• Telecommunications

Telia Company Quantum Key Distribution for Nordic Telecommunications Infrastructure

Telia Company

Telia deployed continuous-variable quantum key distribution over existing fiber infrastructure across the Stockholm-Gothenburg corridor, using trusted relay nodes to achieve metropolitan-scale secure key rates for government and financial sector customers, in compliance with ETSI QKD standards and integrated with classical TLS via hybrid key derivation.

Key Outcome
10 kbps secure key rate at 80 km segment; 2.5 kbps end-to-end with relay; deployed for encrypted government and financial sector traffic.

The Problem

Telecommunications infrastructure faces a structural cryptographic risk. The public-key cryptography securing today’s fiber networks (RSA, elliptic curve Diffie-Hellman) will become vulnerable to sufficiently powerful quantum computers. A harvest-now, decrypt-later threat is already active: adversaries can record encrypted traffic today and decrypt it once quantum hardware matures, which is of particular concern for traffic with long-term confidentiality requirements (government communications, financial transaction logs, health records).

Telia Company, the dominant telecommunications operator in the Nordic region, operates extensive fiber infrastructure across Sweden, Finland, Norway, and the Baltic states. Telia evaluated two complementary approaches to long-term cryptographic security: post-quantum cryptography (PQC, software-based algorithm replacement) and quantum key distribution (QKD, hardware-based key generation).

PQC offers simpler deployment but is based on mathematical hardness assumptions that could theoretically be broken by classical advances. QKD offers information-theoretic security (eavesdropping is detectable because it disturbs the quantum state) but requires dedicated hardware and is constrained by fiber distance limits and key rate.

Telia’s research and commercial pilot focused on QKD over the Stockholm-Gothenburg corridor: 470 km of existing dark fiber with trusted relay nodes every 80 km.

CV-QKD vs DV-QKD for Telecom Distances

Two main QKD families exist, with different tradeoffs for telecom deployment:

Discrete-Variable QKD (DV-QKD) encodes key bits in the polarization or phase of individual photons. It requires single-photon detectors, which are expensive and temperature-sensitive. Protocols like BB84 and its variants are well-studied with strong security proofs. DV-QKD systems from Toshiba and ID Quantique are commercially available and have been deployed in metropolitan area networks (typically under 100 km without trusted relays).

Continuous-Variable QKD (CV-QKD) encodes key bits in the quadrature amplitudes of coherent light states, detectable with standard telecom homodyne detectors. CV-QKD hardware is more compatible with existing telecom infrastructure because it uses coherent detection rather than single-photon counting. This lowers costs and simplifies integration with wavelength-division multiplexed (WDM) fiber systems. The security proofs for CV-QKD are more recent and the technology is at an earlier commercial maturity stage than DV-QKD.

Telia selected CV-QKD using ID Quantique’s Clavis3 system for two practical reasons:

  1. Detector compatibility. Coherent homodyne detectors operate at room temperature and are built into standard telecom modules, avoiding the cryogenic requirements of superconducting nanowire single-photon detectors used in high-performance DV-QKD systems.
  2. WDM coexistence. CV-QKD can share fiber with conventional WDM traffic on adjacent wavelengths with appropriate channel isolation, allowing Telia to use existing fiber infrastructure without dedicating dark fiber exclusively to quantum channels.

Trusted Relay Architecture

The 470 km Stockholm-Gothenburg corridor exceeds the practical range of direct QKD, which is limited by fiber attenuation. At telecom C-band wavelengths, fiber loss is approximately 0.2 dB/km. At 80 km, accumulated loss is 16 dB, which is near the practical limit for CV-QKD with coherent detection before key rate falls below useful thresholds.

Telia deployed trusted relay nodes at approximately 80 km intervals: Stockholm, Uppsala, Orebro, and Gothenburg endpoints, with intermediate relay sites at Arboga and Alingsas.

A trusted relay node terminates the QKD session from one segment, generates a locally secure random key, and XORs it with the incoming session key to pass a combined key to the next segment. This approach is called key chaining:

Stockholm --[QKD seg 1]--> Relay A --[QKD seg 2]--> Relay B --[QKD seg 3]--> Gothenburg

End-to-end key = K1 XOR K2 XOR K3
(each K_i is the QKD key generated on that segment)

The security limitation is that trusted relays must be physically secured. If a relay node is compromised, the security of the end-to-end key is lost. Telia used hardened co-location facilities for relay nodes, with physical access control and tamper detection, and the nodes themselves operated in secure enclaves with no remote administrative access.

This is in contrast to quantum repeater technology, which would allow end-to-end entanglement without trusted relays. Quantum repeaters capable of operating over telecom fiber distances remain a research-stage technology; Telia’s 2024 deployment relies entirely on trusted relay chaining.

Key Rate Performance

Secure key rate in QKD depends on fiber loss, detector noise, channel excess noise (from environmental vibration and temperature fluctuations on fiber), and the efficiency of the privacy amplification protocol.

For the Telia deployment:

SegmentDistanceKey rate
Stockholm - Relay A (Arboga)80 km10 kbps
Relay A - Relay B (Alingsas)80 km9.5 kbps
Relay B - Gothenburg~80 km10.2 kbps
End-to-end (chained)470 km2.5 kbps

The end-to-end rate of 2.5 kbps is determined by the lowest-rate segment after key chaining overhead. This is sufficient for one-time-pad encryption of low-bandwidth control traffic and symmetric key refresh for high-bandwidth encrypted sessions. A 256-bit AES session key can be refreshed approximately every 100 ms at 2.5 kbps, providing forward secrecy at a granularity far beyond what classical key exchange achieves in practice.

For high-bandwidth traffic (multi-gigabit encrypted enterprise links), the QKD-generated keys are used to seed a CSPRNG for bulk encryption, not as a one-time pad. This preserves the quantum-derived key’s value as a seed while allowing practical bandwidth.

ETSI QKD Standards Compliance

Telia implemented the QKD layer in compliance with ETSI GS QKD standards, which specify interfaces and management protocols for integrating QKD systems into telecommunications networks:

  • ETSI GS QKD 004: Application interface for key delivery to consuming applications (e.g., the TLS handshake engine that requests fresh key material)
  • ETSI GS QKD 014: REST API for key management, allowing applications to request keys by key ID and size
  • ETSI GS QKD 015: Control interface for QKD module management (link status, key availability, module health)

The ETSI QKD application interface abstracts the physical QKD system from the application layer: an application requests a key of a given size for a given key consumer ID, and the key management layer delivers it without exposing the underlying QKD protocol details.

import requests
import json

# ETSI GS QKD 014 key request (simplified)
# Both endpoints call their local KMS; keys are pre-distributed by QKD
# and the KMS synchronizes key IDs over a classical channel

KMS_BASE_URL = "https://qkd-kms-stockholm.telia.internal/api/v1"
SAE_ID = "sae_goteborg_financial_link_01"   # Secure Application Entity ID

def request_qkd_key(sae_id: str, key_size_bits: int = 256) -> dict:
    """
    Request a QKD-derived key from local key management server.
    Returns key ID and base64-encoded key material.
    """
    payload = {
        "number": 1,
        "size": key_size_bits,
        "additional_slave_SAE_IDs": [sae_id],
    }
    response = requests.post(
        f"{KMS_BASE_URL}/keys/{sae_id}/enc_keys",
        json=payload,
        cert=("/etc/telia/client.crt", "/etc/telia/client.key"),
        verify="/etc/telia/qkd-ca.crt",
    )
    response.raise_for_status()
    return response.json()["keys"][0]  # {"key_ID": "...", "key": "<base64>"}


def hybrid_tls_key_derivation(qkd_key_bytes: bytes, classical_ecdh_secret: bytes) -> bytes:
    """
    Combine QKD key and classical ECDH shared secret via HKDF.
    
    If QKD is compromised (relay attack), classical ECDH provides baseline security.
    If ECDH is broken by quantum computer, QKD key provides quantum-safe security.
    Neither alone is sufficient to break the hybrid session key.
    """
    import hashlib, hmac
    # HKDF-Extract: combine both secrets into a single pseudorandom key
    combined_ikm = qkd_key_bytes + classical_ecdh_secret
    prk = hmac.new(b"telia-qkd-hybrid-v1", combined_ikm, hashlib.sha256).digest()
    
    # HKDF-Expand: derive session key material
    session_key = hmac.new(prk, b"session-key\x01", hashlib.sha256).digest()
    return session_key  # 256-bit hybrid session key

SDN Integration

Telia integrated QKD key management with its software-defined networking (SDN) fabric using an OpenDaylight-based controller. The SDN integration allows automatic rekeying of encrypted optical transport segments when QKD key stores reach a minimum threshold, and provides visibility into per-link key rate and key availability for network operations center dashboards.

When a QKD link segment degrades (due to fiber disturbance, connector contamination, or high channel excess noise from temperature changes), the SDN controller can redirect affected traffic to alternative encrypted paths while alerting the QKD maintenance team. This link-state-aware rerouting is an extension of standard RSVP-TE traffic engineering with QKD key availability as an additional link attribute.

Hybrid Key Derivation Security Model

Telia used a hybrid key derivation approach for all customer-facing encrypted sessions. The session key is derived from both the QKD-generated key material and a classical ECDH ephemeral shared secret. This provides defense-in-depth:

  • A classical adversary who compromises the trusted relay node cannot break the session key because QKD key material is not transmitted on the classical channel
  • A future quantum adversary who breaks ECDH cannot break the session key because the QKD-derived component retains information-theoretic security
  • A physical adversary who both compromises the relay and breaks ECDH simultaneously would break the hybrid, but this threat model exceeds the security requirements for the target applications

Deployment and Customer Applications

The Telia QKD pilot served two customer segments:

Swedish government agencies: Several national agencies with requirements for communications classified at HEMLIG level (Swedish national security classification) used the QKD-secured links for inter-agency traffic between Stockholm and Gothenburg offices. The QKD-hybrid encryption satisfies requirements for crypto-agile infrastructure that remains secure against quantum threats.

Financial institutions: Two major Swedish banks used the QKD link for inter-datacenter replication traffic for transaction logs and settlement data, categories where harvest-now-decrypt-later attacks are a documented regulatory concern under DORA (Digital Operational Resilience Act) in the EU financial sector.

Telia published this work in collaboration with ID Quantique and the Swedish national NCSC (National Cybersecurity Centre) as part of Sweden’s national quantum infrastructure roadmap, with plans to extend the network to Helsinki and Copenhagen by 2026.