JP2024059562A - Node for quantum communication system, quantum communication system and method - Google Patents

Abstract

A node, a quantum communication system and a method for a quantum communication system are provided. A node 301 in the quantum communication system comprises QKD hardware, an authentication key store, a user QKD key store and a controller. The QKD hardware allows quantum keys to be distributed between the node and an external further node. The controller applies post-processing to the quantum keys to produce keys with predefined security parameters indicative of a probability of security failure, and allows the security parameters applied to the quantum keys to be varied for a number of different quantum keys. The node also stores a number of first keys in the authentication key store, the first keys having a first security parameter with a value in a first range, and a number of second keys in the user QKD key store, the second keys having a second security parameter with a value in a second range. [Selected Figure]

Description

The embodiments described herein relate to nodes for quantum communication systems, quantum communication systems and methods.

Quantum Key Distribution (QKD) is a technique for the generation of random digital keys shared between remote users (conventionally called Alice and Bob), where the security of the key exchange process can be quantified using theoretical principles alone (specifically, information theory and quantum mechanics). This means that QKD is secure against attacks where an eavesdropper (conventionally called Eve) may have extremely high computational power (e.g., a large-scale fault-tolerant quantum computer). This is in stark contrast to traditional public key cryptography approaches to key exchange (e.g., RSA, Elliptic Curve Cryptography, etc.), which all rely on computational assumptions - i.e., the perceived difficulty of a computer performing a particular task.

Briefly, QKD generally works by transmitting from a transmitter (usually called Alice) and measuring quantum states at a receiver (usually called Bob), then post-processing the measurements to output a secure key. Due to the laws of quantum mechanics, any attempt by an eavesdropper to intercept the quantum state will inevitably result in a change of state. This can therefore be detected based on the measurements at Bob and the post-processing that is done using classical communication between Alice and Bob. Intuitively, through post-processing, the two users can effectively "process out" the effects of the eavesdropper (e.g., if the eavesdropper interfered with or measured any states in the transmission) and output only the secure key. Naturally, the more the eavesdropper interferes with the transmitted sequence of quantum states, the more processing and bit discarding must be done to remove the eavesdropper's effects, reducing the size of the output secure key.

FIG. 1 is a schematic diagram of communication between two nodes in a QKD system. FIG. 2 is a schematic diagram of a method for generating and storing QKD keys. FIG. 3 is a schematic diagram of a method for generating and storing QKD keys according to one embodiment. FIG. 4 is a plot of key rate per raw key bit versus length for different security parameters. FIG. 5 is a flow diagram illustrating a method for generating and storing keys in which the size of the key store is monitored, according to one embodiment. FIG. 6 is a schematic diagram of a node according to one embodiment. FIG. 7A is a schematic diagram of an emitter for use in a QKD system. FIG. 7B is a schematic diagram of a receiver for use in a QKD system.

In one embodiment there is provided a node in a quantum communication system, the node comprising:
a quantum key distribution unit configured to enable quantum keys to be distributed between the node and an external further node;
a post-processing module configured to apply post-processing to the quantum key to produce a key with a predefined security parameter, wherein the post-processing module comprises a controller configured to allow a security parameter applied to the quantum key to be varied for a plurality of different quantum keys, the security parameter being indicative of a probability of a security failure;
a first key store and a second key store, where the node is configured to store a plurality of first keys in the first key store having a first security parameter with a value in a first range and to store a plurality of second keys in the second key store having a second security parameter with a value in a second range, the first range having a plurality of values different from the second range.

The above provides a flexible post-processing and key storage scheme whereby post-processing parameters are dynamically adjusted on demand in response to QKD system needs. The above provides key management for a quantum key generation system with separate key stores for different applications, where the keys in each key store have different security parameters (resulting from processing stages with different parameter sets).

The above also provides for dynamic tuning of post-processing parameters in a quantum communication system to optimize long-term security of key generation. System parameters (which affect the overall system and/or the security of the generated keys) are dynamically optimized to maximize long-term security of key generation.

In one embodiment, the post-processing module is configured to perform privacy amplification. In one embodiment, the post-processing is performed either in software or using hardware acceleration (e.g., on an FPGA and/or with an ASIC). The post-processing can be collocated with the QKD system or in a separate module provided at the same location. For example, the QKD unit can be a low-power computer, in which case the keys are sent over a local LAN to a high-computation server in the same network. QKD security is typically concerned with protecting the channel between nodes (over several km), rather than protecting the LAN at a given node.

In one embodiment, the node further comprises an authentication module, which is configured to authenticate communications over a classical communication channel with an external further node. The authentication module may be configured to perform authentication using an authentication key obtained via the quantum key distribution unit. Thus, the QKD module is used to provide potential keys for authentication, since the authentication key is to be updated either every QKD session or every N QKD sessions, where N is an integer equal to or greater than 2.

The quantum key distribution unit is configured to sift the quantum key using communication over an authenticated classical communication channel between the node and an external further node. The authenticated channel may also be used for communication during error detection and/or correction, and during privacy amplification.

The nodes may also include a classical communication module configured to encrypt or decrypt communications using keys obtained via the quantum key distribution unit. This allows the nodes to send or receive messages encrypted with a QKD key shared between the two nodes. However, in further embodiments, the QKD system does not need to perform this encryption itself. Often, a customer purchases a QKD system to generate keys, which are then distributed to the customer to perform their own encryption. Thus, in one embodiment, a key store for unauthenticated keys may also be used to distribute keys to "applications", where the applications are left to the user.

In one embodiment, the multiple values of the first security parameter in the first range are lower than the multiple values of the second security parameter in the second range, the authentication module is configured to access the first key store to obtain multiple keys for authentication, and the classical communication module is configured to obtain multiple keys for encryption from the second key store. Thus, the keys used for authentication are more secure than those used to encrypt the communication. In one embodiment, the security of the keys used for authentication is higher than those used to encrypt the communication, because the security of the authentication key will affect the security of any generated keys when the authentication key is used in operations such as sieving, error correction, and privacy amplification.

The control device may be configured to receive a control signal, and in response to the control signal, the control device is configured to determine values of security parameters for the keys to be stored. For example, an external device, such as a user or another node, may provide the control signal. Thus, in this situation, the post-processing parameters for the keys output to each keystore are user-tunable. In a further embodiment, the parameters of the processing (specifically the target security parameters in the privacy amplification stage) are determined based on some threshold size of each keystore.

The control signal may thus be provided by a monitoring circuit configured to monitor the number of keys in the first key store, the monitoring circuit providing a control signal for post-processing the plurality of keys to achieve a first security parameter having a value in a first range when the number of keys in the first key store is less than or equal to a threshold, and for post-processing the plurality of keys to achieve a second security parameter having a value in a second range when the number of keys in the first key store is greater than the threshold. In one embodiment, a node is enabled to communicate with two or more nodes. Since the authentication key is specific to a pairing of nodes, a threshold is determined for each pair of nodes.

The threshold may be the number of keys in a key store for authentication purposes. However, the threshold may be set for other purposes.

In a QKD system, when there are multiple nodes, the key stores in different nodes may be of different sizes and different thresholds may be set. When a key is generated, it is generated between two nodes, and if one node meets the conditions to generate more authentication keys, it will send a control signal to the other node to inform it to post-process the authentication keys as well, even if the other node has not reached the conditions to generate more authentication keys. In another example, the two nodes will be well synchronized in terms of parameters and key stores.

Although two key stores for two different security parameter ranges are described above, three or more key stores may be provided, each storing multiple keys having multiple security parameters in multiple different ranges.

In one embodiment, the first range may comprise keys having security parameters from 1e ⁻¹⁴ to 1e ⁻²² , and the second range may comprise keys having security parameters from 1e ⁻⁸ to 1e ⁻¹⁴ .

In a further embodiment, the quantum key distribution unit comprises:
an encoder configured to encode information onto the light, where the information is encoded by randomly selecting one state from a plurality of states for transmission to a user node, the light leaving the server in pulses containing, on average, less than one photon;
a decoder configured to receive a plurality of light pulses containing on average less than one photon and to decode information from the plurality of light pulses by measuring the plurality of light pulses, wherein a measurement basis for the measurements is randomly selected from a set of a plurality of measurement bases to enable measurement of a plurality of states used to encode the information;
and
The quantum key distribution unit further comprises a sifting unit configured to enable the server to compare a basis it used for encoding or decoding with that used by the user node for decoding or encoding, the quantum key distribution unit being configured to discard information from a number of pulses where the encoding basis and the measurement basis for decoding did not match.

In one embodiment, the QKD unit will comprise both a transmitter and a receiver, depending on whether the node is to function as a transmitter or a receiver during the QKD process. However, a node can include only a transmitter if it is to perform QKD only with nodes that have receivers, and also may include only a receiver if it is to perform QKD only with nodes that have transmitters. The above is not limited to preparation and measurement type QKD systems, and any type of QKD system may be used, including entanglement-based systems, for example, where the quantum communication system is a discrete variable (DV) QKD system, implementing protocols such as (but not limited to) BB84, T12, MDI QKD, or TF QKD. In a further embodiment, the quantum communication system is a continuous variable (CV) QKD system.

In one embodiment, a quantum communication system is provided that includes a plurality of nodes.

In a further embodiment, a method of quantum communication is provided, the method comprising:
performing quantum key distribution at a first node with a second node to obtain a quantum key between the first node and the second node;
post-processing the quantum keys at the first node to produce keys having predefined security parameters, the post-processing being controlled to allow a security parameter applied to the quantum key to be varied for a number of different quantum keys, the security parameter being indicative of a probability of security failure;
storing, by a first node, a plurality of first keys in a first keystore, the first keys having a first security parameter with a value in a first range;
The method comprises storing, by the first node, a plurality of second keys in a second key store having a second security parameter with a value in a second range, the first range having a plurality of values different from the second range.

In one embodiment, performing the quantum key distribution comprises sifting a quantum key using communication on an authenticated classical communication channel between the first node and the second node. In one embodiment, encrypting or decrypting the communication is performed using a key obtained by performing the quantum key distribution. Because the keys used to encrypt and decrypt the classical communication are not reused to generate further keys, they may have higher security parameters than the authentication key, which will contribute to the security of any quantum keys created using the authentication key for authentication.

Thus, in one embodiment, the multiple values of the first security parameter in the first range are lower than the multiple values of the second security parameter in the second range, and the multiple first keys are obtained from a first key store for authentication and the multiple second keys are obtained from a second key store for at least one of encryption and decryption.

In one embodiment, the method further comprises monitoring a number of keys in the first key store and controlling post-processing to create a plurality of keys to achieve a first security parameter having a value in a first range when the number of keys in the first key store is less than or equal to a threshold, and to post-process the plurality of keys to achieve a second security parameter having a value in a second range when the number of keys in the first key store is greater than the threshold.

Although the above mainly refers to security parameters, other parameters, e.g., "key processing block size", may be among the parameters that are dynamically optimized for different key stores.

In a further embodiment, there is provided a method of operating a QKD system, the method comprising:
Obtaining an authentication key from a first key store;
authenticating a first communication channel between the first node and the second node using the obtained authentication key;
performing quantum key distribution between the first node and the second node, the quantum key being sifted using communications on an authenticated first communications channel to establish a first quantum key for the first user and the server;
determining a number of authentication keys in a first key store, where when the number of authentication keys in the first key store is less than or equal to a threshold, post-processing the quantum key to produce a plurality of authentication keys for the first key store having a first security parameter within a first range of values;
wherein when the number of authentication keys in the first key store exceeds a threshold, post-processing the quantum key to create a plurality of authentication keys for the second key store having a second security parameter within a second range of values, the second security parameters within the second range being higher than the first security parameters in the first range.

In a further embodiment, the first security parameter is lower than the second security parameter, the authentication module is configured to access the first key store to obtain a plurality of keys for authentication, and the classical communication module is configured to obtain a plurality of keys for encryption from the second key store.

In a further embodiment, there is provided a method of operating a QKD system, the method comprising:
performing quantum key distribution between a first node and a second node to generate a plurality of quantum keys;
post-processing the plurality of quantum keys to produce a plurality of keys using at least one control processing parameter to produce a plurality of keys of a plurality of different types;
storing the plurality of post-processed quantum keys in a plurality of key stores, such that each key store comprises a plurality of keys of the same type;
monitoring a number of keys in a number of different key stores, and when the number of keys in a key store is below a threshold for that key store, controlling post-processing parameters of the generated quantum keys to create additional keys to replenish the keys in the key store where the number of keys is below the threshold, where the keys of the same type have parameters within predefined ranges.

For example, in one embodiment, multiple keys of the same type may have their security parameters within set ranges. Other parameters, such as key processing block size or raw key length, may also be used.

Figure 1 is a schematic diagram of a quantum communication system. In this embodiment, a QKD protocol called preparation and measurement point-to-point QKD protocol is described. However, other protocols such as (but not limited to) entanglement-based QKD, MDI QKD, and TF QKD may also be used with the methods described herein.

Next, a basic preparation and measurement point-to-point QKD protocol using polarized light is described. However, it should be noted that this is not meant to be limiting and other polarization-based protocols may also be used. Furthermore, the above server may be used with any QKD system and is not limited to applications involving polarized light. For example, phase or energy/time based QKD protocols may also be used.

The protocol uses two bases, where each base is described by two orthogonal states. In this example, the horizontal/vertical (H/V) and diagonal/anti-diagonal (D/A) bases. However, a left/right circular polarization (L/R) basis can also be chosen. The sender in the protocol (Alice) prepares a state with one of the H, V, D or A polarizations in step S1. In other words, the prepared state is selected from two orthogonal states (H and V, or D and A) in one of the two bases H/V and D/A. This can be thought of as sending a signal of 0 and 1 in one of the two bases, for example H=0, V=1 in the H/V basis and D=0, A=1 in the D/A basis. The pulses are attenuated so that they comprise less than one photon on average. Thus, if a measurement is made on the pulse, it is destroyed. It is also not possible to separate the pulses.

The receiver (Bob) uses a measurement basis for the polarization of the pulse, selected in step S3 from the H/V basis or the D/A basis. The selection of the measurement basis can be active or passive. In passive selection, the basis is selected using a fixed component such as a beam splitter. In "active" basis selection, the receiver uses, for example, a modulator with an electrical control signal to determine in which basis to measure. If the basis used to measure the pulse at the receiver is the same as the basis used to encode the pulse, the receiver's measurement of the pulse will be accurate. However, if the receiver selects the other basis to measure the pulse, there will be a 50% error in the results measured by the receiver.

To establish the key, the sender and receiver compare the bases used to encode and measure (decode) in step S5. If they match, the result is kept, if they do not match, the result is discarded. This process is commonly called sieving.

If an eavesdropper intercepts and measures the pulse, the eavesdropper must prepare another pulse to send to the receiver. However, the eavesdropper does not know the correct measurement basis and therefore has only a 50% chance of measuring the pulse correctly. Any pulse reproduced by the eavesdropper will cause a larger error rate for the receiver, which can be used to prove the presence of an eavesdropper. The sender and receiver compare small portions of the key in step S7 to determine the error rate and therefore the presence of an eavesdropper.

Next, in step S9, privacy amplification is performed. Privacy amplification uses Alice's and Bob's keys to create a new, shorter key such that an eavesdropper has only negligible information about the new key. This can be done using a universal hash function, chosen randomly from a known set of such functions, that takes as its input a binary string of length equal to the key and outputs a binary string of the chosen shorter length. The amount by which this new key is shortened can be calculated based on the error rate measured in S7 and the desired security of the QKD system. The obtained keys in S9 are then output to key stores in Alice's and Bob's devices.

The goal of privacy amplification is to reduce the probability that an eavesdropper has some knowledge of the key below a certain boundary, i.e., ε (a security parameter). Specifically, this involves transforming a weak secret string (the error-corrected key from the QKD sieving process) into a secure key that is maximally unknown by Eve. In terms of implementation, privacy amplification uses mathematical randomness extraction techniques, often using randomly chosen hash functions, to shorten the weak secret key, reducing the amount of information obtained by Eve as much as possible. By sacrificing partial key information of Alice and Bob, privacy amplification makes the knowledge obtained by Eve (i.e., intuitively quantified by ε) as small as possible.

The steps of privacy amplification can be summarized as follows:
1) After the sifting stage, Alice and Bob independently calculate the final key length they need to achieve, which depends on the security proof and various parameters contained in the proof. These parameters include measurements such as the link quantum bit error rate (QBER) for each session, as well as QKD system design parameters such as the processing block size and, crucially, the desired security parameter ε.
2) Alice randomly selects a suitable hash function belonging to the well-known 2-universal class and communicates it to Bob (where the processing function is chosen to satisfy the required final key length given the input string size).
3) Alice and Bob act upon their error-corrected keys to hash with this function and output a (shorter but) secure final QKD key.

Although the above has been described with respect to polarization, this is by way of example only. Other QKD protocols based on other systems such as phase or energy/time may be used.

The above QKD requires two channels: a "quantum channel" used for communication of pulses containing less than one photon on average, and a classical channel used for the discussion of bases ("sieving"), error correction and privacy amplification. The classical channel can also be used for further communication once a key has been established on the quantum channel. Note that the term "channel" is used to refer to a logical channel. The quantum and classical channels may be located in the same physical fiber.

However, for the sifting process, error correction and privacy amplification, the classical channel also needs to be authenticated. This means that it can be verified without a doubt that classical messages communicated between Alice and Bob were sent by the other party and have not been tampered with in transmission. In other words, this avoids man-in-the-middle attacks. Authentication can be done using public key cryptography (e.g., RSA). However, in one embodiment, Alice and Bob authenticate each other using a pre-shared symmetric key (PSK).

For completeness, note that when two parties share a secret key, they can authenticate each other using many different methods. One method involves the use of a message authentication code (MAC), often the Wegman-Carter MAC, where the sender (e.g., Alice) and receiver (e.g., Bob) share a key (PSK).

Briefly, to verify the authenticity and integrity of a message Alice sends to Bob, Alice sends a MAC "tag" along with the message itself. The MAC tag is calculated at Alice by hashing the message and one-time pad encrypting it using a PSK pre-shared with Bob. Bob verifies the message by calculating the MAC tag for the message he receives and comparing it to the MAC tag he received from Alice. If the MAC tags match, Bob accepts the message as authentic, since only Alice has the PSK necessary to generate the correct MAC tag for that given message.

Message authentication is often implemented using a Wegman-Carter message authentication code (MAC). There are many possible algorithms for generating an ITS MAC tag, but the general idea is that some pre-shared secret is used to create an authentication tag for a given message or sequence of messages. For example, a pre-shared key may be used to select a particular hash function from a family of available hash functions, and/or this key may be used to encrypt the hash before sending it.

However, despite the quantum nature of the key transmission, the security of QKD is inherently probabilistic. It can be argued that the final key is completely private and completely random, except with probability ε. We make the pessimistic assumption that this probability ε means that an adversary may know the complete key.

The security of QKD can therefore be described by a "security parameter", i.e., ε, which defines the probability of security failure (i.e., intuitively speaking, the probability that an attacker learns the key). The security parameter ε for a given protocol is determined by its security proof (derived from quantum mechanics, information theory, etc.), which takes into account system parameters such as channel loss, error rate, size of processed data blocks, etc.

In one embodiment, a target security parameter is determined and privacy amplification is performed to achieve the target security parameter. The target security parameter may be determined to achieve a given probability of failure. The privacy amplification algorithm then performs enough operations to achieve this target. More privacy amplification operations means more bits are discarded (i.e., more secure and therefore lower probability of failure).

The exact process for privacy amplification relies on fairly complex formulas derived as part of the security proofs for QKD, involving information theory, statistics, and quantum mechanics. This is where epsilon (i.e., the security parameter) comes from in theory. Different protocols have different security proofs and therefore potentially different ways of featuring epsilon. For a discussion of privacy amplification and security parameters, see ETSI GS QKD 005 v1.1.1 (2010-12), Quantum Key Distribution (QKD)Security Proofs and Liu et al “A Security Real-Time Privacy Amplification Scheme in QKD System,” Journal of Universal Computer Science, vol. 19, no. 16 (2013) 2420-2436.

There are many different protocols and certificates that exist for QKD, but the general concept is common and allows for key generation with known security parameters.

There are various factors that contribute to ε, and for high performance QKD systems, efforts are made to minimize this value of ε in order to provide maximum security. Thus, the objective of a QKD system can be more precisely described as generating information-theoretically secure (ITS) keys with security parameter ε, where ε is small. Note that the exact value of ε that is considered acceptable is application and/or user dependent.

When considering a cryptosystem, an overall cryptographic application can be constructed from a variety of underlying cryptographic primitives (i.e., basic protocols that perform a given function).

To analyze such cryptosystems, the Universally Composable Security framework can be used to provide cryptographic primitives that are compatible with it. A "Universally Composable" primitive is thus described as a cryptographic protocol whose output can be used by another cryptographic protocol, so that the security proof for each protocol can be evaluated independently. Universal composability is a mathematical property that forms part of the security proof for an information-theoretically secure cryptographic primitive. This property is independent of whether the primitive is for QKD post-processing, or for authentication, or for something else. Thus, to meet the requirement (i.e., to be composable), the security proof of the primitive must explicitly take into account the ability of the primitive to be analyzed independently of other protocols. If a primitive meets the requirement to be called composable, then the epsilons can be added together when it is used as part of a wider cryptosystem.

This greatly simplifies the analysis of cryptosystems composed of multiple primitives, allowing the security parameter ε of the overall system to be bounded by the sum of the independently derived security parameters of each component. For example, if two composable primitive operations with security parameters ε ₁ and ε ₂ are used in a system, then the security parameter ε for the overall operation of the system is:
ε≦ _ε1 ＋ _ε2

QKD is an ITS cryptographic primitive. However, the QKD protocol relies on the existence of an authenticated classical communication channel for the post-processing stage. If an attacker can successfully spoof messages between users, this man-in-the-middle attack can render the keys output from the QKD system insecure.

Thus, practical QKD system operation relies on composing QKD primitives (with security parameter ε _{qkd-primitive} ) and message authentication primitives. If an ITS message authentication scheme is used with security parameter ε _auth (i.e., ε _auth refers to the probability of "passing" the authentication protocol while the output on Bob's side is in some way distinguishable from Alice's intended message - i.e., intuitively speaking, the probability that Eve successfully forges a message), then the complete QKD operation (including authenticated classical communication) outputs a QKD key with overall security parameter ε, where:
ε≦ε _{qkd-primitive} ＋ε _auth

Note that there are other primitives on which complete QKD depends, such as random number generation for choosing bit values and measurement basis. Therefore, the security parameters of the random number generation (i.e., quantifying the probability of a non-truly random selection), and potentially other factors, should also be added to the overall system security parameters. Such additional factors can potentially be made negligible through judicious selection of device design and/or parameters. To illustrate this concept, the following discussion focuses here only on the security parameters of QKD primitives and authentication. QKD primitives operate in a block-wise fashion, since the security proof must take into account the statistical variation inherent in any measurement. (This is called finite key or finite size QKD processing.)

The above also assumes that security parameters from previous stages are combined by addition. However, the methods taught herein may be used with any type of system in which security parameters from previous sessions may affect the security parameters of subsequent keys.

A single session of QKD comprises sending/measuring some number of quantum states, followed by post-processing performed on the block of measurements. Using a larger block size is more efficient (as the sample is more statistically representative of the population) and results in a higher "raw-measurements-to-secure-key-bits ratio". However, larger blocks are more computationally expensive to process and increase the delay before the QKD key is actually output.

Target security parameters can also be set as post-processing options, which will affect how much privacy amplification is performed.

The overall authentication security parameters ε _auth depend on both the security parameters of the authentication algorithm ε _auth-algo and the security parameters of the key used in the authentication algorithm ε _auth-key :
ε _auth ≦ε _auth-algo ＋ε _auth-key

So if QKD key generation requires authentication, and authentication itself requires a secure key, how do we begin the process? And since the ITS security certificate prevents key reuse, how can we provide additional keys to the authentication process while still guaranteeing security?

The first problem can be solved by using a pre-shared secret - installed during manufacturing of the QKD system, i.e. when Alice's and Bob's QKD systems are first built, a key can be generated by a local quantum random number generator and installed on both systems (since Alice's and Bob's units are co-located in a physically secure location, there is no need for a secure key exchange protocol here).

However, the second problem is more difficult to solve. ITS message authentication requires a "fresh" key for generating each MAC tag. This means that authentication depletes the pre-shared key store. To replenish the key store and prevent the authentication scheme from running out of keys, new keys can be generated by QKD and added to the key store for subsequent authentication sessions.

However, consider that the first session of QKD generates a key with the following security parameters:
ε ₁ ≦ε _{qkd-primitive} ＋ε _auth

When these QKD generated keys are used for authentication in subsequent sessions of QKD system operation, the security parameters become:
ε ₂ ≦ε _{qkd-primitive} ＋ε _auth
... . . ε _auth is expanded to...
ε ₂ ≦ε _{qkd-primitive} + (ε _auth-algo + ε _auth-key )
. . . The QKD output key from the previous session is used, so substitute ε ₁ for ε _auth-key :
ε ₂ ≦ε _{qkd-primitive} + (ε _auth-algo + ε ₁ )

Therefore, the security parameters include a sum that includes the security parameters of the previous session, which means that the new QKD key is slightly less secure than the originally generated QKD key, because the parameters for the QKD primitive (ε _{qkd-primitive} ) and the parameters for the authentication algorithm (ε _auth-algo ) are added together.

Therefore, each time the authentication algorithm is rekeyed, the QKD keys generated in that session become slightly less secure, i.e.
ε ₃ ≦ε _{qkd-primitive} + (ε _auth-algo + ε ₂ )
ε ₃ ≦ε _{qkd-primitive} + (ε _auth-algo + [ε _{qkd-primitive} + (ε _auth-algo + ε ₁ )])

Generalizing this, after N sessions of QKD operation (where each session involves rekeying the authentication using the QKD key of the previous session), the security parameters degrade to:

Figure 2 shows the operation of QKD with multiple sessions 51, 52, 55, 56, 57, 58. In this example, authentication is rekeyed after two QKD sessions using one of the keys from the last session.

For example, sessions 51 and 52 are both conducted using an authentication key with security parameter ε _1. Both of these sessions produce keys with security parameter ε ₂ , which are then provided to key store 53. Authentication is then rekeyed using the latest key with the security parameter of ε _2. Both sessions 55 and 56 are both conducted using an authentication key with security parameter ε _2. Both of these sessions produce keys with security parameter ε ₃ , which are then provided to key store 53. Authentication is then rekeyed using the latest key with the security parameter of ε ₃ .

Both sessions 57 and 58 are conducted using an authentication key with security parameter ε _3. Both of these sessions produce keys with security parameter ε ₄ , which are then provided to key store 53.

In practice, any number of QKD sessions may be used within each authentication session - this is chosen here merely for illustrative purposes. Depending on the size of the key store, many authentication sessions may occur before it becomes necessary to use a QKD key from a previous session - again, the example here is just one possible illustrative implementation.

As an example, a commonly used value of ε _{qkd-primitive} = 1e-10 (where this is set by choosing appropriate parameters for the system design and/or post-processing algorithm). The ITS MAC scheme is used for this QKD system, where the security parameters of the authentication algorithm are negligibly small.

but the key for this ITS MAC is used from the previous QKD session. For this example, assume that the QKD system runs for 5 years, with authentication tags sent at 1 minute intervals. For simplicity, assume that a QKD key is generated every minute, and the next minute uses the QKD key from the previous minute - i.e., each authentication session uses a new key from the last session. In this example, the number of sessions over the life of the QKD system is N~2e6, which means that the security parameters for the QKD keys generated towards the end of the QKD system life are as follows:

This shows that while the initial QKD keys exhibit security parameters of ∼1e-10, subsequent QKD keys generated have security parameters as poor as 2e-4 - i.e., a six order of magnitude reduction in security over the lifetime of the QKD system. This is clearly problematic for a practical QKD system targeted for a long product lifespan to supply keys for real security applications.

The above describes the long-term security degradation of current QKD systems that use generated keys to replenish keying material for authentication in subsequent sessions.

For a practical QKD system, it is desirable to provide security parameter specifications given the application. In the case of security degradation over time, the quoted system performance must be given as the worst case scenario, i.e. after many years of operation (and degradation).

Figure 3 illustrates a system according to one embodiment. In Figure 3, there are multiple QKD sessions. The arrows indicate the direction of key transmission (i.e., from the authentication key store to be used by authentication, or from the QKD session output into a particular key store), and the security parameters of the keys (ε) are shown as labels. Whether a QKD session is a "user key session" or an "authentication key session" may depend on some criteria - note that the patterns of sessions shown above are merely examples.

When a QKD system is first set up, it is installed with a dedicated "authentication key" keystore 71 of pre-shared keys. During normal QKD operation, keys from this keystore are used to ensure that authenticated classical channels operate. QKD post-processing parameters (specifically in the privacy amplification step) are set to generate keys with a target security parameter, e.g., ε _{qkd-primitive-normal} =1e-10. The initially installed pre-shared authentication key is assumed to have a superior security parameter, much better than ε _{qkd-primitive-normal} , e.g., ε=1e-20 in this example.

The QKD output keys from these sessions are stored in a separate "User Keys Keystore" 73 and distributed to users/customers for their applications (this could be direct key distribution to the user's secure application entity, or as part of a wider QKD network via key management systems and trusted node intermediaries). These QKD keys have the desired security parameters, e.g., ε ∼ ε _{qkd-primitive-normal} ∼ 1e-10.

3, the first two sessions 81 and 82 are conducted with an authentication key having a security parameter of ε ₁ , and both of these produce a key to be used to encrypt the subsequent classical channel, which has a security parameter of ε _2. These generated keys are stored in a keystore 73 of user keys.

The next two sessions 83 and 84 are then used to generate further keys for authentication. These keys are produced with security parameters for the QKD primitives that are good enough that even after N sessions (and many years) the degraded performance still results in QKD keys with acceptable security parameters (and this is what is cited in the QKD system specification).

Using the numerical example above, this means that if a six order of magnitude degradation of ε is expected over time, then in order to achieve a desired bound on the long-term overall security parameter, the parameters for the QKD primitives can be chosen to yield a QKD primitive security parameter that is six orders of magnitude better than is initially required.

However, the better security parameters in the QKD primitives are achieved at the expense of the QKD key generation rate. Thus, in order for these keys to be generated with higher security parameters, the overall system performance is degraded, e.g., the secure bit rate is lower.

As explained above, the QKD primitive involves a number of steps - after the quantum state is sent from Alice and measured at Bob, a post-processing stage comprises sieving (discarding measurements prepared/measured in different bases), error correction (identifying and correcting errors in the bits they share after sieving), and finally privacy amplification (processing the error-corrected bit stream to distil a secure key, where the amount of privacy amplification determines the key security parameters). Various parameters in the privacy amplification stage can be adjusted to change the resulting security parameters for the QKD primitive - but there is always a trade-off, i.e. better security parameters degrade the practical performance of the key generation.

For example, ensuring better (i.e. smaller) security parameters may mean having to apply more privacy amplification processing, which discards more bits and results in a lower secure bit rate for the system. Alternatively, parameters could be set that improve security parameters by increasing the size of the block of data processed for each key session - however, this too may be undesirable as it increases the computational resources required and increases the time until the QKD key is available for each session.

The exact performance impact depends on which QKD protocol is used and various other link parameters. However, examples of trade-offs between performance and security parameters can be found in the prior art.

For example, Figure 4 shows simulated key rate performance for a particular QKD protocol and set of link parameters. Note that smaller ε values (i.e., more secure security parameters) result in reduced key rates (i.e., lower "key rate per raw key bit" on the y-axis) for a given raw key length (i.e., input block size).

After the new authentication keys with security parameters of ε _1a are generated, they are then saved in the authentication key store 71. The next two sessions 85 and 86 are conducted with the authentication keys with security parameters of ε _1a , both of which produce keys to be used to encrypt subsequent classical channels with security parameters of ε _2a . These generated keys are stored in the user key store 73.

The numbers regarding the authentication period of messages such as these or the size of the authentication key store may vary between implementations of the QKD system. Whatever values are chosen, the fact remains that the authentication key store will eventually run low and need to be replenished. In a further embodiment, the QKD system will initiate a special "authentication key generation session".

For example, in one embodiment, the QKD system may monitor the remaining size of the "authentication key" key store 71 and trigger an "authentication key generation session" if the size falls below a certain threshold. The threshold may be pre-set or may be intelligently calculated based on link parameters and expected key usage rates (to ensure that it is never completely emptied).

Such an arrangement is illustrated in the flow chart of FIG. 5, where the key generation process starts in step S501. Before generating the key, the size of the authentication key store is checked in step S503. If this falls below a threshold, the method proceeds to step S505, where an authentication key generation session is started.

In the "authentication key generation session", the QKD primitives are executed as normal, but the post-processing parameters, e.g., the privacy amplification parameters, are adjusted to achieve a much more secure security parameter (i.e., a value much smaller than is desired for the security of the QKD key to be output for the user). (e.g., for the values in this current example, ε _{qkd-primitive-extrasecure} << 1e-10, e.g., ε _{qkd-primitive-extrasecure} = 1e-17). The QKD keys generated by this session are stored in the "authentication key keystore" 507 rather than the "user key keystore" 511. Due to the higher security parameters, the secure key rate is lower for this particular session.

Once the authentication key store 507 is replenished, the subsequent QKD session switches back to using the "normal" security parameter target for post-processing and generates keys for the user key store 511 in step S509 with the target security parameters, e.g., 1e-10. This security parameter results in a higher key generation rate than using the security parameter target of 1e-17 used for the authentication key session; when the "authentication key store" runs low, another "authentication key generation session" is triggered.

This approach does not slow down the degradation of security parameters for keys to be used for authentication. Therefore, a very secure epsilon is used as a target for QKD primitives in the authentication key session to pre-compensate for the expected degradation over time.

However, by maintaining separate key stores for authentication keys and user keys, the system can spend the majority of its time performing "user key generation sessions" where the authentication keys are retrieved from the authentication key key store and therefore have significantly better security parameters than current QKD post-processing sessions, which have negligible detrimental effects when composed.

Therefore, after N key sessions, the security parameters for the user key are:

rather than the initial approach of giving

Becomes:

Using the values from the previous example:

This means that after 5 years of QKD system operation, the QKD key security parameters for the user keys are:

This therefore effectively avoids degradation of the QKD keys provided to the user. This means that there is a great deal of design flexibility in how to generate QKD keys and how to use them for authentication. In the above example, it was assumed that each QKD session used a new authentication session with a newly generated QKD key. In practice, since QKD outputs a block of keys with given security parameters, it is not necessary for the nth session to use the QKD key from the (n-1)th session. Instead, a block of QKD keys from a much earlier session can be set aside and used for many subsequent sessions. However, it should be noted that many security applications have policies on things like maximum key lifetime (also known as time-to-live), so it is not desirable to store keys for too long.

In addition, there is no need to use a new authentication session for each QKD session. Instead, authentication can be done at specific intervals, and all communication between Alice and Bob (covering multiple blocks to be processed) is buffered until the MAC tag is sent and verified.

With these two ideas, it is possible to reduce the security parameter degradation rate by using blocks of QKD keys from previous sessions (with optimal ε) for as many authentication sessions as possible. The key store for supplying authentication keys will still be depleted over time and can be replenished by QKD session outputs.

Figure 6 is a schematic diagram of a node 301 that may be used as either Alice or Bob as described above. The node 301 comprises QKD hardware 303 for generating quantum keys. The QKD hardware may comprise a quantum transmitter and a quantum receiver.

One example of a possible transmitter is shown in FIG. 7A as 101. The transmitter can be any type of quantum transmitter capable of emitting polarization-encoded photons. In this particular example, the transmitter 101 comprises four lasers 105, 107, 109, and 111, each emitting horizontally polarized light. The output from laser 105 is fed towards polarization combining optics 139. The output from laser 107 is fed towards polarization combining optics 139 via a half-wave plate configured to convert horizontally polarized light to diagonally polarized light. The output from laser 109 is fed towards polarization combining optics 139 via a half-wave plate configured to convert horizontally polarized light to vertically polarized light. The output from laser 111 is fed towards polarization combining optics 139 via a half-wave plate configured to convert horizontally polarized light to oppositely polarized light.

The polarization combining optics allows the different polarizations to be combined into a stream of pulses with randomly varying polarizations. This can be achieved in many different ways. For example, the lasers can be pulsed lasers and a controller (not shown) is provided to randomly select a laser from lasers 105, 107, 109 and 111 to randomly output pulses, so that the pulses reach the polarization combining optics one by one. In other embodiments, the polarization combining optics or further components can be configured to randomly select the output from one laser or randomly selectively block the output from three lasers to allow a pulsed output stream. The pulses can be produced by pulsed lasers or cw lasers can be used with further components to chop the output into pulses.

An attenuator (not shown) is then used to attenuate the power of the pulses so that they contain less than one photon on average. Alternatively, single-photon emitters can be used in place of lasers 105, 107, 109 and 111.

A simplified form of the receiver is shown in Figure 7B. The receiver comprises a 50-50 beam splitter 205 that will direct the incoming pulse along either the first measurement channel 207 or the second measurement channel 209. Since the pulse contains less than one photon on average, the 50-50 beam splitter 205 will randomly direct the pulse along one of the first or second measurement channels. This has the consequence of selecting the measurement basis to be the X(D/A) or Z(H/V) basis. The non-polarizing beam splitter 205 serves to allow the random selection of one of the two bases.

The first measurement channel is for the X basis, which corresponds to the D/A basis. Here, a half-wave plate 211 is provided to rotate the polarization by 45 degrees between the two detection branches, i.e. to provide two measurement bases X and Z. The output of the half-wave plate 211 is then directed towards a polarizing beam splitter 213, which directs pulses with opposite polarities towards opposite-angle detector 215 and pulses with diagonal polarities towards diagonal detector 217. Detectors 215 and 217 are single-photon detectors, e.g. avalanche photodiodes.

Pulses directed along the second measurement channel are measured in a Z basis to determine whether they are horizontal or vertical. Here, pulses directed into the second measurement channel are directed towards a polarizing beam splitter 219, which directs vertically polarized pulses towards detector 221 and horizontally polarized pulses towards detector 223. Again, detectors 221 and 223 are single photon detectors.

If a photon polarized in the D/A basis is received and sent randomly to be measured in the Z basis along the second measurement channel 209, there is a high probability that one of the detectors 221, 223 will register a count. However, this result is unreliable since there is a 50/50 chance that a photon received at the polarizing beam splitter 219 will be directed towards either the vertical or horizontal detector.

In one embodiment, the QKD hardware 303 in node 301 will include both a transmitter and a receiver, depending on whether the node is to function as a transmitter or a receiver during the QKD process. However, a node can include only a transmitter if it will only perform QKD with nodes that have receivers, and also a node can include only a receiver if it will only perform QKD with nodes that have transmitters.

The node 301 also has a key management system 309. The key management system manages key exchange and storage. In the example of FIG. 6, the key management system 309 comprises a user QKD store 307 that stores keys established via QKD to be used to encrypt communications, and an authentication key store 308 that has authentication keys that have either been generated or pre-stored with higher security parameters than the user keys.

In this example, for simplicity, only two keystores are shown. However, more keystores may be provided. For example, if a node is configured to perform QKD with two other nodes, a separate keystore may be provided for each node, and each keystore would be monitored separately.

A control device will be provided to allow control of post-processing. This may be provided in the key management system, as part of the QKD hardware 303, or may be remote from the node. The control device may receive control input from a user to set security parameters, or may receive control input from another node to generate keys with certain security parameters. In a further embodiment, the control device receives input from a monitoring unit that monitors the size of the key store.

Node 301 also includes a key consuming data encryptor 311. The data encryptor uses the QKD key to encrypt/decrypt data communications (e.g., using a one-time pad or an alternative cipher such as AES).

Above we referred to security parameters in general. However, "key processing block size" is a parameter that affects the key rate and the time it takes for a key to be generated. Smaller blocks = worse key rate, but the key is available to the application more quickly (because less processing is required). This can be used instead of or in addition to security parameters.

The node may also include an authentication agent (and/or unit) 310 used during authentication. This may be a stand-alone component or may be part of any of the other components of the user node 301, for example a key consumption data encryptor.

The above scheme is applicable to all QKD systems, regardless of the QKD protocol, since it applies to a common post-processing stage. This means that the idea is relevant to, but not limited to, point-to-point QKD (e.g., BB84 or T12 protocols, as well as distributed phase reference protocols such as coherent one-way (COW) and differential phase shift (DPS)), measurement device independent QKD (MDI QKD) and twin field QKD (TF QKD). The idea is also applicable to the class of continuous variable (CV) QKD protocols.

The method of dynamically adjusting post-processing parameters and using a separate key store may also be applicable to other systems where privacy amplification techniques are used between users over authenticated classical channels.

While certain specific embodiments have been described, these embodiments are presented merely as examples and are not intended to limit the scope of the invention. Indeed, the novel devices and methods described herein may be embodied in a variety of other forms, and further, various omissions, substitutions, and changes in the form of the devices, methods, and products described herein may be made without departing from the spirit of the invention. The appended claims and their equivalents are intended to cover such forms or modifications as are within the scope and spirit of the invention.

Claims (20)

A node in a quantum communication system, the node comprising:
a quantum key distribution unit configured to enable quantum keys to be distributed between said node and an external further node;
a post-processing module configured to apply post-processing to the quantum key to produce a key having a predefined security parameter, wherein the post-processing module comprises a controller configured to enable the security parameter applied to a quantum key to be varied for a number of different quantum keys, the security parameter being indicative of a probability of a security failure;
a first key store and a second key store, wherein the node is configured to store a first number of keys in the first key store having a first security parameter with a value in a first range and a second number of keys in the second key store having a second security parameter with a value in a second range, the first range having a number of values different from the second range;
A node comprising: The node of claim 1, wherein the post-processing module is configured to perform privacy amplification. The node of claim 1, further comprising an authentication module configured to authenticate communications over a classical communication channel with the external further node. The node of claim 3, wherein the authentication module is configured to perform authentication using an authentication key obtained via the quantum key distribution unit. The node of claim 4, wherein the quantum key distribution unit is configured to sift the quantum key using communications over an authenticated classical communications channel between the node and the external further node. The node of claim 3, further comprising a classical communication module configured to encrypt or decrypt communications using a key obtained via the quantum key distribution unit. The node of claim 6, wherein the multiple values of the first security parameter in the first range are lower than the multiple values of the second security parameter in the second range, the authentication module is configured to access the first key store to obtain multiple keys for authentication, and the classical communication module is configured to obtain multiple keys for encryption from the second key store. The node of claim 7, wherein the control device is configured to receive a control signal, and the control device is configured to determine a value of the security parameter for a key to be stored in response to the control signal. The node of claim 8, further comprising a monitoring circuit configured to monitor a number of keys in the first key store, post-process a plurality of keys to achieve the first security parameter having the value in the first range when the number of keys in the first key store is less than or equal to a threshold, and provide the control signal to post-process a plurality of keys to achieve the second security parameter having the value in the second range when the number of keys in the first key store is greater than the threshold. The node of claim 1 further comprises three or more key stores each storing a plurality of keys having a plurality of different ranges of security parameters. The quantum key distribution unit comprises:
an encoder configured to encode information onto light, where the information is encoded by randomly selecting one state from a plurality of states for transmission to a user node, the light leaving the server in pulses containing, on average, less than one photon;
a decoder configured to receive a plurality of light pulses containing on average less than one photon and to decode information from the plurality of light pulses by measuring the plurality of light pulses, wherein a measurement basis for the measurements is randomly selected from a set of a plurality of measurement bases to enable measurement of the plurality of states used to encode the information.
and
2. The node of claim 1, wherein the quantum key distribution unit further comprises a sifting unit configured to enable the server to compare the basis it used for encoding or decoding with that used by the user node for decoding or encoding, the quantum key distribution unit configured to discard the information from a number of pulses for which the encoding basis and the measurement basis for the decoding did not match. A quantum communication system comprising a plurality of nodes, each of which is a node according to claim 1. The quantum communication system of claim 12, configured to implement a discrete variable protocol or a continuous variable protocol. 1. A method of quantum communication, the method comprising:
performing quantum key distribution at a first node with a second node to obtain a quantum key between the first node and the second node;
post-processing the quantum key at the first node to produce a key having a predefined security parameter, the post-processing being controlled to allow the security parameter applied to the quantum key to be varied for a number of different quantum keys, the security parameter being indicative of a probability of a security failure;
storing, by the first node, a plurality of first keys in a first keystore, the first keys having a first security parameter with a value in a first range;
storing, by the first node, a plurality of second keys in a second key store, the second keys having a second security parameter with a value in a second range, the first range having a plurality of values different from the second range;
A method for providing the above. The method of claim 14, wherein performing quantum key distribution comprises sifting the quantum key using communication over an authenticated classical communication channel between the first node and the second node. The method of claim 15, further comprising encrypting or decrypting communications using a key obtained by performing the quantum key distribution. 17. The method of claim 16, wherein the first security parameter values in the first range are lower than the second security parameter values in the second range, the first keys are obtained from the first key store for authentication, and the second keys are obtained from the second key store for at least one of encryption and decryption. 18. The method of claim 17, further comprising: monitoring a number of keys in the first key store; and controlling the post-processing to create a plurality of keys to achieve the first security parameter with the values in the first range when the number of keys in the first key store is less than or equal to a threshold; and to post-process a plurality of keys to achieve the second security parameter with the values in the second range when the number of keys in the first key store is greater than the threshold. 1. A method of operating a QKD system, the method comprising:
Obtaining an authentication key from a first key store;
authenticating a first communication channel between a first node and a second node using the obtained authentication key;
performing quantum key distribution between the first node and the second node, the quantum key being sifted using communications on the authenticated first communications channel to establish a first quantum key for a first user and a server;
determining a number of authentication keys in the first key store, where when the number of authentication keys in the first key store is less than or equal to a threshold, post-processing the quantum key to produce a plurality of authentication keys for the first key store having a first security parameter within a first range of values;
wherein when a number of authentication keys in the first key store exceeds the threshold, post-processing the quantum key to produce a plurality of authentication keys for a second key store having a second security parameter within a second range of values, the plurality of second security parameters within the second range being higher than the plurality of first security parameters in the first range.
A method for providing the above. 1. A method of operating a QKD system, the method comprising:
performing quantum key distribution between a first node and a second node to generate a plurality of quantum keys;
post-processing the quantum keys to generate a plurality of keys using at least one control processing parameter to generate a plurality of keys of a plurality of different types;
storing the plurality of post-processed quantum keys in a plurality of key stores, such that each key store comprises a plurality of keys of the same type;
monitoring a number of keys in the different key stores, and when the number of keys in a key store is less than or equal to a threshold for that key store, controlling post-processing parameters of the generated quantum keys to create additional keys to replenish the keys in the key store whose number of keys is less than or equal to the threshold, wherein the keys of the same type have parameters within predefined ranges.
A method for providing the above.