BT’s first quantum key distribution network

Professor Andrew Lord

The trial of a commercial quantum-secured metro network has started in London.

The BT network enables customers to send data securely between sites by first sending encryption keys over optical fibre using a technique known as quantum key distribution (QKD).

The attraction of QKD is that any attempt to eavesdrop on or intercept the keys being sent is discernible at the receiver.

The network uses QKD equipment and key management software from Toshiba while the trial also involves EY, the professional services company.

EY is using BT’s network to connect two of its London sites and will showcase the merits of QKD to its customers.

London’s quantum network

BT has been trialling QKD for data security for several years. It had announced a QKD trial in Bristol in the U.K. that uses a point-to-point system linking two businesses.

BT and Toshiba announced last October that they were expanding their QKD work to create a metro network. This is the London network that is now being trialled with customers.

Building a quantum-secure network is a different proposition from creating point-to-point links.

“You can’t build a network with millions of separate point-to-point links,” says Professor Andrew Lord, BT’s head of optical network research. “At some point, you have to do some network efficiency otherwise you just can’t afford to build it.”

BT says quantum security may start with bespoke point-to-point links required by early customers but to scale a secure quantum network, a common pipe is needed to carry all of the traffic for customers using the service. BT’s commercial quantum network, which it claims is a world-first, does just that.

“We’ve got nodes in London, three of them, and we will have quantum services coming into them from different directions,” says Lord.

Not only do the physical resources need to be shared but there are management issues regarding the keys. “How does the key management share out those resources to where they’re needed; potentially even dynamically?” says Lord.

He describes the London metro network as QKD nodes with links between them.

One node connects Canary Wharf, London’s financial district. Another node is in the centre of London for mainstream businesses while the third node is in Slough to serve the data centre community.

“We’re looking at everything really,” says Lord. “But we’d love to engage the data centre side, the financial side – those two are really interesting to us.”

Customers’ requirements will also differ; one might want a quantum-protected Ethernet service while another may only want the network to provide them with keys.

“We have a kind of heterogeneous network that we’re starting to build here, where each customer is likely to be slightly different,” says Lord.

QKD and post-quantum algorithms

QKD uses principles of physics to secure data, but cryptographic techniques based on clever maths are also being developed to keep data secure, even against powerful future quantum computers.

Such quantum-resistant public-key cryptographic techniques are being evaluated and standardised by the US National Institute of Standards and Technology (NIST).

BT says it also plans to use such quantum-resistant techniques, which are part of its security roadmap.

“We need to look at both the NIST algorithms and the key QKD ones,” says Lord. “Both need to be developed and to be understood in a commercial environment.”

Lord points out that the encryption products that will come out of the NIST work are not yet available. BT also has plenty of fibre, he says, which can be used not just for data transmission but also for security.

He also points out that the maths-based techniques will likely become available as freeware. “You could, if you have the skills, implement them yourself completely freely,” says Lord. “So the guys that make crypto kits using these maths techniques, how do they make money?”

Also, can a user be sure that those protocols are secure? “How do you know that there isn’t a backdoor into those algorithms?” says Lord. “There’s always this niggling doubt.”

BT says the post-quantum techniques are valuable and their use does not preclude using QKD.

Satellite QKD

Satellites can also be used for QKD.

Indeed, BT has an agreement with UK start-up Arqit which is developing satellite QKD technology whereby BT has exclusive rights to distribute and market quantum keys in the UK and to UK multinationals.

BT says satellite and fibre will both play a role; the question is how much of each will be used.

“They work well together but the fibre is not going to go across oceans, it’s going to be very difficult to do that,” says Lord. “And satellite does that very well.”

However, satellite QKD will struggle to provide dense coverage.

“If you think of a low earth orbit satellite coming overhead, it’s only gonna be able to lock onto one ground station at a time, and then it’s gone somewhere else around the world,” says Lord. More satellites can be added but that is expensive.

He expects that a small number of satellite-based ground stations will be used to pick up keys at strategic points. Regional key distribution will then be used, based on fibre, with a reach of up to 100km.

“You can see a way in which satellite and fibre solutions come together,” says Lord, the exact balance being determined by economics.

Hollow-core fibre

BT says hollow-core fibre is also attractive for QKD since the hollowness of the optical fibre’s core avoids unwanted interaction between data transmissions and the QKD.

With hollow-core, light carrying regular data doesn’t interact with the quantum light operating at a different wavelength whereas it does for standard fibre that has a solid glass core.

“The glass itself is a mechanism that gets any photons talking to each other and that’s not good,” says Lord. “Particularly, it causes Raman scattering, a nonlinear process in glass, where light, if it’s got enough power, creates a lot of different wavelengths.”

In experiments using standard fibre carrying classical and quantum data, BT has had to turn down the power of the data signal to avoid the Raman effect and ensure the quantum path works.

Classical data generate noise photons that get into the quantum channel and that can’t be avoided. Moreover, filtering doesn’t work because the photons can’t be distinguished. It means the resulting noise stops the QKD system from working.

In contrast, with hollow-core fibre, there is no Raman effect and the classical data signal’s power can be ramped to normal transmission levels.

Another often-cited benefit of hollow-core fibre is its low latency performance. But for QKD that is not an issue: the keys are distributed first and the encryption may happen seconds or even minutes later.

But hollow-core fibre doesn’t just offer low latency, it offers tightly-controlled latency. With standard fibre the latency ‘wiggles around’ a lot due to the temperature of the fibre and pressure. But with a hollow core, such jitter is 20x less and this can be exploited when sending photons.

“As time goes on with the building of quantum networks, timing is going to become increasingly important because you want to know when your photons are due to arrive,” says Lord.

If a photon is expected, the detector can be opened just before its arrival. Detectors are sensitive and the longer they are open, the more likely they are to take in unwanted light.

“Once they’ve taken something in that’s rubbish, you have to reset them and start again,” he says. “And you have to tidy it all up before you can get ready for the next one. This is how these things work.”

The longer that detector can be kept closed, the better it performs when it is opened. It also means a higher key rate becomes possible.

“Ultimately, you’re going to need much better synchronisation and much better predictability in the fibre,” says Lord. “That’s another reason why I like hollow-core fibre for QKD.”

Quantum networks

“People focussed on just trying to build a QKD service, miss the point; that’s not going to be enough in itself,” says Lord. “This is a much longer journey towards building quantum networks.”

BT sees building small-scale QKD networks as the first step towards something much bigger. And it is not just BT. There is the Innovate UK programme in the UK. There are also key European, US and China initiatives.

“All of these big nation-states and continents are heading towards a kind of Stage I, building a QKD link or a QKD network but that will take them to bigger things such as building a quantum network where you are now distributing quantum things.”

This will also include connecting quantum computers.

Lord says different types of quantum computers are emerging and no one yet knows which one is going to win. He believes all will be employed for different kinds of use cases.

“In the future, there will be a broad range of geographically scattered quantum computing resources, as well as classical compute resources,” says Lord. “That is a future internet.”

To connect such quantum computers, quantum information will need to be exchanged between them.

Lord says BT is working with quantum computing experts in the UK to determine what the capabilities of quantum computers are and what they are good at solving. It is classifying quantum computing capabilities into the different categories and matching them with problems BT has.

“In some cases, there’s a good match, in some cases, there isn’t,” says Lord. “So we try to extrapolate from that to say, well, what would our customers want to do with these and it’s a work in progress.”

Lord says it is still early days concerning quantum computing. But he expects quantum resources to sit alongside classical computing with quantum computers being used as required.

“Customers probably won’t use it for very long; maybe buying a few seconds on a quantum computer might be enough for them to run the algorithm that they need,” he says. In effect, quantum computing will eventually be another accelerator alongside classical computing.

“You already can buy time by the second on things like D-Wave Systems’ quantum computers, and you may think, well, how is that useful?” says Lord. “But you can do an awful lot in that time on a quantum computer.”

Lord already spends a third of his working week on quantum.

“It’s such a big growing subject, we need to invest time in it,” says Lord.


ADVA adds quantum-resistant security to its optical systems

ADVA has demonstrated two encryption techniques for optical data transmission to counter the threat posed by quantum computing.  

“Quantum computers are very powerful tools to solve specific classes of mathematical problems,” says Jörg-Peter Elbers, senior vice president, advanced technology at ADVA. “One of these classes of problems is solving equations behind certain cryptographic schemes.”  

 

The use of three key exchange schemes over one infrastructure: classical public-key encryption using the Diffie-Hellman scheme, the quantum-resistant Niederreiter algorithm, and a quantum-key distribution (QKD) scheme. Source: ADVA

Public-key encryption makes use of discrete logarithms, an example of a one-way function. Such functions use mathematical operations that for a conventional computer are easy to calculate in one direction but are too challenging to invert. Solving such complex mathematical problems, however, is exactly what quantum computers excel at. 

A fully-fledged quantum computer does not yet exist but the rapid progress being made in the basic technologies suggests it is only a matter of time. Once such computers exist, public key based security will be undermined. 

The looming advent of quantum computers already threatens data that must remain secure for years to come. There are agencies that specialise in tapping fibre, says Elbers, while the cost of storage is such that storing huge amounts of data traffic in a data centre is affordable. “The threat scenario is certainly a real one,” says Elbers. 

 

Demonstrations

ADVA has demonstrated two techniques, one using quantum-key distribution (QKD) and the other a quantum-resistant algorithm.  

For quantum-key distribution, ADVA’s FSP 3000 platform is being used as part of the UK’s first quantum communication network that includes a metro network for Cambridge that is also linked to BT Labs in Ipswich, 120km away. 

ADVA’s platform enables the exchange of keys between sites used for encoding the data traffic. In the Cambridge metro, a quantum system from Toshiba is used to encode the keys while between Cambridge and BT Labs the equipment used is from ID Quantique.

 


 

For ADVA’s second demonstration, a quantum-resistant encryption algorithm, one invulnerable to quantum computing attacks, is incorporated into its FSP 3000 platform to encrypt 100 gigabit-per-second traffic flows over long-haul distances. ADVA has shown secure transmissions over 2,800km, spanning three European national research and educational networks.

“There is never 100 percent security in one system but you can increase security using multiple independent systems,” says Elbers. “You can use your classical encryption methods in use today and add quantum-key distribution or a quantum-resistant algorithm or use all three over one infrastructure.”  (See diagram, top.) 
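One way to use "all three over one infrastructure" is to feed every exchanged secret into a single key-derivation step, so the payload key stays unknown unless all of the inputs are known. The sketch below is an added illustration, not ADVA's implementation (the page does not say how the keys are combined); it assumes HKDF-SHA256 (RFC 5869), and the source names, context label and sample secrets are constructed.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def combine_keys(secrets_by_source: dict, context: bytes, length: int = 32) -> bytes:
    """Derive one symmetric key (AES-256 sized by default) from several secrets."""
    if not secrets_by_source:
        raise ValueError("at least one key source is required")
    ikm = b""
    for name in sorted(secrets_by_source):          # fixed order on both ends
        secret = secrets_by_source[name]
        if len(secret) < 16:                        # refuse a weak contribution
            raise ValueError(f"{name}: secret shorter than 128 bits")
        label = name.encode()
        # Length-prefix each field so two different input sets can never
        # serialise to the same byte string.
        ikm += len(label).to_bytes(2, "big") + label
        ikm += len(secret).to_bytes(2, "big") + secret
    prk = hkdf_extract(b"\x00" * 32, ikm)
    # The context binds the key to one link and one rekey interval.
    return hkdf_expand(prk, context, length)

def sample_secrets() -> dict:
    """Constructed stand-ins for the three exchanged secrets (not real keys)."""
    return {name: hashlib.sha256(b"constructed-" + name.encode()).digest()
            for name in ("diffie-hellman", "niederreiter", "qkd")}

if __name__ == "__main__":
    # Hypothetical context label: link identifier plus rekey counter.
    print(combine_keys(sample_secrets(), b"link-1|epoch-0001").hex())
```

Changing the context for every rekey interval yields a fresh payload key even when one of the sources has not delivered new material yet.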

 

Quantum key distribution 

Public key cryptography, comprising a public and a private key pair, is an example of an asymmetric key scheme. The public key, as implied by the name, is published with a recipient’s name. Any party wanting to send data securely to the user employs the published public key to scramble the data. Only the recipient, with the associated private key, can decode the sent data. The Diffie-Hellman algorithm is a widely used public key encryption scheme.

With a symmetric scheme, the same key is used at both ends to lock and unlock the data. A well-known symmetric key algorithm is the Advanced Encryption Standard. AES-256, for example, uses a 256-bit key.

Although symmetric schemes are much more efficient than asymmetric algorithms, the issue is getting the secret key to the recipient without it being compromised. The key can be sent manually with armed guards. A more practical approach is to send the key over a secure link using public key cryptography; the asymmetric key exchange scheme protects the transmission of the symmetric key used for the subsequent encryption of the payload.

Quantum computing is a potent threat because it undermines all asymmetric encryption schemes in widespread use today. 

Quantum key distribution, which uses particles of light or photons, is a proposed way to secure the symmetric key’s transfer. Here, single photons are used to transmit a binary signal that is then used to generate the same secret key at both ends.  Should an adversary eavesdrop with a photo-detector and steal the photon, the photon will not arrive at the other end. Should the hacker be more sophisticated and try to measure the photon before sending it on, they are stymied by the laws of physics since measuring a photon changes its parameters.

Given these physical properties of photons, the sender and receiver can jointly detect a potential eavesdropper. If the number of missing or altered photons is too high, the assumption is the link is compromised.
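The detection step can be made concrete with a small simulation. This is an added example, not code from ADVA, Toshiba or BT: the page does not name the protocol, so the sketch assumes a BB84-style scheme with two measurement bases, an ideal lossless channel, and an abort threshold of 11% error rate.

```python
import random

ABORT_QBER = 0.11  # assumed abort threshold; deployed systems set their own

def transmit(n, intercept_fraction, rng):
    """Send n photons; return the sifted (sender_bit, receiver_bit) pairs."""
    sifted = []
    for _ in range(n):
        bit, basis = rng.getrandbits(1), rng.getrandbits(1)  # sender's choices
        s_bit, s_basis = bit, basis                          # photon in flight
        if rng.random() < intercept_fraction:                # photon is measured en route
            tap_basis = rng.getrandbits(1)
            if tap_basis != s_basis:                         # wrong basis: random outcome
                s_bit = rng.getrandbits(1)
            s_basis = tap_basis                              # state is changed by measuring
        rx_basis = rng.getrandbits(1)
        rx_bit = s_bit if rx_basis == s_basis else rng.getrandbits(1)
        if rx_basis == basis:                                # sifting: keep matching bases
            sifted.append((bit, rx_bit))
    return sifted

def estimate_qber(sifted, sample_size, rng):
    """Publicly compare a random sample; return (error rate, unrevealed pairs)."""
    revealed = set(rng.sample(range(len(sifted)), sample_size))
    errors = sum(a != b for i, (a, b) in enumerate(sifted) if i in revealed)
    remaining = [p for i, p in enumerate(sifted) if i not in revealed]
    return errors / sample_size, remaining

def run_link(n=20000, intercept_fraction=0.0, seed=1):
    """Run one key-exchange session and decide whether to keep the key."""
    rng = random.Random(seed)
    sifted = transmit(n, intercept_fraction, rng)
    qber, remaining = estimate_qber(sifted, len(sifted) // 4, rng)
    abort = qber > ABORT_QBER
    return {"sifted": len(sifted), "qber": qber, "abort": abort,
            "key_bits": 0 if abort else len(remaining)}

if __name__ == "__main__":
    for fraction in (0.0, 1.0):
        print(fraction, run_link(intercept_fraction=fraction))
```

On the clean link the sampled error rate is zero and the unrevealed bits become key material; when every photon is measured in transit, about a quarter of the sifted bits disagree and the session is discarded.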

But with quantum key distribution, the distance a photon can travel is a few tens of kilometres only. A photon is inherently low-intensity light. For longer transmission distances, intermediate trusted sites are required to regenerate the key exchange along the way. BT uses two such trusted sites on the link between Cambridge and BT Labs.

ADVA along with Toshiba have been working on an open interface that allows secure quantum key distribution over a dense wavelength division multiplexing (DWDM) link, independent of the systems used. Having an open interface also means operators using different quantum key distribution systems can interoperate and chat, says Elbers.

 


 

One way to enable single-photon streams is to use a dedicated fibre. But to avoid the expense of a separate fibre, ADVA sends the photons over a dedicated channel alongside the data transmission channels that carry much higher intensity light.

“Ideally you want a single quantum but, in practice, you might work with a highly attenuated laser source that emits less than a single quantum on average,” says Elbers. “Everything you have on your co-propagating channels can impact the performance.” ADVA uses optical filtering to ensure the data channels don’t spill over and adversely affect the key’s transfer. 

 

Quantum-resistant algorithms 

The second approach uses maths rather than fundamental physics to make data encryption invulnerable to quantum computing. The result is what is referred to as quantum-resistant techniques.

The US National Institute of Standards and Technology (NIST) is assessing candidate quantum-resistant algorithms with the goal of standardising a suite of protocols by 2024.

The maths behind these schemes is complicated but what unifies them is that none are based on the mathematical problems susceptible to known quantum computing attacks.

ADVA uses the Niederreiter key exchange algorithm, one of NIST’s candidate schemes, for its system. To ensure the highest level of security for high-speed optical transmission, a new symmetric key is sent frequently. The Niederreiter algorithm uses comparatively long key lengths but Elbers points out that with a 100-gigabit payload, the overhead of long keys is minimal. Moreover, ADVA communicates key exchange information in the Optical Transport Network’s (OTN) OTU-4 frame’s overhead field.

Customers are already showing interest in quantum security, says Elbers, and this is one of the reasons why ADVA is active in the UK’s Quantum Communications Hub initiative. “We are showing people that the technology is here, ready for deployment and can be integrated with existing systems,” says Elbers.

Organisations keen to ensure the long-term secrecy of their data need to be considering now what they should be doing to address this, he adds.

