Quantum Network: Security Assessment and Key Management
Hongyi Zhou, Kefan Lv, Longbo Huang, Xiongfeng Ma

TL;DR
This paper analyzes security and key management in complex quantum networks, proposing schemes to optimize security levels and data utility, applicable to current and future quantum network implementations.
Contribution
It introduces novel communication and key management schemes that enhance security and efficiency in large-scale quantum networks.
Findings
Designed a high-security communication scheme with minimal trusted nodes
Developed key management strategies optimizing data transmission utility
Results applicable to current quantum networks and future standards
Abstract
As an extension of quantum key distribution, secure communication among multiple users is an essential task in a quantum network. When the quantum network structure becomes complicated with a large number of users, it is important to investigate network issues, including security, key management, latency, reliability, scalability, and cost. In this work, we utilize the classical and graph theories to address two critical issues in a quantum network: security and key management. First, we design a communication scheme with the highest security level that trusts a minimum number of intermediate nodes. Second, when the quantum key is a limited resource, we design key management and data scheduling schemes to optimize the utility of data transmission. Our results can be directly applied to the current metropolitan and free-space quantum network implementations and potentially be a standard…
Click any figure to enlarge with its caption.
Figure 1
Figure 2| Symbol | Interpretation |
|---|---|
| Number of nodes in the network, | |
| Number of edges in the network, | |
| Set of nodes connected to (from) node | |
| Total type- data queue at node | |
| Amount of key stored | |
| Amount of key generated per time slot | |
| Working condition of QKD | |
| Saturation of key storage | |
| Total data transmission | |
| Type- data transmission | |
| Key consumption | |
| New type- data transmission request at node |
| (18) |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Quantum Network: Security Assessment and Key Management
Hongyi Zhou
Kefan Lv
Longbo Huang
Xiongfeng Ma
Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing 100084, China
Abstract
As an extension of quantum key distribution, secure communication among multiple users is an essential task in a quantum network. When the quantum network structure becomes complicated with a large number of users, it is important to investigate network issues, including security, key management, latency, reliability, scalability, and cost. In this work, we utilize the classical and graph theories to address two critical issues in a quantum network: security and key management. First, we design a communication scheme with the highest security level that trusts a minimum number of intermediate nodes. Second, when the quantum key is a limited resource, we design key management and data scheduling schemes to optimize the utility of data transmission. Our results can be directly applied to the current metropolitan and free-space quantum network implementations and potentially be a standard approach for future quantum network designs.
I Introduction
As a principal part of quantum cryptography, quantum key distribution (QKD) allows remote communication parties to share identical and private keys for encryption and decryption [1, 2], whose information-theoretical security is guaranteed by the fundamental principles of quantum mechanics [3, 4]. The practical implementation of QKD has a booming development since the beginning of this century. For the most popularly applied photon source — highly attenuated weak coherent state light, the decoy-state method [5, 6, 7] addresses security issues caused by the information leakage of multi-photon components. Since then, many long-distance QKD experiments have been demonstrated around the world [8, 9, 10, 11, 12, 13]. In the meantime, the measurement-device-independent quantum key distribution (MDI-QKD) protocol has been proposed to address the detection loophole problems [14], which has been demonstrated both in the lab [15, 16, 17, 18, 19] and in the field [20, 21]. Recently, theoretical development on MDI-QKD shows that one can further double the secure communication distance [22, 23]. All these developments suggest that point-to-point QKD over hundreds of kilometers is ready for real-life implementation.
The initial proposal of QKD deals with a two-user communication scenario. In practice, one needs to extend point-to-point links to a network. There are in principle two types of quantum networks according to the way of connection [24]: one is optically switched quantum networks realized by classical optical functions; the other is repeater-based networks. The quantum-repeater-based networks are fully quantum networks enabling multi-partite entanglement distribution [25, 26, 27]. While in practical implementations, restricted by the current technology, it is the classical repeaters, i.e., trusted intermediate nodes together with optical switches that composites different topological network structures. To this day, there have been a number of experimental demonstrations on the field test of quantum networks. Several testing implementations of quantum networks have been realized in the China, Europe, Japan, and USA [28, 29, 30, 31, 32]. Today, the topological structures of QKD networks have become more complex than the early ones [28, 29, 31], such as the mesh structure in 46-node Hefei network, and the star-type structure in MDI-QKD network [33]. Besides these fiber-based quantum networks, a satellite-relayed quantum network has been realized recently [34], in which a secret key was exchanged between intercontinental communication partners. In the mean time, researchers explore the feasibility of hybridizing discrete variable schemes with continuous variable ones [35, 36] in a quantum network and integrating QKD into classical networks, such as utilizing wavelength division multiplexing technique [37, 38].
The ultimate goal of quantum communication is to realize large scale quantum networks. There are a few major challenges that a quantum network faces, including (i) designing the proper topological structure, (ii) assessing the security levels, and (iii) managing secure keys. Recently, an engineering framework of a scalable multi-site quantum network has been established [39], in which a QKD system is divided into multiple layers: host layer, key management layer, QKD network layer, and quantum link layer. The core of designing and operating a quantum network lies in the key management layer and QKD network layer, where the issues of security, key management [40], data routing [41] and stability should be dealt with to realize the optimal transmission performance at a low cost.
In a quantum network, communication between two users, Alice and Bob, are often relayed by intermediate nodes. These nodes can be divided into two types, trusted nodes and untrusted nodes, depending on whether or not the security of communication relies on the security of the nodes, respectively. A trusted node executes full QKD process with adjacent nodes and announces the parities of the two key bit strings such that end users can share secret keys. For example, Alice and Bob establish keys, denoted by and , with an intermediate trusted node. The trusted node announces , and eventually, Alice and Bob share a key . Whereas, an untrusted node can be as simple as an optical switch, or it can be an untrusted measurement site used in MDI-QKD schemes. In a simple network structure, such as the MDI-QKD network [33], users can communicate without trusting any intermediate nodes. Since the security of communication does not depend on untrusted nodes, we can only consider the trusted nodes in the following discussions on security assessment. In this paper, we assume all users in the network are connected with insecure classical communication channels, which are treated as a free resource. We focus on the case where quantum keys are consumed for private communication.
Security is a crucial issue in a quantum network, which may be compromised if an adversary, Eve, can manipulate or crack intermediate trusted nodes. In reality, it is important to evaluate security if Eve can at least compromise one of the nodes. In the extreme case where Eve can hack all the intermediate nodes, no secure communication can be established. Thus, we first consider the interesting problem of security assessment when a certain amount of the nodes are compromised. In particular, for a general network structure, we find an optimal communication scheme using the graph representation of a quantum network [42, 43]. With the highest security level, the communication is secure unless the nodes that eavesdropper compromises form a cut in the graph of the quantum network, which is the ultimate solution of an efficient attack strategy by the adversary.
Another issue addressed in this work is the data routing and key management in the network. In private key systems such as QKD, the encoding process may consumes keys with the same length as the message. With the current quantum technology, the key generation speed (10 Mbps) is far below the speed of classical data transmission (1 Tbps). Thus, the key is a limited resource in a network for most communication tasks. In a network with multiple communication tasks, the lack of key management will lead to instability and inefficiency. To address this issue and optimize network management, we adopt techniques addressing similar problems in the classical network research. Specifically, we formulate the problem of QKD-based network communication as a flow scheduling problem in resource-constrained networks, such as processing networks [44, 45] and energy-harvesting networks [46, 47]. In this formulation, each data transmission consumes supporting resources (in our case, quantum key bits), and the network operator needs to jointly optimize resource usage, data routing, and scheduling. Then, to solve the problem of key-constrained data transmission, we adopt the Lyapunov network optimization technique [48] and design a key management and data scheduling algorithm that has low-implementation complexity. We also rigorously show that our algorithm achieves near-optimal performance in terms of data transmission utility.
II Security assessment
The security in a quantum network lies in two aspects: quantum channel and intermediate nodes. The former has been well studied in the security analysis of QKD; while the latter is a new problem emerging in quantum networks. Trusted nodes can extend communication distances, keeping a relatively high key rate at the mean time. At a cost, the security of communication can be compromised by the trustworthiness of intermediate relay nodes. In practice, an important task is to design a key exchange procedure, so that it can tolerate the maximal number of compromised nodes. We define the tolerance of the compromised nodes as security level. Our target is to find a communication scheme that can tolerate as many compromised node as possible, i.e., with the highest security level.
In this section, we first present our network model. Then, we consider several simple communication schemes and provide the corresponding attack strategies. After that, we propose the strongest attacks that can hack all possible communication schemes. We find a communication strategy with the highest security level that is secure unless Eve performs the strongest attack.
II.1 Network model
In our model, we consider two networks. One is a classical network for data transmission, and the other is a quantum network for key generation. When two users Alice and Bob want to establish a communication, they first distribute secret keys via the quantum network and then encrypt the message and transmit it by the classical network. A quantum network can be represented by a graph , where and are the sets of vertices and edges, respectively. Here a vertex represents a basic unit in a quantum network, which can be a node or a QKD sub-network whose internal structure is unrelated to the security assessment. An edge in the graph represents a QKD link used to distribute secure key strings between connected nodes. While a classical network is represented by another graph sharing the same vertices with the quantum one. Edges in the graph represent classical links, which may be different from the QKD links. In this section, we assume the classical links can be freely used and hence neglect the classical communication efficiency in the following discussions.
We focus on the security of nodes and trust the security of QKD links, i.e., we assume the QKD process has been completed and secret keys have been generated. For example, in this model, the untrusted measurement site in MDI-QKD is merged into the QKD links in as an edge in the graph . We have the following assumptions for the adversary Eve. a) Eve has access to all classical channels. b) Eve has no information about the quantum key of an edge if she does not compromise either of the connected nodes. c) Eve learns everything of the quantum key if she compromises at least one of the connected nodes. We present a toy quantum network in Fig. 1, where Alice and Bob are two communicating parties. There are intermediate nodes between them denoted by , and edges , each representing a quantum channel or quantum key strings generated between the connected nodes.
Here, we use the path concept in the graph theory to describe the sequence of nodes used in message transmission. We only consider simple paths here since any loop of the message transmission is useless in a network. Take the red line in Figure 1 as an example. Once Alice and Bob pick a path, all intermediate nodes are fixed, . There are two means for key sharing. One is that Alice and Bob ask all the intermediate nodes ( and in this example) to announce the parities from the exclusive-or (XOR) operations on the key bit strings with their two neighbors in the path. In the example, announces and announces . Then Bob can share the same key with Alice by calculating the parities. Alternatively, will first calculate Alice’s key with the parity announced by , encrypt Alice’s key with , and sends it to Bob. In this method, Alice’s key can be regarded as a message. In theory, both ways of private communication are equally secure. The first method uses fewer encryptions and decryptions. Also, the intermediate nodes do not obtain the final key directly. However, in practice, the first method will lead to low communication efficiency since all the intermediate nodes should publicly announce their parity bits for the key exchange of end-users. The second method is similar to the data transmission in a realistic network, i.e., a node will receive an encrypted message from one of its neighbors and a request to convey the message to another neighbor privately. The difference between the two methods will vanish if we neglect classical communication efficiency. Therefore, we do not distinguish these two methods in the following discussions.
II.2 Multi-path communication scheme and strongest attack
Let us begin with a simple case with only one single-line path, which is represented by the red line in Figure 1. Alice sends the message to her neighbour relay node encrypted with the quantum key. The message is decrypted and re-encrypted by intermediate nodes and finally received by Bob. This is a strategy that consumes the least amount of keys. In terms of security, this scheme can be weak because once Eve cracked any node on the path, she gets the message.
In order to strengthen the single-path strategy, one can introduce an additional disjoint path, the blue line shown in Figure 1, to defend the single-point eavesdropping attack. The second path is used to transmit another independent random bit string. The final message is the XOR result of the two strings transmitted via the two paths. The details of the communication scheme is shown in Table 1.
Suppose Eve can only successfully hack one of the intermediate nodes, she can only learn or , and hence the transmission of is still secure. In fact, if Eve can only hack the nodes in one of the two paths (red or blue), the transmission is secure. Only when Eve can hack nodes from both paths, say and , she can eavesdrop the message. Obviously, the two-path scheme is securer than the single-path one in practice.
Generally, we can increase the number of paths to increase communication security. The two-path scheme shown in Box 1 can be generalized to a multi-path scheme. In an -path scheme, Alice sends by paths. Then it follows step 2, 3 and 4 in Table 1. Finally, Bob can recover the message . Sometimes, adding a path may not increase security. For example, in the aforementioned two-path strategy, adding the third path, , cannot enhance security since any hacking strategy that can successfully break the security of the two-path scheme will also break this three-path scheme. Our target is to design a robust communication scheme against as many compromised nodes as possible.
Now, we model communication schemes and define the security levels regarding a quantum network formally. In a quantum network represented by a graph , we denote to be the set of paths used in a communication scheme, which has one-to-one correspondence to the communication scheme, and denote the set of compromised nodes, which uniquely determines Eve’s hacking strategy. We introduce a Boolean function of a communication scheme and hacking strategy, which is defined as follows.
Definition 1**.**
For a communication scheme and Eve’s strategy , if is secure against compromised nodes in , then . Otherwise, .
We can see that if and only if each path in goes through at least one nodes in . In other words, if and only if there is at least one path in which does not go through any nodes in . We define the security level as follows.
Definition 2**.**
Given a network , the source and sink nodes and , and the communication scheme , the security level of is the optimal value of the following maximization problem,
[TABLE]
We also define a strongest attack to be the most powerful attack that can successfully hack all possible communication schemes.
Definition 3**.**
A strongest attack can successfully hack all possible communication schemes,
[TABLE]
By definition, we see that a strongest attack should contain at least one node of each possible path between Alice and Bob. When Eve compromises a node, we assume that she knows all the keys distributed from (and to) this node. From a security point of view, one can think of Eve making those connecting edges insecure. Given an attack , define as the set of insecure edges caused by this attack. If Alice and Bob cannot be connected by a path without using any edges in , no secure path can be found under this attack and such attack is strongest. Thus, we have the following theorem.
Theorem 1**.**
Attack is strongest if and only if Alice and Bob belongs to different disjoint subsets partitioned by a cut-set contained in .
Proof. Proof of “if”: a cut in the graph theory is a partition of the nodes into two disjoint subsets. It determines a cut-set, the set of edges whose two end nodes belongs to different subsets of the partition. Alice and Bob belongs to different subsets. Hence any path connecting Alice and Bob must have at least one edge that connect two nodes of different subset. From the definition, this edge belongs to the cut-set. That is, any path connecting them must contain at least one edge in the cut-set. Then, no secure communication is possible. The attack is strongest.
Proof of “only if”: we need to prove that if contains no cut-set, there must be a secure path between Alice and Bob. Consider the set of nodes that have secure paths to Alice, if Bob belongs to this set, the proof is done by finding the secure path. If Bob does not belong to it, this set and its compliment set are two disjoint subsets. This partition is a cut. The cut-set must be contained in and hence is strongest.
From the theorem, we can have the following corollary.
Corollary 1**.**
If an attack is not strongest, there exists a secure path connecting Alice and Bob.
II.2.1 Communication scheme of the highest security level
Now, we want to study the most secure communication scheme. That is, such a scheme can tolerate any attacks that other schemes can tolerate. Denote the set of strongest attacks to be .
Definition 4**.**
A communication scheme, , has the highest security level if
[TABLE]
Here we propose a scheme with the highest security level.
Definition 5**.**
In the communication scheme , each node in the network except Alice and Bob broadcasts the parity (XOR result of all the keys from the neighbor). Bob receives all the parity information via unencrypted channels (available to Eve). By calculating the parity information, he can share a secret key with Alice.
We take the network in Figure 1 as an example. Here will announce , will announce , etc. Of course, Alice’s and Bob’s positions are symmetric. All the parity information can be sent to Alice. The scheme still works.
Theorem 2**.**
Scheme , defined in Definition 5, is of the highest security level.
Proof. First, we need to show that this scheme can yield an identical key between Alice and Bob. On Alice’s side, she performs the XOR operation to all the keys connected to her and obtains . Upon receiving all the parity information from the network, Bob performs XOR operation on all the parity bit string along with his keys connected to his neighbors. Then, all the keys in this network appear in this XOR operation twice except those of the nodes connected directly with Alice. Thus, Bob’s XOR result gives and all others are canceled out. In the end, they can achieve an identical key.
Then, we show that the generated key is secure for any attacks that are not strongest. If an attack is not strongest, from Corollary 1, we can find a secure path between Alice and Bob. For the scheme , one can think of a secure random key bit string being transmitted from Alice to Bob with one-time pad encryption [49] and being XOR with some extra random bit strings that might known to Eve. Specifically, suppose the secure path is . Then Alice can send her random bit string via this path to Bob. In this case, she adds more unrelated random bit strings, which will not affect the security of the transmission.
Finally, it is obvious that is insecure under a strongest attack, since it forms a cut between Alice and Bob.
At the end of this part, we have the following remarks. We notice that similar problems have been investigated in both classical [50] and quantum networks [24], where the relation between the maximum tolerable compromised nodes and the network connectivity is given. There is also a communication scheme proposed in [51] with probabilistic information-theoretical security. In contrast, our results are independent of the connectivity and not probabilistic, i.e., our communication scheme is secure unless Eve performs the strongest attack. Another remark is that we assume the classical channel is free between any two nodes. Thus, there is no need to consider the efficiency of classical data transmission in the analysis. In practical cases, we need to consider the trade-off between network efficiency and security level. We leave this problem for future works.
III Utility optimization and key management
When maximizing the security of the network in the previous section, we essentially assume that the key from QKD is sufficient for encryption. While in a practical quantum network, the amount of key is usually limited since QKD is normally far slower than classical communication. In this section, we consider the scenario where the quantum key is a limited source for multiple communication tasks. The problem becomes how to optimize certain network metrics through key management, data scheduling, and routing. For instance, we need to evaluate the encrypted data transmission capacity of a quantum network, i.e., how much data can be transmitted within a unit of time. Here, we borrow techniques in a classical energy harvesting network [46]. The main difference is that the key (corresponding to the energy in an energy harvesting network) is defined over channels rather than nodes, which leads to different target functions and constraints in our optimization problem. In this section, we formulate a utility optimization problem to deal with the key management and data routing problem in a QKD network and find an efficient solution based on Lyapunov optimization techniques.
Again, we follow the graph theory expression to represent the network. Specifically, represent nodes and represents the link between and . The time is discretized in the following discussions and is the index of the time slot. We summarize the notations in Table 2 and make the following remarks. The working condition of QKD is a Boolean function and the key management strategy lies in the balance between and , representing the key generation and consumption, respectively. During data transmission, we only care about their destinations and classify the data accordingly. For example, we call the data flow with the final destination to node as type- data. Data scheduling is determined by , type- data admitted to at time . Since secure data transmission needs encryption, it is given by a function of the key consumption, i.e., . In particular, for the case of one-time pad encryption, . The total data transmission on an edge is the sum of all types of data transmission, i.e., . The key generation rate is determined by the QKD setting between two adjacent nodes, and . The key is stored in the edge with a storage upper bound . When the amount of key stored in the edge is larger than at time slot , QKD in this edge becomes inactive, i.e., . Compared with the energy harvesting network in literature, we neglect the interaction of different paths due to the optical fiber communications applied in the network.
III.1 Utility optimization problem
The data transmission capacity problem is a special case of the utility optimization problems. The utility is defined on each data flow, i.e., , which quantifies how much one can benefit from achieving a data rate . The concrete expression of the utility function can be defined according to practical applications. A common utility function is concave with the data transmission flow, for example, , where the coefficient can be as simple as a constant. In particular, when , the utility optimization problem reduces to the data transmission capacity problem.
The objective of the problem is to optimize the network utility obtained from serving data traffic. Specifically, we consider the following network utility,
[TABLE]
where the average type- data transmission rate at node is given by
[TABLE]
and is the matrix with elements of . In order to evaluate the data transmission capacity for a quantum network, we need to optimize Eq. (4) with certain dynamics and constraints.
III.2 Dynamics and constraints in a quantum network
Now, we model the dynamics, shown in Fig. 2, and the constraints in the network model. First, we have the key storage dynamics,
[TABLE]
where the increase of the key volume comes from QKD and the decrease is caused by key consumption for encryption. Note that in Eq. (6), the key storage should be non-negative, ,
[TABLE]
This key availability constraint, Eq. (7), is a complicated constraint as it couples the key consumption actions across time, i.e., a current decision can affect future actions.
Similarly, we have the data transmission dynamics,
[TABLE]
The amount of type- data to be transmitted at node come from two sources: data flow from other nodes to node , ; and new data admitted to for , . Meanwhile, the queue will decrease if data is transmitted from to other adjacent nodes . The inequality is due to the possibility that neighbor nodes may not have enough data to fulfill the allocated rate. In the following discussions, we just take it as an equality, as when the rate is over-allocated, one can just send some dummy data. Finally, we take account of the stability of the network. That is, the data queue backlog of the whole network needs to be convergent with time,
[TABLE]
The stability condition makes sure that all packets admitted into the network are eventually delivered.
III.3 Algorithm design
To solve the utility optimization problem defined in Section III.1, we design an algorithm based on the Lyapunov optimization technique [52], which has found wide applications in different network scenarios [53, 54, 55]. Define the Lyapunov function,
[TABLE]
where the storage saturation values should be chosen carefully in the algorithm as discussed later in this section. Define the following drift-plus-penalty [52] for our algorithm design, so as to optimize utility while ensuring network stability,
[TABLE]
where is a tunable positive constant and
[TABLE]
The construction of the target function, Eq. (11), is similar to the Lagrange multiplier method.
Then, we choose the control action to minimize the drift-plus-penalty given in Eq. (11). Using the queueing dynamics in Eqs. (6) and (8), after some algebras, we decouple the key management and data transmission, so that we can optimize them separately. In the end, the target function Eq. (11) can be rewritten as
[TABLE]
Here the constant is given by
[TABLE]
where the subscript means the maximal possible values in the strategies and . The detailed derivations of Eq. (13) is presented in A.
Before we give the utility optimization algorithm, we need to introduce the following network technical terms. The saturation of the key storage, , is defined as
[TABLE]
where is a positive constant satisfying and is the largest first derivative of the utility functions, . Here, we only consider since the utility function is concave. The operational meaning of is to let key storage be saturated to a positive constant rather than zero since we often need a positive key storage to handle urgent data transmission tasks.
Then, we define the weight of the type- data over the link as
[TABLE]
The link weight is given by . Here, is defined as
[TABLE]
which means the maximum possible increase of the data queue in a node in a single time slot, including the maximum endogenous increase and exogenous increase . We consider a data transmission task by some link to be important only when the data queue difference between two nodes, , is large enough (larger than ).
The main idea of the algorithm is to optimize the data transmission, (), and key management, (), by minimizing the target function, Eq. (13), subject to Eqs. (7) and (8). In Eq. (13) we can see that the optimization of and can be done separately. Note that the network stability constraint Eq. (9) is automatically satisfied under the Lyapunov drift approaches Eq. (12). The total utility Eq. (4) is not optimized directly, but the optimization result can be arbitrarily close to maximum utility of Eq. (4), which will be discussed in details in Sec. III.4.
Now, we present the main optimization algorithm given in Table 3, inspired by the energy-limited scheduling algorithm [46].
III.4 Analysis of the algorithm and its performance
Here, we explain how the algorithm works and analyze its performance. We make some remarks on the details of the algorithm. First, the key availability constraint given in Eq. (7) is actually redundant, i.e., we can directly optimize Eq. (19) without any constraint and obtain the same key management action. To prove this, we have the following lemma and leave the proof in B
Lemma 1**.**
The data queue and key storage have the following deterministic bounds, ,
[TABLE]
Suppose the optimized key consumption vector obtained by Eq. (19) is . Then we consider a new key consumption vector by setting in to be [math], i.e., the only difference between and is the key consumption in the link . If the constraint Eq. (7) is violated, i.e., , then
[TABLE]
which leads to a contradiction that is not the optimized strategy. The first inequality is obtained by Lemma 1 and is due to the definition of of Eq. (15). Especially, for one-time-pad encryption, we have and we can take .
Second, in steps key management and routing and scheduling, we make an optimization on the destination , i.e., we only consider the destination with the maximum link weight, because
[TABLE]
Therefore, it is optimal to allocate the full rate over the link to any commodity achieving the maximum positive weight. If there are multiple destinations achieving the maximum link weight, we can randomly choose one of them to allocate the full rate.
Third, one can see that the optimized target function in the algorithm is different from the original utility function given in Eq. (4). We want to show that the optimization result of the algorithm can be arbitrary close to the optimal utility , i.e., the performance of the algorithm is given by the following theorem and leave its proof in C.
Theorem 3**.**
The utility optimization result of the algorithm can be arbitrarily close to the optimal utility ,
[TABLE]
where is the average data flow, is a constant, and is an optimal solution for Eq. (4).
Finally, compared to the original algorithm given in [46], we can optimize the key management in Eq. (19) locally for each edge rather than each node. This is a particularly useful feature for practical implementation.
III.5 Simulation
To test our algorithm, we make a simulation of the toy network model given in Fig. 1. Here we consider a simple task where the data are transmitted from Alice to Bob, i.e., for all nodes except Alice’s node. From the network structure in Fig. 1 we can see that . We set the values of other parameters as , , , , , and . These values are just taken for simplicity and we do not consider their units. The utility function is taken as . The optimization of such a utility function is actually also a maximization of data transmission. We simulate the utility of the whole network versus to see convergence behavior when goes larger.
The simulation of the total utility is given in Fig. 3. It turns out that the utility converges quickly to the optimal value of 0.1815, which shows our algorithm is quite efficient. We also show the evolution of the total data queue and key storage in Fig. 4 with . We can observe that the network become stable after . and the data queue grows slowly during , which is because the amount of data queue exceeds the key storage in the previous time period. After the stability of the network, the gap between the key storage and data queue is determined by the parameter settings, which can be optimized and is left for future works. The evolution of the utility is shown in Fig. 5. The drop at the beginning comes from the initialization of the network. The data transimission at the beginning is high since the data and key storage is initialized to be zero, which leads to a high utility. The convergence speed is similar to the original algorithm [46].
In our simulation of the toy model, we choose typical values for the parameters , , , , , and and assume that the key rates in different links are the same, . While in a practical field test we can substitute some real values into the simulation, such as the QKD key rates in each link and the classical channel capacity. We can obtain useful results with the real values, for example, the convergence time of data queue and key storage, the saturation of the data queue and key storage, and the data transmission capacity of the network.
We make comparisons with some other routing protocols in the literature. Some protocols are proposed for different targets in a QKD network. For example, in ref. [56], the authors apply a multi-path routing scheme to maximize the key rate between two remote end-users in a network with both quantum repeaters and trusted nodes. While in ref. [57], the authors consider a routing protocol based on current key storage. It applies a modified Open Shortest Path Fast routing algorithm to minimize the path length between end-users and reduce the key consumption in the meantime. There are also some routing protocols in energy harvesting networks, aiming at optimizing the utility function of the data flow. In [58], the utility optimization has been formulated as a standard convex optimization problem without Lyapunov optimization techniques, however, it requires future knowledge on the energy harvesting that is hardly available. Another protocol based on a convex optimization problem without Lyapunov optimization techniques is proposed in ref. [59], which gives rise to an asymptotic optimal solution. By simulating the simplest network with one source and one destination, it shows a better performance on utility compared with the optimizations based on Lyapunov optimization techniques.
IV Discussion and conclusion
In this work, we propose solutions to two typical and crucial issues in quantum networks, namely security and key management. We tackle the security issue with graph theory and design a communication scheme of the highest security level, where each intermediate node broadcasts the XOR result of all its keys. To optimize the utility of the data. These two problems are closely connected in some special situations. Suppose the key is free and data cannot be stored in each node. Then our optimization problem will reduce to the maximum flow problem in a directed graph. If we further assume the capacities of the classical links are the same, this maximum flow will be proportional to the security level according to the max-flow min-cut theorem.
In this paper, we consider two networks, a classical network for data transmission and a QKD network for key generation. The latter can be naturally extended to an entanglement distribution network in the future, where the key distribution and XOR operation correspond to the Einstein–Podolsky–Rosen (EPR) pair distribution and entanglement swapping. It is interesting to apply the techniques used in this work to an entanglement distribution network.
For future works, one can substitute the data communication requests and key rate of an actual quantum network (such as the Hefei 46-node network) to our simulations and make a field test of our results. One can also consider more complex topological structures and other practical issues such as latency and scalability.
Finally, a trusted node does not need to perform full QKD with users, i.e., the privacy amplification process can be omitted first and raw keys can be directly exchanged [60]. We call such a node an honest but curious node. In this case, the intermediate nodes lie between trusted and untrusted. The security assessment needs more complicated analysis.
Appendix A Derivations of Eq. (13)
By the definition of in Eq. (12), we divide into two parts. The first part comes from the data queue term,
[TABLE]
For the first term in the rhs. of Eq. (24), we want to show that
[TABLE]
Consider an arbitrary term, , there will always be another term in the summation . We can regroup these terms and obtain . Similarly, we can do this for all other terms in the summation and get the rhs. of Eq. (25).
For the second term in the rhs. of Eq. (24), we have
[TABLE]
Similar calculations can be done for the second part of which comes from the key storage term. Finally we can get Eq. (13) by some algebras.
Appendix B Proof of Lemma 1
We prove this lemma with mathematical induction. First we can easily see that the bound holds for , since and .
Then we prove that if , then . According to the dynamics of data queue Eq. (8), we can see that the increase of the data queue comes from two aspects: endogenous data and exogenous data . We consider the following two exclusive cases: first, if there are endogenous data, then they must come from at least one other node, say . From Eq. (16), if there is a data flow from to at time , their data queues at time must satisfy,
[TABLE]
From time slot to , the maximum possible data queue increase of one node is . Then we have ; second, there are no endogenous data, which means there are only exogenous data or there are no data queue increase at all. From Eq. (18), the existence of a valid optimization result requires . From time slot to , the maximum possible exogenous data queue increase is . Then we also have . If there are no data queue increase from to , it is straightforward that .
Finally we prove if , then . We also consider the following two exclusive cases: according to the second step of the algorithm, if , there will be key generation with a maximum key of , then ; if , there will be no key generation and .
Appendix C Proof of Theorem 3
In the algorithm we minimize the following function at time
[TABLE]
and get an optimized set of strategies . Now we consider another function
[TABLE]
We can see that the only difference between Eq. (28) and Eq. (29) is that in Eq. (29) is not introduced. Suppose the optimized strategy to minimize Eq. (29) is . We have the following relation,
[TABLE]
From the first inequality of Eq. (30) we quickly get
[TABLE]
Then we substitute Eq. (31) to Eq. (13),
[TABLE]
where . Since the strategy can take continuous values, we apply the relation given in Theorem 1 of [46] and Claim 1 of [61]. This means the maximization of the total utility in a single time slot will be larger than that in time average,
[TABLE]
Then we sum over Eq. (33) from to ,
[TABLE]
Divide in both sides and use and ,
[TABLE]
where the first inequality is because the utility function is concave. Then we take a as and have
[TABLE]
Acknowledgements.
The authors would like to thank T. Chen, Y. Liu, and S. Yao for enlightening discussions. This work is supported by the National Natural Science Foundation of China Grants No. 11875173 and No. 11674193 and the National Key R&D Program of China Grants No. 2017YFA0303900 and No. 2017YFA0304004.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] C. H. Bennett and G. Brassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing,” in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing . New York: IEEE Press, 1984, pp. 175–179. [Online]. Available: https://doi.org/10.1016/j.tcs.2014.05.025 · doi ↗
- 2[2] A. K. Ekert, “Quantum cryptography based on bell’s theorem,” Phys. Rev. Lett. , vol. 67, pp. 661–663, Aug 1991. [Online]. Available: https://link.aps.org/doi/10.1103/Phys Rev Lett.67.661
- 3[3] H. K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science , vol. 283, no. 5410, p. 2050, 1999. [Online]. Available: http://science.sciencemag.org/content/283/5410/2050
- 4[4] P. W. Shor and J. Preskill, “Simple proof of security of the bb 84 quantum key distribution protocol,” Phys. Rev. Lett. , vol. 85, pp. 441–444, Jul 2000. [Online]. Available: https://link.aps.org/doi/10.1103/Phys Rev Lett.85.441
- 5[5] W.-Y. Hwang, “Quantum key distribution with high loss: Toward global secure communication,” Phys. Rev. Lett. , vol. 91, p. 057901, Aug 2003. [Online]. Available: https://link.aps.org/doi/10.1103/Phys Rev Lett.91.057901
- 6[6] H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. , vol. 94, p. 230504, Jun 2005. [Online]. Available: https://link.aps.org/doi/10.1103/Phys Rev Lett.94.230504
- 7[7] X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. , vol. 94, p. 230503, Jun 2005. [Online]. Available: https://link.aps.org/doi/10.1103/Phys Rev Lett.94.230503
- 8[8] Y. Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, “Experimental quantum key distribution with decoy states,” Phys. Rev. Lett. , vol. 96, p. 070502, Feb 2006. [Online]. Available: http://link.aps.org/doi/10.1103/Phys Rev Lett.96.070502
