A blueprint for large-scale quantum-network deployments

Alberto Sebastián-Lombraña, Hans H. Brunner, Juan P. Brito, Rubén B. Méndez, Rafael J. Vicente, Jaime S. Buruaga, Laura Ortiz, Chi-Hang Fred Fung, Momtchil Peev, José M. Rivas-Moscoso, Felipe Jiménez, Antonio Pastor, Diego R. López, Jesús Folgueira, Vicente Martín

TL;DR

The paper presents MadQCI as a comprehensive, multi-domain, multi-vendor testbed for integrating quantum key distribution (QKD) into production optical networks, achieving end-to-end quantum-secured services with software-defined management. It details the architectural decisions, component provisioning, and coexistence strategies that enable joint operation of quantum and classical resources while adhering to standards such as ETSI GS QKD 015. Through demonstrations across 9 facilities, 130+ km of fibre, and 26 QKD modules, the work provides concrete blueprint patterns for large-scale deployments, including inter-domain orchestration, cross-vendor key management, and security considerations. The study indicates that a scalable, standards-driven quantum network can be deployed within existing telecom ecosystems, supporting diverse use cases and paving the way for EuroQCI and future satellite-enabled quantum networks. Overall, MadQCI offers proven architectural guidance, interoperability insights, and actionable results to accelerate practical adoption of quantum-secure communications in real networks.

Abstract

Quantum Communications is a field that promises advances in cryptography, quantum computing and clock synchronisation, among other potential applications. However, communication based on quantum phenomena requires an extreme level of isolation from external disturbances, making the transmission of quantum signals together with classical ones difficult. A range of techniques has been tested to introduce quantum communications in already deployed optical networks which also carry legacy traffic. This comes with challenges, not only at the physical layer but also at the operations and management layer. To achieve a broad acceptance among network operators, the joint management and operation of quantum and classical resources, compliance with standards, and quality and legal assurance need to be addressed. This article presents a detailed account of solutions to the above issues, deployed and evaluated in the MadQCI (Madrid Quantum Communication Infrastructure) testbed. This network is designed to integrate quantum communications in the telecommunications ecosystem by installing quantum-key-distribution modules from multiple providers in production nodes of two different operators. The modules were connected through an optical-switched network with more than 130 km of deployed optical fibre. The tests were done in compliance with strict service level agreements that protected the legacy traffic of the pre-existing classical network. The goal was to achieve full quantum-classical compatibility at all levels, while limiting the modifications of optical transport and encryption and complying with as many standards as possible. This effort was intended to serve as a blueprint, which can be used as the foundation of large-scale quantum network deployments. To demonstrate the capabilities of MadQCI, end-to-end encryption services were deployed and a variety of use-cases were showcased.

Paper Structure (21 sections, 15 figures, 2 tables)

This paper contains 21 sections, 15 figures, 2 tables.

Figures (15)

  • Figure 1: This figure illustrates the complexity and diversity of optical communications. On the left, two access networks are shown, an enterprise and a home network based on passive optics. In the centre, two (highly simplified) nodes of a typical optical network are depicted, one dedicated to the aggregation of multi-purpose subscriber traffic (possibly with FOADM optics) and one backbone for handling large volumes of traffic, typically with equipment such as ROADMs. On the right is a data centre of a digital service provider, operating over-the-top of the network operator. In terms of subscriber provision, the optical network is delivering two services: [1] provision of lightpaths and [2] carrying and processing of traffic. The target is to integrate quantum communication technology with all types of traditional (classical) optical fibre-based communication.
  • Figure 2: Main scheme to deliver end-to-end quantum-secured cryptography using QKD. The symmetric quantum-distributed key is delivered to both ends of a cryptography system. For this, either a point-to-point QKD link exists, or an approach, based on trusted nodes, that allows hop-by-hop key forwarding is used.
  • Figure 3: The architecture of a node in a software-defined QKD network as specified in the ETSI GS QKD 015 specification and implemented in MadQCI.
  • Figure 4: The image shows the set of components that would enable the coexistence of quantum and classical communication technologies in optical networks. It includes all the elements necessary for the provision of the service: 1) the cryptographic applications that will consume the key, 2) the network and key control systems and 3) the network elements (NE), both QKD-specific and signal-forwarding NEs. These last elements, which guide, aggregate or switch signals, do not necessarily have to be located at the trusted nodes, since quantum protocols ensure security over the lightpath, but it is desirable to have control over them. Both NEs are called the (quantum) forwarding plane if the network is SD-QKD, as described in the text. It is also relevant that it includes the forwarding module (FM) that transports the key. Despite routing not being a key management functionality [NIST_800seriesOnKM], it has usually been assumed to be part of the LKMS in the QKD literature.
  • Figure 5: MadQCI overview. 26 QKD modules from different manufacturers were installed in the 9 production facilities of RM and TID. More than 130 km of fibre optic pairs supported both classical and quantum signals including, in some cases, third party traffic. Three OSI level 1 encrypted links were deployed, as well as 6 level 2 Ethernet encrypting devices. A single pair of optical fibres was used in each inter-node connection, but different schemes of coexistence were implemented. The link between Quevedo and Norte was co-managed as a border connection.
  • ...and 10 more figures
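
The hop-by-hop key forwarding through trusted nodes described in the Figure 2 caption, sketched as an added example (not code from the paper or from MadQCI). It assumes one-time-pad XOR relaying on each link, which this page does not specify; the node names and the functions `make_link_keys` and `relay_key` are hypothetical.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """One-time-pad combine; operands must have equal length."""
    if len(a) != len(b):
        raise ValueError("one-time-pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_link_keys(path, key_len=32):
    """Constructed stand-in for QKD output: one fresh key per adjacent link."""
    return {(a, b): secrets.token_bytes(key_len) for a, b in zip(path, path[1:])}


def relay_key(path, link_keys, key_len=32):
    """Forward a fresh end-to-end key from path[0] to path[-1], hop by hop.

    Each hop encrypts the key with that link's QKD key, sends the ciphertext
    over the classical channel, and the next node decrypts it. Link keys are
    removed from `link_keys` as they are used, so a pad is never reused and
    an exhausted link raises KeyError.

    Returns (delivered_key, holders, wire):
      holders - node -> key it held in the clear
      wire    - ciphertexts seen on the classical channel, one per hop
    """
    if len(path) < 2:
        raise ValueError("path needs a source and a destination")
    current = secrets.token_bytes(key_len)  # generated at the source node
    holders = {path[0]: current}
    wire = []
    for a, b in zip(path, path[1:]):
        link_key = link_keys.pop((a, b))     # consume the pad exactly once
        ciphertext = xor(current, link_key)  # leaves node a
        wire.append(ciphertext)
        current = xor(ciphertext, link_key)  # recovered in the clear at node b
        holders[b] = current
    return current, holders, wire


if __name__ == "__main__":
    path = ["A", "B", "C"]  # hypothetical nodes; B is the trusted node
    keys = make_link_keys(path)
    key, holders, wire = relay_key(path, keys)
    print("delivered:", key.hex())
    print("nodes holding the key in the clear:", sorted(holders))
```

Every node on the path, including the intermediate one, ends up holding the end-to-end key in the clear, which is why those nodes have to be trusted.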