In case you also want an industry perspective, on top of the perspective of
NSA, GCHQ, BSI, every other European cybersecurity agency, and probably
many others I'm forgetting, saying that QKD is not a deployable solution,
and does not appear to be a deployable solution any time soon, here is
Google's blog post on this topic:

https://bughunters.google.com/blog/googles-commitment-to-a-quantum-safe-future-why-pqc-is-googles-path-forward-and-not-qkd

On Mon, Mar 23, 2026 at 9:21 AM John Mattsson <john.mattsson=
[email protected]> wrote:

> Code-based and hash-based cryptography are from the 70s. QKD might
> have deployments, but it is not at all mature as a practical security
> technology, marketing is mostly snake-oil, current deployments are
> practically insecure, and both vendors and users of QKD have very little
> understanding of security. Many statements from QKD vendors and users are
> truly horrendous. Any company claiming that QKD is practical is a major
> red flag, indicating either a lack of understanding of security or a
> disregard for it.
>
> Anybody that has invested in QKD should see it as a sunk cost.
>
> > It also, unlike PQC algorithms, has a (physical) proof that if it
> > succeeds then the information exchanged is indeed private.
>
> No, protection against MITMs is based purely on classical (non-quantum)
> cryptography.
>
> Cheers,
> John Preuß Mattsson
>
> *From: *Yaakov Stein <[email protected]>
> *Date: *Monday, 23 March 2026 at 17:06
> *To: *Salz, Rich <[email protected]>, Andrei Popov
> <[email protected]>
> *Cc: *[email protected] <[email protected]>
> *Subject: *[TLS] Re: LS on the work item related to QKD and TLS
> integration framework in SG13
>
>
> *From:* Salz, Rich <[email protected]>
> *Sent:* Monday, March 23, 2026 2:31 PM
> *To:* Andrei Popov <[email protected]>
> *Cc:* [email protected]
> *Subject:* [TLS] Re: LS on the work item related to QKD and TLS
> integration framework in SG13
>
> It can be as simple as
>
> The TLS working group feels that QKD is still too premature to be a secure
> solution to any problem. We note that other organizations also feel this
> way [refs to UKNCSC, NSA if needed]. We are unlikely to do any work in this
> area now. We suggest that you look at the QCRG, in our related organization
> the IRTF, which has active QKD discussions.
>
> WHAT????
>
> QKD is a much more mature technology than PQC, dating back to 1984.
> (I used QKD in the 1990s).
> There are multiple vendors with significant sales –
> the market size exceeded $600M in 2025 with a CAGR of 30%.
> It also, unlike PQC algorithms, has a (physical) proof that if it succeeds
> then the information exchanged is indeed private.
>
> Sure, QKD can be expensive, may be limited in range, doesn’t presently do DSA,
> and (despite the proof) there are implementation and timing attacks,
> but saying that it is “premature” may be “simple”, but is certainly
> incorrect.
>
> Y(J)S
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>


-- 

Sophie Schmieg | Information Security Engineer | ISE Crypto |
[email protected]