Agile and Versatile Quantum Communication: Signatures and Secrets

Agile cryptography allows for a resource-efficient swap of a cryptographic core in case the security of an underlying classical cryptographic algorithm becomes compromised. Conversely, versatile cryptography allows the user to switch the cryptographic task without requiring any knowledge of its inner workings. In this paper, we suggest how these related principles can be applied to the field of quantum cryptography by explicitly demonstrating two quantum cryptographic protocols, quantum digital signatures (QDS) and quantum secret sharing (QSS), on the same hardware sender and receiver platform. Crucially, the protocols differ only in their classical postprocessing. The system is also suitable for quantum key distribution (QKD) and is highly compatible with deployed telecommunication infrastructures, since it uses standard quadrature phase-shift keying encoding and heterodyne detection. For the first time, QDS protocols are modified to allow for postselection at the receiver, enhancing protocol performance. The cryptographic primitives QDS and QSS are inherently multipartite, and we prove that they are secure not only when a player internal to the task is dishonest, but also when (external) eavesdropping on the quantum channel is allowed. In our first proof-of-principle demonstration of an agile and versatile quantum communication system, the quantum states are distributed at GHz rates. A 1-bit message may be securely signed using our QDS protocols in less than 0.05 ms over a 2-km fiber link and in less than 0.2 s over a 20-km fiber link. To our knowledge, this also marks the first demonstration of a continuous-variable direct QSS protocol.

Popular Summary

Throughout history, cryptography has been threatened by advances in mathematics and computational power. This typically leads to a cat-and-mouse effect as cryptosystems are repeatedly developed, attacked, and then hardened. Redeployment of a cryptosystem in the face of new attacks is a difficult and costly endeavor. But by providing a flexible and opaque middleware between the end user and the cryptographic algorithm, the deployed architecture can stay in place while the vulnerable algorithm is replaced. In our paper, we demonstrate this concept of “cryptographic agility” in a quantum communication setting.

Quantum communication protocols already offer provable security against the most powerful adversaries, but often require bespoke hardware setups. To translate agility to the quantum setting, we propose two related concepts: quantum cryptoagility, in which a cryptographic algorithm may be replaced without affecting the end user; and quantum cryptoversatility, in which multiple cryptographic tasks are performed over the same system. Our design structures allow for quantum-secure networks that can be more easily upgraded if a new attack vector emerges and can automatically pick the most efficient quantum protocol from an available pool to accomplish the selected task.

To illustrate these concepts we investigate three protocols—quantum digital signatures, quantum secret sharing, and quantum key distribution—over the same off-the-shelf hardware. Our digital signatures protocol can securely authenticate a single message in less than 0.05 ms, making it the fastest-ever demonstration of such a protocol.

Figure 1

Comparison between classical cryptoagility and the proposed agile and versatile quantum cryptography architecture. (a) Classical cryptoagility and versatility: Different classical cryptographic algorithms, such as Rivest-Shamir-Adleman (RSA), elliptic curve Diffie-Hellman (ECDHE), advanced encryption standard (AES), one-time pad (OTP), or postquantum cryptography (PQC) can be flexibly combined on the same hardware platform. A network interface card (NIC) is used to send and receive secure communication. (b) QKD-assisted cryptoagility: Classical cryptographic algorithms make use of a pool of secret keys generated by a QKD cryptocore. The quantum functionality is tied to the hardware implementation and cannot be upgraded easily, e.g., to perform QDS or QSS. (c) Quantum cryptoagility: Classical cryptographic algorithms and different quantum protocols can be swapped out and combined as necessary, requiring no changes to the underlying hardware architecture. 10G NIC—10 Gb/s Ethernet network interface card.

Figure 2

A layer-based description of an agile and versatile quantum cryptosystem showing how its modular and decoupled components can be swapped out and recombined similarly to puzzle pieces. Quantum cryptoagility and versatility can both be realized by introducing a middleware (a collection of interface layers) between the user application (yellow) and quantum hardware (purple) layers. This requires that the hardware drivers expose a set of standardized functions to the layers above it. The middleware can then select suitable quantum cryptoprimitives and hardware-compatible protocols to fulfill a given user request for a given cryptographic task. In this manner, the middleware layers generalize and extend the functions of a key management system. For some of the acronyms in this figure, please refer to the caption of Fig. 1. CV-I/Q-Tx and CV-I/Q-Rx denote sender (Tx) and receiver (Rx) hardware modules capable of performing continuous-variable (CV) quadrature (I/Q) modulation and detection.

Figure 3

The sender (Tx) and receiver (Rx) modules may be reconfigured to make Alice either the sender (“$f$ configuration”) or receiver (“$b$ configuration”) of quantum states. Each setup may be immediately considered versatile, since once either the $f$ or $b$ configuration is chosen, multiple different cryptographic tasks may be performed. Agility is implied by separation of the user and hardware layers through a stable and opaque interface (see Fig. 2). Shading and a dashed outline are used to indicate that a single device may be used to emulate two different end points as we describe in Sec. 4.

Figure 4

Top: schematic drawing indicating how the different abstraction layers of quantum cryptoagility and versatility (see Fig. 2) are realized in our demo system as different pieces of software running on a laptop connected to our sender (Tx) and receiver (Rx) hardware. Bottom: the Tx and Rx modules used to perform four distinct quantum protocols, assuming different communication roles $A$, $B$, or $C$ as shown in Fig. 3. ECDL, external-cavity diode laser; iso, isolator; VOA, variable optical attenuator; IQM, I/Q modulator; pol.c., polarization controller; AWG, arbitrary waveform generator; LO, local oscillator; 90°h, 90°hybrid; OSC, oscilloscope

Figure 5

Top: raw quadrature data traces produced by our quantum communication system running QPSK modulation [35]. Bottom: a resulting phase-space constellation diagram after digital signal processing is applied to the raw data. Shaded circles indicate the means and variances of the coherent states sent and received, including quantum key states (green) and auxiliary phase reference states (red). SNU: shot noise unit, defined as the quadrature variance which is measured when no signal input is applied

Figure 6

Performance of agile and versatile system $\mathrm{QDS}\text{−}b\text{−}\mathrm{QSS}\text{−}b\text{−}\mathrm{CV}\text{−}\mathrm{QPSK}$. Top: QDS signature lengths under protocol QDS-$b$ with an entangling-cloner attack. The signature lengths at a distance of 2 km remain modest both in the ideal (above) and experimental realizations (Table 1), and the system is robust to choice of $\alpha$. Bottom: maximum calculated QSS key rates under protocol QSS-$b$ with a dishonest Eve performing a beam-splitter attack, and either Bob or Charlie dishonest. The key rate is robust to variations in $\alpha$ and remains large even for our 20-km channel. Solid (red), dashed (blue), dot-dashed (orange), and dotted (green) lines correspond to the performance deduced by parameters from experimental runs 1, 2, 3, and 4, respectively. Vertical grid lines depict loss levels over experimental channels $A$ and $B$ corresponding to fiber lengths 2 km (0.65-dB loss) and 20 km (4.75-dB loss).

Figure 7

Calculated performance of agile and versatile system $\mathrm{QDS}\text{−}f\text{−}\mathrm{QKD}\text{−}f\text{−}\mathrm{CV}\text{−}\mathrm{QPSK}$. Top: QDS signature lengths under protocol QDS-$f$ under a beam-splitter attack. Signature lengths $L$ at 20 km (channel $B$) remain feasible with both ideal (above) and experimental realizations (Table 1). At 2 km (channel $A$), the protocol requires small signature lengths and thus is the fastest QDS protocol over comparable distances (Fig. 8). Bottom: calculated maximum QKD key rates under protocol QKD-$f$ with a beam-splitter attack. Both: vertical grid lines denote channel losses at which we perform an experiment. Solid (red), dashed (blue), dot-dashed (orange), and dotted (green) lines correspond to experiments 1, 2, 3, and 4, respectively, and vertical grid lines depict loss levels over experimental channels $A$ and $B$ corresponding to fiber lengths 2 km (0.65-dB loss) and 20 km (4.75-dB loss).

Figure 8

Time required to sign a 1-bit message and the corresponding channel lengths for several recent QDS protocols. At the short distances (approximately 2 km) favored by the continuous-variable platform, our QDS-$f$ and QDS-$b$ allow for signing times of less than 0.05 and 6 ms, respectively, improving previous results in CV (a) and discrete-variable systems (b). At 20 km, QDS-$f$ has signing time comparable to recent DV-QDS systems (c)–(e). Protocols depicted: red triangles, current paper; (a) free-space CV QDS [25]; (b) unambiguous-state-elimination-based QDS [26]; (c) differential-phase-shift-based QDS [18]; (d) GHz BB84 QDS [21]; (e) early QDS-QKD “versatile” system with measurement-device-independent capabilities [23].