Of course, it also tells a dedicated adversary with L1 access exactly where to tap your cables.
How do QKD systems key and timecode repeaters?
Isn't it possible to measure a photon state without causing state collapse by measuring adjacent particles affected by the passing photon? Is it possible to have entanglement communications without such measurement capacity?
A lot of real-world implementations of quantum crypto have been with respect to satellite communications, which makes sense. The satellite is usually built by the same actors who set up the communication links from the ground to the satellite, and quantum particles can be transmitted by laser. But as the article points out, it probably won't see widespread use for a while. There was a paper that came out recently called "How (not) to Build Quantum PKE in Minicrypt" (https://arxiv.org/abs/2405.20295) and from my limited understanding of it, a quantum PKE system will likely have very few components from classical crypto incorporated into it. Not to mention that specially built devices have to be installed at ISPs, data centers, etc. for this to work.
Work in this space is valuable as a hedge against a world where all conventional crypto is broken. It also helps advance work in quantum mechanics more generally and other fields in physics and it's generally very interesting :)
edit: grammar corrections
Apart from the big question marks around quantum computers, the argument is dishonest. Post-quantum algorithms are primarily about asymmetric encryption; QKD is not a solution for the same problem at all. QKD is simply a way of ensuring that your optical channel is secure, so you can distribute one-time pads. The encryption is the one-time pad. And nobody is thinking about having QKD links between individual desktop PCs (that seems completely unfeasible atm).
Essentially QKD is the same thing as sending a guard with a suitcase full of hard drives between your end points to distribute your keys (and in fact sending a guard is typically several orders of magnitude faster considering the current distances and data rates).
In addition to the dishonest argument about the need, there is the issue of how they mention rates and distances. Often when talking about the best key distribution rates, proponents mention the MB/s that you can achieve with continuous-variable QKD, but in the same argument they talk about the ultimate security achievable with discrete-variable QKD. But data rates for discrete-variable QKD are much lower, while the security of continuous-variable QKD relies on statistics and is more susceptible to attacks. So the arguments make QKD look much better than the reality.
There is reputable science to be done, the experiments are worth funding as basic science. The snake oil part is all the talk about applications being just around the corner (or viable at all). Applications are decades away at least, and maybe also just impossible.
That tons of reputable scientists talk about applications anyway is based on the necessity of securing funding. Nobody funds basic science, at least not as well as a next-big-thing application right after the funding period ends...
The physicist will see "totally confidential channel" as a great useful application. Because he lacks the knowledge that a confidential channel is totally useless without authentication. At best, the authentication will be hand-waved away in the grant application as "out of scope" or "future work".
The credentialist approach we take to all specialty knowledge has its limits, and we must acknowledge that. Credentials do not limit one's expertise, nor really do they prove it.
Post-quantum crypto and quantum key distribution have nothing to do with each other, beyond the word “quantum” in their names.
The article asserts post-quantum crypto algorithms might be vulnerable to quantum computing, merely based on the fact that you can’t prove they won’t be. But it doesn’t mention the fact that the actual threat to traditional public-key crypto from quantum computing is still decades away from being practical if it ever becomes so, and we know how that math would work.
But quantum computers do actually exist. Sure, they can only factor numbers smaller than 25 and get exponentially more error-prone with every added qubit. But they exist. As for quantum key distribution, it’s entirely theoretical. It depends on inventing a technology for distributing entangled photons securely ahead of time. If it can be developed at all (and the crypto shill they quote claims “5 to 10 years” which is code for “we have no clue how to build this”), it amounts to a very very expensive one-time pad.
OTPs are already “perfect” crypto, that can’t be broken by any computer... unless you attack the communication outside the bounds of the OTP. Steal the code book, or read the decrypted message, or just beat it out of the agent. QKD is no different, but it’s actually worse. Because the equipment would be unique and hyper-expensive, and because since the plaintext would be in a computer, it can then just as easily be surveilled, copied, or stored after decryption like any other plaintext.
The discussion of the supposed combination of the two technologies is complete and utter nonsense. Sure, you could do that, but there are so many other, better, simpler, cheaper ways to be far more secure. This is all a great way to bilk governments out of their money, very little more.
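The one-time-pad point made in the comments above (a confidential channel is useless without authentication; an OTP is "perfect" until you attack it outside its bounds) can be made concrete. The following is an added example, not code from any commenter or from the article: it XORs a message with a pad, shows that anyone who knows part of the plaintext can rewrite it without ever seeing the pad, and then spends 32 more pad bytes on a one-time polynomial MAC (Carter-Wegman style) so the rewrite is rejected. The function names, the field prime, the 15-byte chunking and the sample message are this example's own choices; the pad stands in for whatever a QKD link, or a courier with a suitcase, would deliver to both ends.

```python
"""A one-time pad is perfectly confidential but gives no integrity.

Added example, not code from any commenter in the thread. The function
names, the field prime, the 15-byte chunking and the sample message are
this example's own choices; the pad stands in for whatever a QKD link
(or a courier) would deliver to both ends.
"""
from __future__ import annotations

import hmac

P = (1 << 127) - 1  # Mersenne prime; the field for the one-time polynomial MAC


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad bytes. Encryption and decryption are the same op."""
    if len(pad) < len(data):
        raise ValueError("pad too short: a one-time pad is never reused or stretched")
    return bytes(d ^ p for d, p in zip(data, pad))


def rewrite(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Eve, who never sees the pad, replaces plaintext `known` at `offset`
    with `desired`: XORing (known ^ desired) into the ciphertext flips exactly
    those plaintext bits after decryption."""
    if len(known) != len(desired):
        raise ValueError("known and desired must have equal length")
    out = bytearray(ciphertext)
    for i, (k, d) in enumerate(zip(known, desired)):
        out[offset + i] ^= k ^ d
    return bytes(out)


def cw_tag(ciphertext: bytes, r: int, s: int) -> int:
    """Carter-Wegman style one-time MAC: evaluate the ciphertext, read as a
    polynomial over GF(P), at the one-time point r and mask with the one-time
    value s. A forged tag for a different ciphertext verifies with probability
    at most (number of blocks)/P, regardless of Eve's computing power."""
    # The length prefix makes the block encoding injective; 15-byte blocks are < P.
    msg = len(ciphertext).to_bytes(8, "big") + ciphertext
    acc = 0
    for i in range(0, len(msg), 15):  # Horner evaluation
        acc = (acc * r + int.from_bytes(msg[i:i + 15], "big")) % P
    return (acc + s) % P


def split_pad(pad: bytes, msg_len: int) -> tuple[bytes, int, int]:
    """Spend pad bytes: msg_len for encryption, then 16 + 16 for (r, s)."""
    if len(pad) < msg_len + 32:
        raise ValueError("pad too short for message plus MAC key")
    r = int.from_bytes(pad[msg_len:msg_len + 16], "big") % P  # reduction bias ~2^-127
    s = int.from_bytes(pad[msg_len + 16:msg_len + 32], "big") % P
    return pad[:msg_len], r, s


def seal(pad: bytes, plaintext: bytes) -> tuple[bytes, int]:
    """Encrypt with the pad and tag the ciphertext with one-time MAC keys from the pad."""
    enc, r, s = split_pad(pad, len(plaintext))
    ct = otp(plaintext, enc)
    return ct, cw_tag(ct, r, s)


def unseal(pad: bytes, ciphertext: bytes, tag: int) -> bytes | None:
    """Return the plaintext, or None if the tag does not verify."""
    enc, r, s = split_pad(pad, len(ciphertext))
    expected = cw_tag(ciphertext, r, s)
    if not hmac.compare_digest(expected.to_bytes(16, "big"), (tag % P).to_bytes(16, "big")):
        return None
    return otp(ciphertext, enc)


if __name__ == "__main__":
    import secrets

    pad = secrets.token_bytes(64)     # constructed: the shared pad for one message
    msg = b"PAY 0010 EUR TO ALICE"    # constructed sample message

    # 1. Pad only: Eve knows the message layout, rewrites the amount, nobody notices.
    ct = otp(msg, pad[:len(msg)])
    forged = rewrite(ct, 4, b"0010", b"9999")
    print(otp(forged, pad[:len(msg)]))                             # b'PAY 9999 EUR TO ALICE'

    # 2. Pad plus one-time MAC: same ciphertext bytes, but the rewrite is rejected.
    ct2, tag = seal(pad, msg)
    print(unseal(pad, ct2, tag))                                   # b'PAY 0010 EUR TO ALICE'
    print(unseal(pad, rewrite(ct2, 4, b"0010", b"9999"), tag))     # None
```

The MAC here is information-theoretic, like the pad itself, which is why it fits the QKD setting better than HMAC would: it costs 32 pad bytes per message and the (r, s) pair is used exactly once. Note that it only authenticates data sent over the pad; the separate problem the comment above raises, authenticating the QKD channel itself so that Eve cannot sit in the middle during key establishment, still needs a pre-shared key or a classical signature, which is exactly the piece that gets waved off as "out of scope".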
Isn't that not the case? OTPs are authentication, not encryption? The underlying algorithms are what people are concerned about quantum computing breaking. OTPs still rely on these algorithms?
This is a reasonable overview.
It works and exists, but is not faster than classical computing. We need many orders of magnitude improvement before we get a cryptographically relevant quantum computer to break RSA etc.
It’s not clear when that will happen. 10 years or 100?