Quantum cryptography is all the hype. Everyone's talking about it. Scientists are competing to do it over the longest possible distances, with the highest possible bit-rates and even to put it into orbit on satellites. In this post I'd like to explain what quantum cryptography is and compare it to classical cryptography. Then I'll tell you why I think it's all a waste of time and money, and why the same money should instead be spent on other quantum technologies like quantum computing.

**What is cryptography?**

Cryptography is the science of obfuscating messages so that only an intended recipient can read them, and no one else can. It's been around for millennia in early forms. First attempts at cryptography included simple substitution ciphers, whereby we swap around the letters in a message to scramble it. For example, we replace the letter 'A' with the letter 'P', the letter 'Z' with the letter 'C', and so on. The intended recipient knows in advance what the substitution is (the 'key'), and can easily reverse it. But someone who doesn't know the correct substitutions sees only gibberish. Modern cryptography is nothing more than a much more mathematically advanced approach to achieving the same goal. The simple substitution cipher I mentioned can trivially be broken using a letter-frequency analysis. We know that in the English language different letters appear with different frequencies. The letter 'E' appears much more often than the letter 'X'. Thus, by carefully analysing the frequencies of different letters, we can soon figure out what the substitution is. This is called cryptanalysis. During World War II the Nazis used the Enigma machine to encrypt their communications. This was famously cracked by Alan Turing, arguably tipping the balance in the war. Modern codes eliminate these kinds of attacks using advanced mathematics, which creates codes much harder to cryptanalyse and reverse.
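To make the letter-frequency analysis described above concrete, here is an added example (not part of the original post) that encrypts a message with a substitution cipher and then guesses the key by matching frequency ranks. The key, the sample message and the function names are constructed for illustration; the key follows the post's 'A' to 'P' and 'Z' to 'C' substitutions.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
# Constructed substitution key (assumption): A->P, ..., Z->C as in the text.
KEY = "PHQGIUMEAYLNOFDXJKRBVSTZWC"
ENCRYPT = str.maketrans(ALPHABET, KEY)

# English letters from most to least frequent (approximate, commonly cited order).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

# Constructed sample message; 'E' dominates, as it does in ordinary English.
PLAINTEXT = ("THE ENEMY NEVER SLEEPS WHEN WE SEND THESE SECRET MESSAGES "
             "BETWEEN THE THREE KEEPERS")

def encrypt(text):
    """Apply the substitution; spaces and other non-letters pass through."""
    return text.translate(ENCRYPT)

def letter_counts(text):
    """Histogram of the letters only."""
    return Counter(c for c in text if c in ALPHABET)

def guess_key(ciphertext):
    """Map each cipher letter to a plaintext guess by matching frequency ranks."""
    ranked = [c for c, _ in letter_counts(ciphertext).most_common()]
    return {c: ENGLISH_ORDER[i] for i, c in enumerate(ranked)}

def partial_decrypt(ciphertext, guess):
    """Substitute the guessed letters back; the result is a first draft only."""
    return "".join(guess.get(c, c) for c in ciphertext)

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT)
    guess = guess_key(ct)
    print(ct)
    print(partial_decrypt(ct, guess))
```

The substitution only relabels letters, so the shape of the histogram survives encryption and the most frequent cipher letter gives away 'E' immediately. On a message this short, rank matching gets only the dominant letters right; longer ciphertexts and letter-pair statistics recover the rest.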

**What is quantum cryptography?**

Quantum cryptography is an approach to cryptography based on the laws of quantum mechanics. There are various protocols, but all ultimately rely on the truly random nature of the measurement of quantum mechanical systems. This randomness is used to obscure information in a way that cannot be reversed, even if the line of communication is eavesdropped. Quantum cryptography is 'provably secure' and immune to cryptanalysis. That is, we can mathematically prove that even if an eavesdropper has full access to the communication between two parties, it is theoretically impossible for them to extract the hidden message. This is a bold claim, and the reason quantum cryptography attracts so much interest. Several companies have released commercial quantum cryptography products, available to buy off-the-shelf for private use.

**Why do we need quantum cryptography?**

The reason quantum cryptography has attracted particular interest is that it is secure even with the advent of quantum computing. Quantum computers - computers based on the laws of quantum mechanics - are exponentially faster than classical computers for some applications. One of the best known applications for quantum computers is their ability to crack RSA, a public-key encryption protocol, which is the mainstay of modern secure internet communication. Every time you type in your credit card online it's protected by RSA encryption. And while there are no known classical algorithms that compromise RSA, there is a well known quantum algorithm that can easily crack it, known as Shor's algorithm. This is not the case for quantum cryptography. Quantum cryptography is secure even if the eavesdropper has a quantum computer at their disposal. Thus, proponents tout that quantum cryptography is necessary to future-proof our cryptographic protocols against quantum computers.

**What are the limitations of quantum cryptography?**

While quantum cryptography is provably secure on paper, when we build it, it's no longer on paper, but a physical device with imperfections. These imperfections can compromise the security of the protocol and undermine its status as 'provably secure'. There have been numerous cases where scientists have constructed a quantum cryptographic device and claimed it to be provably secure, only to have it debunked because the experiment they built in the lab didn't *perfectly* implement what was written on paper. For this reason, if someone approached me and asked for security advice, I would strongly advise *against* employing quantum cryptography.

**Why don't we need quantum cryptography?**

As discussed, quantum cryptography is provably secure on paper, but not necessarily so once it's built in the lab. We are presented with two alternatives. The first is to continue pursuing quantum cryptography, trying again and again to build physical devices that are provably secure. The second is to abandon it and go back to classical cryptography. Why do the latter when I've already said that classical cryptography can be compromised by quantum computers? Because not *all* classical cryptographic protocols are compromised by quantum computers. The RSA algorithm, which we heavily employ today, is compromised because quantum computers can solve the integer factorisation problem, upon which RSA is based. However, there are more recent classical protocols that are based on harder mathematical problems, which quantum computers are strongly believed to not be able to solve. One contender is the McEliece protocol. This is a public-key protocol, like RSA, and could therefore be applied to the same applications as RSA. However, McEliece is based on a so-called NP-hard problem. While this is not provably secure as quantum cryptography is, scientists have *very* strong reason to believe that NP-hard problems cannot be solved by quantum computers. If this mathematical statement is correct, then McEliece and other similar protocols would be viable protocols in a post-quantum computer world. The advantage of adopting a post-quantum classical cryptographic protocol as opposed to a quantum cryptographic protocol is that we don't need to build a whole new quantum infrastructure for the internet and other forms of communication - we can continue to use the same infrastructure and just update our software, with no additional cost. A software update is certainly much easier than putting quantum satellites into space.
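The dependence of RSA on integer factorisation mentioned above can be seen in a few lines. This is an added example, not part of the original post: textbook RSA without padding on constructed toy primes, with trial division standing in for Shor's algorithm. All names and values are assumptions chosen for illustration.

```python
from math import isqrt

# Constructed toy parameters (assumption): real RSA moduli are 2048 bits or more.
P, Q, E = 1009, 1013, 65537

def make_keypair(p, q, e):
    """Return (public key, private exponent) for textbook RSA without padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)

def factor(n):
    """Trial division, standing in for Shor's algorithm; feasible only for tiny n."""
    for candidate in range(3, isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no odd factor found")

def recover_private_exponent(public):
    """Rebuild the private exponent from the public key once n is factored."""
    n, e = public
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))

def demo(message=424242):
    """Encrypt with the public key, then decrypt using only public information."""
    public, d = make_keypair(P, Q, E)
    n, e = public
    ciphertext = pow(message, e, n)
    recovered_d = recover_private_exponent(public)
    return recovered_d == d, pow(ciphertext, recovered_d, n)

if __name__ == "__main__":
    print(demo())
```

Everything `recover_private_exponent` uses is public; the only step that is infeasible at real key sizes is `factor`, which is exactly the step a quantum computer running Shor's algorithm would make efficient.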

**What should we instead invest in?**

In my opinion, post-quantum classical cryptographic protocols are actually more secure than quantum cryptographic protocols, and the cost overhead is zero. As such, I see little reason to continue investing huge amounts of money into quantum cryptography. I'd rather see the money invested into other quantum technologies like quantum computing, which will have significant genuine benefits over classical computing that could be achieved in no other way.

Now that I've said all this I'm going to upset a lot of high-profile people and no one in the field of quantum cryptography is ever going to offer me a job again.