Quantum Key Distribution (QKD) over Software-Defined Optical Networks

Optical network security is attracting increasing research interest. Currently, software-defined optical network (SDON) has been proposed to increase network intelligence (e.g., flexibility and programmability) which is gradually moving toward industrialization. However, a variety of new threats are emerging in SDONs. Data encryption is an effective way to secure communications in SDONs. However, classical key distribution methods based on the mathematical complexity will suffer from increasing computational power and attack algorithms in the near future. Noticeably, quantum key distribution (QKD) is now being considered as a secure mechanism to provision information-theoretically secure secret keys for data encryption, which is a potential technique to protect communications from security attacks in SDONs. This chapter introduces the basic principles and enabling technologies of QKD. Based on the QKD enabling technologies, an architecture of QKD over SDONs is presented. Resource allocation problem is elaborated in detail and is classified into wavelength allocation, time-slot allocation, and secret key allocation problems in QKD over SDONs. Some open issues and challenges such as survivability, cost optimization, and key on demand (KoD) for QKD over SDONs are discussed.


Introduction
As more than two billion kilometers of optical fibers deployed worldwide [1], optical networks have currently served as one of the most important underlying infrastructures. Large confidential data transferred daily over the Internet relies on the secrecy and reliability of data channels (DChs) in optical networks against several types of cyberattacks, e.g., physically tapping or listening to the residual crosstalk from an adjacent channel [2,3]. With the evolution of network intelligence, software-defined networking (SDN) [4] is emerging and developing toward practical application, which is a promising technique to add flexibility and programmability in the optical layer. Hence, software-defined optical networking (SDON) is potential to become the next generation optical network architecture [5]. However, the control and configuration signaling messages transferred via the control channels (CChs) are also facing a variety of security attacks, e.g., anomaly attacks and intrusion attacks [6]. Therefore, two essential channels (i.e., DChs transferring sensitive data/services and CChs interchanging control/configuration messages) are vulnerable to cyberattacks in SDONs.
Data encryption is an effective way to enhance the security of SDONs. However, classical key distribution methods are based on the mathematical and computational complexities, which will suffer from increased computational power and developed quantum computing in the near future [7]. Quantum key distribution (QKD) is a promising technique to secure key exchange and protect communications from security attacks in SDONs [8]. It can achieve information-theoretic security based on the fundamentals of quantum physics, such as the Heisenberg uncertainty principle and quantum no-cloning theorem [9,10]. Moreover, these fundamentals guarantee that the senders or receivers can detect the presence of any third party who is trying to obtain the secret keys. Optical fibers can be used in QKD systems to achieve good transmission performance of quantum signals. Nevertheless, the dark fibers utilized for QKD systems are inconvenient and expensive, while a potential solution is to use wavelength division multiplexing (WDM) technique for QKD integration in existing optical networks [11]. A lot of experiments and field trials have demonstrated the feasibility and practicability of integrating QKD into optical networks [12][13][14][15][16][17][18]. Therefore, based on above works, the objective of this chapter is to find how to deploy and employ QKD to enhance the security of SDONs.

Principle of point-to-point QKD
The basic principle of point-to-point QKD is introduced based on the first invented QKD protocol, i.e., BB84 protocol proposed by Bennett and Brassard in 1984 [19], as illustrated in Figure 1. Nowadays, BB84 protocol is widely used in practical QKD systems [20,21]. The BB84 protocol based QKD process is summarized in the following three stages. 1. Qubit exchange: QKD transmitter (called Alice) generates qubits and sends them to the QKD receiver (called Bob) via a quantum channel (QCh). The qubits are generated by encoding a string of classical bits into single-polarization photons with different states. For instance, the horizontal, vertical, and diagonal ±45° polarization states randomly selected from two conjugate bases (i.e., rectilinear + and diagonal × ) are encoded with 0 + , 1 + , 1 × , and 0 × , respectively. In order to achieve accurate qubit synchronization, a clock channel is also required here. Bob receives the incoming qubits and measures each single-polarization photon with one of the two conjugate bases (i.e., rectilinear + and diagonal × ), and it will record the measurement results and the selected bases.
2. Key sifting: Alice and Bob exchange their selected bases via a pubic channel (PCh), and then discard the qubits sent and measured with different conjugate bases. The remaining qubits will be decoded into a string of classical bits as sifted keys.
3. Key distillation: For error estimation and correction, a random substring of classical bits in sifted keys is exchanged and compared between Alice and Bob via the PCh. Finally, privacy amplification and authentication are implemented to decide the remaining secure bits as secret keys.
Additionally, to improve the secret key rate in QKD systems in practice, decoystate can be integrated with BB84 protocol to basically reach the single-photon sources performance and estimate the number of single-polarization photons detected by Bob more precisely [8].

Trusted repeaters for distance extension
The secret key rate and distance of QKD are limited due to the attenuation of weak quantum signals in QChs. This limitation can be overcome by using quantum repeaters, but they are beyond any practical technologies today [22]. A compromise and a practical solution to this challenge are using trusted repeaters, and this technique has been applied in the deployment of most QKD networks up to date [23][24][25]. In a QKD network based on trusted repeaters, the secret keys generated on the first QKD link can be relayed to the destination node by encrypting them with the secret keys generated in the intermediate nodes. One-time pad algorithm is applied for encryption to ensure the information-theoretic security of secret keys verified by Shannon [26], while the size of secret keys generated and encrypted here should be the same. Hence, secret keys are known by all intermediate nodes, making the secret key secure only as long as all the repeaters are trusted.
An example of QKD distance extension based on a trusted repeater between the source and destination nodes is illustrated in Figure 2. The QKD transmitter in the source node establishes a QKD link with the forthcoming QKD receiver in the intermediate node, whereas the QKD receiver in the destination node establishes a QKD link with the previous QKD transmitter in the intermediate node. Both QKD links produce, independently, secret keys Sk 1 and Sk 2 with the same key size. Then, the secret key Sk 1 is encrypted with the secret key Sk 2 and relayed to the destination node. Specifically, secret key Sk 1 can be used later to secure communications between the source and destination nodes. This relay process can continue with any amount of intermediate nodes, but each intermediate node with the trusted repeater will know the secret key information.

Quantum key pool (QKP) for secret key provisioning
Currently, the secret key rate in most QKD systems can only reach 1-2 Mbit/s over a 50 km fiber link [27]. Therefore, the efficient management of precious secret key resources is important. Recently, quantum key pool (QKP) technique is proposed in QKD networks to timely provision secret keys for satisfying the security demands of communications crossing the networks [6], which is beneficial to enhance secret key management when the QKD develops from point-to-point links to networks. The secret keys generated between the two end nodes can be stored in the key store (KS) which is embedded in each of the two end-nodes and can be managed by a QKP. QKP will know the real-time remaining number of secret keys in the KS, which can decide when to connect the QKD link for secret key provisioning. Hence, efficient QKP construction is beneficial for efficiently employing QKD.
An example of QKP between Node-A and Node-B is illustrated in Figure 3. The QKD node is composed of several components based on the existing QKD technologies, e.g., QKD transceiver, trusted repeater, and switch [23]. The generated secret keys between QKD Node-A and QKD Node-B can be stored in KS-A and KS-B, which are embedded in Node-A and Node-B, respectively. Specifically, the generated secret keys are managed by QKP A-B to monitor the real-time remaining number of secret keys and provision secret keys between Node-A and Node-B.

QKD over SDON Architecture
An architecture of QKD over SDONs is illustrated in Figure 4(a), which consists of four layers from top to bottom: application (App) layer, control layer, QKD layer,  and optical layer. This architecture is different from the previous QKD-integrated optical networks [11] and decouples QKD layer from the optical layer via constructing several QKPs in the QKD layer. Two types of QKPs are constructed to enhance the security of control signaling messages over the CChs, and confidential data services over the DChs, respectively. The QKP between the SDN controller and each node is called QKP-C (i.e., QKP-CCh), whereas the QKP between two nodes is called QKP-D (i.e., QKP-DCh). The SDN controller in the control layer controls and manages the QKD layer and optical layer via the southbound interface protocol (e.g., OpenFlow and NETCONF). Here we use OpenFlow protocol as an example. The SDN controller is capable of realizing flexible and programmable global optical network management, which can be utilized as the effective implementation technique for control layer. Moreover, it has been demonstrated in the recent study on time-shared QKD resources in SDN-controlled optical networks [28].
Optical layer and QKD layer can share the fiber bandwidth resources from existing WDM networks, in which at least two wavelengths need to be utilized as QCh and PCh to construct OpenFlow-enabled QKPs (OF-QKPs), and then the remaining wavelength resources can be utilized to transport confidential data services. The constructed OF-QKPs can provision secret keys to guarantee the security of CChs and DChs. In addition, OpenFlow-enabled optical cross connects (OF-OXCs) are placed in the optical layer. The SDN controller is capable of managing the entire network efficiently, whereas the OF-QKPs and OF-OXCs are capable of operating based on the instructions from SDN controller.
The App layer generates service requests with different security demands and interacts with control layer via the Restful API, in which Restful API is applied as northbound interface protocol. Based on the different security demands, CChs and DChs may require different number of secret keys. In particular, this QKD over SDON architecture can manage and control the network-wide secret key resources, which is beneficial to adapt diverse security demands and dynamic scenarios. Figure 4(b) illustrates the configuration signaling procedure among the four layers in QKD over SDON architecture. This procedure can be described in the following five stages: (1) upon receiving a service request (e.g., the service request from Node 1 to Node 2) from the App, SDN controller first computes/selects path and then implements OpenFlow handshake with related OF-OXCs as well as OF-QKPs on the selected path; (2) after the establishment of first stage, OF-QKP-C 1 and OF-QKP-C 2 are configured by the SDN controller to provision secret keys for control/configuration messages over the CChs; (3) OF-QKP-D 1-2 is configured by the SDN controller to provision secret keys for the service request from OF-OXC 1 to OF-OXC 2 over the DCh; (4) the SDN controller configures OF-OXC 1 and OF-OXC 2 to encrypt data and transport the service; and (5) at last, SDN controller replies to the App.

Wavelength allocation
Since three types of channels (i.e., QChs, PChs, and DChs) are coexisting in a single fiber with WDM technique, wavelength allocation for these three types of channels becomes an essential issue. The total number of wavelengths for QChs, PChs, and DChs should conform to existing WDM networks, e.g., 40 wavelengths (with 100 GHz channel spacing) or 80 wavelengths (with 50 GHz channel spacing). Given the DCh is usually located at C-band (1530-1565 nm) in existing WDM networks, some previous studies have demonstrated QKD at O-band (1260-1360 nm) [29,30] to achieve strong isolation from data transmission. Nevertheless, the faint quantum signals may suffer from more losses at O-band compared with C-band, which will limit the transmission distance and rate. Therefore, the three types of channels can be placed at C-band to achieve better quantum-signal transmission performance, as illustrated in Figure 5.
In particular, the physical layer impairments (e.g., Raman scattering and fourwave-mixing effects) induced by PCh and DCh may have negative impacts on the QCh transmission performance. Raman scattering effects can be effectively reduced by placing the QCh at high frequency [31], thereby the wavelength reserved as QCh starts from 1530 nm. Besides, four-wave-mixing effects can be reduced by allocating 200 GHz guard band between QCh and other classical channels (i.e., PChs and DChs) [17]. Moreover, appropriate channel isolation and stable QKD operation can be achieved by using multistage band-stop filtering technique [32]. The PCh that transmits classical signals for key sifting and distillation as introduced in the principle of point-to-point QKD can share the same wavelengths with DCh or utilize the dedicated wavelengths at fiber C-band. The latter can be selected to ensure one-to-one relationship between the PCh and QCh, although the wavelength resources for data transmission may be degraded. This is because allocating dedicated wavelengths for QCh and PCh is essential in a stable scenario. The intermediate nodes with trusted repeaters and erbium-doped fiber amplifiers (EDFAs) can be deployed for QCh and PCh/DCh, respectively, to extend quantum and classical signal transmission distance, in which EDFA bypass scheme [30,33] can be utilized for quantum and classical signal coexistence in a single fiber to suppress the noise from the EDFA's amplified spontaneous emission (ASE).

Time-slot allocation
Given the finite wavelength resources in a single fiber and the high cost of establishing QChs and PChs, each wavelength for QCh/PCh is segmented into multiple time slots according to optical time division multiplexing (OTDM) technique [34]. Hence, each time slot can be utilized to establish a QCh/PCh for improving resource utilization. We assume that the secret keys provisioned for a service request with specific security demand are exchanged between the source and destination nodes within a fixed time t, thereby each QCh/PCh occupies a time slot. On the basis of the principle of point-to-point QKD described above, t consists of channel estimation and calibration time, qubit exchange time, key sifting time, and key distillation time. In particular, the scattering and loss may impact the secret key rate between two nodes, which will lead to different number of secret keys shared between different node pairs within t in QKD over SDONs. In the network model, to fix t with a realistic and simplified manner, the size of t can be set as the secret key exchange time for a fixed key size (e.g., 128, 192, and 256 bit while using AES encryption algorithm [35]) under the worst scenario in QKD over SDONs.
Additionally, to prevent attacks for enhancing the data encryption security, the secret keys provisioned for each service request with specific security demand can be updated in a period T. The parameter, T, is the period after which the secret key must be changed between two nodes. The security level increases while decreasing the value of T. This is because the secret keys provisioned for a service request with specific security demand are updated more frequently, thereby increasing the difficulty of cracking the encryption key by a third party [36]. Accordingly, considering the key-updating period, time-slot allocation for QCh/PCh becomes a new topic to be studied. Also, routing, wavelength, and time-slot allocation (RWTA) strategy for establishing the three types of channels (i.e., QChs, PChs, and DChs) needs to be considered.
For instance, Figure 6 illustrates two security level configuration solutions, in which the parameter, t, is the secret key exchange time between the source and destination nodes for each service request with specific security demand, and the parameter, T, is the key-updating period (t < T, which guarantees that the secret keys can be exchanged within a period). In solution 1, we fix T for all the QCh/PCh wavelengths and each service request with specific security demand has the same security level value of T. Note that the QCh/PCh wavelengths are the wavelengths in WDM optical networks that are reserved as QCh/PCh. The solution 1 can only provide one security level, which may limit the flexibility of security demands of service requests. However, service requests triggered from numerous security-hungry applications may have different security demands with different security levels. Hence, each QCh wavelength has a flexible T values in solution 2, thereby different security levels can be provisioned. For different service requests with security demands, this solution can provision more security level types.

Secret key allocation
Data encryption algorithms need to be considered for CChs and DChs while performing secret key allocation. One-time pad (OTP) encryption algorithm was invented to achieve information-theoretic security, in which the secret key size should be as long as the data size [26]. Hence, OTP encryption algorithm requires much execution time/storage to perform data encryption, which is difficult to be utilized for high-bit-rate data encryption in SDONs and has negative impacts on the efficiency of SDONs. Nevertheless, symmetric encryption algorithms [37] can be used to perform large amount of data encryption with small secret key size and fast execution time. A commonly used symmetric encryption algorithm is advanced encryption standard (AES) algorithm, which can be integrated with QKD to implement high-bit-rate data encryption [38,39]. Using secret key lengths of 128, 192, and 256 bit, the AES algorithm can encrypt/decrypt large amount of data in blocks of 128 bit [35]. Hence, the secret key receiving module and data encryption module can be added in optical transport nodes to perform secret key communication and processing.
Nevertheless, the third party can eavesdrop a sequence of encrypted data to crack the secret keys while using AES algorithm. Then, two important factors, i.e., data size and data transmission time, need to be considered during a crack [40,41]. In order to degrade the probability of encrypted data being cracked, the secret key can be frequently changed between two nodes based on the key-updating period. Key updating is essential to enhance the security of data encryption while using AES algorithm to secure CChs and DChs. Accordingly, the time complexity and data complexity of attacks can be considered for key updating in which time complexity is the maximum available time for a secret key and data complexity is the maximum encrypted data size by a secret key. The security level increases with the increase of secret key length or the decrease of secret key-updating period. Therefore, we can qualitatively evaluate the security level based on secret key length and updating period.
Given the secret key resources are limited and precious in QKPs, the secret key allocation issue for CChs and DChs needs to be solved. The control/configuration messages transmitted over the CChs in SDONs are usually at megabit-per-second transmission rate, which are low compared with the data complexity of attacks [40]. Accordingly, secret key allocation and updating are accomplished for each CCh in the SDON to enhance its security. Through the path of a data service, each node along the path will be configured by the SDN controller via the corresponding CCh. According to the specific security demand of each CCh, QKP-C allocates the required secret keys between SDN controller and each node to enhance the security of each CCh. Hence, we can allocate different number of secret keys to CChs between SDN controller and each node for encrypting/decrypting the control/configuration messages. As illustrated with an example in Figure 7, Keyxy denotes the required number of secret keys in which x and y represent the node serial number and service serial number, respectively. Key 1-1 /Key 2-1 is allocated to CChs between the SDN controller and Node 1/Node 2 for Service 1, whereas Key 1-2 /Key 2-2 /Key 3-2 is allocated to CChs between the SDN controller and Node 1/Node 2/Node 3 for Service 2.
The required number of secret keys for each data service over the DChs is associated with the secret key length and updating period. The QKP-D can allocate the required number of secret keys to enhance the security of data services over the DChs in SDONs. As illustrated with an example in Figure 8, three data services (i.e., r 1 , r 2, and r 3 ) have different security demands. In Figure 8(a) and (b), we consider the time complexity of attacks (i.e., T y ) and data complexity (i.e., D y ) of attacks for secret key updating, respectively, in which the parameter, y, represents the data service serial number. Based on AES algorithm, the required secret key lengths of r 1 , r 2 , and r 3 are 128, 192, and 256 bit, respectively. Additionally, as shown in Figure 8(a), the required secret key-updating periods of r 1 , r 2 , and r 3 are T 1 , T 2 , and T 3 (T 1 < T 2 < T 3 ), respectively; whereas in Figure 8(b), the required secret key-updating periods of r 1 , r 2 , and r 3 are D 1 , D 2 , and D 3 (D 1 < D 2 < D 3 ), respectively. Specifically, the data service with longer secret key length and shorter secret keyupdating period demands shows higher security level and will require more secret keys to be allocated for data encryption. Thus, routing, wavelength, and secret key allocation (RWKA) strategy for CChs and DChs in a timely manner on demand is necessary to be considered.

Survivability for QKD over SDONs
QKD can provide secret keys for end-to-end paths and improve the security of SDONs. However, how to guarantee survivability in a QKD over SDON is an important topic. QCh and PCh should be protected simultaneously in a QKD over SDON. Especially due to the utilization of key-updating period (security level) with different time slots, protection action will occur at a subwavelength level. Synchronization might also be a difficult problem for QCh, PCh, and DCh.

Cost optimization for QKD over SDONs
In a QKD network, two types of nodes should be deployed, i.e., QKD node and intermediate node with trusted repeaters. Also, several wavelength channels in existing WDM optical networks should be planned as QChs and PChs. In practice, different number of nodes and QChs/PChs may produce different costs and performance for QKD over SDONs. Accordingly, how to optimize the cost of deploying QKD over SDONs while satisfying the performance requirements is another open issue.

Key on demand (KoD) for QKD over SDONs
The secret key rate (i.e., the generation of secret keys in bits per second) in current advanced QKD systems is extremely low compared with the gigabit data transmission over each wavelength in WDM optical networks. Increasing the number of nodes and QChs/PChs can further increase the secret key rate, but it will also drastically increase the system complexity and power consumption. Thus, the use of an efficient key on demand (KoD) scheme to achieve efficient secret key resource usage while satisfying security requirements of CChs and DChs is also essential for QKD over SDONs.

Conclusions
This chapter provides a brief introduction to the basic principles and enabling technologies of QKD. Based on the QKD-enabling technologies, an architecture of QKD over SDONs is presented. Resource allocation problem is elaborated in detail and is classified into wavelength allocation, time-slot allocation, and secret key allocation problems in QKD over SDONs. Finally, several open issues and challenges are discussed.
© 2018 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.