Implementation of a 46-node quantum metropolitan area network

Quantum key distribution (QKD) enables secure key exchanges between two remote users. The ultimate goal of secure communication is to establish a global quantum network. The existing field tests suggest that quantum networks are feasible. To achieve a practical quantum network, we need to overcome several challenges including realizing versatile topologies for large scales, simple network maintenance, extendable configuration and robustness to node failures. To this end, we present a field operation of a quantum metropolitan-area network with 46 nodes and show that all these challenges can be overcome with cutting-edge quantum technologies. In particular, we realize different topological structures and continuously run the network for 31 months, by employing standard equipment for network maintenance with an extendable configuration. We realize QKD pairing and key management with a sophisticated key control centre. In this implementation, the final keys have been used for secure communication such as real-time voice telephone, text messaging and file transmission with one-time pad encryption, which can support 11 pairs of users to make audio calls simultaneously. Combined with intercity quantum backbone and ground–satellite links, our metropolitan implementation paves the way toward a global quantum network.


INTRODUCTION
The ultimate goal of quantum key distribution (QKD) [1,2] is to construct a global quantum network, wherein all communication traffic has information-theoretical security guarantees. A global QKD network consists of two main types of links: the ground network (mainly fibre based) and the satellite network (mainly free-space based). The ground network can be further divided into backbone, metropolitan, and access networks, which cover intercity distances, metropolitan distances, and fibre-to-the-home distances, respectively. The feasibility of QKD between two users has been extensively studied, for example, through long-distance free space [3], telecom fibres [4], and simulated ground-satellite links [5,6]. Field tests of QKD networks have been realised, including the three-user network by DARPA (2003) [7], the six-node SECOQC network in Europe (2008) [8], SwissQuantum network (2009) [9], the USTC network [10], the six-node mesh-type network in Tokyo (2011) [11], and the small-scale metropolitan all-pass and inter-city quantum network [12,13]. The satellite network is a promising way to realise intercontinental secure communication due to the low transmission attenuation in space. The satellite can serve as a trusted relay, connecting remote user nodes or sub-networks [14]. Recently, a large-scale satellite network has been implemented [15], consisting of four metropolitan-area networks, a backbone network and two satellite-ground links. Here, we summarize the existing network implementations in Table I. For a full review of the subject, one can refer to the recent review article [16] and references therein.
Nevertheless, these QKD experiments and networks are still preliminary demonstrations at limited scales of fewer than ten nodes, which is insufficient for meeting the demands of actual metropolitan communication. Furthermore, realising a practical QKD network is not simply a matter of extending the number of nodes; many scientific and practical issues, such as (a) network topology, (b) network scalability, (c) key management, (d) practical applications, and (e) network robustness, need to be considered. Thus far, realising a practical large QKD network still remains a major challenge in quantum communication.

TABLE I. Existing QKD network implementations.
Network             Nodes   Running time (order of magnitude)   Topology          Key rate (at max distance/loss)
DARPA [7]           6       unknown                             tree              0.5 kbps (10.2 km)
SECOQC [8]          6       hour                                mesh              3.1 kbps (33 km)
SwissQuantum [9]    3       year                                fully-connected   1 kbps (17.1 km)
Tokyo [11]          6       year                                mesh              2.2 kbps (90 km)
USTC [10]           5       unknown                             star              0.4 kbps (14.8 dB)
USTC [12]           3       week                                fully-connected   1.5 kbps (20 km)
USTC [13]           5       week                                star              0.2 kbps (130 km)
USTC [15]           109     year                                mesh

In this work, we construct a 46-node quantum metropolitan area network throughout the city of Hefei, which connects 40 user nodes, three trusted relays, and three optical switches, as shown in Fig. 1. The network covers the entire urban area and connects several major organizations in the city districts, including governments, banks, hospitals, universities, and research institutes. In our network, we (a) implement versatile connection topologies for different hierarchies of users, (b) use standard equipment with a scalable configuration, (c) integrate systematic key management, (d) realise various robust application modules, and (e) deal with node failures. As a result, we address the major challenges in realising a large-scale practical QKD network.

Network topology
We first review the basic topological structures in a network. There are three general ways of connecting and distributing keys between users in a quantum network. The most robust method uses a fully connected topology. Here, each user is directly connected to every other user in the network. This type of network contains no relays; hence it is robust against a single point of failure, and the users do not need to trust one another. That is to say, a system failure or dishonest user would not affect the communication between other users. The main drawback of this type of network is that the number of links (and cost) of a fully connected network increases quadratically with the number of users. Thus, such a network is typically used for connections between a small number of major nodes.
Alternatively, the user nodes can also be connected via a central switch (relay). In this star-like network, the number of links increases linearly with the number of users. In addition, the users do not need to trust each other or the relay. Because the switch only transfers quantum signals, users can execute QKD protocols as if they are directly connected. The drawback of this type of network is that it is not robust against a single point of failure. That is to say, if the switch relay fails, the entire network will be brought down. The transmission distance of quantum signals is twice the length of the link between the users and the switch; hence this kind of network is typically used for local connections.
In the star-like topology, we can replace the switch with a trusted node. In this trusted node network, every user runs QKD protocols with a central relay, and two users can combine their keys between the central relay to form their own keys. In QKD, the secure key transmission distance is limited; thus, the size of a directly communicated quantum network is also limited. However, the size of the network can be extended by the introduction of trusted relays. Two distant users could also build secure keys with the help of a sufficient number of trusted relays. In practice, the Shanghai-Beijing backbone employs this technique to scale the QKD distance. The disadvantage of this type of network is that the users need to trust the relay. To construct a global quantum network, it is important to realize different topological structures in practice.
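The trust requirement of the trusted-node topology can be made concrete with a short simulation. This is an added Python example, not code from the paper: it assumes the end-to-end key is forwarded hop by hop under a one-time pad with each link's QKD key (a common way to combine link keys, which the text does not spell out), and the class and function names are hypothetical. Node names follow FIG. 1.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """One-time pad: the pad must be exactly as long as the data."""
    if len(a) != len(b):
        raise ValueError("pad and data must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class LinkKeyPool:
    """Key bytes that one QKD link has delivered to both of its end points.

    secrets.token_bytes stands in for QKD output (constructed data).
    """

    def __init__(self, nbytes: int):
        self._buf = bytearray(secrets.token_bytes(nbytes))

    def take(self, n: int) -> bytes:
        # Pad bytes are removed after use so that they are never reused.
        if n > len(self._buf):
            raise RuntimeError("link key pool exhausted")
        pad = bytes(self._buf[:n])
        del self._buf[:n]
        return pad

    def remaining(self) -> int:
        return len(self._buf)


def relay_key(path, pools, nbytes=32):
    """Carry a fresh end-to-end key from path[0] to path[-1] hop by hop.

    Returns (key_at_source, key_at_destination, ciphertexts_on_wire,
    nodes_that_held_the_key_in_clear).
    """
    key = secrets.token_bytes(nbytes)
    held = key
    wire, exposed = [], []
    for sender, receiver in zip(path, path[1:]):
        pad = pools[frozenset((sender, receiver))].take(nbytes)
        cipher = xor(held, pad)       # sent over the classical channel
        wire.append(cipher)
        held = xor(cipher, pad)       # receiver strips the link pad
        if receiver != path[-1]:
            exposed.append(receiver)  # an intermediate relay now knows the key
    return key, held, wire, exposed


# Constructed scenario: UB-13 hangs off TR-2, UB-18 hangs off TR-3,
# and the two trusted relays share a direct link.
PATH = ["UB-13", "TR-2", "TR-3", "UB-18"]


def demo():
    pools = {frozenset(p): LinkKeyPool(64) for p in zip(PATH, PATH[1:])}
    src, dst, wire, exposed = relay_key(PATH, pools)
    left = {tuple(sorted(k)): v.remaining() for k, v in pools.items()}
    return src == dst, exposed, left, len(wire)


if __name__ == "__main__":
    print(demo())
```

Every hop consumes as much link key as the key being relayed, and each relay on the path holds that key in the clear, which is why its compromise breaks confidentiality for every user pair routed through it.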
Our network consists of three sub-networks located at USTC, QuantumCTek, and the City Library, which are distributed approximately 15 km apart. The longest fibre connecting the east and west end-users is approximately 45 km, and that connecting the south and north end-users is approximately 42 km. The longest direct distance between two users in the network is approximately 18 km. We realise two basic types of topological connection structures, including the full connection between the three subnetworks and the star-like connection for local access networks. The fully connected topology is applied to guarantee the robustness between the most important users, while the star-like connection is used for a more efficient network connection. At the center of the star-like subnetwork, we either use a trusted node or an optical switch for different scenarios depending on the needs and distribution of the users.
The trusted node can be regarded as a classical router that assigns classical keys between users. The all-pass optical switches act as quantum routers that redistribute quantum signals. Any two users connected to the same switch can communicate directly without interfering with other users. In the experiment, we made use of two types of optical switches. One is the 4×8 switch where four 1×8 optical switch modules and eight 1×4 modules are connected. This type of switch module comprises 4 input and 8 output ports, forming a 4 × 8 connecting matrix. The other is the 16-port all-pass optical switch where sixteen 1 × 15 optical switch modules are connected to form an optical path. When this 16-port switch is fully connected, it enables 8 pairs of users to communicate simultaneously. In our experiments, the losses of all these optical switches are below 1.2 dB, which are much lower than the channel isolation (50 dB).

Standard QKD equipment
In our network, we used the polarization-encoding BB84 QKD protocol [17,18,19] with a vacuum+weak decoy-state method [20] to generate secret keys between directly connected users and trusted relays. Two users could generate keys if one of them had a quantum transmitter and the other had a quantum receiver. As a quantum receiver is generally more expensive than a quantum transmitter, not all users in this network possessed quantum receivers. However, everyone had at least a quantum transmitter and was thus able to transmit signals. In this case, there were two types of users in this network: users directly connected to a switch have both a quantum transmitter and a receiver, and users directly connected to a trusted relay have only a quantum transmitter. There were, correspondingly, two types of equipment: one only for transmitting signals and the other for transmitting and receiving signals at the same time.
Standard transmitters and receivers are applied in our network, whose internal structures are shown in Fig. 2. In the transmitters, we use 14-pin butterfly distributed feedback lasers with central wavelength 1550 nm. Polarization states $\{|H\rangle, |V\rangle, |+\rangle, |-\rangle\}$ are produced with four different lasers, where each one can produce three different intensity pulses corresponding to the signal, decoy, and vacuum states. Before key generation, a time calibration between the source and the single-photon detectors as well as polarization feedback is performed. In general, the calibration is more efficient with strong pulses. It will take more time to complete the calibration for longer transmission distance but no more than 5 minutes. The calibration process makes our network robust against environmental disturbances. After basis reconciliation and error correction, privacy amplification is performed after 256 kbit per second (kbps) keys are accumulated. Based on a field-programmable gate array (FPGA), the Winnow algorithm [21] is used for error correction, with a correction efficiency of 1.3 to 1.5. Then, privacy amplification is performed using an FPGA-implemented Toeplitz matrix hash operation [22], which is constructed from true random numbers shared by the transmitter and receiver devices. The standardization of the QKD equipment can greatly reduce the number of devices required, allowing the number of devices to scale linearly with the number of user nodes.

Key management
A key management strategy enables the users whose keys are running out to generate keys with high priority. We realise systematic key management for our network by designing a switching strategy. The strategy is determined by the amount of keys stored in the local memories of the users. The user with the least key amount has priority in the queue for key distribution. Here we take the 16-port all-pass optical switch mentioned above as an example. Since it can be connected to 16 users, there are a total of $\binom{16}{2} = 120$ possible key pairing schemes by which two users are connected for the following QKD process. The queuing process for the key pairing scheme is determined by the Roll-Call-Polling protocol that judges the amount of keys between users. When the key amounts of all devices are the same, QKD pairing is sequentially performed in the order of the network ID. For arbitrary communication partners, the latency for key pairing is heuristically set to be 10, 15 or 30 minutes according to experience. Then the optical paths of the optical switch are connected, and the QKD process begins. Such a pairing process will repeat whenever there are QKD tasks. The switching time can be configured, ranging from 10 to 60 minutes. If two users in different subnetworks wish to perform QKD, they first generate keys with intermediate nodes and then swap them. After key generation is activated, the user can obtain secure keys within 5 minutes, which are stored in local memories.
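The pairing rule described above can be sketched as a small scheduler. This is an added Python example, not the key control centre's actual code: it assumes that priority is judged per user pair by the amount of key the pair still holds, that ties are broken by network ID, and that one switching period connects at most 8 disjoint pairs on the 16-port switch. All function names and the sample IDs are hypothetical.

```python
from itertools import combinations

MAX_PAIRS = 8  # a fully connected 16-port switch serves 8 pairs at once


def all_pairs(ids):
    """Every unordered pairing of users on one switch, in network-ID order."""
    return list(combinations(sorted(ids), 2))


def schedule_round(stock, ids, max_pairs=MAX_PAIRS):
    """Choose the pairs to connect during the next switching period.

    stock maps (low_id, high_id) -> bits of key the pair still holds;
    a pair missing from stock holds no key yet.
    """
    # Least key first; equal amounts fall back to network-ID order.
    ranked = sorted(all_pairs(ids), key=lambda p: (stock.get(p, 0), p))
    busy, chosen = set(), []
    for a, b in ranked:
        if a in busy or b in busy:
            continue  # a port cannot be in two optical paths at the same time
        chosen.append((a, b))
        busy.update((a, b))
        if len(chosen) == max_pairs:
            break
    return chosen


def run_rounds(stock, ids, rounds, yield_bits):
    """Apply several switching periods; each served pair gains yield_bits."""
    history = []
    for _ in range(rounds):
        chosen = schedule_round(stock, ids)
        for pair in chosen:
            stock[pair] = stock.get(pair, 0) + yield_bits
        history.append(chosen)
    return history


def consume(stock, a, b, bits):
    """One-time-pad traffic between a and b uses up key and raises priority."""
    pair = (min(a, b), max(a, b))
    if stock.get(pair, 0) < bits:
        raise RuntimeError("not enough key for this message")
    stock[pair] -= bits


IDS = list(range(1, 17))  # constructed network IDs for a 16-port switch

if __name__ == "__main__":
    stock = {p: 1000 for p in all_pairs(IDS)}
    consume(stock, 9, 5, 990)          # heavy traffic drains one pair
    print(len(all_pairs(IDS)), schedule_round(stock, IDS))
```

Because one-time-pad traffic depletes key at the message rate, a scheduler of this kind is also where key exhaustion shows up first: a pair that consumes faster than it is served stays at the head of the queue.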
Since our network is scalable, we also need to consider the key management for new users. To join the network, a new user should first send a heartbeat frame from their QKD device to the key management server, i.e., its upstream optical switch or trusted relay node. A sequence of 32 kbit initial keys with the trusted relay or optical switch is used for authentication. The authentication is implemented by the HMAC algorithm based on the symmetric key algorithm SM4 [23], which does not provide information-theoretic security. Within 2 minutes after power-on, the QKD device is connected to the network. Then, the device is in the queue for key generation.

Security analysis
We follow the standard decoy state BB84 security analysis [18,20] and its finite size analysis [24]. The secret key rate of the BB84 protocol is given by [18,25], where $f$ is the error correction efficiency, $\mu$ is the mean photon number per pulse for a signal state, $Q_\mu$ is the overall gain for the signal states, $E_\mu$ is the quantum bit error rate (QBER), $Y_1$ and $e_1^p$ are the yield and phase error rate of the single photon component, and $H(p) = -p \log_2 p - (1 - p) \log_2 (1 - p)$ is the binary Shannon entropy function. The single photon yield and phase error rate can be well estimated by the decoy state method [18]. In fact, only three intensities (signal, weak decoy and vacuum) are enough to give tight bounds [20], as implemented in our network.
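An added Python example (not from the paper) that evaluates the standard asymptotic decoy-state BB84 rate, R >= q{-f Q_mu H(E_mu) + Q_1 [1 - H(e_1)]} with Q_1 = Y_1 mu exp(-mu), using the usual vacuum+weak decoy bounds on Y_1 and e_1 and the device parameters quoted on this page. The lossy-channel model, the background yield Y_0, f = 1.4, q = 1/2 and all function names are assumptions of the example, and finite-size effects are ignored.

```python
import math

# Parameters stated on the page.
MU, NU = 0.6, 0.2      # mean photon numbers: signal, weak decoy
ETA_DET = 0.10         # detection efficiency
E_D = 0.005            # optical misalignment (0.5%, the stated upper value)
REP_RATE = 40e6        # pulses per second
P_SIGNAL = 6 / 8       # signal : decoy : vacuum = 6 : 1 : 1
# Assumptions made for this example.
Y0 = 1e-6              # the page's dark count taken as the background yield
E0 = 0.5               # background clicks are random
F_EC = 1.4             # inside the stated 1.3 to 1.5 range
Q_SIFT = 0.5           # balanced basis choice


def h2(p):
    """Binary Shannon entropy H(p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def observables(intensity, loss_db):
    """Gain and error gain for a lossy channel without an eavesdropper."""
    eta = ETA_DET * 10 ** (-loss_db / 10)
    click = 1 - math.exp(-eta * intensity)
    return Y0 + click, E0 * Y0 + E_D * click


def decoy_bounds(loss_db):
    """Lower bound on Y_1 and upper bound on e_1 from vacuum + weak decoy."""
    q_mu, _ = observables(MU, loss_db)
    q_nu, eq_nu = observables(NU, loss_db)
    y1 = (MU / (MU * NU - NU ** 2)) * (
        q_nu * math.exp(NU)
        - q_mu * math.exp(MU) * NU ** 2 / MU ** 2
        - (MU ** 2 - NU ** 2) / MU ** 2 * Y0
    )
    if y1 <= 0:
        return 0.0, 0.5            # no usable single-photon contribution
    e1 = (eq_nu * math.exp(NU) - E0 * Y0) / (y1 * NU)
    return y1, min(e1, 0.5)        # an error rate above 1/2 carries no key


def key_rate_per_pulse(loss_db):
    q_mu, eq_mu = observables(MU, loss_db)
    y1, e1 = decoy_bounds(loss_db)
    q1 = y1 * MU * math.exp(-MU)   # gain of the single-photon component
    r = Q_SIFT * (-F_EC * q_mu * h2(eq_mu / q_mu) + q1 * (1 - h2(e1)))
    return max(r, 0.0)


def key_rate_bps(loss_db):
    """Secret bits per second, counting only the signal pulses."""
    return REP_RATE * P_SIGNAL * key_rate_per_pulse(loss_db)


if __name__ == "__main__":
    for loss in (4.1, 10.0, 20.0, 60.0):   # 4.1 dB is the FIG. 5 link loss
        print(loss, decoy_bounds(loss), round(key_rate_bps(loss)))
```

The result is an idealised upper figure for a link that runs QKD continuously; the rates reported for the network are averages under polling and calibration, so they are expected to be lower.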
In the finite-size case, there will be deviations in the estimations of the parameters above due to statistical fluctuations. The main finite-size effect comes from the phase error rate estimation [24]. Suppose we use Z-basis states to generate key; then the single photon phase error rate in this basis, $e_1^{pz}$, is bounded by the single photon bit error rate in the X basis, $e_1^{bx}$, and a small deviation $\theta$ optimized according to experimental data [24], with a failure probability of where $n_x$ and $n_z$ are the numbers of bits measured in the X and Z bases, respectively, and $H(e_1^{bx} + \theta)$. There will also be failure probabilities in other steps including the authentication, error verification, and privacy amplification. These failure probabilities are functions of the secure key consumption in the corresponding steps, and are additive due to the composable security. In Supplementary Note 2, we show how to calculate the finite-size key rate in detail.

Application
For applications of our network, users could make use of the generated secure keys to confidentially transfer information. The message is encoded in FPGA modules with an exclusive-or (XOR) operation on the secure keys. We apply our network to transmit encrypted information such as real-time voice telephone, instant messaging, and digital files with the one-time pad encryption method [26]. The total amount of information to be encrypted is 10 Gbits. The encryption speed is 800 Mbps. The total delay in the encryption process is less than 50 µs. In our network, the speed of real-time voice telephone was 2.4 kbps, and the speed of file transmission was 320 kbps. The capacity of our network is tested for 50 minutes, as shown in Fig. 3. 22 users simultaneously made calls in the quantum network for 6 minutes (see Supplementary Note 1 for more details).

Network robustness
In addition, the stability and robustness of the network were tested by running continuously for 31 months. We choose some representative nodes and show the key rates versus time in Fig. 4. The key rate results are summarized in Table II, ranging from 6 to 60.5 kbps. Since the Hefei network is based on the Roll-Call-Polling protocol, the results are all average key rates during the QKD process. The key rate fluctuation mainly comes from the fast variations of photon polarization, which is determined by the internal structure and surrounding environment of the optical fiber. The error rate caused by the variations of photon polarization will accumulate with the propagation of the photons, leading to a drop of the key rate. Once the error rate is high enough, the QKD process is aborted and calibration is performed. Then the key rate will return to a normal value, corresponding to the ascensions in key rate performance.

[Figure 4 plot. Axes: Time (month), Key rate (kbps). Curves: TR-1 to TR-2, TR-1 to TR-3, TR-2 to TR-3; TR-2 to UB-17, TR-2 to UB-16, TR-3 to UB-23.]
FIG. 4. The key rates versus time for some representative links. a) The key rates between the three trusted relays. b) The key rates between trusted relay and user. In the robustness test, 11 user nodes have continuously run for 31 months. The key rates are recorded every 30 seconds and averaged over a month. The detailed key rates are given as Supplementary Tables V and VI.
TABLE II. List of the average key rates between subnetworks and the key rate ranges within the three subnetworks (lower). The detailed key rates are presented in the Supplementary Tables II, III and IV.

DISCUSSION
In summary, we have presented a practical, large-scale metropolitan QKD network with standard commercial QKD products, systematic key management, and practical usage in Hefei, China. This quantum network can be scaled by adding more users and relays, and it can be connected to the Shanghai-Beijing backbone to become a national network. Our network can be combined with other QKD protocols that are robust against device imperfections. For instance, to overcome the imperfection of measurement devices, measurement-device-independent (MDI) QKD protocols [27] can be employed. Experimentally, the MDI-QKD protocol has been extensively verified and an MDI-QKD network over unreliable metropolitan has been recently realized [28]. Combined with the MDI-QKD network, one can imagine that communication in the future can be done in a way that is both efficient and secure. Recently an inter-continental QKD network was reported [15], connecting several metropolitan networks with a satellite. Our practical implementations and applications of a metropolitan network can be well combined with [15] for future directions.
The calibration of the QKD systems is performed in three main steps. Here all the optical pulses are strong pulses and not at single-photon level. The first step is associated with detector gate time calibration, where Alice's lasers send optical pulses of 40 MHz, and when the photon count rates, $D_1$, $D_2$, $D_3$, and $D_4$, of the four single photon detectors reach the maximum simultaneously, a visibility The gate positions of the detectors are scanned to maximize this visibility. The lowest value allowed for the QKD systems in this network is 15%. If the visibility is lower than this value for 3 times in a row for any detector, the calibration is aborted.
The second step is associated with polarization feedback. Specifically, it begins with Alice's sending H polarization laser pulses at 40 MHz to Bob. Bob adjusts his electrical polarization controllers to maximize the visibility. The minimum value of the polarization visibility permitted by the systems in the Hefei network is set to be 20 dB. If the measured value is lower than this value, the electrical polarization controllers are initialized and scanned again. Once the polarization calibration for H passes, Alice immediately switches the H laser off and sends V pulses to verify the latter's polarization visibility, which should be around the same value as H. The process is repeated for the + and − polarization pulses, and the calibration is aborted after 3 failed trials.
In the final step the repetition rate of Alice's lasers is adjusted to 100 kHz to match the synchronization laser pulses (100 kHz, wavelength at 1570 nm). The four lasers send pulses to Bob to calibrate the time sequence. If any of the lasers fails to pass the synchronization after 3 consecutive times, the calibration is aborted.
The calibration performs better with stronger pulses. Therefore, when the transmission distance increases, the QKD system needs to increase the laser power. This makes the total calibration time for the three steps vary with the transmission distance. It turns out that the total time is always within 5 minutes.

FIG. 1. The topological structure of our quantum network. The network mainly comprises three sub-networks that are directly connected to each other. In each sub-network, there are multiple users connected to intermediate nodes in different ways, either by an all-pass optical switch (OS) or a trusted relay (TR). Users connected by a switch are denoted as red dots (Type-A Users, UA), holding both a quantum transmitter and a receiver. Users connected to a trusted relay are denoted as green dots (Type-B Users, UB), only holding a quantum transmitter. Specifically, UA-1 to UA-5 are connected to OS-1, UA-6 and UA-7 are connected to OS-2, UA-8 to UA-13 are connected to OS-3, UB-1 to UB-12 are connected to TR-1, UB-13 to UB-17 are connected to TR-2, and UB-18 to UB-27 are connected to TR-3.
FIG. 2. A schematic for the QKD set-up. There are four laser sources in the transmitter emitting four corresponding polarisation states in the BB84 protocol. The polarisation is modulated via the PBS and the PC, and the average light intensity is modulated via the attenuator. Each laser produces three light pulses with different intensities including signal, decoy and vacuum states. The signal and decoy states contain mean photon numbers of 0.6 and 0.2 per pulse, respectively, and the ratio between the signal, decoy, and vacuum states is 6 : 1 : 1. The optical misalignment is less than 0.5%. In the detection side, a four-channel InGaAs single photon detector is integrated with the following parameters. The detection efficiency is 10%, the dark count is $10^{-6}$, the dead time is 2 µs, the afterpulse probability is less than 0.5%, and the effective gate width is 500 ps. The receiver detects the light signal with the PC as a polarisation feedback. The Cir is used to realise transmission and reception of light signals simultaneously. BS: beam splitter; PBS: polarising beam splitter; PC: polarisation controller; Att: attenuator; Cir: circulator.

FIG. 3. Twenty-two users simultaneously make calls with QKD protocols. The green areas represent the duration over which users make calls.

FIG. 5. Key rate performance of a typical link for over a week. The key rates, collected over a week from Sept. 1 to Sept. 7, 2020, are averaged every 20 minutes. The inset shows the detailed data within 24 hours on Sept. 2, 2020. The transmission loss for this link is 4.1 dB.

TABLE III. Feedback calibration time of the TR2-TR3 link over 24 hours on April 23, 2021.

TABLE IV. Key rates (unit: kbps) among nodes in the QuantumCTek subnetwork. TR: Trusted Relay; UA: Type-A users that are connected to an optical switch; UB: Type-B users that are connected to a trusted relay.

TABLE V. Key rates (unit: kbps) among nodes in the city library subnetwork. TR: Trusted Relay; UA: Type-A users that are connected to an optical switch; UB: Type-B users that are connected to a trusted relay.

TABLE VI. Key rates (unit: kbps) among nodes in the USTC subnetwork. TR: Trusted Relay; UA: Type-A users that are connected to an optical switch; UB: Type-B users that are connected to a trusted relay.

TABLE VII. Detailed key rates (unit: kbps) in the robustness test among the trusted relay and 5 user nodes in city library subnetwork over 31 months (December 2017 to June 2020). For this robustness test, we have upgraded the system repetition rate from 20 MHz to 40 MHz. TR: Trusted Relay; UB: Type-B users that are connected to a trusted relay. The numbers correspond to the key rates with units of kbps.

TABLE VIII. Detailed key rates (unit: kbps) in the robustness test among the trusted relay and 6 user nodes in QuantumCTek subnetwork over 31 months (December 2017 to June 2020). For this robustness test, we have upgraded the system repetition rate from 20 MHz to 40 MHz. TR: Trusted Relay; UB: Type-B users that are connected to a trusted relay. The numbers correspond to the key rates with units of kbps.