
One time pad. Inefficient, but guaranteed secure by mathematical proof if the key is secure. Google it. QKD is far from ready for last-mile networks

The very term QKD as "Quantum Key Distribution" implies that the system we're discussing is good only for distribution of keys much shorter than the message.

So which is it?

You're not impressing me with the claiming of "one time pad security" for a system that's not actually a one time pad. This is classic snake oil jargon.

Your arguments against it are the same that were once applied to transistors or lasers.

Yes, I'll admit there's an element of reactionary conservatism here. The difference is that lasers were demonstrably doing something new and transistors were doing something existing (amplification) in a way that had radically better economics.

QKD is taking something that we're already doing now (non-intrinsically authenticated key agreement) and claiming that there's a need to do it in this new, expensive, complicated, and fragile way. Forgive me if I don't just take your word for it.

It would really be cool for those saying "really, your (EC)DH will be broken in 20 years" to put it where their mouth is and tell us what attacks they have in mind. Otherwise, it's just FUD.

"Quantum Key Distribution" in no way implies the key is shorter than the message. It actually needs to be longer to allow for error correction, authentication, and privacy amplification (i.e. to compensate for noise that could be attributed to an attack). A one time pad, or Vernam cipher, is commonly used in commercial QKD systems. It's not snake oil. Please google it. It's dead simple to understand and almost as easy to understand why it's impossible to break if used properly. As I pointed out, it's the gold standard for paranoid government agencies even without QKD, ergo spooks with suitcases on planes.

As for attacks on ECDH, look up Shor's algorithm. That particular algorithm needs a quantum computer to run, but there is no existing proof showing that it is impossible to find one that would run efficiently on a classical computer. Again, the nature of classical communications means that encrypted messages may be copied and archived, so that vulnerabilities found in the future can compromise messages you send today. Maybe nobody will ever manage to crack ECDH, but maybe they will. It's a gamble. Quantum communications cannot be copied and archived so QKD must be broken at the time of transmission or the message is safe for all time. That's the big difference.

Again, I'm not suggesting ECDH isn't fine for most normal people's day-to-day needs. We're talking about secrets that need to be kept for generations that you simply don't want to gamble on.
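The one-time pad properties the two commenters argue over (the key must be at least as long as the message, every same-length plaintext is equally consistent with a given ciphertext, and "used properly" means a pad is never reused) as an added Python example; this is not code from anyone in the thread, and the message strings are constructed samples.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam / one-time pad: XOR each message byte with a fresh random key byte.
    The pad must be at least as long as the message; this is the "inefficient"
    part, and the reason QKD must deliver at least one key bit per message bit."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext of the same
    length there is exactly one pad that maps it to this ciphertext, so the
    ciphertext alone carries no information about which plaintext was sent."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What 'used properly' guards against: two ciphertexts under the same pad
    XOR to p1 ^ p2. The pad cancels out and the relationship between the two
    messages is exposed, so the proof of security no longer applies."""
    if len(c1) != len(c2):
        raise ValueError("ciphertexts must match in length")
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> dict:
    message = b"meet me at dawn"            # constructed sample message (15 bytes)
    key = os.urandom(len(message))          # one fresh random pad byte per message byte
    ct = otp_encrypt(message, key)
    # A decoy of the same length is just as consistent with ct under some other pad.
    decoy = b"see you at noon"              # constructed, same length as message
    decoy_key = key_explaining(ct, decoy)
    # Reuse the pad for a second message and p1 ^ p2 leaks from the ciphertexts alone.
    other = b"stay home today"              # constructed, same length as message
    leaked = pad_reuse_leak(ct, otp_encrypt(other, key))
    return {
        "roundtrip": otp_decrypt(ct, key) == message,
        "decoy_consistent": otp_decrypt(ct, decoy_key) == decoy,
        "reuse_leaks_xor": leaked == pad_reuse_leak(message, other),
    }
```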
