Quantum Key Storage for Efficient Key Management

Emir Dervisevic, Amina Tankovic, Enio Kaljic, Miroslav Voznak, Miralem Mehic

TL;DR

This work addresses the bottleneck of on-demand quantum-secure key provisioning in QKD networks by analyzing existing key-storage designs and proposing a hybrid architecture that combines encryption/decryption storages with application-shared deques to pre-format keys for common sizes. Using the QKDNetSim simulator, the authors demonstrate that the novel design reduces supply-key CPU time and key-access collisions, achieving near-constant supply times across key sizes. The key rate model $K = n \cdot r \cdot (1 + a)$ is used to model demand and assess performance under varying application loads. The design offers practical benefits for enterprise-scale QKD services in critical infrastructure contexts, such as 5G, by enabling timely, scalable key provisioning and resilience to demand variability.

Abstract

In the ongoing discourse surrounding integrating QKD networks as a service for critical infrastructures, key storage design often receives insufficient attention. Nonetheless, it bears crucial significance as it profoundly impacts the efficiency of QKD network services, thereby shaping its suitability for diverse applications. In this article, we analyze the effectiveness of key storage designs developed through practical testbeds and propose a novel key storage design to increase the effectiveness of key creation and supply. All key storage designs underwent analysis using network simulation tools, and the findings demonstrate that the novel key storage design surpasses existing approaches in terms of performance.

Paper Structure (18 sections, 1 equation, 9 figures, 3 tables)


Figures (9)

  • Figure 1: Layered network architecture for quantum key distribution. Quantum keys generated through the QKD process at the quantum layer are gathered and processed by the key management layer. Within this layer, the key manager is responsible for storing, managing, relaying, and supplying keys as needed. These keys are then utilized in the service layer to ensure secure data transmission between various applications.
  • Figure 2: The key storage design with a single common storage. The two applications, IPsec and TLS, are running concurrently. In a short time frame, key managers serve the same key (B6) to different applications, resulting in key access collision.
  • Figure 3: The key storage design that includes encryption and decryption key storages. Key managers assign keys for encryption and decryption purposes to achieve seamless key relaying and supply. The two applications, IPsec and TLS, are running concurrently. Key managers supply (use) keys from their respective encryption key storages. Multiple applications share access to encryption and decryption key storages.
  • Figure 4: The key storage design that includes application-specific storages. Key managers allocate keys to designated storages. The three applications, IPsec, TLS and MACsec, are running concurrently. Key managers provide the requested number of bytes, ensuring the seamless supply of keys of varying sizes. The illustration depicts unidirectional traffic flow at the service layer, from site A to site B. This implies that applications perform encryption at site A using keys from their respective key storages. Application-specific storages at site B are accessed by corresponding receiving applications for decryption. For bidirectional traffic flow, applications establish a pair of storages for encryption and decryption.
  • Figure 5: The novel key storage design that includes encryption and decryption key storages and modified application-specific storages. To avoid time-consuming and resource-intensive key transformation operations during supply, storages containing pre-formatted keys of specific sizes are created. The established storages are shared by multiple applications with similar key size requirements. For example, the IPsec and TLS applications have compatible key size requirements, so their requests can be fulfilled using a single shared storage. The supply key for the TLS application can be created by pulling two keys from the storage shared with IPsec. The illustration depicts unidirectional traffic flow at the service layer, from site A to site B. This implies that applications perform encryption at site A using keys from their respective key storages. Application-shared storages at site B are accessed by corresponding receiving applications for decryption. For bidirectional traffic flow, applications establish a pair of storages for encryption and decryption.
  • ...and 4 more figures
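
The application-shared storage described in the Figure 5 caption can be sketched as follows. This is an added example, not code from the paper or from QKDNetSim; the class name `SharedKeyStore`, the 32-byte unit, and the IPsec/TLS request sizes are assumptions chosen so that a TLS request is served by pulling two keys.

```python
from collections import deque

class SharedKeyStore:
    """Deque of keys pre-formatted to one size and shared by applications
    whose key sizes are multiples of it (assumed model, not QKDNetSim code)."""

    def __init__(self, unit_bytes):
        self.unit = unit_bytes
        self.keys = deque()        # (key_id, key_bytes), oldest first
        self._residue = b""        # raw bytes too short for a full key yet
        self._next_id = 0

    def fill(self, raw):
        """Pre-format raw key material ahead of demand, off the supply path."""
        buf = self._residue + raw
        full = len(buf) - len(buf) % self.unit
        for off in range(0, full, self.unit):
            self.keys.append((self._next_id, buf[off:off + self.unit]))
            self._next_id += 1
        self._residue = buf[full:]

    def supply(self, size_bytes):
        """Hand out size_bytes of key; each stored key is consumed exactly once."""
        if size_bytes <= 0 or size_bytes % self.unit:
            raise ValueError("size is not a multiple of the pre-formatted size")
        count = size_bytes // self.unit
        if count > len(self.keys):
            raise LookupError("not enough pre-formatted keys; caller must wait")
        taken = [self.keys.popleft() for _ in range(count)]
        return [kid for kid, _ in taken], b"".join(k for _, k in taken)

def demo():
    store = SharedKeyStore(unit_bytes=32)       # assumed 32-byte unit
    store.fill(bytes(range(200)))               # constructed stand-in for QKD output
    ipsec_ids, ipsec_key = store.supply(32)     # assumed IPsec request: one key
    tls_ids, tls_key = store.supply(64)         # assumed TLS request: two keys
    return ipsec_ids, tls_ids, len(ipsec_key), len(tls_key), len(store.keys)

if __name__ == "__main__":
    print(demo())
```

Because `supply` only pops from the head of the deque, two applications sharing the storage never receive the same key ID, and no slicing or concatenation of raw material happens at request time beyond joining whole keys.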