Topological optimization of hybrid quantum key distribution networks

With the growing complexity of quantum key distribution (QKD) network structures, aforehand topology design is of great significance to support a large-number of nodes over a large-spatial area. However, the exclusivity of quantum channels, the limitation of key generation capabilities, the variety of QKD protocols and the necessity of untrusted-relay selection, make the optimal topology design a very complicated task. In this research, a hybrid QKD network is studied for the first time from the perspective of topology, by analyzing the topological differences of various QKD protocols. In addition, to make full use of hybrid networking, an analytical model for optimal topology calculation is proposed, to reach the goal of best secure communication service by optimizing the deployment of various QKD devices and the selection of untrusted-relays under a given cost limit. Plentiful simulation results show that hybrid networking and untrusted-relay selection can bring great performance advantages, and then the universality and effectiveness of the proposed analytical model are verified.

switches [22] and the technology immaturity of quantum-relays [23,24], trusted-relay is the most practical approach at present [11]. This approach carries the risk of information leakage at trusted-relays. To reduce the risk, several efforts have been made in recent years [25][26][27], such as the exclusive-or based key storage [28] and the game-theory based multi-path transmission [29]. However, the premise of the exclusive-or strategy is that the network owner has an efficient node attack detection capability, while the precondition of the game-theory strategy is that the network adversary can only attack limited number of nodes. Therefore, the applicability of these strategies is still limited in the real-life multi-user QKD networks. In order to provide ITS communication service in a real-life hybrid QKD network, the credibility of each trusted-relay must be controlled, which leads to the introduction of credibility control cost. It is generally assumed that all relay nodes are trusted-relays in the previous researches related to trusted-relay based QKD networks [12,14]. As a result, the total credibility control cost of a whole network is proportional to the total number of relay nodes. However, for a hybrid QKD network, untrusted-relays, which do not consume credibility control cost, can also be used to connect some types of QKD devices [30], such as MDI-QKD and TF-QKD. By selecting some cheap untrusted-relays to reduce the total number of trusted relays, the total credibility control cost can be effectively saved. Taking advantage of the saved cost to deploy more QKD devices can certainly generate more quantum keys. Therefore, in contrast to the traditional default scenario where all relay nodes are considered to be trusted-relays, it is worth speculating that efficient selection of untrusted-relays can provide better communication services.
The variety of QKD protocols and the necessity of untrusted-relay selection, coupled with several intrinsic characteristics of QKD devices, such as the exclusivity of quantum channels and the limitation of key generation capabilities [18,[31][32][33], make the optimal design of a hybrid QKD network a very complicated task [34][35][36][37][38]. In this research, we study the optimal design of QKD network from the perspective of topology. The main function of topology design is to provide the best communication service within a given cost limit by carefully deploying QKD devices and selecting untrusted-relays. In the literature [3] and [39], several cost optimization models for QKD network construction have been designed through the deployment of QKD devices and the construction of new relay nodes. However, it is hard to construct a new relay node according to the optimal working distance calculated by literature [3] in a real network which is restricted by the physical geography. In addition, MDI-QKD protocol, TF-QKD protocol, and other QKD protocols that rely on two solid fibers have not been studied in these works. Furthermore, all nodes in their QKD networks are considered to be trusted-relays, i.e., the selection of untrusted-relays has not been considered.
• In this research, to study the hybrid QKD network, the topological differences between the client-to-client (C2C-QKD) protocol and the client-server-client (CSC-QKD) protocol were analyzed.
• To make full use of hybrid networking, an analytical model for optimal topology calculation was proposed to calculate the optimal network performance under a given cost limit, and then obtain the optimal deployment of various QKD devices and the selection of untrusted-relays.
• To verify the universality and effectiveness of this work, a comprehensive simulation based on random topology and real topology was designed. Simulation results demonstrated the advantages of hybrid networking and untrusted-relay selection.
The paper is organized as follows: In Section 2, the topological differences are presented in detail. Based on the method, an analytical model for optimal topology calculation are proposed in Section 3. In Section 4, the simulations of topology calculation, based on the proposed analytical model, are presented and the results are analyzed. Section 5 presents the concluding remarks.

Topological differences of various QKD protocols
For all types of QKD protocols, quantum state transmission is an important step. Its dependence on quantum channels leads to a typical problem of quantum channel exclusiveness for QKD devices. To solve this problem, researchers have put forward many approaches, such as wavelength-division-multiplexing and orthogonal-frequency-division-multiplexing, to realize the multiplexing of quantum channels on existing optical fibers, so as to provide quantum keys without changing existing communication facilities. As a result, the dependence problem on the existing optical fibers, i.e. fiber dependency, emerges. According to the distinction on fiber dependency, existing various QKD protocols can be divided into C2C-QKD protocol and CSC-QKD protocol, as shown in Fig. 1. The C2C-QKD protocol refers to the protocol that only one optical fiber is needed to connect a communication pair, such as BB84-QKD or E91-QKD. In contrast, the CSC-QKD protocol requires the participation of an untrusted third party (UTP), which is actually an untrusted-relay. Meanwhile, both of the two communication parties should connect to the UTP through one optical fiber. MDI-QKD and TF-QKD are the representatives of this kind. For demonstration purposes, we define the two communication parties of a C2C-QKD device as two C2C-clients and label the quantum channel connecting two C2C-clients as a C2C-edge. Similarly, the two communication parties of a CSC-QKD device are defined as two CSC-clients, the UTP is called a CSC-server, and the two quantum channels connecting CSC-clients and CSC-server are labeled as two CSC-edges. In a hybrid QKD network, each node may plays one or more roles as a C2C-client, a CSC-client or a CSC-server, and each edge may contain one or more C2C-edges or CSC-edges.

Notations and definitions
We summarize the notations used throughout the rest of this paper in Table 1 and make the following explanations. Ratio of key length to plaintext length in the adopted encryption algorithm To expand the discussion more smoothly, it is necessary to explain in detail the definition and meaning of SoD, G-SoD and MG-SoD, the three main concepts used for topology evaluation, as shown below.  (SoD), B s,t , is the ratio of its total key consumption, A s,t , to its total key demand [11], i.e., where A s,t can be calculated by the total difference between the flows into and out of the source node s, i.e., ), B, is defined as the worst performance of all communication pairs [11]. Thus, B can be calculated by the minimum value of all SoDs, i.e.,

Definition 3.1.2 (G-SoD) For a QKD network with a given topology G = (V, E), its global satisfaction degree of all communication demands (G-SoD
Definition 3.1.3 (MG-SoD) For a QKD network topology G = (V, E), its optimal performance is defined as the maximum of all possible G-SoDs (MG-SoD), each of which is defined as the worst performance of all communication pairs over a possible flow assignment [11].

The proposed analytical model
To make full use of hybrid networking, an analytical model, which is essentially an optimization formulation, is designed to solve the problem of the optimal deployment of various QKD devices and the selection of untrusted-relays for a hybrid QKD network. The input items of this formulation mainly include the existing classical network, the communication demand, the key generation capability and the limited construction cost. (i) The existing classical network is represented as a directed graph G = (V, E). Then, the set of all optional C2Cedges is E and the set of all optional CSC-edges isÊ The communication demand is defined as D s,t and the key consumption ratio as β s,t . Therefore, the requested key demand is D s,t · β s,t for each communication pair (s, t) (s ∈ V, t ∈ V). In particular, β s,t = 1 indicates that the one-time-pad algorithm is adopted to achieve ITS communication and β s,t = 0 indicates that the adopted encryption algorithm does not require quantum keys. (iii) The key generation capability for each C2C-QKD device arranged on the C2C-edge (u, v) ∈ E is denoted as R (u,v) , and the key generation capability for each CSC-QKD device arranged on the CSC-edge (u, p, v) ∈Ê is denoted asR (u, p,v) . (iv) The total cost for QKD network construction is limited to C, which mainly includes the manufacturing cost of QKD devices and the credibility control cost of trusted-relays.
The decision variables of this formulation mainly contain three types: integer variable, boolean variable and continuous variable. (i) The integer variable S (u,v) represents the number of C2C-QKD devices arranged on the C2C-edge (u, v), andŜ (u, p,v) represents the number of CSC-QKD devices arranged on the CSC-edge (u, p, v). (ii) The boolean variable T (v) indicates whether node v is a trusted-relay and whether credibility control is required for this node. (iii) The continuous variable F s,t (u,v) represents the flow amount of the communication pair (s, t) [11,40,41] passing through the C2C-edge (u, v),F s,t (u, p,v) represents the flow amount of the communication pair (s, t) passing through the CSC-edge (u, p, v), and B represents the quality of a QKD network topology, which can be measured by the G-SoD [11].
The complete formulation is then given by, Maximize: Subject to: where The objective function is expressed in Eq. (4), which maximizes the G-SoD. Constraints Eqs. (5, 6) state the capacity constraint condition, i.e., the total flow amount through an edge must be lower than the total key generation capability on this edge. Constraint Eq. (7) expresses the flow conservation condition, i.e., the total flow amount that enters a non-source-sink node must be equal to the total flow amount that exits this node. Constraints Eqs. (8)(9)(10) prove that sufficient key materials from the source node to the sink one is available to satisfy the key demand between the two nodes. Constraint Eq. (11) requires the actual cost must be no higher than the limited cost. Here, we use the price of a C2C-QKD device as the basis of cost calculation. Besides, the price of a CSC-QKD device is assumed to be q 1 times the base value, and the credibility control cost of a trusted-relay be q 2 times the base value. Constraint Eq. (12) carries out the selection of untrusted-relays, which have neither been C2C-client nor CSC-Client.
In this formulation, all other constraints are linear functions, except the Eq. (12) which is a piecewise function. To facilitate the solution, we transform the Eq. (12) into a linear expression by means of approximation, making this formulation a standard mixed-integer linear programming (MILP) model. More specifically, the Eq. (12) is rewritten as Eq. (14) by introducing additional boolean decision variable T (v) and continuous decision variable T (v), where M is an arbitrarily large real number.
The decision variables of this standard MILP formulation are listed below: As a typical MILP model, this formulation can be solved by a mature linear programming solver, Gurobi [42,43]. After optimization, the proposed model is convenient to retrieve the MG-SoD (i.e., the objective function value), the number of QKD devices to be installed on each edge (i.e., S (u,v) andŜ (u, p,v) ), the nodes to be selected as untrusted-relays (i.e., T (v)), and the paths to be selected for each communication pair to route the encrypted messages (i.e., F s,t (u,v) and F s,t (u, p,v) ).

Optimal topology calculation of several random graphs
We evaluate the calculation results of our proposed analytical model on 13 random graphs, which are generated based on the ER model [44,45]. These random graphs are set as follows: each family consists of 10 instances with a fixed number of nodes, an average nodal degree of 3, a set of edge lengths uniformly distributed at [10, 500] kilometers, and a uniform traffic matrix established at [100, 500] kbps between one fifth of nodes allowing the remaining four-fifths the opportunity to act as untrusted-relays. The simulation platform adopted in this research is detailed in Table 2. In addition, we adopt the decoy-QKD protocol [38] to prepare C2C-QKD devices, and the SNS-TF-QKD [17] protocol to prepare CSC-QKD devices. To simplify the analysis, we assume that the parameters of all C2C-QKD devices are the same, and the parameters of all CSC-QKD devices are also the same. It should be noted that the proposed analytical model supports the configuration of different parameter setting for each QKD device. The main cost of a decoy-QKD device mainly comes from two single-photon detectors, similarly, the main cost of a SNS-TF-QKD device also mainly comes from the same detectors. Therefore, q 1 is assumed to be 1, by taking the price of a decoy-QKD device as the basis of cost calculation. Considering the complexity of credibility control, which is usually realized by physical protection [46][47][48][49][50], q 2 is assumed to be 100. In addition, the overall cost for network construction is limited to 10000.
To demonstrate the advantages of hybrid networking and untrusted-relay selection clearly, the average values of all MG-SoDs obtained from 13 families of random graphs are standardized. Specifically, the simulation result in the case of hybrid networking and untrusted-relay selection is normalized as 100%, and the remaining results are normalized as the ratio to the above values, for each graph size. In Fig. 2, we report the standardized MG-SoDs of hybrid networks, pure-C2C networks and pure-CSC networks versus the graph size with or without untrusted-relay selection, respectively. As can be seen from the figure, higher MG-SoDs can be achieved when using multi-type QKD protocols: the value of hybrid network curves, which are orange, is always higher than that of green and blue curves. Higher MG-SoDs can be achieved by carefully selecting untrusted-relays: the value of the solid lines is always higher than the dotted lines. In addition, as the number of nodes increases, the performance of pure-C2C networks drops sharply, while such performance drop of pure-CSC networks is not always obvious. Furthermore, without untrusted-relay selection, the performances of all three types of QKD networks decrease monotonically with the increase of graph size.
To show the solving difficulty of our proposed analytical model more intuitively, we report the runtime results of different networking schemes in Fig. 3. As can be seen from the figure, the addition of hybrid networking and untrusted-relay selection makes the solving more difficult: the value of hybrid network curves, which are orange, is always higher than that of green and blue curves, and the value of the solid lines is always higher than the dotted lines. More obviously, as the number of nodes increases, the runtime of hybrid networks with untrusted-relay selection is always the longest, followed by the pure-CSC networks with untrusted-relay selection. By contrast, the runtimes of the remaining four schemes are much shorter, because they have fewer decision variables and fewer constraints. In addition, the optimal solution cannot be obtained within 7200 seconds, when the number of nodes reaches 55. It is worth to mention that, it is essential to design corresponding heuristic algorithm [51,52] to accelerate the calculation of optimal solution for large-scale network construction, which is also the research focus of our future work.

Optimal topology calculation of a real NSFNET topology
Although the above results are sufficient to prove the universality of this study, another simulation based on a real NSFNET topology (14 nodes and 21 edges) [11], as shown in Fig. 4, is conducted to further verify the effectiveness of the proposed analytical model. Under the same assumptions, the corresponding optimal design is shown in Table 3, where Hyd. SoD, C2C. SoD, and CSC. SoD are used to indicate the MG-SoDs of hybrid network, pure-C2C network and pure-CSC network, respectively. From the data in the table, it can be concluded that both the hybrid networking and the untrusted-relay selection play a critical role in optimal topology design; therefore, the effectiveness of this study is verified.
Furthermore, it should be pointed out that, although the above simulation only gives the results of a set of specific input parameters due to the length limit, the conclusions are also established for various input parameters.

Conclusion
In conclusion, we have proposed an analytical model to find the optimal deployment of various QKD devices and the selection of untrusted-relays under a given cost limit, and then to create a high-quality hybrid QKD network with the existing classical network. Through simulation, the universality and effectiveness of this study have been verified. In the process of research, the proposed model is calculated by using existing computing tools, Gurobi. However, in the face of large-scale QKD networks, specific heuristic algorithms should be designed to accelerate the calculation of the proposed model, which is also the research focus of our future work. In addition, to further improve the topology performance, we will study the physical protection of trusted-relays thoroughly based on existing works, to quantify and reduce the physical protection cost in our future work. We anticipate that the proposed model could contribute a significance for researchers to accelerate the construction process of QKD networks.

Funding
Space Science and Technology Advance Research Joint Funds (6141B06110105); National Natural Science Foundation of China (NSFC) (61301099).