Unlike conventional cryptography and PQC, QKD’s security is intrinsically tied to the physical layer, which makes the threat surfaces of QKD and conventional cryptography very different. QKD implementations have already come under high-profile attacks, and the NSA notes that the risk profile of conventional crypto is better understood. Because conventional cryptography and PQC are implemented above the physical layer, PQC can be used to securely send protected information through untrusted relays, as shown in the top half of Figure 4. This is in stark contrast to QKD, which relies on hop-by-hop security between intermediate trusted nodes. The PQC approach is better suited to the modern technological environment, in which more and more applications are moving towards principles of end-to-end security and zero trust. It’s also important to note that while PQC can be deployed as a software update, QKD requires new hardware.
Regarding the details of the implementation of QKD, the NSA states that the communication needs and security requirements are physically in conflict in QKD and that the engineering required to balance them has extremely low error tolerance. While conventional cryptography can be implemented in hardware in some cases for performance or other reasons, QKD is intrinsically tied to hardware. The NSA points out that this makes QKD less flexible when it comes to upgrades or security fixes. Since QKD is fundamentally a point-to-point protocol, the NSA also notes that QKD networks often require the use of trusted relays, which increases the security risk from insider threats.
As QKD requires external authentication via conventional cryptography, the UK’s National Cyber Security Centre warns against exclusive reliance on it, especially in critical national infrastructure sectors, and suggests that PQC such as that standardized by NIST is a better solution. At the same time, the National Cybersecurity Agency of France decided that QKD could be considered as a defense-in-depth measure complementary to conventional cryptography, as long as the cost incurred does not negatively affect the mitigation of current threats to information systems.
Quantum random number generators
Secure randomness is essential in cryptography – if the quality of random number generators is poor, many cryptographic protocols will fail to provide security. Although conventional hardware random generator technology is robust and secure against quantum computers, QRNGs have nonetheless gained attention in recent years. QRNGs operate according to a physical realization of a quantum model, instead of the other physical processes used in conventional hardware random generators.
QRNGs are sometimes advertised as generating perfect, unbiased random bits, unlike the biased bits from conventional generators. In reality, however, any bias in the bits produced by conventional generators is smoothed out during post-processing through the application of pseudo-random number generators, which operate according to the same mechanism that allows a single 128-bit AES key to produce several gigabytes of seemingly random encrypted data.
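The post-processing described above can be reproduced in a few lines. The following is an added example, not code from the original article: it simulates a biased noise source, compresses the raw samples into a 128-bit seed, and expands that seed into a long stream whose bias is no longer measurable. Assumptions: the 70% bias and all function names are constructed for illustration, and SHA-256 in counter mode stands in for AES because the Python standard library has no AES.

```python
import hashlib
import math
import random

def biased_source(n_bytes, p_one=0.7, sim_seed=1234):
    """Constructed stand-in for a biased noise source: each bit is 1 with probability p_one."""
    rng = random.Random(sim_seed)  # simulation only; not a cryptographic generator
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | int(rng.random() < p_one)
        out.append(byte)
    return bytes(out)

def ones_fraction(data):
    """Fraction of 1 bits in data (0.5 means no observable bias)."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def min_entropy_bits(n_bits, p_one):
    """Min-entropy of n_bits independent bits that are 1 with probability p_one."""
    return n_bits * -math.log2(max(p_one, 1 - p_one))

def condition(raw, seed_len=16):
    """Compress raw biased samples into a 128-bit seed with a hash."""
    return hashlib.sha256(raw).digest()[:seed_len]

def expand(seed, n_bytes):
    """Counter-mode expansion of the seed; SHA-256 stands in for AES here."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])

if __name__ == "__main__":
    raw = biased_source(64)            # 512 raw bits, about 70% ones
    seed = condition(raw)              # 128-bit seed
    stream = expand(seed, 1_000_000)   # 1 MB of output from 16 bytes of seed
    print(f"raw bias:        {ones_fraction(raw):.3f}")
    print(f"raw min-entropy: {min_entropy_bits(512, 0.7):.0f} bits")
    print(f"output bias:     {ones_fraction(stream):.4f}")
```

The seed is only as strong as the min-entropy collected before conditioning, which is why the example gathers 512 biased bits for a 128-bit seed; production code should draw from the operating system's generator (for example `os.urandom`) rather than a hand-built expander.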
If QRNG technology becomes as well understood in the future as our current hardware random generator technology, then it could, in principle, be certified, validated and evaluated on the same basis.