Post-Quantum Cryptography and Quantum Key Distribution Table
Feature | PQC | QKD | Summary
Security
PQC: Conjectured security
QKD: Proven theoretical security; future proof
Summary: QKD is the only cryptographic primitive that has been proven secure in theory assuming nothing more than the laws of quantum mechanics are correct.
QKD is the only cryptographic primitive that has been proven secure in theory assuming nothing more than the laws of quantum mechanics are correct. Further, if you use the keys correctly then the security of the data you encrypt is future proof. Every other primitive requires additional security assumptions.
Any other cryptographic primitive or system requires additional assumptions for its security[1]. PQC algorithms are conjectured to be secure, and they have an increasing amount of evidence to back this up[2].
Distance
PQC: Unlimited distance
QKD: Currently requires Trusted Nodes for unlimited distance
Summary: PQC algorithms have an unlimited distance because they operate at the software layer. A single QKD link is currently limited to a few hundred km, with a sweet spot in the 20 – 50 km range. Work on quantum repeaters and satellite-QKD is ongoing to extend the range.
PQC algorithms have an unlimited distance because they operate at the software layer (or, to be more precise, at the Session or Transport layers of the OSI model). A single QKD link is currently limited to a few hundred km, with a sweet spot in the 20 - 50 km range. Thus, QKD currently requires Trusted Nodes (locations where daisy-chained QKD links are connected and keys are XORed together; by definition they learn the secret keys produced along each link and must be trusted) to extend distances. But work is ongoing to alleviate this with quantum repeaters and satellite-QKD, and the more we trial it and engage with innovation projects and early testbeds, the more we will refine and improve its capabilities, including its distance potential (recently a PoC of up to 600 km has been shown).
Cost
PQC: $$ (full lifecycle costs not yet known)
QKD: $$$ (full lifecycle costs not yet known)
Summary: Currently, PQC algorithms do have the advantage of cost, but with a chip-based approach to quantum security technologies their costs are rapidly coming down.
Naively people assume software is cheap – that is not necessarily the case[3]. As we’re learning with the NIST competition and as companies start offering post-quantum solutions, it is expensive to replace large parts of the internet’s security infrastructure. I would argue the full lifecycle costs of either technology are not yet known. This is why testbeds and early demonstrations of these new technologies are so important – in part to answer exactly these types of questions. Currently, PQC algorithms likely do have the advantage of cost, but with a chip-based approach to quantum security technologies their costs are rapidly coming down. In the coming years, the benefits of QKD solutions are expected to be available at a fraction of the current cost.
Authentication
PQC: Authentication methods included in PQC
QKD: Initial shared secret or use of PQC authentication methods; secure key growth forever after
Summary: Use an initial shared secret for QKD if you want to 100% verify you’re talking to who you think you are. Otherwise, use PQC for a first connection.
QKD efficiently generates key such that after the first session you can always save a small amount of key to authenticate the next session.
Authentication almost always comes up in a discussion of PQC and QKD. PQC includes methods for authentication. In the wide deployment scenarios most envisage this implicitly means certificate-based authentication where a third-party trusted authority is used to verify someone’s public-key.
QKD is perhaps poorly named and would have been better called Quantum Key Growing. It requires an authenticated channel for its operation: when you first boot up a QKD system, one can either start with an initial shared secret for the ultimate security or use those same PQC algorithms. However, the protocol efficiently generates key such that, once it has initially authenticated, a small amount of key can always be saved from the last session to authenticate the next session. If you do use a PQC algorithm to bootstrap the system, one must break that first communication before the next session gets started. Thus, forever after you have secure key growth.
QKD is sometimes attacked for requiring an authenticated channel. This is unreasonable. Quantum mechanics does not yield special capabilities to ensure you’re speaking with who you think you are. The only way for someone to verify 100% they’re talking to who they think they are is through having met them in the past and shared an initial, secure secret. While this is perhaps cumbersome for some applications, particularly where security is only required for a short amount of time, there are many others where sharing an initial secret is a feasible task. Certainly, as we move to flexible software-defined telecommunications networks or more automated critical infrastructure – these contain a countable number of devices, and I would hope their control planes are absolutely as rock-solid secure as possible.
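The key-growing chain described above, as an added example that is not code from the original page: two simulated endpoints start from a bootstrap authentication key (an initial shared secret or a PQC-agreed key), authenticate each session's classical post-processing transcript with the key saved from the previous session, and reserve a slice of every fresh key for the next one. The quantum layer is simulated by handing both sides the same raw key; HMAC with a single-use key stands in for the one-time Wegman-Carter MAC a real system would use, and `AUTH_KEY_LEN` is an assumed parameter.

```python
import hmac
import hashlib

AUTH_KEY_LEN = 32  # assumed: bytes of each session's key reserved to authenticate the next session


def one_time_mac(key: bytes, message: bytes) -> bytes:
    # Stand-in for the Wegman-Carter MAC of a real QKD system: each key is used exactly once.
    return hmac.new(key, message, hashlib.sha256).digest()


class QkdEndpoint:
    """One side of a simulated QKD link: holds the next authentication key and the grown key pool."""

    def __init__(self, bootstrap_auth_key: bytes):
        # Bootstrap key: an initial shared secret, or a key agreed with a PQC handshake.
        self.next_auth_key = bootstrap_auth_key
        self.key_pool = b""  # key delivered to applications
        self.sessions = 0

    def authenticate(self, transcript: bytes) -> bytes:
        return one_time_mac(self.next_auth_key, transcript)

    def complete_session(self, raw_key: bytes, transcript: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(self.authenticate(transcript), tag):
            # Peer not authenticated: discard this session's key; the saved auth key stays for a retry.
            return False
        self.sessions += 1
        self.next_auth_key = raw_key[:AUTH_KEY_LEN]  # save a slice of the fresh key for the next session
        self.key_pool += raw_key[AUTH_KEY_LEN:]     # the remainder grows the usable pool
        return True


def run_session(alice: QkdEndpoint, bob: QkdEndpoint, raw_key: bytes,
                transcript: bytes, tampered: bytes = None) -> bool:
    """Both endpoints receive raw_key from the (simulated) quantum layer. Alice authenticates
    the classical transcript; Bob verifies it. If `tampered` is given, Bob sees that transcript
    instead of Alice's, modelling an adversary on the classical channel."""
    tag = alice.authenticate(transcript)
    seen_by_bob = transcript if tampered is None else tampered
    ok = bob.complete_session(raw_key, seen_by_bob, tag)
    if ok:
        alice.complete_session(raw_key, transcript, tag)  # Alice advances in step with Bob
    return ok


if __name__ == "__main__":
    bootstrap = bytes(32)  # constructed sample bootstrap secret
    a, b = QkdEndpoint(bootstrap), QkdEndpoint(bootstrap)
    for n in range(3):  # constructed sample raw keys, 64 bytes per session
        run_session(a, b, bytes([n] * 64), b"sifting round %d" % n)
    print("sessions:", b.sessions, "pool bytes:", len(b.key_pool), "in sync:", a.key_pool == b.key_pool)
```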
Certification
PQC: Draft standards - NIST PQC Competition
QKD: Draft standards - ETSI, ITU-T, ISO, ...
Summary: Neither PQC algorithms nor QKD have established standards – both are currently in draft form.
Neither PQC algorithms nor QKD have established standards yet. Both have drafts in progress.
Integration
PQC: Software (increased memory and/or time requirements and cost)
QKD: Hardware (increased hardware integration costs)
Summary: New PQC algorithms generally have increased time or memory requirements and costs, while QKD systems require integration at the hardware level and an optical channel to distribute keys.
PQC and QKD techniques each have different trade-offs when integrating into existing systems. New PQC algorithms generally have increased time or memory requirements, while QKD systems require integration at the hardware level and an optical channel to distribute keys.
Implementation Security
PQC: Requires a security-by-design approach
QKD: Requires a security-by-design approach
Summary: Both PQC algorithms and QKD require a security-by-design approach and fail-safe mechanisms to ensure a secure implementation.
It is sometimes wrongly implied that QKD systems are less secure in principle than PQC algorithms. As with any secure information system, both PQC algorithms and QKD require a security-by-design approach and fail-safe mechanisms to ensure a secure implementation.
Security Assurance
PQC: Requires real-world vulnerability and security assessment
QKD: Requires real-world vulnerability and security assessment
Summary: Both require real-world vulnerability and security assessment. A key on-going need is the development of robust methods for these.
Related to Certification. Again, it is sometimes implied that QKD systems require more security assurance in principle than PQC algorithms. While it is true that some of the methods one would use to attack a QKD system are different from the ones you would use to attack a PQC algorithm (e.g. optical attacks in addition to algorithmic), both require real-world vulnerability and security assessment, and a key need is the development of robust methods for these[4].
[1] Assumptions which might be quite reasonable to make – but let’s make sure they’re stated up front.
[2] This is perhaps the key point of the NIST PQC competition.
[3] If you want to perform a simple confirmation test, walk into your IT department and suggest you want to switch your organisation’s deployed OS to Windows 11.
[4] Indeed, we are developing tools for exactly this in the ParisQCI project.