What this is
- QKD (Quantum Key Distribution) is being explored as a solution to secure communications against quantum computer threats.
- This review critically evaluates real-world use cases and compares them with PQC (Post-Quantum Cryptography).
- It assesses the security, implementation complexity, and scalability of solutions, providing insights for decision-makers.
Essence
- QKD offers potential security benefits against quantum threats, but practical limitations hinder its widespread adoption. This review evaluates various use cases and contrasts them with PQC, revealing that QKD often provides limited advantages.
Key takeaways
- QKD is limited by distance and infrastructure requirements, making it unsuitable as a general replacement for traditional public-key cryptography. Current implementations face challenges in scalability and complexity.
- Government agencies prefer PQC over QKD due to its cost-effectiveness and ease of maintenance. QKD is often seen as applicable only in niche scenarios.
- Some use cases, such as securing genome data with QKD and one-time pads, demonstrate potential advantages, particularly in contexts requiring high confidentiality.
Caveats
- QKD's theoretical strengths are countered by practical limitations, including high costs and dependency on physical infrastructure. These factors restrict its applicability in many scenarios.
- The analysis reveals that many use cases do not significantly outperform existing cryptographic methods, suggesting a need for careful evaluation before adoption.
Definitions
- Quantum Key Distribution (QKD): A method using quantum mechanics to securely distribute encryption keys between parties.
- Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to be secure against the potential threats posed by quantum computers.
Introduction
Heavy corporate and public investments are accelerating the development of large-scale quantum computers [1, 2]. This development threatens the confidentiality of current data transmissions because sufficiently powerful quantum computers could break certain cryptographic algorithms [3] that are currently widely used. Importantly, this is not only a threat to future data, but also to data encrypted today: in a so-called HNDL (Harvest-Now-Decrypt-Later) attack, attackers record data in transit and decrypt the data once a quantum computer becomes available, thereby breaching confidentiality retroactively [4]. While such attacks compromise confidentiality, they do not enable retroactive breaches of authentication (e.g., impersonation), as authentication relies on real-time verification during the interaction. To protect confidential communication against quantum attacks, it is necessary to overhaul current cryptographic solutions. Currently, the main overhaul strategies under discussion are (a) replacing the broken algorithms with still-classical algorithms that are secure against quantum attacks (so-called PQC (Post-Quantum Cryptography)), (b) utilizing QKD (Quantum Key Distribution) [5], and additionally, using mixes of both [6, 7].
PQC essentially allows maintaining already established security infrastructures (with some caveats concerning compatibility), and the first PQC solutions have recently been standardized [8]. At the same time, PQC is not unconditionally secure and future algorithmic breakthroughs could occur; one thus cannot unconditionally rule out HNDL attacks [9], even ones run on classical computers. While QKD-based solutions theoretically overcome this limitation of PQC, they will introduce significant changes to security infrastructures and are not yet fully standardized [10, 11], though several solutions have been demonstrated at different locations around the world. QKD currently exhibits practical limitations that public-key cryptography does not have. First, QKD is limited in distance: until quantum repeaters [12] are developed, QKD cannot provide end-to-end security over long distances. Second, wireless QKD technologies currently only exist with free-space optics, where photons are sent over the air [13], making QKD incompatible with the currently predominant radio networks. These limitations restrict the use cases in which QKD can be applied and prevent QKD from serving as a general-purpose replacement for public-key cryptography. Additionally, information cannot be protected with QKD alone – to ensure confidentiality and authenticity, it has to be used in conjunction with quantum-secure authentication and quantum-secure symmetric encryption. To assess which level of security can be guaranteed for a concrete use case, it is necessary to account for all involved cryptographic algorithms and all underlying assumptions. Assessments that account for this fuller picture help clarify the comparison between QKD-based solutions and solutions that do not involve QKD. This also paves the way towards a comparison between QKD-based solutions and solutions stemming from PQC, on a case-by-case basis.
Most governmental bodies that have commented on the choice between QKD and post-quantum asymmetric cryptography currently prefer the latter: The US National Security Agency (NSA) considers post-quantum cryptography to be ‘more cost-effective and easily maintained’ and ‘does not support the use of QKD to protect communications in national security systems’ [14]. Their criticisms of QKD are addressed in detail in [15]. In a joint position document, the French Cybersecurity Agency (ANSSI), the German Federal Information Security Office (BSI), the Netherlands National Communications Security Agency (NLNCSA) and the Swedish National Communications Security Authority declare ‘the clear priority should […] be the migration to post-quantum cryptography’ and state that QKD can ‘due to current and inherent limitations […] currently only be used in practice in some niche use cases’ [9]. However, they also state that ‘research on this topic should be continued in order to investigate if there are ways to overcome some of the limitations of the current technology’. The British National Cyber Security Centre (NCSC) published a statement stating that ‘the NCSC does not endorse the use of QKD for any government or military applications, and cautions against sole reliance on QKD for business-critical networks’ and instead advises ‘that the best mitigation against the threat of quantum computers is quantum-safe cryptography’. NCSC also recommends that any other organizations considering the use of QKD as a key agreement mechanism ensure that robust quantum-safe cryptographic mechanisms for authentication are implemented alongside them [16].
Significant global investments are being made to overcome QKD limitations and advance quantum technologies [17]. The US National Quantum Initiative [18], EuroQCI under the EU Quantum Flagship [19, 20], and the UK’s Quantum Technologies Program [21, 22] are driving secure quantum communication development. Other major contributors include Germany, the Netherlands [23], China, Japan, South Korea, India [24], and Singapore [17], fostering a competitive global push toward scalable quantum communication systems. Beyond research, private companies such as ID Quantique [25], Toshiba [26], and others [27, 28] offer QKD-based solutions. The global quantum communication market, valued at USD 1.1 billion in 2023, is projected to reach USD 8.6 billion by 2032 [29].
As QKD gains traction as a secure communication technology, identifying relevant use cases is essential for maximizing its potential, driving adoption, and guiding further research. Various surveys, white papers, and commercial reports offer insights into practical implementations. Early studies, such as [30], identified QKD use cases including off-site backup, enterprise MANs, critical infrastructure security, backbone protection, and high-security networks, detailing their operational aspects and challenges. A more recent survey by [31] expands on these, highlighting emerging applications in metropolitan networks, healthcare, smart cities, and industrial automation, often integrating PQC for enhanced security.
Several companies have demonstrated real-world QKD deployments. Toshiba [32] showcased use cases in genome data security, back-office protection, and secure transfers. ID Quantique applied QKD in banking, finance, government, and critical infrastructure sectors [33]. QNu Labs [34] explored enterprise and critical infrastructure applications, while QuantumCTek [35] focused on securing governmental communications. Quantum Xchange highlighted high-level applications of its QKD solutions [36]. These implementations illustrate QKD’s adaptability across diverse domains.
Motivation
While numerous QKD use cases exist, the currently available literature (including manufacturers’ resources and project reports) does not provide a comprehensive practical security analysis. Specifically, sources in the literature often fail to critically examine (or even frequently omit) key aspects we view as crucial. This encompasses aspects such as security requirements, the concrete usage of the generated keys, which kind of data they aim to protect (and for how long), the protocol with which the proposed solution operates, network topology, and the concrete targeted security guarantees. Further relevant aspects that are missing in such documents are whether the proposed solution involves additional cryptographic components (and the impact of potential failures of these components), and a discussion of/comparison with potential alternative approaches (such as pre-shared keys and PQC).
Our contribution
This paper addresses this gap by conducting a comprehensive, detailed and practical security analysis of available QKD-based use cases to evaluate their feasibility and effectiveness. We evaluated use cases deployed in optical fiber networks, focusing on those with sufficient publicly available information to enable detailed evaluation. We systematically selected use cases from the literature, sorting them chronologically from older to more recent examples. We critically analyze each use case based on parameters such as target sector, QKD system employed (including technical details provided by QKD providers and underlying technology), security goals, and type of data to be protected. We excluded use cases that lack adequate information for the analysis but listed them in the Appendix for reference. Our analysis identifies strengths and gaps in the reviewed use cases, thus contributing to a general assessment of their practicality and effectiveness. Furthermore, we provide recommendations on how to improve the solutions discussed per use case and explore whether similar outcomes could be achieved using classical cryptographic systems, thus offering a comprehensive perspective on the applicability of QKD solutions.
Organization of this paper
We begin by providing necessary background in Sect. 2 and compare different communication protocols in Sect. 3. We provide details on the use cases to be analyzed in Sect. 4 and describe our approach to use case analysis in Sect. 5. In Sect. 6, we apply this method to analyze use cases, critically comment on the use cases and offer recommendations for improvement. Finally, in Sect. 7, we conclude the paper.
Background
QKD is a comparatively new technology that allows two parties to establish a shared key. In this section, we will give an explanation of the terms used and a brief overview of QKD including trade-offs, alternatives such as PQC and pre-shared keys, assumptions, and related schemes.
Security properties
A cryptographic solution can provide different security properties. Our main focus in this work is on confidentiality and authenticity as the most commonly required ones, but we note that other properties such as anonymity may be as, or even more important, depending on the use case.
Confidentiality
Confidentiality intuitively means that the content of an interaction remains hidden from everyone but the involved parties. As far as encryption of large plaintexts is concerned, this means that no outside party should be able to learn any information about it, except for its length. In case of QKD and key-exchange protocols, an equivalent but usually preferred definition is that the key is indistinguishable from a random key sampled from the same distribution. This property is inherently vulnerable to HNDL attacks, and security parameters are generally chosen to make decryption infeasible, even for extended periods.
Some protocols achieve confidentiality by encrypting messages to keys that are in use for a long time. If such a key is corrupted at some point, this allows the decryption of all future and past communication. To deal with this threat, protocols will often implement stronger versions of general confidentiality, that require graceful treatment of this scenario: Forward Secrecy and PCS (Post-Compromise Security).
Forward Secrecy, also occasionally known as Pre-Compromise Secrecy or, misleadingly, as Perfect Forward Secrecy (there is nothing perfect about it) is the property that a protocol prevents the decryption of old messages, even if a key is corrupted at some point. To achieve forward secrecy, a protocol can update its session key at regular intervals and remove old ones, for example with a new key exchange such as QKD or with a symmetric ratchet.
PCS (Post-Compromise Security), also known as Backward Secrecy, on the other hand is the property that a protocol can recover from a corruption and get back to a point of full confidentiality, even if a party’s state gets corrupted at some point [37]. To achieve Post-Compromise Security, a protocol can update its session key with fresh randomness at regular intervals with a new key exchange, for example with QKD or an AKE (Authenticated Key Exchange).
Authenticity
Authenticity intuitively means that the parties participating in an interaction are indeed the parties that they claim to be and that their messages contain the content that they actually transmitted. Sometimes the latter part is treated as the distinct property ‘integrity’, though we will use the term authenticity to also cover integrity.
Computational and information-theoretical security
Cryptographic security notions can offer resistance against different classes of attackers. The most powerful notion in this respect is perfect security, which is defined as unconditional security against computationally unbounded adversaries in all cases. A slightly weaker version of this is statistical security, which allows an adversary to break security in a very small and random number of cases, but without any influence on whether they get lucky. Both of these can be summarized as information-theoretical security, since they can be proven directly from information theory. However, information-theoretical security is sometimes also used to refer to perfect security only.
The more common alternative is computational security, in which computationally bounded adversaries should only have a negligible chance of breaking a scheme. This class can be further subdivided based on whether the adversary has access to a quantum computer or not: In the former case we call the adversary a quantum adversary and in the latter a classical adversary.
In the context of QKD, we gain one further class: Schemes whose security can be proven with quantum information theory, which adds quantum mechanical assumptions to information theory. We call notions that fall into this category quantum-information-theoretically secure.
One-time pads and message authentication codes
OTPs (One-Time Pads) are a method in which a plaintext is XORed with a random key of equal length. The key is used only once before being discarded. OTPs at times are not even viewed as an encryption scheme in the stricter sense due to the inability to reuse keys, and since the length requirement on the key poses severe limitations. On the other hand, correctly used OTPs are the only way to achieve unconditional confidentiality that requires no further conditions or assumptions. A scheme with this level of security could be called perfectly confidential.
On their own, however, OTPs offer no authenticity – it is trivial to manipulate ciphertexts with (partially) known plaintexts in a way such that they decrypt to other messages. To prevent this, we require an authenticity mechanism, which is usually achieved via message authentication. The strongest possible way to achieve this is with MACs (Message Authentication Codes) based on universal hash families, originally introduced by Carter and Wegman [38, 39]. MACs based on universal hashing can still be broken with a very small probability: an attacker may guess the authentication tag correctly by sheer luck, but there exists no attack strategy better than guessing. While such schemes thus aren’t perfectly secure, they offer statistical authenticity.
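As an added illustration of the two points above (this is example code, not code from the paper or from any QKD vendor), the following Python sketch pairs an OTP with a Wegman-Carter MAC built from a polynomial universal hash over GF(2^127 − 1), drawing all key material from a pool that erases each byte after use. The choice of field, the 14-byte chunking, the per-message consumption of a fresh (r, s) pair and the sample message are this example's own assumptions. The demo shows that a bare OTP ciphertext can be rewritten by anyone who knows the plaintext at some offset, and that the MAC check rejects the altered ciphertext while accepting the genuine one.

```python
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: the field for the polynomial universal hash
BLOCK = 14           # 14 message bytes + 1 prefix byte = 120 bits, so every chunk value is < P


class KeyPool:
    """Random key bytes shared out-of-band (courier) or produced by QKD (constructed stand-in).
    Every byte is handed out once and overwritten, so later theft of the pool
    cannot decrypt earlier traffic."""

    def __init__(self, material: bytes):
        self._buf = bytearray(material)
        self._pos = 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._buf):
            raise RuntimeError("key pool exhausted: fresh key material must be distributed")
        out = bytes(self._buf[self._pos:self._pos + n])
        self._buf[self._pos:self._pos + n] = b"\x00" * n   # erase after use
        self._pos += n
        return out

    def remaining(self) -> int:
        return len(self._buf) - self._pos


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with an equally long, never-reused pad."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))


def poly_hash(msg: bytes, r: int) -> int:
    """Polynomial-evaluation universal hash over GF(P), Horner form.
    The 0x01 prefix byte makes each chunk's integer value encode its length, so two
    distinct messages give distinct polynomials, which agree on a random r with
    probability at most (number of chunks) / P."""
    h = 0
    for i in range(0, len(msg), BLOCK):
        c = int.from_bytes(b"\x01" + msg[i:i + BLOCK], "big")
        h = (h + c) * r % P
    return h


def wc_tag(msg: bytes, r: int, s: int) -> bytes:
    """Wegman-Carter MAC: universal hash of the message masked with the one-time value s."""
    return ((poly_hash(msg, r) + s) % P).to_bytes(16, "big")


def _tag_keys(pool: KeyPool):
    r = int.from_bytes(pool.take(32), "big") % P   # 256 random bits reduced mod P: bias is negligible
    s = int.from_bytes(pool.take(32), "big") % P
    return r, s


def seal(plain: bytes, pool: KeyPool):
    """Encrypt-then-MAC: OTP the message, then tag the ciphertext with a fresh (r, s)."""
    ct = otp_xor(plain, pool.take(len(plain)))
    r, s = _tag_keys(pool)
    return ct, wc_tag(ct, r, s)


def open_(ct: bytes, tag: bytes, pool: KeyPool):
    """Verify the tag before decrypting; None means the ciphertext was altered."""
    pad = pool.take(len(ct))
    r, s = _tag_keys(pool)
    if not hmac.compare_digest(wc_tag(ct, r, s), tag):
        return None
    return otp_xor(ct, pad)


def demo() -> dict:
    material = secrets.token_bytes(4096)          # constructed: stands in for the shared key material
    alice, bob = KeyPool(material), KeyPool(material)
    msg = b"TRANSFER AMOUNT=0010 TO=ACCT-7"
    ct, tag = seal(msg, alice)

    # Malleability of a bare OTP: knowing the plaintext at an offset is enough to
    # rewrite it by XORing the ciphertext with (old XOR new) at that offset.
    old, new = b"0010", b"9010"
    pos = msg.index(old)
    forged = bytearray(ct)
    for i in range(len(old)):
        forged[pos + i] ^= old[i] ^ new[i]
    forged = bytes(forged)
    without_mac = otp_xor(forged, material[:len(msg)])        # Bob decrypting without a tag check

    forged_result = open_(forged, tag, KeyPool(material))     # tag check rejects the altered ciphertext
    genuine_result = open_(ct, tag, bob)                      # tag check accepts the genuine one
    return {
        "without_mac": without_mac,
        "forged_rejected": forged_result is None,
        "genuine_accepted": genuine_result == msg,
        "alice_remaining": alice.remaining(),
    }
```

The forgery probability per tag is bounded by (chunks / P), i.e. the "sheer luck" case in the text; nothing about the message leaks through the tag because s is a one-time mask. Consuming a fresh r per message is a simplification; Wegman-Carter MACs may reuse r across messages as long as each s is used once.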
Encryption with pre-shared keys
Considering the significant cost of setting up quantum channels between two parties, it is worthwhile to investigate whether the cost of doing this exceeds the cost of simply exchanging the necessary key material directly (in person) between the endpoints. Although such an approach does not scale to universal use on the Internet, it can be viable with a small number of well-known endpoints and predetermined connectivity. Some of the use cases that we analyzed fall into that category, even when envisioned as fully deployed.
We distinguish two scenarios, depending on the encryption method. First, the OTP can be combined with a statistically secure MAC to achieve ITS. Since OTP requires a key that is at least as long as the data that is being transmitted, this requires an initial trusted offline distribution of a large number of pre-shared key bits, each of which has to be discarded after use. For example, this distribution could be done by a trusted courier. Moreover, if more data needs to be transmitted, then additional trusted offline key distributions are required. The key material for an OTP must be deleted after use, both to prevent accidental reuse and to reduce the attack surface by preventing the decryption of past ciphertexts as a consequence of a later compromise of the keys (‘forward secrecy’). Once this is done on both ends, this method guarantees everlasting confidentiality. A second option is to use computationally secure symmetric cryptography, for example AES with GMAC, so that only a small number of pre-shared key bits are required. Only an initial offline distribution is required: as estimated below, one could simply distribute enough key bits initially to last for the effective lifetime of the system. Alternatively, a single small key can be distributed initially, which is stretched via a symmetric ratchet (the ratchet can even be based on AES to minimize the computational assumptions in the system). This ratchet would also provide forward secrecy in case of key leakage via (for example) a device compromise.
Modern mass storage has become incredibly cheap, to the point where micro SD cards with a capacity of 1 TB are commercially available for under 100€. At the rate of consuming one 256-bit key per minute for AES, this would be enough capacity to store key material for almost 60,000 years at the cost of exchanging a physical item once, requiring no assumptions besides the availability of a good source of randomness and the correct identification of the peer when handing over the key material. We compare the usage of pre-shared keys with QKD in Table 3.
The downside of using pre-shared keys, compared to QKD and AKE, is that this method does not provide PCS, as key material cannot easily be generated on the fly. This is problematic after a breach that may have corrupted key material intended for later use, because this could result in the unavailability of key material until new key material is exchanged. We remark though that even QKD and AKE could run into issues in that scenario, as this kind of breach could also affect key material for authentication. Whether the cost of the new individual exchange is cheap or expensive heavily depends on the use case in question.
| Scheme | Security | Key management | Complexity | Scalability |
|---|---|---|---|---|
| Pre-shared keys + OTP + ITS MAC | Perfect confidentiality, statistical authenticity. No PCS. | Biggest challenge is securely sharing, re-sharing (if more keys are required), and storing a key as long as the messages. | High complexity in key management. High due to the need for large keys and secure storage. | Very poor, due to the need for a quadratic number of in-person interactions. |
| Pre-shared keys + Symmetric encryption | Computational confidentiality and authenticity. No PCS. | Secure key distribution is required. Key size is much smaller than in OTP, making it more practical. | Moderate to high in key management. Slightly easier than with OTP due to smaller key sizes. | Very poor, due to the need for a quadratic number of in-person interactions. |
| Pre-shared authentication keys + ITS MAC + QKD + OTP | Q-ITS confidentiality, statistical authenticity. PCS. | Secure key distribution is required. QKD allows on-demand generation of OTP keys. | Moderate to high in key management, but overall high due to the need for QKD infrastructure. | Extremely poor, due to a quadratic number of in-person interactions combined with the need for quantum channels. |
| QKD + OTP + Signatures | Q-ITS confidentiality, computational authenticity. PCS. | QKD allows on-demand creation of OTP keys; the signature verification key needs to be securely shared. | High complexity due to the need for QKD infrastructure. Low complexity for key management. | Poor, due to the need for quantum channels; star networks can take some of the edge off, but inherently require trust in the operator. |
| QKD + Symmetric encryption + Signatures | Computational confidentiality with the additional need for quantum assumptions, computational authenticity. PCS. | QKD allows on-demand creation of encryption keys; the signature verification key needs to be securely shared. | High complexity due to the need for QKD infrastructure. Low complexity for key management. | Poor, due to the need for quantum channels; star networks can take some of the edge off, but inherently require trust in the operator. |
| Authenticated key exchange + Symmetric encryption | Computational confidentiality and authenticity. PCS. | AKE allows on-demand creation of encryption keys; the authenticity key needs to be securely shared and stored. | Low complexity for key management. | Excellent, if PKI (Public Key Infrastructure) is available; otherwise still better than the alternatives. |
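To make the forward-secrecy/PCS distinction from the Security properties section and the pre-shared-key ratchet described above concrete, here is an added Python example (not the paper's code): a symmetric ratchet that stretches one 32-byte pre-shared key into per-message keys, using HMAC-SHA256 as the one-way derivation step, together with a small helper that reproduces the 1 TB storage estimate. The derivation labels, the 32-byte key and the use of HMAC-SHA256 (rather than an AES-based PRF) are this example's assumptions. The demo compromises a device after three messages and checks both halves of the claim in the table: no past key is recoverable (forward secrecy), while every future key is (no PCS).

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 used as a PRF; an AES-based PRF would do as well)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SymmetricRatchet:
    """Stretches one small pre-shared key into a chain of per-message keys.
    Each step replaces the chain key by a one-way derivation and wipes the old one, so a
    device compromised at step n holds nothing from which keys 1..n can be recomputed."""

    def __init__(self, pre_shared_key: bytes):
        self._chain = bytearray(kdf(pre_shared_key, b"chain-init"))
        self.step = 0

    def next_key(self) -> bytes:
        msg_key = kdf(bytes(self._chain), b"msg")
        new_chain = kdf(bytes(self._chain), b"chain")
        for i in range(len(self._chain)):      # wipe the old chain key in place
            self._chain[i] = 0
        self._chain[:] = new_chain
        self.step += 1
        return msg_key

    def stolen_state(self) -> bytes:
        """What an attacker obtains by compromising the device at this moment."""
        return bytes(self._chain)


def keys_from_state(chain: bytes, n: int) -> list:
    """The attacker's view: from a stolen chain key, derive the next n message keys."""
    out = []
    for _ in range(n):
        out.append(kdf(chain, b"msg"))
        chain = kdf(chain, b"chain")
    return out


def years_of_aes_keys(capacity_bytes: float, key_bits: int = 256, keys_per_minute: float = 1.0) -> float:
    """How long a store of raw keys lasts at a given consumption rate (the 1 TB / one key per minute estimate)."""
    keys = capacity_bytes * 8 / key_bits
    return keys / keys_per_minute / (365.25 * 24 * 60)


def demo() -> tuple:
    psk = bytes(range(32))                    # constructed 32-byte pre-shared key
    alice, bob = SymmetricRatchet(psk), SymmetricRatchet(psk)
    past = [alice.next_key() for _ in range(3)]
    in_sync = past == [bob.next_key() for _ in range(3)]

    stolen = alice.stolen_state()             # device compromise after message 3
    predicted = keys_from_state(stolen, 2)
    # Forward secrecy: the stolen state is not any past key and yields only later keys
    forward_secrecy = stolen not in past and not any(k in predicted for k in past)
    # No post-compromise security: the next two keys are exactly what the attacker predicted
    no_pcs = predicted == [alice.next_key(), alice.next_key()]
    return in_sync, forward_secrecy, no_pcs
```

Recovering from the compromise requires fresh randomness that the attacker does not see, which is exactly what the table credits to QKD and AKE under "PCS" and what a pre-shared-key scheme cannot produce on its own.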
Asymmetric cryptography, PQC
Traditionally, the problem of establishing a shared secret key between two parties is solved using asymmetric cryptography. Initially, this came mainly in the form of asymmetric encryption based on the RSA (Rivest-Shamir-Adleman) algorithm, a public-key cryptosystem that relies on the computational difficulty of factoring large composite numbers [40]. At this point, we also see a large number of protocols based on versions of the DHKX (Diffie-Hellman Key Exchange) [41]. We compare the usage of an authenticated key exchange using asymmetric cryptography with QKD in Table 3. These techniques scale exceptionally well and by now protect most of the communications infrastructure upon which the World Wide Web operates. Additionally, they also protect much of the Internet and most digital communication. On the other hand, like all asymmetric cryptography, RSA and DHKX rely on computational assumptions. Shor’s algorithm additionally renders them vulnerable to quantum attacks.
PQC is a name for classical algorithms that are expected to withstand quantum attacks. The first asymmetric PQC solutions have been standardized by NIST, encompassing ML-KEM [42] (based on Kyber [43]) and HQC [44] (FIPS to appear) for key establishment as well as several digital signing algorithms, called ML-DSA [45] (based on Dilithium [46]), SLH-DSA [47] (based on SPHINCS+ [48]), and FALCON [49] (FIPS to appear). Additionally, some European government agencies have approved the use of the conservative KEMs Classic McEliece [50] and Frodo [51]. Lastly, the IRTF standardized the two stateful signature schemes XMSS [52] and LMS [53]. We provide an overview of all of these in Table 1.
| Scheme | Type | Status | Based on | Sizes [bytes] |
|---|---|---|---|---|
| ML-KEM (“Kyber”) | KEM | S. (NIST) | Lattices (M-LWE) | L. 1: pk: 800, c: 768; L. 3: pk: 1184, c: 1088; L. 5: pk: 1568, c: 1568 |
| Frodo | KEM | A. (BSI, ANSSI, NCSC) | Lattices (LWE) | L. 1: pk: 9616, c: 9720; L. 3: pk: 15,632, c: 15,744; L. 5: pk: 21,520, c: 21,632 |
| Classic McEliece | KEM | A. (BSI, ANSSI, NCSC) | Codes | L. 1: pk: 261,120, c: 96; L. 3: pk: 524,160, c: 156; L. 5: pk: 1,044,992, c: 208 |
| HQC | KEM | C. (NIST) | Codes | L. 1: pk: 2249, c: 4497; L. 3: pk: 4522, c: 9042; L. 5: pk: 7245, c: 14,485 |
| ML-DSA (“Dilithium”) | Signature | S. (NIST) | Lattices (M-LWE) | L. 1: pk: 1312, sig: 2420; L. 3: pk: 1952, sig: 3293; L. 5: pk: 2592, sig: 4595 |
| SLH-DSA (“SPHINCS+”) | Signature | S. (NIST) | Hashes | L. 1: pk: 32, sig: 7856; L. 3: pk: 48, sig: 16,224; L. 5: pk: 64, sig: 29,792 |
| FN-DSA (“Falcon”) | Signature | C. (NIST) | Lattices (NTRU) | L. 1: pk: 1281, sig: 666; L. 5: pk: 1793, sig: 1280 |
| XMSS (RFC 8391) | Stateful Signature | S. (IRTF) | Hashes | L. 5: pk: 64, sig: 2500 |
| LMS (RFC 8554) | Stateful Signature | S. (IRTF) | Hashes | L. 5: pk: 56, sig: 2664 |
Strengths
Here we list some benefits of using asymmetric cryptography including PQC.
Challenges
Here we list some major challenges.
Assumptions of classical cryptography (including PQC)
Here we list all the assumptions for classical cryptography which also includes PQC.
Quantum key distribution
QKD is a mechanism that uses a quantum channel, a channel that allows the transmission of quantum states (generally speaking qubits), to establish a shared secret between the endpoints. On its own, this mechanism would be inherently vulnerable to man-in-the-middle (MitM) attacks. It is thus necessary to perform the procedure in an authenticated way, by means of an authenticated channel (which may be classical). Usually, ‘QKD’ refers to the combined mechanism and encompasses the authenticated channel. The resulting shared secret is said to offer confidentiality based on the postulates of quantum mechanics, assuming that the authenticated channel is indeed information-theoretically secure and that executions of the protocol do not deviate from its abstract design. This is often claimed to offer ITS (Information-theoretic security), though we would argue that this can be confusing – security is based on the additional assumptions that underlie QKD, such as the postulates of quantum mechanics. We expand on the assumptions underlying QKD in Sect. 2.6.1. To make a clear distinction between information-theoretic security and its extension with quantum physics postulates, we will use the term Q-ITS (Quantum Information-theoretic security).
The keys established by QKD can be used with an OTP and a statistical authentication mechanism to achieve quantum-information-theoretic confidentiality and authenticity, but this requires a large amount of key material. Many real-world schemes will thus instead combine QKD with classical, computationally secure symmetric encryption mechanisms, resulting in computational security with additional quantum assumptions.
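As an added example of the mechanism the two paragraphs above describe (example code, not the paper's or any vendor's), the following Python simulation runs an idealised BB84 round: random bits and bases on Alice's side, measurement on Bob's side, sifting over the classical channel, and QBER estimation on a sacrificed half of the sifted bits. The noise-free channel, the fixed seeds and the 11% abort threshold are this example's assumptions (the real threshold comes from the protocol's security proof). The run with an intercept-and-resend eavesdropper shows the disturbance that quantum mechanics forces on an interceptor, and the comments mark the step where the classical channel must be authenticated, which is why QKD on its own does not rule out a man-in-the-middle.

```python
import random


def bb84(n_qubits: int, intercept_resend: bool, rng: random.Random, abort_qber: float = 0.11) -> dict:
    """Idealised BB84 round over a noise-free channel; abort_qber is an assumed threshold."""

    def measure(bit: int, prep_basis: int, meas_basis: int) -> int:
        # Matching bases: the outcome is the encoded bit. Mismatched bases: the outcome is a
        # uniformly random bit and the original state is gone; this is what betrays an eavesdropper.
        return bit if prep_basis == meas_basis else rng.randrange(2)

    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]   # 0: rectilinear, 1: diagonal
    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if intercept_resend:
            eve_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, eve_basis), eve_basis   # Eve measures, then re-sends
        bob_bits.append(measure(bit, basis, bob_basis))

    # Sifting: bases (never bits) are compared over the classical channel and only the matching
    # positions are kept. This channel must be authenticated; otherwise an attacker can run the
    # protocol separately with each party and end up sharing a key with both.
    sifted = [(a, b) for a, ab, bb, b in zip(alice_bits, alice_bases, bob_bases, bob_bits) if ab == bb]

    # Parameter estimation: half of the sifted bits are disclosed and discarded to estimate the QBER.
    half = len(sifted) // 2
    sample, rest = sifted[:half], sifted[half:]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample) if sample else 1.0
    aborted = qber > abort_qber
    return {
        "sifted": len(sifted),
        "qber": qber,
        "aborted": aborted,
        "alice_key": [] if aborted else [a for a, _ in rest],
        "bob_key": [] if aborted else [b for _, b in rest],
    }


def run(seed: int, n_qubits: int, intercept_resend: bool) -> dict:
    """One BB84 round with a fixed seed so the run is reproducible."""
    return bb84(n_qubits, intercept_resend, random.Random(seed))


def demo() -> tuple:
    honest = run(7, 4000, False)
    tapped = run(7, 4000, True)
    return honest["qber"], tapped["qber"], honest["alice_key"] == honest["bob_key"], tapped["aborted"]
```

With matching bases on roughly half the positions, an intercept-and-resend attacker guesses the wrong basis half the time and then causes an error half the time, so the expected QBER is 25%, far above the abort threshold; the honest run has a QBER of exactly zero on this noise-free channel and leaves Alice and Bob with identical keys. Everything after sifting (error correction, privacy amplification) is omitted here, as is the hardware that a real deployment has to trust.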
Assumptions about QKD
Although QKD-based solutions are often advertised as solutions that dispense with the computational assumptions underlying public-key cryptography, it is important to note that they come with their own assumptions and limitations. Most of these assumptions are protocol-dependent, but below are some fundamental ones independent of this choice of the QKD protocol [62].
Types of QKD service
There are multiple ways in which a user can use QKD. Figure 1 shows which ones we encountered in our use case analysis and shows what is operated by the end-user and what is operated by the service provider. Horizontal dotted lines with a color have an accompanying service offering written in a box on the left. All components above the respective line are operated by the service provider, while the components below the respective line are operated by the end-user. Vertical communication lines are within a node and are assumed to be physically secured, while horizontal communication lines can be accessed by an attacker.
Fig. 1: Overview of systems involved in the encryption of data using QKD keys. Different types of service provide different functionality and determine which systems the user is required to operate.
QKD network topology
The purpose of a key exchange is that only two parties share the key material, which perfectly fits the basic P2P (Point-to-point) connections. However, when dealing with more complex network topologies, a device-based technology such as QKD requires a more complex architecture (see Fig. 2) [71]. Because deploying fibers is an expensive and time-consuming operation, any fiber operator would prefer sharing their pre-existing fiber infrastructure over deploying an entire new one only for QKD. A typical architecture of shared infrastructure includes two parallel optical networks [72, 73]: the classical network, which is based on the OSI model of 7 layers, and the QKD network, which includes two subnetworks referred as KM (Key Management) and quantum layers. The connection between the two classical and QKD networks is provided by an application layer that manages keys requests, which are managed by the QKD network. As the name suggests, the KM layer connects the KMSs assigned to each node. The KM and application layers can easily share the infrastructure with standard WDM (Wavelength Division Multiplexing). However, this is not the case for the quantum layer, which connects QKD Tx and Rx, because of the quantum channel. The sharing of fibers in classical networks presents numerous technical challenges, such as crosstalk, scattering, and additional filters so that quantum channels can bypass optical amplifiers [74].
QKD protocols are executed in the quantum layer. Typically, service channels must be synchronized with quantum ones, thus sharing the same or parallel fibers is preferred. However, no standardization has been proposed yet on the QKD protocol to adopt, making it difficult for fiber operators to integrate QKD into their infrastructure [75]. There are two main families of QKD protocols: DV-QKD (Discrete Variable QKD) and CV-QKD (Continuos Variable QKD). Table 2 reports some of the QKD protocols that are closest to being deployed on real networks.
We can observe that all proposed protocols are limited in SKR (Secret Key Rate) when compared to typical data rates on fiber communications, which are on the order of hundreds of gigabits. This limitation prevents the use in real time of QKD for ITS symmetric encryption schemes that require keys comparable in size to the data, such as OTP. SKRs are still sufficient for symmetric encryption algorithms with smaller keys such as AES, although this comes with a cost in terms of the overall security of the system. Despite sharing the same fiber infrastructure, classical data transmission and QKD are virtually separated into classical and quantum networks. One of the main motivations behind this separation is the incompatibility of QKD with some classic photonic components such as amplifiers. Other motivations are the difference of multiple orders of magnitude between SKR and standard data rates, and between the power of quantum and classic signals. Moreover, the distance limitation of QKD combined with the absence of quantum repeaters, makes the presence of chains of intermediate trusted nodes necessary [84].
DV-QKD protocols were the first to be formulated and demonstrated, thus they are currently the most mature technologically and are already available as commercial products as shown in Table 2. However, DV-QKD protocols have significant technological limitations and challenges that limit their deployment in realistic scenarios. The first limitation is the cost, mainly due to the single-photon detectors, which are expensive and are not standard telecom devices. The second limitation is the high sensitivity to crosstalk due to the extremely low power of the quantum channel compared to classic ones. There are, however, efforts to overcome this limitation [85]. A promising family of protocols are MDI-QKD (Measurement-Device-Independent QKD) protocols, which rely on an intermediate node for measuring two different streams of qubits. The main advantage of MDI-QKD is that the security does not depend on the implementation of the receiver, although the key rates are significantly lower compared to BB84 [78]. An additional benefit of MDI-QKD is the longer distances compared to other DV-QDK protocols. Another family of measurement independent protocols is Twin-Field (TF)-QKD, which enables to increase the distance between two nodes even further [86]. TF-QKD has been reported to have achieved more than 500 km on field deployment [79], although the SKR was significantly lower. The maturity of systems based on measurement-independent protocols is still limited to network deployments, which is promising but still behind compared to other DV-QKD protocols in Table 2.
CV-QKD protocols have the advantage of using coherent receivers with detectors more similar to those used for classical optical communications. This advantage enables not only a reduction of costs, but also compatibility with the equipment of telecom operators and with WDM systems [87]. Another advantage is that CV-QKD is more resilient to classical noise [88]. CV-QKD protocols can be based on GM (Gaussian Modulation) or DM (Discrete Modulation) such as QAM (Quadrature Amplitude Modulation) and QPSK (Quadrature Phase Shift Keying) [83]. DM-based protocols show some advantages over GM: higher reconciliation efficiency of practical error correction schemes, simpler implementation, and higher capacity in the very low SNR (Signal to Noise Ratio) regime, which is a very common regime for CV-QKD schemes [89]. These properties make DM CV-QKD protocols optimal and scalable options for deployment in classical optical networks. However, the signal-to-noise ratio in CV-QKD protocols decreases rapidly with channel losses, which limits their use to shorter distances, as shown in Table 2. In terms of maturity, CV-QKD relies on standard photonic components for telecommunications, which makes it easier to demonstrate and deploy [90]. However, significant effort is required in terms of signal post-processing and calibration. GM and QAM-DM CV-QKD systems have been demonstrated in field demonstrations [80, 82] over deployed fiber links shorter than 20 km. DM CV-QKD systems have been shown to achieve key rates beyond 1 Mbps over short distances, although significant effort is still needed for deployment in a real optical network [91–93]. Compared to DV-QKD, a significant limitation of CV-QKD protocols is that their security is based on the assumption of perfect state separation, which cannot be guaranteed in a practical CV-QKD system [94].
General architecture of an optical network supporting QKD. Protocol stacks of classic optical network (top-left) and QKD network (bottom-left)
| Protocol | Quantum state | Cost | Maximum distance [km] | SKR [Mb/s] | Maturity level |
|---|---|---|---|---|---|
| BB84 (DV) [76] | Single photon | medium | 150 | 0.3 @ 50 km | Variants of BB84 available as commercial products. |
| COW (DV) [77] | Coherent pulses | medium | 90 | 0.05 | Available as commercial product. |
| MDI (DV) [78] | Pair of photons | high | 442 | 2.19 × 10^-4 | Deployed on real networks. |
| TF (DV) [79] | Pair of photons | high | 511 | 3.37 × 10^-9 | Deployed on real networks. |
| Gaussian (CV) [80, 81] | Coherent state | low | 20 | 0.03 | Field demonstrations. |
| QAM (CV) [82] | Coherent state | low | 16 | 35 | Field demonstration. |
| QPSK (CV) [83] | Coherent state | low | 20 | 10 | Deployable system under development. |
Comparison of communication protocols
In this section, we provide a detailed comparison of various communication protocols using classical, quantum and post-quantum cryptography based on their security properties, key management requirements, complexity, and scalability. The discussion aims to offer a comprehensive understanding of the trade-offs involved in selecting an appropriate protocol for different security environments. All of these protocols are summarized in Table 3.
Pre-shared keys + OTP + ITS-MAC
This method is one of the most secure but least scalable cryptographic techniques. It provides perfect confidentiality due to the OTP and statistical authenticity through ITS MAC. However, it lacks PCS, meaning that if a key is exposed, all communications encrypted with that key are compromised. A significant drawback is the need to securely distribute and store extremely large keys, as each message requires a key of equal length. Additionally, due to the requirement for in-person key exchanges, this scheme is highly impractical for large-scale networks or frequent communications. The combination of high security and logistical difficulty makes it suitable for only highly sensitive, low-frequency communications.
Pre-shared keys + symmetric encryption
This approach balances security and practicality better than OTP-based methods. While it provides computational confidentiality and authenticity, it does not offer PCS. Symmetric encryption reduces the key size requirement compared to OTP, making it easier to manage. However, the challenge of securely distributing and storing keys remains. This method requires pre-shared keys, meaning a trusted mechanism must exist for exchanging them beforehand. Key management complexity is moderate to high, depending on the size of the network. Scalability is still poor since secure key exchange must occur in advance and in a quadratic fashion for a fully connected network. This protocol is occasionally used in secure messaging applications where a fixed group of users communicates regularly.
Pre-shared authentication keys + ITS-MAC + QKD + OTP
This method provides Q-ITS confidentiality through OTP encryption and statistical authenticity via ITS MAC. Additionally, it achieves PCS, meaning that even if an encryption key is compromised, a new one can be generated, reestablishing confidentiality for future messages, as long as the MAC key itself was not compromised. However, deploying QKD requires specialized quantum infrastructure, which adds significant complexity and cost. Moreover, scalability is severely limited due to the requirement for both quantum channels and a quadratic number of in-person key exchanges. This makes the approach feasible only in very specific environments, such as some settings involving government and military communications.
QKD + OTP + signatures
This method offers Q-ITS confidentiality using OTP encryption and computational authenticity through digital signatures. It also ensures PCS, meaning security remains intact even if past encryption keys are exposed. QKD allows for the on-demand generation of OTP keys, eliminating the need for long-term key storage. The inclusion of digital signatures ensures authenticity. However, the overall complexity is high due to the reliance on quantum infrastructure. Scalability is constrained by the requirement for quantum channels, which are difficult to deploy over long distances. While star-network architectures can alleviate some of the challenges, they introduce a need for trust in the network operator.
QKD + symmetric encryption + signatures
This scheme uses QKD to generate keys for symmetric encryption while relying on digital signatures for authentication. Unlike OTP-based approaches, symmetric encryption reduces the key size requirement, making storage and management easier. However, the confidentiality guarantee now depends on both computational assumptions and Q-ITS. PCS is ensured, meaning that future communications remain secure even if past keys are compromised. The major drawbacks are the reliance on QKD infrastructure, which significantly increases deployment complexity, and the reliance on two sets of security assumptions (computational and quantum information-theoretic) instead of just one, as in the cases of both purely QKD-based solutions and solutions based on classical authenticated key exchanges. Scalability remains poor due to the need for quantum channels, but some network architectures, such as star topologies, can improve feasibility.
Authenticated key exchange + symmetric encryption
This approach offers computational confidentiality and authenticity in a highly scalable and practical way. Most modern protocols offer PCS as a matter of course and generate dynamic encryption keys, eliminating the need for long-term key storage. Key management is relatively straightforward, making it a suitable choice for large networks. Scalability is excellent, particularly when combined with a PKI, which enables efficient and automated distribution of authentication-keys. Most modern secure communication systems, such as TLS and VPNs, rely on this kind of protocol for their security.
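To make the key accounting behind the OTP + ITS-MAC schemes above concrete, the following Python is an added example (not the paper's code): it models a key pool fed by a QKD link or a pre-shared key file, encrypts with an OTP, authenticates with a Wegman-Carter style one-time MAC over a prime field, and converts the consumed key bytes into the time a link of a given SKR needs to deliver them. The field GF(2^127 - 1), the 15-byte block size and the tag layout are this example's own assumptions; the 0.3 Mb/s rate used in the demo is the BB84 value of Table 2.

```python
import hmac

P = (1 << 127) - 1      # Mersenne prime; hash field GF(P) (assumption of this example)
BLOCK = 15              # 15-byte message blocks encode as integers < 2^120 < P
TAG_BYTES = 16          # one field element, stored in 16 bytes


class KeyPoolExhausted(Exception):
    """Raised when more key material is requested than the source delivered."""


class KeyPool:
    """Key bytes delivered by a key source (a QKD link or a pre-shared key
    file). Each byte is handed out at most once: that single property is the
    whole security argument of the OTP and of the one-time mask in the MAC."""

    def __init__(self, material: bytes):
        self._material = material
        self._pos = 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._material):
            raise KeyPoolExhausted(f"need {n} bytes, only {self.remaining} left")
        out = self._material[self._pos:self._pos + n]
        self._pos += n
        return out

    @property
    def remaining(self) -> int:
        return len(self._material) - self._pos


def _blocks(msg: bytes):
    """Length-prefixed 15-byte blocks as field elements; the prefix keeps
    messages of different lengths from colliding under the hash."""
    yield len(msg)
    for i in range(0, len(msg), BLOCK):
        yield int.from_bytes(msg[i:i + BLOCK], "big")


def poly_hash(a: int, msg: bytes) -> int:
    """Polynomial universal hash evaluated at the secret point a (Horner form).
    Two distinct messages of at most L blocks collide for at most L + 1 values
    of a, i.e. with probability about L / P over the choice of a: this is what
    makes the authenticity statistical rather than computational."""
    h = 0
    for m in _blocks(msg):
        h = (h + m) * a % P
    return h


def its_tag(a: int, mask: bytes, msg: bytes) -> bytes:
    """Wegman-Carter tag: hash output plus a fresh one-time field element b.
    `a` may be reused across messages; `mask` (b) must come from the pool and
    never be reused. (Reducing 128 random bits mod P has a bias of about
    2^-126, which is ignored here.)"""
    b = int.from_bytes(mask, "big") % P
    return ((poly_hash(a, msg) + b) % P).to_bytes(TAG_BYTES, "big")


def seal(a: int, pool: KeyPool, plaintext: bytes) -> bytes:
    """OTP-encrypt, then tag the ciphertext. Consumes len(plaintext) + TAG_BYTES
    pool bytes, so the pool must refill at least as fast as data is sent."""
    pad = pool.take(len(plaintext))
    ciphertext = bytes(x ^ y for x, y in zip(plaintext, pad))
    mask = pool.take(TAG_BYTES)
    return ciphertext + its_tag(a, mask, ciphertext)


def unseal(a: int, pool: KeyPool, packet: bytes) -> bytes:
    """Receiver side: both parties must walk their pool copies in the same
    order. Deployed systems carry explicit key identifiers so that a dropped or
    length-tampered packet cannot desynchronise the pools; omitted here."""
    ciphertext, tag = packet[:-TAG_BYTES], packet[-TAG_BYTES:]
    pad = pool.take(len(ciphertext))
    mask = pool.take(TAG_BYTES)
    if not hmac.compare_digest(tag, its_tag(a, mask, ciphertext)):
        raise ValueError("authentication failed")
    return bytes(x ^ y for x, y in zip(ciphertext, pad))


def key_wait_seconds(payload_bytes: int, messages: int, skr_mbps: float) -> float:
    """Seconds a link with secret key rate skr_mbps needs to deliver the key
    for `messages` packets carrying payload_bytes in total under this scheme."""
    key_bits = (payload_bytes + messages * TAG_BYTES) * 8
    return key_bits / (skr_mbps * 1e6)


if __name__ == "__main__":
    import secrets
    material = secrets.token_bytes(4096)       # constructed stand-in for QKD output
    a = secrets.randbelow(P - 1) + 1           # long-term hash key, pre-shared
    sender, receiver = KeyPool(material), KeyPool(material)
    pkt = seal(a, sender, b"count totals: 1234")
    print(unseal(a, receiver, pkt), "pool bytes left:", receiver.remaining)
    # 1 GB of OTP traffic at the 0.3 Mb/s of Table 2 needs about 7.4 hours of key
    print(round(key_wait_seconds(10**9, 1, 0.3) / 3600, 1), "hours")
```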
Current use cases
This section briefly introduces the use cases being analyzed in the subsequent sections. Analyzing all the available use cases in the literature, in commercial QKD company documents [95–97], in the OpenQKD project [98, 99] and in other sources is not possible due to the limited details provided on some use cases. Use cases with sufficient technical information are analyzed here. The order is based on the year of occurrence. We summarize the use cases in Table 4.
| Use case | Target sector, country | Description | QKD system and network | Intended impact | Security goals | QKD service |
|---|---|---|---|---|---|---|
| Authenticity of election results (Sect. 4.1) | Government, CH | Used QKD to guarantee authenticity of election results during transmission between the counting center and storage location. | ID Quantique Cerberis QKD system directly connected using a 4 km long fiber. | Ensured authenticity of election results. | Transmission reliability, successful integration of QKD with existing cryptographic methods. | Equipment. |
| Backup for disaster recovery (Sect. 4.2) | Banking, CH | Used QKD with AES to secure connections between a bank’s headquarters and a disaster recovery center. | QKD via ID Quantique’s Cerberis QKD server. Direct connection, approx. 100 km apart. | Enhanced security for disaster recovery operations. | Forward secrecy, high performance, secure communication. | Equipment. |
| Financial data (Sect. 4.3) | Financial, US | Used QKD to secure a video stream transmission over a 32 km dark fiber between financial offices. | Toshiba’s QKD system. Data transmission over 32 km dark fiber between New York and New Jersey. | Enhanced security for financial data transmission. | Increased network capacity, secure long-distance communication. | QKD keys as a service. |
| Facial recognition (Sect. 4.4.1) | Biometrics, JP | Used QKD to secure the transfer of data for facial recognition in a server room. | NEC’s QKD devices in Tokyo QKD Network. One trusted node between the camera server and the facial recognition server. | Secure storage and transfer of biometric data. | Reliability of QKD-secured video storage, successful facial recognition data transfer. | Data transport. |
| Key storage and key backup (Sect. 4.4.2) | Cryptocurrency, CH | Used QKD with OTP to transfer key shares in a cryptocurrency exchange’s key storage system. | QKD with ID Quantique’s QRNG. Direct connection. | Secure storage and backup of keys. | Robustness of key recovery, resilience against attacks. | QKD keys as a service [115]. |
| Medical image sharing (Sect. 4.4.3) | Medical research, AT | Exchanged medical images using QKD and secret sharing between different datacenters. | QKD devices from ID Quantique, Toshiba, and ADVA. Direct connection with intermediate nodes at Citycom Graz data centers. | Secure storage and sharing of medical data. | Data recovery capabilities, redundancy of data storage. | Equipment. |
| Medical record backup (Sect. 4.4.4) | Healthcare, JP | Backed up medical records using QKD to split and transmit data to different datacenters. | The Tokyo QKD Network was used, which connected three locations using equipment from NEC, Toshiba, NTT-NICT and Gakushuin University. | Secure backup of electronic medical records. | Data redundancy, secure multi-location storage. | Data transport. |
| Connecting data centers (Sect. 4.5) | Public utility, CH | Secured connection between two data centers using QKD and AES-256 on layer 1 to protect cloud applications. | ID Quantique’s Cerberis3 system. Direct connection using ADVA FSP 3000 for optical transport. | Increased data security for cloud applications. | Secure data transmission, fallback mechanisms. | Equipment. |
| Genome data (Sect. 4.6) | Medical research, JP | Secured transfer of genome data and video conferences using QKD and OTP encryption. | Toshiba’s QKD system. Data transmission over 2 connections between 3 medical institutions, one of which is 7 km long. | Secure high-speed transmission of genome data and video conferences. | Stable communication, real-time transmission capabilities. | QKD-secured service. |
| Metrics of an overbraider machine (Sect. 4.7) | Industrial manufacturing, UK | Sent quality and performance metrics of an overbraider machine between two facilities using QKD. | Toshiba’s QKD system. Data transmission over a 7 km connection. | Secure transmission of industrial data. | Secure and reliable data exchange, optimized industrial process monitoring. | Equipment. |
| Self-driving cars (Sect. 4.8) | Automotive, RU | Integrated QKD hardware into a self-driving car to securely transfer data and software updates over 4G LTE. | QRate QKD hardware. Quantum key distribution during refueling/charging via optical channel. VPN over 4G LTE. | Secure transfer of software updates and telemetry data. | Cache and retrieve QKD keys, secure data transfer over mobile network. | Equipment. |
| Grid network (Sect. 4.9) | Energy, CH | Secured data transmission between power stations using QKD to prevent intrusions. | QKD, peer-to-peer architecture. | Enhanced security for Smart Grid communications. | Latency impact, link stability, service continuity during QKD-related issues. | Equipment. |
| Authentication of smart grid communications (Sect. 4.10) | Energy, US | Authentication of SCADA traffic (i.e. measurement and control data) between a power distribution center and an electrical substation. | Qubitekk QKD system. Direct connection, 3.4 km. | Ensured authenticity of SCADA traffic. | Information-theoretic authentication in smart grid communications. | Equipment. |
| Genome distance sharing (Sect. 4.11) | Medical research, ES and PT | Used QKD with OTP to secure information sharing on how genome sequences (for example from family members) are related. | ID Quantique and Huawei QKD systems were used to secure 2 connections of 7 km and 24 km between 3 institutions. | Secure sharing of genome distances. | Securely calculating and sharing genome distances without revealing the genome sequences. | Equipment. |
Authenticity of election results (2007)
The State of Geneva, Switzerland, used QKD during its 2007 election process to secure transmission of the election count totals from the counting center to the location where the votes were stored [100–102]. The QKD keys were used in conjunction with AES-256 for confidentiality and HMAC-SHA-256 for authenticity [103, 104]. ID Quantique provided the QKD devices. The locations were directly connected using 4 km long fibers [105].
Backup for disaster recovery (2017)
A private asset and wealth management company in Switzerland needed to secure its communication network between its headquarters and a DRC (Disaster Recovery Center) [106, 107]. To protect sensitive data long-term, they used Thales’ network encryptors and Cerberis QKD devices to combine layer 2 Ethernet encryption using AES-256 with keys from QKD. The success of this implementation led to the expansion of the encryption platform to other areas of the company for MAN and WAN applications.
Financial data (2019)
In 2019, Toshiba and Quantum Xchange reported on a collaboration that augmented the encrypted connection between Wall Street’s financial markets and a data center in New Jersey, using the QXC Phio QKD network [108, 109]. The connection between Wall Street and the data center is usually used to transmit sensitive financial data like trading algorithms and customer settlement accounts. As a demonstration, the QKD-augmented connection was used to transmit an uncompressed live video stream. The fiber connection multiplexes the QKD channels, including the quantum one, and the commercial data over a single dark fiber. The multiplexing scheme was based on CWDM (Coarse Wavelength Division Multiplexing) with the quantum channel in the O-band and the rest of the channels in the C-band. Deploying new optical fibers is one of the most expensive operations for a network provider. Therefore, the capability of Toshiba’s system to avoid a dark fiber dedicated solely to the quantum channel is a significant improvement of the solution proposed in this use case.
Distributed information sharing and backups
We encountered several use cases in which actors wanted to store sensitive information; we describe them below. All of them followed the principle of protecting that information against server break-ins via a cryptographic protocol known as ‘Secret Sharing’, i.e., by splitting the information into N components (‘shares’) such that the original information cannot be reconstructed without obtaining at least n of these N shares. The rationale is that, by distributing the separate shares to spatially separated secure locations, an attacker cannot access the information without breaking into at least n (secured) servers.
Facial recognition (2019)
The NICT (National Institute of Information and Communications Technology) of Japan, NEC (Nippon Electric Company), and the National Olympic Committee of Japan have partnered to use facial recognition to control access to a server room [110]. QKD is used to secure the data necessary for facial recognition. A facial recognition server decides whether a person gets access to a server room that stores medical and athlete data records. The video recordings of athletes are used for analysis to improve their performance. A camera is connected to the central server, and the facial recognition data sent over this connection is secured using QKD. The central server is also connected to three servers using a QKD-secured connection. The biometric data of people who should be given access to the server room is stored on the facial recognition server, and a backup is stored on three servers using secret sharing.
Key storage and key backup (2020)
Mt. Pelerin, a Swiss company specializing in cryptocurrency, partnered with ID Quantique to involve QKD in their asset management to secure digital assets [111, 112], [113, Use Case 03]. These assets include blockchain private keys with which transactions can be signed; they were split into five shares using SSS (Shamir’s Secret Sharing) [114]. To recover the assets, access to three of the five storage nodes is necessary [115]. The procedure for backing up assets to storage nodes involves OTP encryption of each share, for which the application uses keys distributed by ID Quantique’s QKD devices.
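The n-of-N splitting described in the introduction to this group of use cases, and the 3-of-5 SSS of this use case in particular, as an added Python example (not code from any of the cited projects): it splits a secret over a prime field, reconstructs it from any threshold-sized subset, and shows why threshold - 1 shares carry no information about the secret. The field prime 2^521 - 1 is an assumption of the example; in the use cases each share would then be sent through the respective transport protection (OTP or AES with QKD keys).

```python
import secrets

# Field for the shares. Assumption of this example: the Mersenne prime
# 2^521 - 1 comfortably holds a 256-bit secret such as a blockchain signing key.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs: list, x: int) -> int:
    """coeffs[0] + coeffs[1]*x + ... evaluated mod PRIME (Horner form)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % PRIME
    return y


def _interpolate_at(points: list, x_target: int) -> int:
    """Lagrange interpolation through `points` (distinct x), evaluated at x_target."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x_target - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret: int, threshold: int, n_shares: int) -> list:
    """Shamir split: the secret is the constant term of a random polynomial of
    degree threshold - 1; share i is the point (i, f(i)) for i = 1..n_shares."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: list) -> int:
    """Reconstruct f(0) from any `threshold` (or more) shares. With fewer
    shares this still returns a value, but one unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    return _interpolate_at(shares, 0)


def consistent_share(known_shares: list, candidate_secret: int, x: int) -> tuple:
    """Given threshold - 1 shares, every candidate secret is equally plausible:
    this returns the share at index x that the polynomial through
    (0, candidate_secret) and the known shares would have produced. Whoever
    holds only those shares therefore learns nothing about which secret was
    split, which is the guarantee the 3-of-5 storage scheme relies on."""
    return (x, _interpolate_at([(0, candidate_secret)] + list(known_shares), x))


if __name__ == "__main__":
    signing_key = int.from_bytes(secrets.token_bytes(32), "big")  # constructed secret
    shares = split_secret(signing_key, threshold=3, n_shares=5)
    print(recover_secret([shares[0], shares[2], shares[4]]) == signing_key)  # True
    two = shares[:2]
    alt_third = consistent_share(two, 42, 3)    # a third share that fits secret 42
    print(recover_secret(two + [alt_third]))    # 42: two shares fit any secret
```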
Medical image sharing (2020)
The Diagnostic and Research Center for Molecular BioMedicine of Medical University Graz, Austria, exchanged images with the pathological institute of the LKH Graz West II, so that the images could be analyzed at both sites [116, 117]. The images were split in three shares using fragmentiX secret sharing which is based on SSS [118]. Two shares were encrypted using AES with QKD keys and transferred to two different datacenters in the same city. The third share was transferred using TLS to a storage at the Medical University Graz. In case one storage location encounters data loss, all data can be restored using the other two storage locations.
Medical record backup (2020)
NICT, NEC and ZenmuTech partnered to back up medical records [119, 120]. Dummy medical records were sent from the medical institution to a server using QKD. This server split the medical records into three shares using the AONT (All-or-nothing transform) [121]. The three shares were then transmitted to three different data centers in different cities while being secured by QKD.
Connecting data centers (2020)
SIG (Services Industriels de Genève), a Swiss public utility company managing a fiber optical network, partnered with ID Quantique (IDQ) to secure a connection between two data centers using QKD and AES [113, Sect. 3.4]. SIG runs an encrypted connection between their two main data centers to secure sensitive data processed in their cloud applications [122]. They used QKD keys to augment the standard encryption key. Functionality in the case of unavailable QKD keys is maintained by falling back to the non-augmented encryption keys.
Genome data (2020)
By 2020, Toshiba Corporation and Tohoku Medical Megabank Organization (ToMMo) finished a five-year trial in which they used Toshiba’s QKD system to encrypt sensitive large-scale genome sequence data [123–125]. Over two years, genome data produced with the Japonica Array tool was encrypted and transmitted from the Toshiba Life Science Analysis Center to the Tohoku Medical Megabank Organization over a distance of 7 km. Toshiba reported to have achieved stable communication with speeds exceeding 10 Mbps.
Toshiba furthermore reported that the sequencing of 24 genome data sets took over 117 hours. During the generation of this data, the data was transmitted after being encrypted with OTP using keys from QKD. The transmission of this data finished less than 4 minutes after the sequencing finished.
In 2020, the QKD network was extended with a connection between Tohoku University Hospital and ToMMo, which are a few hundred meters away from each other. The QKD keys were used to encrypt video conferences and exome sequence data using OTP. The exome sequence data was encrypted and transmitted while the sequencing was ongoing. One exome sequence produces approximately 344 GB of data.
Metrics of an overbraider machine (2020)
Toshiba, BT, the Centre for Modelling and Simulation (CFMS), and the National Composites Centre (NCC) recently partnered to send production data between NCC and CFMS, encrypting this data using QKD-generated keys [126–128]. The data, which was sent over a 7 km long fiber, included quality and performance metrics of an overbraider machine.
Self-driving cars (2021)
In collaboration with QRate, researchers from Innopolis University, Russia, integrated QKD hardware into a self-driving car in 2021 [129], to facilitate the exchange of key material with QKD-enabled gas/charging stations over an optical fiber. The gained key material was to be used to launch an encrypted OpenVPN connection (4G LTE) with the vendor’s data center, in order to facilitate remote software updates and the transmission of telemetry data.
Grid network (2022)
IDQ additionally partnered with SIG to connect two of SIG’s power stations to the OpenQKD testbed, as a demonstrator for an envisioned Smart Grid network connecting all of SIG’s power stations in Geneva with each other and the operations center by a peer-to-peer (p2p) architecture [113, Sect. 3.1]. According to the OpenQKD report [113, Sect. 3.1], the use case was motivated by the goal to ‘secure data transmission and detect intrusions such as hackers taking control of the electricity distribution network’.
Authentication of smart grid communications (2022)
In this use case, QKD was deployed over a distance of 3.4 kilometers between a power distribution center and an electrical substation in Tennessee, United States [130]. The keys from the Qubitekk QKD system were used to authenticate SCADA (Supervisory Control and Data Acquisition) traffic, which was sent using MQTT (Message Queuing Telemetry Transport). The SCADA traffic contains non-confidential control data and measurement data such as voltage, current, frequency and phase. The traffic was authenticated using GMAC (Galois Message Authentication Code) with AES.
Genome distance sharing (2022)
In the QuGenome project, the UPM (Universidad Politécnica de Madrid), the CSIC (Spanish National Research Council) and the Ciemat (Research Centre for Energy, Environment and Technology) had one or more genome sequences of which they would like to know how they are related to the genome sequences at the other institutions [131]. Using quantum oblivious transfer, secure multiparty computation and a distance-based method, the evolutionary distances between every pair of sequences were calculated without revealing the genome sequences at one institution to the other institutions [132]. The evolutionary distances were encrypted using OTP with QKD keys and shared with the other institutions to calculate the phylogenetic tree of the genome sequences. This tree can be used to visualize how family members or different variants of a virus are related.
Method of analysis
While the use cases listed in Sect. 4 differ in terms of target sector and concrete technological means, they share similarities in their technological approaches and/or their security goals. To structure our discussion in Sect. 6, we will analyze the use cases using the following questions:
How is the key used?
While all use cases involve the use of keys provided by QKD, these keys are used in different protocols. The respective protocol determines
Different symmetric ciphers have different security guarantees. While AES provides computational security, OTP provides secrecy independent of the computational resources of the attacker, assuming that the secrecy of the key itself does not rest on computational assumptions and that the key is used only once. This has implications for the security guarantees that are provided by the system. To analyze the use cases in Sect. 6, it is therefore important to keep the following questions in mind:
What does the network topology look like?
Understanding network topology is crucial because it directly impacts the security, scalability, and feasibility of QKD deployment. The choice of QKD protocols, devices, and the configuration of trusted nodes influences overall security guarantees and determines the practicality of implementing QKD in real-world scenarios. By examining these aspects, we can assess how well the system aligns with the intended use case and its security requirements. Therefore, we look for the following points:
What security guarantees does the system provide?
The two primary properties that we discuss in this work are confidentiality and authenticity. Additionally, we require correctness (the property that the scheme ‘works’ in the absence of an attacker) and availability, the property that a scheme can be used when needed. The latter two are, however, less of an issue for the most part, and none of the use cases that we analyzed seemed to encounter major issues with them.
Use case assessment and recommendations
To address the specific questions raised in Sect. 5 for each use case, we now examine to what end the established QKD keys are used, which protocols and devices are involved, and the obtained security guarantees. To enable a comparison with traditional cryptographic methods and PQC, we additionally discuss if and how traditional cryptography and PQC could enable each use case, and whether this would lead to different security guarantees. We also critically comment on the discussed use cases and offer recommendations for improvement. We summarize the analysis in Table 5. We also provide an overview of alternatives that do not rely on QKD to achieve the same security goals. We remark that we do so largely independently of the needed assumptions; in particular, we assume that quantum assumptions and computational assumptions are both suitable to meet the security requirements.
| Use case | Aim | Used technology | Security requirements | Alternatives |
|---|---|---|---|---|
| Authenticity of election results (Sect. 6.2) | Ensures authenticity of election results during transmission. Secures the link between central ballot-counting stations and government data centers. | SARG04, AES-256, HMAC-SHA-256 | Authenticity | PQ signatures |
| Backup for disaster recovery (Sect. 6.3) | Additional security layer for encryption between headquarters and DRC. Protects sensitive business and customer data. | SARG04, AES-256 | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Financial data (Sect. 6.4) | Secures transmission of sensitive data between financial centers. Protects trading algorithms, customer accounts, etc. | BB84/T12, AES-256 | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Facial recognition (Sect. 6.5.1) | Secures transmission of biometric authentication data. Protects feature data in a face recognition system. | BB84 and DPS-QKD, secret sharing, symmetric cipher used unknown | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Key storage and backup (Sect. 6.5.2) | Encrypts digital asset components split using secret sharing. Protects private keys for digital assets such as cryptocurrencies. The to-be-protected assets are secrets for computationally secure cryptography. | DV-QKD, OTP, secret sharing | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Medical image sharing (Sect. 6.5.3) | Encrypts data fragments during transmission between hospitals and external storage. Protects highly sensitive medical data. | DV-QKD and BB84/T12, AES, secret sharing, TLS | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Medical record backup (Sect. 6.5.4) | Secures transmission of medical records. Protects extremely sensitive personal data. | BB84, BB84/T12, DPS-QKD, CV-QKD, secret sharing | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Connecting data centers (Sect. 6.6) | Secures symmetric key exchange between data centers. Protects utility operations and customer data. | COW, AES-256 | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Genome data (Sect. 6.7) | Secures transmission of genome data and video conferences. Protects highly sensitive genome data and video conferences. | BB84/T12, OTP | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange (losing everlasting confidentiality) |
| Metrics of an overbraider machine (Sect. 6.8) | Secures transmission of manufacturing data. Protects production parameters of composite components. | BB84/T12, symmetric cipher used unknown | Confidentiality, Authenticity | Pre-shared keys; PQ key exchange |
| Self-driving cars (Sect. 6.9) | Secures software updates and telemetry data. Quantum-protected software updates for the autonomous control system. | BB84, OpenVPN | Authenticity for software updates; Confidentiality and Authenticity for telemetry | Pre-shared keys; PQ key exchange; signatures (authenticity only) |
| Grid network (Sect. 6.10) | Secure communication between power stations, prevent hacking. | DV-QKD, peer-to-peer architecture, symmetric cipher used unknown | Authenticity, maybe Confidentiality (unclear). Secure implementations; not really a cryptographic problem in the first place. | Pre-shared keys; PQ key exchange |
| Authentication of smart grid communications (Sect. 6.11) | Ensure authenticity of measurement and control data. | Entanglement-based QKD, GMAC with AES | Authenticity | Pre-shared keys |
| Genome distance sharing (Sect. 6.12) | Secures transmission of genome Hamming distances. | CV-QKD, OTP, quantum oblivious transfer, secure multiparty computation | Confidentiality, Authenticity | Pre-shared keys |
Comment on backups in general
We encountered several use cases that use QKD to protect the transmission of data with the goal of backing up this data. QKD is primarily a replacement for key exchange mechanisms aiming at transport protection.
However, transported data should ideally also be protected at rest, i.e., while being stored as backups. Generally, this is not an ideal use case for dynamically created (or ‘non-static’) keys since such keys have to be stored along with the backup for eventual data recovery. For backup use cases, it may be desirable to use a pre-existing key to encrypt the to-be-transmitted data already before transmission since the storage facility then does not have to store the key material, making it harder for attackers to recover the encrypted data even if they gain digital or physical access to the storage facility. If the encryption scheme used for this long-term encryption is asymmetric, the generator of the data does not even need to maintain knowledge about the used secret key – it could be stored in a separate secure location, independent of the mass-data backup.
One way to further strengthen such storage encryption is to secret-share the key so that multiple parties have to cooperate to decrypt the backups. Depending on the use case, this could, for example, involve all members of a company’s board of directors receiving a share.
Authenticity of election results 4.1
Aim
Used technology
Analysis and recommendation
In this use case, the QKD key was used to protect count totals of a public election. This data can be made public as soon as the voting stations close. If the data is transferred after closing the voting station, it does not have to be confidential anymore. The data only has to be authenticated to make sure the count totals are not modified. Therefore, it is not clear that this use case requires any form of confidentiality whatsoever; it seems that it only requires authenticity. Any QKD protocol requires an authenticated channel, which would suffice to solve the use case in a more natural way (by directly authenticating the transmitted local results once the election concluded). Therefore, we assess that QKD does not add value to this use case.
One could envision a variant of this use case in which votes are transmitted as they are being cast, instead of being transmitted only as an aggregate that needs no confidentiality. This would change the setting to a setting that requires confidentiality, which could be provided by QKD or AKEs. This variant, however, would inherently introduce additional attack vectors – e.g., parties with access to the receiving system could collaborate with a party that collects information about when a given voter voted, thereby breaking the secrecy of the election.
Backup for disaster recovery 4.2
Aim
Used technology
Analysis and recommendation
QKD is used here to provide transport security, which is its primary strength. However, the backup data is only secured in transit and not secured at rest. The recommendation to secure the data at rest from the Comment on backups in general applies.
Financial data 4.3
Aim
Secure the transmission of sensitive and high-value data between a datacenter on Wall Street and a datacenter in New Jersey. This data includes trading algorithms, customer settlement accounts, real-time trading and transactional data, core banking applications and video conferencing data.
Used technology
Analysis and recommendation
QKD is used here to provide transport security, which is its primary strength. We only note that the institutions in question are physically close enough and pre-determined enough that exchanging AES keys physically, as discussed in Sect. 2.4, would be a viable and even more secure, but more labor-intensive, alternative here.
Distributed information sharing and backups
Facial recognition 4.4.1
Aim
Secure the transmission of biometric authentication data, specifically feature data in a face recognition system, between the central server and the face recognition server. Additionally, secret sharing is used to secure the storage of reference data for authentication across distributed servers.
Used technology
Analysis and recommendation
As biometric authentication cannot be changed like a password, this data has to be protected for a long time. QKD is indeed a possible way to provide some transport security, though AKEs would be able to do the same and the Comment on backups in general also applies to this use case.
Key storage and key backup 4.4.2
Aim
Used technology
Analysis and recommendation
The private keys protected by the system need to be protected for the entire duration that the digital assets are in custody, which could potentially be indefinite or until the assets are moved or redeemed. However, assuming these private keys are used to control cryptocurrencies such as Bitcoin or Ethereum, the private keys can be calculated from the public key by a CRQC and the usage of QKD in this use case will not protect the private key from being recovered by a CRQC.
The use case aims to protect asymmetric secrets, i.e., secrets that are used by asymmetric cryptosystems. The use case thus assumes that the respective cryptosystems are secure – otherwise, protection of these secrets would not be worthwhile. Considering the significant overhead of QKD in comparison with classical cryptosystems, this calls the use case into question in general.
Medical image sharing 4.4.3
Aim
Used technology
Analysis and recommendation
This use case uses QKD to provide transport security, which is its primary strength. Given the nature of medical records, protection may be required for many years or even decades. Even if the TLS connection used to transport shares of the medical images is broken by an attacker, the attacker would still need access to a second share to restore the original image. Besides the caveats regarding the use of QKD in general, we note that the institutions in question are physically close enough (and pre-determined enough) that exchanging AES keys physically, as discussed in Sect. 2.4, would be an alternative that is viable and does not have to rely on quantum assumptions.
Medical record backup 4.4.4
Aim
Secure the transmission of medical records that were split using secret sharing. Medical records contain detailed patient information, diagnostic results, treatment plans, and other confidential health-related data.
Used technology
Analysis and recommendation
The confidentiality of the medical data needs to be protected for as long as the data is sensitive, which generally means many years. The data is sent to a server that secret-shares it and distributes the shares to storage servers. As a consequence, the connections between the sender and the various servers have to be secured. That the medical data is secret-shared by a trusted server rather than by the original producer raises significant questions about why this is done this way, as it introduces the need for an otherwise unnecessary third party. Removing this component and encrypting the data directly under secret-shared keys could improve the overall security and would still allow the use of QKD to protect transport encryption as a defense-in-depth measure. At that point the analysis given in Sect. 6.5.3 would apply.
Connecting data centers 4.5
Aim
Secure the connection between SIG’s two main data centers to protect utility operations data, customer information, and other confidential business data.
Used technology
Analysis and recommendation
QKD is used to provide transport security, its primary strength. We note, however, that this use case is highly vulnerable to downgrade attacks: attackers can completely eradicate the QKD component from this solution by simply interrupting the quantum channel. When the quantum channel stops working, no QKD keys are used and only the standard session key is used to encrypt data. This behaviour trades security for availability of the connection. We recommend changing this behaviour. We also note that XORing keys is not without issues if it cannot be fully guaranteed that the keys are independent and non-maliciously generated; a dual-PRF could be more appropriate here [134].
We were unable to find information about the distance between the data centers. In case they are physically close, the alternative mentioned in Sect. 6.5.3 (physical exchange of key material) would also apply here.
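The two problems noted above, silent fallback and XOR key combination, can both be illustrated in a few lines. The example below is added here and is not code from the paper or from the analyzed deployment. It models a party who knows the session key and can influence the second key: with the XOR combiner that party can force any final key, whereas a KDF-based combiner of the concatenate-and-extract type used in hybrid key exchange designs (whose security argument treats HKDF-Extract as a dual PRF) does not let either input cancel the other. The `derive_link_key` policy function refuses to produce a key when the QKD material is missing, instead of degrading silently; its name, the context labels and the fixed zero salt are our own choices.

```python
import hashlib
import hmac
import secrets


def xor_combine(k_a: bytes, k_b: bytes) -> bytes:
    """Naive combiner: the link key is the XOR of both inputs."""
    if len(k_a) != len(k_b):
        raise ValueError("key lengths differ")
    return bytes(a ^ b for a, b in zip(k_a, k_b))


def kdf_combine(k_session: bytes, k_qkd: bytes, context: bytes = b"link-key", out_len: int = 32) -> bytes:
    """HKDF-style combiner: extract from the concatenated secrets, then expand under a context label.

    Neither input can be chosen to cancel the other, because the output is a PRF of both.
    """
    hash_len = hashlib.sha256().digest_size
    # Extract: HMAC keyed with a fixed salt over both secrets (order matters and is fixed).
    prk = hmac.new(b"\x00" * hash_len, k_session + k_qkd, hashlib.sha256).digest()
    # Expand: one HMAC block is enough for up to 32 bytes of output.
    okm = hmac.new(prk, context + b"\x01", hashlib.sha256).digest()
    return okm[:out_len]


def derive_link_key(k_session: bytes, k_qkd, qkd_required: bool = True) -> bytes:
    """Policy wrapper: never fall back to the session key alone unless explicitly allowed.

    Even the allowed fallback uses a distinct context label, so both endpoints can only
    agree on a key if both know they are in the degraded mode.
    """
    if k_qkd is None:
        if qkd_required:
            raise RuntimeError("QKD key unavailable; refusing to downgrade to the session key alone")
        return kdf_combine(k_session, b"", context=b"link-key-degraded")
    return kdf_combine(k_session, k_qkd)


def cancellation_demo(combine) -> bool:
    """Can a party who knows k_session and dictates the other key force a chosen link key?

    Returns True if the forced key equals the chosen target (constructed scenario).
    """
    k_session = secrets.token_bytes(32)
    target = bytes(32)                         # the key the influencing party wants
    k_other = xor_combine(k_session, target)   # chosen so that k_session XOR k_other == target
    return combine(k_session, k_other) == target


if __name__ == "__main__":
    print("XOR combiner can be forced:", cancellation_demo(xor_combine))   # True
    print("KDF combiner can be forced:", cancellation_demo(kdf_combine))   # False
```

The second point the paper makes, that the quantum channel going down must not silently remove QKD from the key, is a monitoring and policy matter as much as a cryptographic one: an endpoint that raises an error (and an alert) on missing QKD material gives operators a signal that the link is being interfered with, whereas silent fallback hides exactly that signal.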
Genome data 4.6
Aim
Secure the transmission of video conferences, exome data and genome data, which can legally be considered personally identifiable information.
Used technology
Analysis and recommendation
QKD is used here for its primary strength, providing transport security. This transport security is used to protect genome and exome sequence data, which is sensitive personal information that should be protected for a long time. Different from most other use cases, the one-time pad is used instead of AES. This removes the need to rely on computational hardness assumptions. Considering the short distance between the endpoints, the comment about physical exchanges of key material (see Sect. 6.5.3) also applies here. Amongst the use cases we analyzed, we view this one and Sect. 6.12 as the two more reasonable ones due to the lack of obvious and/or fundamental problems (in comparison with the other use cases) and because of the use of one-time pad encryption instead of AES encryption.
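The practical consequence of choosing the one-time pad over AES is that QKD must deliver as many key bytes as there are data bytes, and every key byte may be used exactly once. The added Python example below (ours, not the project's code) models this with a key pool at each endpoint filled with the same QKD-delivered material: encryption consumes and wipes pad bytes, the receiver decrypts at the same pool offset, and the pool refuses to encrypt when the key budget is exhausted rather than reusing material. The pool class, the offset-based synchronization and the sample genome fragment are constructed for illustration.

```python
import secrets


class QkdKeyPool:
    """Key bytes delivered by a (simulated) QKD link; every byte is handed out at most once."""

    def __init__(self, key_material: bytes):
        self._buf = bytearray(key_material)
        self._pos = 0

    @property
    def position(self) -> int:
        return self._pos

    def remaining(self) -> int:
        return len(self._buf) - self._pos

    def take(self, n: int) -> bytes:
        """Hand out the next n pad bytes and wipe them so they can never be reused."""
        if n > self.remaining():
            raise RuntimeError(f"key pool exhausted: need {n} bytes, have {self.remaining()}")
        chunk = bytes(self._buf[self._pos:self._pos + n])
        self._buf[self._pos:self._pos + n] = bytes(n)
        self._pos += n
        return chunk


def otp_encrypt(pool: QkdKeyPool, plaintext: bytes):
    """Return (offset, ciphertext); the offset tells the receiver which pad bytes were used."""
    offset = pool.position
    pad = pool.take(len(plaintext))
    return offset, bytes(p ^ k for p, k in zip(plaintext, pad))


def otp_decrypt(pool: QkdKeyPool, offset: int, ciphertext: bytes) -> bytes:
    """Decrypt with the receiver's copy of the pool; refuse if the two ends are out of sync."""
    if offset != pool.position:
        raise RuntimeError(f"pool desynchronised: sender used offset {offset}, receiver is at {pool.position}")
    pad = pool.take(len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, pad))


def round_trip(material: bytes, messages):
    """Send each message from a sender pool to a receiver pool built from the same QKD material."""
    sender, receiver = QkdKeyPool(material), QkdKeyPool(material)
    recovered = []
    for msg in messages:
        offset, ct = otp_encrypt(sender, msg)
        recovered.append(otp_decrypt(receiver, offset, ct))
    return recovered, sender.remaining()


if __name__ == "__main__":
    # Constructed example: 64 bytes of QKD key protect two short genome fragments.
    material = secrets.token_bytes(64)
    fragments = [b"ACGTACGTTGCA", b"GGCCTTAAGGCC"]
    out, left = round_trip(material, fragments)
    print(out == fragments, "pad bytes left:", left)  # True pad bytes left: 40
```

The exhaustion check is where the scaling limitation the paper mentions becomes concrete: a link that produces key material slower than the data rate cannot sustain one-time pad encryption, and the only safe response is to stop sending, not to stretch or reuse the pad.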
Metrics of an overbraider machine 4.7
Aim
Used technology
Analysis and recommendation
We arrive at similar conclusions as in Sect. 6.5.3, in that we don't see anything fundamentally wrong about the way that QKD is used here.
Self-driving cars 4.8
Aim
Used technology
Analysis and recommendation
In the case of rental cars, we note that the owning company will be in regular physical contact with them for maintenance. In this scenario, installing pre-shared keys appears to be an alternative that uses much simpler and cheaper technology, while at the same time being significantly more secure since it does not have to rely on trusted nodes (recall Sect. 2.6.1).
In the case of privately owned cars, we first note that transmitting significant amounts of real-time telemetry data to the manufacturer could constitute a significant infringement of privacy, which would make transmission undesirable in any case. Even when setting these ethical concerns aside, it is still not clear why this would make a convincing use case: it would still be viable and more practical to rely on pre-installed key material that gets updated (replaced) during the necessary regular maintenance in a car workshop.
For the protection of software updates, we note that QKD is used purely to ensure authenticity. As in the voting use case (Sect. 6.2), this raises the question of where the QKD protocol derives its authenticated channel from and why that authentication mechanism couldn't be used directly for the software updates instead.
Grid network 4.9
Aim
Used technology
Analysis and recommendation
The security goals of this use case seem underspecified – for example, the level of protection did not become fully clear: it neither became clear what kind of data it aims to protect, nor for how long, nor against which kinds of attacks. The stated security goals furthermore include phrasing that suggests that they are independent of the used cryptography, such as ‘hackers taking control of the electricity distribution network’ [113, Sect. 3.1] (which would go far beyond dealing with cryptography). For network takeovers, the main attack surfaces (code execution and privilege escalation) cannot be fixed on the level of cryptographic protocols. Our primary recommendation for this use case thus is to first create a clear threat model, to analyze which attacks follow from that threat model, and then to analyze which technologies can prevent these attacks. In case the involved data needs long-term confidentiality (e.g. private information on energy usage), then QKD could be an (albeit more expensive) alternative to PQC to accomplish that.
Authentication of smart grid communications 4.10
Aim
Used technology
Analysis and recommendation
Although the presentation in [130] suggests that the solution achieves information-theoretic authentication, this is not the case. The solution uses GMAC with AES, which is not information-theoretically secure. (GMAC with OTP would achieve statistical authenticity, but this drops to computational security when used with AES.)
This use case only requires authentication. With the same reasoning as for the other use cases that only require authenticity, voting (Sect. 6.2) and software updates of self-driving cars (Sect. 6.9), we assess QKD as not adding any value to this use case.
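The parenthetical distinction above, statistical versus computational authenticity, comes down to where the MAC's keys originate. A Wegman-Carter MAC computes a polynomial universal hash of the message under a hash key r and masks the result with a one-time pad s; if r and s are fresh, uniformly random QKD bytes for every message, the forgery probability is bounded by a statistical term that no amount of computation improves. GMAC has exactly this structure, but derives the mask from AES applied to a nonce and keeps the hash key fixed across messages, so its security becomes that of AES. The added Python example below (our code, not from [130]) implements the one-time variant in Poly1305 style over the prime 2^130 - 5; the key clamping, the 32-byte per-message key input and the sample grid measurement are our own choices.

```python
import hmac

P = (1 << 130) - 5                                  # the Poly1305 prime
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff        # Poly1305 clamp on the hash key


def poly_hash(r: int, msg: bytes) -> int:
    """Polynomial universal hash over GF(P).

    Each 16-byte block gets a 0x01 byte appended so that messages of different
    lengths (or with trailing zero bytes) map to different polynomials.
    """
    acc = 0
    for i in range(0, len(msg), 16):
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P
    return acc


def one_time_key(fresh_bytes: bytes):
    """Turn 32 bytes of fresh (never reused) QKD key material into the pair (r, s)."""
    if len(fresh_bytes) != 32:
        raise ValueError("need exactly 32 fresh key bytes per message")
    r = int.from_bytes(fresh_bytes[:16], "little") & R_CLAMP
    s = int.from_bytes(fresh_bytes[16:], "little")
    return r, s


def one_time_tag(r: int, s: int, msg: bytes) -> bytes:
    """Wegman-Carter tag: universal hash of msg, masked by the one-time pad s."""
    return ((poly_hash(r, msg) + s) % (1 << 128)).to_bytes(16, "little")


def verify(r: int, s: int, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(one_time_tag(r, s, msg), tag)


if __name__ == "__main__":
    # Constructed example: one smart-grid measurement, keyed with 32 fixed "QKD" bytes.
    key_bytes = bytes(range(32))
    r, s = one_time_key(key_bytes)
    measurement = b"substation=7;V=230.4;I=12.1;ts=1700000000"
    tag = one_time_tag(r, s, measurement)
    print(verify(r, s, measurement, tag),                     # True
          verify(r, s, measurement.replace(b"12.1", b"92.1"), tag))  # False
```

The one-time property is the whole point: both r and s must be discarded after a single message, which is why this construction consumes 32 bytes of QKD key per authenticated message, exactly the budgeting issue the one-time pad raises for confidentiality. Deriving s from AES instead (as GMAC does) removes that cost and, with it, the information-theoretic guarantee.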
Genome distance sharing 4.11
Aim
Secure the transmission of genome distance data.
Used technology
Analysis and recommendation
We come to the same conclusions as for the genome data use case (Sect. 6.7), with two additional remarks:
Conclusion
As quantum computing continues to develop, there is increasing attention on the risks that surround traditional cryptography in the presence of quantum attackers. To mitigate these risks, it is necessary to consider alternative approaches such as QKD and PQC. In this paper, we conducted an in-depth security evaluation of QKD-based approaches across various real-world use cases. Our analysis highlights both the theoretical strength of QKD (not having to rely on computational assumptions), as well as its theoretical and practical limitations, such as the need to rely on physical assumptions, high implementation costs in currently available systems, poor scaling behaviour, and limitations in applicability.
We compared QKD with other cryptographic alternatives, particularly with PQC, which offers a more direct transition path for existing systems and infrastructures. While PQC addresses the potential threats from quantum computers, QKD in conjunction with OTPs might be able to offer everlasting confidentiality. We analyzed sufficiently documented use cases and saw that in most, QKD provides very limited or no advantage over other methods for key establishment such as PQC or pre-shared keys. The analyzed examples included using QKD for authentication, using QKD with AES to secure data between just two specific locations over a short distance, and using QKD to secure digital signing keys. The only use cases where we saw that QKD might be able to provide an advantage are use cases that use QKD with OTP (instead of AES) to secure a short-distance connection, as this might be able to secure data against an attacker with unlimited computational resources. These use cases include sharing genome data using OTP. One other potential advantage of QKD is that it can provide PCS without relying on computational assumptions, although none of the analyzed use cases even mention this as a security requirement.
Decision-makers must weigh the trade-offs between QKD and PQC to select the most appropriate solution for securing their systems in the post-quantum era.
Acknowledgements
Not applicable.
Abbreviations
Appendix: Not considered use cases
All the use cases analyzed in this paper have been sourced from various research articles, company websites, and other references. In Sect. 5, we outline the key information required for analyzing each use case. However, for some use cases, relevant data or information is unavailable for unknown reasons. To ensure completeness, we have listed these cases here. Since the necessary data is lacking, we are unable to assess their potential impact.
A.1 Madrid QCI use cases
Besides not finding enough information for the use cases demonstrated by the Madrid QCI [137], we sometimes had other reasons for exclusion. We briefly discuss the use cases below:
A.2 Quantum CTek use cases
The use cases listed on the website of Quantum CTek [35] did not include enough technical information for analysis and we therefore have been unable to verify the claims made by the original project. However, we still summarize the use cases including the unverified claims below.
Author contributions
NA, BC and SD conducted the literature search for relevant use cases. NA, BC, SD, KH, FJW and SV contributed to the background and discussion of QKD and PQC. NA, BC, SD, KH, FJW and SV devised the analysis method. NA, SD, KH, FJW conducted the use case analysis. NA, BC, SD, KH and FJW wrote the manuscript. CO, SR, BS, ITM and SV reviewed the manuscript text. All authors contributed to final revision of the manuscript. All authors read and approved the final version of the manuscript.
Funding
This work was in part funded by the Dutch Ministry of Economic Affairs and Climate Policy (EZK) as part of the Quantum Delta NL National Growthfunds on Quantum Technology and by the NWO NWA project FIQCS (NWA.1436.20.005).
Data Availability
No datasets were generated or analysed during the current study.
Declarations
Competing interests
The authors declare no competing interests.