Quantum Key Distribution Networks: Challenges and Future Research Issues in Security

A quantum key distribution (QKD) network is proposed to allow QKD protocols to be the infrastructure of the Internet for distributing unconditional security keys instead of existing public-key cryptography based on computationally complex mathematical problems. Numerous countries and research institutes have invested enormous resources to execute correlation studies on QKD networks. Thus, in this study, we surveyed existing QKD network studies and practical field experiments to summarize the research results (e.g., type and architecture of QKD networks, key generating rate, maximum communication distance, and routing protocol). Furthermore, we highlight the three challenges and future research issues in the security of QKD networks and then provide some feasible resolution strategies for these challenges.


Introduction
In response to the rapid development of the Internet and Internet of Things (IoT) technologies, digital applications/services have become mainstream in today's world. This trend allows more information and data to be transmitted over the Internet. Therefore, the provision of complete cryptography mechanisms for protecting the confidentiality and integrity of data and ensuring authentication between the sender and the receiver are some of the important issues in the digital age, among which establishing secure cryptography keys through untrusted networks is a fundamental cryptography task. Although existing public-key cryptography based on computationally complex mathematical problems (e.g., RSA or Diffie Hellman key exchange protocol) can provide the session key distribution for end users/applications, the session keys distributed by these algorithms belong to theoretical computational security. That is, the computational security keys can be broken using quantum computation. To overcome this issue, some feasible solutions have been proposed, including quantum cryptography, which uses quantum mechanics to design secure communication protocols, and post-quantum cryptography, which shows that complex computational problems are secure against attacks by quantum computers to design cryptographic algorithms.
In quantum cryptography, Bennet and Brassard [1] used the properties of quantum mechanics to propose the first quantum key distribution (QKD) protocol-the BB84 protocol-which allows two end users/applications to distribute the session keys between each other. Furthermore, some studies [2][3][4] have proved that the BB84 protocol is an unconditional security protocol; that is, the session key distributed by the BB84 protocol belongs

Background to Quantum Key Distribution (QKD) Networks
The QKD network is used to extend the range of the QKD protocol, and it consists of several static quantum nodes that have complete quantum capabilities (e.g., generating a single photon/entanglement state, storing qubits, and performing the quantum unitary operation). The quantum nodes execute the QKD protocol (e.g., the BB84 protocol) to distribute secure keys (also called local keys) between the neighboring nodes, and then, the hop-by-hop manner is adopted to assist the remote end users/applications to distribute unconditional security session keys.
The QKD network comprises quantum nodes and quantum links, and the framework of the QKD network can be divided into three layers: a communication layer, a key management layer, and a quantum layer (shown in Figure 1). The communication layer (the top layer) manages the routing tasks and provides the application interface (API) to allow the end users/applications to access the secure session keys generated by QKD protocols. The middle layer-the key management layer-is responsible for managing key generation and storage to effectively utilize the resources of quantum devices in the quantum layer. The quantum layer (the bottom layer) comprises several quantum devices and an authenticated public classical channel, and it is responsible for executing the QKD protocol for sharing local keys with neighbor nodes.
ci. 2021, 11, x FOR PEER REVIEW 3 of 15 The QKD network comprises quantum nodes and quantum links, and the framework of the QKD network can be divided into three layers: a communication layer, a key management layer, and a quantum layer (shown in Figure 1). The communication layer (the top layer) manages the routing tasks and provides the application interface (API) to allow the end users/applications to access the secure session keys generated by QKD protocols. The middle layer-the key management layer-is responsible for managing key generation and storage to effectively utilize the resources of quantum devices in the quantum layer. The quantum layer (the bottom layer) comprises several quantum devices and an authenticated public classical channel, and it is responsible for executing the QKD protocol for sharing local keys with neighbor nodes. Because of limited spaces, we only focus on the quantum layer technologies to introduce quantum nodes and quantum links, and the details of classical technologies are not provided here. This study introduces the following two main components.

Quantum Node
A quantum node is equipped with quantum devices that are necessary for executing the QKD protocol, including qubit generators, qubit measurement devices, and qubit memories. The technologies and types of quantum device adopted depend on the types of QKD protocols (e.g., discrete-variable-based QKD or continuous variable-based QKD).
Quantum nodes can be categorized into three types according to the function of the quantum node: (1) the repeater node, (2) the access node, and (3) the central control node. The repeater node assists the others in transmitting packets of session keys using a suitable routing path, and the main function of the access node is to provide the API which allows end users/applications to access the session keys. In a specific QKD network (i.e., the client-server architecture), the central control node is the routing server that is respon- Because of limited spaces, we only focus on the quantum layer technologies to introduce quantum nodes and quantum links, and the details of classical technologies are not provided here. This study introduces the following two main components.

Quantum Node
A quantum node is equipped with quantum devices that are necessary for executing the QKD protocol, including qubit generators, qubit measurement devices, and qubit memories. The technologies and types of quantum device adopted depend on the types of QKD protocols (e.g., discrete-variable-based QKD or continuous variable-based QKD).
Quantum nodes can be categorized into three types according to the function of the quantum node: (1) the repeater node, (2) the access node, and (3) the central control node. The repeater node assists the others in transmitting packets of session keys using a suitable routing path, and the main function of the access node is to provide the API which allows end users/applications to access the session keys. In a specific QKD network (i.e., the client-server architecture), the central control node is the routing server that is responsible for controlling and managing the entire routing table of the QKD network. In addition, because the key generation rate and key service demand are dynamic, it is impossible to maintain a balance between the key supply and demand at all times. Therefore, the quantum node must require a buffer (known as the key storage) to store the local keys to enhance the tolerance of the dynamic environment in the QKD network. Protecting local keys in the key storage is an important task. Therefore, an applicable key management mechanism must be adopted to manage and protect key generation, storage, and usage within key storage.

Quantum Link
A quantum link, in which a logical connection exists between two remote QKD nodes, comprises a quantum channel and an authenticated public classical channel (shown in Figure 2). The quantum channel is used for transmitting qubits, and the public channel implemented by the classical channel and classical cryptography technologies (e.g., universal hash function [49]) is used for post-processing the exchanged information of the QKD protocol (e.g., public discussion, error-correction, and privacy amplification processes). sible for controlling and managing the entire routing table of the QKD network. In addition, because the key generation rate and key service demand are dynamic, it is impossible to maintain a balance between the key supply and demand at all times. Therefore, the quantum node must require a buffer (known as the key storage) to store the local keys to enhance the tolerance of the dynamic environment in the QKD network. Protecting local keys in the key storage is an important task. Therefore, an applicable key management mechanism must be adopted to manage and protect key generation, storage, and usage within key storage.

Quantum Link
A quantum link, in which a logical connection exists between two remote QKD nodes, comprises a quantum channel and an authenticated public classical channel (shown in Figure 2). The quantum channel is used for transmitting qubits, and the public channel implemented by the classical channel and classical cryptography technologies (e.g., universal hash function [49]) is used for post-processing the exchanged information of the QKD protocol (e.g., public discussion, error-correction, and privacy amplification processes). Two main methods can be employed to practically implement quantum channels: direct optical fibers and free line-of-sight in a point-to-point (P2P) manner. Although optical fibers can be applied and are common for transmitting qubits, installing dedicated fibers for executing QKD protocols is not practical under all situations. A free space link is sometimes convenient, although it has its drawbacks; for example, appropriate atmospheric conditions, a visible light path, an acceptable signal-to-noise ratio are required, and so on. It is worth noting that [50] proved the feasibility of transmitting the quantum and classical information over the shared optical fibers; that is, the quantum nodes can use the same optical fiber to transmit the classical and quantum information. From a deployment perspective, the technology could significantly reduce the installation costs for additional optical fiber links. In addition, different types of quantum channel correspond to different types of QKD protocol. In other words, discrete-variable-based QKD protocols are usually implemented in the fiber channel, whereas continuous variable-based QKD protocols are implemented in a free space link. The communication distance and key generation rate are the main considerations for implementing quantum links. Although the key generation rate decreases exponentially when the communication distance increases, which is known to all, improving both the performance of the communication distance and key generation rate is still an important research issue in the field of QKD networks. Generally, using fiber channels to implement a QKD network can achieve better performance in terms of both the communication distance and key generation rate than using a free space link; however, the costs (including those of an accurate single-photon detector and of establishing dedicated fibers) are still high. A previous study [51] achieved a breakthrough in the free space link using the free space link to accomplish a satellite-to-ground QKD protocol over a distance of 645 to 1200 km. In addition, Lucamarini, M. et al. [52] proposed the twin-field QKD (TF-QKD) protocol to reach 550 km communication distance using Two main methods can be employed to practically implement quantum channels: direct optical fibers and free line-of-sight in a point-to-point (P2P) manner. Although optical fibers can be applied and are common for transmitting qubits, installing dedicated fibers for executing QKD protocols is not practical under all situations. A free space link is sometimes convenient, although it has its drawbacks; for example, appropriate atmospheric conditions, a visible light path, an acceptable signal-to-noise ratio are required, and so on. It is worth noting that [50] proved the feasibility of transmitting the quantum and classical information over the shared optical fibers; that is, the quantum nodes can use the same optical fiber to transmit the classical and quantum information. From a deployment perspective, the technology could significantly reduce the installation costs for additional optical fiber links. In addition, different types of quantum channel correspond to different types of QKD protocol. In other words, discrete-variable-based QKD protocols are usually implemented in the fiber channel, whereas continuous variable-based QKD protocols are implemented in a free space link. The communication distance and key generation rate are the main considerations for implementing quantum links. Although the key generation rate decreases exponentially when the communication distance increases, which is known to all, improving both the performance of the communication distance and key generation rate is still an important research issue in the field of QKD networks. Generally, using fiber channels to implement a QKD network can achieve better performance in terms of both the communication distance and key generation rate than using a free space link; however, the costs (including those of an accurate single-photon detector and of establishing dedicated fibers) are still high. A previous study [51] achieved a breakthrough in the free space link using the free space link to accomplish a satellite-to-ground QKD protocol over a distance of 645 to 1200 km. In addition, Lucamarini, M. et al. [52] proposed the twin-field QKD (TF-QKD) protocol to reach 550 km communication distance using current technology under the standard optical fiber. Some studies [53][54][55][56][57] have further demonstrated the performance of the TF-QKD protocol in an experimental manner. Therefore, future mainstream technologies still need to be evaluated and observed further.

QKD Network Type
In terms of the QKD network type, we have summarized the existing practical experiments and research reports to group QKD networks into three distinct classes: (1) active optical switch networks, (2) trusted node networks, and (3) quantum repeater networks. Here, note that a practical QKD network can be implemented by the hybrid types of network rather than only one type; for example, we can adopt the active optical switch and the trusted node networks to build a QKD network. This study describes the following three types of network.

Active Optical Switch Network
In the active optical switch network, an active optical switch mechanism is employed to establish a direct optical P2P quantum channel between any two quantum nodes (shown in Figure 3a) [58]. Using the switching mechanism, any two quantum nodes can be employed to establish a direct connection and execute the QKD protocol without any assistance from other nodes; however, this framework has two drawbacks: (1) the communication distance of the QKD network is not extended, that is, the distance is still bounded by the maximum communication distance between any two quantum nodes, and (2) all quantum technologies applied in the network must be consistent, which may restrict the application. However, the implementation challenges of the active optical switch in the physical layer still affect the performance of qubit communication. For example, the use of active optical switch will cause additional amount of photon losses and leads to shorten the maximum distance of quantum channels [59]. Therefore, it is an important issue to develop an active optical switch with minimal loss and noise, and without disturbing the states of qubits [60][61][62].
Appl. Sci. 2021, 11, x FOR PEER REVIEW 6 of 15 complete environment than the other networks in terms of applications, the quantum repeater technology is not mature enough, and the cost of the quantum repeater is still high. Thus, a quantum repeater cannot be generally adopted in existing QKD networks.

Key Results of Existing QKD Networks
This section surveys existing research studies and reports to summarize the key results in existing QKD networks. To prove the practicality of QKD networks, some countries and research institutes have invested enormous resources in practical field experiments on QKD networks. BBN Technologies and Harvard and Boston Universities [20][21][22] proposed the first QKD network-the DARPA quantum network-which has 10 quantum nodes and adopts a hybrid network type (i.e., active optical switch and trusted node networks). The DARPA network adopts the BB84 protocol to generate unconditional security keys and achieved the best performance of key generating rate of 400 bps over 29 km.
Subsequently, in 2004, the European Commission's (EC) integrated FP6 Project Secure Communication based on Quantum Cryptography (SECOQC) launched a major project-SECOQC QKD Network [23][24][25]-to define the practical applications of QKD networks and to further analyze the issues associated with QKD networks, including their security, design and architecture, communications protocols, and implementation methods. SECOQC clearly indicates that QKD networks are the infrastructure for providing key distribution and secure communication in future Internet environments. The SECOQC QKD network adopts a trusted node network framework and has six quantum nodes. In addition, six different technologies (including attenuated laser pulse, one-way

Trusted Node Network
In contrast to the active optical switch network, any quantum node only establishes a quantum channel with its neighboring nodes (shown in Figure 3b), and thus, it can only generate security materials with its neighbors. Thus, the two remote nodes cannot distribute the security key using the QKD protocol directly. Therefore, if the two remote nodes want to distribute security keys, they need help from other nodes using a hop-by-hop communication strategy. For example, in Figure 3b, when node A wants to distribute the session keys with node F, it needs the help of nodes B and C. However, any node on the routing path can know the session key that the source node wants to distribute to the destination node because of the hop-by-hop communication strategy; thus, the quantum node must be assumed to be trusted (i.e., they must protect the session keys without leaking any information to attackers). Although the assumption of a quantum node is not realistic in real Internet environments, a trusted node network is still the mainstream framework in existing practical field experiments because it is not limited by communication distance or node numbers and can be made up of different QKD devices implementing different QKD technologies.

Quantum Repeater Network
The network topology of a quantum repeater network is similar to that of a trusted node network; however, the main difference is that the quantum node is equipped with a quantum repeater [63], which uses quantum teleportation [64,65] or entanglement swapping [66], which assists the two remote quantum nodes in transmitting single photons or sharing entanglement states. Although the quantum repeater network can provide a more complete environment than the other networks in terms of applications, the quantum repeater technology is not mature enough, and the cost of the quantum repeater is still high. Thus, a quantum repeater cannot be generally adopted in existing QKD networks.

Key Results of Existing QKD Networks
This section surveys existing research studies and reports to summarize the key results in existing QKD networks. To prove the practicality of QKD networks, some countries and research institutes have invested enormous resources in practical field experiments on QKD networks. BBN Technologies and Harvard and Boston Universities [20][21][22] proposed the first QKD network-the DARPA quantum network-which has 10 quantum nodes and adopts a hybrid network type (i.e., active optical switch and trusted node networks). The DARPA network adopts the BB84 protocol to generate unconditional security keys and achieved the best performance of key generating rate of 400 bps over 29 km.
Subsequently, in 2004, the European Commission's (EC) integrated FP6 Project Secure Communication based on Quantum Cryptography (SECOQC) launched a major project-SECOQC QKD Network [23][24][25]-to define the practical applications of QKD networks and to further analyze the issues associated with QKD networks, including their security, design and architecture, communications protocols, and implementation methods. SECOQC clearly indicates that QKD networks are the infrastructure for providing key distribution and secure communication in future Internet environments. The SECOQC QKD network adopts a trusted node network framework and has six quantum nodes. In addition, six different technologies (including attenuated laser pulse, one-way weak coherent pulse, entanglement photons, and free space) are used to establish quantum links, and five different QKD protocols are adopted to distribute the local keys. The best performance in terms of the key generation rate of 3.1 kbps over 33 km was achieved by the SECOQC QKD network. The SECOQC network lays the groundwork and provides a guide for IP and routing protocols for implementing QKD networks.
The Tokyo UQCC (Updating Quantum Cryptography and Communication) QKD testbed network was launched in Japan [26,27] since 2010. It employs four access nodes and six repeater nodes to form the infrastructure of the QKD network and distribute the local keys via both the BB84 and BBM92 [5] protocols. A live demonstration of secure TV conferencing using the key distribution service of this QKD network was presented in October 2010. The best performance in terms of the key generation rate achieved by the Tokyo UQCC QKD network was 304 kpbs over 45 km.
The QKD networks have been implemented and tested on a large scale in China, and four main QKD network trials have been performed-the Beijing-Shanghai QKD network [28][29][30], the Jinan Government Private QKD Network [31][32][33], the Wuhan QKD Network [29], and the Hefei-Chaohu-Wuhu QKD Network [28,29,35]. The four QKD networks all adopted the trusted node network and the BB84 protocol to provide services of QKD networks. The numbers of quantum nodes in these QKD networks were 32, 32, 71, and 9, respectively. Notably, the Jinan government private QKD network and Wuhan QKD network use the client-server architecture to organize quantum nodes, that is, a central control node to manage the routing tables and services. The best performance in terms of key generation rate achieved among the four QKD networks was 250 kbps over In addition to improving the key generation rate and communication distance, enhancement of the routing algorithm and QoS are important and interesting research issues. The DARPA QKD network adopts the open shortest path first (OSPF) algorithm [67] to design the routing protocol. To accelerate the development process of the SECOQC QKD Network, a modified OSPFv2 protocol [67] was adopted, even though QoS cannot be supported by the OSPFv2 protocol. In another study [36], Dijkstra's algorithm was used to design the routing protocol of the QKD network, and two performance indicators were proposed to evaluate the proposed routing protocol. Tanizawa et al. [37] also used the OSPF algorithm to design a routing protocol and evaluated its performance via simulation implemented by the AIT QKD software [68]. Yang et al. [38] proposed a routing protocol using a dynamic routing scheme that includes three components: a Hello protocol, a routing protocol, and a link state update mechanism. The Hello protocol helps quantum nodes share the network topology information, the routing protocol is used to determine the suitable routing path, and the link state update mechanism is adopted to update the routing tables. Mehic et al. [39] highlighted that the QKD network is similar to the ad hoc network in terms of the routing method, used the greedy perimeter stateless routing protocol to design the routing protocol, and then, proposed a QoS mechanism for the QKD network; a simulation was performed to evaluate the performance of the proposed routing method. Another study [40] used the local complementation technique to share P2P entanglement; the proposed routing protocol could efficiently reduce the number of measuring qubits within the quantum repeater, thus enhancing the performance of the QKD network. For the hybrid QKD network framework formed by the quantum repeater and trusted node networks, Amer et al. [41] proposed three routing protocols and evaluated the performance of the proposed routing protocol via simulations.
For security issues and assumptions of the QKD network, Tanizawa et al. [46] showed how to allow end users/applications to access the QKD network's service securely is an open question; then, they used the OpenSSL [69] API to solve the question. However, Tanizawa et al. [46] proposed a method that decays the security level to computational security rather than unconditional security. Salvail et al. [44] used a multiple-path strategy to avoid the unrealistic assumption that the trustworthiness of a quantum node must be trusted, and proved that the QKD network can still provide key distribution services with unconditional security under t-bound situations (i.e., at most t untrusted nodes among n nodes). In addition, Tang et al. [45] proved that the MDI QKD protocol in an active optical switch network framework over 200 km is secure against untrustworthy nodes.

Challenges and Research Issues
Existing studies and experiments have provided fruitful results in terms of the network framework, key generation rate, communication distance, and routing protocol. However, there are still some challenges and issues that must be resolved. This study focusses on security issues (i.e., security assumptions and applications) to indicate important challenges and issues associated with QKD networks, describes these challenges and the feasible solutions and strategies for researchers to understand these challenges easily, and then, provides a basis for them to propose the appropriate solutions. The challenges are as follows: (1) Lacking point-to-multipoint (P2M) mechanisms in QKD networks: the key distribution service of the existing QKD network only provides point-to-point (P2P)) key distribution and lacks the P2M mechanism. (2) Many quantum node resources are consumed by a multiple-path strategy: although a multiple-path strategy can avoid the assumption that all quantum nodes must be trusted, many quantum node resources (e.g., the local keys that are used to help transmit the session key) are consumed to accomplish the multiple-path strategy. (3) No suitable security interface between the classical end users/applications and the quantum nodes: allowing classical end users/applications to have access to the key distribution service of QKD networks securely within the quantum computing environment is an important issue.
The proposed feasible resolutions for these challenges are discussed in detail as follows.

Lacking the Point-to-Multipoint (P2M) Mechanism in QKD Networks
The existing QKD networks only provide P2P key distribution services (i.e., allow two remote end users/applications to distribute the session keys). However, some information applications (e.g., broadcast) need P2M key distribution services (i.e., let one end user/application share session keys with n remote end users/applications). Although we can also use the P2P key distribution method to obtain the same results as the P2M key distribution, numerous resources of the quantum nodes must be consumed. For example, in Figure 4a, Alice wants to distribute a session key S A to Bob, Charlie, and David. Here, the quantum node N4 must consume three local keys (i.e., K (2,4) , K (1,4) , and K (3,4) ) and perform three encryptions to perform this task. This affects the performance of QKD networks. When the load of the QKD network increases continuously, the influence tends to become serious. Reducing this burden is an important issue for enhancing the performance of QKD networks. Therefore, for this challenge, a feasible solution is to adopt the quantum conference key distribution (QCKD) protocol, which allows a multiparty to simultaneously share a conference key. For the aforementioned task, if N4 had shared a conference key with N1, N2, and N3, N4 will only consume one conference key and perform the encryption once (shown as Figure 4b); that is, a QCKD protocol is required in the QKD network. However, an efficient integration of QKD and QCKD protocols into QKD networks remains an important issue that needs to be studied further. Except for the QCKD protocols, some physical layer technologies can also be used to tackle this P2M challenge as well. For example, the time-division multiplexing (TDM) based concept will be a suitable technology. Based on the TDM-based multiuser scheme [70], Zavitsanos et al. [71] proposed an indicative P2MP technology for ultra-dense QKD networks, in which the multiple users can be served with acceptable secret key rates.

Numerous Quantum Node Resources Are Consumed by the Multiple-Path Strategy
The QKD network must use the hop-by-hop method to distribute the security session key owing to the limitation of the qubit communication distance. Any node on the routing path can know the session keys distributed from the source node to the destination node.

Numerous Quantum Node Resources Are Consumed by the Multiple-Path Strategy
The QKD network must use the hop-by-hop method to distribute the security session key owing to the limitation of the qubit communication distance. Any node on the routing path can know the session keys distributed from the source node to the destination node. In the DAPRA QKD network, after the routing path is decided, the source node (node N1 in Figure 5) sends reservation requests to all nodes (N2, N3, and N4 in Figure 5) in the routing path and the destination node (N5 in Figure 5). Then, these nodes use the XOR operation to encrypt the corresponding local key or session key to assist the source, and the distance nodes share the session key. By observing this session key transmission method of the DAPRA QKD network, we can determine that the session key may be leaked if the part nodes (e.g., N4 or N2) are compromised. Taking the situation in Figure 5 as an example, N4 has the local key K (4,5) ; thus, N4 can intercept the ciphertext K (4,5) ⊕SK that is sent from N5 to N1 and then perform K (4,5) ⊕K (4,5) ⊕SK to obtain SK; likewise, N2 can intercept the ciphertexts K (4,5) ⊕SK, K (3,4) ⊕K (4,5) , and K (2,3) ⊕K (3,4) sent from N5, N4, and N3 to N1, respectively. It can then perform the calculation as shown in the following equation: (3,4) )⊕(K (3,4) ⊕K (4,5) )⊕(K (4,5) ⊕SK).

Numerous Quantum Node Resources Are Consumed by the Multiple-Path Strategy
The QKD network must use the hop-by-hop method to distribute the security session key owing to the limitation of the qubit communication distance. Any node on the routing path can know the session keys distributed from the source node to the destination node. In the DAPRA QKD network, after the routing path is decided, the source node (node N1 in Figure 5) sends reservation requests to all nodes (N2, N3, and N4 in Figure 5) in the routing path and the destination node (N5 in Figure 5). Then, these nodes use the XOR operation to encrypt the corresponding local key or session key to assist the source, and the distance nodes share the session key. By observing this session key transmission method of the DAPRA QKD network, we can determine that the session key may be leaked if the part nodes (e.g., N4 or N2) are compromised. Taking the situation in Figure 5 as an example, N4 has the local key , ; thus, N4 can intercept the ciphertext , ⨁ that is sent from N5 to N1 and then perform , ⨁ , ⨁ to obtain ; likewise, N2 can intercept the ciphertexts , ⨁ , , ⨁ , , and , ⨁ , sent from N5, N4, and N3 to N1, respectively. It can then perform the calculation as shown in the following equation: Because the associative properties of the XOR function, ⨁ ⨁ ⨁ ⨁ and N2 owns the local keys, , and , , in which it can extract . The SECOQC QKD network adopts a similar method to transmit the session key, as shown in Figure 6. This session key transmission method allows any node in the routing path to decrypt the ciphertext of the session key, re-encrypts the session key with the local key shared between it and the next node and, then, sends fresh ciphertext to the next node. Because the associative properties of the XOR function, A⊕(B⊕C) = (A⊕B)⊕C and N2 owns the local keys, K (1,2) and K (2,3) , in which it can extract SK.
The SECOQC QKD network adopts a similar method to transmit the session key, as shown in Figure 6. This session key transmission method allows any node in the routing path to decrypt the ciphertext of the session key, re-encrypts the session key with the local key shared between it and the next node and, then, sends fresh ciphertext to the next node. In other words, any node in the routing path can obtain the session key directly; thus, the session key will be revealed if any node among the routing path is compromised. In other words, any node in the routing path can obtain the session key directly; thus, the session key will be revealed if any node among the routing path is compromised. Although Salvail et al. [44] used the multiple-path strategy to prevent the aforementioned problem-the partial quantum nodes were compromised, and the multiple-path strategy consumed numerous resources of quantum nodes, in which the consumption of local keys was the most important because of the high cost of generating local keys. Let us take an example to explain this. Alice wants to distribute a session key to Bob with the help of the source node NS. If NS selects m paths for transmitting the session key to the Although Salvail et al. [44] used the multiple-path strategy to prevent the aforementioned problem-the partial quantum nodes were compromised, and the multiple-path strategy consumed numerous resources of quantum nodes, in which the consumption of local keys was the most important because of the high cost of generating local keys. Let us take an example to explain this. Alice wants to distribute a session key to Bob with the help of the source node NS. If NS selects m paths for transmitting the session key to the destination node ND, m times the number of local keys will be used to achieve this task (also shown in Figure 7). Although Salvail et al. [44] used the multiple-path strategy to prevent the aforeme tioned problem-the partial quantum nodes were compromised, and the multiple-pa strategy consumed numerous resources of quantum nodes, in which the consumption local keys was the most important because of the high cost of generating local keys. L us take an example to explain this. Alice wants to distribute a session key to Bob with th help of the source node NS. If NS selects m paths for transmitting the session key to th destination node ND, m times the number of local keys will be used to achieve this tas (also shown in Figure 7). Therefore, reducing the consumption of the local key and avoiding the unrealist assumption of the trustworthiness level of quantum nodes is an interesting research issu To address this issue, we propose a feasible solution: each node in the routing path ca share the secret shadow using the QSS protocol [72][73][74][75]. Only nodes in the routing pa cooperate here, and the session key can be extracted; otherwise, no information regardin the session key can be revealed to anyone. Taking an example (shown in Figure 8) to e plain the resolution, Alice wants to distribute a session key with Bob with the help source node N1. All nodes in the routing path (i.e., N4, N8, and N9) share the secret shad ows (i.e., , , and ) with N1, respectively, using a secure QSS protocol. After N N8, and N9 perform XOR operation on their secret shadows and the ciphertext sent fro the previous node, the session key SK can be extracted. If N4 or N8 is compromised, th session key cannot be obtained because it cannot obtain the assistance of all agents (i. N4 and N9). Note that the source and destination nodes must still be trusted; howeve the other nodes can be released from this unrealistic assumption. However, the routin paths within the QKD network are dynamic; thus, letting the nodes in each routing pa share the secret shadows effectively is crucial for the proposed solution. This issue shou be addressed in future research. Therefore, reducing the consumption of the local key and avoiding the unrealistic assumption of the trustworthiness level of quantum nodes is an interesting research issue. To address this issue, we propose a feasible solution: each node in the routing path can share the secret shadow using the QSS protocol [72][73][74][75]. Only nodes in the routing path cooperate here, and the session key can be extracted; otherwise, no information regarding the session key can be revealed to anyone. Taking an example (shown in Figure 8) to explain the resolution, Alice wants to distribute a session key with Bob with the help of source node N1. All nodes in the routing path (i.e., N4, N8, and N9) share the secret shadows (i.e., SS 1 , SS 2 , and SS 3 ) with N1, respectively, using a secure QSS protocol. After N4, N8, and N9 perform XOR operation on their secret shadows and the ciphertext sent from the previous node, the session key SK can be extracted. If N4 or N8 is compromised, the session key cannot be obtained because it cannot obtain the assistance of all agents (i.e., N4 and N9). Note that the source and destination nodes must still be trusted; however, the other nodes can be released from this unrealistic assumption. However, the routing paths within the QKD network are dynamic; thus, letting the nodes in each routing path share the secret shadows effectively is crucial for the proposed solution. This issue should be addressed in future research.

No Suitable Security Interface between the Classical End Users/Applications and Quantum Nodes
Because the construction cost of quantum nodes is still very high, it is not feasible to let each end user/application have a dedicated quantum node for accessing the service of the QKD network. Therefore, several end users/applications must share one quantum

No Suitable Security Interface between the Classical End Users/Applications and Quantum Nodes
Because the construction cost of quantum nodes is still very high, it is not feasible to let each end user/application have a dedicated quantum node for accessing the service of the QKD network. Therefore, several end users/applications must share one quantum node (i.e., the access node mentioned in Section 2) in a real time environment. Therefore, the end users/applications still use the classical network to link the quantum nodes (shown in Figure 9); that is, designing a complete security mechanism for the communication between the end users/applications and the quantum nodes is an important issue. Although Tanizawa et al. [46] proposed a strategy using OpenSSL for this issue, the strategy is still not perfect within the quantum computing environment because OpenSSL is a computingbased security method.

PEER REVIEW
12 of 15 SSL, TLS and so on) will need to be studied further to evaluate and optimize its performance. Figure 9. Security interface between the quantum node and end users/applications.

Conclusions
The QKD network is a key infrastructure that allows end users/applications to access the key distribution service with unconditional security. To date, various countries and research institutes have invested numerous resources to execute theoretical studies and practical field experiments on QKD networks. This study surveys and summarizes the existing results of these studies and experiments and then proposes three security challenges: (1) the lack of a P2M mechanism in QKD networks, (2) many quantum node resources being consumed by the multiple-path strategy, and (3) no suitable security interface between the classical end users/applications and quantum nodes. In addition, some feasible solutions and strategies for these challenges are indicated to allow researchers to understand these challenges easily and to inspire them to propose the appropriate solutions.  To address this issue, we believe that post-quantum cryptography (PQC) is the optimal strategy for designing a security mechanism for the interface between the quantum node and the end users/applications. Here, PQC can be used to complete the authentication and session key transmission between the quantum and classical end user/application. After the end users/applications obtain the session keys with the quantum node using postquantum public-key cryptography, they can use the OTP or symmetric key cryptography to communicate securely. Although using an OTP to encrypt the messages transmitted between the quantum node and the end users/applications can provide unconditional security, this method has a higher cost than using symmetric key cryptography because of the heavy demand for encryption/decryption keys. However, using symmetric key cryptography cannot provide unconditional security for the end users/application to access the session keys from the quantum node; however, the security of this method is better than that of other currently existing methods (e.g., SSL protocol) because the encryption/decryption keys are obtained from algorithms that cannot be broken by a quantum computer. We can select the suitable encryption/decryption methods depending on the practical context; that is, if the application's security requirement is not high but the communication traffic is heavy, symmetric key cryptography will be applicable; otherwise, an OTP can be used to provide the best security protection. For demonstrating the feasibility of the integrating PQC and QDK protocol, Wang et al. [76] used an experimental approach to verify the efficiency and stability of the PQC algorithm in QKD authentication. However, the National Institute of Standards and Technology (NIST) is currently working on the new generation of quantum-resistant key encapsulation and authentication schemes, the implementation of integrating the PQC key exchange and the authentication into the standard cryptographic protocols of the classical network (e.g., SSL, TLS and so on) will need to be studied further to evaluate and optimize its performance.

Conclusions
The QKD network is a key infrastructure that allows end users/applications to access the key distribution service with unconditional security. To date, various countries and research institutes have invested numerous resources to execute theoretical studies and practical field experiments on QKD networks. This study surveys and summarizes the existing results of these studies and experiments and then proposes three security challenges: (1) the lack of a P2M mechanism in QKD networks, (2) many quantum node resources being consumed by the multiple-path strategy, and (3) no suitable security interface between the classical end users/applications and quantum nodes. In addition, some feasible solutions and strategies for these challenges are indicated to allow researchers to understand these challenges easily and to inspire them to propose the appropriate solutions.