Quantum-secured data transmission in urban fibre-optic communication lines

by   A. V. Duplinskiy, et al.

Quantum key distribution (QKD) provides information-theoretic security in communication based on the laws of quantum physics. In this work, we report an implementation of quantum-secured data transmission in standard communication lines in Moscow. The experiment is realized on the basis of the already deployed urban fibre-optic communication channels with significant losses. We realize the decoy-state BB84 QKD protocol using the one-way scheme with polarization encoding for generating keys. Quantum-generated keys are then used for continuous key renewal in the hardware devices for establishing a quantum-secured VPN Tunnel. Such a hybrid approach offers possibilities for long-term protection of the transmitted data, and it is promising for integrating into the already existing information security infrastructure.


Quantum Key Recycling with optimal key recycling rate based on a noise level

Quantum Key Recycling (QKR) protocol can send a secret classical message...

Efficient Quantum Voting with Information-Theoretic Security

Ensuring security and integrity of elections constitutes an important ch...

Potentially Information-theoretic Secure Y00 Quantum Stream Cipher with Limited Key Lengths beyond One-Time Pad

The previous work showed that the Y00 protocol could stay secure with th...

Quantum Inspired Security on a Mobile Phone

The widespread use of mobile electronic devices increases the complexiti...

Development of NavIC synchronized fully automated inter-building QKD framework and demonstration of quantum secured video calling

Quantum key distribution (QKD) is a revolutionary communication technolo...

Entanglement-based quantum private comparison protocol with bit-flipping

Quantum private comparison (QPC), whose security is based on the laws of...

Long-distance twin-field quantum key distribution with entangled sources

Twin-field quantum key distribution (TFQKD), using single-photon-type in...

I Introduction

Recent progress in creating quantum algorithms posses a serious threat on the central element of currently used tools for ensuring information security, the key distribution infrastructure. The majority of methods for key distribution is based on the assumption of the computational complexity of several mathematical tasks, such as large number factorization Schneier . However, Shor’s algorithm for a quantum computer allows solving these problems in a polynomial time Shor1997 . Moreover, absence of an efficient classical (non-quantum) algorithm breaking such public-key cryptosystems still remains unproved.

Quantum computers have less of an effect on symmetric cryptographic primitives, such as GOST block cipher if it is assumed that the master key has been distributed secretly, since Shor’s algorithm does not apply, and then exponential speedups are not expected Shor1997 . Nevertheless, Grover’s search algorithm Grover1996 would allow quantum computers a quadratic speedup in brute force search, which means that the key management in terms of the key size and the key refresh time for such primitives needs to be reconsidered.

An ultimate and practical solution for the key distribution problem is the QKD technology. The QKD method uses the possibility to encode information in states of single photons, transmit them through optical channels, and measure on the receiver side Gisin2002 ; Lo2015 ; Lo2016 . By virtue of a number quantum-mechanical phenomena, this allows one to exclude possibilities for undetectable eavesdropping Gisin2002 . It is important to note that the method for preparation and measurements of quantum states, so-called QKD protocol, should guarantee the absence of undetectable eavesdropping. Presently, decoy-state BB84 QKD is a standard technique, which provides security and significant key rates for a large distance between parties Hwang2003 ; Lo2005 ; Wang2005 ; Ma2005 ; Curty2014 ; Lim2014 ; Ma2017 ; Trushechkin2017 .

Figure 1: Setup for QKD using the polarization-encoding scheme with the light source L1, intensity modulator IM, half-wave plate , phase modulators PM1 and PM2, variable optical attenuator VOA, synchronization laser L2, analyzing detector AD, wavelength-division multiplexing filter WDM, polarization controller PC, synchronization detector SD, quantum channel (urban fiber-optics channel) QC, polarization beam splitter PBS, and single-photon detectors SPD1 and SPD2. The polarization maintaining fiber is used for connections between L1 and PM1 for Alice, and between PM2 and PBS for Bob.

In this work, we report the experimental demonstration of quantum-secured data transmission in standard communication lines in Moscow. Due to significant losses in the urban fibre-optic communication lines, we use the recently suggested one-way scheme of key distribution with fast polarization encoding Duplinskiy2017 . The setup is based on LiNbO3 phase modulators, single laser source for states generation, and two single-photon detectors (see Fig. 1). An important improvement in compare with recent experiments on realizing three-node QKD network in Moscow Pozhar2017 is the inclusion of an intensity modulator to the optical scheme as well as updating control units and post-processing software for the implementation of the decoy-state QKD protocol. Quantum-generated keys then used for continuous key renewal in the hardware devices for establishing quantum-secured VPN Tunnel by Amicon Amicon . The used fiber-optic communication lines are deployed between the Sberbank office on Bol’shaya Andron’yevskaya street (Alice) and the Sberbank office on Vavilova street (Bob): the one is used for QKD and another one for information transmitting.

Ii Experiment

The optical scheme (Fig. 1) realizing decoy-state BB84 QKD works as follows Duplinskiy2017 . The laser source (L1) emits polarized optical pulses at 1550 nm. Then half-wave plate transforms the polarization state so that the amplitudes along the crystal axes of Alice’s phase modulator (PM 1) are equal to each other. This allows Alice to encode bits of the secret key in polarization states with the help of the modulator. To weaken the pulse, a variable optical attenuator (VOA) is used. After the quantum channel (QC), the piezo-driven polarization controller (PC) compensates SOP (state of polarization ) drifts and rotates it so that the polarization components along the lithium niobate crystal axes switch places, compensating the birefringence of LiNbO3. Bob’s modulator PM 2 is used for basis selection. Finally, a half-wave plate () converts SOP for polarization beam splitter (PBS) to distinguish states with the help of single-photon detectors (SPD1, SPD2). The decoy-state QKD protocol is realized by using intensity modulators. Polarization recalibration is applied once quantum bit error rate (QBER) in decoy pulses rises above the 8% value. Then the gradient descent algorithm is applied for polarization controller to minimize the QBER. As soon as QBER over all types of pulses is under 5.5%, the calibration is over and key generation is restarted.

The parameters of the QKD setup implementation are as follows: number of pulses in train , repetition rate of pulses in train 312,5 MHz, detectors efficiencies are 10% and 6.4% (for SPD1 and SPD2, respectively; see Fig. 1), detectors dead time 5 

, dark count probability

, fiber channel losses 14.05 dB in the channel of 25 km length (which corresponds to km of standard fiber-optic communication line with 0.2dB/km losses), and additional losses on Bob’s side 6 dB. The communication line between two server rooms consists of 8 segments (6 segments outside the buildings and 2 inside the buildings). Few connections give us about 4% of reflection. Toward to prevent the detector blinding, we separate clock synchronisation signal and quantum signal not only in wavelength but also on time. The resulting raw key generation rate in our experiments is 2 kbit/s. After realization of the QKD session, we realize the standard sifting procedure, which is needed for dropping the positions with inconsistent bases from the raw quantum keys, by using authenticated communication channel (see below). The resulting keys are called sifted keys. The decoy states statistics Trushechkin2017 is announced on this stage as well.

Figure 2: QKD technology stack, where control units realize the decoy-state QKD protocol. As a result of their work, raw quantum keys go to the basis reconciliation and to the post-processing procedures realized on conjugation units. After these stages, final secret keys can be requested by Amicon devices for establishing VPN tunnels.

Iii Post-Processing Procedure and Application Level

The sifted keys are the input for a post-processing procedure Kiktenko2016

. The post-processing procedure includes a number of stages: information reconciliation, parameter estimation, privacy amplification, and, finally, authentication check. First, sifted keys from the hardware devices go through the information reconciliation stage. We use the recently suggested symmetric blind information reconciliation method 

Kiktenko2017 . It uses low-density parity-check (LDPC) codes with frame length . For a coarse tuning of the code rate we employ a pool of LDPC codes consisting of nine codes with the following rates: . For a fine tuning of the code rate, we employ the shortening and puncturing techniques Elkouss2010 ; Elkouss2011 . We note that the total number of shortening and puncturing bits was kept at constant level as follows:


The sub-block length of sifted key processed in a single launch of the symmetric blind reconciliation is as follows:


Here, sub-blocks of sifted keys were processed in parallel launches of the symmetric blind reconciliation method. The resulting length of the sifted key processed in one round of the post-processing procedure was bits.

After performing the information reconciliation stage, there is still a certain probability that uncorrected errors remain. In order to detect possible remaining errors, we use the subsequent verification protocol with the use of -universal hash functions Kiktenko2017_2 . The probability of the presence of errors after successful verification of the block of bits is bounded by the value of with the use of a hash-tag of 50 bit length. Due to the low level of frame error rate of the employed LDPC codes, we obtain the length of verified keys to be almost always equal to the length of the processed sifted keys .

The next stage in the post processing is the parameter estimation stage. On this stage, the parties obtain the actual level of the QBER for their key blocks via direct comparison of the keys before and after the information reconciliation. If the value of QBER appeared to be higher than the critical value needed for efficient privacy amplification (11% for the decoy-state BB84 protocol), the parties receive a warning message about possible eavesdropping. Otherwise, the verified key blocks go to the privacy amplification stage, and estimated QBER is used in next rounds of the information reconciliation stage. In our experiments, QBER was on the level of 4.8%-6%, so we were able successfully implement the privacy amplification procedure.

The aim of the privacy amplification stage is to reduce potential information of an adversary about the verified blocks to a negligible quantity Gisin2002 . Such a reduction can be achieved by a contraction of the input verified key into a shorter key. The length of the secret key is computed as follows:


where is length of the verified key, is an estimation of the portion of the sifted key bits generated from single photons pulses,

is binary entropy function, is an estimation of the QBER for single photon pulses, is total number of bits disclosed in information reconciliation and verification stages, and is the failure probability of privacy amplification stages ( in our setup).

The estimates of and were obtained using the decoy-states method. We employed three types of pulses with different intensities (signal), (decoy), and (vacuum). The corresponding probabilities of generating each type of pulses were as follows: , . We note that the sifted key was generated using signal pulses only Trushechkin2017 . The length of the secret key can be then calculated as a function of the following form:


where and are the numbers of sent and detected states of intensity . The detailed description of the function can be found in Ref. Trushechkin2017 .

Figure 3: QBER (upper curve) and the length of final keys (lower curve) are shown as functions of the generated block indices. Each block of the final key is obtained from a block of the sifted keys of bits length.

After the calculation of the length of the secret key, the privacy amplification can be realized. On this step, the block of the secret key is computed as a result of application of the 2-universal hash function to the verified key Kiktenko2016 . In our setup the Toeplitz hashing is used.

At the final state, the parties need to check the authenticity of their communications over the classical channel by an exchange of hash values of the whole incoming traffic. For this purpose, we employ the information-theoretically secure Toeplitz hashing together with one time-pad encryption 

Kiktenko2016 . The length of the hash value is bit, which bounds the probability of successful man in the middle attack at the level of


If the authenticity is verified, the parties reserve bits of their secret quantum keys for the next post-processing round and obtain


bits of the final key that can be used in cryptographic purposes. We then obtain the length of the secret key to be of depending on QBER (see Fig. 3). The final security level of the obtained key is given by


As a result, after the post-processing procedure, from kbit/s of sifted keys, we obtain about kbit/s of secret keys. This value can be improved significantly by fine tuning of the parameters of the decoy-state QKD protocol, stabilization of the hardware, and improving characteristics of the fiber-optic communication line.

After post processing, quantum-generated keys are used for continuous key renegotiation in the hardware devices for establishing quantum-secured VPN Tunnel. The VPN Tunnel performs L3-level encryption using the Russian symmetric block cipher algorithm (GOST 28147-89) with a 256 bit key size. In our experimental tests, hardware device establishing the VPN Tunnel was connected to the QKD setup via the Ethernet channel. Using the special API-protocol the VPN Tunnel device requests a new quantum key every 400 seconds, which adds to the master keys of the device. In the case of successful obtaining symmetric quantum-generated keys on the both sides, then encryption of transmitted data is performed using both session and quantum keys, i.e. a hybrid scheme. Data transfer rate in the hybrid encryption scheme is about 1 Gbit/s. Up to our knowledge, this is a first in Russia experimental demonstration of quantum-secured data transmission in urban fibre-optic communication lines, while previously announced results were about implementations of QKD protocols only Balygin2017 ; Glem2017 .

Iv Conclusions

QKD technology provides the ultimate in quantum-safe security, guaranteeing provably secure key exchange for encryption and other security devices on point-to-point backbone, networks, and distributed ledgers, such as blockchains Kiktenko2017_3 . We emphasize that the realized hybrid approach, where quantum-generated keys are used for continuous key renewal in already existing information security solutions, offers the method for long-term data protection in the post-quantum era. Furthermore, we expect that using a high-quality fiber-optic communication line (e.g. with 0.2 dB/km loss coefficient) and improving all stabilization issues in hardware and software results in an increase of the key generation rate up to 100 kbit/s, which is enough for transmitting audio information in the one-time pad regime.

Acknowledgments. We express our gratitude to Mr. S. V. Lebed’, the head of Cybersecurity Division of the Sberbank and Mr. S. K. Kuznetsov, the Deputy Chairman of the Sberbank Board, as well as the colleagues from Amicon for their help in realizing this experimental work. The work was supported by the Russian Science Foundation under Grant No. 17-71-20146.