### A game of quantum cats and mice

Cryptography is the art of secret. It has been used since the antiquity to ensure the confidentiality of diplomatic and military communication, a use that was still dominant during world war II. In the 1970s, new methods were developed to secure digital information, which enabled the age of information.

Throughout its history, cryptography has been a game of cats and mice between code designers and code breakers. The methods used to secure communications are often based on mathematical conjectures and it is very important to keep analyzing them to detect potential flaws and weaknesses. On the other hand, the search for new methods, systems and cryptographic constructions still has a big disruptive potential.

One of the most surprising development of cryptography is based on the use of quantum physics. The birth of quantum cryptography is a well-documented story. In 1979 on a beach in Puerto Rico, Gilles Brassard was approached by Charles Bennet who claimed to know how to secure communications using quantum states of light. In their protocol, the quantum states are used to establish a shared secret key, and the security follows from the fact that quantum information cannot be copied. Therefore, the legitimate parties can detect an eavesdropper trying to extract information from the quantum communication channel.

Building on the work of Stephen Wisner on quantum money, Bennett and Brassard, a physicist and a computer scientist, found a way to achieve something impossible using only classical digital information. Quantum key distribution (QKD) enables secret key establishment over an insecure communication channel. It even reaches the holy grail of encryption, which is *unconditional security.* No matter the effort spent by an eavesdropper, data encrypted through quantum key distribution remain secure forever.

Bennet and Brassard’s protocol is undoubtedly a great scientific discovery. It opened a new field of research, and provided new insight to quantum information. Arguably, the original motivation for QKD was to investigate the mysterious way information is processed at the quantum scale. They spent years trying to convince the scientific community of the relevance of this approach, eventually publishing it in 1984.

### Quantum cybersecurity in the real world

While the scientific motivation is clear, interpreting Bennet and Brassard’s work in terms of cybersecurity is a subtle task. Mathematically, quantum cryptography has an infinite added-value compared to classical methods. In the real world, things get more complicated. Firstly, the security of communication systems relies not only on confidentiality, but also on authentication of its participants. Quantum cryptography only applies to the first one, and designing a fully unconditionally secure cryptosystem using quantum key distribution is a difficult task. Classical authentication methods with unconditional security exist, but do not scale well in practice. This directly impacts both the design of quantum networks and the trust model of the security infrastructure.

Hardware constraints are an even bigger obstacle to the development of quantum communication networks. Encoding information at the quantum scale requires to process light at the single photon level. This cannot be done using standard telecom hardware, which immediately implies large hardware costs. In addition, when travelling in optical fiber, most photons are lost. This greatly limits the distance between two QKD nodes.

Even worse, each of these two hardware constraints push the design of quantum networks toward two opposite paradigms. On the one hand, the limitation on the distance QKD suggests deploying quantum key distribution at a small-scale. But on the other hand, the hardware cost reserves QKD to critical sites, which are in general not close to each other.

The best example of resolution of these constraints is the Chinese quantum communication network, which spans over more than 2000km and more than 30 nodes. The Chinese approach to the distance problem is to include trusted nodes to route keys between distant nodes. In this approach, the trust in trusted nodes is not cryptographic, but relies on a security guard preventing any attempt to compromise the node physically.

While the Chinese network is a perfectly legitimate solution to the problem, it is to a large extent irreproducible. It requires a very specific economic set-up both for the initial investment and for running up the network. Finding innovative ways to overcome the hardware barriers seems essential for a wide development of quantum networks. Increasing the distance and decreasing the costs are the two options to consider new network topologies. They are investigated by many startups working on integrated photonics, space communications or quantum information processing hardware.

### Breaking the barriers by VeriQloud

Our goal is to design fully optimized solutions to use-cases in cybersecurity based on quantum information processing. We do not limit ourselves to quantum key distribution, and we approach the problems from the software side. Our first step toward this direction was to re-examine the advantages of quantum resources in terms of cybersecurity.

An argument sometimes used is that the security of quantum cryptography relies on the laws of nature. This statement does not rest on any scientific ground. The security of quantum cryptography relies on the mathematical proof of its unconditional security. As mentioned above, getting this clear advantage implies a tricky network design. Nevertheless, as a mathematical fact, it also has a number of interesting consequences.

- Quantum cryptography can achieve long-term security, or even ever-lasting security. Most security agencies recommend cryptosystems for security up to 20 or 30 years, but rarely more.
- Unlike most currently used classical cryptography, quantum cryptography is safe against attacks by quantum computers.
- Since quantum information cannot be copied, it is not possible to store some information to decipher later. The security of a quantum crypto-system is not affected by future technological discoveries.

Carefully designed quantum cryptosystems can offer very high security guarantees. Also, designing a fully unconditional quantum cryptosystem (or rather hybrid, since classical authentication is also needed) can be tricky, but some advantages listed above can be achieved by relaxing requirements of the system. For example, achieving everlasting security does not require unconditionally secure authentication methods. It is thus possible to use authentication methods that scale well while keeping an advantage in terms of security over classical networks.

At VeriQloud, we have been investigating the various relaxations allowing a better scaling of quantum networks. In particular, one question that we have been obsessed with is the possibility of getting a good scaling of the cost for small-scale quantum networks. As we have seen, the hardware cost pushes toward country-wide, expensive networks. How can the advantage of quantum cybersecurity be brought to the size of, for instance an ethernet network? Quantum key distribution networks over small distances do not make much sense economically. Based on our software and use-case-driven approach, we have been able to devise an innovative solution to this problem.

### Quantum enhanced cybersecurity done right

We have listed some of the advantages derived from unconditional security of quantum key distribution. This would naturally enhance the security of data-centers, or distributed infrastructures. But at this scale, one can also consider applications beyond secure point-to-point communication. Rather counter-intuitively, QKD can be combined with classical data encoding to enhance the security of storage. It brings a long-term security to stored data that is cannot be achieved with only classical encoding. The idea is to distribute the data over different storages. Classical cryptography is used to ensure that the data on the storage do not reveal individually the original data, while quantum cryptography is used to distribute and update the information of each storage. This combination of classical and quantum cryptography implies a very high security guarantee. The data are safe for a very long time, and the only way to intercept original data illegitimately is to compromise several storages at the same time.

This application is very well suited for data center, in which storage is replicated to ensure data availability. Combining classical and quantum cryptography to ensure long-term storage protection has been proposed by researchers of TU Darmstadt and NICT in Japan. It has since been deployed over the Tokyo QKD network to secure medical data. A few companies are working on implementing both the classical and quantum protocols. The cost of deploying quantum cryptography over a small-scale QKD network with current hardware is, as mentioned previously, a strong obstacle to a wide development of this solution.

To overcome the hardware constraints in the short term, we have designed a quantum network architecture called the Qline which is particularly well-suited for small and mid-scale infrastructure. Our architecture is analogous to early solutions developed for classical networking, such as the original ethernet protocol or token ring networks. Using the Qline drastically reduces the price per bit of key in the regime of small distances. The price reduction follows from a reduction of the hardware. The Qline connects a number of nodes using a single optical fiber, with only one emitter and one detector at both ends of the line. The intermediate nodes can change the state of the light but don’t have the ability to create or measure it.

We mentioned that the high hardware cost follows from the exotic equipment used to manipulate quantum information. A closer look to quantum information processing hardware reveals that not all operations require exotic quantum hardware. Creating or measuring quantum information requires to work at single photon scale, excluding standard telecom equipment, even when working at standard telecom wavelengths. On the other hand, transforming the state of a photon can be done using a standard optical modulator. The modulator applies its modulation during some interval of time, which can in practice be long. For example, a frequency of emission of 10MHz corresponds to an interval of time of 100 ns, which is within the reach of standard hardware. To summarize, the creation and measurement of quantum information requires special hardware whereas the manipulation of the quantum state of photons can be done with standard hardware

### Quantum ethernet becomes feasible

The architecture is only the first piece of the puzzle. We also had to devise a protocol to establish shared keys on the Qline. Traditional quantum key distribution involves two parties, where the first party prepares and send quantum states and the second one receives and measures. Our main observation was that prepare-and-send and receive-and-measure can be decomposed into four distinct operations:

- Generating a single photon,
- Encoding information,
- Decoding information,
- Measuring the photon state.

On the Qline, generation and measurements are done at both ends of the line, whereas encoding and decoding are done by any pair of intermediate nodes using standard hardware. QKD is inherently bipartite, whereas the Qline is naturally multipartite.

This idea captures the core of our protocol but leaves aside a number of details. Firstly, the measurement is done at the end of the line and the result has to be transferred to the legitimate parties. Of course, we cannot assume a secured communication channel for that, since the goal is precisely to establish one. There is nevertheless an easy solution, which consist for the decoding party to inject some randomness to scramble the measurement’s result in such a way that only the decoder can learn the encoded information. The measuring party can thus announce the result to everyone, since the original information is scrambled. The protocol also requires some specific protections against side-channels attacks, which are attacks that take advantage of features absent from the mathematical model.

The Qline has more advantages, beyond the price. When a pair of nodes establish a shared secret key, they do not need the help of intermediate parties. This has two major consequences. Firstly, unlike QKD networks, keys are never routed on the Qline. On a QKD network, when non-adjacent nodes establish a shared secret key, intermediate nodes are used to route them, therefore consuming part of the previously established keys. Although the detectors of QKD networks can generate keys in parallel, the key consumption required for routing makes the Qline and its single detector as efficient for comparable architecture, for a reduced cost. Secondly, intermediate nodes never get any information about the keys established by others. This drastically simplifies the trust model of the Qline, compared to QKD networks.

To summarize, Quantum key distribution networks are constrained by two factors: the hardware cost and the limited distance. The network deployed over China epitomizes the solutions that satisfies these constraints: large span, many nodes, very high price and convoluted trust model. These constraints prevent using QKD networks over short distances. At VeriQloud, we have designed a new network model that enables quantum key establishment over short distances. This allows to bring the advantages of quantum resources to the scale of a datacenter or small-scale infrastructure, enabling new applications, such as the long-term storage security with minimum cost through minimum hardware requirement.

A few more remarks about the Qline. Firstly, its design is compatible with any implementation of quantum communication. It can be in fiber or free-space, can use discrete or continuous variable. Our work is independent of the physical layer of the network, which implies that it can be combined with any hardware development. Secondly, using the Qline for establishing shared keys is compatible with QKD networks. In other words, the Qline and QKD networks can be interconnected.

The Qline complements rather than competes with standard QKD networks. They are designed for different regimes and have different advantages. There is however, one feature of the Qline that is absent from QKD network. When looking closely at the Qline, we see that the parties are altogether running a single qubit computation. While such computation leads to no advantage in terms of computational complexity, single-qubit protocol may be useful in the future to improve the security of distributed computation. The Qline could be used for further protocol development whereas QKD networks are designed to run quantum key distribution only.

A technical paper is available upon demand.