How QKD Networks Secure Communications: A One‑Page Technical Overview
This article explains the quantum key distribution (QKD) technology that underpins Chinese quantum communication products, detailing the point‑to‑point encryption flow, the four‑layer QKD network architecture defined in YD/T 4301‑2023, and practical ALICE‑BOB scenarios that illustrate how quantum physics guarantees eavesdrop‑proof security.
1. Point‑to‑point QKD workflow
The core of every quantum communication product is QKD (Quantum Key Distribution). Photons cannot be perfectly copied; any eavesdropping alters their state, instantly alerting the communicating parties. The process consists of three stages: key generation, encryption of plaintext, and decryption of ciphertext.
Step 1 – QKD modules generate a shared key
Quantum channel : QKD modules emit single photons carrying random bits (e.g., "10110100") through a quantum fiber such as the 1,147‑km link in Hefei.
Classical channel : Both sides compare measurement bases over a conventional network (e.g., mobile signal). Only bits measured in the same basis are kept, forming the shared secret key.
Security point : If an eavesdropper intercepts the quantum channel, the photon state changes, causing an abnormal error rate during the comparison step, and the key is discarded.
Step 2 – Encryption at the sender
The encryption device retrieves the shared key (e.g., "10110100").
Plaintext (e.g., "11111111") is encrypted into ciphertext (e.g., "01001011", unreadable without the key).
Ciphertext is transmitted over the application communication link (ordinary network) to the receiver.
Step 3 – Decryption at the receiver
The receiver’s QKD module holds the same shared key.
The decryption device uses this key to restore the original plaintext.
Both parties obtain identical information.
One‑sentence summary : QKD modules create a one‑time key, the encryption device locks the message with that key, and the receiver unlocks it – the key never travels over the network, so eavesdroppers cannot obtain or use it.
2. Layered architecture of a quantum metropolitan network (YD/T 4301‑2023)
The point‑to‑point flow is supported by a four‑layer architecture, each layer performing a single function.
Application layer (top)
Core module : Cryptographic applications such as quantum‑secure messaging apps.
Function : Uses the generated key to encrypt messages or calls, providing the visible security service to end users.
Control layer
Core module : QKD controller.
Function : Schedules network resources – routing, access control, and key‑distribution policies – similar to traffic‑light management.
Key‑management layer
Core module : Key Management Agent (KMA) and Key‑Supply Agent (KSA).
Function : KMA stores and forwards keys; KSA delivers keys to applications and can combine multiple keys for enhanced security.
Quantum layer (bottom)
Core module : QKD modules.
Function : Generates raw quantum keys via quantum communication and key extraction, forming the security foundation.
Network‑management layer (optional, right side of the diagram)
Function : Monitors device health, key availability, and handles fault recovery to keep the network running without interruption.
Architecture summary : Quantum layer creates keys → Key‑management layer stores and distributes them → Control layer orchestrates the network → Application layer consumes the keys, turning “secure communication” into a usable service.
3. Scenario‑driven walk‑through: ALICE ↔ BOB using a prepare‑measure QKD protocol
Key generation pipeline
Random‑number generator in QKD module : Produces true random bits (e.g., "10011010") from quantum uncertainty.
Quantum‑channel synchronization : High‑precision clock signals align the emission and detection of photons between Alice (city A) and Bob (city B) to nanosecond accuracy.
Quantum communication & channel multiplexing : Encodes random bits onto single photons (horizontal polarization = 0, vertical = 1) and sends them over a shared fiber that also carries conventional data, using wavelength‑division to avoid interference.
Optical switch + quantum‑repeater nodes : For distances > 100 km, switches route photons to dedicated quantum‑repeater paths; repeaters use entanglement to faithfully relay photons, preventing attenuation loss.
Key extraction : Bob’s QKD module measures photon states, then Alice and Bob compare bases over the classical channel. Only bits measured in the same basis are kept, yielding an effective key fragment (e.g., "10110100").
QKD‑key provision : The validated key fragment is handed to the KMA for storage and later distribution.
Application encryption
KSA synchronizes the key to Alice’s and Bob’s terminals.
Alice encrypts the sensitive file with the one‑time key, producing ciphertext.
The ciphertext travels over the ordinary network to Bob.
Bob decrypts with the same key; the key is destroyed after use, and a new key will be generated for the next session.
4. Frequently asked questions
Why can’t the key be intercepted?
Quantum photons cannot be copied; measurement inevitably changes their polarization, which is detected as an increased error rate.
The prepare‑measure “sifting” step compares bases; eavesdropping raises the error rate from < 3 % to > 10 %, causing the key to be discarded.
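The sifting and error-rate check described here and in the key-extraction step, as an added simulation that is not part of the original article or of any vendor's product. It assumes a BB84-style protocol with two bases, a 2 % baseline channel noise and a measure-and-resend eavesdropper; the article names none of these, and only the 10 % abort threshold is taken from the text.

```python
import random

ABORT_QBER = 0.10  # page: eavesdropping pushes the error rate above 10 %

def run_session(n_photons, eavesdrop, channel_noise=0.02, seed=1):
    """Simulate one session; return (sifted_len, qber, key or None if aborted)."""
    rng = random.Random(seed)  # simulation only; a QKD module uses a quantum RNG
    alice, bob = [], []
    for _ in range(n_photons):
        # Alice: random bit in a random basis (0 = rectilinear, 1 = diagonal)
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Measuring in the wrong basis gives a random result and the
            # re-emitted photon carries the eavesdropper's basis, not Alice's.
            e_basis = rng.getrandbits(1)
            if e_basis != photon_basis:
                photon_bit = rng.getrandbits(1)
            photon_basis = e_basis
        # Bob: random basis; a mismatched basis yields a random bit
        b_basis = rng.getrandbits(1)
        measured = photon_bit if b_basis == photon_basis else rng.getrandbits(1)
        if rng.random() < channel_noise:  # fibre and detector noise
            measured ^= 1
        if a_basis == b_basis:  # sifting: bases compared on the classical channel
            alice.append(bit)
            bob.append(measured)
    if len(alice) < 2:
        raise ValueError("too few sifted bits to estimate an error rate")
    # Error-rate check: disclose a random half of the sifted bits, then drop them
    idx = list(range(len(alice)))
    rng.shuffle(idx)
    half = len(idx) // 2
    sample, keep = idx[:half], sorted(idx[half:])
    qber = sum(alice[i] != bob[i] for i in sample) / len(sample)
    if qber > ABORT_QBER:
        return len(alice), qber, None  # abnormal error rate: discard the key
    # Error correction and privacy amplification would follow here (omitted)
    return len(alice), qber, [alice[i] for i in keep]

if __name__ == "__main__":
    for eve in (False, True):
        n, qber, key = run_session(4000, eavesdrop=eve)
        print(f"eavesdrop={eve} sifted={n} qber={qber:.3f} key_kept={key is not None}")
```

About half of the photons survive sifting, and in this model the eavesdropped session shows an error rate near 25 %, so the key is discarded.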
Why are quantum keys more secure than traditional keys?
Traditional keys are pseudo‑random, generated by algorithms that may be broken by quantum computers.
Quantum keys are truly random, derived from inherent quantum uncertainty.
Each key is used only once and then destroyed, eliminating reuse‑based attacks.
What about long‑distance transmission?
Quantum‑repeater nodes act as mid‑point stations, using entanglement to forward photons without loss.
Channel‑multiplexing lets quantum and classical signals share the same fiber, preserving stability.
What if the one‑time key supply runs out?
The quantum layer can generate keys on demand, theoretically providing unlimited supply.
The key‑management layer keeps a reserve of pre‑generated keys and can trigger accelerated generation during traffic spikes.
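The one-time use of keys from the application-encryption walk-through and the reserve described in this answer, as an added sketch that is not code from the original article or from YD/T 4301-2023. KeyPool, its low-water mark and the otp helper are hypothetical names, and bitwise XOR is assumed as the cipher because it matches the article's example key, plaintext and ciphertext.

```python
import secrets

class KeyPool:
    """Hypothetical stand-in for the KMA reserve and KSA delivery at one terminal."""

    def __init__(self, low_water_bytes=32):
        self._buf = bytearray()
        self.low_water = low_water_bytes

    def deposit(self, key_bytes):
        """Quantum layer hands over validated key material."""
        self._buf += key_bytes

    def needs_refill(self):
        """True when the reserve is low enough to request faster generation."""
        return len(self._buf) < self.low_water

    def take(self, n):
        """Hand out n key bytes exactly once."""
        if n > len(self._buf):
            # Failing closed is the point: never fall back to reusing old key
            raise RuntimeError("key reserve exhausted; refusing to reuse key material")
        out = bytes(self._buf[:n])
        self._buf[:n] = bytes(n)  # zero the pool's copy before dropping it
        del self._buf[:n]
        return out

def otp(data, key):
    """One-time-pad XOR; the same call encrypts and decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def demo():
    # First byte is the article's example key; the rest is constructed filler
    shared = bytes([0b10110100]) + secrets.token_bytes(15)
    alice, bob = KeyPool(low_water_bytes=8), KeyPool(low_water_bytes=8)
    alice.deposit(shared)
    bob.deposit(shared)  # both ends must consume the key stream in step
    ciphertext = otp(bytes([0b11111111]), alice.take(1))
    plaintext = otp(ciphertext, bob.take(1))
    return ciphertext, plaintext, alice

if __name__ == "__main__":
    ct, pt, _ = demo()
    print(f"ciphertext={ct[0]:08b} plaintext={pt[0]:08b}")
```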
Overall conclusion : Quantum security relies on immutable physical laws and protocol design, making eavesdropping detectable and keys uncrackable. The YD/T 4301‑2023 layered architecture enables large‑scale deployment of absolutely secure keys, which underpins quantum‑secure messaging, encrypted lines, and other high‑security services in cities such as Hefei and Shanghai.
