Introduction

The ultimate goal of quantum key distribution (QKD)1,2 is to construct a global quantum network, wherein all communication traffic has information-theoretic security guarantees. A global QKD network consists of two main types of links: the ground network (mainly fibre based) and the satellite network (mainly free-space based). The ground network can be further divided into backbone, metropolitan and access networks, which cover intercity distances, metropolitan distances and fibre-to-the-home distances, respectively. The feasibility of QKD between two users has been extensively studied, for example, through long-distance free space3, telecom fibres4 and simulated ground–satellite links5,6. Field tests of QKD networks have been realized, including the three-user network by DARPA (2003)7, the six-node SECOQC network in Europe (2008)8, the SwissQuantum network (2009)9, the USTC network10, the six-node mesh-type network in Tokyo (2011)11 and the small-scale metropolitan all-pass and intercity quantum network12,13. The satellite network is a promising way to realize intercontinental secure communication due to the low transmission attenuation in space. The satellite can serve as a trusted relay, connecting remote user nodes or subnetworks14. Recently, a large-scale satellite network has been implemented15, consisting of four metropolitan-area networks, a backbone network and two satellite–ground links. Here, we summarize the existing network implementations in Table 1. For a full review of the subject, one can refer to the recent review article16 and references therein.

Table 1 Existing QKD network implementations.

Nevertheless, these QKD experiments and networks are still preliminary demonstrations of limited scale, with fewer than ten nodes, which is insufficient for the demands of actual metropolitan communication. Furthermore, realizing a practical QKD network is not simply a matter of increasing the number of nodes; many scientific and practical issues need to be considered, such as: (a) network topology; (b) network scalability; (c) key management; (d) practical applications; and (e) network robustness. Thus far, realizing a practical large QKD network remains a major challenge in quantum communication.

In this work, we construct a 46-node quantum metropolitan-area network throughout the city of Hefei, which connects 40 user nodes, three trusted relays and three optical switches, as shown in Fig. 1. The network covers the entire urban area and connects several major organizations in the city districts, including governments, banks, hospitals, universities and research institutes. In our network, we: (a) implement versatile connection topologies for different hierarchies of users; (b) use standard equipment with a scalable configuration; (c) integrate systematic key management; (d) realize various robust application modules; and (e) deal with node failures. As a result, we address the major challenges in realizing a large-scale practical QKD network.

Fig. 1: The topological structure of our quantum network.

The network mainly comprises three subnetworks that are directly connected to each other. In each subnetwork, there are multiple users connected to intermediate nodes in different ways, either by an all-pass optical switch (OS) or by a trusted relay (TR). Users connected by a switch are denoted as red dots (Type-A Users, UA), holding both a quantum transmitter and a receiver. Users connected to a trusted relay are denoted as green dots (Type-B Users, UB), only holding a quantum transmitter. Specifically, UA-1 to UA-5 are connected to OS-1, UA-6 and UA-7 are connected to OS-2, UA-8 to UA-13 are connected to OS-3, UB-1 to UB-12 are connected to TR-1, UB-13 to UB-17 are connected to TR-2, and UB-18 to UB-27 are connected to TR-3.

Results

Network topology

We first review the basic topological structures in a network. There are three general ways of connecting and distributing keys between users in a quantum network. The most robust method uses a fully connected topology. Here, each user is directly connected to every other user in the network. This type of network contains no relays; hence it is robust against a single point of failure, and the users do not need to trust one another. That is to say that a system failure or dishonest user would not affect the communication between other users. The main drawback of this type of network is that the number of links (and cost) of a fully connected network quadratically increases with the number of users. Thus, such a network is typically used for connections between a small number of major nodes.

Alternatively, the user nodes can also be connected via a central switch (relay). In this star-like network, the number of links linearly increases with the number of users. In addition, the users do not need to trust each other or the relay. Because the switch only transfers quantum signals, users can execute QKD protocols as if they are directly connected. The drawback of this type of network is that it is not robust against a single point of failure. That is to say that if the switch relay fails, the entire network will be brought down. The transmission distance of quantum signals is twice the length of the link between the users and the switch; hence this kind of network is typically used for local connections.

In the star-like topology, we can replace the switch with a trusted node. In this trusted node network, every user runs QKD protocols with a central relay, and two users can combine the keys they each share with the central relay to form their own keys. In QKD, the secure key transmission distance is limited; thus, the size of a directly communicated quantum network is also limited. However, the size of the network can be extended by the introduction of trusted relays. Two distant users can also build secure keys with the help of a sufficient number of trusted relays. In practice, the Shanghai–Beijing backbone employs this technique to scale the QKD distance. The disadvantage of this type of network is that the users need to trust the relay. To construct a global quantum network, it is important to realize different topological structures in practice.

Our network consists of three subnetworks located at USTC, QuantumCTek and the City Library, which are approximately 15 km apart. The longest fibre connecting the east and west end-users is approximately 45 km, and that connecting the south and north end-users is approximately 42 km. The longest direct distance between two users in the network is approximately 18 km. We realize two basic types of topological connection structures: the full connection between the three subnetworks and the star-like connection for local access networks. The fully connected topology is applied to guarantee the robustness between the most important users, while the star-like connection is used for a more efficient network connection. At the centre of the star-like subnetwork, we use either a trusted node or an optical switch for different scenarios depending on the needs and distribution of the users.

The trusted node can be regarded as a classical router that assigns classical keys between users. The all-pass optical switches act as quantum routers that redistribute quantum signals. Any two users connected to the same switch can communicate directly without interfering with other users. In the experiment, we made use of two types of optical switches. One is the 4 × 8 switch, in which four 1 × 8 optical switch modules and eight 1 × 4 modules are connected. This type of switch module comprises 4 input and 8 output ports, forming a 4 × 8 connecting matrix. The other is the 16-port all-pass optical switch, in which sixteen 1 × 15 optical switch modules are connected to form an optical path. When this 16-port switch is fully connected, it enables 8 pairs of users to communicate simultaneously. In our experiments, the losses in all these optical switches are below 1.2 dB, which is much lower than the channel isolation (50 dB).

Standard QKD equipment

In our network, we used the polarization-encoding BB84 QKD protocol17,18,19 with a vacuum + weak decoy-state method20 to generate secret keys between directly connected users and trusted relays. Two users could generate keys if one of them had a quantum transmitter and the other had a quantum receiver. As a quantum receiver is generally more expensive than a quantum transmitter, not all users in this network possessed quantum receivers. However, everyone at least had a quantum transmitter and was thus able to transmit signals. In this case, there were two types of users in this network: users directly connected to a switch have both a quantum transmitter and a receiver, and users directly connected to a trusted relay have only a quantum transmitter. There were, correspondingly, two types of equipment: one only for transmitting signals and the other for transmitting and receiving signals at the same time.

Standard transmitters and receivers are used in our network; their internal structures are shown in Fig. 2. In the transmitters, we use 14-pin butterfly distributed feedback lasers with a central wavelength of 1550 nm. Polarization states {\(\left|H\right\rangle\), \(\left|V\right\rangle\), \(\left|+\right\rangle\), \(\left|-\right\rangle\)} are produced with four different lasers, where each one can produce three different intensity pulses corresponding to the signal, decoy and vacuum states. Before key generation, a time calibration between the source and the single-photon detectors as well as polarization feedback is performed. In general, the calibration is more efficient with strong pulses. Calibration takes longer for longer transmission distances, but no more than 5 min. The calibration process makes our network robust against environmental disturbances. After basis reconciliation and error correction, privacy amplification is performed after 256 kbit per second (kbps) keys are accumulated. Based on a field-programmable gate array (FPGA), the Winnow algorithm21 is used for error correction, with a correction efficiency of 1.3–1.5. Then, privacy amplification is performed using an FPGA-implemented Toeplitz matrix hash operation22, which is constructed from true random numbers shared by the transmitter and receiver devices. The standardization of the QKD equipment can greatly reduce the quantity of devices required, allowing the number of devices to scale linearly with the number of user nodes.
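The Toeplitz-matrix privacy amplification step described above, as an added software example (it is not the FPGA implementation or any code from the paper). The output length, the sample key and the use of Python's `secrets` module in place of the shared true random numbers are assumptions made for illustration.

```python
import secrets

def toeplitz_hash(key_bits, seed_bits, out_len):
    """Compress key_bits (list of 0/1) to out_len bits over GF(2).

    The out_len x n matrix T has T[i][j] = seed_bits[i - j + n - 1], so every
    diagonal is constant and only n + out_len - 1 shared seed bits are needed.
    """
    n = len(key_bits)
    if out_len > n:
        raise ValueError("privacy amplification can only shorten the key")
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must hold n + out_len - 1 bits")
    # Pack the key with key_bits[0] as the most significant bit.
    x = 0
    for b in key_bits:
        x = (x << 1) | b
    # Pack the seed with seed_bits[k] at bit position k.
    s = 0
    for k, b in enumerate(seed_bits):
        s |= b << k
    mask = (1 << n) - 1
    out = []
    for i in range(out_len):
        row = (s >> i) & mask              # row i of T as an n-bit window
        out.append(bin(row & x).count("1") & 1)   # inner product mod 2
    return out

def random_bits(count):
    """Stand-in for the devices' shared true random number source (assumption)."""
    return [secrets.randbits(1) for _ in range(count)]

def demo():
    n, out_len = 1024, 400                 # constructed sizes, not from the page
    reconciled = random_bits(n)            # identical at both ends after error correction
    seed = random_bits(n + out_len - 1)    # shared by transmitter and receiver
    alice = toeplitz_hash(reconciled, seed, out_len)
    bob = toeplitz_hash(list(reconciled), seed, out_len)
    return alice == bob, len(alice)

if __name__ == "__main__":
    print(demo())
```

Because the map is linear over GF(2), a single uncorrected bit error in the reconciled key changes the final key at one end only, which is why error verification precedes this step.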

Fig. 2: A schematic for the QKD set-up.

There are four laser sources in the transmitter emitting four corresponding polarization states in the BB84 protocol. The polarization is modulated via the PBS and the PC, and the average light intensity is modulated via the attenuator. Each laser produces three light pulses with different intensities including signal, decoy and vacuum states. The signal and decoy states contain mean photon numbers of 0.6 and 0.2 per pulse, respectively, and the ratio between the signal, decoy, and vacuum states is 6:1:1. The optical misalignment is less than 0.5%. On the detection side, a four-channel InGaAs single-photon detector is integrated with the following parameters. The detection efficiency is 10%, the dark count is \(10^{-6}\), the dead time is 2 μs, the afterpulse probability is less than 0.5% and the effective gate width is 500 ps. The receiver detects the light signal with the PC as a polarization feedback. The Cir is used to realize transmission and reception of light signals simultaneously. BS: beam splitter; PBS: polarizing beam splitter; PC: polarization controller; Att: attenuator; Cir: circulator.

Key management

A key management strategy enables the users whose keys are running out to generate keys with high priority. We realize systematic key management for our network by designing a switching strategy. The strategy is determined by the amount of keys stored in the local memories of the users. The user with the least key amount has priority in the queue for key distribution. Here we take the 16-port all-pass optical switch mentioned above as an example. Since it can be connected to 16 users, there are a total of \(\binom{16}{2}=120\) possible key-pairing schemes by which two users are connected for the following QKD process. The queuing process for the key-pairing scheme is determined by the Roll-Call-Polling protocol that judges the amount of keys between users. When the key amounts of all devices are the same, QKD pairing is sequentially performed in the order of the network ID. For arbitrary communication partners, the latency for key pairing is heuristically set to be 10, 15 or 30 min according to experience. Then the optical paths of the optical switch are connected, and the QKD process begins. Such a pairing process will repeat whenever there are QKD tasks. The switching time can be configured, ranging from 10 to 60 min. If two users in different subnetworks wish to perform QKD, they first generate keys with intermediate nodes and then swap them. After key generation is activated, the user can obtain secure keys within 5 min, which are stored in local memories.

Since our network is scalable, we also need to consider the key management for new users. To join the network, a new user should first send a heartbeat frame from their QKD device to the key management server, i.e. its upstream optical switch or trusted relay node. A sequence of 32 kbit initial keys with the trusted relay or optical switch is used for authentication. The authentication is implemented by the HMAC algorithm based on the symmetric key algorithm SM4 (ref. 23), which does not provide information-theoretic security. Within 2 min after power-on, the QKD device is connected to the network. Then, the device is in the queue for key generation.

Security analysis

We follow the standard decoy-state BB84 security analysis18,20 and its finite size analysis24. The secret key rate of the BB84 protocol is given by18,25

$$r=-f{Q}_{\mu }H({E}_{\mu })+{Y}_{1}\mu {e}^{-\mu }[1-H({e}_{1}^{p})],$$
(1)

where \(f\) is the error correction efficiency, \(\mu\) is the mean photon number per pulse for a signal state, \(Q_{\mu}\) is the overall gain for the signal states, \(E_{\mu}\) is the quantum bit error rate (QBER), \(Y_{1}\) and \(e_{1}^{p}\) are the yield and phase error rate of the single-photon component and \(H(p)=-p\log_{2}p-(1-p)\log_{2}(1-p)\) is the binary Shannon entropy function. The single-photon yield and phase error rate can be well estimated by the decoy-state method18. In fact, only three intensities (signal, weak decoy and vacuum) are enough to give tight bounds20, as implemented in our network.
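Equation (1) evaluated end to end, as an added example that is not code from the paper: a constructed channel model produces the gains and QBERs, the standard vacuum + weak decoy bounds estimate the single-photon yield and error rate, and r is computed per pulse. The fibre attenuation (0.2 dB/km), the reading of the quoted dark count as the vacuum yield, e0 = 0.5 and f = 1.4 are assumptions; the remaining parameters are those quoted in the Fig. 2 caption.

```python
import math

def h2(p):
    """Binary Shannon entropy H(p) from Eq. (1)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

# Values stated on the page.
MU, NU = 0.6, 0.2    # mean photon number per pulse: signal, weak decoy
ETA_DET = 0.10       # detector efficiency
E_D = 0.005          # optical misalignment (page: "less than 0.5%")
F_EC = 1.4           # error-correction efficiency, inside the stated 1.3-1.5
# Assumptions, not from the page.
Y0 = 1e-6            # quoted dark count read as the vacuum yield per pulse
E0 = 0.5             # error rate of a dark-count click
ALPHA_DB_KM = 0.2    # typical fibre attenuation at 1550 nm

def observe(intensity, eta):
    """Simulated gain and QBER for one intensity (constructed channel model)."""
    signal = 1 - math.exp(-eta * intensity)
    gain = Y0 + signal
    return gain, (E0 * Y0 + E_D * signal) / gain

def key_rate(distance_km, extra_loss_db=0.0):
    """Per-pulse rate r of Eq. (1); r <= 0 means no secret key can be distilled."""
    eta = ETA_DET * 10 ** (-(ALPHA_DB_KM * distance_km + extra_loss_db) / 10)
    q_mu, e_mu = observe(MU, eta)
    q_nu, e_nu = observe(NU, eta)
    # Vacuum + weak decoy: lower bound on Y1, upper bound on the
    # single-photon error rate (used as the phase error rate e1^p).
    y1 = MU / (MU * NU - NU ** 2) * (
        q_nu * math.exp(NU)
        - q_mu * math.exp(MU) * NU ** 2 / MU ** 2
        - (MU ** 2 - NU ** 2) / MU ** 2 * Y0)
    e1 = min(0.5, (e_nu * q_nu * math.exp(NU) - E0 * Y0) / (y1 * NU))
    r = -F_EC * q_mu * h2(e_mu) + y1 * MU * math.exp(-MU) * (1 - h2(e1))
    return {"eta": eta, "Q_mu": q_mu, "E_mu": e_mu, "Y1": y1, "e1": e1, "r": r}

if __name__ == "__main__":
    # 18 km is the longest direct user distance; 1.2 dB is the switch loss bound.
    for km in (5, 18, 45):
        print(km, key_rate(km, extra_loss_db=1.2))
```

Multiplying r by the pulse repetition rate and the fraction of signal pulses kept after sifting gives a rate in bits per second; the page does not state the repetition rate, so the example stops at the per-pulse value.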

In the finite-size case, there will be deviations in the estimations of the parameters given above due to statistical fluctuations. The main finite-size effect comes from the phase error rate estimation24. Suppose we use Z-basis states to generate keys; then the single-photon phase error rate in this basis \({e}_{1}^{pz}\) is bounded by the single-photon bit error rate in the X basis \({e}_{1}^{bx}\) and a small deviation θ optimized according to the experimental data24

$${e}_{1}^{pz}\le {e}_{1}^{bx}+\theta$$
(2)

with a failure probability of

$${\epsilon }_{ph}\le \frac{\sqrt{{n}_{x}+{n}_{z}}}{\sqrt{{e}_{1}^{bx}(1-{e}_{1}^{bx}){n}_{x}{n}_{z}}}{2}^{-({n}_{x}+{n}_{z})\xi (\theta )}$$
(3)

where \(n_{x}\) and \(n_{z}\) are the numbers of bits measured in the X and Z basis, respectively, and \(\xi (\theta )=H(e_{1}^{bx}+\theta -n_{x}\theta /(n_{x}+n_{z}))-n_{x}H(e_{1}^{bx})/(n_{x}+n_{z})-(1-n_{x}/(n_{x}+n_{z}))H(e_{1}^{bx}+\theta )\). There will also be failure probabilities in other steps including the authentication, error verification and privacy amplification. These failure probabilities are functions of the secure key consumption in the corresponding steps, and are additive owing to composable security. In Supplementary Note 2, we will show how to calculate the finite-size key rate in detail.
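Equations (2) and (3) worked numerically, as an added example that is not code from the paper: for a target failure probability it finds the smallest deviation θ by bisection, working with log2 of the bound to avoid floating-point underflow. The block sizes, error rate and target used in the demonstration are constructed values.

```python
import math

def h2(p):
    """Binary Shannon entropy H(p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def xi(theta, e_bx, n_x, n_z):
    """xi(theta) as defined below Eq. (3)."""
    qx = n_x / (n_x + n_z)
    return (h2(e_bx + theta - qx * theta)
            - qx * h2(e_bx)
            - (1 - qx) * h2(e_bx + theta))

def log2_eps_ph(theta, e_bx, n_x, n_z):
    """log2 of the right-hand side of Eq. (3)."""
    n = n_x + n_z
    prefactor = 0.5 * math.log2(n) - 0.5 * math.log2(e_bx * (1 - e_bx) * n_x * n_z)
    return prefactor - n * xi(theta, e_bx, n_x, n_z)

def min_theta(e_bx, n_x, n_z, eps_target, tol=1e-9):
    """Smallest theta with eps_ph <= eps_target, or None if unreachable.

    xi grows with theta on (0, 0.5 - e_bx), so the bound decreases
    monotonically and bisection applies.
    """
    goal = math.log2(eps_target)
    lo, hi = 0.0, 0.5 - e_bx
    if log2_eps_ph(hi, e_bx, n_x, n_z) > goal:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if log2_eps_ph(mid, e_bx, n_x, n_z) <= goal:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    # Constructed inputs: 2% X-basis error rate, target failure probability 1e-10.
    for n in (10 ** 4, 10 ** 6):
        theta = min_theta(0.02, n, n, 1e-10)
        print(f"n_x = n_z = {n}: e1_pz <= 0.02 + {theta:.5f}")
```

The phase error bound of Eq. (2) with this θ replaces the asymptotic single-photon error rate in Eq. (1), so small blocks pay a visibly larger privacy amplification cost.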

Application

For the application of our network, users could make use of the generated secure keys to confidentially transfer information. The message is encoded in FPGA modules with an exclusive OR operation on the secure keys. We apply our network to transmit encrypted information such as real-time voice telephone, instant messaging and digital files with the one-time pad encryption method26. The total amount of information to be encrypted is 10 Gbit. The encryption speed is 800 Mbps. The total delay in the encryption process is less than 50 μs. In our network, the speed of real-time voice telephone was 2.4 kbps and the speed of file transmission was 320 kbps. The capacity of our network is tested for 50 min, as shown in Fig. 3. In all, 22 users simultaneously made calls in the quantum network for 6 min (see Supplementary Note 1 for more details).
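A sketch of the key swap through trusted relays and the one-time pad encryption described above, added as an illustration and not taken from the paper. Hop-by-hop one-time-pad forwarding of a session key is an assumed, common way to realize the swap; the path UB-1, TR-1, TR-2, UB-13 follows Fig. 1, and the link keys and message are constructed.

```python
import secrets

class KeyPool:
    """Key material shared on one QKD link; bytes are consumed and never reused."""
    def __init__(self, material):
        self._buf = bytearray(material)

    def take(self, n):
        if n > len(self._buf):
            raise RuntimeError("key pool exhausted; wait for more QKD output")
        out = bytes(self._buf[:n])
        del self._buf[:n]
        return out

    def __len__(self):
        return len(self._buf)

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad needs key length == message length")
    return bytes(x ^ y for x, y in zip(a, b))

def qkd_link(n_bytes):
    """Constructed stand-in for a QKD link: both ends hold the same random bytes."""
    material = secrets.token_bytes(n_bytes)
    return KeyPool(material), KeyPool(material)

def relay_key(session_key, hops):
    """Forward session_key over hops, each hop being (sender_pool, receiver_pool).

    Returns the key delivered at the far end, the ciphertexts seen on the
    classical links, and the plaintext copies held by the intermediate relays.
    """
    wire, held = [], []
    current = session_key
    for send_pool, recv_pool in hops:
        ct = xor(current, send_pool.take(len(current)))   # one-time pad per hop
        wire.append(ct)
        current = xor(ct, recv_pool.take(len(ct)))
        held.append(current)
    return current, wire, held[:-1]

def demo():
    msg = b"constructed sample message"
    hops = [qkd_link(64), qkd_link(64), qkd_link(64)]   # UB-1/TR-1, TR-1/TR-2, TR-2/UB-13
    session = secrets.token_bytes(len(msg))
    delivered, wire, relay_copies = relay_key(session, hops)
    ciphertext = xor(msg, session)          # UB-1 encrypts
    plaintext = xor(ciphertext, delivered)  # UB-13 decrypts
    left = [len(a) for a, _ in hops]
    return {"plaintext": plaintext, "delivered": delivered, "session": session,
            "wire": wire, "relay_copies": relay_copies, "left": left, "msg": msg}

if __name__ == "__main__":
    print(demo()["plaintext"])
```

Both relays end up holding the session key in the clear, which is the trust assumption the text attaches to trusted-relay topologies; eavesdroppers on the classical links see only one-time-pad ciphertexts.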

Fig. 3: Twenty-two users simultaneously make calls with QKD protocols.

The green areas represent the duration over which users make calls.

Network robustness

In addition, the stability and robustness of the network were tested by running continuously for 31 months. We choose some representative nodes and show the key rates versus time in Fig. 4. The key rate results are summarized in Table 2, ranging from 6 to 60.5 kbps. Since the Hefei network is based on the Roll-Call-Polling protocol, all the results are average key rates during the QKD process. The key rate fluctuation mainly comes from the fast variations of photon polarization, which are determined by the internal structure and surrounding environment of the optical fibre. The error rate caused by the variations of photon polarization will accumulate with the propagation of the photons, leading to a drop in the key rate. Once the error rate is high enough, the QKD process is aborted and calibration is performed. Then the key rate will return to a normal value, corresponding to the upward jumps in the key rate.

Fig. 4: The key rates versus time for some representative links.

(a) The key rates between the three trusted relays. (b) The key rates between trusted relay and user. In the robustness test, 11 user nodes have continuously run for 31 months. The key rates are recorded every 30 s and averaged over a month. The detailed key rates are given in Supplementary Tables V and VI.

Table 2 List of the average key rates between subnetworks and the key rate ranges within the three subnetworks (lower).

Discussion

In summary, we have presented a practical, large-scale metropolitan QKD network with standard commercial QKD products, systematic key management and practical usage in Hefei, China. This quantum network can be scaled by adding more users and relays, and it can be connected to the Shanghai–Beijing backbone to become a national network. Our network can be combined with other QKD protocols that are robust against device imperfections. For instance, to overcome the imperfection of measurement devices, measurement-device-independent (MDI) QKD protocols27 can be employed. Experimentally, the MDI-QKD protocol has been extensively verified and an MDI-QKD network over unreliable metropolitan has been recently realized28. Combined with the MDI-QKD network, one can imagine that communication in the future can be done in both efficient and secure ways. Recently an intercontinental QKD network was reported15, connecting several metropolitan networks with a satellite. Our practical implementations and applications of a metropolitan network can be well combined with ref. 15 for future directions.