TRENDS IN CRYPTOGRAPHY

Performance Evaluations of Quantum Key

Distribution System Architectures
Logan O. Mailloux, Michael R. Grimaila, and Douglas D. Hodson | US Air Force Institute of Technology
Gerald Baumgartner | Laboratory for Telecommunication Sciences
Colin McLaughlin | Naval Research Laboratory
Quantum key distribution (QKD) exploits the laws of quantum physics to generate shared secret
cryptographic keys and can detect eavesdroppers during the key generation process. However, previous
QKD research has focused more on theory than practice.

uantum key distribution (QKD) is the most

mature application of the quantum information field, offering the means for two parties to generate secure cryptographic keying material. Employing
the laws of quantum physics, QKD can detect eavesdroppers during the key generation process, in which
unauthorized observation of quantum communication
induces discernible errors. However, QKD is a nascent
technology where real-world systems are constructed
from nonideal components and deployed in uncertain
operational environments, which can adversely impact
system security and performance.
In this article, we study the performance impact of
QKD implementation nonidealities and practical engineering limitations, evaluating three system examples
using a modularized simulation framework. We also
explore the QKD securityperformance trade space
to gain additional understanding of critical design
tradeoffs associated with interactions between physical components and system-level considerations such
as hardware, software, and protocols. Such evaluations
provide insight and inform designers, researchers, and
users when selecting among competing solutions;

30

January/February 2015

decision makers can also use them to guide future

investments and developmental efforts.
Our research team focuses on bridging the gap
between QKD theory and practice. Theoretical and
experimental physicists are working to advance QKD
technology, but few are strongly focused on evaluating
and improving the implementation of realized systems.
For a general introduction to QKD, see Chip Elliots
Quantum Cryptography.1

The Emergence
of QKD-Enabled Cryptography

QKD systems are emerging in the cryptographic solution space, where many claim they function as unconditionally secure key distribution devices. (The term key
distribution is somewhat misleading as QKD systems
generate or grow shared secret keys from previously
established keys and dont merely distribute them.)
Figure 1 illustrates a QKD system configured to
generate shared secret key K for use in external bulk
encryptors. The architecture consists of a sender Alice,
a receiver Bob, an optical fiber quantum channel, and
a classical channel (that is, a conventional networked

Copublished by the IEEE Computer and Reliability Societies

1540-7993/15/$31.00 2015 IEEE

Alice
Network
interface

CPU

Quantum
module

Bob
Classical channel
Quantum channel

Shared key K
Plaintext m

Encryptor

Network
interface

CPU

Quantum
module

Shared key K
Ciphertext Ek(m)

Encryptor

Plaintext m

Figure 1. Quantum key distribution (QKD) system. The architecture consists of a sender Alice, a receiver Bob, an optical fiber quantum
channel, and a classical channel. Alice and Bob each consist of a CPU, network interface, and quantum channel module (QCM). Additional
administrative and control signals are omitted for clarity.

connection). Alice and Bob each consist of a CPU, network interface, and quantum channel module (QCM).
The quantum channel is sensitive to physical disturbances such as ambient light and generally employs
otherwise unused dark fiber. The quantum and classical channels are often separated due to security and
performance sensitivities but might be multiplexed on
a single fiber.
QKD systems can be paired withand configured
to increase the security posture oftraditional symmetric encryption algorithms, such as Data Encryption Standard (DES), 3DES, and Advanced Encryption
Standard, through frequent rekeying. Alternatively,
QKD is often discussed in conjunction with one-timepad (OTP) encryptionenabling unconditionally
secure communicationsas it provides a feasible solution to OTPs stringent requirements: a truly random
key, key length equal to or greater than the length of the
message to be encrypted, and a key thats never reused.1
However, the challenge is to provide sufficient key
generation rates to meet realistic applications. For example, the ID Quantique Cerberis QKD server advertises
key generation rates up to 3 Kbps over a transmission
distance of 50 km.2 Other commercial offerings from
SeQureNet, QuintessenceLabs, MagiQ Technologies,
and Quantum Communication Technology have similar performance limitations.3

Exploiting Quantum Physics for Security

QKDs genesis can be traced to Stephen Wiesner, who
came up with the idea of fraud-proof quantum money
in the late 1960s.4 In 1984, Charles Bennett and Gilles
Brassard operationalized this concept when they proposed the first QKD protocol (BB84) in which single
photons, representing quantum bits (qubits), are used
www.computer.org/security

to securely generate a shared cryptographic key (see

the QKD Prepare-and-Measure Encoding sidebar
for examples).5
QKD security is based on quantum uncertainty
inherent in the BB84 encoding scheme and captured
in formal proofs (see the Demystifying the Quantum
Physics of QKD sidebar for further discussion).6,7
Modern BB84 implementations generally consist of
eight operational phasesauthentication, quantum
exchange, raw key sifting, error estimation, error reconciliation, entropy loss estimation, privacy amplification,
and final key generation (see Table 1). Only the second
phase, quantum exchange, uses nonclassical communication techniques.8

Implementation Nonidealities
In this article, we focus on a prepare-and-measure
BB84 QKD system with polarization-based encoding,
where qubits are encoded and decoded using four polarization states , , , and . The states are encoded by
randomly selecting a bit value (0 or 1) and a basis (horizontal/vertical or diagonal/antidiagonal ) and
decoded by randomly selecting a measuring basis ( or
). (See the QKD Prepare-and-Measure Encoding
sidebar.) The BB84 protocol assumes several idealities,
including610
on-demand single photon sources in Alice,
perfect single photon detection in Bob,
a lossless quantum channel, and
perfect basis alignment across the quantum channel.
However, these critical assumptions arent valid in
real-world systems. Reliable on-demand single photon
sources arent currently available, single photon detectors
31

TRENDS IN CRYPTOGRAPHY

QKD Prepare-and-Measure Encoding

ractical quantum key distribution (QKD) implementations often use prepare-and-measure protocols wherein a sender Alice prepares a quantum bit (qubit) by encoding a randomly selected
bit and basis, and a receiver Bob measures the qubit according to a
randomly selected basis. If Alices and Bobs bases agree, the encoded
qubit is read correctly with a very high probability; otherwise, a
random result occurs. Prepare-and-measure protocols primarily use
two types of modulation techniques, as Table A illustrates.
Polarization-based protocols encode and decode qubits using
horizontal (H = 0 degrees), vertical (V = 90 degrees), diagonal (D

= 45 degrees), and antidiagonal (A = 45 degrees) polarization

states in two mutually unbiased, conjugate basis sets: rectilinear representing the horizontal/vertical orthogonal basis and
diagonal representing the diagonal/antidiagonal orthogonal
basis. Polarization-based implementations are typically used for
free-space line-of-sight laser applications because theyre less susceptible to disturbances in the atmosphere. Phase-based protocols
are generally used for transmission through optical fibers, where
wave interference is used to encode and decode information at
phase shifts of 0 and .

Table A. Example prepare-and-measure encoding types.

Polarization-based BB84
Sender (Alice)

Phase-based BB84

Receiver (Bob)

Sender (Alice)

Receiver (Bob)

Encoded
bit value

Encoding
basis

Encoded
polarization
state ()
in degrees

Measuring
basis

Measured
bit value

Encoded
bit value

Encoding
phase shift
(A in
radians)

Measuring
phase shift
(B in
radians)

Phase
interference
(B A
in radians)

Measured
bit value

H/V

H=0

H/V

H/V

H=0

D/A

0 or 1

/2

3/2

0 or 1

H/V

V = 90

H/V

H/V

V = 90

D/A

0 or 1

/2

/2

0 or 1

D/A

A = 45

H/V

0 or 1

/2

/2

0 or 1

D/A

A = 45

D/A

/2

/2

D/A

D = 45

H/V

0 or 1

3/2

3/2

0 or 1

D/A

D = 45

D/A

3/2

/2

Note: H, V, D, and A represent the horizontal, vertical, diagonal, and antidiagonal polarization states; these polarization states are sometimes
represented with bidirectional arrows , , , and . Furthermore, while H/V and D/A represent the rectilinear and diagonal orthogonal basis
sets, theyre often represented as and .

(SPDs) have low detection efficiencies, and quantum

channels (optical fiber and direct line-of-sight optical
links) have transmission losses, with the compensation
mechanisms accuracy limiting basis alignment.

Eavesdropping on QKD Systems

QKD security relies on the fact that eavesdropping on
the quantum communication channel necessarily introduces detectable errors evident in the quantum bit error
rate (QBER). We calculate the QBER from the errorreconciled key by dividing the number of errors in the
sifted key by the total number of sifted bits. Typical
values are approximately 3 to 5 percent due to device
imperfections and transmission errors.7,8
If eavesdropper Eve attempts to listen to the quantum exchange, she introduces additional errors and
32

IEEE Security & Privacy

increases the QBER. Therefore, the QBER must be

monitored closely with allowable rates of 11 to 12 percent and practical rates as low as 8 percent.7 If the QBER
exceeds the threshold, the key generation process generally aborts, as its assumed an adversary is interfering
with the key exchange. Because QKD systems attribute
all errors to eavesdroppers (even if theyre caused by the
environment), its important to characterize the QBER
well to prevent false positives and provide reliable system performance.

Quantum Hacking
With increased interest in and availability of QKD
technologies, quantum hacking has become a specialty area.11 QKD systems are vulnerable to attacks
over the quantum channel, including man in the
January/February 2015

Table 1. BB84 protocol operational phases.

Phase

Description

Authentication

Authentication occurs over the classical channeltypically a point-to-point networked connectionand might
or might not involve encryption. (QKD security proofs dont require the classical channel to be encrypted.) The
authenticated classical channel is used to control the QKD process, and transactional authentication is assumed
to ensure secure transmission.

Quantum exchange

The sender encodes information onto quantum bits (qubits) using a randomly selected basis and bit value, and
sends them to the receiver over the quantum channeltypically a dedicated optical fiber. The receiver randomly
selects a basis to measure each qubit. This phase generates raw key bits in which the quality of randomness can
be assured through certified quantum random number generators in both the sender and receiver.79

Raw key sifting

The sender and receiver exchange basis information for each qubit. If the receiver measures the qubit in the
same basis as the sender encoded it, the bit value will be obtained with a high degree of accuracy. If the receiver
measures qubits in the wrong basis, a random result occurs and it needs to be sifted out from both the senders
and receivers raw key bits. This results in a shared sifted key (in both Alice and Bob) approximately half the
length of the raw key. Note that the sender and receiver expose only the bases and not the bit values.

Error estimation

The sender and receiver exchange a portion of sifted key bits over the public channel to estimate the sifted keys
quantum bit error rate (QBER). If the estimated QBER is higher than a user-defined threshold, an unauthorized
third party is assumed to be eavesdropping on the quantum channel, and the process is aborted and restarted.
The estimated QBER can be used as an input parameter for error reconciliation.

Error reconciliation

Error reconciliation is a two-way error correction of discrepancies between the distributed sifted key bits.
Reconciliation occurs over the classical channel and leaks information about the potential key based on the
efficiency of the algorithm selected. The actual QBER is calculated after error reconciliation and used as the
primary QKD secret key check. If the QBER is higher than a predetermined security threshold, eavesdropping is
assumed and the process is aborted and restarted.

Entropy loss estimation

Entropy loss attempts to quantify the amount of information exposed to an eavesdropper during the key
distribution process based on the QBER and amount of information exposed during error reconciliation.
While the QBER is relatively fixed for a given architecture, the amount of information lost can be thought of as
exposed parity bits on a variable number of increasingly smaller block sizes based on the number and placement
of errors in the sifted key.

Privacy amplification

Privacy amplification is an information theory technique that ensures the eavesdropper has negligible
information regarding the final key based on the entropy loss estimation. This results in a smaller, securer key.

Final key generation

A hash of the privacy-amplified key is produced and shared with the sender and receiver to ensure the final key
is the same. If the hashes match, the QKD system has successfully generated shared secret keying material.

middle (authentication failures), intercept and resend

(measuring and replacing photons), photon splitting (stealing photons), and blinding optical receivers
(overpowering photon detectors to control their detections). QKD systems are also subject to threats common to networked devices such as vulnerabilities in
operating systems, applications, and system interfaces.
(See The Black Paper of Quantum Cryptography:
Real Implementation Problems for further discussion
on practical QKD security considerations.10)
As security devices, QKD systems should be protected against physical attacks and manipulation in controlled telecom environments. In addition, practical
security techniques, such as ensuring properly calibrated
systems, characterizing a secure baseline, and continuous monitoring, should be enforced; little discussion of
this type of practical system security is available in the
published QKD literature. These issues should further
www.computer.org/security

motivate a proper understanding of practical engineering

considerations for secure system design, implementation,
and operation.

Advancement of QKD Technology

Realizing QKDs potential, researchers from academic,
commercial, and government sectors in Canada, the
US, Europe, Australia, Japan, Singapore, China, and
other countries continue to advance the technology.
Most notably, researchers in Tokyo recently achieved
a 1-Mbps key distribution rate to support real-time
video encryption,12 and the Battelle Memorial Institute seeks to daisy-chain 10 QKD links from Columbus, Ohio, to Washington, DC, in a 1,000-km trusted
node configuration.3 Such technological advancements
have resulted in a diverse trade space of competing
design and implementation choices, including several encoding schemes; quantum exchange protocols;
33

TRENDS IN CRYPTOGRAPHY

Demystifying the Quantum Physics of QKD

It is safe to say that nobody understands
quantum mechanics.  Richard Feynman

|V

KD security is based on the laws of

quantum mechanics, where photons
representing 0s and 1s (known as quantum bits
or qubits) are exchanged to generate a shared
secret key. To appreciate QKDs security aspects, we first need to examine the differences
between classical and quantum physics. We attempt to explain these quantum behaviors in a
brief and accessible way, specific to QKD. More
comprehensive discussions can be found in
Protecting Information,1 Quantum Computation
and Quantum Information,2 and Introductory
Quantum Optics.3

PV = ||2
|= |H+ |V

Detector

|= |H+ |V

(1)

|H

(2)

Polarizing beam splitter

PH = ||2
Detector

Figure A. Examples of (1) quantum superposition and (2) quantum measurement.

Quantum superposition allows a single quantum bit (qubit) to simultaneously exist
in more than one state; however, when the qubit is measured, it collapses into one of
two states based on the measurement apparatus. Thus, measurement of a quantum
state disturbs the state, preventing perfect copies from being made.

Qubits Exist in a State of Superposition

Classical bits exist in a deterministic state of either 0 or 1, whereas
qubits exist in a simultaneous combination of states, often represented in a two-dimensional complex vector space. For example,
Figure A1 depicts a polarization-based quantum superposition
described as | = |H + |V, where and represent complex
numbers, and the orthogonal basis is represented by horizontal |H
and vertical |V states. This means QKD systems can encode qubits
in a continuum of states between |H and |V, which directly
impacts their measurement.

Qubits Cant Be Measured Directly

A classical bit can be measuredand remeasured if necessaryto
determine its state 0 or 1. In quantum mechanics, directly measuring a qubit in a state of superposition, specifically or , isnt
possible. Instead, when a qubit is measured, a 0 occurs with probability ||2 and a 1 occurs with probability ||2, where ||2 + ||2
= 1. This means that whenever a qubit is measured, its forced to
collapse into a state corresponding to the measurement basis. For
example, as Figure A2 depicts, when an arbitrary quantum state
| = |H + |V encounters a polarizing beam splitter (a common component used to differentiate encoded states) and is subsequently measured in the rectilinear (horizontal/vertical) basis, it
probabilistically collapses into the state |H or |V. Likewise, when
an arbitrary quantum state is measured in the diagonal (diagonal/
antidiagonal) basis, it collapses into the state |D or |A. Consequently, QKD systems cant perfectly measure unknown quantum
states encoded in mutually unbiased, nonorthogonal states (that
is, the rectilinear and diagonal bases), as is the case in BB84.

Qubits Cant Be Perfectly Copied

Classical bits can be perfectly copied, whereas qubits cant, as the
no-cloning theorem proves.2,4 In classical physics, we can measure

34

IEEE Security & Privacy

an object without inducing a change and can therefore make

perfect copies. In contrast, the act of observing a quantum state
imparts a change in the system, introducing noise and preventing
exact copies. For example, if a qubit is diagonally encoded
|D =

1
1
|H +
|V
2
2

and measured in the rectilinear basis, as Figure A2 demonstrates, it

has an equal probability ||2 = ||2 = 1/2 of being detected in the
|H or |V state and cant create a copy of the |D state. Furthermore, because the quantum state collapses, all previously encoded
information is lost during the act of measurement (that is, the |D
state is gone and cant be recovered). This quantum phenomenon
is unavoidable due to interactions between the subject photons
and the measurement device, which prevent the possibility of
making perfect copies.
The principles of quantum mechanics provide the necessary
foundation for provably secure QKD systems, where adversaries
measuring or manipulating photons in flight necessarily introduce detectable errors. However, quantum mechanics doesnt
protect against physical or remote attacks against QKD hardware
or software.
References
1. S. Loepp and W.K. Wooters, Protecting Information, Cambridge
Univ. Press, 2006.
2. M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Information, Cambridge Univ. Press, 2010.
3. C.C. Gerry and P.L. Knight, Introductory Quantum Optics, Cambridge Univ. Press, 2005.
4. V. Scarani et al., Quantum Cloning, Rev. Modern Physics, vol. 77,
no. 4, 2005, pp. 12251254.

January/February 2015

photon sources; transmission mediums; error reconciliation methods; privacy amplification solutions; photon detector technologies; and various combinations of
optical, electro-optical, and electronic devices.

The QKD SecurityPerformance

Trade Space

QKD systems are designed to securely distribute cryptographic keys, and securityperformance tradeoffs
should factor in the systems purpose and operational
environment. System performance is generally defined
by the desired capability (that is, a secret key rate) and
the intended application (that is, a transmission distance), while security is described by theoretical proofs
tempered by nonideal implementations assuming a
quality random key certified by the National Institute of
Standards and Technology.79
The creation of an ideal single photon source is an
excellent example of a securityperformance tradeoff.
Because on-demand single photon sources arent currently feasible, Alice attenuates a classical laser pulse
down from millions of photons to a mean photon number (MPN) of 0.1, according to QKD security proofs.7
A Poisson distribution probabilistically represents this
low energy level

P (n |)=

ne
,
n!

where = MPN and n is the number of photons in the

pulse. When MPN = 0.1, 90.48 percent of the pulses
have no photons, 9.05 percent have one photon, and
0.47 percent have two or more photons.8 The low
MPN mitigates vulnerabilities associated with multiphoton pulses, which let Eve siphon photons for use
in cryptanalysis. Although system designers would
like to increase the MPN to improve throughput, the
MPN must be relatively low to maintain a reasonable
security posture.
Other works have addressed QKDs theoretical
and practical securityperformance assumptions68;
we attempt to understand their component- and
system-level impact in realized systems. Its clear that
QKD system performance is a function of competing requirements (for example, key throughput, cost,
security, usability, maintainability, and resilience) and
implementation design decisions (for example, quantum exchange protocols, modulation types, encoding
schemes, and photon sources). However, system architects often make these design choices without fully
understanding the impact of their decisions.
This complex and dynamic trade space is precisely
where modeling and simulation provide great benefit to
system designers, implementers, and customers. Simulation studies allow system architects to more efficiently
www.computer.org/security

compare designs and make objective decisions with

increased confidence. To this end, weve enabled the
efficient study of QKD system architectures through a
modularized and parameterized simulation framework
that lets system architects and analysts design, build,
and evaluate QKD systems.

QKD Trade Space Evaluations

Here, we present our QKD reference architecture and

three example studies to show the design tradeoffs
between critical QKD components and system performance. We ordered these studies according to practical issues in the implementation space related to the
sender, receiver, and transmission channel; they also
correspond to the implementation nonidealities we
mentioned. These evaluations are intended to demonstrate the ability to model and study practical security
performance tradeoffs in QKD systems and arent
intended to be individually comprehensive.

Modeled QKD System Architecture

Figure 2 provides an end-to-end depiction of the QKD
systems quantum communication path from Alices laser
source to Bobs photon detectors. Each QCM comprises
multiple subsystems with one or more optical components and associated controllers; we present only the
most important. In total, this architecture consists of 35
optical components modeled in an event-driven paradigm and 16 controllers modeled in a process-based
paradigm. The model provides a hardware-focused architectural representation in which each component is configured with adjustable performance parameters.
Designers built the model in a modular fashion
from a library of components with user-defined levels
of detail, and verified each component against commercial specifications. System and subsystem verification
of critical behaviors such as expected signal strength,
transmission losses, final key rate, and QBER was also
conducted to ensure valid operation. In total, designers
made dozens of decisions and assumptions to model
these devices and supporting processes based on product specifications; reference literature; available publications; and input from senior quantum communication
physicists, optical research physicists, computer scientists, and electrical, computer, and systems engineers.
Alices signal pulse generator creates optical pulses
with wavelength S = 1,550 nm while the pulse modulator polarization-encodes the qubits. The decoy state
generator employs additional security states, the quantum-level attenuator reduces the classical-level optical
pulses (that is, millions of photons) to quantum-level
pulses (that is, MPN = 0.1), and the optical security
layer detects adversaries probing Alices pulse modulator to read the encoded pulse value.
35

TRENDS IN CRYPTOGRAPHY

Alice QCM
Signal pulse
generator

Pulse
modulator

Decoy state
generation

Quantum-level
attenuator

Optical
security layer

Beam coupler

Switch

Timing pulse
generator

Power monitor
feedback

PolM
S

DET

Quantum module controller

Bob QCM

Input stage
filter

Polarization
correction
controller

Polarization
detector

Single photon
detectors
DET

DET

DET
DET

Quantum module controller

Figure 2. Decomposed Alice and Bob quantum channel modules (QCMs). The quantum communication path is used to prepare and measure
polarization-based qubits. Each subsystem includes one or more optical components and controllers modeled in a modular fashion with
configurable operational parameters.

A timing pulse generator creates synchronization

pulses with wavelength T = 1,540 nm, which are combined with the qubit pulses S in the coupler. A power
monitor measures the optical pulses to ensure they have
the desired output MPN. Bobs input stage filters out
unwanted wavelengths and reduces the threat of optical probing attacks. The polarization correction controller compensates for transmission-induced polarization
errors using the timing pulse T as a frame of reference.
The polarization detector is configured to passively separate the four BB84 encoded polarization states (horizontal, vertical, diagonal, and antidiagonal), while SPDs are
configured to detect arriving qubits. The SPDs are synchronized with the timing pulse T to reduce noise by
precisely gating the detectorstemporarily placing the
SPD in a more sensitive state to detect single photons.

QKD Laser Sources

with Decoy State Implementations
Decoy states represent a significant advancement in
QKD technology as they increase the systems effective key rate and secure operational distance.7 Decoy
state implementations comprise three transmission
36

IEEE Security & Privacy

typessignal, decoy, and vacuumeach configured

with a different MPN and occurrence percentage.
For example, the signal state has an MPN of 0.6 and
is transmitted 70 percent of the time, the decoy state
has an MPN of 0.2 and is transmitted 20 percent of the
time, and the vacuum state has an MPN near 0 and is
transmitted 10 percent of the time. Each of these states
is randomly sent across the quantum channel according to its occurrence percentage and is otherwise indistinguishable to Eve.
The signal state facilitates higher key rates and
greater operational distances due to increased MPNs,
while the decoy state enables the system to detect
photon-dependent interference on the quantum channel. The vacuum state is intended to have pulses containing no photons, where its used to determine the
dark count (a spontaneous error rate) of the receivers photon detectors. The systems security posture
is ensured by monitoring and conducting statistical
comparisons between the signal and decoy states to
determine if Eve is interfering on the quantum channel, thereby preventing her from gaining information
on the secret key.
January/February 2015

Table 2. Comparisons of decoy state performance.

Propagation over 15 km (more than 50% loss)
A

Mean photon
number

Signal

0.5

60

251,501

41,140

Pulses
sent

Detection
count

Decoy

0.2

30

124,837

8,854

Vacuum

Approx. 0+

10

41,662

Total

100

418,000

50,000

QBER

0.0119

Propagation over 50 km (more than 90% loss)

Final key
size

15,439

Propagation over 15 km (more than 50% loss)

B

Mean photon
number

Signal

0.8

70

217,825

47,775

Decoy

0.1

20

62,179

2,223

Vacuum

Approx. 0+

10

30,996

Total

100

311,000

50,000

Pulses
sent

Detection
count

Table 2 demonstrates simulated results of two

decoy state configurations (A and B) over two operation distances15 km and 50 km. Each pulse type is
transmitted according to the stated MPN and occurrence percentage, with the resulting QBER and final key
size reported. The decoy state implementation has the
net effect of increasing the system key rate; however,
the securityperformance tradeoff is unclear (that is,
how the decoy state MPNs and occurrence percentages
affect the desired system security capability). For example, in Field Test of a Practical Secure Communication
Network with Decoy-State Quantum Cryptography,
two similar 20-km transmission links were established
with comparable signal MPNs of 0.65 and 0.60, while
the decoy MPNs were significantly different at 0.08 and
0.20, yet there was no discussion of the systems ability
to detect an eavesdropper.13
In general, decoy state research has focused on
increasing theoretical secure key rates with little discussion of their overall security posture. A comprehensive
characterization and sensitivity analysis is needed for a
fuller understanding of securityperformance design
tradeoffs. This type of analysis helps system designers
and security specialists determine appropriate performance parameters to meet user requirements and, ultimately, system certification.

Competing SPD Technologies

In QKD systems, SPDs are critical components, configured to detect very small energy levels (approximately
1.28 1019 J per photon at 1,550 nm). Commercially
available SPDs severely constrain system throughput
owing to poor detection efficiencies and relatively low
www.computer.org/security

QBER

0.0164

Pulses sent

Detection
count

926,269

41,529

463,235

8,459

154,496

12

1,544,000

50,000

QBER

Final key
size

0.0033

15,562

Propagation over 50 km (more than 90% loss)

Final key
size

17,975

Pulses sent

Detection
count

781,727

47,930

223,123

2,063

112,150

1,117,000

50,000

QBER

Final key
size

0.0051

18,020

maximum detection rates (due to long dead times necessary to prevent erroneous after pulse detections).14
SPD performance is further limited by dark counts and
jitter time (that is, variance in detector response once
a photon is received). Although these limitations can
be partially mitigated by advanced control circuitry,
theyre inherent to the devices material makeup and
operational environment. In addition, SPDs can play
an important role in security as the capability to precisely determine the number of photons receivedand
therefore multiphoton pulses senthelps to mitigate
photon-splitting attacks on the quantum channel.
In this study, we consider the efficiency, maximum
count rate, dead time, jitter time, dark count probability,
and temperature sensitivity of avalanche photodiodes,
superconducting nanowire SPDs, and transition edge
sensors (see Table 3). We determine system performance from a simulated transmission of 1,000,000
qubits through the architecture, reporting the scenario
detection count and operational time. As the relatively
low detection counts indicate, QKD systems generally have poor throughput due to the sources Poissonian nature (1/10 pulses contains a photon) and high
transmission losses through the fiber channel (approximately 50 percent over 15 km).
Avalanche photodiodes are classical optical detectors reverse-biased with higher-than-normal voltage,
causing them to become sensitive to single photons.
Despite their seemingly poor performance, avalanche
photodiodes are implemented with inexpensive thermal-electric coolers owing to their relatively low production costs and ability to operate in close proximity
to room temperature.
37

TRENDS IN CRYPTOGRAPHY

Table 3. Single photon detector (SPD) evaluation for secret key generation.
Competing
detector
technologies

Detector
efficiency
at 1,550
nm

Maximum
detection
rate (Hz)

Dead time
(s)

Jitter
time
(ps)

Dark
count
(1/s)

Operating
temperature
(K)

Relative
cost

Photon
resolving

Scenario
detection
count

Scenario
operation
time (s)

Ideal SPD

100%

Approx. 0+

0.0

0.0

295

N/A

39,016

Avalanche
photodiode

10%*

10 kHz*

100*

370*

Approx.
91*

200*

Low

4,059

100

Superconducting
nanowire SPD

57%*

1 GHz*

0.01*

30*

Approx.
0+*

1.5 to 4*

High

22,457

0.001

Transition edge
sensor

95%*

100 kHz*

10*

100,000*

Approx.
0+*

0.1*

High

37,323

10

* Values are from Single-Photon Detectors for Optical Quantum Information Applications.14 The ideal SPD is a baseline to compare performance parameters.

Offering increased efficiency and high throughput

potential with little noise, superconducting nanowire
SPDs detect single photons through current fluctuations
caused by arriving photons. These devices have been
used in experimental QKD systems and show promise
as the next-generation SPD of choice. Simulating this
device had the added advantage of modeling significantly increased pulse rates, which revealed temporal
dependencies and limitations in the architecture, such
as the relationship between pulse rate and encoding
mechanism performance.
Superconducting transition edge sensor arrays offer
very high efficiencies, triggered by minute temperature changes caused when absorbing photons. Their
ability to accurately resolve photons is very appealing for security, but they require elaborate multistage
cooling devices to achieve near-absolute-zero operating temperatures, which preclude them from all but
the costliest QKD implementations.
This example demonstrates the ability to quickly
compare competing technologies, including multiple
key performance parameters, in an end-to-end system
configuration with less overall expense than building or
modifying existing systems. In addition, this study highlights the flexibility of modeling and evaluating desired
capabilities, such as photon resolving detectors to meet
user performance and security requirements.

Impact of Polarization State Errors

Here, we examine the relationship between polarization error compensation and system-level performance.
Accurate timing and polarization alignment are necessary for successful quantum communications and
particularly important for polarization-based QKD
systems, such as the original BB84 protocol, terrestrial
line-of-sight lasers, and satellite-based QKD. Our study
is loosely based on results from the Tokyo QKD network experiment in which environmentally induced
vibrations over a 45-km transmission link strung from
38

IEEE Security & Privacy

telephone poles caused continuous recalibrations and

temporary system outages.15
In this study, the modeled QKD system architecture is configured to transmit frames of qubits, where
each timing pulse T begins a frame of 1,000 individually modulated signal pulses S . These frames propagate
through 45 km of aerial fiber subject to simulated environmental disturbances such as temperature change,
vibration, sway, and inclement weather. These disturbances induce changes to the polarization state of the
signal pulses S , and when left uncorrected, they can
cause channel misalignment errors proportional to the
angle of drift from the reference angle. The receivers
polarization controller is designed to correct this error
but has a fixed slew rate, potentially limiting the QKD
secret key generation rate.
Figure 3 depicts our examination of this scenario
over a simulated 30-second quantum communication period, where Alice sends Bob 15 million reference pulses T subject to physical disturbances. A
general random approximation (that is, Brownian
motion) is used to model these disturbances resulting from induced stresses on the quantum channel.
Under normal operating conditions, including minor
temperature changes, winds, and vibrations, or even
moderate stresses, including light winds and nearby
traffic vibration, the polarization error can be corrected. However, with significant environmental or
physical stresses, such as high winds or close-proximity subway trains, adverse effects on key throughput will likely occur, as Figure 3 demonstrates with a
simulated strong wind gust occurring between 10 and
20 seconds.
We simulated a 10-second strong wind gust with
increased randomness, exceeding the controllers
ability to compensate for rapid changes to the polarization state of the transmitted optical pulses (15
degrees/ms). Severe disturbances on the quantum
channel result in system-level outages in which the
January/February 2015

Orientation (deg)

Normal operating conditions

(a)

270
225
180
135
90
45
0

Pulse polarization

Simulated strong wind gust

Transmitted at Alice
Received at Bob

10

Normal operating conditions

15
Polarization rate of change

20

Rate (deg/ms)

30

Component impact of strong wind gust

30

(b)

25

Polarization controller
Correction threshold
Polarization error rate

25
20
15
5
0

10

Normal operating conditions

15

Quantum bit error rate (QBER)

20

25

30

System impact of strong wind gust

Rate (%/sec)

20

(c)

>20%

15

QBER threshold
System QBER

10
5
0

10

15
Time (sec)

20

25

30

Figure 3. Polarization correction for aerial fiber disturbances. During this simulated 30-second quantum communication
period, Alice sends Bob 15 million reference pulses T subject to physical disturbances. Under normal operating conditions
or moderate stresses, the polarization error can be corrected. However, when significant environmental or physical stresses
exist, adverse effects on key throughput are likely.

QBER exceeds the established security threshold of

11 percent.15
The results of this simulation demonstrate the careful consideration designers must take regarding the
operation and performance of critical components. For
instance, polarization controller performance ranges
from high-end controllers capable of correcting errors
to within 1 degree in less than 1 ms for tens of thousands of dollars to low-end devices costing hundreds of
dollars with far less precision.
Holistically considering the architectural trade space,
QKD system designers might adjust the pulse frame
size, lower the pulse rate, use alternative synchronization
methods, or take advantage of more robust QKD encoding protocols. Designers should also factor in tradeoffs
between buried (protected) and aerial (unprotected)
fiber. A similar argument can be made for line-of-sight
laser QKD applications, which might have lower installation costs but are subject to additional environmental
constraints such as rain, fog, dust, and smog.
www.computer.org/security

ur future efforts will include studying alternate QKD architectures, exploring emerging
applications such as satellite-based QKD, and modeling notional capabilities. We also want to model and
conduct multicriteria performance analyses to mitigate the risk of unwanted emergent behaviors, discover
unknown dependencies, and confidently meet strict
performance and security requirements.
Acknowledgments
The Laboratory for Telecommunication Sciences grant
5743400-304-6448 supported this work. The views expressed
in this article are those of the authors and do not reflect the
official policy or position of the US Air Force, the US Department of Defense, or the US government.

References
1. C. Elliott, Quantum Cryptography, IEEE Security & Privacy, vol. 2, no. 4, 2004, pp. 5761.
2. Layer 2 Link Encryption with Quantum Key Distribution,
39

TRENDS IN CRYPTOGRAPHY

3.

4.
5.

6.

7.

8.
9.

10.

11.
12.

13.

14.

15.

Cerberis, IDQ, Jan. 2012; www.idquantique.com/images/

stories/PDF/cerberis-encryptor/cerberis-specs.pdf.
L. Oesterling, D. Hayford, and G. Friend, Comparison
of Commercial and Next Generation Quantum Key Distribution: Technologies for Secure Communication of
Information, Proc. IEEE Conf. Technologies for Homeland
Security (HST 12), 2012, pp. 156161.
S. Wiesner, Conjugate Coding, ACM Sigact News, vol.
15, no. 1, 1983, pp. 7888.
C.H. Bennett and G. Brassard, Quantum Cryptography:
Public Key Distribution and Coin Tossing, Proc. IEEE
Intl Conf. Computers, Systems, and Signal Processing, 1984,
pp. 175179.
R. Renner, N. Gisin, and B. Kraus, An Information-Theoretic Security Proof for QKD Protocols, Physical Rev. A,
vol. 72, no. 1, 2005, p. 012332.
V. Scarani et al., The Security of Practical Quantum Key
Distribution, Rev. Modern Physics, vol. 81, no. 3, 2009, pp.
13011350.
N. Gisin et al., Quantum Cryptography, Rev. Modern
Physics, vol. 74, no. 1, 2002, pp. 145195.
Random Number Generation, Natl Inst. Standards and
Technology, 16 July 2014; http://csrc.nist.gov/groups/
ST/toolkit/rng/index.html.
V. Scarani and C. Kurtsiefer, The Black Paper of Quantum Cryptography: Real Implementation Problems,
arXiv:0906.4547v2, 2009.
Quantum Hacking Lab, Inst. Quantum Computing,
Univ. Waterloo, 2014; www.vad1.com/lab.
A. Tanaka et al., High-Speed Quantum Key Distribution
System for 1-Mbps Real-Time Key Generation, IEEE J.
Quantum Electronics, vol. 48, no. 4, 2012, pp. 542550.
T.-Y. Chen et al., Field Test of a Practical Secure
Communication Network with Decoy-State Quantum
Cryptography, Optics Express, vol. 17, no. 8, 2009,
pp. 65406549.
R.H. Hadfield, Single-Photon Detectors for Optical
Quantum Information Applications, Nature Photonics,
vol. 3, no. 12, 2009, pp. 696705.
K. Shimizu et al., Performance of Long-Distance
Quantum Key Distribution over 90-km Optical Links

Installed in a Field Environment of Tokyo Metropolitan Area, J. Lightwave Technology, vol. 32, no. 1, 2014,
pp. 141151.
Logan O. Mailloux is a commissioned officer in the US

Air Force and a PhD candidate at the US Air Force

Institute of Technology (AFIT). His research interests include system security engineering, complex
information communication and technology implementations, and quantum key distribution systems.
Mailloux received an MS in systems engineering from
AFIT. Hes a member of IEEE. Contact him at logan.
mailloux@afit.edu.

Michael R. Grimaila is the head of the Systems Engineer-

ing and Management Department at the US Air Force

Institute of Technology. His research interests include
computer engineering, mission assurance, quantum
communications and cryptography, data analytics,
integrated system health monitoring, network management and security, and systems engineering. Grimaila received a PhD in electrical engineering from
Texas A&M University. Hes a senior member of
IEEE. Contact him at michael.grimaila@afit.edu.

Douglas D. Hodson is a faculty member of the Computer

Science and Engineering Department at the US Air

Force Institute of Technology. His research interests
include computer engineering, software engineering, real-time distributed simulation, and quantum
communications. Hodson received a PhD in computer engineering from AFIT. Contact him at douglas
.hodson@afit.edu.

Gerald Baumgartner is a research physicist at the

Laboratory for Telecommunication Sciences. His

research interests include quantum optics, quantum
communications, quantum information, communications security, communications system modeling and simulation, and statistical signal processing.
Baumgartner received a PhD in physics from the
Illinois Institute of Technology. Contact him at
gbaumgartner@ltsnet.net.

Colin McLaughlin is a research physicist at the Naval

Research Laboratory. His research interests include

advanced photonics, quantum optics, and electrooptic sensors. McLaughlin received a PhD in physics from the University of Maryland. Contact him at
colin.mclaughlin@nrl.navy.mil.

www.computer.org/itpro
40

IEEE Security & Privacy

Selected CS articles and columns are also available for free

at http://ComputingNow.computer.org.
January/February 2015