The Engineering of a Scalable Multi-Site Communications System Utilizing Quantum Key Distribution (QKD)

TL;DR

This paper presents a scalable, enterprise-ready architecture for integrating Quantum Key Distribution (QKD) into multi-site communication systems, enabling secure, quantum-safe communications across complex networks.

Contribution

It introduces a novel key management service architecture that supports scalable, multi-site QKD integration with flexible security policies and optimized key relay mechanisms.

Findings

Supports arbitrary host-to-host secure sessions across sites

Operates with various QKD implementations through layered architecture

Enables enterprise-level quantum-safe communication

Abstract

Quantum Key Distribution (QKD) is a means of generating keys between a pair of computing hosts that is theoretically secure against cryptanalysis, even by a quantum computer. Although there is much active research into improving the QKD technology itself, there is still significant work to be done to apply engineering methodology and determine how it can be practically built to scale within an enterprise IT environment. Significant challenges exist in building a practical key management service for use in a metropolitan network. QKD is generally a point-to-point technique only and is subject to steep performance constraints. The integration of QKD into enterprise-level computing has been researched, to enable quantum-safe communication. A novel method for constructing a key management service is presented that allows arbitrary computing hosts on one site to establish multiple secure communication sessions with the hosts of another site. A key exchange protocol is proposed where symmetric private keys are granted to hosts while satisfying the scalability needs of an enterprise population of users. The key management service operates within a layered architectural style that is able to interoperate with various underlying QKD implementations. Variable levels of security for the host population are enforced through a policy engine. A network layer provides key generation across a network of nodes connected by quantum links. Scheduling and routing functionality allows quantum key material to be relayed across trusted nodes. Optimizations are performed to match the real-time host demand for key material with the capacity afforded by the infrastructure. The result is a flexible and scalable architecture that is suitable for enterprise use and independent of any specific QKD technology.