Quantum key distribution in a packet-switched network
Reem Mandil,1,2,∗ Stephen DiAdamo,3,† Bing Qi,1,‡ and Alireza Shabani1
1 Cisco Quantum Lab, Los Angeles, California, USA
2 University of Toronto, Toronto, Canada
3 Cisco Quantum Lab, Garching bei München, Germany
(Dated: February 28, 2023)
Packet switching revolutionized the Internet by allowing the efficient use of network resources for data
transmission. In a previous work, we introduced packet switching in quantum networks as a path to the Quantum
Internet and presented a proof-of-concept for its application to quantum key distribution (QKD). In this paper,
we outline a three-step approach for key rate optimization in a packet-switched network. Our simulated results
show that practical key rates may be achieved in a sixteen-user network with no optical storage capacity. Under
certain network conditions, we may improve the key rate by using an ultra-low-loss fiber delay line to store
packets during network delays. We also find that implementing cut-off storage times in a strategy analogous to
real-time selection in free-space QKD can significantly enhance performance. Our work demonstrates that packet
switching is eminently suitable as a platform for QKD, an important step towards developing large-scale and
integrated quantum networks.
I. INTRODUCTION
Packet-switched communication networks were introduced
as an efficient and scalable alternative to circuit switching
in the early sixties [1, 2]. Today, packet switching is the
dominant mode of operation in the Internet. Recently we
have introduced packet switching as a paradigm for quantum
networks using hybrid (classical-quantum) data frames [3].
Inside a frame, a quantum payload is prepended with a classical
header containing information for routing and more. Frames
travel from sender to receiver through a series of routers which
process the header to determine the channel forward based on
the current conditions of the network (Fig. 1(a)). This is in contrast
to a circuit-switched network where a dedicated channel is
established between sender and receiver and reserved until
communication is complete (Fig. 1(b)).
There are important considerations to be made when
deciding whether packet switching or circuit switching is
best suited for a network application. In a circuit-switched
network, communication across multiple user pairs must be
done in a coordinated fashion in order to enable bandwidth
sharing (e.g., via time or wavelength-division multiplexing).
In a packet-switched network, the communication need not
be coordinated in advance. However, frames will experience
delays at the intermediate nodes between users due to finite
header processing times and, under some traffic conditions,
queuing times. Furthermore, packet switching is generally
advantageous over circuit switching when the traffic generated
by network users is bursty, characterized by intervals of activity
and intervals of inactivity.
∗ reem.mandil@mail.utoronto.ca
† sdiadamo@cisco.com
‡ bingq@cisco.com
FIG. 1. (a) Packet-switched network. The channel between sender
(S) and receiver (R) is not predetermined and can be dynamically
reconfigured. (b) Circuit-switched network. A dedicated channel
between sender and receiver is set up before data is transferred
between them.
One important application in a quantum network is quantum
key distribution (QKD), a procedure that allows two remote
users (e.g., Alice and Bob) to establish shared encryption
keys with information-theoretic security [4, 5]. An important
feature of QKD is that it is robust against loss in transmission,
meaning that a secure key can still be established even when
most of the transmitted signals are lost. This suggests that
data loss due to delays in a packet-switched network may
be tolerated even without any storage of QKD signals at the
routers. Moreover, the optical loss introduced by an imperfect
storage medium may also be tolerated. Another important
feature of QKD is that key generation is not time-critical,
meaning that secure keys need not be generated immediately
before their consumption. This implies that bursty frame
generation may be sufficient since users can establish and
store keys for later use.
These features motivate our hypothesis that packet switching
is eminently suitable as a platform for QKD. One may of
course imagine a scenario where network users prefer access
to a dedicated quantum channel for their key distribution (e.g.,
urgent requests or large size requirement for encryption keys).
Furthermore, most existing demonstrations of multi-user QKD
are conducted over dedicated networks [6–12] where QKD
is the sole task. In this case, it may be beneficial to have a
central controller to coordinate QKD among different user
pairs, in a fashion similar to circuit switching. However, if
we wish to integrate QKD with existing classical networks in
order to extend its applications, packet switching is a natural
choice. Therefore, the goal of this paper is to demonstrate the
feasibility of performing QKD in a packet-switched network.
arXiv:2302.14005v1 [quant-ph] 27 Feb 2023
To meet this goal, we take a three-step approach. First,
we choose a network routing protocol which describes how a
router handles a frame during network delays. In this paper,
we will investigate three different routing protocols based on
varying optical storage capacity. Second, we simulate the
transport of frames in a network operating under a given
routing protocol and traffic model. The simulation provides
us with statistics for the dynamic channel between each Alice-
Bob pair. Lastly, we use the simulated network statistics to
predict the maximum secure key rate for each user pair in the
network by performing a finite-key analysis.
In our previous work [3], we presented a proof-of-concept
for QKD in a packet-switched quantum network,
and considered a basic model for a two-user communication
scenario where the routers had no optical storage
capacity. Packet switching in quantum networks is a relatively
unexplored topic, but has been proposed as a solution for
overcoming scalability issues in previous works [13, 14].
Moreover, Ref. [15] has investigated using leading classical
signals to make routing decisions in a QKD network, although
packet switching is not considered in their approach. In this
work, we analyze a sixteen-user network with and without
optical storage capacity at the routers. We also consider a
finite-size security analysis for a practical decoy-state QKD
protocol. Our results show that QKD is feasible in a packet-
switched network with today’s commercial technology and
that optical storage can be used to improve its performance
under certain conditions.
This paper is organized as follows. In Sec. II, we describe
the routing component of a packet-switched network, including
network delays and the routing protocols considered in this
work. We also present a router hardware design based on
current technology. In Sec. III, we describe the QKD protocol
and key rate analysis under consideration. In Sec. IV, we
describe our software tool for simulating the dynamics of a
packet-switched network. Finally, in Sec. V, we present and
discuss the simulated QKD results.
II. NETWORK ROUTING
In this section, we describe how the routers in a packet-
switched network may handle frames that are intended for a
QKD application. We review the frame structure and outline
the network delays and routing strategies considered.
FIG. 2. (a) The classical header and trailer ($\lambda_C$) and the quantum
payload ($\lambda_Q$) are generated from a laser source and multiplexed
into a hybrid data frame of length $T_f$ using time-division and wavelength-division
multiplexing (not shown to scale). (b) The hybrid frame includes
guard time, $T_g$, a time delay between the end of the header and the
beginning of the payload.
A. Network Delays
The total time a frame needs to move through a router
is the sum of three sources of delay. First, there is the
processing delay, $d_{\mathrm{proc}}$, which is the time to process the
classical header and determine the next action for the frame
as well as regenerate the header when needed. Depending on
the network complexity, this delay can range from 10 µs to
1,000 µs [16]. In this work, we assume a $d_{\mathrm{proc}}$ of 100 µs.
Second, there is the queuing delay, $d_{\mathrm{queue}}$, which is the time
the frame must wait before it can be forwarded from a router
(after the header has been processed). This quantity depends
on the traffic conditions of the network and can range from
zero to infinity. Lastly, there is the transmission delay, $d_{\mathrm{trans}}$,
which is the time required to transmit the entire frame onto an
outgoing link. This is equal to the temporal frame length, $T_f$,
which may shrink at each router it traverses depending on the
routing protocol employed.
B. Routing Protocols
The network routing protocol determines what happens to
a frame during the network delays $d^i_{\mathrm{proc}}$ and $d^i_{\mathrm{queue}}$, where
the superscript $i$ is used to index each router in the frame’s
path from sender to receiver. Fig. 2 depicts a hybrid frame
with a quantum payload consisting of weak laser pulses with
repetition rate $R_t$ (Hz). The frame may be configured to
include a time delay between the end of the header and the
beginning of the payload, referred to as the guard time, $T_g$.
In general, our network routing protocols fall into one of two
categories based on the capacity to store frames at the routers.
For protocols based on no storage, $d^i_{\mathrm{trans}}$ ($= T^i_f$) will shrink
by a duration equal to $d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}}$ at each router the frame
traverses. If $T^i_g = 0$, this corresponds to the discarding of
$R_t (d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}})$ pulses in the leading portion of the payload
(note that we consider the lengths of the classical header and
trailer to be negligible compared to the quantum payload). If
$T^i_g > 0$, then it will serve as a buffer to reduce the number
of pulses that are lost (i.e., if $T^i_g > d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}}$, then no
pulses are discarded as the frame shrinks but $T^i_g$ will decrease
accordingly). Note that in each routing protocol we consider,
the guard time is not reset at each router. This alternative
approach may be useful for a quantum network application in
which the payload carries information that should not be lost.
For protocols based on storage, the frame will enter a fiber
delay line for a storage time $T^i_s \leq d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}}$. During $T^i_s$,
no pulses are discarded from the payload, but they will be
subject to the attenuation of the fiber delay line. If $T^i_g > 0$,
then it will again serve as a buffer to reduce $T^i_s$ (i.e., if
$T^i_g > d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}}$, then $T^i_s = 0$ but $T^i_g$ will decrease accordingly).
Note that the header may be configured to include a field that
tracks the cumulative time spent in storage as a frame traverses
the network. In this work, we investigate the following three
routing protocols.
1. No storage during delays. At each router, a frame will
have its payload discarded for a time $d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}}$ and
$d^i_{\mathrm{trans}}$ will shrink by the same amount. If $d^i_{\mathrm{trans}}$ reaches
zero, then the frame is discarded from the network.
2. Storage during delays (unlimited). At each router, a
frame will enter a fiber delay line for a storage time
$T^i_s = \max(0, d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}} - T^i_g)$ and $d^i_{\mathrm{trans}}$ will shrink
by $\min(T^i_g, d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}})$.
3. Storage during delays (limited). At each router, a
frame will enter a fiber delay line for a storage time
$T^i_s = \max(0, d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}} - T^i_g)$ and $d^i_{\mathrm{trans}}$ will
shrink by $\min(T^i_g, d^i_{\mathrm{proc}} + d^i_{\mathrm{queue}})$. If the total time
a frame has spent in storage reaches a predetermined
storage time limit, the frame is immediately discarded
from the network.
In the no storage routing protocol, network delays introduce
a controlled photon loss as a portion of the payload is discarded.
In the storage routing protocols, network delays introduce
random photon loss in the payload due to the attenuation of
the fiber delay line. The regime in which one strategy may
dominate over the other therefore depends on factors such as
the frame length, the network delays, and the attenuation of
the storage line. A more detailed motivation for the two types
of routing protocols is provided in Appendix A.
To motivate the limited storage routing protocol, we make
the observation that the dynamic channel conditions in a packet-
switched network are analogous to those in free-space QKD
under turbulent conditions. In such scenarios, it has been
shown that the key rate can be improved by rejecting key bits
when the channel’s transmittance is below a threshold [17–19].
In our case, since the routing history is recorded in the
classical header, we can discard frames en-route, which has
the additional benefit of reducing network congestion. Another
option, more analogous to the technique used in free-space
QKD, is to allow all frames to reach the receiver end via the
unlimited storage routing protocol, but enforce a storage time
limit (STL) in post-processing. That is, frames for which
$\sum_i T^i_s > \mathrm{STL}$
will be excluded from key generation. In this
work, we compare both options for implementing a cut-off
channel transmittance.
C. Router Hardware
A conceptual router design is shown in Fig. 3. This router
behaves as a quantum version of a reconfigurable optical
add drop multiplexer (ROADM). Frames may arrive at the
router from three different directions (North, East, West) after
which a wavelength-division multiplexer is used to separate
the quantum payload from the classical header and trailer. The
header is fed into a control unit to decide how to further process
the frame. Once the header has been processed, the frame will
be forwarded towards the next node in the network (i.e., to
another router via the East or West degree, or to a receiver via
an Output channel). The control unit will regenerate the header
with updated fields for the quantum payload duration, guard
time, and time spent in storage prior to transmitting the frame
to the next node.
We assume the control unit is capable of processing up to
$k$ headers simultaneously and that the router has access to
$q$ variable optical fiber delay lines via its Add/Drop channels.
To achieve an arbitrary delay, each fiber delay line can be
combined with an active optical switch (not illustrated in
figure). The router can also discard frames or partially discard
the quantum payload via its Drop channels. The use of
these channels depends on the network routing protocol being
implemented.
We also assume the router to have a minimum insertion loss
of 4 dB, which accounts for the circulators, multiplexers, and
optical switch fabric (excludes the fiber delay lines). Therefore
the total loss (dB) at each router is given by
$$\mathrm{loss}^i_r = T^i_s v_g \alpha_s + 4~\mathrm{dB}, \tag{1}$$
where $v_g$ is the speed of light in fiber and $\alpha_s$ is the attenuation
coefficient (dB/km) of the fiber storage line. Furthermore, we
assume the router may compensate the polarization drift of all
incoming channels by using a feedback signal generated from
the measured drift of the classical pulses in the header.
Lastly, we note that this router design is directly suitable
for the network configuration in Fig. 4 although additional
input fibers and ROADM degrees may be added to the router
depending on the desired connectivity of the network. We also
consider hardware that is directly suitable for the hybrid frame
in Fig. 2 although the hardware can be modified according to
the multiplexing scheme employed for the frame.
FIG. 3. Hardware design of a router in a packet-switched network. A frame arrives at the router from the North, East, or West degree. Channels
in the North degree are directly connected to senders. The links in the East and West degrees consist of a fiber directly connected to another
router; a circulator is used to allow for bidirectional transmission. A frame passes through a wavelength-division multiplexer to separate the
classical and quantum information. The classical information is processed in the control unit, which signals to the optical switch fabric where to
route the frame (i.e., to another router via the East or West degree, or to a receiver via an Output channel) and regenerates the header prior to
transmitting the frame. Add/Drop channels are used to access variable optical fiber delay lines. Drop channels are used for discarding pulses or
entire frames. PD: photodiode; PBS: polarizing beam splitter; EPC: electronic polarization controller.
III. QKD SECURITY ANALYSIS
Practical implementations of QKD adopt the decoy-state
method [20–23] to allow for use of a weak pulsed laser source
instead of an ideal single-photon source. In this work, we
consider a decoy-state asymmetric coding BB84 protocol [24]
and we adopt the finite-size security analysis in Ref. [25] to
calculate the secure key rate. In this section, we provide a brief
summary of the QKD protocol and then describe our strategy
for key rate optimization in a packet-switched network.
A. Protocol Description
1. Preparation. Alice chooses a bit value $b_A$ uniformly at
random. Then, she selects a basis $\in \{X, Z\}$ with probabilities
$q_x$ and $1 - q_x$, respectively, and an intensity
$k_i \in K := \{\mu_1, \mu_2, \mu_3\}$ with probabilities $p_{\mu_1}$, $p_{\mu_2}$, and
$p_{\mu_3} = 1 - p_{\mu_1} - p_{\mu_2}$, respectively. If Alice chooses the $X$ basis, she prepares
a weak laser pulse of the chosen intensity in the horizontal
polarization state $|H\rangle$ for the bit value $b_A = 0$ or vertical state
$|V\rangle$ for the bit value $b_A = 1$. If the $Z$ basis is chosen, she
prepares the diagonal (45-degrees) polarization state $|D\rangle$ for
the bit value $b_A = 0$ or antidiagonal (135-degrees) state $|A\rangle$
for the bit value $b_A = 1$. Lastly, she sends her prepared state
to Bob.
2. Measurement. Bob selects a basis $\in \{X, Z\}$ with
probabilities $q_x$ and $1 - q_x$, respectively. Then, he performs a
measurement in the chosen basis and records the outcome in a
bit value $b_B$. More precisely, he assigns $b_B = 0$ for a click in
single-photon detector $D_0$ and $b_B = 1$ for a click in detector
$D_1$. If both detectors click, he assigns a random value to $b_B$.
If neither detector clicks, he does not assign any value.
3. Basis reconciliation. Alice and Bob announce their basis
and intensity choices over an authenticated public channel.
Based on the information announced, Alice and Bob identify
their raw keys $b_A$ and $b_B$ from the instances where they both
chose basis $X$ and Bob observed a detection event. Note that
all intensity levels are used for the key generation [25]. They
use the instances where they both chose basis $Z$ and Bob
observed a detection event for phase error estimation.
4. Post-processing. Alice and Bob perform classical error
correction and privacy amplification on their raw key pair to
extract a secure key.
B. Key Rate Optimization
A convenient feature of QKD security proofs is that
the quantum channel between users is assumed to be fully
controlled by an adversary and thus we do not need to develop
a new security proof for QKD in a packet-switched network.
One may ask whether we need to trust the routers which
control the discarding of pulses and frames. If a security
proof allows for the adversary to fully control Bob’s post-selection
process, as is the case for the proof adopted in
this work, then we need not trust the routers. Nonetheless,
packet switching poses a unique challenge to QKD due to the
dynamic nature of the quantum channel between users. In order
to maximize the secure key rate in the decoy-state protocol
described above, we must optimize over the free parameters
$\{q_x, p_{\mu_1}, p_{\mu_2}, \mu_1, \mu_2\}$ [25] which requires knowledge of the
average channel transmittance, $\langle \eta_{\mathrm{tot}} \rangle$, where the average is
taken over all frames contributing to the key. Furthermore, in
order to conduct a finite-size analysis, we must determine the
total number of QKD states, $N$, passed to Bob. Depending
on the network routing protocol employed, this may not be
equivalent to the number of states transmitted by Alice, $N_0$,
due to discarding at the routers. Therefore, in order to predict
the maximum secure key rates from QKD in a packet-switched
network, we need a tool for assessing $\langle \eta_{\mathrm{tot}} \rangle$ and $N$ for each
user pair. One may consider an analytic approach to gathering
these statistics, however this quickly becomes infeasible for
increased complexity of the network. The theory of Jackson
networks [26] allows us to calculate the average queuing delay
at each router quite simply, but only if the network obeys a
specific traffic model. Instead, we build a network simulation
tool to numerically determine the channel statistics. Details of
the key rate analysis, including noise and detection parameters,
are given in Appendix B.
IV. NETWORK SIMULATION
In this section, we first provide a high-level description for
the sequence of events that occur as a frame travels from sender
to receiver in a packet-switched network and then describe our
software tool for simulating these events in order to extract the
dynamic channel statistics.
We model the arrival of frames into the network as follows.
Each sender is allowed to transmit frames one at a time,
following an exponentially distributed inter-arrival time with
average $1/\gamma$. Note that all senders can be active simultaneously.
We assume a repetition rate $R_t = 1$ GHz for the signals in the
quantum payload. The destination for each frame is assigned
randomly from the list of all receivers in the network.
A frame travels from a sender towards its default router
(i.e., the router to which the sender is directly connected). The
default router and all subsequent routers a frame encounters
will forward the frame according to the path determined by
the routing algorithm for the network. The routing algorithm
calculates the least-cost path from sender to receiver, where
the cost of a path is the sum of the link costs along the path.
In this work, we consider a load-insensitive routing algorithm,
meaning the cost of each link in the network does not reflect
its level of congestion and is determined solely by its physical
length. Therefore, the least-cost path is simply the shortest
path. Note that in the case of multiple least-cost paths, the
router will select one at random. In general, the shortest path
may not have the highest expected transmittance, depending
on the number of routers it contains. In this case, the cost of
the path may be modified to include router loss, although this
scenario is not applicable in this work.
A frame can be forwarded from a router only if there are
fewer than $c$ frames simultaneously being forwarded from the
router and there are no frames preceding it in the queue (we
refer to $c$ as the number of servers for the queue); otherwise,
the frame must join the queue. A frame may join the queue
only if there are fewer than $q$ frames already in the queue (we
refer to $q$ as the capacity of the queue); otherwise, the frame
will be discarded. Frames will be forwarded from the queue
according to a first-come first-served discipline.
In order to simulate these events in a network, we developed
a software tool based on a simulation method known as
discrete-event simulation (DES) [27]. We build on the DES
Python package SimPy [28] for the timing and resource
management aspects of the network. For the network
configuration, including path calculations and topology
initialization, we use the Python package NetworkX [29].
The first step in using our simulation is to configure a
topology of nodes (i.e., users and routers) and links (i.e.,
connections between nodes). Each node is able to generate
frames as well as process any incoming frames. If the node is
a sender, frames at the node do not undergo header processing
and the frame need only wait to be sent into the network
according to the frame arrival model. If the node is a router
or a receiver, frames at the node will undergo a processing
delay. In our simulation, routers can process k1 headers
simultaneously. In general, if $k$ is small, the frames may
experience a queuing delay prior to header processing. In
our simulation, the queue in each router has $c = 1$ server and
unlimited storage capacity ($q \to \infty$). The actions on the frame
during the processing and queuing delays will depend on the
network routing protocol, as outlined in Sec. II B.
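The queue model described above ($c = 1$ server, unlimited queue, first-come first-served, exponential inter-arrival times) can be exercised with a few lines of standard-library Python. The sketch below is an added example, not the authors' SimPy/NetworkX tool. It assumes that several senders merge into one Poisson stream competing for a single outgoing link, zero guard time, and hypothetical function and parameter names.

```python
import random

D_PROC = 100.0   # us, header processing delay assumed in Sec. II A
R_T = 1000.0     # pulses/us, i.e. the 1 GHz repetition rate


def simulate_router(mean_interarrival, t_f0, senders=4, n_frames=2000,
                    storage=False, seed=7):
    """One router output link: c = 1 server, unlimited queue, first-come first-served.

    Assumptions of this sketch (not from the paper): the `senders` streams are
    merged into one Poisson stream, guard time is zero, and every frame wants
    the same outgoing link. Times are in microseconds.
    """
    rng = random.Random(seed)
    rate = senders / mean_interarrival      # merged arrival rate (frames/us)
    now = 0.0                               # arrival time of the current header
    free_at = 0.0                           # time at which the link becomes idle
    total_wait = 0.0
    total_pulses = 0.0
    dropped = 0
    for _ in range(n_frames):
        now += rng.expovariate(rate)
        ready = now + D_PROC                # header has been processed
        start = max(ready, free_at)         # FCFS: wait until the link is idle
        d_queue = start - ready
        total_wait += d_queue
        if storage:
            t_f = t_f0                      # payload waits in the delay line, T_s = d_proc + d_queue
        else:
            t_f = t_f0 - D_PROC - d_queue   # leading pulses are discarded during the delays
        if t_f <= 0:
            dropped += 1                    # d_trans reached zero: frame leaves the network
            continue
        total_pulses += R_T * t_f
        free_at = start + t_f               # the link is busy for d_trans = T_f
    return {
        "mean_d_queue": total_wait / n_frames,
        "mean_pulses": total_pulses / n_frames,
        "dropped": dropped,
    }


def load_sweep(t_f0=2000.0):
    """No-storage statistics for three constructed values of 1/gamma (us)."""
    return {g: simulate_router(g, t_f0) for g in (10_000.0, 20_000.0, 30_000.0)}


if __name__ == "__main__":
    for inv_gamma, stats in load_sweep().items():
        print(f"1/gamma = {inv_gamma:7.0f} us  "
              f"mean d_queue = {stats['mean_d_queue']:7.1f} us  "
              f"mean pulses/frame = {stats['mean_pulses']:.3g}  "
              f"dropped = {stats['dropped']}")
```

Because the no-storage protocol shortens each frame by its own waiting time, the link is released sooner than under storage, so the same arrivals produce a shorter queue.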
Each frame in the network holds attributes (corresponding to
header fields) for the storage time limit, how long it has spent
in storage, the temporal frame length, the guard time, the path
it has travelled, and its status (in transit, arrived, or discarded).
We can simulate the network dynamics for a specified duration
and collect data on the number of routed QKD signals, $N$, as
well as the path they have travelled, i.e., the number of routers
traversed and the average total time spent in storage, $\langle \sum_i T^i_s \rangle$.
Note that signals from different frames will have a different
total storage time, and so we take an average over all frames.
We may then determine the average channel transmittance for
each user-pairing,
$$\langle \eta_{\mathrm{tot}} \rangle = 10^{(-\alpha L - \langle \sum_i \mathrm{loss}^i_r \rangle)/10}, \tag{2}$$
where $\alpha$ is the attenuation coefficient (dB/km) of the network
links, $L$ is the distance between sender and receiver, and
$\langle \sum_i \mathrm{loss}^i_r \rangle$ is the average loss over all routers in the channel,
found by Eq. 1.
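The three routing protocols of Sec. II B, the router loss of Eq. (1) and the average transmittance of Eq. (2) fit together as in the following added example, which is not the authors' simulation code. It assumes $v_g = 0.2$ km/µs (the page gives no value), ignores the processing delay at the receiver, and uses hypothetical names and constructed per-router delays for a two-router path of Fig. 4.

```python
from dataclasses import dataclass

V_G = 0.2           # km/us: assumed speed of light in fiber (~2e8 m/s), not given on the page
R_T = 1000.0        # pulses/us, the 1 GHz repetition rate of Sec. IV
INSERTION_DB = 4.0  # minimum router insertion loss in Eq. (1)


@dataclass
class Frame:
    t_f: float                    # temporal frame length T_f (us), guard time included
    t_g: float = 0.0              # remaining guard time T_g (us)
    stored: float = 0.0           # cumulative storage time, sum_i T_s^i (us)
    router_loss_db: float = 0.0   # sum_i loss_r^i (dB)
    status: str = "in transit"

    @property
    def pulses(self):
        # Header and trailer are neglected, so the payload lasts T_f - T_g.
        return R_T * max(0.0, self.t_f - self.t_g)


def route(frame, delay, protocol, alpha_s=0.16, stl=None):
    """Apply one router's delay d_proc + d_queue (us) under the given protocol."""
    if frame.status != "in transit":
        return frame
    guard_used = min(frame.t_g, delay)
    if protocol == "no_storage":
        t_s = 0.0
        frame.t_f -= delay                  # leading pulses are lost once the guard is spent
    elif protocol in ("unlimited", "limited"):
        t_s = max(0.0, delay - frame.t_g)   # T_s^i = max(0, d_proc + d_queue - T_g)
        frame.t_f -= guard_used             # shrink by min(T_g, d_proc + d_queue)
    else:
        raise ValueError(f"unknown protocol: {protocol}")
    frame.t_g -= guard_used
    frame.stored += t_s
    frame.router_loss_db += t_s * V_G * alpha_s + INSERTION_DB   # Eq. (1)
    over_limit = protocol == "limited" and stl is not None and frame.stored >= stl
    if frame.t_f <= 0 or over_limit:
        frame.status = "discarded"
    return frame


def send(t_f, t_g, delays, protocol, **kwargs):
    """Carry one frame through the routers on its path and return it."""
    frame = Frame(t_f, t_g)
    for delay in delays:
        route(frame, delay, protocol, **kwargs)
    if frame.status == "in transit":
        frame.status = "arrived"
    return frame


def post_select(frames, stl):
    """Receiver-side cut-off: exclude frames with sum_i T_s^i > STL."""
    return [f for f in frames if f.status == "arrived" and f.stored <= stl]


def channel_stats(frames, alpha=0.2, length_km=30.0):
    """Return (N, <eta_tot>) over arrived frames, with <eta_tot> from Eq. (2)."""
    arrived = [f for f in frames if f.status == "arrived"]
    if not arrived:
        return 0.0, 0.0
    n = sum(f.pulses for f in arrived)
    mean_loss = sum(f.router_loss_db for f in arrived) / len(arrived)
    return n, 10 ** (-(alpha * length_km + mean_loss) / 10)


# Constructed per-router delays d_proc + d_queue (us) for three frames on a
# two-router path of Fig. 4 (5 km + 20 km + 5 km of 0.2 dB/km fiber).
DELAYS = [(100, 100), (100, 350), (400, 600)]


def compare(t_f=2000.0, t_g=0.0, stl=500.0):
    """Run the same frames through each protocol and return {name: (N, <eta_tot>)}."""
    runs = {
        "no_storage": [send(t_f, t_g, d, "no_storage") for d in DELAYS],
        "unlimited": [send(t_f, t_g, d, "unlimited") for d in DELAYS],
        "limited": [send(t_f, t_g, d, "limited", stl=stl) for d in DELAYS],
    }
    stats = {name: channel_stats(frames) for name, frames in runs.items()}
    stats["unlimited+post_select"] = channel_stats(post_select(runs["unlimited"], stl))
    return stats


if __name__ == "__main__":
    for name, (n, eta) in compare().items():
        print(f"{name:22s} N = {n:.3g} pulses, <eta_tot> = {eta:.3e}")
```

On these constructed delays both ways of applying the storage time limit keep the same two frames; the en-route variant additionally removes the third frame from the network at the second router.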
The simulated $N$ and $\langle \eta_{\mathrm{tot}} \rangle$ may then be used by senders
in the network to optimize their decoy-state parameters. Note
that the network statistics correspond to a particular network
configuration; namely, the topology, number of users, frame
inter-arrival time, and routing protocol. Thus, these parameters
must be known and fixed prior to a QKD session in order for
user pairs to have accurate knowledge of their transmittance
statistics. This is feasible in practice. For example, the network
can employ traffic shaping [30] to ensure that frames from each
sender arrive one at a time with inter-arrival times following
the intended distribution. The remaining parameters typically
do not change very frequently and their status can be updated
as needed to all network users.
V. RESULTS AND DISCUSSION
In order to demonstrate the feasibility of performing QKD
in a packet-switched network, we analyze the network shown
in Fig. 4. We choose this topology as it combines properties
of star, ring, and dumbbell networks. We emphasize, however,
that our approach may be used to test an arbitrary network
configuration. In our simulated network, sixteen users are
connected through four routers by standard single-mode fiber.
In practice, each user can operate as a sender or a receiver,
but we assume that users do not operate in both modes
simultaneously. Thus, half of the users are designated as
senders (“Alices”) and half as receivers (“Bobs”). In this
section, we present the secure key rates per sent pulse for
Alice-Bob pairs separated by one, two, and three routers. We
test each of the three routing protocols outlined in Sec. II B.
FIG. 4. Sixteen-user network for simulation. Each of the four routers
is connected to two Alices and two Bobs. The links are assumed to
be standard single-mode optical fiber (0.2 dB/km) spanning 20 km
between routers and 5 km between each user and their default router.
A. No Storage During Delays
In Fig. 5, we show the key rate performance in a network
with no storage during delays. We fix the number of frames
sent between each user pair and examine the effects of the
average frame inter-arrival time $1/\gamma$, the initial frame length
$T^0_f$, and the initial guard time $T^0_g$. In this routing protocol,
these parameters affect the data size, $N$, for key generation.
The top and bottom rows contain the results for zero and non-zero
guard times, respectively. The columns from left to right
show the results for a user pair separated by one, two, and three
routers.
We interpret these results as follows. Firstly, the secure key
rate is expected to decrease with higher channel loss. Therefore,
we observe the highest key rates for A31 and B32 and the lowest
for A22 and B31. We note that due to the symmetry of the
network configuration, there are negligible differences between
the results of different user pairs with the same separation. For
small values of $1/\gamma$, higher network traffic results in larger
$d_{\mathrm{queue}}$ leading to more pulses being discarded and thus smaller
$N$. As a result, we observe a decrease in the key rate as $1/\gamma$
decreases. In Figs. 5(a)-5(c), we observe the effect of $T^0_f$. As
this parameter increases, more pulses are generated. However,
longer frames have a larger $d_{\mathrm{trans}}$ which increases the time
for which the server is occupied at each router and therefore
increases $d_{\mathrm{queue}}$. Thus we expect the upwards trend in the key
rate to eventually stop, as is observed in Fig. 5(c). In Figs. 5(d)-5(f),
we observe the effect of $T^0_g$ for a fixed $T^0_f$. A larger
guard time means fewer pulses are discarded during delays but
smaller payloads are generated. Due to this effect, we see a
rise then fall in the key rate as $T^0_g$ increases. Furthermore, for
a given $T^0_f$, a non-zero guard time is shown to slightly enhance
the key rate. Ultimately, these results suggest that QKD can
succeed in a packet-switched network even without any optical
storage capacity at the routers.
B. Storage During Delays (Unlimited)
In Fig. 6, we show the key rate performance in a network
with storage during delays, where frames have no storage
time limit. We fix the number of frames sent between each
user pair and examine the effect of the attenuation coefficient,
$\alpha_s$, for the fiber delay lines used as storage at the routers
which will determine $\langle \eta_{\mathrm{tot}} \rangle$ for the QKD channel. The top
and bottom rows consider scenarios of long and short frame
lengths, respectively, where the ratio of frame length to $1/\gamma$ is
fixed in each such that the average network traffic is the same.
The left and right columns consider zero and non-zero guard
times, respectively. For each user pair, we compare the results
of this routing protocol to the no storage routing protocol under
the same network parameters.
We interpret these results as follows. Firstly, the secure
key rate decreases exponentially with $\alpha_s$, as expected. A
non-zero guard time is again shown to enhance the key rate
since it reduces the storage time of each payload, which
increases $\langle\eta_\text{tot}\rangle$. Guard time also reduces
$d_\text{queue}$ since it shrinks $d_\text{trans}$ at each router. The
enhancement is more pronounced in the long frames scenario since the
guard time is $d_\text{proc}$ in this case. We observe that the short
frames scenario is generally more robust to increasing $\alpha_s$, which
can be attributed to smaller storage times due to a smaller $d_\text{trans}$.
[Figure 5: panels (a)-(f). Rows: No Guard Time (a)-(c), Guard Time (d)-(f).
Columns: One Router, Two Routers, Three Routers. Axes: $1/\gamma$ (µs),
$T_f^0$ (µs) in (a)-(c) or $T_g^0$ (µs) in (d)-(f), Key Rate (bits/pulse).]
FIG. 5. Secure key rates in a network with no storage during delays. A total of 18,750 frames are generated by Alice in each user pair. The finite
data size is $N \approx 10^{12}$. In plots (a)-(c), we fix the initial guard time, $T_g^0 = 0$, and vary the initial frame length, $T_f^0$, and average frame inter-arrival
time, $1/\gamma$. In plots (d)-(f), we fix $T_f^0$ = 2,000 µs and vary $T_g^0$ and $1/\gamma$. Columns (left to right) are for user pairs A31 and B32, A42 and B22,
and A22 and B31 of Fig. 4. Color map changes from white to purple as the key rate increases.
The distributions of the storage time in the long and short
frames scenarios are shown in Fig. 8 for the case of zero guard
time. In Figs. 6(a) and 6(b), we observe that the no storage
routing protocol is generally superior when $\alpha_s > 0.01$ dB/km.
We note that while attenuation coefficients as low as 0.14
dB/km have been achieved over telecom wavelengths using
state-of-the-art technology [31], it is unrealistic to consider
an attenuation much smaller than this. For a more efficient
storage medium, we require long-lived quantum memories.
In Figs. 6(c) and 6(d), we do not extract any secure keys
with the no storage routing protocol except in the case of
one router separating users. This can be explained since the
frame length is on the order of $d_\text{proc}$, so there are zero to few
non-discarded pulses from each payload. Our results suggest
that, for short frames, storage during network delays is a better
strategy than discarding pulses. The opposite holds true for
frame lengths $d_\text{proc}$ when we consider realistic fibers as our
storage medium. This finding is important since frame lengths
in a packet-switched network may have practical constraints.
As mentioned previously, we may enforce a STL in post-processing,
analogous to applying a cut-off $\langle\eta_\text{tot}\rangle$, in order to
improve the key rate. Fig. 7 shows the results for the same
parameters as in Fig. 6, but with frames excluded from key
generation if their storage time reached the STL. We consider
an ultra-low-loss fiber with $\alpha_s = 0.16$ dB/km as our storage
medium and examine the effect of the STL duration. It is clear
that implementing a STL enhances the key rate in each scenario
considered, and most significantly for frame lengths $d_\text{proc}$.
In Fig. 7(a), the optimal STL for users separated by one, two,
and three routers is 200 µs, 300 µs, and 400 µs, respectively.
From Fig. 8(a), we see that these STLs preserve 82%, 70%,
and 58% of frames across the user pairs. In Fig. 7(b), the
optimal STL is roughly 150 µs for all user pairs and the key
rates approach those of the no storage routing protocol.
[Figure 6: panels (a)-(d). Rows: Long Frames (a)-(b), Short Frames (c)-(d).
Columns: No Guard Time, Guard Time. Axes: Attenuation (dB/km), Key Rate
(bits/pulse). Legend: 1 Router, 2 Routers, 3 Routers, No Storage.]
FIG. 6. Secure key rates in a network with storage during delays (unlimited). In each plot, we fix the network parameters and vary the
attenuation of the fiber storage lines. A total of 37,500 frames are generated by Alice in each user pair. The finite data size is $N \approx 10^{12}$. Unless
displayed, the no storage routing protocol fails to produce a secure key. (a) $T_g^0 = 0$, $1/\gamma$ = 30,000 µs, $T_f^0$ = 2,000 µs. (b) $T_g^0$ = 800 µs,
$1/\gamma$ = 30,000 µs, $T_f^0$ = 2,000 µs. (c) $T_g^0 = 0$, $1/\gamma$ = 3,000 µs, $T_f^0$ = 200 µs. (d) $T_g^0$ = 80 µs, $1/\gamma$ = 3,000 µs, $T_f^0$ = 200 µs.
C. Storage During Delays (Limited)
In Fig. 9, we show the key rate performance in a network
with storage during delays, where frames have a storage
time limit. Once again, we fix the number of frames sent
between each user pair and consider $\alpha_s = 0.16$ dB/km.
We examine the effect of the STL duration under various
network parameters and in each case we compare the results
with the unlimited storage routing protocol where a STL is
implemented in post-processing. Note that for the network
parameters in the previous subsection, the two methods for
implementing a cut-off transmittance produce very similar
results. Here we show scenarios in which discarding frames
en-route provides a significant advantage due to its mitigation
of network congestion.
VI. OUTLOOK AND CONCLUSIONS
In this work, we have developed a framework for key rate
optimization in a packet-switched network and assessed QKD
performance in relation to several network parameters such
as frame length, guard time, frame inter-arrival time, and
storage efficiency. Notably, we found that practical secure
key rates can be achieved without any optical storage capacity
in the network and that guard time can generally be used to
mitigate the effects of network delays. We also found that the
transmittance threshold strategy used in free-space QKD can be
applied in a packet-switched network to significantly enhance
the key rate by limiting the permissible storage time of frames.
We believe our results pave the way for future exploration of
quantum applications in a packet-switched network.
Future areas of investigation may include examining more
complex network topologies and perhaps a topology deployed
in the field. Given that our simulation tool can accommodate
arbitrary network configurations, hardware specifications, and
traffic models, it can be used to establish a performance
benchmark for real-world systems. The simulation tool, which
we aim to make publicly available in the near future, can also be
extended to examine the performance of other quantum communication
tasks besides QKD such as entanglement distribution.
An interesting question to address is how QKD in a packet-
switched network compares to a circuit-switched network.
While we have a general idea of when packet switching
outperforms circuit switching based on classical networks,
determining specific conditions for this advantage in a quantum
network may be useful. Lastly, future work may consider the
security of QKD protocols other than BB84, such as protocols
where all signals sent by Alice are required to be measured by
Bob. Such protocols may require us to re-evaluate the security
at the routers in a packet-switched network.
[Figure 7: panels (a)-(d). Rows: Long Frames (a)-(b), Short Frames (c)-(d).
Columns: No Guard Time, Guard Time. Axes: Storage Time Limit (µs), Key Rate
(bits/pulse). Legend: 1 Router, 2 Routers, 3 Routers, No Storage.]
FIG. 7. Secure key rates in a network with storage during delays (unlimited) and STL implemented in post-processing. In each plot, we fix the
network parameters and vary the STL duration. The attenuation of the fiber storage lines is fixed at 0.16 dB/km. The network parameters are
identical to Fig. 6.
[1] L. Kleinrock. Information Flow in Large Communication Nets.
Ph.D. Thesis Proposal, Massachusetts Institute of Technology,
1961.
[2] Paul Baran. On Distributed Communications: I. Introduction
to Distributed Communications Networks. RAND Corporation,
Santa Monica, CA, 1964.
[3] Stephen DiAdamo, Bing Qi, Glen Miller, Ramana Kompella,
and Alireza Shabani. Packet switching in quantum networks: A
path to the quantum Internet. Phys. Rev. Research, 4:043064,
2022.
[4] C.H. Bennett and G. Brassard. Quantum cryptography: public
key distribution and coin tossing. Proc. IEEE Int. Conf. Comp.
Systems Signal Processing, pages 175–179, 1984.
[5] Artur K. Ekert. Quantum cryptography based on Bell’s theorem.
Phys. Rev. Lett., 67:661–663, 1991.
[6] Paul D. Townsend. Quantum cryptography on multiuser optical
fibre networks. Nature, 385(6611):47–49, 1997.
[7] Elliott, C., Colvin, A., Pearson, D., Pikalo, O., et al. Current
status of the DARPA quantum network. Proc. SPIE 5815,
Quantum Information and Computation III (2005).
[8] M Peev, C Pacher, R Alléaume, C Barreiro, et al. The SECOQC
quantum key distribution network in Vienna. New Journal of
Physics, 11(7):075001, 2009.
[9] M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, et al. Field test
of quantum key distribution in the Tokyo QKD Network. Opt.
Express, 19(11):10387–10409, 2011.
[10] Bernd Fröhlich, James F. Dynes, Marco Lucamarini, Andrew W.
Sharpe, et al. A quantum access network. Nature, 501(7465):69–72,
2013.
[11] Yan-Lin Tang, Hua-Lei Yin, Qi Zhao, Hui Liu, et al.
Measurement-Device-Independent Quantum Key Distribution
over Untrustful Metropolitan Network. Phys. Rev. X, 6:011024,
2016.
[Figure 8: panels (a) and (b), each with sub-plots for 1 Router, 2 Routers
and 3 Routers. x-axis: Storage Time (µs).]
FIG. 8. Distribution of storage times in a network with storage during
delays (unlimited). The y-axis denotes the fraction out of all frames
traversing the indicated number of routers. $T_g^0 = 0$. (a) $1/\gamma$ =
30,000 µs, $T_f^0$ = 2,000 µs. (b) $1/\gamma$ = 3,000 µs, $T_f^0$ = 200 µs.
[12] Yu-Ao Chen, Qiang Zhang, Teng-Yun Chen, Wen-Qi Cai, et al.
An integrated space-to-ground quantum communication network
over 4,600 kilometres. Nature, 589(7841):214–219, 2021.
[13] William J Munro, Nicolò Lo Piparo, Josephine Dias, Michael
Hanks, and Kae Nemoto. Designing tomorrow’s quantum
internet. AVS Quantum Science, 4(2):020503, 2022.
[14] SJ Ben Yoo and Prem Kumar. Quantum Wrapper Networking.
In 2021 IEEE Photonics Conference (IPC), pages 1–2. IEEE,
2021.
[15] Ansh Singal, Sundaraja Sitharam Iyengar, Latesh Kumar, and
Azad M Madni. Hardware routed quantum key distribution
networks. IET Quantum Communication, 2022.
[16] R. Ramaswamy, Ning Weng, and T. Wolf. Characterizing
network processing delay. In IEEE Global Telecommunications
Conference, 2004. GLOBECOM ’04., volume 3, pages 1629–1634
Vol.3, 2004.
[17] C Erven, B Heim, E Meyer-Scott, J P Bourgoin, R Laflamme,
G Weihs, and T Jennewein. Studying free-space transmission
statistics and improving free-space quantum key
distribution in the turbulent atmosphere. New Journal of Physics,
14(12):123018, 2012.
[18] Giuseppe Vallone, Davide G. Marangon, Matteo Canale, Ilaria
Savorgnan, et al. Adaptive real time selection for quantum key
distribution in lossy and turbulent free-space channels. Phys.
Rev. A, 91:042320, 2015.
[19] Wenyuan Wang, Feihu Xu, and Hoi-Kwong Lo. Prefixed-threshold
real-time selection method in free-space quantum key
distribution. Phys. Rev. A, 97:032337, 2018.
[20] Won-Young Hwang. Quantum Key Distribution with High
Loss: Toward Global Secure Communication. Phys. Rev. Lett.,
91:057901, 2003.
[21] Hoi-Kwong Lo, Xiongfeng Ma, and Kai Chen. Decoy State
Quantum Key Distribution. Phys. Rev. Lett., 94:230504, 2005.
[22] Xiongfeng Ma, Bing Qi, Yi Zhao, and Hoi-Kwong Lo. Practical
decoy state for quantum key distribution. Phys. Rev. A,
72:012326, 2005.
[23] Xiang-Bin Wang. Beating the Photon-Number-Splitting Attack
in Practical Quantum Cryptography. Phys. Rev. Lett., 94:230503,
2005.
[24] Hoi-Kwong Lo, Hoi Fung Chau, and Mohammed Ardehali.
Efficient quantum key distribution scheme and a proof of its
unconditional security. Journal of Cryptology, 18(2):133–165,
2005.
[25] Charles Ci Wen Lim, Marcos Curty, Nino Walenta, Feihu Xu,
and Hugo Zbinden. Concise security bounds for practical decoy-state
quantum key distribution. Phys. Rev. A, 89:022307, 2014.
[26] James R Jackson. Networks of Waiting Lines. Operations
research, 5(4):518–521, 1957.
[27] Norm Matloff. Introduction to Discrete-Event Simulation
and the SimPy Language. Davis, CA. Dept of Computer
Science. University of California at Davis. Retrieved on August,
2(2009):1–33, 2008.
[28] Klaus Muller and Tony Vignaux. SimPy: Simulating Systems in
Python. O’Reilly, 650, 2003.
[29] Aric Hagberg, Pieter Swart, and Daniel S Chult. Exploring
network structure, dynamics, and function using NetworkX.
Technical report, Los Alamos National Lab.(LANL), Los
Alamos, NM (United States), 2008.
[30] Mohammad Noormohammadpour and Cauligi S Raghavendra.
Datacenter traffic control: Understanding techniques and
tradeoffs. IEEE Communications Surveys & Tutorials,
20(2):1492–1525, 2017.
[31] Yoshiaki Tamura, Hirotaka Sakuma, Keisei Morita, Masato
Suzuki, et al. The First 0.14-dB/km Loss Optical Fiber and
its Impact on Submarine Transmission. J. Lightwave Technol.,
36(1):44–49, 2018.
[32] Gilles Brassard and Louis Salvail. Secret-Key Reconciliation
by Public Discussion. In Tor Helleseth, editor, Advances
in Cryptology — EUROCRYPT ’93, pages 410–423, Berlin,
Heidelberg, 1994. Springer Berlin Heidelberg.
[Figure 9: panels (a)-(d). x-axis: Storage Time Limit (µs) in (a) and (c),
$1/\gamma$ (µs) in (b) and (d). y-axis: Key Rate (bits/pulse). Legend:
1 Router, 2 Routers, 3 Routers, Post-proc. STL.]
FIG. 9. Secure key rates in a network with storage during delays (limited). The attenuation of the fiber storage lines is fixed at 0.16 dB/km.
A total of 37,500 frames are generated by Alice in each user pair. $T_g^0 = 0$. (a) $1/\gamma$ = 15,000 µs, $T_f^0$ = 2,000 µs. (b) STL = 320 µs,
$T_f^0$ = 2,000 µs. (c) $1/\gamma$ = 50,000 µs, $T_f^0$ = 10,000 µs. (d) STL = 550 µs, $T_f^0$ = 10,000 µs.
Appendix A: Storage vs. No Storage
In this Appendix, we discuss and compare the effects of
using storage versus no storage in a network routing protocol.
Fig. 10 depicts the photon losses experienced by a payload in
a router implementing these two types of strategies. We may
describe the transmittance of a fiber delay line in a storage
routing protocol as
$$\eta_s = 10^{-\alpha_s t_D v_g/10}, \tag{A1}$$
where $t_D = d_\text{proc} + d_\text{queue}$. Thus, the number of transmitted
pulses in a quantum payload of duration $t_Q$ in a storage
routing protocol is given by $\eta_s R_t t_Q$. Similarly, the number of
transmitted pulses in the no storage routing protocol is given
by $R_t (t_Q - t_D)$. Let us assume that equal proportions of
random and controlled (deterministic) photon loss have the same
effect on the key rate (valid so long as the detector noise is
low compared to the signal). Then we expect a storage routing
protocol to be favorable in the case where
$$\eta_s t_Q > t_Q - t_D. \tag{A2}$$
Note that this comparison assumes the same network delays in
each type of routing protocol. However, the no storage routing
protocol introduces smaller $d_\text{trans}$ since frames will shrink by
$t_D$ at each router they encounter. This effect leads to smaller
$d_\text{queue}$ in the no storage routing protocol. The use of guard
time in the storage routing protocol will also introduce smaller
$d_\text{trans}$; however, it is reduced by at most $T_g$.
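The comparison of Eqs. (A1) and (A2), extended to several routers in a row, as an added Python example (not the authors' simulation tool). The group velocity of 0.2 km/µs, the 100 µs delay per router and the use of the Fig. 6 frame lengths as payload durations are assumptions made for illustration.

```python
import math

V_G = 0.2  # km/us, assumed group velocity in fiber (about 2e5 km/s)

def storage_transmittance(alpha_s, t_d_us, v_g=V_G):
    """Eq. (A1): transmittance of a delay line holding a payload for t_D."""
    return 10 ** (-alpha_s * t_d_us * v_g / 10)

def surviving_fraction(t_q_us, delays_us, alpha_s=None):
    """Fraction of a payload's pulses that leave the last router.

    alpha_s=None models the no storage protocol: the payload shrinks by t_D
    at every router and nothing is left once the delays add up to t_Q.
    Otherwise the payload keeps its length and is attenuated per Eq. (A1).
    """
    if alpha_s is None:
        return max(0.0, t_q_us - sum(delays_us)) / t_q_us
    eta = 1.0
    for t_d in delays_us:
        eta *= storage_transmittance(alpha_s, t_d)
    return eta

def break_even_attenuation(t_q_us, delays_us, v_g=V_G):
    """Largest alpha_s (dB/km) at which storage still satisfies Eq. (A2)."""
    kept = surviving_fraction(t_q_us, delays_us)
    if kept == 0.0:
        return math.inf  # no storage delivers nothing, so any fiber wins
    return -10 * math.log10(kept) / (v_g * sum(delays_us))

def favoured_protocol(t_q_us, delays_us, alpha_s):
    """Apply Eq. (A2) to the whole path."""
    stored = surviving_fraction(t_q_us, delays_us, alpha_s)
    dropped = surviving_fraction(t_q_us, delays_us)
    return "storage" if stored > dropped else "no storage"

if __name__ == "__main__":
    # Constructed scenarios: long (2,000 us) and short (200 us) payloads.
    for label, t_q in (("long", 2000.0), ("short", 200.0)):
        for routers in (1, 2, 3):
            delays = [100.0] * routers  # assumed delay per router
            print(label, routers,
                  round(break_even_attenuation(t_q, delays), 4),
                  favoured_protocol(t_q, delays, 0.16))
```

Under these assumptions the break-even attenuation for a long payload behind one router is about 0.011 dB/km, while a short payload is consumed entirely after two routers, so storage is then favoured for any fiber.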
Appendix B: Key Rate Analysis
In this Appendix, we explain how the secure key rate is
calculated and describe the optimization process. We follow
the notation of Ref. [25]. After completing the protocol
described in Sec. III A, Alice and Bob may distill a secure
key of length
$$\ell = \left\lfloor s_{X,0} + s_{X,1} - s_{X,1}\,h(\phi_X) - n_X f_\text{EC}\,h(e_\text{obs}) - 6\log_2\frac{21}{\varepsilon_\text{sec}} - \log_2\frac{2}{\varepsilon_\text{cor}} \right\rfloor. \tag{B1}$$
Here, $s_{X,0}$ and $s_{X,1}$ are the lower bounds on the number of bits
generated from zero- and single-photon pulses, respectively.
[Figure 10: panel (a) labels: Payload, Header, $t_Q$, $t_D$, $t_Q - t_D$,
Controlled photon loss. Panel (b) labels: Payload, Header, $t_Q$, $t_D$,
Random photon loss.]
FIG. 10. Schematic of a hybrid frame before and after passing a router
in a packet-switched network. The duration of the quantum payload
is denoted by $t_Q$. The delay time, $t_D$, is given by
$d_\text{proc} + d_\text{queue}$. (a) No storage. (b) Storage.
The term $s_{X,1} h(\phi_X)$ is the number of bits consumed during
privacy amplification, where $\phi_X$ is the upper bound on the
phase error rate associated with the single-photon events
and $h(x) := -x\log_2 x - (1-x)\log_2(1-x)$ is the binary
entropy function. The term $n_X f_\text{EC}\,h(e_\text{obs})$ describes the bits
consumed by the classical error correction algorithm [32] with
efficiency $f_\text{EC}$, where $n_X$ is the number of detection events in
basis $X$. The post-processing stage ensures that Alice’s and
Bob’s keys are identical except with small probability $\varepsilon_\text{cor}$ and
secret except with small probability $\varepsilon_\text{sec}$. Table I summarizes
the parameter values used in the key rate analysis.
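TABLE I. Key rate analysis parameters.
Parameter                    Value
$f_\text{EC}$                1.16
$\varepsilon_\text{cor}$     $10^{-15}$
$\varepsilon_\text{sec}$     $10^{-10}$
$p_\text{dc}$                $2 \times 10^{-7}$
$\eta_\text{Bob}$            0.15
$e_\text{mis}$               0.005
$\mu_3$                      0.0002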
Next, we show how to estimate $s_{X,0}$, $s_{X,1}$, and $\phi_X$. The
number of zero-photon events satisfies [25]
$$s_{X,0} \geq \tau_0\,\frac{\mu_2 n^-_{X,\mu_3} - \mu_3 n^+_{X,\mu_2}}{\mu_2 - \mu_3}, \tag{B2}$$
where $\tau_n := \sum_{k\in\mathcal{K}} e^{-k} k^n p_k / n!$ is the probability that Alice
sends an $n$-photon state, and
$$n^\pm_{X,k} := \frac{e^k}{p_k}\left[ n_{X,k} \pm \sqrt{\frac{n_X}{2}\ln\frac{21}{\varepsilon_\text{sec}}} \right] \tag{B3}$$
is the number of detection events in basis $X$ for pulses of
intensity $k$ when considering the finite sample size. Here,
$n_X = \sum_{k\in\mathcal{K}} n_{X,k}$. The detection numbers are given by
$$n_{X,k} = N q_x^2\, p_k \left(1 - (1 - 2p_\text{dc})\,e^{-\eta_\text{tot}\eta_\text{Bob}k}\right), \tag{B4}$$
where $\eta_\text{tot} = 10^{(-0.2L - \sum_i \text{loss}_r^i)/10}$ denotes the overall
transmittance of the channel including the fiber links of
distance $L$ (km) and the routers between Alice and Bob. Pulses
belonging to different frames will have a different $\eta_\text{tot}$, so we
take $\eta_\text{tot} \to \langle\eta_\text{tot}\rangle$ by averaging over all frames contributing
to the key. Bob uses an active measurement setup with two
single-photon detectors (InGaAs APDs) each with a dark count
probability $p_\text{dc}$. The overall efficiency of Bob’s measurement
is given by $\eta_\text{Bob}$.
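The number of single-photon events satisfies
$$s_{X,1} \geq \frac{\tau_1 \mu_1 \left[ n^-_{X,\mu_2} - n^+_{X,\mu_3} - \frac{\mu_2^2 - \mu_3^2}{\mu_1^2}\left( n^+_{X,\mu_1} - \frac{s_{X,0}}{\tau_0} \right) \right]}{\mu_1(\mu_2 - \mu_3) - \mu_2^2 + \mu_3^2}. \tag{B5}$$
The number of zero- and single-photon events in basis $Z$,
$s_{Z,0}$ and $s_{Z,1}$, respectively, may be calculated using the same
expressions by replacing $X \to Z$.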
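The phase error rate of the single-photon events in basis $X$
is estimated as
$$\phi_X \leq \frac{v_{Z,1}}{s_{Z,1}} + \gamma\!\left(\varepsilon_\text{sec}, \frac{v_{Z,1}}{s_{Z,1}}, s_{Z,1}, s_{X,1}\right), \tag{B6}$$
where $\gamma(\cdot)$ is the estimation uncertainty given by
$$\gamma(a, b, c, d) := \sqrt{\frac{(c+d)(1-b)\,b}{cd\,\log 2}\,\log_2\!\left(\frac{c+d}{cd(1-b)\,b}\,\frac{21^2}{a^2}\right)} \tag{B7}$$
and $v_{Z,1}$ is the number of bit errors in the single-photon events
in basis $Z$ estimated as
$$v_{Z,1} \leq \tau_1\,\frac{m^+_{Z,\mu_2} - m^-_{Z,\mu_3}}{\mu_2 - \mu_3}. \tag{B8}$$
Here, $m^\pm_{Z,k}$ is the number of bit errors in basis $Z$ for pulses
of intensity $k$ when considering the finite sample size and is
given by
$$m^\pm_{Z,k} := \frac{e^k}{p_k}\left[ m_{Z,k} \pm \sqrt{\frac{m_Z}{2}\ln\frac{21}{\varepsilon_\text{sec}}} \right], \tag{B9}$$
where $m_Z = \sum_{k\in\mathcal{K}} m_{Z,k}$ is the number of bit errors in basis
$Z$. The error numbers are given by
$$m_{Z,k} = N (1 - q_x)^2\, p_k \left(p_\text{dc} + e_\text{mis}\,(1 - e^{-\eta_\text{tot}k})\right), \tag{B10}$$
where $e_\text{mis}$ is the error rate due to optical misalignment.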
Finally, the bit error rate in basis $X$ is calculated as
$$e_\text{obs} = \frac{m_X}{n_X}, \tag{B11}$$
where $m_X$ is the number of bit errors in basis $X$, calculated
analogously to $m_Z$.
The numerical optimization returns the parameters
$\{q_x, p_{\mu_1}, p_{\mu_2}, \mu_1, \mu_2\}$ that maximize the secure key rate
$R := \ell/N$ for a given number, $N$, of pulses that are routed to Bob
(i.e., $N$ is the difference between the number of sent pulses,
$N_0$, and the number of pulses discarded in the routing process).
The decoy intensities satisfy $\mu_1 > \mu_2 + \mu_3$ and $\mu_2 > \mu_3 > 0$.
We fix the vacuum decoy state to be $\mu_3 = 0.0002$. The key
rates presented in this paper are scaled by $N/N_0$ to show the
secure key rate per sent pulse.
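The calculation of Eqs. (B1)-(B11) with the Table I values, written out in Python as an added example (not the authors' simulation tool). The values of q_x, p_k, µ1 and µ2 are constructed rather than optimized, the averaged transmittance is passed in directly, and the clamp at zero and the early-return guards are additions that keep the formulas inside their domain.

```python
import math

# Table I values.
F_EC, EPS_COR, EPS_SEC = 1.16, 1e-15, 1e-10
P_DC, ETA_BOB, E_MIS, MU3 = 2e-7, 0.15, 0.005, 0.0002

def h(x):
    """Binary entropy function, taken as 0 outside (0, 1)."""
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x) if 0 < x < 1 else 0.0

def eta_total(fiber_km, router_losses_db):
    """Overall transmittance: 0.2 dB/km of fiber plus each router's loss (dB)."""
    return 10 ** ((-0.2 * fiber_km - sum(router_losses_db)) / 10)

def key_rate(eta_tot, N=1e12, q_x=0.9, mu1=0.5, mu2=0.1, p=(0.6, 0.3, 0.1)):
    """l/N per Eqs. (B1)-(B11); q_x, mu1, mu2, p are constructed sample values."""
    mu = (mu1, mu2, MU3)
    log_term = math.log(21 / EPS_SEC)
    tau0 = sum(pk * math.exp(-k) for k, pk in zip(mu, p))
    tau1 = sum(pk * math.exp(-k) * k for k, pk in zip(mu, p))

    def detections(q):  # Eq. (B4); q is the probability of choosing the basis
        return [N * q**2 * pk * (1 - (1 - 2 * P_DC) * math.exp(-eta_tot * ETA_BOB * k))
                for k, pk in zip(mu, p)]

    def errors(q):  # Eq. (B10), as printed on the page
        return [N * q**2 * pk * (P_DC + E_MIS * (1 - math.exp(-eta_tot * k)))
                for k, pk in zip(mu, p)]

    def finite(counts, sign):  # Eqs. (B3) and (B9)
        delta = math.sqrt(sum(counts) / 2 * log_term)
        return [math.exp(k) / pk * (c + sign * delta) for k, pk, c in zip(mu, p, counts)]

    def photon_bounds(n):
        up, lo = finite(n, +1), finite(n, -1)
        # Eq. (B2); the clamp is an added step since a count cannot be negative.
        s0 = max(0.0, tau0 * (mu2 * lo[2] - MU3 * up[1]) / (mu2 - MU3))
        s1 = (tau1 * mu1 * (lo[1] - up[2] - (mu2**2 - MU3**2) / mu1**2 * (up[0] - s0 / tau0))
              / (mu1 * (mu2 - MU3) - mu2**2 + MU3**2))  # Eq. (B5)
        return s0, s1

    n_x, m_x = detections(q_x), errors(q_x)
    n_z, m_z = detections(1 - q_x), errors(1 - q_x)
    s_x0, s_x1 = photon_bounds(n_x)
    _, s_z1 = photon_bounds(n_z)
    if s_x1 <= 0 or s_z1 <= 0:
        return 0.0  # added guard: no single-photon events can be certified
    v_z1 = tau1 * (finite(m_z, +1)[1] - finite(m_z, -1)[2]) / (mu2 - MU3)  # Eq. (B8)
    b = v_z1 / s_z1
    if not 0 < b < 0.5:
        return 0.0  # added guard: keeps Eq. (B7) inside its domain
    c, d = s_z1, s_x1
    gamma = math.sqrt((c + d) * (1 - b) * b / (c * d * math.log(2))
                      * math.log2((c + d) / (c * d * (1 - b) * b) * 21**2 / EPS_SEC**2))
    phi_x = min(0.5, b + gamma)  # Eqs. (B6), (B7); capped where h() peaks
    e_obs = sum(m_x) / sum(n_x)  # Eq. (B11)
    ell = math.floor(s_x0 + s_x1 - s_x1 * h(phi_x) - sum(n_x) * F_EC * h(e_obs)
                     - 6 * math.log2(21 / EPS_SEC) - math.log2(2 / EPS_COR))  # Eq. (B1)
    return max(0.0, ell / N)

if __name__ == "__main__":
    for km in (10, 50, 100):  # constructed link lengths, one 1 dB router each
        print(km, "km:", key_rate(eta_total(km, [1.0])))
```

With these sample values a 10 dB channel gives a rate of order 10^-3 bits per routed pulse, and the rate falls to zero once dark counts dominate the detections.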