Tokyo QKD Network

This information is sourced from:
Sasaki M, et al. (11 May 2011) Field test of quantum key distribution in the Tokyo QKD Network.

The previous networks, DARPA, SECOQC, SwissQuantum, Durban[1], ATDNet, and Hefei[2], can be organized into two different network schemes: ‘key relay via trusted nodes, and transparent link via optical switching’.

The Tokyo QKD network is a mesh-type network with six different QKD systems using the trusted node scheme. The network has four access points that are connected with commercial grade fibers. The four access points are Koganei (Ko), Otemachi (Ot), Hakusan (Ha), and Hongo (Ho).

For the Ko-Ot link (45 km), the loss rate is an average of approximately 0.3 dB/km.
For the Ha-Ot link (12 km) and the Ho-Ot link (13 km), the loss rate is an average of 0.5 dB/km.

Tokyo QKDN

The QKD network is part of ‘the NICT open testbed called Japan’s Giga Bit Network 2 plus (JGN2plus)’. There is plenty of noise in the fibers, and interfiber crosstalk (‘photon leakage from neighboring fibers’) is often observed. The crosstalk can be reduced through the implementation of a ‘narrow spectral or temporal bandpass at the receiver.’

Link 1: MELCO used decoy state BB84 protocol over 24km (loop) between Otemachi and Hakusan.

Link 2: NEC-NICT used BB84 protocol over 45km between Otemachi and Koganei, using the NICT’s superconducting single photon detector (SSPD).

Link 3: NTT-NICT used differential phase shift (DPS) QKD over 90km (loop) between Koganei and Otemachi, also using the SSPD.

Link 4: All Vienna used BBM92 with installed fibers over 1km.

Link 5: TREL used decoy state BB84 protocol over 45km, using electrically cooled self-differentiating avalanche photodiodes (SD-APDs).

Link 6: IDQ used their commercial system that employs the SARG04 protocol over the 13km between Otemachi and Hongo.

The network contains quantum links that are connected to create a network, where each link has a unique method of generating the key. ‘The QKD protocols as well as the format and size of the key material can be arbitrary.’ The Tokyo network implemented a three-layer architecture similar to the one in the SECOQC article. The base layer involves a QKD device that pushes the key materials to the middle key management layer. The key management layer contains a key management agent (KMA) that exists at each node and ‘receives the key material via an application interface (API)’. The API used in this system was developed by NEC and NICT and was compatible with the SECOQC quantum backbone link interface (QBB-LI). The use of the compatible API increased the ‘interoperability of a great variety of different QKD devices’.

The KMA is a computer that works as a trusted node. Its job is to ‘resize the key materials for absorbing the difference in key generation rate and key length of each QKD link, to reshape the key materials into a common format for further use, and to supply unique identifiers to the key materials.’ ‘It then stores the materials in numerical order to synchronize key usage during encryption and decryption.’ The KMA also stores the information of the key generation rate and the QBER, which is then forwarded to the key management server (KMS), ‘who is introduced for the centralized management network’.

‘The KMS coordinates and oversees all links in the network’, as all network functions are performed within the KM layer. ‘A KMA can relay a secure key shared with one node to a second node by OTP-encrypting the key, using another key shared with the node.’ The KMS is in control of determining the provision of secure paths and managing the key life cycle.

Authentication is done by the WC scheme with a prior secure key.

Secure communication is achieved by using the keys for the encryption/decryption of any file ‘produced by various applications’. The users are situated within the trusted nodes and their data is sent to the KMAs to be encrypted/decrypted with an OTP in ‘a stored key mode’. Advanced Encryption Standard (AES) is also implemented in each of the KMAs. ‘The KMS switches two cryptographic schemes, referring residual amounts of secure keys.’

The Tokyo QKD network uses an autonomous search algorithm to determine the node pathway. ‘The main reason for adopting the centralized management in the Tokyo QKD Network is that it assumes a test case of a government-chartered network or a mission critical infrastructure network which often have a central dispatcher or a central data server.’

Tokyo -Three layer scheme

QKD Systems
Tokyo Network Table

    • This system has been designed for ‘fast QKD for metropolitan-scale distances, which can realize OTP encryption of video data’.
    • ‘The hardware engine has a large memory, large-size field programmable gate arrays (FPGAs), and high speed in/out interfaces, which can potentially handle up to 8 WDM channels, i.e. for a processing speed of up to 10Gbps’.
    • The decoy method has been realized with three different types of pulses: signal, decoy, and vacuum.
  • TREL
    • The photons are detected with ‘InGaAs APDs in self differentiating (SD) mode’ that are electrically cooled to -30° C.
    • The self-differentiating technique suppresses any afterpulse noise.
    • ‘The DPS-QKD scheme is especially suitable for fiber transmission, and is known to be secure against general individual attacks’.
    • Bob’s server sends the time information of the generated sifted keys to Alice’s server via an Ethernet connection.
    • ‘Ultra stable sifted key generation for more than 8 days was demonstrated.’ (This resulted in a sifted key generation rate of 18kbps and an average QBER of 2.2%.)
    • A stable operation for four hours was demonstrated for secure key generation combined with a key distillation engine. (Figures shown in table)
  • Mitsubishi
    • ‘Quantum and classical light sources are designed using DWDM (dense wavelength division multiplexing) DFB laser modules at telecom wavelengths.’ (Quantum is 1549.32nm, Classical is 1550.92nm)
    • ‘The system uses light pulses with four different intensity levels (signal: 0.63 photons per pulse, decoy: 0.3, 0.1, and vacuum). It consists of PLC’s with polarization stabilizers and commercial APDs.’ (Detection efficiency: 3%, dark count probability: 6×10⁻⁶)
    • The InGaAs/InP APD detectors were set at -40° C through the use of Peltier modules.
    • ‘Single photon detectors were realized with both sinusoidal wave gating and a self-differentiating circuit.’
    • Error correction involved a low density parity check (LDPC) code that has been designed to ‘achieve a performance approaching Shannon’s limit’.
    • Privacy amplification time was reduced by using the fast Fourier transform ‘for multiplying the Toeplitz matrix and a reconciled key’.
    • A stable operation of key generation for 3 days was demonstrated.
    • An ‘OTP smartphone using QKD’ was also achieved: ‘Voice data is encoded at a rate of 1kBps, which requires approximately 1.2 MB for a 10min bidirectional talk. With a 2 GB Secure Digital (SD) card, continuous conversation for 10 days by OTP encryption can be supported with a single downloading.’ The secure key is downloaded from the QKD device, and after a key has been used, it is cleared from the smartphone’s memory.
  • IDQ
    • ‘System is working in a phase coding configuration and is based on the Plug & Play optical platform. This is a go and return configuration which allows high quality auto-compensation of polarization and phase fluctuation of the quantum channel.’
    • Has run continuously for a 6 month period, except for 2 months within that period, when tuning and secure key rate optimization occurred.
    • An addition of a filter increased the link loss, but reduced noise, which enabled a higher secure key exchange rate.
    • The QBER was reduced from 4% to 2% with the addition of the filter as it greatly reduced the crosstalk noise via spectral filtering.
  • All Vienna
    • Scheme is not ‘prepared by modulators’, and is instead ‘measured by passive polarization analyzers situated in the spatially separated devices of Alice and Bob’.
    • ‘Thereby quantum correlations are transferred into secrets’.
    • The passive entanglement scheme contains some benefits in that it is robust against certain attacks. An increase in laser power doesn’t present any leakage, but rather, after certain procedures, results in an ‘increased QBER and key rate reduction’. Consistent monitoring of the incident power stops any ‘blinding the detectors remotely’, which ensures that the detectors cannot be directly controlled by an ‘adversary’.
    • ‘The measurement results at Alice and Bob are further processed by an FPGA and an embedded PC (per device), delivering secure key over predefined interfaces’.
    • Polarization drift in the fibers can be detected and ‘compensated at the receiver by a sophisticated polarization control algorithm.’
    • ‘Specifically QKD post-processing involves the standard stages of sifting, reconciliation (error correction), confirmation, and privacy amplification.’ The CASCADE error correction technique was applied, in ‘the parallel CASCADE flavor’ (L. Salvail’s proposition from SECOQC), which reduces the communication latency, and ‘real-time error correction speed’.
    • The privacy amplification block length was configured to 300kbit.
    • ‘Privacy amplification is based on a 2-universal hash function family realized as binary matrix multiplication with Toeplitz matrices’. This multiplication is computationally inefficient as is, but can be sped up using the Fourier transform.
    • The temperature of the environment can influence polarization stability, which was observed in the ‘arms of Bob’s BB84 module leading to a slow decrease of the secure key rate’.
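
An added example (not code from the Tokyo paper or from any vendor) of the Toeplitz-matrix privacy amplification mentioned for the Mitsubishi and All Vienna systems. It shows why a Fourier transform applies: the matrix product is a convolution of the seed with the reconciled key. Python's big-integer multiplication stands in for the FFT here, and the 512-bit block, 128-bit output and all function names are assumptions for illustration.

```python
import secrets


def random_bits(n):
    """n uniformly random bits as a list of 0/1 (constructed sample input)."""
    value = secrets.randbits(n)
    return [(value >> k) & 1 for k in range(n)]


def toeplitz_direct(key, seed, m):
    """y = T * key over GF(2), where T is m x n and T[i][j] = seed[i - j + n - 1].

    Every entry depends only on i - j, so n + m - 1 seed bits define the matrix.
    The cost is m * n bit operations, which is what makes large blocks slow.
    """
    n = len(key)
    if len(seed) != n + m - 1:
        raise ValueError("an m x n Toeplitz matrix needs n + m - 1 seed bits")
    out = []
    for i in range(m):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & key[j]
        out.append(acc)
    return out


def _pack(bits, width):
    """Place each bit in its own `width`-bit digit of one big integer."""
    value = 0
    for k, bit in enumerate(bits):
        value |= bit << (width * k)
    return value


def toeplitz_convolution(key, seed, m):
    """Same hash through one convolution of seed and key.

    y[i] is coefficient (i + n - 1) of the product seed * key, reduced mod 2.
    A production system computes this product with an FFT; the integer
    multiplication below computes the identical coefficients.
    """
    n = len(key)
    if len(seed) != n + m - 1:
        raise ValueError("an m x n Toeplitz matrix needs n + m - 1 seed bits")
    width = n.bit_length()  # a coefficient is at most n, so digits never overflow
    product = _pack(seed, width) * _pack(key, width)
    mask = (1 << width) - 1
    return [((product >> (width * (i + n - 1))) & mask) & 1 for i in range(m)]


if __name__ == "__main__":
    n, m = 512, 128                      # assumed sizes, far below a 300 kbit block
    reconciled = random_bits(n)          # identical at Alice and Bob after reconciliation
    seed = random_bits(n + m - 1)        # chosen at random and announced publicly
    alice = toeplitz_convolution(reconciled, seed, m)
    bob = toeplitz_direct(reconciled, seed, m)
    print("keys agree:", alice == bob, "length:", len(alice))
```

Because the hash is linear, a single residual error left by reconciliation changes the output by one column of the matrix, which is why a confirmation stage precedes privacy amplification.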



[1] Mirza A. and Petruccione F. (24 May 2010) Realizing long-term quantum cryptography. Optical Society of America, Volume 27, No. 6.

[2] Wang S. et al. (10 September 2014) Field and long term demonstration of a wide area quantum key distribution network.


DARPA Quantum Network

This information is sourced from:
Chip Elliot (3 December 2004) The DARPA Quantum Network.

DARPA QKD network
QKD is limited by distance through either fiber channels or freespace, which cannot be combined due to ‘frequency propagation and modulation’ problems. Often this can result in quantum links having a single point of failure due to only having a single channel. The DARPA network has attempted to resolve this by creating a QKD network ‘rather than stand-alone links’.

The DARPA network (when this article was published) consisted of six QKD nodes, of which four are weak-coherent systems and the other two are high-speed freespace systems.

The weak coherent system consists of two transmitters, Alice and Anna, which followed the BB84 protocol, and two receivers, Bob and Boris. This system also contained a 2×2 switch to allow the coupling of any of the transmitters with any of the receivers. ‘Alice, Bob, and the switch are in BBN’s laboratory; Anna is at Harvard; and Boris is at Boston University (BU).’ The switch is located 10km from Harvard and 19km from BU, which results in the Harvard-BU fiber path being 29km long.

The transmitter, Anna, has a mean photon number of 0.5, with the Anna-Bob path having a delivery speed of ‘1000 privacy-amplified secret bits/second’ with an average QBER of 3%.

The BBN-BU path has attenuation of 11.5dB, which results with the network having a mean photon number of 1.0, but a secret key yield of zero.

The freespace system consists of Ali and Baba, which are ‘electronic subsystems for a high-speed freespace QKD system’. The same BBN QKD protocols are run on this system, and have a link into the network via a key relay between Ali and Alice. (This system, in December 2004, contained ENT nodes that weren’t fully operational.)

This article provides a list of parameters that can be considered for classical encryption methods.

  • Protection of keys
    QKD systems provide keys that have not been encrypted via an algorithm, which provides greater long term security with respect to the processing ability of supercomputers and quantum computers.
  • Authentication
    QKD doesn’t provide authentication of the key.
  • Robustness
    Point-to-point links contain a single point of failure unless there is redundancy created by creating multiple point-to-point interconnected links.
  • Distance and location Independence
    Due to attenuation in fiber and sensitivity of freespace environments, QKD systems do not have large distances or location independence.
  • Resistance to traffic analysis
    This is weak due to the point-to-point link approach of most QKD systems.

The conclusive summary of these parameters for QKD is that, although QKD provides great protection of keys, it doesn’t have an intrinsic authentication system, nor does it have strong results for the other parameters.

The DARPA network attempts to increase the robustness and distance of a QKD system by creating a network that contains the links and endpoints all connected together.


In the above diagram, A1 and B1 are the Alice/Bob pair, A2 and B2 are the freespace Ali/Baba pair, A3 and B3, and A4 and B4, are also fiber-connected pairs. QKD networking protocols allow the A1 node to agree on a key with nodes that are multiple ‘hops’ away. For instance, two transmitting nodes A1 and A3 can agree on a key pair via the B1 node as a trusted intermediary.

A photon can be transmitted across an untrusted network to its endpoint node without being measured by the switches. In other words, the information is shared between two nodes within the network, without being shared within the network itself. The negative aspect of untrusted switches is that each switch ‘adds at least a fractional dB insertion loss along the photonic path.’

A photon can also be transmitted across a trusted network to an end path node, where the intermediary nodes have ‘pairwise agreed-to keys’, which are used to ‘securely relay a key “hop-by-hop” from one endpoint to another.’ Each node along the transmission pathway decrypts then encrypts the photon using the pairwise keys. This results in the key being securely encrypted across each link.

The benefits of a QKD network are as follows:

  • Longer distance
    As a single key can now be distributed over multiple nodes, the ‘geographic reach’ of the quantum key has been increased.
  • Heterogeneous channels
    The links between nodes do not need to be homogeneous, indeed one could use fiber channels and the other use freespace.
  • Greater robustness
    An interconnected network results in multiple pathways between two endpoints. This resolves the single point of failure issue that occurs between single links.
  • Cost savings
    Large scale interconnectivity lowers costs by reducing the ‘required (N x N-1)/2 point-to-point links to as few as N links in the case of a simple star topology’.

BBN QKD Protocols
The software architecture for the BBN network is shown in the diagram below**:
DARPA BBN Protocol

‘The QKD protocols have been integrated into a Unix operating system and provide key material to its indigenous Internet Key Exchange (IKE) daemon for use in cryptographically protecting Internet traffic via standard IPsec protocols and algorithms.’

The protocol stack contains a ‘traditional sifting protocol and the newer ‘Geneva’ style sifting’ (now commonly referred to as SARG, after the initials of those who produced it.)

Photonic Switching for untrusted network
For an untrusted network, the switch needs to be optically passive in order to not disturb the quantum states of the exchanged photons. For the DARPA network, there exist two transmitters, Alice and Anna, and their two ‘compatible’ receivers, Bob and Boris (as described at the start). In this situation, the transmitters and their receivers are not mutually exclusive, i.e. any transmitter can organize key exchange with any receiver. The switch was designed to change the connectivity between each transmitter and receiver every 15 minutes. As a result, the ‘receivers autonomously discover they are receiving photons from a new transmitter, and realign their Mach-Zehnder interferometers to match the transmitter’s interferometer.’ The purpose of this is to create multiple different keys. The switch does take time, 8 ms, and causes an optical loss of less than 1 dB.

BBN key relay protocols for trusted networks
For endpoints that are not directly connected, a path is created from links connecting to them. The BBN networking protocol ‘allows them to agree upon shared QKD bits.’ The path through the network is determined with a new random number, R, and ‘sending R one-time-pad encrypted across each link’, termed key relay.

**From a more extensive article on the DARPA network, published in 2005[1], the protocols are expanded upon as follows:

Sifting
This enables the reconciliation of raw bit streams to reduce and remove such errors as photon loss, incorrect basis symbols, and multiple detection symbols. Once sifted, the rest of the bit stream is discarded and only the sifted bits are used.

Error detection and correction
This occurs after the bit stream has been sifted, and is carried out in order to remove any damaged bits. However, Alice and Bob do not want to reveal the entirety of the sifted secret bit stream. This results in the following:
  • The error correction is probabilistic, which results in the potential for Alice and Bob to not have completely identical sets.
  • As error correction requires that Bob and Alice disclose information across a separate public channel, there is the potential for Eve to observe and obtain the information in plaintext, if she can decipher the communication.
  • Error detection is used to estimate the QBER of the quantum channel.
The DARPA network used two types of error detection and modification: a modified version of the Cascade protocol (Brassard and Salvail’s protocol[I]), and a Forward Error Correction technique coined ‘Niagara[II]’.
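
An added example (not BBN's code) of the parity bisection that Cascade is built from. It illustrates two of the points listed above: a block holding an even number of errors passes unnoticed, and every parity disclosed on the public channel is one bit Eve may learn. The 16-bit strings, the block size and the two position orderings are constructed; full Cascade also revisits earlier blocks after each correction, which this single-pass function leaves out.

```python
def parity(bits, positions):
    """Parity of the bits at the given positions."""
    return sum(bits[i] for i in positions) & 1


def hamming(a, b):
    """Number of positions where the two strings differ."""
    return sum(x != y for x, y in zip(a, b))


def cascade_pass(alice, bob, order, block_size):
    """One pass over the positions in `order`, cut into blocks of `block_size`.

    In the real protocol Alice announces each parity and Bob compares it with
    his own; both lists are local here so the exchange can be simulated.
    Bob's list is corrected in place. Returns the number of parities disclosed.
    """
    leaked = 0
    for start in range(0, len(order), block_size):
        block = order[start:start + block_size]
        leaked += 1                                  # block parity is announced
        if parity(alice, block) == parity(bob, block):
            continue                                 # zero or an even number of errors
        while len(block) > 1:                        # bisect down to one position
            left, right = block[:len(block) // 2], block[len(block) // 2:]
            leaked += 1                              # parity of the left half is announced
            block = left if parity(alice, left) != parity(bob, left) else right
        bob[block[0]] ^= 1                           # flip the located error
    return leaked


if __name__ == "__main__":
    alice = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1]   # constructed sifted key
    bob = alice[:]
    bob[2] ^= 1
    bob[5] ^= 1                                      # two errors in the same first block

    leaked = cascade_pass(alice, bob, list(range(16)), 8)
    print("pass 1: leaked", leaked, "errors left", hamming(alice, bob))

    # Second pass over a different ordering (even positions, then odd positions)
    # separates the two errors so each block shows odd parity.
    interleaved = list(range(0, 16, 2)) + list(range(1, 16, 2))
    leaked += cascade_pass(alice, bob, interleaved, 8)
    print("pass 2: leaked", leaked, "errors left", hamming(alice, bob))
    # The leaked count has to be subtracted again during privacy amplification.
```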

Entropy Estimation
The DARPA network used four different entropy techniques: Slutsky, Bennett, Myers-Pearson, and Shor-Preskill. The entropy is calculated in order to ensure that the privacy amplification is correct. If the entropy isn’t correctly calculated, this can result in weaker privacy amplification than was possible, which would leave Eve with more access to the secret bits than the achievable minimum.

Privacy Amplification
This process involves minimizing Eve’s knowledge of the shared bits to an ‘acceptable level’, a process otherwise known as distillation or advantage distillation. The amplification is completed by an algorithm which is designed to ‘operate on bits in computer memory’ and ‘“smears out” the value of each initial shared bit across the shorter resulting set of bits’. The purpose behind this is that the shorter the resultant bit set, the less that Eve can know. For the DARPA network, ‘the QKD node initiating privacy amplification selects a linear hash function over the Galois Field[IV] GF[2^n] where n is the number of error-corrected bits in a block. It then transmits four items to the other end - the number of bits m of the shortened result, the (sparse) primitive polynomial of the Galois field, a multiplier (n bits long), and an m-bit polynomial to add (i.e. a bit string to exclusive-or) with the product. Each side then performs their corresponding hash and truncates the results to m bits to perform privacy amplification.’
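
An added example (not BBN's implementation) of the four-item exchange quoted above: the initiator picks m, a primitive polynomial, a multiplier and an addend, and both ends compute the same shortened block. The toy block size n = 32, the choice to keep the low m bits, the responder-side validation and all names are assumptions; a real block holds every error-corrected bit of the block.

```python
import secrets
from dataclasses import dataclass


def gf_mul(a, b, poly, n):
    """Multiply a and b as polynomials over GF(2), reduced modulo `poly` (degree n)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: subtract (XOR) the modulus
            a ^= poly
    return result


def gf_pow_x(exponent, poly, n):
    """x ** exponent modulo poly, by square and multiply."""
    result, base = 1, 2
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base, poly, n)
        base = gf_mul(base, base, poly, n)
        exponent >>= 1
    return result


def prime_factors(value):
    """Distinct prime factors by trial division (adequate for toy n)."""
    factors, p = set(), 2
    while p * p <= value:
        while value % p == 0:
            factors.add(p)
            value //= p
        p += 1
    if value > 1:
        factors.add(value)
    return factors


def is_primitive(poly, n):
    """True when x generates all 2**n - 1 non-zero elements modulo poly."""
    if (poly >> n) != 1 or (poly & 1) == 0:
        return False
    order = (1 << n) - 1
    if gf_pow_x(order, poly, n) != 1:
        return False
    return all(gf_pow_x(order // p, poly, n) != 1 for p in prime_factors(order))


@dataclass(frozen=True)
class PAParams:
    """The four transmitted items, plus n which both ends already know."""
    n: int
    m: int
    poly: int
    multiplier: int
    addend: int


def select_params(n, m):
    """Initiator: first primitive polynomial found, searching low-order terms first."""
    poly = next(c for c in range((1 << n) | 1, 1 << (n + 1), 2) if is_primitive(c, n))
    multiplier = secrets.randbelow((1 << n) - 1) + 1      # non-zero n-bit value
    return PAParams(n, m, poly, multiplier, secrets.randbits(m))


def validate(p):
    """Responder: refuse parameters that would not shorten or would not hash."""
    if not 0 < p.m < p.n:
        raise ValueError("result must be shorter than the block")
    if not is_primitive(p.poly, p.n):
        raise ValueError("polynomial is not primitive of degree n")
    if not 0 < p.multiplier < (1 << p.n):
        raise ValueError("multiplier must be a non-zero n-bit value")
    if not 0 <= p.addend < (1 << p.m):
        raise ValueError("addend must fit in m bits")


def amplify(block, p):
    """Hash one n-bit error-corrected block down to m bits."""
    validate(p)
    product = gf_mul(block, p.multiplier, p.poly, p.n)
    return (product & ((1 << p.m) - 1)) ^ p.addend        # assumption: keep the low m bits


if __name__ == "__main__":
    params = select_params(32, 20)
    block = secrets.randbits(32)             # constructed stand-in for a corrected block
    print(hex(params.poly), amplify(block, params) == amplify(block, params))
```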

Authentication involves the assurance that each endpoint is confident that they are communicating with their intended endpoint. For a QKD link between Alice and Bob, this is not only a preliminary action, but also continuous for the ensuing interactions. The DARPA network used Universal hash functions, based upon the authentication scheme outlined in the BB84 paper. Their Internet security architecture (IPsec) still utilizes standard authentication methods, and those described in the IKE. Their plan ‘is to extend this architecture by further incorporating those BB84 Universal Hash Functions described above in order to achieve continuous authentication based on secret bits derived from ongoing QKD.’


[I] Brassard and Salvail’s Cascade protocol
This protocol was the first error correction protocol for QKD, and requires an initial input of the error rate (QBER). It has a performance efficiency of working within 15-20% of the Shannon Limit[III], and a speed efficiency of being able to process key rates that are less than 5×10⁴ bit s⁻¹.

[II] BBN Niagara
This is a type of Low-Density Parity Check (LDPC) code that has been newly designed for QKD applications, which doesn’t need the many protocol interactions between Alice and Bob, that entail a Cascade protocol.

[III] Shannon Limit
The Shannon Limit is a maximum rate for a channel, in which data can be sent without any error.[2]

[IV] Galois Field
A mathematical term for a finite field.[3]


[1] Elliot C., et al. (17 March 2005) Current Status of the DARPA Quantum Network.

[2] Hardesty Larry. (19 January 2010) Explained: The Shannon Limit, MIT News.

[3] Moreira J. and Farrell P. (06 November 2006) Essentials of Error-Control Coding. John Wiley & Sons.

QKD: Multi-user Passive Optical Networks

This is sourced from:
Townsend P. D, et al. (1994) Quantum cryptography for multi-user passive optical networks.

Multi-user passive optical networks (PONs) enable the exchange of secure keys to each user within the network, and hence, securely encrypt a broadcast transmission on the network.

For QKD to become more utilizable, it needs to be able to work in a network that contains any-to-any and any-to-many communications. A multi-user PON scheme can allow ‘a network controller to distribute distinct secret keys to each of N users on the network, and hence to securely encrypt subsequent data transmissions broadcast on the network.’

QKD networks, in general, use optical fiber for data transmission, which allows point-to-point transmission on smaller networks. However, for a large network with many users, the utilization of point-to-point transmission becomes increasingly complicated. This article focuses on ‘simpler architectures based on passive optical networks in which the nodes are passive optical splitters.’ For a star-styled network, communication occurs at the ‘head-end of the PON and information is broadcast to, and ‘broadgathered’ from the downstream terminals on the network.’

In a multi-terminal network, a single input photon will only be received by a single receiver. This is also the case for optical pulses, except for the instance in which the average photon number per pulse is far less than one. ‘Hence in order to implement the standard quantum cryptography protocols on the network, the controller transmits a randomly encoded sequence of clocked pulses onto the network, and all receivers simultaneously make synchronous but independent random measurements on the network outputs. Because of the statistically random output from each coupler, this procedure is equivalent to simultaneously setting up N distinct quantum cryptography links in which the transmitter sends a random sequence in each case.’ Once this procedure is completed, the controller has supplied each terminal with a distinct key. This key can be used to establish a secure link between the controller and a specific terminal. By encrypting a message with the key, Ki, the broadcast message can only be decrypted by terminal Ri. Each key can also be used by the controller to create an OTP of a master network key, which could be securely distributed to each terminal. This would enable the secure encryption of traffic between users on the network, with the controller acting only as a router.
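
An added simulation (not from the Townsend paper) of the procedure described above: one controller, a passive splitter that hands each photon to a single random terminal, per-terminal sifting, and the master-key distribution by OTP. It assumes an ideal noiseless channel, BB84-style two-basis encoding, and that every simulated slot carries exactly one detected photon; the terminal count, pulse count and names are constructed.

```python
import random
import secrets


def distribute_keys(n_terminals, n_pulses, rng):
    """Run the broadcast once and return (controller_keys, terminal_keys, slots).

    Each of the three results is a list with one entry per terminal.
    """
    ctrl = [[] for _ in range(n_terminals)]
    term = [[] for _ in range(n_terminals)]
    slots = [[] for _ in range(n_terminals)]
    for slot in range(n_pulses):
        bit, basis = rng.getrandbits(1), rng.getrandbits(1)   # controller's random encoding
        port = rng.randrange(n_terminals)      # splitter: the photon leaves by one port only
        rx_basis = rng.getrandbits(1)          # that terminal's independent basis choice
        rx_bit = bit if rx_basis == basis else rng.getrandbits(1)
        # Public discussion: the terminal reports (slot, rx_basis), never rx_bit,
        # and the controller confirms whether the bases matched.
        if rx_basis == basis:
            ctrl[port].append(bit)
            term[port].append(rx_bit)
            slots[port].append(slot)
    return ctrl, term, slots


def xor_bits(a, b):
    """Bitwise XOR of two bit lists, truncated to the shorter one."""
    return [x ^ y for x, y in zip(a, b)]


def broadcast_master_key(ctrl_keys, master):
    """Controller encrypts the master key once per terminal with that terminal's K_i."""
    ciphertexts = []
    for key in ctrl_keys:
        if len(key) < len(master):
            raise ValueError("not enough sifted key for this terminal")
        ciphertexts.append(xor_bits(master, key))
    return ciphertexts


if __name__ == "__main__":
    rng = random.Random(7)                     # seeded so the physics run is repeatable
    ctrl, term, slots = distribute_keys(4, 4000, rng)
    master = [secrets.randbits(1) for _ in range(128)]
    broadcast = broadcast_master_key(ctrl, master)
    for i, (ct, key) in enumerate(zip(broadcast, term)):
        print("terminal", i, "sifted bits:", len(key),
              "recovers master key:", xor_bits(ct, key) == master)
```

Every ciphertext travels on the shared network, yet terminal i can only open the one encrypted under its own K_i, because the pulse slots that formed each key are disjoint.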

The SECOQC quantum key distribution network in Vienna

Sourced from: Peev, M. et al. (02.07.2009) The SECOQC quantum key distribution network in Vienna, The Journal of Physics.

Current constraints of QKD (as of 2009)

  • Limited distance for key distribution
  • Low rate of key distribution, which exponentially decreases with respect to distance
  • Distribution is point-to-point, which limits potential for application

Quantum Networks
Quantum links are the links between two QKD devices, which contain a quantum channel and a classical channel. These channels perform the QKD protocol and transfer QKD keys between the two parties hosting the QKD devices. The quantum links only operate over point-to-point connections and hence, cannot be ‘deployed over any arbitrary network topology’.

The SECOQC defined the QKD network as an infrastructure with point-to-point capabilities that ‘aims at information theoretically secure key agreement’, rather than at secure communication.

‘There are two principal types of QKD network paradigms:’

  • Quantum channel switching paradigm
  • Trusted repeater paradigm

End-to-end requires a technology not yet realized, quantum repeaters. Optical switching is used instead, where optical switching is applied to quantum signals to create a direct quantum channel. However, in fully-switched optical networks, the two end parties require an initial secret. This limits the scalability, and optical losses limit the distance of the key distribution. They could be considered suitable for networks of a metropolitan scale.

Trusted repeater QKD networks contain quantum links between the locations or nodes, and QKD devices are used at the end of each link to point to a node. In this system, a QKD key may be sent over a chain of QKD links and nodes. The key is randomly generated then sent to another node, encrypted using the OTP protocol, which uses ‘QKD key material, stored in the memory of the node, which was previously generated over the outgoing QKD link from the chain.’ The OTP key is sent from the node where it was generated, with an ITS authentication tag, to the node where the QKD key is being sent. The OTP key can be verified by the receiving node and used to decrypt the QKD key. The QKD key can then be encrypted with an OTP from the receiving node before being sent to another node, the OTP key being sent there along a secure classical channel. This type of network requires full trust of all of the nodes, as every intermediate node is able to decrypt the QKD key. The nodes, then, can be considered as trusted repeaters. SECOQC implemented this type of QKD paradigm into their network.

For SECOQC’s network, they also implemented an additional feature where initial secrets for authentication were only shared between neighboring nodes. This simplified the initialization of the QKD network, and made it easy to add any additional nodes during their operation.

Quantum Network Architecture
The SECOQC used the following device structure:

  • QKD devices have ‘access to the quantum channel alone and perform only a node internal classical communication with a dedicated device called a node module.’
  • Node modules manage the QKD key material of the QKD devices within the node ‘and takes over the authenticated classical communication with the partner QKD devices.’

This structure results in the QKD device having the objective ‘to communicate over the quantum channel, distill and push a QKD key to the node using the communication facilities of the latter.’
The node manages the point-to-point connections. This includes classical communication to neighboring nodes, key management, and cryptoservices. The connections are required for determining destination paths and the realization of secure transport protocols. The implementation of the node modules hides the QKD devices from the network, which relieves the requirement for homogeneous QKD technology, and leaves only the requirement that the device can communicate with the node and can push up the QKD key.

The SECOQC contained six nodes and eight QKD links. All devices had to meet the following criteria:

  • QKD devices communicate classically with peers ‘over standardized interface, provided by the node module’
  • QKD devices push key to the node
  • QKD devices share management information and accept commands from the node


  • QKD links operate over distances greater than 25 km with standard telecom fiber (approx. 0.25 dB km⁻¹)
  • Key generation rate at 25 km is greater than 1 kbit s⁻¹

System Types

  1. Weak laser pulse auto-compensated system: ‘plug & play’ device pairs (id-Q)
  2. One-way weak coherent pulse system with decoy states (Tosh)
  3. Coherent-one-way (COW)
  4. Entangled photons (ENT)
  5. Continuous variable QKD system, with Gaussian modulation, reverse reconciliation and homodyne detection of coherent light pulses (CV)
  6. Access free space link (FS)

SECOQC Network

Below is a table from the data for each system, provided by the SECOQC article.

SECOQC Network Table

  • id-Q:
    • System designed by id Quantique SA
    • BB84 and SARG protocols incorporated into system, specifically the BRT-ERD link, with mean number of photons per pulse = 1.03
    • System BRT-ERD had 5.75 dB link loss
    • The id-Q systems have been tested over longer periods of time
  • Tosh
    • Utilizes a protocol that is proven secure against all types of eavesdropping attacks
    • Mean number of photons per pulse for both signal (μ) and decoy state (ν) is dependent upon fiber distance, for SECOQC they were: μ = 0.48, and ν = 0.16, based on ‘numerical optimization of the secure bit rate’.
    • For fiber length 20 km: SBR = 11 kbit s⁻¹, for fiber length 25 km: SBR = 5.7 kbit s⁻¹. For fiber length 10 km: SBR = 18 kbit s⁻¹, for fiber length 1 km: SBR = 27 kbit s⁻¹

  • COW
    • COW-protocol can be implemented such that it is ‘insensitive to optical errors’
    • ‘Eve cannot count the number of photons in any finite number of pulses without introducing errors’.
    • Counting rate for the COW detector D_B can be calculated by R ≈ μ t t_B η, where η is the quantum efficiency of the photodetector, and μ ≈ 0.5.
    • Bob has monitoring detectors DM1 and DM2, where DM1 is set to pick up Alice’s wavelength and DM2 picks up detection of an eavesdropper
    • ‘the COW QKD system is compatible with standard telecom components, insensitive to polarization fluctuations in the fiber and robust against PNS attacks’.
  • ENT
    • Long-term stability of an ENT system requires multiple different stabilization modules: source stabilization, state alignment, polarization control, and delay synchronization.
    • ‘In terms of entanglement distribution, the system achieved an average polarization visibility of 93%’
    • ‘The high purity of the shared entangled state allows the device to efficiently extract a secure key from the measured correlations.’
  • CV
    • Noise, such as shot-noise, loss-based noise, and excess noise, needs to be accurately calculated as it influences the ‘calculation of the secret information available in the shared data’
    • To determine a key, highly sophisticated algorithms need to be applied to the data, ‘based on low-density parity-check codes’. The quantized data then has a privacy amplification scheme applied to it.
    • This type of system provides very high key generation rates at small distances such as 10-20km.
  • FS
    • The mean photon number for this system was 0.3
    • This system requires end systems that can be completely protected from any light.
    • During the testing period, fluctuations were noticed in the decoy parameter, which were considered to have likely occurred due to temperature variation.


Node module architecture
SECOQC give their node modules three main roles: enabling functionality of links and managing the key generated over said links, determining a path between nodes, and ensuring end-to-end transport of the secret key material. These roles are divided into three network layers.

The enabling of functionality of links and management of generated keys is considered as the quantum point-to-point protocol (Q3P) layer. This layer is designed to ‘separate key production from key usage.’ In this layer, the node module creates a Q3P connection with each node with which it has an association. These connections use QKD links and are considered as Q3P links. The Q3P link has interchangeable modes based on the transmitted packet’s header. The three modes are: OTP and ITS authenticated communication, non-encrypted and ITS authenticated communication, and neither encrypted nor authenticated communication. These modes are determined by two ‘functional entities’: a key store, and a crypto-engine.

The key store has different levels in itself.
[Figure: SECOQC Q3P key store levels]
It has a ‘Pickup store’ in which multiple QKD devices can be attached to one Q3P link. This creates an association between each QKD device and a pickup store, to which generated keys are pushed. A protocol is run between the device and the pickup store to ensure that ‘synchronous keys’ are present in both; if it terminates successfully, the key material is moved to the ‘Common store’. The common store is where all the QKD-created keys are collected. Here, all of the key bits ‘form a homogeneous mass’. The final level is the key buffers, which are either in or out: specific portions of key material are removed from the common store and dedicated to either inbound or outbound communications. A key store is given the role of either master or slave. The master key store decides which key material should be removed from the common store. Once the key material is used, it is shredded to ensure no further availability.

Q3P maintains connection between the ‘underlying QKD device corresponding to each Q3P link in the node’. Any key material that is pushed up by the QKD device is accepted by the Q3P link, as are ‘general node management commands’.

The second role of determining paths along the network nodes is considered the quantum network layer. Whilst IPv4 and IPv6 over Q3P for routing is suitable, the traditional use of IPv4 and IPv6 does not work well over Q3P. Hence, SECOQC used a similar method to the OSPF protocol where ‘the routing information exchanged by the QKD network layer protocol as link state packets holds additional properties addressing the average secure key generation rate on each link as well as the current amount of key material, available in the respective key store.’ The routing information is not encrypted when it is exchanged, but it is authenticated over the Q3P links, which results in ‘constant key consumption on the lines’.

The final role, ensuring end-to-end transport over the Q3P links, is handled by the QKD transport layer protocol, QKD-TL. The method used by SECOQC is called a ‘hop-by-hop encryption/decryption mechanism’: each node, whether end-stage or intermediate, decrypts and authenticates a received message before encrypting it again and sending it to the next node along with an authentication tag. All of this is achieved over the Q3P network by pulling the incoming message from a link, reading its destination address, then pushing the outgoing message along another link towards its final node.

‘It should be stressed that the secure communications between the client and server by means of the key distributed over the QKD network can use any communication channel of (generally any type of) a secure communication infrastructure.’

Key Behavior
There is a baseline key consumption rate that results from the Q3P authentication process, which involves sifting, error correction, key confirmation, and privacy amplification. There are also payload applications that involve key expenditure.

The maximum shared key length between two nodes is equivalent to the maximum length of the message that can be shared via information-theoretic security.

SwissQuantum QKD Network

This information is sourced from:
Stucki, et al. (23 March 2012) Long term performance of the SwissQuantum quantum key distribution network in a field environment.

The goal of the SwissQuantum experiment was to ‘test the reliability of the quantum layer over a long period of time in a production environment.’

Their deterministic values to define QKD as being commercially successful were:
-Integration in telecommunications networks

QKD networks need to suit current telecommunication network topologies. This includes unicast (point-to-point) traffic, multicast (between a subgroup of nodes) traffic, and broadcast (all nodes) traffic. Current (as of 2012) QKD setup supports point-to-point traffic, but requires further development for multicast and broadcast traffic.

There are two types of implementable QKD networks: Trusted-node networks, or one with ‘additional optical components’. The trusted node network increases the distance for QKD, but requires intermediate nodes. The use of optical components removes the need for nodes, but the distance and bit rate of the network is limited by the optical attenuation of the link.

The topology for the SwissQuantum network contained three nodes: Unige, CERN, and hepia; and three point-to-point links: Unige-CERN, CERN-hepia, and hepia-Unige. ‘Each node was divided into two sub-nodes, one for each point-to-point link connected to the node.’

The nodes are connected by a pair of dark fibres, where one fibre of the pair is used as a quantum channel and the other fibre is used as a classical channel. The classical channel needs to work in both directions, hence the classical channels are multiplexed between the two nodes using wavelength division multiplexing (WDM). The Unige-CERN link also contains a pair of fibres dedicated to the transmission of data by commercial grade, 10 Gbps Ethernet encryptors.

The diagram below is figure 3 of the SwissQuantum QKD network article.
[Figure: SwissQuantum article, figure 3]

This next diagram is my interpretation of the fibre connectivity between the three nodes. I am not confident in whether the quantum fibre link is two-way or one-way, as the article doesn’t specify.
[Figure: SwissQuantum fibre links]

The SwissQuantum network also employed the use of VLANs, one per layer, to a server at the hepia node. These VLANs were used to monitor the SwissQuantum network. There were also two firewalls that were deployed at the server. The first was designed to stop any illegitimate connection from the internet to the server, and the other, to ‘limit access to the management network’. Only legitimate entities were allowed access to the VLAN network through an SSH connection.

The SwissQuantum QKD network also implemented the three layer configuration that was introduced by the SECOQC network, and utilized in the Tokyo QKD network. The three layers are:

  • Quantum layer: This layer consists of the QKD point-to-point links that have ‘been implemented with commercial QKD devices’.
  • Key Management layer: This layer consists of a key buffer and key processing, and oversees the management of keys between the quantum and application layers as well as their use across the network.
  • Application layer: This layer is where the keys are ‘used by end-user applications’.

Quantum Layer
The quantum layer’s links had the following fibre length and optical loss:
[Table: SwissQuantum article, table 1 (fibre length and optical loss of each quantum link)]

The quantum links are ‘implemented with a pair of customized commercial QKD servers’, and the ‘optical platform of the QKD servers are based on the plug&play configuration’. The devices used in this plug&play configuration include a Faraday mirror, a phase modulator and variable optical attenuator, an unbalanced Mach-Zehnder interferometer, two single-photon detectors, a laser preceded by an optical circulator, and a polarization beam-splitter. The plug&play optical platform provides auto-compensation of the phase and polarization fluctuations within the quantum channel. It is the interferometer which guarantees the phase compensation, and the combination of Alice’s Faraday mirror with Bob’s polarization beam-splitter which guarantees polarization compensation.

The QKD servers (ID Quantique, id5100) are able to run the BB84 or the SARG protocols. The SARG protocol differs from the BB84 protocol in that SARG is designed to be more resilient to PNS attacks. The SwissQuantum network utilized the SARG protocol instead of BB84. The key distillation occurred in ‘three steps: error correction, privacy amplification, and authentication of classical communications.’ The timing of the distillation was set to occur whenever Alice’s buffer was full. This corresponded to approximately 5-7 million detections, or 1.25-1.75 million bits post sifting.
Error correction implemented the Cascade algorithm, in which ‘the raw key buffer is separated into blocks of 8192 bits that are corrected one after the other.’ For the SwissQuantum QKD servers, there was no step of error correction as post-Cascade QBER was already known.
Privacy amplification was done ‘with the 2-universal hash functions proposed by Krawczyk and based on Toeplitz matrices’ on the sifted buffer.
Authentication was done using the Wegman-Carter scheme.
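
The privacy amplification step described above, as an added example that is not code from the SwissQuantum paper or the ID Quantique servers. The function names, the small key sizes and the choice that Alice draws the seed are assumptions of this example.

```python
import secrets


def toeplitz_hash(key_bits, seed_bits, out_len):
    """Multiply an out_len x n binary Toeplitz matrix by key_bits over GF(2).

    The matrix is fully described by n + out_len - 1 seed bits: entry (i, j)
    is seed_bits[i - j + n - 1], so every diagonal holds a single value.
    """
    n = len(key_bits)
    if not 0 < out_len <= n:
        raise ValueError("output must be non-empty and no longer than the input")
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must contain n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & key_bits[j]
        out.append(acc)
    return out


def random_bits(count):
    """Fresh random bits for the seed (or, in this demo, a stand-in corrected key)."""
    return [secrets.randbits(1) for _ in range(count)]


def privacy_amplify(alice_key, bob_key, out_len):
    """One round: Alice draws the seed, announces it, and both sides hash.

    The seed selects the hash function and may be public, but it has to be
    fresh for every block and sent over the authenticated classical channel.
    """
    if len(alice_key) != len(bob_key):
        raise ValueError("error correction must leave both keys the same length")
    seed = random_bits(len(alice_key) + out_len - 1)
    return (toeplitz_hash(alice_key, seed, out_len),
            toeplitz_hash(bob_key, seed, out_len))


if __name__ == "__main__":
    corrected = random_bits(1024)          # constructed stand-in for an error-corrected block
    alice_final, bob_final = privacy_amplify(corrected, list(corrected), 256)
    print("keys match:", alice_final == bob_final, "length:", len(alice_final))
```

Because the hash is linear over GF(2), a single uncorrected bit changes the output by one matrix column, which is why error correction has to finish before this step.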

‘The quantum layer continuously generates secret keys and transfers them to the management layer.’

Key Management Layer
The key management layer is responsible for ‘the processing of keys, their storage in each node, and their management between the nodes and the layers.’ There is a specific computer per node, the key server, that contains a buffer that is dedicated to key storage and a synchronization channel between each of the nodes. ‘This approach allows one to go from a very basic network topology composed of several point-to-point QKD links to more complex network topologies.’

The SwissQuantum network focused upon the recent network feature of link aggregation. Link aggregation has been developed to increase the bandwidth and availability of a link between two locations. This is achieved through the implementation of multiple network connections between the locations. Link aggregation can be described as follows: consider an optical cable connection between two locations. Each location contains a switch that directs the data traffic into either the first or second cable. Link aggregation increases bandwidth by sending half of the traffic through each fibre, which is then recombined at the receiving switch. This doubles throughput and provides resiliency were one of the cables to be disconnected. For a QKD network, link aggregation applies to the exchange of secret keys instead of data. In this network, the switches do not need to be active as the ‘same buffer can be used on both sides’. Link aggregation does, however, need as many QKD systems as there are links between the two locations. This results in each node requiring two QKD devices, one for each link.

Parallel key agreement was used alongside the link aggregation. Within the SwissQuantum network, a dual parallel key agreement was implemented. This agreement involves the combination of the keys exchanged via quantum cryptography and the keys exchanged via the PKI. The network used the combination as a means of improving the reliability and availability of the applications, rather than a means of improving the security. The dual key agreement was also used as a method of certifying the quantum generated keys, as this was a requirement for some of the applications.

Application Layer
The application layer is the layer in which the quantum keys are used by a user. ‘This layer consists of the connection of conventional network devices like switches, routers, or encryptors’. ‘The application layer is independent from the quantum layer and the key management layer, except for key requests.’

The benefit of the dual-key agreement is that it means that the application layer can still run, even if the quantum layer is unable to immediately generate a key.

The SwissQuantum network used the following QKD-based encryptors within their system: a 10 Gbps Ethernet encryptor, a 2 Gbps Fibre Channel device encryptor, and an IPsec encryptor. The Fibre Channel and Ethernet encryptors operated on OSI layer 2, as the encryption would not reduce the bandwidth and would only potentially add a tiny amount of latency. The IPsec encryptor on OSI layer 3 was used despite causing a large reduction of the link’s bandwidth, as encryption is important for the network traffic.

The layer 2 encryption applications implemented the AES protocol using a 256 bit key. The encryptors that used the dual-key agreement were certified at FIPS 140-2 security level 3.[1] ‘Each certificate contains an identifying name, unique serial number, expiry date and public key and prior to installation is signed by the CA.’

‘The QKD-enhanced IPsec encryptor integrates the cryptographic symmetric key generated using the QKD protocol with the IPsec suite of protocols, in order to provide a point-to-point, quantum-secure communication link operating at layer 3.’

In terms of speed, the 256-bit keys were changed each minute for the different encryptors. The 10 Gbps encryptors suffered no bandwidth loss with the key change. The 2 Gbps encryptors, however, required 100 ns to change the key. The latency of the IPsec encryptor was not measured as the effect would be negligible compared to the ‘intrinsic throughput reduction due to encapsulation.’

Implementation of the key management layer
Each of the nodes was implemented differently.
[Figure: SwissQuantum key management layer diagram]
Within the diagram:

  • The dashed black lines represent quantum key exchange links
  • The thin black lines between CERN-Unige and Unige-hepia represent encrypted data links
  • The green lines represent the key distribution via the hepia node
  • The purple lines represent links that allow keys to be exchanged between key managers in each node, using PKI
  • ‘10 Gbps Ethernet encryptors were installed between CERN and Unige’
  • ‘2 Gbps Fibre channel and IPsec encryptors were tested between Unige and hepia’
  • Each node contained one key server that managed ‘the storage and distribution of the secret keys in several key buffers.’
  • Each application had its own dedicated key buffer

In terms of the key exchange process:

  • The CERN-Unige link was privileged, so key exchange was performed via the intermediate node of hepia.
  • A key redundancy sender in CERN generates a random key, K, which is encrypted by a One-Time-Pad (OTP) protocol.
  • The key used for the OTP encryption is exchanged by the QKD devices between CERN and hepia.
  • K is sent to the key redundancy node in hepia.
  • K is decrypted by the key redundancy node, then encrypted with a key shared between hepia and Unige by QKD.
  • K is sent to the key redundancy node in Unige and decrypted.

The keys that were exchanged through the intermediate node are then concatenated with keys sent directly.
Prior to the secret keys being stored in a buffer, an internal dual-key agreement is performed.

QKD exchanged keys are proven information theoretically secure, which means that knowing the PKI key doesn’t provide any information on the resulting key. The QKD key is random and also independent of the PKI, which causes the resulting key to be random too. The resulting keys are stored in buffers and are accessed by key managers to be sent to an application that requires a new key.
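
The CERN to Unige relay through hepia listed above, which is also one instance of the hop-by-hop mechanism described for SECOQC's QKD-TL, as an added example that is not the project's own code. The class and function names are hypothetical, the QKD links are simulated with random bytes, the per-hop authentication tag is left out, and XOR as the dual-key combining function is an assumption.

```python
import secrets


class LinkKeyBuffer:
    """One end of a QKD link: secret bytes pushed up by the quantum layer, each used once."""

    def __init__(self, material: bytes):
        self._buf = bytearray(material)

    def __len__(self) -> int:
        return len(self._buf)

    def take(self, n: int) -> bytes:
        """Remove and return n key bytes; refuse rather than reuse pad material."""
        if n > len(self._buf):
            raise RuntimeError("QKD key buffer exhausted; wait for the quantum layer")
        pad = bytes(self._buf[:n])
        del self._buf[:n]
        return pad


def make_link(n_bytes: int):
    """Simulate a finished QKD exchange: both ends hold the same n_bytes of secret key."""
    material = secrets.token_bytes(n_bytes)
    return LinkKeyBuffer(material), LinkKeyBuffer(material)


def xor(a: bytes, b: bytes) -> bytes:
    """One-time pad: the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("one-time pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def relay_via_trusted_node(k, src_to_mid, mid_from_src, mid_to_dst, dst_from_mid):
    """Carry key K from source to destination through one trusted node.

    Returns (wire1, k_at_node, wire2, k_delivered) so every stage can be inspected.
    """
    wire1 = xor(k, src_to_mid.take(len(k)))              # CERN encrypts K with the CERN-hepia pad
    k_at_node = xor(wire1, mid_from_src.take(len(k)))    # hepia decrypts: K is in the clear here
    wire2 = xor(k_at_node, mid_to_dst.take(len(k)))      # hepia re-encrypts with the hepia-Unige pad
    k_delivered = xor(wire2, dst_from_mid.take(len(k)))  # Unige decrypts
    return wire1, k_at_node, wire2, k_delivered


def dual_key_agreement(qkd_key: bytes, pki_key: bytes) -> bytes:
    """Combine the QKD key with the PKI-exchanged key (XOR is this example's assumption)."""
    return xor(qkd_key, pki_key)


if __name__ == "__main__":
    cern_hepia, hepia_cern = make_link(64)
    hepia_unige, unige_hepia = make_link(64)
    k = secrets.token_bytes(32)                # 256-bit key, the length SwissQuantum deployed
    wire1, k_at_node, wire2, k_unige = relay_via_trusted_node(
        k, cern_hepia, hepia_cern, hepia_unige, unige_hepia)
    print("delivered intact:", k_unige == k)
    print("trusted node held K in the clear:", k_at_node == k)
    print("pad bytes left at CERN and Unige:", len(cern_hepia), len(unige_hepia))
    pki_key = secrets.token_bytes(32)          # constructed stand-in for the PKI-exchanged key
    print("stored key length:", len(dual_key_agreement(k_unige, pki_key)))
```

Each relayed key costs its own length in QKD key on both links, and the intermediate node holds K in the clear, which is why the node itself has to be trusted.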

The secret key rate is the key parameter for QKD devices, and is derived from the raw key rate and the quantum bit error rate. The probability of detection is calculated by multiplying the raw detection rate with the number of gates per second.

The user’s key parameter is the number of keys that can be used for its applications. SwissQuantum deployed keys of length 256 bits.

Optical fibre variation
Optical fibres are influenced by varying temperatures. Variation in temperature causes changes in the optical path length and the refractive index. However, the SwissQuantum’s network determined that QKD devices are flexible enough to handle such changes in the optical path length.

Security of QKD - Quantum Layer
To stop MitM attacks, the classical channels need to be authenticated. QKD can provide the further keys, so long as an initial secret key has been used to authenticate the first set of quantum key exchanges. The use of weak coherent pulses means that the detection of the pulses needs to be monitored more carefully, due to the increased likelihood of a PNS attack. The loss value of the quantum channel needs to be known in order to determine any discrepancy between the anticipated detection probability and the measured detection probability. ‘Both the initial secret key and quantum channel loss value are stored in the QKD devices.’


[1] (25 May 2001) Security Requirements for Cryptographic Modules, Federal Information Processing Standards Publication 140-2, page 2.

Secure Quantum Key Distribution

The following information has been extracted from the Secure Quantum Key Distribution article, and provides more information on QKD.

Introduction to QKD
Quantum cryptography, specifically quantum key distribution, is being considered as an important cryptographic method as quantum computers are further developed. One difference between classical cryptography and quantum cryptography is that the eavesdropper, Eve, is able to store a transcript of any classically encrypted transmission, but cannot do so for a quantum encrypted transmission. This is because classical encryption uses a mathematically difficult algorithm with a key, which encrypts the data within the transmission so that a passive eavesdropper, like Eve, is unable to decipher the message without either the same key (symmetric keys) or the partner key (asymmetric keys). However, Eve is still able to intercept the data without either Bob or Alice being aware of her. For QKD, Alice sends Bob a sequence of polarized photons that are either rectilinear or diagonal. As Bob receives the photons, he measures each one in a randomly chosen basis, either rectilinear or diagonal. Bob records his basis choice and the result for the respective photon, and then verifies his data with Alice to determine matching results. The non-matching photon data is ignored and the matching data is compiled to generate a sifted key. Alice and Bob can check whether their data has been intercepted by Eve by checking their quantum bit error rate. If the error rate is below a certain threshold, then they can be confident that their data is secure. ‘The quantum data can have classical post-processing protocols such as error correction and privacy amplification to generate a secure key. This key can be used to make the communication unconditionally secure using a one-time pad protocol.’
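
The sifting and error-rate check described above, as an added simulation that is not from the article. It assumes an ideal channel with no loss or noise, models Eve as measuring each photon in a random basis and re-sending it, computes the error rate over the whole sifted key instead of a disclosed sample, and uses an 11% acceptance threshold because the text gives no value.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(bit, prepared_basis, measured_basis, rng):
    """A matching basis returns the encoded bit; the other basis gives a random result."""
    return bit if prepared_basis == measured_basis else rng.getrandbits(1)


def run_bb84(n_pulses, eavesdropper, rng):
    """Simulate n_pulses single-photon pulses; return (sifted_key_length, qber)."""
    sifted = errors = 0
    for _ in range(n_pulses):
        alice_bit = rng.getrandbits(1)
        alice_basis = rng.choice((RECTILINEAR, DIAGONAL))
        bit, basis = alice_bit, alice_basis           # state travelling on the quantum channel
        if eavesdropper:
            eve_basis = rng.choice((RECTILINEAR, DIAGONAL))
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis                         # the re-sent photon carries Eve's basis
        bob_basis = rng.choice((RECTILINEAR, DIAGONAL))
        bob_bit = measure(bit, basis, bob_basis, rng)
        if bob_basis == alice_basis:                  # sifting: keep matching-basis rounds only
            sifted += 1
            errors += bob_bit != alice_bit
    qber = errors / sifted if sifted else 0.0
    return sifted, qber


def accept(qber, threshold=0.11):
    """Continue to post-processing only when the error rate is under the threshold (assumed value)."""
    return qber < threshold


if __name__ == "__main__":
    for eve in (False, True):
        sifted, qber = run_bb84(20000, eve, random.Random(2015))
        print(f"eavesdropper={eve}: sifted={sifted} qber={qber:.3f} accept={accept(qber)}")
```

With Eve present, half of the sifted rounds pass through the wrong basis and half of those flip, so the error rate settles near 25% and the session is rejected.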

One-time pad is a protocol in which the key is the same length as the message. The message is interpreted as a binary string, as is the key. The message is encrypted using a bitwise exclusive-OR between the two corresponding bits in the binary string.

Security model of QKD
The security of the QKD method is based upon the perfect key distribution, where Alice and Bob share a truly random secret key. A QKD system is considered to be ϵ-secure ‘if and only if the probability distribution of an outcome of any measurement performed on the QKD scheme and the resulting key deviates at most ϵ from the one of the perfect key distribution protocol and the perfect key.’ The value of ϵ is approximately $10^{-10}$, but this can be adjusted based upon agreements between Bob and Alice on their privacy level. To consider the security of the QKD protocol, the security of the generated key when it is employed in a cryptosystem needs to be taken into account. This is known as composable security. To calculate the composable security, each security protocol is considered to have a defined security parameter, $\epsilon_i$, with the total security of the cryptographic scheme being defined as $\sum_i \epsilon_i$.

However, the implementation of QKD relies on imperfect devices. The BB84 protocol provides the theory of Alice and Bob transmitting data through single polarized photons, yet efficient single-photon sources and measuring devices are still a matter of the future (at the time of this publication). One current method for implementing the BB84 protocol is through the use of phase-randomized weak coherent state pulses (WCPs) that have a typical average photon number of 0.1 or higher. These states are created using standard semiconductor lasers and calibrated attenuators. The limitation with these systems is that some signals may contain more than one photon prepared in the same quantum state. This is a security weakness as Eve can perform a Photon-Number-Splitting (PNS) attack upon the multi-photon pulses and obtain the portion of key that was generated with that information without Alice and Bob being aware.

The BB84 protocol relies upon Alice and Bob using single-photon states to create the secure key. To generate a key from this data, Bob and Alice do not necessarily need to identify which detected pulses specifically came from the single-photon emissions, but rather can ‘estimate a lower bound for the total number of such events.’ This estimation technique covers the worst case scenario where Eve were to block as many single photon pulses as she could. This assumption can be used to provide a key generation rate that scales as $\eta^2$, where η is the transmittance of the quantum channel. ‘This quantity has the form $\eta = 10^{-\alpha d/10}$, where α is the loss coefficient of the channel measured in dB/km (α ≈ 0.2 dB/km for standard commercial fibres) and d is the covered distance in km.’

Eve, however, may not be performing a PNS attack, so to improve the achievable secret key rate, there needs to be a more precise method for determining the number of single-photon pulses detected by Bob. The decoy-state method, which can ‘basically reach the performance of single-photon sources, where the key generation scales linearly with η’, can be used. Rather than sending equal intensity signals, Alice sends a signal with an intensity that has been randomly picked from a set of prescribed values. The states sent in the chosen intensity are known as signal states, and states that exist with different intensities are considered as decoy states. ‘Once Bob has detected all the signals, Alice broadcasts the intensity used for each pulse. A crucial assumption here is that all other possible degrees of freedom of the signals (apart from the intensity) are equal for all of them.’ The result of this technique is that even if Eve has knowledge of the number of photons contained within a certain pulse, ‘her decision on whether or not to send that signal to Bob cannot depend on its intensity. That is, Eve’s decision is based upon what is known a priori.’ Hence, the probability of ‘having a detection event given that Alice sent a single-photon pulse is the same for the signal and decoy pulses.’ This results in Alice and Bob being able to more precisely estimate the portion of detected events that occur from single photons.

Experimental implementations
In recent years, QKD has been experimentally implemented. The signal can be transmitted through free space with approximately 800nm wavelength, or through optical fibres with wavelengths of around 1310nm and 1550nm. The use of polarized photons, called polarization coding, is used mostly for free space transmission. Fibre optic based transmission uses different coding implementations, such as time-bin coding, phase coding, and frequency coding. These different techniques are used because optical fibres are more likely to disturb the polarization coding, due to the fibre’s susceptibility to environmental effects and birefringence.

Entanglement-based QKD protocols allow Alice and Bob to transmit their information over further distances, as this protocol is more resilient to losses than WCP protocols (it can stand up to about 70 dB). ‘For instance, they could employ a parametric down-conversion source to generate polarization entangled photons that are distributed between [Alice and Bob]’. This scheme, however, requires systems that are more involved than the ones for WCPs, and has a lower secret key rate in the low-loss regime. Aside from polarization coding, energy-time entangled pairs could be used.

For QKD over distances shorter than 100km, distributed-phase-reference QKD protocols could be used. This protocol involves Alice encoding the information coherently between adjacent pulses rather than in individual pulses. ‘This approach includes the differential phase shift (DPS) and the coherent-one-way (COW) protocols.’ The DPS protocol involves Alice preparing a train of WCPs of equal intensity but with modulated phases. ‘Bob uses a one-bit delay Mach-Zehnder interferometer, followed by two single-photon detectors to measure the incoming pulses.’ The COW protocol involves all the pulses having a common phase but with varied intensities. These protocols are considered to belong to discrete-variable QKD schemes.

Another set of methods belongs to the continuous-variable systems (CV-QKD), where the device ‘consists of homodyne or heterodyne measurements of the light-field quadratures.’ These protocols do not need single-photon detectors, but rather can be implemented through the use of standard telecom components.

QKD components and data-processing
‘For the optical layer of a QKD system, the following components are typically needed:’

  • Light Sources
    Attenuated laser pulses can be used for the signal source. The signal is modeled as a WCP. Application of global phase randomization results in the state becoming a classical mixture of Fock states with Poissonian distribution.
  • Single-photon detectors
    ‘Single photon detection is the ultimate limit of the detection of light.’ Traditional detectors include silicon detectors and InGaAs detectors. Si detectors are used for the 800nm wavelengths and free-space transmission. InGaAs avalanche photo-diodes (APDs) are used for telecom and fibre optic based transmission. InGaAs detectors have had previous issues such as low detection efficiency (15%) compared to the Si detectors (~50%), and a ‘long dead time after a detection event.’ This dead time reduces the repetition rate to a few MHz. This issue, however, has been resolved in recent years with the use of the following techniques: self-differentiating APDs, the sine-wave gating technique, a hybrid approach of SD-APDs and sine-wave gating techniques, and superconducting nanowire single-photon detectors (SNSPDs). The detection efficiency for InGaAs has increased to 50%, with SNSPD detection efficiency of ~93%. The SNSPDs have a caveat, in that their operating temperature is around 0.1K (-273.14 ºC).
  • Standard linear optical components
    These optical components include polarizing beam-splitters, beam-splitters, amplitude modulators, and phase modulators.
  • Random number generators
    Random numbers are required in QKD for basis choice, bit-value choice, phase randomization, intensity choice in the decoy state method, and for data post-processing. Quantum mechanics offers randomness based upon physical principles rather than complex mathematical algorithms. ‘A simple way to build a quantum random number generator (QRNG) is to send a WCP through a 50:50 beam-splitter and put two single-photon detectors on the two outgoing arms. The actual bit value (0 or 1) generated depends on which detector detects a photon.’
  • Classical post-processing techniques
    This includes techniques such as error correction and privacy amplification, which are used to fix any errors in the transmission, and ‘remove any residual information that Eve might have on the raw key.’ A difficulty with classical post-processing is the computational complexity of the protocols that is required to process a very large amount of raw data in a short amount of time.
  • Authenticated Channel
    Alice and Bob need to have an authenticated classical channel through which they verify the results of the QKD transmissions. This channel requires a short authentication key that ‘may be provided in the initial shipment of the QKD system through a tamper-resistant device.’ After the first successful QKD session, the authentication key can be renewed by the key generated from the QKD.


Industrial/application perspectives
As of 2015, when this article was published, QKD networks had been deployed in the USA, Austria, Switzerland, China, and Japan. ‘The [Japanese-Tokyo] network consists of three main layers: a QKD layer, a key management layer, and an application layer.’ To the user in the application layer, the QKD layer and the key management layer can be considered as a black box which supplies them with keys. (Tokyo has a layer structure that is based upon a trusted node architecture.) ‘Secure communication is possible between any nodes in the network by relaying on the secret key that is controlled by command of the key management server.’ This type of network can be employed for the provision of secure communications with smart phones. When a user needs a new key to protect communications, they could connect to the QKD network and store the obtained key in their phone, for use when needed. ‘Other potential of QKD include, for example, offsite backup, enterprise private networks, critical infrastructure protection, backbone protection, and high security access networks.’

Quantum hacking
‘In principle, QKD only secures the communication channel, so Eve may try to attack the sources, i.e. the preparation stage of the quantum signal, and the measurement device.’ The sources can be protected by preventative methods against Eve. For instance, ‘Alice can prepare her quantum signals (e.g. the polarization state of phase-randomized WCPs) in a fully protected environment outside the influence of an eavesdropper.’ The use of optical isolators is an example of this. The measurement device, Bob’s single-photon detector, is harder to protect because Eve is allowed to send it any signal, which makes it more difficult to protect Bob’s device from every possible attack. ‘The most important hacking attack so far against the detectors of the system is the so-called detector blinding attack. Here, Eve shines bright light into the detectors to make them enter into the so-called linear mode operation, where they are no longer sensitive to single-photon pulses but only to strong light pulses.’ This provides Eve with complete control over which detector ‘clicks’ each time through the transmission of bright pulses. This method allows Eve to completely learn the secret key. Other aspects that are exploitable are: the sources detection efficiency mismatch, and the dead-time of detectors.

There are three main approaches in counter-measuring any hacking. The first approach is to use security patches. This provides security against any and all known attacks but implies vulnerability of the system against any hacking advances. This technique is akin to most classical cryptographic techniques.
The second approach is called device-independent QKD (DI-QKD). In this approach, Alice and Bob consider their devices as black boxes. In other words, ‘they do not need to fully characterize their different elements.’ ‘The security of DI-QKD relies on the violation of a Bell inequality, which certifies the presence of quantum correlations.’ This approach is impractical with current technology due to high decoupling and channel loss and the limited detection efficiency of current single-photon detectors (this is known as the detection efficiency loophole, which requires detection efficiency to be ~80% or more for a loophole-free Bell test).
The third approach is MDI-QKD. This approach allows Alice and Bob to perform QKD with untrusted measurement devices, even ones developed by Eve. MDI-QKD security is based upon the idea of time reversal. ‘Alice and Bob prepare quantum signals and send them to an untrusted relay, Charles/Eve, who is supposed to perform a Bell-state measurement on the signals received. The honesty of Charles can be verified by comparing a subset of the transmitted data.’ MDI-QKD can be achieved through current ‘optical components with low detection efficiency and high lossy channels.’ MDI-QKD has a key rate that is far greater than that of DI-QKD, and has been demonstrated in laboratories and field tests (as of publication). ‘The key assumption of MDI-QKD is that Alice and Bob trust their sources.’ One downside of MDI-QKD is that it has a ‘relatively low secret key rate when compared to the decoy state BB84 protocol.’ This is due to MDI-QKD requiring two-fold coincidence detector events. These are currently restrained by the low detection efficiency of InGaAs single-photon detectors; however, the downside is not an issue if SNSPDs (at ~0.1K) are utilized. ‘MDI-QKD could be used to build a QKD network with untrusted nodes, which would be desirable from a security standpoint.’

This article gives an idea of the advancement of QKD since the publication of BB84. This article contains techniques and terminology that I’m not familiar with, so my next step is to look up the terms that I am unfamiliar with. From this, I will build up a glossary to provide myself with greater comprehension of the prospects discussed within this article, and any further article that I examine.

Lo Hoi-Kwong et al. (21 May 2015). Secure Quantum Key Distribution.

Quantum Cryptography: Public Key Distribution and Coin Tossing (BB84)

The BB84 protocol is based upon the article, ‘Quantum Cryptography: Public Key Distribution and Coin Tossing’ by Charles Bennett and Gilles Brassard, which was published in 1984.

The following information has been extracted from parts I-III of the article.

Most digital communication channels can be either passively monitored or actively copied, whether or not the information is encrypted. If the information is encoded in non-orthogonal quantum states however, then the channel is in theory unable to be monitored or copied without the outside party having critical information on the formation of the transmission. If the outside party were to eavesdrop, this would cause the transmission to be altered in such a way that their presence would be discernible to the legitimate party that received the transmission.

Quantum coding, then, can be used to enable secure distribution of key information between two parties that have no initial shared secret information. This, however, can only occur under the proviso that both parties have access to a quantum channel and an ordinary channel that may be susceptible to passive eavesdropping. This can be done with the use of polarized photons.

Polarized photons are created by polarizing a beam of light with polarizing equipment such as Polaroid filters or calcite crystals. Photons have quantum mechanical properties, so the uncertainty principle constrains the measurement of a single photon to reveal a single bit about its polarization state. Photons, however, will behave deterministically if the orientation of the photon is either parallel or perpendicular to the orientation of the filter. Parallel orientation results in complete transmission, and perpendicular orientation results in complete absorption. If the two axes of orientation are not perpendicular, then an incident photon of orientation α passing through a polarizer of orientation β will result in a transmitted photon of orientation β. A photon also cannot be cloned, because cloning contradicts the nature of quantum mechanics.

(This following paragraph contains mostly copied portions from the article as it involves their formalism in introducing quantum mechanics)
A photon is a sub-atomic particle that is subject to quantum effects. Quantum mechanics can be considered as the interpretation of a photon’s state within a defined quantum system, which is a ‘vector, ψ, with the properties of being unit length in a linear space, H, over field of complex numbers.’ This space is known as Hilbert space. For a Hilbert space, ‘each physical measurement, defined as M, upon the system corresponds to a resolution of its H space into orthogonal subspaces, one for each possible outcome of the measurement.’ When a system in a state, denoted by ψ, has a physical measurement, M, acted upon it, ‘its behavior is in general probabilistic: where outcome, k, occurs with a probability equal to:
[Equation: probabilistic outcome of M_k and ψ]
After the measurement, the system is left in a new state:
[Equation: normalized unit vector]
Which is the normalized unit vector in the direction of the old state vector’s projection into the subspace M_k. This measurement has a deterministic outcome which leaves the state vector unmodified.’ This implies that the outcome of the physical measurement will always provide a unique outcome from the same set of input variables. In other words, this measurement can be considered as a 1-1 function.
‘The Hilbert space for a single polarized photon is two-dimensional, which implies that the state of the photon can be described as a linear combination of two unit vectors that represent horizontal and vertical polarization.’ These unit vectors are:
[Equation: horizontal and vertical unit vectors]
‘A photon polarized at an angle, α, to the horizontal is described by the state vector (cosα, sinα).’ When the photon is subject to horizontal polarization, the photon has a probability of (cosα)^2 of becoming horizontal. This is similar for vertical polarization, where the photon has a probability of (sinα)^2 of becoming vertical. This implies that ‘the two orthogonal vectors r_V and r_H exemplify the resolution of a 2-dimensional Hilbert space into 2 orthogonal 1-dimensional subspaces.’
‘An alternative basis for the same Hilbert space can be considered with two diagonal basis vectors:
[Equation: diagonal basis vectors]
Where d_1 represents a 45-degree photon, and d_2 represents a 135-degree photon.’

For non-quantum cryptography, a trapdoor function is used in a public key to initially encrypt a message between two parties in order to hinder any passive eavesdropping. For quantum cryptography, the public key is used to send a sequence of random bits between two parties, rather than a message. The two parties can communicate over a non-quantum channel and, with high probability, determine whether the original transmission of random bits has been subject to eavesdropping. If the transmission has been subject to eavesdropping, the disrupted material can be disposed of, and the transmission attempt repeated until a sufficient number of random bits have been exchanged for them to use as a one-time pad. If the transmission has not been subject to eavesdropping, then the shared random bits can be used as a one-time pad to encrypt any further communications, or for other cryptographic purposes.

The transmission of the random bits through a quantum channel is as follows: Party A, or Alice, chooses a random bit string and a random sequence of polarization bases that are either rectilinear or diagonal. Alice sends a train of photons to party B, or Bob, where each photon represents a single bit of the string in the basis chosen for that bit position. The photon is a binary zero if the polarization is horizontal or at 45 degrees, and is a binary one if the polarization is vertical or at 135 degrees. Once Bob has received the photons, he can choose to measure either the rectilinear or the diagonal polarization of each photon. Bob’s choice of measurement influences the result that he obtains from the polarized photons. As such, if he attempts to measure the rectilinear polarization of a diagonally polarized photon, or vice versa, the information is lost and he receives a non-deterministic result. This implies that Bob will only obtain meaningful results from half of the data. This percentage of meaningful results is an optimal proportion, as in reality, the use of imperfectly-efficient detectors would result in a reduction of photons received. Bob can communicate his results to Alice over a non-quantum encrypted channel that provides Bob and Alice with authentic and non-repudiable messages, but may be susceptible to passive eavesdropping.

Any eavesdropping on the quantum transmission can result in the diagonal and rectilinear photons becoming altered, which will cause disagreements between Alice and Bob on bits that would have originally matched. ‘No measurement of a polarized photon during its transit, by an eavesdropper informed of the original basis, will yield more than 1/2 the expected bits of information about the key bit encoded on that photon.’ ‘Were the eavesdropper to measure and re-transmit all of the photons in the rectilinear basis, they would be able to learn the correct polarization of half of the photons and would induce disagreements in 1/4 of the photons that were re-measured in the original basis.’ The implication of this is that Bob and Alice can publicly compare some of the bits that are likely to agree. If the bits do agree, then Alice and Bob can be confident that no eavesdropping has occurred. Although this method does reduce the secrecy of some of the bits, only a small portion of correctly received bits need to be used, which results in the remaining received bits staying secure.
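The exchange and the public comparison described above can be simulated directly. The following Python sketch is an added example, not code from Bennett and Brassard's article: it applies the (cosα)^2 rule to a filter at any angle, and the sample size of 500 bits and the 5% acceptance threshold are assumptions chosen for illustration.

```python
import math
import random

# (basis, bit) -> polarization angle in degrees, per the encoding above:
# bit 0 is horizontal (0) or 45 degrees, bit 1 is vertical (90) or 135 degrees.
ANGLE = {("R", 0): 0, ("R", 1): 90, ("D", 0): 45, ("D", 1): 135}


def measure(angle, basis, rng):
    """Measure a photon polarized at `angle` in `basis`; return (bit, new angle).

    The photon is found in the basis's bit-0 state with probability
    cos^2(angle - bit-0 angle), and leaves in the state it was found in.
    """
    p_zero = math.cos(math.radians(angle - ANGLE[(basis, 0)])) ** 2
    bit = 0 if rng.random() < p_zero else 1
    return bit, ANGLE[(basis, bit)]


def sifted_keys(n, eavesdrop, rng):
    """Send n photons; return Alice's and Bob's bits where their bases matched."""
    alice, bob = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randint(0, 1), rng.choice("RD")
        angle = ANGLE[(a_basis, a_bit)]
        if eavesdrop:
            # Intercept-resend: every photon is measured rectilinearly in transit.
            _, angle = measure(angle, "R", rng)
        b_basis = rng.choice("RD")
        b_bit, _ = measure(angle, b_basis, rng)
        if a_basis == b_basis:  # bases are compared over the public channel
            alice.append(a_bit)
            bob.append(b_bit)
    return alice, bob


def check_channel(n=20000, eavesdrop=False, sample=500, threshold=0.05, seed=7):
    """Publicly compare `sample` sifted bits; return (error rate, accepted, bits left)."""
    rng = random.Random(seed)
    alice, bob = sifted_keys(n, eavesdrop, rng)
    revealed = set(rng.sample(range(len(alice)), sample))
    rate = sum(alice[i] != bob[i] for i in revealed) / sample
    remaining = len(alice) - sample  # revealed bits are discarded, not reused
    return rate, rate <= threshold, remaining


if __name__ == "__main__":
    print(check_channel(eavesdrop=False))
    print(check_channel(eavesdrop=True))
```

About half of the photons survive sifting in both runs; only the run with the rectilinear intercept-resend listener shows the disagreement rate near 1/4 that causes the batch to be rejected.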

The received bits can be used as a one-time pad for further secure communication between Bob and Alice over a public channel. The concern that the public channel could be compromised by active eavesdropping is reduced if Wegman-Carter authentication tags are implemented through a previous agreement of a small secret key. The suggestion for the WC authentication method is due to the unlikelihood of an eavesdropper, ignorant of the key, being able to reproduce a valid message-tag pair. The WC method also involves the gradual loss of bits which cannot be reused without compromising the security of the system. However, these bits can be replaced by new random bits that are transmitted through the quantum channel.

One of the important advantages of using quantum key distribution is that both Alice and Bob have a high probability of being able to discern whether their exchange is being eavesdropped, and hence, compromised.



Bennett and Brassard (December 1984). Quantum Cryptography: Public Key Distribution and Coin Tossing.