In our imperfect world filled with bad actors, the need for secure data transmission is plain. For this reason alone, the search for better security measures is always afoot, and many times quantum protocols are boldly cited as the future of encryption and security (especially by science popularizers). This may very well be true, but there is still a lot of ground to cover before we get there (and I'd be remiss not to mention that quantum protocols do nothing for traffic that has already been captured under a classical key exchange: a harvest-now, decrypt-later adversary who recorded your RSA- or ECDH-protected sessions yesterday is not stopped by the QKD link you install tomorrow). Still, it is true that quantum key distribution (QKD) protocols are information-theoretically secure (meaning they are immune to attackers with unlimited computational power), whereas every classical public-key and post-quantum key exchange is only as secure as our belief in a complexity-theoretic hardness conjecture, such as the hardness of factoring or of ring learning with errors (RLWE).
Recently, the NSA (famous for being the only government agency that listens to the people (joke!)) published a web article detailing why they think quantum key distribution (QKD) and quantum cryptography (QC) are not suitable for "securing the transmission of data in National Security Systems".
Their argument cites five limitations, to which there is a great rebuttal by Renner and Wolf on the arXiv that I feel does a good job detailing why the NSA might be a bit premature to entirely dismiss this technology today (in fairness, however, the NSA does say that if the five limitations can be overcome, then the technology should be reconsidered). Here are the limitations they cite, together with my immediate thoughts (informed by the Renner and Wolf paper):
Limitation 1: "Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e. entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile."
First of all, and this is underscored by Renner and Wolf, who ever said that QKD would solve authentication? Authenticating anything requires a preshared something (or a trusted third party) to do the authenticating. If nothing is preshared, how can anyone know whether the message they receive is from the right party? Of course, there are classical key exchange protocols like Diffie-Hellman that are unauthenticated on their own, but they are always wrapped in a later authenticated protocol (in TLS, for example, the handshake transcript is signed). QKD is in exactly the same position: the quantum channel of BB84 is unauthenticated, and it is the classical channel used for basis sifting and error estimation that must be authenticated, otherwise a man-in-the-middle can run the protocol with each side separately. That authentication can be done with an information-theoretically secure Wegman-Carter style MAC keyed by a short preshared secret, and since each QKD round produces more key than the MAC consumes, the honest description of QKD is key expansion rather than key creation from nothing. So perhaps the NSA's critique is that QKD has no unauthenticated Diffie-Hellman-like mode that can later be bootstrapped into an authenticated one, but that is an argument about bootstrapping, and I don't feel it is really a quantum problem.
Secondly, as I said above, post-quantum cryptography relies on hardness conjectures in complexity theory, whereas QKD is information-theoretically secure in its security model. Surely that means its risk profile is better understood? The one caveat I would grant is that the two risks are of different kinds: for post-quantum schemes the risk is that a conjecture is false, while for QKD the risk is that the hardware deviates from the model the proof assumes, which is exactly what Limitation 4 below is about.
Limitation 2: "Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network, and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches."
Come on. This is a new technology, and that by definition means new software and hardware are needed to implement it. It's not something we can just get for Christmas; we need to build it, and the same was true for the computers we use today to do encryption: we had to build those, too. So yes, the infrastructure for classical cryptographic protocols is already there, but it wasn't 100 years ago, and 100 years from now I see no reason why the cryptographic protocols in place must be the same as they are now. That said, I do get that in the near term QKD is not going to be used because of technological limitations. But everyone knows that (I hope!).
Limitation 3: "Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration."
I think in the near term this is true, in part because, unlike classical repeaters and optical amplifiers, which detect or amplify the incoming signal and retransmit it at higher power, quantum repeaters must operate differently, as they cannot copy their input thanks to the no-cloning theorem. Some kind of repeater is necessary, particularly if we store the quantum information in photons and transmit it via fiber optic cables, because the transmittance of a lossy bosonic channel scales like \[e^{-L / L'}\], where \[L\] is the length of the cable and \[L'\] is its attenuation distance (for standard telecom fibre at about 0.2 dB/km, \[L'\] is roughly 22 km, so a few hundred kilometres already costs many orders of magnitude in rate). Thus the most obvious solution is to have trusted relays, which, as the NSA says, would indeed be costly and introduce insider threats, since each relay holds the key in the clear. However, as described in this review article on quantum repeaters, there is good work on quantum repeaters that would obviate the need for trusted relay stations entirely. I don't know what the state of the art is here, but I would bet that with the technology to do faithful QKD over short distances in hand, we would fairly quickly come to the technology to implement quantum repeaters.
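To put numbers on the exponential-loss argument above, here is a small added calculation (mine, not from the post or the NSA article). It converts a dB/km fibre loss into the attenuation distance \[L'\] of the formula, computes the transmittance \[\eta\] of a link, and compares the repeaterless secret-key bound of a single direct link with that of a chain of trusted relays. Two assumptions are made explicit in the code: 0.2 dB/km as a typical telecom-fibre loss, and the Pirandola-Laurenzoni-Ottaviani-Banchi (PLOB) bound \[-\log_2(1-\eta)\] secret bits per channel use as the ceiling for any repeaterless point-to-point protocol over a pure-loss channel.

```python
import math


def attenuation_length_km(loss_db_per_km):
    """Return L' such that transmittance = exp(-L / L').

    Converts a dB/km loss figure into the e-folding distance used in the
    post's formula: 10^(-a*L/10) = exp(-L * a * ln(10) / 10).
    """
    return 10.0 / (loss_db_per_km * math.log(10))


def transmittance(length_km, loss_db_per_km=0.2):
    """Fraction of photons that survive a fibre of the given length.

    0.2 dB/km is an assumed, typical figure for telecom fibre at 1550 nm.
    """
    return 10 ** (-loss_db_per_km * length_km / 10)


def repeaterless_key_bound(eta):
    """PLOB bound: at most -log2(1 - eta) secret bits per channel use for
    any repeaterless QKD protocol over a pure-loss channel of transmittance eta.
    For small eta this is about 1.44 * eta, i.e. linear in the loss."""
    return -math.log2(1 - eta)


def direct_link_bound(length_km, loss_db_per_km=0.2):
    """Upper bound on the key rate of one point-to-point link."""
    return repeaterless_key_bound(transmittance(length_km, loss_db_per_km))


def trusted_relay_bound(length_km, n_segments, loss_db_per_km=0.2):
    """Upper bound for the same distance split into n equal QKD links joined
    by trusted relays (each relay sees the key in the clear).

    The chain runs at the rate of its slowest segment; since the segments are
    equal, that is just the bound of a single segment.
    """
    segment_km = length_km / n_segments
    return repeaterless_key_bound(transmittance(segment_km, loss_db_per_km))


def relay_gain(length_km, n_segments, loss_db_per_km=0.2):
    """How many times faster the relay chain's ceiling is than the direct link's."""
    return trusted_relay_bound(length_km, n_segments, loss_db_per_km) / direct_link_bound(
        length_km, loss_db_per_km
    )


if __name__ == "__main__":
    print(f"L' for 0.2 dB/km fibre: {attenuation_length_km(0.2):.1f} km")
    for L in (50, 100, 200, 500):
        print(
            f"{L:4d} km  eta={transmittance(L):.2e}  "
            f"direct<={direct_link_bound(L):.2e} bit/use  "
            f"10 relays<={trusted_relay_bound(L, 10):.2e} bit/use"
        )
```

The point the table makes is the one the NSA is relying on: at 500 km the direct-link ceiling is around \[10^{-10}\] bits per channel use, while ten 50 km segments each sit near \[0.15\], which is why anyone building a long QKD link today reaches for trusted relays and inherits their insider risk.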
Limitation 4: "Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems."
I feel this is a good point, and don't have too much to say about it. It seems right to me that we will never perfectly implement any QKD protocol, so the security proof's model will never exactly match the hardware, and there will always be implementation and side-channel attacks (detector blinding and the like). Therefore recurring security patches will still be necessary, and they will plausibly be very intricate, since they are fixes to physics and optics rather than to software.
Limitation 5: "Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD."
This is true, basically because any measurement by a third party disturbs the transmitted states: it drives up the quantum bit error rate (QBER) that Alice and Bob estimate during post-processing, and once the QBER exceeds the protocol's threshold the honest parties must abort rather than risk distilling a key the eavesdropper knows. So an adversary who merely wants to stop key generation can do so by measuring everything (or simply by cutting the fibre), and the same feature that gives QKD its security guarantee hands the attacker a denial of service. However, this assumes a point-to-point communication scheme. As Renner and Wolf correctly point out, if the scheme is not point-to-point but instead redundantly distributed over a network, then this is a non-issue. In their words, "this is not a problem that is intrinsic to QKD. Instead, it is a consequence of the high price tag of quantum communication technology, which currently prevents us from building quantum networks with many links".
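The abort mechanism behind Limitation 5 is easy to see in a classical simulation of ideal BB84, which I add here as an illustration (my own code, not from the post, the NSA article or Renner and Wolf). Alice sends random bits in random bases, Bob measures in random bases, they sift over the (authenticated) classical channel, sacrifice half of the sifted positions to estimate the QBER, and abort above a threshold. Without an eavesdropper the QBER is zero; with an intercept-resend eavesdropper who measures every photon in a random basis and resends her result, the QBER lands near the well-known 25%, far above the assumed 11% abort threshold, so no key is produced at all. The 11% figure is the standard one-way post-processing threshold for BB84 and is an assumption of the example; the simulation models no channel noise and no detector imperfections.

```python
import random


def bb84_run(n_qubits, eve=False, seed=0, qber_threshold=0.11):
    """Classical simulation of ideal BB84 with an optional intercept-resend Eve.

    Bases are 0 (rectilinear) or 1 (diagonal).  A measurement in the
    preparation basis returns the encoded bit; in the other basis it returns
    a uniformly random bit.  Returns a dict describing the outcome.
    """
    rng = random.Random(seed)

    # Alice prepares n random bits in n random bases.
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]

    # The quantum channel: either untouched, or every photon is measured
    # by Eve in a random basis and re-prepared from her outcome.
    in_flight = []
    for bit, basis in zip(alice_bits, alice_bases):
        if eve:
            eve_basis = rng.randrange(2)
            eve_bit = bit if eve_basis == basis else rng.randrange(2)
            in_flight.append((eve_bit, eve_basis))
        else:
            in_flight.append((bit, basis))

    # Bob measures each photon in his own random basis.
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [
        bit if bob_basis == basis else rng.randrange(2)
        for (bit, basis), bob_basis in zip(in_flight, bob_bases)
    ]

    # Sifting over the authenticated classical channel: keep only the
    # positions where Alice's and Bob's bases agree.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Parameter estimation: publicly compare half of the sifted positions.
    sample = sifted[0::2]
    key_positions = sifted[1::2]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    if qber > qber_threshold:
        # Too much disturbance: abort.  This is the denial-of-service
        # behaviour the NSA points at, seen from the honest parties' side.
        return {"aborted": True, "qber": qber, "alice_key": [], "bob_key": []}

    return {
        "aborted": False,
        "qber": qber,
        "alice_key": [alice_bits[i] for i in key_positions],
        "bob_key": [bob_bits[i] for i in key_positions],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84_run(4000, eve=eve, seed=1)
        print(f"eve={eve}: aborted={r['aborted']} qber={r['qber']:.3f} "
              f"key bits={len(r['alice_key'])}")
```

Note that the honest run yields a raw key that still needs error correction and privacy amplification in practice; the simulation stops at the abort decision because that is the point Limitation 5 turns on.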
All in all, I'm not on the same page as the NSA regarding this technology, at least in the semi-long run. Sure, I buy all their arguments regarding the use of QKD in, say, the next five to ten years. But who knows where quantum technology will be in the future. Maybe it will be ubiquitous as the quantum over-hypers say, in which case I'll have a good job, or maybe it won't, and I'll be on the street somewhere. Time will tell.