Cutting through the hype – Post-Quantum Cryptography vs Quantum Key Distribution
Chris Erven, CEO at KETS, cuts through the hype surrounding post-quantum cryptography and quantum security technologies.
There is a lot of hype around quantum computing and quantum technologies, and I can only imagine the difficulties facing a CISO or CTO trying to cut through this. To help with this, I’ve had in my minds’ eye an apples-to-apples table comparing key quantum-safe information security technologies for a while.
Now I’m from a quantum security technologies company – so you might argue I’m biased, but I also used to be an academic – so I have a very hard time not being precise in what I say and write. Moreover, if you disagree with anything in this article – get in touch!
My goal is to establish clear information about quantum-safe technologies that industries and enterprises can use to make key decisions because it’s not just about looking ahead to what’s next but also what’s after that and then what’s after that. In addition, I also want you as individuals to have clear information about secure technologies for a post-quantum world to enable you to make informed decisions about the companies you use to store and transmit your personal data.
To start with, let’s establish definitions of a few key terms that can get butchered in the marketing:
- quantum-safe means cryptographic primitives and protocols that cannot efficiently be broken using either a conventional or a quantum computer;
- a post-quantum world means a world in which quantum computers exist;
- post-quantum cryptography (PQC) algorithms mean (in terms of the NIST competition) quantum resistant public-key cryptographic primitives of digital signatures and key encapsulation mechanisms;
- quantum key distribution (QKD) means a secure symmetric key distribution protocol which uses quantum systems (qubits) to distribute the key;
There has been a heated debate raging for years in academics of who “solves” cryptography, it has been a complete waste of time. The answer is clearly both. They are both key tools (along with many others) in our crypto toolbox to build next generation quantum-safe applications. Each has different trade-offs, and we’ll deploy the best ones for the job because there really is a lot of nuance that is use-case and application specific.
|Security||Conjectured security||Proven theoretical security
|QKD is the only cryptographic primitive that has been proven secure in theory assuming nothing more than the laws of quantum mechanics are correct.|
|Distance||Unlimited distance||Currently requires Trusted Nodes for unlimited distance||PQC algorithms have an unlimited distance because they operate at the software layer. A single QKD link is currently limited to a few 100 km’s with a sweet spot in the 20 – 50 km range. Work on quantum repeaters and satellite-QKD is on-going to extend the range.|
(full lifecycle costs not yet known)
(full lifecycle costs not yet known)
|Currently, PQC algorithms do have the advantage of cost, but with a chip-based approach to quantum security technologies their costs are rapidly coming down.|
|Authentication||Authentication methods included in PQC||Initial shared secret or use of PQC authentication methods
Secure key growth forever after
|Use an initial shared secret for QKD if you want to 100% verify you’re talking to who you think you are. Otherwise, use PQC for a first connection.
QKD efficiently generates key such that after the first session you can always save a small amount of key to authenticate the next session.
|Certification||Draft standards – NIST PQC Competition||Draft standards – ETSI, ITU-T, ISO, …||Neither PQC algorithms nor QKD have established standards – both are currently in draft form.|
(increased memory and/or time requirements and cost)
(increased hardware integration costs)
|New PQC algorithms generally have increased time or memory requirements and costs, while QKD systems require integration at the hardware level and an optical channel to distribute keys.|
|Implementation Security||Requires a security-by-design approach||Requires a security-by-design approach||Both PQC algorithms and QKD require a security-by-design approach and fail-safe mechanisms to ensure a secure implementation.|
|Security Assurance||Requires real-world vulnerability and security assessment||Requires real-world vulnerability and security assessment||Both require real-world vulnerability and security assessment. A key on-going need is the development of robust methods for these.|
The arrival of quantum computing has raised the awareness of how costly it is to upgrade our cryptosystems and how prohibitively costly it is to retrofit them. Cryptographic agility is a must in the future. Hopefully the above has been helpful to dispel some of the hype around quantum security technologies so that you can start to make key decisions about your own quantum-safe roadmap.
But remember it’s not just your next immediate step you should consider, soon securing our classical data in quantum-safe ways will be a given and you’ll need to start thinking about when you’ll be sending encrypted quantum information (qubits) into the cloud or when you’ll be playing with early incarnations of the quantum internet. If you want to not only make your company quantum-safe in a post-quantum world, but also want to set your company up to capitalise on the coming quantum revolution, now is the time to get involved testing all of the new quantum-safe tools.
The timing is perfect with a number of quantum-safe testbeds that seek to include all of these new quantum-safe tools in the toolbox including our Canada-UK Quantum Technologies project building quantum-safe testbeds in the UK and Canada, our ViSatQT and AQRNG projects focused on satellite-QKD and the assurance of quantum random number generators, the ParisQCI project where we are a key quantum security technology partner helping to build a quantum-safe core backbone network in Paris, or the wider EuroQCI project building a secure quantum communication network across the EU. Get in touch if you want to find out the latest about these and other projects and how our technology can help future-proof your cybersecurity.
And like I said from the outset, we’re interested to hear your thoughts, if you want to challenge any of the claims in the table, please get in touch. We will continue to update the so that you always have a comprehensive source of clear information to come back to about quantum-safe technologies.
 The temptation for many footnotes in this article was almost overwhelming!
 Since most symmetric cryptographic primitives (e.g. AES) are thought to be relatively easy to modify in a way that makes them quantum-resistant, efforts have focused on the public-key cryptography primitives named.