DOE CESER Quantum Cryptography


This project aims to develop a prototype for an ultimately secure system that combines real or near-real time computations on streaming data in transit within the network together with quantum-protected key exchange, all in the context of energy delivery. The main objective is to provide hack-proof encryption to data flowing between different sources and destinations in the network, while at the same time allowing intermediate smart network nodes to have access to the encrypted data and perform a desired set of computations, e.g., spatial-temporal load forecasting. The project is a joint effort led by Brookhaven National Laboratory (BNL) with Oak Ridge National Laboratory (ORNL), Los Alamos National Laboratory (LANL), and Stony Brook University (SBU) as partners. The team comprises E. Figueroa (SBU/BNL, PI) and D. Katramatos (BNL, Co-PI), B. Qi and N. Peters (ORNL Co-PIs), R. Thorson and T. Venhaus (LANL Co-PIs).


The project is a synergy of three state-of-the-art ideas, combining data protection using quantum-secure keys with real-time anomaly detection in streaming data into a quantum/classical hybrid system for ultimate secure transmission and analysis of power grid data.

First, the Analysis on the Wire (AoW) project, led by Brookhaven Lab, is developing a framework for performing distributed computations on streaming data in transit within the network. The AoW framework has the objective to perform general-purpose, distributed, in-network computations on streaming data in transit. A number of strategically selected network nodes can be enhanced with AoW capabilities to inspect and/or intercept raw packet traffic and perform computations on the payload, either individually or in coordination – forming an in-network distributed computer (figure 1 left). In the case of the Smart Grid, we’ve been researching techniques for performing real-time/near real-time data analysis on streaming measurement data. Each AoW node is assigned to process data of a specific grid domain, with the results of multiple nodes synthesizing a bigger picture for multiple domains (figure 1 right). There is a wide range of applications in this context, not only in management/operations, such as load forecasting and power system state estimation, but also, very importantly, in cybersecurity, such as detection of anomalous patterns in the data, indicating the possibility of malicious attacks on the power infrastructure. Detecting such patterns is critical, especially when attacks are focused on the data sources, e.g., tampering with Phasor Measurement Units (PMUs), which could allow injection of malicious data into the system even before any encryption can be applied. Second, in a project led by Stony Brook University, we have designed a prototype to perform memory-assisted measurement-device-independent quantum key distribution (MDI-QKD), which is a maximum-security scheme for key generation that enables real-time eavesdropping detection without the detection vulnerability of standard QKD. Finally, we will leverage post-quantum cryptography, also known as quantum-proof cryptography, which is the most powerful classical strategy for data encryption, robust even to attacks by quantum computers.

Figure 1: (left) AoW nodes, strategically located in a network, can be used for general-purpose processing of local data in real/near-real time and further coordinate to provide wider-scope perspectives. (right) For the Smart Grid use case, AoW nodes can be collocated with PDCs within the PMU-PDC communication architecture to analyze and provide early perspective on streaming PMU data.

We will develop a prototype that will use memory-assisted MDI-QKD to generate quantum-secure encryption keys and post-quantum encryption channels for sharing these keys with AoW nodes so that they can access encrypted data. This will establish a highly secure framework that can protect the data flows between sources and destinations in the communication network(s) servicing a Smart Grid. As has been pointed out, the communication protocols used are typically in clear text, relying on other available protection mechanisms and traffic between various systems and devices is often unencrypted. Here we posit that even when encrypted with standard encryption, the traffic between data/control centers and individual computer and storage systems, smart meters, phasor measurement units (PMUs), phasor data concentrators (PDCs), etc., still remains vulnerable to cyberattacks employing the help of a quantum computer. By using quantum-protected key generation with MDI-QKD and post-quantum channels, whose traffic cannot be decrypted by Shor’s algorithm, it is possible to distribute the encryption keys to any station that has a legitimate need to access the streaming data, which, in the present case, are AoW nodes. Using this hack-proof framework, it will be possible to employ AoW nodes securely in the network to analyze streaming data in real or near-real time. This will enable us to apply multiple algorithms and provide different perspectives on the data within the same time frame. For example, one could examine a data stream for anomalous patterns, which could imply a cyberattack, before using the data for power state estimation.


Using generators of polarization-defined single-photon-level pulses, we will create random sequences of qubits driven by a quantum random number generator. We will generate streams of telecom (1324 nm) qubits and transmit between the BNL, CEWIT, and SBU campuses over the existing fiber infrastructure (see figure 3). We will then perform Bell state measurements at an intermediate location (QIT 1 laboratory in SBU), assisted by quantum memories. The achieved coherence time of the memories will allow us to synchronize the qubits regardless of the time delay. This will allow us to implement key sifting, decoy state analysis, and MDI-QKD protocols. Once a suitable quantum key is generated, we will distribute it to other stations in the network as shown in figure 2.


Figure 2: Protecting the traffic within the PMU-PDC communication architecture all the way to the control center using quantum- secure key generation and post quantum channels for key distribution. Alice and Bob generate qubits which are send over fiber to Charlie where a Bell state measurement is performed. The shared quantum-secure encryption key can be propagated from Alice and/or Bob for use to all desired locations using post-quantum channels. Here, we consider as source a PMU and the control center as destination; a PDC node doubles as a location for an AoW node; the propagated key can be used to decrypt and access the data to apply analysis algorithms.

3.1 Design and development of O-band transmitters

In this context, LANL will leverage their prior work on C-band transmitters to produce optical transmitters capable of generating weak coherent pulses of polarized light in the O-band (1260 to 1360 nm). Rough performance targets will include: output wavelength between 1310 and 1330 nm, polarization continuously variable around a great circle on the Poincaré sphere, degree of polarization ≥ 95%, minimum pulse width ≤ 5 ns, pulse rate ≥ 10 MHz, pulse energy ≥ 106 photons/pulse, fiber coupled output in a small package ≤ 10 cm3.

3.2 Qubit generator drive electronics

LANL will also produce dedicated circuitry suitable to control the optoelectronics module mentioned above. This circuitry will create the high-speed analog voltages necessary to drive the polarization modulator, as well as the pulsed current supply to drive the laser. This task will draw upon our prior work in dedicated drive electronics, possibly requiring modification to accommodate interfaces with the BNL subsystem.

3.3 MDI-QKD prototype network

Within the 2-year planned lifetime of the project, we intend to build a prototype system combining MDI-QKD link protection and AoW nodes to demonstrate the feasibility of a hybrid quantum-classical communication system. We will simulate quantum-protected data streams from PMUs to PDCs flowing through the network that can be intercepted, decrypted and processed at an intermediate AoW node.

We will construct the first multi-node room- temperature memory-assisted quantum communication network using polarization qubits. This prototype of a quantum cryptographic network will combine several independent quantum nodes, including: (i) two independent polarization qubit generators working at rubidium transitions (installed in the BNL QIST laboratory), (ii) two ultra-low noise room-temperature quantum memories, and (iii) a Bell-state qubit decoder and reading station (installed in the SBU QIT laboratory). After storage and retrieval in the two portable quantum memories, we will measure a high-visibility Hong-Ou-Mandel interference between the outputs.

Two independent electro-optical modulator units (EOM) will temporally shape the probe fields. The EOMs are driven by two phase-locked signal generators. Two arbitrary signal wave generators will modulate the amplitude of the EOMs. These wave generators will be triggered by a master trigger FPGA to generate the probe pulses. Additional Electro-Optical Modulation units (EOM) will be in place to encode the desired polarization states on the probe pulses. We will modulate the output polarization based on the input applied voltage to the EOMs (usually in the range of ≈ 0 − 500V). After calibration, we will generate | H⟩, | V ⟩, | D⟩ and | A⟩ states. An FPGA-based circuit will control the high-voltage amplifiers for fast operation and trigger- synchronized control. The FPGA could be programmed to generate any sequence of polarizations including a fully random sequence. The qubits are delivered to another location via single-mode optical fibers connecting the BNL and SBU campuses (see Fig. 3).

Figure 3: Implementation of the quantum-secure testbed utilizing part of the LIQuIDNet infrastructure. Alice and Bob stations will be at BNL 535 and CEWIT correspondingly. The Charlie station with the BSM and the AoW node will be in the QIT I lab at Stony Brook. The fiber infrastructure necessary for this implementation is already in place. The red fibers are dedicated to the quantum signals. The green dashed lines represent the standard classical connectivity of the BNL, SBU, and CEWIT campuses that is currently in use.

We will prepare phase randomized weak coherent pulses (WCPs) in the four BB84 polarization states with our two-qubit sources. The untrusted relay Charlie will perform a Bell-state measurement projecting the incoming retrieved qubits into a Bell-state. We will evaluate the Quantum Bit Error Rates (QBER) for polarization qubits containing on average one photon. Our target will be to achieve QBERs of less than 1% for two orthogonal bases on both communication channels. Further insight into our current capabilities will be obtained by analyzing the QKD rate (R), which depends on the QBER and the mean photon number μ, given by: R = μ(e−μ(1 − H(Qx)) − H(Qz)f(Qz)), where Qx and Qz are the QBER for x = H,V and z = A,D bases, and H(x) is the binary Shannon entropy function.

We will also apply decoy-state techniques to estimate the gain and quantum bit error rate (QBER) for various input photon numbers in the input of the network. Charlie will use a public channel to announce the events where he has obtained a successful outcome in the relay. Alice and Bob will keep the data corresponding to these instances and discard the rest. They will post-select the events where they use the same basis in their transmission. Finally, either Alice or Bob will apply a bit flip to their data. The final objective is the realization of positive key-rate for MA-MDI-QKD using a network with room-temperature quantum memories (see Fig. 4 for detailed schematics of the experiment).

Figure 4: Prototype of a Memory-Assisted Measurement Device Independent quantum communication network. Left side: portable and tabletop polarization qubit sources. The sources use electro-optical modulators to generate random streams of polarization qubits. The controlling electronics are custom made using FPGA’s to drive high-voltage sources. Right side: The qubits travel through fiber optics connecting the SBU and BNL campuses, to a pair of independent dual-rail room-temperature portable quantum memories in two different distant locations. After storage and temporal wave-function matching the stored and retrieved qubits are sent to a Bell-state measuring station (upper right), where the cryptographic key rates are characterized.

After sifting of the raw data, we will perform the four following tasks related to the MDI-QKD protocol: 1) parameters estimation, 2) information reconciliation, 3) error verification and 4) privacy amplification. In 1), the gains (defined as the fraction of the detection events over a number of sent pulses) QZ and QX and the error rates EX and EZ in the two basis are determined. The bits obtained in the Z basis will be used for the key, while the bits obtained in the X basis are used for the detection of the Eavesdropper. From the sifted data, the gain Q11 and the phase error rate e11 can also be evaluated. Task 2) will be implemented using standard classical error-correction algorithms such as Winnow, LDPC code or CASCADE. Additionally, the leakage of information in the error-correction phase can be obtained as LE C = QZ f (EZ )H (EZ ), with f (EZ ) being the error-correction efficiency (∼1.1 for the aforementioned classical error-correction protocols). In step 3) the key hash for Alice and Bob will be compared to verify the proper functioning of the error- correction schemes. Lastly, in step 4) the final key will be obtained as: R = Q11[1 − H(e11)] − LEC, with H(x) being the binary entropy. The necessary parameters to evaluate the rate can be determined experimentally using: Q11 = ηAηBηdetμAμBe−μA−μB and QZ = ηAηBηdetμAμB, with μA and μB the mean photon num- bers at the transmitters and the ηA and ηB the overall channel transmissions. The defining parameter of this set of experiments is ηdet, which describes the efficiency of the Bell-state measurements provided the existence of simultaneous excitations in the quantum memories before the HOM interference. Achieving positive secure key-rates including quantum memory operation is the key to evaluate the feasibility of the network.

3.4 Theoretical analysis

ORNL will conduct theoretical analysis of the memory-assisted measurement-device-independent (MDI) quantum key distribution (QKD) network to be developed through this project. QKD is the only known solution which can provide long term, proven security against eavesdroppers with unlimited computing power. The MDI QKD protocol, co-invented by one of the investigators, is especially useful for constructing multi-user QKD networks for two reasons: (1) It is highly secure in practice by automatically closing all the security loopholes associated with the measurement device; (2) It is cost-effective by sharing the most expensive device in QKD, the single photon detector, among multiple users. By integrating MDI-QKD with the room-temperature quantum memory developed at Stony Brook University, the distance of QKD could be significantly extended. The resulting memory-assisted MDI QKD network could provide a scalable method of authentication and data protection for critical infrastructures in the U.S. ORNL will conduct theoretical investigation on three aspects of the proposed QKD network: security analysis, performance optimization, potential side-channel attacks and mitigation strategies, as detailed below.

3.4.1 Security analysis

The secure analysis of the proposed QKD network is a highly non-trivial task and will be carried out interactively through communications with the teams at BNL, Stony Brook and LANL. The introduction of quantum memories into MDI QKD could greatly improve the distance of QKD. In the meantime, the performance of a practical quantum memory, in terms of storage time, efficiency, fidelity, etc., must be taken into account in secure key rate calculation. The ORNL team will work closely with the Stony Brook team and the LANL team to develop noise models of quantum memory and quantum transmitters, and apply these models for performance evaluation and optimization.

3.4.2 Performance optimization

A practical QKD network could be highly dynamic: both the availability of quantum channels and the trustworthy of network nodes may change with time. We will leverage the concept of “reconfigurable” QKD to improve the performance of the network. More specifically, when a network node containing a set of measurement device is fully trustable, more efficient BB84 QKD protocol (with or without a quantum memory in front of the measurement system) can be executed; when the security of a network node is compromised, the network automatically switches to the MDI QKD. We will work closely with the hardware design teams to make sure the conversion between different protocols can be implemented easily through a computer control program. Another challenge to be dressed is the channel asymmetry in a practical reconfigurable network: each quantum channel may introduce different time delay, channel loss, background noise and decoherence to the quantum signals passing through it. Correspondingly, we need to optimize QKD parameters, such as decoy/signal state intensities and probabilities to achieve the optimal performance.

3.4.3 Side-channel attacks and mitigation strategies

While MDI-QKD can automatically close all the side channels associated with the measurement device, side channels may still exist at the transmitter’s side. Note that these potential loopholes are not intrinsic to the QKD protocols. Instead, they are due to imperfection in the real-life implementation of QKD. The ORNL team has extensive experience on identifying security loopholes in practical QKD systems, as evidenced by the discoveries of time-shift attack and phase-remapping attack in commercial QKD products.  In this project, we will carefully inspect the implementation details at the transmitter’s side during the design phase to evaluate potential side-channels. Possible options for mitigating or eliminating any discovered side-channel attacks will also be addressed.

The above research topics will be conducted parallelly through the whole project, in close collaboration with other teams. In the final year, we will evaluate field test data and provide a comparative analysis of the deployed system’s performance versus a modeled, ideal network configuration. An analysis of any potential attacks on the deployed system will be evaluated and reported.

3.5 Analysis on the Wire in a quantum network

The general principle behind the AoW effort is that the network devices (switches/routers) of an existing network could be programmed to recognize specific data flows and perform computations on the data of such flows before forwarding it to its destination. This requires mechanisms to select and forward packets, inspect packet payloads and reconstruct data sets, perform computations on the data, and again forward packets and analysis results to their destinations. Because typical, widely used network devices do not have significant general-purpose processing capabilities, we chose to augment the capabilities of standard network nodes by adding an external system that can be easily plugged into the network node. This add-on system, an AoW node, is conceptually depicted in figure 5 and comprises two main components: the selecting/forwarding logic, tasked with deciding which packets should be selected for processing and what type of processing should be applied to them, and the streaming data processor. The latter can contain a number of algorithmic modules and perform several different computations on the data. Simple, fast filtering (pre-selection) of traffic can happen in the original network switch, while more sophisticated selection can take place in the AoW node itself. This could involve passing the pre-selected traffic through an algorithm to further decide the appropriate course of action.

In the general case, an AoW node can comprise multiple selecting/forwarding modules and/or streaming data processors, to be able to process traffic in parallel. We follow a design based on the Service Function Chaining architecture (SFC). Using Software Defined Networking (SDN) technology we can implement the desired functionality of an AoW node with hardware and virtual components. In this context, a set of algorithmic modules are implemented as service functions hosted virtually and/or physically on one or more servers. The selecting/forwarding logic can also be implemented on physical SDN-supporting switches and/or virtually on the servers. Key in the process is the encapsulation of selected packets using Network Service Headers (NSHs) to route the packets to and from the service functions. Because of the additional overhead involved with encapsulating/decapsulating and redirecting packets, we use FPGA-based network accelerators to speed up packet processing. Compute accelerators are also used to reduce data processing overhead when executing algorithms comparatively to server CPUs. Depending on the application, lightweight data processing may also happen at the packet level as packets move through the network accelerators. In our prototype implementation we utilize a hybrid software/hardware architecture. An AoW node consists of a multi-core server equipped with a network (FPGA) and a compute (GPU) accelerator. The server is connected to the original network node router/switch and configured to accept and process traffic from that switch. We use a NetFPGA-SUME board in a switch configuration based on the SimpleSumeSwitch model as a network accelerator to reduce the overhead imposed by the NSH operations. The NetFPGA board encapsulates incoming data packets with NSH headers using the User Datagram Protocol (UDP) and redirects them to service functions hosted on the server for processing pushing them through the Peripheral Component Interconnect express (PCIe) bus of the server. Depending on the application, processing can take place on the available CPU cores of the server, or offloaded to the installed GPU.

In the context of the Smart Grid, we envisage deploying AoW nodes within the network servicing the data communication between different devices in the power system architecture. In previous research, we have demonstrated the feasibility of forecasting load demand in a streaming fashion. We are currently investigating the capabilities of the AoW framework to estimate power system states in real-time from high volume streaming μPMU data using deep neural networks.  Distribution system State Estimation (SE) provides a real-time quasi-static model of a microgrid under current operating conditions. The SE is used for power-flow and contingency analysis, voltage security, transient and small signal stability. Additionally, it assists in volt/VAr control, capacitor switching, reconfiguration of feeders, renewable energy optimization and locational marginal pricing. Clearly, tampering with measurement data can have severe ramifications in the operation of the grid. To achieve ultimate security, we believe a two-prong approach is necessary: first, we need to secure the communication channels in a future-proof way, which is where the quantum secure keys come into play; second, we need to make sure that we are using legitimate data for analysis and predictions.

3.5.1 Working with encrypted data

Handling encrypted data in transit requires the intermediate node be trusted with the encryption key and have an efficient way of decrypting/encrypting packet payloads. We intend to investigate methods to securely share the key used to encrypt the communication between two stations with an intermediate AoW node. In the context of the present project, the key will be quantum secure. The initial approach, which will proceed in parallel to the quantum efforts, will be to use classical encryption methods for protecting the sharing of the key. Alternatively, because the AoW node will be collocated with the BSM node (station “Charlie” in figure 2), we will consider this as a trusted node and obtain the key from there. Finally, we will consider post-quantum encryption algorithms. Currently, NIST is in the process of evaluating a number of candidate post-quantum algorithms for potential standardization. We will experiment with using such an algorithm in the sharing mechanism for the AoW nodes in year 2 of the project.

3.5.2 Attempting to detect false data injection attacks

Even with secure communications channels, one cannot preclude cases where measurement devices have been compromised and are used to inject intelligently falsified data and deliberately cause management havoc and operation disruptions. While SE is a fundamental tool in power grid operations, there exists a large volume of past and recent research works underlining its vulnerability to False Data Injection (FDI) attacks. While SE tools include Bad Data Detection (BDD) algorithms to filter out bad measurements, it has been shown that they cannot detect attacks with carefully manipulated data. Several approaches for FDI attack detection have been proposed in the literature. We plan to investigate the suitability of certain algorithms for streaming data. Due to the SFC architecture of an AoW node, it is possible to execute multiple passes on a data stream, in series or in parallel, by directing the data flow to the appropriate service function. Thus, it would be possible to examine measurement data for intelligent manipulations before attempting to perform state estimation.