Internet Research Task Force (IRTF)                              C. Wang
Request for Comments: 9583              InterDigital Communications, LLC
Category: Informational                                        A. Rahman
ISSN: 2070-1721                                                 Ericsson
                                                                   R. Li
                                                     Kanazawa University
                                                              M. Aelmans
                                                        Juniper Networks
                                                          K. Chakraborty
                                             The University of Edinburgh
                                                               June 2024


             Application Scenarios for the Quantum Internet

Abstract

   The Quantum Internet has the potential to improve application
   functionality by incorporating quantum information technology into
   the infrastructure of the overall Internet.  This document provides
   an overview of some applications expected to be used on the Quantum
   Internet and categorizes them.  Some general requirements for the
   Quantum Internet are also discussed.  The intent of this document is
   to describe a framework for applications and to describe a few
   selected application scenarios for the Quantum Internet.  This
   document is a product of the Quantum Internet Research Group (QIRG).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the QIRG Research
   Group of the Internet Research Task Force (IRTF).  Documents approved
   for publication by the IRSG are not candidates for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9583.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Terms and Acronyms List
   3.  Quantum Internet Applications
     3.1.  Quantum Cryptography Applications
     3.2.  Quantum Sensing and Metrology Applications
     3.3.  Quantum Computing Applications
   4.  Selected Quantum Internet Application Scenarios
     4.1.  Secure Communication Setup
     4.2.  Blind Quantum Computing
     4.3.  Distributed Quantum Computing
   5.  General Requirements
     5.1.  Operations on Entangled Qubits
     5.2.  Entanglement Distribution
     5.3.  The Need for Classical Channels
     5.4.  Quantum Internet Management
   6.  Conclusion
   7.  IANA Considerations
   8.  Security Considerations
   9.  Informative References
   Acknowledgments
   Authors' Addresses

1.  Introduction

   The Classical, i.e., non-quantum, Internet has been constantly
   growing since it first became commercially popular in the early
   1990s.  It essentially consists of a large number of end nodes (e.g.,
   laptops, smart phones, and network servers) connected by routers and
   clustered in Autonomous Systems.  The end nodes may run applications
   that provide service for the end users such as processing and
   transmission of voice, video, or data.  The connections between the
   various nodes in the Internet include backbone links (e.g., fiber
   optics) and access links (e.g., fiber optics, Wi-Fi, cellular
   wireless, and Digital Subscriber Lines (DSLs)).  Bits are transmitted
   across the Classical Internet in packets.

   Research and experiments have picked up over the last few years for
   developing the Quantum Internet [Wehner].  End nodes will also be a
   part of the Quantum Internet; in that case, they are called "quantum
   end nodes" and may be connected by quantum repeaters and/or routers.
   These quantum end nodes will also run value-added applications, which
   will be discussed later.

   The physical layer quantum channels between the various nodes in the
   Quantum Internet can be either waveguides, such as optical fibers, or
   free space.  Photonic channels are particularly useful because light
   (photons) is very suitable for physically realizing qubits.  The
   Quantum Internet will operate according to quantum physical
   principles such as quantum superposition and entanglement [RFC9340].

   The Quantum Internet is not anticipated to replace but rather to
   enhance the Classical Internet and/or provide breakthrough
   applications.  For instance, Quantum Key Distribution can improve the
   security of the Classical Internet, and quantum computing can
   expedite and optimize computation-intensive tasks in the Classical
   Internet.  The Quantum Internet will run in conjunction with the
   Classical Internet.  The process of integrating the Quantum Internet
   with the Classical Internet is similar to the process of introducing
   any new communication and networking paradigm into the existing
   Internet but with more profound implications.

   The intent of this document is to provide a common understanding and
   framework of applications and application scenarios for the Quantum
   Internet.  It is noted that ITU-T SG13-TD158/WP3 [ITUT] briefly
   describes four kinds of use cases of quantum networks beyond Quantum
   Key Distribution networks: quantum time synchronization use cases,
   quantum computing use cases, quantum random number generator use
   cases, and quantum communication use cases (e.g., quantum digital
   signatures, quantum anonymous transmission, and quantum money).  This
   document focuses on quantum applications that have more impact on
   networking, such as secure communication setup, blind quantum
   computing, and distributed quantum computing; although these
   applications were mentioned in [ITUT], this document gives more
   details and derives some requirements from a networking perspective.

   This document was produced by the Quantum Internet Research Group
   (QIRG).  It was discussed on the QIRG mailing list and during several
   meetings of the research group.  It has been reviewed extensively by
   the QIRG members with expertise in both quantum physics and Classical
   Internet operation.  This document represents the consensus of the
   QIRG members, of both experts in the subject matter (from the quantum
   and networking domains) and newcomers, who are the target audience.
   It is not an IETF product and is not a standard.

2.  Terms and Acronyms List

   This document assumes that the reader is familiar with the terms and
   concepts that relate to quantum information technology described in
   [RFC9340].  In addition, the following terms and acronyms are defined
   herein for clarity:

   Bell Pairs:  A special type of quantum state that is two qubits.  The
      two qubits show a correlation that cannot be observed in classical
      information theory.  We refer to such correlation as quantum
      entanglement.  Bell pairs exhibit the maximal quantum
      entanglement.  One example of a Bell pair is
      (|00>+|11>)/(Sqrt(2)).  The Bell pairs are a fundamental resource
      for quantum communication.

   Bit:  Binary digit (i.e., fundamental unit of information in
      classical communications and classical computing).  Bit is used in
      the Classical Internet where the state of a bit is deterministic.
      In contrast, qubit is used in the Quantum Internet where the state
      of a qubit is uncertain before it is measured.

   Classical Internet:  The existing, deployed Internet (circa 2020)
      where bits are transmitted in packets between nodes to convey
      information.  The Classical Internet supports applications that
      may be enhanced by the Quantum Internet.  For example, the end-to-
      end security of a Classical Internet application may be improved
      by a secure communication setup using a quantum application.
      Classical Internet is a network of classical network nodes that do
      not support quantum information technology.  In contrast, Quantum
      Internet consists of quantum nodes based on quantum information
      technology.

   Entanglement Swapping:  It is a process of sharing an entanglement
      between two distant parties via some intermediate nodes.  For
      example, suppose that there are three parties (A, B, and C) and
      that each of the parties (A, B) and (B, C) share Bell pairs.  B
      can use the qubits it shares with A and C to perform entanglement-
      swapping operations, and as a result, A and C share Bell pairs.
      Entanglement swapping essentially realizes entanglement
      distribution (i.e., two nodes separated in distance can share a
      Bell pair).

   Fast Byzantine Negotiation:  A quantum-based method for fast
      agreement in Byzantine negotiations [Ben-Or] [Taherkhani].

   Local Operations and Classical Communication (LOCC):  A method where
      nodes communicate in rounds, in which (1) they can send any
      classical information to each other, (2) they can perform local
      quantum operations individually, and (3) the actions performed in
      each round can depend on the results from previous rounds.

   Noisy Intermediate-Scale Quantum (NISQ):  NISQ was defined in
      [Preskill] to represent a near-term era in quantum technology.
      According to this definition, NISQ computers have two salient
      features: (1) the size of NISQ computers range from 50 to a few
      hundred physical qubits (i.e., intermediate-scale) and (2) qubits
      in NISQ computers have inherent errors and the control over them
      is imperfect (i.e., noisy).

   Packet:  A self-identified message with in-band addresses or other
      information that can be used for forwarding the message.  The
      message contains an ordered set of bits of determinate number.
      The bits contained in a packet are classical bits.

   Prepare and Measure:  A set of Quantum Internet scenarios where
      quantum nodes only support simple quantum functionalities (i.e.,
      prepare qubits and measure qubits).  For example, BB84 [BB84] is a
      prepare-and-measure quantum key distribution protocol.

   Quantum Computer (QC):  A quantum end node that also has quantum
      memory and quantum computing capabilities is regarded as a full-
      fledged quantum computer.

   Quantum End Node:  An end node that hosts user applications and
      interfaces with the rest of the Internet.  Typically, an end node
      may serve in a client, server, or peer-to-peer role as part of the
      application.  A quantum end node must also be able to interface to
      the Classical Internet for control purposes and thus be able to
      receive, process, and transmit classical bits and/or packets.

   Quantum Internet:  A network of quantum networks.  The Quantum
      Internet is expected to be merged into the Classical Internet.
      The Quantum Internet may either improve classical applications or
      enable new quantum applications.

   Quantum Key Distribution (QKD):  A method that leverages quantum
      mechanics such as a no-cloning theorem to let two parties create
      the same arbitrary classical key.

   Quantum Network:  A new type of network enabled by quantum
      information technology where quantum resources, such as qubits and
      entanglement, are transferred and utilized between quantum nodes.
      The quantum network will use both quantum channels and classical
      channels provided by the Classical Internet, referred to as a
      "hybrid implementation".

   Quantum Teleportation:  A technique for transferring quantum
      information via Local Operations and Classical Communication
      (LOCC).  If two parties share a Bell pair, then by using quantum
      teleportation, a sender can transfer a quantum data bit to a
      receiver without sending it physically via a quantum channel.

   Qubit:  Quantum bit (i.e., fundamental unit of information in quantum
      communication and quantum computing).  It is similar to a classic
      bit in that the state of a qubit is either "0" or "1" after it is
      measured and denotes its basis state vector as |0> or |1> using
      Dirac's ket notation.  However, the qubit is different than a
      classic bit in that the qubit can be in a linear combination of
      both states before it is measured and termed to be in
      superposition.  Any of several Degrees of Freedom (DOF) of a
      photon (e.g., polarization, time bib, and/or frequency) or an
      electron (e.g., spin) can be used to encode a qubit.

   Teleport a Qubit:  An operation on two or more carriers in succession
      to move a qubit from a sender to a receiver using quantum
      teleportation.

   Transfer a Qubit:  An operation to move a qubit from a sender to a
      receiver without specifying the means of moving the qubit, which
      could be "transmit" or "teleport".

   Transmit a Qubit:  An operation to encode a qubit into a mobile
      carrier (i.e., typically photon) and pass it through a quantum
      channel from a sender (a transmitter) to a receiver.

3.  Quantum Internet Applications

   The Quantum Internet is expected to be beneficial for a subset of
   existing and new applications.  The expected applications for the
   Quantum Internet are still being developed as we are in the formative
   stages of the Quantum Internet [Castelvecchi] [Wehner].  However, an
   initial (and non-exhaustive) list of the applications to be supported
   on the Quantum Internet can be identified and classified using two
   different schemes.  Note that this document does not include quantum
   computing applications that are purely local to a given node.

   Applications may be grouped by the usage that they serve.
   Specifically, applications may be grouped according to the following
   categories:

   Quantum cryptography applications:  Refer to the use of quantum
      information technology for cryptographic tasks (e.g., Quantum Key
      Distribution [Renner]).

   Quantum sensor applications:  Refer to the use of quantum information
      technology for supporting distributed sensors (e.g., clock
      synchronization [Jozsa2000] [Komar] [Guo]).

   Quantum computing applications:  Refer to the use of quantum
      information technology for supporting remote quantum computing
      facilities (e.g., distributed quantum computing [Denchev]).

   This scheme can be easily understood by both a technical and non-
   technical audience.  The next sections describe the scheme in more
   detail.

3.1.  Quantum Cryptography Applications

   Examples of quantum cryptography applications include quantum-based
   secure communication setup and fast Byzantine negotiation.

   Secure communication setup:  Refers to secure cryptographic key
      distribution between two or more end nodes.  The most well-known
      method is referred to as "Quantum Key Distribution (QKD)"
      [Renner].

   Fast Byzantine negotiation:  Refers to a quantum-based method for
      fast agreement in Byzantine negotiations [Ben-Or], for example, to
      reduce the number of expected communication rounds and, in turn,
      to achieve faster agreement, in contrast to classical Byzantine
      negotiations.  A quantum-aided Byzantine agreement on quantum
      repeater networks as proposed in [Taherkhani] includes
      optimization techniques to greatly reduce the quantum circuit
      depth and the number of qubits in each node.  Quantum-based
      methods for fast agreement in Byzantine negotiations can be used
      for improving consensus protocols such as practical Byzantine
      Fault Tolerance (pBFT) as well as other distributed computing
      features that use Byzantine negotiations.

   Quantum money:  Refers to the main security requirement of money is
      unforgeability.  A quantum money scheme aims to exploit the no-
      cloning property of the unknown quantum states.  Though the
      original idea of quantum money dates back to 1970, these early
      protocols allow only the issuing bank to verify a quantum
      banknote.  However, the recent protocols such as public key
      quantum money [Zhandry] allow anyone to verify the banknotes
      locally.

3.2.  Quantum Sensing and Metrology Applications

   The entanglement, superposition, interference, and squeezing of
   properties can enhance the sensitivity of the quantum sensors and
   eventually can outperform the classical strategies.  Examples of
   quantum sensor applications include network clock synchronization,
   high-sensitivity sensing, etc.  These applications mainly leverage a
   network of entangled quantum sensors (i.e., quantum sensor networks)
   for high-precision, multiparameter estimation [Proctor].

   Network clock synchronization:  Refers to a world wide set of high-
      precision clocks connected by the Quantum Internet to achieve an
      ultra precise clock signal [Komar] with fundamental precision
      limits set by quantum theory.

   High-sensitivity sensing:  Refers to applications that leverage
      quantum phenomena to achieve reliable nanoscale sensing of
      physical magnitudes.  For example, [Guo] uses an entangled quantum
      network for measuring the average phase shift among multiple
      distributed nodes.

   Interferometric telescopes using quantum information:
      Refers to interferometric techniques that are used to combine
      signals from two or more telescopes to obtain measurements with
      higher resolution than what could be obtained with either
      telescope individually.  It can make measurements of very small
      astronomical objects if the telescopes are spread out over a wide
      area.  However, the phase fluctuations and photon loss introduced
      by the communication channel between the telescopes put a
      limitation on the baseline lengths of the optical interferometers.
      This limitation can potentially be avoided using quantum
      teleportation.  In general, by sharing Einstein-Podolsky-Rosen
      pairs using quantum repeaters, the optical interferometers can
      communicate photons over long distances, providing arbitrarily
      long baselines [Gottesman2012].

3.3.  Quantum Computing Applications

   In this section, we include the applications for the quantum
   computing.  It's anticipated that quantum computers as a cloud
   service will become more available in future.  Sometimes, to run such
   applications in the cloud while preserving the privacy, a client and
   a server need to exchange qubits (e.g., in blind quantum computation
   [Fitzsimons] as described below).  Therefore, such privacy preserving
   quantum computing applications require a Quantum Internet to execute.

   Examples of quantum computing include distributed quantum computing
   and blind quantum computing, which can enable new types of cloud
   computing.

   Distributed quantum computing:  Refers to a collection of small-
      capacity, remote quantum computers (i.e., each supporting a
      relatively small number of qubits) that are connected and work
      together in a coordinated fashion so as to simulate a virtual
      large capacity quantum computer [Wehner].

   Blind quantum computing:  Refers to private, or blind, quantum
      computation, which provides a way for a client to delegate a
      computation task to one or more remote quantum computers without
      disclosing the source data to be computed [Fitzsimons].

4.  Selected Quantum Internet Application Scenarios

   The Quantum Internet will support a variety of applications and
   deployment configurations.  This section details a few key
   application scenarios that illustrate the benefits of the Quantum
   Internet.  In system engineering, an application scenario is
   typically made up of a set of possible sequences of interactions
   between nodes and users in a particular environment and related to a
   particular goal.  This will be the definition that we use in this
   section.

4.1.  Secure Communication Setup

   In this scenario, two nodes (e.g., quantum node A and quantum node B)
   need to have secure communications for transmitting confidential
   information (see Figure 1).  For this purpose, they first need to
   securely share a classic secret cryptographic key (i.e., a sequence
   of classical bits), which is triggered by an end user with local
   secure interface to quantum node A.  This results in a quantum node A
   securely establishing a classical secret key with a quantum node B.
   This is referred to as a "secure communication setup".  Note that
   quantum nodes A and B may be either a bare-bone quantum end node or a
   full-fledged quantum computer.  This application scenario shows that
   the Quantum Internet can be leveraged to improve the security of
   Classical Internet applications.

   One requirement for this secure communication setup process is that
   it should not be vulnerable to any classical or quantum computing
   attack.  This can be realized using QKD, which is unbreakable in
   principle.  QKD can securely establish a secret key between two
   quantum nodes, using a classical authentication channel and insecure
   quantum channel without physically transmitting the key through the
   network and thus achieving the required security.  However, care must
   be taken to ensure that the QKD system is safe against physical side-
   channel attacks that can compromise the system.  An example of a
   physical side-channel attack is to surreptitiously inject additional
   light into the optical devices used in QKD to learn side information
   about the system such as the polarization.  Other specialized
   physical attacks against QKD also use a classical authentication
   channel and an insecure quantum channel such as the phase-remapping
   attack, photon number splitting attack, and decoy state attack
   [Zhao2018].  QKD can be used for many other cryptographic
   communications, such as IPsec and Transport Layer Security (TLS),
   where involved parties need to establish a shared security key,
   although it usually introduces a high latency.

   QKD is the most mature feature of quantum information technology and
   has been commercially released in small-scale and short-distance
   deployments.  More QKD use cases are described in the ETSI document
   [ETSI-QKD-UseCases]; in addition, interfaces between QKD users and
   QKD devices are specified in the ETSI document [ETSI-QKD-Interfaces].

   In general, the prepare-and-measure QKD protocols (e.g., [BB84])
   without using entanglement work as follows:

   1.  The quantum node A encodes classical bits to qubits.  Basically,
       the node A generates two random classical bit strings X and Y.
       Among them, it uses the bit string X to choose the basis and uses
       Y to choose the state corresponding to the chosen basis.  For
       example, if X=0, then in case of the BB84 protocol, Alice
       prepares the state in {|0>, |1>}-basis; otherwise, she prepares
       the state in {|+>, |->}-basis.  Similarly, if Y=0, then Alice
       prepares the qubit as either |0> or |+> (depending on the value
       of X); and if Y =1, then Alice prepares the qubit as either |1>
       or |->.

   2.  The quantum node A sends qubits to the quantum node B via a
       quantum channel.

   3.  The quantum node B receives qubits and measures each of them in
       one of the two bases at random.

   4.  The quantum node B informs the quantum node A of its choice of
       bases for each qubit.

   5.  The quantum node A informs the quantum node B which random
       quantum basis is correct.

   6.  Both nodes discard any measurement bit under different quantum
       bases, and the remaining bits could be used as the secret key.
       Before generating the final secret key, there is a post-
       processing procedure over authenticated classical channels.  The
       classical post-processing part can be subdivided into three
       steps, namely parameter estimation, error correction, and privacy
       amplification.  In the parameter estimation phase, both Alice and
       Bob use some of the bits to estimate the channel error.  If it is
       larger than some threshold value, they abort the protocol or
       otherwise move to the error-correction phase.  Basically, if an
       eavesdropper tries to intercept and read qubits sent from node A
       to node B, the eavesdropper will be detected due to the entropic
       uncertainty relation property theorem of quantum mechanics.  As a
       part of the post-processing procedure, both nodes usually also
       perform information reconciliation [Elkouss] for efficient error
       correction and/or conduct privacy amplification [Tang] for
       generating the final information-theoretical secure keys.

   7.  The post-processing procedure needs to be performed over an
       authenticated classical channel.  In other words, the quantum
       node A and the quantum node B need to authenticate the classical
       channel to make sure there is no eavesdroppers or on-path
       attacks, according to certain authentication protocols such as
       that described in [Kiktenko].  In [Kiktenko], the authenticity of
       the classical channel is checked at the very end of the post-
       processing procedure instead of doing it for each classical
       message exchanged between the quantum node A and the quantum node
       B.

   It is worth noting that:

   1.  There are many enhanced QKD protocols based on [BB84].  For
       example, a series of loopholes have been identified due to the
       imperfections of measurement devices; there are several solutions
       to take into account concerning these attacks such as
       measurement-device-independent QKD [Zheng2019].  These enhanced
       QKD protocols can work differently than the steps of BB84
       protocol [BB84].

   2.  For large-scale QKD, QKD Networks (QKDNs) are required, which can
       be regarded as a subset of a Quantum Internet.  A QKDN may
       consist of a QKD application layer, a QKD network layer, and a
       QKD link layer [Qin].  One or multiple trusted QKD relays
       [Zhang2018] may exist between the quantum node A and the quantum
       node B, which are connected by a QKDN.  Alternatively, a QKDN may
       rely on entanglement distribution and entanglement-based QKD
       protocols; as a result, quantum repeaters and/or routers instead
       of trusted QKD relays are needed for large-scale QKD.
       Entanglement swapping can be leveraged to realize entanglement
       distribution.

   3.  QKD provides an information-theoretical way to share secret keys
       between two parties (i.e., a transmitter and a receiver) in the
       presence of an eavesdropper.  However, this is true in theory,
       and there is a significant gap between theory and practice.  By
       exploiting the imperfection of the detectors, Eve can gain
       information about the shared key [Xu].  To avoid such side-
       channel attacks in [Lo], the researchers provide a QKD protocol
       called "Measurement Device-Independent (MDI)" QKD that allows two
       users (a transmitter "Alice" and a receiver "Bob") to communicate
       with perfect security, even if the (measurement) hardware they
       are using has been tampered with (e.g., by an eavesdropper) and
       thus is not trusted.  It is achieved by measuring correlations
       between signals from Alice and Bob, rather than the actual
       signals themselves.

   4.  QKD protocols based on Continuous Variable QKD (CV-QKD) have
       recently seen plenty of interest as they only require
       telecommunications equipment that is readily available and is
       also in common use industry-wide.  This kind of technology is a
       potentially high-performance technique for secure key
       distribution over limited distances.  The recent demonstration of
       CV-QKD shows compatibility with classical coherent detection
       schemes that are widely used for high-bandwidth classical
       communication systems [Grosshans].  Note that we still do not
       have a quantum repeater for the continuous variable systems;
       hence, these kinds of QKD technologies can be used for the short
       distance communications or trusted relay-based QKD networks.

   5.  Secret sharing can be used to distribute a secret key among
       multiple nodes by letting each node know a share or a part of the
       secret key, while no single node can know the entire secret key.
       The secret key can only be reconstructed via collaboration from a
       sufficient number of nodes.  Quantum Secret Sharing (QSS)
       typically refers to the following scenario: the secret key to be
       shared is based on quantum states instead of classical bits.  QSS
       enables splitting and sharing such quantum states among multiple
       nodes.

   6.  There are some entanglement-based QKD protocols, such as that
       described in [Treiber], [E91], and [BBM92], which work
       differently than the above steps.  The entanglement-based
       schemes, where entangled states are prepared externally to the
       quantum node A and the quantum node B, are not normally
       considered "prepare and measure" as defined in [Wehner].  Other
       entanglement-based schemes, where entanglement is generated
       within the source quantum node, can still be considered "prepare
       and measure".  Send-and-return schemes can still be "prepare and
       measure" if the information content, from which keys will be
       derived, is prepared within the quantum node A before being sent
       to the quantum node B for measurement.

   As a result, the Quantum Internet in Figure 1 contains quantum
   channels.  And in order to support secure communication setup,
   especially in large-scale deployment, it also requires entanglement
   generation and entanglement distribution [QUANTUM-CONNECTION],
   quantum repeaters and/or routers, and/or trusted QKD relays.


        +---------------+
        |   End User    |
        +---------------+
              ^
              | Local Secure Interface
              | (e.g., the same physical hardware
              |  or a local secure network)
              V
        +-----------------+     /--------\     +-----------------+
        |                 |--->( Quantum  )--->|                 |
        |                 |    ( Internet )    |                 |
        |     Quantum     |     \--------/     |    Quantum      |
        |     Node A      |                    |     Node B      |
        |                 |     /--------\     |                 |
        |                 |    ( Classical)    |                 |
        |                 |<-->( Internet )<-->|                 |
        +-----------------+     \--------/     +-----------------+

                    Figure 1: Secure Communication Setup

4.2.  Blind Quantum Computing

   Blind quantum computing refers to the following scenario:

   1.  A client node with source data delegates the computation of the
       source data to a remote computation node (i.e., a server).

   2.  Furthermore, the client node does not want to disclose any source
       data to the remote computation node, which preserves the source
       data privacy.

   3.  Note that there is no assumption or guarantee that the remote
       computation node is a trusted entity from the source data privacy
       perspective.

   As an example illustrated in Figure 2, a terminal node can be a small
   quantum computer with limited computation capability compared to a
   remote quantum computation node (e.g., a remote mainframe quantum
   computer), but the terminal node needs to run a computation-intensive
   task (e.g., Shor's factoring algorithm).  The terminal node can
   create individual qubits and send them to the remote quantum
   computation node.  Then, the remote quantum computation node can
   entangle the qubits, calculate on them, measure them, generate
   measurement results in classical bits, and return the measurement
   results to the terminal node.  It is noted that those measurement
   results will look like purely random data to the remote quantum
   computation node because the initial states of the qubits were chosen
   in a cryptographically secure fashion.

   As a new client and server computation model, Blind Quantum
   Computation (BQC) generally enables the following process:

   1.  The client delegates a computation function to the server.

   2.  The client does not send original qubits to the server but does
       send transformed qubits to the server.

   3.  The computation function is performed at the server on the
       transformed qubits to generate temporary result qubits, which
       could be quantum-circuit-based computation or measurement-based
       quantum computation.  The server sends the temporary result
       qubits to the client.

   4.  The client receives the temporary result qubits and transforms
       them to the final result qubits.

   During this process, the server cannot figure out the original qubits
   from the transformed qubits.  Also, it will not take too much effort
   on the client side to transform the original qubits to the
   transformed qubits or transform the temporary result qubits to the
   final result qubits.  One of the very first BQC protocols, such as
   that described in [Childs], follows this process, although the client
   needs some basic quantum features such as quantum memory, qubit
   preparation and measurement, and qubit transmission.  Measurement-
   based quantum computation is out of the scope of this document, and
   more details about it can be found in [Jozsa2005].

   It is worth noting that:

   1.  The BQC protocol in [Childs] is a circuit-based BQC model, where
       the client only performs simple quantum circuit for qubit
       transformation, while the server performs a sequence of quantum
       logic gates.  Qubits are transmitted back and forth between the
       client and the server.

   2.  Universal BQC (UBQC) in [Broadbent] is a measurement-based BQC
       model, which is based on measurement-based quantum computing
       leveraging entangled states.  The principle in UBQC is based on
       the fact that the quantum teleportation plus a rotated Bell
       measurement realize a quantum computation, which can be repeated
       multiple times to realize a sequence of quantum computation.  In
       this approach, the client first prepares transformed qubits and
       sends them to the server, and the server needs to first prepare
       entangled states from all received qubits.  Then, multiple
       interaction and measurement rounds happen between the client and
       the server.  For each round:

       i.    the client computes and sends new measurement instructions
             or measurement adaptations to the server;

       ii.   the server performs the measurement according to the
             received measurement instructions to generate measurement
             results (in qubits or classic bits); and

       iii.  then the client receives the measurement results and
             transforms them to the final results.

   3.  A hybrid UBQC is proposed in [Zhang2009], where the server
       performs both quantum circuits like that demonstrated in [Childs]
       and quantum measurements like that demonstrated in [Broadbent] to
       reduce the number of required entangled states in [Broadbent].
       Also, the client is much simpler than the client in [Childs].
       This hybrid BQC is a combination of a circuit-based BQC model and
       a measurement-based BQC model.

   4.  It is ideal if the client in BQC is a purely classical client,
       which only needs to interact with the server using classical
       channels and communications.  [Huang] demonstrates such an
       approach where a classical client leverages two entangled servers
       to perform BQC with the assumption that both servers cannot
       communicate with each other; otherwise, the blindness or privacy
       of the client cannot be guaranteed.  The scenario as demonstrated
       in [Huang] is essentially an example of BQC with multiple
       servers.

   5.  How to verify that the server will perform what the client
       requests or expects is an important issue in many BQC protocols,
       referred to as "verifiable BQC".  [Fitzsimons] discusses this
       issue and compares it in various BQC protocols.

   In Figure 2, the Quantum Internet contains quantum channels and
   quantum repeaters and/or routers for long-distance qubits
   transmission [RFC9340].

        +----------------+     /--------\     +-------------------+
        |                |--->( Quantum  )--->|                   |
        |                |    ( Internet )    | Remote Quantum    |
        |  Terminal      |     \--------/     | Computation       |
        |  Node          |                    | Node              |
        |  (e.g., a small|     /--------\     | (e.g., a remote   |
        |  quantum       |    ( Classical)    | mainframe         |
        |  computer)     |<-->( Internet )<-->| quantum computer) |
        +----------------+     \--------/     +-------------------+

                      Figure 2: Bind Quantum Computing

4.3.  Distributed Quantum Computing

   There can be two types of distributed quantum computing [Denchev]:

   1.  Leverage quantum mechanics to enhance classical distributed
       computing.  For example, entangled quantum states can be
       exploited to improve leader election in classical distributed
       computing by simply measuring the entangled quantum states at
       each party (e.g., a node or a device) without introducing any
       classical communications among distributed parties [Pal].
       Normally, pre-shared entanglement first needs to be established
       among distributed parties, followed by LOCC operations at each
       party.  And it generally does not need to transfer qubits among
       distributed parties.

   2.  Distribute quantum computing functions to distributed quantum
       computers.  A quantum computing task or function (e.g., quantum
       gates) is split and distributed to multiple physically separate
       quantum computers.  And it may or may not need to transmit qubits
       (either inputs or outputs) among those distributed quantum
       computers.  Entangled states will be needed and actually consumed
       to support such distributed quantum computing tasks.  It is worth
       noting that:

       a.  Entangled states can be created beforehand and stored or
           buffered;

       b.  The rate of entanglement creation will limit the performance
           of practical Quantum Internet applications including
           distributed quantum computing, although entangled states
           could be buffered.

       For example, [Gottesman1999] and [Eisert] have demonstrated that
       a Controlled NOT (CNOT) gate can be realized jointly by and
       distributed to multiple quantum computers.  The rest of this
       section focuses on this type of distributed quantum computing.

   As a scenario for the second type of distributed quantum computing,
   Noisy Intermediate-Scale Quantum (NISQ) computers distributed in
   different locations are available for sharing.  According to the
   definition in [Preskill], a NISQ computer can only realize a small
   number of qubits and has limited quantum error correction.  This
   scenario is referred to as "distributed quantum computing" [Caleffi]
   [Cacciapuoti2020] [Cacciapuoti2019].  This application scenario
   reflects the vastly increased computing power that quantum computers
   can bring as a part of the Quantum Internet, in contrast to classical
   computers in the Classical Internet, in the context of a distributed
   quantum computing ecosystem [Cuomo].  According to [Cuomo], quantum
   teleportation enables a new communication paradigm, referred to as
   "teledata" [VanMeter2006-01], which moves quantum states among qubits
   to distributed quantum computers.  In addition, distributed quantum
   computation also needs the capability of remotely performing quantum
   computation on qubits on distributed quantum computers, which can be
   enabled by the technique called "telegate" [VanMeter2006-02].

   As an example, a user can leverage these connected NISQ computers to
   solve highly complex scientific computation problems, such as
   analysis of chemical interactions for medical drug development [Cao]
   (see Figure 3).  In this case, qubits will be transmitted among
   connected quantum computers via quantum channels, while the user's
   execution requests are transmitted to these quantum computers via
   classical channels for coordination and control purpose.  Another
   example of distributed quantum computing is secure Multi-Party
   Quantum Computation (MPQC) [Crepeau], which can be regarded as a
   quantum version of classical secure Multi-Party Computation (MPC).
   In a secure MPQC protocol, multiple participants jointly perform
   quantum computation on a set of input quantum states, which are
   prepared and provided by different participants.  One of the primary
   aims of the secure MPQC is to guarantee that each participant will
   not know input quantum states provided by other participants.  Secure
   MPQC relies on verifiable quantum secret sharing [Lipinska].

   For the example shown in Figure 3, we want to move qubits from one
   NISQ computer to another NISQ computer.  For this purpose, quantum
   teleportation can be leveraged to teleport sensitive data qubits from
   one quantum computer (A) to another quantum computer (B).  Note that
   Figure 3 does not cover measurement-based distributed quantum
   computing, where quantum teleportation may not be required.  When
   quantum teleportation is employed, the following steps happen between
   A and B.  In fact, LOCC [Chitambar] operations are conducted at the
   quantum computers A and B in order to achieve quantum teleportation
   as illustrated in Figure 3.

   1.  The quantum computer A locally generates some sensitive data
       qubits to be teleported to the quantum computer B.

   2.  A shared entanglement is established between the quantum computer
       A and the quantum computer B (i.e., there are two entangled
       qubits: q1 at A and q2 at B).  For example, the quantum computer
       A can generate two entangled qubits (i.e., q1 and q2) and send q2
       to the quantum computer B via quantum communications.

   3.  Then, the quantum computer A performs a Bell measurement of the
       entangled qubit q1 and the sensitive data qubit.

   4.  The result from this Bell measurement will be encoded in two
       classical bits, which will be physically transmitted via a
       classical channel to the quantum computer B.

   5.  Based on the received two classical bits, the quantum computer B
       modifies the state of the entangled qubit q2 in the way to
       generate a new qubit identical to the sensitive data qubit at the
       quantum computer A.

   In Figure 3, the Quantum Internet contains quantum channels and
   quantum repeaters and/or routers [RFC9340].  This application
   scenario needs to support entanglement generation and entanglement
   distribution (or quantum connection) setup [QUANTUM-CONNECTION] in
   order to support quantum teleportation.

                        +-----------------+
                        |     End User    |
                        |                 |
                        +-----------------+
                                 ^
                                 | Local Secure Interface
                                 | (e.g., the same physical hardware
                                 | or a local secure network)
                                 |
              +------------------+-------------------+
              |                                      |
              |                                      |
              V                                      V
      +----------------+     /--------\     +----------------+
      |                |--->( Quantum  )--->|                |
      |                |    ( Internet )    |                |
      |   Quantum      |     \--------/     |   Quantum      |
      |   Computer A   |                    |   Computer B   |
      | (e.g., Site #1)|     /--------\     | (e.g., Site #2)|
      |                |    ( Classical)    |                |
      |                |<-->( Internet )<-->|                |
      +----------------+     \--------/     +----------------+

                  Figure 3: Distributed Quantum Computing

5.  General Requirements

   Quantum technologies are steadily evolving and improving.  Therefore,
   it is hard to predict the timeline and future milestones of quantum
   technologies as pointed out in [Grumbling] for quantum computing.
   Currently, a NISQ computer can achieve fifty to hundreds of qubits
   with some given error rate.

   On the network level, six stages of Quantum Internet development are
   described in [Wehner] as a Quantum Internet technology roadmap as
   follows:

   1.  Trusted repeater networks (Stage-1)

   2.  Prepare-and-measure networks (Stage-2)

   3.  Entanglement distribution networks (Stage-3)

   4.  Quantum memory networks (Stage-4)

   5.  Fault-tolerant few qubit networks (Stage-5)

   6.  Quantum computing networks (Stage-6)

   The first stage is simple trusted repeater networks, while the final
   stage is the quantum computing networks where the full-blown Quantum
   Internet will be achieved.  Each intermediate stage brings with it
   new functionality, new applications, and new characteristics.
   Table 1 illustrates Quantum Internet application scenarios as
   described in Sections 3 and 4 mapped to the Quantum Internet stages
   described in [Wehner].  For example, secure communication setup can
   be supported in Stage-1, Stage-2, or Stage-3 but with different QKD
   solutions.  More specifically:

   *  In Stage-1, basic QKD is possible and can be leveraged to support
      secure communication setup, but trusted nodes are required to
      provide end-to-end security.  The primary requirement is the
      trusted nodes.

   *  In Stage-2, the end users can prepare and measure the qubits.  In
      this stage, the users can verify classical passwords without
      revealing them.

   *  In Stage-3, end-to-end security can be enabled based on quantum
      repeaters and entanglement distribution to support the same secure
      communication setup application.  The primary requirement is
      entanglement distribution to enable long-distance QKD.

   *  In Stage-4, the quantum repeaters gain the capability of storing
      and manipulating entangled qubits in the quantum memories.  Using
      these kinds of quantum networks, one can run sophisticated
      applications like blind quantum computing, leader election, and
      quantum secret sharing.

   *  In Stage-5, quantum repeaters can perform error correction; hence,
      they can perform fault-tolerant quantum computations on the
      received data.  With the help of these repeaters, it is possible
      to run distributed quantum computing and quantum sensor
      applications over a smaller number of qubits.

   *  Finally, in Stage-6, distributed quantum computing relying on more
      qubits can be supported.

    +================+==========================+=====================+
    | Quantum        | Example Quantum Internet | Characteristic      |
    | Internet Stage | Use Cases                |                     |
    +================+==========================+=====================+
    | Stage-1        | Secure communication     | Trusted nodes       |
    |                | setup using basic QKD    |                     |
    +----------------+--------------------------+---------------------+
    | Stage-2        | Secure communication     | Prepare-and-measure |
    |                | setup using the QKD with | capability          |
    |                | end-to-end security      |                     |
    +----------------+--------------------------+---------------------+
    | Stage-3        | Secure communication     | Entanglement        |
    |                | setup using              | distribution        |
    |                | entanglement-enabled QKD |                     |
    +----------------+--------------------------+---------------------+
    | Stage-4        | Blind quantum computing  | Quantum memory      |
    +----------------+--------------------------+---------------------+
    | Stage-5        | Higher-accuracy clock    | Fault tolerance     |
    |                | synchronization          |                     |
    +----------------+--------------------------+---------------------+
    | Stage-6        | Distributed quantum      | More qubits         |
    |                | computing                |                     |
    +----------------+--------------------------+---------------------+

        Table 1: Example Application Scenarios in Different Quantum
                              Internet Stages

   Some general and functional requirements on the Quantum Internet from
   the networking perspective, based on the above application scenarios
   and Quantum Internet technology roadmap [Wehner], are identified and
   described in next sections.

5.1.  Operations on Entangled Qubits

   Methods for facilitating quantum applications to interact efficiently
   with entangled qubits are necessary in order for them to trigger
   distribution of designated entangled qubits to potentially any other
   quantum node residing in the Quantum Internet.  To accomplish this,
   specific operations must be performed on entangled qubits (e.g.,
   entanglement swapping or entanglement distillation).  Quantum nodes
   may be quantum end nodes, quantum repeaters and/or routers, and/or
   quantum computers.

5.2.  Entanglement Distribution

   Quantum repeaters and/or routers should support robust and efficient
   entanglement distribution in order to extend and establish a high-
   fidelity entanglement connection between two quantum nodes.  For
   achieving this, it is required to first generate an entangled pair on
   each hop of the path between these two nodes and then perform
   entanglement-swapping operations at each of the intermediate nodes.

5.3.  The Need for Classical Channels

   Quantum end nodes must send additional information on classical
   channels to aid in transferring and understanding qubits across
   quantum repeaters and/or receivers.  Examples of such additional
   information include qubit measurements in secure communication setup
   (Section 4.1) and Bell measurements in distributed quantum computing
   (Section 4.3).  In addition, qubits are transferred individually and
   do not have any associated packet header, which can help in
   transferring the qubit.  Any extra information to aid in routing,
   identification, etc. of the qubit(s) must be sent via classical
   channels.

5.4.  Quantum Internet Management

   Methods for managing and controlling the Quantum Internet including
   quantum nodes and their quantum resources are necessary.  The
   resources of a quantum node may include quantum memory, quantum
   channels, qubits, established quantum connections, etc.  Such
   management methods can be used to monitor the network status of the
   Quantum Internet, diagnose and identify potential issues (e.g.,
   quantum connections), and configure quantum nodes with new actions
   and/or policies (e.g., to perform a new entanglement-swapping
   operation).  A new management information model for the Quantum
   Internet may need to be developed.

6.  Conclusion

   This document provides an overview of some expected application
   categories for the Quantum Internet and then details selected
   application scenarios.  The applications are first grouped by their
   usage, which is an easy-to-understand classification scheme.  This
   set of applications may, of course, expand over time as the Quantum
   Internet matures.  Finally, some general requirements for the Quantum
   Internet are also provided.

   This document can also serve as an introductory text to readers
   interested in learning about the practical uses of the Quantum
   Internet.  Finally, it is hoped that this document will help guide
   further research and development of the Quantum Internet
   functionality required to implement the application scenarios
   described herein.

7.  IANA Considerations

   This document has no IANA actions.

8.  Security Considerations

   This document does not define an architecture nor a specific protocol
   for the Quantum Internet.  It focuses instead on detailing
   application scenarios and requirements and describing typical Quantum
   Internet applications.  However, some salient observations can be
   made regarding security of the Quantum Internet as follows.

   It has been identified in [NISTIR8240] that, once large-scale quantum
   computing becomes reality, it will be able to break many of the
   public key (i.e., asymmetric) cryptosystems currently in use.  This
   is because of the increase in computing ability with quantum
   computers for certain classes of problems (e.g., prime factorization
   and optimizations).  This would negatively affect many of the
   security mechanisms currently in use on the Classical Internet that
   are based on public key (Diffie-Hellman (DH)) encryption.  This has
   given strong impetus for starting development of new cryptographic
   systems that are secure against quantum computing attacks
   [NISTIR8240].

   Interestingly, development of the Quantum Internet will also mitigate
   the threats posed by quantum computing attacks against DH-based
   public key cryptosystems.  Specifically, the secure communication
   setup feature of the Quantum Internet, as described in Section 4.1,
   will be strongly resistant to both classical and quantum computing
   attacks against Diffie-Hellman based public key cryptosystems.

   A key additional threat consideration for the Quantum Internet is
   addressed in [RFC7258], which warns of the dangers of pervasive
   monitoring as a widespread attack on privacy.  Pervasive monitoring
   is defined as a widespread, and usually covert, surveillance through
   intrusive gathering of application content or protocol metadata, such
   as headers.  This can be accomplished through active or passive
   wiretaps, through traffic analysis, or by subverting the
   cryptographic keys used to secure communications.

   The secure communication setup feature of the Quantum Internet, as
   described in Section 4.1, will be strongly resistant to pervasive
   monitoring based on directly attacking (Diffie-Hellman) encryption
   keys.  Also, Section 4.2 describes a method to perform remote quantum
   computing while preserving the privacy of the source data.  Finally,
   the intrinsic property of qubits to decohere if they are observed,
   albeit covertly, will theoretically allow detection of unwanted
   monitoring in some future solutions.

   Modern networks are implemented with zero trust principles where
   classical cryptography is used for confidentiality, integrity
   protection, and authentication on many of the logical layers of the
   network stack, often all the way from device to software in the cloud
   [NISTSP800-207].  The cryptographic solutions in use today are based
   on well-understood primitives, provably secure protocols, and state-
   of-the-art implementations that are secure against a variety of side-
   channel attacks.

   In contrast to conventional cryptography and Post-Quantum
   Cryptography (PQC), the security of QKD is inherently tied to the
   physical layer, which makes the threat surfaces of QKD and
   conventional cryptography quite different.  QKD implementations have
   already been subjected to publicized attacks [Zhao2008], and the
   National Security Agency (NSA) notes that the risk profile of
   conventional cryptography is better understood [NSA].  The fact that
   conventional cryptography and PQC are implemented at a higher layer
   than the physical one means PQC can be used to securely send
   protected information through untrusted relays.  This is in stark
   contrast with QKD, which relies on hop-by-hop security between
   intermediate trusted nodes.  The PQC approach is better aligned with
   the modern technology environment, in which more applications are
   moving toward end-to-end security and zero-trust principles.  It is
   also important to note that, while PQC can be deployed as a software
   update, QKD requires new hardware.  In addition, the IETF has a
   working group on Post-Quantum Use In Protocols (PQUIP) that is
   studying PQC transition issues.

   Regarding QKD implementation details, the NSA states that
   communication needs and security requirements physically conflict in
   QKD and that the engineering required to balance them has extremely
   low tolerance for error.  While conventional cryptography can be
   implemented in hardware in some cases for performance or other
   reasons, QKD is inherently tied to hardware.  The NSA points out that
   this makes QKD less flexible with regard to upgrades or security
   patches.  As QKD is fundamentally a point-to-point protocol, the NSA
   also notes that QKD networks often require the use of trusted relays,
   which increases the security risk from insider threats.

   The UK's National Cyber Security Centre cautions against reliance on
   QKD, especially in critical national infrastructure sectors, and
   suggests that PQC, as standardized by NIST, is a better solution
   [NCSC].  Meanwhile, the National Cybersecurity Agency of France has
   decided that QKD could be considered as a defense-in-depth measure
   complementing conventional cryptography, as long as the cost incurred
   does not adversely affect the mitigation of current threats to IT
   systems [ANNSI].

9.  Informative References

   [ANNSI]    French Cybersecurity Agency (ANSSI), "Should Quantum Key
              Distribution be Used for Secure Communications?", May
              2020, <https://www.ssi.gouv.fr/en/publication/should-
              quantum-key-distribution-be-used-for-secure-
              communications/>.

   [BB84]     Bennett, C. H. and G. Brassard, "Quantum cryptography:
              Public key distribution and coin tossing",
              DOI 10.1016/j.tcs.2014.05.025, December 2014,
              <https://doi.org/10.1016/j.tcs.2014.05.025>.

   [BBM92]    Bennett, C. H., Brassard, G., and N. D. Mermin, "Quantum
              cryptography without Bell's theorem", Physical Review
              Letters, American Physical Society,
              DOI 10.1103/PhysRevLett.68.557, February 1992,
              <https://link.aps.org/doi/10.1103/PhysRevLett.68.557>.

   [Ben-Or]   Ben-Or, M. and A. Hassidim, "Fast quantum byzantine
              agreement", STOC '05, Association for Computing Machinery,
              DOI 10.1145/1060590.1060662, May 2005,
              <https://dl.acm.org/doi/10.1145/1060590.1060662>.

   [Broadbent]
              Broadbent, A., Fitzsimons, J., and E. Kashefi, "Universal
              Blind Quantum Computation", 50th Annual IEEE Symposium on
              Foundations of Computer Science, IEEE,
              DOI 10.1109/FOCS.2009.36, December 2009,
              <https://arxiv.org/pdf/0807.4154.pdf>.

   [Cacciapuoti2019]
              Cacciapuoti, A. S., Caleffi, M., Van Meter, R., and L.
              Hanzo, "When Entanglement meets Classical Communications:
              Quantum Teleportation for the Quantum Internet (Invited
              Paper)", DOI 10.48550/arXiv.1907.06197, July 2019,
              <https://arxiv.org/abs/1907.06197>.

   [Cacciapuoti2020]
              Cacciapuoti, A. S., Caleffi, M., Tafuri, F., Cataliotti,
              F. S., Gherardini, S., and G. Bianchi, "Quantum Internet:
              Networking Challenges in Distributed Quantum Computing",
              IEEE Network, DOI 10.1109/MNET.001.1900092, February 2020,
              <https://ieeexplore.ieee.org/document/8910635>.

   [Caleffi]  Caleffi, M., Cacciapuoti, A. S., and G. Bianchi, "Quantum
              internet: from communication to distributed computing!",
              NANOCOM '18, Association for Computing Machinery,
              DOI 10.1145/3233188.3233224, September 2018,
              <https://dl.acm.org/doi/10.1145/3233188.3233224>.

   [Cao]      Cao, Y., Romero, J., and A. Aspuru-Guzik, "Potential of
              quantum computing for drug discovery", IBM Journal of
              Research and Development, DOI 10.1147/JRD.2018.2888987,
              December 2018, <https://doi.org/10.1147/JRD.2018.2888987>.

   [Castelvecchi]
              Castelvecchi, D., "The quantum internet has arrived (and
              it hasn't)", Nature 554, 289-292,
              DOI 10.1038/d41586-018-01835-3, February 2018,
              <https://www.nature.com/articles/d41586-018-01835-3>.

   [Childs]   Childs, A. M., "Secure assisted quantum computation",
              DOI 10.26421/QIC5.6, July 2005,
              <https://arxiv.org/pdf/quant-ph/0111046.pdf>.

   [Chitambar]
              Chitambar, E., Leung, D., Mančinska, L., Ozols, M., and A.
              Winter, "Everything You Always Wanted to Know About LOCC
              (But Were Afraid to Ask)", Communications in Mathematical
              Physics, Springer, DOI 10.1007/s00220-014-1953-9, March
              2014, <https://link.springer.com/article/10.1007/
              s00220-014-1953-9>.

   [Crepeau]  Crépeau, C., Gottesman, D., and A. Smith, "Secure multi-
              party quantum computation", STOC '02, Association for
              Computing Machinery, DOI 10.1145/509907.510000, May 2002,
              <https://doi.org/10.1145/509907.510000>.

   [Cuomo]    Cuomo, D., Caleffi, M., and A. S. Cacciapuoti, "Towards a
              distributed quantum computing ecosystem", IET Quantum
              Communication, DOI 10.1049/iet-qtc.2020.0002, July 2020,
              <http://dx.doi.org/10.1049/iet-qtc.2020.0002>.

   [Denchev]  Denchev, V. S. and G. Pandurangan, "Distributed quantum
              computing: a new frontier in distributed systems or
              science fiction?", ACM SIGACT News,
              DOI 10.1145/1412700.1412718, September 2008,
              <https://doi.org/10.1145/1412700.1412718>.

   [E91]      Ekert, A. K., "Quantum cryptography based on Bell's
              theorem", Physical Review Letters, American Physical
              Society, DOI 10.1103/PhysRevLett.67.661, August 1991,
              <https://link.aps.org/doi/10.1103/PhysRevLett.67.661>.

   [Eisert]   Eisert, J., Jacobs, K., Papadopoulos, P., and M. B.
              Plenio, "Optimal local implementation of nonlocal quantum
              gates", Physical Review A, American Physical Society,
              DOI 10.1103/PhysRevA.62.052317, October 2000,
              <https://doi.org/10.1103/PhysRevA.62.052317>.

   [Elkouss]  Elkouss, D., Martinez-Mateo, J., and V. Martin,
              "Information Reconciliation for Quantum Key Distribution",
              DOI 10.48550/arXiv.1007.1616, April 2011,
              <https://arxiv.org/pdf/1007.1616.pdf>.

   [ETSI-QKD-Interfaces]
              ETSI, "Quantum Key Distribution (QKD); Components and
              Internal Interfaces", V2.1.1, ETSI GR QKD 003, March 2018,
              <https://www.etsi.org/deliver/etsi_gr/
              QKD/001_099/003/02.01.01_60/gr_QKD003v020101p.pdf>.

   [ETSI-QKD-UseCases]
              ETSI, "Quantum Key Distribution; Use Cases", V1.1.1, ETSI
              GS QKD 002, June 2010,
              <https://www.etsi.org/deliver/etsi_gs/
              qkd/001_099/002/01.01.01_60/gs_qkd002v010101p.pdf>.

   [Fitzsimons]
              Fitzsimons, J. F., "Private quantum computation: an
              introduction to blind quantum computing and related
              protocols", DOI 10.1038/s41534-017-0025-3, June 2017,
              <https://www.nature.com/articles/s41534-017-0025-3.pdf>.

   [Gottesman1999]
              Gottesman, D. and I. Chuang, "Demonstrating the viability
              of universal quantum computation using teleportation and
              single-qubit operations", Nature 402, 390-393,
              DOI 10.1038/46503, November 1999,
              <https://doi.org/10.1038/46503>.

   [Gottesman2012]
              Gottesman, D., Jennewein, T., and S. Croke, "Longer-
              Baseline Telescopes Using Quantum Repeaters", Physical
              Review Letters, American Physical Society,
              DOI 10.1103/PhysRevLett.109.070503, August 2012,
              <https://link.aps.org/doi/10.1103/PhysRevLett.109.070503>.

   [Grosshans]
              Grosshans, F. and P. Grangier, "Continuous Variable
              Quantum Cryptography Using Coherent States", Physical
              Review Letters, American Physical Society,
              DOI 10.1103/PhysRevLett.88.057902, January 2002,
              <https://doi.org/10.1103/PhysRevLett.88.057902>.

   [Grumbling]
              Grumbling, E., Ed. and M. Horowitz, Ed., "Quantum
              Computing: Progress and Prospects", National Academies of
              Sciences, Engineering, and Medicine, The National
              Academies Press, DOI 10.17226/25196, 2019,
              <https://doi.org/10.17226/25196>.

   [Guo]      Guo, X., Breum, C. R., Borregaard, J., Izumi, S., Larsen,
              M. V., Gehring, T., Christandl, M., Neergaard-Nielsen, J.
              S., and U. L. Andersen, "Distributed quantum sensing in a
              continuous-variable entangled network", Nature Physics,
              DOI 10.1038/s41567-019-0743-x, December 20219,
              <https://www.nature.com/articles/s41567-019-0743-x>.

   [Huang]    Huang, H-L., Zhao, Q., Ma, X., Liu, C., Su, Z-E., Wang,
              X-L., Li, L., Liu, N-L., Sanders, B. C., Lu, C-Y., and
              J-W. Pan, "Experimental Blind Quantum Computing for a
              Classical Client", DOI 10.48550/arXiv.1707.00400, July
              2017, <https://arxiv.org/pdf/1707.00400.pdf>.

   [ITUT]     ITU-T, "Draft new Technical Report ITU-T TR.QN-UC: 'Use
              cases of quantum networks beyond QKDN'", ITU-T SG 13,
              November 2022,
              <https://www.itu.int/md/T22-SG13-221125-TD-WP3-0158/en>.

   [Jozsa2000]
              Josza, R., Abrams, D. S., Dowling, J. P., and C. P.
              Williams, "Quantum Clock Synchronization Based on Shared
              Prior Entanglement", Physical Review Letters, American
              Physical Society, DOI 10.1103/PhysRevLett.85.2010, August
              2000,
              <https://link.aps.org/doi/10.1103/PhysRevLett.85.2010>.

   [Jozsa2005]
              Josza, R., "An introduction to measurement based quantum
              computation", DOI 10.48550/arXiv.quant-ph/0508124,
              September 2005,
              <https://arxiv.org/pdf/quant-ph/0508124.pdf>.

   [Kiktenko] Kiktenko, E. O., Malyshev, A. O., Gavreev, M. A.,
              Bozhedarov, A. A., Pozhar, N. O., Anufriev, M. N., and A.
              K. Fedorov, "Lightweight authentication for quantum key
              distribution", DOI 10.1109/TIT.2020.2989459, September
              2020, <https://arxiv.org/pdf/1903.10237.pdf>.

   [Komar]    Kómár, P., Kessler, E. M., Bishof, M., Jiang, L.,
              Sørensen, A. S., Ye, J., and M. D. Lukin, "A quantum
              network of clocks", DOI 10.1038/nphys3000, October 2013,
              <https://arxiv.org/pdf/1310.6045.pdf>.

   [Lipinska] Lipinska, V., Murta, G., Ribeiro, J., and S. Wehner,
              "Verifiable hybrid secret sharing with few qubits",
              Physical Review A, American Physical Society,
              DOI 10.1103/PhysRevA.101.032332, March 2020,
              <https://doi.org/10.1103/PhysRevA.101.032332>.

   [Lo]       Lo, H-K., Curty, M., and B. Qi, "Measurement-Device-
              Independent Quantum Key Distribution", Physical Review
              Letters, American Physical Society,
              DOI 10.1103/PhysRevLett.108.130503, March 2012,
              <https://doi.org/10.1103/PhysRevLett.108.130503>.

   [NCSC]     National Cyber Security Centre (NCSC), "Quantum security
              technologies", Whitepaper, March 2020,
              <https://www.ncsc.gov.uk/whitepaper/quantum-security-
              technologies>.

   [NISTIR8240]
              Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D.,
              Dang, Q., Liu, Y-K., Miller, C., Moody, D., Peralta, R.,
              Perlner, R., Robinson, A., and D. Smith-Tone, "Status
              Report on the First Round of the NIST Post-Quantum
              Cryptography Standardization Process",
              DOI 10.6028/NIST.IR.8240, NISTIR 8240, January 2019,
              <https://nvlpubs.nist.gov/nistpubs/ir/2019/
              NIST.IR.8240.pdf>.

   [NISTSP800-207]
              Rose, S., Borchert, O., Mitchell, S., and S. Connelly,
              "Zero Trust Architecture", NIST SP 800-207,
              DOI 10.6028/NIST.SP.800-207, August 2020,
              <https://doi.org/10.6028/NIST.SP.800-207>.

   [NSA]      National Security Agency (NSA), "Post-Quantum
              Cybersecurity Resources",
              <https://www.nsa.gov/Cybersecurity/Post-Quantum-
              Cybersecurity-Resources/>.

   [Pal]      Pal, S. P., Singh, S. K., and S. Kumar, "Multi-partite
              Quantum Entanglement versus Randomization: Fair and
              Unbiased Leader Election in Networks", DOI
              10.48550/arXiv.quant-ph/0306195, June 2003,
              <https://arxiv.org/pdf/quant-ph/0306195.pdf>.

   [Preskill] Preskill, J., "Quantum Computing in the NISQ era and
              beyond", DOI 10.22331/q-2018-08-06-79, July 2018,
              <https://arxiv.org/pdf/1801.00862>.

   [Proctor]  Proctor, T. J., Knott, P. A., and J. A. Dunningham,
              "Multiparameter Estimation in Networked Quantum Sensors",
              Physical Review Letters, American Physical Society,
              DOI 10.1103/PhysRevLett.120.080501, February 2018,
              <https://journals.aps.org/prl/abstract/10.1103/
              PhysRevLett.120.080501>.

   [Qin]      Qin, H., "Towards large-scale quantum key distribution
              network and its applications", June 2019,
              <https://www.itu.int/en/ITU-T/Workshops-and-
              Seminars/2019060507/Documents/Hao_Qin_Presentation.pdf>.

   [QUANTUM-CONNECTION]
              Van Meter, R. and T. Matsuo, "Connection Setup in a
              Quantum Network", Work in Progress, Internet-Draft, draft-
              van-meter-qirg-quantum-connection-setup-01, 11 September
              2019, <https://datatracker.ietf.org/doc/html/draft-van-
              meter-qirg-quantum-connection-setup-01>.

   [Renner]   Renner, R., "Security of Quantum Key Distribution", DOI
              10.48550/arXiv.quant-ph/0512258, September 2005,
              <https://arxiv.org/pdf/quant-ph/0512258.pdf>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <https://www.rfc-editor.org/info/rfc7258>.

   [RFC9340]  Kozlowski, W., Wehner, S., Van Meter, R., Rijsman, B.,
              Cacciapuoti, A. S., Caleffi, M., and S. Nagayama,
              "Architectural Principles for a Quantum Internet",
              RFC 9340, DOI 10.17487/RFC9340, March 2023,
              <https://www.rfc-editor.org/info/rfc9340>.

   [Taherkhani]
              Taherkhani, M. A., Navi, K., and R. Van Meter, "Resource-
              aware System Architecture Model for Implementation of
              Quantum aided Byzantine Agreement on Quantum Repeater
              Networks", DOI 10.1088/2058-9565/aa9bb1, January 2017,
              <https://arxiv.org/abs/1701.04588>.

   [Tang]     Tang, B-Y., Liu, B., Zhai, Y-P., Wu, C-Q., and W-R. Yu,
              "High-speed and Large-scale Privacy Amplification Scheme
              for Quantum Key Distribution", Scientific Reports,
              DOI 10.1038/s41598-019-50290-1, October 2019,
              <https://doi.org/10.1038/s41598-019-50290-1>.

   [Treiber]  Treiber, A., Poppe, A., Hentschel, M., Ferrini, D.,
              Lorünser, T., Querasser, E., Matyus, T., Hübel, H., and A.
              Zeilinger, "A fully automated entanglement-based quantum
              cryptography system for telecom fiber networks", New
              Journal of Physics 11 045013,
              DOI 10.1088/1367-2630/11/4/045013, April 2009,
              <https://iopscience.iop.org/
              article/10.1088/1367-2630/11/4/045013>.

   [VanMeter2006-01]
              Van Meter, R., Nemoto, K., Munro, W. J., and K. M. Itoh,
              "Distributed Arithmetic on a Quantum Multicomputer", 33rd
              International Symposium on Computer Architecture (ISCA
              '06), DOI 10.1109/ISCA.2006.19, June 2006,
              <https://doi.org/10.1109/ISCA.2006.19>.

   [VanMeter2006-02]
              Van Meter, R. D., "Architecture of a Quantum Multicomputer
              Optimized for Shor's Factoring Algorithm", DOI
              10.48550/arXiv.quant-ph/0607065, February 2008,
              <https://arxiv.org/pdf/quant-ph/0607065.pdf>.

   [Wehner]   Wehner, S., Elkouss, D., and R. Hanson, "Quantum internet:
              A vision for the road ahead", Science 362,
              DOI 10.1126/science.aam9288, October 2018,
              <http://science.sciencemag.org/content/362/6412/
              eaam9288.full>.

   [Xu]       Xu, F., Qi, B., and H-K. Lo, "Experimental demonstration
              of phase-remapping attack in a practical quantum key
              distribution system", New Journal of Physics 12 113026,
              DOI 10.1088/1367-2630/12/11/113026, November 2010,
              <https://iopscience.iop.org/
              article/10.1088/1367-2630/12/11/113026>.

   [Zhandry]  Zhandry, M., "Quantum Lightning Never Strikes the Same
              State Twice", Advances in Cryptology - EUROCRYPT 2019,
              DOI 10.1007/978-3-030-17659-4_14, April 2019,
              <http://doi.org/10.1007/978-3-030-17659-4_14>.

   [Zhang2009]
              Zhang, X., Luo, W., Zeng, G., Weng, J., Yang, Y., Chen,
              M., and X. Tan, "A hybrid universal blind quantum
              computation", DOI 10.1016/j.ins.2019.05.057, September
              2019,
              <https://www.sciencedirect.com/science/article/abs/pii/
              S002002551930458X>.

   [Zhang2018]
              Zhang, Q., Xu, F., Chen, Y-A., Peng, C-Z., and J-W. Pan,
              "Large scale quantum key distribution: challenges and
              solutions [Invited]", Optics Express,
              DOI 10.1364/OE.26.024260, August 2018,
              <https://doi.org/10.1364/OE.26.024260>.

   [Zhao2008] Zhao, Y., Fred Fung, C-H., Qi, B., Chen, C., and H-K. Lo,
              "Quantum hacking: Experimental demonstration of time-shift
              attack against practical quantum-key-distribution
              systems", Physical Review A, American Physical Society,
              DOI 10.1103/PhysRevA.78.042333, October 2008,
              <https://link.aps.org/doi/10.1103/PhysRevA.78.042333>.

   [Zhao2018] Zhao, Y., "Development of Quantum Key Distribution and
              Attacks against It", Journal of Physics: Conference
              Series, DOI 10.1088/1742-6596/1087/4/042028, 2018,
              <https://iopscience.iop.org/
              article/10.1088/1742-6596/1087/4/042028>.

   [Zheng2019]
              Zheng, X., Zhang, P., Ge, R., Lu, L., He, G., Chen, Q.,
              Qu, F., Zhang, L., Cai, X., Lu, Y., Zhu, S., Wu, P., and
              X-S. Ma, "Heterogeneously integrated, superconducting
              silicon-photonic platform for measurement-device-
              independent quantum key distribution",
              DOI 10.1117/1.AP.3.5.055002, December 2019,
              <https://arxiv.org/abs/1912.09642>.

Acknowledgments

   The authors want to thank Michele Amoretti, Mathias Van Den Bossche,
   Xavier de Foy, Patrick Gelard, Álvaro Gómez Iñesta, Mallory Knodel,
   Wojciech Kozlowski, John Preuß Mattsson, Rodney Van Meter, Colin
   Perkins, Joey Salazar, Joseph Touch, Brian Trammell, and the rest of
   the QIRG community as a whole for their very useful reviews and
   comments on the document.

Authors' Addresses

   Chonggang Wang
   InterDigital Communications, LLC
   1001 E Hector St
   Conshohocken, PA 19428
   United States of America
   Email: Chonggang.Wang@InterDigital.com


   Akbar Rahman
   Ericsson
   349 Terry Fox Drive
   Ottawa Ontario K2K 2V6
   Canada
   Email: Akbar.Rahman@Ericsson.Com


   Ruidong Li
   Kanazawa University
   Kakumamachi, Kanazawa, Ishikawa
   920-1192
   Japan
   Email: lrd@se.kanazawa-u.ac.jp


   Melchior Aelmans
   Juniper Networks
   Boeing Avenue 240
   1119 PZ Schiphol-Rijk
   Netherlands
   Email: maelmans@juniper.net


   Kaushik Chakraborty
   The University of Edinburgh
   10 Crichton Street
   Edinburgh, Scotland
   EH8 9AB
   United Kingdom
   Email: kaushik.chakraborty9@gmail.com



ERRATA