On Mon, Mar 23, 2026 at 05:27:58PM +0000, John Mattsson wrote: > >You need a QKD transmitter at one end and a receiver at the other end > >of every link. This means the scaling is O(N^2). > > The main problem is not the N^2 new hardware tied to the physical > layer, the main problem is that you need a full mesh N^2 > point-to-point links between all the N parties. Trusted parties breaks > e2ee.
N^2 is the reason that the Internet has routers: so it can scale. But what kills QKD is the lack of "quantum authentication". You have to use classical cryptography to authenticate QKD when the whole point of QKD is to have something that is physically provably secure w/o reference to any potentially-weak classical (non-quantum) cryptography. I.e., there's just no point to QKD full stop. Even if quantum authentication existed, presumably we'd need physical contact to exchange set it up, which is another thing that won't scale, so even if there was a fully-quantum point-to-point solution, it wouldn't scale even if we built quantum-hop-by-quantum-hop authentication protocols. QKD is a dead end. Nothing can save it. Any attempt to sell QKD must inherently be snake-oil-like because of this. And they generally are. Nico -- _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
