Introduction
Quantum computers can achieve an exponential speedup in deciphering most public key cryptography algorithms, such as RSA algorithm, discrete logarithm algorithm and DiffieHellman algorithm [31, 12, 3, 1, 42], thus posing a serious threat to encryption systems based on these algorithms. Quantum key distribution (QKD) and postquantum Cryptography (PQC) are two known cryptographic mechanisms that are resistant to quantum computing. And through the combination of them, a more practical effective key distribution mechanism can be realized [22].
Quantum key distribution is proposed by S. Wiesner, C. H. Bennett and G. Brassard et al. in the 1970s and 1980s [37, 2]. The security of some QKD protocols has been strictly proven [21, 17, 30, 29], and more secure and efficient protocols are proposed, such as measurementdeviceindependent QKD protocols [18] and twinfield QKD protocols [19], and these protocols have been demonstrated in experiments. At present, the pointtopoint distance of key distribution has reached more than 500 km [5, 9, 26], and the farthest distance has reached 833 km [36]. In the range of metro distance, the secure key rate can reach the order of 26 Mbps [14]. The QKD technology based on satellite platform is also developing continuously [33, 13, 16, 40]. Although QKD has theoretical unconditional security, the practical QKD system is difficult to be made perfectly, so attacks against the QKD system have appeared from time to time [20, 4, 32, 23], which also indirectly prompts QKD equipment manufacturers to consider various defenses in the design to close loopholes, so as to improve the practical security of the QKD system [38]. Several quantum communication metropolitan area networks have been constructed and tested for a long period [24, 28, 10, 35, 7]. At the same time, using trusted relays and satellitebased QKD, it is also possible to provide quantum secure communication between cities and even continents [8, 15].
There are still some practical problems in the application of quantum key distribution, including the relatively low key rate, the difficulty of authentication, the difficulty in integrating with the existing cryptosystems, and security dependence on trusted relays. With the development of QKD protocol, optimization and technology, the key rate is gradually increasing. This paper proposes two full authentication protocols for QKD based on postquantum cryptography, which is convenient and can ensure quantum resistant security. In addition, since postquantum cryptography is generally based on public key cryptography, it can also provide some references for the integration of QKD and existing public key systems. At the same time, the use of authentication based on post quantum cryptography can in principle reduce the use of trusted relays in the QKD metropolitan area networks, thereby reducing the security dependence on them and improving the security of the entire quantum communication network.
For the authentication problem, this is mainly due to the unconditional security of QKD, which requires that some processes in the data postprocessing must be authenticated, otherwise there will be a maninthemiddle attack, that is, the attacker will impersonate the legitimate parties and distribute keys to each other. According to the security analysis of Ma et al. [11], the data postprocessing processes requiring authentication includes basis sifting, error correction verification, random number transfer for privacy amplification, and final key verification. The authentication method currently adopted is mainly using preshared symmetric keys to start the first round of QKD, and then use a small part of the generated key to authenticate the subsequent round of QKD. The preshared key is generally realized by manually transferring the key pair. This method is secure but inconvenient to implement, especially in the QKD network, if the number of users is , it is necessary to preshare a total of key pairs in order to realize QKD between any two users, and when there are a large number of users, it will become very troublesome. Through trusted relays, the number of key pairs that need to be preshared can be reduced, but at the same time, the interconnection of the whole network is also reduced, and the security of trusted relays must be assumed.
The authentication can also be realized by the digital signature of public key cryptography, and postquantum cryptography has quantum resistant security that traditional public key algorithms such as RSA do not have. Postquantum cryptography mainly includes lattice ciphers, multivariable ciphers, codebased ciphers, and hash functionbased ciphers. In order to deal with the potential threat of quantum computing, in August 2016, the National Institute of Standards and Technology (NIST) launched the ”PostQuantum Cryptographic Algorithm Standardization Project” [6], calling for PQC algorithms worldwide, and going through the third round of screening in 2020, a total of 7 algorithms were officially approved.
In the previous experiments, we verified the feasibility of applying postquantum cryptography to QKD classical channel authentication [34], and conducted field experiments [39]. We use the PQC signature algorithm based on lattice cipher [41, 27, 25] to authenticate the two processes of basis sifting and random number transfer for privacy amplification. However, the PQC algorithm is not used for the authentication of the error correction verification and the final key verification, but the presharing key authentication is used. This is because when authenticating the above two key verification processes, the generated digest will contain part of the key information. If only the signature is made without encryption through PQC, the digest can be easily decrypted with the public key, which will reveal part of the key information. When using the preshared symmetric key authentication, it is equivalent to performing authentication and encryption at the same time, so there is no need to worry about information leakage. In this way, it is incomplete to authenticate only parts of QKD data postprocessing through PQC, and presharing pair of keys is still required. Therefore, this paper proposes to realize the complete authentication of QKD data processing based on PQC and without preshared keys, and ensure the quantum resistant and longterm security of QKD keys, so as to avoid the difficulties caused by authentication based on preshared keys, and promote the deployment and application of quantum key distribution networks.
Full authentication with PQC
To realize the full authentication of the QKD data processing by PQC and to ensure the security of the output key, it is necessary to simultaneously sign and encrypt the digests generated by the errorcorrected key and the final key. The previous method was to use the preshared symmetric key for encryption, but since PQC does not have unconditional security, and we only want to assume its shortterm security, not longterm security, Therefore, in order to ensure that PQC encryption does not affect the security of the final key, we propose to only use PQC algorithm to sign and encrypt the digest generated by the errorcorrected key and the final key in the first round of QKD, and then take a part of the key generated in the first round to authenticate the second round of QKD by using symmetric key encryption method, as shown in Fig. 1. From the third round, each round of QKD will use a part of the key generated in the previous round to perform authentication based on symmetric key encryption. After the authentication is completed, the key for encryption is discarded, and the remaining key is stored in the key pool as secure keys.
.1 Data postprocessing protocol 1
Taking the BB84 protocol as an example, the sender and receiver are called Alice and Bob respectively. For each round of QKD, after the modulation, transmission and detection of the quantum signals, the first protocol of the data postprocessing is as follows.
First round of QKD:
Step 1. Bob informs Alice of the positions of valid detections, and Alice discards the records of the undetected quantum states.
Step 2. Alice and Bob perform a twoway basis sifting with each other, which is authenticated by the PQC signature algorithm. If the authentication passes, continue, otherwise abort.
Step 3. Alice and Bob estimate the quantum bit error rate. If the bit error rate is higher than the threshold, the protocol will be terminated. Otherwise, the two parties will correct the raw key after the basis sifting to obtain the errorcorrected key.
Step 4. Alice and Bob perform a twoway error correction verification, the digest of which is signed and encrypted through PQC algorithms. If the verification passes, continue, otherwise abort.
Step 5. Alice generates a string of 2n bits random numbers and sends them to Bob. The two parties negotiate to use the n bits to construct the Toeplitz matrix used for privacy amplification, and the process is authenticated by the PQC signature algorithm. If the authentication passes, continue, otherwise abort.
Step 6. Alice and Bob perform privacy amplification simultaneously to generate a secure key. And the calculation of the privacy amplification factor should take into account not only the bit error rate, but also the amount of information potentially leaked by the digest encrypted with PQC in Step 4.
Step 7. Alice and Bob perform a twoway final key verification, the digest of which is signed and encrypted through the PQC algorithms. If the verification passes, continue, otherwise abort.
Step 8. Alice and Bob construct a new Toeplitz matrix with another n bits of random numbers from Step 5. Both parties use privacy amplification to eliminate the amount of information that Eve may obtain from Step 7, and output the final key.
The data postprocessing of the second round of QKD is similar to that of the first round. The difference is that Step 4 and Step 7 do not use PQC signature and encryption for authentication, but take out a part of the key generated in the first round for authentication through symmetric encryption; in Step 5 Alice only needs to generate n bits of random numbers and send them to Bob; in Step 6, the calculation of the privacy amplification factor only needs to consider the bit error rate; in Step 7, the final key is output, and there is no Step 8.
From the third round, the data postprocessing of each round of QKD is basically the same as that of the second round, but in each round, Alice and Bob agree to take the same part from the final key output in the previous round for the error correction verification and final key verification in this round. After the authentication is completed, the authentication key is discarded and will not be reused.
It should be noted that the PQC signature and encryption algorithms are generally different. In the above protocol, we assume both the security of the PQC signature algorithm and the security of the PQC encryption algorithm, but this assumption is based on a short time. For example, the typical time required for the data postprocessing of each round of QKD is about 1 second, then we only need to believe that the PQC algorithm is safe within 1 second. As long as the amount of keys generated by each round of QKD is greater than that required for the next round of symmetric key authentication, the secure and continuous operation of QKD can be maintained. In order to reduce the consumption of keys, considering that the basis sifting and random number transfer for privacy amplification will not leak key information, each round of QKD authentication of these two processes can be completed using the PQC signature algorithm, as shown in Fig. 1. If starting from the second round of QKD, the authentication of basis sifting and random number transfer does not use PQC, but uses a symmetric key for authentication, then assuming that the length of each digest is n bits (for example, SHA256 is 256 bits), these two processes will consume n bits of keys, which will reduce the secure key rate and the maximum distance. If the duration of each round of QKD is T, the key rate will decrease
(1) 
The authentication of QKD data postprocessing with PQC is shown in Fig. 2, with Alice as the transmitter and Bob as the receiver. According to the post quantum cryptographic signature algorithm, each node generates a pair of publicprivate key pairs, such as Alice’s and Bob’s where are private keys and are public keys. According to the public key infrastructure protocol, the private key is kept safely by each user. The public key is handed over to the third party that everyone trusts – the certification authority (CA), which signs it and issues it to the user in the form of a digital certificate. The CA also adopts a postquantum signature algorithm.
At the beginning of authentication, Alice and Bob exchange digital certificates with each other, and verify the authenticity of the digital certificates with the public key of the CA, so as to obtain the public key of the other party. For the two processes of basis sifting and random number transfer required for privacy amplification, first, the QKD system generates a short digest of the message that needs to be authenticated through a hash algorithm, and passes the digest to the PQC algorithm to complete the processes of signature, encryption, transmission, decryption and comparison, as shown in Fig. 2. If Alice wants to authenticate Bob’s message, then Bob signs the digest with his private key and sends it to Alice together with the classical message. Alice decrypts the digest with Bob’s public key and compares it with the digest generated by hashing of the received message. If they are same, the authentication passes; Otherwise, authentication fails. PQC algorithm feeds back the authentication results to the QKD system to complete this round of authentication. For the two processes of error correction verification and final key verification, it is necessary to encrypt the signed digests. According to the public key algorithm, Bob encrypts the digests with Alice’s public key and sends the ciphertext to Alice. Obviously, the errorcorrected key and final key cannot be sent. After receiving the ciphertext, Alice decrypts it with her private key to obtain the signed digest, and then performs the above signature verification process. Conversely, if Bob wants to authenticate Alice’s message, the authentication process is similar.
.2 Data postprocessing protocol 2
In this protocol, we use PQC only for signatures and not for encryption. First, the PQC signature algorithm is used to authenticate the basis sifting. After the raw key is corrected, the PQC signature is used to authenticate the key consistency verification process after the correction, but the digest is not encrypted. The amount of potentially leaked information will be compressed in the subsequent privacy amplification. Once the error correction verification is valid, it indicates that Alice and Bob have identical keys. Next, the PQC signature algorithm is used to authenticate the random number transfer required for privacy amplification. After that, both parties use these random numbers to construct the same Toeplitz matrix, and perform privacy amplification on the errorcorrected key. Here, it is necessary to take into account the amount of information leaked in the previous digest, so that Eve cannot grasp any information. The final key after privacy amplification is secure, but it cannot guarantee that the keys of Alice and Bob are exactly the same, so the final key verification is required, and this process needs authentication. Then Alice and Bob can take a symmetric small part of the final key according to a prior agreement for the verification of the remaining final key, so as to ensure the security of the authentication. The authentication will succeed only when the authentication keys taken out by Alice and Bob and the remaining keys to be verified are the same, otherwise, the authentication will fail. This just meets the requirements for the final key verification. Although here we uses the symmetric key encryption for authentication, it does not require a preshared symmetric key, nor does it need to be encrypted with PQC. Compared with the first protocol, this protocol reduces the security assumption of PQC encryption algorithm and has the same key rate.
It should be noted that although Alice and Bob have the same random basis information after basis sifting, since the basis information is not confidential, it cannot be used for authentication of the other three processes with symmetric encryption.
Replay attack on the authentication
For the replay attack, it means that Eve intercepts the messages and authentication digests sent by Alice and Bob in the history, and reuses this information in a maninthemiddle attack, trying to pretend to be Alice or Bob and establish a QKD with other parties. Whether it is basis sifting, random number transfer for privacy amplification, error correction verification, or the final key verification, the authenticated messages of these processes are all random numbers, and the message and digest of each authentication are different. Therefore, Eve must successfully execute replay attacks on all four processes. For the authentication using preshared keys, since the key between any two users is random, and even for the same two users, the symmetric keys used to start QKD at different times are updated, so Eve cannot use the previously intercepted encrypted digest to attack the QKD authentication between any two legitimate parties. Eve only has the possibility to launch replay attacks on authentication based on public key algorithms, including the PQC algorithm.
Basis sifting: The authentication of basis sifting is a twoway process. Here, we take Eve impersonating Alice as an example, Eve intercepts the basis sifting information and signed digest sent by Alice in history, and tries to establish a QKD link with other users. Suppose that Eve obtained string of basis , and is the length of the basis string. Taking polarization encoding as an example, represents the basis, including horizontal polarization state and vertical polarization state , and represents the basis, including aligned state and aligned state . Note that Eve can’t determine which state to send with only the basis information. In the actual QKD link, both transmission efficiency and detection efficiency are less than 1, so there must be some signals that cannot be detected by the receiver. In order to simulate the actual situation, Eve can randomly insert vacuum states between the effective signal states. At the same time, all signal states are required to be detected by the receiver to ensure that the signed digest can be replayed during the authentication of basis sifting.
Error correction verification: In this process, since only the signed digest is sent, and the errorcorrected key is not sent, so Eve with a general identity cannot obtain the errorcorrected key, and the quantum states corresponding to the above intercepted basis are unknown. Therefore, in order to successfully implement the replay attack in this process, Eve must have established QKD as a legitimate identity with another party in the past. For example, Bob has established QKD with Alice. At some time, Bob becomes an attacker Eve, and he tries to establish a QKD with another user Charlie via impersonating Alice. Eve has all the authentication information with Alice, including the errorcorrected key and the final key, for Eve to launch a replay attack. However, as the receiver, Charlie’s measurement basis is random, and the measurement results are also random. Even without considering the bit error rate, it is almost impossible to obtain the same errorcorrected key required for the replay attack. The probability that the two happen to be the same is about
, where is the length of the errorcorrected key. Therefore, Eve cannot replay the signed digest of the error correction verification, and even the digest signed by the public key algorithm cannot be replayed. Similarly, if Alice becomes the attacker Eve at some time, she tries to establish QKD with Charlie by impersonating Bob, but at this time Charlie, as the transmitter, modulates signal states randomly, and Eve cannot replay the previous authentication digest.Random number transfer for privacy amplification: Alice generates the random number and sends it to Bob through authentication. In this process, Bob needs to authenticate Alice’s identity. The attacker can impersonate Alice by replaying the random number and the signed digest intercepted before, so as to share the same random number with Bob and construct the same matrix for privacy amplification.
Final key verification: Since Eve cannot obtain the same corrected key, even after the same privacy amplification process, Eve cannot obtain the same final key as the intercepted key, so replay attacks cannot be implemented in this process.
Therefore, for the above three authentication methods, Eve cannot implement a complete replay attack. The main reason is that Eve cannot obtain a repetitive errorcorrected key due to the randomness of the other party’s modulation states or measurement basis.
Conclusion and Discussion
In this article, we propose two authentication protocols for quantum key distribution data postprocessing based on post quantum cryptography. By authenticating the error correction verification and the final key verification of the first round of QKD, and encrypting the digest, and then eliminating the potentially leaked key information through privacy amplification, the longterm quantum resistant security of the final key can be realized. In the second protocol, after the authentication of basis sifting, error correction verification and random number transfer with PQC signature algorithm, Alice and Bob use a small part of the privacy amplified key to complete the authentication of the final key verification. If the authentication passes, the final key will be output. We also analyze the replay attack on QKD and obtain the fact that the attacker cannot successfully launch replay attack on the authenticated QKD.
The two authentication protocols proposed in this paper have some properties and advantages. On the one hand, they avoid the difficulty of presharing symmetric keys in largescale quantum key distribution networks. On the other hand, the protocols provide quantum resistant security. Thirdly, in combination with public key infrastructure, trusted relays are no longer required in principle within the scope of QKD metropolitan area network, so as to improve the interconnection of quantum key distribution network; Finally, we only need to assume the shortterm security of the PQC algorithm, that is, after the authentication is completed, even if the PQC algorithm is cracked, the security of the generated QKD key will not be affected. This is different from the general encryption, which needs to ensure that the PQC algorithm is secure during the data confidentiality period, that is, it needs to assume the longterm security of PQC algorithm.
The authentication protocols are not only applicable to prepare and measure QKD protocols, but also to protocols such as measurementdeviceindependent QKD, twinfield QKD, and continuous variable QKD.
Acknowledgements.
We thank T. Y. Chen, Q. Zhang and Y. Yu for valuable discussions. This work was supported by the National Natural Science Foundation of China (Grant No. 62001414, No. 12165020), and the Yunnan Fundamental Research Project (Grant No. 202001BB050028).References
 [1] (2019) Quantum supremacy using a programmable superconducting processor. Nature 574 (7779), pp. 505–510. Cited by: Introduction.
 [2] (1984) Quantum Cryptography: Public Key Distribution and Coin Tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, New York, pp. 175–179. Cited by: Introduction.
 [3] (202008) Comparing the difficulty of factorization and discrete logarithm: a 240digit experiment. In The 40th Annual International Cryptology Conference (Crypto 2020), T. R. Daniele Micciancio (Ed.), Advances in Cryptology – CRYPTO, Santa Barbara, USA, United States. Cited by: Introduction.
 [4] (2014) Laser damage helps the eavesdropper in quantum cryptography. Physical review letters 112 (7), pp. 070503. Cited by: Introduction.
 [5] (202002) Sendingornotsending with independent lasers: secure twinfield quantum key distribution over 509 km. Phys. Rev. Lett. 124, pp. 070501. External Links: Document Cited by: Introduction.
 [6] (201604) Report on postquantum cryptography. Technical report Technical Report NISTIR 8105, National Institute of Standards and Technology. Cited by: Introduction.
 [7] (2021) Implementation of a 46node quantum metropolitan area network. npj Quantum Information 7 (1), pp. 1–6. Cited by: Introduction.
 [8] (2021) An integrated spacetoground quantum communication network over 4,600 kilometres. Nature 589 (7841), pp. 214–219. Cited by: Introduction.
 [9] (2020) Implementation of quantum key distribution surpassing the linear ratetransmittance bound. Nat. Photonics 14, pp. 422–425. Cited by: Introduction.
 [10] (2013SEP 5) A quantum access network. Nature 501 (7465), pp. 69. Cited by: Introduction.
 [11] (201001) Practical issues in quantumkeydistribution postprocessing. Phys. Rev. A 81, pp. 012318. External Links: Document Cited by: Introduction.

[12]
(1996)
A fast quantum mechanical algorithm for database search.
In
Proceedings of the twentyeighth annual ACM symposium on Theory of computing
, pp. 212–219. Cited by: Introduction.  [13] (2017) Quantumlimited measurements of optical signals from a geostationary satellite. Optica 4 (6), pp. 611–616. Cited by: Introduction.
 [14] (2017) Provably secure and highrate quantum key distribution with timebin qudits. Sci. Adv. 3 (11), pp. e1701491. Cited by: Introduction.
 [15] (201801) Satelliterelayed intercontinental quantum network. Phys. Rev. Lett. 120, pp. 030501. External Links: Document Cited by: Introduction.
 [16] (2017) Satellitetoground quantum key distribution. Nature 549 (7670), pp. 43–47. Cited by: Introduction.
 [17] (1999) Unconditional security of quantum key distribution over arbitrarily long distances. science 283 (5410), pp. 2050–2056. Cited by: Introduction.
 [18] (2012) Measurementdeviceindependent quantum key distribution. Physical review letters 108 (13), pp. 130503. Cited by: Introduction.
 [19] (2018) Overcoming the rate–distance limit of quantum key distribution without quantum repeaters. Nature 557 (7705), pp. 400–403. Cited by: Introduction.
 [20] (2010) Hacking commercial quantum cryptography systems by tailored bright illumination. Nature photonics 4 (10), pp. 686–689. Cited by: Introduction.
 [21] (1998) Quantum cryptography with imperfect apparatus. In Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No. 98CB36280), pp. 503–509. Cited by: Introduction.
 [22] (2013) Quantum key distribution in the classical authenticated key exchange framework. In PostQuantum Cryptography, P. Gaborit (Ed.), Lecture Notes in Computer Science, Vol. 7932, pp. 136–154. External Links: ISBN 9783642386152, Document, Link Cited by: Introduction.
 [23] (2020) Hacking quantum key distribution via injection locking. Physical Review Applied 13 (3), pp. 034008. Cited by: Introduction.
 [24] (2009JUL 2) The SECOQC quantum key distribution network in Vienna. New J. Phys. 11, pp. 075001. Cited by: Introduction.

[25]
(2009)
Publickey cryptosystems from the worstcase shortest vector problem: extended abstract
. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31  June 2, 2009, M. Mitzenmacher (Ed.), pp. 333–342. External Links: Document Cited by: Introduction.  [26] (2021) 600km repeaterlike quantum communications with dualband stabilization. Nature Photonics 15 (7), pp. 530–535. Cited by: Introduction.
 [27] (2009) On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56 (6), pp. 34:1–34:40. External Links: Document Cited by: Introduction.
 [28] (2011MAY 23) Field test of quantum key distribution in the Tokyo QKD Network. Opt. Express 19 (11), pp. 10387. Cited by: Introduction.
 [29] (2009JULSEP) The security of practical quantum key distribution. Rev. Mod. Phys. 81 (3), pp. 1301. Cited by: Introduction.
 [30] (2000) Simple proof of security of the bb84 quantum key distribution protocol. Physical review letters 85 (2), pp. 441. Cited by: Introduction.
 [31] (1994) Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th annual symposium on foundations of computer science, pp. 124–134. Cited by: Introduction.
 [32] (2015) Effect of source tampering in the security of quantum cryptography. Physical Review A 92 (2), pp. 022304. Cited by: Introduction.
 [33] (2017) Satellitetoground quantumlimited communication using a 50kgclass microsatellite. Nature photonics 11 (8), pp. 502–508. Cited by: Introduction.
 [34] (2021) Experimental authentication of quantum key distribution with postquantum cryptography. npj quantum information 7 (1), pp. 1–7. Cited by: Introduction.
 [35] (2014) Field and longterm demonstration of a wide area quantum key distribution network. Opt. Express 22 (18), pp. 21739–21756. Cited by: Introduction.
 [36] (2022) Twinfield quantum key distribution over 830km fibre. Nature Photonics, pp. 1–8. Cited by: Introduction.
 [37] (1983) Conjugate coding. ACM Sigact News 15 (1), pp. 78–88. Cited by: Introduction.
 [38] (2020) Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92 (2), pp. 025002. Cited by: Introduction.
 [39] (2021) All optical metropolitan quantum key distribution network with postquantum cryptography authentication. Optics Express 29 (16), pp. 25859–25867. Cited by: Introduction.
 [40] (2020) Entanglementbased secure quantum cryptography over 1,120 kilometres. Nature 582, pp. 501–505. Cited by: Introduction.
 [41] (2020) Tweaking the asymmetry of asymmetrickey cryptography on lattices: kems and signatures of smaller sizes. In IACR International Conference on PublicKey Cryptography, pp. 37–65. Cited by: Introduction.
 [42] (202110) Phaseprogrammable gaussian boson sampling using stimulated squeezed light. Phys. Rev. Lett. 127, pp. 180502. External Links: Document, Link Cited by: Introduction.