Sourced from: Peev, M. et al. (02.07.2009) The SECOQC quantum key distribution network in Vienna, The Journal of Physics.
Current constraints of QKD (as of 2009)
- Limited distance for key distribution
- Low rate of key distribution, which exponentially decreases with respect to distance
- Distribution is point-to-point, which limits potential for application
Quantum links are the links between two QKD devices, which contain a quantum channel and a classical channel. These channels perform QKD protocol and transfer QKD keys between the two parties hosting the QKD devices. The quantum links only operate over point-to-point connections and hence, cannot be ‘deployed over any arbitrary network topology’.
The SECOQC defined the QKD network as an infrastructure with point-to-point capabilities that ‘aims at information theoretically secure key agreement’, rather than at secure communication.
‘There are two principal types of QKD network paradigms:’
- Quantum channel switching paradigm
- Trusted repeater paradigm
End-to-end requires a technology not yet realized, quantum repeaters. Optical switching is used instead, where optical switching is applied to quantum signals to create a direct quantum channel. However, in fully-switched optical networks, the two end parties require an initial secret. This limits the scalability, also optical losses limit distance of the key distribution. They could be considered suitable for networks of a metropolitan scale.
Trusted repeater QKD networks contain quantum links between the locations or nodes, and QKD devices are used at the end of link to point to a node. In this system, a QKD key may be sent over a chain of QKD links and nodes. The key is randomly generated then sent to another node, encrypted using the OTP protocol, which uses ‘QKD key material, stored in the memory of the node, which was previously generated over the outgoing QKD link from the chain.’ The OTP key is sent from the node it was generated, with an ITS authentication tag, to the node where the QKD key is being sent. The OTP key can be verified by the receiving node and used to decrypt the QKD key. The QKD key can then be encrypted with an OTP from the received node before being sent to another node, the OTP key being sent their along a secure classical channel. This type of network requires full trust of all of the nodes, as every intermediate node is able to decrypt the QKD key. The nodes then, can be considered as trusted repeaters. SECOQC implemented this type of QKD paradigm into their network.
For SECOQC’s network, they also implemented an additional feature where initial secrets for authentication were only shared between neighboring nodes. This simplified the initialization of the QKD network, and made it easy to add any additional nodes during their operation.
Quantum Network Architecture
The SECOQC used the following device structure:
- QKD devices have ‘access to the quantum channel alone and perform only a node internal classical communication with a dedicated device called a node module.’
- Node modules manage the QKD key material of the QKD devices within the node ‘and takes over the authenticated classical communication with the partner QKD devices.’
This structure results in the QKD device having the objective ‘to communicate over the quantum channel, distill and push a QKD key to the node using the communication facilities of the latter.’
The node manages the point-to-point connections. This includes, classical communication to neighboring nodes, key management, and cryptoservices. The connections are required for determining destination paths and the realization of secure transport protocols. The implementation of the node modules hide the QKD devices from the network, which relieves the requirement for homogeneous QKD technology, and leaves only the requirement that the device can communicate with the node and can push up the QKD key.
The SECOQC contained six nodes and eight QKD links. All devices had to meet the following criteria:
- QKD devices communicate classically with peers ‘over standardized interface, provided by the node module’
- QKD devices push key to the node
- QKD devices share management information and accept commands from the node
- QKD links operate over distances greater than 25km with standard telecom fiber (Approx. 0.25dB km-1)
- Key generation rate at 25km is greater than 1kbit s-1
- Weak laser pulse auto-compensated system: ‘plug & play’ device pairs (id-Q)
- One-way weak coherent pulse system with decoy states (Tosh)
- Coherent-one-way (COW)
- Entangled photons ENT)
- Continuous variable QKD system; with Guassian modulation, reverse reconciliation and homodyne detection of coherent light pulses (CV)
- Access free space link (FS)
Below is a table from the data for each system, provided by the SECOQC article.
- System designed by id Quantique SA
- BB84 and SARG protocols incorporated into system, specifically the BRT-ERD link, with mean number of photons per pulse = 1.03
- System BRT-ERD had 5.75 dB link loss
- The id-Q systems have been tested over longer periods of time
- Utilizes a protocol that is proven secure against all types of eavesdropping attacks
- Mean number of photons per pulse for both signal (μ) and decoy state (ν) is dependent upon fiber distance, for SECOQC they were: μ = 0.48, and ν = 0.16, based on ‘numerical optimization of the secure bit rate’.
- For fiber length 20km: SBR = 11kbits-1, for fiber length 25km: SBR = 5.7kbits-1. For fiber length 10km: SBR = 18kbits-1, for fiber length 1km: SBR = 27kbits-1
- COW-protocol can be implemented such that it is ‘insensitive to optical errors’
- ‘Eve cannot count the number of photons in any finite number of pulses without introducing errors’.
- Counting rate for the COW detector can be calculated by: DB is R ≈ μ t tB Σ , where η is the quantum efficiency of the photodetector, and μ ≈ 0.5.
- Bob has monitoring detectors DM1 and DM2, where DM1 is set to pick up Alice’s wavelength and DM2 picks up detection of an eavesdropper
- ‘the COW QKD system is compatible with standard telecom components, insensitive to polarization fluctuations in the fiber and robust against PNS attacks’.
- Long-term stability of an ENT system requires multiple different stabilization modules: source stabilization, state alignment, polarization control, and delay synchronization.
- ‘In terms of entanglement distribution, the system achieved an average polarization visibility of 93%’
- ‘The high purity of the shared entangled state allows the device to efficiently extract a secure key from the measured correlations.’
- Noise; such as shot-noise, loss-based noise, and excess noise, need to accurately calculated as they influence the ‘calculation of the secret information available in the shared data’
- To determine a key, highly sophisticated algorithms need to be applied to the data, ‘based on low-density parity-check codes’. The quantized data then has a privacy amplification scheme applied to it.
- This type of system provides very high key generation rates at small distances such as 10-20km.
- The mean photon number for this system was 0.3
- This system requires end systems that can be completely protected from any light.
- During the testing period, fluctuations were noticed in the decoy parameter, which were considered to have likely occurred due to temperature variation.
Node module architecture
SECOQC give their node modules three main roles; enabling functionality of links and managing the key generated over said links, determining a path between nodes, and ensuring end-to-end transport of the secret key material. These roles are divided into three network layers.
The enabling of functionality of links and management of generated keys is considered as the quantum point-to-point protocol (Q3P) layer. This layer is designed to ‘separate key production from key usage.’ In this layer, the node module creates a Q3P connection with each node with which it has an association. These connections use QKD links and are considered as Q3P links. The Q3P link has interchangeable modes based on the transmitted packet’s header. The three modes are: OTP and ITS authenticated communication, Non-encrypted and ITS authenticated communication, and neither encrypted nor authenticated communication. These modes are determined by two ‘functional entities: a key store, and a crypto-engine.
The key store has different levels in itself.
It has a ‘Pickup store’ in which multiple QKD devices can be attached to one Q3P link. This creates an association between each QKD device and a pickup store, to which generated keys are pushed. A protocol is run between the device and the pickup store which ensures that ‘synchronous keys’ are present in both, after which, if it terminates successfully, the key material is moved to the ‘Common store’. The common store is where all the QKD created keys are collected. Here, all of the key bits ‘form a homogeneous mass’. The final level is are the key buffers, which are either in or out. Specific portions of key material are removed from the common store and are dedicated for either inbound or outbound communications. A key store is either given the role of master or slave. The master key store decides on which key material should be removed from the common store. Once the key material is used, it is shredded to ensure no further availability.
Q3P maintains connection between the ‘underlying QKD device corresponding to each Q3P link in the node’. Any key material that is pushed up by the QKD device is accepted by the Q3P link, as are ‘general node management commands’.
The second role of determining paths along the network nodes is considered the quantum network layer. Whilst IPv4 and IPv6 over Q3P for routing is suitable, the traditional use of IPv4 and IPv6 does not work well over Q3P. Hence, SECOQC used a similar method to the OSPF protocol where ‘the routing information exchanged by the QKD network layer protocol as link state packets holds additional properties addressing the average secure key generation rate on each link as well as the current amount of key material, available in the respective key store.’ The routing information is not encrypted when it is exchanged, but it is authenticated over the Q3P links, which results in ‘constant key consumption on the lines’.
The final role of ensuring end-to-end transport over the Q3P link, is the QKD transport layer protocol, QKD-TL. The method used by SECOQC is called ‘hop-by-hop encryption/decryption mechanism’, which is where each node, whether end-stage or intermediate, decrypts and authenticates a received message, before encrypting it again and sending it to the next node, along with an authentication tag. All of this is achieved over the Q3P network by having the incoming message be pulled from a link, its destination address read, then pushing the outgoing message along another link towards its specific final node.
‘It should be stressed that the secure communications between the client and server by means of the key distributed over the QKD network can use any communication channel of (generally any type of) a secure communication infrastructure.’
There is a baseline key consumption rate that is resultant from the Q3P authentication process, which involves sifting, error correction, key confirmation, and privacy amplification. Also, there are pay-load applications that involve key expenditure.
The maximum shared key length between two nodes is equivalent to the maximum length of the message that can be shared via information-theoretic security.