The professional’s guide to Quantum Technology
- Preface: Why this guide?
- Part 1 – The background: Why are we so enthusiastic about Quantum Technology?
- Part 2 – The applications: What problems will we solve with Quantum Computers?
- Part 3 – The developments: Searching for a killer application, with a closer look at artificial fertilizer
- Part 4 – The applications of Quantum Networks
- Part 5 – Timelines: When can we expect a useful quantum computer?
- Part 6 – Getting started: What steps should your organization take?
- Part 7 – The hardware: Why you should care about different qubits
- Part 8 – The threat: The impact on cybersecurity
- Part 9 – Scaling up: Why we need error correction
- Further reading: An overview of resources
Part 4 – The applications of quantum networks
If we’re building computers that deal with qubits, superposition and entanglement, wouldn’t these computers also need some way to send qubits to each other? This is the dream of the quantum internet: a network that exchanges quantum-mechanical photons between devices all around the world, parallel to our well-known ‘classical’ internet.
There is a bit of a paradox here. On the one hand, a full-blown quantum internet is very, very far away: a network that reliably transports actual qubits is arguably harder to realize than a large quantum computer, as it will build upon the error correction technology that we’re only just figuring out. On the other hand, it is often said that ‘quantum networks’ have a higher Technology Readiness Level than computing. That sounds like a contradiction, right?
The main reason is that there are some applications for ‘imperfect’ quantum networks, in particular in the context of cryptography.
In that sense, quantum networking applications have always been ‘ahead’ of quantum computing. Already in 1984, long before quantum computers were seriously considered, researchers Benett and Brassard discovered a method to securely negotiate a secret key (think of a password) between two parties, based on sending individual photons. Their result is now famously known as the BB’84 protocol. Similarly, the commercialization of network technologies has long been ahead of computing. Early quantum startups like MagiQ Technologies and ID Quantique were founded around the new millennium, and brought their first commercial networking products to the market in 2003 and 2004. This technology, using a quantum network to establish a secret key between two endpoints, is called Quantum Key Distribution (QKD) – an application that we will address in much more detail below.
The promises of the quantum internet
There is a long list of arguments why we should be excited about the quantum internet. Here is a list of the applications that we hear most frequently:
- Clustering quantum computers: By connecting multiple smaller computers, one might build a much larger computer which has more combined memory and can tackle larger problems.
- Securing your classical communication. The main contender here is Quantum Key Distribution (QKD), sometimes dubbed the “unhackable” network. This allows two distant users to create a secret key (think of a password) that they can later use for further cryptographic applications.
- “Blind computing”: Encrypting your data while still allowing someone else to process it. What if you hire an Amazon cloud computer to do calculations on your data, but you don’t want Amazon to actually see your data? It turns out that you can make quantum computers do their computations even while keeping data encrypted, with some caveats.
Similarly, one could use ‘secret’ software to solve someone else’s problem without them discovering this algorithm. Such applications often go by the name of blind computing or private computing.
- Position verification: Can you prove that you are currently at a given location, in a way that cannot be spoofed?
- Complete protocols that require input from multiple parties, such as leader election or Byzantine agreement. You can find many more in the Quantum Protocol Zoo.
- Make quantum sensors more effective. There exist proposals to combine different telescopes or gravitational wave detectors, and plans to synchronize quantum clocks.
How useful is the quantum internet in practice?
Admittedly, many applications of the quantum internet will depend on how much we will use quantum computers. If quantum computers become widespread in the future, then communication between them also seems to be extremely worthwhile. On the other hand, our current outlook of quantum computers focuses on special-purpose devices that are used to solve isolated problems. It is not immediately clear why they would benefit from a quantum internet.
There is a clear road map to build a reliable quantum internet in the future (involving fascinating tricks like entanglement distillation and teleportation), but this would require multiple error-corrected quantum computers by itself! For that reason, in this guide, we’re not yet looking ahead at applications like clustering computers, multi-party computations, private computing, or making sensors more effective. Regarding clustered quantum computers, we frequently hear arguments that we can make a ‘bigger’ quantum computer by connecting individual ones. I’m always wondering why those computers are not just simply built next to each other. Connecting those is much, much easier than connecting them over a quantum internet.
In the foreseeable future, the first interesting applications are those that work over a “noisy” connection, and transport just one qubit at a time (or perhaps a handful of them). For practical interest, Quantum Key Distribution (QKD) is by far the most interesting application.
The case for QKD
To fully understand QKD, we will need to have a bit more background about cryptography, especially the “key distribution problem”. For a full account, we recommend first reading the chapter on cryptography. In short: we’re wondering how Alice can agree on a secret key with her distant friend Bob, in a world where everyone can read plain data sent over the internet. Surely they can’t just generate a random key and send it over to each other, without having any encryption in the first place! This problem is commonly solved using public key cryptography (which we know will be revamped in the following years). If you really don’t trust public-key cryptography, the main alternative is to physically transport a usb stick by a trusted courier.
Compared to conventional cryptography, the unique selling point of QKD is that it is fundamentally impossible for cybercriminals to obtain the secret key as it is being distributed. As long as our understanding of quantum mechanics is correct (arguably the most well-test theory in science), no amount of computational power or mathematical breakthroughs will let an attacker gain information about the key. Of course, this assumes that the protocol is executed precisely as prescribed, and there are no other vulnerabilities in the actual hardware or software used.
This is fundamentally different from today’s approach of public key cryptography, which must rely on certain mathematical assumptions. We know for sure that, with sufficient computational power, these codes can be broken, but we argue that this takes such an incredibly long time that nobody will bother (except for bragging rights and prize money). Still, such statements about computation times are based on assumptions, and our trust is purely based on our experience that no brilliant cryptanalyst has broken it yet. In fact, well-regarded cryptosystems do get broken from time to time, such as SIKE, which was in the race to become a new NIST standard.
That said, although QKD is “unhackable” in theory, the actual hardware and software are equally likely to contain vulnerabilities. Contrary to well-trusted public-key cryptography, no QKD system has received proper certification and accreditation, and a significant fraction of historical products have been hacked.
QKD requires specialised hardware — although it is much less demanding than other quantum internet applications we mentioned. It can already prove useful on a basic point-to-point network with just two connected parties, of which one should send photons, and the other receive them. This is orders of magnitude less complex than building a fully-featured internet. Moreover, the qubits need only be sent and measured one at a time: no quantum memory or extensive computation are needed. There have already been several demonstrations that use standard telecom fiber (the stuff that’s already in the ground), or satellite-based systems that communicate through air. QKD hardware is fancy and expensive, but not completely out of reach.
The major downside of QKD is that it has no way to confirm who the person on the other end of the line is. Some form of authentication is still needed – which is mostly done with secret keys that should already be present in the first place! This makes QKD just a partial solution to the key distribution problem.
Further reading
- A video explanation of QKD for laymen or experts.
- Companies like Toshiba and ID Quantique offer commercial QKD systems for distances of around 100 km.
- Chinese scientists achieve QKD through satellites over 1000 km.
- Nature commentary why practical long-range QKD is still out of reach.
What do experts say?
Cryptographers that have been working on securing classical computers are typically sceptical about QKD. In fact, all security authorities that we are aware of will advise against the use of QKD at this current point in time. They find the use of additional, uncertified hardware too large of a security risk, and stress that there is a better solution that works on conventional computers: post-quantum cryptography (PQC). From their perspective, PQC offers all the required functionalities, and is currently more practical to test, certify and implement.
Be careful not to confuse the abbreviations PQC and QKD. QKD is the stuff that requires a quantum network. PQC is the stuff that runs on classical computers.
Regarding QKD, it seems that physicists (optimistic) and cryptographers (pessimistic) often have strongly opposing views.
The cryptographers of the American NSA were one of the first to make a strong public statement about QKD. They note:
- “[…] NSA does not support the usage of QKD or [Quantum Cryptography] to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.”
They list several limitations, including the need to authenticate, the costs of special-purpose equipment, and the lack of certified hardware.
Other security authorities have published similar recommendations. The British NCSC:
- “NCSC does not endorse the use of QKD for any government or military applications. [..] We advise that any other organizations considering the use of QKD as a key agreement mechanism ensure that robust quantum-safe cryptographic mechanisms for authentication are implemented alongside them.”
The Dutch AIVD:
- “QKD without PQC is unsuitable for securing sensitive information against the threat of quantum computing.”
Some individual proponents of QKD find that this assessment is a bit harsh, arguing that the technical limitations can be solved by future engineering breakthroughs, whereas the ‘unconditional’ security will provide a long-term benefit. Here are some statements found in a rebuttal by scientists from ETH Zurich:
- “It is important to note that these limitations are not inherent to quantum cryptography but rather due to the early stage of the novel hardware required. Some of these limitations can be resolved in the medium-term future with the availability of cheaper and improved quantum technology “
- “Quantum cryptography has the potential to offer a true advantage over classical cryptography. Unlike traditional encryption schemes, which constantly need to be updated and strengthened to keep up with technological advancements, quantum cryptography breaks this cycle by providing protocol security that is invulnerable to all potential threats, including those posed by quantum computers.”
- “A combination of quantum key distribution (QKD) and post-quantum cryptography (PQC) in hybrid schemes currently offers the most secure approach to data encryption”
More responses to NSA’s criticism, but by startups that are heavily invested in QKD:
We don’t necessarily agree with the statements above, but nevertheless see these as valid arguments in an ongoing discussion.
A fair argument in favor of QKD, stems from the ‘harvest now, decrypt later’ attacks that could be done over today’s internet. These would imply that even the privacy of today’s messages is compromised. This could be a convincing reason for organizations to rapidly jump into a first QKD testbed. Still, for those who can risk the expenses, it might be more worthwhile to look at more mature and readily available solutions. For example, there exist certified solutions that rely on symmetric encryption with trusted couriers.
See also:
- Compumatica offers symmetric encryption with keys transported on SD-cards.
- TNO designed a ‘quantum-safe proxy’ as add-on to existing cryptography.
- StackOverflow question: “Why does the NSA find QKD impractical”?
What’s left is a very niche use-case for the most forward-thinking organizations that deal with extreme security requirements. It is somewhat of a pity that QKD is not so mature yet today, now that many organizations will start their security migrations. A widespread adoption of QKD would make it easier to expand to a large-scale quantum internet in the future. Nevertheless, since a quantum threat could be here as soon as the early 2030s, most companies are recommended to urgently migrate to post-quantum cryptography (PQC) first, and potentially consider QKD as an add-on for additional security later, if needed.
Conclusion
In conclusion, most applications of a quantum internet will not be immediately relevant in the foreseeable future, with an exception for QKD. And even QKD might not be the killer applications that many investors are hoping for – it most definitely shouldn’t be called “unhackable”.
Still, it seems unfair to us to dismiss a quantum internet because it would be ‘too technologically challenging’ or ‘too expensive’. These arguments are correct today, but perhaps naive on a scale of several decades. Would anyone from the 70’s have believed that today, more than half of the world population is streaming videos on a mobile phone for just a few dollars per month? Who knows what the quantum internet will look like 50 years from now.
