Why the NIST & NSA’s Stance on Quantum Cryptography is Wrong

Introduction: QKD vs PQC and the future of Quantum Communications

With quantum computers quickly improving – not to mention the current threats already introduced with their imminent mass deployment – securing data and communication channels is increasingly critical for organizations of all types, from governments to telcos and data centers.

There are two recognized approaches to solve the quantum threat. Interestingly, there are very different conclusions in terms of  which one is the best way forward.

The bodies in the U.S. responsible for setting the tone and strategy for post-quantum cryptography – the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) – seem set on post-quantum cryptography (PQC). On the other hand, the rest of the world has essentially decided on Quantum Key Distribution, or QKD, as the central foundation for their secure quantum communications strategy.

We’ll examine these positions, and evaluate the paths chosen by the various official bodies. Specifically, we’ll look at the U.S. National Security Agency’s (NSA) position on QKD vis-a-vis PQC.

 

The European/Asia-Pacific position on QKD and Quantum Cryptography

In Europe, the EU has given a massive endorsement of QKD as the cornerstone for quantum cryptography by embarking on The European Quantum Communication Infrastructure Initiative, or EuroQCI. The EuroQCI essentially maps out the building of an EU-wide QKD network. This strategic initiative has already been funded to the tune of €270m this year, with a total of €2 billion set to go to related initiatives.

In another example, ETSI, the European Telecommunications Standards Institute, is leading the pack in providing important standardization when it comes to QKD.

Many other countries have likewise been pouring resources into a QKD-secured future. South Korea, for example, has a 2,000km-long QKD network and is intensifying its efforts in this area; Japan has an expanding testbed, and Singapore announced it is setting up a national QKD network.

China is a world leader in QKD. Apart from the impressive QKD-related academic work, China has already established a working QKD network of around 5,000km, as well as putting a QKD satellite into space – thus positioning itself as the world leader in quantum cryptography by a wide margin.

Worryingly, many experts wonder if China already knows something about encryption, particularly PQC,  already being broken – which would explain such intense efforts to bolster their QKD-based security.

Australia too has made significant strides when it comes to QKD. Led by The Australian National University (ANU) which has been at the forefront of QKD research, it has already successfully deployed QKD networks.

These regions – and many others, such as Russia – generally view QKD as an essential part of their quantum encryption and quantum communications strategies.

 

The NIST and NSA position on QKD and Quantum cryptography

There are a number of government-sanctioned institutions in the U.S. that deal with questions around quantum cryptography, quantum encryption, and quantum communication in general. Foremost among them are the NSA and NIST. Both of these bodies have released positions on their view of the future of quantum security.

In a paper entitled “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)” the NSA notes that it does not recommend the use of these technologies in its systems unless certain “limitations” are overcome.

It lists these perceived limitations as:

1. Quantum key distribution is only a partial solution: Quantum Key Distribution (QKD) alone does not provide source authentication, requiring additional measures like asymmetric cryptography or preplaced keys. Quantum-resistant cryptography can offer similar confidentiality services with lower costs and a better-understood risk profile.
2. Quantum key distribution requires special purpose equipment: QKD relies on specialized equipment and physical layer communications, making it incompatible with software-based or network-integrated implementations. The need for dedicated fiber connections or free-space transmitters adds complexity and limits flexibility for upgrades.
3. Quantum key distribution increases infrastructure costs and insider threat risks: QKD networks often require trusted relays, leading to increased infrastructure costs and heightened insider threat risks. This restricts the range of viable use cases for QKD.
4. Securing and validating quantum key distribution is a significant challenge: The practical security of QKD systems depends on hardware and engineering designs rather than theoretical unconditional security from the laws of physics. Validating QKD’s cryptographic security is challenging due to the stringent error tolerance required, and vulnerabilities in specific hardware can undermine its security.
5. Quantum key distribution increases the risk of denial of service: The sensitivity of QKD to eavesdroppers also exposes it to the risk of denial of service attacks. This highlights a significant vulnerability in QKD systems.

 

Instead, it recommends “quantum-resistant (or post-quantum) cryptography as a more cost effective and easily maintained solution than quantum key distribution” until the above “limitations” are overcome.

 

Is PQC the way forward?

The NSA writes, regarding post-quantum cryptography, or “quantum resistant algorithms” as they put it, that these algorithms “derive their security through mathematical complexity” and “provide the means for assuring the confidentiality, integrity, and authentication of a transmission—even against a potential future quantum computer.”

We – and many others – take exception to this statement.

McKinsey notes that “PQC solutions are still nascent and because it is impossible to test them against quantum computers that do not yet exist, they haven’t been conclusively proven to provide protection from quantum—or even conventional—threats.”

What’s more, as has been extensively documented, one of the NIST’s PQC finalists has already had its algorithm cracked. This certainly does not instill confidence in the approach.

 

Our take on QKD and Quantum Communications

While we agree with the NSA opinion that successful QKD adoption is highly implementation dependent, we – and many others – disagree with some of the claimed technical limitations of QKD.

As the QuantLR solution shows – together with the path adopted by Europe, Asia, and Australia – QKD is a viable and essential tool in securing communications in a quantum world.

Specifically, in response to the NSA points, we believe:

1. “Quantum key distribution is only a partial solution”: PQC cannot guarantee that it will remain safe against future quantum computing power. QKD on the other hand can make this claim. And even more so, QKD and PQC can absolutely coexist. Indeed it is the plan by the EU and others to adopt PQC on top of their QKD networks as a second line of defense.
2. “Quantum key distribution requires special purpose equipment”: specialized equipment is required in communication environments all the time. Solutions such as QuantLR’s LoQomo1 can be placed into racks as standard 1U communication equipment, and can be set up as easily as setting up a switch. What’s more, specialized equipment significantly reduces the scope for attack and manipulation: anyone, anywhere in the world can attempt to break an algorithm with increasing computing power and generative AI tools to help the attacker. Whereas only those with physical access to QKD equipment and special knowledge can even consider interfering with QKD’s secure communication.
3. “Quantum key distribution increases infrastructure costs and insider threat risks”: as with any new technology, the costs related to QKD equipment are coming down dramatically. Many solutions, such as those from QuantLR, simply plug into existing networks, with no additional infrastructure costs required. PQC also has indirect infrastructure costs. The highly compute-intensive algorithms PQC relies on require additional compute and memory resources from existing equipment if they are to work without increasing latency and throughput of the underlying data pipes. Thus it is unclear if the total cost of ownership (TCO) of PQC is actually higher or lower than QKD. This requires additional research. The insider threat can be mitigated both by special solutions integrated into the QKD systems, as is the case with QuantLR’s systems; and also through smart multiple path key routing on the network. Of course, PQC solutions are just as susceptible to the insider threat, and perhaps even more so.
4. “Securing and validating quantum key distribution is a significant challenge”: as with any new industry, processes to secure and validate QKD systems will increasingly be available to vendors and users as the industry grows. QuantLR, for example, has been working with some of the world’s most demanding government security organizations to test and validate its offerings.
5. “Quantum key distribution increases the risk of denial of service”: Sophisticated QKD systems, such as QuantLR’s, can run in parallel to the existing network and are in many ways impervious to DoS attacks. What’s more, as QKD generates many more keys than consumed by routers today, router manufacturers can implement fallback options, such as keeping a QKD-generated key buffer to verify that communication continues uninterrupted even if the QKD line breaks. Finally, QKD works out-of-band, further refuting this point.

 

A recent Forbes article concurs with many of these points, adding the following instructive elements:

• QKD systems authenticate at both ends of the exchange, seamlessly securing communication
• Current in-ground fiber infrastructure is enough to support QKD
• Distance limitations between endpoints are quickly being minimized
• Many of the criticisms of QKD from NIST and the NSA are regarding issues that have subsequently been corrected
• Regarding eavesdropping and potential denial of service attacks, keys can be redirected “so quickly and randomly that the user will see no performance impact, and the interloper will be shut out”

 

The bottom line is that as the rest of the world has decided, quantum cryptography in the form of QKD is an essential part of quantum encryption, and will play a central role in securing quantum communications going forward.

Moreover, QKD and PQC are not mutually exclusive; PQC can be layered on top of QKD,  and together can form an effective, holistic secure quantum communications solution.