Quantum key distribution (QKD) promises unconditional security in data communication and is currently being deployed in commercial applications. Nonetheless, before QKD can be widely adopted, it faces a number of important challenges such as secret key rate, distance, size, cost and practical security. Here, we survey those key challenges and the approaches that are currently being taken to address them.
Why quantum key distribution?
For thousands of years, human beings have been using codes to keep secrets. With the rise of the Internet and recent trends to the Internet of Things, our sensitive personal financial and health data as well as commercial and national secrets are routinely being transmitted through the Internet. In this context, communication security is of utmost importance. In conventional symmetric cryptographic algorithms, communication security relies solely on the secrecy of an encryption key. If two users, Alice and Bob, share a long random string of secret bits—the key—then they can achieve unconditional security by encrypting their message using the standard one-time-pad encryption scheme. The central question then is: how do Alice and Bob share a secure key in the first place? This is called the key distribution problem. Unfortunately, all classical methods to distribute a secure key are fundamentally insecure because in classical physics there is nothing preventing an eavesdropper, Eve, from copying the key during its transit from Alice to Bob. On the other hand, standard asymmetric or public-key cryptography solves the key distribution problem by relying on computational assumptions such as the hardness of factoring. Therefore, such schemes do not provide information-theoretic security because they are vulnerable to future advances in hardware and algorithms, including the construction of a large-scale quantum computer.1
We remark that some secrets, for instance, census data, need to be kept secret for decades (e.g. 92 years in Canada (Statistical Canada webpage. Release of personal data after 92 years, URL: http://www12.statcan.gc.ca/census-recensement/2011/ref/about-apropos/personal-personnels-eng.cfm)). Currently, however, data transmitted in 2016 is vulnerable to technological advances made in the future as Eve might simply save the transcripts of communication in her memory and wait for the construction, for example, of a quantum computer some time before 2,108 (92 years from 2016). This is highly probable. Recall that ENIAC, the first general purpose electronics computer,2 which was largely inferior to modern computers, was invented only 70 years ago. The US National Security Agency is taking the threat of quantum computing seriously and has recently announced transition plans to quantum-resistant classical algorithms3 (These algorithms are typically based on hard computational problems involving for instance the structure of some specific lattices. Despite important progress in the development of such algorithms, it is still an open question whether they are secure against a quantum computer).
Quantum cryptography, or more specifically, quantum key distribution (QKD),4,
The potential applications of QKD include securing critical infrastructures (for instance, the Smart Grid), financial institutions and national defense. Experimental QKD has been performed over distances on the order of 100 km in standard telecom fibres as well as in free space, while the secure key rate has now reached a few Mbits per second. QKD has leaped out of the lab.15 In China, the deployment of a 2,000 km QKD network between Shanghai and Beijing is underway; in Europe, after the SECOQC network demonstration in 2008,16 the UK is now creating a quantum network facilitating device and system trials, and the integration of quantum and conventional communications; in Japan, QKD technologies will be put into test to secure transmission of sensitive genome data; and the US has also started installing its own QKD network.
Why practical challenges in QKD?
In this review, we will focus on practical issues in QKD. We remark that, historically, practical considerations in QKD have led to ground-breaking inventions. For example, the need to counter the photon-number-splitting attack17 triggered the invention of the decoy-state protocol,18,
QKD is clearly of interest to engineers too. For instance, practical QKD is closely linked to the development of new single-photon detection technologies such as superconducting nanowire single-photon detectors (SNSPDs),24 superconducting transition-edge sensors (TES),25 frequency up-conversion single photon detectors,26,27 and self-differencing InGaAs avalanche photodiodes,28 as well as of high-performance homodyne detection techniques.29 It is also the motivation for high-speed quantum random number generators30 and broadband entangled photon sources.31
Practical QKD has steered innovation and is a precursor in the field of Quantum Information Processing.
Outline of the review
Despite the important theoretical and experimental achievements, a number of key challenges remain for QKD to be widely used for securing everyday interactions. For instance, much effort is being put into increasing the communication rate and range of QKD and making QKD systems low cost, compact and robust. New hardware such as chip-based QKD and new software such as novel protocols are being studied and developed. The security of practical QKD systems is another important challenge. In order to foil quantum hackers, protocols such as MDI-QKD and loss-tolerant QKD32 have been developed and are currently being experimentally implemented. Yet, a comprehensive theory of the model of a QKD source remains to be constructed. To further extend the reach of QKD, two different approaches—quantum repeaters and ground-to-satellite QKD—are being pursued. In view of the proliferation of mobile computing devices including smart phones, mobile QKD applications have also attracted recent attention. Furthermore, the standardisation of QKD components is currently being pursued in European Telecommunications Standards Institute.33 In what follows, we will highlight some of the above challenges and the various approaches that are being taken to tackle them.
Main protocols and implementations
We begin our discussion with a brief overview of the main QKD protocols currently studied and the state-of-the-art in their practical implementations. As our main focus here is the current challenges in the field, we refer the reader to a recent review7 for the necessary background on the rigorous information-theoretic (or, unconditional) security definition of QKD in the composable framework, secure communication schemes including the one-time pad, the standard BB84 QKD protocol, and basic QKD components.
QKD protocols can be in essence divided with respect to the detection technique required to recover the key information encoded in the properties of light (Figure 1a). In discrete-variable (DV) protocols information is typically encoded in the polarisation or phase of weak coherent pulses simulating true single-photon states; hence the corresponding implementations employ single-photon detection techniques. The previously mentioned BB84 and decoy-state protocols are prominent examples in this category. Single-photon detection techniques are also necessary for the so-called distributed-phase-reference protocols, such as the coherent-one-way34 and differential-phase-shift (DPS)35 protocols, where the key information is encoded in photon arrival times or in the phase between adjacent weak coherent pulses. On the other hand, in continuous-variable (CV) QKD protocols information is encoded in the quadratures of the quantised electromagnetic field, such as those of coherent states,36,37 and homodyne or heterodyne detection techniques are used in this case. Such detectors are routinely deployed in classical optical communications, hence the CV approach offers the possibility for implementations based only on mature telecom components. All these protocols are prepare-and-measure in the sense that the transmitter, Alice, sends the encoded pulses to the receiver, Bob, who decodes as required by the specific protocol. On the contrary, in entanglement-based protocols,5 both parties receive parts of an entangled state and perform suitable measurements. More details on all protocols can be found in refs 6,7,38,39.
When it comes to practical demonstrations, performance of point-to-point links is assessed by the distance over which secret keys can be distributed and the rate of their distribution for a given security level. The security level is determined by the type of attacks considered in the corresponding security proof; demonstrating security against the so-called collective attacks6 is an important challenge for an implementation; however, information-theoretic security is achieved only when security against the most general (or coherent) attacks is proven. Hence, the ultimate goal is to provide this level of security at a speed and a distance that are compatible with practical applications. Some recent implementations have provided high levels of security: several QKD protocols have been demonstrated to provide composable security against collective attacks using reasonable data block sizes and practical setups, including decoy-state BB84,40 coherent-one-way,41 and CV-QKD.42,43 Among those protocols, the security of decoy-state BB84 QKD has been extended to cover coherent attacks, for realistic block sizes and with a minimal sacrifice in the secret key rate.44,45 Unfortunately, for coherent-one-way, the best security proof against coherent attacks currently gives a secret key rate that only scales quadratically with the loss.46 For CV-QKD with coherent states and heterodyne detection, a composable security proof against the most general attacks has recently been provided,47 but the current proof techniques do not allow a positive key rate for realistic block sizes in this case. Extending the security proofs for the latter protocols is therefore a pressing task in the theoretical study of QKD.
Figure 1b,c shows examples of advanced fibre-optic QKD systems allowing for real-time secret key generation over distances of 50 km with Mbit/s rates. In Figure 1d we summarise some important experimental achievements from both established and emerging QKD protocols (discussed in the following sections). Although the security assumptions and technological maturity vary in these implementations, these results illustrate the diversity of protocols and experimental solutions that the research community has invented to push the performance of QKD technology. Indeed, tremendous progress has been achieved in recent years, and avenues for further progress will be discussed in the next section. We remark, however, that there are fundamental limitations on what can be ultimately achieved. Over optical fibre networks, the attenuation of light in standard fibres at the telecom wavelength of 1,550 nm is 0.2 dB/km (or 0.16 dB/km in newly developed ultralow loss fibres). This unavoidable loss will not allow the range of point-to-point QKD links to exceed a few hundreds of kilometres as with overly excessive channel loss it would take several years to generate just one bit even using perfect light sources and detectors. Furthermore, with a practical lossy channel, the ultimate key rate is upper bounded by the so-called TGW bound48 (see also ref. 49 for a more recent result, quoted as the PLOB bound). These bounds provide a useful benchmark for the performance of all QKD protocol implementations.
Major challenges in performance and cost
In the quest for high performance and low-cost QKD systems, both hardware and software solutions are currently being pursued.
Encryption keys generated by QKD can be used in a symmetric cipher scheme, such as Advanced Encryption Standard, which is quantum resistant, for enhanced security, or they can be combined with the one-time-pad encryption scheme for unconditional security. In both cases, the secure key rate achieved by the underlying QKD layer in a typical application scenario is crucial. Higher secure rates allow for a more frequent update of encryption keys in symmetric ciphers, and for a proportional increase in the one-time-pad communication bandwidth as this scheme requires the key to be as long as the message.
Presently, strong disparity exists between the classical and QKD communication rates. Classical optical communications delivering speeds of 100 Gbit/s per wavelength channel are currently being deployed,50 and a field trial featuring 54.2 Tbit/s aggregated data rate has recently been performed.51 On the other hand, the Mbit/s rates achieved by QKD systems today are sufficient, for instance, for video transmission; however, it is clear that if we want in the longer term to encrypt high volumes of classical network traffic using the one-time-pad, major developments on the secure key rate generated by QKD will be required.
The obtained key rate depends crucially on the performance of the detectors used. For QKD systems employing single-photon detection techniques, high efficiency and short dead time of the detectors are essential for reaching a high bit rate. The latest developments on high efficiency detectors52,
Extending the communication range of QKD systems is a major driving factor for technological developments in view of future network applications. QKD systems based on single-photon detection champion the point-to-point communication distance (or channel loss). Here the low noise of single-photon detectors is the key enabling factor; in particular, the attainable range depends on the type and operation temperature of the detectors. InGaAs avalanche photodiodes can tolerate losses of 30 and 52 dB when cooled to −30 and −120 °C,41,61 respectively, whereas SNSPDs cooled to cryogenic temperatures have been demonstrated to withstand a record loss of 72 dB.62 This loss is equivalent to 360 km of standard single mode fibre or about 450 km of ultralow loss fibre. Although technologically possible, further extending the point-to-point distance is increasingly unappealing because the channel loss will inevitably reduce the key rate to a level of little practical relevance. This is also true for CV-QKD systems, which are in general more sensitive to losses. Here it is crucial to keep the excess noise—the noise exceeding the fundamental shot noise of coherent states—low and especially to be able to estimate the noise value precisely, which becomes increasingly difficult with the distance.38,42
We remark that advances towards high-performance QKD systems in terms of key rate and distance are coupled with the security guarantees offered by these systems. For instance, achieving composable security against general attacks requires in practice being able to perform efficient post-processing, including parameter estimation, over large data blocks with stable setups. Particularly for CV-QKD, performing efficient error correction and precise parameter estimation is of utmost importance.38,63
Cost and robustness
For QKD systems to be used in real world applications, low cost and robustness are indispensable features alongside high performance. Several avenues are currently being pursued. First, QKD systems have been shown to coexist with intense data traffic in the same fibre,64,
Another important avenue to address the issue of cost and robustness is photonic integration.70 Chip-scale integration will bring high level of miniaturisation, leading to compact and light-weight QKD modules that can be mass-manufactured at low cost. Two main integration platforms are currently being explored, namely silicon (Si)71 and indium phosphide (InP),72 whereas alternative techniques include lithium niobate (LiNbO3) integration and glass waveguide technologies. For QKD protocols employing single-photon detection, the main difficulty comes from the receiver side so initial experiments have focused on transmitter integration. A LiNbO3 integrated polarisation controller was used for state preparation in a QKD implementation,73 whereas several techniques were combined to construct a handheld QKD sender module in ref. 74. More recently, a QKD transmitter chip that is reconfigurable to accommodate the state preparation for several QKD protocols, including decoy-state BB84, coherent-one-way and DPS, has been developed on InP75 (Figure 3), and Si transmitters have also been demonstrated independently by the U. of Toronto76 and also by Bristol group. (C. Erven and M. Thompson, private communication.)
Chip-scale QKD receivers are also progressing. Low-loss planar-lightwave-circuits based on silica-on-silicon technology have been routinely used to replace fibre-based asymmetric Mach–Zehnder interferometres,75,77,78 a key enabling component for phase-based QKD protocols. Research efforts are currently focused on the integration of single-photon detectors using the aforementioned techniques, which will be essential for developing complete integrated systems. CV-QKD systems are particularly well suited for this objective because they only require the use of standard components. Indeed, Si photonic chips integrating many functionalities of a CV-QKD setup, including active elements such as amplitude and phase modulators and homodyne/heterodyne detectors based on germanium (Ge) photodiodes, have been developed.79
Development of chip-scale QKD is still at its early stages. Further research in this direction will help bring the QKD technology closer to its wide adoption.
New QKD protocols
In parallel to hardware development, much effort has also been devoted to novel QKD protocols aiming to outperform the established ones. Encouragingly, this line of research has led to protocols that may exhibit advantages when certain technical constraints are in place. Below, we discuss two protocols featuring high photon information capacity or noise tolerance.
High dimension-QKD allows retrieval of more than 1 bit from each detected photon, thus offering an advantage in the photon information capacity when the photon rate is restrained.80,
The Round-Robin (RR) DPS protocol, which was proposed in 2014,88 removes the need for monitoring the channel disturbance to establish security, in stark contrast with conventional QKD protocols (see Figure 4a for the principle). Instead, Eve’s information can be tightly set, even to an arbitrarily low level, by just choosing experimental parameters. In theory, a positive key rate is possible for any quantum bit error rate (QBER) <50%. This extraordinary QBER tolerance makes it attractive for deployment when large systematic errors cannot be avoided. Shortly after its introduction the protocol has stimulated a number of experimental demonstrations.89,
Major challenges in practical security
Although the security of a QKD protocol can be proven rigorously, its real-life implementation often contains imperfections that may be overlooked in the corresponding security proof. By exploiting such imperfections, various attacks, targeting either the source or the detectors, have been proposed; some of them have even been demonstrated to be effective against commercial systems.94,
One promising long-term solution to side-channel attacks is DI-QKD, where the security relies on the violation of a Bell inequality and can be proven without knowing the implementation details. While recent loophole-free Bell experiments23,100,101 imply that DI-QKD could be implemented, the expected secure key rate is nevertheless impractically low even at short distances. A more practical solution is MDI-QKD, which is inherently immune to all side-channel attacks targeting the measurement device, usually the most vulnerable part in a QKD system. In fact, the measurement device in MDI-QKD can be treated as a ‘black box’ which could even be manufactured and operated by Eve. Building upon refs 102,103; ref. 21 proposed a practical scheme with weak coherent pulses and decoy states (Figure 5a), whose security against the most general coherent attacks, taking into account the finite data size effect, has been proved in ref. 104 (see also ref. 99, which studied an entanglement-based representation with general finite-dimensional systems, and ref. 105, which proposed a DI-QKD protocol with local Bell test).
MDI-QKD21 is a natural building block for multi-user QKD networks, since the most expensive and complicated measurement device can be placed in an untrusted relay and shared among many QKD users.68 Several groups have demonstrated its feasibility. In particular, DV MDI-QKD was demonstrated over 200 km telecom fibre106 and 404 km of ultralow loss fibre107 in lab conditions, and over 30 km of deployed fibre.108 With highly efficient single-photon detectors, the tolerable channel loss can be as high as 60 dB, which corresponds to 300 km of standard telecom fibre.109 A real-life fibre based multi-user MDI-QKD network was also implemented recently110 (Figure 5c). Moreover, a 1 Mbit/s proof-of-principle MDI-QKD experiment was performed,111 thus illustrating the high key rate potential of DV MDI-QKD. This was also studied in ref. 112 for MDI-QKD employing state-of-the-art SNSPDs; in Figure 5b, simulation results of the secret key rate in this case show an achievable key rate of 0.01 bit per pulse over 25 km. With a transmission rate of 1 GHz, this corresponds to a secret key rate of 10 Mbit/s, which is sufficient for many cryptographic applications. As a comparison, we also present in Figure 5b the previously mentioned fundamental upper bounds per optical mode.48,49 We see that the key rate of DV MDI-QKD is only about 2 orders of magnitude away from the TGW bound at a practical distance, hence this protocol is suitable for high speed communications in metropolitan area networks.
It is important to emphasise that one fundamental assumption in MDI-QKD is that Eve cannot interfere with Alice and Bob’s state preparation processes. To prevent Eve from having access to quantum signals entering Alice’s or Bob’s labs and interfering with the state preparation process, MDI-QKD is commonly implemented using independent laser sources for Alice and Bob. Recently, gigahertz-clocked, phase-randomised pulses from independent gain-switched lasers have been demonstrated to interfere with high visibility, by control of the frequency chirp and/or emission jitter.111,113
One drawback of MDI-QKD is that its key rate scales quadratically with the detector efficiency. This is because in most of existing MDI-QKD protocols (except for ref. 114), secure keys are distilled from two-fold coincidence detection events (In MDI-QKD, the secure key rate R scales as TA×η×TB×η, where TA is the channel transmission from Alice to the measurement device, TB is the channel transmission from Bob to the measurement device, and η is the single-photon detection efficiency (assuming that all detectors have the same efficiency). The overall transmission of the whole channel (from Alice to Bob) is T=TA×TB, hence the key rate R of MDI-QKD scales as T×η2. This means that the key rate of MDI-QKD scales linearly with the whole channel transmittance (same as the case of conventional QKD and DDI-QKD), but quadratically with the detector efficiency.). Recently, the detector-device-independent (DDI) QKD protocol, designed to bridge the strong security of MDI-QKD with the high efficiency of conventional QKD, was proposed.115,
The MDI-QKD scheme has been extended recently to the CV framework122 (see also refs 123,124 for a more restricted security analysis). In the CV framework, both Alice and Bob prepare Gaussian-modulated coherent states and send them to an untrusted third party, Charlie, who measures the correlation between the incoming quantum states. The CV MDI-QKD system requires high efficiency (>85%) homodyne detectors for a positive key rate.112 This efficiency requirement has been met in recent proof-of-principle laboratory free-space experiments.122,125 However, achieving the required efficiencies in a fibre-based optical network setting is more challenging, owing to the detector coupling loss and losses by fibre network interconnects and components110 (see also ref. 126 for a different perspective). When high efficiency detectors are in place, CV MDI-QKD would require an asymmetric configuration, where Charlie needs to be located close to one of the users. Even in this case, the expected key rate of the state-of-the-art CV MDI-QKD system drops to zero when the channel loss is above 6 dB (corresponding to 30 km standard telecom fibre).112,122 Therefore, for long distance (>30 km) applications, DV MDI-QKD is currently the only option available for MDI-QKD. A reliable phase reference between Alice and Bob also needs to be established in CV MDI-QKD, and may be possible to realise using recently proposed techniques for standard CV-QKD.58,
QKD with imperfect sources
Given that the security loopholes associated with the measurement device can be closed by MDI-QKD, an important remaining question is how to justify the assumption of trustable quantum state preparation, including single-mode operation, perfect global phase randomisation, no side channels, etc. On one hand, the imperfections in quantum state preparation need to be carefully quantified and taken into account in the security proof; on the other hand, practical countermeasures are required to prevent Trojan horse attacks119 on the source.
To address imperfections in quantum state preparation in QKD, a loss-tolerant protocol was proposed in ref. 32, which makes QKD tolerable to channel loss in the presence of source flaws (see also studies in refs 127,128). On the basis of the assumption that the single-photon components of the states prepared by Alice remain inside a two-dimensional Hilbert space, it was shown that Eve cannot enhance state preparation flaws by exploiting the channel loss and Eve’s information can be bounded by the rejected data analysis.129 The intuition for the security of loss-tolerant QKD protocol can be understood in the following manner. By assuming that the state prepared by Alice is a qubit, it becomes impossible for Eve to perform an unambiguous state discrimination (USD) attack.130 Indeed, in order for Eve to perform a USD attack, the states prepared by Alice must be linearly independent; but by having three or more states in a two-dimensional space, in general the set of states prepared by Alice is linearly dependent, thus making USD impossible.
The above loss-tolerant protocol has been further developed and demonstrated experimentally in ref. 131, where the authors implemented decoy-state QKD with imperfect state preparation and employed tight finite-key security bounds with composable security against coherent attacks. The work in ref. 32 has also been extended to the finite-key regime in ref. 132, where a wide range of imperfections in the laser source, such as the intensity fluctuations, have been taken into account. In ref. 133, a rigorous security proof of QKD systems using discrete-phase-randomised coherent states was given, thus removing the requirement for perfect phase randomisation. With respect to this, we note that gain-switched laser diodes are presently the de facto QKD light source, capable of naturally providing phase-randomised coherent pulses at a clock rate of up to 2.5 GHz.134,135
Progress has also been made on enhancing the security of QKD by carefully examining source imperfections in implementations. Refs 136,137 studied the risk of Trojan horse attacks due to back reflections from commonly used optical components in QKD. Similar research was also conducted for CV-QKD.138 In ref. 139, by using laser-induced damage threshold of single-mode optical fibre to bound the photon numbers in Eve’s Trojan horse pulses, the authors provided quantitative security bounds and a purely passive solution against a general Trojan horse attack.
All the above advances strongly suggest the feasibility of long-distance secure quantum communication with imperfect sources. A promising research direction is to apply the above techniques for QKD with imperfect sources to MDI-QKD leading to practical side-channel-free QKD. To achieve this goal, it is necessary to establish a comprehensive list of assumptions on the sources, and verify them one by one. In a recent experimental demonstration,140 the loss-tolerant protocol is applied to a MDI-QKD setting. Such an experiment thus addresses source and detector flaws at the same time.
We end our discussion on practical security by noting that in both classical and quantum cryptography, it is also important to carefully address the risks of side-channel attacks on the electronics and post-processing layers. Various side-channel attacks discovered in classical cryptography, such as the timing attack,141 the power-monitoring attack,142 and acoustic cryptanalysis,143 can also pose threats to quantum cryptography. Closing these side channels requires substantial future efforts.
So far, our discussion has been largely limited to point-to-point QKD links. Although these links are useful for some applications, QKD network structures must be considered in order to enable access by a greater many users and also to extend the reach and geographical coverage. In addition, the incorporation of mobile QKD nodes for key transports will add to network connection flexibility and allow even greater geographical coverage. In the following, we discuss approaches for building a QKD network and possibilities for future mobile QKD deployment.
Building QKD networks
An important issue in a network setting is the topology that allows for multiple users to access the network. A star topology is suitable for this purpose for relatively short distance (up to 400 km). Imagine a star network where there is at most one intermediate node between any two users, allowing for secure quantum communication among all users without the need for the relay to be trusted. In fact, this approach has already been demonstrated based on the MDI-QKD protocol.110 The long-term vision is for each user to use a simple and cheap transmitter and outsource all the complicated devices for network control and measurement to an untrusted network operator. As only one set of measurement devices will be needed for such a network that is shared by many users, the cost per user could be kept relatively low. The network provider would then be in a favourable position to deploy state-of-the-art technologies including high detection efficiency SNSPDs to enhance the performance of the network and to perform all network management tasks. The important advantage is that the network operator can be completely untrusted without compromising security. Experimental demonstrations of network MDI-QKD, either in optical fibres110 or in free space, are a major step towards such QKD networks with untrusted relays.
Nonetheless, MDI-QKD is limited in distance, hence in order to address the great challenge of extending the distance of secure QKD, three further approaches are possible. The first and the simplest approach is to use trusted relays. This is already feasible with current technology and indeed has been used as the standard in existing QKD networks.16,144 By setting up trusted nodes, for instance, every 50 km, to relay secrets, it is possible to achieve secure communication over arbitrarily long distances. The QKD network currently under development between Shanghai and Beijing is based on this approach.
The second approach is quantum repeaters, which remove the need for the users to trust the relay nodes. Quantum repeaters are beyond current technology, but have been a subject of intense research efforts in recent years. The long-term vision here is to construct a global quantum internet as described, for example, in ref. 14. Research efforts on quantum repeaters have focused on matter quantum memories and their interface with photonic flying qubits.145,146 However, new recent approaches manage to reduce the need for a quantum memory147 or to completely remove it by using all-photonic quantum repeaters.148
Finally, the third approach is ground-to-satellite QKD. By using one or a few trusted satellites as relay stations, it is possible to extend the distance of secure QKD to the global scale. To this end, several free-space studies, including experiments with low earth orbit (LEO) satellites, have been conducted.149,
The studies in free-space QKD may also open the door to mobile QKD networks, which can be useful in many applications, such as ship-to-ship communication, airport traffic control, communication between autonomous vehicles, etc. In such a network, the mobility of QKD platforms requires the network to be highly reconfigurable—the QKD users should be able to automatically determine the optimal QKD route in real time based on their locations. Fast-beam tracking systems are indispensable. Furthermore, due to the strong ambient light, an effective filtering scheme is required to selectively detect quantum signals. Recent studies analyze the effect of fading and of atmospheric turbulence to CV-QKD156 and show that CV-QKD with coherent detection could be robust against ambient noise photons due to the intrinsic filtering function of the local oscillator.157 We also note that preliminary studies suggest that QKD at microwave wavelengths, which are widely used in wireless communications, might be feasible over short distances.158,
In this review, we have discussed important challenges in practical QKD. These range from extending security proofs to the most general attacks allowed by quantum mechanics to developing photonic chips as well as side-channel-free systems and global-scale QKD networks. Addressing these challenges using some of the approaches that we have presented will open the way to the use of QKD technology for securing everyday interactions.
As the lead application of the field of Quantum Information Processing, advances in QKD will have important implications in many other applications too. For example, a great range of quantum communication protocols beyond QKD have been studied in recent years161 and their development has directly benefited from research in QKD. These include, for instance, quantum bit commitment,162,
Determining the exact power and limitations of quantum communication is the subject of intense research efforts worldwide. The formidable developments that can be expected in the next few years will mark important milestones towards the quantum internet of the future.
Notes added in proof
After a completion of a preliminary version of this paper, a recent preprint181 has been posted on the arXiv that demonstrates the insecurity of DDI-QKD protocol. In addition, it has come to our attention that DI-QKD remains vulnerable to covert channels such as memory attack.182
We acknowledge helpful comments from many colleagues including Romain Alléaume, Hoi-Fung Chau, Marcos Curty, Philippe Grangier, Anthony Leverrier, Charles Ci Wen Lim, Marco Lucamarini, Xiongfeng Ma, Joyce Poon, Li Qian, Kiyoshi Tamaki and Feihu Xu. We thank our colleagues including Ping Koy Lam, Vikas Anant, Jessie Qin-Dregely, Chris Erven, Masato Koashi, Philip Sibson, Mark Thompson and Qiang Zhang for allowing us to reproduce some of their figures. We thank Warren Raye of Nature Partner Journals for securing the permission for reproductions of figures from various publishers. We acknowledge financial support from NSERC, CFI, ORF, the US Office of Naval Research (ONR), the Laboratory Directed Research and Development (LDRD) Program of Oak Ridge National Laboratory (managed by UT-Battelle LLC for the US Department of Energy), the City of Paris, the French National Research Agency, the Ile-de-France Region, the France-USA Partner University Fund, and the Commissioned Research of National Institute of Information and Communications Technology (NICT), Japan.
About this article
npj Quantum Information (2018)