GB2640973A

GB2640973A - A quantum communication system and method

Info

Publication number: GB2640973A
Application number: GB2406663.1A
Authority: GB
Inventors: F Dynes James; Simpkins Andrew; Ian Woodward Robert; Walk Nathan
Original assignee: Toshiba Corp
Current assignee: Toshiba Corp
Priority date: 2024-05-10
Filing date: 2024-05-10
Publication date: 2025-11-12
Also published as: GB202406663D0

Abstract

A quantum communication system 100 for distributing a quantum key between a first party and a second party. The system comprises a first transmitter 214, a first receiver 222, a second transmitter 224 and a switching assembly comprising optical switches 216 and 226. The switching assembly is switchable between a first configuration and a second configuration. The first configuration is for distributing a quantum key and the second configuration is a testing configuration. In the first configuration the first transmitter and the first receiver are connected by a first optical path 240 and in the second configuration the second transmitter and first receiver are connected by a second optical path which is a trusted channel. The second transmitter and first receiver are under the control of the same party and may be located within a unit 220. A controller may be configured to operate the switching assembly and to randomly switch between the first and second configurations. A second testing configuration may be used that introduces an untrusted section into the second optical path, i.e. a part of the first optical path.

Description

A Quantum Communication System and Method

FIELD

Embodiments described herein relate to a quantum communication system and method.

BACKGROUND

In a quantum communication system, information is sent between a transmitter and a receiver by encoded single quanta, such as single photons. Each photon carries one bit of information which can be encoded upon a property of the photon, such as its polarization, phase etc. Quantum key distribution (QKD) is a technique which results in the sharing of cryptographic keys between two parties: a transmitter often referred to as "Alice"; and a receiver often referred to as "Bob". The attraction of this technique is that it provides a test of whether any part of the key can be known to an unauthorised eavesdropper, often referred to as "Eve". In many forms of quantum key distribution, Alice and Bob use two or more non-orthogonal bases in which to encode the bit values. The laws of quantum mechanics dictate that measurement of the photons by Eve without prior knowledge of the encoding basis of each causes an unavoidable change to the state of some of the photons. These changes to the states of the photons will cause errors in the bit values sent between Alice and Bob. By comparing a part of their common bit string, Alice and Bob can thus determine if Eve has gained information. However, the security of the system relies on the behaviour of the detectors.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic of a quantum communication system in accordance with an embodiment, where the system is configured to allow a quantum key to be distributed; FIG. 2 is a schematic of a quantum communication system of FIG. 1 embodiment, where the system is configured in a testing mode; FIG. 3A is a schematic of a transmitter which may be used in the quantum communication system of the embodiments; FIG. 3B is a schematic of a receiver which may be used in the quantum communication system of the embodiments; FIG. 3C is a schematic of a QKD system using phase encoding; FIG. 4 is a schematic of a detector which may be provided in the receiver of any of the embodiments; FIG. 5 is a schematic of a quantum communication system of FIG. 1, where the system is configured in a variation of the testing mode of FIG. 2; FIG. 6 is a schematic of a quantum communication system of FIG. 1, where the system is configured in a variation of the testing mode of FIGs. 2 and 5; FIG. 7 is a schematic of a quantum communication system in accordance with an embodiment, where the system is configured to allow a quantum key to be distributed and a transceiver is provided as the receiver and transmitter; and FIG. 8 is a schematic of a quantum communication system of FIG. 1, where the system is configured in a testing mode and a transceiver is provided as the receiver and transmitter.

DETAILED DESCRIPTION

In a first aspect, a quantum communication system for distributing a quantum key between a first party and a second party is provided, the system comprising: a first transmitter; a first receiver; a second transmitter; and a switching assembly, wherein the switching assembly is switchable between a first configuration and a second configuration, wherein the first configuration is for distributing a quantum key and the second configuration is a testing configuration, wherein in the first configuration the first transmitter and the first receiver are connected by a first optical path and in the second configuration, the second transmitter and first receiver are connected by a second optical path, the second transmitter and first receiver being under the control of the same party.

Quantum Key Distribution (QKD) is a technology which distributes digital keys where the security stems from monitoring physical effects rather than relying on computational approaches used by conventional key distribution schemes. There are principally two advantages of QKD over conventional key distribution schemes -firstly it enables the detection of an eavesdropper and secondly the security can be quantified. The second feature is realised by a careful implementation of the QKD security protocol on the QKD hardware platform.

The implementation should be close identical to the theoretical protocol otherwise it is possible to open up side-channels which could be exploited by an attacker. For instance, if one considers the single photon detectors used in the QKD receiver they are usually assumed in the QKD protocol to be binary detectors: i.e. when a single photon or more is detected this results in a single click or count However real-world single photons detectors are much more complicated which opens up potential side-channels.

The receiver will comprise detectors which are used to detect single photons. However, the security of the system can be impacted if characteristics of the detectors change over time or change with respect to one another. Also, the presence of an eavesdropper can sometimes be determined from changes in the detector characteristics. For example, InGaAs Geiger gated avalanche photodiodes (APDs), which are almost universally used in practical fibre based QKD systems, can suffer bright light attacks from an attacker taking them away from the (Geiger mode) single photon regime into the linear regime. Then the detector can be manipulated by the attacker to force "clicks" or "no clicks" as they desire and as a result mount a man-in-the-middle attack. In the worst case the attacker can learn the entire contents of the key being distributed without the legitimately communicating parties realising.

The above system allows the photon detector of a system's receiver to be periodically calibrated using another transmitter which is under the control of the same party as the receiver. A switching assembly is provided that allows the system to be switched between a testing mode and a mode for distribution of a quantum key.

In an embodiment, the second optical path is a trusted channel. A trusted channel is a channel where the security of the entire channel can be verified by the same party that control the second transmitter and first receiver. For example, the first receiver and second transmitter may be located within a first unit or node, the second optical path being provided within that unit. In an embodiment, the first unit comprises a transceiver, the transceiver comprising the second transmitter and the first receiver.

In a further embodiment, the switching assembly comprises a first optical switch and a second optical switch, wherein the first optical switch and the second optical switch are switchable between a configuration for distributing a quantum key, a first testing configuration and a second testing configuration, wherein in the first testing configuration the second optical path is trusted by the first party along its length and in the second testing configuration, the second optical path comprises an untrusted section, the untrusted section forming at least a part of the first optical path. The first testing configuration allows calibration of the detector and testing of its characteristics since the link from the transmitter to the receiver is trusted. The second testing configuration allows an untrusted part of the first optical path to be incorporated into the second optical path and to be tested to check for the presence of an eavesdropper.

The above can be extended further such that there are a plurality of optical switches supporting a plurality of testing configurations, wherein each of the plurality of testing configurations introduces a part of the first optical path into the second optical path. This potentially allows many parts of the untrusted part of the link to be tested.

In an embodiment, the system further comprises a controller, the controller is configured to operate the switching assembly to switch between the first configuration and the second configuration. The controller may be configured to operate the switching assembly to randomly switch between the first configuration and the second configuration.

The first transmitter may comprise an intensity modulator. This intensity modulator may be configured to more strongly supress the output of the transmitter in the second configuration when compared to the first configuration.

In an embodiment, the first transmitter comprises an encoder and the second receiver comprises a decoder. The above can be applied to any type of quantum communication system, for example, where the quantum communications system is a discrete variable (DV) QKD system, implementing a protocol such as (but not limited to) BB84, T12 or COW. The quantum communications system may also be a continuous variable (CV) QKD system.

In a further embodiment, the quantum communication system further comprises, a second receiver wherein in the first configuration the second transmitter and the second receiver are connected by a first optical path and in the second configuration, the first transmitter and second receiver are connected by a second optical path, the first transmitter and second receiver being under the control of the same party. Thus, in this arrangement, each party has a transmitter and a receiver under their control. Each party can then connect their own transmitter to their receiver in order to characterise/test their receiver. The provision of both parties having their own transmitter and receiver also allows both transmitters and receivers to be used to distribute the key, thus doubling the transmission rate.

In a second aspect, a method of operating a quantum communication system for distributing a quantum key between a first party and a second party is provided, the quantum communication system comprising: a first transmitter; a first receiver; a second transmitter; and a switching assembly, the method comprising: switching the switching assembly between a first configuration and a second configuration, wherein the first configuration is for distributing a quantum key and the second configuration is a testing configuration, wherein in the first configuration the first transmitter and the first receiver are connected by a first optical path and in the second configuration, the second transmitter and first receiver are connected by a second optical path, the second transmitter and first receiver being under the control of the same party.

The first receiver further comprises at least one detector, the method may further comprise performing measurements in the second configuration to determine at least one of: detector efficiency; dark counts; after pulses; or any other measurement for characterising, calibrating or testing the detector. If more than one detector is present in a receiver, the measurements performed may comprise comparing the characteristics of two detectors in the same receiver.

As noted above, the second optical path may be configured, via the use of the switches to comprises a least part of an untrusted section of the first optical path. This can allow the detection of an eavesdropper attempting to perform a blinding attack on a detector. In such an attack, the bias across a detector is below is breakdown bias.

As noted above, the switching assembly may be configured to switch randomly between the first configuration and the second configuration. In further embodiments, length of time over which a detector may be characterised is set. As capacitive drift may occur in electronics, the testing time may be subdivided to prevent drift. For example, if the test mode is configured to run for a first session with a first time period, the first session may be subdivided into a plurality of sub-sessions with the total duration of the sub-sessions being equal to or greater than the first time period.

Figure 1 shows a QKD system 100 in accordance with an embodiment. The QKD system 100 comprises two QKD transmitters and two QKD receivers.

First (local) transmitter 214 is connected via a first optical path 240 to a first (remote) receiver 222. Second (remote) transmitter 224 is connected via a second optical path 230 to second (local) receiver 212. The first optical path 240 and second optical path may be provided by optical fibres, free space optical paths or a combination of both.

Examples of possible transmitters and receivers will be explained with reference to FIGs. 3A and 3B.

The first optical path 240 passes through first 216 and second 226 optical switches. The first optical switch is configured to have first to fourth ports 251a, 251b, 251c and 251d. The output of first transmitter 214 is provided to the first optical switch 216 port 251a. In the configuration shown in Fig. 1 the first port 251a is connected to the fourth port 251d. Thus the output signal from the first transmitter 214 enters the first switch 216 at the first port 251a and exits the first switch 216 by fourth port 251d.

The second optical switch 226 is configured to have first to fourth ports 253a, 253b, 253c and 253d. The output of the forth port 251d of the first optical switch is then directed towards the second port 253b of the second optical switch 226. In the configuration shown in FIG. 1, the second port 253b of the second optical switch 226 is connected to the third port 253c of the second optical switch 226. Thus, the output signal is received by the second point 253b and output from the third port 253c towards first receiver 222.

The second optical path 230 passes through second 226 and first 216 optical switches. The output of second transmitter 224 is provided to the second optical switch 226 port 253d. In the configuration shown in FIG. 1 this signal is output by first port 253a.

The output of the first port 253a is then directed towards the third port 251c of the first optical switch 216. In the configuration shown in FIG. 1 this signal is output by the second port 251b towards second receiver 212.

In configuration of FIG.1, the first 251a and fourth 251d ports are connected and the second 251b and third ports 251c are connected. However, the first optical switch can be configured in a second configuration which is shown in FIG. 2. Here, the first 251a and second 251b ports are connected and the third 251c and fourth ports 251d are connected. This configuration allows the first transmitter 214 to be connected to the second receiver 212 via third optical path 250.

The first transmitter 214, second receiver 212 and optical switch 216 are shown within box 200 in FIGs. 1 and 2. Box 200 indicates that the first transmitter 214, second receiver 212 and optical switch 216 can be kept within a location allows a trusted link to be formed between the first transmitter 214 and second receiver 212 via the first optical switch 216, since the third optical path 250 remains within a trusted environment. The first transmitter 214, second receiver 212 and first optical switch 216 maybe provided within a single unit or otherwise located that allows their security to be verified along the optical path connecting the first transmitter 214 and second receiver 212. This second configuration allows calibration of the system.

Similarly, in the configuration of FIG.1, in the second optical switch 226, the first 253a and fourth 253d ports are connected and the second 253b and third ports 253c are connected. However, the second optical switch 226 can be configured in a second configuration which is shown in FIG. 2. Here, the first 253a and second 253b ports are connected and the third 253c and fourth ports 253d are connected. This configuration allows the second transmitter 224 to be connected to the first receiver 222 via a fourth optical path 260.

The second transmitter 224, first receiver 222 and second optical switch 226 are shown within box 220 in FIGs. 1 and 2. Box 220 indicates that the second transmitter 224, first receiver 222 and second optical switch 226 can be kept within a location allows a trusted link to be formed between the second transmitter 224 and first receiver 222 via the second optical switch 226. The second transmitter 224, first receiver 222 and second optical switch 226 maybe provided within a single unit or otherwise located that allows their security to be verified along the third optical path 260 connecting the second transmitter 224 and first receiver 222.

A basic quantum communication protocol which uses polarisation will now be explained. This can be used for transmission between a transmitter and a receiver. However, it should be noted that this is not meant as limiting and other protocols could also be used.

Further, the above system could be used with any QKD system and is not limited to uses with polarisation. For example, phase or energy/time based QKD protocols could also be used.

The protocol uses two bases wherein each basis is described by two orthogonal states. For this example, the basis of horizontal/vertical (H/V) and Diagonal/Antidiagonal D/A.

However, the left circularly polarized/right circularly polarized (L/R) basis could also be selected.

The transmitter in the protocol prepares states with one of H, V, D or A polarisation. In other words, the prepared states are selected from two orthogonal states (H and V or D and A) in one of two basis H/V and D/A. This can be thought of as sending a signal of 0 and 1 in one of two basis, for example H=0, V=1 in the H/V basis and D=0, A=1 in the D/A basis. The pulses are attenuated so that they comprise on average, one photon or less. Thus, if a measurement is made on the pulse, the pulse is destroyed. Also, it is not possible to split the pulse.

The receiver uses a measurement basis for the polarisation of a pulse selected from the H/V basis or the D/A basis. The selection of the measurement basis can be active or passive. In passive selection the basis is selected using fixed components, such as a beam splitter. In "active" basis choice, the receiver makes a decision which basis to measure in -e.g. using a modulator with an electrical control signal. If the basis used to measure the pulse at the receiver is the same as the basis used to encode the pulse, then the receiver's measurement of the pulse is accurate. However, if the receiver selects the other basis to measure the pulse, then there will be a 50% error in the result measured by the receiver.

To establish a key, the sender and receiver compare the basis that were used to encoder and measure (decode). If they match, the results are kept, if they do not match the results are discarded. The above method is very secure. If an eavesdropped intercepts the pulses and measures then, the eavesdropper must prepare another pulse to send to the receiver.

However, the eavesdropper will not know the correct measurement basis and will therefore only has a 50% chance of correct measuring a pulse. Any pulse recreated by the eavesdropper will cause a larger error rate to the receiver which can be used to evidence the presence of an eavesdropper. The sender and receiver compare a small part of the key to determine the error rate and hence the presence of an eavesdropper.

Although the above has been described in relation to polarisation this is as an illustration. Other QKD protocols could be used which are based on phase or other systems such as energy/time.

The above QKD requires two channels, a "quantum channel" which is used for the communication of pulses that contain, one average, one photon or less, and a classical channel which is used for discussion of the basis ("sifting"). Also, the classical channel can be used for further communication once the key has been established on the quantum channel. It should be noted that the term "channel" is used to refer to a logical channel.

The quantum and classical channels may be provided within the same physical fibre.

However, for sifting, the classical channel also needs to be authenticated. This means that, without doubt, it can be verified that the classical messages communicated between Alice and Bob were sent by the other party and not tampered with in transit. In other words, this avoids a man-in-the-middle attack. Authentication could be done using public key cryptography (e.g. RSA) or using a pre-shared symmetric key (PSK).

For completeness, it is noted that if two parties share a private key, they can authenticate each other using many different methods. One method involves the use of a message authentication code (MAC).

After the sifting, a small part of the sifted message is compared between Alice and Bob to determine a measure of the error rate. Privacy amplification is then performed to obtain a the QKD key.

Examples of possible receivers and transmitters will be described with reference to FIGs 3A to 3C.

An example of a possible transmitter is shown as 101 in FIG. 3A. The transmitter can be any type of quantum transmitter which is capable of emitting encoded photons. In this particular example, polarisation encoding will be discussed, but any type of encoding could be used, for example phase or other encoding types such as energy/time. In the example of FIG. 3A the transmitter 101 comprises four lasers, 105, 107, 109 and 111 each of which emit horizontally polarized light. The output from laser 105 is provided towards polarisation combining optics 139. The output from laser 107 is provided towards polarisation combining optics 139 via a half wave plate which is configured to convert the horizontally polarized light to diagonally polarized light. The output from laser 109 is provided towards polarisation combining optics 139 via a half wave plate which is configured to convert the horizontally polarized light to vertically polarized light. The output from laser 111 is provided towards polarisation combining optics 139 via a half wave plate which is configured to convert the horizontally polarized light to anti-diagonally polarized light.

Polarisation combining optics allows the different polarisations to be combined into a stream of pulses with randomly varying polarisations. This may be achieved in many different ways. For example, the lasers may be pulsed lasers and a controller (not shown) is provided to randomly select a laser from lasers 105, 107, 109 and 111 to randomly output a pulse such that one pulse at a time reaches the polarisation combining optics. In other embodiments, the polarisation combining optics or a further component may be configured to randomly select the output from one laser or randomly selectively block the output from three lasers to allow for the pulsed output stream. The pulses may be produced by pulses lasers or cw lasers may be used with a further component to chop the output into pulses.

An attenuator (not shown) is then used to attenuate the output of the pulses so that they contain on average less than one photon. Alternatively, single photon emitters can be used instead of lasers 105, 107, 109 and 111.

A simplified form of the receiver is shown in FIG. 3B. The receiver comprises a 50-50 beam splitter 105 which will direct the incoming pulse either along first measurement channel 107 or a second measurement channel 109. Since the pulses contain on average less than one photon, the 50-50 beam splitter 105 will direct the pulse randomly along one of the first measurement channel or the second measurement channel. This has the result of selecting a measurement basis to be the X (D/A) basis or the Z (H/V) basis. The non-polarising beam splitter 105 functions to allow random selection of one of the two bases.

The first measurement channel is for the X basis which corresponds to the D/A bases. Here, a half wave plate 111 is provided to rotate the polarisation by 45 degrees between the two detection branches, i.e. giving the 2 measurement bases X and Z. The output of the half wave plate 111 is then directed towards polarising beam splitter 113. Polarising beam splitter 113 directs pulses with anti-diagonal polarisation towards anti-diagonal detector 115 and pulses with a diagonal polarisation towards diagonal detector 117. Detectors 115 and 117 are single photon detectors, for example avalanche photodiodes.

Pulses directed along the second measurement channel are measured in the Z basis to determine if they are horizontal or vertical. Here, the pulses directed into the second measurement channel are directed toward polarising beam splitter 119 which directs vertically polarised pulses towards detector 121 and horizontally polarised pulses towards detector 123. Again, detectors 121 and 123 are single photon detectors.

If a photon is received which is polarised in the D/A bases and this is randomly sent to be measured in the Z bases along the second management channel 109, one of detectors 121, 123 are likely to register a count However, this result cannot be trusted as a photon received at polarising beam splitter 119 has a 50-50 chance of being directed towards either the vertical or the horizontal detector.

FIG. 3C is a schematic of an example of a receiver and transmitter in a QKD system which operates phase encoding. The transmitter "Alice" 1101 sends encoded photons to receiver "Bob" 1103 over optical fibre 1105. This system is shown to explain the type of receivers and transmitters that can be used for phase encoding. The system can be arranged with two transmitters and two receivers along with optical switches to achieve the arrangements described with reference to FIGS. 1 and 2.

Alice's equipment 1101 comprises a signal laser diode 1107, an hnbalanced fibre asymmetric Mach-Zehnder interferometer (AZMI) 1133 connected to the output of the signal laser diode, an attenuator 1137 connected to the output of the AMZI 1133, a bright clock laser 1102, a wavelength division multiplexing (WDM) coupler 1139 coupling the output from attenuator 1137 and clock laser 1102 and bias electronics 1109 connected to said signal laser diode 1107 and clock laser 1102.

The AZMI 133 comprises an entrance coupler 1130, one exit arm of entrance coupler 1130 is joined to long arm 1132, long arm 1132 comprises a loop of fibre 1135 designed to cause an optical delay, the other exit arm of entrance coupler 1130 is joined to a short arm 1131, short arm 1131 comprises phase modulator 1134 an exit polarising beam combiner 1136 is connected to the other ends of long arm 1132 and short arm 1131. All components used in Alice's AMZI 1133 are polarisation maintaining.

During each clock signal, the signal diode laser 1107 outputs one optical pulse. The signal diode laser 1107 is connected to biasing electronics 1109 which instruct the signal diode laser 1107 to output the optical pulse. The biasing electronics are also connected to clock laser 1102.

The signal pulses are then fed into the AZMI interferometer 1133 through a polarisation maintaining fibre coupler 1130. Signal pulses are coupled into the same axis (usually the slow axis) of the polarisation maintaining fibre, of both output arms of the polarisation maintaining fibre coupler 1130. One output arm of the fibre coupler 1130 is connected to the long arm 1132 of the AZMI while the other output arm of the coupler 1130 is connected to the short arm 1131 of the AZMI 1133.

The long arm 1132 of the AZMI 1133 contains an optical fibre delay loop 1135, while the short arm 1131 contains a fibre optic phase modulator 1134. The fibre optic phase modulator 1134 is connected to biasing electronics 1109. The length difference of the two arms 1131 and 1132 corresponds to an optical propagation delay of tdek". Typically the length of the delay loop 1135 may be chosen to produce a delay t&Iay -5ns. Thus, a photon travelling through the long arm 1132 will lag that travelling through the short arm 1131 by a time of tdel"y at the exit 1136 of the interferometer 1133.

The two arms 1131, 1132 are combined together with a polarisation beam combiner 1136 into a single mode fibre 1138. The fibre inputs of the polarisation beam combiner 1136 are aligned in such a way that only photons propagating along particular axes of the polarisation maintaining fibre, are output from the combiner 1136. Typically, photons which propagate along the slow axis or the fast axis are output by combiner 1136 into fibre 1138.

The polarising beam combiner 1136 has two input ports, an in-line input port and a 900 input port One of the input ports is connected to the long arm 1132 of the interferometer 1133 and the other input port is connected to the short arm 1131 of the interferometer 1133.

In this example, only photons polarised along the slow axis of the in-line input fibre of the in-line input port are transmitted by the polarising beam combiner 1136 and pass into the fibre 1138. Photons polarised along the fast axis of the in-line input fibre of the input port are reflected and lost. Meanwhile, at the 900 input port of the beam coupler 1136, only photons polarised along the slow axis of the 900 input fibre are reflected by the beam combiner 1136 and pass into the output port, while those polarised along the fast axis will be transmitted out of the beam combiner 1136 and lost This means that the slow axis of one of the two input fibres is rotated by 900 relative to the output port Alternatively, the polarisation may be rotated using a polarisation rotator (not shown) before one of the input ports of the polarising beam combiner 1136.

Thus, photon pulses which passed through the long 1132 and short arms 1131 will have orthogonal polarisations. The signal pulses are then strongly attenuated by the attenuator 1137 so that the average number of photons per signal pulse p <<1.

The signal pulses which are outputted by the combiner 1136 into single mode fibre 1138 are then multiplexed with a bright laser clock source 1102 at a different wavelength using a WDM coupler 1139. The multiplexed signal is then transmitted to the receiver Bob 1103 along an optical fibre link 1105. The biasing electronics 1109 synchronises the output of the clock source 1102 with the signal pulse.

Bob's equipment 1103 comprises WDM coupler 1141, a clock recovery unit 1142 connected to an output of coupler 1141, an AZMI 1156 connected to the output of output coupler 1141, two single photon detectors A 1161, B 1163 connected to the output arms of AZMI 1156 and biasing electronics 1143 connected to the detectors 1161, 1163. Bob's interferometer 1156 contains an entrance polarising beam splitter 1151 connected to both: a long arm 1153 containing a delay loop 1154; and a short arm 1152 containing a phase modulator 1155. The long arm 1153 and short arm 1152 are connected to an exit polarisation maintaining 50/50 fibre coupler 1158. All components in Bob's AZMI 1156 are polarisation maintaining.

Bob first de-multiplexes the transmitted signal received from Alice 1101 via fibre 1105 using the WDM coupler 1141. The bright clock laser 1102 signal is routed to an optical receiver 1142 to recover the clock signal for Bob 1103 to synchronise with Alice 1101.

The signal pulses which are separated from the clock pulses by WDM coupler 1141 are fed into a polarisation controller 1144 to restore the original polarisation of the signal pulses. This is done so that signal pulses which travelled the short arm 1131 in Alice's interferometer 1133, will pass the long arm 1153 in Bob's AZMI 1156. Similarly, signal pulses which travelled through the long arm 1132 of Alice's AZMI 1133 will travel through the short arm 1152 of Bob' interferometer.

The signal then passes through Bob's AZMI 1156. An entrance polarising beam splitter 1151 divides the incident pulses with orthogonal linear polarisations. The two outputs of the entrance polarisation beam splitter 1151 are aligned such that the two output polarisations are both coupled into a particular axis, usually the slow axis, of the polarisation maintaining fibre. This ensures that signal pulses taking either arm will have the same polarisation at the exit 50/50 polarisation maintaining coupler 1158. The long arm 1153 of Bob's interferometer 156 contains an optical fibre delay loop 1154, and the short arm 1152 contains a phase modulator 1155. The two arms 1152, 1153 are connected to a 50/50 polarisation maintaining fibre coupler 1158 with a single photon detector A 1161, B 1163 attached to each output arm.

Due to the use of polarising components, there are, in ideal cases, only two routes for a signal pulse travelling from the entrance of Alice's AZMI to the exit of Bob's AZMI: Alice's Long Arm 1132-Bob's Short Arm 1152 (L-S) and ii. Alice's Short Arm 1131-Bob's Long Arm 1153 (S-L).

By controlling the voltages applied to their phase modulators 1134, 1155, Alice and Bob determine in tandem whether paths (i) and (ii) undergo constructive or destructive interference at detectors A 1161 and B 1163. Thus, in the same way as described above for polarisation encoding, basis may be decided between Alice and Bob to allow the transmission of a key, for example Alice may set the voltage on her phase modulator to one of four different values, corresponding to phase shifts of 00, 90., 180°, and 270°. Phase 0. and 180. are associated with bits 0 and 1 in a first encoding basis, while 90. and 270.

are associated with 0 and 1 in a second encoding basis. The second encoding basis is chosen to be non-orthogonal to the first. The phase shift is chosen at random for each signal pulse and Alice records the phase shift applied for each clock cycle.

Meanwhile Bob randomly varies the voltage applied to his phase modulator between two values corresponding to 0. and 90.. This amounts to selecting between the first and second measurement bases, respectively. Bob records the phase shift applied and the measurement result (i.e photon at detector A 161, photon at detector B 163, photon at detector A 161 and detector B 163, or no photon detected) for each clock cycle. The above has referred to the BB84 protocol, but other protocols could be used.

In the above systems, the integrity of the single photon detectors contributes to the security of the system.

One possible type of single photon detector is a single photon avalanche diode (SPAD) which is based on an avalanche photodiode (APD).

FIG. 4 is a schematic of a SPAD 1 and its operating circuit. SPADs are photodiodes which comprise a p-n junction. The p-n junction can be illuminated with ionizing radiation. The p-n junction in the SPAD is operated at a high reverse bias which allows impact ionisation to occur which allows an avalanche current to develop. A large avalanche of current carriers grows exponentially and can be triggered from as few as a single photon-initiated carrier. A SPAD is able to detect single photons providing short duration trigger pulses that can be counted. These pulses are often referred to as "clicks" and this mode of operation for the SPAD 1 is termed "Geiger mode". In the arrangement of FIG. 4, the SPAD 1 is reverse biased using biasing circuit 3 which is connected to the avalanche photodiode. The SPAD 1 is connected to ground through a sensing resistor 5.

The transient voltage across this sensing resistor 5 is measured through circuit 7 which is connected between the SPAD 1 1 and the sensing resistor 5.

For single photon detection, the biasing circuit 3 is set so that the SPAD 1 is biased above its breakdown voltage. In this state, a single photon incident on SPAD 1 has a finite probability to induce an avalanche multiplication of the single photon induced charge, producing a macroscopic current This transient avalanche current is sensed as the voltage drop through sensing resistor 5. The transient voltage is then discriminated in the discriminator 6 against a predetermined voltage level, the discrimination level. When this discrimination level is overcome by the transient voltage, the discriminator outputs a well-defined electrical signal, for example, often as a TTL pulse, to feed the detector output, indicating a detection event Once a detection event registered, the avalanche current is quenched by bring the SPAD bias below the SPAD breakdown voltage, after which the SPAD is reset to be single-photon sensitive state. The avalanche quenching can be achieved either passively using a large quenching resistor or actively using the avalanche current to control the SPAD bias.

Alternatively, gated mode can also be used. In gated mode, a SPAD is biased above its breakdown voltage only for a short duration of time, typically a few nanoseconds, by a voltage gate. Outside the gate windows, the SPAD is biased below its breakdown voltage and therefore avalanches are quenched.

Although an avalanche detector is described above, other types of photon detectors could be used, for example, superconducting nanowire detectors which comprise, for example, niobium nanowires as the active detection elements.

The system described with reference to FIGs. 1 and 2, allows the characteristics of the detector to be monitored since a detector can be directly connected to a transmitter over a trusted link. The transmitter and the receiver sre both controlled by the same user.

For example, in the system of FIG. 2, the first transmitter 214 is directly connected to the second receiver 212 via a third optical path 250. These both reside within box 200, which indicates that both the first transmitter 214 and the second receiver 212 are under the same control. They may be co-located within a single unit or separated. However, if separated, they are still controlled by a single authority and the security of the link is also monitored by the same authority.

Thus, the authority can be used to precisely control the signals sent to the receiver. This allows the characteristics of the detector to be verified from time to time during the use of the system.

An example of some possible tests are provided below: (i) Detector Efficiency (ii) Dark counts (iii) After pulses (iv) Decoy pulses (v) Vacuum pulses (vi) Comparing characteristics of detectors in the same receiver (i) Detector Efficiency When the signal which is being sent to the detector is known, the detector efficiency can be determined using many different methods.

For example, the receiver is configured to emit pulses and the response of the detector to the pulses is measured. The efficiency being determined by the number of pulses detected by the detector.

When performing this measurement in the testing mode, the attenuation of the transmitter may be increased as the loss in the optical link will be reduced due to the shorter link.

This can be done by providing a variable optical attenuator in the transmitter. For some protocols, a variable optical attenuator is required and therefore, one might be already provided in the transmitter that can be used to attenuate the signal during the second mode.

For example, for a QKD system operating at a clock rate of 1GHz with a default intensity of 0.4 photons per pulse, assuming the internal loss is around 3dB and the detector efficiencies are 15%, then the expected count rate on each detector would be 15Mcps. If this is too high, the attenuation could be increased to reduce the count rate down to, for example, 1.5Mcps with 0.04 photons per pulse.

(ii) Dark Counts Dark counts can be measured by not activating the laser of the first transmitter 214 and counting the number of counts registered by the detector 212.

A high number of dark counts can indicate a problem with the detector.

(iii) Afterpulsing Single photon detector afterpulsing occurs when a detector registers two temporally separated pulses after receiving just one pulse.

The detector can be tested by sending pulses which are temporally separated to allow for afterpulses to occur and determining from the detector if afterpulses occur. For example, 1 optical pulse could be sent every 64ns. This can be achieved by using an intensity modulator (IM) to suppress some pulses. IMs are required for some protocols, for example, decoy based QKD schemes. Therefore, they are already present in many transmitters. In a further embodiment, the laser is switched off for a period of time, for example, the laser may be switched off every 63 ns and switched back on every 64 ns.

(iv) Decoy Pulses Decoy state protocols greatly improve the security of QKD. In a decoy state protocol, states, decoy states are prepared which, typically, have a lower intensity than the states sent to distribute the key. The sending of these decoy states makes it easier to spot the presence of an eavesdropper, especially one that is performing a photon number splitting attack. However, the security of decoy state protocols depends on being able to accurately measure the reception of decoy pulses (that contain the decoy states).

If the reception of decoy states for calibration and testing is performed over an untrusted link, then an eavesdropper can affect the calibration measurements of the decoy state protocol and thus substantially impact the security of the protocol. However, the testing configuration allows the decoy pulses to be characterized and measured over a trusted link. Thus, during testing, the pulses can be divided into subsets of standard pulses and decoy pulses, where the decoy pulses are weaker than the test pulses. For example, the decoy pulses may have an intensity which is of the order of 4 (or 6dB) of the test pulses.

In some embodiments, a plurality of intensities will be used for decoy pulses. To ensure the security of a decoy state protocol, an exact measurement of the ratio of the intensities of the signal pulses to the decoy pulses is required. The use of the test configuration allows the exact ratio of the signal pulses to the decoy pulses to be measured, safe in the knowledge that an eavesdropper cannot interfere in the calibration.

The test configuration allows the signal pulses and the decoy pulses to be measured with the same detector.

(v) Vacuum pulses Vacuum pulse protocols are similar to decoy state protocols, but use much weaker decoy states. Vacuum pulses have an intensity of at least a factor of 100 (approx. 20dB) smaller than that of the signal pulses. In some embodiments, vacuum pulses can be generated using an intensity modulator with a suitable extinction ratio.

As with the above described decoy states, the sending of vacuum states makes it easier to spot the presence of an eavesdropper, especially one that is performing a photon number splitting attack. However, the security of a protocol using vacuum states depends on being able to accurately measure the reception of vacuum pulses (that contain the vacuum states).

If the reception of vacuum states for calibration and testing is performed over an untrusted link, then an eavesdropper can affect the calibration measurements of the vacuum states and thus substantially impact the security of the protocol. However, the testing configuration allows the vacuum pulses to be characterized and measured over a trusted link. Thus, during testing, as above for decoy states. the pulses can be divided into subsets of signal pulses and vacuum pulses. To ensure the security of a protocol using vacuum states, an exact measurement of the ratio of the intensities of the signal pulses to the vacuum pulses is required. The use of the test configuration allows the exact ratio of the signal pulses to the vacuum pulses to be measured, safe in the knowledge that an eavesdropper cannot interfere in the calibration.

The test configuration allows the signal pulses and the vacuum pulses to be measured with the same detector and thus extra detectors are not required.

(vi) Comparing characteristics of detectors in the same receiver It is also possible to check if the count rates of detectors located in the same receiver are similar. If the count rate on two detectors in the same receiver was imbalanced the output from one detector would dominate. The receiver described with reference to FIG. 3B has 4 detectors. If one of detectors 115 and 117 was not working, then there is a risk that the key (in the X basis) would just be all l's or 0's. Further, if detectors 121 and 123 of FIG. 3B have lower count rates than detector 115 and 117, the one basis would dominate. As described above, the receiver of FIG. 3B is one example of a receiver where the measurement basis is passively determined. Receivers that use active basis selection may have just two detectors. Where, just two detectors are present, an imbalance in the detector efficiencies will result in a key which is dominated by the more efficient detector, i.e. the key will be dominated by l's or 0's.

The test mode allows periodic checking to ensure that both detectors have the same or at least similar count rates periodically. Asymmetric count rates may be caused by many different factors, for example drift of the electronics due to the environment temperature changing or possibly an eavesdropper.

The test mode allows a complete characterization of the first transmitter and second receiver running QKD. The performance and statistics of detection as described above during this session could provide valuable information to assess if the system is working optimally. This information can then be used for user information, for automatic retuning or for reporting to service teams to assist with product support / maintenance. In further embodiments, the standard deviation for received pulses should be less than or equal to 10% of the mean value.

The above has describe the test mode between the first transmitter 214 and the second receiver 212 which is controlled by optical switch 216. However, the above tests can also be run between the second transmitter 222 and first receiver which are connected via optical switch 226. The characterizing of the first transmitter 214 and second receiver 212 pair may be performed at the same time as the characterization of the second transmitter 224 and first receiver 222 pair.

After the test mode of FIG. 2, the switches 216 and 226 can be reconfigured to restore QKD mode which is shown in FIG. 1. If the detector parameters are found out of an acceptable range, then the QKD protocol can be aborted. For example, if the dark count is too high, if the efficiency of the detectors is too low, the afterpulsing of a detector is too high or the detector characteristics between two detectors in the receiver diverge. In an embodiment, the drift in the parameters is too high or too low if at least one of the following is detected: the drift in efficiency is equal to or greater than 10%; the drift in the level of dark counts is equal to or more than 15%; or the drift in the after pulse level is equal to or greater than 15%.

Typical response times of optical switches 216 and 226 are around 1 millisecond. For a detector efficiency of 15% without additional attenuation, the integration time for the calibration can be as short as a few tens of milliseconds. High speed switches with response times of the order 1ns can also be used.

As mentioned above, the detector parameters can be affected by the environment. However, they can also be affected by an eavesdropper. For example, a third party can control the SPAD detector using the so-called "blinding attack". In this attack, a detector within a receiver is blinded by a continuous beam of light and this causes the bias across the detector to fall so that the detector is below its breakdown bias. In the blinding regime, the SPAD no longer produces a macroscopic avalanche pulse for a single incident photon. The optical power for blinding ranges from a few nanowatts to a few milliwatts, depending the detector circuit configuration and the type of the SPAD.

Although macroscopic avalanches do not occur in the blinding state, the SPAD continues to be optically responsive to the incident optical illumination, converting the optical illumination into a photocurrent output with a finite gain. When the detector is in this state, a strong pulsed radiation can stimulate a transient current pulse which simulates a single-photon avalanche signal. Therefore, a third party (Eve) can send a pulse of radiation to force a detection click in the detector.

This attack can affect the characteristics of the detector in a persistent manner that can be detected by intermittent testing of the detectors.

A variation on the configuration of the first 216 and second 226 optical switches of FIG. 1 and FIG. 2 is shown in FIGs. 5 and 6. The configurations of FIGs. 5 and 6 are variations of the test mode of FIG. 2 and allow the integrity of the untrusted part of an optical path to be verified and hence can be used to directly detect a blinding attack.

To avoid any unnecessary repetition, like reference numerals will be used to denote like features. In the arrangement of FIG 5, the first transmitter 214 is connected to the second receiver 212 via fifth optical path 270. To provide the fifth optical path 270, the switch 216 has the same configuration as described with reference to FIG 1. However, the configuration of the second switch 226 is identical to the configuration disclosed in relation to FIG 2. This means, that the output signal of the first transmitter 214 passes through the first optical switch 216 to the second optical switch, 216. However, at the second optical switch 226, the signal is directed back towards the first optical switch 216 and then into the second receiver 212. This means that the integrity of the untrusted section of the optical path 270 can be verified. This is because the same trusted authority controls the first transmitter 214 and also the second receiver 212. Therefore, the output expected at the second receiver 212 is known. If there is an eavesdropper which tries to initiate a blinding attack, their presence will be detected since they will influence the second receiver 212 as described above.

In the arrangement of FIG 5, the second transmitter 224 is connected directly to the first detector 222 via the sixth optical path 280 which passes through second optical switch 226. This means that the first detector 222 can be calibrated in the same way as described above.

It is also possible to rearrange the configuration as shown in FIG 6. Here, the second transmitter 224 is connected to the first receiver 222 via seventh optical path 290. The seventh optical path 290 passes through the second optical switch 226 and the first optical switch 214. This means that the trusted authority that controls the first receiver 222 and second transmitter 224 can also verify the untrusted part of the optical path 290 as described above. In this configuration, the first transmitter 214 is directly connected to the second receiver 212 via eighth optical path 295 which passes through optical switch 216 which allows direct calibration of the second detector 212.

The test mode can be implemented during system start-up and then at periodic intervals. The test mode could also be made available on-demand for the quantum communications' systems users. In an embodiment, the communication system switches to test mode intermittently from QKD mode. For example, the test mode can be randomly interspersed throughout the QKD session.

The balance between running the system in the test mode and operational mode can be tweaked to improve the operation of the system. As explained above, the test mode can be interspersed between QKD modes.

For example, it is determined to run the system in test mode for a certain percentage of time of the QKD mode. In an example, this could be10%, for example 2Ons every 200ns, then a block of 20 clocks would be in test mode with the optical switch being set to the test state. Thus, for example, for a clock rate of 1GHz where each clock width is fns, 20 blocks will be 2Ons and the remaining 180 will be QKD High speed GHz electronics can be subject to capacitive drift if left in the same mode for a long time. Capacitive drift is not desirable as it would lead to changing optical losses through the optical switch 216 which could affect the photon flux calibration. Therefore, in some embodiments, the duration of each test mode could be reduced while still satisfying a certain percentage of the QKD mode. For example, instead of 20ns of test mode being provided every 200ns of QKD mode, 20x lns test states could be distributed among the full 200ns which would provide many transitions and keep any DC drift to a minimum.

The test mode may also be randomly dispersed throughout the QKD mode. If the test mode is randomly dispersed throughout the QKD mode, an Eavesdropper will not know when to launch hacking attacks. A hacking attack, such as a blinding attack sent during a test mode will have no effect.

If the test mode which is explained with reference to either of FIGs. 5 and 6 is randomly deployed during a QKD session, the presence of a blinding attack can be determined as the eavesdropper will not know when the test mode is being used. Therefore, injection of light by the eavesdropper will be noticed.

If during the test mode of operation and the vacuum count rate is above a pre-set threshold, then the system can raise an alarm. Equally checking (in the test mode) the efficiency of the detector with random signal pulses (again easily implemented with an IM already included in the system) would verify that the detector is still working in the single photon regime. It should be noted that that the switches have intrinsic loss on a per-port basis and this will be factored into any calibration algorithm.

In an embodiment, the first 216 and second 226 optical switches have isolation such that when in the QKD mode of operation (FIG. 1) they do not leak too much light from first transmitter to the second receiver and from the second transmitter to the first receiver into the adjacent Bob. They should also have enough isolation to guarantee that if the untrusted optical channel is being interfered with, the light from this should not leak into Bob during the calibration mode of operation. There is often an interplay between the optical isolation and the switching speed.

For the QKD mode of operation, the amount of isolation comes down to the maximum range or loss of the QKD system specification. For a 35dB untrusted optical link loss (175km range), then an isolation 30dB greater than this so in total > 65dB would be suitable. This should lead to a negligible increase in quantum bit error rate (QBER) at the furthest distances (since we want the two QKD systems to only leak an amount less than the expected number of correct counts). For lower losses, lower isolation values can be used.

For the test mode of operation, the minimum isolation is dependent on the optical power an attacker injects into the untrusted optical link. However, this can be somewhat bounded by using the laser damage threshold of single mode optical fibre. This was explored in Lucamarini et al. [Practical security bounds against the Trojan-Horse attack in quantum key distribution, Phys. Rev X S, 031030 (2015)]. In that paper an upper bound, based on experiments of damaging optical fibre was 102ophotons / second. This upper bound can be used to estimate the amount of light leakage though the optical switches from an attacker using such powers.

If the 65dB taken from the discussion in the above paragraph is used, then this corresponds to around 10-6W after the switch at a wavelength of 1550nm. This power is well below any blinding threshold for single photon detectors based on avalanche photodiodes. Furthermore, if the receivers are equipped with a so-called "watchdog photodiode detector" this excess light can be detected and then acted upon. In reality, the optical switch will have a lower laser damage threshold, usually 500mW. Using this as an upper bound and the same isolation value of 65dB, then the power after the optical switch will be ten times lower at around 10-7W.

The above have been described referring to pulse counting when investigating the operation of a detector. However, in other embodiments, the system is used with continuous wave (CW) protocols.

A further embodiment is shown in FIGs 7 and 8, here instead of a separate receiver and detector provided at a local and a remote connection, a first transceiver based QKD unit 310 is provided which incorporates the functions both the first transmitter 214 and the second receiver 212. By transceiver based, each QKD unit contains an Alice and Bob. This means that the box 310 represents the physical boundary of the each QKD unit. In an embodiment, and as shown here, the first optical switch 216 is incorporated inside the QKD unit 310 rather than having to be externally sited. In this embodiment a second transceiver based QKD unit 320 is also provided. The second QKD unit 320 comprises the second transmitter 224 and the first receiver 222. Similarly, in an embodiment, the second optical switch 226 is also part of the second QKD unit. The first 310 and second 320 QKD units perform in exactly the same manner as described with reference to FIGs. 1 and 2. To avoid any unnecessary repetition, like reference numerals will be used to denote like features. The optical switches in the QKD units may also be configured to provide the arrangement of FIGs. 5 and 6. In other embodiments, the QKD system is provided by one of the QKD units 310, 320 and a separate transmitter and receiver pair of the types described with reference to FIGs. 1 and 2.

The above embodiments provide direct calibration of the single photon detectors within a user's trusted security perimeter. This is akin to factory calibration but can instead be carried out in the field and in real time. The above embodiments rely on optical switch technology which is readily available. This can either be in the form of a standalone optical switch used at the same node as the QKD units or in the case of a QKD transceiver the optical switch can be incorporated inside the QKD unit, making the approach self-contained. Apart from the addition of an optical switch, no extra hardware is required.

The above embodiments provide a method for characterizing, testing or calibrating detectors which do not require additional components within the detector or receiver which could potentially cause losses during operation. Further, the system can pick up sophisticated attacks with tailored light over short intervals. It is also potentially vulnerable to laser damage attacks, possibly making the approach unusable.

While the above has largely focussed on QKD systems with InGaAs single photon detectors, any other type of QKD system which uses single photons detectors can still be vulnerable to attack from an adversary. These include, but are not limited to, avalanche photodiodes based on silicon or germanium, superconducting single nanowire detectors, superconducting transition edge sensor detectors, frequency upconversion detectors, visible-light photon counters and quantum dot based detection technology. For continuous variable (CV) QKD systems, there is still a need to calibrate the (homodyne) detectors even though they are not single photon sensitive. Therefore, the above system can also be used by CV QKD systems.

The above embodiments provide a solid countermeasure to any attacks on the single photon detectors in a QKD system. Furthermore, the above embodiments are becomes more and more practical when the number of QKD units at a given node increases. When building QKD networks at least a few QKD units are expected to be provided at any given node. With proper design considerations, this means there can be a mix of transmitters and receivers at the same physical location. These can be used to perform single photon detector calibration locally inside the node without needing to go outside the secure perimeter of the node.

Whilst certain embodiments have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the inventions. Indeed, the novel devices, and methods described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the devices, methods and products described herein may be made without departing from the spirit of the inventions. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the inventions.

Claims

CLAIMS: 1. A quantum communication system for distributing a quantum key between a first party and a second party, the system comprising: a first transmitter; a first receiver; a second transmitter; and a switching assembly, wherein the switching assembly is switchable between a first configuration and a second configuration, wherein the first configuration is for distributing a quantum key and the second configuration is a testing configuration, wherein in the first configuration the first transmitter and the first receiver are connected by a first optical path and in the second configuration, the second transmitter and first receiver are connected by a second optical path, the second transmitter and first receiver being under the control of the same party.
2. A quantum communication system according to claim 1, wherein the first receiver and second transmitter are located within a first unit
3. A quantum communication system according to claim 2, wherein the first unit comprises a transceiver, the transceiver comprising the second transmitter and the first receiver.
4. A quantum communication system according to claim 1, wherein the second optical path is a trusted channel.
5. A quantum communication system according to any of claims 1 to 3, wherein the switching assembly comprises a first optical switch and a second optical switch, wherein the first optical switch and the second optical switch are switchable between a configuration for distributing a quantum key, a first testing configuration and a second testing configuration, wherein in the first testing configuration the second optical path is trusted by the first party along its length and in the second testing configuration, the second optical path comprises an untrusted section, the untrusted section forming at least a part of the first optical path.
6. A quantum communication system according to any of claims 1 to 3, comprising a plurality of optical switches supporting a plurality of testing configurations, wherein each of the plurality of testing configurations introduces a part of the first optical path into the second optical path.
7. A quantum communication system according to any of claims 1 to 5, further comprising a controller, the controller being configured to operate the switching assembly to switch between the first configuration and the second configuration.
8. A quantum communication system according to claim 7, wherein the controller is configured to operate the switching assembly to randomly switch between the first configuration and the second configuration.
9. A quantum communication system according to any preceding claim, wherein the first transmitter comprises an intensity modulator.
10. A quantum communication system according to claim 9, wherein the intensity modulator is configured to more strongly supress the output of the transmitter in the second configuration when compared to the first configuration.
11. A quantum communication system according to any preceding claim, wherein the first transmitter comprises an encoder and the second receiver comprises a decoder.
12. A quantum communication system according to any preceding claim, further comprising, a second receiver wherein in the first configuration the second transmitter and the second receiver are connected by a first optical path and in the second configuration, the first transmitter and second receiver are connected by a second optical path, the first transmitter and second receiver being under the control of the same party.
13. A method of operating a quantum communication system for distributing a quantum key between a first party and a second party, the quantum communication system comprising: a first transmitter; a first receiver; a second transmitter; and a switching assembly, the method comprising: switching the switching assembly between a first configuration and a second configuration, wherein the first configuration is for distributing a quantum key and the second configuration is a testing configuration, wherein in the first configuration the first transmitter and the first receiver are connected by a first optical path and in the second configuration, the second transmitter and first receiver are connected by a second optical path, the second transmitter and first receiver being under the control of the same party.
14. A method according to claim 13, wherein the second optical path is a trusted channel.
15. A method according to claim 14, wherein the first receiver further comprises at least one detector, the method further comprising performing measurements, in the second configuration, to determine at least one of: detector efficiency; dark counts; and after pulses.
16. A method according to claim 13, wherein the first receiver further comprises a plurality of detectors, the method further comprising: performing measurements, in the second configuration, to determine at least one of detector efficiency; dark counts; after pulses; intensity ratio of decoy pulses to signal pulses; intensity ratio of vacuum pulses to signal pulses; and comparing the characteristics of receivers within the same detector.
17. A method according to claim 13, wherein the second optical path comprises a least part of an untrusted section of the first optical path.
18. A method according to claim 17, wherein the first receiver further comprises at least one detector, the method further comprising performing in the test configuration whether a bias across a detector is below is breakdown bias.
19. A method according to any of claims 13 to 18, wherein the switching assembly switches randomly between the first configuration and the second configuration.
20. A method according to any of claims 13 to 19, wherein the test configuration is configured to run for a first session with a first time period, and the first session is subdivided into a plurality of sub-sessions with the total duration of the sub-sessions being equal to or greater than the first time period.