#### Abstract

The growing importance of underwater networks (UNs) in mission-critical activities at sea enforces the need for secure underwater communications (UCs). Classical encryption techniques can be used to achieve secure data exchange in UNs. However, the advent of quantum computing will pose threats to classical cryptography, thus challenging UCs. Currently, underwater cryptosystems mostly adopt symmetric ciphers, which are considered computationally quantum robust but pose the challenge of distributing the secret key upfront. Post-quantum public-key (PQPK) protocols promise to overcome the key distribution problem. The security of PQPK protocols, however, only relies on the assumed computational complexity of some underlying mathematical problems. Moreover, the use of resource-hungry PQPK algorithms in resource-constrained environments such as UNs can require nontrivial hardware/software optimization efforts. An alternative approach is underwater quantum key distribution (QKD), which promises unconditional security built upon the physical principles of quantum mechanics (QM). This tutorial provides a basic introduction to free-space underwater QKD (UQKD). At first, the basic concepts of QKD are presented, based on a fully worked out QKD example. A thorough state-of-the-art analysis of UQKD is carried out. The paper subsequently provides a theoretical analysis of the QKD performance through free-space underwater channels and its dependence on the key optical parameters of the system and seawater. Finally, open challenges, points of strength, and perspectives of UQKD are identified and discussed.

#### 1. Introduction

Secure underwater communications (UCs) play a key role in mission-critical activities at sea; hence, effective cryptosystems, specifically tailored to underwater applications, are needed [1–4]. Classical encryption techniques can provide confidentiality, integrity, and authentication in underwater networks [4–6]. However, the advent of quantum computing will pose threats to classical cryptography and will thus also challenge the security of UCs [7, 8]. In principle, a quantum computer running the Shor algorithm can efficiently solve the complex mathematical problems currently used in the most popular public key distribution schemes [9]. As a consequence, these schemes, which are computationally robust to classical computer-based attacks, are vulnerable to quantum attacks [10–12]. Conversely, it is widely acknowledged that symmetric block ciphers will offer computational quantum robustness until 2050 and beyond [8, 13]. The Grover quantum algorithm can speed up brute force attacks on these schemes. In particular, it can reduce the required number of steps to perform the full search of an *n*-bit secret key in an unstructured space of elements, from to over classic algorithms [14]. Nonetheless, the security of symmetric ciphers can be easily restored by increasing the secret key length [8, 13]. Symmetric key cryptography, however, relies on the fundamental requirement that legitimate communicating nodes must share the secret key in advance. This requirement has opened the key distribution problem (KDP), which is challenging in terrestrial networks and can be critical or even insurmountable in harsh environments, such as those in which underwater networks operate [2–4]. To overcome the KDP, standardization bodies and security agencies presently recommend the use of post-quantum public-key (PQPK) protocols [10–12]. 
These schemes do not require any preshared information; conversely, they can establish asymmetric pairs of keys through an authenticated public channel, based only on some complex mathematical problems, which neither classical nor quantum computers are known to efficiently solve [10, 12]. To counteract quantum threats, in 2016, the National Institute of Standards and Technology (NIST) started the “Post Quantum Cryptography” contest, with the aim of selecting and standardizing cryptographic schemes capable of withstanding both quantum and classical attacks [11]. This initiative recently completed the third round of its evaluation process [11]. As a result of this contest, one public key algorithm was selected for standardization, and four additional public key schemes were chosen as candidates for standardization in the next round [15]. The security of PQPK algorithms, however, cannot be theoretically proved; it only relies on the experimental evidence that a given mathematical problem is computationally hard both for known quantum-enabled and classic algorithms to solve (four weeks after NIST announced the results of the third round of evaluation [15], a practical attack on SIKE (one of the four candidate public key algorithms selected for potential standardization in the fourth round) was published [16]. The software used for the attack could obtain the secret key in about one hour, when executed on a single core of a standard computer running at 2.6 GHz. An attack on Rainbow, a digital signature scheme also included in the Post Quantum Cryptography standardization contest, had been published just a few months earlier [17]) [12, 16, 18]. Furthermore, PQPK schemes typically operate on power-hungry computers and servers. Therefore, using them in resource-constrained networks, such as underwater acoustics, may necessitate additional complex software or hardware optimization efforts in order to be practical [12]. 
Ongoing research and standardization efforts are being devoted to solve this problem. For instance, in [19], the authors present a memory-optimized version of the quantum-safe public key Classic McEliece cryptosystem, a NIST candidate for future standardization, which necessitates a one-megabyte public key. The proposed implementation can run on a memory-constrained processor like an ARM Cortex-M4, by streaming small chunks of the public key calculated at run time from the private key. This way, the algorithm memory footprint can be significantly reduced. Nonetheless, the transmission of such a large public key in an underwater acoustic network remains a daunting problem [4]. With the widespread diffusion of Internet of Things (IoT) devices and sensor networks, the deployment of computationally demanding cryptographic algorithms onto processors with constrained resources has become a compelling problem also outside the UC domain. The NIST Lightweight Cryptography project focuses on authenticated encryption and hashing schemes suitable for computationally and bandwidth-constrained environments. However, this standardization initiative does not include any proposal for lightweight public key cryptography, at least in its first phase [20].

Physical layer security (PLS) is another potential way for key generation and distribution in underwater acoustic networks. PLS utilizes the physical characteristics of wireless acoustic channels to enable two legitimate parties to share a secret key [21–23]. It assumes that the two unidirectional wireless channels connecting two legitimate nodes are highly correlated and unique, so that a shared secret key can be originated by suitably processing their impulse responses. An eavesdropping adversary attempting to obtain the secret key will not possess sufficient knowledge about the state of the environment to accurately reproduce those unique channels on a computer and thus will be unable to calculate the secret key.

Quantum key distribution (QKD) addresses KDP in a different way. Specifically, it allows two legitimate parties that can transmit photons through a quantum channel to securely share a secret key, by exploiting the physical principles of quantum mechanics (QM) [8]. Any adversary trying to obtain the secret key will unavoidably alter the quantum states of the transmitted photons and will thus reveal its activity to the legitimate users. Moreover, a QKD system can continuously generate additional secret key bits, starting from a short initial secret key [8]. As a result, the newly generated secret bits can be used by a One Time Pad (OTP) cipher to transmit unconditionally secure messages, i.e., their confidentiality is independent from the amount and quality of resources available to attackers and cannot be harmed by technological advances [8, 24]. In the case of using the OTP, it is important to emphasize that in order to transmit *n* data bits, an equally long secret key of *n* is necessary. Alternatively, QKD can be combined with a classic symmetric block cipher, with the advantage of using the same short secret key to encrypt a large number of different messages. This latter combination cannot provide unconditional security [8]. Nevertheless, existing quantum algorithms currently lack the efficiency required to compromise its security. Moreover, it allows the potential bottlenecks due to the low secret key generation rates currently achievable by existing QKD systems to be overcome [8].

In 1984, Bennett and Brassard presented BB84, the first QKD protocol [25]. Since then, QKD has become a very active and fast-growing research field in fiber cable and satellite communications. The practical security of QKD systems in real-life scenarios is still debated, due to some well-identified limitations (such limitations originate from the need for entity authentication on the QKD public channel, the challenge of securing and validating real-life QKD systems, the lack of flexibility, the costs and risks associated with the use of bespoke hardware equipment, and the sensitivity to denial of service attacks [26]) [10, 26]. Nonetheless, terrestrial QKD is rapidly evolving towards in-field testing and industrial prototypes [18, 27]. Conversely, the application of QKD over free-space underwater channels is at an earlier stage. The first experiment showing free-space underwater QKD (UQKD) feasibility was carried out in 2017, at a distance of 3.3 m [28]. Furthermore, the first UQKD system implementing the complete BB84 protocol was successfully demonstrated in 2019, at a distance of 2.37 m [29]. At present, UQKD is confined to lab experiments and proof-of-concept prototypes. The current limitations of UQKD systems in terms of achievable data rates and operating distance make their use in real-life scenarios still an open problem. Nonetheless, theoretical studies and extrapolation of experimental results indicate that UQKD can be successfully achieved at distances of tens to hundreds of meters, thus rendering this technique a potentially attractive solution in various undersea applications.

##### 1.1. Tutorial Outline and Contributions

UQKD is a multidisciplinary technology, ranging from QM and information theory, to ocean optics and underwater networking. This tutorial aims at presenting selected concepts and results from these disciplines, so as to provide the reader with a complete and homogeneous view on UQKD. Specifically, the paper focuses on the problem of distributing a secret key using free-space UQKD. We stress that the problem of using the shared secret key to securely transmit data through classic free-space underwater channels (optical or acoustic) is not covered in the tutorial.

The paper is organized as follows. Section 2 summarizes the fundamental concepts of QKD. Specifically, it presents an overview of the major QKD protocols available today, with a particular focus on BB84, owing to the specific relevance of this protocol to UQKD. For a deep and practical understanding of BB84, the reader is guided through all the steps of a simple but complete key generation example. We then discuss the performance of BB84 in terms of two fundamental indexes, i.e., the quantum bit error rate (QBER) and the secret key (SK) generation rate (SKGR), for which simple analytical bounds are given in closed form. Section 3 guides the reader through the analysis of UQKD performance limitations. In particular, we express the general bounds on QBER and SKGR as functions of typical seawater optical parameters. The underwater quantum channel is analyzed, a model used in this development is introduced and discussed, and all the steps to obtain the closed-form expressions of the UQKD performance bounds are explained. The section provides links to selected bibliographic references, offering interested readers direct access to a wider and deeper view on this subject, and then proceeds to discuss the effects of the most relevant system and channel parameters on overall performance. This section also provides a discussion about the classification of ocean waters based on their optical properties. Section 4 introduces the reader to the UQKD state-of-the-art. A thorough survey of UQKD simulation-based studies, UQKD experimental activities, and UQKD systems is presented. Finally, we briefly go through the few works on underwater continuous variable QKD techniques currently available in the literature. Section 5 introduces the challenges and prospects of UQKD. The technology readiness level (TRL) of UQKD is compared to the TRL of fiber cable and satellite QKD. 
We also identify and discuss some UQKD ancillary functions, such as pointing acquisition and tracking (PAT) and synchronization, which are mandatory for the practical deployment of UQKD systems at sea. We then discuss the problem of providing authentication capabilities over the underwater QKD public channel. Section 6 outlines the conclusions of this work.

#### 2. QKD Fundamentals

In this section, we offer a concise survey of the most extensively studied and promising QKD protocols, with a particular emphasis on the popular BB84 protocol. Subsequently, we present a numerical illustration and define QBER and SKGR as two pivotal performance metrics in this domain.

##### 2.1. QKD Protocols

Based on the wave-particle duality of light, discrete variable or continuous variable protocols can be developed, which treat light either as photons or waves. Discrete variable QKD protocols exploit the particle nature of light and encode information at the single photon state. Continuous variable QKD protocols build upon the wave nature of light and encode information onto its amplitude and/or phase.

Discrete variable QKD schemes are of two types, specifically, prepare and measure (PaM) protocols and entanglement-based (EB) protocols [30]. The earliest QKD protocols utilized the PaM method, which involves creating a qubit (in quantum computing, a quantum bit (qubit) is the counterpart of the classical bit. Unlike a classical bit, which can be either 0 or 1, a qubit is a superposition of 0 and 1) state and subsequently transmitting it to the recipient party. These types of approaches require that one legitimate party possesses a trusted device to send the qubits and has access to a true random number generator to originate the initial bit string [31]. Subsequently, EB protocols emerged, in which two parties can originate the secret key by performing measurements on a shared quantum state [7]. This approach does not require that one communicating node possesses the joint state source, nor that this source is trusted. In fact, the quantum correlations between the measurements performed by the legitimate parties on the joint states can be tested, by using the inequalities given by Bell’s theorem (for the sake of simplicity, the authors briefly summarize here Bell’s theorem version based on the so-called Clauser–Horne–Shimony–Holt (CHSH) inequality [7]. The Bell theorem assumes that Alice and Bob perform repeated independent measurements on a sequence of joint states, each choosing randomly one out of two possible measurement setups. Assuming that (i) the observed physical quantities exist independently of observation (realism), and (ii) Alice’s measurements do not influence Bob’s measurements and vice versa (locality), one can evaluate a statistical index as a function of the obtained measurement correlations, such that the CHSH inequality is always satisfied. Conversely, using the laws of QM, one obtains , which is a result clearly in contrast with the CHSH inequality [7, 32]. Assumptions (i) and (ii) together are usually referred to as local realism. 
Thus, QM is incompatible with the assumption of local realism. Experimental results are all in favour of QM [7]). A malicious adversary manipulating the joint states would alter such quantum correlations and could thus be detected [31, 32]. While EB protocols provide an extra layer of security since there is no need for trusted quantum source, PaM protocols are more prevalent owing to their greater simplicity. Table 1 summarizes the major QKD protocols.

The initial proposal for a QKD protocol, presented by Bennett and Brassard, has become widely recognized in academic circles as BB84 [25]. BB84 is a PaM protocol, founded on the principle of quantum coding first introduced by Wiesner [42]. It employs polarization to map information bits into orthogonal photon quantum states. It is worth noting that, besides polarization encoding, the techniques of time-phase encoding and phase encoding have also captured the interest of numerous researchers in the field. In particular, time-phase encoding in QKD involves encoding quantum states in specific time bins and using interference-based measurements to recover the time-encoded information at the receiver’s end. This approach enhances security by making eavesdropping attempts detectable and enables the establishment of a secure cryptographic key between Alice and Bob. Due to the possible multiple scattering events and propagation delay of the emitted photons, time-phase encoding may be a challenging task for underwater environment [43]. Phase encoding in QKD involves encoding quantum states with specific phase information. The randomness of the phase encoding and the security properties of quantum mechanics ensure that eavesdropping efforts can be detected, allowing for the establishment of a secure cryptographic key between Alice and Bob. The main drawback of phase-encoded QKD systems is the inherent phase drift caused by environmental changes and the system’s nonlinearity [44]. In this paper, we mainly focus on polarization encoding.

Initially, the transmitter (i.e., Alice) randomly chooses a random bit string. For each bit, she prepares a qubit, by selecting between the rectilinear polarization basis (with polarizations 0° or +90°, corresponding to the bit values 0 or 1, respectively), and the diagonal polarization basis (−45° or +45°, corresponding to 0 or 1). She then transmits to the legitimate receiver (i.e., Bob) the sequence of prepared qubits. Bob determines the potential incoming qubit by randomly selecting either the or basis. If both Alice and Bob use the same basis, they will both obtain the same bit value. If Alice sends a qubit in the basis and Bob measures it using the basis, there is a 50%–50% chance that Bob gets −45° or +45°. Furthermore, if Alice sends the qubit in the basis and Bob measures it using the basis, there is a 50%–50% chance that Bob obtains either 0° or +90°. After all the photons have been transmitted, Alice and Bob determine which qubits were successfully received, and which were measured in the correct bases, by exchanging messages through a public classic channel. The secure key is constructed only from those qubits that both Alice and Bob measure on the same basis. The process of retaining only the bits measured on the same basis, usually referred to as “sifting,” will be described in detail in the following.

Since the BB84 protocol needs to operate at the single-photon level, laser pulses should be attenuated in practical implementations. These sources sometimes produce pulses containing two or more photons. In case of multiphoton emission, an adversarial eavesdropper (usually referred to as Eve) is able to launch the photon-number-splitting (PNS) attack. In a PNS attack, Eve intercepts and blocks all single-photon signals. Additionally, she splits multiphoton signals by retaining one portion and forwarding the remainder to the intended recipient. The retained photon can reveal its actual polarization to Eve, if she can perform her polarization measurement using the proper basis. To this end, Eve could keep the photons in a quantum memory and perform her measurements after Alice has publicly discussed with Bob the used bases. This way, an eavesdropper could in principle obtain full information about the generated key. The most common countermeasure to protect QKD systems from PNS attacks combines BB84 with the decoy-state method [45]. The decoy-state method requires the variation of intensity during pulse generation, so as to create signal states and decoy states [46]. Decoy states were first introduced by Hwang in [35]. In 2005, Lo et al. provided the first comprehensive security proof of the decoy method, considering an infinite number of intensities [47]. In a decoy-state protocol, the sender transmits a sequence of decoy-state pulses (which do not contain any useful information) along with the signal pulse sequence. As Eve cannot discriminate decoy states from useful signals, her attempts at performing a PNS attack result in variations in the expected yields of both the signal and decoy states. In the decoy-state protocol, Alice can originate the useful signal pulses at a higher intensity than in the original BB84 protocol [45]. 
For instance, in the UQKD system described in [48], BB84 was implemented with , while in the decoy-state protocol the signal pulse intensity was chosen equal to , with a mixture of signal and decoy-state signals equal to 50%–50%. As a result, in the experiments, the secret key generation ratio was equal to 563 kbps with the BB84 protocol, and to 711 kbps with the decoy-state protocol. In general, it has been shown [45] that the decoy state can substantially increase both the distance and the key generation rate of QKD in lossy channels.

In 1992, Bennett proposed the B92 protocol, a protocol with only two polarization states (i.e., 0° to encode “0” and +45° to encode “1”) [33]. As in BB84, Bob randomly decides in which basis he will measure the qubit, i.e., in the or in the basis. As an example, assume Alice sends a qubit with polarization +45°, and Bob has decided to measure it using the basis, with possible outcomes 0° or +90°. If the measurement outcome is +90°, Bob can infer that Alice sent the polarization state +45°; otherwise, he will discard the qubit because the outcome is inconclusive. In a high loss environment, however, Eve could intercept and measure all the qubits sent by Alice, discarding those on which she obtained inconclusive measurements, and resending to Bob correct copies of the others. As a countermeasure to this attack, Alice and Bob can encode the phase of the qubits with respect to a strong reference pulse, also transmitted from Alice to Bob. If Eve tries to suppress the strong pulse or the qubits, she will originate errors, so that she will be detected [45]. Tamaki et al. explored the security of B92 under the assumption of a single-photon source in [49, 50]. Koashi also examined the B92 implementation using strong phase-reference coherent light in [51]. Additionally, it was demonstrated in [52] that B92 provides better eavesdropper detection compared to BB84.
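The conclusive/inconclusive decision Bob makes in B92 can be reproduced with a small simulation. This is an added example, not code from the paper: it assumes an ideal lossless, noiseless channel with no eavesdropper, models each measurement with Malus's law, and adds the mirror-image case to the one in the text (outcome −45° in the diagonal basis implies Alice sent 0°). All function names are hypothetical.

```python
import math
import random

RECT = (0, 90)                # rectilinear basis outcomes, in degrees
DIAG = (-45, 45)              # diagonal basis outcomes, in degrees
ALICE_STATE = {0: 0, 1: 45}   # B92 encoding from the text: 0° -> "0", +45° -> "1"


def measure_polarization(theta, basis, rng):
    """Measure a photon polarized at `theta` degrees in a two-outcome basis.

    Malus's law: the probability of the first outcome is cos^2 of the angle
    between the photon polarization and that outcome's axis.
    """
    first, second = basis
    p_first = round(math.cos(math.radians(theta - first)) ** 2, 12)
    return first if rng.random() < p_first else second


def bob_decode(outcome):
    """Return the inferred bit, or None when the outcome is inconclusive."""
    if outcome == 90:     # impossible for a 0° photon, so Alice sent +45°
        return 1
    if outcome == -45:    # impossible for a +45° photon, so Alice sent 0°
        return 0
    return None           # 0° or +45°: both of Alice's states can produce it


def b92_exchange(n_pulses, seed=1):
    """Run n_pulses of B92 and return Alice's bits, Bob's bits and kept indices."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_pulses)]
    bob_bits = []
    for bit in alice_bits:
        basis = rng.choice((RECT, DIAG))   # Bob's random basis choice
        outcome = measure_polarization(ALICE_STATE[bit], basis, rng)
        bob_bits.append(bob_decode(outcome))
    # Bob announces only WHICH positions were conclusive, never the bit values.
    conclusive = [i for i, b in enumerate(bob_bits) if b is not None]
    return alice_bits, bob_bits, conclusive


if __name__ == "__main__":
    a, b, keep = b92_exchange(100)
    print("conclusive positions:", len(keep), "of", len(a))
    print("mismatches among them:", sum(a[i] != b[i] for i in keep))
```

Under these assumptions only about one pulse in four yields a conclusive outcome, and every conclusive bit matches Alice's.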

Scarani et al. [36] proposed the SARG04 protocol which has a robust performance against PNS attacks. The SARG04 protocol uses two nonorthogonal quantum states, similar to the B92 protocol. However, the bit is encoded in the basis rather than the state in SARG04. Furthermore, in distinction to BB84, Alice does not disclose her basis to Bob. In the sifting phase, Bob reveals the bits he measured from the incoming qubits. If a bit revealed by Bob is different from the corresponding bit sent by Alice, then Alice and Bob can conclude that they used different polarization bases to prepare and measure that bit. In this case, Alice tells Bob to accept the bit, and Bob chooses the bit value associated to the basis that he did not use in that measurement. This protocol was further generalized to quantum states in [53].

In [34], Bruß presented a six-state protocol that utilizes three conjugate bases. Such states lie on the positive and negative directions of the *x-*, *y-*, and *z*-axes on the Bloch sphere (the Bloch Sphere is a unit three-dimensional sphere that effectively visualizes the state of any qubit. In the Bloch Sphere, qubit “0” and “1” usually lie on the *z*-axis, with coordinates and , respectively). It was shown that this protocol is more secure than BB84 protocol since Eve possesses less mutual information. However, the key distribution rate is reduced by 2/3 compared to reduction in BB84 [54].

Bennett, Brassard, and Mermin developed BBM92, a version of BB84 based on entanglement [38]. In this protocol, Alice and Bob carry out measurements on the photons received from a central source. If they use the same basis, they will obtain perfectly correlated results. However, if they choose different bases (for example, Alice chooses and Bob chooses ), their results will not match. Waks et al. analyzed the security of BBM92 against individual attacks, considering a realistic and untrusted source, in [55]. They showed that BBM92 has the same average collision probability as BB84, but it can achieve a higher data rate. The key advantage of BBM92 is that Alice and Bob can detect Eve’s malicious interference with the source. It is worth mentioning that the requirement of a trustworthy central source for producing entangled photons is not necessary.

Ekert introduced the E91 protocol [37] by utilizing the generalized Bell’s theorem to detect eavesdropping. In E91, a central source sends a series of shared states to Alice and Bob. The following are the definitions of two compatible cases: (1) if Alice (Bob) measures spin up, Bob (Alice) measures spin down; (2) if Alice (Bob) measures spin down, then Bob (Alice) measures spin up. We stress that the measurement order is irrelevant, i.e., whoever measures the first pair will cause the other to collapse accordingly. E91 allows for the detection of Eve by determining whether Alice and Bob’s measurement results are perfectly correlated or not. Ekert originally proposed the use of three bases both for Alice (0°, 45°, and 90°) and for Bob (45°, 90°, and 135°), with a probability of measurements with compatible bases equal to 1/3. Like the BB84 protocol, Alice and Bob publicly announce their chosen bases and discard any results obtained from incompatible bases. In a study by Ilic [56], various aspects of error correction, privacy amplification, and violations of Bell’s theorem were explored in the context of the E91 protocol. Acin et al. [57] proposed a simplified version of the E91 protocol, where it only involves three bases on one side (e.g., Alice’s) and two bases on the other side (e.g., Bob’s). A comparative summary of aforementioned QKD protocols is provided in Table 2.

To overcome the secret key capacity of the lossy communication channel [58], known as the Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound, the measurement-device-independent (MDI)-QKD protocol has been proposed. This protocol is built upon the concept of correlating measurements of a two-photon state [39]. Despite the technical challenges in practical experiments, the transmission distance of MDI-QKD has almost doubled compared to BB84 [40]. Two variations of MDI-QKD protocols are twin-field- (TF-) QKD [40] and phase-matching- (PM-) QKD [41], which were proposed to improve the key rate. TF-QKD and PM-QKD share fundamental similarities; TF-QKD pertains to the states used for carrying the keys, while PM-QKD concerns the methodology behind key generation. Based on such results, recent research efforts have significantly contributed to narrowing the discrepancy between the theoretical security of QKD systems and their practical implementation. In [59], the authors prove the practical security of a four-phase (FP) MDI-QKD protocol against all possible practical flaws of the used photon source. Moreover, they prove the feasibility of the proposed technique through a proof-of-principle implementation of the presented protocol. To further improve the performance of MDI-QKD and simplify its practical implementation, a new variant called asynchronous MDI-QKD has been recently proposed. With respect to TF-QKD, asynchronous MDI-QKD does not require stringent phase tracking capabilities; hence, it is easier to implement and can also extend the maximum achievable distance in fibre-cable QKD networks [60–64].

Continuous variable QKD protocols transmit information using light instead of single photons. The idea was proposed separately by Ralph [65] and Hillery [66]. A continuous version of the BB84 protocol was introduced in [66] that uses squeezed states of light and homodyne detection. Leverrier and Grangier [67] suggested two continuous variable QKD protocols that use discrete modulation and involve two or four coherent states. In [68], Brádler et al. introduce a protocol using ternary-phase-shift keying (TPSK) of coherent states with homodyne detection as an alternative to an earlier protocol using binary-phase-shift keying (BPSK) [69]. Later, in [70], Guo et al. propose a method to boost the maximum secret key rate in eight-state continuous variable quantum key distribution by utilizing optical amplifiers to mitigate imperfections in Bob’s equipment with the cost of a minor reduction in transmission range. They further investigate the effectiveness of two types of amplifiers, phase-insensitive amplifiers and phase-sensitive amplifiers, both of which yield approximately equivalent performance enhancements in the eight-state continuous variable QKD system. Recently, Papanastasiou and Pirandola [71] introduced a continuous variable QKD protocol that employs a discrete-alphabet encoding method. In [72], the authors propose a homodyne detection protocol using quadrature phase shift keying, with better tolerance to excess noise.

Most QKD protocols use binary signal formats, represented by qubits, i.e., by two-dimensional quantum systems. To utilize higher dimensional quantum states, orbital angular momentum (OAM) has been applied in designing QKD systems [73, 74]. These systems use quantum states belonging to a higher dimensional Hilbert space, represented by qudits instead of qubits. Different QKD protocols have been demonstrated in successful experiments with different transmission ranges and data rates, as discussed in [75] and references therein.

##### 2.2. BB84 Protocol

As an example to illustrate the principles of QKD, we consider the BB84 protocol, which is also commonly used in commercial QKD products. The schematic diagram in Figure 1 shows a typical QKD transmitter and receiver implementing BB84.

**Figure 1:** (a) QKD transmitter; (b) QKD receiver.

At the transmitter side, a random bit sequence is mapped to a pulse sequence with an average power of photons per pulse. The already introduced rectilinear and diagonal polarization bases are used in the encoding phase. The transmitted polarized photons travel through the propagation medium, which might be a wireline or wireless channel. Figure 1(b) illustrates the QKD receiver. In the shown scheme, after filtering against background light, Bob utilizes a passive 50 : 50 beam splitter (BS) to randomly send the received photons towards two different paths. On each path, a polarizing beam splitter (PBS) is connected to two single-photon avalanche photodiodes (APDs), which work in Geiger-mode to count photons. Let denote the fraction of received photons at the receiver side. The average signal power per pulse entering each PBS is photons/pulse. The half-wave plate (HWP) in the vertical path properly adjusts the incoming photon polarization, so that the same APDs can be used to detect both bases ( and ) of the system.

If a polarized photon entering a PBS and the PBS itself share the same polarization basis, the incoming photon will be systematically forwarded to the designated APD. Consequently, the entire average signal power will be forwarded to such APD, while the second APD on the same path will receive a null average signal power . Conversely, if the polarization bases of the incoming photon and of the selected PBS are different, the photon will randomly proceed towards one of the two APDs. In this case, the average signal power will be equally split, resulting in an average signal power of at the input of both APDs. In practice, aside from any potential interference by Eve, the raw key also includes errors due to background noise and dark counts in Bob’s detectors. The background noise per polarization affects the transmitted pulses, and each APD experiences dark-count noise with an average power of , resulting in an average noise power of for each APD. The overall average signal power before reaching to an APD can therefore be expressed aswhere .

Alice and Bob create a secure key from the bits received during instances where both parties selected the same basis and only one of the two APDs detected a photon. These instances are referred to as “sift” events. Alice and Bob are able to determine the sift events by informing each other of the basis they selected, without revealing the value of their raw keys, through a publicly accessible classical communication channel (e.g., optical or acoustic signaling for underwater use). Any data obtained using different bases is discarded. To assess the system’s security against potential eavesdropping, a subset of the sifted key is used to estimate the QBER. If the estimated QBER is suitable for cryptography, the key is established; otherwise, the QKD system ends the key exchange. To ensure that both Alice and Bob have uniform keys, they use public information exchanged over the classic channel to correct errors in the sifted keys. The amount of disclosed information about the key can be reduced to maintain privacy through privacy amplification techniques, but this comes at the cost of key length.

##### 2.3. Numerical Example

As a numerical example to demonstrate how the BB84 protocol works, consider a raw key with the length of 100 bits (see Table 3). Alice prepares the raw key in the form of a bit sequence which is mapped to the pulse sequence (according to the polarization rule) having an average power of photon/pulse. Then, the prepared qubits are sent to Bob through the propagation medium. Due to imperfections associated with the medium, Bob only receives a certain fraction of transmitted photons. The ND notation in Table 3 indicates “no detection” and represents the qubit that has not arrived at Bob side and therefore cannot be detected by the APDs. The corresponding bit is therefore not available at Bob’s side, i.e., NA. For the sake of readability, in Table 3, the rectilinear basis is indicated as H/V, while the diagonal basis is indicated as *D*.

As defined in the previous section, the sifted events are the bit intervals where both Alice and Bob use the same bases for the measurement. Table 4 represents the sift events extracted from Table 3 where the compatible bases are indicated by a yellow box. It can be noted that, in this example, bits were discarded, i.e., almost half of the transmitted bits.

The next step is to estimate the QBER to determine whether the secure key can be established, or the key exchange should be restarted/terminated. In this phase, Alice and Bob announce the value of some measured bits. In this example, we choose 13 qubits (out of 52 sifted bits) for this purpose, which are indicated by a yellow box in Table 4. In this subset, only one measured bit is wrong (bit interval 40). The estimated QBER can then be calculated as . It is widely acknowledged that the BB84 protocol can withstand a complex quantum attack if the QBER is below 0.11 [45]. In our example, this condition is satisfied; therefore the QKD protocol continues to generate the shared key. These 13 qubits used to estimate the QBER are deleted to prevent data leakage.

The process continues with the rest of the sifted key, i.e., bits (see Table 5). In this example, we employ a simple error detection scheme. Alice and Bob calculate a parity bit for every 3 bits and announce these values to each other. The parity bit ensures that the total number of 1-bits in the string is even. For example, consider the first 3 bit intervals, i.e., 3, 5, and 9, where the corresponding bit values are “110” and “100” for Alice and Bob, respectively. As a result, the corresponding parity bit for Alice is 0, while it is calculated as 1 from Bob’s measurement, which indicates that an error has occurred. The error detection is unable to correct the error, and Alice and Bob simply discard the bits with inconsistent parity bits.

Table 6 represents the 30-bit-long shared key after performing the error detection process. Now, the privacy amplification is performed on the error-free bits. In this example, we simply discard the middle bit of every 3 consecutive bits used in the error detection process to cancel any further possible information obtained by Eve. The final shared error-free key is presented in Table 7, with size equal to 20 bits. The SKGR in this example becomes since there are 20 shared error-free key bits out of 52 sifted key bits.
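The post-processing chain of this numerical example, as an added Python sketch (not code from the paper). The transcript is constructed rather than taken from Tables 3 to 7, which are not reproduced here; it is built to give the same counts (52 sift events, 13 announced bits with one error, 30 bits after error detection, 20 final bits), and the second run shows what the 3-bit parity check cannot see.

```python
import random

BASES = ("H/V", "D")  # rectilinear and diagonal, labelled as in the text

def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Keep bit intervals where Bob detected a photon and both used the same basis."""
    keep = [i for i, bit in enumerate(bob_bits)
            if bit is not None and alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]

def estimate_qber(a, b, sample_idx):
    """Compare the publicly announced sample, then delete it from both keys."""
    sample = set(sample_idx)
    errors = sum(a[i] != b[i] for i in sample)
    rest = [i for i in range(len(a)) if i not in sample]
    return errors / len(sample), [a[i] for i in rest], [b[i] for i in rest]

def parity_filter(a, b, block=3):
    """Announce one even-parity bit per block; discard blocks whose parities differ."""
    kept_a, kept_b = [], []
    for i in range(0, len(a) - len(a) % block, block):  # trailing partial block dropped
        blk_a, blk_b = a[i:i + block], b[i:i + block]
        if sum(blk_a) % 2 == sum(blk_b) % 2:
            kept_a.append(blk_a)
            kept_b.append(blk_b)
    return kept_a, kept_b

def drop_middle(blocks):
    """The text's simple privacy amplification: discard the middle bit of each block."""
    return [bit for blk in blocks for bit in (blk[0], blk[2])]

def post_process(alice_bits, alice_bases, bob_bits, bob_bases, sample_idx, max_qber=0.11):
    """Sift, estimate QBER, stop at or above the threshold, else check parity and shorten."""
    a, b = sift(alice_bits, alice_bases, bob_bits, bob_bases)
    result = {"sifted": len(a)}
    result["qber"], a, b = estimate_qber(a, b, sample_idx)
    if result["qber"] >= max_qber:
        result.update(checked=0, alice_key=None, bob_key=None)  # key exchange ends
        return result
    blocks_a, blocks_b = parity_filter(a, b)
    result.update(checked=3 * len(blocks_a),
                  alice_key=drop_middle(blocks_a), bob_key=drop_middle(blocks_b))
    return result

def constructed_run(flipped_sift_indices):
    """Constructed 100-interval transcript with 52 sift events; flips model channel errors."""
    rng = random.Random(7)
    n = 100
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    sift_pos = sorted(rng.sample(range(n), 52))
    sift_set = set(sift_pos)
    bob_bits, bob_bases = [], []
    for i in range(n):
        if i in sift_set:    # same basis, photon detected
            bob_bases.append(alice_bases[i])
            bob_bits.append(alice_bits[i])
        elif i % 2:          # photon lost in the medium ("ND"), so no bit ("NA")
            bob_bases.append(rng.choice(BASES))
            bob_bits.append(None)
        else:                # different basis: random outcome, discarded at sifting
            bob_bases.append(BASES[1 - BASES.index(alice_bases[i])])
            bob_bits.append(rng.randint(0, 1))
    for k in flipped_sift_indices:   # k indexes the sifted key, not the raw key
        bob_bits[sift_pos[k]] ^= 1
    sample_idx = range(0, 52, 4)     # 13 announced positions: 0, 4, ..., 48
    return post_process(alice_bits, alice_bases, bob_bits, bob_bases, sample_idx)

if __name__ == "__main__":
    # One error inside the announced sample, three single-error blocks in the rest.
    ok = constructed_run([8, 1, 22, 47])
    print(ok["sifted"], round(ok["qber"], 3), ok["checked"],
          len(ok["alice_key"]), ok["alice_key"] == ok["bob_key"])
    # Two errors inside one 3-bit block: both parities agree, so the block is kept.
    missed = constructed_run([13, 14])
    print(missed["checked"], missed["alice_key"] == missed["bob_key"])
    # Three errors in the sample: estimated QBER is 3/13, above 0.11, so no key.
    print(constructed_run([0, 4, 8])["alice_key"])
```

In the second run the two keys differ in one bit even though every parity check passed, which is why practical systems replace this toy check with error-correcting reconciliation and key confirmation.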

##### 2.4. QBER and SKGR Performance

In the performance evaluation of QKD protocols, two key metrics are QBER and SKGR. QBER is calculated as the ratio between the number of incorrectly decoded bits and the bit length of the overall sifted key. SKGR is given by the difference between the mutual information shared by Alice and Bob and the information that Eve might have obtained about the key [76]. In the following, we present the derivations of QBER and SKGR.

Let the polarization of the transmitted qubit be represented by . Furthermore, let denote the polarization of an APD, i.e., [77]. Table 8 summarizes the average signal power that any APD in the scheme of Figure 1 can receive. In that table, is the quantum efficiency of Geiger-mode APDs, while the received average signal power is obtained by multiplying by the PBS output average signal power , which is given by (1).

The probability that a pulse contains photons is provided by the Poisson distribution as where denotes the mean value. Accordingly, the probability of detecting or photon in a given pulse can be represented as and , respectively. The sift event can occur in two cases, i.e., error-free sift and erroneous sift events. In the first case, both detectors connected to one of the two PBSs shown in Figure 1 register a photon count of . Specifically, this occurs on the receiver path where the PBS polarization basis and the incoming photon polarization basis are different. Meanwhile, on the other path (where the PBS and the incoming photon polarization bases match), one of the detectors registers a photon count of , while the other one, with differing polarization with respect to the photon, registers a photon count of . As a result, the probability in the case of an error-free sift event can be calculated as where , with can assume the values reported in Table 8. In the second case (erroneous sift event), photon is detected by the APD with the same basis but a different polarization with respect to the incoming photon. Concurrently, the other APD on that path, with the same polarization as the transmitted photon, erroneously detects photon, while the two APDs on the other path both detect photon. The error probability can be calculated as

The definition of QBER is the error rate in the sifted key, which can be computed as

Replacing (2) and (3) in (4), we obtain

As earlier discussed, the BB84 protocol is assumed to be secure against advanced quantum attacks if the value is below 0.11 [45].

In Figure 2, we plot the QBER in (5) as a function of the fraction of received photons (i.e., ) for an atmospheric channel. We assume , , and [78]. As expected, QBER decreases as increases. The amount of captured photons is greatly affected by various channel effects, including diffraction, atmospheric turbulence, and losses caused by absorption and scattering. For the sake of simplicity, we assume here that the channel is affected only by attenuation loss (the impact of diffraction and turbulence will be considered in Section 3, in the analysis of the underwater quantum channel). The path loss can be taken into account by the Beer–Lambert law, so that where and denote link distance and extinction coefficient, respectively. Figure 3 illustrates the QBER versus the link distance for dB/km, i.e., for an atmospheric channel operating in clear weather conditions, with visibility of 10 km [78]. As the link distance increases, the effect of path loss becomes more noticeable, thus increasing the QBER.

The mathematical representation of SKGR can be obtained by modeling the BB84 quantum channel as a binary symmetric channel (BSC), with a QBER crossover probability. The entropy function determines the smallest amount of Shannon information that Alice and Bob must exchange through a public channel to attain key bit strings that are completely correlated. The entropy function in fact, accounts for the uncertainty of the legitimate receiver about the sender key string, due to possible transmission errors in the quantum channel [79]. Thus, the sender must disclose through the public channel an equivalent amount of information to let the receiver correct the wrongly received bits. The fraction of perfectly correlated secret bits after the error correction phase will then be , which formally corresponds to the mutual information between Alice’s and Bob’s raw keys [79]. To destroy the additional amount of information that Eve could have gained about the key from the transmitted photons, a fraction of bits must be further removed from . Under the assumption of single-photon source, it can be shown that the maximum information achievable by Eve is [79]. Finally, SKGR for BB84 can be expressed as (a similar analysis can be performed for the more realistic case of nonsingle photon source and the decoy-state protocol. The interested reader can find the details in [79]): where the rate is

In (9), is a parameter accounting for the efficiency of the adopted reconciliation algorithm, and its value is dependent on the error correction code used [79]. Any practical error correction technique, in fact, will require an amount of information greater than to reconcile the raw keys. In the ideal case, i.e., setting in (9), Eve’s information equals Alice’s and Bob’s mutual information when . This QBER value corresponds to the BB84 security threshold already introduced in subsection 2.3. When the quantum channel QBER is higher than this value, any bit shared by Alice and Bob can be known to Eve, and no secure bit can be produced (i.e., ). A critical design choice is the type of error correction that determines the reconciliation efficiency of . As an example, take into account the use of Low Density Parity Check (LDPC) codes, which have been optimized on BSCs, for the error reconciliation phase [79]. The reconciliation efficiency parameter can be expressed as [80] with denoting the code rate. Here, the highest possible value of that can be corrected when the length of the code becomes infinite is represented by . Table 1 in [79] lists the code rates and threshold values for optimized LDPC codes. Under the assumption of LDPC codes, the rate in (9) takes the form of
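The secure-key condition discussed above, as an added Python example (not code from the paper). It assumes the usual single-photon BB84 forms, secret fraction = 1 − f·h(Q) − h(Q) and f = (1 − R_c)/h(Q_th), with h the binary entropy; the code rate 0.5 and threshold 0.10 used below are constructed values, not entries of Table 1 in [79].

```python
import math

def h2(q):
    """Binary entropy h(q) in bits."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)

def secret_fraction(qber, f=1.0):
    """Secret bits per sifted bit (assumed form of the rate).

    f*h(Q) is disclosed on the public channel for reconciliation and h(Q) is
    removed by privacy amplification to cover Eve's maximum information.
    The result is clipped at zero: no secure bit can be produced beyond that.
    """
    return max(0.0, 1.0 - f * h2(qber) - h2(qber))

def ldpc_efficiency(code_rate, qber_threshold):
    """Reconciliation efficiency of a code of rate R_c with asymptotic threshold Q_th
    (assumed form f = (1 - R_c) / h(Q_th)); f = 1 is ideal, practical codes give f > 1."""
    return (1.0 - code_rate) / h2(qber_threshold)

def max_tolerable_qber(f=1.0, tol=1e-9):
    """Largest QBER that still yields a positive secret fraction.

    1 - (1 + f) * h(Q) decreases monotonically on (0, 0.5), so bisection applies.
    """
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if 1.0 - (1.0 + f) * h2(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    f_ldpc = ldpc_efficiency(0.5, 0.10)   # constructed code parameters
    print(f"ideal reconciliation: QBER limit = {max_tolerable_qber(1.0):.4f}")
    print(f"f = {f_ldpc:.4f}:          QBER limit = {max_tolerable_qber(f_ldpc):.4f}")
    for q in (0.01, 0.03, 0.05, 0.08, 0.10, 0.11):
        print(f"Q = {q:.2f}  ideal = {secret_fraction(q):.3f}  "
              f"with f = {secret_fraction(q, f_ldpc):.3f}")
```

With f = 1 the limit reproduces the 0.11 security threshold quoted in the text; any f > 1 moves the limit below it.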

#### 3. The Underwater Quantum Channel

Section 2.4 has presented derivations for QBER and SKGR in a generic quantum channel. This section will now provide closed-form bounds for these parameters when applying the BB84 protocol in free-space underwater channels. We consider the impact of diffraction, turbulence, path loss, and other important factors, as reported in studies [81, 82]. We will then analyze and discuss the effects of various channel and system parameters on the performance of UQKD to practically demonstrate the utility of the provided analytical tools.

##### 3.1. QBER and SKGR Evaluation in Underwater Quantum Channels

Assume that Alice sends her key bit string to Bob by transmitting a normalized beam pattern from a circular exit pupil, denoted as , with a diameter of located on the plane through a free-space underwater quantum channel. The average photon number to represent a bit value is . On the receiving end, Bob collects a fraction of the photons from Alice using a pupil with diameter located at the plane . The reduction in the number of photons collected by Bob, quantified by the fraction , is caused by various impairments originating in the underwater environment. Additionally, Bob’s receiver will detect an average of noise photons reaching each detector. As discussed in Section 2.4, the secret key transmission performance can be assessed by evaluating the corresponding QBER. To this end, however, we must first evaluate and for the quantum underwater channel.

###### 3.1.1. Evaluation of

To determine , we will consider the impact of diffraction, turbulence, and path loss on the free-space underwater quantum channel (other system impairments related to, e.g., synchronization and alignment, are beyond the scope of this paper and can be found in [45]). We assume that, for laser diode transmitters with collimated light sources, the impact of geometrical loss is negligible, and the path loss only depends on the attenuation loss due to absorption and scattering. Let , , be the optical pattern sent by Alice from her pupil , where is the transmitted power in photons/s, and

Based on the extended Huygens–Fresnel principle and the paraxial approximation, the received optical pattern at Bob’s pupil is where , while is the underwater quantum channel impulse response for a monochromatic waveform of wavelength and wavenumber propagating from to through a turbulent environment, i.e., [77]

In (14), is the attenuation loss in the path from to ; the second fractional term is the deterministic impulse response of a loss-less, nonturbulent underwater quantum channel, and accounts for diffraction [83]. Finally, and model the random log-amplitude and phase fluctuations induced by turbulence, which (in the weak-turbulence regime) can be described as jointly Gaussian random processes with known first and second moments [77]. The fraction of useful photons captured at Bob’s side can be obtained from (13) and (16) as

In the presence of turbulence is a random quantity, whose statistical description is very hard to evaluate. To simplify its analysis, we will follow the approach proposed in [77], and express by its functional singular value decomposition: where , , and are the modal transmittivities, is a set of complete orthonormal (CON) functions in (input modes), and is a set of CON functions in (output modes) [77, 84]. We remark that, in the presence of turbulence, , , and are random quantities. By inserting (16) into (13), one can easily see that the transmission of the *i*-th input mode (i.e., ) originates the field pattern at , and the resulting fraction of captured photons (15) is . As shown in [77, 81], to find a practical lower bound on the underwater quantum channel QBER, we can limit our efforts to evaluating a lower bound on the expected value of the maximum modal transmittivity , i.e., a value such that [81]. It can be shown that where is the Fresnel number and is the first-order Bessel function of the first kind [77, 81]. The wave structure function in (17) is associated with the spatial power spectrum of the refractive index [85]. For a spherical wave, a specified transmission distance of , and a set separation distance between two points on the phase front perpendicular to the axis of propagation, it is expressed as [81, 86] where the variables within (18) are related to the characteristics of the underwater medium and defined in Table 9.

The analysis of the underwater quantum channel carried out so far has focused on the impact of diffraction and turbulence on the achievable QBER, which can be summarized by the parameter given by (17) and (18). However, the most important and range-limiting effect in both quantum and classical underwater optical communications is the attenuation loss . In the ocean, the attenuation loss is due to the absorption and scattering of the propagating photons by water molecules, dissolved salts, and dead or decaying organic matter, and is typically characterized by the extinction parameter . The extinction parameter is dependent on the wavelength , and results from the sum of the absorption coefficient and the scattering coefficient , i.e., [87, 88]. This parameter was first introduced in subsection 2.4, where it was generally related to the attenuation loss through the Beer–Lambert formula (6) [87]. For the underwater propagation medium, the attenuation loss can be expressed as [89] based on a modified version of the Beer–Lambert formula. In (19), represents the full width of the transmitter beam divergence angle and is a correction factor chosen according to the type of water, as described in [89]. Also, the characterization of the attenuation loss introduced by seawater can be a very challenging problem. The results of extensive studies on light attenuation in the ocean were first summarized by the Jerlov classification scheme, which has been widely used in many works in classical and quantum underwater communications. Thus, for the sake of clarity and completeness, we introduce here Jerlov’s taxonomy of seawaters, together with some more recent, alternative classification schemes also used in the literature.

###### 3.1.2. Classification of Water Types

Jerlov’s classification of water types is a convenient one-parameter classification scheme to describe ocean water clarity [87, 90]. Proposed in 1951, this scheme is still used in underwater optical communications, e.g., when typical classes of water conditions are considered. Jerlov classification is based on the diffuse attenuation coefficient , which is the vertical attenuation in the ocean of the spectral downward irradiance, expressed as a function of wavelength and depth . When averaged over depth, this parameter varies in a systematic way with through a wide range of water bodies, from very clear to very turbid, while remaining rather insensitive to external environmental conditions [87, 90]. Consequently, Jerlov proposed to classify ocean waters into two main groups, open ocean waters and coastal waters, based on observed values of the averaged diffuse attenuation coefficient . He further split open ocean waters into types I, IA, IB, II, and III, and classified coastal waters as 1, 3, 5, 7, and 9 [87]. Type I is the clearest open ocean water, and type III is the most turbid one. Moreover, types 1 and 9 are the clearest and the most turbid coastal waters, respectively. In Table 10, the measured values of , averaged over a depth of 10 m from the sea surface and multiplied by a factor of 100 (for graphical clarity), are reported for the different water types [87]. In the table, the columns span wavelength values, while the rows correspond to the different water types. As a useful practical reference, the study [87] also provides a geographical map illustrating the distribution of Jerlov water types in the world oceans. An updated map of Jerlov’s water types in the Nordic Seas is available in [91].

The relevance of Jerlov classification to UQKD relies on the fact that typically results close to the extinction parameter and can thus be related to the attenuation loss through (6) or (19).

In [88], Mobley proposed a different classification of sea waters, based on selected measured values of the extinction parameter at wavelengths corresponding to blue/green light. Such reference values are reported in Table 11, together with the corresponding absorption and scattering coefficients, for four different types of waters. In particular, the measured values given in that table were obtained at wavelength 514 nm for pure sea water and at 530 nm for clear ocean, coastal ocean, and turbid harbor waters. This water classification scheme has been adopted in several papers available in the literature, e.g., [82, 89, 92–94]. However, it should be remarked that some works strictly adopt the values proposed by Mobley in [88] for the extinction, absorption, and scattering parameters. Other works (e.g., [82, 89, 93, 94]), conversely, though adopting the same water types, use slightly different numeric values for those coefficients. With respect to Jerlov classification, Mobley classification applies to a narrower interval of the light spectrum, centered at wavelength = 530 nm. Nonetheless, it provides a significantly wider interval of extinction coefficient values, since it goes from 0.043 for pure seawater to 2.190 for turbid harbor water, while in Jerlov classification, the averaged diffuse attenuation coefficient at = 530 nm assumes a maximum value of 0.78 for Type 9 water.

###### 3.1.3. Average Number of Noise Photons

To complete the analysis of the underwater quantum channel, we finally need to characterize the effect of noise photons. Bob’s receiver will collect background photons per polarization on average, and each of his detectors will be subject to an average equivalent dark current photon number of . Background noise consists of photons that scatter into the receive aperture but are not part of the transmitting signal, while the dark current noise is caused by thermally generated electrons in the detector. By considering the dark current and the irradiance of the environment, the average number of noise photons reaching each of Bob’s detectors can be obtained by [95] where is the dark current count rate, is the wavelength, is the receiver aperture area, is the field of view (FoV) of the detector, is Planck’s constant, is the speed of light, is the filter spectral width, is the bit period, and is the receiver gate time. is the irradiance of the environment and is given by where denotes the irradiance of the underwater environment at the sea surface, denotes the underwater depth, and is the asymptotic value of the spectral diffuse attenuation coefficient for spectral downwelling plane irradiance [88]. The typical total irradiances at sea level in the visible wavelength band for some atmospheric conditions are provided in [96].

###### 3.1.4. QBER of the Free-Space Underwater Quantum Channel

Based on the lower and upper bounds for sift and error probabilities obtained in [77] over a turbulent channel, we can finally obtain a lower bound on QBER, given by [81]

For the sake of clarity, we recall that, in (21), is given by (20), is given by (17) and (18), and is given by (19). For the nonturbulent underwater path, it was shown in [81] that QBER can be approximated as where represents the largest eigenvalue obtained from the singular value decomposition of the loss-less, nonturbulent underwater quantum channel impulse response (which can be obtained from (13) with ), as described in [97].

Alternatively, for short distance links where the Fresnel number (i.e., ) is high (as those considered in UQKD systems), one can assume . We stress that all results relative to nonturbulent water environments presented in the following will be based on (22), with . A lower bound on SKGR for the BB84 protocol can be straightforwardly calculated by replacing the upper bound on QBER (21) or (22) into (9), for turbulent or nonturbulent channels, respectively.

##### 3.2. Effects of Channel Parameters

Based on the analytical expressions provided in the previous section, we now discuss the effect of various free-space underwater channel parameters, i.e., water type, turbulence, and atmospheric conditions, on the QBER and SKGR performance of BB84. We will consider the Mobley seawater classification, in order to be concise and to include also turbid waters as those observed in harbors. For the purpose of this study, we presume that the transmitter and receiver pupil diameters are both equal to 10 cm, FoV is = 180°, and that the atmospheric conditions are clear at night with a full moon unless otherwise indicated [30]. For the sake of clarity and conciseness, Table 12 summarizes the relevant parameters used in the following examples.

###### 3.2.1. Effects of Water Type

Figure 4 illustrates QBER and SKGR results for nonturbulent underwater environments. We consider clear ocean, coastal ocean, and turbid harbor waters as water types, and assume that a QBER less than 0.11 is targeted. Figure 4(a) shows the QBER as a function of the free-space link distance . Under this performance metric, the achievable distances for turbid harbor, coastal ocean, and clear ocean waters are, respectively, 6.4 m, 59.3 m, and 155.4 m. This clearly demonstrates that the type of water significantly affects the performance. As the turbidity increases, the transmission distance strongly decreases. We highlight that perfect error correction has been assumed to attain the achievable distances mentioned above (i.e., in (9)). To determine the achievable transmission distances using practical coding methods, the SKGR performance is shown in relation to the link length in Figure 4(b). In the error correction phase, we have used an LDPC code with rate of , which has been optimized for a BSC with a QBER threshold of approximately 0.11 (calculated as ) [79] (one should note that it is possible to utilize other LDPC codes in [79] designed for lower QBER values to improve SKGR. However, the maximum achievable distance will remain the same since the highest QBER that can be tolerated to obtain nonzero SKGR should be less than 0.11). It can be seen that a nonzero SKGR value can only be achieved over a maximum distance of 6 m in turbid water. The result is slightly lower than the achievable distance of 6.4 m obtained through the analysis performed above assuming perfect error correction. Similar patterns can be seen for other water types and turbulence levels. For instance, the maximum transmission distances for coastal ocean and clear ocean water in nonturbulent conditions are 59 m and 155 m, respectively, when evaluated using SKGR and the LDPC code with rate of for practical error correction. 
The corresponding analysis, performed under the assumption of perfect error correction, gives corresponding distances of 59.3 m and 155.4 m. Thus, since the two analysis approaches reveal similar results, for the sake of simplicity in the following, we will only consider QBER as the performance metric, and we will always assume perfect error correction.


###### 3.2.2. Effects of Turbulence

The optical signal can also be impacted by turbulence, i.e., by sudden changes in the refractive index due to ocean currents causing variations in water temperature and pressure, which leads to fluctuations in the signal known as fading. In Figure 5, we investigate the effect of turbulence on QBER using (21) and by modelling the turbulent channel based on a subset of parameters given in Table 9. We assume 1/deg, m, , , and which corresponds to strong turbulence. It can be seen from Figure 5 that the impact of turbulence in turbid water is negligible, and the primary factor affecting the signal loss is path loss. As the clarity of the coastal and clear water increases, the distance that can be achieved also increases and the effect of turbulence becomes more apparent. For example, consider the clear ocean. The achievable distance to maintain is around 155.4 m for the case of no turbulence. This reduces to 106.7 m for strong turbulence condition. In coastal water, for the same QBER target, achievable distances are observed as 59.3 m and 53.7 m for the nonturbulent and turbulent cases, respectively.

###### 3.2.3. Effect of Atmospheric Conditions

In Figure 6, the impact of various atmospheric conditions on the performance of the QKD system is explored. The clear ocean with high turbulence is considered and five different atmospheric conditions are taken into account. These are as follows:

1. Scenario 1: clear atmosphere, full moon near the zenith (i.e., )
2. Scenario 2: heavy overcast, sun near the horizon (i.e., )
3. Scenario 3: hazy atmosphere, sun near the horizon (i.e., )
4. Scenario 4: heavy overcast, sun at the zenith (i.e., )
5. Scenario 5: clear atmosphere, sun at the zenith (i.e., )

In particular, the underwater environment irradiance takes a different value for each atmospheric condition, which consequently affects the background noise (cf. (20)). It can be observed from Figure 6 that the maximum transmission distance for underwater QKD systems during the day decreases significantly compared to nighttime conditions, resulting from an increase in background noise. For instance, the maximum transmission distance in Scenario 2 (heavy overcast with the sun near the horizon) is 49.5 m, while it drops to 22.3 m and 6.7 m for Scenario 4 and Scenario 5 (heavy overcast and clear atmosphere with the sun at the zenith), respectively. These are much shorter than the 106.7 m that can be achieved at night under clear atmosphere conditions with a full moon.

##### 3.3. Effects of System Parameters

In the previous subsections, we discussed the effect of various channel parameters on the QBER and SKGR performance for given values of system parameters. In this subsection, we now discuss how to select two critical system parameters, namely field-of-view and aperture size.

###### 3.3.1. Effects of FoV

In Figure 7, the impact of FoV on the QKD system performance is explored. The scenario is set with a clear ocean with strong turbulence, and two of the previously studied atmospheric conditions, Scenario 1 and Scenario 2, are taken into consideration. Here, we consider three FoV values, = 10°, 60°, and 180°. It is observed from Figure 7 that FoV has minimal effect on the QBER during nighttime, as all three FoV values yielded the same result. However, during daylight, the achievable transmission distance improves as the FoV narrows, due to a reduction in background noise. The maximum transmission distance was found to be 49.5 m for FoV of 180°, increasing to 62.8 m for FoV of 60°, and reaching 94 m for FoV of 10°.

###### 3.3.2. Effects of Aperture Size

The effect of the aperture size on the underwater QKD system’s performance is investigated in Figure 8. Both the receiver and transmitter aperture sizes are assumed to be the same, with diameters of = 5, 10, 20, and 30 cm. In the night time, the maximum transmission distance improves as the pupil diameter increases. For example, a maximum transmission distance of 89.9 m is achieved for a 5 cm pupil diameter, while this distance increases to 106.7 m, 130 m, and 151.9 m for pupil diameters of 10, 20, and 30 cm, respectively. The increase in background noise caused by the larger pupil diameter is negligible at night. Conversely, during daylight, the maximum transmission distance decreases as the pupil diameter increases. For example, a maximum transmission distance of 52.3 m is achieved for a 5 cm pupil diameter, while this decreases to 49.5 m, 39 m, and 29.3 m for pupil diameters of 10, 20, and 30 cm, respectively.

#### 4. State-of-the-Art in Underwater QKD

Here, a thorough survey of UQKD is summarized. We will consider separately simulation studies, experimental studies, UQKD systems, and, finally, continuous variable UQKD.

##### 4.1. Simulation Studies

Free-space UQKD was first discussed by Lanzagorta in 2012 [95]. In [98], the authors theoretically investigate the performance of a vertical quantum channel between the sea surface and a submerged vehicle, about 100 m deep. The analysis relies on a closed-form expression of the QBER achievable by BB84 in free space, obtained as a function of depth and some key environmental and system parameters [99]. The results suggest that secure BB84 (i.e., with ) [45] can be achieved up to a depth of 60 m in Jerlov Type I ocean water; conversely, BB84 secure only against simple intercept-and-resend attacks is possible up to 110 m. In Jerlov Type III water, the maximum achievable distance between two UQKD nodes falls to about 6 m. In the analysis, scenarios with coordinated underwater vehicles and surface/aerial assets are also considered. In [100], Shi et al. investigate the scattering and absorption properties of photons in seawater by means of Monte Carlo simulations, based on the vector radiative transfer theory. Numerical results confirm that, under environmental conditions of starlight only and Jerlov Type I ocean water, secure BB84 UQKD is feasible up to a depth of 60 m; the corresponding SKGR is equal to 207 kbps. In the considered scenario, if the QBER threshold is relaxed to , UQKD can reach 107 m, with SKGR of 45 kbps. In [101], the authors analyze the QKD performance through the air-water interface. The effects of the photon incident angles to the air-water interface are considered, and performance bounds in different water types are evaluated. Further theoretical studies are carried out in [29, 102], where the analysis is extended to the decoy-state protocol applied to UQKD, and in [103], which considers horizontal submarine-to-submarine UQKD. All these works further conclude the feasibility of horizontal/vertical UQKD at distances up to about 100 m, based on the assumption that a stable optical link between Alice and Bob can be established. 
Moreover, they also confirm that the performance in terms of SKGR can be improved if the decoy-state protocol is adopted. To overcome range limitations due to absorption, scattering, and turbulence, in [82], a multihop UQKD system is investigated, where intermediate nodes support the key distribution process. In [81], the BB84 QBER and SKGR performances in underwater channels are analyzed. To this end, the authors first present an upper bound for the QBER as a function of path loss and average power transfer function. To analytically model the path loss, they use a modified Beer–Lambert formula taking into account also the scattering effect. Furthermore, they evaluate a closed-form expression of the average power transfer function based on the near-field analysis presented in [77]. Similarly, they can obtain a lower bound for the SKGR. This way, the performance of the BB84 protocol in terms of QBER and SKGR can be investigated in different types of water (clear, coastal, and turbid) and under different atmospheric conditions (clear, hazy, and overcast). The effects of system parameters such as aperture size and detector field-of-view on QBER and SKGR are also assessed by numerical simulations. In the considered scenario, for clear ocean waters, the maximum achievable distance is 155 m. The distance reduces to 107 m, under strong turbulence conditions. In turbid water, the prevailing factor is the path loss, and the maximum distance that can be achieved is around 6 m. The main results of the (comparable) simulation studies discussed above are summarized in Table 13. As one can easily see, all studies confirm the feasibility of UQKD in open ocean water, at a distance of at least 60 m.

##### 4.2. Experimental Studies

The first experimental evidence of UQKD feasibility was obtained in 2017. This experiment, as well as all the other experiments reported in this and in the following section, was performed in a laboratory or in a controlled environment, where a stable quantum channel between Alice and Bob had been previously established by an operator by means of a manual alignment procedure. Specifically, in [28], the authors show that certain physical properties of photons, such as polarization and entanglement, can be preserved after the transmission through an artificial tube filled with Jerlov Type I seawater. In the reported experiment, the underwater quantum channel length was 3.3 m. For single photons at 405 nm wavelength in the blue-green window, an average process fidelity above was observed. In [104], the effect of turbulence on the QBER achievable by UQKD was analyzed. To this end, the OAM of light, also known as twisted photons, was used. Since OAM states lie in a Hilbert space with unbounded dimension, they can be used to implement high-dimensionality QKD. This way, 2-, 3-, 4-dimensional BB84 and the six-state protocol could be tested. The experiments were performed in an outdoor pool exposed to temperature variations between 17° and 27°, to create a temperature gradient mixed with built-in water jets. The feasibility of high-dimensional secure QKD was demonstrated through a quantum channel of length equal to about 3 m. The authors could then calculate the corresponding QBER and SKGR values from probability-of-detection matrices obtained during the experiments. In [105], the transmission of optical beams with various polarizations and spatial modes was studied through the Ottawa River. The experiments were carried out through a quantum channel of length equal to 5.5 m. The paper analyzed the effects of turbulence in the underwater channel, due to differences of temperature and salinity through the optical link. 
In [106], the achievable performance of a UQKD system based on polarization states, BB84, and the decoy-state protocol was analyzed in a laboratory flume tank. In the presence of turbulence, UQKD could be achieved at a distance of 30.5 m, with a SKGR of about 100 kbps, in clear water. Extrapolation of the obtained experimental data shows that a quantum channel length not far from 80 m is achievable, with an estimated key rate between 100 and 1000 bps. Finally, in [107, 108], the persistence of the polarization and OAM states of photons, respectively, was verified by applying quantum tomography techniques through 55 m long underwater channels.

##### 4.3. UQKD Systems

The results discussed in the previous subsection have been mostly obtained by a combination of ad hoc laboratory setups, commercial instrumentation, and off-line postprocessing procedures, with the aim of experimentally demonstrating the feasibility of UQKD; hence, they have been classified as experimental feasibility tests in this state-of-the-art survey. Conversely, the first complete UQKD system, capable of autonomously carrying out the original BB84 process in view of its practical implementation, was demonstrated only in 2019 [109]. Since then, to the best of the authors’ knowledge, five UQKD systems have been presented in the available literature. All these systems are based on the BB84 protocol and polarization encoding. The most relevant aspects of such systems are summarized in Table 14. The first column points at the reference paper that describes the system. The following columns outline the most relevant system features, such as the complete implementation of the BB84 protocol, the real-time execution of all the protocol phases, the used wavelength, the distance between transmitter and receiver in the system validation experiments, the achieved QBER and SKGR, and the implementation of the Decoy-State protocol in the system. Moreover, a common high-level scheme representing the main functional blocks of all systems is shown in Figure 9. As will be discussed in more detail in Section 5, all systems can be operated only in a lab environment, with the quantum underwater channel implemented by a pipe or a water tank. The quantum state transmitter and receiver are described, at the logical level, in Figure 1. However, the technological solutions adopted in the implementations can be quite different. For instance, the quantum state transmitter in [48] is based on a single laser diode and a rotation controller operating on a half-wave-plate. 
Conversely, in the system presented in [113], the quantum states are generated by four distinct lasers and the originated light pulses are then collimated onto the same path by the following transmitter optical circuit. Moreover, each system includes a public channel, a synchronization system, and an additional functional block to support the pointing, acquisition, and tracking function. The solutions adopted to implement such functions also vary significantly across the five systems. We refer the interested reader to the literature for the implementation details. In the following, we will briefly describe and discuss each single system of Table 14.

The system in [109] did not include a true quantum random number generator, and the error correction and privacy amplification phases were not executed in real time. Specifically, this paper described an experimental validation of BB84, over a 2.37 m artificial water channel, using a laser in the blue-green optical window (488 nm wavelength), originating photon pulses at a frequency of 1 MHz. The system described, tested through air, gave an experimental SKGR equal to 422.96 bps, with QBER of . The SKGR and the QBER were then measured through the water channel, with the water attenuation coefficient ranging from m^{−1} to m^{−1}. Correspondingly, the SKGR reduced from 337.2 bps to 37.9 bps, while the QBER increased from to . The obtained QBER values were always below the threshold of BB84; hence, secure QKD could be achieved in all tests. Extrapolation of the obtained experimental data indicated that secure UQKD could potentially reach a maximum distance of about 54 m, with a water attenuation coefficient equal to m^{−1} at 488 nm wavelength (Jerlov Type I water); in such a case, SKGR and QBER would be close to 37.9 bps and , respectively. The paper in [48] provided useful reference values of the SKGR and QBER for UQKD systems, obtained in a controlled laboratory environment. The described experiments were carried out using the BB84 protocol, at a distance of 10 m through a tank, with a single laser diode transmitter at a wavelength of 520 nm, operating at a pulse rate of 20 MHz. In the experiments, the outputs of four single photon detectors were collected by means of an oscilloscope, for off-line signal processing. The measured path loss in the tank at 520 nm wavelength was equal to 0.08 m^{−1}, close to Jerlov Type II water. The UQKD system presented could run with or without the support of the decoy-state protocol. Without decoy-state, the system achieved a lower bound SKGR of 563.41 kbps, with QBER of 0.0036. 
Conversely, using the decoy-state protocol, the SKGR could reach 711.29 kbps, with QBER equal to 0.0095. With Jerlov Type II water, the maximum transmission distance, predicted by simulations, was equal to 19.2 m. Nonetheless, extrapolating the achieved SKGR from Jerlov Type II water to Jerlov Type I water (attenuation coefficient equal to m^{−1} at 520 nm), the authors claimed that the system could operate up to 237 m. The work in [110] describes a UQKD system implementing BB84 with a 3-decoy-state protocol (with blue-green lasers at 450 nm originating photon pulses at 50 MHz) achieving an average SKGR of 595 bps, with QBER lower than through a 30 m long artificial quantum channel in Jerlov Coastal water, between water Type 1 and 3. The water was experimentally characterized by using laser beams at two wavelengths, 450 nm and 520 nm. By extrapolation, the authors claim that the system can operate at a distance of 345 m in Jerlov Type I water. The authors implemented a software tool in MATLAB for real-time postprocessing, including sifting, error estimation, error correction, and privacy amplification.

In [111], the authors presented a UQKD system operating over a 10.4 m Jerlov Type II seawater channel; the system is an evolution of the project presented in [109], and uses a blue laser (450 nm) transmitting pulses at 20 MHz. By using BB84, the decoy-state protocol and polarization encoding, this system could achieve a SKGR of 1.82 kbps, with QBER of . By extrapolation, the authors showed that the system could be used up to 300 m in Jerlov Type I water, with SKGR of 27.4 bps. One significant step forward with respect to [109] was the integration of some fundamental ancillary functions, which are necessary for the application of UQKD in real-life scenarios. Specifically, a classical optical channel was integrated in the system, so that the two UQKD end nodes could autonomously communicate, without any interaction through a laboratory local network. Besides providing a public channel as required by BB84, this integrated optical link could be used for end-node synchronization, and to support pointing and tracking capabilities, as required when operating in a real-life scenario. Also, a further step towards minimizing space and power consumption is achieved through the use of field programmable gate array- (FPGA-) based boards. The FPGA boards were responsible for sifting the keys and then sent the sifted keys to two personal computers at each end. The software tool on the computers handled the correction of errors, checking for errors, and privacy amplification. With this UQKD system, real-time secret keys could be generated.

In [112, 113], Kebapci et al. demonstrated a practical implementation of a UQKD system that runs the BB84 protocol in real time. It was constructed using a combination of an FPGA and an on-board computer (OBC) connected to optical components. The FPGA was utilized to perform real-time photon counting. Both the transmitting and receiving units were powered by an external uninterruptible power supply and could be monitored from a connected computer. Additionally, the system included a visible laser and an alignment indicator to aid in manual alignment verification. The public channel was implemented using a dedicated Ethernet cable. Experimental results that validated the system at a distance of 7 m in clear water were reported.

##### 4.4. Continuous Variable UQKD

The currently available UQKD systems are mostly based on discrete variable protocols, which exploit the properties of single photons to convey information. The use of single photons, which are highly vulnerable to path loss in their transmission through seawater, is the main origin of most of the weaknesses and performance limitations of this approach [8]. A possible alternative, widely investigated in terrestrial networks, is the use of continuous variable protocols (CVPs). CVPs rely on the measurement of quadrature components of light, performed by optical homodyne detection [8]. CVP-based systems can offer various advantages because they transmit light beams composed of many photons rather than single photons. In particular, they are compatible with the highly capable and relatively inexpensive off-the-shelf devices used in commercial optical communication equipment, which now makes CVP-based QKD a hot topic in the terrestrial telecommunication realm. However, few papers aimed at analyzing the application of CVP to UCs are available in the literature. Moreover, they are mostly based on computer simulations rather than experimental work [114, 115].

#### 5. Challenges and Future Prospects

In this section, we delve into two crucial aspects of QKD networks. Firstly, we assess the TRL of UQKD, comparing its current status to established QKD applications. Secondly, we explore the challenging issue of authenticating the UQKD public channel, highlighting the unique considerations and limitations in underwater communication networks.

##### 5.1. Technology Readiness Level of UQKD

From the survey carried out in the previous section, we can infer that the TRL of UQKD is significantly lower than the TRL of QKD applications in fiber/satellite links, which is assumed close to 7 (“system prototyping demonstration in an operational environment”) [116]. Nevertheless, some evolution trends in the path towards the practical adoption of UQKD can be identified. Presently, all reported activities on UQKD are based on proof-of-concept systems operating in lab environments [48, 110–112, 114]. With the development and validation of the equipment discussed in subsection 4.3, the TRL of UQKD systems has evolved from 1–3 (“Basic Research, Concept Stage”) to 4 (“Laboratory research, Validation”). Also, experimental setups are evolving: from the first lab tests carried out through pipes, the most recent experiments are being carried out in open pools, in some cases with controlled level of turbulence, on platforms built in a river [104, 105] or in a large-scale marine test platform [110].

The UQKD systems described in subsection 4.3 can only operate in a lab or in a highly controlled environment. One reason is that dimension, weight, and power consumption of such systems make them hardly usable in a real-life scenario, for instance, integrated in an underwater autonomous vehicle. Nonetheless, there is a clear trend towards space and power consumption reductions through the adoption of small size and low-power devices such as field programmable gate arrays [111, 112]. Furthermore, some fundamental ancillary functionalities are needed to apply UQKD in real-life environments, such as the classic QKD public channel, time synchronization between UQKD nodes, and the pointing, acquisition, and tracking technology needed to establish a stable and low noise quantum channel in free space [117]. Some UQKD implementations aimed at integrating these mandatory functional blocks are ongoing. The problem of aligning transmitter and receiver is an active research field in underwater optical communications [118]. However, studies about the development of such ancillary functions specifically designed for UQKD systems are not available yet, at least in the open literature, and a complete solution is still missing [111].

A debated aspect of UQKD is the range (i.e., the maximum distance between Alice and Bob) at which a UQKD system can operate. The plot in Figure 10 shows some selected experimental and theoretical BB84-SKGR values available in the literature, expressed as a function of the distance between Alice and Bob. One can observe some significant performance gaps among the obtained SKGR results. Such gaps can be explained by relevant differences both in the adopted experimental setups and in the performance of the used hardware components. For instance, the authors in [48, 106, 109] operate the laser photon source at different frequencies, i.e., 1 GHz, 20 MHz, and 1 MHz, respectively, thus originating a greatly different number of photons per time unit; the authors in [48, 109] perform experiments with different water attenuation coefficients: m^{−1} in [48], versus values in the range 0.11 to m^{−1} in [109]. Nevertheless, the available experimental results clearly confirm the feasibility of UQKD. Moreover, it can be reasonably assumed that current UQKD systems can successfully operate at distances of about 30 m in lab tests. Finally, both extrapolation of experimental results and values provided by theoretical studies agree on the fact that it should be possible, in the near future, to extend the quantum channel length up to 80–100 m, with a SKGR in the range 100 to 1000 bps. In this case, UQKD can become a useful technique to implement key distribution in a number of real-life UC scenarios.

##### 5.2. Authentication of the UQKD Public Channel

QKD systems require authentication in the classical public channel because they are vulnerable to man-in-the-middle attacks [8, 119]. In a man-in-the-middle attack on a system with two legitimate parties, Eve impersonates one legitimate party to the other. For instance, in a public key cryptosystem, Eve could send her public key to Alice, pretending she is Bob. She could then impersonate Alice towards Bob, thus creating an encrypted communication channel between Alice and Bob under her complete control [8, 24]. Similarly, in a QKD scenario, Eve could create a quantum channel between Alice and herself, pretending to be Bob, and a second independent quantum channel between herself and Bob, pretending to be Alice. Finally, she could share two different symmetric secret keys, one with Alice and one with Bob, and copy and decrypt all the encrypted data exchanged by Alice and Bob.
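The following toy simulation illustrates why the basis announcements on the public channel must be authenticated; it is an example added here, not code from the paper or from any of the surveyed systems. It assumes an ideal noiseless BB84 link, a short pre-shared authentication key between Alice and Bob, and HMAC-SHA-256 as a stand-in for the message authentication code; all function names are hypothetical.

```python
import hashlib
import hmac
import random

BASES = "+x"  # rectilinear and diagonal polarization bases


def quantum_link(rng, n):
    """Ideal noiseless BB84 link: the sender encodes random bits in random
    bases; a receiver measuring in the wrong basis gets a random outcome."""
    s_bits = [rng.randrange(2) for _ in range(n)]
    s_bases = "".join(rng.choice(BASES) for _ in range(n))
    r_bases = "".join(rng.choice(BASES) for _ in range(n))
    r_bits = [b if sb == rb else rng.randrange(2)
              for b, sb, rb in zip(s_bits, s_bases, r_bases)]
    return s_bits, s_bases, r_bits, r_bases


def sift(bits, own_bases, peer_bases):
    """Keep the positions where both ends report the same basis."""
    return [b for b, o, p in zip(bits, own_bases, peer_bases) if o == p]


def mac(key, msg):
    # Assumption: HMAC-SHA-256 stands in for the MAC of a real system.
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def accept(key, msg, tag):
    """Receiver check; key=None models an unauthenticated public channel."""
    if key is None:
        return True
    return tag is not None and hmac.compare_digest(mac(key, msg), tag)


def session(seed, auth_key=None, eve=False, n=64):
    """One key exchange; returns the sifted keys or an abort."""
    rng = random.Random(seed)  # constructed, reproducible randomness
    if eve:
        # Eve terminates both quantum channels: Alice->Eve and Eve->Bob.
        a_bits, a_bases, e1_bits, e1_bases = quantum_link(rng, n)
        e2_bits, e2_bases, b_bits, b_bases = quantum_link(rng, n)
    else:
        a_bits, a_bases, b_bits, b_bases = quantum_link(rng, n)
    tag_a = mac(auth_key, a_bases) if auth_key else None
    tag_b = mac(auth_key, b_bases) if auth_key else None
    # Basis announcements as delivered. Eve must substitute her own bases,
    # but without the key she can only forward the original tag.
    to_alice = (e1_bases if eve else b_bases, tag_b)
    to_bob = (e2_bases if eve else a_bases, tag_a)
    if not (accept(auth_key, *to_alice) and accept(auth_key, *to_bob)):
        return {"aborted": True, "alice": None, "bob": None, "eve": None}
    eve_keys = None
    if eve:
        eve_keys = (sift(e1_bits, e1_bases, a_bases),
                    sift(e2_bits, e2_bases, b_bases))
    return {"aborted": False,
            "alice": sift(a_bits, a_bases, to_alice[0]),
            "bob": sift(b_bits, b_bases, to_bob[0]),
            "eve": eve_keys}


if __name__ == "__main__":
    key = b"constructed-preshared-key"
    for label, kwargs in [("no auth, Eve", dict(eve=True)),
                          ("auth, Eve", dict(auth_key=key, eve=True)),
                          ("auth, no Eve", dict(auth_key=key))]:
        r = session(2024, **kwargs)
        same = (not r["aborted"]) and r["alice"] == r["bob"]
        print(f"{label:13s} aborted={r['aborted']} alice==bob: {same}")
```

Without authentication, both legitimate parties complete the protocol yet each holds a key known to Eve; with tagged announcements the substituted bases fail verification and the session aborts before any key is used.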

In terrestrial classical networks, public key infrastructures typically rely on a hierarchical system based on certificates released by certification authorities (CAs) to guarantee that a certain public key really belongs to a given entity [8, 24]. As an example, web browsers usually have built-in CA public keys. This way, they can verify certificates of other keys and establish secure connections with any website with certified public keys [8]. However, the use of hierarchical systems based on certificates and CAs is still very hard to implement in underwater networks due to bandwidth restrictions [4].

In the literature, the authentication problem for underwater acoustic networks (UANs) has been specifically addressed [4, 5, 120]. In the underwater domain, symmetric key-based authentication is usually employed. In the case of a secret key shared by multiple nodes, the typical assumption is that, having a legitimate key, the network nodes are trusted and none of them is misbehaving by impersonating other identities [4, 6]. Conversely, if entity authentication is required, a dedicated secret key must be used for each point-to-point connection. However, the use of a symmetric key scheme for authentication would reintroduce the KDP, as discussed in the Introduction. Public key-based authentication can overcome such a drawback, providing a much higher degree of flexibility. The use of public key cryptography in UANs has been proven, based on elliptic curve cryptography techniques and the adoption of implicit certificates. Implicit certificates can implement and securely validate the association between a node identity and its public key without using an explicit signature mechanism [5]. Moreover, they can use data structures of smaller size with respect to the X.509 certificates, usually adopted in terrestrial networks, which can have a size of hundreds of bytes, and are therefore unusable in restricted resource environments such as UANs [5]. Unfortunately, the public key-based authentication schemes currently available for UANs (such as those given in [5, 120]), being based on elliptic curve cryptography techniques, are quantum vulnerable [8]. The problem of applying quantum-safe authentication schemes to the QKD public channel is an ongoing research activity for terrestrial networks [119, 121] and for the IoT [122]. Experimental efforts are also currently being spent to implement (terrestrial) quantum networks that can offer confidentiality, integrity, authentication, and nonrepudiation relying on quantum digital signatures [123]. 
However, to the best of the authors’ knowledge, the UQKD public channel authentication problem has not been addressed yet, at least in the open literature.

#### 6. Conclusions

In 1984, Bennett and Brassard presented BB84, the first QKD protocol. Since then, QKD has become a fast-growing technology in fiber cable and satellite communications and is rapidly moving towards in-field testing and technological prototypes. Conversely, the application of QKD to the underwater domain is at a very early stage, still confined to lab experiments and proof-of-concept prototypes. Nonetheless, theoretical studies and extrapolations of experimental results indicate that UQKD can successfully achieve distances of tens to hundreds of meters depending on the turbidity of the environment. With such knowledge at hand, one may envision future UQKD systems operating in various undersea applications. Yet, to reach the required level of technical maturity, it is essential that we transition from focused laboratory research to underwater field experiments; only such a transition will accurately characterize system performance. In addition, such field testing will provide insight about issues often hidden in laboratory setups, such as the operational system size, power consumption, cost, and overall robustness in diverse conditions.

#### Disclosure

Preprints of this paper have previously been published [124–126].

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This review is supported by the NATO Allied Command Transformation, Norfolk, USA.