Skip to main content
Publications lead hero image abstract pattern


Written By:

Lee Sattler and Dante Pacella, Verizon Labs

Published: 28 Feb 2022


CTN Issue: February 2022

A note from the editors:

Now more than ever information security and confidentiality are in the minds of individuals, enterprises, and governments alike.  We have seen the events in Europe the last several weeks and how cyber warfare has become a modern-day battlefield.  We discussed this subject "Okay, the Unexpected I Can Deal With... As Long as I'm Expecting It, That Is…" on the January issue “A Look Back at 2021 and Our Predictions for 2022”, as this is clearly a challenge to modern day communications.

Confidentiality has always been an inherent part of communication. Modern encryption and authentication depend on asymmetric cryptography, which is based on the mathematical premise that deriving the private key requires an amount of computation that is unattainable in a timely manner.  However, recent advances in quantum computers have demonstrated a supremacy or advantage that can potentially challenge that premise, which begs the question: how can confidentiality be sustained in the future?

We invite you to read the excellent overview by Dante Pacella and Lee Sattler on how a form of encryption based, ironically, on quantum mechanics properties, can make confidentiality safe despite the advances in processing power beyond today's classical computers.

Weimin Liu, CTN Guest Editor
Miguel Dajer, CTN Editor in Chief

Quantum Key Distribution (QKD): Safeguarding for the Future

Lee Sattler

Lee Sattler

Associate Fellow

Verizon Labs

Dante Pacella

Dante Pacella

Technology Fellow

Verizon Labs

Exchanging confidential information in the open has always been a tricky business. Cryptography has long been used to prevent eavesdroppers from obtaining the transmitted secrets; an entire infrastructure has been built around cryptography for securely transmitting digital confidential information. Encryption based on quantum cryptography has progressed in recent years but in order to understand its significance we first briefly describe classic cryptography.

Cryptography and the Rationale of Key Exchange

Cryptography encrypts plaintext into ciphertext in a manner which renders the characters unreadable without knowledge of the mechanisms and key used to encrypt the plaintext. The mechanism used to encrypt the text is referred to as a cipher. Caesar Cipher is the most basic form of cipher: a simple letter substitution. In modern communications, we use more complex ciphers based on complex mathematical operations and keys. In this context, a key is a shared secret which is used in the mathematical operations and knowledge of the key is used to transform the ciphertext back into plaintext. Examples of some common ciphers are Rivest–Shamir–Adleman (RSA), Elliptic-curve cryptography (ECC), and Advanced Encryption Standard (AES). While the mathematical operations for these ciphers are well-known, the complexity of the mathematical operations as well as the length of keys provide confidentiality between the sender and receiver.

Asymmetric and symmetric cryptography are two types of encryption methods used today.  Symmetric cryptography utilizes a single pre-shared key for encryption and decryption and is more desirable because it is faster and requires less computing power to encrypt and decrypt information; however, the key must be pre-shared at each endpoint. Given this pre-sharing requirement along with the best practice of key rotation, if there are a multitude of sites, key management can be burdensome.

Asymmetric cryptography provides a solution to key management given that it utilizes two keys, a public key and a private key, for encryption and decryption. Each participant in the communication will have their own public-private key pair. The public key can be shared with anyone, allowing the recipient to encrypt messages which only the owner of the private key can decrypt. A drawback of asymmetric encryption is it requires more time and computing power; however, this can be used as a secure way to exchange a symmetric key. Once accomplished, the session can switch to symmetric cryptography.

Using asymmetric encryption to set up symmetric encryption sessions is the basis of secure communications on the Internet, occurring transparently for users Public Key Infrastructure (PKI), provides authentication and confidentiality for communications over the Internet. The most widely used asymmetric ciphers have a limited lifetime.  Ciphers are considered strong if the amount of time and computing power required to execute a brute force attack to determine a key is impractical.[1][2][3]

The Threat of Quantum Computing

Quantum computers continue to progress in terms of computational power, and it is expected that they will eventually be powerful enough to efficiently determine the keys used in asymmetric ciphers such as RSA and ECC. Once a powerful enough quantum computer exists, Shor’s quantum algorithm for factoring and Grover’s quantum algorithm for search can be used to rapidly factor numbers and speed up searches.  RSA assumes that the computation required for large prime numbers is extremely hard and takes an inordinate amount of time using classical computers. However, Shor’s algorithm can solve the prime factorization in polynomial time using superposition and quantum Fourier transforms that can take advantage of quantum computers.

In general, symmetric ciphers with sufficient key length are not as vulnerable; however, if a vulnerable asymmetric cipher were used to establish symmetric cipher key, then it is possible to intercept and decode the ciphertext from an asymmetric session and obtain the key used for the symmetric session. Another consideration is data confidentiality lifetime: determining what the impact is if the key establishment and encrypted data were captured and stored today for decryption with a quantum computer later. One solution to this symmetric key distribution issue is Quantum Key Distribution (QKD).[4][5]

Quantum Key Distribution (QKD)

Quantum Key Distribution (QKD) leverages the properties of quantum mechanics to securely derive a symmetric encryption key at two locations. There are several different implementations and protocols used for QKD with Discrete-Variable QKD (DV-QKD) being used in many of the commercial QKD systems available today. A DV-QKD system consists of two endpoints with a sending side referred to as Alice and a receiving side referred to as Bob. The media between Alice and Bob could be free space or dark fiber. Alice encodes a bit value, 0 or 1, on a single photon by controlling the phase or polarization of the photon.  This is different from the type of digital communication used today where large pulses of photons or changes in voltages are used to encode information. Here the information is encoded on a single photon. The transmission of the encoded photons occurs over what’s known as the quantum channel.  A separate channel, referred to as the classical channel, is also established between the two endpoints for clock synchronization, key sifting, or other data exchange, and this channel could be any conventional data communication channel. Initial implementations consisted of separate dedicated fibers for the quantum and data channels; however, separate wavelengths can be used for each channel on the same fiber, leading to more cost-effective deployments and efficiencies. This type of deployment is shown simplified between two sites in Figure 1.

Figure 1: A simple two-site QKD exchange protecting video traffic
Figure 1: A simple two-site QKD exchange protecting video traffic

Regarding Figure 2, asymmetric encryption allows Alice to send a symmetric encryption key to Bob by using Bob’s public key for encryption which only Bob can decrypt the message with his private key. If Eve the eavesdropper has Bob’s public key and a strong enough quantum computer, she can easily determine Bob’s private key.  With Bob’s private key, Eve can see the symmetric key proposed by Alice and use it to decrypt the secrets sent over the subsequent symmetric encryption session.

Figure 2: Public Key and Symmetric Encryption with QKD
Figure 2: Public Key and Symmetric Encryption with QKD

Several protocols have been developed to obtain an encryption key from the encoded photons.  As depicted in Figure 3, BB84, proposed by C.H. Bennett and G. Brassard in 1984, is a popular protocol which encodes four bit values over two different measurement bases.

Figure 3: BB84 encoding example
Figure 3: BB84 encoding example

In the polarization case, two polarizing filters are available; one which filters vertically and horizontally and the other which filters in the diagonal directions. Alice transmits the photon through a random filter, Bob randomly applies a polarizing filter which the photon travels through and deflects to one of two photon detectors.  When the photon polarization matches the filter, it will always deflect to a particular detector so if Bob applied the vertical/horizontal filter and the polarization was vertical, Bob would always detect the photon on detector A and would assign a bit value of 0 while a horizontal polarization would be detected on detector B and be assigned a bit value of 1.  When the filter doesn’t match the photon polarization the photon randomly deflects to either detector. At the end of the sequence of photons, Bob shares the filter setting used with Alice over a classical channel. Alice informs Bob which measurements had the same send and receive filters. All the measurements where the filter settings didn’t match are discarded.  Although the filter settings are shared over the classical channel it provides no useful information to the eavesdropper because they only know the filter settings and not the measurements results. Next some error correction and privacy amplification can be applied to the remaining bit string resulting in the same bit string at each end which can now be used as a shared secret for symmetric encryption.

The provable security for QKD relies on quantum mechanical properties which allow detection and prevent successful eavesdropping. Quantum objects exist in a state of superposition where the value for a property of the object can be described as a set of probabilities for different values. Observation of the quantum object perturbs it in manner which leads it to collapse into a single measurable value. For example, a single photon could be encoded with a value based on its polarization and transmitted to a receiver. If that encoded photon were observed by an eavesdropper, the measurement will have changed the photon in an irreparable way which will be detected at the receiving end as errors. This property and the no-cloning theorem, which prevents a perfect copy of an arbitrary quantum state, provides the foundations for QKD security.

Other implementations of QKD include Continuous Variable QKD (CV-QKD) and entanglement.  With CV-QKD Alice applies a random source of data to modulate the position and momentum quantum states of the transmission.  When Bob measures the position and/or momentum states, the result will be the random string Alice had used. Alice then combines a secret key with the random string and sends that result over the classical channel to Bob who determines the secret key by backing out the random string and now both Alice and Bob have the same secret key.

Entanglement QKD leverages one of the more interesting quantum phenomena where two quantum particles are generated in a way in which they share quantum properties and no matter how far apart they may later separate, a measurement of a property on each will result in the same values.  So, two entangled photons possessing the same polarization could be measured in two locations, providing the same polarization values.  Entanglement QKD is exciting because it is a natural step towards the realization of a quantum internet. 

It should be noted that there are distance constraints on the QKD over fiber. The individual photons being transmitted will be absorbed over distance as the laser strength is attenuated to create the individual photons and standard telecom equipment cannot be used to repeat or strengthen the signal. In general, 100 kilometers has been stated as a practical limit. Methods to extend the distance include trusted exchange, twin field QKD, and quantum repeaters. Trusted exchanges act as a repeater, receiving the optical signals, converting them to digital and then back to optical. Trusted exchanges must be secured to prevent an intruder from reading the transmission while it is in digital form.

Other alternatives to trusted exchange are twin-field QKD and quantum repeaters. Twin-field QKD has generated interest since it is measure-device-independent (MDI) and effectively doubles the distance. In twin-field QKD both Alice and Bob transmit phase encoded pulses to a beam splitter on a third station, which we’ll call Charlie. The encoded pulses interfere with each other and get detected on one of Charlie's detectors. Charlie reports which detector was triggered to Alice and Bob who exchange information between each other to derive keys. MDI essentially means it makes no difference if Charlie is trusted or not because the measurements reported by Charlie do not provide enough information to gain knowledge of the key which will be derived.

Eventually quantum repeaters could break the distance barriers of QKD over fiber providing a similar function as repeaters in telecommunications provide today. There are still some difficult problems to be solved but progress continues to be made. Entanglement plus quantum repeaters not only extends QKD but will be foundations for the future Quantum Internet. Advancements in single photon sources and low noise detectors will further improve the viable distances for QKD. In addition to efforts for improving distances and key rates, the QKD systems should also provide a standard mechanism such as ETSI GS QKD 014 for retrieving the keys.[6][7][8][9]

Satellite QKD

As previously discussed, the distance limitation of a QKD system poses a challenge to global networks. Satellite QKD (S-QKD) offers a mechanism that can be used to augment terrestrial QKD for global environments. With S-QKD, free space optics enables the delivery of a photonic channel from which the symmetric key can be derived. Factors that will impact the use of S-QKD include weather and other environmental factors that impact the free space optic channel. Also, the key rate of the S-QKD system must be sufficient to support the keying material required for the network.

Post-Quantum Cryptography and QKD

Post-Quantum Cryptography (PQC) refers to ciphers which will be resistant to quantum computing. The National Institute of Standards and Technology is leading an effort to vet and standardize new cryptographic algorithms and should have final standards in the next one to three years. PQC and QKD can coexist bringing each of their strengths together. The advantage of PQC is that it does not require hardware to be added to the network. PQC is mathematically based, so it does have the risk that as quantum computers become more widespread that the algorithm could be broken. QKD is based on physics which makes it a stronger approach for security. QKD, however, has other challenges such as distance limitations and the need for additional hardware to be introduced. It is likely that PQC will initially be used at the furthest points in the network, e.g., on customer devices, and QKD will be used in more aggregated parts of the network. This will allow the scaling of the network to be preserved. [10]

Future of QKD

QKD has significant value in a post-quantum world due to its ability to enable symmetric key sharing between endpoints and identifying when eavesdropping on the quantum channel is occurring. However, to be broadly implemented by carriers, QKD must be supportable in a carrier environment providing the availability and reliability their customers expect. For example, disruption of the quantum channel can result in the loss of real-time key material; however, having a secure key storage associated with QKD allows key material to continue to be distributed while investigation of the quantum channel outage occurs. This also means that approaches and capabilities to troubleshoot and manage QKD equipment and services must be developed. Since QKD relies on quantum mechanics, observing state will impact the quantum system, and this in itself poses challenges to approaches for troubleshooting and management.  Continued focus in this area is required to enable large-scale deployments.

QKD has evolved from lab experiments to commercial off-the-shelf systems. The technology will continue to improve over time. Components will continue to see performance improvements and miniaturization. Improved components and protocols will extend operational distances. These improvements potentially open the door to QKD implementations on smaller mobile devices such as drones. Whatever the future of QKD may be, one can be certain it will be foundational for secure communications on the Quantum Internet.


  1. T. Shimeall, J. Spring, “Resistance Strategies: Symmetric Encryption”, Introduction to Information Security, Elsevier/Syngress (2014)
  2. W. Stallings, Cryptography and Network Security: Principles and Practice, 7th Edition, Prentice Hall (2017)
  3. J.P. Aumasson, Serious Cryptography: A Practical Introduction to Modern Encryption, No Starch Press (2017)
  4. S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, "Advances in quantum cryptography," Adv. Opt. Photon. 12, 1012-1236 (2020)
  5. L. Gyongyosi, L. Bacsardi, S. Imre, “A Survey on Quantum Key Distribution” in Infocommunications Journal. XI, 14-21 (2019)
  6. European Telecommunications Standards Institute. (2020). Quantum Key Distribution (QKD); Application Interface (ETSI GS QKD 004 V2.1.1). Sophia Antipolis, France; ETSI
  7. L. Ma, O. Slattery, and X. Tang, “Optical Quantum Memory and its Applications in Quantum Communication Systems”, Journal of Research of the National Institute of Standards and Technology. 125:125002 (2020)
  8. M. Caleffi, D. Chandra, D. Cuomo, S. Hassanpour and A. Cacciapuoti, "The Rise of the Quantum Internet" in Computer, vol. 53, no. 06, pp. 67-72, 2020.
  9. M. Lucamarini, Z. L. Yuan, J. F. Dynes and A. J. Shields “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters”, Nature. 557 400-403 (2018)
  10. A. Scriminich, G. Foletto, F. Picciariello, A. Stanco, G. Vallone, P. Villoresi, F. Vedovato, “Optimal design and performance evaluation of free-space Quantum Key Distribution systems”, Università degli Studi di Padova (2022)

Statements and opinions given in a work published by the IEEE or the IEEE Communications Society are the expressions of the author(s). Responsibility for the content of published articles rests upon the authors(s), not IEEE nor the IEEE Communications Society.

Sign In to Comment