DeepAI

# Analysis of Multiple Overlapping Paths algorithms for Secure Key Exchange in Large-Scale Quantum Networks

Quantum networks open the way to an unprecedented level of communication security. However, due to physical limitations on the distances of quantum links, current implementations of quantum networks are unavoidably equipped with trusted nodes. As a consequence, the quantum key distribution can be performed only on the links. Due to this, some new authentication and key exchange schemes must be considered to fully benefit from the unconditional security of links. One such approach uses Multiple Non-Overlapping Paths (MNOPs) for key exchange to mitigate the risk of an attack on a trusted node. The scope of the article is to perform a security analysis of this scheme for the case of both uncorrelated attacks and correlated attacks with finite resources. Furthermore, our analysis is extended to the case of Multiple Overlapping Paths (MOPs). We prove that introducing overlapping paths allows one to increase the security of the protocol, compared to the non-overlapping case with the same number of additional links added. This result may find application in optimising architectures of large-scale (hybrid) quantum networks.

• 1 publication
• 1 publication
10/04/2022

### Long-Range QKD without Trusted Nodes is Not Possible with Current Technology

A recently published patent (https://www.ipo.gov.uk/p-ipsum/Case/Publica...
10/17/2019

### Communication over Continuous Quantum Secure Dialogue using Einstein-Podolsky-Rosen States

With the emergence of quantum computing and quantum networks, many commu...
11/12/2019

### KPsec: Secure End-to-End Communications for Multi-Hop Wireless Networks

The security of cyber-physical systems, from self-driving cars to medica...
09/03/2020

### Network Coding-Based Post-Quantum Cryptography

We propose a novel hybrid universal network-coding cryptosystem (HUNCC) ...
09/20/2018

### Towards practical key exchange from ordinary isogeny graphs

We revisit the ordinary isogeny-graph based cryptosystems of Couveignes ...
12/07/2017

### The Engineering of a Scalable Multi-Site Communications System Utilizing Quantum Key Distribution (QKD)

Quantum Key Distribution (QKD) is a means of generating keys between a p...
12/07/2022

### Secure communication using low dimensional topological elements

Low-dimensional topological objects, such as knots and braids, have beco...

## 1 Introduction

Public-key cryptography discovered in the 1970s of the last century provided a long-sought solution to the problem of secret key exchange [DiffieHellman]. The ingenious breakthrough allowed for the promotion of ideas such as secure communication on the Internet. The security of public-key cryptography is based on the high computational complexity of the problem used, such as factorisation of composite numbers.

When public-key cryptography has already been implemented on a global scale, it has been realised that the complexity of the problems used can be reduced if quantum computing resources are used [Shor]. This raised concerns about the security of public-key cryptography with respect to hypothetical quantum attacks. However, the solution to the problem already existed (theoretically) and relied not on computational complexity-based security but on information-theoretic security (ITS). The solution is the quantum key distribution (QKD) [Ekert91].

While extremely appealing from the theoretical viewpoint, technical difficulties precluded the wide implementation of QKD for decades, since its theoretical introduction in the 1980s of the last century. However, the situation has improved significantly in the last few years and QKD solutions are blossoming. However, the remaining significant obstacle is the distance on which the QKD can be performed. This is due to the suppression of photons in the optical medium. Therefore, ground-based optical fibre links allow for practical QKD (sufficiently high key exchange rate) over distances not longer than approximately 100 km [range]. A possible, but costly and challenging, solution to the problem is to utilise space. Due to the much weaker suppression of photons in air and cosmic vacuum, QKD can be performed at much longer distances [range].

The potential solution to the problem of the constraint on the distance at which the QKD can be performed on the ground is given by quantum repeaters. However, the technology is not mature enough to be implemented in the present realisations of the QKD solutions. As a consequence, in the current implementations of QKD networks (quantum networks), classical trusted nodes must be used. The QKD networks are, consequently, hybrid networks with quantum links and classical nodes. Examples of experimental realisations of such networks are: Tokio network [tokio], Beijing-Shanghai network [Beijing-Shanghai], Madrid network [madrit].

However, the existence of the classical nodes raises security concerns. Although the QKD link has been shown to be ITS-safe, nodes can become a source of information leakage. The purpose of this article is to present a scheme that will significantly improve the security of hybrid QKD networks.

Notably, at this point, QKD algorithms are also potentially vulnerable to the man-in-the-middle (MITM) attacks. Usually, this problem is resolved by applying the authentication of the classical nodes. Since the idea of employing QKD is to eliminate non-ITS protocols, the authentication of QKD nodes must be performed with the use of the Wegman-Carter protocol, which has been proven to be of the ITS class. More information about QKD authentication can be found in Ref. [autentykacja]. Although the authentication problem can be successfully resolved in this way, this does not concern end-to-end encryption (E2EE).

From a theoretical point of view, using QKD combined with a one-time pad (OTP) guarantees end-to-end ITS communication. However, with actual limitations on the key exchange rate, this approach is too slow to be used instead of classical communication. An alternative to OTP is to use weaker (non-ITS) symmetric cryptography algorithms that are generally resistant to quantum attacks

[post-quantum-crypto] and this seems to be the way the QKD network could be used. A completely different direction for preparing for quantum attacks, which does not rely on QKD network, is post-quantum public-key cryptography, which has been intensively developed in recent years [post-quantum-crypto2].

In this work, we consider the potential vulnerability in the quantum network based on trusted nodes with multiple paths [multipath]

, we construct two models of possible attacks, the uncorrelated attack, in which each node has a certain probability of becoming compromised, and the correlated attack, in which the opponent owns certain resources that could be used to compromise the security of certain nodes. Furthermore, based on

[Zhou2019SecurityAA], we extend the QKD multiple-path distribution protocol, assuming that the paths can overlap. Our analysis shows that to improve security, it is (under certain conditions) more optimal to add interlinks between disjoint paths, instead of adding a new path. A similar concept using overlapping paths has been presented in [podobnypomysl], where security is improved by introducing complete subgraphs (“cities”). While preparing this article, another work that addresses security issue of overlapping multiple paths has appeared [securityrosjanie].

## 2 The multiple paths protocol

One of the central concepts behind the design of a telecommunication network is redundancy. To marginalise the probability of a lack of connectivity between two nodes, there must be at least two alternative paths that connect arbitrary two nodes. Here, we assume that the same must concern QKD networks, in particular the hybrid QKD networks under consideration. This approach has been proposed in [multipath] and recently explored in [solomons2021scalable], in which optimal key flooding is considered.

Now to help the reader better understand further material, we introduce problems concerning security and concepts of multipath protocol. Consider a simple uncorrelated attack scheme, in which the possibility of a successful attack on any node is and is the total number of intermediate nodes on the path (excluding communicating nodes/parties). The probability that at least one node has been successfully attacked is , where the approximation is valid for . So, roughly the probability of an attack on the network grows with the number of nodes. If the network is a hybrid QKD network, this would be equivalent to leaking a secret key exchanged via the attacked node.

Following this simple model, we find the probability that at least two nodes have been attacked: . Therefore, under the condition , the probability of a successful simultaneous attack on at least two nodes is quadratically lower than in the previous case.

Following the above observations, let us consider a scenario in which a secret key is composed of two parts and of equal length. For example, if the key is devoted to be applied in the symmetric AES-256 algorithm, both parts and are 256 bits long. Now, we require that knowing one of the keys gives us zero knowledge of the key . This requirement can be easily satisfied by the One-Time Pad (OTP) applied to the two parts and , so that:

 K=(K1,K2)=K1⊕K2, (1)

where is the XOR operation (addition modulo two).

Now, let us suppose that and are two bit strings that are distributed using two different paths in the QKD network. The two paths connect two parties (nodes and ), between which the key is exchanged (see Fig. 1). For every two adjoint nodes on the network a secret key is established via QKD. Then, in a hop-by-hop approach, if node wants to send a secret message to the node , the OTP encryption is used by evaluating the cipher . The classical ciphertext is transmitted to the subsequent node via the classical (untrusted) channel. Then, by evaluating , the ciphertext is decrypted at the node .

The protocol introduced in this section quadratically improves the security of secret key exchange in a hybrid QKD network. However, this is achieved by the cost of doubling the number of keys exchanged. Therefore, we reduce the performance of the system by a factor of two. However, the quadratic improvement by the linear cost seems to be a beneficial solution.

The decomposition of the secret key into two parts is an example of a secret sharing. It is worth emphasising that the idea can be generalised by splitting the secret key into three or more constituents. In this case, Eq. 1 generalises to:

 K=(K1,K2,…,KN)=K1⊕K2⊕⋯⊕KN, (2)

where is the number of different paths. The realisation of the case with allows for a further reduction of the probability of the attack to . However, this is due to the cost of both much complex topology of the QKD network and its lower performance. In the next sections, we perform a detailed analysis of two types of attack on trusted nodes and in Sec. 4 we present the concept in which key exchange can be done with paths that cross each other along with the discussion of performance of this new protocol.

## 3 Security considerations on Multiple Non-Overlapping Paths

We consider two models of possible attack, first for an uncorrelated attack that simulates leaking and publishing information (secret key) steaming from random failure of certain nodes, and second for a correlated attack where the party is assumed to have certain resources that can be used to take over some nodes and gain information. We model the QKD network by an unweighted graph, where two communicating nodes can always be connected by a certain number of disjoint paths. This is justified as a desired property of a real telecommunication network [Elliott_2002].

### 3.1 Uncorrelated attacks

#### 3.1.1 General formulation

Given a graph with two distinguished nodes named and (Alice and Bob), the -th node is marked with a certain number representing the probability that during the protocol the -th node will be hacked and publicly reveal secret key ( represent complete trust while represent fully corrupted node). and can be connected with some disjoint paths, and to compromise security of protocol at least one node on each path must become untrusted. The task is to find a system of disjoint paths between and that minimise the probability of hacking communication.

For a predefined system, calculating the probability is an easy task. Let be the family of all paths in the solution (where the path is considered to be a set of intermediate nodes, i.e. excluding the and nodes). Then, the probability of hacking is given by:

 P=∏Rj∈R⎛⎝1−∏i∈Rj(1−pi)⎞⎠. (3)

Here, each node is identified with its label .

This task poses an algorithmic challenge, and to the best of our knowledge, there is no standard effective method to solve this in this form. Instead, we could search for a strategy that guarantees a certain threshold of security level and is flexible within this limit. As a benefit, this may also allow us to adjust the algorithm to network traffic. In the next paragraph, we present an approach to the problem with respect to the considerations mentioned above.

#### 3.1.2 Simplified problem

Here, we assume that each node has the same probability , which is small enough so that we can use the approximation . The approximation is satisfied under the assumption that and is further analysed in Sec. 4.4. According to the model above, we can simply take . If we consider paths each containing (intermediate) nodes, then the probability of hacking equals:

 P=(n1p)(n2p)...(nNp)≤pN⎛⎜ ⎜⎝∑1≤j≤NnjN⎞⎟ ⎟⎠N=(¯¯¯np)N, (4)

where denotes the average path length (in the sense of the number of intermediate nodes), and we use a well-known inequality:

 N√a1a2...aN≤a1+a2+...+aNN. (5)

Notice that the equality is satisfied for , which in the case under consideration corresponds to the paths of equal length. In a real QKD network, we may expect that the lengths of the paths are similar, and in this case the given upper bound could be a good approximation.

#### 3.1.3 Solution to the simplified problem

Now we can slightly reformulate the problem so that we do not minimise but instead. This depends on two factors: the number of paths and the average length of these paths. In many analyses, equally length paths are considered, and therefore it is always optimal to use as many paths as possible, but it turns out that it may not be desired for an arbitrary network. The analysis of an educational example is provided in Appendix 1. For fixed solution which is given and can be obtained by the minimum-cost flow algorithm (with unit capacities and certain transformation of graph), there also exist other simpler algorithms like Suurballe’s algorithm (vertex disjoint path version) (see Ref. [disjoint_paths]). We may assume that in realistic case will not exceed 10. Therefore, an efficient algorithm could be obtained by checking each possible number of paths separately.

One last remark is about the practical aspect of the obtained solution. If we accept loss in security level (but within threshold bound), we can try to add traffic management within the algorithm simply by manipulating weights of edges. Undesired routes will be less likely to be chosen. However, in this article, we do not develop this concept further - it is left for future work.

#### 3.1.4 Multiple communicating parties

The problem arises when we have more than two communicating parties, and we do not allow a path to share a link (for quantum networks the effectiveness of links is the main restriction). This is an extensively studied problem called -EDP (-edge-disjoint path problem) [EILAMTZOREFF1998113]

###### Definition 1.

Consider the following well-known problem, which is called the -disjoint paths problem (-DPP). For a given graph and a set of pairs of terminals in , the objective is to find vertex-disjoint paths connecting given pairs of terminals or to conclude that such paths do not exist.

It is proven that this problem is NP-complete [k-DPP_KARP]. Therefore, finding many paths for each of the pairs is “at least of class NP,” as this problem can be reduced to -DPP by adding an appropriate number of paths between distinguished pairs of terminals. However, if is fixed, polynomial solutions exist for -DPP and even for shortest -DPP [lochet2020polynomial, KAWARABAYASHI2012424], so we can hope to search for a solution while dividing the network into clusters.

### 3.2 Correlated attacks with finite resources

As in the previous section, let us first formulate a general problem:

Consider a graph with a distinguished pair of nodes . We assume that there exists a system of (disjoint) paths connecting , and the adversary knowing this system, having some resources which can be used to take control of nodes and extract keys. The following assumptions are made:

• Hacking one node on the path makes this path untrusted.

• Communication is hacked if each path is untrusted.

• Probability that the -th node becomes untrusted depends on amount of allotted resources and is given with proper continuous function specified for this node. Because has an interpretation of probability, it takes values from the range .

• Resources are bounded, that is, .

• For each node .

We seek tactics (system of paths) that minimise the probability of hacking communication.

As before, solving problem in this form poses a challenge, and even for a fixed system, calculating the minimal probability of hacking (corresponding to optimal redistribution of resources) is difficult due to the continuous character of variables and unknown functions. Therefore, again, we need simplification.

#### 3.2.1 Simplified problem

We first make the following observation:

###### Lemma 1.

Without loss of generality, we can assume that each function is not decreasing and the condition is used.

###### Proof.

We do not need to use all resources, so if it is optimal to use resources for a certain node and there exists a , such that and , then it is optimal for the adversary to use . The adversary will obtain the same result using the alternative function . The second part of the lemma is straightforward. ∎

In real communication networks, we can assume that each node does not differ much in construction, and thus their characterisation will have much in common. At the same time, one shall not allow the adversary to easily take control of the node (than the mean ), so the arguments of the function could be considered small, which allows us to expand the function in series and consider its linear approximation. Alternatively, for a given function , we can construct a new function that is linear up to a certain point, then constant (equal 1) and satisfy .

We summarise this discussion with the following additional assumptions for the problem:

• The function is the same for all nodes, i.e. .

• The function is not decreasing, and the opponent always uses all available resources.

• The function is expressed in following form:

With this simplification it turns out, that a sensible analysis can be made. We first develop optimal adversary strategy for a single path of length . To solve this problem we use Lagrange multiplayer method. The function we want to maximize (probability of hacking) is:

 Psp(r1,r2...,rn)=1−(1−f(r1))(1−f(r2))...(1−f(rn)), (6)

with constrain .

As a result, we see that among the candidates for the global extremum (points ) some of and the rest are equal to each other. Therefore, the set of extreme values is , where and since this represents the Euler sequence that is decreasing, we obtain the global maximum for , which corresponds to placing all available resources on a single node.

We summarise it in the following theorem:

###### Theorem 1.

Given a single path, the optimal strategy for an adversary is to attack a single node, and the probability of hacking is .

From this we obtain an important conclusion about the situation with many paths.

###### Corollary 1.

Given disjoint paths, the optimal strategy for an adversary is to attack only one node on each path.

###### Proof.

Let us assume on the contrary that in optimal strategy for the opponent there exists a path on which two or more nodes are attacked. If we relocate resources from these nodes to a single node on this path, we will have a higher probability of hacking this path and, therefore, obtain a better strategy as the probability of hacking system is the product of probabilities for individual paths. ∎

If we have paths and are resources used to hack the -th path (at a single node), then the probability of hacking the protocol is:

 P(r1,r2,...,rN)=(αr1)(αr2)...(αrN)≤(αRN)N. (7)

Here, we assumed that , and we used Eq. 5.

#### 3.2.2 Solution

Choosing the hacking strategy, we can focus on minimising term . There is only one variable to control: the number of disjoint paths. As in this approximation shall always be less than (otherwise, the approximation we used fails), we are interested in increasing . The maximal number of disjoint paths between pair and is equal to the minimal size of the vertex cut of that pair, thanks to Menger’s theorem.

Through vertex cut is a notion that has no unique definition in the literature, we restate it here:

###### Definition 2.

A-B vertex cut is a set of vertex that does not contain so that after the removal of this set from the graph, there is no path between and . Later in the article, we will refer to it as cut, while the default vertex and will be sender and receiver (Alice and Bob). We say that the vertex cut is minimal if there is no cut with a smaller order.

We summarise our conclusions with the following theorem:

###### Theorem 2.

To improve security against correlated attack for users and , the desired strategy is to increase the order of the minimal vertex cut, that is, the number of disjoint paths.

Finding order of minimal vertex cut is a problem equivalent to (after a simple transformation of graph) solving the max-flow problem.

## 4 Multiple Overlapping Paths scheme

We have performed an analysis of the security of multiple paths scheme models under the assumption that all paths are disjoint. We now present a Multiple Overlapping Paths scheme (MOPs), where additionally to system of disjoint of paths the interpath links exist. Such an extension can always be made without loss of security, with only slight modification of the well-known hop-by-hop protocol. Unlike MNOPs, where each intermediate node has exactly two links, now it can have more. A similar problem was previously analysed in Ref. [podobnypomysl]. However, to improve security, the total number of links is increased.

In this article we follow an alternative idea, increasing security with the use of interlinks but without changing the number of links. Roughly, we can say that we completely remove one path and use its resources (links) to make interconnections between the rest.

###### Definition 3.

In the MOPs communication scheme, each node in the network, except Alice and Bob, sends the result of all the keys from the neighbour connections to Bob via an unencrypted (but authenticated) channel (available to Eve). The shared key will be the of all such received messages for Bob, and for Alice of all subkeys Alice shares with intermediate nodes.

This idea was originally published in [Zhou2019SecurityAA], where a detailed analysis is included. Here, we recall only the most important conclusions. For the case without interlinks between paths, this will work as in the classic scheme, with the difference that the message is transmitted to Bob instead of to the next node on the path, but in Appendix 2 we show that MOPs can be modified so that it mimics the hop-by-hop method, which is important for the practical use and efficiency of the network.

###### Property 1.

In MOPs connection is secure only if there exist a path with node controlled by adversary. Therefore, to hack a communication between and , adversary must control vertex cut.

There is no reward in using MOPs against uncorrelated attack. It can be shown that adding interlinks to a system of disjoint paths does not increase the order of minimal vertex cut (for example, because the number of nodes connected to Alice does not change and these nodes form a vertex cut). However, it can change the number of such cuts and, therefore, turns out to be useful against uncorrelated attack. In general, to calculate probability that protocol is compromised, one must know trustfulness of all nodes and calculate probability that at least one of cuts (not necessarily minimal) becomes untrusted. This can be really challenging problem in general. We managed to perform analytical analysis on certain special type of “grid-like” graph that could model real QKD network. The model is discussed in the following paragraphs.

### 4.1 Intuitive approach

We begin with an intuitive assertion that adding interlinks instead of a new path could perform better than MNOPs. If the probability of compromising the security of a node (and therefore leaking the key) is sufficiently small, we can take into account only the smallest (minimal) vertex cut. The number of such combinations of nodes in the classical scheme is

 ∏1≤j≤Nnj≈(¯¯¯n)N, (8)

where is the number of intermediate nodes in -th path and is the number of paths. We will improve security by reducing the number of vertex cuts in the graph by adding interlinks between paths. An example is shown in Fig. 2.

Let us assume that the number of intermediate nodes between and is (for every path) and we have initially 2 disjoint paths. The number of 2-cuts (cuts of size 2) is , for the MNOP scheme it would be . If is sufficiently small, we can state that only minimal cuts influence the probability of hacking. Then, the probability of compromising the security of the MNOP scheme is , while for MOPs:

 (2n2)p2(1−p)2n−2probability of hacking % pairs×3n(2n2)allowed pairs≈3np2. (9)

Formula stems from binomial distribution (chance that we control 2 nodes) and the probability that these two nodes form the desired hacking cut. This can be a significant advantage when

is large. However, we use additional links that, in turn, could be used to make another path. We now pose the question: “Can adding interlinks, instead of a new path, be a desired strategy?”. It appears that in some cases, especially for large , this can be true. Comparing the graph with interlinks and the MNOP scheme with one with one additional path, we obtain probability, respectively and . The ratio of probabilities is

 η:=PMOPPMNOP≈3np2(np)3=3pn2. (10)

If , it is optimal to use the proposed strategy. But this poses a condition on , namely:

 p>3n2. (11)

At the same time we have assumed that is “sufficiently” small (because we neglected the influence of non-minimal cuts), in fact, it must at least meet conditions as in chapter 2, i.e. . Now, if is sufficiently large, these conditions do not lead to contradiction. In the next chapters, we formalize and generalize the above considerations.

After the discussion in the previous section, we could easily notice an important property, namely that adding just one link can reduce the probability of hacking by a factor of . This approximation becomes more accurate as increases. Consider a MNOPs network with two disjoint paths as in Fig. 2, if we add a single intermediate link somewhere in the middle of the network and perform similar considerations as in Sec. 4.1, we obtain that the number of 2-cuts is . Consequently, for a network with paths, we can add links and reduce the probability of hacking by a factor . This can be an important property, as by using only a few links, quite a good profit is obtained. Unfortunately, this effect does not stack: just from the example for two paths presented in Fig. 2 we see that adding interlinks gives as probability reduction by factor not .

### 4.3 Formal consideration

Now, we want to compare two situations, MNOPs scheme with disjoint path and strategy presented in Sec. 4.1 (MOPs) where on the behalf of interlinks we remove one path. For the new strategy, Alice and Bob are connected through disjoint path each containing intermediate nodes and each vertex having the same trust level . We introduce the numbering system of vertices: , for two communicating vertex, for intermediate nodes where and denote row and column number, respectively. Adding interlinks can be realized on different strategies. Here, we develop a strategy called the MOPs l-scheme, one that is probably not optimal but provides the possibility of analytical analysis. In the MOPs -scheme we connect all vertically adjoined nodes in every ()-th column (connecting take edges).

Formally, new graph is obtained by adding a set of edges:

 E={gij↔g(i+1)j|j≡0(modl−1)∧i

It can be easily seen that the number of interlinks created is at most . The example is presented in Fig. (3).

In the MNOPs scheme, the probability of hacking is . We will keep this approximation, but later, in Sec. 4.4

, we perform an analytical analysis and estimate its error. To calculate the probability of hacking the

-scheme we divide the sample probability space into events , where each event means that exactly of

nodes become corrupted. This is a complete and pairwise disjoint set of events. Therefore, according to the law of total probability and binomial distribution, probability of information leakage in the MOPs

-scheme is:

 P(H)=nl∑k=0(nlk)pk(1−p)nl−kP(H|Hk), (13)

where is an event related to hacking an vertex cut. Of course, if . Therefore, we must calculate for . This is rather a difficult task. Instead, we perform an estimation that provides a useful upper bound on . Let us denote the number of minimal cuts for -scheme of length by

 c(l,n):=P(H|Hl)(nll). (14)

Obviously, if , and for we have the following theorem:

###### Theorem 3.

Define:

 α(l)=2−l((1+l+√l2+6l−7)l−(1+l−√l2+6l−7)l)√l2+6l−7, (15)

for and . Then

 α(l)×(n−2l2)≤c(l,n)≤α(l)×n. (16)

The term gives the asymptotic average number of minimal cuts per column as . For real schemes, it serves as an upper bound.

###### Proof.

The vertex cut requires hacking at least one vertex in each row, and each vertex belongs to at least one cut (each column forms a cut), and if we settle on one vertex, we can easily find all cuts containing this vertex. Let be the settled vertex and

 1+l

we can formulate a procedure that determines all vertices of the next (or previous) row that can be used to form the cut:

• If degree , then the possible vertices are .

• If degree , then the possible vertices are where and are determined by conditions: .

So, we can say that each vertex “produces” certain new vertices in each row. For vertices that do not meet (17), which can be intuitively described as “boundary vertexes”, the procedure above must be slightly modified, but it will result that the number of “produced” vertices is smaller. Then, we calculate with the following recursion:

f(n,dg2): %n-number of iteration, dg2-boolean variable true if degree >2
if n==l return 1
if dg2==True return 3*f(n+1,1)+2(l-2)*f(n+1,0)
if dg2==False return 2*f(n+1,1)+(l-2)*f(n+1,0)
alpha(l):
return (f(l,1)+(l-2)*f(l,0))/(l-1)


This can be alternatively rewritten as a pair of related sequences and expressed in the following form with matrix multiplication:

 α(l)=1l−1(1l−2)(32(l−2)2(l−2))l−1(11). (18)

The matrix in this formula can be diagonalized leading to Eq. 15. The expression in is overestimated because we neglected the “boundary corrections”. Because the ranges of and are sometimes smaller (especially close to the sides of the graph), the estimation improves as increases. An underestimation is obtained if we do not count all vertex cuts that contain “boundary vertices”.

We now have analytical estimation for the first non-zero term in (13), where we neglect “boundary corrections”. In fact, it can also be calculated numerically in time using dynamic programming. The algorithm is presented in Appendix 3. Therefore, in the numerical calculation (for hypothetical testing of the algorithm), we will use the exact value of , although for analysis it is convenient to use the upper bound as in Theorem 3. The difference is significant when has a similar order as .

Calculating higher terms in 13 pose a problem. However, it turns out that if it can be approximated by geometric series. To do that, we first derive important observation:

###### Lemma 2.

Consider

 βn,l(k):=(nlk)P(H|Hk), (19)

which is the number of cuts of size k in the MOPs l-scheme graph. The following inequality holds

 βn,l(k)≤βn,l(k−1)nl for k−1≥l. (20)

Therefore:

 βn,l(k)≤α(l)n(nl)k−l. (21)

The Lemma 2 is obtained by numerical, not analytical analysis. We do not posses a proper proof of its validity, but for practical use, we only need to confirm its correctness with given and . This could be done numerically with brute force, generating all possible vertex sets, and checking if it is cut. In fact, due to the computational complexity of this method, it can only be performed on small graphs. We performed such calculations with all possible schemes with graph size < 30 i.e if . See more in Appendix 4. An alternative method that could substantiate these results is its statistical testing i.e generating a sample consisting of random sets of nodes and calculating the ratio of cuts, generated this way versus the sample size. An important observation that is worth stressing is that the problem of calculating the number of cuts in such a graph (and calculating probability of that there exists a path between and ) looks similar to the percolation problem. We did not follow this lead, but it could be useful if one would try to prove the lemma 2.

With use of the above lemma we can now obtain:

###### Theorem 4.

If is small enough, so it satisfies , then:

 P(H)≤11−rα(l)npl. (22)
###### Proof.

First, from (21) we derive

 P(H|Hk)=βnl(k)(nlk)≤α(l)n(nl)(k−l)(nlk). (23)

Then (13) can be estimated using a geometric progression formula with initial term and common ratio . ∎

It will be useful to know how much our algorithm is better than the MNOPs. Thus, for a given network, we introduce efficiency coefficient , which approximate ratio of probability of hacking of our algorithm vs MMOP scheme:

 P(H)(np)l+1≤11−rα(l)pnl:=η. (24)

As described before in Sec. 2, we used the approximation for the classic scheme, which is not necessarily desired as is usually . We refer to this concern in Sec. 4.4, in which we show that due to this fact we shall introduce numerical correction for . However, for “reasonable” graphs the corrected efficiency is in the worst cases only about grater than the one predicted by Eq.24. Therefore, it has a really small impact and we omit it.The sufficient condition for the -scheme to perform better than the classic scheme is:

 η<1, (25)

Consequently, the risk of hacking is at least times smaller (if both schemes use the same amount of links). Equation (25) allows us to study the performance of the algorithm and we see that for the constant we can obtain, asymptotically for very large graphs, very low values of . However, as trust of nodes grows (so becomes smaller), the effectiveness of the algorithm decreases. In the same time we need to keep assumed condition . This may leads to concerns about upper bounds on . However, for “realistic networks” we can assume that () what, in worst case, gives , which is not very restrictive. In Sec. 4.5 we present numerical analysis for (25) which shows exactly in which ranges of and our algorithm is useful.

### 4.4 Analysis of approximation in MNOPs scheme

Along chapters 3 and 4 we use approximation , which works for . Here, we analyse validity of this assumption and make correction to equation (25). First, let us note that just for classic scheme we shall demand that . If this does not hold (so ), then the probability of hacking single path is:

 P=1−(1−p)n>1−(1−1n)n>1−1e≈0.63, (26)

which is unacceptable for any real network called “secure”. This can also substantiate reality of assumption made in Theorem 4 that . We define parameter

 μ:=1np≥1, (27)

which is a certain constant fixed for a network (path), this divide all networks models (paths) on certain classes, with fixed value of . Analysing validity of approximation as a function of gives us useful results, namely lower bound for probability of hacking. For a given class (characterized by ) consider:

 vn(μ)=1−(1−p)n−npnp=1−(1−1μn)n−1μ1μ=μ(1−(1−1μn)n)−1. (28)

Clearly

 P=1−(1−p)n=(1+vn(μ))np.

We have two following properties:

 vn(μ)>vn+1(μ), (29)

and

 v(μ):=limn→∞vn=−1+μ(1−e−1/μ). (30)

Let . Then

 1−(1−p)n≥γ(μ)np. (31)

And therefore putting instead of in (25), we get more restrictive condition on (that refer to situation that classic scheme works better than assumed).

 P(H)(1−(1−p)n)l+1≤P(H)(np)l+11γ(μ)l+1≤η1γ(μ)l+1<1. (32)

Function is presented on figure 4.

We conclude that typically we shall deal with systems with parameter , this is done by posing arbitrarily but reasonable condition () and analysis as in equation (26). We assume that usually , otherwise communication will be very expensive in resources. For such assumption we can estimate maximal value of correction, namely . This section does not change our conclusions significantly but is required for completeness of analysis.

### 4.5 Numerical analysis

For given graph and parties communicating with -scheme, parameters like and can be settled or easily estimated, but trust (equivalently probability of hacking) of intermediate nodes is very unclear to define and measure in reality. It can be connected with various events such as random failure of network , corrupted labours, hackers or it could change in time. Therefore, it is rather impossible to declare its value on the stage of theoretical considerations. But still we expect that this trust (and respectively probability of hacking ) must be in reasonable range, for example or are certainly not, of course for security purpose should be as least as possible. Another problem is to find this range but we can analyse conditions imposed on steaming from algorithm structure of -scheme and our considerations, namely and , in dependence of its parameters , , . Those two conditions determine possible range of (first serves to establish upper bound and second for lower bound) in which MOPs -scheme will work. Determined maximal and minimal values for in dependence for and with fixed parameter are presented in Figs. 5, 6 and 7.

Taking plans concerning the future quantum network spanned e.g. across Europe, we suppose its size will refer to average number of intermediate nodes in one path (as expected size of QKD link is about 100 km) and maximal number of disjoint path . Therefore, applicability of MOPs -scheme is under question and depend on real value of .

## 5 Summary

In this article, we have analyzed two scenarios of attack that can be performed on trusted nodes in the hybrid QKD network. First, describing the situation in which each trusted node could be compromised with a certain probability and second describing a correlated attack on a network with finite resources. For which case the risk of hacking is greater depends on individual parameters of network and attacking party, which are difficult to predict in reference to the real world. However, we can infer that with growing network size, the second scenario is less less vulnerable to attacks.

Next, we have described the scheme of communication in the QKD network extending the multiple path scheme by the possibility of crossing communicating paths - the MOPs scheme. This scheme uses the same amount of resources (QKD links) and can perform better under certain conditions, as analyzed in 4.5. The graphic visualization of the most restrictive constraint (i.e. on minimal value of ) is presented in Fig. 8.

Unfortunately, these constraints are possible to fulfill for distant users in large-scale networks.

The concept presented in Sec. 4.2

is worth studying. It does not present a groundbreaking idea but introduces an interesting and inexpensive improvement to the QKD network. This work develops a new way of thinking about QKD multiple path algorithms in hybrid networks with trusted nodes. The proposed algorithm is not an optimal one. Considering different topology of interlinks could perform better but the simple model under investigation enabled analytical analysis. For this moment it is difficult to judge whether the presented concept will be useful in practice, yet it opens a new path for future development of QKD networks.

## Appendix 1

Here, we present an example where for the uncorrelated attack (even with uniform probability for each vertex), it is not always optimal to use as many paths as possible. We adopt the assumptions made in the discussion of this type of attack in Sec. 3.1. Consider the network presented in Fig. 9, and let the number of intermediate nodes on path and (a path that goes from to and to but omits and , respectively) be , and the probability that any (intermediate) node becomes compromised is . If we use one or two paths, then the probability of hacking is, respectively:

 P1=2p, (33) P2=((n+1)p)2. (34)

It is possible to satisfy the inequality , which leads to the condition:

 2(n+1)2

But for large enough, we can find small enough so Eq. 35 do not contradict the condition assumed before, namely. Therefore, even for the simplified version of the correlated attack model, it is not always optimal to use as many paths as possible.

## Appendix 2

In the MNOPs scheme, each intermediate node has a connection to two other nodes and passes a secret key from one to another in a hop-by-hop fashion using a one-time pad. In the MOPs scheme, each node sends a classical message to Bob, which may be not efficient (since it generates a lot of traffic in the classic network), and we now show a certain alternative that reduces impact on key rate.

###### Lemma 3.

Alternatively to the hop-by-hop scheme, we can use the following procedure: In path vertex number 1 take the of keys and and send it to the next node. If node receives the message from the previous node, it takes of his shared keys and the message and sends it forward i.e. . The difference is that instead of decoding and encoding operations, we do it in single step.

###### Lemma 4.

Alternatively, to the MOPs method, we can use the following procedure. Having a graph, we find system of disjoint paths that cover all vertexes. This system will determine the next node for each vertex. While communicating, each node uses the procedure described in Lemma 3 with difference we additionally all interlinks key. Consequently, the message sent forward is: , where denotes adjointness of the nodes and .

One can check that this extension of the MOPs scheme omits unwanted procedure in which each node sends message to Bob and at the same time keeps benefits of utilization of interlinks. A useful example is presented in Fig. 10.

## Appendix 3

Here, we present a dynamical programming algorithm to calculate the exact value of , the greatest discrepancy in the result shows up when is close to :

algorithm alpha is
input: n and l parameters of graph
output: number of minimal cuts separating A and B

create two dimensional array tab[l,n]
for j in 1.. n :
tab[1,j]=1

for each row i in 2...n:
for each cell in given row tab[i,j] , j in 1,n :
calculate range of possible k (a,b) such that nodes(i,j) and (i-1,k)
can be in vertex cut for k in a...b :
tab[i,j]+=tab[i-1,k]

return sum of tab[l,i]


## Appendix 4

Here, we present the numerical calculation performed to substantiate the lemma 2 from Sec. 4.3. For each graph, each subset of size k can be generated and checked to see whether it separates and (if and are in disjoint components). The numerical values of the function for small graphs are presented in Fig. 11.

From this analysis, one can deduce that the ratio is maximal for . We also derive numerical observations suggesting that inequality “cannot be strengthened”, by which we mean that:

 βnl(l+1)βnl(l)nl→1, (36)

as grows. In Fig 12 the numerical result obtained for are shown. For , the above thesis seems to hold but collecting data for many points is too time consuming and, therefore, we do not present more results.