SECOQC White Paper on Quantum Key Distribution and Cryptography

arXiv:quant-ph/0701168v1 23 Jan 2007

Reference: Secoqc-WP-v5
Document type: White Paper
Document date: January 22 2007
Version: 5.1

Document history: During the first year of the SECOQC project [1], Philippe Grangier initiated an internal debate regarding the “comparative advantages” of quantum key distribution (QKD). A first written contribution to this debate, by Philippe Grangier, Louis Salvail, Nicolas Gisin and Thierry Debuisschert [2], was then made available to all SECOQC partners. In their 3rd review report, issued on June 26 2006, the SECOQC project reviewers and scientific officer pointed out the need for a paper about the “added value of QKD to classical cryptography”. Following this recommendation and extending the arguments developed in [2], Romain Alléaume wrote a draft document, entitled QKD and Cryptography: strong points, weaknesses and comparative advantages. On October 12, at the London 10th SECOQC Core Group, project partners agreed to jointly contribute to the improvement of this draft document and make it evolve into the SECOQC cryptography white paper. Numerous comments, suggestions of corrections and new ideas were proposed through the SECOQC Wiki [3]. Based on those reactions, the first draft version of the paper has been modified and updated by Romain Alléaume, leading successively to the versions 2.0, 3.0, and 4.0. On November 21, version 4.0 of the white paper was presented at the Crypto networking session organized by the European Network of Excellence ECRYPT, at the Helsinki IST event. Preprints of the white paper have also been distributed. Final rounds of revisions, taking into account the comments received after the Helsinki event, have then led to the current version, 5.1, of the white paper.
Editing Author: Romain Alléaume

Contributors: Romain Alléaume (1), Jan Bouda (2), Cyril Branciard (3), Thierry Debuisschert (4), Mehrdad Dianati (1), Nicolas Gisin (3), Mark Godfrey (5), Philippe Grangier (6), Thomas Länger (7), Anthony Leverrier (1), Norbert Lütkenhaus (8), Philippe Painchault (9), Momtchil Peev (6), Andreas Poppe (10), Thomas Pornin (11), John Rarity (5), Renato Renner (12), Grégoire Ribordy (13), Michel Riguidel (1), Louis Salvail (14), Andrew Shields (15), Harald Weinfurter (16), Anton Zeilinger (10).

Affiliations:
1 Ecole Nationale Supérieure des Télécommunications, Paris, France.
2 Masaryk University, Brno, Czech Republic.
3 University of Geneva, Switzerland.
4 Thales Research and Technology, Orsay, France.
5 University of Bristol, United Kingdom.
6 CNRS, Institut d’Optique, Orsay, France.
7 Austrian Research Center, Vienna, Austria.
8 University of Erlangen, Germany & Institute for Quantum Computing, Waterloo, Canada.
9 Thales Communications, Colombes, France.
10 University of Vienna, Austria.
11 Cryptolog International, Paris, France.
12 University of Cambridge, United Kingdom.
13 Id Quantique SA, Geneva, Switzerland.
14 University of Aarhus, Denmark.
15 Toshiba Research Europe Ltd, Cambridge, United Kingdom.
16 Ludwig-Maximilians-University Munich, Germany

SECOQC Coordinator: Christian Monyk

Contents

1 Introduction
2 Key Establishment
2.1 Classical Information-Theoretic Key Establishment Schemes
2.2 Classical Public-Key Cryptography and Key Establishment
2.3 Classical Computationally Secure Symmetric-Key Cryptography and Key Establishment
2.4 Quantum Key Establishment - Quantum Key Distribution (QKD)
2.5 Trusted Couriers Key Distribution (TCKD)
2.6 Hybrid Key Establishment schemes based on Dual Key agreement
3 Securing a point-to-point classical communication link
3.1 QKD composed with One-Time-Pad: Everlasting Secrecy
3.2 QKD composed with a classical computationally secure encryption scheme: Key security and Key Ageing
4 Key Distribution over a Network of QKD links: QKD Networks
4.1 Previous work on QKD Networks
4.2 The specific design of the SECOQC QKD network
4.3 Classical Network Key Distribution Schemes and QKD Networks: Elements of comparison
4.4 Network Initialisation and Key Pre-distribution
4.5 Open networks versus trusted QKD networks
5 Future directions
5.1 Resilience to side-channel attacks and historical security
5.2 Post Quantum Computing Cryptography
5.3 Classical Cryptographic Primitives built on top of QKD networks
6 Conclusion

1 Introduction

During recent years quantum cryptography has been the object of a strong activity and rapid progress [4, 5], and it is now extending its activity into pre-competitive research [1] and into commercial products [7]. Nevertheless, the fact that Quantum Key Distribution (QKD) could be an interesting cryptographic primitive is often considered with scepticism by classical cryptographers [6]. Analysing the cryptographic implications of Quantum Key Distribution is indeed a complex task. It requires a combination of knowledge that usually belongs to separate academic communities, ranging from classical cryptography to the foundations of quantum mechanics and network security. Based on a thorough consultation and discussion among the participants of the European project SECOQC [1], this paper presents arguments showing that QKD can indeed be useful in cryptography, in addition to the scientifically well-established classical cryptographic primitives.
We also believe that very fruitful research, involving the classical cryptography community and the QKD community, could emerge in the future years and try to sketch what may be the next challenges in this direction.

Here we argue that QKD is a cryptographic primitive that can be used for different purposes, of increasing complexity. We will distinguish three levels of complexity, reflecting the first three layers of the OSI network model.

• The first level is Key Establishment between two users (physical layer cryptographic primitive).
• The second level is two-user Secure Payload Transmission built on top of a Key Establishment scheme (link layer cryptographic primitive).
• The third level is Key Distribution over a global network composed of multiple users (network layer cryptographic primitive).

In each of these scenarios, we will give elements allowing to compare QKD with what is currently offered by classical cryptographic techniques. This paper is thus organized as follows: In Section 2, we provide a survey of Key Establishment techniques, and discuss some of their strengths, weaknesses, and relative advantages. In Section 3, we discuss the security and the performances of the different Secure Payload Transmission primitives that can be built on top of QKD, and that can be used to secure a point-to-point communication link. In Section 4, we expose the motivations for the development of QKD networks and provide a survey of the previous works on QKD networks. Some major design decisions of the SECOQC QKD network are presented in this context as well as elements of comparison between classical networks and quantum networks. Finally, in Section 5 we extend our perspectives and discuss some future research directions that could benefit from active collaboration between the QKD and the classical cryptography communities: the study of side-channels and of material security, the study of post-quantum-computing cryptography and the use of QKD networks as a new primitive in network security.

2 Key Establishment

Cryptography has for a long time conformed to the idea that the techniques used to protect sensitive data had themselves to be kept secret.
Such a principle, known as “cryptography by obscurity”, has however become inadequate in our modern era. Cryptography, which developed as a science in the 1970s and 1980s [68], made it possible to move away from this historical picture, and most of the modern cryptographic systems are now based on publicly announced algorithms while their security lies in the use of secret keys.

Distributing keys among a set of legitimate users while guaranteeing the secrecy of these keys with respect to any potential opponent is thus a central issue in cryptography, known as the Key Establishment Problem.

There are currently five families of cryptographic methods that can be used to solve the Key Establishment Problem between distant users:

1. Classical Information-theoretic schemes
2. Classical public-key cryptography
3. Classical computationally secure symmetric-key cryptographic schemes
4. Quantum Key Distribution
5. Trusted couriers

We will present how each of those cryptographic families can provide solutions to the Key Establishment problem and discuss, in each case, the type of security that can be provided. We will also consider a sixth type of Key Establishment schemes: hybrid schemes built by combining some of the methods listed above.

2.1 Classical Information-Theoretic Key Establishment Schemes

A crypto-system is information-theoretically secure if its security derives purely from information theory. That is, it makes no unproven assumptions on the hardness of some mathematical problems, and is hence secure even when the adversary has unbounded computing power. The expression “unconditional security” is a synonym of “information-theoretical security” and is more widely used in the cryptographic literature. The One-Time Pad (OTP) is for example an unconditionally secure encryption scheme.
As shown by Ueli Maurer [46], it is possible to establish an information-theoretically secure key between two parties using only public discussion over a classical channel, provided that these two parties have in their possession correlated strings of classical data that exhibit more correlation between them than with any string that could be in the possession of an eavesdropper. As we shall see in 2.4, the use of a quantum channel and of an appropriate protocol is a practical solution in order to obtain such correlated strings of classical data.

There are however also Key Establishment schemes that can exploit the ideas developed in [46] and that can be implemented within the framework of classical information theory. Such Classical Information-Theoretic Key Establishment schemes (CITKE schemes) however need to rely on some specific extra assumptions, limiting the power of the eavesdropper, to be unconditionally secure. Christian Cachin and Ueli Maurer [30] hence demonstrated that CITKE is possible in the bounded-storage model, in which the adversaries can only store a limited amount of data. CITKE is also possible in Wire-Tap channel model as established in the seminal work of Wyner [44]. The result of this work on CITKE has been extended to what is called the “noisy channel model” where the legitimate users are supposed to have access to a common source of randomness through classical channels that are less noisy than the channel the eavesdropper has access to [45]. Introducing the idea of advantage distillation, Maurer generalised the previous models and showed that CITKE is possible over a wide class of classical channels [46].

2.2 Classical Public-Key Cryptography and Key Establishment

Public-key cryptography foundations rest on the difficulty of solving some mathematical problems for which no polynomial algorithms are known. The computing resources needed to solve these problems become totally unreachable when long enough keys are used.
Public-key cryptographic systems thus rely on what is called “provable computational security”. Public-key cryptography is however not unconditionally secure; the problems on which it is based are not intractable; and in addition, their non-polynomial complexity has so far not been proven.

Public-key cryptography requires two keys, a public and a private key, which form a key pair, and uses algorithms that are designed in such a way that anyone can encrypt a message using the public key, while only the legitimate recipient, in possession of the private key, can decrypt the message. Because of the asymmetry between the two users of a public-key crypto-system (one holding the private key, and keeping it secret, while the other user only needs to know a public, non-secret key, and check for its authenticity), public-key cryptography is often referred to as asymmetric cryptography.

Key Establishment based on public-key cryptography. As shown by Whitfield Diffie and Martin Hellman in 1976 [8], public-key cryptography can be used to establish a shared secret key over an unprotected classical communication channel, without using a prior shared secret. It thus provides a practical way to implement key distribution over open networks. Note however that, in order to ensure the authenticity of the key distribution scheme, the two users have to rely on a third trusted authority. This is the purpose of public-key infrastructure (PKI): a hierarchical infrastructure of trusted third parties that are issuing certificates for the users’ public keys, provided that the users accept to rely on them (we basically don’t really have the choice in current Internet, in absence of any other practical solution for key distribution).

Security of public-key cryptography. Current asymmetric classical cryptographic schemes, such as RSA, are based on the difficulty to compute logarithms within a finite field.
Today’s implementations of RSA require the use of private and public keys of at least 1024 bits, in order to offer a reasonable security margin against the computational efforts of an eavesdropper [fn. 1], and asymmetric keys of 2048 bits are preferable [9]. It is also important to note that most of the currently used public-key cryptographic schemes (for example RSA) could be cracked in polynomial time with a quantum computer: this results from Shor’s algorithm for discrete log and factoring, that has a complexity of O(n^3) [14]. Some alternative public-key cryptographic schemes, based on other problems than factoring, such as lattice shortest vector problem [16] or coding theory [15], could not be broken in a polynomial time on a quantum computer. Such schemes are however much less practical than RSA-like schemes.

[fn. 1] Under the unverified assumption that there is no eavesdropper that possesses some unexpectedly strong computational power or knows better cryptanalysis techniques than the best published ones.

Performance of public-key cryptography. Making the computations relative to the asymmetric cryptographic protocols (over keys longer than 1024 bits) is a rather computationally intensive and time-consuming task. The performance of RSA-based key distribution implementations depends heavily on hardware: for RSA 2048 implemented on a recent PC (Pentium IV with a 2.1 GHz processor running under Windows XP), the computations needed for one key exchange (essentially one RSA encryption and one decryption) take roughly 30 ms [27]. The same key exchange would be approximately 10 times faster (thus in the ms range) on dedicated coprocessors and 10 times slower (in the time range of a few tenths of a second) on smart card coprocessors [28].
Because of those relatively low exchange rates, public-key cryptography is most commonly used solely for initial session key distribution (in network protocols like SSL for example), and classical symmetric-key cryptography is then generally used for symmetric encryption and/or authentication of data.

2.3 Classical Computationally Secure Symmetric-Key Cryptography and Key Establishment

Symmetric-key cryptography refers to cryptography methods in which both the sender and receiver share the same key. Symmetric-key encryption was the only kind of encryption publicly known until the discovery of public-key cryptography in 1976 [8].

Symmetric-key ciphers are used to guarantee the secrecy of the encrypted messages. The modern study of symmetric-key ciphers relates mainly to the study of block ciphers and stream ciphers and to their applications. AES is a block cipher that was designed by a team of Belgian cryptographers (Joan Daemen and Vincent Rijmen) and has been adopted as an encryption standard by the US government (in replacement of DES). Block ciphers can be used to compute Message Authentication Codes (MACs) and can thus also be used to guarantee integrity and authenticity of messages. Stream ciphers, in contrast to the block ciphers, create an arbitrarily long stream of key material, which is combined with the plaintext bit-by-bit or character-by-character, somewhat like the One-Time-Pad. We will not consider stream ciphers in the remaining part of this sub-section, since, unlike block ciphers, they cannot be easily used to perform Key Establishment. Reference [11] provides a very complete survey of classical computationally secure symmetric-key schemes.

Key Establishment based on Classical Computationally Secure Symmetric-Key Cryptography. Key Establishment can be realised by making use of only symmetric-key cryptographic primitives. Indeed, the combination of a symmetric-key encryption scheme with a symmetric-key authentication scheme allows one to build a Key Establishment primitive.
Provided that a secret key is previously shared, symmetrically, by Alice and Bob, one can use a symmetric-key cipher to encrypt a message that will constitute the secret key for the key distribution protocol (this message can be random or not). Part of the previously shared symmetric key material can also be used to symmetrically compute (on Alice’s side) and check (on Bob’s side) a message authentication tag. Key Establishment schemes based on symmetric-key cryptographic primitives are always based on a pre-established symmetric secret, needed for authentication. In this sense, they allow only Key Expansion rather than Key Establishment.

Security of classical computationally secure symmetric-key cryptography. The security of key distribution based on classical symmetric-key cryptography depends on the security of the cryptographic primitives that are used, and on the composability of those crypto primitives. Shannon has proven that there is no unconditionally secure encryption scheme which requires less key than a One-Time Pad, i.e., the number of key bits is at least as large as the length of the message [17]. Hence, if we consider the possibility of building an unconditionally secure symmetric key expansion scheme, i.e., a method to symmetrically generate secret key out of a short initial symmetric shared secret key, the former results from Shannon tell us that such a scheme is impossible to achieve in the framework of classical cryptography. This is a fundamental limitation of any communication scheme relying solely on the exchange of classical messages since, in contrast to quantum messages, classical messages can be copied without errors.

It is however possible to use classical symmetric-key encryption and authentication schemes, that are not unconditionally secure, to build a Key Establishment scheme. AES can for example be used for symmetric-key encryption and can be also used to compute message authentication codes (using AES-MAC).
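The construction described above, as an added example (not code from the white paper): Alice encrypts a fresh key under one part of a pre-shared secret and tags it with the other part, and Bob checks the tag before decrypting. Python's standard library has no AES, so HMAC-SHA256 stands in for both the cipher (as a counter-mode keystream) and AES-MAC; the function names, the 64-byte secret and the message layout are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # assumed layout: nonce || ciphertext || tag
TAG_LEN = 32


def split_preshared(psk: bytes):
    """One part of the pre-shared secret encrypts, the other part authenticates."""
    if len(psk) != 64:
        raise ValueError("this sketch expects a 64-byte pre-shared secret")
    return psk[:32], psk[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a block cipher such as AES)."""
    blocks = [
        hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def alice_send(psk: bytes, new_key: bytes) -> bytes:
    """Encrypt the new key, then compute the authentication tag over nonce and ciphertext."""
    enc_key, mac_key = split_preshared(psk)
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per message so keystreams never repeat
    ciphertext = xor(new_key, keystream(enc_key, nonce, len(new_key)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def bob_receive(psk: bytes, message: bytes) -> bytes:
    """Check the tag first; only an authentic message is decrypted into a key."""
    enc_key, mac_key = split_preshared(psk)
    if len(message) <= NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication tag mismatch: key rejected")
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def accepts(psk: bytes, message: bytes) -> bool:
    """True if Bob would accept the message as coming from the holder of psk."""
    try:
        bob_receive(psk, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    psk = secrets.token_bytes(64)      # 512 pre-shared bits
    fresh = secrets.token_bytes(128)   # 1024 new key bits: expansion, so security
    wire = alice_send(psk, fresh)      # can only be computational, not unconditional
    print("key recovered:", bob_receive(psk, wire) == fresh)
    flipped = wire[:NONCE_LEN] + bytes([wire[NONCE_LEN] ^ 1]) + wire[NONCE_LEN + 1:]
    print("tampered message accepted:", accepts(psk, flipped))
```
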
Note that the security model that applies to such symmetric-key classical encryption schemes (symmetric-key block ciphers and stream ciphers) is not unconditional security (the entropy of the key is smaller than the entropy of the message) and not even “provable computational security” (based on some proven upper bounds or on some equivalence between the complexity of the cryptanalysis of a given cipher and another well-studied problem [fn. 2]). The security model that applies to classical symmetric-key cryptography can be called “practical computational security”: a cryptographic scheme is considered “practically computationally secure” if the best-known attacks require too much resource (such as computation power, time, memory) by an acceptable margin [11]. The main problem with such a security model is that it is unable to guarantee anything about yet unknown attacks [23].

There are no publicly known efficient quantum attacks on classical symmetric-key cryptographic schemes (but no proof that efficient attacks cannot be found), and the cryptanalysis of symmetric-key classical cryptography on a quantum computer reduces to exhaustive search. Here a quantum computer would thus still give an advantage: the complexity of exhaustive search in an unsorted database of N elements is of O(N) on a classical computer but only of O(√N) on a quantum computer [29].

Performances. In terms of performance, symmetric-key classical cryptography is much faster and less computationally intensive than asymmetric cryptography [fn. 3]. In terms of speed, there are now 128-bit AES encryptors able to encrypt data at rates in the Gbit/s range [24, 25]. This is the reason why it is widely preferred to use symmetric-key schemes for encryption and/or authentication over currently deployed communication networks. AES is currently the chosen standard for symmetric-key classical block ciphers.
Under the assumption that the best way to break a symmetric-key cryptographic scheme is exhaustive search within the key space [fn. 4], then, a symmetric key modulus of 77 bits is roughly comparable, in terms of computational requirements, to an asymmetric key modulus of 2048 bits [9, 13]. Note that doubling the length of a symmetric key implies squaring the computational efforts needed for exhaustive search; on the other hand, the computational efforts scale not as fast with key length in the case of asymmetric cryptography (see [9] for details).

[fn. 2] On the other hand, provable computational security exists for classical asymmetric schemes.

[fn. 3] The difference is indeed of several orders of magnitude, see [12] for references and details.

[fn. 4] As we shall see in 3.2, the assumption that the best attack on AES is exhaustive search, somehow equivalent to say that there is no known successful attack on AES, is however seriously challenged by the fact that weaker versions of AES, with reduced number of rounds, can be attacked more efficiently. Note also that the possibility of powerful algebraic attacks on AES, although not regarded as a real threat by the majority of the classical cryptography community, still seems to be an open and controversial question [26].

2.4 Quantum Key Establishment - Quantum Key Distribution (QKD)

Quantum Key Distribution, invented in 1984 by Charles Bennett and Gilles Brassard [33], based on some earlier ideas of Stephen Wiesner [34], is an alternative solution to the Key Establishment problem. In contrast to public-key cryptography, it has been proven to be unconditionally secure, i.e., secure against any attack, even in the future, irrespective of the computing power or any other resources that may be used [35, 36]. QKD security relies on the laws of quantum mechanics, and more specifically on the fact that it is impossible to gain information about non-orthogonal quantum states without perturbing these states [37].
This property can be used to establish a random key between two users, commonly called Alice and Bob, and guarantee that the key is perfectly secret [fn. 5] to any third party eavesdropping on the line, commonly called Eve. In parallel to the “full quantum proofs” mentioned above, the security of real QKD systems has been put on a stable information-theoretic footing thanks to the work on secret key agreement done in the framework of information-theoretic cryptography [46] and to its extensions, triggered by the new possibilities offered by quantum information [47] and [53].

[Figure 1: Structure of a QKD link as it is referred throughout this article. Labels in the figure: QKD Link, Quantum Channel, Classical Channel, QKD Device (two), Alice, Bob, Eve.]

Without going into the details of the different implementations or protocols, we can describe the structure and the principle of operation of the basic practical QKD system: a QKD link. As depicted on Fig. 1, a QKD link is a point-to-point connection between two users, commonly called Alice and Bob, that want to share secret keys. The QKD link is constituted by the combination of a quantum channel and a classical channel. Alice generates a random stream of classical bits and encodes them into a sequence of non-orthogonal quantum states of light, sent over the quantum channel. Upon reception of those quantum states, Bob performs some appropriate measurements leading him to share some classical data correlated with Alice’s bit stream. The classical channel is then used to test these correlations. If the correlations are high enough, this statistically implies that no significant eavesdropping has taken place on the quantum channel and thus that with very high probability, a perfectly secure symmetric key can be distilled from the correlated data shared by Alice and Bob. In the opposite case, the key generation process has to be aborted and started again.

QKD is a symmetric key distribution technique.
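The link operation described above, as an added simulation (not part of the white paper): BB84 with two bases is used here as one concrete instance of encoding bits into non-orthogonal states, and the eavesdropper measures and re-sends every pulse. The ideal noiseless channel, the 11% abort threshold and all function names are assumptions of this sketch.

```python
import random

ABORT_QBER = 0.11   # assumed abort threshold for this sketch, not a value from the paper


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis as preparation: the bit is read exactly. Other basis: a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_link(n_pulses, eavesdrop, seed):
    """Simulate one key generation attempt over an ideal (noiseless) QKD link."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_pulses)]
    alice_bases = [rng.randrange(2) for _ in range(n_pulses)]
    bob_bases = [rng.randrange(2) for _ in range(n_pulses)]

    # Quantum channel: each pulse carries (bit, basis); measuring it in the
    # wrong basis destroys the encoded bit, which is what exposes Eve.
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            eve_basis = rng.randrange(2)
            state_bit = measure(bit, a_basis, eve_basis, rng)
            state_basis = eve_basis          # Eve re-sends what she measured
        bob_bits.append(measure(state_bit, state_basis, b_basis, rng))

    # Classical channel, step 1: keep only pulses where the bases agree.
    sifted = [
        (a, b)
        for a, b, x, y in zip(alice_bits, bob_bits, alice_bases, bob_bases)
        if x == y
    ]
    if len(sifted) < 2:
        raise ValueError("not enough pulses to estimate the error rate")

    # Classical channel, step 2: publicly compare a random half to test the
    # correlations; the disclosed half is discarded.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, rest = sifted[:half], sifted[half:]
    qber = sum(a != b for a, b in sample) / len(sample)

    if qber > ABORT_QBER:
        # Correlations too low: abort and start again, as the text requires.
        return {"qber": qber, "aborted": True, "key_alice": None, "key_bob": None}
    # Error correction and privacy amplification (the distillation step) are
    # omitted; on this noiseless channel the remaining bits already agree.
    return {
        "qber": qber,
        "aborted": False,
        "key_alice": [a for a, _ in rest],
        "key_bob": [b for _, b in rest],
    }


if __name__ == "__main__":
    for label, eve in (("quiet line", False), ("intercept-resend", True)):
        result = run_link(4000, eve, seed=1)
        print(label, "QBER=%.3f" % result["qber"], "aborted:", result["aborted"])
```

On the quiet line the sampled error rate is zero and both sides keep identical bits; with every pulse measured and re-sent, roughly a quarter of the sifted bits disagree and the run aborts.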
[fn. 5] The perfect secrecy of the key has to be considered from an information-theoretic point of view: the information the eavesdropper may have about the key is, with an exponentially high probability, below a vanishingly small upper bound.

QKD requires, for authentication purposes, that Alice and Bob share, in advance, a short secret key (whose length scales only logarithmically in the length of the secret key generated by a QKD session [18, 19, 20]). Hence, QKD is a symmetric unconditionally secure key expansion scheme. In contrast to what is achievable while relying solely on the exchange of classical messages, the key expansion factor provided by QKD is exponential, hence, after initialisation of the system (initial distribution of secret key), authentication is not a burden for the global performance (secret bit rate per second) of QKD schemes. QKD systems are being developed with an increasing reliability and with increasing performances, and the SECOQC project [1], gathering the most prominent experimental and theoretical European teams involved in QKD research, is actively contributing to the pursuit of this progression [39, 40, 41, 38]. One can currently expect to exchange between 1 and 10 kbits of secret key per second, over a point-to-point QKD link of 25 km (at 1550 nm, on dark fibres). The maximum span of QKD links is now roughly 100 km (depending on the systems) at 1550 nm on telecom dark fibres. Both secret bit rate and maximum reachable distance are expected to continue their progression during the next years due to combined theoretical and experimental advances. Note that in any case QKD performances are intrinsically upper bounded by the performance of classical optical communications [fn. 6]. It is important to notice that QKD systems can now basically be built with optimised, off-the-shelf telecom components (laser, phase modulators, beamsplitters, polarisation controllers, etc.) with the notable exception of photodetectors.
Photodetection is currently the bottleneck for the performance of QKD systems, but it is important to keep in mind that, even on that side, although there are many technical problems to overcome, there are very few fundamental limitations for rate and distance [49, 50, 51]. Another approach, known as “Continuous Variables QKD”, and also implemented in SECOQC, uses only standard PIN photodiodes, but requires more sophisticated data processing in order to extract the secret key [48]. It is also very important to note that QKD would remain secure (unconditionally) even in the advent of a quantum computer. In addition, legitimate users (Alice and Bob) can perform unconditionally secure QKD even without possessing themselves a quantum computer, and QKD can thus be deployed today in order to secure communication networks. Studying how such QKD networks can be built and operated is the main focus of the SECOQC project and we will develop on this aspect in Section 4.

[fn. 6] And it will always lag behind in terms of rate and distance. However, since current classical systems are now reaching rates of Terabit/s, there definitely remains some room - and thus reasons to hope - for improvements.

2.5 Trusted Couriers Key Distribution (TCKD)

The trusted courier method has been known since ancient times: a trusted courier travels between the different legitimate users to distribute the secret keys, hopefully without being intercepted or corrupted on his way by any potential opponent. Only practical security can be invoked in this case, which has to be backed by the enforcement of an appropriate set of security measures. Although trusted couriers become costly and impractical when implemented on large systems, this technique has remained in use in some highly-sensitive environments such as government intelligence, or defence. The trusted courier method is also used by banks to solve the very common, but highly strategic problem of distributing their credit card PIN numbers to the bank customers [fn. 7].

[fn. 7] The solution adopted today by the banks is to send the cards and the PIN numbers in different envelopes to minimize the possibility that someone could steal both.

The Trusted Couriers Key Distribution (TCKD) is probably the method used in the framework of network security for which the analogy with QKD is the closest:

• Like QKD, TCKD is a method relying on the physical security of the communication