• Telecommunications

Toshiba Research: Quantum Key Distribution Over 600km Fiber

Toshiba Research

Toshiba's UK research lab demonstrated twin-field QKD over 600km of standard fiber optic cable, setting a distance record and achieving key rates sufficient for AES-256 key refresh in real financial networks.

Key Outcome
Achieved 600km QKD, surpassing the previous record of roughly 400km. Key rates were sufficient for real network use with AES-256 key refresh. Toshiba is commercializing QKD systems and has signed early contracts with financial institutions for quantum-safe communication links.

The Problem

The security of the internet depends on public-key cryptography. RSA and elliptic curve cryptography (ECC) protect banking transactions, government communications, and private messages. Their security rests on mathematical hardness assumptions: factoring large integers or computing discrete logarithms is computationally infeasible for classical computers.

Peter Shor’s 1994 algorithm showed that a sufficiently large quantum computer could break RSA and ECC in polynomial time. A fault-tolerant quantum computer with thousands of logical qubits could decrypt messages protected by today’s strongest classical encryption.

This threat is not hypothetical. Adversaries can intercept and store encrypted communications today, then decrypt them once quantum hardware matures. This “harvest now, decrypt later” attack means that data with a long secrecy horizon, classified government information, long-term financial records, medical data, is already at risk.

Two Responses: PQC and QKD

There are two complementary approaches to the quantum cryptography threat.

Post-quantum cryptography (PQC) replaces RSA and ECC with mathematical problems believed hard even for quantum computers. NIST standardized several PQC algorithms in 2022-2024. PQC is software-only and can be deployed on existing infrastructure.

Quantum key distribution (QKD) takes a different approach. Instead of harder math, it uses quantum physics to distribute encryption keys. Any eavesdropper attempting to intercept the quantum channel disturbs the quantum states, which is detectable. QKD security is information-theoretic, not computational: it holds even against an adversary with unlimited classical or quantum computing power.

Toshiba’s work is in QKD.

The BB84 Protocol

BB84, proposed by Bennett and Brassard in 1984, is the original QKD protocol. Alice and Bob exchange qubits encoded in photon polarization states, using randomly chosen bases. An eavesdropper cannot copy quantum states (no-cloning theorem) and cannot measure without disturbing. The following simulation shows the protocol logic:

import random
import hashlib

def bb84_simulation(n_bits=1000, error_rate=0.0):
    """
    Simulate BB84 key exchange protocol.
    Returns: (alice_key, bob_key, detected_eavesdropping)
    """
    # Step 1: Alice prepares random bits in random bases
    alice_bits = [random.randint(0, 1) for _ in range(n_bits)]
    alice_bases = [random.choice(["+", "x"]) for _ in range(n_bits)]

    # Step 2: Bob measures in random bases
    bob_bases = [random.choice(["+", "x"]) for _ in range(n_bits)]

    # Step 3: Simulate channel (with optional eavesdropper)
    bob_results = []
    for i in range(n_bits):
        if random.random() < error_rate:
            # Channel error or eavesdropper introducing noise
            bob_results.append(random.randint(0, 1))
        elif alice_bases[i] == bob_bases[i]:
            # Same basis: Bob gets the correct bit
            bob_results.append(alice_bits[i])
        else:
            # Different basis: Bob gets a random result
            bob_results.append(random.randint(0, 1))

    # Step 4: Sift -- keep only bits where bases matched (public announcement)
    sifted_alice = []
    sifted_bob = []
    for i in range(n_bits):
        if alice_bases[i] == bob_bases[i]:
            sifted_alice.append(alice_bits[i])
            sifted_bob.append(bob_results[i])

    # Step 5: Error estimation using a sample of sifted bits
    sample_size = len(sifted_alice) // 4
    sample_indices = random.sample(range(len(sifted_alice)), sample_size)
    errors = sum(sifted_alice[i] != sifted_bob[i] for i in sample_indices)
    qber = errors / sample_size  # Quantum Bit Error Rate

    # Step 6: Detect eavesdropping (QBER > ~11% indicates eavesdropping)
    eavesdropping_detected = qber > 0.11

    # Step 7: Remove sample bits, use remainder as raw key
    key_indices = [i for i in range(len(sifted_alice)) if i not in sample_indices]
    alice_key = [sifted_alice[i] for i in key_indices]
    bob_key = [sifted_bob[i] for i in key_indices]

    # Step 8: Privacy amplification via hashing (simplified)
    alice_str = "".join(map(str, alice_key))
    bob_str = "".join(map(str, bob_key))
    alice_final = hashlib.sha256(alice_str.encode()).hexdigest()
    bob_final = hashlib.sha256(bob_str.encode()).hexdigest()

    return alice_final, bob_final, eavesdropping_detected, qber

# Run simulation
alice_key, bob_key, detected, qber = bb84_simulation(n_bits=2000, error_rate=0.03)
print(f"QBER: {qber:.3f}")
print(f"Eavesdropping detected: {detected}")
print(f"Keys match: {alice_key == bob_key}")
print(f"Alice's key (first 32 chars): {alice_key[:32]}")

Twin-Field QKD: Breaking the Distance Barrier

Standard BB84 over fiber has a fundamental range limit. Photon loss in fiber grows exponentially with distance. Quantum repeaters could extend range but are not yet practical. Without repeaters, standard QKD degrades beyond about 200-300km.

Twin-field QKD (TF-QKD), proposed in 2018, overcomes this. Instead of Alice sending photons to Bob, both Alice and Bob send photons toward a central untrusted relay. The relay performs a measurement and announces results. This halves the effective transmission distance: a 600km link becomes two 300km half-links.

Toshiba’s 2021 demonstration achieved:

  • 600km of standard single-mode fiber (no specialty fiber)
  • Key rate of 0.33 bits per second at 600km (sufficient for AES-256 key refresh every few hours)
  • 4.98 bits per second at 400km (sufficient for frequent key rotation)

The 600km distance is significant: it spans London to Paris or New York to Boston, covering the distances between major financial centers that need secure communication.

Commercial Deployment

Toshiba partnered with BT to test QKD on live fiber infrastructure in the UK, including shared fiber already carrying classical internet traffic. The QKD photons and classical data occupy different wavelength channels on the same fiber.

Early commercial contracts focus on financial institutions. The use case is straightforward: QKD continuously generates fresh AES-256 symmetric keys. These keys encrypt communication that is already secured with classical encryption, adding a quantum-physics-backed layer. Even if classical encryption is later broken by a quantum computer, the AES keys were never transmitted over a classically-attackable channel.

QKD vs. Post-Quantum Cryptography

QKD and PQC are complementary, not competing. QKD requires dedicated hardware and fiber infrastructure, making it expensive and geographically limited. PQC is software-only and works on any internet connection.

For the highest-security use cases (inter-datacenter links, government secure communications, financial clearing networks), QKD provides a level of security assurance that PQC cannot match, because its security does not depend on any mathematical assumption that might be broken in the future.

For general internet security, PQC is the practical solution and is already being deployed.

Framework

Toshiba’s QKD hardware uses custom photonics and classical control software. The BB84 simulation above uses only Python’s standard library to illustrate the protocol logic. Real QKD systems require single-photon detectors, precise timing electronics, and low-noise optical fiber.

Learn more: Post-Quantum Cryptography Reference