0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/527 Thanks! 1 00:00:09,090 --> 00:00:11,309 Quantum cryptography, that is 2 00:00:11,310 --> 00:00:13,229 what we will learn, how to exploit 3 00:00:13,230 --> 00:00:15,239 quantum mechanics for cryptography 4 00:00:15,240 --> 00:00:17,369 purposes and I think also 5 00:00:17,370 --> 00:00:19,769 we will do a little bit of relativity 6 00:00:19,770 --> 00:00:21,959 in it. I don't really understand 7 00:00:21,960 --> 00:00:23,639 how you can combine quantum mechanics and 8 00:00:23,640 --> 00:00:25,229 relativity without getting loop quantum 9 00:00:25,230 --> 00:00:27,359 gravity or string theory, but I guess 10 00:00:27,360 --> 00:00:29,069 we will find out. And our teacher today 11 00:00:29,070 --> 00:00:31,079 will be Christian Shaffner, who is 12 00:00:31,080 --> 00:00:32,758 currently at the University of Amsterdam. 13 00:00:32,759 --> 00:00:35,519 Please give him a warm round of applause. 14 00:00:35,520 --> 00:00:36,520 Thank you. 15 00:00:42,970 --> 00:00:43,970 Thank you very much. 16 00:00:47,910 --> 00:00:51,059 So I'm waiting for my slides. 17 00:00:51,060 --> 00:00:52,060 Here we go. 18 00:00:52,950 --> 00:00:55,049 I work at QST, which 19 00:00:55,050 --> 00:00:57,599 is recently established Research 20 00:00:57,600 --> 00:01:00,209 Center for Quantum Software in Amsterdam. 21 00:01:00,210 --> 00:01:02,129 And as you just heard, I'm also at the 22 00:01:02,130 --> 00:01:03,959 University of Amsterdam and I collaborate 23 00:01:03,960 --> 00:01:05,369 with CWI. 24 00:01:05,370 --> 00:01:07,409 I'm very happy to be here and tell you a 25 00:01:07,410 --> 00:01:08,909 little bit more about my field of 26 00:01:08,910 --> 00:01:11,069 research, quantum cryptography for 27 00:01:11,070 --> 00:01:12,449 the next hour or so. 28 00:01:12,450 --> 00:01:14,549 And so to get started, please put 29 00:01:14,550 --> 00:01:16,320 on your 3-D glasses. 30 00:01:18,500 --> 00:01:20,569 Oh, you didn't bring any 31 00:01:20,570 --> 00:01:22,729 I'm sorry for that doesn't matter too 32 00:01:22,730 --> 00:01:23,699 much. 33 00:01:23,700 --> 00:01:25,809 Um, I'll put on mine, so we're 34 00:01:25,810 --> 00:01:26,719 fine. 35 00:01:26,720 --> 00:01:28,699 I'm ready. 36 00:01:30,740 --> 00:01:31,740 Good. 37 00:01:32,870 --> 00:01:33,870 So here we go. 38 00:01:36,080 --> 00:01:38,299 In 1969, 39 00:01:38,300 --> 00:01:40,399 man has first set foot on 40 00:01:40,400 --> 00:01:42,289 the moon, as you can see here on this 41 00:01:42,290 --> 00:01:44,419 picture sent around the world by 42 00:01:44,420 --> 00:01:45,420 NASA. 43 00:01:46,070 --> 00:01:48,469 But maybe they haven't, actually. 44 00:01:48,470 --> 00:01:51,319 So if you believe this kind of conspiracy 45 00:01:51,320 --> 00:01:53,419 theories here on the Internet, 46 00:01:53,420 --> 00:01:55,369 then this scene has actually been filmed 47 00:01:55,370 --> 00:01:56,539 in some Hollywood studio. 48 00:01:56,540 --> 00:01:58,459 And this is all fake. 49 00:01:58,460 --> 00:02:00,559 And this leads to one of the 50 00:02:00,560 --> 00:02:02,389 research questions that I'm 51 00:02:02,390 --> 00:02:04,429 investigating, namely, how can you 52 00:02:04,430 --> 00:02:06,589 actually prove that you are at 53 00:02:06,590 --> 00:02:07,760 the specific location? 54 00:02:11,380 --> 00:02:13,179 So I will come back to this question a 55 00:02:13,180 --> 00:02:15,549 little bit later in my talk. 56 00:02:15,550 --> 00:02:17,349 First of all, here's a quick outline of 57 00:02:17,350 --> 00:02:20,079 what I want to cover tonight. 58 00:02:20,080 --> 00:02:22,629 So talking about quantum cryptography, 59 00:02:22,630 --> 00:02:24,699 we can do without telling you a 60 00:02:24,700 --> 00:02:26,559 little bit about quantum mechanics. 61 00:02:26,560 --> 00:02:28,059 So there's going to be the first part of 62 00:02:28,060 --> 00:02:30,009 my talk and then I'm going to focus on 63 00:02:30,010 --> 00:02:31,329 two applications. 64 00:02:31,330 --> 00:02:32,709 The first one will be quantum key 65 00:02:32,710 --> 00:02:34,659 distribution and the second one will be 66 00:02:34,660 --> 00:02:36,309 position based cryptography. 67 00:02:36,310 --> 00:02:37,929 Basically coming back to that question 68 00:02:37,930 --> 00:02:39,729 that I just asked. 69 00:02:39,730 --> 00:02:42,009 So here we go, introduction 70 00:02:42,010 --> 00:02:42,939 to quantum mechanics. 71 00:02:42,940 --> 00:02:43,940 Now, 72 00:02:45,550 --> 00:02:47,229 for the purpose of this talk, you can 73 00:02:47,230 --> 00:02:49,869 think of a cubitt, a quantum bit, 74 00:02:49,870 --> 00:02:51,999 um, as the polarization of 75 00:02:52,000 --> 00:02:53,169 a photo. 76 00:02:53,170 --> 00:02:54,669 Mathematically speaking, we're talking 77 00:02:54,670 --> 00:02:56,949 about the UNIVAC unit vector in 78 00:02:56,950 --> 00:02:59,289 a two dimensional complex Hilbert space. 79 00:02:59,290 --> 00:03:00,969 But don't worry, we're going to make it 80 00:03:00,970 --> 00:03:02,349 way more practical. 81 00:03:02,350 --> 00:03:04,509 Photons are just particles of light. 82 00:03:04,510 --> 00:03:06,819 So I imagine you can have a light source. 83 00:03:06,820 --> 00:03:08,949 You put some polarizing filter here 84 00:03:08,950 --> 00:03:10,419 and then this direction of this 85 00:03:10,420 --> 00:03:12,099 polarizing filter, basically, it will be 86 00:03:12,100 --> 00:03:13,359 the state of the cubit. 87 00:03:13,360 --> 00:03:14,769 So it will be this vector. 88 00:03:14,770 --> 00:03:16,929 You can actually turn this around, 89 00:03:16,930 --> 00:03:18,699 this vector slang form. 90 00:03:18,700 --> 00:03:20,559 And in quantum mechanics, 91 00:03:21,610 --> 00:03:23,769 we kind of give some particular names to 92 00:03:23,770 --> 00:03:25,659 certain directions. For instance, this 93 00:03:25,660 --> 00:03:27,729 horizontal direction here, we're going to 94 00:03:27,730 --> 00:03:29,159 call the zero state. 95 00:03:29,160 --> 00:03:31,299 So just basically arbitrary naming. 96 00:03:31,300 --> 00:03:33,399 We call this the zero state and 97 00:03:33,400 --> 00:03:35,379 we use this fancy notation with this 98 00:03:35,380 --> 00:03:37,569 brackets to denote 99 00:03:37,570 --> 00:03:39,519 that state. In my talk, I'm just going to 100 00:03:39,520 --> 00:03:40,599 use this symbol here. 101 00:03:40,600 --> 00:03:42,639 So this round table with these horizontal 102 00:03:42,640 --> 00:03:44,619 arrows, that's going to denote the zero 103 00:03:44,620 --> 00:03:46,210 state, um, 104 00:03:47,230 --> 00:03:49,399 and actually so that 105 00:03:49,400 --> 00:03:50,979 the actual direction doesn't matter. 106 00:03:50,980 --> 00:03:52,749 So it doesn't matter whether it points 107 00:03:52,750 --> 00:03:54,179 here to the right. 108 00:03:54,180 --> 00:03:55,689 It may also point to the left, which is 109 00:03:55,690 --> 00:03:57,879 going to work with, say, the horizontal 110 00:03:57,880 --> 00:04:00,009 way of polarizing photons. 111 00:04:00,010 --> 00:04:02,139 Now, the polarization which 112 00:04:02,140 --> 00:04:03,669 is orthogonal to that, we're going to 113 00:04:03,670 --> 00:04:04,639 call the one state. 114 00:04:04,640 --> 00:04:06,669 So here we have another state of our 115 00:04:06,670 --> 00:04:07,689 covid. 116 00:04:07,690 --> 00:04:09,779 And together they form a basis, 117 00:04:09,780 --> 00:04:11,859 orthogonal basis of this 118 00:04:11,860 --> 00:04:13,389 vector space. And we're just going to 119 00:04:13,390 --> 00:04:14,979 use, say, the yellow color for it. 120 00:04:14,980 --> 00:04:16,838 This is called the rectilinear or the 121 00:04:16,839 --> 00:04:18,159 computational basis. 122 00:04:21,450 --> 00:04:23,449 Let me get a little bit more practical, 123 00:04:23,450 --> 00:04:25,109 um, and actually 124 00:04:26,220 --> 00:04:28,409 build this thing, so we need a light 125 00:04:28,410 --> 00:04:30,629 source, but wait a second, there's 126 00:04:30,630 --> 00:04:32,039 light sources all over the place. 127 00:04:32,040 --> 00:04:33,539 Actually, I'm holding a light source here 128 00:04:33,540 --> 00:04:34,139 in my hand. 129 00:04:34,140 --> 00:04:36,269 So this laser perfect light source, 130 00:04:36,270 --> 00:04:38,459 then we need a polarizing filter. 131 00:04:38,460 --> 00:04:40,559 And that's the time when you can take off 132 00:04:40,560 --> 00:04:42,239 your 3-D glasses again. 133 00:04:42,240 --> 00:04:44,309 And actually, next time you go to 134 00:04:44,310 --> 00:04:46,169 the cinema, just grab some of them 135 00:04:46,170 --> 00:04:47,939 instead of delivering them at the end of 136 00:04:47,940 --> 00:04:49,769 the after show, get some extra ones 137 00:04:49,770 --> 00:04:51,359 because they're actually really useful. 138 00:04:51,360 --> 00:04:53,489 You can destroy them like this and 139 00:04:53,490 --> 00:04:55,350 take out the polarizing filters. 140 00:04:56,640 --> 00:04:57,640 And so. 141 00:04:58,380 --> 00:05:00,779 Doing that, we can actually build 142 00:05:00,780 --> 00:05:02,129 such a quantum system here. 143 00:05:02,130 --> 00:05:03,629 I have a light source, I hold this 144 00:05:03,630 --> 00:05:05,549 polarizing filter in front of it and I 145 00:05:05,550 --> 00:05:07,679 can turn it the way I like. 146 00:05:07,680 --> 00:05:09,010 And I basically built that system. 147 00:05:10,870 --> 00:05:12,959 So let me 148 00:05:12,960 --> 00:05:15,089 show you that a cubit quantum 149 00:05:15,090 --> 00:05:17,279 bit is at least as good as 150 00:05:17,280 --> 00:05:18,569 a classical bit. 151 00:05:18,570 --> 00:05:20,339 So here we have our two heroes, Alice and 152 00:05:20,340 --> 00:05:22,979 Bob. And Alice would like to communicate 153 00:05:22,980 --> 00:05:24,119 a bit to Bob. 154 00:05:24,120 --> 00:05:26,229 Now, what you could do is she could take 155 00:05:26,230 --> 00:05:28,349 her light source, use a polarizing 156 00:05:28,350 --> 00:05:30,599 filter like that, and, um, and 157 00:05:30,600 --> 00:05:31,609 send that to Bob. 158 00:05:31,610 --> 00:05:32,519 Bob on his side. 159 00:05:32,520 --> 00:05:34,829 He could put another polarizing filter 160 00:05:34,830 --> 00:05:37,379 in the orthogonality polarized. 161 00:05:37,380 --> 00:05:39,629 And if no light comes through and then 162 00:05:39,630 --> 00:05:41,249 he doesn't see any photons, then he would 163 00:05:41,250 --> 00:05:43,289 say, well, Alice was actually sending a 164 00:05:43,290 --> 00:05:44,519 zero state. 165 00:05:44,520 --> 00:05:46,439 So I have prepared this little experiment 166 00:05:46,440 --> 00:05:47,440 over here. 167 00:05:48,400 --> 00:05:49,400 Now, maybe. 168 00:05:51,150 --> 00:05:53,939 You can, uh, switch to the camera, 169 00:05:53,940 --> 00:05:56,369 um, so I have a laser pointer 170 00:05:56,370 --> 00:05:58,049 here, another one. 171 00:05:58,050 --> 00:06:00,119 And I'm shining. 172 00:06:02,060 --> 00:06:04,399 Oh, yeah, I'm using little polar bears 173 00:06:04,400 --> 00:06:05,570 for polarization. 174 00:06:12,170 --> 00:06:14,509 You can you can get them very cheap 175 00:06:14,510 --> 00:06:16,159 if you go Christmas shopping now. 176 00:06:16,160 --> 00:06:19,069 So here's the laser 177 00:06:19,070 --> 00:06:21,139 eye shine through both of these 178 00:06:21,140 --> 00:06:23,089 lights and you see over there right now, 179 00:06:23,090 --> 00:06:25,519 Alice is sending in zero and this 180 00:06:25,520 --> 00:06:27,649 other filter is ninety degrees, so 181 00:06:27,650 --> 00:06:28,129 polarized. 182 00:06:28,130 --> 00:06:30,229 So there's basically almost no reflection 183 00:06:30,230 --> 00:06:31,999 here on the ground. And if I turn this 184 00:06:32,000 --> 00:06:34,429 and actually see this point, 185 00:06:34,430 --> 00:06:36,499 there is getting much more brighter. 186 00:06:36,500 --> 00:06:38,569 So here is where about it's not the 187 00:06:38,570 --> 00:06:40,579 perfect filter, but it's pretty, pretty 188 00:06:40,580 --> 00:06:43,699 good. So now the light is almost gone. 189 00:06:43,700 --> 00:06:44,659 OK, you can see. 190 00:06:44,660 --> 00:06:46,939 So maybe switch back to my slides. 191 00:06:46,940 --> 00:06:49,129 You can see using 192 00:06:49,130 --> 00:06:50,739 this technique, we 193 00:06:51,860 --> 00:06:54,199 can send classical information to 194 00:06:54,200 --> 00:06:55,549 from Alice to Bob. 195 00:06:55,550 --> 00:06:57,829 And in particular, if she's if Alice 196 00:06:57,830 --> 00:07:00,019 is sending out the one state, 197 00:07:00,020 --> 00:07:02,299 then if it's filtered, a light 198 00:07:02,300 --> 00:07:03,589 will go through. 199 00:07:03,590 --> 00:07:05,209 And therefore, if he sees photons, he 200 00:07:05,210 --> 00:07:07,279 knows Alice was sending a one so we can 201 00:07:07,280 --> 00:07:09,469 use Cubitt to send zeros 202 00:07:09,470 --> 00:07:11,389 and ones. And in fact, what we are doing, 203 00:07:11,390 --> 00:07:12,919 quantum mechanical is beating. 204 00:07:12,920 --> 00:07:14,389 It's a so called measurement. 205 00:07:14,390 --> 00:07:16,609 So Alice is sending a state and 206 00:07:16,610 --> 00:07:18,349 we are doing a measurement in the 207 00:07:18,350 --> 00:07:20,029 computational basis. 208 00:07:20,030 --> 00:07:22,069 The outcome of a quantum measurement is a 209 00:07:22,070 --> 00:07:24,559 classical bit inside a zero and one, 210 00:07:24,560 --> 00:07:25,729 and this happens with a certain 211 00:07:25,730 --> 00:07:26,779 probability. 212 00:07:26,780 --> 00:07:28,759 In this case, if Alice is sending to one 213 00:07:28,760 --> 00:07:31,009 state, then with probability one bulb 214 00:07:31,010 --> 00:07:33,169 will actually get one as 215 00:07:33,170 --> 00:07:34,879 an outcome and nothing changes in the 216 00:07:34,880 --> 00:07:36,199 state. 217 00:07:36,200 --> 00:07:37,849 So far, so good. 218 00:07:37,850 --> 00:07:39,619 Now let's do something more interesting. 219 00:07:39,620 --> 00:07:42,259 And what you can do with a cubit 220 00:07:42,260 --> 00:07:44,449 is that you cannot only polarized, 221 00:07:44,450 --> 00:07:45,889 say, in these two directions. 222 00:07:45,890 --> 00:07:47,569 What you can do is you can do stuff in 223 00:07:47,570 --> 00:07:49,669 between. You can just rotate 224 00:07:49,670 --> 00:07:51,769 your filter arbitrarily and they're 225 00:07:51,770 --> 00:07:53,419 going to call this state, which is kind 226 00:07:53,420 --> 00:07:55,479 of 45 degrees between zero and one. 227 00:07:55,480 --> 00:07:57,529 We're going to call that zero state as 228 00:07:57,530 --> 00:07:59,599 well. But in another basis, namely the 229 00:07:59,600 --> 00:08:00,979 diagonal basis. 230 00:08:00,980 --> 00:08:03,169 So we have two more states, this one and 231 00:08:03,170 --> 00:08:05,239 that one, and we're going to use 232 00:08:05,240 --> 00:08:07,609 the red color for that in this talk. 233 00:08:07,610 --> 00:08:09,159 And so these are these two states here at 234 00:08:09,160 --> 00:08:11,249 the zero state in the diagonal basis and 235 00:08:11,250 --> 00:08:13,459 the one state in a diagonal basis or 236 00:08:13,460 --> 00:08:14,599 demand basis. 237 00:08:14,600 --> 00:08:16,669 And together they form another 238 00:08:16,670 --> 00:08:17,670 orthogonal basis. 239 00:08:18,650 --> 00:08:20,749 So this state, the zero 240 00:08:20,750 --> 00:08:22,040 state, in fact, 241 00:08:24,020 --> 00:08:26,179 in terms of linear algebra, you can 242 00:08:26,180 --> 00:08:28,459 interpret it as a linear combination 243 00:08:28,460 --> 00:08:29,629 of the zero in one state. 244 00:08:29,630 --> 00:08:31,429 So if you take this vector here zero and 245 00:08:31,430 --> 00:08:34,279 you add one and you probably renormalize 246 00:08:34,280 --> 00:08:36,439 to have a unit vector, then you actually 247 00:08:36,440 --> 00:08:37,428 get that zero state. 248 00:08:37,429 --> 00:08:39,589 So in fact, what we have 249 00:08:39,590 --> 00:08:41,808 is actually a superposition of 250 00:08:41,809 --> 00:08:43,308 zero and one. 251 00:08:43,309 --> 00:08:45,529 So we have a we have a cubitt in a state 252 00:08:45,530 --> 00:08:47,599 which is both zero and one at 253 00:08:47,600 --> 00:08:48,600 the same time. 254 00:08:49,590 --> 00:08:51,329 Basically just using this diagonal 255 00:08:51,330 --> 00:08:52,829 polarization. 256 00:08:52,830 --> 00:08:54,869 Now, what happens if you go and measure 257 00:08:54,870 --> 00:08:57,059 that state in the computational 258 00:08:57,060 --> 00:08:58,199 basis? 259 00:08:58,200 --> 00:09:00,299 So again, the outcome will be a classical 260 00:09:00,300 --> 00:09:01,739 bit, but now we're going to have a 261 00:09:01,740 --> 00:09:02,849 probabilistic outcome. 262 00:09:02,850 --> 00:09:05,069 So imagine I mean, what happens if 263 00:09:05,070 --> 00:09:06,959 you send, like, diagonally polarized 264 00:09:06,960 --> 00:09:09,119 light and you put this filter 265 00:09:09,120 --> 00:09:10,529 like Bob did before? 266 00:09:10,530 --> 00:09:12,149 Then roughly half of the light will go 267 00:09:12,150 --> 00:09:14,069 through. Now, you saw me turning before 268 00:09:14,070 --> 00:09:16,109 and the pulse was getting fainter. 269 00:09:16,110 --> 00:09:18,179 So if you turn like 45 degrees, 270 00:09:18,180 --> 00:09:19,919 then roughly half of the light will go 271 00:09:19,920 --> 00:09:21,269 through. I would have to do this 272 00:09:21,270 --> 00:09:23,309 experiment with single photons, but then 273 00:09:23,310 --> 00:09:25,439 you can't see anything anymore. 274 00:09:25,440 --> 00:09:27,869 So, in fact, what quantum mechanics 275 00:09:27,870 --> 00:09:29,999 tells us is if you measure that state 276 00:09:30,000 --> 00:09:32,099 in the computational basis, you're going 277 00:09:32,100 --> 00:09:34,199 to get a random outcome with probably 278 00:09:34,200 --> 00:09:36,029 one half, you're going to see a zero. 279 00:09:36,030 --> 00:09:38,129 And in fact, you're changing the state 280 00:09:38,130 --> 00:09:39,989 by observing it, by measuring it in 281 00:09:39,990 --> 00:09:41,639 space. And because after you've seen a 282 00:09:41,640 --> 00:09:43,799 zero, then the state is actually the 283 00:09:43,800 --> 00:09:45,119 zero state. 284 00:09:45,120 --> 00:09:47,549 On the other hand, if you, um, 285 00:09:47,550 --> 00:09:48,839 with probability one half, you will get 286 00:09:48,840 --> 00:09:50,639 outcome one and you change the state to 287 00:09:50,640 --> 00:09:52,829 one. So whatever comes out of this filter 288 00:09:52,830 --> 00:09:54,959 is actually polarized in this 289 00:09:54,960 --> 00:09:57,389 horizontal in this vertical direction. 290 00:09:59,040 --> 00:10:01,289 Now, let me show you the following. 291 00:10:01,290 --> 00:10:03,929 And this one can actually demonstrate 292 00:10:03,930 --> 00:10:06,509 I'm going to go back to the experiment. 293 00:10:06,510 --> 00:10:08,019 So, um. 294 00:10:12,200 --> 00:10:13,999 Sorry for all the work over there. 295 00:10:14,000 --> 00:10:15,079 Thanks a lot. 296 00:10:15,080 --> 00:10:18,079 So this same set ups before, um, 297 00:10:18,080 --> 00:10:20,149 you see hardly any polls 298 00:10:20,150 --> 00:10:22,279 on the other side because it's now 299 00:10:22,280 --> 00:10:24,289 90 degrees over tonight. 300 00:10:24,290 --> 00:10:25,489 It got brighter now, though. 301 00:10:25,490 --> 00:10:27,379 It's almost gone. Now, what I'm going to 302 00:10:27,380 --> 00:10:29,269 do is I'm going to take another filter 303 00:10:30,650 --> 00:10:32,779 and I put this in between those two 304 00:10:32,780 --> 00:10:33,780 filters. 305 00:10:34,400 --> 00:10:35,849 And what's going to happen is that the 306 00:10:35,850 --> 00:10:37,700 point actually reappears. 307 00:10:42,780 --> 00:10:44,149 So this is something very strange. 308 00:10:44,150 --> 00:10:46,259 No, you have like nothing goes 309 00:10:46,260 --> 00:10:48,899 through and you put something more 310 00:10:48,900 --> 00:10:51,089 in between and actually it's going 311 00:10:51,090 --> 00:10:52,090 to reappear. 312 00:10:55,370 --> 00:10:57,589 Right. So why what's 313 00:10:57,590 --> 00:10:58,579 going on here? 314 00:10:58,580 --> 00:11:00,799 So if you go back to the slides, 315 00:11:00,800 --> 00:11:02,539 here's the explanation. 316 00:11:02,540 --> 00:11:04,399 So we started off with something that is 317 00:11:04,400 --> 00:11:06,079 polarized horizontally. 318 00:11:06,080 --> 00:11:07,909 And clearly, if you put something 90 319 00:11:07,910 --> 00:11:09,319 degrees, you don't see anything that was 320 00:11:09,320 --> 00:11:10,459 the set up. 321 00:11:10,460 --> 00:11:12,559 Now, what we did is the following. 322 00:11:14,630 --> 00:11:16,249 We put another filter in between. 323 00:11:16,250 --> 00:11:17,959 And it turns out that the zero state, you 324 00:11:17,960 --> 00:11:20,179 can see it as a superposition 325 00:11:20,180 --> 00:11:22,249 of this zero, a diagonal zero 326 00:11:22,250 --> 00:11:23,759 state and a diagonal one state. 327 00:11:23,760 --> 00:11:25,369 So it's a linear combination of these 328 00:11:25,370 --> 00:11:27,529 two. It's a superposition of these two. 329 00:11:27,530 --> 00:11:29,269 And once we put this diagonal filter in 330 00:11:29,270 --> 00:11:31,339 between, we actually measure 331 00:11:31,340 --> 00:11:34,759 in that basis, for instance, obtaining 332 00:11:34,760 --> 00:11:36,679 the zero state, only letting light 333 00:11:36,680 --> 00:11:38,479 through that is in this direction. 334 00:11:38,480 --> 00:11:40,429 And in fact, as I said before, I have 335 00:11:40,430 --> 00:11:41,629 changed the state to that. 336 00:11:41,630 --> 00:11:43,429 So I've changed the polarization of the 337 00:11:43,430 --> 00:11:45,589 light. Roughly half of the light is going 338 00:11:45,590 --> 00:11:47,749 through from this horizontal 339 00:11:47,750 --> 00:11:49,489 direction to the diagonal direction. 340 00:11:49,490 --> 00:11:51,709 And now, of course, if I put another the 341 00:11:51,710 --> 00:11:53,779 other filter in between now, then roughly 342 00:11:53,780 --> 00:11:55,459 a quarter of the light is actually going 343 00:11:55,460 --> 00:11:56,419 through. 344 00:11:56,420 --> 00:11:58,249 So by putting something in between, 345 00:11:58,250 --> 00:12:00,439 actually demonstrating that 346 00:12:00,440 --> 00:12:03,109 measurement actually changes the state 347 00:12:03,110 --> 00:12:05,389 because again, you can interpret that 348 00:12:05,390 --> 00:12:07,369 diagonal zero state as a superposition of 349 00:12:07,370 --> 00:12:08,839 the other two. If you're going measure, 350 00:12:08,840 --> 00:12:10,669 you actually end up with something. 351 00:12:12,390 --> 00:12:14,549 Yeah, so 352 00:12:14,550 --> 00:12:16,710 that's the magic of quantum mechanics. 353 00:12:22,760 --> 00:12:25,539 Thank you. So here's a quick summary 354 00:12:25,540 --> 00:12:27,859 of what we've learned so far. 355 00:12:27,860 --> 00:12:29,899 There are funny states you can actually 356 00:12:29,900 --> 00:12:31,309 produce them. It's not that hard. 357 00:12:32,390 --> 00:12:34,099 We use the yellow and the red color for 358 00:12:34,100 --> 00:12:35,509 it. What you can do is you can measure 359 00:12:35,510 --> 00:12:37,219 them. Let's take the one state, measure 360 00:12:37,220 --> 00:12:38,809 it in a computational basis. 361 00:12:38,810 --> 00:12:40,219 You will get with probability one 362 00:12:40,220 --> 00:12:41,119 outcome, one. 363 00:12:41,120 --> 00:12:42,889 You don't change the state at all. 364 00:12:42,890 --> 00:12:44,389 If you happen to measure the state in a 365 00:12:44,390 --> 00:12:46,459 wrong basis, say 366 00:12:46,460 --> 00:12:48,949 this one state in the diagonal basis, 367 00:12:48,950 --> 00:12:50,569 your outcome is a random bit. 368 00:12:50,570 --> 00:12:51,559 It's probably one half. 369 00:12:51,560 --> 00:12:53,569 You see zero and you change the state to 370 00:12:53,570 --> 00:12:54,919 the zero state. 371 00:12:54,920 --> 00:12:56,399 And with probably one of you get one, 372 00:12:56,400 --> 00:12:57,799 then you change it to the other state. 373 00:12:57,800 --> 00:12:59,149 So that's basically all we need to know 374 00:12:59,150 --> 00:13:00,150 for now. 375 00:13:01,280 --> 00:13:04,039 And with that enhanced, we actually enter 376 00:13:04,040 --> 00:13:06,049 the wonderland of quantum mechanics. 377 00:13:07,160 --> 00:13:09,349 We've already seen stuff that can 378 00:13:09,350 --> 00:13:12,079 be zero and one at the same time. 379 00:13:12,080 --> 00:13:13,849 It's kind of a superposition of zero and 380 00:13:13,850 --> 00:13:15,260 one. And in fact, 381 00:13:17,270 --> 00:13:19,309 here it's Schrodinger's cat you might 382 00:13:19,310 --> 00:13:20,509 have heard about. 383 00:13:20,510 --> 00:13:22,849 This is a thought experiment or 384 00:13:22,850 --> 00:13:25,399 an experiment where you have some 385 00:13:25,400 --> 00:13:28,009 say, Cubitt, that is in a superposition 386 00:13:28,010 --> 00:13:30,079 of zero and one and it kind of in this 387 00:13:30,080 --> 00:13:32,149 box there's a set 388 00:13:32,150 --> 00:13:34,369 up. So that is a conditioned 389 00:13:34,370 --> 00:13:35,869 on the outcome being one. 390 00:13:35,870 --> 00:13:37,819 There's some poison released inside this 391 00:13:37,820 --> 00:13:40,579 box that they'll actually kill the cat. 392 00:13:40,580 --> 00:13:42,859 And if if the outcome is zero, 393 00:13:42,860 --> 00:13:44,509 then nothing happens and actually the cat 394 00:13:44,510 --> 00:13:46,609 is alive. So Schrodinger thought of 395 00:13:46,610 --> 00:13:48,739 this experiment, don't do that 396 00:13:48,740 --> 00:13:50,839 at home of this box 397 00:13:50,840 --> 00:13:52,999 where inside and this kind 398 00:13:53,000 --> 00:13:55,129 of superposition should extend 399 00:13:55,130 --> 00:13:57,199 to this macroscopic object of a 400 00:13:57,200 --> 00:13:59,459 cat which is both dead and alive 401 00:13:59,460 --> 00:14:01,009 for the same time. 402 00:14:01,010 --> 00:14:03,409 So this hasn't actually been observed 403 00:14:03,410 --> 00:14:04,969 in reality yet. 404 00:14:04,970 --> 00:14:07,669 But there are superposition 405 00:14:07,670 --> 00:14:09,799 of the molecules, for 406 00:14:09,800 --> 00:14:12,349 instance, though not not cats, but 407 00:14:12,350 --> 00:14:13,759 maybe will get there at some point. 408 00:14:16,210 --> 00:14:18,159 With these things, you can build quantum 409 00:14:18,160 --> 00:14:20,409 computers, so maybe this is maybe a 410 00:14:20,410 --> 00:14:22,419 picture of the currently largest quantum 411 00:14:22,420 --> 00:14:23,889 computer we have, you can count them. 412 00:14:23,890 --> 00:14:25,130 There's maybe nine cubits. 413 00:14:26,440 --> 00:14:28,269 This is from the U.S., 414 00:14:29,350 --> 00:14:31,479 from the group of Joe Matinées at UC 415 00:14:31,480 --> 00:14:33,729 Santa Barbara. They were, uh, bought by 416 00:14:33,730 --> 00:14:36,339 Google. So there's a lot of development 417 00:14:36,340 --> 00:14:38,079 in this area. But that's not where I want 418 00:14:38,080 --> 00:14:39,609 to go in this talk. 419 00:14:39,610 --> 00:14:41,019 I want to focus on this part here, 420 00:14:41,020 --> 00:14:42,549 Willow, and I'm going to explain you 421 00:14:42,550 --> 00:14:44,169 later in my talk about these things are 422 00:14:44,170 --> 00:14:47,119 all about so. 423 00:14:47,120 --> 00:14:48,120 Um. 424 00:14:48,640 --> 00:14:50,469 I would like to give you a little another 425 00:14:50,470 --> 00:14:52,210 little demonstration 426 00:14:53,860 --> 00:14:55,929 here. I have a black box 427 00:14:55,930 --> 00:14:57,099 in my hands here. 428 00:14:58,360 --> 00:15:00,579 So this is a physical random 429 00:15:00,580 --> 00:15:02,279 number generator. 430 00:15:02,280 --> 00:15:04,509 It's connected through a cable here to 431 00:15:04,510 --> 00:15:07,599 the USB port of my computer. 432 00:15:07,600 --> 00:15:09,909 And what I can do with it is 433 00:15:09,910 --> 00:15:11,759 I can create random numbers. 434 00:15:11,760 --> 00:15:13,539 Let me switch to the application that 435 00:15:13,540 --> 00:15:14,469 does that. 436 00:15:14,470 --> 00:15:16,569 And now basically here you don't see 437 00:15:16,570 --> 00:15:18,939 much. There's just a green, uh, flashing 438 00:15:18,940 --> 00:15:20,509 here and it's connected. 439 00:15:20,510 --> 00:15:22,759 Uh, here you can see the serial number. 440 00:15:22,760 --> 00:15:24,399 Then I can choose what I want to do. 441 00:15:24,400 --> 00:15:26,199 Let's say I create integer numbers 442 00:15:26,200 --> 00:15:28,659 between zero and one. So bits, maybe, 443 00:15:28,660 --> 00:15:30,729 um, a thousand of them 444 00:15:30,730 --> 00:15:31,730 and press generate. 445 00:15:33,130 --> 00:15:35,259 And here we go, random 446 00:15:35,260 --> 00:15:37,629 bits that nobody has ever seen before. 447 00:15:39,460 --> 00:15:40,460 Great. 448 00:15:43,970 --> 00:15:44,899 Thank you. 449 00:15:44,900 --> 00:15:46,120 So how does it work 450 00:15:47,750 --> 00:15:49,939 if you look that up and go 451 00:15:49,940 --> 00:15:52,369 to the Producers website electic 452 00:15:52,370 --> 00:15:54,489 in Switzerland, they 453 00:15:54,490 --> 00:15:56,629 they tell you that inside this box there 454 00:15:56,630 --> 00:15:58,489 is a light source like this one that I'm 455 00:15:58,490 --> 00:16:00,949 holding in my hand, a laser that emits 456 00:16:00,950 --> 00:16:02,989 cubits like things, states that we have 457 00:16:02,990 --> 00:16:05,119 seen before and 458 00:16:05,120 --> 00:16:07,039 they are shot onto a semi transparent 459 00:16:07,040 --> 00:16:08,029 mirror. 460 00:16:08,030 --> 00:16:10,009 Again, this is like nothing fancy, 461 00:16:10,010 --> 00:16:11,010 actually. 462 00:16:12,320 --> 00:16:13,279 Um, yeah. 463 00:16:13,280 --> 00:16:15,499 This and transparent mirror, 464 00:16:15,500 --> 00:16:18,169 it lets the photons eye to go through 465 00:16:18,170 --> 00:16:20,269 to this side or being reflected 466 00:16:20,270 --> 00:16:22,279 to the other side. And this happened 467 00:16:22,280 --> 00:16:24,409 roughly with poverty, 50 percent. 468 00:16:24,410 --> 00:16:26,419 Here are some photon detectors that 469 00:16:26,420 --> 00:16:28,159 detect which side they took. 470 00:16:28,160 --> 00:16:29,909 And then there's some classical 471 00:16:29,910 --> 00:16:31,849 preprocess post-processing. 472 00:16:31,850 --> 00:16:33,829 And in the end, you end up with random 473 00:16:33,830 --> 00:16:35,059 numbers. 474 00:16:35,060 --> 00:16:37,339 So there's a lot of stories to tell about 475 00:16:37,340 --> 00:16:38,739 this device. 476 00:16:38,740 --> 00:16:40,219 Again, unfortunately, I don't really have 477 00:16:40,220 --> 00:16:41,299 time for that. 478 00:16:41,300 --> 00:16:43,159 Um, however, the point I want to make 479 00:16:43,160 --> 00:16:45,379 here is that for this, you don't 480 00:16:45,380 --> 00:16:46,879 need any quantum computer. 481 00:16:46,880 --> 00:16:49,279 So there's no quantum computer inside 482 00:16:49,280 --> 00:16:51,589 here. That's basically just technology 483 00:16:51,590 --> 00:16:53,029 that we can actually build. 484 00:16:53,030 --> 00:16:54,319 The only thing we need for this is 485 00:16:54,320 --> 00:16:55,909 quantum communication. 486 00:16:55,910 --> 00:16:57,199 And so this is something that we can 487 00:16:57,200 --> 00:16:58,849 actually do, uh, nowadays. 488 00:17:01,610 --> 00:17:04,318 Um, so I get 489 00:17:04,319 --> 00:17:06,709 slowly but surely to the first 490 00:17:06,710 --> 00:17:08,629 application they made one of their 491 00:17:08,630 --> 00:17:10,879 quantum key distribution 492 00:17:10,880 --> 00:17:13,409 and here is 493 00:17:13,410 --> 00:17:15,289 a pointer away. 494 00:17:15,290 --> 00:17:17,689 Um, uh, 495 00:17:17,690 --> 00:17:19,459 in order to understand that, there's one 496 00:17:19,460 --> 00:17:21,019 more thing I need to tell you. 497 00:17:21,020 --> 00:17:22,578 And this is the so-called no cloning 498 00:17:22,579 --> 00:17:24,469 theorem. So this is a mathematical 499 00:17:24,470 --> 00:17:26,929 statement that says the following. 500 00:17:26,930 --> 00:17:29,059 Um, let's take one of these four states 501 00:17:29,060 --> 00:17:30,889 at random. Let's let's see this with this 502 00:17:30,890 --> 00:17:31,879 question mark here. 503 00:17:31,880 --> 00:17:33,559 So this is just selecting one of these 504 00:17:33,560 --> 00:17:36,319 four states, uh, at random. 505 00:17:36,320 --> 00:17:38,419 And the goal is to make a clone. 506 00:17:38,420 --> 00:17:40,009 So this is Dolly the sheep. 507 00:17:40,010 --> 00:17:42,769 That's that's we know how to clone sheep. 508 00:17:42,770 --> 00:17:44,629 And the goal of this task here is to 509 00:17:44,630 --> 00:17:47,029 clone an unknown quantum state, 510 00:17:47,030 --> 00:17:49,069 will take an unknown quantum state, try 511 00:17:49,070 --> 00:17:50,719 to come up with a machine that makes a 512 00:17:50,720 --> 00:17:52,849 perfect copy, a perfect clone out 513 00:17:52,850 --> 00:17:53,850 of this state. 514 00:17:54,440 --> 00:17:56,749 Now, it turns out that quantum mechanics 515 00:17:56,750 --> 00:17:58,339 does not allow us to do that. 516 00:17:58,340 --> 00:18:00,169 So given whatever we can do by quantum 517 00:18:00,170 --> 00:18:01,939 mechanics, measurements, unitary 518 00:18:01,940 --> 00:18:04,039 operations, whatever, we will not be 519 00:18:04,040 --> 00:18:06,319 able to do this. So there exists no 520 00:18:06,320 --> 00:18:08,059 cloning machine. 521 00:18:08,060 --> 00:18:09,560 And this is the no cloning theorem. 522 00:18:10,640 --> 00:18:12,139 And the proof of it is actually pretty 523 00:18:12,140 --> 00:18:12,649 easy. 524 00:18:12,650 --> 00:18:14,659 You can do that after, say, two hours of 525 00:18:14,660 --> 00:18:16,999 linear algebra, because it turns out that 526 00:18:18,890 --> 00:18:21,049 copying this operation here is simply 527 00:18:21,050 --> 00:18:23,719 a nonlinear operation and 528 00:18:23,720 --> 00:18:25,459 you're only allowed linear operations by 529 00:18:25,460 --> 00:18:26,479 quantum mechanics. 530 00:18:26,480 --> 00:18:28,549 So it's it's really pretty easy to prove 531 00:18:28,550 --> 00:18:30,799 that in two lines if, you know, like 532 00:18:30,800 --> 00:18:32,180 how to formalize this properly, 533 00:18:33,260 --> 00:18:36,019 um, and somehow intuitively, 534 00:18:36,020 --> 00:18:38,329 like you're forbidden to make a copy, 535 00:18:38,330 --> 00:18:40,699 but you're forbidden by law, by by nature 536 00:18:40,700 --> 00:18:42,779 to make a perfect copy out of a state. 537 00:18:42,780 --> 00:18:44,539 So this is already a bit like 538 00:18:44,540 --> 00:18:46,189 cryptography. You know, you should be 539 00:18:46,190 --> 00:18:48,289 able to use this in order to kind of 540 00:18:48,290 --> 00:18:49,399 secure information. 541 00:18:49,400 --> 00:18:51,589 And indeed, that's what we can do. 542 00:18:51,590 --> 00:18:54,079 So two clever people, 543 00:18:54,080 --> 00:18:56,359 Charlie Bennett and Jill Barça in 544 00:18:56,360 --> 00:18:58,909 back in 84, they came up with this scheme 545 00:18:58,910 --> 00:19:01,609 as quantum key distribution dukedom 546 00:19:01,610 --> 00:19:04,339 scheme between Alice and Bob. 547 00:19:04,340 --> 00:19:05,959 Um, it works like that. 548 00:19:05,960 --> 00:19:07,949 There's a quantum phase where Alice send 549 00:19:07,950 --> 00:19:09,439 some cubits to Bob. 550 00:19:09,440 --> 00:19:11,569 So these are dashed arrows here. 551 00:19:11,570 --> 00:19:13,729 And then they talk classically over an 552 00:19:13,730 --> 00:19:15,799 authenticator channel. 553 00:19:15,800 --> 00:19:17,179 So there's an eavesdropper. 554 00:19:17,180 --> 00:19:19,279 The eavesdropper tries 555 00:19:19,280 --> 00:19:21,319 to kind of listen in on this conversation 556 00:19:21,320 --> 00:19:23,599 and she has full control over the quantum 557 00:19:23,600 --> 00:19:25,519 part of this transmission. 558 00:19:25,520 --> 00:19:28,399 The classical part is authenticated. 559 00:19:28,400 --> 00:19:30,739 That means, um, she's 560 00:19:30,740 --> 00:19:32,929 if she's able to to read to 561 00:19:32,930 --> 00:19:34,849 to hear everything that you're say, but 562 00:19:34,850 --> 00:19:37,069 she's not able to change the messages, 563 00:19:38,150 --> 00:19:40,009 um, in this set up, the goal is to come 564 00:19:40,010 --> 00:19:41,869 up with a key, a classical key. 565 00:19:41,870 --> 00:19:43,189 So these are just the classical bits 566 00:19:43,190 --> 00:19:45,019 string, which is identical for Alice and 567 00:19:45,020 --> 00:19:46,279 Bob, something like that. 568 00:19:46,280 --> 00:19:48,469 And Eve has no clue what it is. 569 00:19:48,470 --> 00:19:50,569 And so whatever she does here, she 570 00:19:50,570 --> 00:19:53,029 will not be able to learn that key. 571 00:19:53,030 --> 00:19:55,069 So this is a key distribution and 572 00:19:55,070 --> 00:19:56,419 protocol. And I'm going to explain in a 573 00:19:56,420 --> 00:19:58,489 second, uh, 574 00:19:58,490 --> 00:20:00,439 how this works and more details. 575 00:20:00,440 --> 00:20:02,329 But this offers a quantum solution to the 576 00:20:02,330 --> 00:20:03,889 key exchange problem. 577 00:20:03,890 --> 00:20:06,139 And the funny thing is kind of that 578 00:20:06,140 --> 00:20:08,269 it does not rely on any computational 579 00:20:08,270 --> 00:20:10,369 assumptions, such as factoring 580 00:20:10,370 --> 00:20:12,499 discrete logarithms, security of 581 00:20:12,500 --> 00:20:14,869 a free etc. 582 00:20:14,870 --> 00:20:16,549 One can mathematically prove that this 583 00:20:16,550 --> 00:20:18,170 scheme is, uh, secure. 584 00:20:19,670 --> 00:20:21,919 Um, and 585 00:20:21,920 --> 00:20:24,079 it's a key exchange, uh, setting. 586 00:20:24,080 --> 00:20:26,179 So it puts players into the starting 587 00:20:26,180 --> 00:20:28,459 position to use symmetric cryptography. 588 00:20:28,460 --> 00:20:29,809 So once you have established you have 589 00:20:29,810 --> 00:20:31,729 established the key, then you can go and 590 00:20:31,730 --> 00:20:34,159 do your favorite task, uh, say 591 00:20:34,160 --> 00:20:36,109 encryption. You can use that one time pad 592 00:20:36,110 --> 00:20:37,879 with that key that you, uh, generated 593 00:20:37,880 --> 00:20:38,880 here. 594 00:20:39,620 --> 00:20:41,509 So in order to put this a little bit in 595 00:20:41,510 --> 00:20:43,769 perspective, I've, uh, created 596 00:20:43,770 --> 00:20:45,049 this slide here. 597 00:20:45,050 --> 00:20:47,299 Um, so the quantum 598 00:20:47,300 --> 00:20:49,609 cryptographic landscape also 599 00:20:49,610 --> 00:20:51,019 naming all the things that have been 600 00:20:51,020 --> 00:20:51,629 covered here. 601 00:20:51,630 --> 00:20:53,309 It is, uh, Congress. 602 00:20:53,310 --> 00:20:55,879 Um, so here on the X axis, 603 00:20:55,880 --> 00:20:58,189 there is the power of the attackers. 604 00:20:58,190 --> 00:21:00,229 So we are considering here efficient 605 00:21:00,230 --> 00:21:02,149 classical attackers and efficient, I 606 00:21:02,150 --> 00:21:03,739 mean, polynomial time. 607 00:21:03,740 --> 00:21:05,929 So attackers that run within 608 00:21:05,930 --> 00:21:07,369 like reasonable time frames, 609 00:21:08,480 --> 00:21:10,669 classical ones or in, uh, 610 00:21:10,670 --> 00:21:13,489 like as opposed to quantum attackers 611 00:21:13,490 --> 00:21:15,469 or, uh, they can use quantum computers, 612 00:21:15,470 --> 00:21:17,509 but still they have to run efficiently. 613 00:21:17,510 --> 00:21:19,399 And then they're, Stefany, last column, 614 00:21:19,400 --> 00:21:21,529 which is called Everlasting Security. 615 00:21:21,530 --> 00:21:23,869 So a term that means that 616 00:21:23,870 --> 00:21:26,029 you're allowed to store whatever 617 00:21:26,030 --> 00:21:27,829 is communicated on the line. 618 00:21:27,830 --> 00:21:30,109 And then later, at some point 619 00:21:30,110 --> 00:21:32,059 in the future, actually, after an 620 00:21:32,060 --> 00:21:34,879 infinite amount of time, you can break it 621 00:21:34,880 --> 00:21:36,979 and therefore all these things will 622 00:21:36,980 --> 00:21:39,439 fail to to a brute force, uh, attack. 623 00:21:39,440 --> 00:21:42,199 So if you look at a yes or Shaar 624 00:21:42,200 --> 00:21:43,879 and then they're pretty confident that 625 00:21:43,880 --> 00:21:45,209 this is secure against sufficient 626 00:21:45,210 --> 00:21:46,789 classical attackers, I mean, there's no 627 00:21:46,790 --> 00:21:48,019 proof for it. But that's what you 628 00:21:48,020 --> 00:21:50,089 believe. People have looked at this, uh, 629 00:21:50,090 --> 00:21:51,379 for long. 630 00:21:51,380 --> 00:21:53,539 They probably also secure against 631 00:21:53,540 --> 00:21:55,489 quantum attackers to make sure that you 632 00:21:55,490 --> 00:21:57,589 use long enough keys and, 633 00:21:57,590 --> 00:21:59,269 uh, in case of hash functions that you 634 00:21:59,270 --> 00:22:01,379 use long enough outputs. 635 00:22:01,380 --> 00:22:02,729 But of course, they will fail against 636 00:22:02,730 --> 00:22:04,259 somebody who is just an infinite amount 637 00:22:04,260 --> 00:22:06,509 of time, and 638 00:22:06,510 --> 00:22:08,639 then if you saw 639 00:22:08,640 --> 00:22:10,649 dance talk and then Antonios talk 640 00:22:10,650 --> 00:22:12,599 yesterday, then their source monster 641 00:22:12,600 --> 00:22:15,239 here. So this is this big red box here 642 00:22:15,240 --> 00:22:17,849 where that will that will come and break 643 00:22:17,850 --> 00:22:20,069 RSA and discreet locks. 644 00:22:20,070 --> 00:22:22,259 So everything basically every public key 645 00:22:22,260 --> 00:22:23,999 crypto system that is currently used on 646 00:22:24,000 --> 00:22:26,339 the Internet will be broken by efficient 647 00:22:26,340 --> 00:22:28,469 quantum attackers, whereas we 648 00:22:28,470 --> 00:22:31,079 are confident that 649 00:22:31,080 --> 00:22:33,299 they resist classical attackers. 650 00:22:33,300 --> 00:22:35,729 And then the area of post quantum crypto 651 00:22:35,730 --> 00:22:38,069 kind of kicks in and tries to fix that. 652 00:22:38,070 --> 00:22:40,319 And coming up with different new 653 00:22:40,320 --> 00:22:42,479 schemes. And this was the topic 654 00:22:42,480 --> 00:22:44,309 of, uh, then Antonya told yesterday, 655 00:22:44,310 --> 00:22:45,929 namely hash based signatures, the 656 00:22:45,930 --> 00:22:48,269 McCauley's encryption scheme maybe 657 00:22:48,270 --> 00:22:50,339 let US based crypto, but 658 00:22:50,340 --> 00:22:52,019 more research needs to be done in order 659 00:22:52,020 --> 00:22:54,539 to be more confident and that 660 00:22:54,540 --> 00:22:56,129 these schemes actually do resist 661 00:22:56,130 --> 00:22:58,200 classical as well as quantum attacks. 662 00:22:59,280 --> 00:23:01,709 Um. Now, what I'm going to talk about 663 00:23:01,710 --> 00:23:03,719 and what my research is about is about 664 00:23:03,720 --> 00:23:06,149 this last, um, column here. 665 00:23:06,150 --> 00:23:08,609 And this is basically 666 00:23:08,610 --> 00:23:11,219 giving like using more technology 667 00:23:11,220 --> 00:23:12,539 on the honest player side. 668 00:23:12,540 --> 00:23:14,399 So it becomes more more difficult, 669 00:23:14,400 --> 00:23:16,709 technically speaking and also money wise, 670 00:23:16,710 --> 00:23:17,889 to implement these things. 671 00:23:17,890 --> 00:23:20,189 For instance, you can use Kadeem, which 672 00:23:20,190 --> 00:23:22,139 we can mathematically prove because we 673 00:23:22,140 --> 00:23:24,179 don't really rely on any computational 674 00:23:24,180 --> 00:23:25,769 assumption that it's secure. 675 00:23:25,770 --> 00:23:28,109 And and what I see as the biggest 676 00:23:28,110 --> 00:23:30,419 advantage of a KUKA system is that 677 00:23:30,420 --> 00:23:33,149 that the attacker actually has to act 678 00:23:33,150 --> 00:23:35,189 while the protocol is running. 679 00:23:35,190 --> 00:23:37,289 So it really has to kind of attack it 680 00:23:37,290 --> 00:23:38,699 at the moment when it's run. 681 00:23:38,700 --> 00:23:40,199 And if it if this attack is not 682 00:23:40,200 --> 00:23:42,359 successful, then from then point on, 683 00:23:42,360 --> 00:23:44,879 whatever key is generated will be secure 684 00:23:44,880 --> 00:23:46,379 forever. 685 00:23:46,380 --> 00:23:48,239 And so, of course, it's interesting to 686 00:23:48,240 --> 00:23:50,369 kind of take this technology, if you 687 00:23:50,370 --> 00:23:51,749 can afford it, if you can somehow 688 00:23:51,750 --> 00:23:53,849 implement it and combine it with, 689 00:23:53,850 --> 00:23:56,579 uh, we say more conventional schemes 690 00:23:56,580 --> 00:23:58,889 to actually get to the best of both 691 00:23:58,890 --> 00:24:01,199 worlds. And that's also how current 692 00:24:01,200 --> 00:24:02,340 implementations do with. 693 00:24:04,540 --> 00:24:06,609 All right, so let me 694 00:24:06,610 --> 00:24:08,799 explain you in a bit more detail how 695 00:24:08,800 --> 00:24:10,549 how it works. 696 00:24:10,550 --> 00:24:12,619 So in this protocol, in 697 00:24:12,620 --> 00:24:15,519 this BP 84 protocol, 698 00:24:15,520 --> 00:24:17,679 Alice starts off picking 699 00:24:17,680 --> 00:24:20,469 random basis. So she she picks a string 700 00:24:20,470 --> 00:24:22,539 of, say, red, yellow, red, 701 00:24:22,540 --> 00:24:24,429 yellow, yellow at random. 702 00:24:24,430 --> 00:24:26,499 She also picks a random string 703 00:24:26,500 --> 00:24:29,199 of bits, say zero one one one zero. 704 00:24:29,200 --> 00:24:31,419 And then she encodes these bits into that 705 00:24:31,420 --> 00:24:33,549 basis. So we get back this kind of 706 00:24:33,550 --> 00:24:35,379 one of the four states we've seen for 707 00:24:35,380 --> 00:24:36,839 each position that's before. 708 00:24:37,930 --> 00:24:40,059 And that's what Ali sends over the 709 00:24:40,060 --> 00:24:42,309 quantum channel to Bob. 710 00:24:42,310 --> 00:24:44,379 Now, Bob, he has no clue what these 711 00:24:44,380 --> 00:24:46,239 callers are. He cannot see that from the 712 00:24:46,240 --> 00:24:47,679 Cubists that he receives. 713 00:24:47,680 --> 00:24:49,629 And so he has no idea what the basis is 714 00:24:49,630 --> 00:24:51,549 that Alice was actually using. 715 00:24:51,550 --> 00:24:52,989 And what he's going to do is just pick 716 00:24:52,990 --> 00:24:54,189 another random basis. 717 00:24:54,190 --> 00:24:55,939 So he picks another basis at random. 718 00:24:55,940 --> 00:24:58,449 So yellow, red, red, yellow, yellow 719 00:24:58,450 --> 00:25:00,189 and measures in that basis. 720 00:25:00,190 --> 00:25:01,749 So he doesn't need to store anything. 721 00:25:01,750 --> 00:25:03,309 You can just do this beforehand and as 722 00:25:03,310 --> 00:25:05,169 soon as the arrives, he can then measure 723 00:25:05,170 --> 00:25:06,369 immediately. 724 00:25:06,370 --> 00:25:08,469 So it turns out if he was lucky and 725 00:25:08,470 --> 00:25:10,329 he picked the right basis, well then he 726 00:25:10,330 --> 00:25:12,579 will also recover the right bit 727 00:25:12,580 --> 00:25:14,439 that we have seen how that works. 728 00:25:14,440 --> 00:25:15,999 If you will happen to measure in the 729 00:25:16,000 --> 00:25:18,159 wrong basis for you a yellow cubitt in 730 00:25:18,160 --> 00:25:19,639 the red basis, well, then you just get 731 00:25:19,640 --> 00:25:21,699 the random bit, which might agree 732 00:25:21,700 --> 00:25:23,829 with what Alice had in mind, but it also 733 00:25:23,830 --> 00:25:24,729 might not. 734 00:25:24,730 --> 00:25:26,049 So we don't know. 735 00:25:26,050 --> 00:25:28,359 So how to get kind of solve 736 00:25:28,360 --> 00:25:29,829 this problem? Well, Alice is going to 737 00:25:29,830 --> 00:25:31,899 classically tell Bob, say, look 738 00:25:31,900 --> 00:25:34,059 here, this is the string of basis that 739 00:25:34,060 --> 00:25:36,519 I was using, say, a red, yellow, 740 00:25:36,520 --> 00:25:37,929 red, yellow, yellow. 741 00:25:37,930 --> 00:25:39,999 And now Bob knows very actually measured 742 00:25:40,000 --> 00:25:42,939 correctly. And also he says, oh, yeah, 743 00:25:42,940 --> 00:25:44,649 these first two positions, they were no 744 00:25:44,650 --> 00:25:46,359 good. I measured them in the wrong basis. 745 00:25:46,360 --> 00:25:48,579 So let's throw the results away 746 00:25:48,580 --> 00:25:50,419 and just keep the rest very measured in 747 00:25:50,420 --> 00:25:51,999 the rest in a correct basis. 748 00:25:52,000 --> 00:25:54,159 So you also has to tell Alice about that. 749 00:25:54,160 --> 00:25:56,019 So classically, again, he can tell Alice, 750 00:25:56,020 --> 00:25:57,759 hey, let's throw away the first two 751 00:25:57,760 --> 00:25:59,319 positions. I didn't measure there 752 00:25:59,320 --> 00:26:01,439 correctly, so let's just throw those out, 753 00:26:03,130 --> 00:26:05,649 OK? And what remains, they basically 754 00:26:05,650 --> 00:26:07,269 have ASCII. 755 00:26:07,270 --> 00:26:09,099 So that becomes the key that they're 756 00:26:09,100 --> 00:26:10,100 sharing. 757 00:26:11,350 --> 00:26:12,319 But wait a second. 758 00:26:12,320 --> 00:26:14,029 It's it's not that easy after all, 759 00:26:14,030 --> 00:26:15,849 there's the eavesdropper. 760 00:26:15,850 --> 00:26:17,919 So, as I said, the 761 00:26:17,920 --> 00:26:20,109 eavesdropper has full control over 762 00:26:20,110 --> 00:26:22,269 this quantum communication here. 763 00:26:24,370 --> 00:26:26,739 And that means that, well, 764 00:26:26,740 --> 00:26:28,989 luckily, we kind of try to use 765 00:26:28,990 --> 00:26:31,059 this no cloning theorem because, 766 00:26:31,060 --> 00:26:32,919 um, well, if doesn't know the basis 767 00:26:32,920 --> 00:26:34,149 either all for her. 768 00:26:34,150 --> 00:26:36,159 It just looks like one of these four 769 00:26:36,160 --> 00:26:37,599 states picked at random. 770 00:26:37,600 --> 00:26:39,189 And we've seen that the no cloning 771 00:26:39,190 --> 00:26:41,109 theorem actually forbids her to make a 772 00:26:41,110 --> 00:26:43,329 perfect copy out of the classically. 773 00:26:43,330 --> 00:26:45,219 You could just copy everything that flies 774 00:26:45,220 --> 00:26:47,289 by on the line and you would be exactly 775 00:26:47,290 --> 00:26:49,389 in the same position as Bob is, 776 00:26:49,390 --> 00:26:50,499 however, a quantum leap. 777 00:26:50,500 --> 00:26:51,879 It's not that easy because you cannot 778 00:26:51,880 --> 00:26:53,379 simply make a copy. 779 00:26:53,380 --> 00:26:55,449 And therefore, that's the tricky 780 00:26:55,450 --> 00:26:57,369 part. The honest players, Alison. 781 00:26:57,370 --> 00:26:59,289 But they can actually test whether 782 00:26:59,290 --> 00:27:01,509 somebody has interfered because you can 783 00:27:01,510 --> 00:27:02,859 try to make a copy. 784 00:27:02,860 --> 00:27:05,049 But we have seen kind of measuring 785 00:27:05,050 --> 00:27:06,969 observing a state actually changes the 786 00:27:06,970 --> 00:27:09,099 state and therefore 787 00:27:09,100 --> 00:27:10,359 there's a kind of a trade off. 788 00:27:10,360 --> 00:27:12,039 The more she tries to learn about the 789 00:27:12,040 --> 00:27:13,569 state, the more she will actually 790 00:27:13,570 --> 00:27:14,979 interfere with it. 791 00:27:14,980 --> 00:27:17,139 And therefore, there will be errors in 792 00:27:17,140 --> 00:27:18,969 that remaining part here. 793 00:27:18,970 --> 00:27:20,709 And so in an additional step in the 794 00:27:20,710 --> 00:27:22,749 protocol, the allies involved, they're 795 00:27:22,750 --> 00:27:25,149 going to check classically how many 796 00:27:25,150 --> 00:27:27,429 errors approximately are in the remaining 797 00:27:27,430 --> 00:27:29,589 in the remaining string. 798 00:27:29,590 --> 00:27:30,849 They will correct for that. 799 00:27:30,850 --> 00:27:32,949 They just use classical error, correcting 800 00:27:32,950 --> 00:27:34,869 codes, and then they do another step 801 00:27:34,870 --> 00:27:36,999 called privacy amplification to basically 802 00:27:37,000 --> 00:27:39,099 hash it down to something smaller. 803 00:27:39,100 --> 00:27:40,719 And all this together will actually make 804 00:27:40,720 --> 00:27:43,029 sure that so they might have to sacrifice 805 00:27:43,030 --> 00:27:44,049 some more positions. 806 00:27:44,050 --> 00:27:45,879 They might have to have to apply some 807 00:27:45,880 --> 00:27:47,709 additional operations, but they 808 00:27:47,710 --> 00:27:50,439 eventually end up with a smaller key 809 00:27:50,440 --> 00:27:52,149 about which we can guarantee we can 810 00:27:52,150 --> 00:27:54,309 actually mathematically prove that if 811 00:27:54,310 --> 00:27:57,099 doesn't know anything about it. 812 00:27:57,100 --> 00:27:59,349 So in order to do this, 813 00:27:59,350 --> 00:28:00,549 this is really pretty tricky. 814 00:28:00,550 --> 00:28:02,169 So mathematically speaking, you actually 815 00:28:02,170 --> 00:28:04,779 have to follow your whole course about 816 00:28:04,780 --> 00:28:06,459 quantum information theory in order to 817 00:28:06,460 --> 00:28:08,529 give a mathematically sound proof 818 00:28:08,530 --> 00:28:10,419 of this statement that I just outlined 819 00:28:10,420 --> 00:28:11,319 here. 820 00:28:11,320 --> 00:28:13,749 But intuitively, yeah, it's 821 00:28:13,750 --> 00:28:15,130 not that hard to to grasp. 822 00:28:17,190 --> 00:28:18,190 All right, so. 823 00:28:20,430 --> 00:28:21,969 I guess I kind of showed with this 824 00:28:21,970 --> 00:28:23,409 device, this is something that we can 825 00:28:23,410 --> 00:28:25,359 actually do, the honest players, they 826 00:28:25,360 --> 00:28:27,429 only need to generate some photons, 827 00:28:27,430 --> 00:28:29,499 polarize them. I've done it over there 828 00:28:29,500 --> 00:28:31,569 and Bob just needs to measure them upon 829 00:28:31,570 --> 00:28:32,829 the reception. So it's technically 830 00:28:32,830 --> 00:28:34,359 feasible. We don't need any quantum 831 00:28:34,360 --> 00:28:36,129 computer. Well, it might, but we don't 832 00:28:36,130 --> 00:28:37,959 care. I mean, we only care about the 833 00:28:37,960 --> 00:28:39,309 honest players. 834 00:28:39,310 --> 00:28:40,899 We only need quantum communication. 835 00:28:40,900 --> 00:28:42,549 And in fact, this company that is 836 00:28:42,550 --> 00:28:44,379 producing these random number generators, 837 00:28:44,380 --> 00:28:45,459 it's not a coincidence. 838 00:28:45,460 --> 00:28:47,289 They also produce quantum key 839 00:28:47,290 --> 00:28:49,209 distribution devices like this one over 840 00:28:49,210 --> 00:28:51,069 here. So that's something that you can 841 00:28:51,070 --> 00:28:52,869 actually go into a store or a Web store 842 00:28:52,870 --> 00:28:55,129 and buy it. It's pretty expensive. 843 00:28:55,130 --> 00:28:57,759 Um, however, 844 00:28:57,760 --> 00:28:59,859 these devices are out there and that 845 00:28:59,860 --> 00:29:02,109 means that they could also be hacked. 846 00:29:02,110 --> 00:29:03,969 So he could just go and, like, open this 847 00:29:03,970 --> 00:29:06,369 thing up. It will look like that inside 848 00:29:06,370 --> 00:29:07,899 the older, an older model. 849 00:29:07,900 --> 00:29:10,239 But this this kind of rec standard 850 00:29:10,240 --> 00:29:12,369 rec sized black boxes 851 00:29:12,370 --> 00:29:14,979 that are connected by some optical fiber 852 00:29:14,980 --> 00:29:17,199 and, um, well, commercially 853 00:29:17,200 --> 00:29:19,059 available, that means there's also people 854 00:29:19,060 --> 00:29:20,359 who actually hack them. 855 00:29:20,360 --> 00:29:23,279 So this is a picture of Musharraf 856 00:29:23,280 --> 00:29:24,969 is originally from Russia now at the 857 00:29:24,970 --> 00:29:25,899 University of Waterloo. 858 00:29:25,900 --> 00:29:28,239 He runs a quantum hacking lab 859 00:29:28,240 --> 00:29:30,099 and he has opened. So this picture is 860 00:29:30,100 --> 00:29:32,289 done by him. He's opened these devices 861 00:29:32,290 --> 00:29:34,359 and also the random number generator, 862 00:29:34,360 --> 00:29:36,339 of course. And here's a little picture of 863 00:29:36,340 --> 00:29:38,679 him, um, actually 864 00:29:38,680 --> 00:29:40,959 at, uh, at the camp 865 00:29:40,960 --> 00:29:43,119 in the Netherlands at HA hacking at 866 00:29:43,120 --> 00:29:45,309 random in 2009, where 867 00:29:45,310 --> 00:29:47,359 he brought his little suitcase. 868 00:29:47,360 --> 00:29:49,629 Well, little his 869 00:29:49,630 --> 00:29:51,849 eavesdropping suitcase that allowed 870 00:29:51,850 --> 00:29:54,099 him to actually hack commercially 871 00:29:54,100 --> 00:29:56,709 available, uh, security systems. 872 00:29:56,710 --> 00:29:57,999 I don't want to know how he got through 873 00:29:58,000 --> 00:30:00,339 customs with that, but he actually 874 00:30:00,340 --> 00:30:02,709 managed he 875 00:30:02,710 --> 00:30:04,360 has lots of stories to tell about this. 876 00:30:06,200 --> 00:30:07,200 OK, so 877 00:30:08,420 --> 00:30:10,549 that's kind of the state of the 878 00:30:10,550 --> 00:30:12,379 art of, uh, of of quantum key 879 00:30:12,380 --> 00:30:13,969 distribution. 880 00:30:13,970 --> 00:30:15,410 And, um, 881 00:30:16,760 --> 00:30:19,399 yeah, I think I'm approaching 882 00:30:19,400 --> 00:30:21,409 the, uh, the last part of my talk. 883 00:30:21,410 --> 00:30:22,879 So I'd like to come back to this 884 00:30:22,880 --> 00:30:24,709 question. Remember the question. 885 00:30:29,120 --> 00:30:31,309 The moon, yeah, how can you actually 886 00:30:31,310 --> 00:30:34,609 prove that you are at a certain location? 887 00:30:34,610 --> 00:30:36,079 So let's see. 888 00:30:36,080 --> 00:30:37,080 Um. 889 00:30:38,050 --> 00:30:39,510 Well, normally, um, 890 00:30:40,820 --> 00:30:42,919 cryptographic players 891 00:30:42,920 --> 00:30:45,019 and that's perfect, theoretically, very 892 00:30:45,020 --> 00:30:46,189 theoretical world. 893 00:30:46,190 --> 00:30:48,499 They use credentials, cryptographic 894 00:30:48,500 --> 00:30:50,629 credentials, such as, 895 00:30:50,630 --> 00:30:52,729 say, secret information, a password or a 896 00:30:52,730 --> 00:30:54,709 secret key that you store in some safe 897 00:30:54,710 --> 00:30:56,869 place or say 898 00:30:56,870 --> 00:30:59,449 authenticated information like a passport 899 00:30:59,450 --> 00:31:01,639 or biometric features like a fingerprint 900 00:31:01,640 --> 00:31:03,139 or iris scan, something that 901 00:31:03,140 --> 00:31:05,449 distinguishes you from 902 00:31:05,450 --> 00:31:07,609 the rest of the crowd in this in 903 00:31:07,610 --> 00:31:09,109 his audience. 904 00:31:09,110 --> 00:31:11,239 Um, the question I would like to ask 905 00:31:11,240 --> 00:31:13,879 here is, can the geographical location 906 00:31:13,880 --> 00:31:15,439 of a player be used as such a 907 00:31:15,440 --> 00:31:16,939 cryptographic credential? 908 00:31:16,940 --> 00:31:19,159 So is it possible to use just 909 00:31:19,160 --> 00:31:21,679 the fact that I'm on the stage and 910 00:31:21,680 --> 00:31:23,519 almost nobody else is? 911 00:31:23,520 --> 00:31:24,520 Um. 912 00:31:25,110 --> 00:31:27,329 Can that kind of distinguish me from 913 00:31:27,330 --> 00:31:28,330 from all of you? 914 00:31:30,450 --> 00:31:32,489 First of all, it sounds like a bit bit of 915 00:31:32,490 --> 00:31:34,349 a strange question, but if you imagine 916 00:31:34,350 --> 00:31:37,199 the idea and the setting of a bank 917 00:31:37,200 --> 00:31:39,209 where you just walk in and you see some 918 00:31:39,210 --> 00:31:40,619 person behind the counter that you've 919 00:31:40,620 --> 00:31:43,049 never met before, just the fact that 920 00:31:43,050 --> 00:31:44,219 this person is standing behind the 921 00:31:44,220 --> 00:31:46,079 counter kind of makes you trust this 922 00:31:46,080 --> 00:31:48,299 person with all your financial 923 00:31:48,300 --> 00:31:49,859 details. 924 00:31:49,860 --> 00:31:52,079 No, it's of course, the bank has made 925 00:31:52,080 --> 00:31:53,729 sure that only trustworthy people 926 00:31:53,730 --> 00:31:55,319 hopefully are actually behind the 927 00:31:55,320 --> 00:31:56,399 counter. 928 00:31:56,400 --> 00:31:58,019 But nevertheless, it's kind of the place 929 00:31:58,020 --> 00:32:00,629 where this person is that 930 00:32:00,630 --> 00:32:01,889 that makes a difference. 931 00:32:03,150 --> 00:32:05,729 Maybe other applications, 932 00:32:05,730 --> 00:32:07,649 if you are able to answer this question, 933 00:32:07,650 --> 00:32:10,769 is like, um, uh, 934 00:32:10,770 --> 00:32:12,179 why have you ever been to the moon? 935 00:32:12,180 --> 00:32:13,529 Are you actually on the moon, for 936 00:32:13,530 --> 00:32:15,899 instance, or seen a military context? 937 00:32:15,900 --> 00:32:17,959 You want to make sure that I launch a 938 00:32:17,960 --> 00:32:19,799 missile command actually comes from 939 00:32:19,800 --> 00:32:21,749 within your military headquarters and not 940 00:32:21,750 --> 00:32:23,640 from some nearby terrorist cell. 941 00:32:24,670 --> 00:32:26,429 Um, maybe in the setting of this 942 00:32:26,430 --> 00:32:28,169 Congress, you want to broadcast the 943 00:32:28,170 --> 00:32:30,389 message and you want to make sure that 944 00:32:30,390 --> 00:32:32,399 only at one particular assembly it can 945 00:32:32,400 --> 00:32:33,839 actually be threat. 946 00:32:33,840 --> 00:32:34,840 Wouldn't that be fun? 947 00:32:36,680 --> 00:32:39,169 Um, maybe you can 948 00:32:39,170 --> 00:32:41,389 try to kind of avoid this so-called 949 00:32:41,390 --> 00:32:43,699 pizza delivery problem or avoid 950 00:32:43,700 --> 00:32:46,659 making fake calls to emergency services 951 00:32:46,660 --> 00:32:49,099 like this poor guy over here 952 00:32:49,100 --> 00:32:51,449 who has been swatted by 953 00:32:51,450 --> 00:32:52,669 by some fellow gamers. 954 00:32:56,160 --> 00:32:58,359 And more many more so like try 955 00:32:58,360 --> 00:33:00,689 to think of some nice applications and 956 00:33:00,690 --> 00:33:02,020 let me know if you come up with them. 957 00:33:03,780 --> 00:33:06,209 So let's try to do this. 958 00:33:06,210 --> 00:33:07,979 And of course, so this now something 959 00:33:07,980 --> 00:33:09,719 happens that we that we always do. 960 00:33:09,720 --> 00:33:11,739 If you kind of cook up a new question, 961 00:33:11,740 --> 00:33:13,889 the abstract away, all the the 962 00:33:13,890 --> 00:33:15,989 noisy details, and you kind of try 963 00:33:15,990 --> 00:33:17,909 to simplify our world as much as 964 00:33:17,910 --> 00:33:20,039 possible. And we studied a very basic 965 00:33:20,040 --> 00:33:22,629 task of position verification. 966 00:33:22,630 --> 00:33:24,749 Additionally, I'm going to assume that 967 00:33:24,750 --> 00:33:28,019 everybody involved lives in one dimension 968 00:33:28,020 --> 00:33:29,369 just on this line here. 969 00:33:29,370 --> 00:33:30,809 Of course, that's not realistic. 970 00:33:30,810 --> 00:33:32,489 Actually, we live in two, maybe three, 971 00:33:32,490 --> 00:33:33,749 maybe four days. 972 00:33:33,750 --> 00:33:35,789 But for now, just assume that everybody 973 00:33:35,790 --> 00:33:38,099 lives on this line. We have to verifiers 974 00:33:38,100 --> 00:33:39,839 and we have some approver in the middle 975 00:33:39,840 --> 00:33:41,519 and approver would like to convince the 976 00:33:41,520 --> 00:33:43,649 verifiers that she is at this particular 977 00:33:43,650 --> 00:33:44,650 blue line here 978 00:33:45,750 --> 00:33:47,759 and this is a publicly known place. 979 00:33:47,760 --> 00:33:50,309 So everybody knows why this blue line is. 980 00:33:50,310 --> 00:33:52,709 And what we want to make sure is that 981 00:33:52,710 --> 00:33:55,259 no coalition of fake approvers 982 00:33:55,260 --> 00:33:57,539 and I'm going to call fake approvers all 983 00:33:57,540 --> 00:34:00,539 everybody that is not at this blue line 984 00:34:00,540 --> 00:34:03,119 to verify her. So, for instance, evil 985 00:34:03,120 --> 00:34:05,369 is an evil volp even 986 00:34:05,370 --> 00:34:07,439 even if they collaborate, they shouldn't 987 00:34:07,440 --> 00:34:09,388 be able to convince the verifiers that 988 00:34:09,389 --> 00:34:11,459 one of them is at this blue line. 989 00:34:11,460 --> 00:34:13,079 That's going to be the task I want I want 990 00:34:13,080 --> 00:34:14,080 to solve. 991 00:34:15,170 --> 00:34:17,479 And even 992 00:34:17,480 --> 00:34:19,738 more unrealistically, I'm going to assume 993 00:34:19,739 --> 00:34:21,709 I make a lot of oversimplifying 994 00:34:21,710 --> 00:34:23,329 assumptions, for instance, that 995 00:34:23,330 --> 00:34:24,829 communication between the players is 996 00:34:24,830 --> 00:34:26,629 going to happen at the speed of light. 997 00:34:26,630 --> 00:34:28,339 It's actually not true in reality, no. 998 00:34:28,340 --> 00:34:30,649 If you said even if you send information 999 00:34:30,650 --> 00:34:33,169 through optical fibers, it travels 1000 00:34:33,170 --> 00:34:35,238 at less than the speed of 1001 00:34:35,239 --> 00:34:36,239 light. 1002 00:34:36,710 --> 00:34:39,559 I'm also assuming that 1003 00:34:39,560 --> 00:34:41,869 actually computation is instantaneous, 1004 00:34:41,870 --> 00:34:43,339 doesn't take any time to compute 1005 00:34:43,340 --> 00:34:44,319 anything. 1006 00:34:44,320 --> 00:34:45,709 Of course, that's also not true. 1007 00:34:45,710 --> 00:34:47,839 And I assume some back channels for the 1008 00:34:47,840 --> 00:34:49,399 verifiers that somehow they can 1009 00:34:49,400 --> 00:34:51,349 coordinate their actions. 1010 00:34:51,350 --> 00:34:53,119 This is less of a point. 1011 00:34:53,120 --> 00:34:54,888 OK, let's try this. 1012 00:34:54,889 --> 00:34:55,928 Let's try like that. 1013 00:34:55,929 --> 00:34:57,559 So the first strike goes as follows. 1014 00:34:57,560 --> 00:34:59,120 Let's say time goes downwards 1015 00:35:00,290 --> 00:35:01,609 and we have to. Following protocol, 1016 00:35:01,610 --> 00:35:03,679 Verifier one picks a random 1017 00:35:03,680 --> 00:35:05,959 NUNC some some random string X 1018 00:35:05,960 --> 00:35:07,879 and then started approver the proof very 1019 00:35:07,880 --> 00:35:10,039 simply asked in a protocol to return that 1020 00:35:10,040 --> 00:35:12,679 string X back to the verifier. 1021 00:35:12,680 --> 00:35:14,149 And the verifier measures the time it 1022 00:35:14,150 --> 00:35:15,809 takes for the string to come back. 1023 00:35:15,810 --> 00:35:17,929 Well, this technique is called 1024 00:35:17,930 --> 00:35:20,209 distance pounding because it allows 1025 00:35:20,210 --> 00:35:22,519 you to upper bound how far away 1026 00:35:22,520 --> 00:35:24,139 to prove arrays from this verifier. 1027 00:35:24,140 --> 00:35:26,749 Imagine if the approver is further away, 1028 00:35:26,750 --> 00:35:28,669 then it will take this message longer to 1029 00:35:28,670 --> 00:35:30,559 get to the proofer and also longer to 1030 00:35:30,560 --> 00:35:32,659 return. So if you know when the message 1031 00:35:32,660 --> 00:35:35,089 arrives and if it's the original message, 1032 00:35:35,090 --> 00:35:36,949 then you can somehow put an upper bound 1033 00:35:36,950 --> 00:35:38,749 on how far the proof is away. 1034 00:35:38,750 --> 00:35:40,819 And so if you do this also from the other 1035 00:35:40,820 --> 00:35:43,219 side, let's say we choose another random 1036 00:35:43,220 --> 00:35:45,379 string Y and let the proofer return 1037 00:35:45,380 --> 00:35:47,629 it over there again, we will measure 1038 00:35:47,630 --> 00:35:48,889 the time it takes. 1039 00:35:48,890 --> 00:35:50,719 Then hopefully you are able to verify 1040 00:35:50,720 --> 00:35:52,280 that somebody is at this blueline. 1041 00:35:53,420 --> 00:35:55,609 So let's try to break this setting up 1042 00:35:55,610 --> 00:35:57,320 our evil ellyson evil Bob. 1043 00:35:58,490 --> 00:36:00,529 And actually it's not very hard to break 1044 00:36:00,530 --> 00:36:02,599 this protocol because 1045 00:36:02,600 --> 00:36:04,519 what they can do is Alice can intercept 1046 00:36:04,520 --> 00:36:06,649 this classical message X and they know 1047 00:36:06,650 --> 00:36:08,419 where this blueline is, so they know when 1048 00:36:08,420 --> 00:36:09,949 the honest proofer would return it. 1049 00:36:09,950 --> 00:36:11,749 So it just waits for the right amount of 1050 00:36:11,750 --> 00:36:14,449 time and returns that message back 1051 00:36:14,450 --> 00:36:16,579 to the verifier after that, that amount 1052 00:36:16,580 --> 00:36:18,109 of time. And BOPE does the same thing. 1053 00:36:18,110 --> 00:36:20,179 Intercepts, while you wait a little sense 1054 00:36:20,180 --> 00:36:22,489 that backed away until the verifiers. 1055 00:36:22,490 --> 00:36:24,859 This looks exactly as if somebody 1056 00:36:24,860 --> 00:36:26,149 has been at this blueline. 1057 00:36:26,150 --> 00:36:27,949 So they cannot distinguish this situation 1058 00:36:27,950 --> 00:36:30,049 of the attackers from the situation where 1059 00:36:30,050 --> 00:36:31,489 there is an honest, proven Atapattu 1060 00:36:31,490 --> 00:36:32,419 point. 1061 00:36:32,420 --> 00:36:34,159 So they completely break this protocol. 1062 00:36:34,160 --> 00:36:35,749 It doesn't work. 1063 00:36:35,750 --> 00:36:37,339 Let's have a second try something more 1064 00:36:37,340 --> 00:36:39,679 clever. Let's send this X and Y 1065 00:36:39,680 --> 00:36:42,409 still classical inputs 1066 00:36:42,410 --> 00:36:44,629 so that they arrive at the same time 1067 00:36:44,630 --> 00:36:46,699 at the proofer and let the proofer 1068 00:36:46,700 --> 00:36:49,039 compute some function on these inputs. 1069 00:36:49,040 --> 00:36:51,319 Let's say they want to see the proof 1070 00:36:51,320 --> 00:36:53,599 is supposed to check whether X equals 1071 00:36:53,600 --> 00:36:55,729 Y, let's say is equal to be and 1072 00:36:55,730 --> 00:36:58,039 it's equal to the bit that says whether X 1073 00:36:58,040 --> 00:36:59,329 is equal to Y or not, 1074 00:37:00,350 --> 00:37:01,589 then the. 1075 00:37:01,590 --> 00:37:03,259 But it can be an arbitrary function that 1076 00:37:03,260 --> 00:37:05,509 is easy to compute. So then the results 1077 00:37:05,510 --> 00:37:06,859 would have to be sent back to the 1078 00:37:06,860 --> 00:37:08,539 verifiers, the verifiers. 1079 00:37:08,540 --> 00:37:10,439 They would check the time it takes for 1080 00:37:10,440 --> 00:37:11,929 the for the messages to come back. 1081 00:37:11,930 --> 00:37:14,149 So, uh, computing doesn't take any 1082 00:37:14,150 --> 00:37:15,449 time. That's what we have assumed. 1083 00:37:15,450 --> 00:37:18,139 We know how fast the messages travel. 1084 00:37:18,140 --> 00:37:20,869 So hopefully that will that'll work. 1085 00:37:20,870 --> 00:37:22,489 Let's try to break it. 1086 00:37:22,490 --> 00:37:24,559 So let's set up Alice and 1087 00:37:24,560 --> 00:37:26,659 Bob now. 1088 00:37:26,660 --> 00:37:27,679 What do they have to do? 1089 00:37:37,630 --> 00:37:40,539 Yeah, suspense, so 1090 00:37:40,540 --> 00:37:42,639 Alice can intercept 1091 00:37:42,640 --> 00:37:44,709 this X, you can make a copy 1092 00:37:44,710 --> 00:37:46,779 out of it. It's classical string so you 1093 00:37:46,780 --> 00:37:48,849 can keep you can keep a 1094 00:37:48,850 --> 00:37:50,649 copy for herself. You can send another 1095 00:37:50,650 --> 00:37:52,509 copy over to Bob and Bob. 1096 00:37:52,510 --> 00:37:53,589 You can do the same thing. 1097 00:37:53,590 --> 00:37:55,719 You can takes this. Why keeps a copy 1098 00:37:55,720 --> 00:37:57,909 for herself. Sends another one over here 1099 00:37:57,910 --> 00:38:00,219 and now just in time, 1100 00:38:00,220 --> 00:38:02,289 they both have X and Y and they just go 1101 00:38:02,290 --> 00:38:04,269 along and basically compute the function 1102 00:38:04,270 --> 00:38:05,769 themselves. So this is a publicly known 1103 00:38:05,770 --> 00:38:07,770 function, say a quality function. 1104 00:38:08,830 --> 00:38:10,959 Alice can check whether X equals Y 1105 00:38:10,960 --> 00:38:13,029 and send that outcome in time 1106 00:38:13,030 --> 00:38:14,949 back to the verifier and Bob will do the 1107 00:38:14,950 --> 00:38:15,969 same. 1108 00:38:15,970 --> 00:38:18,099 So again, complete break of the protocol. 1109 00:38:18,100 --> 00:38:19,599 It doesn't work. 1110 00:38:19,600 --> 00:38:21,759 However, if he and in fact, turns 1111 00:38:21,760 --> 00:38:23,469 out this is a generic problem, actually 1112 00:38:23,470 --> 00:38:25,599 no protocol for a classical 1113 00:38:25,600 --> 00:38:28,209 position. Verification in the setting 1114 00:38:28,210 --> 00:38:30,159 will work. So these people here have 1115 00:38:30,160 --> 00:38:32,409 shown, I should say all 1116 00:38:32,410 --> 00:38:34,179 these references are actually hyperlinks. 1117 00:38:34,180 --> 00:38:35,709 If you download the slides, you can click 1118 00:38:35,710 --> 00:38:37,779 on them and it will take you to the 1119 00:38:37,780 --> 00:38:39,609 research paper, which shows that actually 1120 00:38:39,610 --> 00:38:41,199 this is a generic problem. 1121 00:38:41,200 --> 00:38:42,639 So you can never have any classical 1122 00:38:42,640 --> 00:38:44,409 protocol that is secure in this sense. 1123 00:38:44,410 --> 00:38:46,719 And this holds not only in 1124 00:38:46,720 --> 00:38:48,639 one dimension, but in arbitrary 1125 00:38:48,640 --> 00:38:51,099 dimensions, because simply can set up 1126 00:38:51,100 --> 00:38:53,079 attackers between the claimed position 1127 00:38:53,080 --> 00:38:54,219 and the verifiers. 1128 00:38:54,220 --> 00:38:55,629 They intercept everything that comes 1129 00:38:55,630 --> 00:38:57,159 along and forward it to their fellow 1130 00:38:57,160 --> 00:38:59,169 cheaters and they will be able to run the 1131 00:38:59,170 --> 00:39:01,299 same function as the honest proofer is 1132 00:39:01,300 --> 00:39:03,519 supposed to run and thereby 1133 00:39:03,520 --> 00:39:05,319 making it look to the verifiers if 1134 00:39:05,320 --> 00:39:06,699 somebody was there. 1135 00:39:06,700 --> 00:39:07,719 So this doesn't work. 1136 00:39:07,720 --> 00:39:09,729 However, if you look at the attack, so 1137 00:39:09,730 --> 00:39:10,659 that's what they're doing now. 1138 00:39:10,660 --> 00:39:13,029 They're kind of taking a copy of this X 1139 00:39:13,030 --> 00:39:15,069 and share it with their fellow cheater 1140 00:39:15,070 --> 00:39:17,019 and then compute the function themselves. 1141 00:39:17,020 --> 00:39:19,269 This involves copying 1142 00:39:19,270 --> 00:39:20,500 classical information. 1143 00:39:21,880 --> 00:39:24,249 And of course, we have seen quantum 1144 00:39:24,250 --> 00:39:26,499 no cloning theorem, so. 1145 00:39:27,910 --> 00:39:30,039 Turns out that maybe you should 1146 00:39:30,040 --> 00:39:31,329 use quantum information and we should 1147 00:39:31,330 --> 00:39:33,399 make it hard, make it should make 1148 00:39:33,400 --> 00:39:35,589 it impossible for Alice and Bob to 1149 00:39:35,590 --> 00:39:37,329 to do this copying operation. 1150 00:39:37,330 --> 00:39:39,999 So here we go. Let's try that and 1151 00:39:40,000 --> 00:39:41,709 let's have the following protocol. 1152 00:39:41,710 --> 00:39:44,169 And the first verifier sends, 1153 00:39:44,170 --> 00:39:46,599 say, a random Cupitt to this 1154 00:39:46,600 --> 00:39:48,279 question. Where can we see one of these 1155 00:39:48,280 --> 00:39:50,949 four quantum states we've seen before 1156 00:39:50,950 --> 00:39:52,929 since that were a quantum channel to the 1157 00:39:52,930 --> 00:39:55,299 proofer and timet 1158 00:39:55,300 --> 00:39:56,379 in the way that it arrives? 1159 00:39:56,380 --> 00:39:58,119 At the same time at Approver, the other 1160 00:39:58,120 --> 00:40:00,009 verifier sends a classical bit, just one 1161 00:40:00,010 --> 00:40:01,179 bit zero one. 1162 00:40:01,180 --> 00:40:03,339 If the bid is zero, then Approver 1163 00:40:03,340 --> 00:40:05,079 is supposed to send it back to the first 1164 00:40:05,080 --> 00:40:05,689 verifier. 1165 00:40:05,690 --> 00:40:07,689 Just put the mirror now and then it will 1166 00:40:07,690 --> 00:40:09,939 be reflected back to the twenty first 1167 00:40:09,940 --> 00:40:11,049 verifier again. 1168 00:40:11,050 --> 00:40:12,309 Will we'll measure the time will make 1169 00:40:12,310 --> 00:40:14,049 sure it is the original Cubitt that was 1170 00:40:14,050 --> 00:40:16,179 sent. Well let's assume that that's not 1171 00:40:16,180 --> 00:40:17,829 a problem then. 1172 00:40:17,830 --> 00:40:20,019 If the bid is what I'm supposed to do, 1173 00:40:20,020 --> 00:40:22,509 nothing. Just let it pass through 1174 00:40:22,510 --> 00:40:24,339 and kind of let it fly to the other 1175 00:40:24,340 --> 00:40:25,340 verifier over here. 1176 00:40:26,560 --> 00:40:29,049 So that's the protocol I want to look at 1177 00:40:29,050 --> 00:40:30,659 and let's try to break it, 1178 00:40:31,930 --> 00:40:34,059 so here is the game that we have to 1179 00:40:34,060 --> 00:40:36,219 play as as attackers, at 1180 00:40:36,220 --> 00:40:38,289 least as a Cubitt Volp, as a classical 1181 00:40:38,290 --> 00:40:40,449 bit. And if the bid is zero, at 1182 00:40:40,450 --> 00:40:41,829 least needs to end up with the cubitt. 1183 00:40:41,830 --> 00:40:43,959 If the bid is one, Bob needs to end 1184 00:40:43,960 --> 00:40:45,939 it. So, Bob, just as classical 1185 00:40:45,940 --> 00:40:47,439 information, he can do the same thing as 1186 00:40:47,440 --> 00:40:49,679 before. He can make a copy out of his bid 1187 00:40:49,680 --> 00:40:51,669 to keep one for himself forward, one for 1188 00:40:51,670 --> 00:40:52,779 the other side. 1189 00:40:52,780 --> 00:40:54,519 But at least she's in trouble 1190 00:40:55,540 --> 00:40:57,819 now because of the no cloning theorem. 1191 00:40:57,820 --> 00:41:00,099 She has to kind of try 1192 00:41:00,100 --> 00:41:02,159 to make a copy here, but she cannot do 1193 00:41:02,160 --> 00:41:03,249 it. You no calling theorem. 1194 00:41:03,250 --> 00:41:05,379 She's kind of by the time constraints, 1195 00:41:05,380 --> 00:41:07,449 she's forced to make up her mind right 1196 00:41:07,450 --> 00:41:09,759 now, right here at this point. 1197 00:41:09,760 --> 00:41:11,319 But she doesn't know yet whether to be 1198 00:41:11,320 --> 00:41:12,999 desirable or to be this one because it 1199 00:41:13,000 --> 00:41:14,589 takes some time for this information to 1200 00:41:14,590 --> 00:41:16,149 travel over here. 1201 00:41:16,150 --> 00:41:17,919 So she could of course, you could guess 1202 00:41:17,920 --> 00:41:19,299 she could say, well, the rate is probably 1203 00:41:19,300 --> 00:41:21,309 zero. I keep to keep it for myself and 1204 00:41:21,310 --> 00:41:23,109 half of the time she'll be lucky and she 1205 00:41:23,110 --> 00:41:24,699 can send the Cuban back. 1206 00:41:24,700 --> 00:41:26,379 But the other half, she she doesn't have 1207 00:41:26,380 --> 00:41:28,629 it. She she she 1208 00:41:28,630 --> 00:41:30,459 needs the cubitt and it's too late to 1209 00:41:30,460 --> 00:41:31,879 send, you know, it would arrive too late 1210 00:41:31,880 --> 00:41:34,059 so the other verifier wouldn't notice. 1211 00:41:34,060 --> 00:41:35,060 So it looks like, 1212 00:41:36,310 --> 00:41:38,469 uh, this is this is secure 1213 00:41:38,470 --> 00:41:40,599 because there is some certain probability 1214 00:41:40,600 --> 00:41:42,009 that things will go wrong. 1215 00:41:42,010 --> 00:41:44,499 There's a there's a non-zero probability 1216 00:41:44,500 --> 00:41:46,719 that the verifiers can distinguish 1217 00:41:46,720 --> 00:41:48,819 this situation of the attackers 1218 00:41:48,820 --> 00:41:51,249 from the one that, um, the 1219 00:41:51,250 --> 00:41:53,139 with an honest proof in the middle who 1220 00:41:53,140 --> 00:41:54,189 will always succeed. 1221 00:41:54,190 --> 00:41:55,599 Oh, it was very easy to run this 1222 00:41:55,600 --> 00:41:57,789 protocol. And honestly, he could just 1223 00:41:57,790 --> 00:41:58,929 put them mirror or not, and he will 1224 00:41:58,930 --> 00:42:00,909 always succeed. So there's a gap between 1225 00:42:00,910 --> 00:42:02,409 these two probabilities. So if you repeat 1226 00:42:02,410 --> 00:42:05,019 it a thousand times, a million times, 1227 00:42:05,020 --> 00:42:07,359 then at some point very quickly, actually 1228 00:42:07,360 --> 00:42:09,429 the verifiers will see a difference 1229 00:42:09,430 --> 00:42:11,239 between this setting and the other set. 1230 00:42:11,240 --> 00:42:13,959 So that would actually prove security. 1231 00:42:13,960 --> 00:42:15,519 That's what we thought. 1232 00:42:15,520 --> 00:42:16,719 Turns out it's not true, 1233 00:42:17,830 --> 00:42:19,899 actually. You can break this protocol 1234 00:42:19,900 --> 00:42:21,340 and you can even break it perfectly. 1235 00:42:23,290 --> 00:42:25,179 So this was quite this was quite a blow. 1236 00:42:25,180 --> 00:42:27,159 I mean, we thought now that that cannot 1237 00:42:27,160 --> 00:42:29,529 be. And in order to understand 1238 00:42:29,530 --> 00:42:30,999 how to break this protocol, I need to 1239 00:42:31,000 --> 00:42:32,169 explain it to more things. 1240 00:42:33,370 --> 00:42:35,859 I need to explain to you what 1241 00:42:35,860 --> 00:42:37,959 EPR pairs are because they need 1242 00:42:37,960 --> 00:42:40,059 kind of a magic resource element, Bob, 1243 00:42:40,060 --> 00:42:41,539 in order to do that. 1244 00:42:41,540 --> 00:42:43,629 And so if you are pairs, they 1245 00:42:43,630 --> 00:42:45,879 are named after these three very famous 1246 00:42:45,880 --> 00:42:48,729 physicist Einstein Podolsky Rosann, 1247 00:42:48,730 --> 00:42:50,079 and they come in pairs. 1248 00:42:50,080 --> 00:42:52,299 That's why they're called pairs and 1249 00:42:52,300 --> 00:42:54,249 they somehow haven't made up what they 1250 00:42:54,250 --> 00:42:55,659 want to be. So there's all these arrows 1251 00:42:55,660 --> 00:42:57,729 here. Somehow it's it's kind 1252 00:42:57,730 --> 00:42:59,859 of a mixed state and there's this magic 1253 00:42:59,860 --> 00:43:00,999 glow between them. 1254 00:43:01,000 --> 00:43:03,219 So they are in a very interesting special 1255 00:43:03,220 --> 00:43:04,419 state. They're entangled. 1256 00:43:04,420 --> 00:43:06,579 So these are entangled cubits for 1257 00:43:06,580 --> 00:43:07,580 strength. 1258 00:43:09,320 --> 00:43:11,659 And it's possible to generate 1259 00:43:11,660 --> 00:43:13,309 them so at least, for instance, can 1260 00:43:13,310 --> 00:43:14,209 generate them. 1261 00:43:14,210 --> 00:43:16,339 Can keep them for himself, Popken she 1262 00:43:16,340 --> 00:43:18,109 can give the other one to Toubab and in 1263 00:43:18,110 --> 00:43:19,759 fact, they can be very far away from each 1264 00:43:19,760 --> 00:43:21,349 other. So they may be generated at the 1265 00:43:21,350 --> 00:43:23,299 same place, but then Bob can take it with 1266 00:43:23,300 --> 00:43:25,399 him or say send it over some optical 1267 00:43:25,400 --> 00:43:27,229 fiber. It can be hundreds of kilometers 1268 00:43:27,230 --> 00:43:30,529 away. However, they are still entangled. 1269 00:43:30,530 --> 00:43:31,939 And what that means is that, for 1270 00:43:31,940 --> 00:43:33,919 instance, if Alice goes and measures her 1271 00:43:33,920 --> 00:43:36,499 Cubitt saying a computational basis, 1272 00:43:36,500 --> 00:43:38,089 then because this guy hasn't really 1273 00:43:38,090 --> 00:43:40,009 decided yet what he wants to be, he will 1274 00:43:40,010 --> 00:43:41,749 actually get the random outcome. 1275 00:43:41,750 --> 00:43:42,829 It's probably one half. You're going to 1276 00:43:42,830 --> 00:43:44,899 get a zero and you collapse the state or 1277 00:43:44,900 --> 00:43:46,699 the zero state. And with probability one 1278 00:43:46,700 --> 00:43:48,499 half, Alice will get one and she will 1279 00:43:48,500 --> 00:43:50,209 collapse the state or one. 1280 00:43:50,210 --> 00:43:52,159 But the funny thing is that 1281 00:43:52,160 --> 00:43:54,529 simultaneously she obtains 1282 00:43:54,530 --> 00:43:55,609 her measurement outcome. 1283 00:43:55,610 --> 00:43:58,189 This state also collapses 1284 00:43:58,190 --> 00:43:59,239 on bombsite. 1285 00:43:59,240 --> 00:44:01,939 And so this is kind of the epic magic. 1286 00:44:01,940 --> 00:44:04,039 So this is kind of the funny thing 1287 00:44:04,040 --> 00:44:05,989 of this of these quantum states. 1288 00:44:05,990 --> 00:44:08,089 And this is what Einstein called spooky 1289 00:44:08,090 --> 00:44:09,589 after Fennville. 1290 00:44:09,590 --> 00:44:11,479 Spooky action at a distance. 1291 00:44:11,480 --> 00:44:12,480 And he didn't like that. 1292 00:44:15,770 --> 00:44:17,659 So what that means is, for instance, if 1293 00:44:17,660 --> 00:44:19,849 Alice observes a zero and 1294 00:44:19,850 --> 00:44:21,709 the zero state and bombsight is also 1295 00:44:21,710 --> 00:44:23,569 zero, state means if he goes and measures 1296 00:44:23,570 --> 00:44:25,699 it again in the computational basis, 1297 00:44:25,700 --> 00:44:27,679 he will now get probabilities with 1298 00:44:27,680 --> 00:44:29,299 probability. One, he will get the outcome 1299 00:44:29,300 --> 00:44:31,669 zero. He will get observe the same bit 1300 00:44:31,670 --> 00:44:33,769 as early stage before. 1301 00:44:33,770 --> 00:44:37,009 So to Einstein is looked like 1302 00:44:37,010 --> 00:44:38,899 that's no good because that seems to 1303 00:44:38,900 --> 00:44:42,139 contradict my theory of relativity. 1304 00:44:42,140 --> 00:44:44,299 However, it's actually not true. 1305 00:44:44,300 --> 00:44:45,949 So I didn't quite understand. 1306 00:44:45,950 --> 00:44:48,229 But this EPR pairs, they do not 1307 00:44:48,230 --> 00:44:50,489 allow to communicate information. 1308 00:44:50,490 --> 00:44:52,699 So it's a difference whether so here 1309 00:44:52,700 --> 00:44:54,769 they allow it allows them to get 1310 00:44:54,770 --> 00:44:56,839 a shared random bit because when Alice 1311 00:44:56,840 --> 00:44:59,029 measures, she will get random bit 1312 00:44:59,030 --> 00:45:00,979 and Bob, when he measures, he will also 1313 00:45:00,980 --> 00:45:02,539 get the same random bit. 1314 00:45:02,540 --> 00:45:04,819 It's just a shared classical random 1315 00:45:04,820 --> 00:45:06,949 bit. It's not information that Alice 1316 00:45:06,950 --> 00:45:07,759 had in mind. 1317 00:45:07,760 --> 00:45:09,889 Say I'm on a Zenda zero two bob, because 1318 00:45:09,890 --> 00:45:11,629 once he does a measurement, the outcome 1319 00:45:11,630 --> 00:45:12,919 will be random. 1320 00:45:12,920 --> 00:45:14,539 And that's the difference between sending 1321 00:45:14,540 --> 00:45:16,909 information from Alice to Bob 1322 00:45:16,910 --> 00:45:19,099 to just creating some some 1323 00:45:19,100 --> 00:45:21,209 shared, uh, correlation. 1324 00:45:22,310 --> 00:45:24,559 Now, probably this is hard 1325 00:45:24,560 --> 00:45:26,749 to grasp and don't worry, very 1326 00:45:26,750 --> 00:45:28,309 smart people had trouble with that. 1327 00:45:28,310 --> 00:45:30,859 So if you see this for the first time and 1328 00:45:30,860 --> 00:45:31,999 relax. So 1329 00:45:33,020 --> 00:45:34,020 it's OK. 1330 00:45:34,970 --> 00:45:35,970 Um. 1331 00:45:37,910 --> 00:45:40,219 If you have this, then 1332 00:45:40,220 --> 00:45:42,589 we can actually do quantum teleportation, 1333 00:45:42,590 --> 00:45:44,809 so we're not going to do the Star 1334 00:45:44,810 --> 00:45:46,099 Trek version. We're going to do the 1335 00:45:46,100 --> 00:45:47,449 version that was cooked up by these 1336 00:45:47,450 --> 00:45:49,939 people over here, um, 1337 00:45:49,940 --> 00:45:52,549 actually a long time ago in 93. 1338 00:45:52,550 --> 00:45:53,899 It works as follows. 1339 00:45:53,900 --> 00:45:56,059 So let's say Alice and Bob 1340 00:45:56,060 --> 00:45:57,919 and they have such an epic pair. 1341 00:45:57,920 --> 00:45:59,299 Actually, this has been demonstrated 1342 00:45:59,300 --> 00:46:01,159 many, many times experimentally. 1343 00:46:01,160 --> 00:46:02,419 So this is something that can actually 1344 00:46:02,420 --> 00:46:03,319 do. 1345 00:46:03,320 --> 00:46:05,629 Um, they share any power parity, 1346 00:46:05,630 --> 00:46:06,889 might be far away from each other. 1347 00:46:06,890 --> 00:46:08,839 And on top of that, Alice has an unknown 1348 00:46:08,840 --> 00:46:09,769 cubitt. 1349 00:46:09,770 --> 00:46:11,989 And that cubitt this committee over here 1350 00:46:11,990 --> 00:46:13,309 and this unknown state that she doesn't 1351 00:46:13,310 --> 00:46:15,229 know she would like to teleport Bob. 1352 00:46:15,230 --> 00:46:17,029 So she would like this Cubitt to end up 1353 00:46:17,030 --> 00:46:18,469 on bombsite. 1354 00:46:18,470 --> 00:46:20,599 Now, what she can do is she can do a 1355 00:46:20,600 --> 00:46:22,229 kind of complicated measurement that I 1356 00:46:22,230 --> 00:46:24,619 haven't talked about on her two cubits. 1357 00:46:24,620 --> 00:46:26,029 So she will do a so-called BELAL 1358 00:46:26,030 --> 00:46:27,169 measurement. 1359 00:46:27,170 --> 00:46:29,569 And this is a measurement on two cubits. 1360 00:46:29,570 --> 00:46:31,699 It's the half of the EPA that she 1361 00:46:31,700 --> 00:46:33,409 shares with Bob together with a cubit 1362 00:46:33,410 --> 00:46:34,909 that she wants to teleport. 1363 00:46:34,910 --> 00:46:36,619 The outcome of this measurement is again 1364 00:46:36,620 --> 00:46:39,169 going to be classical, classical to 1365 00:46:39,170 --> 00:46:40,999 random bits, actually random bits. 1366 00:46:41,000 --> 00:46:43,219 So they say zero one, 1367 00:46:43,220 --> 00:46:44,719 two or three. 1368 00:46:44,720 --> 00:46:47,179 And magically, 1369 00:46:47,180 --> 00:46:49,279 because of the entanglement this 1370 00:46:49,280 --> 00:46:51,649 Stateville, this, it will appear 1371 00:46:51,650 --> 00:46:53,959 on bombsite. However, it will not appear 1372 00:46:53,960 --> 00:46:56,089 in the clear. It will appear in some 1373 00:46:56,090 --> 00:46:57,409 encrypted form. 1374 00:46:57,410 --> 00:46:59,299 Actually, this is the analogous to the 1375 00:46:59,300 --> 00:47:01,849 classical one time pad exploring 1376 00:47:01,850 --> 00:47:02,869 with a random bit. 1377 00:47:02,870 --> 00:47:05,239 This is actually the quantum one time pad 1378 00:47:05,240 --> 00:47:06,949 because it's actually explored in a 1379 00:47:06,950 --> 00:47:09,709 quantum way with two classical bits, 1380 00:47:09,710 --> 00:47:12,619 because if ellis' 1381 00:47:12,620 --> 00:47:14,689 since this classical outcome sigma 1382 00:47:14,690 --> 00:47:16,789 over to, then he's able to 1383 00:47:16,790 --> 00:47:18,979 unlock this encryption and actually 1384 00:47:18,980 --> 00:47:20,600 recover the original cubitt. 1385 00:47:22,000 --> 00:47:24,249 So this is the procedure, how quantum 1386 00:47:24,250 --> 00:47:26,439 teleportation works, you have to do what 1387 00:47:26,440 --> 00:47:28,299 you have to have an prepare, you have to 1388 00:47:28,300 --> 00:47:29,439 do a belt measurement, you get a 1389 00:47:29,440 --> 00:47:30,339 classical outcome. 1390 00:47:30,340 --> 00:47:32,079 That outcome needs to be sent to the 1391 00:47:32,080 --> 00:47:33,999 other person. And once you know that you 1392 00:47:34,000 --> 00:47:36,009 can undo the encryption of the state in 1393 00:47:36,010 --> 00:47:37,989 order to recover this original Cupitt 1394 00:47:37,990 --> 00:47:39,129 here. 1395 00:47:39,130 --> 00:47:40,419 And again, this is something that does 1396 00:47:40,420 --> 00:47:42,969 not contradict relativity theory. 1397 00:47:42,970 --> 00:47:45,159 So this this kind of collapses, doesn't 1398 00:47:45,160 --> 00:47:46,479 happen instantaneously. 1399 00:47:46,480 --> 00:47:48,489 You can only recover this Cubitt after 1400 00:47:48,490 --> 00:47:50,379 you've learned the classical information. 1401 00:47:50,380 --> 00:47:52,149 And so it takes some time for this 1402 00:47:52,150 --> 00:47:53,859 classical information to travel from 1403 00:47:53,860 --> 00:47:56,139 Alice to Bob. No, if they're far apart. 1404 00:47:56,140 --> 00:47:58,209 And so there's there's no information 1405 00:47:58,210 --> 00:47:59,829 going faster than the speed of light 1406 00:47:59,830 --> 00:48:01,269 because you have to wait for the signal 1407 00:48:01,270 --> 00:48:02,829 before you actually get to the states. 1408 00:48:02,830 --> 00:48:04,600 That was in Alice's hand before. 1409 00:48:06,550 --> 00:48:08,199 All right, so now with that attempt, we 1410 00:48:08,200 --> 00:48:10,299 can break our protocol, remember 1411 00:48:10,300 --> 00:48:12,569 what it was, the attack I 1412 00:48:12,570 --> 00:48:14,649 always had a cubitt Bob had a bit to the 1413 00:48:14,650 --> 00:48:16,149 cubit should end up at Alice's side. 1414 00:48:16,150 --> 00:48:18,219 If it was zero, if this bit was one that 1415 00:48:18,220 --> 00:48:21,219 Bob should end up with a cubitt, and 1416 00:48:21,220 --> 00:48:22,899 if they share entanglement, if they 1417 00:48:22,900 --> 00:48:25,089 share, say, to EPR pairs like 1418 00:48:25,090 --> 00:48:27,219 this and and why wouldn't they know 1419 00:48:27,220 --> 00:48:28,689 they could just go and prepare that 1420 00:48:28,690 --> 00:48:30,819 beforehand, then they can 1421 00:48:30,820 --> 00:48:32,649 actually perfectly break this protocol 1422 00:48:32,650 --> 00:48:34,029 because what they can do is 1423 00:48:34,030 --> 00:48:35,049 teleportation. 1424 00:48:35,050 --> 00:48:36,849 So here here we go. 1425 00:48:36,850 --> 00:48:38,949 Alice would do a teleportation 1426 00:48:38,950 --> 00:48:40,659 measurement, a bell measurement on the 1427 00:48:40,660 --> 00:48:42,759 cubitt that she holds together with 1428 00:48:42,760 --> 00:48:45,159 the first half of of one of the EPR 1429 00:48:45,160 --> 00:48:47,259 pairs. This will teleports 1430 00:48:47,260 --> 00:48:49,389 this and Cubitt over 1431 00:48:49,390 --> 00:48:51,009 here to Bob. 1432 00:48:51,010 --> 00:48:52,809 Now, actually, it will not be here in the 1433 00:48:52,810 --> 00:48:54,399 clear. It will be encrypted. 1434 00:48:54,400 --> 00:48:56,169 But these keys, you'd be able to send 1435 00:48:56,170 --> 00:48:58,489 these classical keys along here. 1436 00:48:58,490 --> 00:49:00,609 And Bob, Bobby has 1437 00:49:00,610 --> 00:49:02,709 to beat. He knows whether he should keep 1438 00:49:02,710 --> 00:49:03,729 the cubitt or not. 1439 00:49:03,730 --> 00:49:05,679 So if the bit is one, he will just not do 1440 00:49:05,680 --> 00:49:08,199 anything and wait for his keys to arrive 1441 00:49:08,200 --> 00:49:09,909 and uncover this. 1442 00:49:09,910 --> 00:49:11,589 Cupitt so then he will hold the right 1443 00:49:11,590 --> 00:49:12,549 Cupitt. 1444 00:49:12,550 --> 00:49:14,829 However if the bit the zero 1445 00:49:14,830 --> 00:49:16,719 then he will actually teleport it back to 1446 00:49:16,720 --> 00:49:18,819 Aliceville. Just do another teleportation 1447 00:49:18,820 --> 00:49:21,129 measurement and kind of make 1448 00:49:21,130 --> 00:49:23,349 this cubitt now end up again on 1449 00:49:23,350 --> 00:49:24,609 Alice's side. 1450 00:49:24,610 --> 00:49:25,959 So it's at the right place now. 1451 00:49:25,960 --> 00:49:27,549 It's kind of double encrypted, it's 1452 00:49:27,550 --> 00:49:29,409 encrypted by this measurement and by that 1453 00:49:29,410 --> 00:49:31,689 measurement. But again, there's time 1454 00:49:31,690 --> 00:49:33,609 for this classical information to travel. 1455 00:49:33,610 --> 00:49:35,739 So he would send along the 1456 00:49:35,740 --> 00:49:37,389 and he would send along the outcome of 1457 00:49:37,390 --> 00:49:38,429 this this measurement. 1458 00:49:38,430 --> 00:49:39,849 And then Alice, at this point, she learns 1459 00:49:39,850 --> 00:49:41,169 o be zero. 1460 00:49:41,170 --> 00:49:42,789 So I have to look at my second Cubitt 1461 00:49:42,790 --> 00:49:45,039 here and I have to undo this 1462 00:49:45,040 --> 00:49:47,109 measurement here that what that did 1463 00:49:47,110 --> 00:49:48,969 to uncover and then I have to undo my own 1464 00:49:48,970 --> 00:49:49,989 measurement that I did. 1465 00:49:49,990 --> 00:49:51,759 And I will end up with the correct 1466 00:49:51,760 --> 00:49:52,760 cubitt. 1467 00:49:53,440 --> 00:49:54,440 So. 1468 00:49:55,390 --> 00:49:57,159 Here, are you actually perfectly break 1469 00:49:57,160 --> 00:49:59,289 the protocol because again, 1470 00:49:59,290 --> 00:50:00,969 to the verifiers, it's going to look as 1471 00:50:00,970 --> 00:50:02,800 if somebody is in the middle, 1472 00:50:04,180 --> 00:50:05,180 so. 1473 00:50:05,760 --> 00:50:08,549 Well, are there actually 1474 00:50:08,550 --> 00:50:10,589 protocols that cannot be broken and this 1475 00:50:10,590 --> 00:50:12,569 is kind of one of the main results we 1476 00:50:12,570 --> 00:50:14,699 obtained in this research 1477 00:50:14,700 --> 00:50:16,979 area. In fact, there is no secure 1478 00:50:16,980 --> 00:50:18,779 protocol. So what we've showed is the 1479 00:50:18,780 --> 00:50:20,819 so-called no go theorem that we've done 1480 00:50:20,820 --> 00:50:23,099 back in 2010, that any 1481 00:50:23,100 --> 00:50:25,229 position verification protocol, even if 1482 00:50:25,230 --> 00:50:27,389 it's a quantum protocol, it can be broken 1483 00:50:27,390 --> 00:50:29,549 using a huge number of entangled 1484 00:50:29,550 --> 00:50:31,829 qubits. So if you have enough resources, 1485 00:50:31,830 --> 00:50:33,929 an exponential and the amount of 1486 00:50:33,930 --> 00:50:36,899 resources, then you can break any 1487 00:50:36,900 --> 00:50:38,699 of these position verification protocols. 1488 00:50:39,870 --> 00:50:42,419 However, as always, in science, 1489 00:50:42,420 --> 00:50:44,489 if you kind of answer a question 1490 00:50:44,490 --> 00:50:47,039 and you prove a theorem, it immediately 1491 00:50:47,040 --> 00:50:48,389 leads to new questions. 1492 00:50:48,390 --> 00:50:50,189 And it's here. The obvious question is, 1493 00:50:50,190 --> 00:50:52,529 well, do you really need that many 1494 00:50:52,530 --> 00:50:55,319 resources or is there a protocol 1495 00:50:55,320 --> 00:50:57,479 such that it's easy to run if you're 1496 00:50:57,480 --> 00:50:59,699 honest, so honest approvers and verifiers 1497 00:50:59,700 --> 00:51:01,709 are efficient or they just need to do 1498 00:51:01,710 --> 00:51:03,959 simple things, but very can guarantee 1499 00:51:03,960 --> 00:51:06,509 that any attack on it requires 1500 00:51:06,510 --> 00:51:07,809 a lot of entanglement. 1501 00:51:07,810 --> 00:51:09,299 But that would be great. 1502 00:51:09,300 --> 00:51:10,949 Then then we actually have a secure 1503 00:51:10,950 --> 00:51:12,179 protocol. 1504 00:51:12,180 --> 00:51:13,919 And this is this is actually a research 1505 00:51:13,920 --> 00:51:15,809 question that I'm currently, uh, 1506 00:51:15,810 --> 00:51:16,919 studying. 1507 00:51:16,920 --> 00:51:19,229 And I invite you to have a look at 1508 00:51:19,230 --> 00:51:21,089 my home page and for some reason, 1509 00:51:21,090 --> 00:51:23,459 developments in this in this area. 1510 00:51:25,810 --> 00:51:28,539 I think that brings me to the end. 1511 00:51:28,540 --> 00:51:30,489 I hope you've learned something in this 1512 00:51:30,490 --> 00:51:31,490 talk. 1513 00:51:32,440 --> 00:51:33,999 First of all, about quantum mechanics. 1514 00:51:34,000 --> 00:51:36,399 What cubits are these four states? 1515 00:51:36,400 --> 00:51:38,559 You've seen the no cloning theorem. 1516 00:51:38,560 --> 00:51:40,729 You've encountered some funny 1517 00:51:40,730 --> 00:51:42,849 in your resource state 1518 00:51:42,850 --> 00:51:45,039 that cubits that are entangled 1519 00:51:45,040 --> 00:51:47,499 and you've seen how to use them and 1520 00:51:47,500 --> 00:51:50,289 to to do teleportation 1521 00:51:50,290 --> 00:51:51,489 in the first application. 1522 00:51:51,490 --> 00:51:52,419 I've talked about quantum key 1523 00:51:52,420 --> 00:51:54,099 distribution and try to give you a little 1524 00:51:54,100 --> 00:51:56,469 bit of context how where it fits 1525 00:51:56,470 --> 00:51:57,369 in the world. 1526 00:51:57,370 --> 00:51:59,259 And in second part, as I've talked about, 1527 00:51:59,260 --> 00:52:01,389 position based cryptography in one of 1528 00:52:01,390 --> 00:52:04,539 the currently active research areas 1529 00:52:04,540 --> 00:52:06,549 where it depends whether you can break 1530 00:52:06,550 --> 00:52:08,649 the protocol if you have enough 1531 00:52:08,650 --> 00:52:10,749 resources and maybe you cannot if 1532 00:52:10,750 --> 00:52:12,909 you don't have enough resources. 1533 00:52:12,910 --> 00:52:14,469 All right. Thank you very much for your 1534 00:52:14,470 --> 00:52:15,579 attention and. 1535 00:52:29,290 --> 00:52:31,509 We now have some 1536 00:52:31,510 --> 00:52:33,699 minutes left for Q&A, so please 1537 00:52:33,700 --> 00:52:35,139 line up at the microphones. 1538 00:52:35,140 --> 00:52:37,269 This is an exceedingly well miked room. 1539 00:52:37,270 --> 00:52:39,189 So you have eight microphones to choose 1540 00:52:39,190 --> 00:52:41,409 from. Just line up at any one 1541 00:52:41,410 --> 00:52:43,569 of them and I will call you when you can 1542 00:52:43,570 --> 00:52:44,570 speak. 1543 00:52:45,360 --> 00:52:46,919 Yeah, and please try not to walk in front 1544 00:52:46,920 --> 00:52:48,329 of the cameras when you leave. 1545 00:52:48,330 --> 00:52:49,769 This is very annoying for the people on 1546 00:52:49,770 --> 00:52:51,899 the street and also the people in 1547 00:52:51,900 --> 00:52:54,239 the stream. If you're on the icy channel 1548 00:52:54,240 --> 00:52:56,159 on Twitter, you can just ask questions 1549 00:52:56,160 --> 00:52:58,379 there. We do have an Internet person 1550 00:52:58,380 --> 00:53:00,569 here that will read your questions. 1551 00:53:00,570 --> 00:53:03,269 Microphone number two, please. 1552 00:53:03,270 --> 00:53:04,199 Hello. 1553 00:53:04,200 --> 00:53:05,819 Yeah, thanks for the talk. 1554 00:53:05,820 --> 00:53:07,919 And and but 1555 00:53:07,920 --> 00:53:10,559 I have one question concerning 1556 00:53:10,560 --> 00:53:13,229 the quantum key distribution 1557 00:53:13,230 --> 00:53:15,059 using Wiggill machines. 1558 00:53:15,060 --> 00:53:17,159 And and you said they could 1559 00:53:17,160 --> 00:53:20,009 be hacked. And from my understanding 1560 00:53:20,010 --> 00:53:22,679 and clarification, I assume that 1561 00:53:22,680 --> 00:53:25,349 this hacking does not take place 1562 00:53:25,350 --> 00:53:27,629 at the quantum part of this 1563 00:53:27,630 --> 00:53:29,399 process, but it takes place at the 1564 00:53:29,400 --> 00:53:31,739 specific implementation 1565 00:53:31,740 --> 00:53:34,829 and and the classic 1566 00:53:34,830 --> 00:53:36,629 channels. Is that, too? 1567 00:53:36,630 --> 00:53:37,539 Yes, of course. 1568 00:53:37,540 --> 00:53:40,289 So with any system you implement, 1569 00:53:40,290 --> 00:53:42,629 even if you can show security, 1570 00:53:42,630 --> 00:53:45,149 improve security, in our perfect 1571 00:53:45,150 --> 00:53:47,279 mathematical model, we have to make 1572 00:53:47,280 --> 00:53:49,229 sure that we actually model the reality. 1573 00:53:49,230 --> 00:53:50,729 And in reality, things are way more 1574 00:53:50,730 --> 00:53:52,709 complicated. You have to use photon 1575 00:53:52,710 --> 00:53:54,479 detectors. And in fact, in this 1576 00:53:54,480 --> 00:53:56,639 particular case, it was the the 1577 00:53:56,640 --> 00:53:58,559 photon detectors that were attacked. 1578 00:53:58,560 --> 00:54:00,629 So you were the most able 1579 00:54:00,630 --> 00:54:02,939 to actually blind them by shining 1580 00:54:02,940 --> 00:54:03,929 in a lot of light. 1581 00:54:03,930 --> 00:54:05,249 So they are very sensitive. 1582 00:54:05,250 --> 00:54:07,619 They normally operate on a single photon 1583 00:54:07,620 --> 00:54:09,719 level and and thereby kind 1584 00:54:09,720 --> 00:54:11,969 of getting out of the model that we 1585 00:54:11,970 --> 00:54:13,629 that we use to improve security. 1586 00:54:13,630 --> 00:54:15,809 So so it's it's really an attack on the 1587 00:54:15,810 --> 00:54:17,639 on the actual implementation. 1588 00:54:17,640 --> 00:54:19,139 But in fact, maybe I can say in general 1589 00:54:19,140 --> 00:54:21,269 that I see this as a sign of maturity 1590 00:54:21,270 --> 00:54:22,619 of this field. I mean, that's the only 1591 00:54:22,620 --> 00:54:24,149 way to go. No, somebody has to build the 1592 00:54:24,150 --> 00:54:26,309 machine. Then somebody comes and attacks 1593 00:54:26,310 --> 00:54:28,109 it. And kind of it's a cycle. 1594 00:54:28,110 --> 00:54:30,169 And so so things get better by 1595 00:54:30,170 --> 00:54:33,179 by investigating actual implementations. 1596 00:54:33,180 --> 00:54:34,469 Thanks. 1597 00:54:34,470 --> 00:54:36,029 Just a quick note to the people leaving 1598 00:54:36,030 --> 00:54:37,859 right now. This talk is going on for like 1599 00:54:37,860 --> 00:54:39,449 three more minutes. So please just wait 1600 00:54:39,450 --> 00:54:41,549 three more minutes and stop being very 1601 00:54:41,550 --> 00:54:42,809 annoying to everybody. 1602 00:54:42,810 --> 00:54:43,859 Thank you. 1603 00:54:43,860 --> 00:54:45,439 Internet, please. 1604 00:54:45,440 --> 00:54:47,069 Thank you. First question, is there 1605 00:54:47,070 --> 00:54:48,929 anything you can do at home with limited 1606 00:54:48,930 --> 00:54:49,930 budget? 1607 00:54:52,180 --> 00:54:54,369 Well, you can definitely run this 1608 00:54:54,370 --> 00:54:56,499 little experiments that I did actually 1609 00:54:56,500 --> 00:54:57,979 can have a lot of fun with polarizing, 1610 00:54:57,980 --> 00:55:00,309 glassless in general and, um, 1611 00:55:00,310 --> 00:55:03,009 but say of 1612 00:55:03,010 --> 00:55:04,659 real cryptographic relevance, that's 1613 00:55:04,660 --> 00:55:06,549 going to be way harder because you do in 1614 00:55:06,550 --> 00:55:08,409 order for these security proofs to kick 1615 00:55:08,410 --> 00:55:09,939 in, you do have to operate on a single 1616 00:55:09,940 --> 00:55:11,049 photon level. 1617 00:55:11,050 --> 00:55:13,719 And this is this is very delicate 1618 00:55:13,720 --> 00:55:15,899 to handle. So you do need some photonic 1619 00:55:15,900 --> 00:55:17,250 slap in order to do that. 1620 00:55:19,310 --> 00:55:21,099 Microphone number one, please. 1621 00:55:22,220 --> 00:55:24,259 So one comment because you were 1622 00:55:24,260 --> 00:55:25,529 commenting on our talk from yesterday, 1623 00:55:25,530 --> 00:55:27,589 the post one talk, I mean, if 1624 00:55:27,590 --> 00:55:29,869 you are using yes. 1625 00:55:29,870 --> 00:55:31,729 Or if you're using any authentication 1626 00:55:31,730 --> 00:55:33,859 code, you are back to 1627 00:55:33,860 --> 00:55:35,719 computational assumptions, hardens 1628 00:55:35,720 --> 00:55:37,819 assumptions. So when you had two of 1629 00:55:37,820 --> 00:55:39,559 your table, you are still claiming you 1630 00:55:39,560 --> 00:55:41,779 have infinite long term security 1631 00:55:41,780 --> 00:55:43,269 while at the same time you're combining. 1632 00:55:43,270 --> 00:55:44,959 And that's just not true. 1633 00:55:44,960 --> 00:55:47,269 The other comment I have is, 1634 00:55:47,270 --> 00:55:50,359 so how about my mobile communications? 1635 00:55:50,360 --> 00:55:52,759 How about the most common use of Internet 1636 00:55:52,760 --> 00:55:53,760 via Wi-Fi? 1637 00:55:55,560 --> 00:55:57,809 OK, um, 1638 00:55:57,810 --> 00:56:00,419 so you're 1639 00:56:00,420 --> 00:56:01,649 concerning your first question, I think 1640 00:56:01,650 --> 00:56:02,969 we should take this offline. 1641 00:56:02,970 --> 00:56:05,729 I mean, I'm happy to explain to you 1642 00:56:05,730 --> 00:56:07,709 your second comment, of course. 1643 00:56:07,710 --> 00:56:09,869 So in that sense, 1644 00:56:09,870 --> 00:56:12,509 this research is not and 1645 00:56:12,510 --> 00:56:14,429 I'm assuming a very strong model for this 1646 00:56:14,430 --> 00:56:17,609 position of verification where basically, 1647 00:56:17,610 --> 00:56:19,739 as I said, I call kind of fake proofers, 1648 00:56:19,740 --> 00:56:21,059 all those that are not at this claim 1649 00:56:21,060 --> 00:56:23,099 position and they can even it can be even 1650 00:56:23,100 --> 00:56:24,869 coalitions. So in that sense, it's not 1651 00:56:24,870 --> 00:56:26,280 realistically modeling 1652 00:56:27,390 --> 00:56:29,280 a real world scenario. 1653 00:56:31,670 --> 00:56:33,819 Into the McLeese, I'm speaking to 1654 00:56:33,820 --> 00:56:36,169 Mark, I'm not talking about the second 1655 00:56:36,170 --> 00:56:39,079 part, I'm talking about like, what would 1656 00:56:39,080 --> 00:56:41,329 you give me for the normal tripto 1657 00:56:41,330 --> 00:56:43,909 application? OK, mobile phone wi. 1658 00:56:43,910 --> 00:56:46,309 OK, well, as you know, 1659 00:56:46,310 --> 00:56:48,499 it's quite a high 1660 00:56:48,500 --> 00:56:50,629 demand, say, on the hardware side 1661 00:56:50,630 --> 00:56:52,219 that you have to have in order to run 1662 00:56:52,220 --> 00:56:53,179 this protocol. 1663 00:56:53,180 --> 00:56:54,919 Of course, there's also a lot of efforts 1664 00:56:54,920 --> 00:56:57,409 to actually miniaturize those devices 1665 00:56:57,410 --> 00:56:59,299 so that maybe at least one part is 1666 00:56:59,300 --> 00:57:01,849 actually portable 1667 00:57:01,850 --> 00:57:02,850 a sense. 1668 00:57:04,130 --> 00:57:06,289 And the yeah, the best 1669 00:57:06,290 --> 00:57:09,149 kind of add-on that you 1670 00:57:09,150 --> 00:57:11,479 can offer is this everlasting security 1671 00:57:11,480 --> 00:57:13,849 that you have to kind of be 1672 00:57:13,850 --> 00:57:16,219 active attacking, actively 1673 00:57:16,220 --> 00:57:18,559 attacking at the point of execution. 1674 00:57:18,560 --> 00:57:20,119 And if you are not successful in that, 1675 00:57:20,120 --> 00:57:23,029 then then actually the rest of 1676 00:57:23,030 --> 00:57:25,159 the time the security will be guaranteed. 1677 00:57:25,160 --> 00:57:26,509 So I will have lasers. 1678 00:57:26,510 --> 00:57:28,669 Sorry, we have lots of people queuing. 1679 00:57:28,670 --> 00:57:30,079 Please discuss later. 1680 00:57:30,080 --> 00:57:31,189 Thank you. 1681 00:57:31,190 --> 00:57:33,049 Microphone for please. 1682 00:57:33,050 --> 00:57:35,149 And correct me if I'm wrong, but 1683 00:57:35,150 --> 00:57:37,219 you need a direct line for 1684 00:57:37,220 --> 00:57:39,029 this kind of thing to work, right. 1685 00:57:39,030 --> 00:57:41,479 So if you have any routers 1686 00:57:41,480 --> 00:57:44,089 or something in between and it won't work 1687 00:57:44,090 --> 00:57:46,159 because you need to read it out 1688 00:57:46,160 --> 00:57:48,079 or make a copy. 1689 00:57:48,080 --> 00:57:49,559 I'm just clarifying. 1690 00:57:49,560 --> 00:57:50,839 Are you talking about the second part or 1691 00:57:50,840 --> 00:57:52,639 the first part of both? 1692 00:57:52,640 --> 00:57:54,829 I think, um, well, for 1693 00:57:54,830 --> 00:57:56,809 quantum key distribution, that doesn't 1694 00:57:56,810 --> 00:57:59,029 matter too much. So you're perfectly fine 1695 00:57:59,030 --> 00:58:01,369 routing your cables around corners 1696 00:58:01,370 --> 00:58:03,349 using optical fibers. 1697 00:58:03,350 --> 00:58:05,329 For the second part, it's actually kind 1698 00:58:05,330 --> 00:58:06,259 of crucial. You're right. 1699 00:58:06,260 --> 00:58:08,519 So it's all about timing there. 1700 00:58:08,520 --> 00:58:10,879 So, of course, you have to 1701 00:58:10,880 --> 00:58:12,619 consider more realistic settings. 1702 00:58:12,620 --> 00:58:14,719 Also the fact that you are not we are not 1703 00:58:14,720 --> 00:58:16,429 communicating at the speed of light. 1704 00:58:16,430 --> 00:58:18,559 This will add additional constraints. 1705 00:58:18,560 --> 00:58:20,779 And so it will way more work 1706 00:58:20,780 --> 00:58:22,729 is required to model, say, a more 1707 00:58:22,730 --> 00:58:24,259 realistic setting where you might not 1708 00:58:24,260 --> 00:58:26,659 have a straight line of sight, very, very 1709 00:58:26,660 --> 00:58:28,309 communication. Ashley has to take some 1710 00:58:28,310 --> 00:58:30,529 corners. And so you might end up not 1711 00:58:30,530 --> 00:58:32,089 with one particular position you can 1712 00:58:32,090 --> 00:58:34,459 verify, but with the whole interval 1713 00:58:34,460 --> 00:58:35,899 somewhere you can make sure that somebody 1714 00:58:35,900 --> 00:58:37,129 is so. 1715 00:58:37,130 --> 00:58:38,239 But these are things that we are 1716 00:58:38,240 --> 00:58:40,329 currently working on to make to 1717 00:58:40,330 --> 00:58:42,440 to to model things more realistically. 1718 00:58:43,550 --> 00:58:45,589 Mike, number two, please. 1719 00:58:45,590 --> 00:58:46,519 Um, hello. 1720 00:58:46,520 --> 00:58:48,769 Uh, I think Tanya had a similar question, 1721 00:58:48,770 --> 00:58:50,599 but, uh, you said you have no 1722 00:58:50,600 --> 00:58:53,089 computational assumptions for Cookie, 1723 00:58:53,090 --> 00:58:55,639 but you need this authenticated RNA 1724 00:58:55,640 --> 00:58:57,319 and the authenticated RNA. 1725 00:58:57,320 --> 00:58:59,509 You do it with classic crypto, with 1726 00:58:59,510 --> 00:59:02,359 either an H mag or RSA signature. 1727 00:59:02,360 --> 00:59:04,549 So you have the computational 1728 00:59:04,550 --> 00:59:05,719 assumption again. 1729 00:59:05,720 --> 00:59:07,819 So I think this whole thing is kind 1730 00:59:07,820 --> 00:59:08,929 of circular. 1731 00:59:08,930 --> 00:59:11,059 You're trying to replace, uh, 1732 00:59:11,060 --> 00:59:12,949 whatever and a cipher. 1733 00:59:12,950 --> 00:59:15,079 But you, again, need some, 1734 00:59:15,080 --> 00:59:17,149 uh, maybe a 1735 00:59:17,150 --> 00:59:19,729 hash function or some signature from 1736 00:59:19,730 --> 00:59:21,799 traditional crypto to make 1737 00:59:21,800 --> 00:59:22,999 it work in the first place. 1738 00:59:23,000 --> 00:59:25,189 So I think it's a very 1739 00:59:25,190 --> 00:59:27,469 expensive solution for a non-existent 1740 00:59:27,470 --> 00:59:28,339 problem. 1741 00:59:28,340 --> 00:59:30,499 OK, um, well, so 1742 00:59:30,500 --> 00:59:32,209 in fact, you don't need to use a 1743 00:59:32,210 --> 00:59:33,889 computational scheme to to do 1744 00:59:33,890 --> 00:59:35,419 authentication or information, 1745 00:59:35,420 --> 00:59:37,339 theoretically secure authentication 1746 00:59:37,340 --> 00:59:39,719 schemes. But, um, 1747 00:59:39,720 --> 00:59:41,899 uh, you're right that, uh, 1748 00:59:41,900 --> 00:59:43,159 you're using up this key. 1749 00:59:43,160 --> 00:59:44,779 So in a sense, also what you can never 1750 00:59:44,780 --> 00:59:47,119 prevent is that it just completely blocks 1751 00:59:47,120 --> 00:59:48,349 all the communication. 1752 00:59:48,350 --> 00:59:50,269 And in that sense, you will she will be 1753 00:59:50,270 --> 00:59:52,579 able to kind of make you run out of key. 1754 00:59:52,580 --> 00:59:54,859 But what it does add is 1755 00:59:54,860 --> 00:59:56,959 that that, uh, this this 1756 00:59:56,960 --> 00:59:58,609 feature that I already told Tarnya, 1757 00:59:58,610 --> 01:00:00,679 namely that that you have to be active at 1758 01:00:00,680 --> 01:00:01,939 the moment of execution. 1759 01:00:01,940 --> 01:00:04,369 So this this is kind of the upgrade 1760 01:00:04,370 --> 01:00:05,690 to, say, classical schemes. 1761 01:00:07,120 --> 01:00:08,949 Unfortunately, we are out of time, so 1762 01:00:08,950 --> 01:00:11,409 please thank Christian again. 1763 01:00:11,410 --> 01:00:12,410 Thank you.