tptacek
This is an article about QKD, a physical/hardware encryption technology that, to my understanding, cryptography engineers do not actually take seriously. It's not about post-quantum encryption techniques (PQC) like structured lattices.
andutu
I've skimmed some literature on Quantum Crypto and from my understanding the outstanding issues currently are 1. How to make these work over long distances and 2. How to implement features found in PKI authentication (though QKD schemes are theoretically secure against MITM attacks, there still isn't a quantum cryptography scheme yet to ensure that you are talking to a non-adversary). There have been advances with the 1st problem, but the 2nd is trickier. Tbf, you don't strictly need PKE to have secure communication between 2 parties (look at Section 6 in https://signal.org/docs/specifications/sesame/).

A lot of real world implementations of quantum crypto have been with respect to satellite communications, which makes sense. The satellite is usually built by the same actors who set up the communication links from the ground to the satellite, and quantum particles can be transmitted by laser. But as the article points out, it probably won't see widespread use for a while. There was a paper that came out recently called "How (not) to Build Quantum PKE in Minicrypt" (https://arxiv.org/abs/2405.20295) and from my limited understanding of it, a quantum PKE system will likely have very few components from classical crypto incorporated into it. Not to mention that specially built devices have to be installed at ISPs, data centers, etc. for this to work.

Work in this space is valuable as a hedge against a world where all conventional crypto is broken. It also helps advance work in quantum mechanics more generally and other fields in physics and it's generally very interesting :)

edit: grammar corrections

cycomanic
What is really annoying about the quantum cryptography field is the dishonesty (in my opinion) that goes on with justifying the need. The need for QKD is often justified by quantum computers, Shor's algorithm and how cryptography will not be future proof once quantum computers are around, and that people can store all the data already and decrypt it sometime in the future. QKD is then brought in as the solution because channels are "physically secure" and is often mentioned as an alternative to post-quantum cryptography.

Apart from the big question marks around quantum computers, the argument is dishonest. Post-quantum algorithms are primarily about asymmetric encryption; QKD is not a solution for the same problem at all. QKD is simply a way of ensuring that your optical channel is secure, so you can distribute one-time pads. The encryption is the one-time pad. And nobody is thinking about having QKD links between individual desktop PCs (that seems completely unfeasible atm).

Essentially QKD is the same thing as sending a guard with a suitcase full of hard drives between your end points to distribute your keys (and in fact sending a guard is typically several orders of magnitude faster considering the current distances and data rates).

In addition to the dishonest argument about the need, there is the issue of how they mention rates and distances. Often when talking about best key distribution rates, proponents mention the MB/s that you can achieve with continuous variable QKD, but in the same argument they talk about the ultimate security achievable with discrete variable QKD. But data rates for discrete variable QKD are much lower, while the security of continuous variable QKD relies on statistics and is more susceptible to attacks. So the arguments make QKD look much better than the reality.

cryptonector
QKD continues to be snake oil.
skywhopper
This article, like most things I’ve seen about quantum computing tech from ieee.org is a weird mish-mash of nonsense claims about entirely unrelated future technologies based entirely on assertions from a “quantum computing” consulting firm.

Post-quantum crypto and quantum key distribution have nothing to do with each other, beyond the word “quantum” in their names.

The article asserts post-quantum crypto algorithms might be vulnerable to quantum computing, merely based on the fact that you can’t prove they won’t be. But it doesn’t mention the fact that the actual threat to traditional public-key crypto from quantum computing is still decades away from being practical if it ever becomes so, and we know how that math would work.

But quantum computers do actually exist. Sure, they can only factor numbers smaller than 25 and get exponentially more error-prone with every added qubit. But they exist. As for quantum key distribution, it’s entirely theoretical. It depends on inventing a technology for distributing entangled photons securely ahead of time. If it can be developed at all (and the crypto shill they quote claims “5 to 10 years” which is code for “we have no clue how to build this”), it amounts to a very very expensive one-time pad.

OTPs are already “perfect” crypto, that can’t be broken by any computer... unless you attack the communication outside the bounds of the OTP. Steal the code book, or read the decrypted message, or just beat it out of the agent. QKD is no different, but it’s actually worse. Because the equipment would be unique and hyper-expensive, and because since the plaintext would be in a computer, it can then just as easily be surveilled, copied, or stored after decryption like any other plaintext.

The discussion of the supposed combination of the two technologies is complete and utter nonsense. Sure, you could do that, but there are so many other, better, simpler, cheaper ways to be far more secure. This is all a great way to bilk governments out of their money, very little more.
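
Both cycomanic's point (QKD only delivers key material; the encryption is the one-time pad) and skywhopper's point (the OTP is perfect only within its bounds) can be seen in a few lines. The following is an added illustration written for this thread, not code from the article or any QKD product; the key pool and the sample messages are constructed, and nothing here models the optical link itself.

```python
import os

def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR plaintext with key material; needs one fresh key byte per message byte."""
    if len(key) < len(plaintext):
        raise ValueError("key exhausted: one key byte per message byte")
    return bytes(p ^ k for p, k in zip(plaintext, key))

otp_decrypt = otp_encrypt  # XOR is its own inverse

class KeyPool:
    """Key store filled by the distribution link (QKD link or courier with hard
    drives); bytes are handed out once and never reused. The link's delivery
    rate therefore bounds the encrypted throughput."""
    def __init__(self, key_material: bytes):
        self._buf = bytearray(key_material)

    def remaining(self) -> int:
        return len(self._buf)

    def take(self, n: int) -> bytes:
        if n > len(self._buf):
            raise ValueError("key exhausted: wait for the link to deliver more")
        k = bytes(self._buf[:n])
        del self._buf[:n]
        return k

def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy: every same-length plaintext is produced by some key, so
    the ciphertext alone tells an eavesdropper nothing about which one was sent."""
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))

def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If key bytes are reused, c1 XOR c2 == p1 XOR p2: the key cancels and the
    plaintext relation leaks. This is why the pool never hands a byte out twice."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))

def demo() -> bool:
    pool = KeyPool(os.urandom(64))          # constructed: 64 bytes of delivered key
    m1, m2 = b"attack at dawn", b"hold position!"
    k1, k2 = pool.take(len(m1)), pool.take(len(m2))
    c1 = otp_encrypt(m1, k1)
    otp_encrypt(m2, k2)
    assert otp_decrypt(c1, k1) == m1 and pool.remaining() == 64 - len(m1) - len(m2)
    # a reused pad would expose m1 XOR m2 to anyone holding both ciphertexts
    assert two_time_pad_leak(otp_encrypt(m2, k1), c1) == bytes(a ^ b for a, b in zip(m1, m2))
    return True
```

The protection ends where the pad does: the plaintext on either endpoint, and any byte of key that is reused or stolen, are outside what the pad (and hence the QKD link feeding it) can guarantee.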

ackbar03
Where exactly are we with quantum computing? Last I remembered there was a lot of hoopla but the thing still wasn't working yet