PKI
- ’10 Gbps Ethernet encryptors were installed between CERN and Unige’
- ‘2 Gbps Fibre channel and IPsec encryptors were tested between Unige and hepia’
- Each node contained one key server that managed ‘the storage and distribution of the secret keys in several key buffers.’
- Each application had its own dedicated key buffer
In terms of the key exchange process
- The CERN-Unige link was privileged, so key exchange was performed via the intermediate node of hepia.
- A key redundancy sender in CERN generates a random key, K, which is encrypted by a One-Time-Pad (OTP) protocol.
- The key used for the OTP encryption is exchanged by the QKD devices between CERN and hepia.
- K is sent to the key redundancy node in hepia.
- K is decrypted by the key redundancy node, then encrypted by with a key shared between hepia and Unige by QKD.
- K is sent to the key redundancy node in Unige and decrypted.
The keys that were exchanged through the intermediate node are then concatenated with keys sent directly.
Prior to the secret keys being stored in a buffer, an internal dual-key agreement is performed.
QKD exchanged keys are proven information theoretically secure, which means that knowing the PKI key doesn’t provide any information on the resulting key. The QKD key is random and also independent of the PKI, which causes the resulting key to be random too. The resulting keys are stored in buffers and are accessed by key managers to be sent to an application that requires a new key.
The secret key rate is the key parameter for QKD devices, and is derived from the raw key rate and the quantum bit error rate. The probability of detection is calculated by multiplying the raw detection rate with the number of gates per second.
The user’s key parameter is the number of keys that can be used for its applications. SwissQuantum deployed keys of length 256 bits.
Optical fibre variation
Optical fibres are influenced by varying temperatures. Variation in temperature causes changes in the optical path length and the refractive index. However, the SwissQuantum’s network determined that QKD devices are flexible enough to handle such changes in the optical path length.
Security of QKD -Quantum Layer
To stop MitM attacks, the classical channels need to be authenticated. The QKD can provide the further keys, so long as an initial secret key has been used to authenticate the first set of quantum key exchanges. The use of a weak coherent pulse means that the detection of the pulses needs to be more carefully monitored due to the increased likelihood of a PNS. The loss value of the quantum channel needs to be known in order to be able to determine any discrepancy between the anticipated detection probability and the measured detection probability. ‘Both the initial secret key and quantum channel loss value, are stored in the QKD devices.’
 (25 May 2001) Security Requirements for Cryptographic Models, Federal Information Processing Standards Publication 140-2, page 2.