 Hello, everybody. We are coming to the end of the show. Before we come there, I have to do the announcement about the t-shirts. If you have pre-ordered one, then, well, I know it's raining. But they have opened the shop. Get it there, because they will not ship it. And there are also some leftovers. So if you didn't get one, I just bought my hoodie. You can get additional ones now again. Speaking about those shirts, did you see the backside of the shirt? There was a nice lineup about all the crypto failures that we had over the years. So a news thing was introduced. And it was marked as, oh, no, it's broken. Then the next one came, and it was broken. And the next one came, it was broken. And now we are speaking about quantum cryptography. And Vady Makarov is leading the quantum hacking lab. And the question is, what is it with the quantum cryptography? So can quantum physics break cryptographic curves? Vady Makarov. Thank you. Can you hear me? You sound good. Good volume. Good. So today, I will give you an overview, talk about the current status of quantum cryptography, including its deployment across the world, and, of course, hacking of quantum cryptography and certification of security. And I decided to keep this talk to just today's technology, technology which is available today. You can purchase it. You can install it in the networks. So I will not be talking about scientific problems which are in development, but something which is commercial today. And there is a lot of material to cover, so I have to go fast in some parts. But please, if you feel like you completely lost track, feel free to stop me and ask a question. Just to give me a notice, I should explain more. So cryptography is extremely important for our modern society. We all rely on it daily. All communications with your electronic devices are encrypted, authenticated with cryptography. All the software updates are authenticated. Any kind of communication, phone, email, a lot of other communications are encrypted. And, of course, the more traditional uses, governments, military companies need cryptography. So everybody uses it. And it makes our society a lot more efficient. We can do more, have more fun in less time. So if we lost the ability to communicate securely, that will be a big step back. So how do we keep this ability to communicate securely? If you look at the history of cryptography, and that's a long history, it stretches back to millennia. You see that the history of cryptographic development of encryption ciphers is a history of failures and a history of one generation of technology replacing another. So some smart guy invents a cipher. And then some time later, another panzit figures out how to break that cipher. And then a more complicated method of encryption is invented and broken again. And a more complicated method again is invented and broken again. And this cycle continues through the years with increasing level of technology. So this was this you could do with pen and paper, pre-computer age. For this, in the middle of the last century, you needed the electromechanical machines because it was too much to do by hand. And now, of course, we use computers. So we go through the cycle of breaking, a generation of encryption, inventing the new, more complicated generation of encryption. Today, 99% of our communication in the internet is encrypted by this pair of ciphers. Public key cryptography, Rivi Shamir Adleman, or Lipty Curve, used for key distribution, and symmetric key cryptography for doing the bulk encryption once you have the key. So that's AES standard currently. And we are in a unique situation. We already know that the public key cryptography is going to be broken once a quantum computer is built because there is an efficient algorithm for factoring large numbers on a quantum computer. So of course, the next generation of cryptography is in preparation, though the mathematical community is actively developing different algorithms for public key cryptography, which are hopefully resistant to a quantum computer. So I have a big respect for that community for doing their job. And they have their own difficulties in doing it. So the next generation is on the way of mathematical cryptography, and it will replace the previous generation. It has to because this one is becoming insecure in some number of years. What is the problem with this approach, replacing one cryptography with another? The problem is that when you are using cryptography, which has not been known to be broken today, your communications are secure for the time being. But somebody or anybody actually could be recording the encrypted communication and storing it. And once the decryption technology becomes available, all your encrypted secrets become decoded public or known in the future. So you only have a certain length of time for which your communications are secure. So if you have the kind of information that needs long-term encryption, medical records, banking, private information, commercial secrets, military government, a good fraction of your secrets need long-term protection. Most of it doesn't, but a significant fraction of important information needs long-term protection. Then today you need to be using the encryption technology, which is going to last secure for the number of years for the length of time that you have to keep your communication secure. So your information has a lifetime. Another thing, when you are going from one generation to another, you cannot do it at an instant. The new technology has to be developed, standards developed, the companies grow, certification, and finally you need to install it in a company. This also takes a number of years. So even if the technology to decrypt our current cryptography is still some number of years in the future, because of those length of time you need to protect your secrets and the length of time needed to change the infrastructure, we already have the problem today, like burning, because we now, in the future, with the advent of quantum computer, we are going to have the problem. So our secrets, today's secrets, recorded secrets, will become insecure. So we need to do something today. And of course it's good to be replacing, so its problem is already urgent. An interesting question is, can we do better than keep replacing the generations of cryptography? One mathematical cipher to another. So notice that here, there is no proof that the next generation of cryptography is unbreakable. Actually, the history tells us, it probably will be broken and there will be more generations of it in the future. So this is not the end of the replacement cycle. It's again another complexity and somebody will figure how to crack those, likely. We don't know, but likely there will be a crack again. Can we do better? Can we invent cryptography which is unbreakable to end the scuttle-mouth cycle? There are two important developments in the history of cryptography. One is the one-time pad. An unbreakable cipher which has been proven, secure, absolutely secure by Shannon in 1949. Who knows, can you raise your hand if you know what is one-time pad and how it works? Too few, I will show you briefly. Because that's uninteresting and important, ah, it's my mouse. So the one-time pad is a very simple cipher. You can literally do it by hand. If you want to use encrypt by one-time pad, first you have to distribute a random secret key between the sender Alice and the receiver Bob. This is a random sequence of bits you generated by throwing dice or by other kind of physical random process and Alice and Bob have the same copy of the secret key. Then you have a message to encrypt. So what you do, you take one bit of the message and one bit of the key and sequentially one bit of the message, one bit of the key, you add them by the module of module two. So zero plus zero is zero, zero plus one is one, and one plus one is zero again. And send this over. Now this is your encrypted communication. You send it over the communication line. For decryption, you perform the same operation. You do addition by module two again, XOR again, and you get back your message. The catch is, so this is unbreakable because the communication in the line is as a random. It has the same amount of entropy as the random key. So there is nothing in this bit stream which tells about what the message is. It's pure randomness for somebody who does not know the key. So the key has to stay secret, of course. And the other catch, you can only use the key once. And it has to be as long as your message. If you reuse the key, both your messages are going to be read. So one single use, one time path. So this is the problem, but this makes the Cypher very inconvenient because you have to have a very large constant supply of key which is as long as big as the bandwidth of your communication channel. Not really that convenient, so it's not very much used today. Another kind of cryptography, important development in cryptography is the invention of quantum cryptography. And this is the entirely new kind of cryptography. It is based on a loss of quantum physics on the basic loss of nature. The security is based on quantum physics instead of assumptions on mathematical and computational complexity. One important application of cryptography is encryption. So for encryption, Alice and Bob have first have to distribute a random secret key between them. And then they can use symmetric Cypher to encrypt and decrypt the messages. So this symmetric Cypher can be one time path if you want to be paranoid or it can be AES Cypher, which is by the way more resistant to a quantum computer. So the difficult part of this scheme is the key distribution because any physical communication channel in principle can be ifs dropped passively in principle a copy of the information and transit can be made. Right now this task is solved by public key cryptography but we know what the problem with that cryptography is. Quantum cryptography can do several things but the only thing which is practical today is quantum key distribution. So this is one protocol which is commercial you can buy it today. So quantum key distribution solves this problem of key distribution between Alice and Bob. So quantum key distribution is not encryption. You still do encryption using the classical symmetric Cypher but you can distribute random secret key using the laws of physics over an optical communication channel. For example, optical fiber in a way that you encode the information on incompatible quantum properties. So essentially the security of quantum cryptography is based on the Heisenberg uncertainty principle. So you know if you have a particle and the particle is moving, you can measure its position. You know here my particle is at this position in space. At that moment you lose information how fast it was moving. It is randomized. Or you can choose to measure how fast the particle was moving and you got the exact speed. But the moment you read the exact speed you lose the position in space. It just jumps to a random position and you don't know where it was. So you can choose to measure one quantum property but not the other. Such quantum properties also exist for photons. So photons are the convenient communication carriers that can go long distance without interacting. You can do hundreds and thousands of kilometers with photons. They don't get absorbed if it's clean air or clean optical fiber. And photons also have such pairs of incompatible quantum properties. So a quantum key distribution protocol uses for example polarized photons. The sender Alice decides randomly to prepare to encode random secret bits in vertical or horizontal polarization of photons. Or she can randomly choose to encode them in the diagonal, two diagonal polarizations. So Bob and Alice they agreed that this horizontal and this diagonal is zero and the other two represent bit one. And Alice chooses randomly which one to apply. And this vertical horizontal basis is incompatible with the diagonal basis. So if you make a measurement in the diagonal basis but your photon was vertical you get a wrong result, random result. Bob also makes his own random choice of which basis to measure in and so they can run the protocol and extract half the bits sent because half the times the basis will match. The problem for the eavesdropper in this protocol though the eavesdropper trying to measure the polarization sent over the optical communication line. She does not know in which basis they are encoded. So she has no clue whether the photon coming is vertical horizontal or this diagonal. And she will have the time measuring the wrong basis. So she will change the state of polarization and introduce a lot of errors in the transmission. And then Alice and Bob can check for the presence of errors in the final key and if they see errors this means there has been eavesdropping. This is the basic principle behind all quantum key distribution protocols. There are actually more than 20 different protocols and they have different details. How to do this error checking? How to do the reconciliation and classical post-processing? How exactly how to check for the presence of eavesdropper? The security proofs which prove that this is actually a secure way of distributing are also complicated. So I don't want to go into those technical details. So this is the key principle and believe me that all quantum key distribution protocols are based on this principle. You encode in two incompatible bases and the eavesdropper does not know in which basis you are encoding. So therefore if she tries to read she will be caught. This is commercial. You can buy those systems now. So for example, this is the 10 years old quantum key distribution system. This one is from IDQuantique, Swiss company. It has been sold, I think the first one has been sold 11 or 12 years ago. So this is now old technology. And those two quantum key distribution boxes each one is connected to another remote node and they generate random keys. Then they pass the generated keys up to the classical encryption equipment. So those boxes do AES cipher on VPN networks and they encrypt all the traffic on the fiber optic networks between those three nodes. So this is already a part of a small network. In principle, the communication distance of quantum key distribution is limited. So this network was implemented using optical fiber. If you have never seen an optical fiber, here it is. I have one meter of optical fiber here as an example. And this is very fantastic stuff. So have a look, if you look at the ends there, so you can see a little black dot at each end of the connector and this is where the light comes in and then it comes out of the other side. And this is one meter. So practically all the photons you can put in the fiber will come out of the other end. And what you see most is mostly plastic. So this is one millimeter plastic made, so you can hold it in hands. But the actual light propagating core is just nine micrometers and 10 micrometers in diameter. So it's very, very small and it's a very clean glass. In order to lose half the photons which you put on one end, if you want to lose half the photons to absorption in the fiber, you need 15 kilometers of this fiber. So 50% loss, 15 kilometers of this fiber. So it's very, very transparent. I will pass it through the, can you grab it and pass along the rows so you people can see. You can try to put light in one end and then you will see a little bright dot at the other end. Yeah, using a flashlight is a good idea. Just hold it straight and then you see why dot at the other end, so light is propagating. But the problem is even the optical fiber is very transparent. If you keep adding 15 kilometers, 15 kilometers, 15 kilometers, eventually after two or 300 kilometers of fiber, you have virtually no photons left. So your key generation speed drops to impractically low speed, like one bit per second or less. Absorption, loss of photons by itself is not a problem for the protocol. You still generate secret key just at a lower, slower rate. But eventually the rate drops to zero. So you cannot run this communication line for too long. The practical limit seems to be about 50 to 100 kilometers. And then you have to repeat this procedure. So what is being built are quantum key distribution networks organized pretty much like internet. So it's a mesh of links, mesh of quantum key distribution links with pairs of boxes generating their own pairs of keys. And it's literally a network like a net with many nodes interconnected by many cables. And no single link is longer than 100 kilometers. But, but if two nodes on this network want to get copies of secret key between them, and they do not have a direct optical link between, they send the request to the network software and the network software figures, which path to use to generate the key. It tells this node to do XOR of one key with the other. So it takes two keys from the store, one time paths, one with another. So adds them by module two and by this operation, those two nodes share perfect secret key. So it can be passed then to application if you want to encode it with one time pattern created with your chat, you can do it. So this is then makes the key distribution extendable to an arbitrary large distances as long as you trust all the intermediate nodes because here you have the secret information in the clear text. So the network has to be provided trusted provider like your government, telecom company or something. This has been demonstrated in many countries, Japan, Great Britain, United States and many more. And the biggest commercial deployment to the date is in China. So China has just installed 2000 kilometers backbone quantum key distribution link over 32 trusted repeater nodes. This backbone is connected to metropolitan size networks in four cities, literally hundreds of nodes right now deployed and they started becoming used by banks and government entities in China. This is the network Chinese network control center. They started letting people in to take pictures since last year. So here you can see the health of the backbone and all the status and everything. So China has heavily invested in this technology and they are really doing this deployment. The next question is, so we can do the deployment. We are doing the deployment on the scale of a city, a region, even a country. How can we go to global distances? How can we cross oceans with quantum key distribution cables? Yes, like what? How can we do quantum key distribution with moon or Mars? I can tell you, we built a sufficiently large telescope on the moon of Mars and then your problems are solved. If you put 20-meter telescope on Mars and 20-meter telescope on moon, all your photos go through vacuum and there's zero loss in the vacuum. You can communicate, do QQD with Alpha Centauri if you want because most photos you send from Earth actually arrive to Alpha Centauri. A little bit of problem will be diffraction so you need to have sufficiently large optics. This is an inconvenience. But in principle, there is no problem. You can do QQD with stars. So the future is bright. But terrestrial distribution in Earth is more. Yes. Okay, great. Now we go back to the details of the implementation of the protocol. The question is, here is Alice, here is Bob. Can Eve just insert he a copy of Alice and copy of Bob and pretend to Alice she is Bob and pretend to Bob she is Alice? The answer is, we need authentication. And authentication can be done either by manually distributing a short secret key between Alice and Bob, like 100 bits. And then once they use this key for authentication using Weigman Carter authentication protocol which is unconditionally secure, unbreakably secure and they start growing their own key then they can use part of that growing key for subsequent authentications. And the good news is that you don't even need to distribute you can actually use public key cryptography for initial authentication because that initial authentication does not have to have long-term security. As long as you can trust that it's not broken before the first QQ decision, then you don't no longer need to rely on the security of the initial authentication. So yes, there should be authentication between Alice and Bob. Otherwise, you don't know that Alice is connecting to Bob. Bob doesn't know you are connecting to Alice. And this is done essentially by classical means a certain authentication infrastructure. Yeah, so now we go into more details of the protocol which I hope to skip just to show you on overview developments. But we can talk later about it. So to cross global distances, this is a physical challenge. In principle, we can sink, make this chain to cross across ocean. We can sink a number of trusted repeater stations on the bottom of the ocean, provide the power and they will function. And this key distribution line is going to be secure against any nation that does not have a submarine. And we now many nations have submarines. So this is perhaps not the best idea. The better idea is to put a trusted node on a satellite. So you launch a polar orbit, low earth orbit, polar orbit satellite and you let it go from between south pole and north pole around the earth like this. The earth rotates underneath the daily rotation. So the satellite is going to be visible in the sky approximately twice a day from any point of the earth, as long as there are no clouds. And then you can let your ground station, optical ground station with the telescope, acquire the view of the satellite. So here is the promotional video from Canada and this is our kind of future Canadian Quantum Satellite Camps interview. And the ground station begins doing quantum key distribution or air between the satellite and the ground station. It's in the sky for approximately four, five minutes and during this time with present day technology you can do a fraction of a megabit of secret key distribution between the ground and satellite. 40 minutes later the satellite flies over a different continent and does another QQD session between another ground station. Then the satellite exsorts the key so he uses one time path to encode one key with the other and the two ground stations suddenly share a secret key. A single satellite can cover the entire earth with a key distribution network. Nice. China has this satellite. Yes, yes, the satellite has to be trusted so you have to trust the nation or the provider that has launched the satellite because with present day technology your keys are in the clear text in the satellite. Future technology when you have quantum memories, quantum repeaters, I'm not going to speak about this today in the future you don't need to trust a repeater. With present day technology you have to trust the satellite provider which is perfect for China. The government is trusted then your QQD is trusted. So China has launched the satellite last year and they just a month ago they have published a very successful project, it's amazing technology. China is years ahead of everybody else in this technology so they have demonstrated entanglement distribution between two ground stations separated by 1200 kilometers. They have actually an entangled pair sourced in the satellite and two separate optical systems which are the same time tracked two ground stations separated by 1200 kilometers. They did a belt test, demonstrated dot yeah, entanglement service over more than 1000 kilometers so this is the basic physics. They did satellite to ground QQD using one beam so they have a photon source here encoded like I have shown different polarizations sent down to ground get decoded. It's about at one kilobit per second to exactly what is expected, it works. They also did quantum teleportation from ground to the satellite. Fancy stuff, I mean I'm not going to talk about China. Call somebody from China to present at the conference. This is, there is a little space race going on so there are also several other countries trying to build their own quantum satellites. One of them is Canada so the most difficult thing is here is not the technology, of course there are technical challenges but the most challenging is to get your government to fund your project and Chinese have been very successful and not Canada is the runner up. One month before the Chinese published their results from their satellite, the Canadian government decided to fund the Canadian Quantum Satellite. So good, we are number two now in the race. This is the project of my colleague at University of Waterloo, Thomas Yenevein. I just helped a little bit in this project. So in our Canadian Quantum Satellite design this is a small satellite, about 60 kilograms satellite. It has the size of a small refrigerator and most of it as you see is the optical system receiving telescope 30 centimeters in diameter and then photon receiver and pilot. The particular interesting thing about our satellite is that we put the photon receiver, the photon decoder in the satellite. So the source of photons is in the ground and the photon receiver is in the satellite and this configuration potentially has some operational advantages. So for right now the photon receiver is the more complex part. So if you want to have many ground stations you want to put simpler technology in the ground station and the more complex technology in the satellite. And this developing has been going on for several years in Canada before we got the final decision that the entire launch is funded. So we have those modules, the satellite payload at a high level of technology readiness. And last year just to test that it works we put the entire payload on an airplane. This is twin engine small airplane. It flew with door removed and inside the airplane we mounted our tracking telescope and photon detector and everything. We also had a ground station with its own photon source and the tracking telescope and we did quantum key distribution from the ground to the airplane. This you can see it at night so the ground station is tracking the dose on a trace from the navigation lights of the plane as it flies past and does QQD. We flew two kinds of paths. So around the ground station we flew circular paths in a circle around in an arc around the ground station and we also flew linear paths. This linear path is more representative of what you will have in a satellite transit because the angular in the satellite is more or less varying distance. It goes approximately in a straight line pass ground station and the angular speed of the airplane about one degree per second is also the same as it will be with the satellite. Those other results of QQD between in those passes. So this is the arc pass and you see that the distance or time delay between ground and the airplane stays approximately constant so the distance is about constant and as soon as the system on the airplane optically locks the angular alignment with the ground station, it locks on the beam. The fine point in here goes to zero and then you know you are actually receiving the optics the photons, the optics is aligned and immediately they have a jump in the photon detection rate and we conduct QQD with error quantum meter rate about two, three percent. So in this session which only lasted about four minutes we generated about zero to megabit shared secret key which is not much of a one time path it's only good for text messages but if say you want to rekey your AES cipher this is already a thousand keys for your AES cipher which is pretty good and in this pass we had 40 decibel loss. So out of 10,000 photons sent from the ground station on average only one was detected on the airplane and the vehicle still generated the key with this huge loss and with the linear pass it also worked the loss is higher, the key is less key but it also shows that our tracking technology and everything works. I want to show you a little bit of nuts and bolts of what goes in the satellite parallel because my lab actually works with it. So one important part of the satellite is the single photon detector and this is one of the prototypes of compact low power consumption single photon detector modules so all our custom electronics, remote controlled, nice, only draws a couple of watts for four channel detector. For the single photon detection we use commercial silicon Avalanche photo diodes so those are little semiconductor devices that if you apply high bias voltage across it so this is high voltage generator across it then when it gets hit by a photon you get a pulse of current out of it so the amplification takes place internally in the Avalanche photo diodes. Here by the way I have one so this is one of the actual photo diodes used in the project. I will pass it along and you can see if you look at this glass window and the photo diodes you can see a little black dot, half a millimeter in diameter and this is where the photosensitive area is so if you hit a photon and you apply high bias voltage 200 volts across it will make your current pulse so it's pretty easy 50% detection probability pass it through. One problem with putting those Avalanche photo diodes in orbit is that there is ionizing radiation in orbit. A lot of it. Charged particles of different kinds flying through your device and the problem is semiconductor. Silicon is very sensitive to those charged particles. They damage when they hit the crystal lattice they make permanent damage, permanent defects in the crystal lattice and this is very bad for single photon detectors. The defects become generation centers for carriers and the dark noise of the detector raises a lot so it sits in the darkness, no photons but it reports as if a lot of photons were detected. And this is of course bad for QQD because this becomes noise and eventually your protocol stops working and actually very sensitive. So we had to test how the silicon photo diodes respond to radiation so we went to a cyclical facility, put them under a proton beam which in a short amount of time simulates the exposure over several years in space and we tested three different kinds of APDs. So this particular one is now making its passes. Don't worry, that sample has not been radiated. Okay, so and as you see, as we simulate two years radiation exposure so your initially very low dark count rate detectors raise their dark count rate, several orders of magnitude and become very noisy detectors. So there are also ways to heal the radiation damage. The best method of healing so far we have discovered in my lab is to eliminate the APD for a short amount of time, 60 seconds, by a powerful laser beam. One, two watt laser we focus it on the APD and we heat it a lot. And this treatment with this barbaric treatment of APDs actually heals the radiation damage. They puts them back in the working order. And there is an amazing big factor of improvement so the dark count rate after this short treatment it drops by a large factor. And the final dark count rate is in a single digits of dark counts per second. It's about as good as a fresh not radiated sample. So it's interesting. So there are ways to heal them. Now, how much time do I have left? Five, past two, good. So we have enough time to talk about security. So you have seen QQD technology and I hope you believe or actually this technology is being deployed. It is starting getting used for actual applications by companies and government entities. Now, we need to prove, we need to ensure we have certification system. We have to certify that the implementations of this technology, this new technology are secure. So how do they prove this? The security model of quantum cryptography begins with the laws of physics. So you take quantum mechanics the best physical theory we know today. According to our best understanding of this physical world, this is how nature works on a microscopic level. There is nothing behind it. So we begin with the physical theory. Then several QQD protocols have a strict security proof. So if you start with the laws of physics you can prove that your protocol is secure. It gives you a shared secret key that nobody can in principle have any bit of. But there is a third component in the security model and that is the implementation of the protocol. The actual hardware consisting of tens of optical components, thousands of electronics components, thousands, thousands of lines of the program code. So the simple protocol which can take one or two pages on paper takes a lot of complexity to implement and the actual machine that will run will calibrate properly, will not lose drugs, synchronization and so on and so forth. And this actual equipment, very often it has deviations, differences between the model of equipment and what is it supposed to do according to the theory and the actual behavior of equipment. There are differences. So first, optical components have imperfections. There is no such thing as vertical polarization, 90 degree polarization. It's always a little bit less, 89.5 or a little bit more, 93.2, you can never align perfectly. So there are small imperfections. The components, optical and electronic components have different modes of operation. So for example, a single photon detector is supposed to detect single photons but it also has a different mode of operation like bright light operation and an attacker can trick the detector to go into a different mode without the equipment, without the protocol realizing it. So there are ways to go around to disturb the proper operation. And finally, the machines are made by people, by engineers and people are imperfect. They face deadlines, they have to deliver, they face trade-offs, their knowledge is limited because they didn't spend years in a quantum hiking club learning how to do it securely. They just came from the electronics degree and they need to put together an electronic socket which does this protocol. And sometimes they don't understand how to implement it securely. Sometimes they are too pressed to pay enough attention. Sometimes they just plainly make mistakes. They leave differences, leave loop holes. So in the end, there are many differences between the actual equipment and the ideal model. And that is the only remaining problem with quantum cryptography. So we look for those differences and when we find a discrepancy between the model and the implementation, very often we can construct an efficient attack that actually breaks the security of the protocol without, at least I'm not realizing it. We publish the attack, what happens next? Of course the developers rush to update their protocol, update their equipment to fix the loophole, to make the implementation insensitive to this particular imperfection. And this is the process which is absolutely happening with every implementation of secure technology. Classical or quantum or physical like logs, mathematical cryptography, quantum cryptography. This loophole, implementation loophole process is conceptually the same. So we are going through this in quantum cryptography and the idea is after enough of those iterations, we will find all important imperfections in the equipment. And then we will have the next generation that is actually secure to hack. So we are going through this process now and I believe we'll be there in a few years. And also we want to have the same certification standards and the whole ecosystem with the labs which can take a formal standard and certify your equipment and your government can set requirements that if you are banked and your QKD equipment should be certified to a certain common criteria level. And so we are now have started building the same certification and standards ecosystem in quantum cryptography. This is done by a working group at the European Telecommunications Standards Institute and all the key players in QKD are members of this group. So this process has started. A little bit of clarification on the threat model, security model which we are dealing with. In quantum cryptography, we are dealing with a very strong case. So first we assume Alice's and Bob's equipment are physically secure. So the eavesdropper cannot physically access the equipment. So they are inside secure server rooms. But the eavesdropper can do anything whatsoever allowed by the laws of physics to the optical communication channel, anything. The photons going through, the light going through. The eavesdropper can use quantum computer, quantum memory, any arbitrary quantum operations are allowed. She can use high power lasers, low power lasers, whatsoever through this communication channel. Anything that is in principle possible, the eavesdropper can do it to the communication channel. And she has a full copy of the classical communication between Alice and Bob as well. Another assumption, we assume that the eavesdropper knows the precise content of Alice's and Bob's equipment, including all the equipment parameters, all the imperfections, precisely. And this might sound like an overkill, but this is actually a very good principle called Kerchoff's principle. So you assume that the eavesdropper knows everything about your equipment, except the explicit secrets. And this is the proper assumptions as the last century of history shows. So we work in quantum cryptography, we have to use imperfect today's technology to implement systems which are secure against this omnipotent eavesdropper on the optical line. We protect the optical line and the eavesdropper, which now who knows everything about the characteristics of the equipment. This is the, I think this is the strongest settings you can ever have in cryptography. So we are working in those assumptions. And you can see the many research, several research groups are working on implementation imperfections. So this is a partial abridged list of attacks. So there are different attacks published which exploit target imperfections and different optical and electronic components in the QQD systems. Nowadays, most of the imperfections are experimentally confirmed on commercial quantum distribution systems. So there is a whole activity going on in this small research community studying attacks. In the remaining time, I will show you example of one attack. One attack just to give you a feeling what kind of optical problems we are facing in this new technology. Attacks are different. You will see one example now. We will study the implementation security of this polarization receiver. This is the prototype for the quantum satellite. So it gets single photons from the optical channel to the satellite on one end and then splits them in four polarizations into four optical fibers on the other end. This is the rugged implementation for the satellite which you can actually launch in space. But most of our experimental tests were made on equivalent research prototype which has the same optical scheme but it's a little bit more accessible so it's a little bit easier to see what is going on. In this receiver, this is the standard polarization receiver. You have beam of polarized photons coming from Alice. It passes the telescope to compress to reduce the diameter of the beam, goes through a beam splitter, non-polarizing beam splitter, randomly splits the photons into one arm or another arm. In each arm, there is a polarizing beam splitter so vertically polarized photons go this way, are focused in the core of a multi-mode fiber and through the fiber go to a single photon detector for vertical photons. Horizontal photons, another detector to horizontal photons. In this arm, which is rotated for 45 degrees, you get diagonal, anti-diagonal, those two polarizations. In this optical scheme, in the normal operation, in normal optical alignment, when the tracking systems of Alice and Bob are locked to each other, all photons from Alice, after splitting, they are actually coupled to all four fibers and they can reach all four detectors. We have tested the resilience of this detector to Eve, who starts tampering with the spatial distribution of light at the optical input of Bob. In particular, Eve can tilt the optical beam by an angle. She can do this because she can tilt it using a prism and she doesn't need to measure the polarization of photons. Tilting the beam is not the information carrying quantity. She doesn't measure the polarization. She uses something else, an under degree of freedom to probe the receiver. And she can always do this. This does not introduce errors. There will be angles at which the photons, so as the tilt angle increases, the photons start missing the core of the fiber so they are focused in the cladding and get lost. So photons do not reach this detector and do not reach this detector and this detector. But because of inevitable optical imperfections, alignment imperfections and optical assembly, there will be an angle at which the photons still couple to the one detector. Then, when Eve tilts the photons at this angle and Bob says, oh, I had a detection. I succeeded to receive a photon. He tells it publicly. Eve knows that only one detector was actually sensitive to photons. So she knows the secret beat value, complete breakdown of security. We have confirmed this attack works. Unfortunately, it works on this type of receiver. What is a good countermeasure against this attack? So one good countermeasure is to put a spatial filter in the focal plane of the first telescope. So this spatial filter, it's a little piece of foil with a little hole, micrometer-sized hole in the middle. It restricts the acceptance angles of these optical systems to a narrower angle than that angle which is restricted by the course of fiber. And this is actually a good countermeasure. It has been integrated into the satellite receiver after our tests. So here you can see the spatial sensitivity diagrams of the four channels, four detector channels, HVDA. And this is the vertical deflection angle and this is the horizontal deflection angle. You see, so the bright color is good, high detection sensitivity, and the dark color is four orders of magnitude below. So this is 10,000 times. It's a big dynamic range. And you see at the normal optical alignment, zero, zero between Alice and Bob, all four channels are sensitive. But if Eve deflects photons to this angle, to this angle, then this detector channel, H, is sensitive. But the other three, this one is not, this is not. So photons deflected to this angle make only one detector sensitive. Likewise, there are angles to address the other three detectors. We modeled the attack and concluded that Eve can actually execute this attack and break the security of the protocol without Alice and Bob noticing. But after installation of the pinhole, the spatial sensitivity, angular sensitivity diagrams become identical and no attack is no longer possible. So good. We have a problem and we have a countermeasure. Are we good hackers? How about inventing a counterattack? How do you think we can break this countermeasure? Any ideas? Remember, we have a laser. So let's take a high power laser, several watt. Put it briefly into the communication beam and shine so much light at this pinhole, though the foil material melts and evaporates and we physically eliminate, destroy the countermeasure. Good. This is the pinhole, before and after. So we did this test, thank you. We did this test carefully. We did not touch the Bob, we aligned the Bob between Alice and Bob exactly as it will do for QQD. We did not touch anything inside. We put our laser 26 meters away so a good distance away from Bob as it will be if the attack is done from the communication channel. But we did one more thing. We put a little periscope here in front of the pinhole and carefully film it. What happens just for fun? What happens to the pinhole during the attack? This is the microscopic movie. This is the pinhole, the original pinhole, 20 micron diameter pinhole. Who wants to start the laser? Him? Sure. Wait, wait, I have to arm the trigger. Take and press the button when you like it. It just makes a bigger pinhole so now it's not 20 micron, it's 140 diameter pinhole. The countermeasure has been destroyed. Another good news, nothing else in Bob's setup has been destroyed. We got lucky, it remained fully operational after this treatment, nothing else got burned. So Bob happily continued QQD but now complete again insecure. Okay, so people do things like this a lot. But so far this research community has worked with the individual attacks. So my research group has decided we need to take this activity at the next level. We need to approach certification and we need to do complete analysis of new commercial implementations. So my research group started partnering with commercial companies and I must say that the companies are very positive to this collaboration. We signed a non-disclosure agreement, we got complete access to all the engineering documentation of new systems and then we do analysis of documentation. The aim of this analysis is to notice all potential implementation problems and describe them and describe how the company can test them and then this can be followed by the second stage when the company or we or the lab or we together work to test and see if the countermeasures are good, if the problems are good. To do this complete testing. And this is an example of initial security analysis report. Sorry, it's efficiently redacted. So I can show it to you. So we list potential implementation problems in QKD systems and optical electronics layer. We describe the problem and we also describe what is needed to confirm or rule out or the problem actually exists, what kind of testing, additional analysis is needed. So most often we will need optical testing in the laboratories for most problems as it turns out. And then importantly, we also rank the problems. We tell the company where the limited resources should be focused. We rank higher the problems which are bought more likely to exist according to our subjective expert judgment and exploitable using today's technology like this laser attack you can build today because many exploits require future technology like quantum computer or lossless lines or quantum memory, but there are sufficient number of attacks that are exploitable today and those are higher prioritized for the company to take care of. And this work is now going on. So we have been doing this with IDK-1-C with the new generation, next generation high-speed clavistry, cow-based protocol. So this is this new system which has been sold since last year. So we are analyzing its security. The Chinese company Quantum C-Tech which supplies systems for the Chinese market. So we've tested one or more systems. We are analyzing security and we are also working with research labs who want to go into commercial development. And this will become a stepping stone to the certification process. So we are participating in this work group and our experience in this informal security audit will hopefully become the basis of a standard. So this work is going on. So last thing, so after this talk you might have an impression that quantum cryptography is not yet good for deployment. Look, it has implementation insecurities and there is no standards, no certification ecosystem. So let's wait. No, actually the way the quantum cryptography is deployed it does not replace classical key distribution. It is used as an additional layer to the classical key distribution. So this is the classical system with the public key cryptography. And in addition you have QQD and the two keys are XOR together to form the master key. And this master key is then used for encryption and this master key is as strong as the strongest of the two. So if one of the systems is broken you still rely on the security of the other. So you have this two layers of redundancy. So today I focus it on today's problems, today's security problems and commercial solutions, technology which is available today. I intentionally did not touch advanced topics. I did not tell you about any other quantum cryptography protocols. You can do fancy stuff. You can do digital signatures. You can do coin flipping. You can do delegated private computation. This is all in developing and research labs but it's not commercial today. Also the trusted repeater network is today's technology. In the future we will have quantum repeaters. We will have quantum memories. 20, 30 years in the future you will not have to trust your repeater. But this again is a future technology and it's a topic for another talk. Today was the realistic today's technology which is getting deployed today. The research results you have seen have been developed in three labs of the University of Waterloo. Thomas Yenevein's lab, Norbert Lugtinghaus' labs and my lab. And we, the satellite technology we work in collaboration with three Canadian companies specialists in single photon detectors satellite technology. And this is my lab, my research group and also some of my collaborators in this picture. As you see to do security testing for quantum cryptography you do need as of today a fully equipped optical lab. So this is a bit of barrier to entry but we have it. This is a normal kind of normal optical lab. Finally, if you want to learn more about different QQD protocols, different aspects of quantum information, quantum computers, other things you can do with quantum cryptography. If you want to see more examples of attacks this is information about two advanced research workshops several days workshops that you can consider attending and if you have questions about any of those ask me. Thank you. Wadi Makarov. So are there any questions left? We have one or two minutes left for questions. Yeah, thank you for this very clear and informative talk and also entertaining I think. My question is this. You had talked about the satellites where a lot of very sensitive and expensive equipment is brought up in the sky and what seems to me more easy and cheap is just to use mirrors and more ground stations. Of course you have to align the mirrors nicely but that also is a case with normal laser communication. So this has not been done or maybe it is but maybe you can then explain me why. Yes, so the question is why don't we launch a mirror instead of a full station? So first problem is you have to launch the mirror so that it is simultaneously visible from different sides of the earth and then you have to go as high as geostationally orbit and if you do this your distance becomes one or two orders of magnitude longer than to lower the orbit and then you have diffraction problem and you need to use huge telescopes like many meters telescopes to overcome diffraction and beam spreading. It turns out it's impractical to use this with small size, reasonably small size optics like something you can put on the roof of a building. You have to do low earth orbit and then the satellite cannot be simultaneously visible from different sides. So you have to do it sequentially. I understand but you can do so. This is the geometry, earth geometry. You can make many ground stations they are not as expensive as this one in the sky so you just take 10 times as much ground stations and use more mirrors than... Of course, but you still need to build a mirror chain and the distance still becomes large and you have the beam spreading problem so the requirement on the sides of optics explodes, unfortunately. It has been studied and it wouldn't put aside. Maybe, maybe. Okay, yeah, but let's talk about it later. Maybe this is realistic but so far I understand this is limitation. Yeah. Thank you. I don't think that we have time for another question. That's very easy. Very, very, very quick one. Just a remark that if you put up a satellite like that, just a strong laser might shoot it out of the sky and you're without keys. Yes, but then you are talking about the laser weapon program of Aga-style nation and then you drop the nuclear bomb on the nation or make a diplomatic note so you are not going to be happy for... Quantum key distribution does not protect against denial of service. It is okay if the communication goes down. Quantum key distribution protects against the key leaking to a third party and notice it. Denial of service is fine outcome, actually. Vadim Makarov with... Can quantum physics break cryptographic's curse? Please give him another warm applause. Thank you. Thank you for coming. I think this was a very explosive talk. Sorry, I do want my samples back. All of them. Please.