Open QKD

OPENQKD brings together a multidisciplinary team of the leading European telecommunication equipment manufacturers, end-users and critical infrastructure providers, network operators, QKD equipment providers, digital security professionals and scientists from 13 countries to reinforce Europe’s position at the forefront of quantum communication capabilities globally. The project will create an open QKD testbed to promote network functionality and use-cases to potential end-users and relevant stakeholders from research and industry. Over 25 use-case trials have already been determined and will be complimented by open calls for funding third parties. OPENQKD will develop an innovation ecosystem and training ground as well as helping to grow the technology and solution supply chains for quantum communication technologies and services. In preparation for not only managing a central QKD testbed in Geneva (CH), but as precursor to managing a pan- European network, we will incorporate testbeds in Cambridge (UK), Madrid (ES) and Poznan (PL), along with specific use-case-driven test sites and develop a virtual network of these islands of security as an interim substitute for a QKD backbone, bringing these distant networks together. OPENQKD will deploy 40 QKD systems with standardized hardware and software interfaces for network devices and protocols on over 1000km of fiber links, as well as testing compatibility with satellite-based schemes. The OPENQKD network will be used to demonstrate the transparent integration of quantum-safe technologies and solutions broadly across the European digital landscape as well as advancing initiatives for the standardization and certification of QKD-enabled technologies. The work in the OPENQKD testbed should lay the foundations for rolling out a pan-European quantum-safe digital infrastructure, with a solid basis to educate and lead a quantum-aware workforce and with European industry leaders already engaged.

Explanation of the work carried out by the beneficiaries and Overview of the progress

1.1 Objectives

Below we list the objectives of the OPENQKD project as presented in the DoA. For each objective we will present highlight results achieved in the second reporting period.

Objective 1: Establishment of the first QKD-enabled experimentation platform as innovation driver for European cryptographic systems.

Important advances have been made on the integration of QKD devices into real production networks along the project. Concretely, prominent efforts enable communication between devices that uses the same interface but also any other QKD devices connected to the same network in a transparent way. Regarding for example the Madrid Testbed, is now highly adaptable and configurable, adding the possibility to connect any QKD devices, with any key delivery API. This KM supports now the ETSI 004, ETSI 014, and it is possible to connect any QKD devices even using proprietary and low-level APIs. Additionally, in order to ease the integration of any kind of devices in the Madrid SDN QKD network, several drives are being created, in collaborations with other partners. Drivers for AIT QKD device and for Rohde and Schwarz have been already developed, both using the ETSI 004 interface. All these functionalities have been significantly improved on the second half of the project, developing several sets of software components and drivers to enable the interoperability between the QKD systems, KMSs (based on both ETSI 004 and 014), hardware (and software) encryptors.

The secure protocols relying on AES-256 have been adapted to combine (via different method such a XOR, KDF) the classical keys (exchanged using DH / RSA / ECC) and the “quantum key” requested to QKD devices. This demonstrates the possibility to use Hybrid keys, leveraging classical, quantum and tomorrow post-quantum Key Exchange Mechanism.  Objective 2: Standardized interfaces ensuring vertical and horizontal interoperability in the QKD eco-system.  The KMS is one of the key components in building large interconnected QKD network domains, and the support of open standard and interfaces is crucial, not only for the integration into real networks but also for the interoperability of the devices. This is an important advance for both components: based and layered classical networks. Further work is necessary to include experimental devices. Following this paradigm, important advances have been made in integrating ETSI 004, ETSI 014, ETSI 015, and partially the ISG 017 Network Work Item. Moreover, a new version of the ETSI 015 have been proposed approved and integrated into the Madrid Network. The new approved ETSI GS 018 is partially integrated and new standards like ETSI ISG 020 and ETSI ISG 021 will be approved at ETSI in the following months and after that, it will be integrated into the network.  Objective 3: Contribute to quantum cryptography standardization and security certification efforts.

Following the initial overview paper on the standardisation landscape “Current Standardisation Landscape and existing Gaps in the Area of Quantum Key Distribution” in 2021, the partners of OPENQKD under the lead of DIN decided to produce an updated version. The updated aper is in its final draft now and will be made available within the next month.

OPENQKD partners also contributed to several work items on QKD standardizations both in ETSI:

• Protection Profile (DGS/QKD-016-PP) Approved for publication

• Security Proofs (RGS/QKD-0005ed2_SecProofs)

• Characterization of Optical Output of QKD transmitter modules (DGS/QKD-0013_TransModChar)

• Group Report on Authentication for Quantum Key Distribution (DGR/QKD-019_AUTH)

• Interoperable KMS API (DGS/QKD-020_InteropKMS)

• Vocabulary (RGR/QKD-007ed2_Vocab)

as well as ITU-T and ISO:

• ISO/IEC JTC 1/SC 27/WG 3 – “Security requirements, test and evaluation methods for QKD”

• Parts 1 and 2 of ISO/IEC 23837 DIS ballot concluded: comments disposed and approved for publication

• ISO/IEC JTC 1/SC 27/WG 2 – revision of “ISO/IEC 18031:2011 - random bit generation”

• ITU-T SG13 – new work items mainly around interworking

• ITU-T SG17 – new work items including interworking

• ITU-T SG11 – work underway on interface Recommendations

OPENQKD also supported the evaluation and certification effort of the ETSI ISG QKD Work Item on QKD Protection Profile (DGS/QKD-016-PP). This protection profile for QKD, a world first, will be used in future to certify QKD systems for security applications. It is expected that the certified protection profile is ready by Q2 2023.

Several OPENQKD partners are participating in the QT Flagship efforts on Standardization and Certification by being members in the Joint Focus Group on Quantum Technologies (CEN/CENELEC) and in the Quantum Industry Consortium (QuIC). For the FGQT, partners contributed to the report “Standardization Roadmap for Quantum Technologies”.

Objective 4: Operation of use-cases deriving from Secure Societies on top of the QKD testbed.

In the second part of the project, thanks to the lifting of COVID-19 restrictions, the bulk of use-case demonstrations could be demonstrated together with the open-call use-cases. All in all, about 30 use-cases were demonstrated by OPENQKD partners together with another 18 use-cases from the open-calls. This very large number of demonstrations with end-users in many European countries raised the awareness of QKD to unprecedented levels. The use-case partners also cover a very wide range of sectors from health, finance, datacentre governments, telecom operators, critical infrastructure and more.

In addition to the actually implemented use-cases a series of use-case simulation was performed mainly for locations without direct fibre access as well as for satellite QKD use-cases. For example, the partners UNIPD working with MPL and DLR focused on the use of an emulated secret key exchanged between a satellite and two ground stations for the secure exchange of satellite data. In UC-23 “Globally securing space and ground infrastructures”.  Objective 5: Open, robust, reliable, modular and fully monitored testbed facility supporting the European QKD and crypto industry and research community.  For the virtual network experience, AIT installed an InfluxDB on the internal database web server that was able to receive the performance data from all use cases over the AIT Kafka messaging bus. A new web interface has been developed using Angular which is used together with Grafana to create and present the visualizations of the collected performance data. In order to fulfil the goals of the task, the so called “Testbed Simulator” web interface has been developed to simulate a test bed using a map to get a rough idea how a testbed for ones use case could look like. The testbed simulator, which is also a web application that uses a docker container in the background for the calculations, was developed to give an overview how many keys can be generated in any given location. It is also possible to calculate how many keys would be consumed if an encryption service would be using the keys.  OPENQKD also developed an QKD network simulator, available for download at the OPENQKD website. The QKDNetSim simulator has been updated with ETSI standards 004 and 014. Now, it is being upgraded to support the SDN architecture using the OpenFlow 1.3 protocol. Work on the simulator includes upgrading the key establishment concept with the key-relay principle of generating a key based on QRNG.

The OPENQKD project also looked beyond QKD, by implementing novel cryptographic protocols, often while keeping the same hardware as for QKD. For the proof-of-principle experiments related to quantum digital signatures, two new CV-QDS and quantum secret sharing (CV-QSS) schemes were implemented by extending a pre-existing CV-QKD system. A quantum oblivious protocol running on standard QKD hardware was demonstrated by requesting raw keys directly from the post-processing stack. In addition, the off-loading of postprocessing into an untrusted cloud server was investigated. It was shown that even without trust assumptions such a scheme could be used to reduce the computational load on the QKD system hardware.

Objective 6: Lay the foundations for a Pan-European Quantum Network.

Feedback from the use-cases will be shared with the EuroQCI project coordinators. For this the public deliverables featuring use case results will be forwarded to the EuroQCI CSA “PETRUS” for distribution. These are the public deliverables D8.6 “First report on field trial execution” and D8.7 “Second and final report on field trial execution”.

The second open-call for external use-cases was very well received with 18 submitted proposals. Out of those, 8 were chosen to be implemented in OPENQKD. Leveraging on those use-cases several additional EU-countries (Slovakia, Hungary and Greece) were added to the OPENQKD testbed federation.

The OPENQKD project also demonstrated an international testbed interconnection between 3 of the main testbeds in the project, that are Madrid, Berlin and Poznan. An overview is shown on Fig. 1. The experiment has defined a set of border nodes between the three testbeds. Two current implementations of the border nodes have been tested successfully, and both of them are based on the ETSI key delivery standards (ETSI GS 014 and 004), but instead of using QKD signals to generate the keys, in this specific case, due to the long distance and the current technological lack of quantum repeaters, these interfaces have been adapted to use Post Quantum Crypto (PQC) algorithms. The experiment also includes satellite connection and key transport from any network to any network involved in the experiment as well as several performance tests. This experiment represents the first cross European quantum safe key exchange system and an important starting point on the development of the future EuroQCI infrastructure. OPENQKD also prepared a report on “Roadmap for large scale QKD deployment” with the EuroQCI deployment in mind. 6