Battelle QKD Test Bed

Alex Morrow, Don Hayford Battelle

Columbus, OH, USA morrowa@battelle.org

Matthieu Legré ID Quantique

Geneva, Switzerland

Abstract— Modern communication systems rely on encryption technology based on difficult mathematical problems, such as factoring large numbers, to protect sensitive data. Existing algorithms have demonstrated that these classically hard-to-solve problems may be solved easily by quantum computing. Even though existing data is still protected, future data will not be. Moreover, encrypted data that is captured and saved will become vulnerable as current cryptographic methods are compromised. This emerging situation has prompted a number of researchers to develop alternative methods for encryption that are provably secure. One such method is to use quantum key distribution (QKD) technology.

This paper is a report on a test bed that Battelle is using to obtain real world performance data on commercially-available QKD equipment. The test bed is being developed in four stages:

1. Laboratory testing using spooled fibers in various lengths ranging from 30 to 100 km,

2. Commercial-grade fiber located in Columbus, Ohio linking two facilities separated by 30 km

3. Metropolitan-sized ring topology in the Columbus, Ohio area, connecting multiple businesses within the loop, and

4. Long range QKD backbone with a link between Columbus, Ohio and the Washington, DC area using multiple commercial fiber services along with a trusted node architecture connecting individual short-range QKD components.

The first stage of the Battelle QKD test bed is complete and is located at Battelle’s headquarters in Columbus, Ohio. Work to complete Stage 2 is underway and will be operational by Q2 2013. Results from Stage 1 are presented in this paper along with the design of Stages 2 through 4. Included are option of the use of Wavelength Division Multiplexing (WDM) technology to allow the quantum link to also carry classical data at high data rates, reducing the total cost of the quantum link by aggregating the data and keys onto a single fiber.

Keywords- Network Security; Quantum Cryptography; Quantum Key Distribution; Test Bed

I. INTRODUCTION

This paper is a report on a test bed that Battelle is using to obtain real world performance data on commercially-available QKD equipment. Modern communication systems rely on encryption technology based on difficult mathematical

problems, such as factoring large numbers, to protect sensitive data. Existing algorithms have demonstrated that these classically hard-to-solve problems may be solved easily by quantum computing. Even though existing data is still protected, future data will not be. Moreover, encrypted data that is captured and saved will become vulnerable as current cryptographic methods are compromised. This emerging situation has prompted a number of researchers to develop alternative methods for encryption that are provably secure. One such method is to use quantum key distribution (QKD) technology.

II. BACKGROUND

Quantum key distribution was originally described by Bennett and Brassard in 1984 [1] and since that time, numerous researchers around the world have developed the technology to the point where it is now possible to buy off-the-shelf equipment [2] that can transfer secure keys between points separated by as much as 100 km. In addition, numerous demonstrations of QKD technology have taken place in various locations, such as

• Boston (2007) [3]

• Vienna (2009) [4]

• Tokyo (2010) [5]

• Geneva (2009) [6]

• Melbourne (2010) [7]

• China (2009) [8]

While the hardware used in these demonstrations is highly sophisticated, with few exceptions it is also highly experimental and unavailable for commercial applications. One exception is the equipment developed by ID Quantique SA of Switzerland, who has been active in the development and deployment of QKD technology and commercial hardware since 2001. All QKD equipment uses some quantum property of photons, such as polarization or phase, to transmit a random sequence of bits between two users, commonly referred to as Alice and Bob. Though somewhat dependent on the exact nature of the quantum property that is used to convey information, the key generation process involves a number of steps. For simplicity, the discussion here is limited to a quantum interferometric technique known as plug-and-play [9], which forms the basis of ID Quantique’s Cerberis system. In

978-1-4673-2709-1/12/$31.00 ©2012 IEEE 162

this implementation, a photon pulse is split into two pulse groups using a quantum interferometer with unequal leg lengths and sent from Bob to Alice. Alice randomly modulates the phase of one group but sends both groups back to Bob by reflecting them from a Faraday mirror. The attenuation of the fiber optic line plus additional attenuation added by Bob and Alice ensures that only a single photon, on average, makes it back to Bob for measurement. Bob randomly modulates the phase on one leg of his interferometer, so that an eavesdropper intercepting one or more of the photons in the fiber between Alice and Bob can’t determine the “bit” selected by the combined random settings of Alice and Bob’s phase modulators. The plug-and-play technique significantly simplifies the optical setup of the overall QKD system, since much of the noise added to the two interferometer pulses will cancel due to the common path of the photons. Plug-and-play is one of the variants of the general class of QKD equipment known as “discrete variable” QKD, or DV-QKD, since the measurement ultimately is made on single (discrete) photons. “Continuous variable”, or CV-QKD, techniques that use many photons to send a key from Alice to Bob have also been developed, but are not commercially available as of the time of this writing.

Because of attenuation in the fiber connecting Alice to Bob, not all of the bits transmitted by Alice reach Bob, and even fewer of those that reach Bob are successfully measured. Using a classical communication channel (often an Ethernet link), Bob and Alice compare data to confirm which photons were successfully received but concealing the measurement made by Bob. Since the measurement of the quantum state by an attacker (known as Eve) will usually, but not always, change the state of the photons that Bob measures, Bob and Alice will compare approximately ten percent of the measurements that Bob made to the bit states that Alice transmitted to determine the quantum bit error rate (QBER). Generally, this rate will be a few percent of the total and allow Alice and Bob to determine the maximum amount of information that Eve might have gained from listening in. Processes known as key sifting and privacy amplification allow Alice and Bob to generate a secure key as long as the QBER is below about 11.4% [10]. Higher error rates can mean that either an attacker is listening on the line, which might be detectable using optical time domain reflectometry, or that the optical properties of the line are insufficient to successfully transmit the key. This can be caused by excessive movement of an overhead fiber during high winds, for example.

Once a secure key has been transmitted from Alice to Bob, then data can be safely encrypted using that key. Though some demonstrations of encryption using one-time-pad encryption have been made, most applications use more conventional block algorithms like AES to encrypt data using 128 or 256 bits of the random data as the key. This is done for two reasons. First, there is no approved security standard, like FIPS 140-2 [11] or Common Criteria [12], for QKD, but the combination of a quantum key with a standard software generated key can be shown to comply with these standards. Second, key generation rates over long distances are insufficient for transmitting more than a few thousand bits per second, where

data rates of millions of bits per second or higher are required for most applications.

Several commercial applications of QKD [4],[6] exist in Europe, but, surprisingly, there are none in the United States. The authors believe this can be attributed to some extent to differences in legal requirements for data protection in the US compared to various parts of Europe. However, the authors also believe that the current technical limitations of QKD hardware are partially responsible. For example, commercial (or even highly specialized research equipment) QKD hardware has definite limits to the distance over which keys can be practically transmitted. For most situations, that limit is on the order of 100 km (62 miles). These sorts of lengths are sufficient for certain applications, particularly those that involve the transmission of a company’s entire business data repository to a secure, off-site, backup facility. However for routine usage between banking branches spread across the United States, for example, 100 km links are woefully inadequate. Another limitation is the ability to share keys without specific point-to-point links between users. Using current technology, an institution with fifty satellite locations, for example, would need fifty QKD systems at the main headquarters to enable links with all of its branch locations.

Several researchers have previously discussed the need for a trusted relay that can link multiple QKD users within a network. Such a network, consisting of eight QKD links connecting six nodes, was demonstrated in Vienna as part of the SECOQC conference in October, 2008 [4]. Though not demonstrated at the time, the same trusted relay technology could be used to increase the distance over which keys can be transmitted.

Battelle and ID Quantique are working to make long-range, networked quantum key distribution a reality in the US. As part of that effort, a multiphase QKD test bed is being developed to demonstrate and test a commercial QKD implementation that will include many of the features described in the SECOQC Vienna demonstration. Ultimately, this test bed will be used to connect Battelle offices more than 600 km apart with a secure, high-speed data network.

III. TEST BED PHASES

The test bed is being developed in four stages: laboratory testing, point to point satellite office deployment, metropolitan-sized ring topology and a long range QKD backbone.

A. Laboratory Testing

Laboratory testing will start by configuring the quantum key server to communicate with a layer-2 encryptor. After that connection has been established the other end of the link would be configured as well. Then the QKD link would be created between the two quantum key servers. With a successful quantum link and with the encryptors running properly, additional fiber will be connected between the quantum key servers to more closely simulate the distance found in the next stage. The attenuation of the quantum link will be measured to verify the specifications are accurate for Battelle’s application. After successful operation in the lab, Battelle then will move the hardware to be used in our intranet for live traffic testing. Battelle wants to make sure everything they use will be

163

compatible. Duplicate hardware will be deployed to connect two buildings on their campus that will be used in the next stage. First a few computers then an entire floor and finally the entire building will be on the same network as the satellite facility. After the QKD system proves itself to be reliable for a number of different network conditions, Battelle will move it over to be used in the next stage.

B. Satellite Office Connection

The first off-site location Battelle has selected to connect is located in Dublin, Ohio. This facility is their Production and Field Support (PFS) office which handles their small to medium production needs. PFS is approximately 15km away via direct line, but in order to deploy a dark fiber link at a reasonable cost Battelle will have to utilize existing infrastructures in place. The three most common paths to connect their facilities can be seen in Fig. 1 below. The distances for the dark fiber routes are between 25km and 50km. This should still be within the capability of the QKD hardware assuming no extraneous losses within the fibers. All traffic from this site is routed through the main campus, even internet traffic so the data bandwidth can be large. They will be utilizing a pair of 1Gbit/s encryptors which will increase the current bandwidth of the facility. The current implementation of QKD they are using requires 3 dark fibers for the system. They will be multiplexing all three channels onto one fiber [13]. Fig. 2 shows the diagram for their WDM plan of implementation. If the fiber span proves to be too long, or the attenuation too high, then they will multiplex two of the channels (key sifting and data) onto one fiber and putting the quantum link on a fiber alone. Finding dark fiber can be challenging depending on the location of the facility. There are a lot of options at their Dublin office, but to get dark fiber to their main campus, they will have to build a section of dark fiber. A number of possible companies have been identified that can create this dark fiber link for them. Once the dark fiber has been connected they will characterize the connection. The current encryption method for data between facilities is utilizing layer-3 IPSec encryption. The layer-2 encryption can be added in addition to layer-3 with no additional throughput loss [14].

Figure 1. Alternate dark fiber routes.

Figure 2. Multiplexing of signals.

C. Metropolitan-Sized Ring

After a full year of operation of the satellite office connection, Battelle plans to start building a QKD metro ring in Columbus, Ohio. Initially they plan to connect some of their facilities in the Columbus area. The current plan is to create a ring network of their facilities and then make the ring available for non-Battelle companies to utilize. This approach will require a trusted node to be created by Battelle. The trusted node will allow multiple other businesses to utilize the infrastructure to be built to increase the encryption of their data. Figure 3. shows the future QKD metro ring planned.

A trusted node is a repeater for the quantum keys. One of the essential features of the trusted node is the ability to share private keys between two nodal points that don’t share a quantum link, as long as there is more than one independent path linking the two points. Fig. 3 shows the arrangement of QKD links in the Columbus metropolitan network. Trusted nodes 1 and 3, for example, don’t share a quantum link, but it is important that the transmission of encrypted information between the two links occur as easily, and securely, as between directly connected nodal points. One approach for transmitting information from TN1 to TN3 involves sending the data first to

164

TN2, then on to TN3. This method has several drawbacks including having to encrypt that data twice and having the data available, even if only for a short time, at a third location.

Where nodes are linked by multiple paths, however, the ability to transmit keys along independent paths can help increase the overall security of the link. As illustrated in Figure 4. , TN2 transmits key K1 to both TN1 and TN3, while TN4 transmits a second key, K2, to nodes 1 and 3 as well. TN1 can then generate a third random key, K3, and transmit that key to TN3 using both K1 and K2 to protect K3. Since only TN1 and TN3 know both quantum keys, only these two nodes will know K3 as well. This same method can be extended to any number of nodes to provide quantum-equivalent security between any two nodes that have redundant paths.

Figure 3. Future QKD metro route.

Figure 4. Sharing keys between unconnected nodal points.

D. Long Range QKD Backbone

With Columbus, Ohio successfully connected with the QKD metro ring from the third stage Battelle will start work on connecting central Ohio to the Washington, DC area. A link of this size will be a costly endeavor, but will prove to be valuable for Battelle and its customers for enabling secure communication to the Midwest from the east coast. The quantum channel has a distance limitation of around 50km when using a single fiber [13]. Unfortunately 50km with a single fiber for all three channels will result in a secret key rate of 10bps which would be too slow for multiple users. Therefore, a single fiber will be used for all quantum links, and all other data will be fed into other fiber(s). Using the trusted nodes developed in the previous stage, Battelle will be able to extend their quantum key reach to the coast. Fig. 5 shows how using the trusted node will work between a series of point to point quantum key systems. At this point they will have to reduce the size of the trusted node and create a trusted quantum regenerator that can be installed along the path of the dark fiber. The proposed path for the long range network will likely exit Columbus paralleling the US I-70 freeway, until it meets up near Pittsburgh, PA. From there the network will continue south on US I-79 to Morgantown, WV, and then on US I-68 into Washington, DC. They will also move west from Columbus, first connecting their facilities at West Jefferson, then moving on to Dayton, Ohio. This will allow Battelle and their clients to have secure communications from Dayton, all the way to the east coast. At the completion of this long range QKD backbone, Battelle will have the longest known QKD network in the US at nearly 770km. Battelle will exceed the distance of the next longest proposed QKD network in the US by 25% [7].

Figure 5. Using the trusted relay to extend the overall length of the quantum

link.

IV. CONCLUSION

Advancements in computing have led to a decline in data security which has prompted the development of commercial QKD systems. Battelle is at the forefront to deploy the first commercial QKD system in the United States with long term plans for continued QKD growth. Battelle has successfully completed the first stage of the QKD test bed and will start construction to connect their satellite office in the fourth quarter of 2012.

3 2

4 1

K1

K1

K2

K2

E(K1,E(K2,K3))

165

REFERENCES

[1] C. H. Bennett and G. Brassard, “Quantum Cryptography: Public key

distribution and coin tossing”, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, p. 175, 1984

[2] ID Quantique, “http://www.idquantique.com”

[3] C. Elliott, H. Yeh, “DARPA quantum network testbed,” Defense Advanced Research Projects Agency, July 2007.

[4] M. Peev, et al., “The SECOQC quantum key distribution network in Vienna,” New Journal of Physics, vol 11, 075001, July 2009.

[5] Updating quantum cryptography and communications 2010 conference, “http://www.uqcc2010.org/highlights/index.html,” 2010

[6] D. Stucki, et al., “Long-term performance of the SwissQuantum quantum key distribution network in a field environment,” New Journal of Physics, vol 13, December 2011.

[7] V. Sharma, “Enterprise security services incorporating continuous variable QKD,” Quintessence Labs, January 2012.

[8] Teng-Yun C., et al., “Field test of a practical secure communication network with decoy-state quantum cryptography,” Optics Express, vol 17, pp 6540-6549, 2009.

[9] G. Ribordy, J. Gautier, N. Gisin, O. Guinnard, H. Zbinden, “Automated ‘plug & play’ quantum key distribution,” Electronics Letters, vol 34, pp 2116-2117, 1998

[10] N. Lütkenhaus, “Estimates for practical quantum cryptography,” Phys. Rev. A 59, 3301(1999)

[11] http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

[12] http:// www.commoncriteriaportal.org/

[13] P. Eraerds, N. Walenta, M. Legre, N. Gisin, and H. Zbinden, “Quantum key distribution and 1Gbps data encryption over a single fibre,” New Journal of Physics, vol 12, 063027, June 2009.

[14] Luther Troell, Bruce Hartpence, and Seth Simons, “Comparative performance of layer 2 and IPSec encryption on ethernet networks,” Rochester Institute of Technology, October 2006.

166