On Mon, Mar 23, 2026 at 5:59 PM Yaakov Stein <ystein= [email protected]> wrote:
> There is a lot in the Google page with which I completely agree. > > The range limitations, the low throughput, and especially - > > > > For a global network at Google's scale, replacing existing hardware > with specialized QKD equipment > > in our data centers is not a practical or scalable solution. > > > > The main problem with QKD is scaling. > > You need a QKD transmitter at one end and a receiver at the other end of > every link. > > This means the scaling is O(N^2). > > > > This is a perfectly legitimate statement, but does not rule out its use > for p2p usage or small networks. > > > > And there are people who believe in conspiracy theories regarding the > disparaging of QKD by NSA and GCHQ. > > > > I am not a great fan of QKD; I was just objecting to calling a 50-year old > technology “premature”. > > > > And as a physicist I object to saying that QKD relies on classical > mechanisms for detecting eavesdropping. > There is a difference between eavesdropping and MITM. > > > And as someone who participated in SG13 meetings for 2 decades, > > I would really like a polite and accurate response to be sent. > > Y(J)S > > > > *From:* Sophie Schmieg <[email protected]> > *Sent:* Monday, March 23, 2026 6:37 PM > *To:* John Mattsson <[email protected]> > *Cc:* Yaakov Stein <[email protected]>; Salz, Rich <[email protected]>; > Andrei Popov <[email protected]>; [email protected] > *Subject:* [EXTERNAL] Re: [TLS] Re: LS on the work item related to QKD > and TLS integration framework in SG13 > > > > In case you also want an industry perspective, on top of the perspective > of NSA, GCHQ, BSI, every other European cybersecurity agency, and probably > many others I'm forgetting saying that QKD is not a deployable solution, > and does not appear to be a deployable solution any time soon, here is > Google's blog post on this topic: > > > > > https://bughunters.google.com/blog/googles-commitment-to-a-quantum-safe-future-why-pqc-is-googles-path-forward-and-not-qkd > > > > On Mon, Mar 23, 2026 at 9:21 AM John Mattsson <john.mattsson= > [email protected]> wrote: > > Code-based and hash-based cryptography are from the 70-ties. QKD might > have deployments, but it is not at all mature as a practical security > technology, marketing is mostly snake-oil, current deployment are > practically insecure, and both vendors and users of QKD have very little > understanding of security. Many statements from QKD vendors and users are > truly horrendous. Any company claiming that QKD is practical is a major red > flag, indicating either a lack of understanding of security or a disregard > for it. > > > > Anybody that have invested in QKD should see it as a sunk cost. > > > > >It also, unlike PQC algorithms, has a (physical) proof that if it > succeeds then the information exchanged is indeed private. > > > > No, protection against MITMs is based purely on classical (non-quantum) > cryptography. > > > > Cheers, > > John Preuß Mattson > > > > *From: *Yaakov Stein <[email protected]> > *Date: *Monday, 23 March 2026 at 17:06 > *To: *Salz, Rich <[email protected]>, Andrei Popov > <[email protected]> > *Cc: *[email protected] <[email protected]> > *Subject: *[TLS] Re: LS on the work item related to QKD and TLS > integration framework in SG13 > > > > > > *From:* Salz, Rich <[email protected]> > *Sent:* Monday, March 23, 2026 2:31 PM > *To:* Andrei Popov <[email protected]> > *Cc:* [email protected] > *Subject:* [TLS] Re: LS on the work item related to QKD and TLS > integration framework in SG13 > > > > It can be as simple as > > The TLS working group feels that QKD is still too premature to be a secure > solution to any problem. We note that other organizations also feel this > way [refs to UKNCSC, NSA if needed]. We are unlikely to do any work in this > area now. We suggest that you look at the QCRG, in our related organization > the IRTF, which has active QKD discussions. > > > > WHAT???? > > > > QKD is a much more mature technology than PQC, dating back to 1984. > > (I used QKD in the 1990s). > > There are multiple vendors with significant sales – > > the market size exceeded $600M in 2025 with a CAGR of 30%. > > It also, unlike PQC algorithms, has a (physical) proof that if it succeeds > then the information exchanged is indeed private. > > > > Sure, QKD can be expensive, may be limited in range, doesn’t presently do > DSA, > > and (despite the proof) there are implementation and timing attacks, > > but saying that it is “premature” may be “simple”, but is certainly > incorrect. > > > > Y(J)S > > > > > > This message is intended only for the designated recipient(s). It may > contain confidential or proprietary information. If you are not the > designated recipient, you may not review, copy or distribute this message. > If you have mistakenly received this message, please notify the sender by a > reply e-mail and delete this message. Thank you. > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] > > > > > -- > > > Sophie Schmieg | Information Security Engineer | ISE Crypto | > [email protected] > > > This message is intended only for the designated recipient(s). It may > contain confidential or proprietary information. If you are not the > designated recipient, you may not review, copy or distribute this message. > If you have mistakenly received this message, please notify the sender by a > reply e-mail and delete this message. Thank you. > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
