This post is based on a conversation with Bill Munro from HP Labs.

One of the few uses for quantum information theory which is accessible using existing technology is *quantum cryptography* or *quantum key distribution* (QKD). QKD gives us a means by which to – in principle – share random bit strings with *complete security*, by which we mean that any attempt to eavesdrop on the communication can be detected and there is no way of circumventing this. So what’s the use in sharing a random bit string with someone? There is only one *completely* uncrackable encryption protocol, known as the *one-time pad* or *Vernam cipher*. By ‘completely uncrackable’ we mean that – hypothetically speaking – even with infinite computing power at one’s disposal, it is not possible to crack. The one-time pad protocol relies on a completely secure random bit string as a resource. The caveat is that the random bit string must be as long as the message being encrypted. For this reason the one-time pad is rather impractical in most situations, since if we had the means by which to securely share a random bit string we could have just used it to share our secret message in the first place. QKD solves this problem.

There have been many experimental demonstrations of QKD over increasingly long distances and recently commercial cryptography systems based on QKD have become available, most notably by MagiQ. Companies which manufacture commercial QKD systems tout the incredible security of QKD which is ‘guaranteed by the laws of physics’. In principle such a claim is correct. However, Bill drew my attention to a very interesting point recently. The rate at which commerical QKD systems can communicate random bit strings is very slow – on the order of a hundred bits per second. Since the one-time pad requires a random bit string as long as the message to be encrypted, it should be clear that such a system is not going to be useful for anything but the smallest messages. For this reason, these systems don’t actually employ the one-time pad algorithm at all. Instead they employ conventional cryptographic protocols such as triple–DES and AES, which require much smaller keys. Of course this completely undermines the security of QKD, since QKD inherently derives its security from the fact that the one-time pad is the only completely secure cipher.

When I first learned this I was extremely surprised, since, while it may not be explicitly advertised, it is taken for granted that any QKD system will employ the one-time pad cipher. My take on all this is that customers of current QKD systems are paying hundreds of thousands of dollars for cryptosystems no more secure than freely available software packages like PGP.