Network of standards
A European project may have created the building blocks for the world's first practical communications network secured by quantum theory. E&T explores.
The pressure is on to improve the security of our communications networks. But can quantum cryptography be part of the answer?
News that an EU-funded consortium has successfully protected data in a commercial telecommunications network using quantum key distribution (QKD) suggests not only that quantum cryptography is practical but also that Europe could lead its mainstream implementation.
QKD involves sending streams of photons, whose quantum states are used to represent 1s and 0s, between two parties. The parties measure the state of the photons to produce a shared cryptographic key made of identical random bit strings. The appeal of the technique is that the sender and receiver can tell whether the stream has been tapped by a third party. The drawback to date has been that the quantum states of photons tend to get jumbled in long fibre runs, limiting the technique's usefulness in commercial networks.
The Sixth Framework Programme's €11.4m SECOQC project (for 'development of a global network for secure communications based on quantum cryptography') began four-and-a-half years ago as a collaboration between European national research organisations, universities and companies including Hewlett Packard, ID Quantique, Qinetiq, Siemens, Thales and Toshiba Research Europe. The idea was to commercialise what were, back then, experiments in quantum key-based data encryption that were intended to make QKD useful in real-world networks.
Espionage and cyber-crime
While the initial impetus of SECOQC was a 2001 European Parliamentary report outlining concerns that the UK-USA ECHELON communication surveillance and interception network was being used for industrial espionage, time has moved on.
These days, China and Russia head the list of suspects blamed for causing economic damage through espionage and cyber-crime. But numerous other nations appear to be at it too: the US Department of Defense's most recent counterintelligence study said more than 100 countries were trying to acquire intellectual property from US entities. There are no similar up-to-date European Commission studies but SECOQC's latest business white paper mentions discreetly how "unauthorised third parties routinely and systematically attack communication and data transmission over public networks, and put in danger data confidentiality and integrity".
In these circumstances, QKD is attractive because an eavesdropper can't gain information on the keys secretly. Tampering with quantum states leaves tracks behind as an error rate that can be identified by the legitimate users. In the quantum world, it is impossible to measure something without also affecting its state. So once data is encrypted with keys generated in this way, it should be safe to send it down any non-secure line without fear of interception.
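The detectability described above can be seen in a toy simulation. This is an added example, not SECOQC or any vendor's code; it assumes an idealised lossless channel, a two-basis BB84-style exchange, and an intercept-resend eavesdropper who measures each photon in a random basis and re-emits what she saw:

```python
"""Toy BB84 exchange showing how an eavesdropper leaves an error rate behind.

A photon is modelled as a (bit, basis) pair. Measuring it in the basis it was
prepared in returns the bit; measuring in the other basis returns a random bit
and leaves the photon re-prepared in the wrong basis. That disturbance is what
the legitimate users can detect. Constructed illustration, not SECOQC code.
"""
import random

# Quantum bit error rate above which BB84 key can no longer be distilled with
# one-way post-processing (the commonly cited ~11% bound).
QBER_ABORT_THRESHOLD = 0.11


def measure(photon, basis, rng):
    bit, prepared_basis = photon
    return bit if basis == prepared_basis else rng.randrange(2)


def run_bb84(n_photons, eavesdrop, seed=1):
    """Return (sifted_key_bits, qber) for one exchange of n_photons.

    eavesdrop=True models an intercept-resend attacker who measures every
    photon in a random basis and re-emits the result in that basis.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eavesdrop:
            e_basis = rng.randrange(2)
            photon = (measure(photon, e_basis, rng), e_basis)
        bob_bits.append(measure(photon, b_basis, rng))
    # Sifting: Alice and Bob publicly compare bases (never bits) and keep only
    # the positions where they happened to choose the same basis.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), (errors / len(sifted) if sifted else 0.0)


def key_is_usable(qber):
    """The legitimate users estimate the QBER on a sample and abort if it is too high."""
    return qber < QBER_ABORT_THRESHOLD


if __name__ == "__main__":
    for tapped in (False, True):
        n_bits, qber = run_bb84(4000, eavesdrop=tapped)
        verdict = "keep key" if key_is_usable(qber) else "discard key"
        print(f"eavesdropper={tapped!s:5}  sifted={n_bits}  QBER={qber:.3f}  -> {verdict}")
```

Without tapping the sifted bits agree exactly; with intercept-resend roughly a quarter of them disagree, far above the abort threshold, which is the "track" the article refers to.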
The SECOQC QKD demonstration took place in October 2008 in a standard metropolitan fibre-optic network connecting five of Siemens' sites around Vienna, encrypting applications such as VoIP, video-conferencing and Web services with constantly refreshed quantum keys, 24 hours a day.
Siemens installed seven QKD links connected by fibre as a separate channel for distributing 'secrets', to work hand-in-hand with the channels carrying the actual data. This 'network of secrets' also had two free-space links to allow keys to be exchanged with external devices. Each link comprised a pair of network appliances containing hardware to generate specially prepared photons at one end and detect them at the other. The links, developed by different groups of partners, used six different techniques to generate the quantum keys, to prove that these could all be integrated into the same network and used together.
The QKD links were connected to six network nodes via a special 'node module', designed by the SECOQC partners. The node module, which has to be in a secure location to prevent tampering, reads the incoming photon-based quantum keys, buffers them and then relays them securely as a new stream of photons to other network nodes.
This means keys can travel over an indirect route between sender and receiver on a hop-by-hop basis, with each hop on the way being secured by the quantum nature of light. The node module also synchronises secret-key provision to the key-consuming applications across the network. The nodes were, on average, between 20 and 30km apart, with the longest separation being 83km.
Prior to the Vienna demo there had been a number of trials of point-to-point QKD links including ID Quantique's system, which was used to guarantee the security of votes cast in Geneva during the Swiss general election. But the only other fibre-optic network demonstrator has been DARPA's smaller and simpler one deployed between Harvard University, Boston University and BBN Technologies in 2004.
The DARPA demonstrator used keys on a point-to-point basis without the key management or node-module layers used in the SECOQC demo. A free-space link was added to the demonstrator eventually, but the basic working set-up was two photon transmitters and two receivers directly controlled by a 2x2 optical switch that could couple any transmitter to any receiver. One transmitter, receiver and the switch were in BBN's laboratory; the second transmitter was at Harvard; and the second receiver at Boston. The fibres linking the various parties ranged from several metres to 29km long.
One important difference between the DARPA set-up and SECOQC's is that in the former, if the fibre-optic links are broken, there are no alternative routes over which the keys can travel. The SECOQC approach enables keys to be rerouted down alternate paths to the same destination. Furthermore, it isn't possible to increase the distance over which keys can be distributed in DARPA's set-up, because the losses due to photon scattering in the fibre become too high.
Photon scattering reduces the key-generation bit rate by an order of magnitude for every 50km of fibre, so, for example, a 10kbit/s key-generation rate is reduced to 1kbit/s. This matters because the keys are consumed in use, so limits on the rate at which they can be generated and distributed also potentially limit the bandwidth of the communications channels they secure. Keys can travel much further in SECOQC's network because they are distributed using the hop-by-hop approach, dubbed the 'trusted repeater' architecture: the QKD links generate as much key as possible and then simply hand it over to the network node, regardless of which end-user will later request it.
"With our trusted repeater approach you can not only extend the distance of quantum key distribution, but you can put more than one link in the repeater station and decide within the station to which specific link you want to hand the key," says SECOQC project leader Christian Monyk of ARC, the Austrian Research Centre.
"It delivers a network structure where you can add as many users as you like and all can communicate together as we can do with phone networks and the Internet."
At the heart of the 'network of secrets' is a specially developed lower-layer point-to-point protocol called Q3P, which provides a standard way to access services provided by the QKD links in order to accommodate the varying characteristics and interfaces of links from different vendors.
Running on top of Q3P are two specially adapted end-to-end routing and transport-level protocols: QKD-RL, which follows the widely used Open Shortest Path First protocol; and QKD-TL, which adopts TCP/IP but with a new approach to dealing with highly congested networks based on quantum-key resources.
All three protocols present a standard-like interface, which can be introduced in current telecom networks. Applications running on the upper layers need not be modified in order to use the secure key material.
All this work will now form the basis of the world's first ever quantum cryptography standard, under ETSI's newly-formed Industry Specification Group on QKD. The group had its first official meeting after the Vienna demo and agreed to work on security assurance requirements, user requirements, components and internal interfaces, application interfaces, security proofs, and QKD device integration in standard optical networks.
Monyk says that de facto technical standards could be developed within six months but concedes that it will take a few years before such standards are internationally accepted.
"From a technical point of view, it's quick to define this standard but it's a longer process to get agreements from all partners, such as banks or insurance companies, that they will follow these standards and use them," he says. "But we are confident that this European standardisation effort will spread over the world. At this stage the basics are there to implement QKD in a closed company network with a small number of network nodes."
The main plank of the standard, which everyone has agreed on, is an interface (the Quantum BackBone Link) based around Q3P that defines how network-management nodes can extract key material from any QKD link. This will ensure that kit from different vendors works together.
The toughest task for the ETSI group will be to reach a consensus about the security assumptions of QKD systems.
A security-assurance standard would need to answer questions about how you prevent physical tampering, as well as the overall system design and management of keys and the interaction of all those aspects, according to Brian Lowans, product director at Qinetiq. He says the security framework provided by the ISO/EN15408 Common Criteria standard's Protection Profile and the US FIPS (Federal Information Processing Standard) could form a basis for security assurance. But working with potential users is going to be an important part of the process.
"At Qinetiq we're trying to understand what is really needed for security rather than what can QKD do for the market," says Lowans.
As part of this process, Qinetiq has been doing trials in London with the network operator AboveNet to see if it can use QKD technology in its networks.
"We've done some initial experiments sending polarised photons through part of their network in the City of London," says Lowans. "We didn't have any hiccups or concerns for our signal rating. It was along a 96km stretch, which is important as it's about the length of a standard hop in a telecoms network."
At this stage the cost of the optical components means a pair of QKD link boxes is around €60,000 to €70,000. While the standards initiative provides a path for low-cost volume manufacture of integrated optics, it will take some time to bring costs down. However, QKD can be made cheaper in the short term by increasing the rate of key generation so more users can be hooked into a network, says Andrew Shields, quantum information group leader at Toshiba Research Labs in Cambridge.
Shields' group has made a single-photon detector that enables the number of key users on a network to be increased 100-fold. Detectors (which are basically avalanche photodiodes) currently offer a maximum key bit rate of around 10kbit/s over a 20km fibre.
"If the keys are 256 bits long and the key refresh rate is once a second, only 80 users can share that 20km length on the network, which isn't a great deal in a network environment with multiple applications running," points out Shields. Toshiba's new detector can handle an incoming bit rate of more than 1Mbit/s over 20km of fibre.
"That means we can have 8,000 users and the technology starts to become very useful."
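To see why the hop-by-hop architecture matters, here is a small model (added here, not SECOQC code) that combines the attenuation figure given earlier, an order of magnitude per 50km, with the detector figures Shields quotes: 10kbit/s at 20km, 256-bit keys refreshed once a second. It assumes a pure exponential loss law and that the slowest hop bounds the end-to-end key rate; the hop lengths are constructed to add up to the 83km longest separation in the Vienna network:

```python
"""Why hop-by-hop (trusted-repeater) key distribution beats a long direct link.

Constructed model from the figures quoted in the article; not SECOQC code.
"""
import math

REF_RATE_BPS = 10_000    # key rate at the reference distance (article: ~10 kbit/s)
REF_DISTANCE_KM = 20     # ... over a 20 km fibre
DECADE_KM = 50           # one order of magnitude of loss per 50 km of fibre


def link_key_rate(distance_km, ref_rate_bps=REF_RATE_BPS):
    """Secret-key rate (bit/s) of one point-to-point QKD link of the given length."""
    return ref_rate_bps * 10 ** (-(distance_km - REF_DISTANCE_KM) / DECADE_KM)


def path_key_rate(hop_lengths_km, ref_rate_bps=REF_RATE_BPS):
    """End-to-end key rate along a chain of trusted repeater nodes.

    Each hop generates key independently; the end-to-end key is relayed hop by
    hop, encrypted with that hop's key, so every hop spends as much key as the
    end-to-end key is long and the slowest hop sets the pace. Caveat: each
    intermediate node handles the relayed key in the clear, which is why the
    node modules have to sit in secure, tamper-resistant locations.
    """
    return min(link_key_rate(d, ref_rate_bps) for d in hop_lengths_km)


def users_supported(key_rate_bps, key_bits=256, refresh_hz=1.0):
    """How many end-users a key stream can serve.

    Each communicating pair consumes key_bits * refresh_hz bit/s, and a pair is
    two users. 10 kbit/s gives 78 (the article rounds to 80); 1 Mbit/s gives
    7812 (the article's "8,000").
    """
    pairs = math.floor(key_rate_bps / (key_bits * refresh_hz))
    return 2 * pairs


if __name__ == "__main__":
    direct = link_key_rate(83)             # longest SECOQC separation as a single link
    relayed = path_key_rate([28, 28, 27])  # the same 83 km through two node modules
    print(f"direct 83 km link : {direct:8.0f} bit/s -> {users_supported(direct)} users")
    print(f"three ~28 km hops : {relayed:8.0f} bit/s -> {users_supported(relayed)} users")
    print(f"1 Mbit/s detector : {users_supported(1_000_000)} users over one 20 km link")
```

The relayed path delivers more than ten times the key rate of the direct link, at the price of having to trust every intermediate node.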
Toshiba is confident there'll be a volume market for QKD.
"QKD would be for business networks initially but eventually there could be ubiquitous use of QKD, even to the home. That may be ten years down the line," says Shields.
Largely due to the SECOQC project, European engineers and scientists have developed the leading quantum cryptography hardware in the world. Whether this work will form a sustainable advantage for European industry is difficult to predict, but the potential is there.
"European organisations will be part of the standards efforts right from the beginning. The GSM standard was key to helping companies like Ericsson and Nokia become world leaders in mobile phones," says Grégoire Ribordy, CEO of ID Quantique.
Maybe the QKD standard will be similarly influential…