*Quantum Cryptography in Advanced Networks*

control/configuration messages over the CChs; (3) OF-QKP-D1–2 is configured by the SDN controller to provision secret keys for the service request from OF-OXC1 to OF-OXC2 over the DCh; (4) the SDN controller configures OF-OXC1 and OF-OXC2 to encrypt data and transport the service; and (5) at last, SDN controller replies to the App.

**4. Resource allocation in QKD over SDONs**

**4.1 Wavelength allocation**

Since three types of channels (i.e., QChs, PChs, and DChs) are coexisting in a single fiber with WDM technique, wavelength allocation for these three types of channels becomes an essential issue. The total number of wavelengths for QChs, PChs, and DChs should conform to existing WDM networks, e.g., 40 wavelengths (with 100 GHz channel spacing) or 80 wavelengths (with 50 GHz channel spacing). Given the DCh is usually located at C-band (1530–1565 nm) in existing WDM networks, some previous studies have demonstrated QKD at O-band (1260–1360 nm) [29, 30] to achieve strong isolation from data transmission. Nevertheless, the faint quantum signals may suffer from more losses at O-band compared with C-band, which will limit the transmission distance and rate. Therefore, the three types of channels can be placed at C-band to achieve better quantum-signal transmission performance, as illustrated in **Figure 5**.

In particular, the physical layer impairments (e.g., Raman scattering and four-wave-mixing effects) induced by PCh and DCh may have negative impacts on the QCh transmission performance. Raman scattering effects can be effectively reduced by placing the QCh at high frequency [31], thereby the wavelength reserved as QCh starts from 1530 nm. Besides, four-wave-mixing effects can be reduced by allocating 200 GHz guard band between QCh and other classical channels (i.e., PChs and DChs) [17]. Moreover, appropriate channel isolation and stable QKD operation can be achieved by using multistage band-stop filtering technique [32]. The PCh that transmits classical signals for key sifting and distillation as introduced in the principle of point-to-point QKD can share the same wavelengths with DCh or utilize the dedicated wavelengths at fiber C-band. The latter can be selected to ensure one-to-one relationship between the PCh and QCh, although the wavelength resources for data transmission may be degraded. This is because allocating dedicated wavelengths for QCh and PCh is essential in a stable scenario. The intermediate nodes with trusted repeaters and erbium-doped fiber amplifiers (EDFAs) can be deployed for QCh and PCh/DCh, respectively, to extend quantum and classical signal transmission distance, in which EDFA bypass scheme [30, 33] can be utilized

**Figure 5.** *Wavelength allocation for the three types of channels (i.e., QChs, PChs, and DChs) over the C-band in a single fiber.*

**4.2 Time-slot allocation**

Given the finite wavelength resources in a single fiber and the high cost of establishing QChs and PChs, each wavelength for QCh/PCh is segmented into multiple time slots according to the optical time division multiplexing (OTDM) technique [34]. Hence, each time slot can be utilized to establish a QCh/PCh, which improves resource utilization. We assume that the secret keys provisioned for a service request with specific security demand are exchanged between the source and destination nodes within a fixed time *t*, so that each QCh/PCh occupies a time slot. On the basis of the principle of point-to-point QKD described above, *t* consists of channel estimation and calibration time, qubit exchange time, key sifting time, and key distillation time. In particular, scattering and loss may impact the secret key rate between two nodes, which will lead to different numbers of secret keys shared between different node pairs within *t* in QKD over SDONs. In the network model, to fix *t* in a realistic and simplified manner, the size of *t* can be set as the secret key exchange time for a fixed key size (e.g., 128, 192, and 256 bit while using AES encryption algorithm [35]) under the worst scenario in QKD over SDONs.

Additionally, to guard against attacks and enhance data encryption security, the secret keys provisioned for each service request with specific security demand can be updated with a period *T*. The parameter *T* is the period after which the secret key must be changed between two nodes. The security level increases as the value of *T* decreases. This is because the secret keys provisioned for a service request with specific security demand are updated more frequently, which increases the difficulty for a third party of cracking the encryption key [36]. Accordingly, considering the key-updating period, time-slot allocation for QCh/PCh becomes a new topic to be studied. Also, a routing, wavelength, and time-slot allocation (RWTA) strategy for establishing the three types of channels (i.e., QChs, PChs, and DChs) needs to be considered.

For instance, **Figure 6** illustrates two security level configuration solutions, in which the parameter *t* is the secret key exchange time between the source and destination nodes for each service request with specific security demand, and the parameter *T* is the key-updating period (*t* < *T*, which guarantees that the secret keys can be exchanged within a period). In solution 1, we fix *T* for all the QCh/PCh wavelengths, and each service request with specific security demand has the same security level value of *T*. Note that the QCh/PCh wavelengths are the wavelengths in WDM optical networks that are reserved as QCh/PCh. Solution 1 can only provide one security level, which may limit the flexibility of security demands of service requests. However, service requests triggered from numerous security-hungry applications may have different security demands with different security levels. Hence, each QCh wavelength has a flexible *T* value in solution 2, so that different security levels can be provisioned. For different service requests with security demands, this solution can provision more security level types.
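The two solutions can be compared with a small first-fit allocator. This is an added example, not code from the chapter; it assumes that a wavelength with period *T* offers floor(*T*/*t*) time slots, that each request states the longest *T* it tolerates, and that the request names and values are constructed.

```python
# Added illustration (not from the chapter): first-fit time-slot allocation
# on QCh/PCh wavelengths under the two security-level solutions.
# Assumption: a wavelength with key-updating period T and key exchange
# time t offers floor(T / t) time slots, and one request holds one slot.

def build_wavelengths(periods, t):
    """periods: key-updating period T of each QCh/PCh wavelength (same unit as t)."""
    wavelengths = []
    for T in periods:
        if not t < T:
            raise ValueError("the chapter requires t < T")
        wavelengths.append({"T": T, "free": int(T // t)})
    return wavelengths

def allocate(requests, wavelengths):
    """requests: list of (name, T_max), where T_max is the longest updating
    period the request tolerates. Returns {name: T granted, or None if blocked}."""
    result = {}
    for name, t_max in requests:
        # Candidates are at least as secure as demanded (T <= T_max) and have
        # a free slot; take the largest such T so that short-T slots stay
        # available for stricter requests.
        fits = [w for w in wavelengths if w["T"] <= t_max and w["free"] > 0]
        if not fits:
            result[name] = None
            continue
        chosen = max(fits, key=lambda w: w["T"])
        chosen["free"] -= 1
        result[name] = chosen["T"]
    return result

T_SLOT = 1  # constructed value for t
# Constructed requests: (name, longest tolerated key-updating period)
REQUESTS = [("r1", 2), ("r2", 4), ("r3", 8), ("r4", 8), ("r5", 2), ("r6", 4)]

def solution_1():
    # Fixed T = 4 on all three QCh/PCh wavelengths.
    return allocate(REQUESTS, build_wavelengths([4, 4, 4], T_SLOT))

def solution_2():
    # Flexible T: one wavelength each with T = 2, 4 and 8.
    return allocate(REQUESTS, build_wavelengths([2, 4, 8], T_SLOT))

if __name__ == "__main__":
    print("solution 1:", solution_1())
    print("solution 2:", solution_2())
```

With the same three wavelengths, solution 1 blocks the two requests that need *T* ≤ 2 and gives every other request the single level *T* = 4, while solution 2 serves all six at three different levels.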

### **Figure 6.**

*Two security-level provisioning solutions: (a) solution 1: fixed T for all the QCh/PCh wavelengths; and (b) solution 2: flexible T for each QCh/PCh wavelength.*

## **4.3 Secret key allocation**

Data encryption algorithms need to be considered for CChs and DChs while performing secret key allocation. One-time pad (OTP) encryption algorithm was invented to achieve information-theoretic security, in which the secret key size should be as long as the data size [26]. Hence, OTP encryption algorithm requires much execution time/storage to perform data encryption, which is difficult to be utilized for high-bit-rate data encryption in SDONs and has negative impacts on the efficiency of SDONs. Nevertheless, symmetric encryption algorithms [37] can be used to perform large amount of data encryption with small secret key size and fast execution time. A commonly used symmetric encryption algorithm is advanced encryption standard (AES) algorithm, which can be integrated with QKD to implement high-bit-rate data encryption [38, 39]. Using secret key lengths of 128, 192, and 256 bit, the AES algorithm can encrypt/decrypt large amount of data in blocks of 128 bit [35]. Hence, the secret key receiving module and data encryption module can be added in optical transport nodes to perform secret key communication and processing.

Nevertheless, a third party can eavesdrop on a sequence of encrypted data to crack the secret keys while the AES algorithm is in use. Two important factors, i.e., data size and data transmission time, then need to be considered during a crack [40, 41]. In order to reduce the probability of encrypted data being cracked, the secret key can be frequently changed between two nodes based on the key-updating period. Key updating is essential to enhance the security of data encryption while using the AES algorithm to secure CChs and DChs. Accordingly, the time complexity and data complexity of attacks can be considered for key updating, in which time complexity is the maximum available time for a secret key and data complexity is the maximum encrypted data size by a secret key. The security level increases with the increase of secret key length or the decrease of secret key-updating period. Therefore, we can qualitatively evaluate the security level based on secret key length and updating period.

Given the secret key resources are limited and precious in QKPs, the secret key allocation issue for CChs and DChs needs to be solved. The control/configuration messages transmitted over the CChs in SDONs are usually at megabit-per-second transmission rate, which are low compared with the data complexity of attacks [40]. Accordingly, secret key allocation and updating are accomplished for each CCh in the SDON to enhance its security. Through the path of a data service, each node along the path will be configured by the SDN controller via the corresponding CCh. According to the specific security demand of each CCh, QKP-C allocates the required secret keys between SDN controller and each node to enhance the security of each CCh. Hence, we can allocate different number of secret keys to CChs between SDN controller and each node for encrypting/decrypting the control/configuration messages. As illustrated with an example in **Figure 7**, Key*x*–*y* denotes the required number of secret keys in which *x* and *y* represent the node serial number and service serial number, respectively. Key1–1/Key2–1 is allocated to CChs between the SDN controller and Node 1/Node 2 for Service 1, whereas Key1–2/Key2–2/Key3–2 is allocated to CChs between the SDN controller and Node 1/Node 2/Node 3 for Service 2.

The required number of secret keys for each data service over the DChs is associated with the secret key length and updating period. The QKP-D can allocate the required number of secret keys to enhance the security of data services over the DChs in SDONs. As illustrated with an example in **Figure 8**, three data services (i.e., *r*1, *r*2, and *r*3) have different security demands. In **Figure 8(a)** and **(b)**, we consider the time complexity of attacks (i.e., *Ty*) and data complexity (i.e., *Dy*) of attacks for secret key updating, respectively, in which the parameter, *y*, represents the data service serial number. Based on AES algorithm, the required secret key lengths of *r*1, *r*2, and *r*3 are 128, 192, and 256 bit, respectively. Additionally, as shown in **Figure 8(a)**, the required secret key-updating periods of *r*1, *r*2, and *r*3 are *T*1, *T*2, and *T*3 (*T*1 < *T*2 < *T*3), respectively; whereas in **Figure 8(b)**, the required secret key-updating periods of *r*1, *r*2, and *r*3 are *D*1, *D*2, and *D*3 (*D*1 < *D*2 < *D*3), respectively. Specifically, the data service with longer secret key length and shorter secret key-updating period demands shows higher security level and will require more secret keys to be allocated for data encryption. Thus, routing, wavelength, and secret key allocation (RWKA) strategy for CChs and DChs in a timely manner on demand is necessary to be considered.


*Quantum Key Distribution (QKD) over Software-Defined Optical Networks DOI: http://dx.doi.org/10.5772/intechopen.80450*

**Figure 7.** *Secret key allocation and updating for CChs.*


### **Figure 8.**

*Secret key allocation and updating for services with different security requirements based on (a) case 1: time complexity of attacks and (b) case 2: data complexity of attacks.*
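The two updating rules of Figure 8 can be made concrete by walking a traffic trace and recording when a data service must draw a fresh key from QKP-D. This is an added example, not code from the chapter; it goes beyond the text by allowing a variable bit rate, and the function names, the trace and the limit values are constructed assumptions.

```python
from fractions import Fraction

def rekey_times(trace, max_age_s=None, max_bits=None):
    """Times (s) at which a fresh key is installed, starting with 0.

    trace:     list of (duration_s, rate_bit_per_s) constant-rate segments.
    max_age_s: T_y, longest time one key may be used (case 1).
    max_bits:  D_y, most data one key may encrypt (case 2).
    """
    for limit in (max_age_s, max_bits):
        if limit is not None and limit <= 0:
            raise ValueError("limits must be positive")
    times, now, age, used = [0], 0, 0, 0
    for duration, rate in trace:
        left = duration
        while left > 0:
            aged_out = max_age_s is not None and age >= max_age_s
            used_up = max_bits is not None and used >= max_bits
            if aged_out or used_up:
                times.append(now)   # traffic continues, so draw a new key
                age = used = 0
            # Advance to the next limit or to the end of this segment.
            step = left
            if max_age_s is not None:
                step = min(step, max_age_s - age)
            if max_bits is not None and rate > 0:
                step = min(step, Fraction(max_bits - used, rate))
            now += step
            age += step
            used += step * rate
            left -= step
    return times

def key_bits(key_len, trace, **limits):
    """Key material (bits) the service draws from QKP-D over the whole trace."""
    return key_len * len(rekey_times(trace, **limits))

# Constructed traffic: 300 s at 1 Gbit/s, then 300 s at 4 Gbit/s.
TRACE = [(300, 10**9), (300, 4 * 10**9)]

if __name__ == "__main__":
    by_time = rekey_times(TRACE, max_age_s=120)
    by_data = rekey_times(TRACE, max_bits=2 * 10**11)
    print([float(x) for x in by_time])  # evenly spaced updates
    print([float(x) for x in by_data])  # updates bunch up at 4 Gbit/s
    print(key_bits(256, TRACE, max_bits=2 * 10**11))
```

Under the time rule the updates are evenly spaced whatever the load, whereas under the data rule the same service consumes keys four times faster once its rate rises from 1 to 4 Gbit/s, which is what a QKP-D has to budget for.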
