#### **3.1 The QKDN architecture**

Optical networks today represent a fundamental infrastructure for data transport in the Internet, with more than 2 billion km of fiber deployed globally. To integrate QKD into existing optical networks, an architecture of QKD-enabled optical network with software-defined networking technology is proposed [24], as shown in **Figure 1**. It satisfies the needs of key resource pooling, network openness, and pipeline flexibility. The architecture consists of four planes: application (app) plane, control plane, QKD plane, and data plane, in top-down order.

The application plane generates connection requests. It is at the top of this architecture and is the destination of the final application of quantum keys. It uses the shared key pair provided by QKDN to perform encrypted communication between users. It mainly includes two application types: key application and network application.

The control plane is implemented using an SDN controller and is in charge of resource management and allocation for the QKD plane and data plane. The control plane is the core module of the QKDN architecture. It controls the key distribution behavior of the QKD plane through the south-bound interfaces between the control plane and the QKD plane and communicates with the application layer. Introducing SDN is beneficial for managing the entire network's resources via logically centralized control. The north-bound interfaces of control plane open up network capabilities to the application plane. At the same time, the control plane can control the key supply strategies and complete the information interaction. Specifically, functions in the control plane of QKDN include QKDN topology acquisition, network virtualization, QKDN path calculation and resource allocation, QKD application registration, QKD service configuration, link control, policy control, notification processing, and quality of service control. The control plane also supports connection control, network optimization, and the ability to provide third-party applications in multi-domain, multi-technology, multi-level, and multi-vendor QKDN. In order to realize the scalability of the control plane, the control plane should also support hierarchical structure, multiple control domain division, and controller hierarchical nesting, etc.

**Figure 1.** *The architecture of QKD-enabled optical network [24].*

For each optical connection to be established in the network, in addition to the data channel (DCh), QKD requires a quantum channel (QCh) and a public channel (PCh) for secure key synchronization [25]. The QKD plane and the data plane share fiber spectrum resources using WDM technology to construct the QSCh, PICh, and TDCh. **Figure 1** shows a possible distribution of the different channels in the fiber C-band. The PICh and TDCh belong to the data plane and can use general-purpose transmitters and receivers. A quantum communication node (QCN) has quantum switching functions, namely quantum signal sending and quantum signal receiving, and can use existing technologies for quantum switches, quantum transmitters, and quantum receivers [26]. Physically, an optical cross-connect (OXC) and a QCN are co-located at one node.

There are two types of connection requests in QKDNs: those with and those without security requirements. For example, when a connection request with security requirements arrives from node 1 to node 5 (black solid lines in **Figure 1**), the SDN controller computes and allocates resources for the TDCh, PICh, and QSCh. In contrast, when a connection request without security requirements arrives from node 6 to node 4 (red solid lines in **Figure 1**), it is served by the TDCh in the data plane alone. The signaling procedures for configuring the two requests are delineated by black and red dashed lines in **Figure 1**, respectively. For the connection request with security requirements, the QSCh and PICh for secure key synchronization are constructed first (steps 2–4), and then the TDCh is constructed (steps 5–7).

#### **3.2 Trusted repeater nodes structure**

To overcome the distance limitation of QKD, either quantum repeaters or trusted repeater nodes (TRNs) are required. However, the feasibility of quantum repeaters has yet to be demonstrated in practical long-distance QKD networks [27]. The TRN technique is a practical solution for constructing long-distance QKD, and it has been widely adopted in deployed QKD networks, such as the recently deployed 2000 km QKD backbone network between Beijing and Shanghai in China.

An example of long-distance QKD based on TRNs is illustrated in **Figure 2** [28]. QBNsrc and QBNdest act as the source and destination QKD backbone nodes (QBNs) of two QKD users. TRN1 and TRN2 are deployed between QBNsrc and QBNdest. Three QKD links are separately established between QBNsrc and TRN1, TRN1 and TRN2, and TRN2 and QBNdest, while secret keys Ks1, K12, and K2d are separately produced on the three QKD links. To enable long-distance QKD between QBNsrc and QBNdest, four steps are performed as follows.


Finally, QBNsrc and QBNdest can share the secret key Ks1. To guarantee the ITS of the secret keys, a one-time pad cryptosystem is required for the encryption. To extend the distance of QKD further, a number of TRNs can be applied. Note that each TRN is required to be trustworthy.

*Multipoint-Interconnected Quantum Communication Networks DOI: http://dx.doi.org/10.5772/intechopen.101447*

**Figure 2.** *Example of long-distance QKD based on TRNs [28].*
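The hop-by-hop relay of Ks1 through TRN1 and TRN2 with one-time-pad encryption, as an added illustration that is not the chapter's own step list: the link keys K12 and K2d protect the public channel, and the returned `seen_in_clear` entries make explicit why every TRN must be trustworthy. The keys are constructed random stand-ins for real QKD link keys.

```python
import os

def otp(a: bytes, b: bytes) -> bytes:
    """One-time pad: XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def relay_through_trns(k_s1: bytes, k_12: bytes, k_2d: bytes) -> dict:
    """Relay Ks1 from QBNsrc to QBNdest via TRN1 and TRN2 using OTP.

    k_s1: key of the QBNsrc-TRN1 link, k_12: TRN1-TRN2 link, k_2d: TRN2-QBNdest
    link. Each link key is consumed by this relay and must never be reused.
    Returns the ciphertexts seen on the public channel, the key each TRN
    handles in clear, and the key recovered at QBNdest.
    """
    # TRN1 holds Ks1 (from its QKD link with QBNsrc) and K12.
    c1 = otp(k_s1, k_12)          # TRN1 -> TRN2 over the public channel
    # TRN2 holds K12 and K2d: strip K12, re-encrypt under K2d.
    at_trn2 = otp(c1, k_12)       # TRN2 now knows Ks1 in clear
    c2 = otp(at_trn2, k_2d)       # TRN2 -> QBNdest over the public channel
    # QBNdest holds only K2d and recovers Ks1.
    at_dest = otp(c2, k_2d)
    return {"public_channel": [c1, c2],
            "seen_in_clear": {"TRN1": k_s1, "TRN2": at_trn2},
            "recovered_at_dest": at_dest}

def demo(n_bytes: int = 32):
    """Constructed link keys; returns the relay record and the original Ks1."""
    k_s1, k_12, k_2d = (os.urandom(n_bytes) for _ in range(3))
    return relay_through_trns(k_s1, k_12, k_2d), k_s1
```

An eavesdropper on the public channel only sees c1 and c2, each of which is Ks1 masked by a fresh link key; the intermediate TRNs, by contrast, hold Ks1 in the clear.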

#### **3.3 Routing and resource allocation in QKDN**

With the expansion of the network scale, the number of users, and the continuous increase of security services, the problems of insecure key distribution process and low resource utilization in the key scheduling process in the prior art have become more and more prominent. To accomplish the key supply for services in QKDN effectively, the QKDN needs an efficient routing and resource allocation algorithm.

To accomplish the key supply for services, the concept of key as a service (KaaS) is proposed in [29]. It means providing secret keys as a service in a timely and accurate manner to satisfy the security requirements. The typical functions of KaaS are secret-key deployment and employment. To enable these functions, two secret-key virtualization steps are proposed: key pool (KP) assembly for secret-key deployment and virtual key pool (VKP) assembly for secret-key employment. In KP assembly, the secret keys stored in each pair of key storages are virtualized into a KP to facilitate secret-key resource management (e.g., KPA-B between KS-A and KS-B). In VKP assembly, a portion of the secret keys in a KP is virtualized into a VKP to enhance the security of dedicated service transmission (e.g., VKPA-B-1 or VKPA-B-2 abstracted from KPA-B). Hence, with the two steps combined, the secret keys can be deployed and employed for securing different services in QKDNs.

Given that only finite wavelength resources can be reserved as QKD links, the time-scheduled technique can be applied to increase efficiency by dividing each wavelength channel for QCh/PCh into multiple time slots. Then, through the sharing of QCNs and QKD links in different time slots, the assembly of KPs can be realized between node pairs. The granularity of a time slot, which is denoted by t, is the synchronization time to produce a fixed number N of secret keys after KP assembly between two directly interconnected nodes. Note that, the synchronization time includes the time for channel estimation and calibration, qubit exchange, key sifting, and key distillation. Considering the constant consumption of the secret keys in KPs by the services for encrypting and decrypting data, the periodical KP assembly is needed to compensate for secret-key consumption. The period of KP assembly is denoted by T. Note that t < T, which ensures that KP assembly can be realized within a period.

As shown in **Figure 3**, a static time-shared KP assembly strategy for efficient secret-key deployment based on the Dijkstra and first fit (FF) algorithms is presented. The KP assembly request is denoted by KP(sk, dk, N), where sk and dk denote the source and destination nodes of the KP assembly request and N the number of secret keys to produce. The number of KPs is n(n – 1)/2, since a KP is assembled between every pair of nodes, where n is the number of nodes in the QKDN. To compute and select the shortest QKD path between two nodes efficiently, the Dijkstra algorithm is utilized. The number of hops nh is also computed, which determines the required number of time slots. Then, the FF algorithm is utilized to allocate available time slots for the assembly of the different KPs.

**Figure 3.** *KP and VKP assembly strategies for key supply [29].*
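The time-shared KP assembly just described, as an added example (not the chapter's or [29]'s code): Dijkstra picks the path for each of the n(n – 1)/2 node pairs, and first fit assigns the earliest start slot in the period. It assumes that a KP over nh hops occupies one link per slot, consecutively, and that a link serves one KP per slot; the 4-node topology is constructed.

```python
import heapq
from itertools import combinations

def dijkstra_path(graph, src, dst):
    """Shortest path by link length; graph[u] = {v: length}. Returns the node list."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def assemble_kps(graph, slots_per_period):
    """Static time-shared KP assembly: one KP(sk, dk, N) per node pair, Dijkstra
    path, first-fit start slot. Assumption: a KP over nh hops uses link i of its
    path in slot start+i, and a link serves one KP per slot. Returns
    ({(sk, dk): (path, start)}, {(link, slot): (sk, dk)}); start is None when
    the KP does not fit into the period (t < T with too few slots)."""
    occupied, plan = {}, {}
    for sk, dk in combinations(sorted(graph), 2):  # n(n-1)/2 KP requests
        path = dijkstra_path(graph, sk, dk)
        links = [frozenset(h) for h in zip(path, path[1:])]  # nh undirected links
        nh, start = len(links), None
        for s in range(slots_per_period - nh + 1):  # first fit over start slots
            if all((links[i], s + i) not in occupied for i in range(nh)):
                start = s
                break
        if start is not None:
            for i in range(nh):
                occupied[(links[i], start + i)] = (sk, dk)
        plan[(sk, dk)] = (path, start)
    return plan, occupied

def example_topology():
    """Constructed 4-node QKDN; link lengths are arbitrary sample values."""
    return {"A": {"B": 1.0, "D": 2.5}, "B": {"A": 1.0, "C": 1.0},
            "C": {"B": 1.0, "D": 1.0}, "D": {"A": 2.5, "C": 1.0}}
```

With three slots per period every KP fits; with two, the two-hop KPs A-C and B-D cannot be scheduled because their first link is already taken in slot 0.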

After KP assembly, secret-key resource becomes a novel resource dimension in QKDNs, which can be virtualized. The virtualized KP is denoted as VKP. By assembling VKPs, the confidential services can be secured. Considering the different security requirements of services, different VKPs can require different numbers of secret keys. The type of VKPs with different secret-key resource requirements is denoted by V. The VKP assembly for secret-key employment is needed to satisfy the specific secret-key requirement of each VKP. The required secret keys for the assembly of a VKP are denoted by KV. Secret keys will be updated and reallocated for VKP assembly when the KPs are assembled again. The updating and reallocating secret keys are necessary to enhance the security of confidential services.

**Figure 3** also presents a static on-demand VKP assembly strategy for efficient secret-key employment. The VKP assembly request is denoted by VKP(sv, dv, KV), where sv and dv are the source and destination nodes of the VKP assembly request. Unlike conventional computing, switching, and wavelength resources, secret-key resources cannot be reused once allocated. Accordingly, the more complex resource allocation algorithms of conventional network scenarios, such as most-used and load-balanced algorithms, are not suitable for allocating secret keys in QKDNs. The FF algorithm, however, is highly feasible and can be utilized to allocate secret keys for VKP assembly. With the on-demand VKP assembly strategy, the secret-key resources can be utilized and allocated efficiently.
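On-demand VKP assembly by first fit over a KP's non-reusable keys, as an added example that is not the chapter's own code: keys are consumed on allocation, a request larger than the remaining keys is refused, and the periodic KP reassembly reallocates every VKP from fresh key material. The pool sizes and VKP identifiers are constructed.

```python
class KeyPool:
    """KP between one node pair with N secret keys, indexed 0..N-1; a key is
    consumed once allocated and never returns to the pool."""

    def __init__(self, pair, n_keys):
        self.pair = pair
        self.free = [True] * n_keys   # key index -> still unallocated
        self.vkps = {}                # VKP id -> allocated key indices

    def remaining(self):
        return sum(self.free)

    def assemble_vkp(self, vkp_id, k_v):
        """On-demand VKP(sv, dv, KV) assembly by first fit: take the lowest-indexed
        KV unallocated keys; return None (nothing consumed) if fewer than KV remain."""
        chosen = [i for i, unused in enumerate(self.free) if unused][:k_v]
        if len(chosen) < k_v:
            return None
        for i in chosen:
            self.free[i] = False
        self.vkps[vkp_id] = chosen
        return chosen

    def reassemble(self, n_keys):
        """Periodic KP assembly (every T): the pool is refilled with N fresh keys and
        every existing VKP is reallocated from the new material, in first-fit order."""
        old, self.free, self.vkps = self.vkps, [True] * n_keys, {}
        return {vid: self.assemble_vkp(vid, len(keys)) for vid, keys in old.items()}

def demo():
    """Constructed KP A-B with 8 keys, then a reassembly with 10 keys."""
    kp = KeyPool(("A", "B"), 8)
    first = kp.assemble_vkp("VKP_A-B-1", 3)    # [0, 1, 2]
    second = kp.assemble_vkp("VKP_A-B-2", 4)   # [3, 4, 5, 6]
    third = kp.assemble_vkp("VKP_A-B-3", 2)    # None: only one key left
    refreshed = kp.reassemble(10)              # both VKPs reallocated on fresh keys
    retry = kp.assemble_vkp("VKP_A-B-3", 2)    # [7, 8]
    return first, second, third, refreshed, retry, kp.remaining()
```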

The simulations show the benefits of KaaS for efficiently deploying and employing secret keys as well as for security enhancement, where the balance of KPs' secret-key resources and VKPs' secret-key requirements can be achieved.

#### **3.4 Key pool construction in QKDN**

To address the low utilization of key resources in QKDNs and the need to balance the inflow and outflow of key resources, a construction mechanism for virtual quantum key pools (QKPs) in QKDN is proposed [30], which achieves reasonable scheduling and efficient use of both channel resources and key resources.


**Figure 4.** *QKP in point-to-point QKD system [30].*

The extension of QKD from point-to-point systems to network-wide multipoint-interconnected systems requires enhancing secret-key synchronization, storage, and provision, which improves resource management and security performance. QKP construction in QKDNs is a potential solution to satisfy these requirements. Each node has a secret-key memory (SKM), which stores the synchronized secret keys. To improve secret-key management, the secret keys between each pair of SKMs are virtualized into a QKP, which is also denoted as VKP. The QKP between two nodes dynamically provides different numbers of secret keys for encrypting data according to the different security requirements. **Figure 4** shows an example of a QKP in a point-to-point QKD system, including the QKD enhancements in secret-key synchronization, storage, and provision.

There are three main steps for constructing QKPs [30]:


As for the support techniques for QKPs, QKPs are constructed on the control plane to manage the secret keys between QKD node pairs. They are all controlled by the SDN controller and can manage secret-key exchange, storage, assignment, and destruction. The SDN controller with programmable and flexible network control capabilities can also provide the effective implementation technique for QKPs.

### **4. Resilience of QKDN**

The occurrence of failures is inevitable in QKDNs, so the resilience of a QKDN is very important. The failure of a single link disrupts key distribution on the routes that traverse it, and the key provisioning services on those routes are affected; the security demands of the users are thus violated. Apart from that, such an interruption indirectly induces a high recovery time and capital expenditure. Recovering and protecting the key provisioning services in QKDNs from failures is therefore an indispensable and vital problem to be solved.

**Figure 5.** *Three methods. (a) OPM, (b) MPM, and (c) TWM [31].*

In order to recover the key provisioning services affected by failures in QKDNs, a Secret-Key Reallocation Strategy (SKRS) is proposed [31], comprising the One-Path Method (OPM), the Multi-Path Method (MPM), and the Time-Window-based Method (TWM), shown in **Figure 5(a)**-**(c)**. The strategy reallocates secret keys in the QKPs and finds available wavelengths so that the secret keys can be recovered. By allocating secret keys from the QKPs over other paths, the security demand on the failure-affected links is satisfied. If the secret keys on one path are not enough, multiple paths try to provide keys simultaneously. If multiple paths still fail to provide enough secret keys to meet the security demands, time division multiplexing can be considered. Simulation results verified that the three methods of the strategy can recover the failure-affected key provisioning services to different degrees. The three methods of the strategy are as follows.
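A simplified reading of the reallocation strategy as described in this section, added here as an example and not the chapter's or [31]'s implementation of the three methods: OPM serves the demand from one surviving path whose QKP balances suffice, MPM combines several paths when no single one does, and whatever remains unmet is left for TWM, i.e. later time windows. The per-link QKP balances and the failed link are constructed.

```python
def simple_paths(keys, src, dst, banned):
    """All loop-free src->dst paths over the links in `keys`, skipping failed links."""
    adj = {}
    for link in keys:
        if link in banned:
            continue
        u, v = tuple(link)
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    found = []
    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in sorted(adj.get(node, [])):
            if nxt not in path:
                walk(nxt, path + [nxt])
    walk(src, [src])
    return found

def bottleneck(keys, path):
    """Keys a path can supply: the smallest QKP balance along it."""
    return min(keys[frozenset(h)] for h in zip(path, path[1:]))

def consume(keys, path, amount):
    for h in zip(path, path[1:]):
        keys[frozenset(h)] -= amount

def reallocate(keys, src, dst, demand, failed):
    """Simplified SKRS. `keys` maps frozenset({u, v}) -> secret keys left in the
    QKP of link u-v; `failed` is the failed link. Returns the method that served
    the demand, the (path, keys) allocations, the unmet remainder and balances."""
    keys = dict(keys)                      # copy, then consume from the copy
    paths = simple_paths(keys, src, dst, {failed})
    full = [p for p in paths if bottleneck(keys, p) >= demand]
    if full:                               # OPM: one path is enough
        best = min(full, key=len)          # fewest hops among sufficient paths
        consume(keys, best, demand)
        return {"method": "OPM", "alloc": [(best, demand)], "unmet": 0, "keys": keys}
    alloc, remaining = [], demand          # MPM: largest remaining bottleneck first
    while remaining > 0:
        usable = [p for p in paths if bottleneck(keys, p) > 0]
        if not usable:
            break
        p = max(usable, key=lambda q: bottleneck(keys, q))
        amount = min(remaining, bottleneck(keys, p))
        consume(keys, p, amount)
        alloc.append((p, amount))
        remaining -= amount
    method = "MPM" if remaining == 0 else "TWM"   # shortfall waits for later windows
    return {"method": method, "alloc": alloc, "unmet": remaining, "keys": keys}

def example_qkps():
    """Constructed QKP balances (keys per link) for a 4-node QKDN."""
    return {frozenset(l): n for l, n in
            [("AB", 10), ("BC", 10), ("AC", 4), ("CD", 6), ("AD", 5), ("BD", 3)]}
```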

