QIRG                                                             C. Wang
Internet-Draft                                                 A. Rahman
Intended status: Informational          InterDigital Communications, LLC
Expires: 21 February 2022                                          R. Li
                                                     Kanazawa University
                                                              M. Aelmans
                                                        Juniper Networks
                                                          K. Chakraborty
                                             The University of Edinburgh
                                                          20 August 2021


             Application Scenarios for the Quantum Internet
             draft-irtf-qirg-quantum-internet-use-cases-08

Abstract

   The Quantum Internet has the potential to improve application
   functionality by incorporating quantum information technology into
   the infrastructure of the overall Internet. This document provides
   an overview of some applications expected to be used on the Quantum
   Internet, and then categorizes them using various classification
   schemes. Some general requirements for the Quantum Internet are also
   discussed. The intent of this document is to describe a framework
   for applications, and describe a few selected application scenarios
   for the Quantum Internet. This document is a product of the Quantum
   Internet Research Group (QIRG).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 February 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document. Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terms and Acronyms List
   3.  Quantum Internet Applications
     3.1.  Overview
     3.2.  Classification by Application Usage
       3.2.1.  Quantum Cryptography Applications
       3.2.2.  Quantum Sensing/Metrology Applications
       3.2.3.  Quantum Computing Applications
     3.3.  Control vs Data Plane Classification
   4.  Selected Quantum Internet Application Scenarios
     4.1.  Secure Communication Setup
     4.2.  Secure Quantum Computing with Privacy Preservation
     4.3.  Distributed Quantum Computing
   5.  General Requirements
     5.1.  Background
     5.2.  Requirements
   6.  Conclusion
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgments
   10. Informative References
   Authors' Addresses

1.  Introduction

   The Classical Internet has been constantly growing since it first
   became commercially popular in the early 1990's. It essentially
   consists of a large number of end-nodes (e.g., laptops, smart phones,
   network servers) connected by routers and clustered in Autonomous
   Systems. The end-nodes may run applications that provide service for
   the end-users such as processing and transmission of voice, video or
   data. The connections between the various nodes in the Internet
   include backbone links (e.g., fiber optics) and access links (e.g.,
   WiFi, cellular wireless, Digital Subscriber Lines (DSLs)). Bits are
   transmitted across the Classical Internet in packets.

   Research and experiments have picked up over the last few years for
   developing the Quantum Internet [Wehner]. End-nodes will also be
   part of the Quantum Internet, in that case called quantum end-nodes
   that may be connected by quantum repeaters/routers. These quantum
   end-nodes will also run value-added applications which will be
   discussed later.

   The connections between the various nodes in the Quantum Internet are
   expected to be primarily fiber optics and free-space optical lasers.
   Photonic connections are particularly useful because light (photons)
   is very suitable for physically realizing qubits. Qubits are
   expected to be transmitted across the Quantum Internet. The Quantum
   Internet will operate according to quantum physical principles such
   as quantum superposition and entanglement [I-D.irtf-qirg-principles].

   The Quantum Internet is not anticipated to replace, but rather to
   enhance the Classical Internet. For instance, quantum key
   distribution can improve the security of the Classical Internet; the
   powerful computation capability of quantum computing can expedite and
   optimize computation-intensive tasks (e.g., routing modelling) in the
   Classical Internet.
   The Quantum Internet will run in conjunction with the Classical
   Internet to form a new Hybrid Internet. The process of integrating
   the Quantum Internet with the Classical Internet is similar to, but
   has more profound implications than, the process of introducing any
   new communication and networking paradigm into the existing
   Internet. The intent of this document is to provide a common
   understanding and framework of applications and application
   scenarios for the Quantum Internet.

   This document represents the consensus of the Quantum Internet
   Research Group (QIRG). It has been reviewed extensively by Research
   Group (RG) members with expertise in both quantum physics and
   Classical Internet operation.

2.  Terms and Acronyms List

   This document assumes that the reader is familiar with the quantum
   information technology related terms and concepts that are described
   in [I-D.irtf-qirg-principles]. In addition, the following terms and
   acronyms are defined herein for clarity:

   *  Bell-Pairs - A special type of two-qubit quantum state. The two
      qubits show a correlation that cannot be observed in classical
      information theory. We refer to such correlation as quantum
      entanglement. Bell-pairs exhibit the maximal quantum
      entanglement. One example of a Bell-pair is
      (|00>+|11>)/(Sqrt(2)). The Bell-pairs are a fundamental resource
      for quantum communication.

   *  Bit - Binary Digit (i.e., fundamental unit of information in
      classical communications and classical computing).

   *  Classical Internet - The existing, deployed Internet (circa 2020)
      where bits are transmitted in packets between nodes to convey
      information. The Classical Internet supports applications which
      may be enhanced by the Quantum Internet. For example, the
      end-to-end security of a Classical Internet application may be
      improved by secure communication setup using a quantum
      application.

   *  Entanglement Swapping - A process of sharing an entanglement
      between two distant parties via some intermediate nodes. For
      example, suppose there are three parties A, B, C, and each of the
      parties (A, B) and (B, C) share Bell-pairs. B can use the qubits
      it shares with A and C to perform entanglement swapping
      operations, and as a result, A and C share Bell-pairs.

   *  Fast Byzantine Negotiation - A Quantum-based method for fast
      agreement in Byzantine negotiations [Ben-Or] [Taherkhani].

   *  Hybrid Internet - The "new" or evolved Internet to be formed due
      to a merger of the Classical Internet and the Quantum Internet.

   *  Local Operations and Classical Communication (LOCC) - A method
      where nodes communicate in rounds, in which (1) they can send any
      classical information to each other; (2) they can perform local
      quantum operations individually; and (3) the actions performed in
      each round can depend on the results from previous rounds.

   *  Noisy Intermediate-Scale Quantum (NISQ) - NISQ was defined in
      [Preskill] to represent a near-term era in quantum technology.
      According to this definition, NISQ computers have two salient
      features: (1) The size of NISQ computers ranges from 50 to a few
      hundred physical qubits (i.e., intermediate-scale); and (2) Qubits
      in NISQ computers have inherent errors and the control over them
      is imperfect (i.e., noisy).

   *  Packet - Formatted unit of multiple related bits. The bits
      contained in a packet may be classical bits, or the measured state
      of qubits expressed in classical bits.

   *  Prepare-and-Measure - A set of Quantum Internet scenarios where
      quantum nodes only support simple quantum functionalities (i.e.,
      prepare qubits and measure qubits). For example, BB84 [BB84] is a
      prepare-and-measure quantum key distribution protocol.

   *  Quantum Computer (QC) - A quantum end-node that also has quantum
      memory and quantum computing capabilities is regarded as a
      full-fledged quantum computer.

   *  Quantum End-node - An end-node hosts user applications and
      interfaces with the rest of the Internet. Typically, an end-node
      may serve in a client, server, or peer-to-peer role as part of the
      application. If the end-node is part of a Quantum Network (i.e.,
      is a quantum end-node), it must be able to generate/transmit and
      receive/process qubits. A quantum end-node must also be able to
      interface to the Classical Internet for control purposes and thus
      also be able to receive, process, and transmit classical
      bits/packets.

   *  Quantum Internet - A network of Quantum Networks. The Quantum
      Internet is expected to be merged into the Classical Internet to
      form a new Hybrid Internet. The Quantum Internet may either
      improve classical applications or may enable new quantum
      applications.

   *  Quantum Key Distribution (QKD) - A method that leverages quantum
      mechanics such as the no-cloning theorem to let two parties (e.g.,
      a sender and a receiver) securely establish/agree on a key.

   *  Quantum Network - A new type of network enabled by quantum
      information technology where qubits are transmitted between nodes
      to convey information. (Note: qubits must be sent individually
      and not in packets). The Quantum Network will use both quantum
      channels, and classical channels provided by the Classical
      Internet.

   *  Quantum Teleportation - A technique for transferring quantum
      information via local operations and classical communication
      (LOCC). If two parties share a Bell-pair, then using quantum
      teleportation a sender can transfer a quantum data bit to a
      receiver without sending it physically via a quantum communication
      channel.

   *  Qubit - Quantum Bit (i.e., fundamental unit of information in
      quantum communication and quantum computing). It is similar to a
      classic bit in that the state of a qubit is either "0" or "1"
      after it is measured, and is denoted as its basis state vector |0>
      or |1>. However, the qubit is different from a classic bit in
      that the qubit can be in a linear combination of both states
      before it is measured, and is then termed to be in superposition.
      The Degrees of Freedom (DOF) of a photon (e.g., polarization) or
      an electron (e.g., spin) can be used to encode a qubit.

3.  Quantum Internet Applications

3.1.  Overview

   The Quantum Internet is expected to be beneficial for a subset of
   existing and new applications. The expected applications for the
   Quantum Internet are still being developed as we are in the formative
   stages of the Quantum Internet [Castelvecchi] [Wehner]. However, an
   initial (and non-exhaustive) list of the applications to be supported
   on the Quantum Internet can be identified and classified using two
   different schemes. Note, this document does not include quantum
   computing applications that are purely local to a given node (e.g.,
   quantum random number generator).

3.2.  Classification by Application Usage

   Applications may be grouped by the usage that they serve.
   Specifically, applications may be grouped according to the following
   categories:

   *  Quantum cryptography applications - Refers to the use of quantum
      information technology for cryptographic tasks such as quantum key
      distribution and quantum commitment.

   *  Quantum sensor applications - Refers to the use of quantum
      information technology for supporting distributed sensors (e.g.,
      clock synchronization).

   *  Quantum computing applications - Refers to the use of quantum
      information technology for supporting remote quantum computing
      facilities (e.g., distributed quantum computing).

   This scheme can be easily understood by both a technical and
   non-technical audience. The next sections describe the scheme in
   more detail.

3.2.1.  Quantum Cryptography Applications

   Examples of quantum cryptography applications include quantum-based
   secure communication setup and fast Byzantine negotiation.

   1.  Secure communication setup - Refers to secure cryptographic key
       distribution between two or more end-nodes. The most well-known
       method is referred to as Quantum Key Distribution (QKD) [Renner],
       which has been mathematically proven to be unbreakable.

   2.  Fast Byzantine negotiation - Refers to a Quantum-based method for
       fast agreement in Byzantine negotiations [Ben-Or], for example,
       to reduce the number of expected communication rounds and in turn
       achieve faster agreement, in contrast to classical Byzantine
       negotiations. A quantum aided Byzantine agreement on quantum
       repeater networks as proposed in [Taherkhani] includes
       optimization techniques to greatly reduce the quantum circuit
       depth and the number of qubits in each node. Quantum-based
       methods for fast agreement in Byzantine negotiations can be used
       for improving consensus protocols such as practical Byzantine
       Fault Tolerance (pBFT), as well as other distributed computing
       features which use Byzantine negotiations.

   3.  Quantum money - The main security requirement of money is
       unforgeability. A quantum money scheme aims to fulfill this
       requirement by exploiting the no-cloning property of unknown
       quantum states. Though the original idea of quantum money dates
       back to 1970, these early protocols allow only the issuing bank
       to verify a quantum banknote. However, the recent protocols that
       are called public-key quantum money [Zhandry] allow anyone to
       verify the banknotes locally.

3.2.2.  Quantum Sensing/Metrology Applications

   Properties such as entanglement, superposition, interference, and
   squeezing can enhance the sensitivity of quantum sensors, which can
   eventually outperform classical strategies. Examples of quantum
   sensor applications include network clock synchronization, high
   sensitivity sensing, quantum imaging, etc. These applications mainly
   leverage a network of entangled quantum sensors (i.e., quantum sensor
   networks) for high-precision multi-parameter estimation [Proctor].

   1.  Network clock synchronization - Refers to a world wide set of
       atomic clocks connected by the Quantum Internet to achieve an
       ultra precise clock signal [Komar] with fundamental precision
       limits set by quantum theory.

   2.  High sensitivity sensing - Refers to applications that leverage
       quantum phenomena to achieve reliable nanoscale sensing of
       physical magnitudes. For example, [Guo] uses an entangled
       quantum network for measuring the average phase shift among
       multiple distributed nodes.

   3.  Quantum imaging - The highly sensitive quantum sensors show great
       potential in improving the domain of magnetoencephalography.
       Unlike the current classical strategies, with the help of a
       network of quantum sensors, it is possible to measure the
       magnetic fields generated by the flow of current through neuronal
       assemblies in the brain while the subject is moving. It reveals
       the dynamics of the networks of neurons inside the human brain on
       a millisecond timescale. This kind of imaging capability could
       improve the diagnosis and monitoring of conditions like
       attention-deficit-hyperactivity disorder [Hill].

3.2.3.  Quantum Computing Applications

   In this section, we include the applications for quantum computing.
   Note that, for the next couple of years we will have quantum
   computers as a cloud service.
   Sometimes, to run such applications in the cloud while preserving
   privacy, the client and the server need to exchange qubits.
   Therefore, such privacy preserving quantum computing applications
   require a quantum internet to execute.

   Examples of quantum computing applications include distributed
   quantum computing and secure quantum computing with privacy
   preservation, which can enable new types of cloud computing.

   1.  Distributed quantum computing - Refers to a collection of remote
       small capacity quantum computers (i.e., each supporting a
       relatively small number of qubits) that are connected and working
       together in a coordinated fashion so as to simulate a virtual
       large capacity quantum computer [Wehner].

   2.  Secure quantum computing with privacy preservation - Refers to
       private, or blind, quantum computation, which provides a way for
       a client to delegate a computation task to one or more remote
       quantum computers without disclosing the source data to be
       computed over [Fitzsimons].

   3.  Quantum chemistry - Quantum chemistry is one of the most
       promising quantum computing applications that can outperform the
       classical strategy using quantum computers of only a few hundred
       qubits. Using NISQ devices, quantum algorithms manage to
       determine the molecular energies of small molecules within
       chemical accuracy [YudongCao]. However, due to the short
       coherence time of the quantum devices, it is still difficult to
       simulate larger molecules.

3.3.  Control vs Data Plane Classification

   The majority of routers currently used in the Classical Internet
   separate control plane functionality and data plane functionality
   for, amongst other reasons, stability, capacity and security. In
   order to classify applications for the Quantum Internet, a somewhat
   similar distinction can be made.
   Specifically, some applications can be classified as being
   responsible for initiating sessions and performing other control
   plane functionality (including management functionalities too).
   Other applications carry application or user data and can be
   classified as data plane functionality.

   Some examples of what may be called control plane applications in the
   Classical Internet are Domain Name System (DNS), Session Initiation
   Protocol (SIP), and Internet Control Message Protocol (ICMP).
   Furthermore, examples of data plane applications are E-mail, web
   browsing, and video streaming. Note that some applications may
   require both control plane and data plane functionality. For
   example, a Voice over IP (VoIP) application may use SIP to set up the
   call and then transmit the VoIP user packets over the data plane to
   the other party.

   Similarly, nodes in Quantum Internet applications may also use the
   classification paradigm of control plane functionality versus data
   plane functionality where:

   *  Control Plane - Network functions and processes that operate on
      (1) control bits/packets or qubits (e.g., to set up end-user
      encryption); or (2) management bits/packets or qubits (e.g., to
      configure nodes). For example, a quantum ping could be
      implemented as a control plane application to test and verify if
      there is a quantum connection between two quantum nodes. Another
      example is quantum superdense coding (which is used to transmit
      two classical bits by sending only one qubit). This approach does
      not need classical channels. Quantum superdense coding can be
      leveraged to implement a secret sharing application to share
      secrets between two parties [ChuanWang]. This secret sharing
      application based on quantum superdense encoding can be classified
      as control plane functionality.

   *  Data Plane - Network functions and processes that operate on
      end-user application bits/packets or qubits (e.g., voice, video,
      data). Sometimes also referred to as the user plane. For
      example, a data plane application can be video conferencing, which
      uses QKD-based secure communication setup (which is a control
      plane function) to share a classical secret key for encrypting and
      decrypting video frames.

   As shown in the table in Figure 1, control and data plane
   applications vary for different types of networks. For a standalone
   Quantum Network (i.e., that is not integrated into the Internet),
   entangled qubits are its "data" and thus entanglement distribution
   can be regarded as its data plane application, while the signalling
   for controlling entanglement distribution can be considered as its
   control plane. However, looking at the Quantum Internet, QKD-based
   secure communication setup, which may be based on and leverage
   entanglement distribution, is in fact a control plane application,
   while video conference using QKD-based secure communication setup is
   a data plane application. In the future, two data planes may exist,
   respectively for Quantum Internet and Classical Internet, while one
   control plane can be leveraged for both Quantum Internet and
   Classical Internet.

   +----------+------------+----------------+----------------------+
   |          | Classical  | Quantum        | Hybrid               |
   |          | Internet   | Internet       | Internet             |
   |          | Examples   | Examples       | Examples             |
   +----------+------------+----------------+----------------------+
   | Control  | ICMP;      | Quantum ping;  | QKD-based secure     |
   | Plane    | DNS        | Signalling for | communication        |
   |          |            | controlling    | setup                |
   |          |            | entanglement   |                      |
   |          |            | distribution   |                      |
   +----------+------------+----------------+----------------------+
   | Data     | Video      | QKD;           | Video conference     |
   | Plane    | conference | Entanglement   | using QKD-based      |
   |          |            | distribution   | secure communication |
   |          |            |                | setup                |
   +----------+------------+----------------+----------------------+

        Figure 1: Examples of Control vs Data Plane Classification

4.  Selected Quantum Internet Application Scenarios

   The Quantum Internet will support a variety of applications and
   deployment configurations. This section details a few key
   application scenarios which illustrate the benefits of the Quantum
   Internet. In system engineering, an application scenario is
   typically made up of a set of possible sequences of interactions
   between nodes and users in a particular environment and related to a
   particular goal. This will be the definition that we use in this
   section.

4.1.  Secure Communication Setup

   In this scenario, two banks (i.e., Bank #1 and Bank #2) need to have
   secure communications for transmitting important financial
   transaction records (see Figure 2). For this purpose, they first
   need to securely share a classic secret cryptographic key (i.e., a
   sequence of classical bits), which is triggered by an end-user banker
   at Bank #1. This results in a source quantum node A at Bank #1
   securely establishing a classical secret key with a destination
   quantum node B at Bank #2. This is referred to as a secure
   communication setup.
   Note that quantum nodes A and B may each be either a bare-bone
   quantum end-node or a full-fledged quantum computer. This
   application scenario shows that the Quantum Internet can be leveraged
   to improve the security of Classical Internet applications, of which
   the financial application shown in Figure 2 is an example.

   One requirement for this secure communication setup process is that
   it should not be vulnerable to any classical or quantum computing
   attack. This can be realized using QKD, which has been
   mathematically proven to be information-theoretically secure and
   unbreakable. QKD can securely establish a secret key between two
   quantum nodes, using a classical authentication channel and an
   insecure quantum communication channel, without physically
   transmitting the key through the network, thus achieving the
   required security. However, care must be taken to ensure that the
   QKD system is safe against physical side channel attacks which can
   compromise the system. An example of a physical side channel attack
   is when an attacker is able to surreptitiously inject additional
   light into the optical devices used in QKD to learn side information
   about the system such as the polarization. Other specialized
   physical attacks against QKD that also use a classical
   authentication channel and an insecure quantum communication channel
   include the phase-remapping attack, photon number splitting attack,
   and decoy state attack [Zhao].

   QKD is the most mature feature of the quantum information technology,
   and has been commercially released in small-scale and short-distance
   deployments. More QKD use cases are described in ETSI documents
   [ETSI-QKD-UseCases]; in addition, the ETSI document
   [ETSI-QKD-Interfaces] specifies interfaces between QKD users and QKD
   devices.

   In general, prepare-and-measure QKD protocols (e.g., [BB84]) that do
   not use entanglement work as follows:

   1.  The source quantum node A encodes classical bits to qubits.
       Basically, the source node A generates two random classical bit
       strings X, Y. Among them, it uses the bit string X to choose the
       basis and uses Y to choose the state corresponding to the chosen
       basis. For example, if X=0 then in case of BB84 protocol Alice
       prepares the state in {|0>, |1>}-basis; otherwise she prepares
       the state in {|+>, |->}-basis. Similarly, if Y=0 then Alice
       prepares the qubit as either |0> or |+> (depending on the value
       of X), and if Y=1, then Alice prepares the qubit as either |1>
       or |->.

   2.  The source quantum node A sends qubits to the destination quantum
       node B via quantum channel.

   3.  The destination quantum node receives qubits and measures each of
       them in one of the two bases at random.

   4.  The destination quantum node informs the source node of its
       choice of basis for each qubit.

   5.  The source quantum node informs the destination node which random
       quantum basis is correct.

   6.  Both nodes discard any measurement bits obtained under different
       quantum bases; the remaining bits could be used as the secret
       key. Before generating the final secret key, there is a
       post-processing procedure over authenticated classical channels.
       The classical post-processing part can be subdivided into three
       steps, namely parameter estimation, error-correction, and privacy
       amplification. In the parameter estimation phase, both Alice and
       Bob use some of the bits to estimate the channel error. If it is
       larger than some threshold value, they abort the protocol;
       otherwise, they move to the error-correction phase. Basically,
       if an eavesdropper tries to intercept and read qubits sent from
       node A to node B, the eavesdropper will be detected due to the
       entropic uncertainty relation property of quantum mechanics.
       As a part of the post-processing procedure, both nodes usually
       also perform information reconciliation [Elkouss] for efficient
       error correction and/or conduct privacy amplification [BTang] for
       generating the final information-theoretical secure keys.

   7.  The post-processing procedure needs to be performed over an
       authenticated classical channel. In other words, the source
       quantum node and the destination quantum node need to
       authenticate the classical channel to make sure there are no
       eavesdroppers or man-in-the-middle attacks, according to certain
       authentication protocols such as [Kiktenko]. In [Kiktenko], the
       authenticity of the classical channel is checked at the very end
       of the post-processing procedure instead of doing it for each
       classical message exchanged between the quantum source node and
       the quantum destination node.

   It is worth noting that:

   1.  There are some entanglement-based QKD protocols such as
       [Treiber], which work differently than the above steps. The
       entanglement-based schemes, where entangled states are prepared
       externally to the source quantum node and the destination quantum
       node, are not normally considered "prepare-and-measure" as
       defined in [Wehner]; other entanglement-based schemes, where
       entanglement is generated within the source quantum node, can
       still be considered "prepare-and-measure"; send-and-return
       schemes can still be "prepare-and-measure", if the information
       content, from which keys will be derived, is prepared within the
       source quantum node before being sent to the destination quantum
       node for measurement.

   2.  There are many enhanced QKD protocols based on [BB84]. For
       example, a series of loopholes have been identified due to the
       imperfections of measurement devices; there are several solutions
       to take into account these attacks such as
       measurement-device-independent QKD [PZhang].
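   Steps 1 to 6 of the prepare-and-measure procedure above can be
   followed in the sketch below, which is an added example and not part
   of the draft: a classical simulation of ideal BB84 measurement
   statistics that sifts the key, estimates the error rate, and aborts
   when an eavesdropper has measured the qubits in transit. The names
   bb84 and measure, the 11% abort threshold, the disclosure of half of
   the sifted bits, the noiseless channel and the measure-and-forward
   eavesdropper model are assumptions of the example; error correction,
   privacy amplification and authentication of the classical channel
   are not modelled.

```python
import random


def measure(state, basis, rng):
    """Ideal measurement of a BB84 state given as (preparation basis, bit).

    Same basis: the encoded bit comes back with certainty.
    Other basis: the outcome is a fair coin flip.
    """
    prep_basis, bit = state
    return bit if basis == prep_basis else rng.randrange(2)


def bb84(n_qubits, eavesdropper=False, seed=0, qber_threshold=0.11):
    """Run steps 1-6 once; return sifting and parameter-estimation results."""
    rng = random.Random(seed)

    # Step 1: node A draws X (basis: 0 = {|0>,|1>}, 1 = {|+>,|->}) and
    # Y (which of the two states of that basis is prepared).
    x = [rng.randrange(2) for _ in range(n_qubits)]
    y = [rng.randrange(2) for _ in range(n_qubits)]

    # Step 2: the qubits cross the insecure quantum channel.
    in_flight = list(zip(x, y))
    if eavesdropper:
        # Assumed adversary model: measure each qubit in a random basis and
        # forward a fresh qubit prepared from the observed result.
        forwarded = []
        for state in in_flight:
            eve_basis = rng.randrange(2)
            forwarded.append((eve_basis, measure(state, eve_basis, rng)))
        in_flight = forwarded

    # Step 3: node B measures every qubit in a randomly chosen basis.
    b_basis = [rng.randrange(2) for _ in range(n_qubits)]
    b_bits = [measure(s, b, rng) for s, b in zip(in_flight, b_basis)]

    # Steps 4-5: bases (never bit values) are compared over the classical
    # channel; positions measured in a different basis are discarded.
    kept = [i for i in range(n_qubits) if x[i] == b_basis[i]]
    a_sift = [y[i] for i in kept]
    b_sift = [b_bits[i] for i in kept]

    # Step 6, parameter estimation: disclose a random half of the sifted
    # bits, count disagreements, and abort above the threshold.
    order = list(range(len(kept)))
    rng.shuffle(order)
    half = len(order) // 2
    sample, rest = order[:half], order[half:]
    errors = sum(a_sift[i] != b_sift[i] for i in sample)
    qber = errors / len(sample) if sample else 1.0
    aborted = qber > qber_threshold

    return {
        "sifted": len(kept),
        "qber": qber,
        "aborted": aborted,
        # Disclosed bits are never reused; nothing is kept after an abort.
        "a_key": [] if aborted else [a_sift[i] for i in rest],
        "b_key": [] if aborted else [b_sift[i] for i in rest],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(2000, eavesdropper=eve, seed=1)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"qber={r['qber']:.3f} aborted={r['aborted']} "
              f"raw key bits={len(r['a_key'])}")
```

   In this model a measure-and-forward eavesdropper picks the wrong
   basis half of the time and then causes an error half of the time, so
   the estimated error rate sits near 25% and the run is aborted.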
       These enhanced QKD protocols can work differently than the steps
       of the BB84 protocol [BB84].

   3.  For large-scale QKD, QKD Networks (QKDN) are required, which can
       be regarded as a subset of a Quantum Internet. A QKDN may
       consist of a QKD application layer, a QKD network layer, and a
       QKD link layer [Qin]. One or multiple trusted QKD relays
       [QZhang] may exist between the source quantum node A and the
       destination quantum node B, which are connected by a QKDN.
       Alternatively, a QKDN may rely on entanglement distribution and
       entanglement-based QKD protocols; as a result,
       quantum-repeaters/routers instead of trusted QKD relays are
       needed for large-scale QKD.

   4.  Although the addresses of Source Quantum Node A and Destination
       Quantum Node B could be identified and exposed, the identity of
       users, who will use the secret cryptographic key for secure
       communications, will not necessarily be exposed during the QKD
       process. In other words, there is no direct mapping from the
       addresses of quantum nodes to the user identity; as a result, QKD
       protocols do not disclose user identities.

   5.  QKD provides an information-theoretical way to share secret keys
       between two parties in the presence of Eve. However, this is true
       in theory, and there is a significant gap between theory and
       practice. By exploiting the imperfection of the detectors, Eve
       can gain information about the shared key [FeihuXu]. To avoid
       such side-channel attacks, the researchers in [Lo] provide a QKD
       protocol called Measurement Device-Independent (MDI) QKD that
       allows two users (a transmitter "Alice" and a receiver "Bob") to
       communicate with perfect security, even if the (measurement)
       hardware they are using has been tampered with (e.g., by an
       eavesdropper) and thus is not trusted. It is achieved by
       measuring correlations between signals from Alice and Bob rather
       than the actual signals themselves.

   6.
       QKD protocols based on Continuous Variable (CV-QKD) have recently
       seen plenty of interest as it only requires telecommunications
       equipment that is readily available and is also in common use
       industry-wide. This kind of technology is a potentially
       high-performance technique for secure key distribution over
       limited distances. The recent demonstration of CV-QKD shows
       compatibility with classical coherent detection schemes that are
       widely used for high bandwidth classical communication systems
       [Grosshans]. Note that we still do not have a quantum repeater
       for the continuous variable systems; hence, this kind of QKD
       technology can be used for the short distance communications or
       trusted relay-based QKD networks.

   As a result, the Quantum Internet in Figure 2 contains quantum
   channels. And in order to support secure communication setup
   especially in large-scale deployment, it also requires entanglement
   generation and entanglement distribution
   [I-D.van-meter-qirg-quantum-connection-setup], quantum
   repeaters/routers, and/or trusted QKD relays.

    +---------------+
    |   End User    |
    |(e.g., Banker) |
    +---------------+
            ^
            | User Interface
            | (e.g., GUI)
            V
   +-----------------+     /--------\     +-----------------+
   |                 |--->( Quantum  )--->|                 |
   |     Source      |    ( Internet )    |   Destination   |
   |     Quantum     |     \--------/     |     Quantum     |
   |     Node A      |                    |     Node B      |
   | (e.g., Bank #1) |     /--------\     | (e.g., Bank #2) |
   |                 |    ( Classical)    |                 |
   |                 |<-->( Internet )<-->|                 |
   +-----------------+     \--------/     +-----------------+

                Figure 2: Secure Communication Setup

4.2.  Secure Quantum Computing with Privacy Preservation

   Secure computation with privacy preservation refers to the following
   scenario:

   1.  A client node with source data delegates the computation of the
       source data to a remote computation node (i.e. a server).

   2.
       Furthermore, the client node does not want to disclose any source
       data to the remote computation node and thus preserves the source
       data privacy.

   3.  Note that there is no assumption or guarantee that the remote
       computation node is a trusted entity from the source data privacy
       perspective.

   As an example illustrated in Figure 3, a terminal node such as a home
   gateway has collected lots of data and needs to perform computation
   on the data. The terminal node could be a classical node without any
   quantum capability, a bare-bone quantum end-node or a full-fledged
   quantum computer. The terminal node has insufficient computing power
   and needs to offload data computation to some remote nodes. Although
   the terminal node can upload the data to the cloud to leverage cloud
   computing without introducing local computing overhead, uploading the
   data to the cloud can cause privacy concerns. In this particular
   case, there is no privacy concern since the source data will not be
   sent to the remote computation node which could be compromised. Many
   protocols as described in [Fitzsimons] for delegated quantum
   computing or Blind Quantum Computation (BQC) can be leveraged to
   realize secure delegated computation and guarantee privacy
   preservation simultaneously.

   As a new client/server computation model, BQC generally enables: 1)
   The client delegates a computation function to the server; 2) The
   client does not send original qubits to the server, but sends
   transformed qubits to the server; 3) The computation function is
   performed at the server on the transformed qubits to generate
   temporary result qubits, which could be quantum-circuit-based
   computation or measurement-based quantum computation. The server
   sends the temporary result qubits to the client; 4) The client
   receives the temporary result qubits and transforms them to the final
   result qubits.
   During this process, the server can not figure out the original
   qubits from the transformed qubits. Also, it will not take too much
   effort on the client side to transform the original qubits to the
   transformed qubits, or transform the temporary result qubits to the
   final result qubits. One of the very first BQC protocols such as
   [Childs] follows this process, although the client needs some basic
   quantum features such as quantum memory, qubit preparation and
   measurement, and qubit transmission. Measurement-based quantum
   computation is out of the scope of this document and more details
   about it can be found in [Jozsa].

   It is worth noting that:

   1.  The BQC protocol in [Childs] is a circuit-based BQC model, where
       the client only performs a simple quantum circuit for qubit
       transformation, while the server performs a sequence of quantum
       logic gates. Qubits are transmitted back and forth between the
       client and the server.

   2.  Universal BQC in [Broadbent] is a measurement-based BQC model,
       which is based on measurement-based quantum computing leveraging
       entangled states. The principle in UBQC is based on the fact that
       quantum teleportation plus a rotated Bell measurement realizes a
       quantum computation, which can be repeated multiple times to
       realize a sequence of quantum computation. In this approach, the
       client first prepares transformed qubits and sends them to the
       server and the server needs first to prepare entangled states
       from all received qubits. Then, multiple interaction and
       measurement rounds happen between the client and the server.
       For each round, the client computes and sends new measurement
       instructions or measurement adaptations to the server; then, the
       server performs the measurement according to the received
       measurement instructions to generate measurement results (in
       qubits or in classical bits); the client receives the measurement
       results and transforms them to the final results.

   3.  A hybrid universal BQC is proposed in [XZhang], where the server
       performs both quantum circuits like [Childs] and quantum
       measurements like [Broadbent] to reduce the number of required
       entangled states in [Broadbent]. Also, the client is much
       simpler than the client in [Childs]. This hybrid BQC is a
       combination of circuit-based BQC model and measurement-based BQC
       model.

   4.  It will be ideal if the client in BQC is a purely classical
       client, which only needs to interact with the server using
       classical channel and communications. [HHuang] demonstrates such
       an approach, where a classical client leverages two entangled
       servers to perform BQC, with the assumption that both servers can
       not communicate with each other; otherwise, the blindness or
       privacy of the client can not be guaranteed. The scenario as
       demonstrated in [HHuang] is essentially an example of BQC with
       multiple servers.

   5.  How to verify that the server will perform what the client
       requests or expects is an important issue in many BQC protocols,
       referred to as verifiable BQC. [Fitzsimons] discusses this issue
       and compares it in various BQC protocols.

   In Figure 3, the Quantum Internet contains quantum channels and
   quantum repeaters/routers for long-distance qubits transmission
   [I-D.irtf-qirg-principles].
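
The four-step BQC flow described above (transform the qubits, let the server compute on the transformed qubits, return the temporary result, undo the transformation) can be simulated for one qubit. This is an added example, not code from the draft or from [Childs]: it assumes the transformation is a random Pauli mask X^a Z^b and that the server applies only H, S, X and Z gates, and every function name in it is hypothetical.

```python
import itertools
import math
import secrets

_R = 1 / math.sqrt(2)
# Single-qubit gates as 2x2 matrices (tuple of rows).
GATES = {
    "H": ((_R, _R), (_R, -_R)),
    "S": ((1, 0), (0, 1j)),
    "X": ((0, 1), (1, 0)),
    "Z": ((1, 0), (0, -1)),
}


def apply(gate, state):
    """Multiply a 2x2 matrix by a 2-component state vector."""
    return (gate[0][0] * state[0] + gate[0][1] * state[1],
            gate[1][0] * state[0] + gate[1][1] * state[1])


def pauli_mask(state, a, b):
    """Client transformation (assumed here): apply X^a Z^b, Z first."""
    if b:
        state = apply(GATES["Z"], state)
    if a:
        state = apply(GATES["X"], state)
    return state


def pauli_unmask(state, a, b):
    """Inverse of pauli_mask: apply Z^b X^a, X first."""
    if a:
        state = apply(GATES["X"], state)
    if b:
        state = apply(GATES["Z"], state)
    return state


def update_key(gate_name, a, b):
    """Client bookkeeping: how each gate moves the mask through the circuit.

    H swaps the X and Z parts; S turns X into Y = iXZ, so the Z bit picks
    up the X bit; X and Z pass through the mask up to a sign. Global
    phases are dropped because they cannot be observed.
    """
    if gate_name == "H":
        return b, a
    if gate_name == "S":
        return a, a ^ b
    if gate_name in ("X", "Z"):
        return a, b
    raise ValueError(f"no key-update rule for gate {gate_name!r}")


def server_run(circuit, state):
    """Untrusted server: applies the requested gates to whatever it holds."""
    for name in circuit:
        state = apply(GATES[name], state)
    return state


def delegate(psi, circuit, key=None):
    """Mask the input, let the server compute, then unmask the result."""
    if key is None:
        key = (secrets.randbelow(2), secrets.randbelow(2))
    a, b = key
    temporary_result = server_run(circuit, pauli_mask(psi, a, b))
    for name in circuit:
        a, b = update_key(name, a, b)
    return pauli_unmask(temporary_result, a, b)


def fidelity(u, v):
    """|<u|v>|^2, which is 1 when two states differ only by a global phase."""
    inner = u[0].conjugate() * v[0] + u[1].conjugate() * v[1]
    return abs(inner) ** 2


def server_view(psi):
    """Density matrix of the masked qubit averaged over the four keys."""
    rho = [[0j, 0j], [0j, 0j]]
    for a, b in itertools.product((0, 1), repeat=2):
        masked = pauli_mask(psi, a, b)
        for i in range(2):
            for j in range(2):
                rho[i][j] += masked[i] * masked[j].conjugate() / 4
    return rho


if __name__ == "__main__":
    psi = (0.6, 0.8j)                 # constructed sample input state
    circuit = ["H", "S", "H"]         # constructed sample computation
    result = delegate(psi, circuit)
    print("fidelity with the unmasked computation:",
          round(fidelity(result, server_run(circuit, psi)), 9))
    print("server's view of the input:", server_view(psi))
```

For every key the unmasked result matches the computation on the original qubit, while the key-averaged state the server holds is the maximally mixed state whatever the input was.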

   +----------------+     /--------\     +----------------+
   |                |--->( Quantum  )--->|                |
   |                |    ( Internet )    |     Remote     |
   |    Terminal    |     \--------/     |  Computation   |
   |      Node      |                    |      Node      |
   |  (e.g., Home   |     /--------\     |   (e.g., QC    |
   |    Gateway)    |    ( Classical)    |   in Cloud)    |
   |                |<-->( Internet )<-->|                |
   +----------------+     \--------/     +----------------+

     Figure 3: Secure Quantum Computing with Privacy Preservation

4.3.  Distributed Quantum Computing

   There can be two types of distributed quantum computing [Denchev]:

   1.  Leverage quantum mechanics to enhance classical distributed
       computing problems. For example, entangled quantum states can be
       exploited to improve leader election in classical distributed
       computing, by simply measuring the entangled quantum states at
       each party (e.g., a node or a device) without introducing any
       classical communications among distributed parties [Pal].
       Normally, pre-shared entanglement needs to first be established
       among distributed parties, followed by LOCC operations at each
       party. And it generally does not need to transmit qubits among
       distributed parties.

   2.  Distribute quantum computing functions to distributed quantum
       computers. A quantum computing task or function (e.g., quantum
       gates) is split and distributed to multiple physically separate
       quantum computers. And it may or may not need to transmit qubits
       (either inputs or outputs) among those distributed quantum
       computers. Pre-shared entangled states may be needed to transmit
       quantum states among distributed quantum computers without using
       quantum communications, similar to quantum teleportation. For
       example, [Gottesman] and [Eisert] have proved that a CNOT gate
       can be realized jointly by and distributed to multiple quantum
       computers. The rest of this section focuses on this type of
       distributed quantum computing.

   As a scenario for the second type of distributed quantum computing,
   Noisy Intermediate-Scale Quantum (NISQ) computers distributed in
   different locations are available for sharing. According to the
   definition in [Preskill], a NISQ computer can only realize a small
   number of qubits and has limited quantum error correction. In order
   to gain higher computation power before fully-fledged quantum
   computers become available, NISQ computers can be connected via
   classical and quantum channels. This scenario is referred to as
   distributed quantum computing [Caleffi] [Cacciapuoti01]
   [Cacciapuoti02]. This application scenario reflects the vastly
   increased computing power which quantum computers as a part of the
   Quantum Internet can bring, in contrast to classical computers in the
   Classical Internet, in the context of distributed quantum computing
   ecosystem [Cuomo]. According to [Cuomo], quantum teleportation
   enables a new communication paradigm, referred to as teledata
   [VanMeter01], which moves quantum states among qubits to distributed
   quantum computers. In addition, distributed quantum computation also
   needs the capability of remotely performing quantum computation on
   qubits on distributed quantum computers, which can be enabled by the
   technique called telegate [VanMeter02].

   As an example, scientists can leverage these connected NISQ computers
   to solve highly complex scientific computation problems such as
   analysis of chemical interactions for medical drug development [Cao]
   (see Figure 4). In this case, qubits will be transmitted among
   connected quantum computers via quantum channels, while classic
   control messages will be transmitted among them via classical
   channels for coordination and control purpose.
   Another example of distributed quantum computing is secure
   Multi-Party Quantum Computation (MPQC) [Crepeau], which can be
   regarded as a quantum version of classical secure Multi-Party
   Computation (MPC). In a secure MPQC protocol, multiple participants
   jointly perform quantum computation on a set of input quantum states,
   which are prepared and provided by different participants. One of
   the primary aims of the secure MPQC is to guarantee that each
   participant will not know input quantum states provided by other
   participants. Secure MPQC relies on verifiable quantum secret
   sharing [Lipinska].

   For the example shown in Figure 4, qubits from one NISQ computer to
   another NISQ computer are very sensitive and should not be lost. For
   this purpose, quantum teleportation can be leveraged to teleport
   sensitive data qubits from one quantum computer A to another quantum
   computer B. Note that Figure 4 does not cover measurement-based
   distributed quantum computing, where quantum teleportation may not be
   required. When quantum teleportation is employed, the following
   steps happen between A and B. In fact, LOCC [Chitambar] operations
   are conducted at the quantum computer A and B in order to achieve
   quantum teleportation as illustrated in Figure 4.

   1.  The quantum computer A locally generates some sensitive data
       qubits to be teleported to the quantum computer B.

   2.  A shared entanglement is established between the quantum computer
       A and the quantum computer B (i.e., there are two entangled
       qubits: q1 at A and q2 at B). For example, the quantum computer
       A can generate two entangled qubits (i.e., q1 and q2) and sends
       q2 to the quantum computer B via quantum communications.

   3.  Then, the quantum computer A performs a Bell measurement of the
       entangled qubit q1 and the sensitive data qubit.

   4.
       The result from this Bell measurement will be encoded in two
       classical bits, which will be physically transmitted via a
       classical channel to the quantum computer B.

   5.  Based on the received two classical bits, the quantum computer B
       modifies the state of the entangled qubit q2 in the way to
       generate a new qubit identical to the sensitive data qubit at the
       quantum computer A.

   In Figure 4, the Quantum Internet contains quantum channels and
   quantum repeaters/routers [I-D.irtf-qirg-principles]. This
   application scenario needs to support entanglement generation and
   entanglement distribution (or quantum connection) setup
   [I-D.van-meter-qirg-quantum-connection-setup] in order to support
   quantum teleportation.

                     +-----------------+
                     |     End-User    |
                     |(e.g., Scientist)|
                     +-----------------+
                              ^
                              |User Interface (e.g. GUI)
                              |
           +------------------+-------------------+
           |                                      |
           |                                      |
           V                                      V
   +----------------+     /--------\     +----------------+
   |                |--->( Quantum  )--->|                |
   |                |    ( Internet )    |                |
   |    Quantum     |     \--------/     |    Quantum     |
   |   Computer A   |                    |   Computer B   |
   | (e.g., Site #1)|     /--------\     | (e.g., Site #2)|
   |                |    ( Classical)    |                |
   |                |<-->( Internet )<-->|                |
   +----------------+     \--------/     +----------------+

               Figure 4: Distributed Quantum Computing

5.  General Requirements

5.1.  Background

   Quantum technologies are steadily evolving and improving. Therefore,
   it is hard to predict the timeline and future milestones of quantum
   technologies as pointed out in [Grumbling] for quantum computing.
   Currently, a NISQ computer can achieve fifty to hundreds of qubits
   with some given error rate. In fact, the error rates of two-qubit
   quantum gates have decreased nearly in half every 1.5 years (for
   trapped ion gates) to 2 years (for superconducting gates). The error
   rate also increases as the number of qubits increases.
   For example, a current 20-physical-qubit machine has a total error
   rate which is close to the total error rate of a 7 year old two-qubit
   machine [Grumbling].

   On the network level, six stages of Quantum Internet development are
   described in [Wehner] as follows:

   1.  Trusted repeater networks (Stage-1)

   2.  Prepare and measure networks (Stage-2)

   3.  Entanglement distribution networks (Stage-3)

   4.  Quantum memory networks (Stage-4)

   5.  Fault-tolerant few qubit networks (Stage-5)

   6.  Quantum computing networks (Stage-6)

   The first stage is simple trusted repeater networks, while the final
   stage is the quantum computing networks where the full-blown Quantum
   Internet will be achieved. Each intermediate stage brings with it
   new functionality, new applications, and new characteristics.
   Figure 5 illustrates Quantum Internet application scenarios as
   described in this document mapped to the Quantum Internet stages
   described in [Wehner]. For example, secure communication setup can
   be supported in Stage-1, Stage-2, or Stage-3, but with different QKD
   solutions. More specifically:

   In Stage-1, basic QKD is possible and can be leveraged to support
   secure communication setup but trusted nodes are required to provide
   end-to-end security. The primary requirement is the trusted nodes.

   In Stage-2, the end users can prepare, receive, and measure the
   qubits. In this stage the users can verify classical passwords
   without revealing them.

   In Stage-3, end-to-end security can be enabled based on quantum
   repeaters and entanglement distribution, to support the same secure
   communication setup application. The primary requirement is
   entanglement distribution to enable long-distance QKD.

   In Stage-4, the quantum repeaters gain the capability of storing and
   manipulating entangled qubits in the quantum memories.
   Using this kind of quantum network, one can run sophisticated
   applications like blind quantum computing, leader election, and
   quantum secret sharing.

   In Stage-5, quantum repeaters can perform error correction; hence
   they can perform fault-tolerant quantum computations on the received
   data. With the help of these repeaters, it is possible to run
   distributed quantum computing and quantum sensor applications over a
   smaller number of qubits.

   Finally, in Stage-6, distributed quantum computing relying on more
   qubits can be supported.

   +---------+----------------------------+------------------------+
   | Quantum |      Example Quantum       |                        |
   | Internet|      Internet Use          |     Characteristic     |
   | Stage   |      Cases                 |                        |
   +---------+----------------------------+------------------------+
   | Stage-1 | Secure comm setup          | Trusted nodes          |
   |         | using basic QKD            |                        |
   |---------------------------------------------------------------|
   | Stage-2 | Secure comm setup          | Prepare-and-measure    |
   |         | using the QKD with         | capability             |
   |         | end-to-end security        |                        |
   |---------------------------------------------------------------|
   | Stage-3 | Secure comm setup          | Entanglement           |
   |         | using entanglement-enabled | distribution           |
   |         | QKD                        |                        |
   |---------------------------------------------------------------|
   | Stage-4 | Secure/blind quantum       | Quantum memory         |
   |         | computing                  |                        |
   |---------------------------------------------------------------|
   | Stage-5 | Higher-Accuracy Clock      | Fault tolerance        |
   |         | synchronization            |                        |
   |---------------------------------------------------------------|
   | Stage-6 | Distributed quantum        | More qubits            |
   |         | computing                  |                        |
   +---------------------------------------------------------------+

     Figure 5: Example Application Scenarios in Different Quantum
                           Internet Stages

5.2.
Requirements

   Some general and functional requirements on the Quantum Internet from
   the networking perspective, based on the above application scenarios,
   are identified as follows:

   1.  Methods for facilitating quantum applications to interact
       efficiently with entangled qubits are necessary in order for them
       to trigger distribution of designated entangled qubits to
       potentially any other quantum node residing in the Quantum
       Internet. To accomplish this, specific operations must be
       performed on entangled qubits (e.g., entanglement swapping,
       entanglement distillation). Quantum nodes may be quantum
       end-nodes, quantum repeaters/routers, and/or quantum computers.

   2.  Quantum repeaters/routers should support robust and efficient
       entanglement distribution in order to extend and establish
       high-fidelity entanglement connection between two quantum nodes.
       For achieving this, it is required to first generate an entangled
       pair on each hop of the path between these two nodes, and then
       perform entanglement swapping operations at each of the
       intermediate nodes.

   3.  Quantum end-nodes must send additional information on classical
       channels to aid in transmission of qubits across quantum
       repeaters/receivers. This is because qubits are transmitted
       individually and do not have any associated packet overhead which
       can help in transmission of the qubit. Any extra information to
       aid in routing, identification, etc., of the qubit(s) must be
       sent via classical channels.

   4.  Methods for managing and controlling the Quantum Internet
       including quantum nodes and their quantum resources are
       necessary. The resources of a quantum node may include quantum
       memory, quantum channels, qubits, established quantum
       connections, etc.
       Such management methods can be used to monitor network status of
       the Quantum Internet, diagnose and identify potential issues
       (e.g. quantum connections), and configure quantum nodes with new
       actions and/or policies (e.g. to perform a new entanglement
       swapping operation). A new management information model for the
       Quantum Internet may need to be developed.

6.  Conclusion

   This document provides an overview of some expected application
   categories for the Quantum Internet, and then details selected
   application scenarios. The applications are first grouped by their
   usage which is a natural and easy to understand classification
   scheme. The applications are also classified as either control plane
   or data plane functionality as typical for the Classical Internet.
   This set of applications may, of course, naturally expand over time
   as the Quantum Internet matures. Finally, some general requirements
   for the Quantum Internet are also provided.

   This document can also serve as an introductory text to readers
   interested in learning about the practical uses of the Quantum
   Internet. Finally, it is hoped that this document will help guide
   further research and development of the Quantum Internet
   functionality required to implement the application scenarios
   described herein.

7.  IANA Considerations

   This document requests no IANA actions.

8.  Security Considerations

   This document does not define an architecture nor a specific protocol
   for the Quantum Internet. It focuses instead on detailing
   application scenarios, requirements, and describing typical Quantum
   Internet applications. However, some salient observations can be
   made regarding security of the Quantum Internet as follows.

   It has been identified in [NISTIR8240] that once large-scale quantum
   computing becomes reality, it will be able to break many of the
   public-key (i.e., asymmetric) cryptosystems currently in use. This
   is because of the increase in computing ability with quantum
   computers for certain classes of problems (e.g., prime factorization,
   optimizations). This would negatively affect many of the security
   mechanisms currently in use on the Classical Internet which are based
   on public-key (Diffie-Hellman) encryption. This has given strong
   impetus for starting development of new cryptographic systems that
   are secure against quantum computing attacks [NISTIR8240].

   Interestingly, development of the Quantum Internet will also mitigate
   the threats posed by quantum computing attacks against Diffie-Hellman
   based public-key cryptosystems. Specifically, the secure
   communication setup feature of the Quantum Internet as described in
   Section 4.1 will be strongly resistant to both classical and quantum
   computing attacks against Diffie-Hellman based public-key
   cryptosystems.

   A key additional threat consideration for the Quantum Internet is
   pointed to by [RFC7258], which warns of the dangers of pervasive
   monitoring as a widespread attack on privacy. Pervasive monitoring
   is defined as a widespread, and usually covert, surveillance through
   intrusive gathering of application content or protocol metadata such
   as headers. This can be accomplished through active or passive
   wiretaps, traffic analysis, or subverting the cryptographic keys used
   to secure communications.

   The secure communication setup feature of the Quantum Internet as
   described in Section 4.1 will be strongly resistant to pervasive
   monitoring based on directly attacking (Diffie-Hellman) encryption
   keys.
   Also, Section 4.2 describes a method to perform remote quantum
   computing while preserving the privacy of the source data. Finally,
   the intrinsic property of qubits to decohere if they are observed,
   albeit covertly, will theoretically allow detection of unwanted
   monitoring in some future solutions.

9.  Acknowledgments

   The authors want to thank Michele Amoretti, Mathias Van Den Bossche,
   Xavier de Foy, Patrick Gelard, Alvaro Gomez Inesta, Wojciech
   Kozlowski, John Mattsson, Rodney Van Meter, Joey Salazar, and Joseph
   Touch, and the rest of the QIRG community as a whole for their very
   useful reviews and comments to the document.

10.  Informative References

   [BB84]     Bennett, C. H. and G. Brassard, "Quantum Cryptography:
              Public Key Distribution and Coin Tossing", 1984.

   [Ben-Or]   Ben-Or, M. and A. Hassidim, "Fast Quantum Byzantine
              Agreement", SOTC, ACM, 2005.

   [Broadbent]
              Broadbent, A. and et. al., "Universal Blind Quantum
              Computation", 50th Annual Symposium on Foundations of
              Computer Science, IEEE, 2009.

   [BTang]    Tang, B. and et. al., "High-speed and Large-scale Privacy
              Amplification Scheme for Quantum Key Distribution",
              Scientific Reports, Nature Research, 2019.

   [Cacciapuoti01]
              Cacciapuoti, A.S. and et. al., "Quantum Internet:
              Networking Challenges in Distributed Quantum Computing",
              IEEE Network, January 2020, 2020.

   [Cacciapuoti02]
              Cacciapuoti, A.S. and et. al., "When Entanglement meets
              Classical Communications: Quantum Teleportation for the
              Quantum Internet", 2019.

   [Caleffi]  Caleffi, M. and et. al., "Quantum internet: From
              Communication to Distributed Computing!", NANOCOM, ACM,
              2018.

   [Cao]      Cao, Y. and et. al., "Potential of Quantum Computing for
              Drug Discovery", Journal of Research and Development, IBM,
              2018.

   [Castelvecchi]
              Castelvecchi, D., "The Quantum Internet has arrived (and
              it hasn't)", Nature 554, 289-292, 2018.

   [Childs]   Childs, A. M., "Secure Assisted Quantum Computation",
              2005.

   [Chitambar]
              Chitambar, E. and et. al., "Everything You Always Wanted
              to Know About LOCC (But Were Afraid to Ask)",
              Communications in Mathematical Physics, Springer, 2014.

   [ChuanWang]
              Wang, C. and et. al., "Quantum Secure Direct Communication
              with High-Dimension Quantum Superdense Coding", Physical
              Review A, American Physical Society, 2005.

   [Crepeau]  Crepeau, C. and et. al., "Secure Multi-party Quantum
              Computation", 34th Symposium on Theory of Computing
              (STOC), ACM, 2002.

   [Cuomo]    Cuomo, D. and et. al., "Towards a Distributed Quantum
              Computing Ecosystem", Quantum Communication, IET, 2020.

   [Denchev]  Denchev, V.S. and et. al., "Distributed Quantum Computing:
              A New Frontier in Distributed Systems or Science
              Fiction?", SIGACT News ACM, 2018.

   [Eisert]   Eisert, J. and et. al., "Optimal Local Implementation of
              Nonlocal Quantum Gates", Physical Review A, American
              Physical Society, 2000.

   [Elkouss]  Elkouss, D. and et. al., "Information Reconciliation for
              Quantum Key Distribution", 2011.

   [ETSI-QKD-Interfaces]
              ETSI GR QKD 003 V2.1.1, "Quantum Key Distribution (QKD);
              Components and Internal Interfaces", 2018.

   [ETSI-QKD-UseCases]
              ETSI GR QKD 002 V1.1.1, "Quantum Key Distribution (QKD);
              Use Cases", 2010.

   [FeihuXu]  Xu, F. and et. al., "Experimental Demonstration of Phase-
              Remapping Attack in a Practical Quantum Key Distribution
              System", New Journal of Physics, 12 113026, 2010.

   [Fitzsimons]
              Fitzsimons, J. F., "Private Quantum Computation: An
              Introduction to Blind Quantum Computing and Related
              Protocols", 2017.

   [Gottesman]
              Gottesman, D. and I. Chuang, "Demonstrating the Viability
              of Universal Quantum Computation using Teleportation and
              Single-Qubit Operations", Nature 402, 390-393, 1999.

   [Grosshans]
              Grosshans, F. and P. Grangier, "Continuous Variable
              Quantum Cryptography Using Coherent States", Physical
              Review Letters, American Physical Society, 2002.

   [Grumbling]
              Grumbling, E. and M. Horowitz, "Quantum Computing:
              Progress and Prospects", National Academies of Sciences,
              Engineering, and Medicine, The National Academies Press,
              2019.

   [Guo]      Guo, X. and et. al., "Distributed Quantum Sensing in a
              Continuous-Variable Entangled Network", Nature
              Physics, Nature, 2020.

   [HHuang]   Huang, H. and et. al., "Experimental Blind Quantum
              Computing for a Classical Client", 2017.

   [Hill]     Hill, R.M. and et. al., "A Tool for Functional Brain
              Imaging with Lifespan Compliance", Nature
              Communications 10, 4785(2019), 2019.

   [I-D.dahlberg-ll-quantum]
              Dahlberg, A., Skrzypczyk, M., and S. Wehner, "The Link
              Layer service in a Quantum Internet", Work in Progress,
              Internet-Draft, draft-dahlberg-ll-quantum-03, 10 October
              2019.

   [I-D.irtf-qirg-principles]
              Kozlowski, W., Wehner, S., Meter, R. V., Rijsman, B.,
              Cacciapuoti, A. S., Caleffi, M., and S. Nagayama,
              "Architectural Principles for a Quantum Internet", Work in
              Progress, Internet-Draft, draft-irtf-qirg-principles-07, 4
              June 2021.

   [I-D.van-meter-qirg-quantum-connection-setup]
              Meter, R. V. and T. Matsuo, "Connection Setup in a Quantum
              Network", Work in Progress, Internet-Draft,
              draft-van-meter-qirg-quantum-connection-setup-01, 11
              September 2019.

   [Jozsa]    Jozsa, R. and et. al., "An Introduction to Measurement
              based Quantum Computation", 2005.

   [Kiktenko] Kiktenko, E.O. and et.
al., "Lightweight Authentication 1284 for Quantum Key Distribution", 2020, 1285 . 1287 [Komar] Komar, P. and et. al., "A Quantum Network of Clocks", 1288 2013, . 1290 [Lipinska] Lipinska, V. and et. al., "Verifiable Hybrid Secret 1291 Sharing with Few Qubits", Physical Review A, American 1292 Physical Society, 2020, 1293 . 1295 [Lo] Lo, H.-K. and et. al., "Experimental Demonstration of 1296 Phase-Remapping Attack in a Practical Quantum Key 1297 Distribution System", Physical Review Letters, American 1298 Physical Society, 2012, 1299 . 1301 [NISTIR8240] 1302 Alagic, G. and et. al., "Status Report on the First Round 1303 of the NIST Post-Quantum Cryptography Standardization 1304 Process", NISTIR 8240, 2019, 1305 . 1308 [Pal] Pal, S.P. and et. al., "Multi-partite Quantum Entanglement 1309 versus Randomization: Fair and Unbiased Leader Election in 1310 Networks", 2003, 1311 . 1313 [Preskill] Preskill, J., "Quantum Computing in the NISQ Era and 1314 Beyond", 2018, . 1316 [Proctor] Proctor, T.J. and et. al., "Multiparameter Estimation in 1317 Networked Quantum Sensors", Physical Review 1318 Letters, American Physical Society, 2018, 1319 . 1322 [PZhang] Zhang, P. and et. al., "Integrated Relay Server for 1323 Measurement-Device-Independent Quantum Key Distribution", 1324 2019, . 1326 [Qin] Qin, H., "Towards Large-Scale Quantum Key Distribution 1327 Network and Its Applications", 2019, 1328 . 1331 [QZhang] Zhang, Q., Hu, F., Chen, Y., Peng, C., and J. Pan, "Large 1332 Scale Quantum Key Distribution: Challenges and Solutions", 1333 Optical Express, OSA, 2018, 1334 . 1336 [Renner] Renner, R., "Security of Quantum Key Distribution", 2006, 1337 . 1339 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1340 Requirement Levels", BCP 14, RFC 2119, 1341 DOI 10.17487/RFC2119, March 1997, 1342 . 1344 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 1345 Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 1346 2014, . 
1348 [Taherkhani] 1349 Taherkhani, M.A., Navi, K., and R. Van Meter, "Resource- 1350 Aware System Architecture Model for Implementation of 1351 Quantum Aided Byzantine Agreement on Quantum Repeater 1352 Networks", Quantum Science and Technology, IOP, 2017, 1353 . 1355 [Treiber] Treiber, A. and et. al., "A Fully Automated Entanglement- 1356 based Quantum Cyptography System for Telecom Fiber 1357 Networks", New Journal of Physics, 11, 045013, 2009, 1358 . 1360 [VanMeter01] 1361 Van Meter, R. and et. al., "Distributed Arithmetic on a 1362 Quantum Multicomputer", 33rd International Symposium on 1363 Computer Architecture (ISCA) IEEE, 2006, 1364 . 1366 [VanMeter02] 1367 Van Meter, R. and et. al., "Architecture of a Quantum 1368 Multicompuer Optimized for Shor's Factoring Algorithm", 1369 2006, . 1371 [Wehner] Wehner, S., Elkouss, D., and R. Hanson, "Quantum internet: 1372 A vision for the road ahead", Science 362, 2018, 1373 . 1376 [XZhang] Zhang, X. and et. al., "A Hybrid Universal Blind Quantum 1377 Computation", Information Sciences, Elsevier, 2009, 1378 . 1381 [YudongCao] 1382 Cao, Y. and et. al., "Quantum Chemistry in the Age of 1383 Quantum Computing", Chemical Reviews, ACS Publications, 1384 2019, . 1386 [Zhandry] Zhandry, M., "Quantum Lightning Never Strikes the Same 1387 State Twice", 38th Annual International Conference on the 1388 Theory and Applications of Cryptographic Techniques, 1389 Darmstadt, Germany, May 19-23, 2019, Proceedings, Part 1390 III, 2019, . 1392 [Zhao] Zhao, Y., "Development of Quantum Key Distribution and 1393 Attacks against it", Journal of Physics, J. Phys, 2018, 1394 . 
1397 Authors' Addresses

1399    Chonggang Wang
1400    InterDigital Communications, LLC
1401    1001 E Hector St
1402    Conshohocken, 19428
1403    United States of America

1405    Email: Chonggang.Wang@InterDigital.com

1407    Akbar Rahman
1408    InterDigital Communications, LLC
1409    1000 Sherbrooke Street West
1410    Montreal H3A 3G4
1411    Canada

1413    Email: rahmansakbar@yahoo.com

1415    Ruidong Li
1416    Kanazawa University
1417    Kakuma-machi,
1418    Ishikawa Prefecture 920-1192
1419    Japan

1421    Email: lrd@se.kanazawa-u.ac.jp

1423    Melchior Aelmans
1424    Juniper Networks
1425    Boeing Avenue 240
1426    Schiphol-Rijk

1428    Email: maelmans@juniper.net
1429    Kaushik Chakraborty
1430    The University of Edinburgh
1431    10 Crichton Street
1432    Edinburgh
1433    EH8 9AB, Scotland
1434    United Kingdom

1436    Email: kchakrab@exseed.ed.ac.uk