All-Photonic Quantum Repeaters Could Lead To a Faster, More Secure Global Quantum Internet

"University of Toronto Engineering professor Hoi-Kwong Lo and his collaborators have developed a prototype for a key element for all-photonic quantum repeaters, a critical step in long-distance quantum communication," reports Phys.Org. This proof-of-principle device could serve as the backbone of a future quantum internet. From the report: In light of [the security issues with today's internet], researchers have proposed other ways of transmitting data that would leverage key features of quantum physics to provide virtually unbreakable encryption. One of the most promising technologies involves a technique known as quantum key distribution (QKD). QKD exploits the fact that the simple act of sensing or measuring the state of a quantum system disturbs that system. Because of this, any third-party eavesdropping would leave behind a clearly detectable trace, and the communication can be aborted before any sensitive information is lost. Until now, this type of quantum security has been demonstrated in small-scale systems. Lo and his team are among a group of researchers around the world who are laying the groundwork for a future quantum Internet by working to address some of the challenges in transmitting quantum information over great distances, using optical fiber communication.

Because light signals lose potency as they travel long distances through fiber-optic cables, devices called repeaters are inserted at regular intervals along the line. These repeaters boost and amplify the signals to help transmit the information along the line. But quantum information is different, and existing repeaters for quantum information are highly problematic. They require storage of the quantum state at the repeater sites, making the repeaters much more error prone, difficult to build, and very expensive because they often operate at cryogenic temperatures. Lo and his team have proposed a different approach. They are working on the development of the next generation of repeaters, called all-photonic quantum repeaters, that would eliminate or reduce many of the shortcomings of standard quantum repeaters. "We have developed all-photonic repeaters that allow time-reversed adaptive Bell measurement," says Lo. "Because these repeaters are all-optical, they offer advantages that traditional -- quantum-memory-based matter -- repeaters do not. For example, this method could work at room temperature."

not trusting

[phantomfive]

You can't trust the data as soon as it leaves your computer. If it hasn't been encrypted by that point, it doesn't really matter if AT&T encrypts their transmission lines.

Re:not trusting

[necro81]

You can't trust the data as soon as it leaves your computer. If it hasn't been encrypted by that point, it doesn't really matter if AT&T encrypts their transmission lines.

While this is true to a degree, it is an impractical standard for modern communications. How do you propose to have extensive communications between Alice and Bob without having a quick and easy mechanism for sharing and updating encryption keys? This new solution allows for the sharing of keys without (undiscovered) eavesdropping.

Re: not trusting

[phantomfive]

Most of the traffic is encrypted on the web through use of pre-signed public keys. This adds nothing.

What problem is being addressed?

[quenda]

Article seems like nonsense to me. We already have secure transmission by end-to-end encryption.
Securing the transmission channel further will do nothing to enhance that, and nothing to stop the hacking mentioned in the article.

What possible use is quantum key distribution?
If you can authenticate, you already have secure key distribution, and if not, you are still vulnerable to man-in-the-middle, no?

Re:What problem is being addressed?

[quenda]

There is probably nothing wrong with the academic publication, or the field of research.

It is the "University of Toronto" press release masquerading as a news article that is nonsense.

Re:What problem is being addressed?

[quenda]

Wrong. Quantum communication solves this problem. A quantum comm channel cannot be spied upon,

My understanding is that the quantam channel is difficult and low bandwidth, so only used for key exchange. Are you suggesting they can encrypt all my communications quantumly??

Wrong, and that is the point. "Man in the middle" is not possible with quantum communication. Either the signal stream is lost, or delayed.

Nah. Your quantum endpoint is the man in the middle. I'm talking about the specific case where you have no authentication, remember?

Re:What problem is being addressed?

[TFlan91]

Nah. Your quantum endpoint is the man in the middle. I'm talking about the specific case where you have no authentication, remember?

Wouldn't the act of just using quantum communication BE the act of authentication? I don't think quantum communication works in a "http" mode

Re:What problem is being addressed?

[coofercat]

Article is mostly nonsense as far as I can tell too. Also, I do love how slashdot editors feel the need to tell us what repeaters are.

However, if quantum computing ever works, then your nice RSA or AES encrypted data stream is (so the thinking goes) highly vulnerable to quantum cracking, which (so goes the hype) is thousands if not millions of times faster then regular computing. Thus, in any post-Von-Neumann world, you're going to need a way to transmit data without it being snooped or cracked later. For that, only quantum transmission stands a chance of being secure.

Potentially quantum communication does also allow for the sender and receiver to know they're being snooped. Current optical communication can detect a 'bend attack', but it's tricky to get the measurements right without getting false positives. On long cable runs where you have repeaters, every repeater needs to do the same detection, and then somehow tell the sender or receiver that it's happening. All this pretty much makes it possible in theory, but hard in practice. Quantum properties mean the receiver is automatically notified of a snooper in ways that wouldn't be confused with a reduction in signal strength.

Taking the example of a transatlantic cable, you need a few repeaters over that length. Clearly, with quantum communication that's going to be tricky - every repeater would need to full receive the signal, then re-send it along the next bit of the cable. That's practically impossible at the moment because senders and receivers are absolute-zero, super complex machines. If these folks have found a way to repeat the signal without quantum-altering it along the way, then it means long range comms becomes possible. That's also something of a 'must have' if quantum computing ever becomes a real thing.

So yeah, quantum comms offers you nothing today that you can't get somewhere else. However, if the NSA or whomever gets a quantum computer, then all the worlds encryption is at risk, and for that, we need some sort of defence.

Re:What problem is being addressed?

[quenda]

then your nice RSA or AES encrypted data stream is (so the thinking goes) highly vulnerable to quantum cracking,

Actually, from what I read, symmetric encryption like AES is safe, it is the public key (RSA), which is used to transmit the symmetric key, that is at risk.
So the hardware encryption is safe, you just need a software upgrade to improve the public key side if quantum computing ever gets close to cracking it.

Re:What problem is being addressed?

[necro81]

The key point here is that man-in-the-middle attacks require that the MITM be undiscovered, otherwise you'll know you're being eavesdropped. Quantum key distribution allows for Alice and Bob to share a set of quantum keys without Chuck discovering those keys by MITM attack. Or, Chuck can discover those keys, but not without Alice and Bob knowing that Chuck has done so.

The result may be a denial of service (Alice and Bob can't talk, because they know Chuck will always discover their keys), but a silent MITM attack is not possible.

Re:What problem is being addressed?

[lrichardson]

"Wrong. Quantum communication solves this problem. A quantum comm channel cannot be spied upon, because the very act of receiving any of the signal will destroy/mark it so the intended recipient notices. Re-generating the quantum signal also fails, at the very least there will be noticeable delay."

Theoretically, yes, practically, no. Quantum communication has already been hacked. The implementation allows for a certain error rate. The hack - using a very low level sampling - kept the error rate below the defined threshold.

Re:What problem is being addressed?

[Fly+Swatter]

They obviously need more grant money.

Re:What problem is being addressed?

[gotan]

It doesn't work like that. The problem is, that public key algorithms rely on "trap door algorithms" that are "easy" to do in one direction (e.g. multiplying two prime numbers) but "very hard" in the other direction. "Easy" usually means "requires a number of operations that is polynomial in "N" (N=number of digits), "hard" means "requires a number of operations that goes exponential with N. E.g. counting up to the product (or its square root) and testing each number if it divides it is "hard". Public key cryptography relies on this, an attacker has to solve a "hard" problem to crack the key. What compromised some key length previously was not that "hard" became "easy", but that with better and more hardware and improved algorithms the "hard" problem became doable. This can be easily fixed by using a higher key length. (one problem with all that is, that AFAIK we don't have mathematical proof that "hard" problems are really "hard", see P=NP, but that's another subject entirely)

Now some problems that (we think) are "hard" to do in classical computing are "easy" in quantum computing, prime factoring is one example of this. With that the basic premise falls, and that can't be helped by adjusting the key length. Maybe there are trap door algorithms out there that can't be made "easy" by quantum computing, or maybe we'll find that some problems we previously thought to be hard really aren't.

But quantum key distribution could solve that problem, since it provides a way of generating a common one time pad and check if anyone eavesdropped. That one-time-pad can then be used to transmit a key for the symmetric encryption e.g. in place of RSA.

The OP is right, that that doesn't solve the problem of authentication. Still a secure (in the sense that eavesdropping can be detected) distribution of exactly two instances of a one-time pad on the basis that authentication has happened certainly has its uses.

Re:What problem is being addressed?

[Aighearach]

Existing quantum algorithms would require multiple orders of magnitude improvement in quantum computing hardware just to crack 32 bit keys. The difficulty goes up exponentially as you increase the size, because of the basic design of the machine and the difficulty of entangling electrons. (or photons)

A regular computer scales in a linear fashion; you simply add more transistors. And you can divide up the problems between a large number of computers. You can't do that with a quantum algorithm; you need a bigger computer, with more qubits, and more qubits means a more difficult problem in entangling them.

The key sizes that they can realistically hope to crack in 100 years are smaller than the keys that you can already brute-force with current computers! But nobody uses 32 bit keys.

Existing quantum computers can't even crack an 8 bit key. A human can do that with a pencil. A programmable calculator can do it easily.

Governments and Internet Ad companies hate this

[louzer]

Governments and Internet Ad companies hate this because they won't be able to listen into our traffic. So this technology will not be available for us plebs.

Re:Governments and Internet Ad companies hate this

[dohzer]

Sure they will. Just make the repeater intercept the traffic and make the software in your computer tell you the connection is secure. Done.

Also

[joao.cordeiro]

Faster porn!
The problem with internet security is 100% developer responsibility. Lack of investment on security and no update plans for almost every IoT device are the main problems
How is quantum logic going to prevent bad, outdated code?

Flux capacitor?

[ReneR]

Just asking for a friend, ..?

Re:Flux capacitor?

[havana9]

Wrong time-travel device. I suppose, you are confusing Michael J Fox with Scott Bakula

Re:Flux capacitor?

[Aighearach]

If the Flux Capacitor wasn't a quantum technology, why would it be needed for time travel?

Where did you think flux energy came from?!

Time is a form of quantum entanglement, this acts like friction when you move backwards. That's also why you get an electrical fire if you go backwards without a flux capacitor; as the electrons disentangle from time, they get stuck instead to the time travel device. You have to re-entangle them inside the flux capacitor.

Re:Pre-shared randomness.

[drinkypoo]

Of course, once you know about the Intel Management Engine, hacked firmware, and even dopant-level hardware backdoors ... or just somebody breaking into your building and/or using a $3 wrench, you realize that *if* you need *that* level of protection, even *perfect* encryption won't help you.

It will help you, but only as part of defense in depth. You're also going to need to be surrounded by guards, and you'll need physical security for your equipment (more guards.) And then you need to pay the guards well, and have guards for the guards, so they can't simply be bribed away. And then when you die, you can realize that was all a lot of wasted effort which had to be spent only because the system of the world is designed to be unfair.

Re:Pre-shared randomness.

[v1]

'm being told, XOR encryption is "mathematically proven" to be "perfect".

It's basically a "one-time pad", and yes, that method itself is theoretically unbreakable. Attacks will all be focused on the peripheral though, things like trying to intercept your key exchange. Key exchange and key size are the problems for OTP's. You have to have some secure way to get that random data to the other party (and keep it secure on both sides), and it needs to be big enough to serve your needs until the next exchange can occur.

The minute you say "we ran out of padding early, we need to re-use it", it immediately becomes beatable. That's how enigma was initially broken, as it was (at the time) an incredibly good source for essentially random data. The germans goofed exactly once, repeating a single transmission, which laid the groundwork for it being broken. (they were trained not to reuse it, it was "operator error")

Remember the Enigma

[lfp98]

For thousands of years, coders have promised "to provide virtually unbreakable encryption". Hackers cracked all of them, usually quite quickly. I'll wager quantum encryption will fare no better.

Department of redundancy department

âoeThese repeaters boost and amplify the signalsâoe

Whats the difference between boost and amplify?

They boost and amplify and enlarge and reinforce and swell and grow and increase and embiggen the signals.

Re:Pre-shared randomness.

[K.+S.+Kyosuke]

Doesn't using OTP bit sequences for symmetric session keys work well enough?

Re: Talk to me

[Seewhatidonehere]

Quantum internet, this just sounds like snake oil. There are cheaper, existing methods of delivering coded information uncracked. Thing is, for every deliberately altered packet of message there has to be a certain key to uncode them and a machine or AI that is able to apply the code. This code or key cannot surpass the abilities of any decoder. There are physical and mathematical limits to information flow.

Re: Pre-shared randomness.

[phantomfive]

Key size is no longer a problem for one-time-pad unless you are encrypting video or something very very large. Key exchange can still be problematic.

QT works and has been tested many times

[gotan]

Quantum theory is the best theory we have to explain many experimental results, e.g. why light "behaves like particles" (i.e. photoelectric effect) or electrons show diffraction effects you'd expect from waves. QT is used successfully to model all kinds of physics, e.g. properties of atoms, or even strange properties of the vacuum like the Casimir effect, and in that sense QT is a working product. It was noticed early on (EPR-"paradoxon"), that QT predicts some strange things including what we call "entanglement". The strangeness lies in the nonlocality that it implies for QT, which is at odds with a "classical" (in the sense of non-QT) world view and manifests itself in "entanglement" i.e. some strange "connection" between particles in different locations. But the strange behavior predicted by QT was tested, specifically by testing the Bell-inequality. The result of these tests is not only, that the strange predictions of QT are indeed what we measure experimentally, but also that it will be impossible to explain these results with a "classic" theory that is based on locality and causality, even any (finite) number of "hidden" variables don't help. Another test of entanglement are "Delayed Choice Quantum Eraser" experiments which also confirm the strange predictions of QT.

QT is far from perfect, as it doesn't go well together with general relativity, but for nonrelativistic phenomena on the scale where quantum effects are of relevance it's the best we have. It can also be shown how "classical" Newtonian physics emerges for large (many particle) objects from QT.

Some people think that QT must be wrong because it clashes with their "classical" picture of the world, a picture humans grow accustoms to since their life usually doesn't confront them with phenomena on the scale of single atoms, electrons and photons, but why should the universe conform to our personal world view or preferences?

But anyone claiming that QT is wrong (apart from known limitations i.e. incompatibility with GR) should point out where it makes wrong predictions, and anyone presenting a "better" theory should make that theory specific and detailed enough so it can be tested experimentally, and of course that theory should also explain all that experimental findings that are perfectly well explained by QT. As it stands QT is the best explanation of all the stuff we find experimentally, but also the nature of atoms as we know them.

Specific to light we have QED (quantum electrodynamics), see also the book "QED: the strange theory of light and matter" by R:P: Feynman:
https://en.wikipedia.org/wiki/...

The point is: While we can't ultimately prove of any physical theory if it is "correct" under all circumstances (because we don't know and can't monitor all circumstances), we can test if the predictions of a theory match experimental results and is consistent with what we "know" about the world (i.e. all those other theories, observations etc.). In that sense QT is the best theory we currently have, and we do know that classical theories that preserve "locality" and "causality" are in contradiction with at least some experimental findings (e.g. bell inequality tests).

Re:that's not the problem

[ledow]

That surely only applies if you are transmitting things unencrypted.

One of the prime reasons to use encryption is because it operates over even an insecure channel to secure it. Someone faking or stealing IP traffic still can't read your encrypted data because that's the entire point.

Obviously, if you're worried about it, you use proper cryptographic endpoint verification. Then it doesn't matter. You'll notice tampering immediately. You *EXPECT* your enemy to record every single byte of everything you send. Because it literally won't help them one jot. Not even if they know what you were sending at some point in the future (known-plain-text attacks aren't possible with modern encryption).

People fussing over DNS interception, BGP routing etc. are missing the critical point. They may affect *connectivity*. i.e. can you talk to the intended endpoint. What they can never affect is *veracity*. You are either talking to the chosen endpoint or you're not. People can't pretend to be the endpoint unless they've got the correct private key, etc. etc.

This is why SSH, TLS, IPSec, etc. all exist.

Treat the Internet as an untrusted network medium (why on Earth would you do anything else!?) and apply security accordingly. Pretending that a BGP announcement, even from your own ISP, is in any way secure is stupidity. You secure it IN SPITE of that. Even Google's inter-data-centre links weren't secure because they just assumed the medium was secure and didn't encrypt. Only when it was revealed that certain agencies were sniffing that traffic did they solve the problem - by encryption.

Sod the honour system, the honour system is in people assuming they are talking to the endpoint without checking, no matter who says.

BGP etc. routing attacks become useless precisely the second that you encrypt traffic by default. You can no more fake being "Facebook.com" than you can being some IP address. Without the right certificate the other end, the correct certificate signing chain, the correct certificate authority, the correct certificate pinning, etc. then modern sites and browsers will throw errors no matter what you do to try to pretend to be a secured endpoint, or act as a man-in-the-middle.

The problems come from people assuming security exists, rather than assuming it doesn't, and layering more on top anyway.

Hell, WPA2 isn't secure, because anyone can pretend to be the BSSID of any advertised Wifi point. It's secured by the endpoints layering over encryption. You should be VPN'ing over even internal wireless.

You can't secure something like the Internet en masse. So don't. Secure the endpoint, and just assume that EVERYONE can see every byte out of your connection.

Re:Pre-shared randomness.

[OneHundredAndTen]

You are oversimplifying things. First, Enigma had nothing to do with OTP. Second, what the Germans were doing wrong was to include known data in their encrypted messages - e.g. protocol headers and weather reports. This provided the cribs that the Bletchley Park people leveraged to break Enigma, based on a heck of a lot of donkey work done by the Poles immediately before the war. Another thing that the Brits are indebted to the Poles for.

Com man der

[Impy+the+Impiuos+Imp]

Quantum key distribution (QKD). QKD exploits the fact that the simple act of sensing or measuring the state of a quantum system disturbs that system. Because of this, any third-party eavesdropping would leave behind a clearly detectable trace, and the communication can be aborted before any sensitive information is lost. Until now, this type of quantum security has been demonstrated in small-scale systems.

Existing repeaters for quantum information are highly problematic. They require storage of the quantum state at the repeater sites, making the repeaters much more error prone, difficult to build, and very expensive because they often operate at cryogenic temperatures.

Commander Data continued, "Using the deflection dish, though, it should scale up enough to allow us to detect the warp anomaly and free the USS Maelstrom."

Re: Talk to me

[Aighearach]

I guess the neckbeards managed to run most of them off by trolling.

Re:Pre-shared randomness.

[v1]

Modern cryptography uses a function that not only varies at each byte of the encode, but also each byte encoded influences the future of the pad. So changing a single character in the middle of the message causes all of the cyphertext after that point to change. The engima wasn't quite that good, the wheels, wheel arrangement, and plugobard settings created a long random pad, and the passcode used to pre-set the position of the wheels selected at what point in the string to start using the pad. This means changing one character in a message only changes ONE CHARACTER in the ciphertext. (as long as you don't insert or delete characters) You could look at enigma as a method that changes every character in the message using a different function, based on its place in the message. (but having nothing to do with any prior part of the message) And that's precisely what a one-time pad does. It's the re-use of the formula and merely changing the start position that makes it not a "pure" OTP.

The reason they do [either of these methods] is because it's easier and more secure to exchange a machine or formula once and a short passcode frequently, than it is to exchange large amount of OTP regularly. The big problem for GB was the u-boats using it, and they had especially big problems with getting updates so for them the enigma was an enormous help. They went out to sea with a fresh littl code book full of short passcodes (wheel and plugboard arrangements, and passcodes for each day) rather than a telephone book full of OTP. Back then, to change the "method" of the code required changing the machine itself, and that was "top secret", you can't just go transporting those all over the place all the time. They DID change wheels occasionally though. It's much easier to get them a new little code book every few months, and you could even give different groups different books, without having to design dozens of different machines, or even different wheels for the different groups.

On the surface, enigma may not look like a one-time pad, but it basically is, though there is the "can't output the same as the input" limitation. That weakness was most useful for "breaking wheels" once they'd figured out the method. (go look that up, that's a good keyword to get you where you need to be)

After the wheels were broken, they needed to figure out the "day code". (and work out the plugboard settings) The weather reports you're mentioning were very useful for that, but were only useful AFTER they had figured out how it worked, and had wheels broken. Again, this tells you at what point in the (very long for enigma) cycle to start using for the OTP. So, technically, it's not a ONE-TIME pad, but it's a very long, fixed pad, which you can start at some arbitrary, pre-arranged point at for each new message. Computers today could just shift through a pad like enigma made, and (fairly quickly) find the right position, but that level of processing was unavailable during WW2.

The big initial break was made when a transmission was sent across a "secure cable" (that wasn't secure, it was being monitored). They don't explicitly SAY it, but I'm pretty sure they interrupted the transmission cable during the message, so the british had a full copy and the receiver didn't. Due to how OTPs work, you have to stay in sync. If you lose a character or two, your pad is shifted, the pad gets out of sync with the ciphertext, and the rest of the message turns into white noise. The coders were under strict orders to never re-use a day code, as this basically meant reusing a OTP, because that opens the door to crypto-analysis. NORMALLY this would be OK, as long as you sent the exact same message again. But they committed a compounding error - the sender was in a hurry, and to make resending it faster, he replaced several words with abbreviations. This created a ciphertext that started the same, and suddenly become completely different, (where the first abbreviation was encountered) whil