Optimizing the deployment of quantum key distribution switch-based networks

Quantum key distribution (QKD) networks provide an infrastructure for establishing information-theoretic secure keys between legitimate parties via quantum and authentic classical channels. The deployment of QKD networks in real-world conditions faces several challenges, which are related in particular to the high costs of QKD devices and the condition to provide reasonable secret key rates. In this work, we present a QKD network architecture that provides a significant reduction in the cost of deploying QKD networks by using optical switches and reducing the number of QKD receiver devices, which use single-photon detectors. We describe the corresponding modification of the QKD network protocol. We also provide estimations for a network link of a total of 670 km length consisting of 8 nodes, and demonstrate that the switch-based architecture allows achieving significant resource savings of up to 28%, while the throughput is reduced by 8% only.


I. INTRODUCTION
Quantum key distribution (QKD) is a technology that allows establishing provably secure keys between legitimate parties [1][2][3][4][5]. The QKD security is based on the fundamental laws of quantum physics, so QKD remains secure against any unforeseen developments, such as quantum computing [6]. In recent decades the QKD technology has attracted a significant deal of interest, which makes it one of the most widely studied research fields in quantum information technologies. Provably secure commercial QKD systems are now available. At the same time, the deployment of QKD systems in real-world conditions faces several challenges [5], which are related to the limitation in distance and secret key generation rates as well as the high cost of such devices. One of the most prominent ways to overcome the distance limitations of QKD systems, which is essentially related to optical losses, is to develop QKD networks [7]. QKD networks allow increasing the distance for key distribution and making this infrastructure available for multiple users. Several QKD networks have been deployed around the globe [7][8][9][10][11][12][13][14][15][16][17][18]. These QKD networks are based on the so-called trusted nodes paradigm. Trusted nodes allow distributing a pair of symmetric keys between two not nodes, which have no direct link, using the hop-byhop approach and the one-time pad (OTP) encryption. Building QKD networks without a trusted network requires quantum repeaters [19], which are now under active research [20,21], but not yet ready for industrial use. Thus, the problem of optimizations of the QKD networks deployment is of significant importance [22][23][24][25].
One of the ways for overcoming existing challenges in the QKD network development is to use optical switches, link lengths between the nodes and the switch, which is controlled by managing Bob 1. In (a) the star topology is shown. In (b) the backbone topology is illustrated.
which have been tested in several QKD networks [26,27]. Optical switches allow sharing the resources of the devices in the network, which makes it possible to reduce the number of devices. An idea behind using switches is that the optical channels of the existing telecommunication structure are very heterogeneous in terms of losses, so the key generation rate varies significantly in different segments. Therefore, at least in the case of the backbone quantum network configuration, it makes no sense to organize the continuous key generation in all sections -the key generation rate is limited by the slowest link. Thus, the use of optical switches in low-loss segments may help to reduce the overall cost of a quantum network significantly, while the secret key rate generation remains reasonably high. The use of optical switches in QKD networks of various topologies requires further optimization from the viewpoint of time, which is supposed to be fixed for a session between various parties of the network. Therefore, an optimization problem on the minimization of the cost of the deployment of the network without a significant reduction of the key generation rate appears to be crucial.
In this work, we analyze an architecture of QKD networks, which are based on using optical switches and reducing the number of QKD receiver devices, which use single-photon detectors. We describe the corresponding modification of the QKD network protocol. We use a realistic model of the performance of QKD devices in realistic experimental conditions. We present a general framework for optimizing switch-based backbone QKD networks. As an example, we provide estimations for a network link between of a total of 670 km length consisting of 8 nodes, and show that the switch-based architecture allows achieving significant resource savings of up to 28%, while the throughput is reduced by 8% only.
Our work is organized as follows. In Sec. II, we describe a switch-based QKD setup. We provide an analysis of its design and present a model for calculating key rates, which is in good agreement with experimental data. In Sec. III, we consider a general approach for configuration optimization of switch-based backbone QKD networks. In Sec. IV, we use our model of the QKD network to optimize the performance of the backbone QKD network between Moscow and Udomlya. We summarize the main results of our work and conclude in Sec. V.

II. SWITCH-BASED QKD NETWORKS
Here we briefly describe the extraction of the parameters of the QKD setup, which are further needed for the optimization of the network deployment. For this purpose, we develop a model of the performance of realistic QKD devices and compare the predictions of the model with experimental data. We then apply the developed model for estimating and optimizing the performance of a realistic QKD network using a standard approach for the deployment of (switch-free) backbone QKD networks as a reference.

A. Switch-based quantum networks
We use optical switches for deploying QKD networks on the basis of QKD setups, which operate using the plug&play scheme of the BB84 protocol (without decoy states; the scheme is described in Appendix A). As usual, we refer to devices where preparation and measurement of qubits is performed as Alice and Bob modules (or Alice and Bob, for short), correspondingly.
We test two elementary configurations of QKD networks: Star and backbone topologies (see Fig. 1). In the first case, all the optical channels are loaded continuously, the optical switch is used to commute pairs, for example, Alice 1-Bob 1 and Alice 1-Bob 2 (see Fig. 1). This configuration is suitable for the distribution of security keys, for example, in a branched urban infrastructure. Alternative topology, so-called the backbone topology, typically serves to increase the distance of QKD. For the case of the backbone topology optical switches can be used for optimizing the resources of the network. Both elementary configurations might be conveniently interconnected in the necessary order, which ensures the scalability.
The use of QKD devices with optical switched requires modifications of the QKD network protocol. To control the switches, we need a command from a single point. Therefore, when developing a protocol for the operation of a quantum network, we selected a "managing" Bob; all other nodes are "regular" Bobs (which we refer to as Bobs) and functionally indistinguishable Alices. We use standard commercially available optical switch Thorlabs-OSW22-2x2, which is controlled under the host level of the LabVIEW software (which is used for controlling QKD devices, see Appendix A). The timing diagram of the QKD realization between 4 nodes in the QKD network is shown in Fig. 2. The exchange is controlled by the "managing" Bob 1, which sends required informa-   tion via TCP/IP to the "regular" Bob 2. Bob uses optical switches and adjustment parameters (time windows, train period) and requests the corresponding Alice. Alice uses the optical switch, if present, and confirms that the connection is ready. For the connection with each Bob, Alice accumulates the generated key in a separate file. Alice also needs to change the attenuation value of the output signal, depending on the losses in the corresponding quantum channel. We note that Alice does not need to change other parameters: The value of the electric delay of the signal from the synchronization detector depends only on the length of the optical storage line of Alice. Further, the QKD sessions occur according to the scheme described above until Bob 1 switch the interacting nodes. Obviously, such a scheme can be easily scalable to more interacting nodes. We note that the commands in the network protocol can be additionally authenticated (or encrypted).

B. Adjusting a model for QKD devices performance
In Tab. I, we present our results for experimental measurement of the sifted key rate and quantum bit error rate (QBER) together with corresponding theoretical predictions given by Eqs. from Appendix B for the star topology [see Eqs. (B7) and (B4)]. To test and control the measured QBER in time, we split the accumulated sifted key into blocks of length 5000 bytes each, and compute QBER for each block. Typical QBER fluctuations, which arise mainly due to the imperfect environment of the experiment, are shown in Fig. 3.
Despite realistic (non-ideal) conditions, after some time since turning on the observed QBER is stabilized, and the fluctuations normally do not exceed 3% for the link Alice 1-Bob 1. For the line Alice 2-Bob 2 which uses SPD with better characteristics, QBER is found to be about 1%. The average values are given in Tab. I. One can see that there is a rather good agreement between the model and experiment.
Furthermore, in order to improve the generation rate, one can perform parameter optimization for the current setup by maximizing the lower bound on the secret key rate. For fixed and measured optical channel parameters and laser power, we have the following parameters to optimize: the mean number of photons µ, detector efficiency η det , dead time τ d and dark count rate (DCR). We use a finite set of points {η det , τ d , DCR}, extracted from the experimental data, and perform the maximization of the lower bound on the secret key rate with respect to µ as follows: where R sift is the sifted key generation rate, κ 1 is a fraction of bits in the verified key obtained from singlephoton pulses, E 1 and E µ are the single-photon and the overall QBER's respectively, f ec is the error correction efficiency (here we use f ec = 1.15 [28]), and H(·) is the binary Shannon entropy. The detailed discussion of Eq. (1) is presented in Appendix C.
In Fig. 4 we illustrate R sec (µ) for the fixed SPD parameters listed in Tab. II (in blue) and for the parameters optimized for each µ-value (in green). From the plot it is clearly seen that for the same µ 0.4 the gain in rate by approximately factor 1.5 can be achieved with respect to the current experimental setup (red dot) by just finding an optimal set of {η det , τ d , DCR}. Including µ into optimization variable list as well, numerically we find maximum for the following parameters: η det = 30%, τ d = 25 µs, DCR 990 Hz and µ 0.64. The corresponding maximum key rate is R sec 2.2 kbit/s. Thus, this simple example proves a clear advantage of parameter optimization.
We note that for our benchmark parameters in Tab. II the realized standard BB84 protocol can be considered secure, i.e. R sec > 0, only for the losses α opt up to about 5(10) dB or equivalently for distances up to 25(50) km for the link Alice 1(2)-Bob 1 (2). Therefore, for practical usage at distances ∼ 100 km one needs an implementation of some other QKD protocol, e.g. the commonly used BB84 with decoy states [29,30].

III. OPTIMIZING SWITCH-BASED BACKBONE QKD NETWORKS
In this section, we describe a general framework for optimizing configurations of switch-based backbone QKD networks. Consider a sequence of N consecutive QKD links with two edge nodes and N − 1 trusted nodes. Let R (i) sec with i = 1, 2, . . . , N be secret key generation rates achievable at each link [see Fig. 5(a)]. In the case of no switches in the network, i.e., where all trusted nodes are equipped with two devices (either two Alices, or two Bobs, or Alice and Bob), the resulting key generation rate between the edge node is given by min(R Then, let us consider the case where some trusted nodes are equipped with switches. We refer these nodes to as "switch-based" and denoted them by S. In contrast, we call trusted nodes with two devices as "full", and denote them by F. Thus, the configuration of the network is defined by a string X = (X 1 , X 2 , . . . , To calculate a rate for a switch-based backbone network, we split a sequence of all rates (R in such a way that 0 < N 1 < N 2 < . . . N m < N , all trusted nodes connecting links in each of clusters are switch-based, and all trusted nodes connecting links between adjacent clusters are full [see an example of splitting links into clusters in Fig. 5(a)]. The basic idea behind the splitting is that since clusters are separated by full trusted nodes, switch-based nodes inside each cluster are able to operate with switches in an independent manner. The resulting secret key generation between edge nodes in the network then can can be obtained as minimal key generation among all clusters. Consider a cluster of links with rates (R sec ). Since all the intermediate nodes within the cluster are switch-based, to achieve the maximal key generation rate through the whole cluster, at each time moment, it is preferable to turn on either all odd or all even links [see Fig. 5b]. Assuming that time for switching in negligible, the achievable rate is as follows: where p ∈ (0, 1) is a parameter determining percentage of time in "even" and "odd" modes. One can see that the maximal possible rate is given by achieved for p providing R odd = R even . The resulting (effective) key generation rate in the network takes the followng form: where R (i) subgroup is maximal rate of the ith subgroup calculated via Eq. (4), and the splitting of rates into subgroups is determined by the configuration X.
Using Eq. (5) one can consider finding the best configuration with a given number of switch-based nodes. Since in practical scenarios, the total number of nodes usually does not exceed several dozens, this problem can be solved by an exhaustive search approach by trying all possible configurations X and taking a maximum over of all R(X).
The next problem one can consider is an optimization over the cost of equipment related to a given configuration X. Let us introduce the following notations: let A(B) denote a node with a single Alice (Bob) device, SA(SB) denote a switch-based node with Alice (Bob) device, and AA, AB, BA, BB denote a full node with two devices. One can see that the configuration the same configuration X can be implemented in several ways: e.g. In Ref. [31] we provide an optimization script (upon the reasonable request), which allows one to obtain the cheapest implementation of a backbone network with a maximal key generation rate given a sequence of rates, number of switch-based nodes, and a cost of each type of node implementation (first, a configuration(s) X providing the maximal rate are obtained, and then the cheapest implementation(s) are identified).

IV. OPTIMIZATION OF THE QKD NETWORK DEPLOYMENT FOR A REALISTIC NETWORK
Here we incorporate our results on the analysis and simulation of QKD devices with switches to optimize QKD network deployments. Below we consider an example of a QKD network (a network link between Moscow and Udomlya). To estimate the order of magnitude of potential key rates for each link of the network, we use our model for the simulation of QKD devices based on the one-way BB84 with two decoy states.
For simplicity, we assume that all Bob modules in the network have identical pairs of SPDs with parameters listed in Tab. III. We choose these parameters as reference ones since they describe our currently used experimental decoy-state QKD setup and are studied in detail. Although we expect further progress in the impairment of SPD parameters, we use state-of-the-art detectors' parameters in this work.
By setting the typical order of magnitude values for the signal and decoy states intensities µ = 0.5, ν 1 = 0.1 and ν 2 = 0.01 respectively, we present in Tab. IV the sifted/secret key rate and QBER estimations for each link of the network (for details of R (i) sec estimation see Appendix C). We note that optimization of µ, ν 1 and ν 2 depending on the channel length is beyond this work, and therefore we assume that the intensities are the same for each link. One can see that the channel Gorodische-Torzhok has the lowest rate and turns out to be a bottle-neck of the network. For this reason, one can already conclude that it is unpreferable to put switches at Gorodische and Torzhok nodes.
In order to demonstrate how the key generation rates are affected by introducing switches in the network, we first consider the case of a single switch. According to Eq. (4), introducing a switc is equivalent to replacing a pair of adjacent links with secret key generation rates R (i) sec and R (i+1) sec with a single effective link with rate R sec ). In Fig. 6, we present the comparison of original key generation rate of all links and effective key generation rates appeared after introducing switches at different nodes. Since the resulting rate between edge nodes is given by minimum of all rates, putting switches in Uvarovka, Gagarin, or V. Volochek does not decrease the rate, though reduce the number of employed devices.
It turns out that the resulting effective key rate of 1 kbit/s does not decreases even in the case of putting switches at all three mentioned nodes (see Tab. V). With three switches, the total number of Alice and Bob modules equals to 11, while for the classic backbone line 14 modules are required. This trivial comparison demonstrates a clear economic benefit of the proposed switch line: If Alice and Bob devices had the same cost, naïvely the benefit would be 21%. We also note that the configuration of the network with switches in Uvarovka, Gagarin, and V. Volochek can be realized with different number of Alice and Bob modules. The configurations have the same number of switches and provide the same rate, however the first configuration has less number of Bob modules than the second one. Taking into account that Bob module contains more complex hardware components, in particular, SPD, that is not only a very important and sophisticated but also a rather sensitive and expensive device, having less Bob modules in the network apparently reduces the maintenance cost.
Further increase in the number of switches leads to a decreasing of the effective key generation rate as well as the total number of modules and corresponding equipment cost (see Tab. V). Note that using four switches compared to the case of no switches drops down the number of modules from 14 to 10 (≈ 28 % decrease), while decreases the effective key generation rate by 8 % only. Putting switches in all nodes results in decrease of the key generation rate down to 0.58 kbit/s and reducing the number of employed modules down to 8 units. Thus, we observe a clear tradeoff between the effective key generation rate and the implementation cost. The choice of switches number can be made based on requirements posed on the network by the surrounding infrastructure.

V. CONCLUSION AND OUTLOOK
In the present work, we investigated QKD network deployment based on intermediate nodes with optical switches. For the proof-of-principle, we realized in practice a laboratory BB84 plug&play scheme QKD network prototype with two Alice and two Bob nodes connected via an optical switch. A good agreement between the experimental key rates and our theoretical model estimations was found. Hence, we applied our results for making predictions for a QKD network between Moscow and Udomlya, which has 8 nodes and a total length of 670 km. We investigated possible line configurations with various Alice/Bob/switch device placing and proposed several configurations that provide the entire system maintenance cost reduction without essential loss in the overall rate. In particular, it was demonstrated that one could achieve cost savings of up to 28 % while reducing throughput by 8 %.

ACKNOWLEDGMENTS
This work is supported by the Russian Science Foundation under project 17-71-20146. We thank PJSC Rostelecom for providing data on the network between Moscow and Udomlya.

Appendix A: QKD setup
We use a two-pass auto compensation QKD plug&play scheme, which is based on the modular QKD platform for research and education [32,33]. It operates on the basis of the original BB84 protocol [1] with or without decoy states [29,30].
Each node of the hardware part of the platform (Alice or Bob) consists of a PC with the R-series board PCIe-4820R by National Instruments (NI) on which all control signals are generated. The control signals are sent via a stranded digital cable VHDCI to a specially designed motherboard. To this motherboard there can be connected up to 12 add-on cards, such as laser modules, phase and amplitude modulator drivers, the module with MEMS attenuator, a fast photodetector for synchronization in the plug&play scheme. On the motherboard, we placed the Spartan-6 FPGA chip whose main function is to route signals between the add-on cards and the NI R-series board. The software for each node of Alice or Bob consists of the FPGA level and the host level.
The FPGA level is responsible for the laser pulse generation, pulse-train formation and overall signal control, as ones for phase modulators, etc. Also at the FPGA level, the single-photon detector (SPD) signals are recorded in the FIFO memory, if the signals arrive within the correct time window. In order to simplify the setup and to reduce the cost of the device, we implement the scheme with one SPD in the free-running regime. To reduce the  For the preparation and measurement of quantum states, one needs to use a random number generator (RNG). In order to guarantee the security of the corresponding quantum-generated keys quantum random number generator should be used. The preparation and measurement bases and bits values, recorded in the FIFO FPGA, are transferred to the host software level and then the obtained raw key is sifted and distilled.
In order to calculate the QKD session time, we take into account only the FPGA level operation time (train generation, measurement of quantum states), because sifting and necessary post-processing procedures can be parallelized with the FPGA hardware operation. During one session we generate 1000 trains of 1200 laser pulses in each train. The train period T t was made as minimal as possible and ranged from 600 − 660 µs, depending on the length of the quantum channel. Even for not very powerful computers, for f = 5 MHz the operating time  Table V. Effective key rate in the backbone network R eff , required number of Alice (N A ) and Bob (N B ) modules, total number of modules (Ntot), and variants of implementation assuming that Bob module is more expensive than Alice one.
of the hardware exceeds the execution time of the host procedures.
Appendix B: Simulation of the QKD devices performance Here we describe a model of QKD devices performance, which is based on the standard plug&play scheme BB84 protocol but with only one single-photon detector (at the time of our experiments only one detector per Alice device was available; it can further be easily generalized for the one-way decoy-state protocol with two detectors).
For continuously sent periodic pulses, the sifted key rate can be simply written as follows: where p sig is the probability to emit and receive a signal pulse containing at least one photon, µ is the attenuated intensity of the pulse, going out of Alice back to Bob, and η is the overall efficiency of the transmission from Alice to Bob and further detection and is given by the following expression: with detector's efficiency η det , total internal losses at Bob α B and in the optical link α opt . Only the events when Alice and Bob have compatible bases are considered, therefore only half of the raw key is taken into account. We also do not consider errors when incompatible bases are used. Note that for the setup with only one detector Bob has to choose randomly not only the basis, but also the information bit that he plans to check in this basis. This in turn reduces the key rate by factor two compared to the scheme with two detectors. Due to high repetition rate the effects of Rayleigh backscattering in fiber can be non-negligible. Some strong pulses, still going to Alice, can be backscattered on fiber inhomogeneities during the intersection with already returning weakened pulses, and travel together back to Bob. Despite rather low backscattering probability, because of very high intensity the backscattered signals can induce false detection counts and thus increase the quantum bit error rate (QBER). To solve this problem, it is commonly used in plug&play schemes to introduce a storage line (SL) in Alice module. Bob emits pulses not continuously but in trains of N p = 1200 pulses per train that travel to Alice and fill SL. The SL length is adjusted such that 2 SL (N p − 1)T c/n fib 50 km, where T = 1/f is the pulse period in the train, and n fib 1.47 is the optical fiber refractive index. After the last pulse of the train is emitted, Bob waits for the time required to reach Alice and come back, and then sends the next train. Thus, the train period is chosen to be T t (N p − 1)T + 2( + SL )n fib /c 0.6 ms for = 10, 15 km. In this way, the intersection of forward and backward pulses takes place only in SL and not in the transmission line. Since SL is located after VOA, the intensity is significantly low, so that the probability of backscattering inside SL to induce false detections can be neglected. We note that the signal losses in SL are already taken into account when we estimate the required VOA attenuation in order to obatin the desired µ and therefore do not affect η. However, the effective repetition frequency and hence the key rate are reduced due to the time gaps while waiting for the previous train to come back before emitting a next one: One can mention that for the scheme with two SPDs the result in Eq. (B3) has to be multiplied by factor 2. The QBER value is defined can be expressed in terms of rates of receiving a false/correct detection per pulse as follows: QBER = false counts total counts p dark + (p sig + p dark )p after + p sig p opt p sig .
where p dark is the dark count probability, p opt is the probability of a photon to hit a wrong detector due to flipped and incorrectly determined polarization or phase, and can be related to the visibility as p opt = (1−V )/2; p after is the cumulated probability to register an afterpulse since the end of the detector's dead time τ d , which is triggered by a previously detected signal photon or dark count that yielded an avalanche. We note that with 50% of chance a dark count will occur when Bob chooses the correct bit value, and hence will not lead to an error but just to an additional count. Here we take into account only the events with compatible bases. In order to reduce the dark count contribution, the detector can be biased above the breakdown voltage during a short period of time, τ gate which is of order of pulse width. This gate is periodically repeated with pulse frequency f . In this way, the detector is sensitive only during the gates when the signal photons are expected. The dark count probability is then given by the following expression: where DCR stands for dark count rate in Hz (it is a key parameter of the detector). We do not impose the gated detection, and thus our detector works in the freerunning mode. In this case, we have simply τ gate = T . For example, for µ = 0.5 and η det = 10% and the typical probabilities p opt/after ∼ 1%, one can see from Fig. 7 that for distances 10-20 km the dark count contribution to the total QBER becomes significant or even dominant with respect to the optical or afterpulse contribution only for large DCR and wide τ gate .
We note that DCR and η det are not independent parameters. DCR increases with η det , as well as their ratio. In particular, DCR and η det both go up with increasing bias voltage U bias . Therefore, finding an optimal η det is a tradeoff between high key rate and low QBER.
Let us estimate the effects of the detector's dead time, τ d . We assume that the real events (both signal, dark counts and afterpulses) that occur during the dead period are lost and have no effect on the system. The fraction of all time that the detector is dead is simply the product R sift τ d , where R sift is the measured sifted key rate. Neglecting the small background contribution, the rate of loss can be written as follows: Solution to Eq. (B6) has the following form:  We note that Eq. (B7) is valid for both plug&play and one-way schemes. Apparently, reducing the dead time increases the detection statistics and thus increases the raw/sifted key rate. However, at the same time it increases DCR (see Fig. 8) and consequently QBER, then lowering the final key rate after information reconciliation [34][35][36]. Thus, as in the case with η det , the choice of τ d becomes a matter of tradeoff between high statistics and low QBER.
In the standard BB84 without decoy states, Q 1 and E 1 are not directly measured, only Q µ and E µ are. Eve is able to block single photon pulses and use ideal lossless channel to retransmit at most one photon from all multiphoton pulses to Bob. Therefore, in order to estimate the worst-case scenario secure key rate we have to assume that all losses and errors are from single-photon pulses. We also assume that Eve cannot break in Bob's device and control photon detectors. For this Eve's sub-optimal strategy, we get the lower bound on Q 1 (and hence κ 1 ) and the upper bound on E 1 , giving the lower bound on the key rate, Now let us consider the decoy-state BB84 protocol. Following Refs. [29,30], let µ, ν 1 and ν 2 be the signal, weak decoy and vacuum decoy state intensities respectively. Then the lower bounds on the background and one-photon yields can be estimated as follows: The upper bound on one-photon QBER is given by the following expression: The bound on the key rate is computed from Eq. (C5) using κ (l) 1 = Y (l) 1 µe −µ /Q µ and Eqs. (C6)-(C8). We note that since the state type is chosen randomly with corresponding probability p µ/ν1/ν2 (p ν2 = 1 − p µ − p ν1 ), Eq. (B3) must be multiplied by p µ when computing R sift (B7). In this work we set p µ = 0.5 and p ν1 = p ν2 = 0.25.