Communication method and system using trusted nodes in quantum key distribution

Integrating PQC into EKR mode in QKD networks addresses security risks and key overhead issues, ensuring quantum-safe confidentiality and efficient key consumption in QKD systems with trusted nodes.

JP2026522696APending Publication Date: 2026-07-08ID QUANTIQUE SA

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
ID QUANTIQUE SA
Filing Date
2024-06-06
Publication Date
2026-07-08

AI Technical Summary

Technical Problem

Current QKD systems using trusted nodes face security risks due to the need to store and process sensitive information, which is not quantum-safe and results in unmanageable key overhead when using post-quantum cryptography.

Method used

Integrate post-quantum cryptography (PQC) into the Encrypted Key Relay (EKR) mode to ensure trusted nodes cannot access confidential data while maintaining efficient key consumption.

Benefits of technology

Provides quantum-safe confidentiality and optimal QKD key consumption by ensuring the trusted nodes do not access the exchanged keys, maintaining 100% efficiency and security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026522696000001_ABST
    Figure 2026522696000001_ABST
Patent Text Reader

Abstract

The QKD communication method includes the steps of generating a key K, transmitting a message m encrypted using key K1 via OTP and K1 to an intermediate node T, obtaining m by OTP decrypting using K1, encrypting this encrypted message using key K2 and transmitting the encrypted message and key K2 to a second node B, obtaining m by OTP decrypting using K2, and recovering key K by symmetrically decrypting m using key K', wherein K' is obtained by the steps of generating a key K' and message m' to be transmitted to the second node B at the first node A using the public key of the second node B, transmitting message m' to at least one intermediate node T via a classical communication channel, and at least one intermediate node T forwarding message m' to the second node B, and obtaining key K' at the second node using the private key and message m'.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0005] ,

[0004] , ,

[0001] The present invention relates to a device and method for reducing confidential information known to a trusted node during QKD communication, and more particularly, to a device and method for reducing confidential information known to a trusted node during QKD communication without affecting key overhead.

Background Art

[0002] Quantum cryptography or quantum key distribution, hereinafter also referred to as QKD, is a method that enables the distribution of a secret key with provable absolute security between two separate parties, a transmitter and a receiver. Quantum key distribution depends on the principles of quantum physics and quantum states, i.e., the encoding of information in quantum bits, in contrast to the use of bits in classical communication. Usually, photons are used for these quantum states. Quantum key distribution utilizes specific properties of these quantum states to ensure its security. <00,00010>

[0003] More specifically, the security of the method using this technology is due to the fact that the measurement of the quantum state of an unknown quantum system, such as a quantum bit, changes the system itself. In other words, a spy eavesdropping on the quantum communication channel cannot obtain information about the key without introducing errors into the key exchanged between the transmitter and the receiver, whereby an eavesdropping attempt is notified to the user.

[0004] An encryption device enables secure transmission of a useful payload by performing some symmetric encryption using the key exchanged by quantum key distribution. Specific quantum key distribution systems are described, for example, in Patent Document 1 and Non-Patent Document 2.

[0005] One of the most restrictive limitations of QKD is the distance limitation. Due to unavoidable losses in the optical waveguide and the fact that optical amplifiers cannot be used in quantum channels, the distance between the transmitter and receiver, i.e., the distance between Alice and Bob, is limited to approximately 100 km in commercial systems and up to 400 km in scientific experiments.

[0006] To increase the distance between Alice and Bob, the first solution to this limitation was an implementation of trusted nodes (TNs), a description of such a network can be found in Non-Patent Literature 2.

[0007] The principle of a trusted node (TN) is shown in Figure 1. In this figure, it can be seen that the trusted node is an intermediate element (Charlie) between Alice and Bob, communicating with both Alice and Bob and functioning as a key relay.

[0008] More specifically, the trusted node comprises two QKD modules, each belonging to an independent QKD link. One of the QKD modules receives a QKD signal from Alice and processes it to generate the first secure key. The other QKD module generates a new QKD signal to generate a second independent key and sends it to Bob. The two independent keys are then processed collaboratively by Alice, Bob, and the two QKD modules to generate the final secure key between Alice and Bob.

[0009] This means that the trusted node has a Key Management System (KMS), a QKD receiver for exchanging keys with Alice, and a QKD transmitter for exchanging keys with Bob. Therefore, the final key resides in all nodes, including the intermediate nodes, i.e., the trusted node, at the KMS layer.

[0010] In other words, the intermediate node shares the same final key as Alice and Bob, and therefore, the intermediate node must be completely trusted.

[0011] Since information is processed at trusted nodes and keys are available there, trusted nodes need to be secure and trusted by both parties. By integrating several trusted nodes into a chain, the trusted node QKD model can be used to design long-range QKD networks that extend globally, potentially encompassing entire countries, continents, or even satellites as trusted nodes.

[0012] In its current implementation, the TN holds the final key, which is ultimately distributed, for a certain period of time (a few seconds or a few minutes) by two end users. As the name suggests, key consumers who do not normally control the intermediate node must trust the network operator that the key is adequately protected from physical and IT attacks within the trusted node. This implies a security risk, and QKD cannot be used in cases such as those where standards prohibit the storage of keys on third-party sites in the financial sector.

[0013] Additionally, when a trusted node is used in a QKD network by some users, there may be a desire to hide the exchanged keys from it. This is typically the case when an intermediate node is shared among multiple customers.

[0014] In a typical conventional solution, the trusted node is a fully trusted intermediate node that simply acts as a relay for transferring keys. In this case, the intermediate node has full access to the sensitive information agreed upon by the endpoints. This mode of operation is called key relay (KR) mode.

[0015] However, as mentioned earlier, there are times when you want to hide the exchanged keys from the trusted node, especially when multiple users are using the trusted node.

[0016] A conventional solution to this problem involves partially trusting the intermediate nodes and using asymmetric cryptography to encrypt the confidential information exchanged at the trusted nodes. This mode of operation is called Encrypted Key Relay (EKR) mode. This method will be explained in detail below.

[0017] However, while KR mode performs with 100% efficiency, this means that the required QKD exchange keys can be minimal. In EKR mode, the protocol consumes keys from the QKD with an overhead proportional to the size of the encrypted data. This overhead can be mitigated by using RSA, well-known public-key cryptosystems, or classical cryptography such as ECC, or conventional elliptic curve cryptography. However, if quantum-attack-resistant public-key cryptography (commonly called post-quantum cryptography, hereafter abbreviated as PQC) is used, the overhead becomes unmanageable.

[0018] Therefore, a solution is needed to reduce sensitive information known by trusted nodes without affecting the overhead and QKD consumption during data transmission using the QKD protocol.

[0019] While current technologies can reduce the confidentiality known by trusted nodes, they cannot maintain the quantum-safe level of confidentiality of QKD because PQC encryption cannot be used without affecting key overhead. [Prior art documents] [Patent Documents]

[0020] [Patent Document 1] U.S. Patent No. 5307410 [Non-patent literature]

[0021] [Non-Patent Document 1] C.H. Bennett, "Quantum cryptography using any two non-orthogonal states", Phys. Rev. Lett. 68, 3121 (1992) [Non-Patent Document 2] ITU-T SG 13 Y.3800, Framework for Networks to supporting Quantum Key Distribution [Summary of the Invention]

[0022] The above problem is solved by the present invention, which includes integrating post-quantum cryptography (PQC) into a QKD network using trusted nodes.

[0023] More specifically, the present invention includes integrating PQC in an Encrypted Key Relay (EKR) mode without overhead related to the consumption of keys coming from QKD.

[0024] The invention described herein provides the guarantee that the trusted nodes cannot access the confidential data exchanged between endpoints. Such a guarantee is as strong as the PQC is robust and is generally referred to as "quantum-safe".

[0025] In addition, the present invention consumes fewer keys exchanged via QKD than in the KR mode. Therefore, it has 100% efficiency with respect to key consumption.

[0026] A first aspect of the present invention is a QKD communication method performed between a first node A and a second node B via at least one intermediate node T, the QKD communication method comprising, in the first node A, a step of generating a key K, wherein the key K is symmetrically encrypted using a key K' to create an encrypted key m as a result, and in the first node A, a step of OTP encrypting a message m using a key K1 and transmitting the encrypted message and K1 to the intermediate node T, and in the intermediate node T, a step of OTP decrypting the message transmitted from the first node A using K1 to obtain m, and then OTP encrypting the message m using a key K2 and transmitting the encrypted message and the key K2 to the second node B, and in the second node B, a step of OTP decrypting the message transmitted from T using K2 to obtain m, and symmetrically decrypting m using the key K' to recover the key K, K' being obtained in the first node A by a step of generating a key K' and a message m' to be transmitted to the second node B using the public key of the second node B, and a step of transmitting the message m' to at least one intermediate node T via a classical communication channel, and at least one intermediate node T transferring the message m' to the second node B, and a step of obtaining the key K' using the secret key and the message m' in the second node, a QKD communication method characterized by that.

[0027] Preferably, the first four steps are executed simultaneously with the K' acquisition step.

[0028] Advantageously, the messages m and m' are transmitted through a classical channel.

[0029] According to a preferred embodiment of the present invention, the keys K1 and K2 are transmitted through a quantum channel.

[0030] Advantageously, the first node A generates the key K' and the message m' by performing the server side of a key agreement procedure using the public key of B.

[0031] Preferably, the second node obtains key K' by performing the client-side of the key agreement procedure using its private key.

[0032] A second aspect of the present invention is a QKD communication system comprising a first node, a second node, and an intermediate node, adapted to perform the QKD communication method according to the first aspect of the present invention.

[0033] Preferably, the first node is a transmitter comprising a QRNG device and a QKD transmitter, and the second node is a receiver comprising a QKD receiver. [Brief explanation of the drawing]

[0034] The present invention will be described with reference to the drawings, where the same reference numeral indicates the same feature. In particular, [Figure 1] This diagram illustrates a conventional trusted node system. [Figure 2] This diagram reveals a simplified structure of a message transmitted through a node. [Figure 3] This figure discloses the execution of the EKR method according to the present invention. [Figure 4] This is a flowchart illustrating the method according to the present invention. [Modes for carrying out the invention]

[0035] To better understand the present invention, it will be described with reference to specific embodiments. However, it will be understood that the present invention is not limited to the embodiments described herein, but rather encompasses all embodiments defined by the claims and within the scope of the claims.

[0036] The present invention is shown in Figures 2 to 4.

[0037] In this specification, three nodes are considered, but it should be understood that the present invention may of course be applicable to various systems having two or more transmitters, receivers or intermediate nodes. The three nodes here are (i) A, also called Alice, for a transmitter including a QKD transmitter and a QRNG device; (ii) B, also called Bob, for a receiver including a QKD receiver; and (iii) T, for an intermediate node including both a QKD transmitter and a QKD receiver.

[0038] A typical trusted node system is shown in Figure 1. Transmitter A is connected to intermediate node T via classical and quantum channels. Similarly, receiver B is connected to intermediate node T via classical and quantum channels. However, there is no direct connection between node A and node B.

[0039] Therefore, all communication between A and B, including key exchange via QKD and classical communication, passes through T.

[0040] In this case, the intermediate node T is only partially trusted, i.e., (i) it is assumed that it will properly perform its obligations (in particular, message reception / transmission and associated security obligations), and (ii) the key agreed upon between A and B is not revealed to T.

[0041] It should be noted that these assumptions are typical for an intermediate node T shared among multiple customers. In this case, a given customer does not want other users on the intermediate node to have access to the keys that the customer exchanges.

[0042] Furthermore, in this system, node B possesses an asymmetric key pair, and node A obtains the public access information for this key pair.

[0043] Figure 2 discloses a simplified structure of a typical message exchanged between nodes A and B via T.

[0044] In a typical conventional protocol, the exchange of QKD keys between A and B via T is performed according to the following steps:

[0045] 1. Node A performs the server-side key agreement procedure using B's public key. This leads to the generation of key K and message m, which should be sent to B.

[0046] 2. Nodes A and T exchange QKD-exchanged keys K1 generated by the QKD protocol via their respective pairs of QKD transmitters / receivers.

[0047] 3. Node A performs a bitwise XOR operation between message m and key K1 to encrypt message m, and then sends this encrypted message to T via their classical communication channel.

[0048] 4. Node T performs a bitwise XOR operation with K1 to obtain m.

[0049] 5. Nodes T and B exchange QKD exchanged keys K2 generated by the QKD protocol via their respective pairs of QKD transmitters / receivers.

[0050] 6. Node T performs a bitwise XOR operation between message m and key K2 to encrypt message m, and then sends this encrypted message to B via their classical communication channel.

[0051] 7. Node B performs a bitwise XOR operation with the message sent from T and K2 to obtain m.

[0052] 8. Node B performs the client-side key agreement procedure using its private key and message m to obtain key K.

[0053] As a result, nodes A and B have agreed on key K without revealing it to node T.

[0054] The present invention will now be described with reference to Figure 3, which discloses the execution of the EKR protocol between nodes according to the present invention.

[0055] The conventional protocols described above are based on the use of bitwise XOR for encryption (commonly referred to as one-time pad encryption, abbreviated as OTP), and this method requires that keys K1 and K2 are the same size as the message m being encrypted.

[0056] According to the present invention, by using EKR mode, it becomes possible to utilize elliptic curve cryptography (ECC) in the key agreement procedure, so that m is the same size as the key K agreed upon between A and B. Therefore, using ECC-based EKR mode does not consume more QKD exchanged keys than necessary.

[0057] This can be summarized by the following formula.

[0058] Size (m) = Size (QKD replaced key) = Size (K)

[0059] However, the size of message m depends on the chosen key agreement procedure. For example, when replacing ECC with PQC, m tends to be several orders of magnitude larger than the agreed key K. Therefore, expanding PQC instead of ECC will consume tens of QKD exchanged keys for a single key agreed between A and B.

[0060] Therefore, such a situation can be summarized by the following equation.

[0061] Size (m) = Size (QKD replaced key) >> Size (K)

[0062] As mentioned above, this consumption of QKD keys is unacceptable for the normal use of a QKD system. Therefore, the present invention proposes a different approach.

[0063] This invention essentially enables the complete mitigation of this problem by adding an additional layer of encryption.

[0064] It should be noted that while not specifically dependent on PQC, any key agreement procedure can be utilized, including PQC-based key encapsulation mechanisms, certified classical procedures (according to NIST SP-800-56c), or a combination of several methods.

[0065] Therefore, the present invention relates to a QKD communication method, as shown in Figure 4, which includes the following steps.

[0066] Step 1: Node A performs the server-side key agreement procedure using B's public key. This leads to the generation of key K' and message m', which should be sent to B.

[0067] Step 2 Node A sends message m' to T via the classical communication channel, and T forwards message m' to B.

[0068] Step 3: Node B performs the client-side key agreement procedure using its private key and message m' to obtain key K'.

[0069] Step 4 Node A uses its QNRG to generate a key K that is symmetrically encrypted using key K'. The resulting encrypted key is called m.

[0070] Step 5 Node A performs a bitwise XOR operation on message m and key K1, and sends this encrypted message to T via the classical communication channel. Key K1 is sent to T via a QKD transmitter / receiver pair between A and T.

[0071] Step 6 Node T performs a bitwise XOR operation with the message sent from A and K in order to obtain m.

[0072] Step 7: Repeat Step 5 between T and B using key K2.

[0073] Step 8 Node B performs a bitwise XOR operation with the message sent from T and K2 to obtain m.

[0074] Step 9 Node B decrypts m symmetrically using the key K' obtained in Step 3 in order to recover key K.

[0075] As a result of the above protocol, nodes A and B have agreed on key K without revealing it to node T.

[0076] According to a preferred embodiment, steps 2-3 are carried out together with steps 5-6-7-8.

[0077] In this design, an OTP encrypted message is itself a symmetric encryption of the final key agreed upon between A and B, and is typically the same size as this key.

[0078] In this method, the situation returns to the desired state summarized by the formula: size(m) = size(QKD exchanged keys) = size(K), which is independent of the selected key agreement procedure. Whether a PQC-based key agreement procedure is selected, or whether several key agreement procedures are combined, it leads to optimal QKD consumption.

[0079] The proposed scheme is also optimal in terms of QKD consumption. In fact, for most symmetric encryption, the message m is the same size as the final key K. Therefore, OTP encryption m requires exactly the same number of QKD exchanged keys as a large K, which is optimal with currently available technology.

[0080] Regarding external security, if an attacker intercepts public communications, the following will be captured:

[0081] 1. Public data required to implement the key agreement between A and B, which leads to the exchanged key K'.

[0082] 2. If the encryption key is K', then AES encryption is performed using OTP encryption (bitwise XOR) with the final key K agreed upon between A and B.

[0083] The protection of K' provided by point 1 is as strong as if the underlying key agreement procedure were being leveraged. However, an attacker who can recover K' can only exploit it by first decrypting the OTP encrypted message. Thus, the overall configuration is as secure as OTP with QKD exchanged keys. This means that the proposed configuration is consistent with the information theory security (ITS) of QKD.

[0084] If an attacker intercepts communications passing through T regarding confidential information within a trusted node, the following will be captured:

[0085] 1. Public data required to implement the key agreement between A and B, which leads to the exchanged key K'.

[0086] 2. Assuming the encryption key is K', AES encryption is performed using the final key K agreed upon between A and B.

[0087] An attacker can recover K by directly breaking the AES encryption or by recovering key K'. The latter means breaking the underlying key agreement. Therefore, confidentiality within node T is as strong as the weakest point between the key agreement and AES. When using PQC-based key agreement, it means that the proposed configuration provides quantum-secure confidentiality.

[0088] Finally, the proposed protocol is flexible in that it allows for free modification of the key agreement procedure and can even combine certified cryptographic techniques such as PQC with state-of-the-art cryptographic techniques.

[0089] While embodiments have been described in conjunction with several other embodiments, many alternative forms, modifications, and variations will be apparent, or will be obvious, to those skilled in the art in the applicable field. Therefore, this disclosure is intended to encompass all such alternative forms, modifications, equivalents, and variations that fall within the scope of this disclosure. This is, for example, particularly with respect to different nodes and their number that may be available. [Explanation of symbols]

[0090] A Transmitter B Receiver K key m message T intermediate node

Claims

1. A QKD communication method that connects a first node A and a second node B via at least one intermediate node T, The aforementioned QKD communication method is: The first node A has a step of generating a key K, wherein the key K is symmetrically encrypted using key K', and as a result, an encrypted key m is created. At the first node A, the message m is key K 1 The encrypted message and K are encrypted using OTP encryption. 1 The steps include transmitting to the intermediate node T, At the intermediate node T, the message transmitted from the first node A is K 1 OTP decryption is performed using to obtain m, and then the message m is sent to key K 2 The encrypted message and the key K are encrypted using OTP encryption. 2 The steps include sending the above to the second node B, At the second node B, the message sent from T is K 2 The steps include: obtaining m by OTP decryption using and recovering the key K by symmetrically decrypting m using the key K'; K', The first node A generates a key K' and a message m' to be sent to the second node B using the public key of the second node B, The steps include: transmitting the message m' to the at least one intermediate node T via a classical communication channel, and the at least one intermediate node T forwarding the message m' to the second node B; The second node obtains the key K' using the secret key and the message m', Characterized by being obtained by, QKD communication method.

2. The first four steps are characterized in that they are performed simultaneously with the K' acquisition step. The QKD communication method according to claim 1.

3. The messages m and m' are transmitted through a classical channel, characterized in that The QKD communication method according to any one of claims 1 to 2.

4. key K 1 and K 2 However, it is characterized by being transmitted through a quantum channel. A QKD communication method according to any one of claims 1 to 3.

5. The first node A generates the key K' and the message m' by performing the server-side key agreement procedure using the public key of B. A QKD communication method according to any one of claims 1 to 4.

6. The second node obtains key K' by performing the client side of the key agreement procedure using the second node's private key, A QKD communication method according to any one of claims 1 to 5.

7. A first node, a second node, and an intermediate node, adapted to perform the QKD communication method according to any one of claims 1 to 6, QKD communication system.

8. The first node is a transmitter comprising a QRNG device and a QKD transmitter, and the second node is a receiver comprising a QKD receiver, characterized in that The QKD communication system according to claim 7.