Open Access
Add to BibSonomy
Abstract
Quantum key distribution (QKD) provides information theoretically secure key exchange requiring authentication of the classic data processing channel via pre-sharing of symmetric private keys to kick-start the process. In previous studies, the lattice-based post-quantum digital signature algorithm Aigis-Sig, combined with public-key infrastructure (PKI), was used to achieve high-efficiency quantum security authentication of QKD, and we have demonstrated its advantages in simplifying the MAN network structure and new user entry. This experiment further integrates the PQC algorithm into the commercial QKD system, the Jinan field metropolitan QKD network comprised of 14 user nodes and 5 optical switching nodes, and verifies the feasibility, effectiveness and stability of the post-quantum cryptography (PQC) algorithm and advantages of replacing trusted relays with optical switching brought by PQC authentication large-scale metropolitan area QKD network. QKD with PQC authentication has potential in quantum-secure communications, specifically in metropolitan QKD networks.
© 2021 Optical Society of America under the terms of the OSA Open Access Publishing Agreement
1. Introduction
In recent years, experiments and practical applications of quantum key distribution (QKD) has made remarkable progress. Starting from an early proof of concept in the laboratory of more than 32 cm [1], to a later expansion to 100 km [2,3], the maximum key distribution distance through practical optical fiber has now exceeded 500 km [4,5]. By employing trusted relays, some QKD networks has also been tested outside the laboratory [6–14], and application demonstrations have been conducted in different fields, such as government affairs, finance, and electricity power. Further, a 4,600 km quantum secure communication network utilizing the Micius satellite and “Beijing-Shanghai backbone” intercity quantum communication network has been built [10].
QKD can provide information theoretically secure key exchange [15–17], including a quantum channel for transmitting photons and a classical channel for data post-processing. However, the unconditional security of QKD requires that the classical channel be authenticated to prevent man-in-the-middle attacks. Further, in the QKD process, basis sifting, error correction, and privacy amplification, along with the verification of the final key must be authenticated. At present, the secure authentication method used by QKD devices helps in pre-sharing symmetric keys [18]. Every paired user is required to store his/her shared authentication keys. However, the storage, synchronization, and management of a large number of key pairs increases the management and security risks of the network. Another secure authentication method is the use of post-quantum public key algorithm and public-key infrastructure (PKI) [19], where each user applies for a digital certificate from the authentication center that trust PKI, and performs the authentication based on the post-quantum cryptography (PQC) public key algorithm. Thus, in this way, each user only needs to trust the trusted authentication center, and does not need to trust each other between users. Compared with the method of pre-sharing symmetric keys, this method not only overcomes the shortage of pre-sharing symmetric keys, which arises when the number of network users is large, but also provides quantum resistant security, which is a practical and effective method.
From the perspective of abstract cryptography, the pure QKD + PQC can not yield an information theory security combination, however, from a practical point of view, it is a practical scheme at present. Using PQC authentication, we don't need to ensure that PQC has the same long-term security as the key, but only need to ensure the security during the authentication period (about 1 s), which is also the reason why we can use PQC authentication safely at present. In a previous study, we adopted the lattice-based post-quantum digital signature algorithm Aigis-Sig [20], combined with PKI to achieve a high-efficiency quantum security authentication for the QKD, and thereafter, we verified the feasibility of using PQC for QKD authentication in a laboratory environment [21].
The feasibility and stability of using PQC authentication in an actual metropolitan QKD network, as well as the performance of QKD after integrating PQC, still need to be verified. Using PQC authentication, the trusted relays in the laboratory environment network can be replaced by optical switches, but its applicability to the metropolitan QKD network with more users and complex network topology also needs to be verified. In addition, in the previous experiment, the PQC algorithm was implemented using a software that ran on a PC independent of the QKD device, and the feasibility of integrating it into a QKD device needs to be verified in practice.
Based on the above unanswered questions, in this experiment, we further integrated the PQC algorithm into a commercial QKD device. In the Jinan field metropolitan QKD network, we verified the high-efficiency quantum secure authentication of QKD by using a lattice-based post-quantum digital signature algorithm Aigis-Sig combined with PKI.
2. Experiment and results
The QKD system used in this experiment is a commercial device that adopts polarization encoding based on the decoy-state BB84 protocol [22]. Its repetition rate was 40 MHz, and an InGaAs gated single-photon detector with a detection efficiency of 15% was used. The typical secret key rate was 10 kbps at a 10 dB channel loss. Further, for data processing, we used the Winnow algorithm for error correction [23], and in the privacy amplification process, a shared Toeplitz matrix for key compression was used to obtain secure keys.
In this experiment, the PQC algorithm was integrated into the ARM chip of the QKD device to realize the authentication process. The implementation diagram is shown in Fig. 1.
Fig. 1. PQC authentication diagram. The data that need to be authenticated include basis sift data, key after error correction, shared random number in privacy amplification and the final key. The process of data authentication includes: 1) Tag calculation performed through SM3 hash algorithm for data to be authenticated; 2) Tag value sent to PQC module through inter-board communication interface; 3) PQC modules of both communicating parties are authenticated through PQC algorithm; 4) Authentication results return to the module waiting for the authentication result through the inter-board communication interface.
As shown in the figure, Alice and Bob first exchange certificates and random numbers, which are used as nonces to resist replay attacks. Thereafter, the public key of the certificate authority was used to verify the legitimacy of certificates of each other. Next, they used the PQC signature algorithm with its own private key to sign both the message digest and the received random number. Consequently, both parties again used the corresponding public keys to verify the integrity and unforgeability of the signature.
The system was implemented on an ARM AM3354 chip, the sizes of the public key, private key and signature are 1.3 KB, 3.4 KB, 2.4 KB, respectively, and the running time of public and private key generation, signature, and signature verification was less than 10 ms. Thus, when the classical channel delay was within 10 ms and the bandwidth was not less than 100 kbps, the entire process was completed within 100 ms.
Further, this experiment was conducted in the Jinan field metropolitan QKD network. The network topology is shown in Fig. 2. There were five optical switching nodes and 14 user nodes in the network.
Fig. 2. Jinan field metropolitan QKD network topology, where X1–X5 are optical switching nodes, U1, U3, U6, U9, U10, U13, U14 are receiver QKD nodes, and U2, U4, U5, U7, U8, U11, U12 are sender QKD nodes. Each QKD node is connected to the optical switching node via optical fiber, and the optical switching node is also connected via optical fiber. Based on the actual deployment geographic location of each of the QKD and optical switching nodes, the lengths of optical fibers range from 5 m to 21.46 km.
Before this experiment was performed, the X1, X2, and X3, in the Jinan field metropolitan QKD network, as depicted in Fig. 2, were originally trusted relay nodes. Here, we replaced them with optical switches, reducing the security reliance on the trusted relay in the network, thereby improving the security of the entire QKD network and reducing networking costs. In addition, the network structure and the connection between nodes were simplified due to this change, thereby improving network interoperability.
We measured the signal attenuation of each optical fiber and then added an insertion loss of 1.5 dB to each optical switching node. Thus, we obtained the signal attenuation of the connection between each receiver QKD node and transmitter QKD node, as summarized in the Table 1.
Table 1. Signal attenuations of connection between each receiver and transmitter (unit: dB)
There are seven receivers and transmitters each in the network, resulting in a total of 7 × 7 = 49 pairs. Among them, 11 pairs cannot generate a key due to high attenuation of the optical fiber (indicated in red). In addition, three groups of optical switches exist in the network, and due to the functional limitation of key management system (KMS), automatic scheduling of more than three sets of optical switches on the same fiber link is not supported. Further, a total of 8 connections from receivers U7, U8, U11, U12 to transmitters U13, U14 could not be paired for key generation (indicated in blue). However, the remaining 49–11 – 8 = 30 connections successfully generated the keys and thus, were kept running.
We analyzed the running log file of QKD devices and extracted the key rate and quantum bit error rate (QBER) of each QKD pairing process. Further, we estimated the standard deviation of each connection’s key rate data and eliminated the data outside three standard deviations. Finally, we calculated the average by using the statistical average method and thereby obtained the key rate of each connection during the experiment period. In the QKD devices of this experiment, when the real-time QBER exceeds a threshold (3.125%), the related key data will be discarded. Moreover, if the threshold is exceeded three times in a row, the QKD device will start the optical self-calibration process. Thus, we ignored the QBERs that exceed the threshold and calculated the average value of the remaining data by using the statistical average method, thereby obtaining the QBER of each connection in the normal pairing process during the experiment period.
The average key rate and QBER of each connection during 36 days of network operation, are presented in Table 2.
Table 2. Key rate and QBER of each connections
In theory, the higher the link attenuation, the lower is the key rate, however, when considering actual test data, it was found that certain connections simultaneously have higher link attenuation and key rates, for example, the U8–U3 link attenuation (13.57 dB) is greater than that of U8–U9 (6 dB), and the key rate of U8–U3 (8.383 kbps) is also higher than that of U8–U9 (4.857 kbps), this is due to the difference in the performance of the existing commercial QKD devices in the Jinan field metropolitan QKD network, which has been built and kept running for more than 7 years.
The experiment was running continuously for more than 36 days, and the entire network maintained a normal operation. Each connection was constantly paired to generate keys, which verified the long-term stability of the PQC algorithm used in the metropolitan QKD network. From 2/8/2021 to 3/16/2021, the average key rate of each connection was counted every day. Considering eight typical connections U2–U6, U2–U10, U7–U10, U8-U1, U5-U10, U11-U10, U12-U10, and U4–U10 as examples, the key rate changes over time are shown in Fig. 3.
Furthermore, to compare the key rates of pre-shared key authentication and the PQC algorithm authentication in a similar hardware environment with the same optical fiber, we restored the software of the U4-U3 connection to the version using pre-shared key authentication, kept it running for more than 6 h, and then calculated the average key rate. The corresponding experimental results are presented in Table 3.
Table 3. Key rate under different authentication methods
The results show that the key rate of using the PQC algorithm authentication is similar to that of using pre-shared key authentication. After integrating the PQC algorithm, the delay of the tag authentication process does not affect QKD.
In the experiment, we designed a business-driven QKD key matching scheduling strategy and verified it using the U4–U3 connection. First, we changed the key queuing strategy on the KMS to queue according to the number of keys, setting it to queue every 30 min. At the initial moment, on the KMS, the number of paired user keys of U4–U3 was shown to have reached 32 MB, and thereafter, the key consumption rate of U3 and U4 user devices (quantum security router devices) was configured to 64 KB every 1 s to quickly consume cache keys in the QKD devices, this process continued till the KMS showed that the pairing key amount of U4–U3 connection reached 0 bytes. Subsequently, the QKD network switched the pairing relationship to the U4–U3 connection according to the queuing strategy. By analyzing the running log of the QKD device, we observed that the key rate of the U4-U3 connection during the experiment was 25.951 kbps, which was less than the key consumption rate. Meanwhile, we observed that the U4-U3 connection maintained the pairing during the seven QKD key generation periods to generate the key. The experimental results showed that the KMS queues up according to the number of keys, confirming the effectiveness of the strategy of scheduling QKD node pairing for key generation.
3. Conclusion
In summary, this study verified the feasibility of integrating the PQC algorithm into a commercial QKD device. In addition, the feasibility and stability of using PQC for authentication in real and complex network topologies were verified in the Jinan field metropolitan QKD network with 14 QKD nodes and 5 optical switching nodes. In the experiment performed for PQC authentication, we replaced the trusted relay in the Jinan field metropolitan QKD network with an optical switch, which simplified the network topology, and thus, reduced the trusted relay node device in the network. Moreover, this change reduced the security dependence of the trusted relay in the network, improved the safety of the metropolitan area QKD, reduced the cost of the device in the construction of the metropolitan QKD network, and improved the interoperability between the QKD nodes.
Further, in metropolitan QKD network applications, compared to pre-shared key authentication, PQC authentication has no effect on the performance of key rate, avoided the process of pre-shared keys between QKD nodes or between QKD nodes and trusted relays, and had distinct advantages in operability, efficiency, security, and device cost. It was found that in the metropolitan QKD network, when the distance between the two parties of QKD exceeded the point-to-point tolerable distance [24], the trusted relay could not be replaced by an optical switch, and the QKD receiver and transmitter, could not be paired to generate the key. Furthermore, the application of multilevel optical switches was also limited by the performance of the KMS and other devices. We also verified the long-term stability of using PQC authentication in an actual metropolitan QKD network.
Future improvements will target a higher performance of the PQC algorithm integrated with QKD device [10], higher completeness of the KMS to support multilevel optical switches and higher integration whit QKD device to enable transmit and receive with the same device, further improving the usability and overall performance of PQC authentication in an actual metropolitan QKD network.
Funding
National Key Research and Development Program of China (2017YFA0303901); Major Science and Technology Projects in Anhui Province (16030901056, 1703090101); Yunnan Fundamental Research Project (202001BB050028); Key R&D Plan of Shandong Province (2019JZZY010205); Taishan Scholar Program of Shandong Province; Leading talents of Quancheng industry; Key Program of Special Development funds of Zhangjiang National Innovation Demonstration Zone (ZJ2018-ZD-009).
Acknowledgments
We would like to thank Feihu Xu and Shengkai Liao, from University of Science and Technology of China, for their thoughtful suggestions.
Disclosures
The authors declare no conflicts of interest.
Data availability
The data underlying the results presented in this paper are not publicly available at this time, but may be obtained from the authors upon reasonable request.
References
1. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental quantum cryptography,” J. Cryptol. 5(1), 3–28 (1992). [CrossRef]
2. D. Rosenberg, J. W. Harrington, P. R. Rice, P. A. Hiskett, C. G. Peterson, R. J. Hughes, A. E. Lita, S. W. Nam, and J. E. Nordholt, “Long-distance decoy-state quantum key distribution in optical fiber,” Phys. Rev. Lett. 98(1), 010503 (2007). [CrossRef]
3. C. Z. Peng, J. Zhang, D. Yang, W. B. Gao, H. X. Ma, H. Yin, H. P. Zeng, T. Yang, X. B. Wang, and J. W. Pan, “Experimental long-distance decoy-state quantum key distribution based on polarization encoding,” Phys. Rev. Lett. 98(1), 010505 (2007). [CrossRef]
4. J. P. Chen, C. Zhang, Y. Liu, C. Jiang, W. Zhang, X. L. Hu, J. Y. Guan, Z. W. Yu, H. Xu, J. Lin, M. J. Li, H. Chen, H. Li, L. You, Z. Wang, X. B. Wang, Q. Zhang, and J. W. Pan, “Sending-or-Not-Sending with Independent Lasers: Secure Twin-Field Quantum Key Distribution over 509 km,” Phys. Rev. Lett. 124(7), 070501 (2020). [CrossRef]
5. X. T. Fang, P. Zeng, H. Liu, M. Zou, W. Wu, Y. L. Tang, Y. J. Sheng, Y. Xiang, W. Zhang, H. Li, Z. Wang, L. You, M. J. Li, H. Chen, Y. A. Chen, Q. Zhang, X. Ma, T. Y. Chen, and J. W. Pan, “Implementation of quantum key distribution surpassing the linear rate-transmittance bound,” Nat. Photonics 14(7), 422–425 (2020). [CrossRef]
6. C. Elliott, A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and H. Yeh, “Current status of the DARPA quantum network,” Proc. SPIE 5815, 138–149 (2005). [CrossRef]
7. M. Peev, C. Pacher, R. Alléaume, Claudio Barreiro, J. Bouda, W. Boxleitner, T. Debuisschert, E. Diamanti, M. Dianati, J F. Dynes, Sandrine Fasel, S. Fossier, M. Fürst, J-D. Gautier, Nicolas Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentschel, H. Hübel, G. Humer, T. Länger, Matthieu Legre, R. Lieger, J. Lodewyck, T. Lorünser, N. Lütkenhaus, A. Marhold, T. Matyus, O. Maurhart, L. Monat, S. Nauerth, J-B. Page, A. Poppe, E. Querasser, G. Ribordy, S. Robyr, L. Salvail, A W. Sharpe, A J. Shields, Damien Stucki, M. Suda, C. Tamas, T. Themel, Robert Thomas Thew, Y. Thoma, A. Treiber, Patrick Trinkler, R. Tualle-Brouri, Fabien Vannel, N. Walenta, H. Weier, H. Weinfurter, I. Wimberger, Z L. Yuan, Hugo Zbinden, and A. Zeilinger, “The SECOQC quantum key distribution network in Vienna,” New J. Phys. 11(7), 075001 (2009). [CrossRef]
8. T. Y. Chen, H. Liang, Y. Liu, W. Q. Cai, L. Ju, W. Y. Liu, J. Wang, H. Yin, K. Chen, Z. B. Chen, C. Z. Peng, and J. W. Pan, “Field test of a practical secure communication network with decoy-state quantum cryptography,” Opt. Express 17(8), 6540–6549 (2009). [CrossRef]
9. M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legré, S. Robyr, P. Trinkler, L. Monat, J. B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Länger, M. Peev, and A. Zeilinger, “Field test of quantum key distribution in the Tokyo QKD Network,” Opt. Express 19(11), 10387–10409 (2011). [CrossRef]
10. Y. A. Chen, Q. Zhang, T. Y. Chen, W. Q. Cai, S. K. Liao, J. Zhang, K. Chen, J. Yin, J. G. Ren, Z. Chen, S. L. Han, Q. Yu, K. Liang, F. Zhou, X. Yuan, M. S. Zhao, T. Y. Wang, X. Jiang, L. Zhang, W. Y. Liu, Y. Li, Q. Shen, Y. Cao, C. Y. Lu, R. Shu, J. Y. Wang, L. Li, N. L. Liu, F. H. Xu, X. B. Wang, C. Z. Peng, and J. W. Pan, “An integrated space-to-ground quantum communication network over 4,600 kilometres,” Nature 589(7841), 214–219 (2021). [CrossRef]
11. T. Y. Chen, J. Wang, H. Liang, W. Y. Liu, Y. Liu, X. Jiang, Y. Wang, X. Wan, W. Q. Cai, L. Ju, L. K. Chen, L. J. Wang, Y. Gao, K. Chen, C. Z. Peng, Z. B. Chen, and J. W. Pan, “Metropolitan all-pass and inter-city quantum communication network,” Opt. Express 18(26), 27217–27225 (2010). [CrossRef]
12. B. Fröhlich, J. F. Dynes, M. Lucamarini, A. W. Sharpe, Z. Yuan, and A. J. Shields, “A quantum access network,” Nature 501(7465), 69–72 (2013). [CrossRef]
13. S. Wang, W. Chen, Z. Q. Yin, H. W. Li, D. Y. He, Y. H. Li, Z. Zhou, X. T. Song, F. Y. Li, D. Wang, H. Chen, Y. G. Han, J. Z. Huang, J. F. Guo, P. L. Hao, M. Li, C. M. Zhang, D. Liu, W. Y. Liang, C. H. Miao, P. Wu, G. C. Guo, and Z. F. Han, “Field and long-term demonstration of a wide area quantum key distribution network,” Opt. Express 22(18), 21739–21756 (2014). [CrossRef]
14. S. K. Liao, W. Q. Cai, J. Handsteiner, B. Liu, J. Yin, L. Zhang, D. Rauch, M. Fink, J. G. Ren, W. Y. Liu, Y. Li, Q. Shen, Y. Cao, F. Z. Li, J. F. Wang, Y. M. Huang, L. Deng, T. Xi, L. Ma, T. Hu, L. Li, N. L. Liu, F. Koidl, P. Y. Wang, Y. A. Chen, X. B. Wang, M. Steindorfer, G. Kirchner, C. Y. Lu, R. Shu, R. Ursin, T. Scheidl, C. Z. Peng, J. Y. Wang, A. Zeilinger, and J. W. Pan, “Satellite-Relayed Intercontinental Quantum Network,” Phys. Rev. Lett. 120(3), 030501 (2018). [CrossRef]
15. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, (IEEE, 1984), pp. 175–179.
16. A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef]
17. V. Scarani, H. B. Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]
18. C. H. F. Fung, X. Ma, and H. F. Chau, “Practical issues in quantum-key-distribution postprocessing,” Phys. Rev. A 81(1), 012318 (2010). [CrossRef]
19. M. Mosca, D. Stebila, and B. Ustaoğlu, “Quantum key distribution in the classical authenticated key exchange framework,” In International Workshop on Post-Quantum Cryptography, 7932 (Springer, 2013), pp. 136–154.
20. J. Zhang, Y. Yu, S. Fan, Z. Zhang, and K. Yang, “Tweaking the asymmetry of asymmetric-key cryptography on lattices: Kems and signatures of smaller sizes,” In IACR International Conference on Public-Key Cryptography, (Springer, 2020), pp. 37–65.
21. L. J. Wang, K. L. Zhang, J. Y. Wang, J. Cheng, Y. H. Yang, S. B. Tang, D. Yan, Y. L. Tang, Z. Liu, Y. Yu, Q. Zhang, and J. W. Pan, “Experimental Authentication of Quantum Key Distribution with Post-quantum Cryptography,” npj Quantum Inf. 7(1), 67 (2021). [CrossRef]
22. X. F. Ma, B. Qi, Y. Zhao, and H. K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A 72(1), 012326 (2005). [CrossRef]
23. W. T. Buttler, S. K. Lamoreaux, J. R. Torgerson, G. H. Nickel, C. H. Donahue, and C. G. Peterson, “Fast, efficient error reconciliation for quantum cryptography,” Phys. Rev. A 67(5), 052303 (2003). [CrossRef]
24. S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nat. Commun. 8(1), 15043 (2017). [CrossRef]
