Experimental Authentication of Quantum Key Distribution with Post-quantum Cryptography

Quantum key distribution (QKD) can provide information theoretically secure key exchange even in the era of quantum computer. However, QKD requires the classical channel to be authenticated, and the current method is pre-sharing symmetric keys. For a QKD network of $n$ users, this method requires $C_n^2 = n(n-1)/2$ pairs of symmetric keys to realize pairwise interconnection. In contrast, with the help of mature public key infrastructure (PKI) and post-quantum cryptography (PQC) with quantum resistant security, each user only needs to apply for a digital certificate from certificate authority (CA) to achieve efficient and secure authentication for QKD. We only need to assume the short-term security of the PQC algorithm to achieve the long-term security of the distributed keys. Here, we experimentally verified the feasibility, efficiency and stability of the PQC algorithm in QKD authentication, and demonstrated the advantages when new users join the QKD network. Using PQC authentication we only need to believe the CA is safe, rather than all trusted relays. QKD combined with PQC authentication will greatly promote and extend the application prospects of quantum safe communication.

Recently, Google claimed to have achieved quantum supremacy [5], a major milestone towards the development of quantum computers. Quantum computing can efficiently solve classically hard problems such as integer factorization and discrete logarithms, and offers a quadratic speedup over classical algorithms in solving unstructured search problems [6,7], which poses a serious threat to the security of classical cryptographic algorithms based on the complexity of these problems. Boudot et al. [8] recently announced the factoring of RSA-240, an RSA number of 240 decimal digits or 795 bits, as well as the solution of a discrete logarithm of the same size. New records of this type are constantly being refreshed as the performance of computer hardware increases over time. In the era of quantum computing, there are two kinds of reliable information security mechanisms: one is quantum cryptography [9], which mainly includes quantum key distribution; the other is post-quantum cryptography, such as lattice-based cryptography and code-based cryptography, which cannot be effectively cracked by the currently known quantum computing algorithms.

* Liu-Jun Wang and Kai-Yi Zhang contributed equally to this work.
Quantum key distribution is unconditionally secure based on the principles of quantum mechanics. With realistic devices, the security of QKD can also be guaranteed [10]. The experiments and practical applications of QKD have developed rapidly. The secure key rate reaches 26.2 Mbps at a channel loss of 4 dB (equivalent to a 20-km-long optical fiber) [11], and the maximum key distribution distance through practical optical fiber has exceeded 500 km [12,13]. The Micius satellite has realized entanglement-based, repeaterless quantum key distribution between two ground stations 1120 km apart [14]. Through trusted relays, several quantum communication networks have been built [15][16][17][18][19][20], and the "Beijing-Shanghai backbone" quantum communication network spans 2200 km.
Nowadays, the hardness of most public key cryptography is based on the integer factorization and discrete logarithm problems, which are difficult or intractable for conventional computers. However, Shor's quantum algorithm [6] achieves an exponential speedup in solving these mathematical problems. In 2016, NIST published a report on post-quantum cryptography [21] anticipating that a quantum computer able to break 2000-bit RSA in a few hours is likely to be built by 2030, which would render the current public-key infrastructure insecure. As a result, in the same year NIST initiated the "Post-Quantum Cryptography Standardization" process by announcing a call for proposals of quantum-resistant cryptographic primitives, including public key encryption, digital signature and key exchange algorithms. The process is expected to release the standardization documents by 2024.
Quantum key distribution consists of a quantum channel that transmits photons and a classical channel used for post-processing of the data. The unconditional security of QKD does not require the classical channel to be confidential, but it does require the channel to be authenticated; otherwise a man-in-the-middle attack is possible. Combined with an intercept-resend attack, the attacker can then obtain the complete keys of both parties without being discovered, as shown in Fig. 1a.
The QKD processes that require authentication include basis sifting, error correction verification, transfer of the random numbers needed for privacy amplification, and final key verification [4]. QKD requires two-way authentication between the two parties.
The current secure authentication method is to pre-share a small amount of symmetric seed keys and use them to encrypt (sign) and decrypt (verify) the hash value of the classical messages, as shown in Fig. 1b. Later, the generated quantum key can be used for authentication. This method guarantees information-theoretic security; however, when the number of QKD network users is large, it is not easy to operate and has the following problems. On the one hand, for a network in which any two users can be connected, if the number of users is $n$, then the number of pre-shared key pairs $m$ is $m = C_n^2 = n(n-1)/2$. Symmetric keys are generally pre-shared in person. When the number of users is relatively large, the burden of pre-sharing keys is heavy and inefficient. For example, if $n = 100$, then $m = 4950$. At the same time, each user needs to store the authentication key pairs shared with all other users. The storage, synchronization and management of so many key pairs increase the complexity and the security risk of the network. One solution is to use a trusted relay to form a star-type network, in which each user connects to and pre-shares one key pair with the trusted relay only [18,22], but this reduces the interconnection between users. Moreover, when new users join a QKD network, they need to pre-share symmetric keys with the trusted relay or with the original users on demand. If the new user's QKD task is urgent, it may be too late to distribute the authentication key pairs.

Another type of secure authentication method is to use a post-quantum public key algorithm together with PKI [23], as shown in Fig. 1b, c. Each user obtains a digital certificate signed by a trusted certificate authority, which contains his/her identity, public key and the other items required by the PKI standard. For a network of $n$ users, the number of digital certificates issued is $n$. If a new user joins the QKD network, he/she only needs to obtain a digital certificate.
Therefore, authentication based on a public key algorithm can solve the problems of pre-sharing symmetric keys. As long as the PQC algorithm is secure during the authentication process, the security of QKD is not affected, even if the PQC algorithm is broken after authentication; so we only need to assume the short-term security of PQC. This differs from using a PQC algorithm for confidentiality or key distribution, which requires long-term security of the PQC algorithm.
Here, we verify the application of PQC in QKD authentication, which greatly improves the operability and efficiency of the QKD authentication process. We realized the application of PQC in the QKD point-to-point link, with fiber distances from 10 km to 100 km. Figure 2 shows the key rates as a function of fiber length. It can be seen that the key rates decrease exponentially with fiber length, which is consistent with the theoretical expectation. We compared the key rates at the same fiber length using pre-shared key authentication and post-quantum algorithm authentication, and the two were consistent within the statistical error. This is because the execution time of post-quantum algorithm authentication is less than 1 ms (see Methods), far less than one authentication cycle of the QKD system, which is 1 s. In the experiment, we also deliberately configured the PQC program to report that authentication had failed; as a result, the QKD system discards the keys for these periods.
QKD networks can generally be divided into two types: all-pass networks and trusted relay networks. In an all-pass network, users are connected by optical switches (OS). In order to achieve arbitrary connection between users, each user must have both a QKD transmitter and a receiver. We built an all-pass network for four users, connected by an optical switch, as shown in Fig. 3a. It can realize two typical topologies, ring connection and cross connection, as shown in Fig. 3b and Fig. 3c respectively. We verified the application of PQC authentication in these two kinds of all-pass networks. The experimental results are shown in Table I. We note that because the performance of different QKD devices is not exactly the same, their key rates and QBERs differ under the same fiber lengths. Using PQC authentication, we also demonstrated the QKD relay network (see Supplementary Fig. 1 and Table I).
Fig. 1 (caption fragment). In the experiment, we implemented two-way authentication, that is, Bob also authenticates Alice's identity. c, D: digest; R: random nonce, generated by Intel chips; C: valid certificate; Pr: public key of the certificate authority; ||: concatenation of two bit strings; T: tag (or signature) of the concatenation of R and D; S: private key; P: public key.

The above results verify the feasibility of the PQC algorithm for QKD network authentication. In order to demonstrate the efficiency of PQC authentication, we built two trusted relay networks and connected them to simulate a QKD metropolitan area network. They can be located on opposite sides of a city. Each relay network contains 5 user nodes, for a total of 10 users in the entire network, as shown in Fig. 3d. When pre-shared key authentication is used, a trusted relay is usually needed to manage the pre-shared keys, at the cost of reduced interconnection. With PQC authentication, the trusted relay can be replaced with an optical switch to realize arbitrary interconnection. Each user only needs one digital certificate for authentication, instead of pre-sharing $C_{10}^2 = 45$ pairs of symmetric keys, as shown in Fig. 3e. The interconnectivity of the QKD network is thereby greatly improved. To illustrate this point, in the experiment we compared the QKD results of three pairs of users, U1-U3, U5-U6 and U8-U10, in the two cases, as shown in Table II. Moreover, PQC authentication only needs to assume that the certificate authority is safe, reducing the security dependence on multiple trusted relays, which can improve the actual security of the entire network.
In the experiment, two new users U11 and U12 join the QKD network, as shown in Fig. 3e. If pre-shared key authentication is used, then in the relay network the new users need to pre-share keys with the relay, and can only perform QKD with the relay, not with other users. In the all-pass network, each new user needs to pre-share 10 pairs of symmetric keys with the 10 original users, plus 1 pair of keys between the two new users. A total of 21 pairs of keys need to be pre-shared to achieve the connection between any two users. In contrast, if PQC authentication is adopted, trusted relays can be replaced with optical switches. Each new user only needs to apply for one digital certificate, and a total of two digital certificates realize the connection between any two users. This greatly improves the convenience of network access and interconnection for new users. After U11 and U12 obtained digital certificates, we demonstrated QKD between U11-U2, U11-U7, U12-U4, U12-U9 and U11-U12. The results are shown in Table III. Finally, we tested the stability of PQC authentication with a pair of QKD devices. The fiber length is 40 km, and the system ran continuously for 30 hours. The PQC program kept running normally, and the QKD systems continuously generated keys (see Supplementary information).

TABLE II. Comparison of key rates and QBERs between the relay network and the all-pass network. R1 and R2 stand for relay 1 and relay 2 in Fig. 3(e), respectively. The fiber length between two users in the all-pass network is the sum of the fiber lengths of the links between the two users in the relay network. (Table columns: Connection, Length; the table values were not recovered.)
In summary, we used the lattice-based post-quantum digital signature algorithm Aigis-Sig, combined with PKI, to achieve efficient and quantum-secure authentication of QKD. Since the Aigis-Sig algorithm is highly computationally efficient, it does not affect the performance of QKD, such as the key rate. We experimentally verified the feasibility of its application in a metropolitan QKD relay network and an all-pass network. With PQC authentication, the trusted relay in the QKD network can be replaced with an optical switch. Each user only needs to apply for a digital certificate through PKI to realize a direct connection between any two users. When a new user joins the network, he/she only needs to obtain a digital certificate, instead of distributing symmetric keys with all other users, and can immediately establish a QKD connection. Compared with pre-shared key authentication, PQC authentication has obvious operability and efficiency advantages. Moreover, with fewer trusted relays, the security dependence on trusted relays in the network is reduced, improving the security of the entire QKD network. We have also verified the long-term stability of PQC authentication.

Methods
In the experiment, we used the BB84 protocol combined with the decoy state method [24], with polarization encoding. The system operating frequency was 625 MHz, and single photon detectors based on InGaAs avalanche photodiodes were used. The QKD transmitter and the QKD receiver were synchronized by periodic pulsed light. The synchronization light was transmitted together with the quantum signal light over a single optical fiber through wavelength-division multiplexing. The QKD systems used the SM3 hash algorithm to generate 256-bit digest values of the messages to be authenticated, and output them to the PQC program. The finite-key effect is considered in the data processing.
The PQC algorithm we used is Aigis-Sig [25], an efficient lattice-based digital signature scheme built from variants of the Learning With Errors (LWE) [26] and Small Integer Solution (SIS) [27] problems. It has been shown that these two problems are at least as hard as some worst-case lattice problems (e.g., GapSIVP) for certain parameter choices [28][29][30]. Therefore, the post-quantum security of the Aigis-Sig algorithm rests on the conjectured quantum resistance of the underlying lattice problems. Furthermore, no quantum algorithm has been found to have a substantial advantage (beyond a polynomial speedup) over classical ones in solving lattice problems.
Our authentication protocol adopts a PKI enhanced with the post-quantum secure Aigis-Sig, as shown in Fig. 1c. The protocol consists of two phases. In the first phase, the transmitter and the receiver exchange their own certificates issued by the certificate authority (CA). Then each uses the public key of the CA to verify that the other party's public key is bound to its identity. In the second phase, the transmitter and the receiver each use Aigis-Sig to sign the message digest under their own private key, and then use the confirmed public key of the other party to verify the correctness of the received signature. Because only the legitimate party holds the corresponding private key, it can be confirmed that the message was signed legitimately.
In order to prevent replay attacks, we introduce a nonce into our authentication protocol; the nonce is a random number generated by Intel chips. We exchange the nonces in the first phase and concatenate them with the message digest to form the signed message in the second phase. Note that we implemented two-way authentication in the QKD data processing.
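The two-phase protocol described above, written out in Go as an added example (this is not the authors' code): since Aigis-Sig and SM3 are not in the Go standard library, ed25519 stands in for the signature scheme and SHA-256 for the digest, and the certificate is reduced to the CA's signature over identity||public key; the type and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Certificate binds an identity to public key P; CASig is the CA's signature over Identity||P.
type Certificate struct {
	Identity  string
	PublicKey ed25519.PublicKey
	CASig     []byte
}
// Party is one QKD endpoint holding private key S and its certificate C.
type Party struct {
	Cert Certificate
	priv ed25519.PrivateKey
}
// concat returns a||b in a fresh buffer (the "||" of the protocol).
func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// mustRandom returns n bytes from the OS CSPRNG (stand-in for the Intel-chip nonce source).
func mustRandom(n int) []byte {
	r := make([]byte, n)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}
// NewParty generates a key pair and has the CA sign Identity||P (certificate issuance).
func NewParty(caPriv ed25519.PrivateKey, id string) *Party {
	priv := ed25519.NewKeyFromSeed(mustRandom(ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	return &Party{Certificate{id, pub, ed25519.Sign(caPriv, concat([]byte(id), pub))}, priv}
}
// VerifyCert is phase 1: with CA public key Pr, check that P is bound to the claimed identity.
func VerifyCert(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, concat([]byte(c.Identity), c.PublicKey), c.CASig)
}
// SignTag is phase 2 for the signer: T = Sign(S, R||D), R the peer's nonce, D the message digest.
func (p *Party) SignTag(peerNonce, msg []byte) []byte {
	d := sha256.Sum256(msg) // SHA-256 in place of the SM3 digest used by the QKD systems
	return ed25519.Sign(p.priv, concat(peerNonce, d[:]))
}
// VerifyTag is phase 2 for the verifier, using the peer's confirmed key P and its own nonce R.
func VerifyTag(peerPub ed25519.PublicKey, myNonce, msg, tag []byte) bool {
	d := sha256.Sum256(msg)
	return ed25519.Verify(peerPub, concat(myNonce, d[:]), tag)
}
// MutualAuth runs the full two-way exchange for one classical message: certificates both
// ways, nonce exchange, then tags both ways. On failure the QKD system discards that cycle's keys.
func MutualAuth(caPub ed25519.PublicKey, alice, bob *Party, msg []byte) bool {
	if !VerifyCert(caPub, alice.Cert) || !VerifyCert(caPub, bob.Cert) {
		return false
	}
	rA, rB := mustRandom(32), mustRandom(32) // Alice sends rA to Bob, Bob sends rB to Alice
	tA, tB := alice.SignTag(rB, msg), bob.SignTag(rA, msg)
	return VerifyTag(alice.Cert.PublicKey, rB, msg, tA) && VerifyTag(bob.Cert.PublicKey, rA, msg, tB)
}
```

Because each tag is bound to the peer's fresh nonce, a tag recorded in one authentication cycle does not verify in a later one, which is the replay protection the nonce provides.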
We implemented the PQC algorithm on Windows 10 64-bit with an Intel(R) Core(TM) i7-9750H CPU @ 2.60 GHz and 8 GB RAM. The average cost of signature generation is 459903 CPU cycles, and the average cost of signature verification is 104337 CPU cycles. The signature size is 2445 bytes. The real execution time is less than 1 ms.

Due to the high cost of single photon detectors, relay nodes generally deploy QKD receivers, and user nodes deploy QKD transmitters. The fiber lengths between the relay and the users are typical distances within a metropolitan area. Using PQC authentication, QKD between the relay node and the three users was successfully achieved. The key rates and QBERs are shown in Table IV; they are average values over five minutes.
In the experiment, we tested the stability of PQC authentication with a pair of QKD devices. The fiber length is 40 km, and the system ran continuously for 30 hours. The PQC program kept running normally, and the QKD systems continuously generated keys, as shown in Fig. 5. The secure key rate is in the range of 100-180 kbps; the fluctuations are caused by the QBER reaching 3% or the continuous running time reaching 30 minutes, either of which triggers the polarization feedback set by the QKD system. The 30-hour average key rate is 144.1 kbps. It can also be seen from the figure that polarization feedback is more frequent during the daytime (08:00-18:00) than at night (18:00-08:00), because human activities and temperature fluctuations during the day disturb the optical fiber more severely. Figure 6 shows a curve of the QBER within a 30-minute operating cycle of a QKD system. One QBER value is recorded every second. The QBER is distributed between 0.65% and 1.1%, and the 30-minute average is 0.876%. The above results show the stability and reliability of PQC authentication applied to QKD.

Fig. 5. A curve of 30-hour QKD key rates. The fiber distance is 40 km, and each value is an average over 5 minutes. The near-periodic fluctuation of the key rate is due to the fact that the QKD system is set to start polarization feedback when the QBER reaches 3% or the continuous running time reaches 30 minutes, so the data points whose statistical period contains polarization feedback are lower.