research proposal on quantum cryptography

PhD Proposal: A Framework for Constructive Quantum Cryptography

The classical Constructive Cryptography framework simplifies cryptographic proofs by reasoning about systems at higher levels of abstraction and then moving to lower levels only as necessary. We begin by discussing constructive cryptography in the classical setting. This includes defining basic properties of systems within the framework, and algebraic rules for how systems compose together. For the final thesis, we want to address the question of whether the classical framework can be extended to quantum cryptographic protocols.An example of a system widely used in cryptographic protocols is a random bit generator. We introduce the notion of random bit generators in the constructive framework. This includes describing ideal and real random bit generators. In the quantum case, we consider ideal quantum random bit generators, then introduce some state preparation and bit-flip errors to define real quantum random bit generators. We show that the ideal and real generators are close to each other using a distance metric.Since we are interested in quantum protocols, we focus our attention to Quantum Key Distribution (QKD), which is a major branch within quantum cryptography. The goal of QKD is to establish a shared classical secret key between two parties, without leaking the key to an adversary. The devices used in the QKD protocol could be faulty, subject to noise, or even be programmed by the adversary. Device-independent QKD attempts to address this issue using maximally entangled quantum states and Bell inequalities that help identify if the statistics we see during the protocol are correct, and whether there is interference from an adversary. We develop a fully device-independent quantum key distribution protocol based on synchronous correlations, that is symmetric between the two parties involved in the protocol. By symmetric we mean that the actions performed by the two parties is completely interchangeable, which is typically not the case in existing DI-QKD protocols.Our QKD scheme uses random bits to select the measurements each player performs on their respective qubit. As a result, random bit generators are crucial components in the QKD scheme. The QKD scheme assumes that we use ideal random number generators, however, in a real world implementation, there are errors due to the environment and other factors, and so the ideal random bit generator is switched with a real random bit generator. The next natural step, and the proposed work for the dissertation is to show a composable proof of the QKD protocol using real random bit generators in the constructive framework.Examining Committee:

Chair:Co-Char:Department Representative:

Dr. Xiaodi Wu Dr. Brad LackeyDr. David Mount

An Exploration to the Quantum Cryptography Technology

Ieee account.

• Change Username/Password
• Update Address

Purchase Details

• Payment Options
• Order History
• View Purchased Documents

Profile Information

• Communications Preferences
• Profession and Education
• Technical Interests
• US & Canada: +1 800 678 4333
• Worldwide: +1 732 981 0060
• Contact & Support
• About IEEE Xplore
• Accessibility
• Terms of Use
• Nondiscrimination Policy
• Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. © Copyright 2024 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.

Post-quantum Cryptography

Cryptography in the era of quantum computers.

The private communication of individuals and organizations is protected online by cryptography. Cryptography protects our information as it travels over and is stored on the internet—whether making a purchase from an online store, uploading data to the cloud, or accessing work email remotely. Our research and engineering work has focused on protecting private information and communication from the possible threat of future quantum computers.

Quantum Computers will advance human knowledge in many fields. To balance that, we need to update some cryptography. Existing public-key cryptography (also known as asymmetric cryptography) is based on the difficulty of factoring and the difficulty of calculating elliptic curve discrete logarithms. Because those two problems will be readily and efficiently solved by a sufficiently large-scale quantum computer, we have been studying cryptography approaches that appear to be resistant to an attacker who has access to a quantum computer, and we have been developing cryptosystems whose security relies on different, hard mathematical problems that are resistant to being solved by a large-scale quantum computer.

Our work is open, open-source, and conducted in collaboration with academic and industry partners. The goal is robust, trusted, tested and standardized post-quantum cryptosystems.

This work started in 2014, with our first paper published in 2015. In the intervening years we’ve submitted candidates to the NIST Post-Quantum Project and shepherded them through several rounds. One candidate remains standing, the others are included below as both a record of the work and because perhaps it will inspire future innovations.

The key points: At the end of round 3, NIST picked for standardization CRYSTALS-Kyber for public-key encryption and key establishment, and CRYSTALS-Dilithium and two other algorithms for digital signatures. Meanwhile, ISO has approved FrodoKEM and two other algorithms for standardization.

What’s involved in post-quantum cryptography?

Any new cryptography has to integrate with existing internet protocols, such as TLS. A new cryptosystem must weigh:

• The size of encryption keys and signatures
• The time required to encrypt and decrypt on each end of a communication channel, or to sign messages and verify signatures, and
• The amount of traffic sent over the wire required to complete encryption or decryption or transmit a signature for each proposed alternative.

The new cryptosystems also require careful cryptanalysis, to determine if there are any weaknesses that an adversary could exploit. The work of developing new cryptosystems that are quantum-resistant must be done openly, in full view of cryptographers, organizations, the public, and governments around the world, to ensure that the new standards emerging have been well vetted by the community, and to ensure that there is international support.

And lastly, we must keep moving quickly because we don’t know exactly when today’s classic cryptography will be broken. It’s difficult and time-consuming to pull and replace existing cryptography from production software. Add to all that the fact that someone could store existing encrypted data and unlock it in the future once they have a quantum computer, and our task becomes even more urgent.

Crypto libraries, protocol integrations, and other resources

We are proud to participate in the Open Quantum Safe project where we help develop the liboqs library which is designed to further post-quantum cryptography. Additional information, protocol integrations, and related releases can be found on those sites.

Post-Quantum Crypto VPN

Post-quantum tls, post-quantum ssh, nist post-quantum project.

We focused first on the NIST Post-Quantum Project , which asked for cryptographers around the world to submit candidates for subsequent peer review and analysis. Our team is worked with academia and industry on four candidates for cryptography systems that can both withstand quantum computer capabilities, while still working with existing protocols.

Why four? We worked on two collaborations for key exchange, and one for signatures, as well as providing code in support of a second signature system. Each proposal had different strengths and weaknesses, and each was built upon a different mathematical “hard problem.” with different trade-offs regarding performance and key size. Pursuing multiple candidates is also appropriate as the post-quantum cryptography field is young, and many years of cryptanalysis are needed to determine whether any post-quantum proposal is secure.

Tell us what you think

Our community will only be able to come to a consensus on the right approach through open discussion and feedback. We would like you to test and verify our ideas. Please download, use, and provide feedback on our libraries and protocol integrations. You can talk to us at [email protected]

Research Team

Josh Benaloh

Senior Cryptographer

Craig Costello

Karen Easterbrook

Principal PM Manager

Senior Software Development Engineer

Principal Software Development Engineer

Patrick Longa

Michael Naehrig

Christian Paquin

Principal Research SDE

Greg Zaverucha

• Follow on Twitter
• Like on Facebook
• Follow on LinkedIn
• Subscribe on Youtube
• Follow on Instagram
• Subscribe to our RSS feed

Share this page:

• Share on Twitter
• Share on Facebook
• Share on LinkedIn
• Share on Reddit

Quantum-safe Cryptography Algorithms

Quantum-safe (sometimes also called “post-quantum”) cryptography is the design and implementation of protocols that are believed to be secure against the added computational capabilities of quantum computers. The two quantum algorithms that cause problems for current cryptography are Grover’s algorithm and Shor’s algorithm. Grover’s algorithm allows one to brute-force search a list in time that is smaller than the size of the list. This algorithm mostly affects the security of symmetric-key primitives (e.g. AES, SHA-256, etc.) and the protection against it generally requires one to simply double the key size. Shor’s algorithm, on the other hand, is more troublesome for the security of certain public-key primitives (e.g. RSA, EC-DSA, etc.). To withstand Shor’s algorithm, the key sizes of these schemes would need to increase exponentially, which would render them practically useless.

The field of quantum-safe cryptography deals with building public-key cryptography, which can be implemented on standard devices, that can resist quantum attacks. While quantum computers have the potential to devastatingly solve certain mathematical problems, there are many other problems that have been studied for several decades for which we don’t believe that quantum algorithms are at all helpful. Some of these problems come from the mathematical areas of lattices, codes, isogenies, and multivariate equations. Migrating to quantum-safe cryptography requires us to first design efficient foundational primitives based on the hardness of such problems, and later combine them into various protocols.

A current central research objective of our scientists is the design, implementation, and standardization of new quantum-safe cryptographic algorithms that can replace the classical non-quantum-safe ones. These include encryption and signature schemes that are currently undergoing standardization by NIST, as well as more advanced schemes from the area of privacy-preserving cryptography.

NIST Post-Quantum Standardization

From 2017 to 2022, NIST went through three rounds of a selection process to produce standards for quantum-safe encryption and digital signature schemes. There were 69 initial submissions that were judged on the basis of security and performance. The third and final round was completed at the end of March, and NIST announced the selection of new algorithms to recommend for standardization in July 2022. 

IBM Research scientists have been involved in creating many quantum safe algorithm designs. Below are the algorithms with IBM Research leadership and contributions in the NIST Post-Quantum Cryptography (PQC) finals and the selected standards.

IBM Research Scientists' Involvement in NIST PQC Public-Key Encryption/KEMs Finalists

Crystals-kyber.

🥇 NIST selected primary standard

Kyber is a public key encryption / key establishment mechanism based on the hardness of finding short vectors in Euclidean lattices. More specifically, Kyber is based on the module learning with errors problem. It offers high security, balanced key and ciphertext sizes, and leading performance on a diverse range of platforms.

IBM Research scientists Vadim Lyubashevsky and Gregor Seiler contributed to the design and implementation of Kyber.

IBM Research Scientists' Involvement in NIST PQC Digital Signature Finalists

Crystals-dilithium.

Similar to Kyber, Dilithium is a lattice-based signature scheme based on the module learning with errors and module short integer solution problems. Its construction follows the Fiat-Shamir with aborts paradigm that was invented by IBM Researcher Vadim Lyubashevsky. Unlike other signature schemes, Dilithium lends itself to high-confidence secure implementations and still offers very fast performance in optimized implementations. The combined key and signature size of Dilithium is the second smallest in the competition.

The Dilithium team is led by Vadim Lyubashevsky, and Gregor Seiler also contributed to the design and led the implementation of the scheme.

🥈 NIST selected standard

Falcon is also a lattice-based signature scheme. Compared to Dilithium, Falcon uses a different design paradigm and offers shorter key and signature sizes at the cost of higher implementation complexity and slightly worse performance, especially on constrained devices. The combined key and signature size of Falcon is the smallest in the competition.

IBM Researchers Vadim Lyubashevsky and Gregor Seiler contributed to the design of Falcon.

Relying only on the security of standard hash functions, SPHINCS+ is the most conservative signature scheme. This strong security guarantee comes at the cost of a somewhat large signature size or a somewhat large signing time, depending on which variant of SPHINCS+ is used. SPHINCS+ is closely related to the stateful eXtended Merkle Signature Scheme (XMSS), which is standardized by the IETF and recommended by NIST. Unlike XMSS, SPHINCS+ is not stateful, which makes SPHINCS+ suitable for general use.

Ward Beullens contributed to the design of SPHINCS+ since the third round of the NIST process.

Publications

• Luca De Feo
• David Kohel
• AsiaCrypt 2020
• Ward Beullens
• CRYPTO 2022
• Vadim Lyubashevsky
• Ngoc Khanh Nguyen
• Gregor Seiler
• Chi-Ming Marvin Chung
• Vincent Hwang
• IACR Transactions on Cryptographic Hardware and Embedded Systems
• Thomas Attema
• CRYPTO 2020
• Muhammed F. Esgin
• Carsten Baum
• Jonathan Bootle
• Crypto 2018

IBM scientists help develop NIST’s quantum-safe standards

Expanding the quantum-safe cryptography toolbox, preparing for the next era of computing with quantum-safe cryptography, is your cybersecurity ready to take the quantum leap, post-quantum cryptography - selected algorithms 2022, contributors.

Related projects

Quantum Threat and Quantum-safe Migration

• Cryptography
• Quantum Safe

Quantum-safe Systems

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

https://www.nist.gov/publications/post-quantum-cryptography-and-quantum-future-cybersecurity

Post-Quantum Cryptography, and the Quantum Future of Cybersecurity

Download paper, additional citation formats.

• Google Scholar

An official website of the United States government

The .gov means it’s official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

• Publications
• Account settings

Preview improvements coming to the PMC website in October 2024. Learn More or Try it out now .

• Advanced Search
• Journal List

Quantum cryptography beyond quantum key distribution

Anne broadbent.

1 Department of Mathematics and Statistics, University of Ottawa, Ottawa, Canada

Christian Schaffner

2 Institute for Logic, Language and Computation (ILLC), University of Amsterdam, and Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands

Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries—including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.

Introduction

The relationship between quantum information and cryptography is almost half-a-century old: a 1968 manuscript of Wiesner (published more than a decade later [ 233 ]), proposed quantum money as the first ever application of quantum physics to cryptography, and is also credited for the invention of oblivious transfer—a key concept in modern cryptography that was re-discovered years later by Rabin [ 195 ]. Still today, the two areas are closely intertwined: for instance, two of the most well-known results in quantum information stand out as being related to cryptography: quantum key distribution (QKD) [ 24 ] and Shor’s factoring algorithm [ 206 ].

There is no doubt that QKD has taken the spotlight in terms of the use of quantum information for cryptography (in fact, so much that the term “quantum cryptography” is often equated with QKD—a misconception that we aim to rectify here!); yet there exist many other uses of quantum information in cryptography. What is more, quantum information opens up the cryptographic landscape to allow functionalities that do not exist using classical 1 information alone, for example uncloneable quantum money. We note, however, that the use of quantum information in cryptography has its limitations and challenges. For instance, we know that quantum information alone is insufficient to implement information-theoretically secure bit commitment; and that a proof technique called rewinding (which is commonly used in establishing a zero-knowledge property for a protocol) does not directly carry over to the quantum world and must re-visited in light of quantum information.

In this paper, prepared on the occasion of the 25th anniversary edition of Designs, Codes and Cryptography , we offer a survey of some of the most remarkable theoretical uses of quantum information for cryptography, as well as a number of limitations and challenges that cryptographers face in light of quantum information. We assume that the reader is familiar with cryptography, but we do not assume any prior knowledge of quantum information. Quantum cryptography is a flourishing area of research, and we have chosen to give an overview of only a limited number of topics. The reader is, of course, encouraged to follow up by consulting the references. To the best of our knowledge, prior survey work on the topic of “quantum cryptography beyond key exchange” is limited to a 2006 survey by Müller-Quade [ 186 ] and a 1996 survey by Brassard and Crépeau [ 45 ]; see also an interesting personal account by Brassard [ 43 ]. A number of surveys that focus on QKD exist and are listed in Sect.  3.2 .

The predictions of quantum mechanics defy our everyday intuition: concepts such as superposition (a particle can be in multiple places or states at the same time), entanglement (particles are correlated beyond what is possible classically) and quantum uncertainty (observing one property of a particle intrinsically degrades the possibility of observing another) are partly responsible for the bewildering possibilities in the quantum world. Section  2 of this survey contains a brief introduction to the mathematical formalism of quantum information as it pertains to quantum cryptography (no prior knowledge of quantum mechanics is assumed). Topics covered in this section include the mathematical formalism for the representation and manipulation of qubits (the fundamental unit of quantum information). We also include a brief survey of concepts such as the quantum no-cloning theorem, entanglement and nonlocality—all of which play an important role in quantum cryptography.

Section  3 of this survey is devoted to quantum cryptographic constructions. The principal appeal in using quantum information for cryptography is in establishing a qualitative advantage. More precisely, the goal is to develop quantum cryptographic protocols that achieve some functionality in a way that is fundamentally advantageous compared to using classical information alone. This quantum advantage can be of the following types:

• a quantum protocol achieves statistical (information-theoretic) security; any classical protocol achieves this task with computational security at best;
• a quantum protocol achieves computational security; no classical protocol can achieve this task, even with computational security.

Many of the quantum constructions that we cover in this survey (whether they are of the first or second type) are inspired by the original proposal of Wiesner called conjugate coding . This construction embodies many unique features of quantum information, as we explain in Sect.  3.1 . In particular, conjugate coding is used in constructions for physically unforgeable quantum money (Sect.  3.1 ), as well as in QKD—a method that allows the information-theoretically secure expansion of shared keys (Sect.  3.2 ). Another application of conjugate coding in quantum cryptography is in showing that two basic cryptographic primitives, bit commitment and oblivious transfer are (information-theoretically) equivalent in the quantum world (Sect.  3.3 )—an equivalence that is provably false in the classical world. Technologically speaking, perfect quantum communication and storage is a challenge; in building protocols in the bounded- and limited-storage quantum models (collectively known as limited-storage models ), ingenious cryptographers have turned this challenge to their advantage (Sect.  3.4 )—once again, the key ingredient in the construction being conjugate coding. Motivated by the perspective that quantum computations will, in the future, be outsourced to remote locations (again, because of technological challenges involved in building quantum computers), cryptographers have studied protocols for the delegation of quantum computations , which we cover in Sect.  3.5 . In Sect.  3.6 , we review the possibility of quantum primitives that accomplish a security against malicious participants that is typically too weak for cryptographic applications (since it does not provide exponential security), yet is still of interest due to the advantage that quantum information provides: this is embodied in quantum protocols for weak coin flipping and imperfect bit commitment . Finally, we survey device-independent cryptography (Sect.  3.7 ) which can be seen as a culmination of many of the constructions already mentioned: thanks to this sophisticated technique, it is possible to achieve cryptographic tasks such as QKD and randomness expansion/amplification, with untrusted devices , which are quantum devices that are assumed to have originated from an adversary. The very possibility of achieving this result stems from one of the most mysterious quantum phenomena, namely nonlocality (which is introduced in Sect.  2.5 ).

While quantum information provides a number of advantages for cryptography, it also has its unique limitations and challenges, which we survey in Sect.  4 . The first limitations that we survey are in terms of impossibility results, namely the impossibility of information-theoretically secure quantum bit commitment (Sect.  4.1 ) and of information-theoretically secure two-party quantum computation (Sect.  4.2 ). Next, we cover two topics that are applicable to purely classical protocols, in which essentially the only concern is that the adversary is capable of quantum information processing: quantum rewinding (Sect.  4.3 ) and superposition attacks (Sect.  4.4 ). We emphasize that the cryptographic challenges encountered here are not related to the superior computational power of a quantum adversary, but rather stem from quantum phenomena such as the no-cloning theorem (which forces us to develop an alternative to the common rewinding method used in order to establish the zero-knowledge property of interactive protocols), and of quantum superposition (which requires a new framework describing interactions with oracles—namely in the quantum random oracle model ). Finally, in Sect.  4.5 , we survey the research area of position-based quantum cryptography, where players use their geographical position as cryptographic credential; while the current main result in this area is a no-go theorem for quantum protocols for the task of position verification, the possibility of position-based quantum cryptography against resource-bounded adversaries remains a tantalizing open question.

One of the lessons learned from all these impossibility results is that quantum security is definitely a tricky business—quantum cryptographers should take this as a warning: the desire to find a “quantum advantage” (i.e. an application where quantum information outperforms all classical solutions) is extremely strong, and cryptographers must be vigilant since the quantum world comes with an abundance of subtleties.

Further topics

Already, the literature on quantum cryptography is vast, and in this survey we have chosen to focus on only a few topics. We briefly mention here some topics that are not included in this survey:

• Everlasting security A protocol has everlasting security if it is secure against adversaries that are computationally unlimited after the protocol execution. This type of security is very difficult to obtain classically, even under strong setup assumptions such as a common reference string or signature cards [ 219 ]. Even though we do not treat the notion explicitly in this survey, many quantum-cryptographic protocols such as QKD (Sect.  3.2 ) and the limited-quantum-storage protocols (Sect.  3.4 ) come with the important benefit of everlasting security. In fact, everlasting security might be the most important reason to use QKD in the first place [ 211 ].
• Quantum functionalities In this survey, we focus mainly on classical functionalities, but quantum functionalities are of course also of interest: assuming full quantum computers for all parties, one can study the secure realization of a quantum ideal functionality. This includes topics such as the encryption of quantum messages in the information-theoretic [ 9 , 41 , 134 , 153 ], entropic [ 95 , 96 ] and computational [ 52 ] settings, quantum secret sharing [ 77 ], multi-party quantum computation [ 22 ], authentication of quantum messages [ 15 ], two-party secure function evaluation [ 98 , 99 ], quantum anonymous transmission [ 49 , 74 ], quantum one-time programs [ 54 ] and quantum homomorphic encryption [ 52 , 239 ].
• Key recycling Using quantum information, it is possible to detect eavesdropping such that key re-use is possible (if no eavesdropping is detected), while maintaining information-theoretic security [ 87 ].
• Quantum uncloneability Because quantum information cannot, in general, be duplicated, (see Sect.  2.4 ), we can achieve functionalities related to copy-protection that cannot be obtained in the classical world. These include uncloneable encryption [ 125 ], quantum copy-protection [ 1 ] and revocable time-release encryption [ 221 ].
• Isolation assumptions The multi-prover interactive proof scenario [ 21 ] enables the information-theoretic implementation of primitives that are unachievable in the single-prover setting. However, the study of quantum information has shed new light on the “isolation” assumptions that are required in order to establish security [ 84 ]. Related to this is the study of protocols which are secure against provers sharing correlations that are very strong, yet do not allow signalling: [ 110 , 139 ]. One particular way to enforce isolation is to spatially separate the players by a far enough distance: the relativistic no-signalling principle ensuring that no information can travel faster than the speed of light between the two sites. A relativistic (classical) bit-commitment scheme was first proposed by Kent [ 142 ] and lately improved and experimentally implemented [ 160 ]. See also related work [ 159 ].
• Leakage resilience using quantum techniques In leakage resilient computation , we are interested in protecting computations from attacks according to various leakage models. In one of these models (the “split-state” model), it was shown [ 93 ] that quantum information allows a solution to the orthogonal-vector problem , while no classical solution exists. Also, related work [ 151 ] shows that techniques from fault-tolerant quantum computation can be used to construct novel leakage-resilient classical protocols.
• Quantum cryptanalysis Historically, the study of quantum algorithms is closely related to quantum cryptanalysis , which is the study of quantum algorithms for cryptanalysis. This is evidenced by some of the very early work on quantum algorithms, including Shor’s algorithm for computing discrete logarithms and integer factoring in quantum polynomial-time [ 206 ], Grover’s search algorithm [ 40 , 126 ] (which provides a square-root speedup in term of query complexity, for searching in an unstructured database). Recent work in the area of quantum cryptanalysis includes [ 33 , 71 , 127 , 128 , 150 , 196 ]. See also [ 13 , 184 ] for surveys on quantum algorithms, as well as the Quantum Algorithm Zoo . 2
• Merkle puzzles in a quantum world The first unclassified proposal for secure communication over insecure channels was made by Merkle in 1974 (published years later [ 176 ]). The main idea is that honest parties can establish a secure communication channel by expending work proportional to N , yet any successful attack requires a computational effort proportional to N 2 . In a nutshell, Grover’s search algorithm [ 126 ] implies that quantum computers break the security of Merkle’s scheme. However, [ 50 ] show how to restore security in the quantum context: either by using a new classical protocol (in which case an adversary can break the scheme by expending work proportional to N 5 / 3 (which is shown to be optimal), or by using a quantum protocol (in which case the quadratic security can essentially be restored).
• From classical to quantum security What can we say about the relationship between security in the classical setting versus the quantum setting? In this context, Unruh [ 216 ] shows that if a protocol is statistically secure in the universal composability (UC) framework [ 63 , 216 ], then the same protocol is quantum UC secure as well, and Fehr, Katz, Song, Zhou and Zikas [ 113 ] classified the feasibility of cryptographic functionalities in the universal composability (UC) framework, 3 and showed that feasibility in the quantum world is equivalent (for a large family of functionalities) to classical feasibility, both in the computational and statistical setting. See also [ 129 , 210 ].
• Post-quantum cryptography The area of post-quantum cryptography [ 32 ] 4 finds alternatives to the RSA and discrete-log assumptions in (classical) cryptography, in order to circumvent quantum attacks stemming from Shor’s algorithm. This area is traditionally considered a topic related to classical cryptography, but the issues arising from the problem of quantum rewinding (Sect.  4.3 ) and the superposition model for oracle access (Sect.  4.4 ) may be considered part of post-quantum cryptography as well.
• Experimental implementations Experimental implementations of quantum cryptography are mostly focused on QKD (see [ 8 ]), but also include quantum coin flipping [ 31 , 182 , 189 ], quantum secret sharing [ 212 ], delegated quantum computation [ 17 , 114 ], limited-quantum-storage cryptography [ 105 , 188 ], and device-independent randomness generation [ 75 , 194 ].

Basics of quantum information

This section contains the rudiments of quantum information that are used in the main text; we assume of the reader only basic knowledge of linear algebra. The reader should be warned that quantum theory is actually much more rich, subtle and beautiful! Textbook references on quantum information include: [ 141 , 177 , 190 , 228 , 234 ].

State space

The bit is the fundamental unit of information for classical information processing. In quantum information processing, the corresponding unit is the qubit , which is described mathematically by a vector of length one in a two-dimensional complex vector space. We use notation from physics to denote vectors that represent quantum states, enclosing vectors in a ket , yielding, i.e. | ψ ⟩ . We can write any state on one qubit as a | ψ ⟩ = α | 0 ⟩ + β | 1 ⟩ , where the states | 0 ⟩ and | 1 ⟩ form a basis for the underlying two-dimensional vector space, and where α , β are complex numbers satisfying | α | 2 + | β | 2 = 1 . If neither α nor β are zero, then we say that  | ψ ⟩ is in a superposition (linear combination) of both | 0 ⟩ and | 1 ⟩ . The quantum state of two or more qubits can be described by a tensor product. Hence, the four basis states for two qubits are | 0 ⟩ ⊗ | 0 ⟩ , | 0 ⟩ ⊗ | 1 ⟩ , | 1 ⟩ ⊗ | 0 ⟩ , | 1 ⟩ ⊗ | 1 ⟩ which is usually abbreviated as | 00 ⟩ , | 01 ⟩ , | 10 ⟩ , | 11 ⟩ . Extending the concept of superposition to multiple qubits, we see that a system of  n qubits can be in any superposition of the n -bit basis states | 00 … 0 ⟩ , | 00 … 1 ⟩ , … , | 11 … 1 ⟩ . Hence, an n -qubit state is described by 2 n complex coefficients. In case of bipartite quantum states shared among Alice and Bob, subscripts can be used to indicate which player holds which qubits. For instance, the 2-qubit state | 0 ⟩ A ⊗ | 0 ⟩ B = | 00 ⟩ A B means that Alice and Bob both hold a qubit in state | 0 ⟩ .

Unitary evolution and circuits

Basic evolutions of a quantum system are described by linear operations that preserve the norm; formally, these operations can be expressed as unitary complex matrices (a complex matrix  U is unitary if U U † = I , where U † is the complex-conjugate transpose of  U ). Quantum algorithms are commonly described as circuits (rather than by quantum Turing machines) consisting of basic quantum gates from a universal set. Commonly used single-qubit gates are the negation ( X ), phase ( Z ) and Hadamard ( H ) gates, expressed by the following unitary matrices:

An example of a two-qubit gate is the controlled-not operation ( CNOT ):

Measurement

In addition to unitary evolution, we specify an operation called measurement , which, in the simplest case, takes a qubit and outputs a classical bit. If we measure a qubit | ψ ⟩ = α | 0 ⟩ + β | 1 ⟩ , we will get as outcome a single bit, which takes the value 0 with probability  α 2 and the value 1 with probability  β 2 . We further specify that, after the process of measurement, the quantum system collapses to the measured outcome. Thus, the quantum state is disturbed and it becomes classical : any further measurements have a deterministic outcome. We have described measurement with respect to the standard basis ; of course, a measurement can be described according to an arbitrary basis; the probabilities of the outcomes can be computed by first applying the corresponding change-of-basis, followed by the standard basis measurement. Measurements can actually be described much more generally: e.g. we can describe outcomes of measurements of a strict subset of a quantum system—the mathematical formalism to describe the outcomes uses the density matrix formalism, which we do not describe here.

As a simple example of quantum measurements, consider the states | ψ 1 ⟩ = | 0 ⟩ and | ψ 2 ⟩ = 1 2 ( | 0 ⟩ + β | 1 ⟩ ) . Then measuring the state | ψ 1 ⟩ yields the outcome 1 with unit probability and the state remains | 0 ⟩ , while measuring | ψ 2 ⟩ yields the outcome 0 or 1, each with probability  1 2 , and the post-measurement state is | 0 ⟩ if we observed outcome 0 and | 1 ⟩ if we observed 1.

Quantum no-cloning

One of the most fundamental properties of quantum information is that it is not physically possible, in general, to clone a quantum system [ 236 ] (i.e. there is no physical process that takes as input a single quantum system, and outputs two identical copies of its input). A simple proof follows from the linearity of quantum operations. 5 At the intuitive level, this principle is present in almost all of quantum cryptography, since it prevents the classical reconstruction of the description of a given qubit system. For instance, given a single copy of a general qubit α | 0 ⟩ + β | 1 ⟩ , it is not possible to “extract” a full classical description of α and β , because measuring disturbs the state. At the formal level, however, we generally require more sophisticated tools to prove the security of quantum cryptography protocols (see Sect.  3.1 ).

Quantum entanglement and nonlocality

A crucial and rather counter-intuitive feature of quantum mechanics is quantum entanglement , a physical phenomenon that occurs when quantum particles behave in such a way that the quantum state of each particle cannot be described individually. A simple example of such an entangled state are two qubits in the state ( | 00 ⟩ A B + | 11 ⟩ A B ) / 2 . When Alice measures her qubit (in system  A ), she obtains a random bit a ∈ { 0 , 1 } as outcome and her qubit collapses to the state | a ⟩ A she observed. At the same time, Bob’s qubit (in system  B ) also collapses to | a ⟩ B and hence, a subsequent measurement by Bob yields the same outcome b = a . It is important to realize that this collapse of state at Bob’s side occurs simultaneously with Alice’s measurement, but it does not allow the players to send information from Alice to Bob. It simply provides Alice and Bob with a shared random bit. In general, quantum entanglement does not contradict the fundamental non-signaling principle of the theory of relativity stating that no information can travel faster than the speed of light. 6

It turns out that by measuring entangled quantum states, Alice and Bob are able to produce correlations that are stronger than all correlations they could obtain when sharing only classical randomness. In this case, physicists say that the correlations violate a Bell inequality [ 20 ]. The most well-known example of such an inequality was proposed by Clauser, Horne, Shimony and Holt [ 76 ]. It can be described as a so-called non-local game among two players Alice and Bob. In this CHSH game, Alice and Bob can initially discuss in order to establish a joint strategy. Once the game starts, they are separated and cannot communicate. They receive as input uniformly random bits x and y and have to output bits a and b respectively. They win the game if and only if a ⊕ b = x ∧ y (imagine a third party, called a referee who chooses x and y , receives a and b and checks whether the relationship a ⊕ b = x ∧ y holds). A possible classical strategy for Alice and Bob is to ignore their inputs and always output a = b = 0 . This strategy lets them win the game with probability 3 / 4. It can be checked that there exist no better strategy for two classical players who are not allowed to communicate. In other words, we have the Bell inequality Pr [ classical players win CHSH ] ≤ 3 / 4 . However, if Alice and Bob share a maximally entangled state (e.g. an EPR pair ( | 00 ⟩ + | 11 ⟩ ) / 2 ), they can perform a quantum measurement which allows them to win the CHSH game with probability cos 2 ( π / 8 ) ≈ 0.85 which is strictly larger than 3 / 4, hence violating the Bell inequality. Many experimental tests of this inequality have been performed and consistently found violations of this inequality, thereby proving that the world is actually more accurately described by quantum mechanics rather than by classical mechanics.

Physical representations

The mathematical model of quantum mechanics is currently the most accurate description of the physical world. This theory is without doubt the most successful and well-tested physical theory of all times; it describes a wide range of physical systems, and thus offers a large number of possible physical systems which can serve as quantum devices. These possibilities include photonic quantum computing, superconduction qubits, nuclear magnetic resonance, ion trap quantum computing and atomic quantum computing (see, e.g. [ 94 ]). For our purposes, at the abstract level, all of these systems are described by the same formalism; however there may be experimental reasons to prefer one implementation over the other (e.g. photons are well-suited for long-distance quantum communications, but other systems such as superconducting qubits are better suited for quantum interactions).

Quantum cryptographic constructions

In this section, we survey a number of quantum cryptographic protocols (see Sect.  1.1 for a brief overview of these topics). Many of these protocols share the remarkable feature of being based on a very simple pattern of quantum information called conjugate coding . Because of its paramount importance in quantum cryptography, we first present this notion in Sect.  3.1 . We then show how conjugate coding is the crucial ingredient in the quantum-cryptographic constructions for quantum money (Sect.  3.1 ), QKD (Sect.  3.2 ), a quantum reduction from oblivious transfer to bit commitment (Sect.  3.3 ), the limited-quantum-storage model (Sect.  3.4 ) and delegated quantum computation (Sect.  3.5 ). Further topics covered in this section are quantum coin-flipping (Sect.  3.6 ) and device-independent cryptography (Sect.  3.7 ).

Conjugate coding

Conjugate coding [ 233 ] is based on the principle that we can encode classical information into conjugate quantum bases. This primitive is extremely important in quantum cryptography—in fact, the vast majority of quantum cryptographic protocols exploit conjugate coding in one way or another. Conjugate coding is also called quantum coding [ 30 ] and quantum multiplexing [ 26 ].

Example of conjugate coding

Note that, we use the abbreviation R for the rectilinear basis and D for the diagonal basis

The relevance of conjugate coding to cryptography is summarized by two key features that were, remarkably, already mentioned and exploited in Wiesner’s work [ 233 ]:

• Measuring in one basis irrevocably destroys any information about the encoding in its conjugate basis.
• The originator of the quantum encoding can verify its authenticity; however, without knowledge of the encoding basis, and given access to a single encoded state, no third party can create two quantum states that pass this verification procedure with high probability.

In order to explain the first property, recall the well-known Heisenberg uncertainty relation [ 135 ], which forbids learning both the position and momentum of a quantum particle precisely and simultaneously. In terms of photon polarization, and for a single photon, let us denote by P X the distribution of outcomes when measuring the photon in the rectilinear basis and by  Q X the distribution when measuring in the diagonal basis. Following Heisenberg, Maassen and Uffink [ 162 ] showed an uncertainty relation : H ( P X ) + H ( Q X ) ≥ 1 (where H is the Shannon entropy , an information-theoretic measure of uncertainty given by H ( P X ) = - ∑ x p x log 2 p x ). Intuitively, such a relation quantifies the fact that one can know the outcome exactly in one basis, but consequently has complete uncertainty in the other basis. Looking ahead, we will see that such uncertainty relations play a key role in proving security of quantum cryptographic protocols, e.g. in the limited-quantum-storage setting (Sect.  3.4 ). The second property above is explained by noting that a quantum encoding can be verified by measuring each qubit in its encoding basis and checking that the measurement result corresponds to the correct encoded bit. Intuitively, the no-cloning theorem (Sect.  2.4 ) prevents a third party from forging a state that would pass this verification procedure; however, formalizing this concept requires more work (see Sect.  3.1 ).

What is more, the technological requirements of conjugate coding are very basic: the single-qubit “prepare-and-measure” paradigm of conjugate coding is feasible with today’s technology—thus, many protocols derived from conjugate coding inherit this desirable property (which is, in fact considered the gold standard for “feasible” quantum protocols).

In the late 1960s, Wiesner [ 233 ] had the visionary idea that quantum information could be used to create unforgeable bank notes. His ideas were in fact so much ahead of their time that it took years to publish them! (According to [ 30 ], Wiesner’s original manuscript was written in 1968.)

Wiesner’s work was improved and extended in many ways: early work of Bennett, Brassard, Breidbart and Wiesner [ 26 ] showed how to combine computational assumptions with conjugate coding in order to achieve a type of public verifiability for the encoded states (they coined their invention unforgeable subway tokens ). Further work on publicly-verifiable (also called public-key quantum money) includes schemes based on the computational difficulty of some knot-theory related problems [ 107 ] (see also [ 3 ]), verification “oracles” [ 1 ] and hidden subspaces [ 2 ].

Returning to Wiesner’s scheme (which is often called private-key quantum money in order to distinguish it from the public-key quantum money schemes), we note that the first proof of security in the case of multiple qubits is based on semi-definite programming, and appeared only recently [ 181 ] (this result is tight, since it also gives an explicit optimal attack). We also note work on variants of Wiesner’s scheme in which quantum encodings are returned after validation: in all cases (whether the post-verification state is always returned [ 108 ], or the post-verification state is returned only for encodings that are deemed valid [ 55 ]), the resulting protocol has been found to be insecure.

We also note that further work has studied the possibility of private-key quantum money that can be verified using only classical interaction with the bank [ 116 , 181 ], quantum coins [ 185 ] (which provide a perfect level of anonymity), as well as noise-tolerant versions of Wiesner’s scheme [ 191 ].

Quantum key distribution

QKD is by far the most successful application of quantum information to cryptography. By now, QKD is the main topic of a large number of surveys (see, for instance, [ 23 , 45 , 56 , 109 , 120 ]). Due to abundance of very good references on this topic, we survey it only briefly here.

We briefly mention that the formal security of QKD was originally left open, and that a long sequence of works (e.g. [ 158 , 171 ]) culminated in a relatively accessible proof by Shor and Preskill, based on the use of quantum error correction [ 207 ]. Further work by Renner [ 198 ] showed a very different approach for proving the security of QKD based on exploiting the symmetries of the protocol (and applying a de Finetti style representation theorem), and splitting the security analysis into the information-theoretic steps of error-correction and privacy amplification. Other proofs of QKD are more directly based on the complementarity of the measurements [ 148 ]. It is a sign for the complexity of QKD security proofs that most articles on this topic focus only on subparts of the security analysis and only very recently did a first comprehensive analysis of security appear [ 213 ].

The huge success of QKD is due in part to the fact that it is readily realizable in the laboratory (the first demonstration appeared in 1992 [ 27 ]). In light of practical implementations, security proofs for QKD need to be re-visited in order to obtain concrete security parameters—this is the realm of finite-key security [ 133 , 204 , 213 , 214 ]. Furthermore, we note that when it comes to real-world implementations, QKD is vulnerable to side-channel attacks, which are due to the fact that physical implementations deviate from the idealized models used for security proofs (this is often referred to as quantum hacking [ 161 ]).

We further note that the assumption of an initial short shared secret (for authenticating the classical channel) in the implementation of QKD can be replaced with a computational assumption or an assumption about the storage capabilities of the eavesdropper (see Sect.  3.4 ). The result is everlasting [ 219 ] or long-term [ 211 ] security: information-theoretic security is guaranteed except during the short period of time during which we assume a computational (or memory) assumption holds.

Bit commitment implies oblivious transfer

Oblivious transfer (OT) and bit commitment (BC) are two basic and important primitives for cryptography. In the classical case, it is easy to show that OT implies BC (in the information-theoretic setting), but the implication in the other direction does not hold. 7 In stark contrast, OT and BC are known to be equivalent in the quantum world. In the following sections, we introduce these primitives (Sect.  3.3.1 ) and describe a quantum reduction from oblivious transfer to bit commitment (Sect.  3.3.2 ).

Oblivious transfer (OT) and bit commitment (BC)

Wiesner’s paper about quantum cryptography [ 233 ] introduced “a means for transmitting two messages either but not both of which may be received”. This classical cryptographic primitive was later rediscovered (under a slightly different form) by Rabin [ 195 ], and was given in the form of 1-out-of-2 Oblivious Transfer (OT) ) by Even, Goldreich and Lempel [ 106 ]. In OT, Alice sends two messages m 0 , m 1 to Bob who receives only one of the messages m c according to his choice bit c . Security for Alice (against dishonest Bob) guarantees that Bob receives only one of the two messages, whereas security for Bob (against dishonest Alice) ensures that Alice does not learn anything about Bob’s choice bit. 8 In the version by Rabin [ 195 ], this primitive is essentially a secure erasure channel where Alice sends a single bit to Bob. This bit gets erased with probability 1/2 (in this case Bob receives  ⊥ ), but Alice does not learn whether the bit was erased. In fact, it is known that Rabin OT is equivalent to 1-out-of-2 OT [ 81 ].

The importance of OT is embodied by the fact that it is universal for secure two-party computation [ 145 ] (i.e. using several instances of 1-out-of-2 OT, any function can be securely evaluated among two parties such that no dishonest player can learn any information about the other player’s input—beyond what can already be inferred from the output of the computed function). 9 Due to this universality, the innocent-looking OT primitive gives an excellent indicator for the cryptographic power of a model.

Bit Commitment (BC) is a cryptographic primitive that captures the following two-party functionality: Alice has a bit  b that she wants to commit to Bob, but she wants to prevent Bob from reading  b until she chooses to reveal it ( concealing or hiding ). Although Bob should not be able to determine  b before Alice reveals it, Alice should be unable to change the bit after it is committed ( binding ). A physical-world implementation of bit commitment would be for Alice to write  b on a piece of paper, lock it in a safe, and send the safe to Bob. Since Bob cannot open the safe, he cannot determine  b (concealing), and since Alice has physically given the safe to Bob, she cannot change  b after the commitment phase (binding). When Alice wishes to reveal the bit, she sends the key to Bob.

Quantum protocol for oblivious transfer

While it is easy to show that the above protocol is correct and secure against dishonest Alice (i.e. Alice does not learn anything about Bob’s choice bit c ), it is clearly insecure against a dishonest Bob who is able to store all quantum states until Alice tells Bob the basis string θ . Such a Bob can then measure all positions in the correct basis and hence recover both m 0 and m 1 . The idea of [ 29 ] was to force Bob to perform the measurement by requiring him to commit to the bases θ ′ and outcomes x ′ . Alice then checks a fraction of these commitments before Alice announces the basis string θ .

A long line of research [ 29 , 82 , 168 , 172 , 238 ] has worked towards proving the security of this protocol. However, the crucial tools for an actual proof were eventually developed by Damgård, Fehr, Lunemann, Salvail, and Schaffner [ 91 ] nearly two decades after the original protocol was proposed; Unruh subsequently used these techniques to formally establish the equivalence of BC and OT in the quantum UC model [ 216 ].

Limited-quantum-storage models

As we will see in Sect.  4.1 , bit commitment is impossible to construct in the quantum world. More generally, it has been shown (see Sect.  4.2 ) that secure two-party computation is impossible in the plain quantum model, without any additional restrictions on the adversaries. One option in order to obtain security is to make computational assumptions. However, as we discuss below, it is also possible to obtain information-theoretic security, while making instead some reasonable assumptions about the storage capabilities of the adversary.

One of the challenges in building quantum devices is the difficulty of storing quantum information in a physical system (such as atomic or phototonic systems) under stable conditions over a long period of time—building a reliable quantum memory is a major research goal in experimental quantum physics (see e.g. [ 208 ] for a review produced by the European integrated project Qubit Applications (QAP) ). Despite continuous progress over the last years, large-scale quantum memories that can reliably store quantum information are currently out of reach. As we discuss in this section, ingenious quantum cryptographers have turned this technological challenge into an advantage for quantum cryptography!

The bounded-quantum-storage model, introduced by Damgård, Fehr, Salvail and Schaffner in [ 86 ], is a model which assumes that an adversary can only store a limited number of qubits. Generally, protocols in this model require no quantum storage for the honest players, and are secure against adversaries that are unable to store a constant fraction of the qubits sent in the protocol.

This model is inspired by the classical bounded-storage model, as introduced by Maurer [ 62 , 167 ]. In this model, honest parties are required to store Θ ( n ) bits, but protocols (for OT and key agreement) are insecure against attackers with storage capabilities of Ω ( n 2 ) bits. Unfortunately, this gap between storage requirements for honest and dishonest players can never be bigger than quadratic [ 101 , 102 ]. Combined with the fact that classical storage is constantly getting smaller and cheaper, this quadratic gap puts the classical-bounded-storage assumption on a rather weak footing. In sharp contrast, the quantum bounded-storage model gives an unbounded gap between the quantum-storage requirements of the honest and dishonest players, making this model model robust to technological improvements.

In the bounded-quantum storage model, a protocol for OT was proposed [ 86 ]. Again, it is based on conjugate coding and is essentially identical to the protocol outlined in the previous Sect.  3.3.2 , except that there is a waiting time Δ t (say, 1 s) right after the quantum phase, before Alice sends her basis string θ to Bob. In this time, a dishonest receiver Bob is forced to use his (imperfect) quantum memory and therefore loses some information about Alice’s string x which intuitively leads to the security of the oblivious transfer. In a subsequent series of works [ 88 – 90 ], protocols for BC, OT and password-based identification (i.e. the secure evaluation of the equality function) were presented. For an overview of these results, see [ 109 , 205 ].

The noisy-quantum-storage model, as introduced by Wehner, Schaffner and Terhal [ 231 ] captures the difficulty of storing quantum information more realistically. Whereas in the bounded-quantum-storage model, the physical number of qubits an attacker can store is limited, dishonest players are allowed arbitrary (but imperfect) quantum storage in the noisy-quantum-storage model.

Beyond limited quantum storage Continuing the idea of assuming realistic technological restrictions on the adversary, researchers have developed protocols that are secure under the assumption that certain classes of quantum operations are hard to perform. A natural class to study consists of adversaries who can store perfectly all qubits they receive, but who cannot perform any quantum operations, except for single-qubit measurements (adaptively in arbitrary bases) at the end of the protocol. Such a model was first studied by Salvail [ 201 ], and later by Bouman, Fehr, Gonzáles-Guillén and Schaffner [ 39 ] and Liu [ 138 , 154 , 155 ] under the name of “isolated-qubit model”.

Cryptographic proof techniques In Sect.  3.1 , we mentioned uncertainty relations (and in particular entropic uncertainty relations—which quantify uncertainty in information-theoretic terms). These relations play a key role in the security proofs for protocols in the limited-quantum-storage model. We refer to [ 229 ] for a survey by Wehner and Winter on this topic. In fact, one can argue that the areas of limited-quantum storage models and entropic uncertainty relations have benefited a lot from each other, as research questions in one area have led to results in the other and vice versa. This fruitful co-existence is witnessed by a series of publications: [ 34 , 35 , 39 , 100 , 187 ].

Composability It is natural to ask whether limited-quantum-storage protocols for basic tasks such as OT can be composed to yield more involved two- or multi-party secure computations. This question was answered in the positive in a number of works, including: Fehr and Schaffner [ 111 ], Wehner and Wullschleger [ 230 ] (for sequential composition) and Unruh [ 217 ] (for bounded concurrent composition).

Implementations The technological requirements to implement limited-quantum-storage protocols in practice are modest and rather similar to already available QKD technology (often, the actual quantum phase is the same as in QKD). A small but significant difference is that it makes sense to run secure computations among players which are located within a few meters of each other, whereas the task of distributing keys demands large separations between players. This difference allows experimenters to optimize some parameters (such as the rate) differently for secure-computation protocols. The experimental feasibility of these protocols was analyzed theoretically in [ 232 ] and demonstrated practically in [ 105 , 188 ].

Delegated quantum computation

Quantum computers are known to enable extraordinary computational feats unachievable by today’s devices [ 126 , 184 , 206 ]. However, technologies to build quantum computers are currently in their infancy; the current state-of-the-art suggests that, when quantum computers become a reality, these devices are likely to be available at a few location only. In this context, we envisage the outsourcing of quantum computations from quantum computationally weak clients to universal quantum computers (a type of quantum cloud architecture). This scenario has appealing cryptographic applications, such as the delegated execution of Shor’s algorithm [ 206 ] for factoring, and thus breaking RSA public keys [ 200 ]. From the cryptographic point of view, this scenario raises many questions in terms of the possibility of privacy in delegated quantum computation.

Pioneering work of Childs [ 70 ] and Arrighi and Salvail [ 12 ] studied this problem for the first time. The first practical and universal protocol for private delegated quantum computation, called “universal blind quantum computation” (uBQC) was given by Broadbent, Fitzsimons and Kashefi [ 53 ]. In uBQC, the client only needs to be able to prepare random single-qubit auxiliary states (the client requires no quantum memory or quantum processor). Via a classical interaction phase, the client remotely drives a quantum computation of her choice, such that the quantum server cannot learn any information about the computation that is performed—with only the client learning the output. The uBQC protocol has been demonstrated experimentally [ 17 ].

We mention further that the verifiability of delegated quantum computations has been addressed in [ 5 , 54 ], and has been the object of an experiment [ 18 ], and that security has been analyzed in terms of a strong notion of  composability [ 97 ]. Furthermore, work of Reichardt, Unger and Vazirani shows that delegated quantum computation is achievable for a purely classical client, if we are willing to make the assumption of two universal quantum computers that cannot communicate [ 197 ] (see also Sect.  3.7 ).

Quantum protocols for coin flipping and cheat-sensitive primitives

In a classic cryptography paper [ 36 ], Blum describes how to “flip a coin over the telephone” with the help of bit commitment: Alice commits to a random bit a , Bob tells Alice another random bit  b , and Alice opens the commitment to  a . The outcome of the coin is a ⊕ b which cannot be biased by any of the two players (intuitively, because at least one random bit of an honest player was involved in determining the outcome). A coin flip with this property is called a strong coin flip. In contrast, for a weak coin flip, Alice and Bob have a desired outcome, i.e. Alice “wins” if the outcome is 0, and Bob “wins” if the outcome is 1. A weak-coin-flipping protocol with bias  ε guarantees that no dishonest player can bias the coin towards his or her desired outcome with probability greater than  ε . In the classical world, coin-flipping can be achieved under computational assumptions. However, in the information-theoretic setting, it was shown [ 130 , 136 ] that one of the players can always achieve his desired outcome with probability 1.

In the quantum world, we note that the general impossibility results for quantum two-party computation (Sect.  4.2 ) are not applicable to coin flipping, since the participants in a coin flipping protocol have no inputs, and instead aim to implement a randomized functionality. Nevertheless, Kitaev showed [ 146 ] (see also [ 10 ]) that any quantum protocol for strong coin-flipping is insecure since it can be biased by a dishonest player. Formally, the bias of any strong coin-flipping protocol is bounded from below by 1 2 - 1 2 . Interestingly, Mochon [ 180 ] managed to expand Kitaev’s formalism of point games to prove the existence of a weak coin-flipping protocol with arbitrarily small bias ε > 0 . Unfortunately, Mochon’s 80-page proof has never been peer-reviewed and is rather difficult to follow. Aharonov, Chailloux, Ganz, Kerenidis and Magnin [ 6 ] have managed to simplify this proof considerably.

Based on this result, Chailloux and Kerenidis [ 66 ] derived an optimal strong-coin-flipping protocol with the best possible bias 1 2 - 1 2 , matching Kitaev’s lower bound. Also based on a weak-coin flip, Chailloux and Kerenidis [ 67 ] gave the best possible imperfect quantum bit commitment. For the optimality, they prove that in any quantum bit commitment protocol, one of the players can cheat with significant probability. 10 Such a result shows that an imperfect bit commitment cannot be amplified to a perfect one—which severely limits the applicability of the scheme to the cryptographic setting.

Cheat sensitivity Quantum mechanics offers the possibility to construct imperfect cryptographic primitives in the sense that they are correct (as long as the players are honest), but they are insecure, i.e. they do allow one of the players (say Alice) to cheat. However, the other player Bob has the possibility to check if Alice has been cheating (possibly by sacrificing the protocol outcome he would have obtained if he followed the protocol without checking). Hence, a cheating Alice has non-zero probability to be detected. These protocols are called cheat sensitive [ 4 , 57 , 118 , 119 , 132 , 137 ]. In this context, it is argued that one could set up a game-theoretic environment: a player caught cheating has to pay a huge fine (or undergo another punishment) and is therefore deterred from actually doing it.

We note, however, that the applications of cheat sensitive protocols to the cryptographic setting are limited: while quantum protocols for imperfect and cheat-sensitive primitives can provide nice examples of separations between the classical and quantum worlds, they fulfill their purpose as long as they are considered as “final products”, for instance in case of private information retrieval. However, it is difficult to argue that a strong coin flip with a constant bias, an imperfect bit commitment, or imperfect OT are cryptographically useful primitives, because they do not inherit the cryptographic importance of their perfect counterparts which can be used as building blocks for more advanced cryptographic primitives. In the case of cheat sensitivity, it is often unclear how such primitives behave under composition. In fact, it is a challenging open question to come up with a composability framework for cheat-sensitive quantum primitives.

Device-independent cryptography

An exciting feature of quantum cryptography is that it allows the possibility of device-independent cryptography in the sense that protocols can be run on untrusted devices which have possibly been constructed by the adversary. The crucial insight is that the “quantumness” of two (or more) devices can be tested and guaranteed by using the devices to violate a Bell inequality, i.e. to produce correlations that are stronger than allowed by classical mechanics. As outlined in Sect.  2.5 , the most well-known example of such an inequality is the CHSH game [ 76 ]. The key observation of device-independent cryptography is that in order to violate the CHSH inequality, a certain amount of intrinsic quantum randomness has to be present in the players’ outputs. That we could exploit this relationship for cryptography was originally pointed out by Ekert [ 104 ], and further studied by Mayers and Yao [ 173 ] and Barrett, Hardy and Kent [ 16 ]. In fact, this latter work shows not only how to accomplish cryptography with untrusted devices, but also how to do away completely with assumptions on the validity of quantum mechanics: instead, it shows how to accomplish QKD solely based on the non-signaling principle [ 131 , 166 ]!

The relation between the CHSH violation and the amount of entropy in the outcomes of the measurements can be quantified exactly [ 194 ]. In fact, on the topic of self-testing quantum devices [ 163 , 174 , 175 , 178 ], Reichardt, Unger and Vazirani have shown a strong robustness result [ 197 ] in the sense that being close to winning the CHSH-game with optimal probability implies that the players must essentially be in possession of a state which is close to an EPR pair. This is an extremely powerful result which has various applications.

The two qubits of an EPR state are maximally entangled. Quantum mechanics forbids any third party to be entangled with such a state (a phenomenon called monogamy of entanglement ). Hence, measurements on an EPR state result in shared randomness which is guaranteed to be unknown to any eavesdropper. 11 In a similar vein, one can argue that the measurement outcomes of Alice and Bob while successfully playing the CHSH game cannot be known to any adversary even if this adversary has built the devices herself and is possibly still entangled with them .

This effect leads to the interesting cryptographic applications of device-independent randomness amplification and expansion and device-independent QKD . In randomness amplification , the task at hand is to obtain near-perfect randomness from a weak random source using untrusted quantum devices (without using any additional randomness); this idea was originally proposed by Colbeck and Renner [ 80 ]. In randomness expansion , one wants to expand a few truly random bits into more random bits, again using untrusted quantum devices; this idea was originally proposed by Colbeck and Kent [ 67 , 78 ]. Providing formal security proofs has turned out to be rather challenging and was first established against classical adversaries [ 112 , 193 , 194 ], and later also against quantum adversaries [ 179 , 224 ]. A combination of the latest protocols allows to arbitrarily amplify very weak sources of randomness in a device-independent fashion. Experimental realizations of device-independent randomness include [ 75 , 194 ].

In device-independent QKD, we make the additional assumption that there is no communication between the adversary and the quantum devices. The first formal proof for a device-independent QKD scheme was given by Vazirani and Vidick [ 225 ]. Current research in this area aims to propose more practical device-independent QKD schemes that retain their functionality at realistic levels of noise.

Quantum cryptographic limitations and challenges

In this section, we survey a number of limitations and challenges of quantum cryptography (see Sect.  1.1 for a brief overview of these topics). We cover the impossibility of information-theoretically secure quantum bit commitment (Sect.  4.1 ) as well as the impossibility of information-theoretically secure two-party quantum computation (Sect.  4.2 ). Next, we survey the challenges imposed by quantum information in the context of quantum rewinding (Sect.  4.3 ) and superposition access to oracles in a quantum world (Sect.  4.4 ). Finally, we discuss impossibility results for position-based quantum cryptography (Sect.  4.5 ).

Impossibility of quantum bit commitment

The 10-year period following the publication of the first QKD protocol [ 24 ] saw only a handful of cryptographers working in quantum cryptography. This era was a period of vivid optimism. Indeed, the concept that quantum mechanics could allow unconditionally secure key expansion is mind-boggling, so why stop there? The next natural step to examine was oblivious transfer , which is an important building block for cryptography [ 145 ] (see Sect.  3.3.1 for definitions of bit commitment and oblivious transfer ).

From this early period of quantum cryptography, we know of a quantum reduction from bit commitment to oblivious transfer [ 29 ] (see Sect.  3.3 ). Hence, the holy grail of oblivious transfer is achievable, if only we have access to a bit commitment ! Thus, researchers explored the possibility of quantum bit commitment (i.e. of using quantum information in order to build bit commitment), with the hopes of founding all of cryptography on the unique assumption of quantum mechanics. This line of work started in [ 44 ], culminating in a claim of a unconditionally secure quantum bit commitment protocol [ 46 ]. However, the optimism for quantum cryptography lasted only a few years as Mayers [ 169 ] found a subtle flaw in the original argument of security. This result was generalized to rule out all quantum protocols for bit commitment by Mayers, and Lo and Chau [ 157 , 170 ]. Note that the possibility of bit commitment in the limited-quantum-storage model (Sect.  3.4 ) introduces an extra physical assumption, and does not contradict the impossibility as discussed here!

We now briefly review the main impossibility argument [ 47 ] (for ease of presentation, we focus on the exact case). 12 First, consider the following sketch of impossibility for perfectly secure classical bit commitment: suppose such a protocol exists. Then by the information-theoretic security requirement, at the end of the commitment phase, Bob’s view of the protocol must be independent of  b (since, otherwise, the protocol would not be perfectly hiding). But this independence implies that Alice can choose to reveal either b = 0 or  b = 1 in the reveal phase, with both being accepted by Bob. Hence, the bit commitment cannot be binding. It is interesting that the same proof structure is applicable to the quantum case, albeit by invoking some slightly more technical tools. Namely, we first consider a purified version of the protocol, which consists in all parties acting at the quantum level (measurements are replaced by a unitary process via a standard technique). Next, by the information-theoretic hiding property, the reduced quantum state that Bob holds at the end of the commit phase must be identical, whether  b = 0 or b = 1 . This condition is enough to break the binding property, since it means [ 215 ] that Alice can locally perform a unitary quantum operation on her system in order to re-create a joint state consistent with either  b = 0 , or b = 1 , at her choosing. 13 Hence, she can chose to open either  b = 0 or b = 1 at a later time, and Bob will accept: the commitment scheme cannot be binding.

Going back to the original paper on quantum bit commitment [ 46 ], we note that a subtlety in the definition of the binding property is the origin of the false claim of security: while it is true that the protocol is such that Alice is unable to simultaneously hold messages that would unveil a commitment to b = 0 and as b = 1 (and thus, to be able to choose to open b = 0 and b = 1 ), this is insufficient to prove security, since in fact Alice is able to delay her choice of commitment until the very end of the protocol—at which point she can choose to open as either b = 0 or b = 1 (but not necessarily both at the same time!).

Impossibility of secure two-party computation using quantum communication

Given the impossibility of quantum bit commitment, the next question to ask is: are there any classical primitives that may be implemented securely using quantum communication? In fact, the possibility for OT was stated as a open problem in [ 45 ]. Unfortunately, this hope was shattered rather quickly, as impossibility results were given by Lo in [ 156 ] for one-sided computations (where only one party receives output). This result already shows the impossibility of 1-out-of-2 OT—the proof technique follows closely the technique developed for the impossibility of quantum bit commitment (see Sect.  4.1 ).

It took almost 10 years until Colbeck showed the first impossibility result for two-sided computations, namely that Alice can always obtain more information about Bob’s input than what is implied by the value of the function [ 79 ]. In a similar vein, Salvail, Schaffner and Sotakova proved in [ 202 ] that any quantum protocol for a non-trivial primitive leaks information to a dishonest player. What is worse, even with the help of a trusted party, the cryptographic power of any primitive cannot be “amplified” by a quantum-communication protocol.

Buhrman, Christandl and Schaffner [ 58 ] have strengthened the above impossibility results by showing that the leakage in any quantum protocol is essentially as bad as one can imagine: even in the case of approximate correctness and security, if a protocol is “secure” against Bob, then it is completely insecure against Alice (in the sense that she can compute the output of the computation for all of her possible inputs). For impossibility results in the universal composability (UC) framework, see [ 113 ].

Zero-knowledge against quantum adversaries: “quantum rewinding”

Zero-knowledge interactive proofs, as introduced by Goldwasser, Micali, and Rackoff [ 124 ] are interactive proofs with the property that the verifier learns nothing from her interaction with the honest prover, beyond the validity of the statement being proved. These proof systems play an important role in the foundations of cryptography, and are also fundamental building blocks to achieve cryptographic functionalities (see [ 121 ] for a survey).

In zero-knowledge interactive proofs, the notion that the verifier “learns nothing” is formalized via the simulation paradigm : if, for every cheating verifier (interacting in the protocol on a positive instance), there exists a simulator (who does not interact with the prover) such that the output of the verifier is indistinguishable from the output of the simulator, then we say that the zero-knowledge property holds. In the classical world, a common proof technique used for establishing the zero-knowledge property is rewinding : a simulator is typically built by executing the given verifier—except that some computation paths are culled if the random choices of the verifier are not consistent with the desired effect. This selection is done by keeping a trace of the interaction, thus, if the interaction is deemed to have followed an incorrect path, the simulation can simply reset the computation (“rewind”) to an earlier part of the computation (see [ 121 ] and references therein).

In the quantum setting, such a rewinding approach is impossible: the no-cloning theorem tells us that it is not possible, in general, to keep a secondary copy of the transcript in order to return to it later on. This problem is further aggravated by the fact that, in the most general case, the verifier starts with some auxiliary quantum information (which we do not, in general, know how to re-create)—thus even a “patch” that would emulate the rewinding approach in the simple case would appear to fail in the case of auxiliary quantum information. We emphasize that the above concerns about the zero-knowledge property are applicable to purely classical protocols: honest parties are completely classical, but we wish to establish the zero-knowledge property against a verifier that may receive, store and process quantum information (these concerns are independent of the computational power of the verifier—they simply relate to the computational model!).

The fundamental difficulty in proving the zero-knowledge property in the quantum world was first discussed by van de Graaf [ 223 ]; while some progress was made on this question [ 85 ], it is the breakthrough result of Watrous [ 227 ] that restored confidence that the zero-knowledge property of many standard classical zero-knowledge proofs is maintained in a quantum world.

In a nutshell, Watrous introduced the technique of quantum rewinding , which establishes that under some reasonable (and commonly satisfied) conditions, the success probabilities of certain processes with quantum inputs and outputs can be amplified. This technique therefore provides an alternative to the classical rewinding paradigm, and is used to show that the Goldreich-Micali-Wigderson graph 3-coloring protocol [ 122 ] is zero-knowledge against quantum attacks. We briefly mention that quantum rewinding is established using a technique resembling amplitude amplification [ 48 ] as is related to Grover’s quantum search algorithm [ 126 ].

Further work on quantum rewinding has dealt with extending the domain of applicability to proofs of knowledge [ 218 ]. However, [ 11 ] show limitations to this technique (so that, in fact—relative to an oracle—there exists classical protocols that are insecure against quantum adversaries). See also [ 85 ].

Superposition access to oracles: quantum security notions

Post-quantum cryptography [ 32 ] (see Sect.  1.2 ) investigates classical cryptographic schemes which remain secure in the presence of quantum adversaries. In classical cryptography, security is often defined in terms of an interactive game between an adversary and a challenger: a scheme is deemed secure if the adversary can only win the game with negligible probability. When such notions are used to prove post-quantum security, one must consider quantum adversaries which are potentially able to communicate quantumly with the challenger. An example is the chosen-plaintext-attack (CPA) learning phase that is present in game-based security definitions, for instance for defining indistinguishability (IND) security of encryption schemes [ 123 , 140 ], where it is natural to consider attackers that can query superpositions of plaintexts to be encrypted and are returned superpositions of according ciphertexts from the challenger.

Another important example relates to the random-oracle (RO) model. A common technique used in classical cryptography is to assume that hash functions are perfect random oracles which adversaries can evaluate. It is well-known in classical cryptography that the RO-methodology comes with a plethora of techniques that can be employed in order to give formal proofs. Unfortunately, most of these tricks do not work in a quantum context for the following reason: a quantum adversary can always evaluate a classical hash function on an arbitrary superposition of inputs. Therefore, in the quantum random oracle (QRO) model, it is necessary to give the adversary superposition access to the oracle. As a consequence, standard techniques from the classical RO model (such as planting the challenge in a random one of the RO queries of the adversary) fail in the more realistic QRO model setting (the adversary might make a single quantum query with all input values in superposition).

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, and Zhandry [ 38 ] first showed how to correctly define the random-oracle model in the quantum setting. They also showed a separation between the classical and quantum RO models. Zhandry [ 240 ] showed how to plant challenges in the QRO model at the beginning of the execution, and Unruh [ 222 ] showed how to reprogram the RO during runtime. Security definitions allowing superposition access have subsequently been studied by Boneh and Zhandry [ 37 , 240 ] in the context of encryption, digital signatures and the construction of pseudo-random functions. See also related work by Damgård, Funder, Nielsen and Salvail [ 92 ], who study superposition attacks on secret-sharing and multi-party protocols.

Position-based quantum cryptography

In cryptography, digital keys or biometric features are used to verify the identity of a person. The goal of position-based cryptography is to use the geographical position of an entity as a cryptographic credential. As a physical analogy, consider the scenario of a bank, where typically, the mere fact that a bank teller is behind the counter (her position ) suffices as a credential in order to initiate the exchange of sensitive information.

A central building block of position-based cryptography is the task of position verification , a problem previously studied in the field of wireless security [ 42 , 61 , 64 , 65 , 203 , 209 , 226 , 241 ]. The goal is to prove to a set of verifiers that one is at a certain geographical location. Protocols typically exploit the relativistic no-signaling principle that messages cannot travel faster than the speed of light. By responding to a verifier in a timely manner, one can guarantee that one is within a certain distance of that verifier [ 42 ]. It was shown in [ 69 ] that classical position-verification protocols based only on this relativistic principle can be broken by multiple attackers who simulate being at the claimed position while physically residing elsewhere in space. Because of the no-cloning property of quantum information (see Sect.  2.4 ), it was believed that with the use of quantum messages one could devise protocols that were resistant to such collaborative attacks. Several schemes were proposed [ 68 , 144 , 152 , 164 , 165 ] that later turned out to be insecure. Finally, Buhrman, Chandran, Fehr, Gelles, Goyal, Ostrovsky and Schaffner showed that also in the quantum case, no unconditionally secure schemes are possible [ 60 ], as long as the colluding adversaries share a large enough amount of entanglement: attackers can break the protocol if the number of pre-shared EPR pairs is exponential in the size of the messages of the protocol [ 19 ]. This exponential overhead in resources (in terms of entanglement and quantum memory) leads to the main open problem in this research area, namely to find quantum protocols which remain secure under the assumption that adversarial resources are restricted to a polynomial amount, while at the same time, honest players can perform the schemes efficiently.

Historically, position-based schemes were first studied by Kent, Monroe and Spiller in 2002 under the name of “quantum tagging”. A US-patent was granted in 2006 [ 143 ], but the results appeared in the scientific literature only in 2010 [ 144 ]. Some simple position-verification schemes are studied in [ 59 , 144 ]. The only quantum ingredient in these protocols is a single qubit sent to the prover who is required to route this qubit back to the correct verifier depending on the classical information he also receives from the verifiers. Note that the actions of the honest players are simple enough that they can be implemented using current quantum technology.

In order to analyze how much entanglement colluding adversaries need to break these simple schemes, a new model of (classical) communication complexity (called the garden-hose model ) was introduced by Buhrman, Fehr, Schaffner and Speelman [ 59 ]. This model connects attacks on position-based quantum protocols to various interesting problems in classical complexity theory and communication complexity, as witnessed in related work [ 73 , 147 ]. In particular, the garden-hose complexity of a function gives an upper bound on the amount of entanglement required to break the security of the position-verification protocol based on that function. However, it is an open question whether more advanced techniques will allow to also prove lower bounds on the entanglement required to break these simple position-verification protocols.

In [ 220 ], Unruh introduces a helpful methodology for analyzing quantum circuits in space-time and gives a position-verification protocol in three dimensions which is secure in the quantum-random-oracle model. Furthermore, [ 60 , 220 ] give schemes for position-based authentication which allows the verifiers to be convinced that a message originated from a certain location. However, it remains an open problem to find efficient schemes which do not use random oracles.

Conclusion and open problems

Since its inception almost 50 years ago, quantum cryptography has developed into an active and exciting multidisciplinary area of research that combines state-of-the-art techniques from cryptography, quantum physics, complexity theory, information theory and beyond. While experimental implementations are still at the prototype level, our theoretical understanding of the power and limitations of quantum cryptography is continuously expanding.

Ongoing work on quantum cryptography consists in improving existing schemes as well as finding further applications and proof techniques. As final words, we mention here some open problems of interest.

• What types of cryptosystems can quantum algorithms break? The area of post-quantum cryptography bases classical cryptography on computational problems which are hard even for quantum computers. More research on quantum algorithms for quantum cryptanalysis is needed to fully understand how difficult these problems are. This understanding is also crucial when choosing the security parameters for post-quantum cryptographic schemes.
• Can we make device-independent protocols that are feasible in practice? It is a challenging open problem to develop device-independent protocols (for key distribution, but possibly also for other applications) which can tolerate a realistic amount of noise.
• Can quantum protocols verify the position of a player? As outlined in Sect.  4.5 , one of the main open questions in the area of position-based cryptography is to find a protocol which can be executed efficiently (with current technology) by honest players, but requires an exponential amount of resources (such as entangled qubits) for attackers to break it.
• How can we construct quantum-secure pseudorandom permutations (qPRP)? Related to the topic of quantum security notions (Sect.  4.4 ), Zhandry [ 240 ] has shown how to construct quantum-security pseudo-random functions (qPRF). Classically, it is well-known that using the PRF in a three-round Feistel network yields a pseudo-random permutation. However, this construction is probably insecure in the quantum setting [ 149 ]. It is an open question how to construct quantum-secure pseudo-random permutations.
• Which cryptographic functionalities can be achieved by quantum protocols? The impossibility results from Sect.  4.2 are all concerned with deterministic classical functionalities. In Sect.  3.6 , we have seen that quantum protocols for (weak or biased strong) coin flipping exist. Hence what exactly is the set of randomized classical functionalities that can be implemented by quantum protocols? More generally, can these impossibility results be extended to quantum functionalities?
• Does quantum information allow for devices that hide the inner workings of a computer program? Due to its diverse and far reaching applications, program obfuscation has been long considered as a holy grail of cryptography. However, hopes of attaining highly secure obfuscation were diminished in 2011 by an impossibility proof [ 14 ] (note, however that weaker security notions are attainable [ 115 ]). The situation is completely different in the quantum case, since the proof technique is not applicable (essentially due to the no-cloning theorem). As such, a positive result establishing that quantum information allows program obfuscation would unleash a number of powerful primitives, and would yield another qualitative advantage of quantum information over its classical counterpart.
• What are the limits of the delegated quantum computation scenario? In Sect.  3.5 , we reviewed results on how a quantum computationally weak client can outsource a quantum computation. An open question that remains is to establish the ultimate limits in terms of the power of the client: can a fully classical client delegate a private quantum computation to a single quantum server, while ensuring privacy and/or verifiability? In the computational setting, this question is related to that of quantum fully homomorphic encryption : can we encrypt quantum data such that any quantum circuit can be applied to the encrypted data (without revealing the key, of course!)?
• Can we build quantum public-key money from standard assumptions? Current techniques for quantum public-key money rely on ad hoc assumptions (see Sect.  3.1 ). An open problem is to construct these primitives on standard cryptographic assumptions (such as the existence of quantum-secure one-way functions [ 7 , 183 , 192 ]).

Acknowledgments

It is a pleasure to acknowledge conversations with Gilles Brassard, Gus Gutoski, Serge Fehr and Louis Salvail in the preparation of this document. We thank Romain Alléaume, Matthias Christandl, Claude Crépeau, Ivan Damgård, Tommaso Gagliardoni, Andreas Hülsing, Stacey Jeffery, Raza Ali Kazmi, Anthony Leverrier, Renato Renner, Fang Song, Douglas Stebila, Dominique Unruh, Thomas Vidick, Stefan Wolf, and Ronald de Wolf for very useful feedback on an initial draft of this document. We also thank Ronald Mullin for his invitation to submit this paper to the 25th anniversary edition of Designs, Codes and Cryptography , and an anonymous reviewer for helpful comments. We are deeply indebted to Barbara Caiçara Santos for help in managing our references database. A.B.’s work is supported by Canada’s NSERC. C.S. is supported by an NWO VIDI grant, and the EU 7th framework project SIQS.

1 We use the word “classical” here and throughout to mean “non-quantum”.

2 http://math.nist.gov/quantum/zoo/ .

3 A primitive is feasible if it can be implemented in the UC model from secure channels only.

4 The term is quite well-established by now, but chosen somewhat unfortunately, because the research area is concerned with cryptography which is still secure at the beginning and not after the end of the era of large-scale quantum computers.

5 Assume a quantum operation A which takes as input a qubit in state | ψ ⟩ (together with a “helping” qubit in state | 0 ⟩ ) and outputs | ψ ⟩ | ψ ⟩ . Hence, A | 0 ⟩ | 0 ⟩ = | 0 ⟩ | 0 ⟩ and A | 1 ⟩ | 0 ⟩ = | 1 ⟩ | 1 ⟩ . By linearity of A , it must hold that A | 0 ⟩ + | 1 ⟩ 2 | 0 ⟩ = A | 0 ⟩ | 0 ⟩ + A | 1 ⟩ | 0 ⟩ 2 = | 0 ⟩ | 0 ⟩ + | 1 ⟩ | 1 ⟩ 2 which is not equal to the state | 0 ⟩ + | 1 ⟩ 2 ⊗ | 0 ⟩ + | 1 ⟩ 2 which we would expect as output from a perfect copying operation A . Hence, such an A does not exist.

6 However, this “spooky action at a distance” puzzled Einstein a lot, and was the inspiration for his very influential paper co-authored with Podolsky and Rosen [ 103 ]. Nowadays, we often call two qubits in the maximally entangled state ( | 00 ⟩ A B + | 11 ⟩ A B ) / 2 an EPR pair .

7 See [ 219 , Lemma 7] for a proof in the UC framework; the stand-alone impossibility is folklore and can be derived from the impossibility of OT in the plain model [ 156 ] (see also Sect.  4.2 ).

8 In fact, formalizing these innocent-looking requirements correctly turns out to be rather tricky [ 83 , 111 ].

9 A prime example of a secure two-party computation is Yao’s millionaire’s problem [ 237 ]: two millionaires want to compare their fortune without telling the other specifically how much money they own. This problem can be solved by the secure computation of the greater-than function.

10 Formally, max { P A ∗ , P B ∗ } ≥ 0.739 where P A ∗ is the average over the probabilities that a dishonest committer Alice successfully reveals bit b = 0 and successfully reveals b = 1 ; and P B ∗ is the probability that a dishonest verifier Bob guesses the committed bit b after the commitment phase. P A ∗ = P B ∗ = 1 2 holds for a perfect bit-commitment protocol.

11 In fact, the first formal security proof of QKD by Shor and Preskill [ 207 ] exploited this monogamy of entanglement by showing that a QKD protocol can be transformed (in a series of steps) into a protocol that distills pure EPR states which Eve cannot be entangled with. These EPR states are then measured by Alice and Bob to obtain the secure shared key.

12 See also a more recent proof exploiting “quantum combs” [ 72 ], as well as a more general result about the impossibility of “growing” quantum bit commitments [ 235 ].

13 Technically, Uhlmann’s theorem states that any two purifications of Bob’s reduced quantum state are related by a unitary transform.

This is one of several papers published in Designs, Codes and Cryptography comprising the 25th Anniversary Issue.

Contributor Information

Anne Broadbent, Email: ac.awattou@ebdaorba .

Christian Schaffner, Email: [email protected] .

This is a potential security issue, you are being redirected to https://csrc.nist.gov .

You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock Locked padlock icon ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Post-Quantum Cryptography PQC

Project links, call for proposals.

In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromise the security of many commonly used cryptographic algorithms.

In particular, quantum computers would completely break many public-key cryptosystems, including RSA, DSA, and elliptic curve cryptosystems. These cryptosystems are used to implement digital signatures and key establishment and play a crucial role in ensuring the confidentiality and authenticity of communications on the Internet and other networks.

Due to this concern, many researchers have begun to investigate post-quantum cryptography (PQC) (also called quantum-resistant or quantum-safe cryptography). The goal of this research is to develop cryptographic algorithms that would be secure against both quantum and classical computers. These algorithms could serve as replacements for our current public-key cryptosystems to prepare for the eventuality that large-scale quantum computers become a reality.

At present, there are several post-quantum cryptosystems that have been proposed, including lattice-based cryptosystems, code-based cryptosystems, multivariate cryptosystems, hash-based signatures , and others. However, for most of these proposals, further research is needed in order to gain more confidence in their security (particularly against adversaries with quantum computers) and to improve their performance.

NIST has decided that it is prudent to begin developing standards for post-quantum cryptography now. This is driven by two factors. First, there has been noticeable progress in the development of quantum computers, including theoretical techniques for quantum error correction and fault-tolerant quantum computation, and experimental demonstrations of physical qubits and entangling operations in architectures that have the potential to scale up to larger systems.

Second, it appears that a transition to post-quantum cryptography will not be simple as there is unlikely to be a simple “drop-in” replacement for our current public-key cryptographic algorithms. A significant effort will be required in order to develop, standardize, and deploy new post-quantum cryptosystems. In addition, this transition needs to take place well before any large-scale quantum computers are built, so that any information that is later compromised by quantum cryptanalysis is no longer sensitive when that compromise occurs. Therefore, it is desirable to plan for this transition early.

NIST is beginning a process to develop new cryptography standards. These new standards will be used as quantum resistant counterparts to existing standards, including digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186 and key establishment schemes specified in NIST Special Publications (SP) 800-56 A and B. The process is referred to as post-quantum cryptography standardization. The standards will be published as Federal Information Processing Standards (FIPSs) or Special Publications (SPs).

NIST is soliciting proposals for post-quantum cryptosystems and it will solicit comments from the public as part of its evaluation process. NIST expects to perform multiple rounds of evaluation, over a period of three to five years. The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.

NIST anticipates that the evaluation process for these post-quantum cryptosystems may be significantly more complex than the evaluation of the SHA-3 and AES candidates. One reason is that the requirements for public-key encryption and digital signatures are more complicated. Another reason is that the current scientific understanding of the power of quantum computers is far from comprehensive. Finally, some of the candidate post-quantum cryptosystems may have completely different design attributes and mathematical foundations, so that a direct comparison of candidates would be difficult or impossible.

As a result of these complexities, NIST believes that its post-quantum standards development process should not be treated as a competition; in some cases, it may not be possible to make a well-supported judgment that one candidate is “better” than another. Rather, NIST will perform a thorough analysis of the submitted algorithms in a manner that is open and transparent to the public, as well as encourage the cryptographic community to also conduct analyses and evaluation. This combined analysis will inform NIST’s decision on the subsequent development of post-quantum standards.

NIST recognizes that some users may wish to deploy systems that use “hybrid modes,” which combine post-quantum cryptographic algorithms with existing cryptographic algorithms (which may not be post-quantum). These “hybrid modes” are outside of the scope of this document, which is focused on post-quantum cryptographic algorithms only.

Additional Pages

PQC Crypto Technical Inquiries [email protected]

Dr. Lily Chen

Dr. Dustin Moody

Dr. Yi-Kai Liu

Security and Privacy: post-quantum cryptography

Related Projects

Post-Quantum Cryptography Standardization Call for Proposals Example Files Round 1 Submissions Round 2 Submissions Round 3 Submissions Round 3 Seminars Round 4 Submissions Selected Algorithms 2022 Workshops and Timeline PQC Seminars External Workshops Contact Info Email List (PQC Forum) PQC Archive PQC Digital Signature Schemes Hash-Based Signatures

PQC Crypto Technical Inquiries [email protected] Dr. Lily Chen Dr. Dustin Moody Dr. Yi-Kai Liu

Cryptographic Standards and Guidelines Hash-Based Signatures Multi-Party Threshold Cryptography PQC Digital Signature Schemes

Researchers demonstrate that quantum cryptography can secure power grid

2/19/2013 by LANL Communications

Written by by LANL Communications

LOS ALAMOS, N.M., Feb. 14, 2013—Recently a Los Alamos National Laboratory quantum cryptography (QC) team successfully completed the first-ever demonstration of securing control data for electric grids using quantum cryptography.

The demonstration was performed in the electric grid test bed that is part of the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) project at the University of Illinois Urbana-Champaign (UIUC) that was set up under the Department of Energy’s Cyber Security for Energy Delivery Systems program in the Office of Electricity Delivery and Energy Reliability. TCIPG has its adminsitrative home in Illinois' Information Trust Institute .

Novel methods for controlling the electric grid are needed to accommodate new energy sources such as renewables whose availability can fluctuate on short time scales. This requires transmission of data to and from control centers; but for grid-control use, data must be both trustworthy and delivered without delays. The simultaneous requirements of strong authentication and low latency are difficult to meet with standard cryptographic techniques. New technologies that further strengthen existing cybersecurity protections are needed.

Quantum cryptography provides a means of detecting and defeating an adversary who might try to intercept or attack the communications. Single photons are used to produce secure random numbers between users, and these random numbers are then used to authenticate and encrypt the grid control data and commands. Because the random numbers are produced securely, they act as cryptographic key material for data authentication and encryption algorithms.

At the heart of the quantum-secured communications system is a unique, miniaturized QC transmitter invention, known as a QKarD, that is five orders of magnitude smaller than any competing QC device. Jane Nordholt, the Los Alamos principal investigator, put it this way: “This project shows that quantum cryptography is compatible with electric-grid control communications, providing strong security assurances rooted in the laws of physics, without introducing excessive delays in data delivery.”

A late-2012 demonstration at UIUC showed that quantum cryptography provides the necessary strong security assurances with latencies (typically 250 microseconds, including 120 microseconds to traverse the 25 kilometers of optical fiber connecting the two nodes) that are at least two orders of magnitude smaller than requirements. Further, the team’s quantum-secured communications system demonstrated that this capability could be deployed with only a single optical fiber to carry the quantum, single-photon communications signals; data packets; and commands. “Moreover, our system is scalable to multiple monitors and several control centers,” said Richard Hughes, the co-principal investigator from Los Alamos.

The TCIPG cyber-physical test bed provides a realistic environment to explore cutting-edge research and prove emerging smart grid technology in a fully customizable environment. In this demonstration, high-fidelity power simulation was leveraged using the real-time digital simulator to enable hardware in the loop power simulation to drive real phasor measurement units (PMUs), devices, deployed on today's electric grid that monitor its operation.

“The simulator provides a mechanism for proving technology in real-world scenarios,” said Tim Yardley, assistant director of test bed services. “We're not just using perfect or simulated data, so the results demonstrate true feasibility.”

The power simulation was running a well-known power-bus model that was perturbed by introducing faults, which drove the analog inputs on the connected hardware PMU. The PMU then communicated via the standard protocol to the quantum cryptography equipment, which handled the key generation, communication and encryption/decryption of the connection traversing 25 kilometers of fiber. A phasor data concentrator then collected and visualized the data.

"This demonstration represents not only a realistic power model, but also leveraged hardware, software and standard communication protocols that are already widely deployed in the energy sector,” said William H. Sanders, the Donald Biggar Willett Professor of Engineering at UIUC, director of the Coordinated Science Laboratory and principal investigator for TCIPG. “The success of the demonstration emphasizes the power of the TCIPG cyber-physical test bed and the strength of the quantum cryptography technology developed by Los Alamos.”

The Los Alamos team submitted 23 U. S. and foreign patent applications for the inventions that make quantum-secured communications possible. The Los Alamos Technology Transfer Division has already received two licensing inquiries from companies in the electric grid control sector, and the office plans an industry workshop for early 2013 when the team’s patents will be made available for licensing.

The Los Alamos team is seeking funding to develop a next-generation QKarD using integrated electro-photonics methods, which would be even smaller, more highly integrated, and open the door to a manufacturing process that would result in much lower unit costs.  

About Los Alamos National Laboratory

Los Alamos National Laboratory, a multidisciplinary research institution engaged in strategic science on behalf of national security, is operated by Los Alamos National Security, LLC, a team composed of Bechtel National, the University of California, The Babcock & Wilcox Company and URS Corporation for the Department of Energy’s National Nuclear Security Administration.

Los Alamos enhances national security by ensuring the safety and reliability of the U.S. nuclear stockpile, developing technologies to reduce threats from weapons of mass destruction, and solving problems related to energy, environment, infrastructure, health and global security concerns.

Share this story

This story was published February 19, 2013.

Quantum Advancements in Securing Networking Infrastructures

• Conference paper
• First Online: 10 April 2024
• Cite this conference paper

• Hadi Salloum 3 , 4 ,
• Murhaf Alawir 3 , 4 ,
• Mohammad Anas Alatasi 3 , 4 ,
• Saleem Asekrea 3 , 4 ,
• Manuel Mazzara 4 &
• Mohammad Reza Bahrami 4 , 5  

Part of the book series: Lecture Notes on Data Engineering and Communications Technologies ((LNDECT,volume 204))

Included in the following conference series:

• International Conference on Advanced Information Networking and Applications

This paper presents a exploration into the integration of Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC) within networking infrastructures, marking a groundbreaking advancement in network security. It meticulously examines the vulnerabilities inherent in classical and post-quantum cryptographic methods, underlining the pressing necessity for a shift towards quantum-based security paradigms. The crux of novelty lies in the comprehensive analysis of implementing QKD and PQC strategies within networking systems, providing innovative insights into their fusion for heightened security measures. This integration not only addresses existing cryptographic vulnerabilities but also spearheads a transformative approach to fortify networking infrastructures against evolving threats. Furthermore, the paper anticipates and scrutinizes the forthcoming threats and opportunities in the quantum era, offering a forward-thinking perspective to navigate the dynamic landscape of network security.

• Post-Quantum Cryptography
• Quantum Key Distribution
• Networking Infrastructures
• Quantum Computing

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Institutional subscriptions

Nurhadi, A.I., Syambas, N.R.: Quantum key distribution (QKD) protocols: a survey. In: 2018 4th International Conference on Wireless and Telematics (ICWT), pp. 1–5. IEEE (2018)

Google Scholar  

Huang, A., Barz, S., Andersson, E., Makarov, V.: Implementation vulnerabilities in general quantum cryptography. New J. Phys. 20 (10), 103016 (2018)

Article   Google Scholar  

Vaishnavi, A., Pillai, S.: Cybersecurity in the quantum era-a study of perceived risks in conventional cryptography and discussion on post quantum methods. J. Phys. Conf. Ser. 1964 (4), 042002 (2021)

Balamurugan, C., Singh, K., Ganesan, G., Rajarajan, M.: Post-quantum and code-based cryptography-some prospective research directions. Cryptography 5 (4), 38 (2021)

Ugwuishiwu, C.H., Orji, U.E., Ugwu, C.I., Asogwa, C.N.: An overview of quantum cryptography and Shor’s algorithm. Int. J. Adv. Trends. Comput. Sci. Eng. 9 (5), 1–9 (2020)

Van Assche, G.: Quantum Cryptography and Secret-Key Distillation. Cambridge University Press, Cambridge (2006)

Naber, G.: Foundations of Quantum Mechanics (2016)

Mackey, G.W.: Mathematical Foundations of Quantum Mechanics. Courier Corporation (2013)

Salloum, H., et al.: Integration of machine learning with quantum annealing. In: International Conference on Advanced Information Networking and Applications. Springer (2024)

Nejatollahi, H., Dutt, N., Ray, S., Regazzoni, F., Banerjee, I., Cammarota, R.: Post-quantum lattice-based cryptography implementations: a survey. ACM Comput. Surv. (CSUR) 51 (6), 1–41 (2019)

Charjan, S., Kulkarni, D.H.: Quantum key distribution by exploitation public key cryptography (ECC) in resource constrained devices. Int. J. 5 , 1–8 (2015)

Monz, T., et al.: Realization of a scalable Shor algorithm. Science 351 (6277), 1068–1070 (2016)

Article   MathSciNet   Google Scholar  

Rønnow, T.F., et al.: Defining and detecting quantum speedup. Science 345 (6195), 420–424 (2014)

McMahon, D.: Quantum Computing Explained. John Wiley & Sons, New York (2007)

Book   Google Scholar  

Mozaffari-Kermani, M., Azarderakhsh, R.: Reliable hash trees for post-quantum stateless cryptographic hash-based signatures. In: 2015 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFTS), pp. 103–108. IEEE (2015)

Mehic, M., et al.: Quantum key distribution: a networking perspective. ACM Comput. Surv. (CSUR) 53 (5), 1–41 (2020)

Stanley, M., Gui, Y., Unnikrishnan, D., Hall, S.R.G., Fatadin, I.: Recent progress in quantum key distribution network deployments and standards. J. Phys. Conf. Ser. 2416 (1), 012001 (2022)

Torres, N.N., Garcia, J.C.S., Guancha, E.A.V.: Systems security affectation with the implementation of quantum computing. Int. J. Adv. Comput. Sci. App. 12 (4), 1–11 (2021)

Althobaiti, O.S., Dohler, M.: Cybersecurity challenges associated with the Internet of Things in a post-quantum world. IEEE Access. 8 , 157356–157381 (2020)

Shor, P.W., Preskill, J.: Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85 (2), 441 (2000)

Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41 (2), 303–332 (1999)

Shor, P.W., Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A.: Quantum Money, vol. 19. MIT, Cambridge (2012)

Kuang, R., Perepechaenko, M., Barbeau, M.: A new post-quantum multivariate polynomial public key encapsulation algorithm. Quant. Inf. Process. 21 (10), 360 (2022)

Eddin, S., et al.: Quantum microservices: transforming software architecture with quantum computing. In: International Conference on Advanced Information Networking and Applications. Springer (2024)

Bajrić, S.: Enabling secure and trustworthy quantum networks: current state-of-the-art, key challenges, and potential solutions. IEEE Access 11 , 128801–128809 (2023)

Scarani, V., et al.: The security of practical quantum key distribution. Rev. Mod. Phys. 81 (3), 1301 (2009)

Usenko, V.C., Filip, R.: Trusted noise in continuous-variable quantum key distribution: a threat and a defense. Entropy 18 (1), 20 (2016)

Yang, Y.-H., et al.: All optical metropolitan quantum key distribution network with post-quantum cryptography authentication. Opt. Express. 29 (16), 25859–25867 (2021)

Download references

Author information

Authors and affiliations.

QDeep, Innopolis, Russia

Hadi Salloum, Murhaf Alawir, Mohammad Anas Alatasi & Saleem Asekrea

Innopolis University, Innopolis, Russia

Hadi Salloum, Murhaf Alawir, Mohammad Anas Alatasi, Saleem Asekrea, Manuel Mazzara & Mohammad Reza Bahrami

Samarkand International University of Technology, Samarkand, Uzbekistan

Mohammad Reza Bahrami

You can also search for this author in PubMed   Google Scholar

Corresponding author

Correspondence to Hadi Salloum .

Editor information

Editors and affiliations.

Department of Information and Communication Engineering, Fukuoka Institute of Technology, Fukuoka, Japan

Leonard Barolli

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper.

Salloum, H., Alawir, M., Alatasi, M.A., Asekrea, S., Mazzara, M., Bahrami, M.R. (2024). Quantum Advancements in Securing Networking Infrastructures. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 204. Springer, Cham. https://doi.org/10.1007/978-3-031-57942-4_34

Download citation

DOI : https://doi.org/10.1007/978-3-031-57942-4_34

Published : 10 April 2024

Publisher Name : Springer, Cham

Print ISBN : 978-3-031-57941-7

Online ISBN : 978-3-031-57942-4

eBook Packages : Intelligent Technologies and Robotics Intelligent Technologies and Robotics (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Publish with us

Policies and ethics

• Find a journal
• Track your research

• PUBLICATIONS
• GRAPHICS WAREHOUSE
• SCRUTINY TOOLBOX

Quantum: What is it and where does the EU stand?

Quantum technologies, a growing branch of physics and engineering, encompass technologies that utilise quantum phenomena to achieve specific goals.

Written by Stefano De Luca.

The emergence of quantum information science and technologies marks a pivotal moment in technological progress. As the strategic importance of quantum gains global recognition, efforts are intensifying to harness its potential while also addressing security and regulatory challenges. With China, the United States and the European Union investing heavily in quantum, the race for technological dominance is well under way.

Introduction

Quantum technologies , a growing branch of physics and engineering, encompass technologies that utilise quantum phenomena to achieve specific goals. With new advances in these technologies, policymakers have started focusing on the opportunities and challenges they present, considering their potential impact in the future. However, the commercialisation of quantum technologies depends on the various quantum applications involved. Some experts predict that certain technologies, such as decryption using quantum computers, may take decades to become market-ready, while others, such as quantum‑sensing applications for biomedical research , could be ready sooner. In general, the different technologies are based on quantum information science (QIS), also referred to simply as quantum , which explores how information is processed and transmitted using quantum mechanical principles. QIS comprises what experts refer to as the main quantum technologies : quantum computing (with quantum simulation as a crucial subfield), quantum communication and quantum sensing. Many governments have realised that financial investment in quantum is crucial for the future, as it offers the possibility to solve complex tasks in a faster and more efficient way – something existing technologies cannot achieve. Currently, policy initiatives in the European Union ( EU ) and other regions are focusing primarily on funding research and development projects and creating an environment that fosters innovation.

Main quantum technologies

In quantum computing, the multiple positions of ‘ qubits ‘, the basic unit of information in a quantum computer, allow the performance of more complex calculations much faster than by classical computers, thanks to the ability to process a larger volume of data and run extremely intricate simulations. Opportunities for this technology lie, for example, in developing and testing new vaccines and drugs by simulating chemical reactions, saving time and reducing costs. Quantum communication , meanwhile, seeks to provide more secure long-distance communications, making use of two quantum features; first, the creation of encryption keys based on qubits makes it much harder for hackers to break into cryptographic systems; second, qubits are extremely sensitive to external influence, meaning that any third party attempt to intercept the transmitted communication introduces errors that can make the interception attempt visible to both the sender and the receiver. A safe quantum communication method is quantum key distribution (QKD); it enables the secure exchange of cryptographic keys between two parties based on the laws of quantum physics (e.g. entanglement and interference ). Quantum sensing uses the high sensitivity and accuracy of particles to measure the slightest changes in physical matter or geographical position. Quantum sensors could supersede the Global Positioning System (GPS) in navigation systems, eliminating the risk of external influence, such as the jamming of GPS signals. The high cost of quantum sensors and their size present major challenges to the broad adoption of this technology however.

How China and the United States are approaching quantum

China’s 14th five-year plan (2021-2025) provides insight into the country’s stance on quantum technology. The plan identifies QIS as a strategic priority for China in terms of strengthening its national defence and fostering economic growth. In accordance with the plan, China has become a pioneer in building quantum communication infrastructure , having established a network connecting Beijing and Shanghai through which data is reportedly transferred with absolute security. Furthermore, China is working on cutting-edge quantum communication satellites , such as the Micius Satellite project for quantum science experiments.

In 2018, the United States (US) released its national quantum strategy and launched legislative initiatives envisaging a coordinated approach at the federal level to improve research and development in quantum technology for economic and national security purposes. For example, the US has placed emphasis on advancing the standardisation of quantum-safe cryptography protocols , which involves developing new algorithms that are resistant to hacking, including by means of a supercomputer . Furthermore, the National Quantum Initiative allocates funding for investment to advance QIS research and development and to address a wide range of quantum challenges such as workforce development and industry engagement.

What the EU is doing

As part of its overarching digital transformation strategy – the Digital Decade – the EU aims to be ‘at the cutting edge of quantum capabilities by 2030’. To this end, the EU has been running a variety of programmes and initiatives, ranging from supporting research in quantum to deploying a quantum secure infrastructure. The Quantum Technologies Flagship initiative provides financial support for EU scientific and industrial excellence . In the area of infrastructure, the EU plans to have its first quantum computers by 2025, at six specific sites . Additionally, the European Quantum Communication Infrastructure Initiative ( EuroQCI ) envisages safeguarding sensitive data and critical infrastructure by utilising quantum communication technologies to build a terrestrial fibre network connecting strategic sites and space‑based secure connectivity using satellites (IRIS²). With its nearly €7 billion public investment in quantum, the EU ranks second only to China. Recognising the strategic value and dual-use nature (civilian and military) of quantum technologies, the Commission has identified them as critical for the EU’s economic security, as they are ‘considered highly likely to present the most sensitive and immediate risks related to technology security and technology leakage’. The Commission therefore recommends that Member States initiate collective risk assessments of quantum technology. In January 2024, it proposed new initiatives to strengthen economic security. For instance, in the proposal to review the existing regulation on the screening of foreign investments, the Commission proposed listing quantum technologies as crucial for EU security or for public order interests. Some Member States, such as France and Germany, have their own programmes to develop quantum technologies. Member States and the Commission are also working to shield the value chains of these technologies from outside players. In March 2024, 21 Member States committed to making Europe the ‘quantum valley’ of the world, by signing the European Declaration on Quantum Technologies. The EU cooperates on quantum internationally , for instance with Canada , Japan , South Korea and the US (not least through the EU-US quantum task force ).

Recommendations for an EU fit for the quantum age

In September 2023, the Commissioner for the Internal Market, Thierry Breton, announced that he was ‘working on a new strategy to make Europe the world quantum valley ‘. However, despite significant EU public funding for quantum, the EU continues to lags behind its major global competitors, such as the US, in terms of private investment in the sector. In view of this, the Commission’s 2023 Report on the state of the Digital Decade recommends supporting start-ups in the budding quantum ecosystem, in terms of technological needs and scaling up. The report also stresses the need to continue the work on establishing an EU federated quantum infrastructure to ensure a secure and hyper-connected quantum ecosystem. On the sovereignty and security front, the European Policy Centre (EPC) suggests using the European Chips Act to establish a future European quantum chips factory. However, it advises that restrictive export and import policies should be implemented cautiously, as quantum technologies have low maturity. Finally, the EPC argues that an EU coordinated action plan on the quantum transition is crucial to prevent cybersecurity loopholes and safeguard all Member States. It further recommends creating a new expert group on quantum within the EU Agency for Cybersecurity (ENISA). From an educational and technical standpoint, IBM advises organisations to prepare for potential quantum threats by educating policymakers and other key stakeholders on quantum-safe cryptography. This involves developing new algorithms that are immune to hacking by a quantum computer. Organisations should identify the potential vulnerabilities in their information technology systems and mitigate them by implementing quantum-safe cryptography. Once these measures are in place, they should adjust their operations to ensure that all data are protected.

Read this ‘at a glance’ note on ‘ Quantum: What is it and where does the EU stand? ‘ in the Think Tank pages of the European Parliament.

Members' Research Service

Eu-western balkans relations: macroeconomic situation and eu financial support, ai investment: eu and global indicators, medical devices and in vitro medical devices regulations: transitional provisions [eu legislation in progress], outcome of the meetings of eu leaders, 21-22 march 2024, artificial intelligence [what think tanks are thinking], preventing and countering the facilitation of unauthorised entry, transit and stay in the eu [eu legislation in progress], haiti in a spiral of violence, revision of the european works councils directive: stronger social dialogue in a multinational context [eu legislation in progress], outlook for the meetings of eu leaders, 21-22 march 2024, children’s participation in the democratic life of the eu, president biden’s 2024 state of the union address, expansion of brics: a quest for greater global influence.

Be the first to write a comment.

Leave a Reply Cancel reply

• What Europe does for me

EU legislation in progress

Download the EPRS App

• EP Plenary Sessions
• Cost of Non-Europe reports
• Latest Media
• Climate Change
• Russia's war on Ukraine

We write about

• Replies to campaigns from citizens
• What Europe does for you
• Economic and Social Policies
• EU Financing / Budgetary Affairs
• Institutional and Legal Affairs
• International Relations
• Policy Cycle
• Structural and Cohesion Policies

RSS Link to Members’ Research Service

Social media.

• EP Think Tank
• Write to the European Parliament
• EP Library catalogue

Disclaimer and Copyright statement

The content of all documents (and articles) contained in this blog is the sole responsibility of the author and any opinions expressed therein do not necessarily represent the official position of the European Parliament. It is addressed to the Members and staff of the EP for their parliamentary work. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy. For a comprehensive description of our cookie and data protection policies, please visit Terms and Conditions page. Copyright © European Union, 2014-2024. All rights reserved.

Discover more from Epthinktank

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

• Privacy Overview
• Strictly Necessary Cookies
• Cookie Policy

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

More information about our Cookie Policy .

The present website is hosted by WordPress.com, a service by Automattic. Automattic is a global company with thousands of servers located in several separate data centres around the world. While Automattic takes care of the security of the platform , we, the European Parliamentary Research Service, own the content of the blog. For more detailed information about the compliance of Automattic products and services with the EU General Data Protection Regulation (GDPR), please see their dedicated page .

Data collected

We do not collect any personal data that could identify an individual user. The users that are registered in WordPress.com should consult wordpress.com terms of service . We do collect anonymised aggregate data for statistical purposes. The data collected for this purposes include: number of visits/visitors per page, the country of the user, and aggregate numbers of incoming and outgoing clicks.

We determine unique page counts by using a “hashed” version of the visitor’s IP address. The visitor’s full IP address is deleted from our logs after a little over a month. That timeframe is how long the data is needed in order to allow us to calculate your stats on a monthly basis and no longer.

We collect your email address only if you proactively requested to be notified about the updates on the blog. You can always contact us to remove your email address from our records or unsubscribe from the notification service.

We can also see your name and email address if you made a comment to one of our posts. We do not make the email address visible on the comment. Nevertheless, on request, we can delete your comments.

We collect cookies only to facilitate your browsing experience, such as enabling you to share our posts via social media or comment on the post. The majority of cookies will be used only if you are a registered WordPress.com user. In this case, you are bound to WordPress.com terms of service .

Some pages embed content from third parties. In this case, you will need to actively consent to their terms in order to see the content.

We do not collect cookies to show advertisement nor resell any information collected with cookies to third parties. Read more about the wordpress.com cookie policy and the way to control cookies on their dedicated page .

Thank you for visiting nature.com. You are using a browser version with limited support for CSS. To obtain the best experience, we recommend you use a more up to date browser (or turn off compatibility mode in Internet Explorer). In the meantime, to ensure continued support, we are displaying the site without styles and JavaScript.

• View all journals
• My Account Login
• Explore content
• About the journal
• Publish with us
• Sign up for alerts
• Matters Arising
• Open access
• Published: 09 April 2024

Reply to: Quantum mechanical rules for observed observers and the consistency of quantum theory

• Lídia del Rio   ORCID: orcid.org/0000-0002-2445-2701 1 &
• Renato Renner   ORCID: orcid.org/0000-0001-5044-6113 1  

Nature Communications volume  15 , Article number:  3024 ( 2024 ) Cite this article

Metrics details

• Quantum mechanics
• Theoretical physics

Matters Arising to this article was published on 09 April 2024

The Original Article was published on 18 September 2018

replying to A. P. Polychronakos Nature Communications https://doi.org/10.1038/s41467-024-47170-2 (2024)

Wigner’s friend experiment

In 1967, Eugene Wigner proposed a thought experiment to test the range of validity of quantum theory 1 . The experiment features two agents, Wigner and his friend, whom we call Alice (Fig.  1 ). Alice works in a perfectly isolated lab, and her task is to measure an observable X of a quantum system S . Wigner’s task is to analyse the same experiment from the outside, treating Alice’s entire lab as a quantum system. Crucial to this setup is that, when applying quantum theory, the two agents split the world differently into quantum and classical parts—i.e., they choose different ‘Heisenberg cuts’ 2 . Alice only models S as a quantum system and treats the outcome of her measurement X as part of the classical domain, yielding a definite value, x . In contrast, Wigner models Alice’s entire lab as part of the quantum domain, including Alice herself and her memory of the measurement outcome. Hence, for Wigner, Alice’s measurement is a reversible entangling operation between her and S , and x has no definite value. Alice and Wigner’s conclusions regarding x are thus different, although, at this point, they are not strictly contradictory.

The experiment concerns two quantum mechanics, Alice and Wigner. Alice measures a system S and records an outcome x . Alice applies the Heisenberg cut around system S : she treats S as a quantum system but regards herself, her notebook, and the outcome x as classical. Wigner analyses the situation from the outside, applying the Heisenberg cut around Alice’s entire isolated lab: he models Alice, her notebook, her measurement instruments, and everything else in her lab as quantum systems undergoing a global reversible evolution.

The FR experiment

In 2018, Daniela Frauchiger and one of us (Renner) proposed an extension of Wigner’s thought experiment, often referred to as the ‘FR experiment’ 3 (see also 4 for a similar proposal). It involves a group of four agents tasked with making predictions about each other’s measurements. Crucially, each agent applies the Heisenberg cut subjectively and may choose to model some of the other agents as quantum systems. All agents share the same initial information about the experimental setting and protocol, but during the actual run of the experiment, each agent may have access to additional data based on their local observations. Each agent analyses the experiment from their perspective using the same reasoning rules described by (Q), (C), and (S) below. The key insight of the experiment is that the agents reach contradictory conclusions; this result was framed as the no-go theorem 3 restated here. For an in-depth analysis of the FR experiment in the light of different interpretations of quantum theory, we refer to 5 , 6 .

3 . No physical theory where it is possible to model the FR experiment is compatible with the reasoning rules (Q), (C), and (S).

Considered individually, each reasoning rule appears intuitive and unproblematic; nonetheless, Theorem 1 asserts that they are contradictory. For simplicity, we elucidate these reasoning rules by describing their use by an agent, Alice, who is deriving statements about the outcome x of a measurement specified by an observable X .

Validity of quantum theory at the relevant scales: Suppose that the observable X is defined on a quantum system S around Alice (i.e., Alice is not herself part of S ). Alice may then apply the standard formalism of quantum theory to describe S and calculate the probabilities for the potential measurement outcomes. In particular, if this analysis yields that the outcome is x with probability 1, Alice can conclude “I am certain that X  =  x .” (For concreteness, the ‘standard formalism’ can be the four quantum postulates of Nielsen & Chuang 7 , Section 2.2, applied to the system S and its subsystems).

Consistency among agents: Let Bob be another agent who reasons about the same measurement X . If Alice has deduced, “I am certain that Bob has concluded that he is certain that X  =  x ” then Alice can conclude, “I am certain that X  =  x .”

Single outcomes: If Alice has concluded both “I am certain that X  =  x ” and “I am certain that \(X={x}^{{\prime} }\) ” for \(x\ne {x}^{{\prime} }\) then she considers that a contradiction.

A simple experiment to test reasoning rules

The idea behind rules (Q), (C), and (S) is that they correspond to the building blocks of reasoning that physicists naturally employ to analyze standard experiments. To see this, we introduce a simple experimental setup, which we term the ‘Learned Prediction Experiment’ (Box  1 ): An agent, Alice, learns a prediction from another agent, Bob, where both agents use the reasoning rules above, as shown in Fig.  2 . An addition relevant to the later discussion is that a third agent, Wigner, may measure Bob’s lab at some point in the experiment. As we will see, different proposals to circumvent Theorem 1 will also lead to different conclusions about this experiment.

If we omit Wigner’s measurement, the analysis of this experiment is straightforward. For example, if Bob observes Y  = 1, he can use reasoning rule (Q) to infer the prediction P  = "I am certain that X  = 1.” Upon receiving and reading P , Alice may say “I am certain that Bob is certain that X  = 1.” Using (C) Alice immediately arrives at \({P}^{{\prime} }=\) "I am certain that X  = 1.” Finally, (S) demands that the outcome of Alice’s measurement must indeed match her prediction \({P}^{{\prime} }\) .

Box 1 Learned Prediction Experiment

t 0 : Alice and Bob receive qubits A and B respectively, jointly prepared in an entangled Bell state \(({\left\vert 0\right\rangle }_{A}\otimes {\left\vert 0\right\rangle }_{B}+{\left\vert 1\right\rangle }_{A}\otimes {\left\vert 1\right\rangle }_{B})\,/\sqrt{2}\) .

t Y : Bob measures qubit B in the computational basis \(\{\left\vert 0\right\rangle,\left\vert 1\right\rangle \}\) and registers his outcome y .

t P : Bob makes a prediction P for the outcome x of Alice’s measurement at t X (see ahead) and communicates P to Alice.

\({t}_{{P}^{{\prime} }}\) : Alice receives P and infers from this a prediction \({P}^{{\prime} }\) for the outcome x of her measurement at t X .

t X : Alice measures qubit A in the computational basis \(\{\left\vert 0\right\rangle,\left\vert 1\right\rangle \}\) and compares her outcome x to her prediction \({P}^{{\prime} }\) .

t W : Wigner carries out a measurement of his choice on Bob’s lab (which may include qubit B , Bob’s memory, measurement instruments, and environmental degrees of freedom).

The first four steps occur at fixed times ordered as \({t}_{0} < \, {t}_{Y} < \, {t}_{P} < \, {t}_{{P}^{{\prime} }} < \, {t}_{X}\) . Wigner’s measurement occurs at a time t W , which is also fixed but customizable. All agents are initially provided with a description of this protocol, including the timing of the steps. Furthermore, they know that all agents use the same set of reasoning rules to obtain their predictions.

Criticism of Theorem 1

A large number of recent works have criticised Theorem 1—not its technical statement or proof, but rather the nature of its assumptions, reasoning rules (Q), (C), and (S). This, of course, is precisely the point of the no-go theorem—it asserts that the combination of these reasoning rules leads to contradictions. Nonetheless, Theorem 1 is only of interest if the reasoning rules (Q), (C), and (S) accurately capture the way we reason about physical experiments. Works criticising theorem typically claim this is not true for some of these reasoning rules.

To warm up, we illustrate this with a common criticism, which was eloquently summarized by Scott Aaronson as ‘It’s hard to think when someone Hadamards your brain’ 8 . The term ‘Hadamard’ refers here to a particularly destructive measurement, applied to an agent’s lab, which is incompatible with the computational basis we would use to describe how the agent processes and stores information when reasoning. (This is also sometimes called a ‘Bell measurement’ or ‘cat measurement’ 9 because it often corresponds to a measurement in the Bell basis of the agent’s memory and the system they observed.) The argument may be expressed in terms of a restriction on using rule (C).

Restriction 1 . Reasoning rule (C) cannot be applied to predictions that Bob made after his memory was subjected to a destructive measurement.

In the case of the Learned Prediction Experiment, and assuming Wigner’s measurement is indeed destructive, Restriction 1 means that the use of (C) should be forbidden if t W  ≤  t P (Fig.  3 ).

Left: If Wigner measures Bob’s lab before Bob produces his prediction ( t W  <  t P ), Restriction 1 8 forbids Alice from applying reasoning rule (C). This restriction ensures that agents do not rely on predictions computed by a malfunctioning agent. (In the FR thought experiment, this requirement is taken care of by the appropriate timing of the protocol steps.) Right: Restriction 2 9 forbids Alice from applying (C) (as in Fig.  2 ) even if Wigner measures Bob’s lab after Bob sends his prediction.

Why Restriction 1 is sensible but irrelevant

We agree with this reasoning. In fact, Restriction 1 is already taken into account implicitly by the assumption that the agents all apply the same reasoning rules. Measurements that are so destructive that they disturb the agent’s reasoning process are thus ruled out. More importantly, however, Restriction 1 is irrelevant in the case of the FR thought experiment. While (potentially) destructive measurements are applied to agents, the timing of these measurements is such that an agent never needs to make or communicate a prediction after having been subjected to such a measurement. Hence, Restriction 1, while absolutely justified, does not resolve the contradiction between the reasoning rules (Q), (C), and (S).

A stronger restriction

In a recent comment 9 , Alexios Polychronakos analyses the FR thought experiment using an approach termed ‘unitary quantum mechanics’, which basically consists of putting the Heisenberg cut at the outside of the entire experiment. Technically, such an analysis corresponds to the one presented in 10 or 11 (the latter employs Bohmian mechanics; see the  Supplementary Information for more details as well as a clarification of their claim that Theorem 1 is invalid). Motivated by this analysis, the author argues that if agents reason based on information held by other agents, along the lines of rule (C), then they arrive at invalid predictions—in agreement with Theorem 1 3 . Because Restriction 1 does not rule out this use of rule (C), he suggests extending the restriction to destructive measurements that lie in the future. In the spirit of Aaronson’s slogan, this suggestion may be phrased as ‘It’s hard to think when someone will later Hadamard your brain.’

Restriction 2 . Reasoning rule (C) cannot be applied to predictions that Bob made if his memory is subjected to a destructive measurement — even if that measurement lies in the future.

Applied to the Simple Prediction Experiment, Restriction 2 would imply that our analysis above is invalid even if Wigner measures Bob in the far future, i.e., after Bob has sent his prediction P to Alice, and possibly also after Alice has completed her measurement to verify the prediction (Fig.  3 ). In fact, the proposal by Polychronakos goes even one step further and similarly restricts the use of rule (Q). The author concludes that, equipped with these additional restrictions, the reasoning rules no longer yield a contradiction in the setting of the FR thought experiment.

We agree with this conclusion but would like to point out that such restrictions on the agents’ reasoning entail various problems, which we detail in the following (see also the  Supplementary Information ).

Objection 1

Restrictions 1 and 2 are ambiguous . In the formulation of Restrictions 1 and 2 above, we used the term ‘destructive measurement’, which we believe is in the spirit of 8 and 9 (in these works, the terms ‘Hadamard’ and ‘cat measurement’ are used). But to make this unambiguous, it is necessary to characterise which measurements count as ‘destructive’. Clearly, the particular measurements on the friends’ labs in the FR experiment must be treated as destructive, but this is not sufficient; it would be easy to find variations of the FR experiment that also lead to contradictory conclusions with measurements that are just slightly rotated from the original ones. In that case, the safety induced by Restriction 2 would not be robust under small changes. On the other hand, if a proposal would extend the constraint to all settings where Alice’s brain will be under any measurement, it would implicitly rule out even all classical logical reasoning used today—because our inferences are stored in physical memories that will eventually interact with their environments. It is unclear whether there is any natural boundary between these extremes that avoids either issue.

Objection 2

Physical justification of Restriction 2 requires signalling . The constraint imposed by Restriction 2 on using reasoning rule (C) seems unnecessarily strict when applied to settings like our Learned Prediction Experiment. If Wigner measures Bob after Bob communicates his prediction P to Alice, one would not expect this to render P invalid. This intuition may be verified by modelling Bob as a quantum system that outputs P . The non-signalling property of quantum theory then implies that a measurement performed by Wigner on Bob at time t W  >  t X cannot be noticed by Alice at time t X .

Restriction 2 is just a constraint on the applicability of a reasoning rule and hence does not imply signalling per se. However, if Restriction 2 was physically justified in the sense of having a physical origin, then the use of rule (C) without this restriction should sometimes lead to wrong predictions in experiments. To illustrate this, consider the Learned Prediction Experiment. If Restriction 2 was necessary here, the prediction \({P}^{{\prime} }\) , computed by Alice using rule (C), would sometimes be wrong when Wigner measures Bob’s lab at a time t W  >  t X . Because Alice can verify her prediction at time t X , this would violate the non-signalling principle: Wigner, by measuring or not measuring at time t W , could send a signal to Alice at time t X , into the past. In this sense, a physical justification for Restriction 2 is incompatible with the non-signalling principle.

Objection 3

Restrictions on (C) impair reasoning . Rule (C) allows agents to combine and compress information, which facilitates processing and prediction-making. Restrictions on the use of this rule may thus impair reasoning even in standard settings, where agents typically hold only partial information about the physical setup and must apply (C) to piece together their local bits of knowledge.

In our Learned Prediction Experiment, we assumed that all agents were provided with a full description of the experimental protocol. This allows Alice, in principle, to reach her prediction \({P}^{{\prime} }\) without applying (C): Alice may reverse-engineer Bob’s reasoning to infer his outcome y from his prediction P , which was communicated to her. Knowing y she may then employ (Q) to come up with \({P}^{{\prime} }\) . However, this strategy for avoiding the use of (C) would not be available to Alice if her knowledge about the experimental setup was partial. An example of this would be a variant of the experiment where Alice’s initial information consists of a description of her local setup only, so that she cannot simulate Bob.

That agents have partial information is common in real-world examples and particularly dramatic in cryptography scenarios. For example, in quantum key distribution protocols, without (C), Alice cannot make the logical step from “Bob publicly announced that his measurement basis was X ” to “I know that Bob’s measurement basis was X .” It is unclear whether Alice and Bob, who in the setting trust each other but otherwise are embedded in an environment controlled by an adversary, can obtain any security guarantee for the distributed key without applying (C) 12 .

But even in the special case where all agents have full information about the global setup, so that (C) could be substituted by (Q), this comes with a complexity overhead. An agent who wants to incorporate knowledge communicated by another agent would need to simulate that agent as a quantum system. In general network scenarios with N agents whose individual predictions may depend on chains of reasoning across several agents, the (classical) memory required for this scales exponentially with N 13 .

Desiderata for resolutions of the paradox

We note that various other suggestions have been made in the recent literature to evade the contradiction in the FR experiment (see 14 , 15 , 16 , 17 , 18 , 19 , 20 for examples). Similarly to Restrictions 1 and 2 above, they postulate constraints on the reasoning rules, notably rules (Q) and (C). Likely, the objections discussed above are also relevant to them. More generally, any proposal to resolve the paradox faces the challenge of finding a fine balance. If the restriction on the reasoning rules is too moderate, they may still yield contradictory conclusions when applied to thought experiments like FR. Conversely, if the reasoning rules are constrained too much, their usability in everyday situations may be affected. To foster further research, we propose a list of desiderata for proposals for modified reasoning rules.

Clear: The proposed reasoning rules should be specified unambiguously (see Objection 1).

Usable: The proposed reasoning rules should be usable by an agent who is a physical system embedded in the physical world and who has only partial information about the world. In particular, the reasoning rules can only depend on information that is physically available to the agent and can be processed with the agent’s physical resources (see Objection 3).

Falsifiable: The proposed reasoning rules should reproduce the predictions of quantum theory in all regimes that have been experimentally tested, including scenarios where individual agents have only partial information about the overall setup. In particular, any data produced by a realistic experiment that would falsify quantum theory should also falsify the reasoning rules.

Consistent: The proposed reasoning rules should apply to any experiment describable within the standard formalism of quantum theory, including thought experiments such as the Wigner’s friend or the FR experiment, and should not yield contradictions.

Physical: The proposed reasoning rules should be physically justifiable; in particular, they should avoid the violation of basic physical principles (see Objection 2).

We urge those who propose modified reasoning rules to circumvent Theorem 1 not to be discouraged by the objections presented here. This is a recent and novel problem, and it is only natural that the appropriate tools to tackle it have not yet been developed. To study and test reasoning rules in view of the desiderata listed above, we leave the reader with two suggestions for such tools. For computational tests, the free software package for quantum thought experiments developed by Nurgalieva, Mathis and ourselves 13 allows a user to formulate bespoke reasoning rules in a computer-readable manner and test them in different experimental settings: the software outputs the predictions of different agents and whether they are contradictory. For a theoretical analysis of Wigner’s friend-type experiments, a promising approach is the framework of Vilasini and Woods 21 (see Supplementary Information ), which enforces an explicit specification of the choice of the Heisenberg cut by the different agents.

Data availability

No data sets were generated or analysed during the current study.

Wigner, E. P. Remarks on the mind-body question. In Symmetries and Reflections , 171–184 (Indiana University Press, 1967). https://doi.org/10.1007/978-3-642-78374-6_20 .

Heisenberg, W. Ist eine deterministische Ergänzung der Quantenmechanik möglich? In Hermann, A., von Meyenn, K. & Weisskopf, V. (eds.) Wolfgang Pauli. Wissenschaftlicher Briefwechsel mit Bohr, Einstein, Heisenberg , vol. II, 409–418 (Springer, 1985).

Frauchiger, D. & Renner, R. Quantum theory cannot consistently describe the use of itself. Nat. Commun. 9 , 3711 (2018).

Article   ADS   PubMed   PubMed Central   Google Scholar  

Brukner, Č. On the quantum measurement problem. In Bertlmann, R. & Zeilinger, A. (eds.) Quantum [Un]Speakables II: Half a Century of Bell’s Theorem , 95–117 (Springer, 2017). https://doi.org/10.1007/978-3-319-38987-5_5 .

Nurgalieva, N. & del Rio, L. Inadequacy of modal logic in quantum settings. Electron. Proc. Theor. Comput. Sci. 287 , 267–297 (2019).

Article   MathSciNet   Google Scholar  

Nurgalieva, N. & Renner, R. Testing quantum theory with thought experiments. Contemporary Phys. 61 , 193–216 (2020).

Article   ADS   Google Scholar  

Nielsen, M. A. & Chuang, I. L. Quantum Computation and Quantum Information (Cambridge University Press, 2010). https://www.cambridge.org/highereducation/books/quantum-computation-and-quantum-information/01E10196D0A682A6AEFFEA52D53BE9AE#overview .

Aaronson, S. It’s hard to think when someone Hadamards your brain (2018). Retrieved from https://scottaaronson.blog/?p=3975 on 19.7.2022.

Polychronakos, A. P. Quantum mechanical rules for observed observers and the consistency of quantum theory (2022).

Bub, J. Understanding the Frauchiger–Renner argument. Foundat. Phys. 51 , 36 (2021).

Article   ADS   MathSciNet   Google Scholar  

Lazarovici, D. & Hubert, M. How quantum mechanics can consistently describe the use of itself. Sci. Rep. 9 , 470 (2019).

Portmann, C. & Renner, R. Security in quantum cryptography. Rev. Mod. Phys. 94 , 025008 (2022).

Nurgalieva, N., Mathis, S., del Rio, L. & Renner, R. Thought experiments in a quantum computer https://arxiv.org/abs/2209.06236 (2022).

Narasimhachar, V. Agents governed by quantum mechanics can use it intersubjectively and consistently https://arxiv.org/abs/2010.01167 (2020).

Waaijer, M. & Neerven, J. V. Relational analysis of the Frauchiger-Renner paradox and interaction-free detection of records from the past. Found. Phys. 51 , 45 (2021).

Żukowski, M. & Markiewicz, M. Physics and metaphysics of Wigner’s friends: even performed premeasurements have no results. Phys. Rev. Lett. 126 , 130402 (2021).

Article   ADS   MathSciNet   PubMed   Google Scholar  

Di Biagio, A. & Rovelli, C. Stable facts, relative facts. Found. Phys. 51 , 30 (2021).

Elouard, C. et al. Quantum erasing the memory of Wigner’s friend. Quantum 5 , 498 (2021).

Article   Google Scholar  

Renes, J. M. Consistency in the description of quantum measurement: Quantum theory can consistently describe the use of itself https://arxiv.org/abs/2107.02193 (2021).

Federico, M. & Grangier, P. A contextually objective approach to the extended Wigner’s friend thought experiment https://arxiv.org/abs/2301.03016 (2023).

Vilasini, V. & Woods, M. P. A general framework for consistent logical reasoning in Wigner’s friend scenarios: subjective perspectives of agents within a single quantum circuit https://arxiv.org/abs/2209.09281 (2022).

Download references

Acknowledgements

We acknowledge support from the Swiss National Science Foundation through SNSF project No. 200021_188541 and the Quantum Center of ETH Zurich. LdR further acknowledges support from the FQXi large grant ‘Consciousness in the Physical World’. LdR is grateful for the hospitality of Perimeter Institute, where part of this work was carried out. Research at Perimeter Institute is supported in part by the Government of Canada through the Department of Innovation, Science and Economic Development and by the Province of Ontario through the Ministry of Colleges and Universities.

Author information

Authors and affiliations.

Institute for Theoretical Physics, ETH Zurich, Zurich, Switzerland

Lídia del Rio & Renato Renner

You can also search for this author in PubMed   Google Scholar

Contributions

L.d.R. and R.R. contributed equally to this work.

Corresponding authors

Correspondence to Lídia del Rio or Renato Renner .

Ethics declarations

Competing interests.

The authors declare no competing interests.

Peer review

Peer review information.

Nature Communications thanks the anonymous reviewer(s) for their contribution to the peer review of this work.

Additional information

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary information

Supplementary information, rights and permissions.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/ .

Reprints and permissions

About this article

Cite this article.

del Rio, L., Renner, R. Reply to: Quantum mechanical rules for observed observers and the consistency of quantum theory. Nat Commun 15 , 3024 (2024). https://doi.org/10.1038/s41467-024-47172-0

Download citation

Received : 15 September 2022

Accepted : 22 March 2024

Published : 09 April 2024

DOI : https://doi.org/10.1038/s41467-024-47172-0

Share this article

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

By submitting a comment you agree to abide by our Terms and Community Guidelines . If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.

Quick links

• Explore articles by subject
• Guide to authors
• Editorial policies

Sign up for the Nature Briefing newsletter — what matters in science, free to your inbox daily.

• Data Centres
• Enterprise Security
• Banking & Finance
• Hospitality
• Manufacturing
• Trade & Logistics
• Case Studies
• Whitepapers
• CIO Middle East

Intelligent CIO North America

Providing Unparalleled Technology Intelligence

VIAVI introduces performance testing for Post-Quantum Cryptography deployments

VIAV has added performance testing capability for Post-Quantum Cryptography (PQC) system deployments.

TeraVM Security Test is trusted by leading network security infrastructure vendors, service providers, research institutes, governments and enterprises to emulate large-scale user endpoint traffic applications over secure access connections while measuring individual traffic flow performance across multiple quality vectors.

Quantum computers have the potential to break public-key cryptography once they begin operating at a large scale – an event not anticipated to occur for several more years.

The US federal government has mandated the migration of all existing public-key cryptographic systems including network security devices such as firewalls and VPN gateways to PQC.

TeraVM is the first cloud-enabled test platform to support PQC algorithms mandated by the US National Institute of Standards and Technology (NIST).

TeraVM Security Test enables benchmarking of the performance of enterprise devices, content delivery networks and endpoints that initiate or terminate IPSec Traffic using PQC. It is a software-based test tool which can be run on commercial-off-the-shelf (COTS) servers or on cloud platforms.

The platform is in wide use by network equipment manufacturers, network operators and research institutes.

“Our customers have announced significant initiatives to secure their networks from post-quantum threats without compromising their users’ workday experience,” said Ian Langley, Senior Vice President and General Manager, Wireless Business Unit, VIAVI.

“TeraVM Security Test will give them confidence in their capabilities through rigorous testing using standardized algorithms, emulated users, real office applications and loaded networks.”

Signup to the Intelligent CIO North America newsletter and never miss out on the latest news

A Lynchpin Media Brand

Privacy Policy

Intelligent Technologies

Intelligent verticals, other regions.

Browse our latest issue

View Magazine Archive