In short: QKD has perfect theoretical security, and next-to-zero of practical security (implementation).
-- V/R, Uri There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. C. A. R. Hoare From: John Mattsson <[email protected]> Date: Monday, March 23, 2026 at 12:22 To: Yaakov Stein <[email protected]>, Salz, Rich <[email protected]>, Andrei Popov <[email protected]> Cc: [email protected] <[email protected]> Subject: [EXT] [TLS] Re: LS on the work item related to QKD and TLS integration framework in SG13 This Message Is From an External Sender This message came from outside the Laboratory. Code-based and hash-based cryptography are from the 70-ties. QKD might have deployments, but it is not at all mature as a practical security technology, marketing is mostly snake-oil, current deployment are practically insecure, and both vendors and users of QKD have very little understanding of security. Many statements from QKD vendors and users are truly horrendous. Any company claiming that QKD is practical is a major red flag, indicating either a lack of understanding of security or a disregard for it. Anybody that have invested in QKD should see it as a sunk cost. >It also, unlike PQC algorithms, has a (physical) proof that if it succeeds >then the information exchanged is indeed private. No, protection against MITMs is based purely on classical (non-quantum) cryptography. Cheers, John Preuß Mattson From: Yaakov Stein <[email protected]> Date: Monday, 23 March 2026 at 17:06 To: Salz, Rich <[email protected]>, Andrei Popov <[email protected]> Cc: [email protected] <[email protected]> Subject: [TLS] Re: LS on the work item related to QKD and TLS integration framework in SG13 From: Salz, Rich <[email protected]> Sent: Monday, March 23, 2026 2:31 PM To: Andrei Popov <[email protected]> Cc: [email protected] Subject: [TLS] Re: LS on the work item related to QKD and TLS integration framework in SG13 It can be as simple as The TLS working group feels that QKD is still too premature to be a secure solution to any problem. We note that other organizations also feel this way [refs to UKNCSC, NSA if needed]. We are unlikely to do any work in this area now. We suggest that you look at the QCRG, in our related organization the IRTF, which has active QKD discussions. WHAT???? QKD is a much more mature technology than PQC, dating back to 1984. (I used QKD in the 1990s). There are multiple vendors with significant sales – the market size exceeded $600M in 2025 with a CAGR of 30%. It also, unlike PQC algorithms, has a (physical) proof that if it succeeds then the information exchanged is indeed private. Sure, QKD can be expensive, may be limited in range, doesn’t presently do DSA, and (despite the proof) there are implementation and timing attacks, but saying that it is “premature” may be “simple”, but is certainly incorrect. Y(J)S This message is intended only for the designated recipient(s). It may contain confidential or proprietary information. If you are not the designated recipient, you may not review, copy or distribute this message. If you have mistakenly received this message, please notify the sender by a reply e-mail and delete this message. Thank you.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
