So, when I prepared this talk, I reminded myself that I was already here last year in Darmstadt, already giving a talk on quantum cryptography, probably kind of the same title more or less, and so I decided that I don't want just to repeat myself, so this talk will be non-technical and, okay, you will see what comes, but it will not be the same

as last year. And maybe the first point, I mean, also the chairman reminded us that I'm in the field since many years, I don't know, more than 20 years for sure, I had plenty of time to

realize that, okay, in the field we have, of course, physicists and we have cryptographers, and when physicists talk about cryptography, they tend to say things which are, well, at best, imprecise, at worst, completely wrong, and when cryptographers talk about physics,

it's not better, and so there is a real lack of communication between these two communities, and I'm very grateful that Johannes and co-workers are organizing this meeting here where we can try to talk to each other and hopefully better understand each other.

Okay, so let me start with something that impressed me a lot, it was not long ago visiting China, and China is developing a huge project to connect Beijing to Shanghai, 2,000 kilometers,

with quantum key distribution, so quantum communication, this quantum cryptography, and actually they started that, they announced that, well, three years ago, and it will be,

and they announced that it will be finished this year, and in China, they really do it, so actually there will be a conference in November in Shanghai for the inauguration of this impressive realization, QTD over 2,000 kilometers, with trusted nodes, as you see,

you go from one point to the next town, I mean, village, but a Chinese village has at least a million inhabitants, and this is not all, because if you can't see it, because it's not on the screen, but if you go lower than Shanghai, below Shanghai,

there's another town, again, 6 million inhabitants, Hanzhou, and there is also another network, another quantum backbone going south, I know actually of another one also, so they are not stopping there, this is not just a demonstration, it's really the start of an extremely ambitious plan, and when I visited there, I could see this Shanghai-Hanzhou link,

I mean, the fiber is already installed, the quantum network, I mean, you see these boxes here, Ron, I mean, this is the quantum network, which is now, or was at that time on the test, and is now being deployed in the field, so that's also very impressive,

it goes on, and actually the next thing which impressed me there is the Chinese quantum satellite, I don't know if you see much, I don't see too much, can we not turn off the lights, which are in front, can you see it, I mean, it doesn't matter if I don't see it,

but if you don't see it, it's, so China has really also very ambitious plan to really launch what we call a quantum satellite, so a satellite, low orbit satellite, which is going to, oh, now I'm bad on the picture, very sorry about that, thank you, no, no, that's much better,

I think, hopefully, so they're going to launch that, and that's going to do a quantum cryptography with different places in China, and this is not the far future, this one will be launched next month, so in a month time, of course, it will not run immediately,

and so on, but I mean, they're extremely serious, and you can also see that they're very serious in this title, which for convenience, I translated for you, it's taken from the 13 five-year plan

for economic and social development of China, and in this five-year plan, you know that China is not a democracy, and the good point of not being a democracy, especially coming from Switzerland is that the time we need in Switzerland to start discussing about something in China,

they made the discussion, the decision, and they have implemented it, so they are not, well, they are just developing at a different speed, so in this five-year plan, you have this very important part of it, especially what is in red, which you find again here, so it is a

section on industry, cutting-edge industry, not R&D industry, and they want to turn quantum communication into a real industry, so they have enormous plans there, so clearly, quantum cryptography was invented in part in the US with Bibi, Bennett and Bressard, and also

in Europe with Artur Kert, and was, Canada, oh la la, thank you, thank you for correcting that, yes, yes, if Gilles would have been here, is not Claude here? Claude must be sleeping then. Okay, anyway, of course, Canada, and okay, the UK, which is still part of Europe today,

so it was invented here and developed in Europe quite a lot and quite successfully, but, and also in Japan, for instance, but this probably will be implemented actually in China. Okay, so that's one of the impressive things going on. Another impressive thing is also what

is going on now in the field of quantum technologies in general, where you see Microsoft, Lockheed Martin, IBM, Google, Intel, and all with very significant numbers, Canada also, and so on, and also Europe has announced a few months ago a flagship project on

quantum technologies, so it goes beyond quantum communication, but it will include quantum communication, and they plan one billion euro over 10 years for that. So the environment is kind of exciting. Now, how does a QKD box, QKD means quantum key distribution,

so this is one of the two main applications of quantum cryptography, the other one I will mention later is quantum random number generator. So how does a quantum key distribution, QKD box look like? Well, it looks like that, and so if a telecom engineer has one of these boxes

in his hand, he will not even notice that this is a quantum box, it is just a box with standard interfaces, I mean of course you need a power supply, 220 volts or whatever, and you have also

some optical connections on it, like all modern communication systems, and it is in a standard Atka format, so that the size is standardized and all that, so I'm not really in that, but it's a very standard architecture and format. If you look into the box, you will mostly find

electronics, so you will mostly find FPGAs and this kind of stuff, like in any other box. You will also find quantum random number generator, we'll come back to that,

and by the way of course this should be in any cryptographic systems, because I guess we all, whatever the cryptographic application is, we need a source of entropy. But what you find in addition is also a telecom, optical telecom components, like a laser intensity modulator,

a few more of these components, but all these components are total standard optical communication components, extremely reliable, working for decades and decades without any problem, that's on the source side, the one we call usually Alice. On the receiver side, you also have some standard

optical components, but you also have something which is not standard, these are the detectors, single photon detectors. Alice and Bob send, or Alice sends to Bob single photons, single individual particles of light, and you need to detect them, and they are not easy to

detect because this is very little energy, so you need a special detector, not good enough to have a standard detector. So this is new, but this is now pretty well mastered and goes also in the boxes I just showed you before. Okay, I was more or less at that point,

now just to show you how these QKD boxes look like, and then showing you also what is inside, and telling you that mostly the difference with any other telecom boxes are these single photon detectors. This is really non-standard, the rest being just standard electronics or standard

optics. Yeah, and then once you have these kind of boxes, you can really try to go to this limit, go to long distance, and here has still a slide of K of last year where my colleague Hugo Zwinden demonstrated 300 kilometers, and actually a few weeks ago, Chinese again

demonstrated even 400 kilometers, with the bit rate always being extremely low. So you can go to longer and longer distances, and probably someday there will be 450 kilometers, so on, but as Norbert told you already, going beyond 500 kilometers becomes impossible

because of the attenuation of the channels you just heard. So the research is no longer so much on going to longer distances, but increasing the bit rate, so improving on the secret bit rate, so you know here even on 100 kilometers, you're at a few tens of thousands of bits per second.

And here I have to say that there is no fundamental limit, and I'm sure that there will soon be QKD demonstrations producing one gigabit per second. If it doesn't happen this year, it will be next year, so that's something which is really coming.

And even, okay, you may say that compared to classical communication, one gigabit is still slow. You should go now to 10 or 100, whatever, and I don't see anything that limits us. So even 10 gigabits or terabits per second over short distances is certainly something absolutely possible. It's an engineering problem. It's not a simple problem, but there is

fundamental limiting us here. Okay, so just one picture of, probably many of you have seen that. That's probably the QKD system. The box at that time was a bit larger than today. So that was installed in 2011, and that's probably the commercial system that has been

running continuously seven days a week and 24 hours a day in the world. There are older systems, but the older systems, to my knowledge, have all had interruptions.

So what does QKD achieve? We already heard about that. And the fact that you have this single photon detector, which is also something new, and so something that has to be tested and so on, has to go into these security models. But the good thing is that it's able to detect single photons. And single photons, in our language we say it's a quantum bit or a qubit,

is something that, contrary to the classical bits, you cannot copy. So you cannot just make a copy of everything as you do with standard classical communication, and then say, okay, I store it today. I will analyze it tomorrow, or even in 10 years or in 15 years here.

Single photons you cannot copy. It's a very, very fundamental law of nature. And if that would be wrong, I mean, not only would quantum mechanics be completely wrong, but also relativity would go wrong. So everything in physics would go wrong. So this is an extremely solid piece of science that you cannot copy. And hence, any attack has to be launched, as Norbert was also saying,

on the spot. If you come a millisecond too late, it is too late. You cannot just store it and wait a bit. Okay, so what can QKD achieve? So we already heard that, okay, that's what I just said, so attacks have to be launched on the spot.

And so if we have only the assumption of a proper implementation, of course, for any crypto device, you need a proper implementation, it is key expansion, because you start from these initial keys to do the authentication, as we just heard before. And also, we also just heard that

if you assume that you have a short-term secure one-way function, so maybe secure over a minute, or quite really short, or a few seconds would be actually enough, then you could use that to really do key distribution, starting from nothing. But you need this secure one-way function for the authentication again. And again, if it's secure only for a few seconds,

that's good enough, because afterwards, it's just too late anyway. Okay, now if you combine it with one-time pad, of course, then we have information vertical everlasting security. But okay, we know that the key then has to be as long

as the message, which is completely impractical. So usually what we do is to combine it with AES, and Snob had said, why AES? Well, because that's the standard of today, but it's no, since we change the key every few seconds, we don't really use AES in its full power,

for its initial purpose for which it was developed, and so there might be better ways actually to combine 2KD with standard cryptography and encrypt us. Okay, now despite of all that, you find this kind of news also, namely that, for instance here,

commercial quantum cryptography has been tackled by an international collaboration and things like that. And there may be two points here. First of all, this kind of attacks is indeed an international collaboration that also involves the QKD industry. So it is not something that is

actually against this industry. It's done together because we know that we need the systems to be tested and certified. I mean, that's the normal way of doing it. And most of the attacks have really to do with the detectors, with single photon detectors, the components which

are very specific to QKD. And for instance, in one of the very first attack was kind of stupid but easy to understand. You had these two detectors, let's say for the zero and one, and they were active during two nanoseconds. And now if the active time that were actually

shifted one from the other, then for the adversary, it's very easy. You just intercept everything and you send a photon which matches only one of the two time windows. And then whenever there was a detection, you knew or the adversary would know in which detector actually detected this photon. And two nanoseconds that corresponds to about 40 centimeters of optical fiber.

So very clearly the initial implementation of QKD was badly done because if you make a mistake of 40 centimeters, it's just not very precise. And it's actually very easy to cut the fiber to at least a millimeter or even a tenth of a millimeter accuracy. So that was a mistake and

had of course to be corrected, but it's kind of trivial mistake. And again, even that kind of mistake had no impact on what has happened already earlier. Another kind of attack now was again on the single photon detector by blinding them. Okay, so I'm not going into

the details here, but indeed now you need to make sure that you cannot just blind the detectors and just saturate them. But the main message here is that the principle of QKD, that will never be attacked because the principle, the theory, you know, once you have this model and you just look at the principle, this is sure. That's a mathematical theorem and that will remain

correct. But the implementation of course may be faulty. So the implementation needs to be modeled and analyzed. And this should also be done by people different from those that develop the QKD system because you're never very good at criticizing your own child.

So the implementation must be checked, which is clear. Maybe just to show you a picture of a quantum hacker, that's Lars Linderson, who was a student of Makarov, and he was attacking one of these boxes, QKD boxes. And that's a picture that was taken actually in my lab

in Geneva. So we were really collaborating and he was in the lab, but you see that we were really giving him full control of the box. And in order to launch some of his attacks, he had to do very careful measurements of the capacity of some diodes on these electronic

boards. It just does not work if you have a box out there somewhere in the basement of a bank and you have no access to that box. And I have to say, if you give access to the box, well the easiest is probably just to add a little emitter into the box. And then anyway, whether it is quantum or not, it's not going to be secure.

So there has not been any real attack on any running QKD system today. And here is also a way of trying to work against or to mitigate these attacks on the detectors, something we call a decoy detector. And it's quite easy to understand if the efficiency

of the detector is randomly changed and the adversary then does not know which efficiency he has or she has to simulate, then she will not be able to do it without getting a

code. So for instance, one way of implementing that would be just to have a highly unbalanced coupler where 90% of the photons go to this detector, 10% to this one. So of course, this detector has to be nine times more efficient than that one. How are you going to do that if you

just have access to this input, not to the other input, to this input? That's the only thing coming from the outside. So this is an example where almost still modeling is required and people I know better should work on that. But you see that there are quite simple solutions to this

problem. And again, the fact that we have these new detectors makes it easy to understand that the weak points will be these new components. So let me come to the other main area in quantum cryptography, namely quantum random number generator. So if you just have a beam splitter

and every piece of glass is a beam splitter, maybe not 50-50, but if you have sunglasses, it's essentially a 50-50 polarizer, let's say. And then if you send photons on it, there is one chance out of two that it gets reflected. If it's a sunglass, it gets absorbed. And one chance out of two, it gets transmitted. And then if one detector,

you count it as a one and the other one as a zero, you have here a very simple entropy source. And you know exactly, it's easy to understand what is happening. You can also monitor the noise, for instance. And if you put that into a little box, so actually this is going into this

little box, which is about one centimeter cube. And so in that you have the LED, so these photon source, the detectors. Of course, these detectors are not compatible with optical fiber. So these are CMOS detectors, which would not see the photons that pass through the optical fibers. It's different wavelengths. So these detectors are much more

simple. Okay, and then you need some electronics to drive it. There's also some electronics to do the extraction of the randomness and deliver 50-50 balanced bits at the end. And that goes into these boxes that deliver four megabits per second

of quantum randomness. And this you can certify. Okay, here we have some certification, maybe last year, from the French military to collaborate with the local BSI here in Germany. So that is, in terms of certification, much more advanced quantum key distribution.

And here we have an example of a collaboration with a German company, Chemile, a medium-sized company that is specialized in critical infrastructure,

for instance. And okay, together we developed this board, which is a standard encryption board. Again, if you look on that, you may wonder what is quantum on that board. And actually what is quantum? I think it's here or here, I don't know. One of these things is not a standard electronic component, it is actually a quantum random number generator,

working on the principle I showed you before, the laser source, LED source, beam splitter, two single photon detectors, CMOS technology. The future of quantum random number generator,

one possible way, is the following. We demonstrated, okay, it was published two years ago, that this kind of camera that you all have on your smartphone is extraordinarily sensitive and extremely high quality. It's quite amazing

everything we carry in our smartphones. Anyway, and actually this little thing, a millimeter or not even in size, has an incredible resolution in terms of photons. So if you send photons on it, so if you send very, very few photons, just less than 10,

let's say, the mean is essentially zero. So the variance over the mean goes up to infinity, essentially. Essentially that doesn't work. Then from about 10 to about 450, you have that the variance is equal to the mean. So that's where it is functioning,

really just detecting a Poissonian distribution. That's for every single pixel, and you have, of course, millions of pixels in a camera. And then if you go above about 450 photons per pixel, then you saturate. And if you saturate, the variance goes to zero.

There's no fluctuations any longer. It's a constant coming up. But you have a huge area here where you can actually really distinguish the optical fluctuations, quantum fluctuations from the noise. And you see it better on that slide here. So here in blue is the signal for this pixel when there is no photon. So you have some

photoelectrons still, but you see it's essentially around zero. Well, if you send now photon in, of course, everything gets displaced. But with respect to the center, so with respect to the mean photon number, you now have a Poisson distribution,

which essentially looks like a Gaussian. And you see so that now the green is really the quantum fluctuation in the number of photons in a standard optical pulse, unavoidable fluctuation that you have in any optical pulse. And the blue is the technical

noise that you have to remove. So you see that if you use a good extractor, you don't even need something really magic here. The difference is so large. You can actually extract randomness out just of your smartphone. Now a smartphone is not a cryptographic device, but you see that you can use that and try to turn it into a device. And that's actually what is done by this

company here. And they want to produce quantum random number generator chips. Here they say five millimeters. I don't know. It doesn't exist yet to my knowledge. But it will be just a chip. And it is extremely likely that in five years, most of us will have

a quantum random number generator in our smartphone, whether we want it or not. It will come and it will also exist in the servers, in every computer. In this kind of computer, it will maybe crash for other reasons in five years. And hopefully it will not be due to the

quantum random number generator. But it will become just a standard component that will cost a few tenths of cents, I don't know, something like that. There's nothing here in which makes it costly. No reason for that to be costly. I forgot to say one thing about the other detector, the one you need for quantum key distribution, because these ones you want to be compatible

with optical fibers. So different wavelengths, less energy, more complicated detectors. And these detectors so far, we all buy them in the US. The good news is that there are two companies that are developing their own. So there will be now some competition which will lower the price, which is good. The bad news is that the two companies are in

Asia and Europe is once again nowhere on that kind of map. Okay, it's a Swiss guy telling that to the Europeans in the audience. Okay, anyway, so that's the situation where we are with quantum random number generator.

So the conclusion of this talk in two parts is, well, let me again say that I really think that it's important for us to replace this statement that physics is different from cryptography. We again heard this Bernstein paper. I mean, sorry, it's a stupid thing.

It's incredibly stupid. Indeed, if you have side channels, yeah, if you have side channels, then you have side channels and you don't need to write a paper on that. And it has nothing specifically to do with quantum. And then to invoke the, what does he do? Yeah, this holographic principle, which is a conjecture which holds in some versions

of string theory, which is certainly not part of physics. And if that is correct, then assuming that our brain is nothing more than a computer, you can read directly in the brain of anyone at the distance. Indeed, it is correct that if you can read

in the brain of people, then privacy is gone. I don't think it deserves a paper. Okay, so instead of doing just this kind of stupid no discussion, we should just talk and collaborate. It's very clear that we, the physicists, don't understand cryptography, and Bernstein, it's very clear that he doesn't understand physics.

China's efforts in quantum communication are really truly impressive and really goes beyond mere prestige. Maybe being the first launching a satellite, that's prestige. Maybe being the first to do this enormous quantum backbone, it looks like prestige. But they are going seriously

way beyond that. It is not just prestige. And QKD boxes look like any telecom boxes, except for the detectors, which is also what limits the distance. It's what is guaranteeing the security, but also limiting the distance. And quantum offers truly random processes

and truly random sequences of bits. With that, thank you again, and sorry for these incidents