Abstract
Quantum key distribution (QKD) can provide information theoretically secure key exchange even in the era of quantum computers. However, QKD requires the classical channel to be authenticated, the current method for which is presharing symmetric keys. For a QKD network of n users, this method requires \({C}_{n}^{2}=n(n1)/2\) pairs of symmetric keys to realize pairwise interconnection. In contrast, with the help of a mature public key infrastructure (PKI) and postquantum cryptography (PQC) with quantumresistant security, each user only needs to apply for one digital certificate from a certificate authority (CA) to achieve efficient and secure authentication for QKD. We need to assume only the shortterm security of the PQC algorithm to achieve longterm security of the distributed keys. Here, we experimentally verified the feasibility, efficiency, and stability of the PQC algorithm in QKD authentication, and demonstrated the advantages when new users join the QKD network. Using the PQC publickey infrastructure, the nodes need to mutually trust only the CA to authenticate each other. QKD combined with PQC authentication will greatly promote and extend the application prospects of quantumsafe communication.
Similar content being viewed by others
Introduction
Recently, Google claimed to have achieved quantum supremacy^{1}, a major milestone towards the development of quantum computers. Quantum computing can efficiently solve classical hard problems such as integer factorization and discrete logarithms and demonstrates a quadratic speedup (over classical algorithms) in solving unstructured search problems^{2,3}, which poses a serious threat to the security of classical cryptographic algorithms based on the complexity of these problems. Boudot et al.^{4} recently announced the factoring of RSA240, an RSA number of 240 decimal digits or 795 bits, as well as solved a discrete logarithm of the same size. New records of this type are constantly being refreshed as the performance of computer hardware increases over time. In the era of quantum computing, there are two kinds of reliable information security mechanism: one is quantum cryptography^{5}, which mainly includes quantum key distribution (QKD); and the other is postquantum cryptography (PQC), such as latticebased cryptography and codebased cryptography, which cannot be effectively cracked by the currently known quantum computing algorithms.
QKD is unconditionally secure based on the principle of quantum mechanics^{6,7,8}. With realistic devices, the security of QKD can also be guaranteed^{9}. The experiments and practical applications of QKD have drastically developed. The secure key rate reaches 26.2 Mbps at a channel loss of 4 dB (equivalent to a 20kmlong optical fiber)^{10}, and the maximum key distribution distance through a practical optical fiber exceeds 500 km^{11,12}. The Micius satellite has realized entanglementbased repeaterless QKD between two places on the ground at a distance of 1120 km^{13}. Through a trusted relay, several quantum communication networks have been built^{14,15,16,17,18,19}, and the “BeijingShanghai backbone” quantum communication network spans 2200 km.
Currently, the hardness of most publickey cryptography is based on integer factorization and discrete logarithm problems that are difficult or intractable for conventional computers. However, Shor’s^{2} quantum algorithm can achieve an exponential speedup in solving these mathematical problems. In 2016, NIST published a report on PQC^{20} anticipating that a quantum computer is likely to be built by 2030 that breaks 2000bit RSA in a few hours and therefore renders the current publickey infrastructure insecure. As a result, in the same year, NIST initiated the “PostQuantum Cryptography Standardization” process by announcing a call for proposals of quantumresistant cryptographic primitives including publickey encryption, digital signature, and key exchange algorithms. And the process is expected to release the standardization documents by 2024.
Shannon proved that only onetimepad encryption can achieve secure message exchange. This requires a symmetric key distribution between the two communicating parties, and the key distribution protocol must be secure; then, both parties can use the symmetric key to encrypt and decrypt messages. In the process of key distribution, the identity legitimacy of both parties must be guaranteed, which is realized by authentication. Conventional encryption and authentication methods do not have provable security and will be vulnerable against Shor algorithm with a quantum computer. PQC can be used for both encryption and authentication and is believed to be secure against Shor algorithm. However, PQC is still not an information theoretically secure method, and it is still an open question whether PQC is secure against other classical or quantum algorithm except for Shor algorithm. Therefore, it is believed that PQC is good for shortterm security (e.g., authentication) but not for longterm security (e.g., key for coding information). Here, we combine PQC and QKD to achieve the shortterm security of authentication and longterm security of keys, and then secure message exchange can be realized with the symmetric keys and onetimepad encryption.
Results
QKD authentication methods
QKD includes the quantum channel that transmits photons and the classical channel used in post data processing. The unconditional security of QKD does not require the classical channel to be confidential, but requires it to be authenticated; otherwise, a maninthemiddle attack will occur. The attacker can completely obtain the keys of both parties without being discovered, as shown in Fig. 1a. The processes of QKD that require authentication include: basis sifting, error correction verification, random number transfer needed for privacy amplification, and final key verification^{21}. QKD requires twoway authentication between the two parties.
The current secure authentication method is to preshare a small amount of symmetric seed keys and encrypt (sign) and decrypt (verify) the hash value of classical messages^{21}, as shown in Fig. 1b. Later, the generated quantum key can be used for authentication. This method can guarantee the information theoretical secure authentication; however, when the number of QKD network users is large, this method is not easy to operate and has the following problems. On the one hand, for a network with two arbitrary users connected, if the number of users is n, then the number of preshared key pairs m is
Symmetric keys are generally preshared face to face. When the number of users is relatively large, the burden of presharing keys is heavy and inefficient. For example, if n = 100, then m = 4950. At the same time, each user needs to store the authentication key pairs with all other users. The storage, synchronization and management of so many key pairs will increase the complexity and security risk of the network. One solution is to use a trusted relay to form a startype network, each user connects and preshares one key pair only with the trusted relay^{17,22}, but this reduces the interconnection between users. Moreover, when new users join a QKD network, they need to preshare symmetric keys with the trusted relay or the original users on demand. If the new user’s QKD task is urgent, it may be too late to distribute the authentication key pairs.
Another type of secure authentication method is to use the postquantum public key algorithm and public key infrastructure (PKI)^{23}, as shown in Fig. 1b, c. Each user receives a digital certificate signed by a trusted certification center, which contains his/her identity, public key and other items required by the PKI standard. For a network of n users, the number of digital certificates issued is n. If a new user joins the QKD network, he/she needs to obtain only a digital certificate. Therefore, the authentication based on the public key algorithm can solve the problems of presharing symmetric keys. As long as the PQC algorithm is secure during the authentication process, the security of this round of authentication and the key generated by QKD can be guaranteed. Even if the PQC algorithm is cracked in the future, the security of the previous authentication and keys will not be affected; thus, we need to assume only the shortterm security of PQC. This is different from using the PQC algorithm for confidentiality or key distribution, which requires longterm security of the PQC algorithm. Here, we verify the application of PQC in QKD authentication, which greatly improves the operability and efficiency of the QKD authentication process.
PQC algorithm and authentication protocol
The PQC algorithm we used is AigisSig^{24}, an efficient latticebased digital signature scheme from variants of the learning with errors (LWE)^{25} and small integer solutions (SIS)^{26} problems. It has been shown that these two problems are at least as hard as some worstcase lattice problems (e.g., GapSIVP) for certain parameter choices^{27,28,29}. Therefore, the postquantum security of AigisSig algorithm is based on the conjectured quantum resistance of the underlying lattice problems. Furthermore, it has not been found that quantum algorithms have substantial advantages (beyond polynomial speedup) over classical ones in solving lattice problems.
Our authentication protocol adopts a PKI enhanced with postquantum secure AigisSig as shown in Fig. 1c. The transmitter and the receiver exchange their certificates with each other, and they sign the message digest with private keys and verify the signatures with public keys. To prevent the replay attack, we introduce the nonce in our authentication protocol, which is a random number generated by Intel chips. We exchange the nonces together with the certificates and concatenate the nonce with the message digest together as our signing message. Note that we implemented twoway authentication in the QKD data processing.
QKD network authentication
We realized the application of PQC in the QKD pointtopoint link, with fiber distances from 10 to 100 km. Figure 2 shows the key rates as a function of the fiber length. It can be seen that the key rates decrease exponentially with the fiber length, which is consistent with the theoretical expectation. We compared the key rates at the same fiber length using the preshared key authentication and the postquantum algorithm authentication, and the difference between the average key rates of the two cases is <1 standard deviation. This is because the execution time of postquantum algorithm authentication is <1 ms (see the “Methods” section), far less than one authentication cycle of the QKD system, which is ≥1 s. In the experiment, we also deliberately set the PQC algorithm to feed back that the authentication failed, and as a result, the QKD system discards the keys for these periods. This indicates that the PQC authentication is working properly.
QKD networks can generally be divided into two types: allpass network and trusted relay network. For the allpass network, users are connected by optical switches (OSs). To achieve an arbitrary connection between users, each user must have a QKD transmitter and a receiver. We built an allpass network for four users, connected by an optical switch, as shown in Fig. 3a. The network can realize two typical topological relationships, i.e., a ring connection and a cross connection, as shown in Fig. 3b and c, respectively. We verified the application of PQC authentication in these two kinds of allpass networks. The experimental results are shown in Table 1. We note that because the performances of different QKD devices are not exactly the same, their key rates and QBERs are different under the same fiber lengths. Using PQC authentication, we also demonstrated the QKD relay network (see Supplementary Note 1, Supplementary Fig. 1 and Supplementary Table 1).
The above results verify the feasibility of the PQC algorithm for QKD network authentication. To demonstrate the efficiency of PQC authentication, we built two trusted relay networks and connected them to simulate the QKD metropolitan area network. They can be located on both sides of a city. Each relay network contains five user nodes, with a total of 10 users in the entire network, as shown in Fig. 3d.
When using preshared key authentication, a trusted relay is usually needed to manage preshared keys at the cost of reducing the interconnection. With PQC authentication, the trusted relay can be replaced with an optical switch to realize arbitrary interconnection. Each user needs only one digital certificate for authentication, instead of presharing \({C}_{10}^{2}=45\) pairs of symmetric keys, as shown in Fig. 3e. The interconnectivity of the QKD network has been greatly improved. To illustrate this point, in the experiment, we compared the QKD results of three pairs of users U1–U3, U5–U6, and U8–U10 in two cases, as shown in Table 2. Moreover, with the PQC authentication, users need to trust only the CA, reducing the security dependence on multiple trusted relays, which can improve the actual security of the entire network.
In the experiment, two new users U11 and U12 join the QKD network, as shown in Fig. 3e. If preshared key authentication is used, for the relay network, new users need to preshare keys with the relay, and can perform QKD only with the relay, and not with other users. For the allpass network, each new user needs to preshare 10 pairs of symmetric keys with 10 original users and 1 pair of keys between the two new users. A total of 21 pairs of keys need to be preshared to achieve a connection between any two users. In contrast, if PQC authentication is adopted, trusted relays can be replaced with OSs. Each new user needs to apply for only one digital certificate, and a total of two digital certificates is sufficient to realize the connection of any two users. This greatly increases the accessibility of the network and the interconnection for new users. After U11 and U12 receive digital certificates, we demonstrate the QKD between U11–U2, U11–U7, U12–U4, U12–U9, and U11–U12. The results are shown in Table 3.
Finally, we tested the stability of PQC authentication with a pair of QKD devices. The fiber length is 40 km, and it has been running continuously for 30 h. The PQC program keeps running normally, and the QKD systems continuously generate keys (see Supplementary Note 2, Supplementary Figs. 2 and 3).
Discussion
In summary, we used the latticebased postquantum digital signature algorithm AigisSig, combined with the PKI, to achieve efficient and quantum secure authentication of QKD. Since the AigisSig algorithm is highly computationally efficient, it does not affect the performance of QKD, such as the key rate. We experimentally verified the feasibility of its application in a metropolitan QKD relay network and an allpass network. With PQC authentication, the trusted relay in the QKD network can be replaced with an optical switch. Each user needs to apply for only one digital certificate through the PKI to realize a direct connection between any two users. We note that when the distance between the two parties of QKD exceeds the pointtopoint tolerable distance, the trusted relay cannot be replaced with an optical switch. Moreover, when a new user joins the network, he/she needs only to obtain a digital certificate, instead of distributing symmetric keys with all other users, and can immediately establish a QKD connection. Compared with the preshared key authentication, PQC authentication has obvious operability and efficiency advantages. Furthermore, if the number of trusted relays is fewer, the security dependence on trusted relays in the network can be reduced, thus improving the security of the entire QKD network. We also verified the longterm stability of PQC authentication.
Methods
QKD setup
In the experiment, we used the BB84 protocol combined with the decoy state method^{30}, with polarization encoding. The system operating frequency was 625 MHz, and the source was weak coherent states of an attenuated laser. We used polarization beam splitters (PBSs) to generate four polarization states: horizontal and vertical states and 45° and −45° aligned states, which are encoded as 0, 1, 0, and 1, respectively. Alice launches the signal states, weak decoy states, and vacuum decoy states with a probability ratio of 6:1:1, and the average photon numbers of signal and weak decoy states are 0.6 and 0.2, respectively. We used a mechanical optical switch. Its switching time is <10 ms, and the insertion loss is ~1.0 dB. In the experiment, singlephoton detectors based on InP/InGaAsP avalanche photodiodes were used, and they worked in gated mode with a detection efficiency of 12% and a dark count rate of 1 × 10^{−6} per clock cycle. To reduce the probability of afterpulsing, we set the dead time of the detectors to 500 ns. The QKD transmitter and the QKD receiver were synchronized by periodic pulsed light. The synchronous light was transmitted with the quantum signal light via a single optical fiber through wavelengthdivision multiplexing. The QKD systems used the SM3 hash algorithm to generate digest values of 256 bits for the messages to be authenticated and then output them to the PQC program. The finitekey effect was considered in the data processing.
The PQC algorithm: Aigis.Sig
In general, a latticebased PQC signature is slightly more complicated than its classic counterparts such as RSA and ECDSA. We briefly introduce our PQC digital signature algorithm Aigis.Sig, which is based on the “FiatShamir with Aborts” technique and can be seen as a variant of the NIST PQC round3 finalist CRYSTALSDILITHIUM.
Preliminary
Let \({R}_{q}={\mathbb{Z}}[X]/({X}^{n}+1)\) denote the quotient ring containing all polynomials over the \({{\mathbb{Z}}}_{q}\) in which X^{n} is identified with −1. Let Hash( ⋅ ) denote a hash function. Let ∣∣ ⋅ ∣∣_{∞} denote the maximum norm. Let HighBits(r, α) = ⌊r/α⌋ and \({\rm{LowBits}}(r,\alpha )=r\ {\rm{mod}}\ \alpha\) denote the higherorder and lowerorder bits of r with respect to the divisor α, respectively. S_{η} denotes the set of ring elements of R, where each coefficient is taken from the set {−η, −η + 1, …, η} for some positive integer η ≪ q. Let n, q, k, l, η, γ_{1}, γ_{2}, β denote other parameters. We can now describe the key generation, signature signing and verification algorithms by Algorithms 1, 2, and 3, respectively. The procedure has at least 128bit quantum security (against any quantum algorithms who attempt to forge a valid signature) based on the underlying quantum hardness of the lattice problems, and the correctness is ensured in the sense that any legitimate signature can be correctly verified by the verification algorithm. Finally, we remark that the “repeat until” subroutine in the signature algorithm represents the “rejection sampling” technique, which is necessary to sample from the desired distribution for security purposes and takes only up to a handful of trials.
The PQC authentication algorithm, which includes the key generation, signature, and verification algorithms, is as follows:
We implement the PQC algorithm in Windows 10 64bit, Intel(R) Core(TM) i79750H CPU @2.60 GHz, 8 GB RAM. The average CPU cycle of signature generation is 459,903. The average CPU cycle of signature verification is 104,337. The signature size is 2445 bytes. The real execution time is <1 ms.
Timing diagram
The timing diagram of the sequence and durations of the authentication and QKD processes is shown in Fig. 4. In our experiment, the photon transmission and detection and the basis sifting were performed continuously, while the basis sifting authentication was executed once per second for the basis sifting messages of the previous second. Then, error correction, privacy amplification and the corresponding authentication processes were carried out within 300 ms. However, they were not necessarily executed every second but were determined by the amount of data after base sifting, which is related to the distance of the fiber and the link loss. After error correction, there are three authentication processes: error correction verification, authentication of random number transfer, and final key verification.
Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
Code availability
The code that support the findings of this study are available from the corresponding author upon reasonable request.
References
Arute, F. et al. Quantum supremacy using a programmable superconducting processor. Nature 574, 505–510 (2019).
Shor, P. W. Algorithms for quantum computation: discrete logarithms and factoring. In Proc. 35th Annual Symposium on Foundations of Computer Science (ed. Goldwasser, S.) 124–134 (IEEE, 1994).
Grover, L. K. A fast quantum mechanical algorithm for database search. In Proc. 28th Annual ACM Symposium on Theory of Computing, 212–219 (1996).
Boudot, F. et al. Comparing the difficulty of factorization and discrete logarithm: a 240digit experiment. In The 40th Annual International Cryptology Conference (Crypto 2020), Advances in Cryptology—CRYPTO (eds Micciancio, D. & Thomas, R.) (Springer, 2020).
Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002).
Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proc IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, 175–179 (IEEE, 1984).
Ekert, A. K. Quantum cryptography based on Bell theorem. Phys. Rev. Lett. 67, 661 (1991).
Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301 (2009).
Xu, F., Ma, X., Zhang, Q., Lo, H.K. & Pan, J.W. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92, 025002 (2020).
Islam, N. T., Lim, C. C. W., Cahall, C., Kim, J. & Gauthier, D. J. Provably secure and highrate quantum key distribution with timebin qudits. Sci. Adv. 3, e1701491 (2017).
Chen, J.P. et al. Sendingornotsending with independent lasers: Secure twinfield quantum key distribution over 509 km. Phys. Rev. Lett. 124, 070501 (2020).
Fang, X.T. et al. Implementation of quantum key distribution surpassing the linear ratetransmittance bound. Nat. Photonics 14, 422–425 (2020).
Yin, J. et al. Entanglementbased secure quantum cryptography over 1,120 kilometres. Nature 582, 501–505 (2020).
Peev, M. et al. The SECOQC quantum key distribution network in Vienna. N. J. Phys. 11, 075001 (2009).
Chen, T. Y. et al. Metropolitan allpass and intercity quantum communication network. Opt. Express 18, 27217 (2010).
Sasaki, M. et al. Field test of quantum key distribution in the Tokyo QKD network. Opt. Express 19, 10387 (2011).
Fröhlich, B. et al. A quantum access network. Nature 501, 69 (2013).
Wang, S. et al. Field and longterm demonstration of a wide area quantum key distribution network. Opt. Express 22, 21739–21756 (2014).
Liao, S.K. et al. Satelliterelayed intercontinental quantum network. Phys. Rev. Lett. 120, 030501 (2018).
Chen, L. et al. Report on Postquantum Cryptography. Technical Report NISTIR 8105 (National Institute of Standards and Technology, 2016).
Fung, C.H. F., Ma, X. & Chau, H. F. Practical issues in quantumkeydistribution postprocessing. Phys. Rev. A 81, 012318 (2010).
Hughes, R. J. et al. Networkcentric quantum communications with application to critical infrastructure protection. Preprint at http://arxiv.org/abs/quantph/1305.0305 (2013).
Mosca, M., Stebila, D. & Ustaoğlu, B. Quantum key distribution in the classical authenticated key exchange framework. In PostQuantum Cryptography (ed. Gaborit, P.) 136–154 (Springer, 2013).
Zhang, J., Yu, Y., Fan, S., Zhang, Z. & Yang, K. Tweaking the asymmetry of asymmetrickey cryptography on lattices: kems and signatures of smaller sizes. In IACR International Conference on PublicKey Cryptography, 37–65 (Springer, 2020).
Regev, O. On lattices, learning with errors, random linear codes, and cryptography. In Proc. 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22–24, 2005 (eds Gabow, H. N. & Fagin, R.) 84–93 (ACM, 2005).
Ajtai, M. Generating hard instances of lattice problems (extended abstract). In Proc. 28th Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996 (ed. Miller, G. L.) 99–108 (ACM, 1996).
Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56, 34:1–34:40 (2009).
Peikert, C. Publickey cryptosystems from the worstcase shortest vector problem: extended abstract. In Proc. 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009 (ed. Mitzenmacher, M.) 333–342 (ACM, 2009).
Gentry, C., Peikert, C. & Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008 (ed. Dwork, C.) 197–206 (ACM, 2008).
Ma, X. F., Qi, B., Zhao, Y. & Lo, H. K. Practical decoy state for quantum key distribution. Phys. Rev. A 72, 012326 (2005).
Acknowledgements
This work was supported by the National Key R&D Program of China (Grant No. 2017YFA0304000), the National Natural Science Foundation of China (Grant No. 62001414), the Chinese Academy of Sciences (CAS), the Shanghai Municipal Science and Technology Major Project (Grant No. 2019SHZDZX01), the Anhui Initiative in Quantum Information Technologies, and the Yunnan Fundamental Research Project (Grant No. 202001BB050028) and the Major Science and Technology Project (Grant No. 2018ZI002).
Author information
Authors and Affiliations
Contributions
Q.Z., Y.Y. and J.W.P. conceived the research and designed the experiments. L.J.W., K.Y.Z., J.Y.W., J.C., Y.H.Y., S.B.T., Y.L.T., Y.Y. and Q.Z. prepared the setup and implemented the experiments. K.Y.Z., Y.Y., D.Y., and Z.L. designed the PQC algorithm and developed the software. L.J.W., K.Y.Z., D.Y., Y.Y., Q.Z. and J.W.P. analyzed the data and wrote the manuscript. L.J.W. and K.Y.Z. contributed equally to this work. All authors discussed the results and reviewed the manuscript.
Corresponding authors
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Supplementary information
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, LJ., Zhang, KY., Wang, JY. et al. Experimental authentication of quantum key distribution with postquantum cryptography. npj Quantum Inf 7, 67 (2021). https://doi.org/10.1038/s41534021004007
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/s41534021004007
This article is cited by

A survey on latticebased digital signature
Cybersecurity (2024)

Recent progress in quantum photonic chips for quantum communication and internet
Light: Science & Applications (2023)

A construction of post quantum secure authenticated key agreement design for mobile digital rights management system
Multimedia Tools and Applications (2023)

A short review on quantum identity authentication protocols: how would Bob know that he is talking with Alice?
Quantum Information Processing (2022)

Leveraging the hardness of dihedral coset problem for quantum cryptography
Quantum Information Processing (2022)