►
From YouTube: IETF-QIRG-20220202-1200
Description
QIRG meeting session at IETF
2022/02/02 1200
https://datatracker.ietf.org/meeting//proceedings/
A
B
A
So
first
hi
everybody
we're
gonna,
have
a
talk
given
by
mark
kaplan
from
very
cloud,
but
before
we
get
to
that,
I'm
gonna
go
through
the
note.
Well,
I'm
going
to
kind
of
leave
it
on
the
screen
as
usual
and
go
through
the
slides
for
you
to
just
slowly
absorb
them.
A
And
yeah
just
to
wrap
up
the
not
well
iotf
is
their
research
organization,
not
a
standard
organization
like
the
itf.
So
do
keep
that
in
mind
and
our
focus
is
fostering
collaboration
and
talking
about
research.
A
Introduce
our
speaker,
so
our
speaker
for
today
is
mark
kaplan,
mark
kaplan
graduated
from
the
university
of
paris
suit,
and
he
has
worked
in
montreal
with
universal
and
in
edinburgh,
with
alan
kashifi
and
before
founding
very
cloud.
His
research
was
focused
on
using
quantum
algorithms
to
break
classical
cryptographic.
Systems
on
the
design
of
customers
and
alternatives
and
mark
is
from
very
cloud
which
is
a
startup
based
in
paris,
as
founded
by
mark
alam
and
alain
kashafi
and
joshua,
as
focuses
on
developing
solutions
for
long-term
security
based
on
quantum
communication
networks.
A
C
Hi
paycheck
hi
hi
everyone
thanks
a
lot
for
the
invitation
and
the
introduction.
Can
you
hear
me
no
problem?
No.
C
All
right,
so
I'm
going
to.
C
C
Right
so
I
will,
I
will
present
our
work
at
very
cloud.
Actually,
what
I'm
going
to
present
is
the
core
of
my
work,
but
I
want
to
to
start
with
a
quick
intro
about
who
we
are
and
what
what
we're
doing
took
a
bit
at
the
end
of
more
longer
term
longer-term
goals,
also
in
terms
of
research.
C
A
C
And
the
the
ambition
that
put
us
together
is
that
quantum
communication
is,
of
course,
a
great
great
realization,
but
in
order
to
to
transfer
what
we
knew
about
the
technology
to
to
to
the
industry,
we
believe
that
there
was
a
lot
of
work
to
be
done
on
the
on
the
software
level
right.
It's
not
only
about
building
better
and
better
devices,
but
also
adapting
those
devices
to
match
specific
use
cases
right.
C
So
so
everything
I'm
going
to
tell
about
is
new
work
that
we
performed
at
very
clouds,
but
just
keep
in
mind
that
we
don't
do
anything
new.
Regarding
the
physics
there
at
very
cloud,
all
of
our
work
is
on
the
the
abstract
layers
of
quantum
networks
and,
of
course,
one
important
thing
I'll
talk
about
it
at
the
end.
C
Is
that
we're
driven
by
this
long-term
vision
that,
of
course,
everybody
there
likes
a
lot
of
building
a
quantum
internet,
so
global
quantum
network,
and
especially
the
work
of
el,
am
on
secure
quantum
cloud
computing
was
a
strong
driving
force
to
to
to
start
very
cloud
in
the
first
place
right.
So,
as
I
was
saying
this,
this
is
the
this.
Is
the
core
of
our
work,
but
but
we
also
participate
to
a
few
research
projects,
including
the
quantum
internet
alliance.
C
So
so,
if
you're
interested
into
you
know,
partnering
through
research
in
research
projects,
don't
hesitate
to
to
contact
me
all
right,
so
this
are
actually
all
the
people
that
are
involved
into
this
work
about
about
q-line,
and
although
we've
been
developing
this
this
architecture
for
a
long
time,
the
the
paper
summarizing
all
the
results
is
still
under
under
publication.
C
So
josh
elem
and
I
worked
on
the
core
idea
and
the
realization
girl
here
is
the
photonics
person
in
charge
of
the
application
and
ann
and
mina
work
more
on
the
security
proofs
and
and
software
aspects
right.
So
probably
one
thing
that
I
don't
have
to
tell
here,
but
I
like
to
remind
to
people
when
I
talk
about
quantum
quantum
technologies,
is
that
quantum
networks
is
already
a
rather
mature
field
in
the
sense
that
we
can
find
quantum
networks
in
the
world.
Some
of
them
already
exist.
C
Some
are
in
development,
the
main
one
or
the
most
important
one
today
is
the
chinese
quantum
quantum
communication
network
in
europe.
There
is
a
strong
push
toward
this
euro
european
quantum
communication
infrastructure
project,
with
lots
of
local
initiatives
now
being
built,
local
local
quantum
network
by
local.
I
mean
at
the
scale
of
the
city,
for
example,
and
connections
between
them
using
using
satellites
right.
C
So
when
we
talk
about
quantum
technologies
and
in
particular
quantum
computers,
we're
talking
about
something
that
is
long
term,
quantum
networks
are
still
at
the
beginning,
I
would
say,
but
but
it's
something
that
that
is
happening
now,
as
you
all
know
here,
but
it's
always
good
to
to
remind
it
to
to
to
audiences
in
general
right,
and
why
do
people
do
that?
C
So
this
is
a
very
short
summary,
of
course,
a
summary
of
years
and
years
of
research
and
also
I'm
summarizing
the
story
more
from
the
from
the
user
point
of
view
or
the
customer
point
of
view.
I
should
say,
of
course,
with
quantum
key
distribution
that
you
can
run
on
quantum
network.
You
get
this
unconditional
security,
which
implies.
I
mean
it
has
lots
of
very
nice
implications.
C
Your
data.
Can
you
can
guarantee
the
security
of
your
data
for
very
long
term,
which
becomes
more
and
more
relevant
since
the
value
of
the
data
has
sold
over
the
last
decade?
I
would
say:
yeah.
C
One
thing
that
is
really
cool
is
that
you
can
use
quantum
key
distribution
in
combination
with
symmetric
cryptography,
to
make
it
more
efficient,
and
I
don't
I
don't
think
that's
downgrading
the
security.
It's
not
unconditional
anymore,
of
course,
but
what
you
get
in
the
end
is
a
quantum
safe
system
using
I
mean
for
the
encryption
part
using
only
only
standardized
algorithms,
which
I
believe
is
a
somewhat
a
very
interesting
feature
of
quantum
key
distribution
right
and
other
other
other
consequences.
C
You
can
prevent
data
harvesting
all
the
attacks
of
the
type
type
of
storing
outbreak
later,
and
it
changes
the
way
you
can
think
of
encryption
in
general
right.
So
whether
you
believe
that
this
is
important
for
for
your
use
case
or
not,
is
debatable,
but
but
there
are
some
some
advantages,
not
only
theoretical,
but
in
practice,
when
you,
when
you
deploy
a
qkt,
you
can
you
can
have
these
these
advantages,
but
now,
of
course,
we're
talking
about
quantum
technologies
and,
as
always,
the
main
issue
with
quantum
technologies
is
scaling
here
by
scaling.
C
We
don't
we're
not
talking
about
having
more
qubits
but
having
more
nodes
in
the
network
and
the
way
qkd
networks
are
scaled.
Today
is
a
little
bit
embarrassing
in
the
sense
that
it's
first,
it's
very
expensive,
because
qkd
is
a
point-to-point
task.
So
when
you
want
to
add
more
nodes,
you
add
more
point-to-point
or
more
more
edges,
in
fact
to
your
to
your
network
and
also
in
order
to
distribute
keys
in
your
network.
What
you
do
in
general
is
using
trusted
nodes
to
route
keys.
C
C
We
wanted
to
address
very
specific
use
cases
for
for
quantum
key
distribution
and
what
we
came
out
with
is
a
novel
quantum
network
architecture
and
with
this
architecture
the
goal
is
not
to
develop
a
nationwide
network,
but
networking
to
do
quantum
networking
at
the
local
area
scale-
or,
I
would
say
local
or
metropolitan
area
scale-
we'll
talk
more
about
the
scale
later,
but
but
I
like
to
think
about
it
as
a
quantum
ethernet,
because
in
fact
it's
also
very
reminiscent
to
the
the
very
first
version
of
the
ethernet
protocol
in
terms
of
architecture
and
in
this
very
specific
regime,
so
local
or
short
distance.
C
What
we
get
is
a
with
the
q
line
is
a
fully
connected
quantum
communication
infrastructure,
meaning
any
any
pair
of
nodes
can
communicate
securely
or
establish
keys
in
our
case
without
using
trusted
nodes.
So
this
is
the
first,
the
first
property
then
also
the
scaling
is
somewhat
better
because
you
don't
use.
We
use
mostly
standard
telecom
components,
rather
than
as
opposed
to
to
quantum
specific
components,
as
you
will
see,
and
also
we,
because
we
have
this
long-term
vision.
C
We
are
also
talking
about
when
connecting
these
these
architecture
to
quantum
computers,
I'll
show
you
how
this
can
be
done
at
the
end
of
the
talk
all
right.
So
what
I
want
to
to
show
you
today
is
what
is
the
the
q-line
protocol?
It's
an
architecture
with
a
protocol.
C
Again
everything
happens
at
the
at
the
abstract
level,
what
we
can
show
or
what
we
can
say
about
the
tier,
the
the
security
of
qli,
how
you
prove
security
in
theory
and
what
what
it
means
in
practice
and
then
discuss
the
use
cases
for
today
and
for
for
the
future
all
right.
So
it's
a
good
time
to
to
stop
and
ask
if
there
are
questions
before
entering
into
the
technical
description
of
the
protocol
or
the
somewhat
technical
description
of
the
protocol.
C
If
not,
I
can
sorry
stephen.
E
C
Okay,
thanks!
So
the
way
I
mean
there
are
multiple
ways
of
of
introducing
the
the
protocol.
The
way
I
like
to
do,
it
is
well
first,
it's
at
my
very
computer
science
level
level.
C
I'm
not
going
to
talk
again
about
physics
in
this
in
this
in
this
talk
and
and
compare
it
with
the
standard
qkd
right.
So
one
way
of
thinking
about
ukd
is
on
the
left.
Here
you
have
two
two
parties
alice
and
bob,
and
you
can
think
about
alice,
generating
a
quantum
state,
a
qubit
and
encoding
some
information
in
some
basis
in
this
quantum
state.
These
are
the
role
of
these
two
operators
x
and
h,
and
then
sending
this
state
to
bob
bob
chooses
he
does
performs
these
two
operations.
C
He
chooses
a
measurement
basis
for
the
qubit.
This
is
the
row
of
this
operator
h
and
then
performs
the
measurement,
and
if
you
write
everything
down
you,
you
can
have
that
the
the
the
mathematics
tell
you
that
if
they
chose
the
same
basis,
meaning
r
equals
s,
then
a
is
the
measured
value
by
bob
right
and
based
on
that
you
can
derive
the
whole
protocol
and
and
security
proof.
C
C
I
introduce
these
two
parties
in
the
middle,
charlie,
1
and
charlie
2,
and
I
would
redistribute
the
roles
at
least
generates
the
qubit
again
sends
it
to
to
charlie.
Of
course,
the
qubit
is
a
photon
in
the
standard
implementation,
charlie
encodes
the
information
and
chooses
a
basis,
charlie
two
chooses
the
measurement
basis
and
bob
performs
the
measurement
right.
So
at
this
stage
you
can't
do
much
because
the
result
is
known
by
bob
only
and
if
he
announces
the
result
then
then
well,
everybody
would
know
what
is
the
the
secret
key.
C
But
oh
here
it
is
the
the
fix
is
very
simple:
it
surprises
to
re-inject
some
randomness
right.
So,
oh
sorry,
I
should
I
should
precise
here.
The
goal
is
for
c1
and
c2.
So
let
me
go
back
here.
C1
and
c2
want
to
establish
a
shared
the
shared
bit
in
this
case.
So
if
bob
announces
the
bt,
then
everybody
would
know
it
and
not
only
c1
and
c2,
but
the
fix
is
quite
simple.
It
surprises
for
c2
to
re-inject
some
randomness
with
this
operator
x
to
the
b
here
and
now.
C
C
Okay,
let's
continue
anyway.
The
protocol
has
a
few
more
steps
and
if
the
question
comes,
I
can
interrupt
again
right
so
so
this
the
role
of
this
x
to
the
b
here,
is
to
re-inject
some
some
randomness
into
the
into
the
information
to
keep
it
private
to
c1
and
c2
and
in
fact,
it's
very
easy
to
see
that
this
is
still
not
secure,
and
you
also
need
in
fact,
to
read
to
inject
randomness
at
all
of
the
stages
of
the
protocol.
C
So
a
would
start
with
a
random
random
state,
random
bb-84
state,
for
example,
or
from
the
same
state,
a
set
of
states,
c1
and
c2,
and
the
rest
of
the
protocol
follows
as
long
as
you
take
into
account
the
required
corrections.
Yes,
paycheck.
A
So
the
question
was
asked
in
the
chat,
so
I'm
just
going
to
read
the
question.
Scott
asks,
who
selected
a
and
b
and
there's
a
similar
question.
So
I
might
as
well
already
straight
away,
is
and
who
selects
r
and
s.
C
Yes,
so
the
the
selections
are
made
locally,
meaning
c1
chooses
a
which
is
the
the
bit
the
random
bit.
That
would
be
the
the
key
in
the
end
and
r
is
also
the
the
the
basis
of
encryption
is
also
chosen
by
c1,
but
they
are
kept
private.
They
are
not
broadcasted,
and
similarly
c2
chooses
b
and
s
here
right,
so
at
the
end
they
can
just
select
on
so
at
the
end.
After
all,
the
measurements
are
done.
C
They
only
keep
the
bit
if
r
equals
s,
they
chose
the
same
basis,
and
in
this
case
a
plus
b
is
the
result
of
the
measurement.
This
is
broadcasted.
C
C
You
can
broadcast
this
a
plus
b
in
the
end,
and
it
gives
you
the
it
gives
you
it
gives
you
the
it
allows
only
the
legitimate
parties
to
learn
the
the
shared
secret
beat,
which
is
a
at
the
end.
A
C
My
goal
here
is
to
build
a
network
from
from
a
qkd
network.
So
qkd
is
point
to
point
here,
I'm
adding
more
nodes
to
the
network.
So
in
this
example
here
I
have
a
four
node
network
with
alice
here,
bob
at
the
other
end
and
and
c1
and
c2
in
the
middle
charlie,
one
and
charlie
two
intermediate
the
reason
I
I
keep
a
and
b
at
the
x
as
extreme
points
is
because
they
will
be
in
terms
of
information
processing
or
what
they
can
do
physically.
C
They
are
equivalent
to
the
a
alice
and
bob
of
ukds
right,
whereas,
as
we
see,
c1
and
c2
are
much
lighter
in
terms
of
physical
components
required
to
to
implement
them
right.
So
I
have
a
four
node
network.
I
started
so
to
say
from
a
and
b
which
are
standard,
qkd
devices,
and
I
added
to
the
network.
These
two
nodes,
c1
and
c2,.
C
C
The
bob
at
the
very
end,
has
this
very
specific
and
costly
component,
very
specific
for
qkd,
which
is
a
single
photon
detector
right.
So
when
I
want
to
build
uk
a
qkd
network,
I
have
to
put
all
those
components
in
at
all
the
nodes
of
my
my
network,
whereas
with
qline
the
the
intermediate
nodes
are
just
standard,
photon
modulators.
C
This
is
a
standard
piece
of
telecom
component
and
literally
something
that
sorry
literally,
something
that
you
can
buy
online
by
you
know,
drag
and
dropping
it
to
your
cart
and
pay
with
your
credit
card
right
which
which,
as
far
as
I
know,
you
cannot
do
with
single
photon
detectors.
For
example,
now
the
the
the
counterpart
is
that,
as
I
was
saying,
this
is
not
for
this
is
not
a
replacement
for
qkd.
It's
a
different
regime,
because
in
a
standard
qkd
network
I
would
have
around,
let's
say:
100.
C
Kilometers
between
each
node,
whereas
with
q
line
now
it's
the
distance
between
the
laser
that
emits
the
photon
and
the
single
photon
detector.
At
the
end,
this
complete
distance
has
to
be
roughly
100
kilometers
right
and
I'm
hiding
a
bit
of
details
because
all
the
modulators
here
might
or
will
induce
a
little
bit
more
noise.
So
the
more
nodes
you
add
to
your
system,
the
the
shorter
the
shorter
the
distance
you
can
reach
will
become.
So
it's
a
trade-off
between
between
those
two
parameters
that
you
can
reach.
C
Let's
say
that
four
to
five
nodes
is
the
normal
regime
for
q9,
but
it's
very
good
for
some
of
the
use
cases
that
we
want
to.
We
want
to
reach,
as
I
would
explain,
or
it's
good
enough
for
the
for
the
use
cases
that
we
want
to
reach
all
right.
The
first
remark:
people
might
people
that
have
been
involved
into
into
qkd
networks.
Might
you
know
already
see
that
they
don't
work
the
same
in
terms
of
key
establishment
right?
C
What
happens
in
key
sorry
in
ukd
in
the
qkd
network
is
that
each
pair
of
each
pair
of
devices
will
establish
a
shared
key
or
each
pair
of
adjacent
devices
or
connected
devices
will
will
establish
a
pair
of
key
and
everything
will
happen
in
parallel
right.
So
here,
if
I
sort
of
keep
the
same
topology,
I
have
alice
charlie
1,
charlie
2
and
bob.
We
might
remember
these
qkd
devices,
so
they
have
all
they
can
do
a
single
photo
measurement
and
then
coding
decoding
everything.
C
So
I
would
have
at
a
given
time
bin.
I
would
have
a
bit
or
a
shared
key,
let's
say
established
here
and
in
parallel
here
and
there
right.
So
it
seems
that
it
seems
very,
very,
very
good
or
very
efficient,
but
now
the
thing
is
that
in
practice
on
the
qkd
network,
you
also
want
to
establish
keys
between
non-adjacent
devices,
and
for
this
you
need
to
use
key
routing.
C
Tier
routing
is
just
done
by
you
know,
choosing
a
key
at,
for
example,
addis
sending
it
encrypted
to
to
charlie
one
and
then
charlie,
one
re-encrypt
and
transmits
to
charlie
2.,
and
this
is
how
alice
and
charlie
2
would
would
establish
a
shared
key,
which
is
in
this
dotted
arrow.
C
The
first
noted
arrow
on
top
here,
so
this
this,
this
pink
dot
in
the
middle
means
that
charlie
one
is
in
fact
a
trusted
node
in
the
sense
that
you
will
get
a
clear
copy
of
the
the
key
that
is
established
by
alice
and
charlie
too,
but
also
another.
Another
important
thing
is
that
sending
or
routing
the
keys
to
non-adjacent
parties
will
also
consume
some
of
the
primary
keys,
the
keys
that
were
established
in
the
first
place
right.
So
so
I
have
one.
C
C
Some
some
some
round
robin
scheduling,
for
example,
or
we
we
we
use
time
multiplexing,
it's
a
better
term
by
giving
to
each
pair
of
node
a
dedicated
amount
of
time.
The
the
protocol
that
I
showed
you
earlier
allows
the
charlie
one
and
charlie
two
to
establish
keys,
but
if
you
want
to
have
keys
between
alice
and
charlie
two
or
alice
and
charlie
one,
you
just
leave
the
other,
the
other
devices
passing
during
this
round.
So
it's
not
it's
not
a
big
dinner.
C
C
C
While
the
number
of
pairs
grows,
quadratically,
you
don't
need
key
routing
and
if
well
again,
once
again,
whether
it's
good
or
better
than
qkd.
I
don't
think
it's
the
right.
The
right
way
of
assessing
the
question
you
need
to
to
look
at
very
specific
use
cases,
but
what
we
can.
C
What
we
can
show
is
that,
under
following
assumptions
that
every
the
keys
are
uniformly
distributed
among
pairs
of
nodes,
meaning
each
pair
of
nodes
equally
need
a
key
key
establishment
and
that
the
cost
of
the
system
is
dominated
by
by
the
by
the
cost
of
the
detector.
C
Then
the
price
per
bit
of
key
is
the
same
as
with
qkt
right,
so
q
line
and
qkd
with
this
figure
of
merit
under
these
assumptions,
are
comparable
right,
but
once
again
it
depends
a
lot
on
what
use
case
you
want
to.
You
want
to
choose
that
you
want
to
you
want
to
solve
if
you
want
to
make
a
precise
comparison,
a
more
precise
comparison,
how
about
security,
so
the
the
security
of
q-line
for
the
theoretical
part?
I
wouldn't
say
it's
easy,
but
it's
as
as
easy
as
you
can
think
of.
C
We
have.
We
have,
and
it
took
a
lot
of
time
to
to
get
them,
but
we
have
good
good
frameworks
for
proving
the
security
of
ukd
and
in
our
case
we
we
we
rely
on
the
work
of
toma,
mikhail
and
very
for
for
proving
the
the
security
of
quantum
key
distribution,
and
so
in
my
example
here
I
only
have
one
center
node,
but
it's
the
same.
C
I
mean
it's
the
same
for
for
when
you
add
more
and
more
chinese,
the
goal
is
to
show
that,
if
you
can,
if
you
can
attack
the
q9
protocol,
then
you
also
get
a
an
attack
on
the
understandable
utility
right
and
the
reason
based
on
the
protocol.
It's
quite
straightforward
is
because,
at
all
the
steps
of
the
protocol
of
queue
line,
this
is
how
it's
designed
for
sure
and
standard
ukd
and
ifs
dropper
will
see
exactly
the
same.
The
same
state
right.
So
this
is
the
the
the
core
idea.
C
Now,
of
course,
translating
it
into
a
formal,
formal
scientific
argument
takes
like
half
a
dozen
pages,
but
but
this
is
exactly
how
how
the
proof,
the
proof
works
or
the
core
argument
of
the
proof.
C
Another
very
important
chapter
of
security
in
the
world
of
ukd
are
the
side
channel
attacks
so
that
we
know
that
we
know
that
the
the
the
the
there
are
differences
between
the
the
theory,
the
mathematical
model
of
of
qkd
and
its
implementation,
with
physic
physical,
physical
components,
and
in
fact
you
can
exploit
those
discrepancies
to
to
attack
it
so
well,
of
course,
we
we
have
all
the
the
qkd
the
side,
channel
attacks
of
qkd
that
still
hold
in
our
case,
but
but
since
the
extension
of
the
qkd
protocol
to
a
q-line
protocol
happens
at
at
the
cubic
level,
all
the
physical
implementation
can
is
compatible
with
what
we're
doing
so.
C
In
particular,
if
you
want
to
use
decoy
state
protocols,
it's
still
possible
with
with
q9,
it
doesn't
change
anything
now.
There
are
other
other
types
of
attacks
that
that
that
are
possible,
in
particular,
I'm
talking
about
trojan
horse
attacks
that
consists
in
injecting
light
into
the
the
system
for
the
east
dropper
to
to
try
to
measure
what's
happening
at
in
charlie.
C
But
there
are
also
more,
I
would
say,
elaborate
attacks,
relying
on
non-destructive
photon,
counting,
so
some
devices
that
are
much
more
difficult
to
to
build
today
and,
as
as
I
know,
I'm
not
not
commercially
available.
C
So
this
is
we're
still
performing
some
some
research
and
development
in
order
to
close
these
attacks
that
might
be
be
available
in
the
in
the
future
for
futurist
chopper
all
right.
So
this
was
the
this
was
the
the
theory
part
of
of
the
peer
representation
of
q
line
protocol
and
and
security.
C
C
So
you
remember
that
the
the
the
sorry
when
you
want
to
scale
quantum
networks
or
qkd
networks-
you
usually
what
you
do
is
just
using
sorry
just
using
key
routing
to
to
to
to
to
route
keys
to
another
json
party.
C
So
these
these
connections
happen
at
the
software
level
right,
so
q
line
is
complete,
is
compatible
with
any
other
qkd
implementation,
in
the
sense
that
you
can
combine
them
all
together
to
build
a
large-scale
network,
and
this
view
here
it's
an
artistic
view,
but
this
is
this:
is
the
the
work
in
progress
in
this
euro
qci
project
european
communication
architecture?
You
see
that
there
are.
C
There
exist
several
layers
with
satellites,
probably
locally.
You
would
have
a
backbone
a
high-speed
backbone,
and
what
we
do
with
with
q9
is
is
the
the
last
kilometer
or
last
mile
of
the
of
the
network,
how
to
distribute
the
keys
at
the
local
area
scale
so
one.
So
we
are
deploying
this
architecture
testing
in
real
field.
Now,
with
the
deutsche
telekom
in
berlin,
it's
actually
more
involved
than
that
we
want
to
do
is
show
that
q-line
can
be
used
to
build
complex
metropolitan
architecture.
It's
just
one
building
block
of
the
global
global
network.
C
So,
yes,
it
is
a
token
ring,
but
you
can
also
you
can
also
use
it
in
combination
with
other
techniques
to
build
complex
networks
and
in
in
paris,
for
example,
orange
the
the
french
telco
is
building
a
quantum
communication
architecture
at
the
paris
region
level
and
q
line
will
be
deployed
at
the
level
of
a
city
that
has
several
critical
infrastructures
in
the
south
of
paris.
A
A
Sorry,
I'm
gonna,
I'm
gonna,
just
I'm
gonna
clarify
that.
I
guess
the
question
is:
could
you
network
without
trusted?
Okay,
sorry,
qkd
networks
without
trusted
nodes
can
be
built
with
optical
switches.
Is
there
any
advantage
compared
of
q
line
compared
to
that?
That's
the
question.
C
C
Yes,
okay,
yeah!
No,
I
see
no
so
that
again,
this
is
this
is
the.
C
C
A
Sorry,
there's
a
follow-up
in
case
you're
we're
running
out
of
time.
We
can
leave
some
of
these
questions
for
the
end
by
the
way
mark.
So
just
let
me
know
if
you
have
a
lot
of
material.
E
C
No
yeah,
I
think
I
see
what
it
means
would
be
interesting
to
to
compare
it
for
a
specific
for
a
specific
network
topology,
for
example,
or
a
specific
use
case.
You
know
how
how
you
can
take
advantages
of
this
of
this
fully
connected
architecture.
For
example,
I'm
going
to
I'm
going
to
show
an
example
of
usage
in
a
moment-
and
this
is
something
that
can
be
as
far
as
understand
realized
exactly
the
same
with
the
with
optical
switching.
C
So
I'm
going
to
show
an
example
where
there
is
no
advantage
of
q
line
over
optical
switching
but
but
yeah
might
not
always
be
the
case.
I
mean
not
the
second
one.
Actually,
so,
let's
try
to
to
see
if
these
questions
make
sense
for
the
for
the
next
two
examples
or
if
we
can.
C
A
Is
a
slightly
unrelated
question
so
I'll
I'll
ask
it
mate
as
well.
Just
can
you
expand
how
q
line
would
work
on
a
fully
quantum
network,
one
that
shares
entangled
qubits
and
what
advantages
would
it
have
over
simpler
approaches.
C
I'm
not
sure
I
can
say
something
about
this
right
now,
but
but
this
is
so
for
of
of
our
full
quantum
network
that
can
transport
and
tangle
qubits.
You
could
also
have
intermediate
nodes,
I'm
not
sure,
I'm
not
sure,
in
which
case
it's
interesting
like
you
could
you
could
ask
the
same
chinese,
but
I'm
not
sure
in
which
yeah
something
that
we
need
to.
A
C
Yeah,
so
I'm
I'm
going
to
show
an
example
at
the
very
end
where
it's
interesting
in
the
the
the
furthest
term
networks,
so
even
beyond
beyond
quantum
and
entanglement.
But
for
the
specific
of
for
the
specific
question
of
entanglement,
I
don't
know.
C
C
We
know
that
it's
not
something
that
we
invented,
but
we
know
that
it's
possible
to
combine
quantum
quantum
key
distribution
and
classical
cryptography
to
protect
not
only
communication
but
also
storage,
and
a
full
specification
of
the
protocol
was
given
in
the
in
the
paper
put
it
here,
and
I
think
it's
a
beautiful,
beautiful
idea
by
by
combining
qkd
with
with
a
secret
sharing
scheme
that
distributes
those
shares
here
over
several
servers,
you
can
get
very
highly
secure
storage.
C
The
the
classical
cryptography
protects
against
data
leakage.
You
can
ensure
that
corrupting
one
server
is
not
enough
to
to
recover
the
original
data,
and
in
fact
this,
the
number
of
servers
that
need
to
be
corrupted
is
very
easy
to
to
parameterize
in
the
system.
C
With
the
quantum
communication
you
protect
against
data
interception
and
by
continuously
re-encrypting
the
shares,
you
can
make
sure
that
an
evs
dropper
that
wants
to
learn
your
data
needs
to
need
to
attack
several
servers
within
the
time
slot
of
re-encryption
right.
So
it's
a
very
strong
idea.
The
only
thing
that
we
the
well
the
the
new
thing
that
we
bring
here
right
now,
what
I
can
tell
you
is
that
q-line,
since
it
doesn't
have
trusted
nodes,
it
also
has
less
vulnerabilities.
C
So
it's
it's
just
a
better
way
of
doing
it
and
it's
also
compatible
with,
for
example,
the
notion
of
sorry
the
concept
of
cloud
availability
zones
that
usually
you
know
when
you
store
your
data
to
the
cloud
they
are
distributed
on
several
servers
all
in
the
same
metropolitan
area.
So
it's
the
right
scale
for
for
deploying
the
cuban
another
thing,
but
it's
still
also.
C
I
mean,
I
think
it's
not
it's
not
only
a
research
topic,
it's
known
that
this
secret
sharing.
I
mean
it's
known
that
some
secret
sharing
protocols
also
it's
possible
to
compute
on
top
of
shares,
so
you
can
run
some
computation
with
some
overhead,
of
course,
to
to
to
to
to
compute
on
the
shares
without
reconstructing
the
the
information
without
recentralizing
the
information
which
would
be
a
security
breach.
C
C
Similar
to
queue
line
in
order
to
do
secret,
sharing,
classical
sequel
sharing
protocols,
so
it
seems
possible
to
do
some
computation,
assisted
with
the
with
the
some
classical
computation,
assisted
with
the
the
the
quantum
quantum
communication
right
quantum
communication,
classical
computation,
quantum
assisted
classical
computing.
C
Okay,
last
but
not
least,
and
another
application
that
we
just
putting
forward
when
we
when
we
talk
about
q
line
in
in
practical
environments,
it's
a
very
practical
question
again
right.
So
suppose
you
want
to
build
these
global
quantum
networks.
C
You
would
have
at
some
point
an
interconnection
between
the
between
the
two
to
two
networks
operated
by
two
different
operators
right,
so
you
have
your
first
network
on
the
left
second
network
on
the
right,
and
if
you
want
to
make
this
connection
you
have
to
you
have
to
to
to
rely
on
a
trusted
node
here
in
the
middle,
and
the
dotted
line
here
says
that
the
trustee
node
is
operated
by
the
operator
of
qkd
network
2
on
the
right.
C
But
it's
actually
an
issue
right.
How
do
you?
How
do
you
know
or
how
do
you
establish
the
trust
between
the
two
operators?
They
might
have
different
different
standards
on
what
trusted
nodes
are
and
how
they
are
implemented
in
practice.
C
Here,
it's
just
completely
straightforward
application.
I
I
built
two
queue
lines
that
overlap
right
and
now
I
have
two
routes
to
two
independent
path:
to
route
keys
without
trusting
nodes
right.
The
green
one
and
the
blue
and
here
are
completely
independent.
C
So
now
I
don't
rely
on
the
trusted
node
anymore,
in
the
sense
that,
if
an
if
dropper
wants
to
learn
the
key
established
by
network
one
and
two
they
will,
they
would
have
to
attack
the
two
nodes
on
the
left
and
on
the
right
right.
C
So
it's
it's
a
very
straightforward,
straightforward
application
of
the
or
straightforward
consequence
of
the
fact
that
we
we
can
have
multiple
paths
using
using
qri,
but
for
for
a
practical
problem
and
my
my
understanding
now
for
this
problem
is
that
there
will
be
no
advantage
over
of
switching
as
it
was
mentioned
earlier.
As
far
as
I
understand
the
technique.
C
All
right,
the
just
to
before,
before
concluding
another
thing
that
we
are
investigating,
which
is
more
for
this
future
applications
is
the
connection
with
quantum
computers
and
one
thing
that
people
here
might
might
know,
or
otherwise
are
just
reminding
very
very
quickly.
Is
that
once
you
can
connect
quantum
computers
to
networks,
you
unlock
secure
quantum
cloud
computing
and
by
secure
here
I
mean
verifiable
and
blind
right.
C
So
in
the
picture
here
you
have
a
quantum
computer
and
you
have
a
distant
party
that
okay,
I'm
cheating
a
little
bit
here.
I'll
just
explain
the
details
on
the
next
slide,
but
with
the
device
that
is
somewhat
similar
to
what
ukd
is
doing
today
it
can
delegate
the
computation
to
the
server
with
blindness,
meaning
the
server
does
not
learn
the
computation
it's
executing
and
verify
verifiability,
meaning
that
you
can.
C
This
is.
This
is
the
work
of
many
people,
but
in
particular
I
have
to
quote
my
my
my
co-founder
ellen
kashifi
for
her
work
on
the
verifiable
blind
quantum
computing
here
and
now
you
remember
that,
with
q
line,
we
started
with
two
devices
that
are
similar
to
to
qkd
as
well.
In
fact,
it's
easy
to
see
that
you
can.
You
can
do
the
same
here
to
to
delegate
your
quantum
computation
you
can
rather
than
starting
from
ukd.
C
You
start
with
q
line
and
you
replace
the
end
node
one
of
the
end
nodes
with
a
quantum
computer
as
if
it
was
easy
to
do,
and
then
what
you
have
is
the
ability
for
multiple
clients
to
delegate
their
computation
to
the
to
the
to
the
server
right.
So
what
we
get
is
a
somewhat
scalable
architecture
for
secure
quantum
cloud
application.
You
can
also
run
some
distributed
quantum
computing
on
this
with
this
type
of
architecture.
C
Now
the
only
the
only
detail,
I
would
say
in
addition
to
having
a
quantum
computer
is
that
first,
it's
not
known
when
I
said
here
you
start
from
a
qkd
device.
You
know
that
in
practice,
qkd
devices,
especially
the
the
part
that
emits
the
photon
can
be,
can
be
done
very
easily
using
attenuated
states.
C
It's
not
known
that
you
can
do
it
with
attenuated
state
for
for
secure
quantum
cloud
computing,
so
you
might
need
true
single
photon
generators
which
are
not
easy
to
to
to
build,
and
in
order
to
connect
your
quantum
computer
to
the
network,
you
might
need.
For
example,
this
looks
very
much
like
a
superconducting
qubit,
so
you
might
need
some
frequency
conversion,
which
is
also
difficult
to
to
implement,
but
at
the
end
of
the
day,
these
devices,
I
believe
that
they
are
simpler
to
build
than
a
quantum
computer
in
the
first
place
right.
C
So
so
so
there
are
lots
of
details
in
the
implementation.
Even
even
you
know,
if
the
research
or
the
development
of
quantum
computers
is
doing
well
these
days,
there
is
a
lot
more
to
do
to
to
to
get
this
kind
of
application
right.
So
so
this
is
exactly
well.
This
is
one
of
the
things
that
we
spend.
Research
effort
on
is
to
try
to
show
that
this
is
this
vision
that
we
have
is
possible
in
practice.
C
Okay,
so
let
me
let
me
conclude
here:
I
introduced
this
architecture,
the
queue
line
we
like
to
think
about
it
as
a
quantum
ethernet.
It's
using
these.
C
Sorry,
this
scalability
with
a
standard
telecom
component,
so
it's
possible
to
it's
possible
to
to
well,
we
get,
let's
say
a
better
node
connectivity
for
for
a
given
cost
in
the
in
the
network.
This
this
architecture
is
scalable
in
the
sense
that
we
can
add
and
it's
easier
to
add,
more
nodes
in
the
system
and
also
secure
because
it's
not
using
trusted
nodes.
We
get
some.
C
I
have
introduced
some
application
and
this
very
cool
vision
in
the
future
that
also
we
can
use
it
in
combination
with,
with
quantum
class,
sorry
with
the
quantum
computers
to
perform
secure
quantum
cloud
computing.
C
So
this
is
sort
of
the
roadmap
that
we
have
at
very
cloud
with
this
euro
qci,
but
also
initiatives
outside
of
europe.
We
have
a
very
nice
playground
for
secure
communication.
We
can.
We
can
deploy
these
this
hardware
and
all
the
quantum
communication
networks
that
are
being
built
today.
C
C
On
top
of
these
stored
data,
by
running
mostly
classical,
I
mean
for
classical
computing,
but
also
a
quantum
assisted,
classical
computing,
and
the
long-term
vision
is
that
all
these
things
should
evolve
toward
a
quantum
internet,
where
we
will
be
able
to
to
run
these
algorithms
that
were
developed
for
secure
quantum
cloud
computing
thanks
a
lot
everyone.
A
Thank
you
mark
so
first,
I
guess
a
digital
applause,
thanks
for
the
talk
and
now
open
as
mark
asks
floors
open
to
questions.
So
please
ask
your
questions.
Ideally,
you
could
raise
your
hand
and
ask
them
with
your
microphone,
but
if
that's
not
possible
for
you
try
the
chat
but
you'll
likely
get
a
faster
response
by
raising
your
hand
and
asking
with
a
microphone.
A
B
So
thanks
mark
this
is
a
really
interesting
talk.
I'm
not
sure
what
limits
the
scalability
of
the
system
you're
designing.
You
initially
presented
it
as
lan
or
maybe
maybe
metro
area
scale
systems,
but
I'm
I'm
uncertain
what
limits
the
inter-node
distance
and
the
maximum
number
of
nodes
you
might
use.
C
Well,
I
would
say,
as
always,
with
the
quantum
communication,
the
limit
comes
from
the
losses
in
the
fiber,
which
you
know,
apart
from
being
very
careful
with
the
fiber.
We
cannot
do
much
so
so
the
so.
C
Ultimately,
this
distance
here
is
limited
by
I
mean
what
we,
the
limit
is
the
distance
between
the
the
first
node
that
emits
the
qubits
and
the
last
node
that
measures
the
qubits,
regardless
of
the
number
of
intermediate
nodes,
you
have
an
inherent
limit,
but
also
in
addition
to
that,
each
of
the
intermediate
nodes
they
add
some
losses
to
the
to
the
systems
and
here
well,
the
best
you
can
do
is
do
very,
very
nice
engineering,
but
but
well,
I
guess
we
will
always
have
some
losses
that
will
that
will
decrease
the
maximum
distance
that
we
that
we
can
get
with
the
system.
B
So
your
modulators
here
are
just
they're
modifying
the
photons,
but
but
they're
not
regenerating.
C
B
C
A
E
I
just
want
to
ask:
do
you
think
there's
an
advantage
if
some
of
the
mods,
like
the
intermediate
nodes,
have
the
ability
to
detect
like
do
you
get
more,
maybe
more
robustness
or
something
it
means
more
expensive
though,
but.
C
Yeah
well
yeah,
so
you
get
advantages
also
for
the
security,
for
example,
the
for
the
you
know
for
these.
C
Attacks
but
I
guess,
if
you
ask,
if
you
add
a
modulator,
this
would
be
very
sorry
if
you
add
a
detector,
the
intermediate
nodes.
This
will
be
also
very
similar
to
to
the
to
the
switching
that
was
mentioned
earlier.
A
C
The
way
I
mean
what
I
believe
is
so
indeed,
because
the
cost
or
the
the
scalability,
let's
say
for
a
given
cost
you
have,
you
can
have
more
nodes,
is
one
thing,
but
also
the
fact
that
it
does
not
use
trusted
nodes
when
you,
when
you
scale
it
to
a
to
a
network
but
you're,
going
to
have
a
connected
fully
connected
network
without
trusting
nodes.
A
So
with
that
thanks
again
mark
it's
a
great
talk
and
thank
you,
this
is,
I
think
this
is.
These
kind
of
trucks
are
a
great
contribution,
especially
I
think
they're,
at
their
quite
the
right
level.
So
I
really
appreciate
that
physics
was
very
limited
and
the
maths
was
kept
outside
so
as
good
as
very
focused
on
networks
and
the
kind
of
advantages
so
yeah.
So
I
I
I
like
the
level
of
the
talk.
So
thanks
a
lot,
and
hopefully
we'll
see
you
at
the
qrg,
otherwise.
C
A
Thanks
ronnie,
do
you
have
anything
to
add.
B
No
just
again,
then,
thanks
for
for
doing
the
talk
mark,
I
I
let
go
that
was.
It
was
really
good
and
I
think
it
was
about
the
right
level
for
this
audience
and
thanks
for
making
it
on
time,
because
I'm
sure
lots
of
people
have
various
other
things
on
their
schedule
for
the
day.
So
it's
nice
to
squeeze
it
actually
in
an
hour
wojtek.
Do
you
and
I
have
any
any
other
announcements
that
we're
ready
to
make
in
front
of
the
group.
Yet
no.