Lelde Lace

In just very few recent years Quantum Key Distribution (QKD) has witnessed major advances regarding the maturity and availability of commercial QKD devices as well as adaptation and testing of the technology in a number of large-scale projects (in particular in the EU). QKD provides a key exchange mechanism that is completely secure against eavesdropping according to the laws of the physics. Although such level of security might not be fully matched by current devices, here we will assume that QKD networks are able to generate identical bit streams at K nodes of our choice with perfect security against eavesdropping (for K>2, however, an appropriate key-relay protocol is additionally required). The development of QKD networks, however, poses two major challenges: 1) QKD does not provide any inherent authentication mechanism. Currently OTP-based authentication is usually adapted, but it lacks scalability and for larger networks private/public key authentication schemes will be eventually needed. Given well justified concerns about the possibility of future attacks by quantum computers on classical asymmetric cryptography, post-quantum algorithm (PQC) based schemes essentially remain the only viable authentication option. 2) In foreseeable term QKD networks will remain limited to connections between larger data centres and to benefit 'ordinary users' provision of QKD as a service (QaaS) will be needed. Connections of such users to QKD network will remain to be on based asymmetric cryptography, which again leaves PQC as the only secure option. This leads to the problem of integration of two expectedly secure, but somewhat competing cryptographic techniques - QKD and PQC - into communication networks in such a way, that the strengths of these both approaches are fully exploited and the overall security is increased from complementary usage of both of them. The proposals for such integrated communication network solutions are sometimes called 'software-based QKD networks', however, most of these proposals only outline the overall architecture , but does not provide implementation details at the level of specific protocols an algorithms that could be used. To address these shortcomings, in our previous work we have developed a 'butterfly protocol' that provides QaaS by integrating both QKD and PQC techniques and is secure against a successful attack on any single communication link it uses. The full benefits of using this protocol, however, still partially rely on additional assumptions on comparative security of communication links within different subnetworks. In the current work we examine the problem of QKD and PQC integration and provision of QaaS from a somewhat different perspective. We consider larger multi-node QKD networks with dynamic topology -- i.e. in which new QKD nodes and links can be added or removed, and we also assume that there could be few network nodes that are compromised and can not be trusted. The network topology is regarded as generally known, but it is not centrally managed, the network nodes can can gradually gather the information about the overall topology by communicating with their neighbour nodes. Within this setting we are developing protocols for the two following scenarios. Multi-node key relay. This requires generation of identical QKD keys at K>2 freely chosen nodes (with typical values being K=3 and K=4) in a way that is secure against attack by any single node involved in key material routing - i.e. any such attack should be unable to compromise key stream in more than a single node. The availability of the same key material from more than 2 nodes allows to overcome a single link vulnerability of QaaS by providing independent set of nodes at which the negotiated QKD keys can additionally verified. The schemes for key relay between multiple nodes have been well studied, but usually without the assumptions of the potential presence of a malicious node. Multi path routing. This requires establishing of at least two non-intersecting routing paths between any pair of nodes (provided that at least two non-intersecting paths between them exists). Using two distinct routing paths protects against an attack from a single malicious node on any of them. The possibility of such an attack has been assessed already in the context of SECOQC project. The authors propose a key relay protocol over two independent paths, however, its efficiency can be improved, and the authors do not address the problem of establishing such independent routing paths. For establishing such non-intersecting paths between any pairs of network nodes we have adapted a version of maximum flow algorithm that is executed asynchronously and locally at each of the nodes. The algorithm actually guarantees finding the maximum number of independent routing paths between any pair of nodes, however, it is comparatively inefficient (especially when compared with algorithms for establishing single routes), and potentially can be improved, if we require finding of at least two, but not not the all disjoint paths . As far as we know, the problem of presence of malicious nodes in QKD has been occasionally studied before, but mainly form the perspective of impact on overall performance and without focus on identifying and neutralising malicious nodes.