\documentclass[11pt,a4paper,notitlepage,twoside]{report}
\usepackage[ngerman, english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry}
\usepackage[T1]{fontenc}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{extdash}
\usepackage{amsthm}
\usepackage{mwe}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\usepackage{setspace}
\usepackage{titlesec}
\usepackage{fancybox}
\usepackage{fancyhdr}
\usepackage[binary-units,per-mode=fraction]{siunitx}
\usepackage[hidelinks]{hyperref}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{etoolbox}
\usepackage{catchfile}
\usepackage{minitoc}
\usepackage{minted} % pygmentized source code
%\usepackage[pdftex]{graphicx,color}
%\usepackage{showframe} % Useful for page layout debugging

\DeclareSIUnit{\baud}{Bd}

\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}

\usepackage[
    backend=biber,
    style=numeric,
    natbib=true,
    url=false, 
    doi=true,
    eprint=false,
    ]{biblatex}
\addbibresource{../main.bib}
\DeclareSourcemap{
    \maps[datatype=bibtex]{
        \map{
            \step[fieldsource=doi,final]
            \step[fieldset=isbn,null]
            \step[fieldset=issn,null]
            \step[fieldset=url,null]
        }
        \map{
            \step[fieldsource=isbn,final]
            \step[fieldset=issn,null]
            \step[fieldset=url,null]
        }
    }
}

\renewcommand{\thesection}{\arabic{section}}
\renewcommand{\thesubsection}{\arabic{section}.\arabic{subsection}}
\renewcommand{\thesubsubsection}{\arabic{section}.\arabic{subsection}.\arabic{subsubsection}}

% Re-define heading formats to force single line spacing
\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{}
\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesubsection}{1em}{}
\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesubsubsection}{1em}{}

\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\definecolor{todoboxcolor}{RGB}{251 224 252}

\pagestyle{fancy}

\fancyhead[C]{}
\fancyhead[ER]{\footnotesize%
    \ifdefined\thesispreviewmode %
        (draft \texttt{\input{version.tex}\unskip}) %
    \fi %
\leftmark}
\fancyhead[OL]{\footnotesize\rightmark}
\fancyhead[EL,OR]{\thepage}

\fancyfoot[LCR]{}

\fancypagestyle{plain}{%
    \fancyhf{}%
    \renewcommand{\headrulewidth}{0pt}%
    \renewcommand{\footrulewidth}{0pt}%
}

\raggedbottom

\renewcommand{\chaptermark}[1]{\markboth{Chapter \thechapter: #1}{}}
\renewcommand{\sectionmark}[1]{\markright{\thesection\ #1}}
\addtolength{\headwidth}{\marginparsep}
\addtolength{\headwidth}{\marginparwidth}
\addtolength{\headwidth}{-1cm}

\newcommand{\todo}[1]{
    \ifdefined\thesispreviewmode
    \marginpar{
        \setlength{\fboxsep}{2mm}
        \shadowbox{
            \parbox{3cm}{
                \singlespacing
                \raggedright
                \textsf{
                    \small\textbf{To do}\\
                    \footnotesize#1
                }
            }
        }
    }
    \fi
}

\newcommand{\todoplaceholder}[1]{\textbf{TODO}\todo{#1}}

% https://tex.stackexchange.com/questions/30720/footnote-without-a-marker
\newcommand\blfootnote[1]{%
  \begingroup
  \renewcommand\thefootnote{}\footnote{#1}%
  \addtocounter{footnote}{-1}%
  \endgroup
}

\newcommand{\figurepath}{figures}
\graphicspath{{\figurepath}}
\newcommand{\figureattrib}[1]{%
    \input{\figurepath/#1.latex_meta} %
    \scriptsize
        \ifdefined\thesispreviewmode\resourcestate\ \resourcescale\\\fi%
        Resource: %
        \texttt{\resourcerepo/\resourcepath} %
        rev \texttt{\resourcerev} %
        (\underline{\href{\resourceurl}{link}})%
}

\newcommand{\draftgraphics}{\ifdefined\thesispreviewmode\textcolor{red}{\bfseries Not final graphics. }\fi}
\newcommand{\camerareadygraphics}{\ifdefined\thesispreviewmode Camera-ready graphics. \fi}
\newcommand{\scaledgraphics}[1]{\ifdefined\thesispreviewmode scaled-#1\else#1\fi}

\newcommand{\imgsource}[4]{\scriptsize%
    Image source: #1, #2 (\underline{\href{#4}{link}}). %
    Licensed #3.}

\hyphenation{a-me-na-ble}

\begin{document}
\dominitoc
\faketableofcontents

\chapter{Physical Security in Quantum Key Distribution}
\ifdefined\thesispreviewmode
{\Large \textbf{Draft build}, git revision \texttt{\input{version.tex}}}
\fi
\minitoc
\newpage
\setstretch{1.3}

\section{Cryptography in the Age of Quantum Computers}

For a decade or two now, Quantum Computing has been creating a buzz that nobody in Computer Science and adjacent fields
could evade. Originating in the 1980ies as a highly academic fusion applying concepts from Computer Science in Quantum
Physics, \todo{Add citation on QKD origins} its concepts have long found their way into popular science articles.
Quantum Computing encompasses a model of computation that is fundamentally different from the \emph{classical}\footnote{
    In Quantum Computing, the term \emph{classical} is used as the complement of \emph{quantum}, and refers to the
    digital computers we know and (sometimes) love. This terminology stems from the distinction between classical and
    quantum physics.} digital circuits that underly all of modern computing. While at first this might seem like a step
backwards into the era of early 1900s analog computing,\todo{Add citation on early analog computing}
the capabilites of a future quantum computer promise to far outpace those of contemporary classical computers. Key to
this improved processing capability is a property called \emph{Quantum Parallelism}. What this refers to is the fact
that a quantum computer's internal state can simultaneously represent a multitude of states of a classical, digital
computer, and the quantum computer can operate on all those states at once using a single quantum operation.

Applying Quantum Parallelism to practical problems is far more complicated than, e.g., translating a digital circuit
solving some equation to a quantum circuit, but for certain problems we already know \emph{quantum algorithms} that
for large inputs solve these problems much faster than any classical computer ever could. Two of these algorithms, one
by Shor and one by Grover \todo{Add citations on Shor's and Grover's algorithm} are what caused most of the buzz around
the field of quantum computing, because they spell trouble for a large part of modern cryptography.

Besides the computational speed-up promised by Quantum Parallelism, there is one more interesting aspect of Quantum
Computing where it radically deviates from classical computing. The reason modern cryptography exists is that when we
transmit (or store!) classical information through some channel (or storage!) that we do not control, there is nothing
we can do to prevent an attacker from reading this information. Even with cryptography we cannot prevent this, but
cryptography gives us tools to very effectively make whatever information the attacker is able to read useless to them.

A basic principle of Quantum Physics is the \emph{No-Cloning Theorem}, which states that it is impossible to create an
identical, independent copy of an arbitrary, unknown quantum state. \todo{Add citation on No-Cloning Theorem}
An implication of this theorem is that when we encode classical information into quantum states in just the right way,
we can make it so that an attacker atttempting to eavesdrop on our quantum information can only actually read this
information by destroying it in the process. This property can be exploited to replace a number of classical asymmetric
primitives in interactive settings, \todo{Add citation on substitution, check if interactive only} the most popular
application of which is replacing an asymmetric Diffie-Hellman key exchange \todo{Add citation on DH-Kex} with a quantum
process called Quantum Key Distribution that yields much of the same properties.

In the past decades, the field of cryptography has been fundamentally shaped by the development of Quantum Computing and
Quantum Key Distribution. However, the popular conception that all of today's cryptography will be broken and that we
have to start from scratch is not accurate. Quantum Computing poses an unique threat to modern cryptography, and Quantum
Key Distribution is a promising new tool, but the practical implications of both are much more subtle than how they may
be portrayed. In the remainder of this chapter, we will look into the practical implications of these quantum
technologies, and we will come to two major conclusions: First, that while the underlying cryptographic primitives will
change, apart from some minor engineering issues cryptography as a whole will remain largely the same. Second, that
while Quantum Key Distribution is hailed as a revolution for network security, its practical advantages will remain far
short of how it is usually conceptualized, and hardware security will assume a pivotal role in the practical security of
Quantum Key Distribution systems that is a stark departure from its relative irrelevance in today's applied
cryptography.

Building on these conclusions, we will end this chapter with a study of a use case that illustrates a practical design
for a secure network employing Quantum Key Distribution. Relying on both established classical and quantum primitives
with known security properties we will elaborate how one can construct a large-scale network from those primitives
that provides practical security to its users that goes beyond the (surprisingly limited) extents of quantum security
proofs.

\subsection{Computational Assumptions and Information\Hyphdash Theoretic Security}
\label{qc_comp_assum}

In the past paragraphs we have briefly mentioned that Quantum Computing provides a significant speed-up that can be
applied to solve many cryptographic problems fast enough for it to become a problem, but we have not elaborated on what
that means in practice. In this section, we will attempt to provide concrete numbers to quantify the threat that both
Shor's and Grover's algorithm pose to modern cryptography.

Shor's algorithm allows for the factorization of large numbers in polynomial time on a quantum
computer, a problem whose hardness (or the hardness of variants of which) is the foundation for the vast majority of
today's asymmetric cryptography.

While Shor's algorithm attacks the foundations of most modern asymmetric cryptography, Grover's algorithm can be applied
to hash functionss and symmetric cryptography. Fundamentally, Grover's algorithm is a search algorithm that allows a
quantum computer to find one target entry out of an \emph{unstructured} list of $N$ source entries in
$\mathcal{O}\left(\sqrt{N}\right)$ time instead of the $\mathcal{O}\left(N\right)$ time that a classical computer would
require for an exhaustive search. Applied to cryptography, we model the key space of a symmetric cipher as the
unstructured list that is input to the algorithm, and set it to search for the key that results in the successful
decryption of a given ciphtertext.

An important nuance applying these algorithms to cryptography is that while both provide significant speed-ups over
classical computers, the speed-up of Shor's algorithm is exponential and effectively breaks most modern asymmetric
cryptography as it erases the asymmetric nature of the underlying mathematical problem's computational complexity. That
is, for an asymmetric cryptosystem susceptible to Shor's algorithm, there is no set of parameters that is large enough
to be safe.

In contrast to this, while Grover's algorithm radically speeds up the breaking of a symmetric cryptosystem, this
speed-up is only quadratic. In practice this means that it halves the security level \todo{definition, citation of
security level} of a given symmetric cipher. While this is bad news for applications that parameterize these symmetric
primitives to a security level at the lower end of what is considered secure today, the advantage provided by Grover's
algorithm can easily be compensated by doubling key size. Longer key sizes require more storage or bandwidth for the
additional bits and result in slightly slower operation of the cipher, but this additional cost is easily manageable
even without any improvement in today's hardware.

\textcite{impagliazzoPersonalViewAveragecase1995} provided a colloquial but useful analysis characterizing the
implications of which kinds of hard problems are solvable in practice, based on the observation that the fact that an
\emph{average} problem out of a class like $NP$ is solvable does not mean that most, or even many \emph{practical}
problems are solvable. \textcite{impagliazzoPersonalViewAveragecase1995} was published after Shor's algorithm was
discovered, and before Grover's algorithm was published. Impagliazzo foresaw that fast quantum algorithms could threaten
public-key security, and their analysis remains relevant facing the outlook of quantum computing today.

Impagliazzo proposes a set of five scenarios that provide increasingly extensive computational hardness properies,
dubbed \emph{Algorithmica}, \emph{Heuristica}, \emph{Pessiland}, \emph{Minicrypt}, and \emph{Cryptomania}. In
Algorithmica, $P = NP$. In Heuristica, $P \ne NP$, but $NP$ problems are only intractable in the worst case, and
tractable on average. In Pessiland, problems exist that are hard on average, but there are no one-way functions and thus
there is no way to efficiently sample solved instances of hard problems.

The next scenario, Minicrypt is frequently cited in cryptographic works. In it, one-way functions exist, but there is no
public key cryptography. Minicrypt aligns well with a world in which fast quantum algorithms exist that solve the
computational problems underlying public-key cryptosystems. Impagliazzo's last scenario is Cryptomania, which extends
Minicrypt with public-key cryptography and aligns with the world view that is commonly assumed in cryptography today.

In Mincrypt, we assume that all computational problems that are amenable to public key cryptography fall. However, it is
not specified \emph{how} specifically this fall will happen---whether it will be classically, or by quantum
algorithms---leading to two sub-variants of the Minicrypt scenario. The pessimistic sub-variant is one where classical
algorithms solving all those problems are discovered. This scenario leads to identical conclusions to those Impagliazzo
drew. However, if we base our Minicrypt assumption instead on the availability of \emph{quantum } algorithms for these
problems, and thus on quantum computers being both powerful enough and generally available, we end up with an
interesting spin on the original Minicrypt scenario that recently has garnered some academic attention, receiving the
name Mini\textbf{Q}Crypt\cite{griloObliviousTransferMiniQCrypt2021, barootiPublicKeyEncryptionQuantum2023}. In
MiniQCrypt, on one hand, conventional public key cryptography falls before quantum computers, but the key observation is
that on the other hand, we can then use those quantum computers to do \emph{quantum} cryptography, re-gaining some of
what we have lost. The (im)possibility results for MiniQCrypt are nuanced, and provide something between the intact
conventional public-key cryptography in Cryptomania, and the total absence of it in classical Minicrypt.

In the discourse on quantum computing and its application to cryptography, it is important to be mindful of which
security notion the authors of some source, or the implementors of some device base their work on. Especially in
academic work, Pessiland assumptions are often implicitly made. In this model, we can use neither public-key nor
symmetric cryptography. In this framework, secret key rate becomes paramount because it is assumed that QKD keys will be
used with an information-theoretically secure encryption scheme, requiring a never-ending secret key stream. Key
expansion functions are based on one-way-functions, which are unavailable here.

While in academic sources Pessiland assumptions are common, commercial systems usually are based on Minicrypt
assumptions. That is, commercial systems propose QKD as an alternative to classical asymmetric cryptography for
cryptographic key exchange, but then continue to use classical symmetric cryptography for purposes such as key
derivation and secret-key encryption. Using a computationally secure key derivation function such as Argon 2, a small,
fixed amount of precious QKD secret key bits can be expanded into a key of almost unbounded length\footnote{Key
derivation functions have limited output size}. Similarly, a
computationally secure symmetric cipher such as AES can be used to encrypt almost arbitrary amounts of data using a
single, short key\footnote{
    We write that the amount of data that can be encrypted with a computationally secure block cipher is only
    \emph{almost} unbounded because the cipher operates on blocks of a fixed, short size and depending on the cipher
    mode, in most applications, collisions of two such blocks enable stochastic \emph{Birthday
    Attacks}\cite{giraultGeneralizedBirthdayAttack1988}. Usually, for a primitive of block size $n\;\unit{\bit}$, an
    amount of $2^\frac{n}{2}$ extracted blocks is used as an upper bound for safe usage. For a cipher using the
    currently common block size of \qty{128}{\bit}, this bound lies at \qty{256}{\exa\byte} of
    data\cite{bhargavanPracticalSecurity64bit2016,}.
}.

\section{The Practical Security Implications of Quantum Computing}
\label{qc-practical-implications}

Given that as of yet, noone has claimed to have a quantum computer powerful enough to pose a threat to current
cryptographic protocols, one may ask the fair question why the possible future development of such a machine would be
consequential for today's cryptographic practice. The answer to this question lies in \emph{Store-Now-Decrypt-Later}
attacks. In such attacks, the attacker records all data transmitted between a cryptographic protocol's parties. The
security of any key exchange protocol rests on a computational hardness assumption about some particular problem. When
this assumption falls, for example because of a powerful quantum computer becoming available, the attacker can then
retroactively break the security of those stored protocol instances and decrypt all traffic.

Modern cryptographic protocols such as TLS or the Signal messenger's key ratchet are designed with facilities to provide
some degree of protection against key compromise called \emph{(Perfect) Forward Secrecy}. Forward Secrecy means that a
compromise of keys at one protocol step will not break the secrecy of past protocol steps. Forward Secrecy is achieved
by repeatedly mixing fresh key material called \emph{Ephemeral Keys} into the protocol's secret state. For a
post-quantum attacker, this implies that to decrypt a run of a forward-secret cryptographic protocol, the quantum
algorithm breaking the protocol's computational assumption must be run a number of times, but this results only in a
linear increase of both protocol and attack complexity, which turns out to no advantage for the defender.

Store-Now-Decrypt-Later attacks are considered a serious threat today based on the stark discrepancy between the
capacity of today's inexpensive storage media, and the comparatively tiny bandwidth of cryptographic protocols in
applications such as \emph{End-To-End-Encrypted} text messaging. A single hard drive can conceivably store years of a
person's encrypted digital communications.

There has been ongoing work on quantum secure cryptographic algorithms, and standardization of several such algorithms
is progressing. However, in the time frame of cryptosystems, these algorithms are still rather young and the recent
discovery of a catastrophic key recovery attack against the Supersingular Isogeny Diffie-Hellman protocol
(SIDH)\cite{castryckEfficientKeyRecovery2023} illustrates the risk in the use of immature cryptographic primitives. Thus,
recommendations on the concrete steps that should be taken today to mitigate Store-Now-Decrypt-Later attacks vary. For
instance, Google's under its threat model as laid out in \textcite{schmiegGoogleThreatModel2024} recommends a list of
quantum secure counterparts to classically secure cryptographic algorithms, but recognizes the relative immaturity of
these quantum secure algorithms and consequently recommends \emph{Hybrid Deployment}, where a young, quantum secure
algorithm is paired with a mature classically secure algorithm such that \emph{both} algorithms would have to be broken
to compromise the composite protocol's security. Given that quantum secure public key cryptography tends to have both a
much larger key and/or ciphertext size and worse performance compared to state-of-the-art Elliptic Curve-based key
exchange or signature algorithms, pairing it with a classically secure alternative incurs only a negligible overhead in
key storage, network communication and computation costs.

\todo{research some more policies.}

\section{The Physics of Quantum Computing}
\todo{missing}

\section{Quantum Key Distribution}

As we discussed in Section \ref{qc_comp_assum}, quantum computers promise novel attacks on many contemporary
cryptographic systems. At the same time, quantum technology also promises new cryptographic primitives that support
security guarantees beyond what can be realized with the best classical computers. The core of this nascent field of
Quantum Cryptography is a set of methods that are collectively called Quantum Key Distribution.

Informally speaking, a Quantum Key Distribution system is a system that distributes a secret key between two\footnote{
    Although the key distribution problem can conceptually be framed for any number $n\ge 2$ of parties, practical
    treatment is almost always limited to the two-party case. In case of QKD, problem instances for $n > 2$ parties can
    trivially be reduced to $(n^2 - n)/2$ invocations of the two-party protocol, combined with any
    information-theoretically secure secret sharing scheme.
} parties such that after a successful execution of the protocol, each of the two parties holds a copy of a randomly
generated secret key, and the probability that an attacker was able to extract some portion of the key during the
protocol's execution can be bounded to some negligible $\epsilon$ by each of the parties.

Quantum Key Distribution provides a similar service as cryptographic key exchange protocols such as the classic
Diffie-Hellman key exchange provide. The core difference between QKD and cryptographic key exchange protocols is that
QKD provides information-theoretic security based on the No-Cloning Theorem, where cryptographic protocols provide only
computational security based on the computational hardness assumption underlying some public-key cryptosystem.

QKD is attractive in that it gives practically useful security guarantees without relying on any computational hardness
assumptions. This way, QKD would remain secure even in a scenario where a hybrid deployment of a classically secure but
mature algorithm paired with a quantum secure but young algorithm as discussed in Section
\ref{qc-practical-implications} poses too much of a risk---a scenario where both large quantum computers arrive and a
flaw in the quantum secure algorithm is found. Note that here, because we assume we have large quantum computers, the
possibility of a flaw in the quantum secure algorithm extends beyond mathematical flaws leading to practical attacks
with classical computers, and includes novel quantum algorithms.

\subsection{Security assumptions in QKD}

While QKD protocols provide information-theoretic security, part of these protocols is always an authenticated channel
that is used by the protocol's parties to exchange information necessary to align both parties' quantum measurements so
that they can reconstruct the same secret key bit stream. In the security model of QKD, this authenticated channel does
some heavy lifting. While the QKD protocol provides key exchange--an asymmetric primitive--based on this authenticated
channel--which in its most simple implementation requires only symmetric primitives, an implementation of QKD using
symmetric primitives such as HMAC or CMAC for the authenticated channel would not achieve information-theoretic
security. To acheive information-theoretic security, the authenticated channel itself must use an
information-theoretically secure authentication method. The issue with that is that information-theoretically secure
authentication methods are (provably)\todo{citation on ``provably''} rather inefficient in their key use. While
symmetric MACs can use a single, short key for a very long time, information-theoretically secure MACs need a continuous
stream of fresh key bits.

In QKD, the authenticated channel can be bootstrapped by taking these MAC key bits from the QKD channel itself. The
disadvantage of doing that is that it consumes a fraction of the system's precious secure key rate. As a consequence, at
this point there is ongoing research\todo{citations on ongoing research} on both systems based on symmetric MACs and
systems using information-theoretically secure MACs, with commercial systems often choosing the
latter\cite{bibakQuantumKeyDistribution2021} owing to the low secure key rates that are the state of the art.
\todo{Finish this section}

\subsection{The Technical Implementation of QKD}

On the technical level, QKD must be distinguished from general Quantum Computing. While QKD systems employ the
No-Cloning Theorem and sometimes quantum entanglement in their operation, the scope of their quantum operations is very
limited. QKD systems always operate on photons, while general quantum computers use a variety of physical
implementations for their qubits that include photons and squeezed light, but extend over atom nuclei, trapped ions,
various aspects of currents in superconducters into phonons\cite{berriosHighFidelityQuantum2012}.

\subsection{Practical Challenges}
\todo{I don't like this paragraph.}
The central challenge in general quantum computers is extending the lifetime of the quantum state encoding a qubit.
Quantum states are extremely sensitive to disturbances, and despite the best efforts to shield their quantum states
against external influence, their lifetime is still inconveniently short compared to the timescales required for quantum
computation, resulting in significant amounts of noise in the output of quantum algorithms run on contemporary quantum
computers. Quantum Key Distribution systems use photons and only perform a handful of operations on each photonic state
between generation and measurement, with the vast majority of the state's lifetime spent in transit between the two
endpoints of the QKD protocol.

While QKD systems are easy to build and operationally robust compared to general quantum computers, at their core they
still exchange information through quantum states that physically need to transit the distance from one endpoint to the
other. For classical computer networks, bridging distances of several hundred kilometers is no big challenge. Using
appropriate high-power transceivers, a single optical link can already bridge upwards of 100km. \todo{Citation on
distance} Longer ranges can easily be achieved by either logically chaining multiple links, or by using optical
amplifiers.

In contrast, the quantum states at the core of QKD systems must necessarily be ``weak''. A single quantum state on the
wire on average must consist of approximately a single photon. If the system's quantum states consisted of more than one
photon carrying the same information, this would enable a \emph{Photon Number Splitting Attack}, in which an attacker
extracts one of the state's photons for later analysis, and forwards the remaining photons to the receiver. The attacker
can then later measure the captured photon to extract the same information that the receiver measured.

The practical implication of this is that the optical brightness of a QKD system is directly proportional to the rate
at which the system can prepare, and later measure the individual quantum states. With today's electronics, rates up to
a few \unit{\GHz} are feasible. Alas, this brightness limit interacts poorly with the reality of optical communication,
especially through fibers. Even modern, high-quality fiber-optic cables have attenuation in the order of
\qty{0.5}{\dB\per\km},
which corresponds to roughly half of the signal being lost every \qty{5}{\km}. In classical optical networks, this can
be compensated by increasing transmit power--i.e. packing more photons into each bit--or by optically amplifying the
signal partway through the fiber. In QKD systems however, the signal cannot be amplified, and the system's bit rate
exponentially decreases with distance due to absorption. Some QKD systems can reach ranges of several hundred kilometer,
but the useable data rate (here called \emph{key rate}) of these systems usually is in the kilobits per second or worse.

QKD signals cannot be amplified because their security rests on the fact that each transmitted quantum state on average
only contains on the order of one photon each. Security rests on the No-Cloning Theorem, which implies that not just
attackers, but even the system's operators are unable to duplicate the quantum state in flight without destroying it.

When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system. We
can coarsely classify these degrading effects into two categories: \emph{Decoherence}, and \emph{Absorption}.
Decoherence effects result in the quantum state being changed in transit, which depending on the QKD implementation may
mean destroying information contained within the state such as by disturbing the pulse's polarization, or destruction of
entanglement between the in-flight state and another local state. In an optical channel affected by such decoherence
effects, a quantum state enters the channel, and subsequently exits it at the other end changed. In contrast, absorption
means the quantum state is not ever leaving the channel.

In practice, absorption limits the length of an individual fiber run, as it becomes problematic at short distances.
Decoherence is less relevant for the distance limitation, and mostly limits which fiber-optic technologies can be
utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM)
fiber, and makes it more difficult to utilize Wavelength Division Multiplexing (xWDM) to send multiple either quantum or
classical optical signals through a single fiber.
\todo{go more into the details on xWDM, elaborate on decoherence mechanisms, especially crosstalk in the context of
xWDM.}

\todo{CV-QKD}

\subsection{Relaying}
\todo{(one?) term of the art seems to be "repeater"}

The No-Cloning Theorem prevents us from using conventional optical amplifiers to extend the range of a single continuous
QKD link. What remains as ways to extend the range of a QKD link are \emph{relaying} methods, where one QKD link is
terminated at the relay, and another is started, with the relay proxying information between the two. We can separate
relay implementations into two broad categories.

\todo{mention that one MDI-QKD range doubling hack}
\begin{description}
    \item[Classical relays] encompass the trivial implementation of a relay, where the QKD link is formed by simply
        stitching two QKD links together by connecting one link's receiver to the other link's transmitter. The key
        characteristic of classical relays is that inside the relay, the link's cryptographic payload information is
        handled in its classical plaintext form. Classical relays are practically feasible, but because they must handle
        the payload in plaintext form, they are security-critical.

    \item[Quantum relays] are relays that forward the QKD payload information from one link to the other in the quantum
        realm, without translating it to classical information and back. QKD relays are currently not practically
        feasible, but if they become available in the future, they would allow range extension without compromising the
        QKD link's security as the same tamper-detecting properties that the QKD links provide can be extended to cover
        the quantum forwarding process inside the relay.
\end{description}

\section{Quantum Networking}

So far we have focused on the range limitation of a single QKD link with classical relays as the only practical solution
at this point in time. Quantum Networks naturally follow from a relay-assisted QKD link, if we consider a type of
``relay'' that is connected to more than two links. Just like switches and routers can be meshed to construct complex
topologies in classical wide-area networks (WANs), such multi-fanout relays, or \emph{routers} can be used to provide
QKD services over complex network topologies.

There exists a large corpus of academic research on the theory of such large-scale QKD networks ranging from the
technical implementation of management protocols to specialized QKD systems for QKD networks that improve on standard
two-party QKD in areas such as complexity or performance. \todo{lots of citations here}
In the past decades, a number of proof-of-concept QKD networks have been put into practice. None of these systems
provide any practical utility yet, and their raison d'être lies in the political realm more than it arises out of
technical necessity considering that any of today's city-scale demonstrations can easily be simulated more compactly in
a lab using a few spools of fiber as a near-perfect stand-in for long-range fiber links.

Many of the technical challenges in the deployment of QKD networks coincide with similar technical challenges in
classical packet-switched networks. An unique challenge to QKD networks is how their routing problem is different to the
one in classical computer networks. In a classical network, each link has a known, fixed capacity. A router decides
which packet to send through which link, and when the rate of incoming packets momentarily exceeds the capacity of the
outgoing links, packets must either be dropped, or put into a growing queue. QKD networks are different in that
information is not exchanged through the network, but instead the network \emph{generates} information in the form of
secret key material. The measurement of individual pulses that underly key generation conform to a stochastic process,
but amortized across the large time spans required for the subsequent selection and privacy amplification steps that
converts these raw measurements into usable secret key bits, key generation rate is constant. Each node of a QKD network
thus accumulates secret key bits for each of its links, storing them for later use. The routing problem in this scenario
revolves around managing the levels of these key stores to avoid depletion.

\section{Securing QKD Networks with Inertial HSMs}

As we discussed above, when it comes down to practical, end-to-end security properties, Quantum Key Distribution
removes trust in the hardness of particular mathematical problems (good!), but increases trust in the physical
integrity of the transceivers of the QKD link (bad!). In scenarios where the communicating parties are all located
within physical proximity--in QKD, meaning within at most a few hundred kilometers from each other depending on secret
key rate requirements--this added trust is of no consequence because the communcating parties' hardware must be trusted
in either QKD-assisted or purely classical setups. However, this trust requirement becomes a burden as soon as at least
one party is too far away (or higher secret key rates are required), as now physically trusted relays become necessary.

Extrapolating to practical deployments, we can make two predictions. First, as QKD only solves key distribution, but the
actual data transfer still happens through normal off-the-shelf telecommunications components in QKD networks, there is
no reason for a practical QKD setup to \emph{not} also use classical cryptography as an additional layer for defense in
depth,
\todo{citation on defense in depth, and on this hybrid scenario}
meaning the QKD setup will at worst degrade to the same security a purely classical system would provide, never less.

The second prediction we can make is that any practical QKD network will have to use trusted relays to bridge large
distances. While in certain specialized applications such as the proposed financial QKD network in Switzerland
\todo{citation on swiss deployment} smaller, isolated networks are conceivable, in every telecommunication system from
the telegraph through the telephone system and up to the internet it has been shown conclusively that there is a real
demand for a global, interconnected network\footnote{In fact, history repeats, and the enthusiasm that Quantum Key
Distribution networks have kindled parallels the one that the first trans-atlantic telegraph cables brought forth as
described by \textcite{mullerWiringWorldSocial2016}. Both parallel not just in the extensive promises attributed to
their respective technologies, but also in the facade of technological determinism that in both cases hides a number of
social and political motivations.}\cite{mullerWiringWorldSocial2016}. \todo{at least one more citation on historic
networks}

In this section, we will outline a solution that provides practical, end-to-end security in large-scale QKD networks by
delegating the hardware trust issue of QKD relays to Inertial Hardware Security Modules. The primary design challenges
we will address are the systems' overall envelope design, optical passthroughs, and matching the cryptographic
assumptions behind the IHSM's heartbeat and alarm subsystem to those of the QKD application.

\subsection{The anatomy of a QKD node}

With the exception of special cases such as the middle node in a MDI-QKD system, a general QKD relay contains the same
components that the endpoint of a QKD connection uses. Only in a QKD relay, two transceivers are connected back-to-back
to one another. QKD provides physical security for the photons traversing the fiber that forms the systme's channel, and
the security envelope of the system begins where this fiber is terminated in the power splitters, single-photon
detectors, lasers, and interferometers of the QKD transmitter and receiver. To process the raw measurements of the QKD
system into a usable stream of secret key bits, in addition to these components implementing the physics of the QKD
system, a classical computer is needed. On top of the remote monitoring and management tasks that any piece of
networking equipment is expected to perform nowadays, this computer is tasked with the information reconciliation and
privacy amplification that form the information-theoretic part of the QKD system. Since this computer must necessarily
handle secret key bits in their plain text form, it, too, must be inside the relay node's physical protection envelope.

\subsection{Physical requirements of QKD transceivers}

Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer two key questions. First,
\emph{will it fit?}, and second, \emph{Can we hook it up?}. In the following paragraphs, we will go through several
aspects of these general questions one by one.

\paragraph{Physical dimensions.}
At this point, a number of commercial systems promising QKD exist. Common QKD protocols do not require any particularly
large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure
standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a
height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check
these numbers shortly before submission} While something of this size would be infeasible to protect with the security
mesh of a traditional hardware security module, placed vertically, even without modifications any of these systems are
well within an envelope that can be protected with a single IHSM cage.

\paragraph{Power supply.}
QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path
is optical, and as such can be implemented with room-temperature fiber-optic components. Only the single-photon
detectors may require cooling in some systems, but unlike something like an ion trap quantum computer's processor,
energy-intensive deep cryogenic cooling is not necessary. Most manufacturers don't quote the power requirements of their
systems, but we were able to find that IDQuantique specifies their QKD systems to be able to run off a single
\qty{300}{\watt} power supply. In an intertial HSM, power up to several \unit{\kilo\watt} can easily be transferred to
the payload with through-axis cables.

\paragraph{Cooling.}
While the few hundred watt of power that QKD systems require could easily be transported through the mesh of a a
traditional HSM as well, cooling that amount of thermal load purely by heat conduction through centimeters of epoxy
resin would make implementation infeasible in traditional HSM. In an IHSM, on the other hand, up to several
\unit{\kilo\watt} can easily be dissipated through forced-air cooling since the rotating security mesh can have an
arbitrary amount of longitudinal slots or holes.

\paragraph{Data and signals.}
A QKD transceiver has a number of ports in addition the port for the fiber optic quantum channel. Depending on the
system, one or more additional optical links may be necessary for clock distribution, allowing both endpoints to tune
their lasers into precise alignment. QKD protocols require a classical link used for information reconciliation, which
along with the key stream output and management links requires one or more classical network ports.

In a QKD relay node, the key stream never leaves the security envelope. The management and information reconciliation
links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength
division multiplexing transceiver. The QKD link's clock channel and the quantum channel require a dedicated fiber each,
adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one. Since fiber
pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can be fed through an
IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to observe the
fiber's minimum bending radius, which for common fibers is usually in the range of
\qtyrange{5}{10}{\milli\meter}\todo{Provide citation on bend radius. Maybe a small table of products by a few vendors?}.

Concluding the above paragraphs, a QKD node is not a particularly challenging payload for an IHSM. The most problematic
requirement is feeding through a number of fibers for its various input and output signals, but fundamentally it is no
different from any server or other piece of IT equipment. In the following section, we will present a design that
provides a combined power and multi-fiber passthrough that is sufficient for QKD applications.

\subsection{Multi-fiber passthrough with active secondary mesh}

The primary weak spot of a simple IHSM is its axis of rotation. While the stationary axis allows for wired data and
power connections to penetrate the mesh, it also provides an easy target for an attacker who wants to insert some sort
of physical probe into the IHSM's security envelope. While to a certain extent this attack vector can be made more
difficult though simple construction techniques such as making the shaft as thin as possible, and getting the mesh as
close to it as possible, as well as using a solid steel shaft on the motor end of the mesh, the level of security that
these mitigations provide is much below that of the rest of the mesh. Thus, a better solution is needed.

Previously, in Chapter \todoplaceholder{provide link to mesh protection overview from OG IHSM paper} we have alluded to
several \emph{shielding} methods that use a second, independently rotating mesh on the inside of the primary mesh,
located right next to the primary mesh's axis opening. In this section, we will go into some more detail on four
variations of this solution. In order of increasing complexity, these variations are a simple disc cover, coaxial
labyrinth meshes, offset labyrinth meshes, and interlocking gear meshes. We will demonstrate a functional prototype of
the simple disc cover, present a design and mechanical prototypes of the offset labyrinth meshes, and provide details on
the design of a interlocking gear mesh.

\subsection{Simple disc cover}

\todo{Update these graphics with final color scheme, and update caption text here}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=1]{shaft_countermeasures_b.pdf}
    \caption[Coaxial disc mesh schema]{\draftgraphics Coaxial disc mesh schema, cross-section and top-down views. The
    outer mesh is shown in red, and the inner mesh in blue. The dashed line indicates the two meshes' shared axis of
    rotation. The gray areas indicate the shape of the volume that remains undisturbed by the mesh, and that is
    available for structural support and cable routing.}
    \label{qkd_fig_disc_mesh}
\end{figure}

In Chapter \todoplaceholder{Provide link to single-board IHSM chapter here}, we have shown how an IHSM that has been
shrunk to a single, disc-shaped PCB is still useful because we can delegate key management functionality to the mesh
monitoring circuit's microcontroller---or a separate processor sitting next to it---on the rotating mesh PCB, yielding a
solution close in both its cryptographic capabilities and its security level to commercial traditional HSMs, and
exceeding those of a smartcard. In the following paragraphs, we will show how we can deploy the same single-board IHSM
(SB-IHSM) as a mitigation for through-axis attacks, exploiting its mechanical shape and its simple, low-cost
implementation.

By placing an adapted single-board IHSM close to the primary mesh's axis opening as shown in Figure\
\ref{qkd_fig_disc_mesh}, an attacker is forced to either first circumvent the single-board IHSM through the primary
mesh's axis opening, then remove enough of it to gain direct access ot the payload behind it, or to conduct their attack
through the keyhole-sized opening in the primary mesh while bending their tool by approximately \qty{90}{\degree} at
least twice, once to avoid the SB-IHSM mesh, and once more to re-orient the tool towards the payload. The distance
between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in mechanical alignment between the
two axes of rotation, by the space necessary for a sufficiently stable mount of the payload cage to the hollow shaft,
and by the minimum bend radius of the power and data wiring that needs to pass through the shaft. In QKD applications,
the fibers' minimum bend radius is the largest contributing factor. Power and electrical data signals can be supplied
through flexible flat cables that can be bent in sharp corners without issue. Optical fibers on the other hand are
limited in their minimum bend radius, as their optical loss rises sharply with decreasing bend radius\footnote{Note that
the issue here is not that the glass core of the fiber would degrade or break, as one might intuitively assume. Being
only a few dozen micrometers in diameter, an optical fiber's core is remarkably flexible. Instead, the issue is that
both multimode as well as singlemode fibers are optical waveguides. Bending them distorts the electromagnetic field
inside the waveguide, and allows some small portion of it to escape from the fiber's core, leading to loss in the form
of both attenuation and dispersion.}. With QKD being especially sensitive to even small amounts of loss, care has to be
taken to maximize the bend radius of the fiber optic connections. A common specification of minimum bend radius in
telecom singlemode fibers taking into account not just optical loss but also the mechanical stability of the fiber's
polymer coating is $10\times$ the coated fiber's diameter, which equates to \qty{9}{\milli\meter} for
common \qty{0.9}{\milli\meter} fiber pigtails.

\todo{cite bend radius spec. fs.com has some on their pigtails. thorlabs on their SM-28 fiber has no spec, but specs
loss at \qty{25}{\milli\meter} radius.}

\begin{figure}
    \centering
    \subcaptionbox[Helical transition of single fiber]{Single fiber}{\includegraphics[width=.45\textwidth]{\scaledgraphics{helix_transition.png}}}
    \hfill
    \subcaptionbox[Helical transition of fiber bundle]{Fiber bundle}{\includegraphics[width=.45\textwidth]{\scaledgraphics{helix_bundle.png}}}
    \caption[Helically coiling fibers inside the axis tube]{
        The necessary mesh spacing can be reduced by coiling the fibers inside of the axis tube. The coiled fibers enter
        the inter-mesh space at an angle equal to the helix lead angle, which reduces the amount of space necessary to
        complete the transition to horizontal along a circular arc. In this example, a \qty{6}{\milli\meter} outer
        diameter tube with a \qty{0.5}{\milli\meter} wall thickness is shown with 6 fibers with \qty{0.9}{\milli\meter}
        outer diameter coiled to a constant bend radius of \qty{9}{\milli\meter}. The lead angle of the resulting helix
        is \qty{61.5}{\degree}, and past the tube exit, only \qty{5.16}{\milli\meter} of inter-mesh space are necessary.
        \figureattrib{helix_transition.png}}
\end{figure}

Based on these specifications and adding some  \qty{10}{\milli\meter}, 

\todoplaceholder{Finish this part.}

\subsection{Coaxial labyrinth meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=4]{shaft_countermeasures_b.pdf}
    \caption[Coaxial labyrinth mesh schema]{\draftgraphics Coaxial labyrinth mesh schema, cross-section and top-down
    views.}
\end{figure}

To increase the difficulty of inserting a long and flexible tool through the axis shield, \todo{Axis shield might be a
nice term. Unify terminology for axis/shaft, the shield, the names of the two meshes, and the tabs sticking up from the
meshes. Also what do we call the space in between? Terminology for the sides with offset meshes?} the shape of the
interface layer between the two meshes can be made more complex. Introducing small mesh \emph{tabs} that stick out
into the inter-mesh space from both meshes creates a labyrinth-like structure between the axis opening and the IHSM's
inside. Structural support and cables can easily pass this structure in a series of \qty{90}{\degree} bends, while
inserting a probe avoiding both meshes would not be feasible as the probe would have to perform a series of sharp
bends.

\begin{figure}
    \centering
    \includegraphics[width=.7\textwidth]{\scaledgraphics{wikimedia_Four_Corners_Bank_Vault_cropped.jpg}}
    \caption[Photo of a bank vault door]{\camerareadygraphics Photo of a bank vault door at the Four Corners building in
    Bowling Green, Ohio, USA. The interface between the door and its frame is stepped all around to discourage would-be
    intruders from inserting any sort of tool through the small gap around the closed door. In this instance, because
    the door's sill is stepped, too, a small ramp has been placed over the sill so that people going in and out of the
    open door don't stumble over the steps.\\
    \imgsource{Wikimedia Commons user Mbrickn}{2019}{CC-BY-SA}{https://commons.wikimedia.org/wiki/File:Four_Corners_Bank_Vault.jpg}
    }
    \label{qkd_fig_vault_door}
\end{figure}

Designing this type of labyrinth mesh is similar to the design of the shape of the jamb of a safe door such as the one
shown in Figure\ \ref{qkd_fig_vault_door}, or of a high end apartment door. In these, the objective is to prevent
would-be burglars from inserting opening tools through the space between the closed door and its jamb and attacking the
door's interior handle or locking mechanism, not unlike an IHSM's defense against electrical or electromagnetic probes.
The one difference between these doors and what we can do in IHSMs is that these doors are limited to outwards-facing
steps because they must be opened and closed. In IHSM labyrinth meshes, we can use both outwards-facing and
inwards-facing steps.

Concentric labyrinth meshes allow for a wide range of different configurations. The pitch from one mesh tab to the
next is the sum of the required width of the inter-mesh space and the safety margin needed betwween any cables or the
inter-mesh bracket and the tabs. When the mesh is constructed using rigid PCB tabs that are inserted as-is, without
bending them, and when all tabs have the same width and thickness, the radial width of the swept area decreases from tab
to tab going outwards as shown in Figure\ \ref{qkd_fig_mesh_ring_reduction}. A consequence of this is that when the
design target are constant width inter-mesh spaces, the tabs' pitch decreases going outwards.

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{mesh_ring_reduction.pdf}
    \caption[Coaxial labyrinth mesh tab swept area]{\draftgraphics Top-down view of a coaxial labyrinth mesh
    with three tabs, with the area swept by each tab highlighted. When rigid, planar tabs of a single width $w$ are
    used, the radial width of the swept areas decreases and approaches the tabs' thickness $t$ as their radius $r$
    increases.
    }
    \label{qkd_fig_mesh_ring_reduction}
\end{figure}

The safety margin required to avoid collisions between the meshes and the stator\todo{stator is a nice word for the
entire non-rotating part of the assembly. stator/star bracket?} can be kept low for the primary mesh because this mesh
has high-quality bearings on both ends, leading to good axis alignment. In contrast, for the secondary mesh considerable
margins have to be included if the mesh is driven by a cooling fan motor, as the bearings in such fans are not very
precise. With loose bearings, angular axis misalignment can lead to several millimeters of deflection in both the radial
and axial dimensions as illustrated in Figure\ \ref{qkd_fig_mesh_ring_bearing_tolerance}.

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{mesh_ring_bearing_tolerance.pdf}
    \caption[Coaxial labyrinth mesh axis alignment tolerance illustration]{\draftgraphics Illustration of the effect of
    angular misalignment of the axis of rotation caused by tolerances in motor bearings in a coaxial labyrinth mesh with
    two tabs. The area swept by each tab, and its increase due to misalignment are highlighted. The left illustration
    shows the ideal and misaligned meshes, and the right illustration superimposes the area increase from the left
    illustration on the ideally aligned mesh.}
    \label{qkd_fig_mesh_ring_bearing_tolerance}
\end{figure}

\subsection{Offset labyrinth meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=2]{shaft_countermeasures_b.pdf}
    \caption[Offset labyrinth mesh schema]{\draftgraphics Offset labyrinth mesh schema, cross-section and top-down
    views. The two dashed lines indicate the two meshes' offset axes of rotation, shifted in $x$ direction in both
    views.}
    \label{qkd_fig_offset_lab_schema}
\end{figure}

In QKD applications, the simple disc cover design shown above has two main limitations. First, the distance between the
primary and secondary meshes must be large enough to allow for the fibers' minimum bend radius, resulting in more than
\qty{10}{\milli\meter} of space available to an attacker. Second, the attacker only has to bend their tool twice to
reach the payload. In this section, we will show a design and a mechanical prototype of an offset labyrinth mesh design
that improves both of these quantities by a large margin.

Our offset labyrinth mesh design combines an offset of the secondary mesh's axis of rotation with a three-dimensional
surface structure on both the inside of the primary mesh, and the facing side of the secondary mesh to create a series
of narrow, \qty{180}{\degree} turns that an attacker would have to overcome with their tool to reach the payload.
Structural support is provided using a CNC machined or 3D printed part, which also serves as a conduit for electrical
connections from the shaft to the payload using Flexible Flat Cable (FFC). While the FFC can easily conform to the
offset labyrinth's sharp corners, an optical fiber can not. Thus, instead of passing it straight through the labyrinth,
the payload's fiber optic connections are passed through the labyrinth in a three-dimensional spiral shape, avoiding the
meshes while simultaneously maximizing the fibers' bend radii.

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{\scaledgraphics{render_exp_1.png}}
    \caption[Offset labyrinth mesh assmbly exploded render]{\figureattrib{render_exp_1.png}}
\end{figure}

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{\scaledgraphics{render_exp_2.png}}
    \caption[Offset labyrinth mesh assmbly exploded render]{\figureattrib{render_exp_2.png}}
\end{figure}

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{example-image-10x16.pdf}
    \caption[Offset labyrinth mesh assmbly exploded render, section view]{\draftgraphics\\
    Section view of the labyrinth mesh assembly}
\end{figure}

\subsection{Interlocking gear meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=3]{shaft_countermeasures_b.pdf}
    \caption[Offset gear labyrinth mesh schema]{\draftgraphics Offset gear labyrinth mesh schema, cross-section and
    top-down views. In this example, the axis is shifted by about twice the offset from the previous offset labyrinth
    mesh schema in Figure\ \ref{qkd_fig_offset_lab_schema}.}
\end{figure}

The offset labyrinth design already achieves a high level of security through its complex passthrough shape, but its
construction provides some challenges. First, with increasing offset, the step size of one mesh ring's diameter to the
next increases as well. Even if we only use, say, four mesh rings, this results in a large outer diameter. Second, fiber
passthrough in the plain offset configuration is possible, but the fiber must be wound in a spiral to pass the two
meshes' rings alternating from one side to the other because the side with more space alternates from ring to ring.

Both of these disadvantages can be worked around using a design where the two meshes interlock like gears. This does
mean that the two meshes' rotation must be synchronized, but it allows for a tighter spacing even when using an offset
design. Additionally, in a gear setup, the wide sides of the inter-mesh zones can be aligned to lie on the same side, so
fiber passthrough can be realized more easily without the need to spiral the fiber around the axes of rotation.

\subsection{Mesh synchronization}

For geared meshes to work, both speed and phase of the rotation of the two meshes must be synchronized to a small error.
In this setup, the mesh tabs act like gear teeth. Depending on the ratio between both meshes' tap counts, the two
meshes do not have to rotate at the same rate of rotation. Instead, harmonic ratios are possible.

\begin{figure}
    \centering
    \subcaptionbox[Offset labyrinth mesh assembly render]{\figureattrib{render_side_1.png}}{\includegraphics[width=\textwidth]{\scaledgraphics{render_side_1.png}}}
    \subcaptionbox[Offset labyrinth mesh assembly render]{\figureattrib{render_side_2.png}}{\includegraphics[width=\textwidth]{\scaledgraphics{render_side_2.png}}}

    \caption{
        Renderings of the complete offset labyrinth mesh assembly with interlocking labyrinth.
    }
\end{figure}

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{gear_plan_1.eps}
    \caption[Offset overlapping gear mesh assmbly schema]{\figureattrib{gear_plan_1.svg}}
\end{figure}

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{gear_plan_2.eps}
    \caption[Offset overlapping gear mesh schedule]{\figureattrib{gear_plan_2.svg}}
\end{figure}

\begin{figure}
    \centering
    \includegraphics[width=\textwidth]{schema_wire.eps}
    \caption[Offset labyrinth mesh schema with fiber layout]{\figureattrib{schema_wire.svg}}
\end{figure}

\section{Outlook}

\newpage
\printbibliography[heading=bibintoc]

\appendix

\end{document}