by tschumacher 795 days ago
Some post-quantum signatures like CRYSTALS-Dilithium are based on lattices. Makes me think that quantum key distribution (what I've been working on for the past 6 months) has a chance to actually become useful instead of being only of interest to academics and to a few companies that sell overpriced solutions to paranoids.
2 comments

QKD does not solve the problem that quantum computers create, and cannot replace public key cryptography. That's a common misconception that the marketing departments of QKD research try to keep alive.

Even under ideal conditions (whether these can exist is debatable), the best QKD gives you is a securely encrypted channel only when you already have a securely authenticated channel. The latter is extremely important, makes the whole thing mostly useless, and is often omitted by QKD advocates.

If you don't have an authenticated channel, you are susceptible to a MITM attack which makes any asymmetric crypto useless. Thus I think there is an implicit assumption in any asymmetric crypto that you already have an authenticated channel. Or did I miss something?
Grossly simplifying, Alice and Bob may establish an authenticated channel either by physical means (a wire) or by some combination of certificates/passwords and out-of-band authentication. Most of the time, QKD implicitly assumes the former - a line-of-sight connection or a fiber-optics cable. In these circumstances the parties might as well exchange flash drives with one-time pads, similarly to how the Kremlin-White House hotline was protected.
I'm not a huge fan of QKD, but there is a potential use case for it. Basically, for digital signatures we have schemes like SPHINCS+, and perhaps also PICNIC and FAEST, which don't require "mathematically structured" assumptions like other public-key crypto, but instead are secure based on not much more than one-way functions. If (and it's a big if) quantum computers can break all those structured assumptions but not AES/SHA, then we would still have secure public-key signatures, certificates etc but not KEMs.

But QKD can, in principle, securely distribute keys if you have a way to exchange quantum state (e.g. line-of-sight or some sort of currently-nonexistent quantum router) and a classical authenticated channel. SPHINCS+ could provide that authenticated channel. In that case QKD would enable secure key exchange even between parties who don't have a pre-shared secret.

Of course right now, all of that is science fiction.

Code-based systems are still in, and Classic McEliece could be extended to ~50 MiB for a keypair and still be way more practical than QKD. Just run the max current Classic McEliece spec hybrid post-quantum with X448.
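The hybrid scheme suggested in the comment above, as an added illustration that is not code from the thread: both shared secrets (one from X448, one from Classic McEliece) are fed through a single HKDF-style combiner so the session key depends on both. The X448 and McEliece shared secrets are stand-in constructed bytes here (no PQ library is used), and the concatenate-then-KDF construction is an assumed, conventional design rather than anything the commenter specified.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, h=hashlib.sha512) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, h=hashlib.sha512) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_x448: bytes, ss_mceliece: bytes, transcript: bytes,
               length: int = 32) -> bytes:
    """Combine a classical and a post-quantum shared secret into one session key.

    Each secret is length-prefixed before concatenation so the boundary between
    them is unambiguous, and the public transcript (both public keys and the
    McEliece ciphertext) is bound in as HKDF context. Recovering the session
    key requires breaking BOTH X448 and Classic McEliece.
    """
    ikm = (len(ss_x448).to_bytes(2, "big") + ss_x448
           + len(ss_mceliece).to_bytes(2, "big") + ss_mceliece)
    prk = hkdf_extract(b"hybrid-x448-classic-mceliece", ikm)
    info = b"session-key" + hashlib.sha512(transcript).digest()
    return hkdf_expand(prk, info, length)


# Constructed stand-ins for what real X448 and Classic McEliece would output.
SS_X448 = bytes(range(56))
SS_MCELIECE = bytes(range(32, 64))
TRANSCRIPT = b"constructed: pkA || pkB || mceliece-ciphertext"

if __name__ == "__main__":
    print(hybrid_key(SS_X448, SS_MCELIECE, TRANSCRIPT).hex())
```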
NSA is that you?
please explain?

OP recommended McEliece, not Dual_EC_DRBG. Is there something I should know about the former?