beloch 5 hours ago

Two points:

1. There is a strong anti-QKD bias on HN or, at least, a very vocal few who reliably heckle anyone who discusses it. I get shouted at if I even mention it, and will likely get shouted at for saying this.

2. Should you trust the NSA's recommendations? This is a valid question, now more than ever.

mswphd 5 hours ago

There is a strong anti-QKD bias among experts who understand QKD. It is a fun academic concept, but does not solve a real world problem, and does not use techniques available at remotely comparable costs to classical cryptography in the real world, and even if you pay the enormous costs for it, it is trivial for an attacker to completely disrupt your communication in a way that cannot be recovered from (without out-of-band communication, e.g. either sending a courier, or using computational cryptography).

If you hate the NSA that's fine. Nobody in the EU cried foul over the NSA's recommendations though (and the NIST-winning schemes are European). Chinese scholars submitted some fundamentally similar schemes, and the Chinese Academy of Sciences has formally recommended lattice-based schemes. While the Chinese (government-run) standardization is only starting, it is a very good bet that they will use a lattice-based scheme.

So, unless you think all of the world's governments (again, including China) are in a massive cabal to allow the NSA specifically to spy on the entire world, #2 is not a particularly valid question.

pyinstallwoes 5 hours ago

You don’t have to trust the recommendations; you can analyze the reasoning behind their decisions and argue that. In this case the risk is on the engineering and hardware side, and also denial of service, in addition to the trusted relays. Those are valid disputes.

beloch 5 hours ago

You can argue these exhaustively. They have not done that here. Some of their arguments are complete bunk.

e.g. "Quantum key distribution requires special purpose equipment"

Yes, it requires special equipment. That hasn't deterred some from using it where the added expense is warranted. Commercial QKD systems have been in use for decades. The technology is not currently useful for credit card transactions from your living room, but that doesn't mean it has no applications.

"Since QKD is hardware-based it also lacks flexibility for upgrades or security patches."

This is like arguing that, because your internet connection runs on hardware, nothing can be done to upgrade it or fix security vulnerabilities. If your last-mile connection is copper, as it is for many, there have likely been massive upgrades to its bandwidth and security over the years in the form of changes to what's on either end of the copper. Fiber is the same way. A huge part of QKD protocols is software as well.

When I see points like these, I question the source. They appear to have an agenda, and they certainly have motive. Remember, this is an organization whose business has been spying on its own citizens for decades.