Regarding Figure 2, asymmetric encryption allows Alice to send a symmetric encryption key to Bob by using Bob’s public key for encryption which only Bob can decrypt the message with his private key. If Eve the eavesdropper has Bob’s public key and a strong enough quantum computer, she can easily determine Bob’s private key.  With Bob’s private key, Eve can see the symmetric key proposed by Alice and use it to decrypt the secrets sent over the subsequent symmetric encryption session.

Several protocols have been developed to obtain an encryption key from the encoded photons.  As depicted in Figure 3, BB84, proposed by C.H. Bennett and G. Brassard in 1984, is a popular protocol which encodes four bit values over two different measurement bases.

In the polarization case, two polarizing filters are available; one which filters vertically and horizontally and the other which filters in the diagonal directions. Alice transmits the photon through a random filter, Bob randomly applies a polarizing filter which the photon travels through and deflects to one of two photon detectors.  When the photon polarization matches the filter, it will always deflect to a particular detector so if Bob applied the vertical/horizontal filter and the polarization was vertical, Bob would always detect the photon on detector A and would assign a bit value of 0 while a horizontal polarization would be detected on detector B and be assigned a bit value of 1.  When the filter doesn’t match the photon polarization the photon randomly deflects to either detector. At the end of the sequence of photons, Bob shares the filter setting used with Alice over a classical channel. Alice informs Bob which measurements had the same send and receive filters. All the measurements where the filter settings didn’t match are discarded.  Although the filter settings are shared over the classical channel it provides no useful information to the eavesdropper because they only know the filter settings and not the measurements results. Next some error correction and privacy amplification can be applied to the remaining bit string resulting in the same bit string at each end which can now be used as a shared secret for symmetric encryption.

The provable security for QKD relies on quantum mechanical properties which allow detection and prevent successful eavesdropping. Quantum objects exist in a state of superposition where the value for a property of the object can be described as a set of probabilities for different values. Observation of the quantum object perturbs it in manner which leads it to collapse into a single measurable value. For example, a single photon could be encoded with a value based on its polarization and transmitted to a receiver. If that encoded photon were observed by an eavesdropper, the measurement will have changed the photon in an irreparable way which will be detected at the receiving end as errors. This property and the no-cloning theorem, which prevents a perfect copy of an arbitrary quantum state, provides the foundations for QKD security.

Other implementations of QKD include Continuous Variable QKD (CV-QKD) and entanglement.  With CV-QKD Alice applies a random source of data to modulate the position and momentum quantum states of the transmission.  When Bob measures the position and/or momentum states, the result will be the random string Alice had used. Alice then combines a secret key with the random string and sends that result over the classical channel to Bob who determines the secret key by backing out the random string and now both Alice and Bob have the same secret key.

Entanglement QKD leverages one of the more interesting quantum phenomena where two quantum particles are generated in a way in which they share quantum properties and no matter how far apart they may later separate, a measurement of a property on each will result in the same values.  So, two entangled photons possessing the same polarization could be measured in two locations, providing the same polarization values.  Entanglement QKD is exciting because it is a natural step towards the realization of a quantum internet. 

It should be noted that there are distance constraints on the QKD over fiber. The individual photons being transmitted will be absorbed over distance as the laser strength is attenuated to create the individual photons and standard telecom equipment cannot be used to repeat or strengthen the signal. In general, 100 kilometers has been stated as a practical limit. Methods to extend the distance include trusted exchange, twin field QKD, and quantum repeaters. Trusted exchanges act as a repeater, receiving the optical signals, converting them to digital and then back to optical. Trusted exchanges must be secured to prevent an intruder from reading the transmission while it is in digital form.

Other alternatives to trusted exchange are twin-field QKD and quantum repeaters. Twin-field QKD has generated interest since it is measure-device-independent (MDI) and effectively doubles the distance. In twin-field QKD both Alice and Bob transmit phase encoded pulses to a beam splitter on a third station, which we’ll call Charlie. The encoded pulses interfere with each other and get detected on one of Charlie's detectors. Charlie reports which detector was triggered to Alice and Bob who exchange information between each other to derive keys. MDI essentially means it makes no difference if Charlie is trusted or not because the measurements reported by Charlie do not provide enough information to gain knowledge of the key which will be derived.

Eventually quantum repeaters could break the distance barriers of QKD over fiber providing a similar function as repeaters in telecommunications provide today. There are still some difficult problems to be solved but progress continues to be made. Entanglement plus quantum repeaters not only extends QKD but will be foundations for the future Quantum Internet. Advancements in single photon sources and low noise detectors will further improve the viable distances for QKD. In addition to efforts for improving distances and key rates, the QKD systems should also provide a standard mechanism such as ETSI GS QKD 014 for retrieving the keys.[6][7][8][9]

Satellite QKD

As previously discussed, the distance limitation of a QKD system poses a challenge to global networks. Satellite QKD (S-QKD) offers a mechanism that can be used to augment terrestrial QKD for global environments. With S-QKD, free space optics enables the delivery of a photonic channel from which the symmetric key can be derived. Factors that will impact the use of S-QKD include weather and other environmental factors that impact the free space optic channel. Also, the key rate of the S-QKD system must be sufficient to support the keying material required for the network.

Post-Quantum Cryptography and QKD

Post-Quantum Cryptography (PQC) refers to ciphers which will be resistant to quantum computing. The National Institute of Standards and Technology is leading an effort to vet and standardize new cryptographic algorithms and should have final standards in the next one to three years. PQC and QKD can coexist bringing each of their strengths together. The advantage of PQC is that it does not require hardware to be added to the network. PQC is mathematically based, so it does have the risk that as quantum computers become more widespread that the algorithm could be broken. QKD is based on physics which makes it a stronger approach for security. QKD, however, has other challenges such as distance limitations and the need for additional hardware to be introduced. It is likely that PQC will initially be used at the furthest points in the network, e.g., on customer devices, and QKD will be used in more aggregated parts of the network. This will allow the scaling of the network to be preserved. [10]

Future of QKD

QKD has significant value in a post-quantum world due to its ability to enable symmetric key sharing between endpoints and identifying when eavesdropping on the quantum channel is occurring. However, to be broadly implemented by carriers, QKD must be supportable in a carrier environment providing the availability and reliability their customers expect. For example, disruption of the quantum channel can result in the loss of real-time key material; however, having a secure key storage associated with QKD allows key material to continue to be distributed while investigation of the quantum channel outage occurs. This also means that approaches and capabilities to troubleshoot and manage QKD equipment and services must be developed. Since QKD relies on quantum mechanics, observing state will impact the quantum system, and this in itself poses challenges to approaches for troubleshooting and management.  Continued focus in this area is required to enable large-scale deployments.

QKD has evolved from lab experiments to commercial off-the-shelf systems. The technology will continue to improve over time. Components will continue to see performance improvements and miniaturization. Improved components and protocols will extend operational distances. These improvements potentially open the door to QKD implementations on smaller mobile devices such as drones. Whatever the future of QKD may be, one can be certain it will be foundational for secure communications on the Quantum Internet.

References

1. T. Shimeall, J. Spring, “Resistance Strategies: Symmetric Encryption”, Introduction to Information Security, Elsevier/Syngress (2014)
2. W. Stallings, Cryptography and Network Security: Principles and Practice, 7th Edition, Prentice Hall (2017)
3. J.P. Aumasson, Serious Cryptography: A Practical Introduction to Modern Encryption, No Starch Press (2017)
4. S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, "Advances in quantum cryptography," Adv. Opt. Photon. 12, 1012-1236 (2020)
5. L. Gyongyosi, L. Bacsardi, S. Imre, “A Survey on Quantum Key Distribution” in Infocommunications Journal. XI, 14-21 (2019)
6. European Telecommunications Standards Institute. (2020). Quantum Key Distribution (QKD); Application Interface (ETSI GS QKD 004 V2.1.1). Sophia Antipolis, France; ETSI
7. L. Ma, O. Slattery, and X. Tang, “Optical Quantum Memory and its Applications in Quantum Communication Systems”, Journal of Research of the National Institute of Standards and Technology. 125:125002 (2020)
8. M. Caleffi, D. Chandra, D. Cuomo, S. Hassanpour and A. Cacciapuoti, "The Rise of the Quantum Internet" in Computer, vol. 53, no. 06, pp. 67-72, 2020.
9. M. Lucamarini, Z. L. Yuan, J. F. Dynes and A. J. Shields “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters”, Nature. 557 400-403 (2018)
10. A. Scriminich, G. Foletto, F. Picciariello, A. Stanco, G. Vallone, P. Villoresi, F. Vedovato, “Optimal design and performance evaluation of free-space Quantum Key Distribution systems”, Università degli Studi di Padova (2022)