Firstly, QKD - that is quantum key distribution - is simply that. A method whereby two parties can establish a secret key. The possible information leakage of this key to an eavesdropper can be tightly controlled and a definite bound put on the risk exposure.

It should be compared with other methods for key distribution - not other encryption algorithms. Once you have established the key you can use it in whichever way you see fit.

It makes no sense to compare QKD to AES, unless one is thinking of AES as an encryption tool for securing key distribution. If so, then both QKD and AES require the two parties to possess some initial secret.

There is no way round this - either classically or quantum mechanically. It is a problem you cannot solve with either classical or quantum means. So AES and QKD start from exactly the same place. QKD systems need to possess some means to make an initial authentication to fully secure the channel. But two parties wishing to use AES also need to share some initial secret which may be used for either implicit or explicit authentication.

Public key systems also require this initial authentication. From a certain perspective, PK systems simply transfer the problems of key management into problems of certificate management. Whilst this may be operationally beneficial in some scenarios it is simply an expression of the fact that if two parties wish to communicate in secret then they must already possess some shared secret.

QKD is only one possible component of a much larger security infrastructure. I think it has been dreadfully oversold by some physicists. It allows the risk of key distribution to be more tightly controlled. It is not the be all and end all of security by any means.

Organisations wishing this level of security for this particular component of their security infrastructure may well consider QKD as a possible solution. But, in general, it will come down to whether the risks for existing techniques for key distribution are sufficient to warrant the extra expense involved in reducing those risks using QKD.

Perfect security is a ridiculous goal. Bob Morris expressed it rather well in response to a comment by Whit Diffie at a conference I attended. Diffie was stressing the importance of key length and security, and commenting on the required key lengths to keep security agencies at bay. He was asked by Morris whether he thought it was more difficult for the NSA to steal a 60 bit key or a 90 bit key.

The response underlines that all of the high-tech security in the world will not buy you what you think you may have when humans and human processes are involved somewhere in the chain.

QKD may be a valuable tool for reducing the risk of key distribution for certain high value links. Whether the consequent reduction in risk (if any) is worth it is a commercial/operational decision.

Current commercial QKD systems exploit the quantum property of complementarity. QKD systems using entangled photons exploit quantum correlation properties and are not currently commercially available, to my knowledge.

Here is the link
http://www.secoqc.net/downloads/secoqc_crypto_wp.pdf

And here is the abstract

The SECOQC White Paper on Quantum Key Distribution is the outcome on a thorough consultation and discussion among the participants of the European project SECOQC (www.secoqc.net).
This paper is a review article that attempts to position Quantum Key Distribution (QKD) in terms of cryptographic applications. A detailed comparison of QKD with the solutions currently in use to solve the key distribution problem, based on classical cryptography, is provided. We also detail how the work on QKD networks lead within SECOQC will allow the deployment of long-distance secure communication infrastructures based on quantum cryptography
The purpose of the White Paper is finally to promote closer collaboration between classical and quantum cryptographers. We believe that very fruitful research, involving both communities, could emerge in the future years and try to sketch what may be the next challenges in this direction.

--
Dr. Romain Alléaume
Assistant Professor / Maître de Conférence
ENST Paris & LTCI-UMR CNRS 5141
Network and Computer Science Department / Département Informatique et Réseaux
37/39 rue Dareau, 75014 Paris, France

1)Perry seemed to suggest Q. Computation is definitely plausible and more interesting quantum technology.

2)He also says q. crypto is pointless because AES is secure enough.

My question is:
What happens when quantum computers are available (say in 20 years) and someone finds an efficienct q. algorithm to crack AES (similar to Shor's)? Isn't the point of Q crypto that we know it is overkill now, but best to be prepared for the future...especially if you believe q. computation is coming soon.

2) It's not an encryption algorithm, it's a (random) key growing algorithm. Only that.

6) It can use entangled photons (not that it is for any relevance to the man in the middle attack).

Sorry, this is my last posting in this thread. May I finally suggest those really interested in the state of the art read the review http://arxiv.org/abs/quant-ph/0101098
- as opposed to reading postings by persons who enjoy producing long opinionated comments about things they do not understand.