 Quantum cryptography and that is we will learn how to exploit quantum mechanics for cryptography purposes And I think also we will do a little bit of relativity in it I don't really understand how you can combine quantum mechanics and relativity without getting loop quantum gravity or string theory But I guess we will find out and our teacher today will be Christian Schaffner who is currently at the University of Amsterdam Please give him a warm round of applause Thank you. Thank you very much So waiting for my slides Here we go. I Work at Qsoft, which is recently established research center for quantum software in Amsterdam And as you just heard, I'm also at the University of Amsterdam and I collaborate with CWI I'm very happy to be here and tell you a little bit more about my field of research quantum cryptography for the next hour or so And so to get started, please put on your 3d glasses. Oh You didn't bring any. I'm sorry for that. It doesn't matter too much I'll put on mine. So we're fine Ready Good So here we go in 1969 Man has first set foot on the moon as you can see here on this picture Send around the world by NASA But maybe they haven't actually so if you believe this kind of Conspiracy theories here on the internet then this scene has actually been filmed in some Hollywood studio. This is all fake and this leads to one of the Research questions that I'm Investigating namely, how can you actually prove that you are at a specific location? So I will come back to this question a little bit later in my talk First of all, here's a quick outline of what I'm gonna cover tonight. So Talking about quantum cryptography we can't do without Telling you a little bit about quantum mechanics So this is gonna be the first part of my talk and then I'm gonna focus on two applications The first one will be quantum key distribution and the second one will be position-based Cryptography basically coming back to that question that I just asked so here we go introduction to quantum mechanics now And For the purpose of this talk you can think of a qubit a quantum bit and as the polarization of a photon Mathematically speaking we're talking about the unit vector unit vector in a two-dimensional complex Hilbert space But don't worry. We're gonna make it way more practical Photons are just particles of light. So imagine you can have a light source You put some polarizing filter here and then this direction of this polarizing filter Basically, it will be the state of the qubit so it will be this vector you can actually turn this around so it this vector has length one and in quantum mechanics We kind of give some particular names to certain directions for instance this horizontal direction here We're gonna call the zero state. So just basically arbitrary naming We call this the zero state and we use this fancy notation with this brackets To denote that state in my talk. I'm just gonna use this symbol here So this round symbol with these horizontal arrows. That's gonna denote the zero state And actually yeah, so there the actual direction doesn't matter So it doesn't matter whether it points here to the right. It may also point to the left We're just gonna work with say the horizontal way of polarizing photons now And the polarization which is orthogonal to that we're gonna call the one state So here we have another state of our qubit and together they form a basis or orthogonal basis Of this vector space and we're just gonna use say the yellow color for it This is called a direct linear or the computational basis Let me get a little bit more practical and actually Like build this thing so we need a light source But wait a second. There's light sources all over the place Actually, I'm holding a light source here in my hand. So this laser perfect light source Now we need a polarizing filter And that's the time when you can take off your 3d glasses again And actually next time you go to the cinema just wrap some of them instead of delivering them at the end of the If the show kept some extra ones because they're actually really useful You can destroy them like this and take out the polarizing filters and so Doing that we can actually build such a quantum system here I have a light source I hold this polarizing filter in front of it and I can turn it the way I like And I basically built that system So Let me show you that a qubit a quantum bit is at least as good as a classical bit So here we have our two heroes Alice and Bob and Alice would like to communicate a bit to Bob Now what you could do is you could take our light source use a polarizing filter like that and and send that to Bob Now Bob on his side he could put another polarizing filter in the Orthogonally polarized and if no light comes through then he doesn't see any photons then he would say well Alice was actually sending a zero state. So I have prepared this little experiment over here now maybe You can switch to the camera So I have a laser pointer here another one and I'm shining Oh, yeah, I'm using little polar bears for polarization You can you can get them very cheap if you go Christmas shopping now. So Here's the laser and I shine through both of these lights and you see over there right now Alice is sending in zero and This other filter is 90 degrees polarized So there's basically almost no reflection here in the ground if I turn this and actually you see this Point there is getting much more brighter. So here's where about it's not the perfect filter, but it's pretty pretty good So now the light is almost gone Okay, you can see so maybe switch back to my slides you can see Using this technique we Can send classical information to from Alice to Bob and in particular if she's if Alice is sending the one state Then if Bob puts his filter the light will go through and therefore if he sees photon he knows Alice was sending a one So we can use QB to send Zeroes and ones and effect what we are doing quantum mechanically speeding is a so-called measurement So Alice is sending a state and we are doing a measurement in the computational basis The outcome of a quantum measurement is a classical bit It's either zero or one and this happens with a certain probability In this case if Alice is sending the one state then with probability one Bob will actually get one as a outcome And nothing changes in his state So far so good now let's do something more interesting and What you can do with a qubit is that you cannot only polarize it say in these two directions What you can do is you can do stuff in between you can just rotate your filter arbitrarily And we're gonna call this state which is kind of 45 degrees between zero and one we're gonna call that Zero state as well, but in another basis namely in the diagonal basis So we have two more states this one and that one and we're gonna use the red color for that in this talk And so these are these two states here the zero state in the diagonal basis and the one state in the diagonal basis Hadamard basis and together they form this another orthogonal basis So this state the zero state in fact In terms of linear algebra and you can interpret it as a linear Combination of the zero and one state So if you take this vector here zero and you add one and you properly Renormalize to have a unit vector then you actually get that zero state So in fact what we have is actually a superposition of zero and one So we have a cube we have a qubit in a state which is both zero and one at the same time Basically just using this diagonal polarization Now what happens if we go and measure that state in the computational basis? So again the outcome will be a classical bit, but now we're gonna have a probabilistic outcome So imagine I mean what happens if you send like diagonally polarized light and you put this filter Like Bob did before then roughly half of the light will go through now You saw me turning before and that the pulse was getting fainter So if you turn like 45 degrees then roughly half of the light will go through I would have to do this experiment with single photons, but then you can't see anything anymore, so In fact what quantum mechanic tells us is if you measure that state in the computational basis You're gonna get a random bit as outcome with probability one half You're gonna see a zero and in fact you're changing the state by observing it by measuring it in a space and because after you've seen A zero then the state is actually the zero state on the other hand if you With probability one half you will get outcome one and you change the state to one So whatever comes out of this filter is actually polarized in this horizontal in this vertical direction Now let me show you the following and this one can actually Demonstrate I'm gonna go back to the experiment so Sorry for all the work over there. Thanks a lot. So this same setups before You see hardly any pulse on the other side because it's now 90 degrees So if I turn I kept it got brighter now, so it's almost gone now What I'm gonna do is I'm gonna take another filter and I put this in between those two filters and What's gonna happen is that the point actually reappears See so this is something very strange. No, you have like nothing goes through and you put something More in between and actually it's gonna reappear Right. So what why what's going on here? So if you go back to the slides, here's the explanation so we started off with something that is polarized horizontally and Clearly if you put something 90 degrees, you don't see anything that was the setup now what we did is the following and We put another filter in between and it turns out that this zero state You can see it as a superposition of this zero diagonal zero state and the diagonal one state So it's a linear combination of these two It's a superposition of these two and once we put this diagonal filter in between we actually measure in that basis for instance obtaining The zero state only letting light through that is in this direction and in fact as I said before I have changed the state to that So I've changed the polarization of the light roughly half of the light is going through and from this Horizontal direction to the diagonal direction and now of course if I put another the other filter in between now Then roughly a quarter of the light is actually going through No, so by putting something in between actually Demonstrating that measurement actually changes the state because again you can Interpret that's here diagonal zero state as a superposition of the other two if you're going to measure you actually end up with with something Yeah So here that's the magic of quantum mechanics Thank you, so here's a quick summary What we've learned so far there are funny states you can actually produce them. It's not that hard We use the yellow and the red color for it what you can do is you can measure them Let's take the one state measure it in a computational basis You will get with probability one outcome one You don't change the state at all if you happen to measure the state in the wrong basis Say the this one state in the in the diagonal basis your outcome is a random bit with probably one half You see zero and you change the state to the zero state and with probably one half You get a one then you change it to the other state, so that's basically all we need to know for now With that in hands we actually enter the wonderland of quantum mechanics We've already seen stuff that can be zero and one at the same time It's kind of a superposition of zero and one and in fact Here is Schrodinger's cat you might have heard about this is a thought experiment a gedonken experiment Where you have some say qubit that is in a superposition of zero and one and it kind of in this box There's a setup so that say conditioned on the outcome being one There's some poison released inside this box that will actually kill the cat and If if the outcome is zero then nothing happens and actually the cat is alive So Schrodinger thought of this experiment don't do that at home and of this box where inside This kind of superposition should extend to this Microscopic object of a cat which is both that and a life at the same time So this hasn't actually been observed in reality yet, but there are Superpositions of saying Molecules for instance, so not not cats, but maybe we'll get there at some point With these things you can build quantum computers So maybe this is there may be a picture of the currently largest quantum computer we have you can count them There's maybe nine qubits This is from the UC For the group of Joe Martinez at UC Santa Barbara. They were bought by Google So there's a lot of development in this area, but that's not where I want to go in this talk I'm gonna focus on this part here below and I'm gonna explain you later in my talk what these things are all about so I Would like to give you a little another little demonstration Here I have a black box my hands here So this is a physical random number generator it's connected through a cable here to the USB port of my computer and What I can do with it is I can create random numbers. Let me switch to the application that does that and Now basically here. You don't see much. There's just a green LED flashing here and it's connected Here you can see the serial number then I can choose what I want to do Let's say I create indigent numbers between zero and one so bits maybe a thousand of them and press generate and Here we go random bits that nobody has ever seen before Great, thank you. So how does it work? if you Look that up and go to the producer's website today Contek in Switzerland They they tell you that inside this box There is a light source like this one that I'm holding in my hand a laser that emits Cubits like things states that we have seen before and they are shot onto a semi transparent mirror Again, this is like nothing fancy actually Yeah, the semi transparent mirror It lets this photons either go through to this side or being reflected to the other side And this just happened roughly with probability 50% here are some photon detectors that detect which side they took and Then there's some classical pre-prose post-processing and in the end you end up here with random numbers So there's a lot of stories to tell about this device Again, unfortunately, I don't really have time for that However, the point I want to make here is that for this you don't need any quantum computer And so there's no quantum computer inside here That's basically just technology and that we can actually build the only thing we need for this is quantum communication And so this is something that we can actually do nowadays So I get slowly but surely to to the first application namely the one of quantum key distribution and Here is pointer away In order to understand that there's one more thing I need to tell you and this is the so-called no cloning theorem So this is a mathematical statement. Let's ask the following Let's take one of these four states at random. Let's let's see notice with this question mark here So this is just selecting one of these four states At random and the goal is to make a clone. So this is Dolly the sheep That's that's we know how to clone sheep and the goal of this task here is to clone an unknown quantum state We'll take an unknown quantum state try to come up with a machine that makes a perfect copy a perfect clone out of this state Now it turns out that quantum mechanics does not allow us to do that So given whatever we can do by quantum mechanics measurements unitary operations, whatever We will not be able to do this. So there exists no cloning machine And this is the no cloning theorem And the proof of it is actually pretty easy. You can do that after say two hours of linear algebra because it turns out that Copying this operation here is simply a non-linear operation and You're only allowed linear operations by quantum mechanics So it's it's really pretty easy to prove that say in two lines if you know like how to formalize this properly and Somehow intuitively like you're forbidden to make a copy but you're forbidden by by law by by nature to make a perfect copy out of a State so this smells already a bit like cryptography, you know We should be able to use this in order to kind of secure information and indeed that's what we can do so To clever people and Charlie Bennett and Jill Brassar in back in 84 They came up with this scheme as quantum key distribution QKD scheme between Alice and Bob It works like that. There's a quantum phase where Alice sends some qubits to Bob So these are these dashed arrows here, and then they talk classically over an authenticated channel so there's an eavesdropper the eavesdropper and tries to kind of listen in in this conversation and she has full control over the quantum part of this transmission the Classical part is authenticated that means She's if is able to to read to to hear everything that the player say but she's not able to change the messages In this setup the goal is to come up with a key a classical key So this is just a classical bit string which is identical for Alice and Bob something like that and if has no clue What it is so whatever she does here. She will not be able to learn that key So this is a key distribution and protocol and I'm gonna explain in a second How this works in more details, but this offers a quantum solution to the key exchange problem And the funny thing is kind of that it does not rely on any computational assumptions such as factoring discreet Logarithms security of AES or char 3 etc. One can mathematically prove that the scheme is secure and It's a key exchange Setting so it puts players into the starting position to use symmetric key cryptography So once you have established you have established a key Then you can go and do your favorite task say encryption You can use a one-time path with that key that you generated here So in order to put this a little bit in a perspective, I've created this slide here So the quantum cryptographic landscape Also naming other things that have been covered here at this Congress So here on the x-axis there is the power of the attackers So we I'm considering here efficient classical attackers and efficient. I mean polynomial time. So attackers that run within like reasonable time frames Classical ones or in like as opposed to quantum attackers where they can use quantum computers But still they have to run efficiently and then there's the funny last column Which is called everlasting security so a term and that means that you're allowed to store Whatever is communicated on the line and then later At some point in the future actually after an infinite amount of time you can break it and Therefore all these things will fail to to a brute force attack So if you look at a yes or Shah and then they're pretty confident that this is cure against efficient classical attackers I mean, there's no proof for it, but that's what you believe people have looked at this for long They probably also secure against quantum attackers It just has to make sure that you use long enough keys and in case of hash functions that you use long enough outputs But of course they will fail against somebody who has just an infinite amount of time Um Then if you saw Dan's talk and then and Tania's talk yesterday, then there's source monster here So this is this big red box here where that will that will come and break RSA and discrete logs. So everything basically every public key crypto system that is currently used on the internet Will be broken by efficient quantum attackers Whereas we are confident that it's they resist classical attackers and Then the area of post quantum crypto kind of kicks in and tries to fix that and coming up with different New schemes and this was the topic of Dan and Tania's talk yesterday namely hash-based signatures the Mac Elise encryption scheme maybe lattice-based Crypto, but more research needs to be done in order to really be more confident than that these schemes actually do resist classical as well as quantum attacks And now what I'm gonna talk about and what my research is about is about this last column here and this is Basically giving like using more technology on the honest player side So it becomes more more difficult technically speaking and also money-wise to implement these things for instance You can use QKD which we can mathematically prove because we don't rely rely on any computational assumption that it's a cure and The and what I see as the biggest advantage of a QKD system is that the that the attacker actually has to act While the protocol is running So it really has to kind of attack it at the moment when it's run And if this attack is not successful then from then point on whatever key is generated will be secure forever and So of course, it's interesting to kind of take this technology if you can afford it if you can somehow implement it and Combine it with we say more conventional schemes to actually get the best of both worlds And that's also how current implementations do it All right, so Let me explain you in a bit more detail how how it works so In this protocol in this BB84 protocol Alice starts off picking random basis So she picks a string of say red yellow red yellow yellow at random She also picks a random string of bits say 0 1 1 1 0 and then she encodes these bits into that basis So we get back this kind of one of the four states. We've seen for each position as before And that's what Alice sends over the quantum channel to Bob now Bob He has no clue what these colors are you cannot see that from the qubits that he receives And so he has no idea what the basis is that Alice was actually using And what he's going to do is just pick another random basis So he picks another basis at random say yellow red red yellow yellow and measures in that basis So he doesn't need to store anything you can just do this beforehand and as soon as the qubit arrives You can then measure immediately So turns out if he was lucky and he picked the right basis Well, then he will also recover the right bit No that we have seen how that works if you will happen to measure in the wrong basis So you are yellow qubit in the red basis Well, then you just get a random bit which might agree with what Alice had in mind, but it also might not so we don't know So how to get to kind of solve this problem? Well, Alice is gonna classically tell Bob say look here This is the the string of basis that I was using say a red yellow red yellow yellow And now Bob knows where he actually measured correctly. No, so he sees. Oh, yeah This first two positions. They were no good. I measured them in the wrong basis So let's throw the results away and just keep the rest where I measured in the rest in the correct basis So you also have has to tell Alice about that so classically again He can tell Alice hey, let's throw away the first two positions. I didn't measure there correctly. So let's just throw those out Okay, and what remains they basically have as key, you know, so that becomes the key that they're sharing But wait a second, it's it's not that easy after all there's the eavesdropper so As I said, the eavesdropper has full control over this quantum communication here and that means that well Luckily, we kind of try to use this no cloning theorem because Well, if doesn't know the basis either so for her it just looks like one of these four states picked at random And we've seen that the no cloning theorem actually forbids her to make a perfect copy out of Classically, you could just copy everything that flies by on the line and you would be exactly in the same position as Bob is However, quantumly, it's not that easy because you cannot simply make a copy and therefore That's tricky parts the honest players Alice and Bob They can actually test whether somebody has interfered because if can try to make a copy But we have seen kind of measuring observing a state actually changes the state and therefore There's a kind of a trade-off the more she tries to learn about that state the more she will actually interfere with it And therefore there will be errors in that remaining part here And so in an additional step in the protocol that Alice and Bob they gonna check classically How many errors approximately are in the remaining in the remaining string? They will correct for that. They just use classical error correcting codes And then they do another step called privacy amplification to basically hash it down to something smaller And all this together will actually make sure that so they might have to sacrifice some more positions They might have to have to apply some additional operations But they eventually end up with a smaller key about which we can guarantee we can actually mathematically prove That Eve doesn't know anything about about it So in order to do this, this is really pretty tricky So mathematically speaking you actually have to follow say a whole course about Quantum information theory in order to give a mathematically sound proof of this statement that I just outlined here But intuitively, yeah, it's not that hard to to crash All right, so As I kind of showed with this device This is something that we can actually do the honest players They only need to generate some photons polarize them I've done it over there and Bob he just needs to measure them upon reception So it's technically feasible. We don't need any quantum computer about Eve might but we don't care I mean, we only care about the all the honest players We only need quantum communication and in fact this company that's producing these random number generators It's not the coincidence. They also produce quantum key distribution devices like this one over here So that's something that you can actually go into a store or a web store and buy it. It's pretty expensive However, these devices are out there and that means that they could also be hacked So we could just go and like open this thing up We will look like that inside this older on older model but this this kind of rack standard rack sized like boxes that are connected by some optical fiber and Well commercially available that means there's also people who actually hack them So this is a picture of Vadim Makarov. He's originally from Russia's now at the University of Waterloo He runs a quantum hacking lab and he has opened So this picture is done by him he's opened these devices and also the random number generator, of course And here's a little picture of him actually at at the camp in the Netherlands at Har hacking at random in 2009 where he brought his little suitcase well little his Eve's dropping suitcase that allowed him to actually hack commercially available QKD systems I don't want to know how he got through customs with that, but he actually managed He has lots of stories to tell about this Okay, so so that's kind of the state of the art of of quantum key distribution and Yeah, I think I'm approaching the last part of my talk So I'd like to come back to this question. Remember the question The moon. Yeah, how can you actually prove that you are at a certain location? so, let's see and Well, normally Cryptographic players and that's perfect theoretically very theoretical world. They use credentials cryptographic credentials Such as say secret information a password or a secret key that you store at some safe place Or say authenticated information like a passport or biometric features like your fingerprint your iris can something that distinguishes You from the rest of the crowd in this in this audience The question I would like to ask here is can the geographical location of a player be used as such a cryptographic credential So is it possible this to use just the fact that I'm on the stage and almost nobody else is Can that kind of dishingish me from from all of you? First of all, this sounds like a bit of a strange question But if you imagine say the the setting of a bank where you just walk in and you see some person behind the counter That you've never met before just the fact that this person is standing behind the counter kind of makes you trust this person with all your financial details No, it's of course the bank has made sure that only trustworthy people hopefully are actually behind the counter But nevertheless, it's kind of the place where it is where this person is that that that makes difference Maybe other applications if you are able to answer this question is like Why have you ever been to the moon are you actually on the moon for instance or say in a military context You want to make sure that a launching missile command actually comes from within your military headquarters and not from some nearby terrorist cell Maybe in the setting of this Congress you want to broadcast the message and you want to make sure that only at one particular assembly It can actually be read Wouldn't that be fun? Maybe you can try to kind of avoid this so-called pizza delivery problem avoid making fake calls to emergency services Like this poor guy over here who has been swatted by him by some fellow gamers And More many more. No, so like try to think of some nice applications and let me know if you come up with them So let's try to do this And of course so this now something happens that we that we always do if you kind of cook up a new question We abstract away all the the noisy details and we kind of try to simplify our world as much as possible And we studied a very basic task of position verification Initially, I'm gonna assume that everybody involved lives in one dimension Just on this line here, of course, that's not realistic actually believe in two maybe 3d maybe 4d But for now just assume that everybody lives on this line We have two verifiers and we have some prover in the middle and the prover would like to convince the verifiers that she is at This particular blue line here And this is a publicly known place as everybody knows what his blue line is And what we want to make sure is that? No coalition of fake Provers and I'm gonna go call fake Provers all everybody that is not at this blue line Except to verifiers. So for instance evil Alice and evil Bob Even even if they collaborate they shouldn't be able to convince the verifiers that one of them is at this blue line That's gonna be the task. I want I want to solve and even More unrealistically, I'm gonna assume I make a lot of oversimplifying assumptions For instance that communication between the players gonna happen at the speed of light Which actually not true in reality No, if you send even if you send information through optical fibers, it travels at less than the speed of light and I'm also assuming that Actually computation is instantaneous doesn't take any time to compute anything Of course, that's also not true and I assume some back channels for the verifiers that somehow they can coordinate their actions This is less of a point. Okay, let's try this Let's try like that. So the first try goes as follows. Let's say time goes downwards And we have the following protocol verifier one picks a random nonce some some random string X and sends that to the prover The prover is simply asked in a protocol to return that string X back to the verifier And the verifier measures the time it takes for the string to come back This technique is called distance bounding because it allows you to upper bound How far away the prover is from this verifier and imagine if the prover is further away Then it will take this message longer to get to the prover and also longer to return So if you know when the message arrives if it's the original message Then you can somehow put an upper bound on how far the prover is away And so if you do this also from the other side Let's say we choose another random string Y and let the prover return it over there Again, we'll measure the time it takes Then hopefully you were able to verify that somebody is at this blue line So let's try to break this setting up our evil Alice and evil Bob Actually, it's not very hard to break this protocol because what they can do is Alice can intercept This classical message X and they know where this blue line is so they know when the honest prover would return it So that just waits for the right amount of time and returns that message back To the verifier after that that amount of time and Bobby does the same thing intercepts why you wait a little Sends that back to why and to the verifiers these looks exactly as if somebody has been at this blue line So they cannot distinguish this situation of the attackers from the situation where there is an honest prover at the blue point So they completely break this protocol doesn't work Let's have a second try something more clever. Let's send this X and Y still Classical inputs so that they arrive at the same time at the prover and let the prover compute some function on these inputs Let's say they want us the prover is supposed to check whether X equals Y Let's say a is equal to be and it's equal to the bit that says whether X is equal to Y or not Then the prover but it can be an arbitrary function that is easy to compute So then the results would have to be sent back to the verifiers the verifiers They would check the time it takes for the for the messages to come back. So Computing doesn't take any time. That's what we assumed. We know how fast the messages travel. So hopefully that will that will work Let's try to break it. So let's set up Alice and Bob now What do they have to do? Yeah suspense so Alice can Intercept this X you can make a copy out of it. It's classical string So you can keep she can keep a copy for herself You can send another copy over to Bob and Bob you can do the same thing He takes this Y keeps a copy for herself sends another one over here and now Just in time. They both have X and Y and they just go along and basically compute the function themselves So this is a publicly known function say equality function Alice can check whether X equals Y and send that outcome in time back to the verifier and Bob you will do the same So again complete break of the protocol doesn't work However, if he and in fact turns out this is a generic problem Actually, no protocol for a classical position verification in this setting Will work. So these people here have shown actually, I should say all these references are actually hyperlinks If you download the slides you can click on them and it will take you to the research paper Which shows that actually this is a generic problem So you can never have any classical protocol that is secure in this sense And this holds not only in in one dimension, but in arbitrary dimensions because simply can set up Attackers between the claimed position and the verifiers They intercept everything that comes along and forward it to their fellow cheaters and they will be able to run the same Function as the honest proof or is supposed to run and thereby and making it look to the verifiers if somebody was there So this doesn't work. However, if you look at the attack So that's what they're doing. No, they're kind of taking a copy of these eggs and Share it with their fellow cheater and then compute the function themselves. This involves copying classical information And of course we have seen quantum no cloning theorem so Turns out that I mean, maybe you should use quantum information and we should make it hard Make it you should make it impossible for Alice and Bob to do this copying operation. So here we go. Let's try that Let's have the following protocol and the first verifier sends Say a random qubit This question mark can be say one of these four Quantum states we've seen before sense that over a quantum channel to the prover and Timed in the way that it arrives at the same time at the prover the other verifier sends a classical bit Just one bit zero one if the bid is zero Then the prover is supposed to send it back to the first verifier You can just put the mirror and then will be reflected back to the to the first verify who again will measure the time We'll make sure it is the original qubit that was sent. Let's assume that that's not a problem Then if the bid is one it's supposed to do nothing just let it pass through and kind of let it fly to the other verifier over here So that's the protocol. I want to look at and let's try to break it So here is the game that we have to play as as attackers Alice has a qubit Bob has a classical bit and if the bid is zero Alice needs to end up with a qubit if the bid is one Bob Needs to end up with a qubit so Bob just as classical information He can do the same thing as before he can make a copy out of his bit to keep on for himself forward one to the other side But Alice she's in trouble now because of the no cloning theorem she has to kind of and Try to make a copy here, but she cannot do to the no calling theorem She's kind of by the timing constraints. She's forced to make up her mind right now right here at this point But she doesn't know yet whether the bid is zero or the bid is one because it takes some time for this information to travel over here So she could of course she could guess she could say well the bid is probably zero I keep the qubit for myself and half of the time she will be lucky and she can send the qubit back But the other half she she doesn't have it She she the Bob needs the qubit and it's too late to send it No, it would arrive too late. So the other verifier would notice so it looks like And This is this is secure because there is some certain probability that things will go wrong There's a there's a non-zero probability that the verifiers can distinguish this situation of the attackers from the one that With an honest prover in the middle who will always succeed. It was very easy to run this protocol Honestly, you can just put the mirror or not and he will always succeed So there's a gap between these two probabilities So if you repeat it say a thousand times a million times then at some point very quickly actually the verifiers will see a Difference between this setting and the other set so that would actually prove security That's what we thought Turns out it's not true Actually, you can break this protocol and you can even break it perfectly So this was quite a this was quite a blow I mean we thought now that that cannot be and in order to understand how to break this protocol I need to explain you two more things I need to explain to you what EPR pairs are because they need kind of a magic resource Alice and Bob in order to do that and so EPR pairs They are named after these three very famous physicists Einstein Podolsky and Rosen and they come in pairs that's why they're called pairs and They somehow haven't made up what they want to be so there's all these arrows here So now it's it's kind of a mixed state and there's this magic glow between them So they are in a very interesting special state. They're entangled. So these are entangled qubits for shrink and It's possible to generate them So Alice for instance can generate them she cannot keep one for herself Bob can she can give the other one to Bob and in fact, they can be very far away from each other So they may be generated at the same place But then Bob can take it with him or say send it over some optical fiber. It can be hundreds of kilometers away However, they are still entangled and what that means is that for instance if Alice goes and measures her qubit So in a computational basis then because this guy hasn't really decided yet What he wants to be you will actually get a random bit as outcome with probably one half You're gonna get a zero and you collapse the state to the zero state and with probability one half Alice will get a one and she will collapse the state to one But the funny thing is that Simultaneously when she obtains her measurement outcome this state also collapses on Bob's side and so this is kind of them the EPR magic So this is kind of the funny thing of this of these quantum states and this is what Einstein called Spook of the Fern Wirkung a spooky action at a distance and he didn't like that So what that means is for instance if Alice observes a zero The zero state and Bob's state is also zero state It means if he goes and measures it again in the computational basis He will now get probability with probability one. He will get the outcome zero He will get you observe the same bit as Alice did before so To Einstein is looked like mmm. That's no good because that seems to contradict my theory of relativity However, it's actually not true. So I didn't quite understand but this EPR pairs They do not allow to communicate information So it's a difference whether so here they allow it allows them to get a shared random bit because when Alice measures She will get a random bit and Bob when he measures He will also get the same random bit. So it's just a shared classical random bit It's not information that Alice had in mind say I want to send a zero to Bob because once she does her measurement The outcome will be a random and that's the difference between sending information from Alice to Bob To just creating some some shared Correlation Now probably this is hard to grasp and don't worry. Yeah, very smart people had trouble with that So if you see this for the first time Relax, so it's okay If you have this Then we can actually do quantum teleportation So we're not gonna do the Star Trek version we're gonna do the version that was cooked up by these people over here Actually a long time ago 93 and it works as follows. So let's say Alice and Bob They have such an EPR pair. Actually, this has been demonstrated many many times Experimentally, so this is something that can actually do They share an EPR pair They might be far away from each other and on top of that Alice has an unknown qubit and that qubit This qubit over here in this unknown state that she doesn't know she would like to teleport to Bob So she would like this qubit to end up on Bob's side Now what she can do is she can do a kind of complicated measurement that I haven't talked about on her two qubits so she will do a so-called bell measurement and This is a measurement on two qubits It's the half of the EPR pair that she shares with Bob together with the qubit that she wants to teleport The outcome of this measurement is again going to be classical classical two Random bits actually random bits. So say say zero one two or three and Magically because of the entanglement this state will this qubit will appear on Bob's side However, it will not appear in the clear. It will appear in some encrypted form Actually, this is the analog on to the classical one-time pad so X soaring with a random bit This is actually the quantum one-time pad because it's actually X sort in a quantum way with two classical bits because if Alice Sends this classical outcome sigma over to Bob then he is able to unlock this encryption and actually recover the original qubit So this is the procedure how quantum teleportation works You have to do a bit. You have to have an EPR pair You have to do a bell measurement You get a classical outcome that outcome needs to be sent to the other person And once you know that you can undo the encryption of the state in order to recover this original qubit here And again, this is something that does not contradict relativity theory So this this kind of collapse here doesn't happen Instantaneously you can only recover this qubit after you've learned the classical information And so it takes some time for this classical information to travel from Alice to Bob No, if they're far apart And so there's there's no information going faster than the speed of light because you have to wait for the sigma before You actually get the state that was in Alice's hand before All right, so now with that attempt we can break our protocol Remember what it was the attack Alice had a qubit Bob had a bit the bit the qubit should end up at Alice's side if it was zero if this bit was one then Bob should end up with the qubit and If they share entanglement if they share say two EPR pairs like this and and why wouldn't they know they can just go and prepare that beforehand Then they can actually perfectly break this protocol because what they can do is Teleportation so here here we go Alice would do a teleportation measurement a bell measurement on this qubit that she holds Together with the first half of one of the EPR pairs. This will teleport this qubit over here to Bob Now actually it will not be here in a clear it will be encrypted But these keys you will just send these classical keys along here and Bob Bob he has the bit he knows whether he should keep the qubit or not So if the bit is one he will just not do anything and wait for these keys to arrive and uncover this this qubit So then he will hold the right qubit. However, if the bit is zero Then he will actually teleport it back to Alice. He will just do another teleportation measurement And kind of make this qubit now end up again on Alice's side So it's at the right place now. It's kind of double encrypted It's encrypted by this measurement and by that measurement But again, there's time for this classical information to travel So he would send along b and he would send along the outcome of this this measurement And then Alice at this point she learns oh b zero So I have to look at my second qubit here and I have to undo This measurement here that Bob that did to uncover and then I have to undo my own measurement that I did And I will end up with with the correct qubit so Hereby you actually perfectly break the protocol because again to the verifiers. It's going to look as if somebody is in the middle so Well, are there Actually protocols that cannot be broken and this is kind of the one of the main results we obtained In this research area. In fact, there is no secure protocol So what we have showed is a so-called no-go theorem that we've done back in 2010 That any position verification protocol even if it's a quantum protocol It can be broken using a huge number of entangled qubits So if you have enough resources an exponential and the amount of resources then you can break any Of these position verification protocols However, as always in science if you kind of answer a question and you prove a theorem It immediately leads to new questions and it here the obvious question is well Do you really need that many resources or is there a protocol? Such that it's easy to run if you're honest So honest provers and verifiers are efficient So they just need to do simple things But where we can guarantee that any attack on it requires a lot of entanglement But that would be great Then then we actually have a secure protocol And this is this is actually a research question that i'm currently studying And I invite you to have a look at my home page for some reason developments in this in this area I think that brings me to the end I hope you've learned something in this talk First of all about quantum mechanics what qubits are these four states You've seen the no cloning theorem You've encountered some funny new resource state that qubits that are entangled And you've seen how to use them to do teleportation In the first application I've talked about quantum key distribution and try to give you a little bit of context How where it fits in the world and in second part I've talked about position-based cryptography One of the currently active research areas Where it depends whether you can break the protocol if you have free enough resources And maybe you cannot if you don't have enough resources All right, thank you very much for your attention We now have some minutes left for q and a so please line up at the microphones And this is an exceedingly well miced room So you have eight microphones to choose from just line up at any one of them And I will call you when you can speak Yeah, and please try not to walk in front of the cameras when you leave This is very annoying for the people on the stream Also the people in the stream if you're on the isc channel or on twitter You can just ask questions there. We do have an internet person here that will read your questions Microphone number two, please Hello, um, yeah, thanks for the great talk and and But I have one question um concerning the quantum key distribution Using real machines and and you said they could be hacked and for my understanding And clarification. I assume that this hacking does not take place At the quantum part of this process, but it takes place at the specific Implementation and and the classic Channels, is that too? Yes, of course. So with any system you implement Even if you can show security improve security in our perfect mathematical model We have to make sure that we actually model the reality and in reality things are way more complicated You have to use photon detectors and in fact in this particular case It was the the photon detectors that were attacked So you were the Vadim was able to actually blind them by just shining in a lot of light So they are very sensitive They normally operate on a single photon level And and and thereby kind of getting out of the model that we that we use to prove security So so it's it's really an attack on the on the actual implementation But in fact, maybe I can say in general that I see this as a as a sign of maturity of this field I mean, that's the only way to go no somebody has to build the machine Then somebody comes and attacks it and kind of it's a cycle No, and so so things get better by by investigating actual implementations. Thanks Just a quick note to the people leaving right now This talk is going on for like three more minutes So please just wait three more minutes and stop being very annoying to everybody. Thank you Internet, please Thank you. First question. Is there anything you can do at home with limited budget? Um Well, you can definitely run this little experiments that I did I actually can have a lot of fun with polarizing glasses in general and But say of uh real cryptographic relevance That's going to be way harder because you do in order for this security proof to kick in You do have to operate on a single photon level And this is this is very uh delicate to handle. So you do need some photonic lap in order to do that Microphone number one, please So one comment because you were commenting on our talk from yesterday the post one talk I mean, if you are using uh as or if you're using any authentication code You are back to computational assumptions hardness assumptions. So when you had your overview table You were still claiming you have infinite long-term security While at the same time you're combining it and that's just not true. The other comment I have is So how about my mobile communications? How about the most common use of internet via wi-fi? Okay, um So, um You're Considering your first question. I think we should take this offline. I mean, I'm happy to explain it to you Your second comment, of course, uh, so in that sense, uh, this research is not I'm assuming a very strong model for this position verification where basically As I said, I call kind of fake provers all those that are not at this claim position and they can even It can be even coalitions. So in that sense, it's not realistically modeling A real world scenario I'm not talking about Into the mic, please I'm speaking into my key I'm not talking about the second part. I'm talking about like what would Qkd give me for the normal crypto applications. Oh, okay mobile phone wi-fi. Okay. Um, well, as you know, uh, it's quite a High demand say on the hardware site that you have to have in order to run this protocol Of course, there's also a lot of efforts to actually miniaturize those Devices so that maybe at least one part is actually Portable in sense And the the yeah the best kind of add-on that qkd Can offer is this everlasting security that you have to kind of Be active attacking Actively attacking at the point of execution and if you're not successful in that then then actually the rest of The time the security will be guaranteed. So I will have lasers. Sorry. We have lots of people queuing. Please discuss later. Thank you microphone for please And covered me if I'm wrong, but you need a direct line for this kind of thing to work, right? So if you have any routers or something in between then it won't work because you need to read it out or make a copy And just clarifying are you talking about the second part or the first part or both? I think Um, well for quantum key distribution, uh, that doesn't matter too much So you're you're perfectly fine routing your cables around corners. You're using optical fibers For the second part. It's actually kind of crucial. You're right. So it's all about timing there so and of course you have to Consider more realistic settings also the fact that you are not we are not communicating at the speed of light this will add additional constraints and so it will Way more work is required to to model say a more realistic setting where you might not have a straight line of sites Very very communication. Ashley has to take some corners And so you might end up not with one particular position you can verify but with a whole interval So where you can make sure that somebody is so but these are things that we are currently Working on to make to to to model things more realistically Mike number two, please Hello, I think kanya had a similar question But you said you have no computational assumptions for qkd But you need this authenticated channel And the authenticated channel you do it with classic crypto with either an h mac or rsa signature So you have the computational assumption again So I think this whole qkd thing is kind of circular. You're trying to replace Whatever an aes cipher, but you again need some Maybe a hash function or some signature from Traditional crypto to make it work in the first place. So I think it's a very expensive solution for a non-existing problem Okay Well, so in fact, you don't need to use a computational scheme to to do authentication there information theoretically secure authentication schemes, but You're right that you're using up this key So in a sense also what you can never prevent is that if just completely blocks all the communication And in that sense you will she will be able to kind of make you run out of key but what it does at is that that This this feature that I already told tanya namely that that you have to be active at the moment of execution So this this is kind of the the upgrade to say classical schemes Unfortunately, we are out of time. So please thank christian again