All-Photonic Quantum Repeaters Could Lead To a Faster, More Secure Global Quantum Internet (phys.org)
"University of Toronto Engineering professor Hoi-Kwong Lo and his collaborators have developed a prototype for a key element for all-photonic quantum repeaters, a critical step in long-distance quantum communication," reports Phys.Org. This proof-of-principle device could serve as the backbone of a future quantum internet. From the report: In light of [the security issues with today's internet], researchers have proposed other ways of transmitting data that would leverage key features of quantum physics to provide virtually unbreakable encryption. One of the most promising technologies involves a technique known as quantum key distribution (QKD). QKD exploits the fact that the simple act of sensing or measuring the state of a quantum system disturbs that system. Because of this, any third-party eavesdropping would leave behind a clearly detectable trace, and the communication can be aborted before any sensitive information is lost. Until now, this type of quantum security has been demonstrated in small-scale systems. Lo and his team are among a group of researchers around the world who are laying the groundwork for a future quantum Internet by working to address some of the challenges in transmitting quantum information over great distances, using optical fiber communication.
Because light signals lose potency as they travel long distances through fiber-optic cables, devices called repeaters are inserted at regular intervals along the line. These repeaters boost and amplify the signals to help transmit the information along the line. But quantum information is different, and existing repeaters for quantum information are highly problematic. They require storage of the quantum state at the repeater sites, making the repeaters much more error prone, difficult to build, and very expensive because they often operate at cryogenic temperatures. Lo and his team have proposed a different approach. They are working on the development of the next generation of repeaters, called all-photonic quantum repeaters, that would eliminate or reduce many of the shortcomings of standard quantum repeaters. "We have developed all-photonic repeaters that allow time-reversed adaptive Bell measurement," says Lo. "Because these repeaters are all-optical, they offer advantages that traditional -- quantum-memory-based matter -- repeaters do not. For example, this method could work at room temperature."
You can't trust the data as soon as it leaves your computer. If it hasn't been encrypted by that point, it doesn't really matter if AT&T encrypts their transmission lines.
"First they came for the slanderers and i said nothing."
Governments and Internet Ad companies hate this because they won't be able to listen into our traffic. So this technology will not be available for us plebs.
Heroes die once, cowards live longer.
Wrong. Quantum communication solves this problem. A quantum comm channel cannot be spied upon,
My understanding is that the quantum channel is difficult and low bandwidth, so only used for key exchange. Are you suggesting they can encrypt all my communications quantumly??
Wrong, and that is the point. "Man in the middle" is not possible with quantum communication. Either the signal stream is lost, or delayed.
Nah. Your quantum endpoint is the man in the middle. I'm talking about the specific case where you have no authentication, remember?
Of course, once you know about the Intel Management Engine, hacked firmware, and even dopant-level hardware backdoors ... or just somebody breaking into your building and/or using a $3 wrench, you realize that *if* you need *that* level of protection, even *perfect* encryption won't help you.
It will help you, but only as part of defense in depth. You're also going to need to be surrounded by guards, and you'll need physical security for your equipment (more guards.) And then you need to pay the guards well, and have guards for the guards, so they can't simply be bribed away. And then when you die, you can realize that was all a lot of wasted effort which had to be spent only because the system of the world is designed to be unfair.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It's basically a "one-time pad", and yes, that method itself is theoretically unbreakable. Attacks will all be focused on the peripheral though, things like trying to intercept your key exchange. Key exchange and key size are the problems for OTPs. You have to have some secure way to get that random data to the other party (and keep it secure on both sides), and it needs to be big enough to serve your needs until the next exchange can occur.
The minute you say "we ran out of padding early, we need to re-use it", it immediately becomes beatable. That's how Enigma was initially broken, as it was (at the time) an incredibly good source for essentially random data. The Germans goofed exactly once, repeating a single transmission, which laid the groundwork for it being broken. (They were trained not to reuse it; it was "operator error".)
I work for the Department of Redundancy Department.
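The pad-reuse failure described in the two posts above, as an added example that is not part of the thread: a small Python one-time-pad helper that refuses to reuse pad bytes, beside a function showing what remains once two messages did share a pad (the pad cancels and the XOR of the two plaintexts is left, with zero bytes wherever the messages agree). The demo pad, the two messages and the PadStore class are constructed for illustration; a real pad would come from a CSPRNG and be exchanged out of band, as the post says.

```python
"""One-time pad handling: fresh pad per message versus pad reuse.

Constructed example, not code from the article or the thread. The demo pad
and messages are made up; in real use the pad comes from the OS CSPRNG
(secrets.token_bytes) and is delivered to the other party out of band."""
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; the pad must be at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad too short: an OTP never wraps or reuses pad bytes")
    return bytes(d ^ p for d, p in zip(data, pad))


class PadStore:
    """Consumes a shared pad strictly once, front to back, so a sender cannot
    accidentally reuse bytes. Both parties keep an identical store and stay
    in sync by consuming the same amounts in the same order."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._pos = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            # Running out is a stop condition, not a reason to wrap around.
            raise ValueError("pad exhausted: refuse to send rather than reuse")
        chunk = self._pad[self._pos:self._pos + n]
        self._pos += n  # advance even if the caller later discards the chunk
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        return otp_xor(message, self.take(len(message)))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two ciphertexts share pad bytes, XORing them cancels the pad and
    yields m1 XOR m2. Zero bytes mark positions where the plaintexts agree,
    which is why the post above calls a reused pad 'beatable'."""
    n = min(len(ct1), len(ct2))
    return otp_xor(ct1[:n], ct2[:n])


def fresh_pad(n: int) -> bytes:
    """How a real pad is generated: n bytes from the OS CSPRNG."""
    return secrets.token_bytes(n)


if __name__ == "__main__":
    pad = bytes(range(64))  # constructed, predictable pad purely for the demo
    m1, m2 = b"ATTACK AT DAWN", b"ATTACK AT DUSK"
    ct1 = otp_xor(m1, pad)
    ct2 = otp_xor(m2, pad)  # the reuse the post warns about
    print(two_time_pad_leak(ct1, ct2))  # leading zero bytes expose the shared prefix
    store = PadStore(fresh_pad(64))
    store.encrypt(m1)
    print("pad bytes left:", store.remaining)
```

The PadStore is the operational point: the pad must be consumed from one position on both sides, and exhaustion must be an error rather than a wrap-around.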
Article is mostly nonsense as far as I can tell too. Also, I do love how slashdot editors feel the need to tell us what repeaters are.
However, if quantum computing ever works, then your nice RSA or AES encrypted data stream is (so the thinking goes) highly vulnerable to quantum cracking, which (so goes the hype) is thousands if not millions of times faster than regular computing. Thus, in any post-Von-Neumann world, you're going to need a way to transmit data without it being snooped or cracked later. For that, only quantum transmission stands a chance of being secure.
Potentially quantum communication does also allow for the sender and receiver to know they're being snooped. Current optical communication can detect a 'bend attack', but it's tricky to get the measurements right without getting false positives. On long cable runs where you have repeaters, every repeater needs to do the same detection, and then somehow tell the sender or receiver that it's happening. All this pretty much makes it possible in theory, but hard in practice. Quantum properties mean the receiver is automatically notified of a snooper in ways that wouldn't be confused with a reduction in signal strength.
Taking the example of a transatlantic cable, you need a few repeaters over that length. Clearly, with quantum communication that's going to be tricky: every repeater would need to fully receive the signal, then re-send it along the next bit of the cable. That's practically impossible at the moment because senders and receivers are absolute-zero, super complex machines. If these folks have found a way to repeat the signal without quantum-altering it along the way, then it means long range comms becomes possible. That's also something of a 'must have' if quantum computing ever becomes a real thing.
So yeah, quantum comms offers you nothing today that you can't get somewhere else. However, if the NSA or whomever gets a quantum computer, then all the world's encryption is at risk, and for that, we need some sort of defence.
then your nice RSA or AES encrypted data stream is (so the thinking goes) highly vulnerable to quantum cracking,
Actually, from what I read, symmetric encryption like AES is safe, it is the public key (RSA), which is used to transmit the symmetric key, that is at risk.
So the hardware encryption is safe, you just need a software upgrade to improve the public key side if quantum computing ever gets close to cracking it.
Quantum theory is the best theory we have to explain many experimental results, e.g. why light "behaves like particles" (i.e. the photoelectric effect) or why electrons show diffraction effects you'd expect from waves. QT is used successfully to model all kinds of physics, e.g. properties of atoms, or even strange properties of the vacuum like the Casimir effect, and in that sense QT is a working product. It was noticed early on (the EPR "paradox") that QT predicts some strange things, including what we call "entanglement". The strangeness lies in the nonlocality that it implies for QT, which is at odds with a "classical" (in the sense of non-QT) world view and manifests itself in "entanglement", i.e. some strange "connection" between particles in different locations. But the strange behavior predicted by QT was tested, specifically by testing the Bell inequality. The result of these tests is not only that the strange predictions of QT are indeed what we measure experimentally, but also that it will be impossible to explain these results with a "classical" theory that is based on locality and causality; even any (finite) number of "hidden" variables doesn't help. Another test of entanglement is "Delayed Choice Quantum Eraser" experiments, which also confirm the strange predictions of QT.
QT is far from perfect, as it doesn't go well together with general relativity, but for nonrelativistic phenomena on the scale where quantum effects are of relevance it's the best we have. It can also be shown how "classical" Newtonian physics emerges for large (many particle) objects from QT.
Some people think that QT must be wrong because it clashes with their "classical" picture of the world, a picture humans grow accustomed to since their life usually doesn't confront them with phenomena on the scale of single atoms, electrons and photons, but why should the universe conform to our personal world view or preferences?
But anyone claiming that QT is wrong (apart from known limitations, i.e. incompatibility with GR) should point out where it makes wrong predictions, and anyone presenting a "better" theory should make that theory specific and detailed enough so it can be tested experimentally, and of course that theory should also explain all the experimental findings that are perfectly well explained by QT. As it stands QT is the best explanation of all the stuff we find experimentally, and also of the nature of atoms as we know them.
Specific to light we have QED (quantum electrodynamics); see also the book "QED: The Strange Theory of Light and Matter" by R. P. Feynman:
https://en.wikipedia.org/wiki/...
The point is: while we can't ultimately prove of any physical theory that it is "correct" under all circumstances (because we don't know and can't monitor all circumstances), we can test whether the predictions of a theory match experimental results and are consistent with what we "know" about the world (i.e. all those other theories, observations etc.). In that sense QT is the best theory we currently have, and we do know that classical theories that preserve "locality" and "causality" are in contradiction with at least some experimental findings (e.g. Bell inequality tests).
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
That surely only applies if you are transmitting things unencrypted.
One of the prime reasons to use encryption is because it operates over even an insecure channel to secure it. Someone faking or stealing IP traffic still can't read your encrypted data because that's the entire point.
Obviously, if you're worried about it, you use proper cryptographic endpoint verification. Then it doesn't matter. You'll notice tampering immediately. You *EXPECT* your enemy to record every single byte of everything you send. Because it literally won't help them one jot. Not even if they know what you were sending at some point in the future (known-plain-text attacks aren't possible with modern encryption).
People fussing over DNS interception, BGP routing etc. are missing the critical point. They may affect *connectivity*. i.e. can you talk to the intended endpoint. What they can never affect is *veracity*. You are either talking to the chosen endpoint or you're not. People can't pretend to be the endpoint unless they've got the correct private key, etc. etc.
This is why SSH, TLS, IPSec, etc. all exist.
Treat the Internet as an untrusted network medium (why on Earth would you do anything else!?) and apply security accordingly. Pretending that a BGP announcement, even from your own ISP, is in any way secure is stupidity. You secure it IN SPITE of that. Even Google's inter-data-centre links weren't secure because they just assumed the medium was secure and didn't encrypt. Only when it was revealed that certain agencies were sniffing that traffic did they solve the problem - by encryption.
Sod the honour system, the honour system is in people assuming they are talking to the endpoint without checking, no matter who says.
BGP etc. routing attacks become useless precisely the second that you encrypt traffic by default. You can no more fake being "Facebook.com" than you can being some IP address. Without the right certificate the other end, the correct certificate signing chain, the correct certificate authority, the correct certificate pinning, etc. then modern sites and browsers will throw errors no matter what you do to try to pretend to be a secured endpoint, or act as a man-in-the-middle.
The problems come from people assuming security exists, rather than assuming it doesn't, and layering more on top anyway.
Hell, WPA2 isn't secure, because anyone can pretend to be the BSSID of any advertised Wifi point. It's secured by the endpoints layering over encryption. You should be VPN'ing over even internal wireless.
You can't secure something like the Internet en masse. So don't. Secure the endpoint, and just assume that EVERYONE can see every byte out of your connection.
It doesn't work like that. The problem is that public key algorithms rely on "trap door algorithms" that are "easy" to do in one direction (e.g. multiplying two prime numbers) but "very hard" in the other direction. "Easy" usually means "requires a number of operations that is polynomial in N" (N = number of digits), "hard" means "requires a number of operations that grows exponentially with N". E.g. counting up to the product (or its square root) and testing each number for whether it divides it is "hard". Public key cryptography relies on this: an attacker has to solve a "hard" problem to crack the key. What compromised some key lengths previously was not that "hard" became "easy", but that with better and more hardware and improved algorithms the "hard" problem became doable. This can be easily fixed by using a higher key length. (One problem with all that is that AFAIK we don't have mathematical proof that "hard" problems are really "hard", see P=NP, but that's another subject entirely.)
Now some problems that (we think) are "hard" to do in classical computing are "easy" in quantum computing, prime factoring is one example of this. With that the basic premise falls, and that can't be helped by adjusting the key length. Maybe there are trap door algorithms out there that can't be made "easy" by quantum computing, or maybe we'll find that some problems we previously thought to be hard really aren't.
But quantum key distribution could solve that problem, since it provides a way of generating a common one-time pad and checking whether anyone eavesdropped. That one-time pad can then be used to transmit a key for the symmetric encryption, e.g. in place of RSA.
The OP is right that that doesn't solve the problem of authentication. Still, a secure (in the sense that eavesdropping can be detected) distribution of exactly two instances of a one-time pad, on the basis that authentication has happened, certainly has its uses.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
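The key-distribution idea in the post above (generate a shared pad, detect eavesdropping by the disturbance it causes, abort if it is seen, then use the pad to carry a symmetric key), as an added toy simulation that is not code from the article, the researchers, or the thread. Everything in it is constructed: qubits are modelled as classical (bit, basis) pairs, a seeded RNG stands in for quantum randomness, the intercept-resend disturbance is the textbook BB84 effect, and the 11% abort threshold is an assumed cutoff. It also assumes, as the post notes it must, an already authenticated classical channel for the basis comparison.

```python
"""Toy BB84 key distribution with an eavesdropping check.

Constructed illustration, not code from the article or the thread. Qubits
are classical (bit, basis) pairs, the seeded RNG stands in for quantum
randomness, and QBER_ABORT_THRESHOLD is an assumed cutoff. An authenticated
classical channel for comparing bases is assumed."""
import random

# Assumed cutoff: above this sifted-key error rate the session is abandoned.
QBER_ABORT_THRESHOLD = 0.11


def _measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the other basis returns a uniformly random bit. That disturbance is
    the property the post says QKD relies on."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_qubits, eavesdrop=False, seed=1):
    """Return (alice_sifted, bob_sifted, qber) for one session."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]  # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend model: a third party measures in a guessed
            # basis and re-emits a qubit prepared in that basis. Half the
            # guesses are wrong, and a wrong guess randomises what Bob sees
            # even when his basis matches Alice's, so errors land in the
            # sifted key at an expected rate of 25%.
            e_basis = rng.randrange(2)
            bit = _measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(_measure(bit, a_basis, b_basis, rng))
    # Sifting: over the authenticated classical channel both sides reveal
    # their bases (never the bits) and keep positions where they agree.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    a_key = [alice_bits[i] for i in keep]
    b_key = [bob_bits[i] for i in keep]
    # Error estimate: a real protocol sacrifices a public random sample of
    # the sifted key; the whole key is compared here for simplicity.
    errors = sum(a != b for a, b in zip(a_key, b_key))
    qber = errors / len(a_key) if a_key else 0.0
    return a_key, b_key, qber


def bits_to_bytes(bits):
    """Pack the leading multiple-of-8 bits into bytes; leftover bits drop."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def qkd_session(n_qubits, eavesdrop=False, seed=1):
    """Abort (return None) when the error rate indicates interception;
    otherwise return the shared pad bytes, which can one-time-pad a
    symmetric key as the post describes."""
    a_key, _b_key, qber = run_bb84(n_qubits, eavesdrop, seed)
    if qber > QBER_ABORT_THRESHOLD:
        return None, qber
    return bits_to_bytes(a_key), qber


if __name__ == "__main__":
    pad, qber = qkd_session(4000)
    print("clean channel: QBER %.3f, %d pad bytes" % (qber, len(pad)))
    pad, qber = qkd_session(4000, eavesdrop=True)
    print("intercepted: QBER %.3f, session %s" % (qber, "aborted" if pad is None else "kept"))
```

The detection comes entirely from comparing error rates, which is why the basis comparison must be authenticated: the disturbance check says nothing about who is at the other end, only whether the qubits were read in transit.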
Modern cryptography uses a function that not only varies at each byte of the encoding, but also each byte encoded influences the future of the pad. So changing a single character in the middle of the message causes all of the ciphertext after that point to change. The Enigma wasn't quite that good: the wheels, wheel arrangement, and plugboard settings created a long random pad, and the passcode used to pre-set the position of the wheels selected at what point in the string to start using the pad. This means changing one character in a message only changes ONE CHARACTER in the ciphertext (as long as you don't insert or delete characters). You could look at Enigma as a method that changes every character in the message using a different function, based on its place in the message (but having nothing to do with any prior part of the message). And that's precisely what a one-time pad does. It's the re-use of the formula and merely changing the start position that makes it not a "pure" OTP.
The reason they do [either of these methods] is because it's easier and more secure to exchange a machine or formula once and a short passcode frequently than it is to exchange large amounts of OTP regularly. The big problem for GB was the U-boats using it, and they had especially big problems with getting updates, so for them the Enigma was an enormous help. They went out to sea with a fresh little code book full of short passcodes (wheel and plugboard arrangements, and passcodes for each day) rather than a telephone book full of OTP. Back then, to change the "method" of the code required changing the machine itself, and that was "top secret"; you can't just go transporting those all over the place all the time. They DID change wheels occasionally though. It's much easier to get them a new little code book every few months, and you could even give different groups different books, without having to design dozens of different machines, or even different wheels for the different groups.
On the surface, Enigma may not look like a one-time pad, but it basically is, though there is the "can't output the same as the input" limitation. That weakness was most useful for "breaking wheels" once they'd figured out the method. (Go look that up; that's a good keyword to get you where you need to be.)
After the wheels were broken, they needed to figure out the "day code" (and work out the plugboard settings). The weather reports you're mentioning were very useful for that, but were only useful AFTER they had figured out how it worked and had wheels broken. Again, this tells you at what point in the (very long for Enigma) cycle to start using the OTP. So, technically, it's not a ONE-TIME pad, but it's a very long, fixed pad, which you can start at some arbitrary, pre-arranged point for each new message. Computers today could just shift through a pad like Enigma made and (fairly quickly) find the right position, but that level of processing was unavailable during WW2.
The big initial break was made when a transmission was sent across a "secure cable" (that wasn't secure; it was being monitored). They don't explicitly SAY it, but I'm pretty sure they interrupted the transmission cable during the message, so the British had a full copy and the receiver didn't. Due to how OTPs work, you have to stay in sync. If you lose a character or two, your pad is shifted, the pad gets out of sync with the ciphertext, and the rest of the message turns into white noise. The coders were under strict orders to never re-use a day code, as this basically meant reusing an OTP, because that opens the door to cryptanalysis. NORMALLY this would be OK, as long as you sent the exact same message again. But they committed a compounding error: the sender was in a hurry, and to make resending it faster, he replaced several words with abbreviations. This created a ciphertext that started the same and suddenly became completely different (where the first abbreviation was encountered) whil
I work for the Department of Redundancy Department.