Inventors of Quantum Cryptography Win Turing Award

Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography.

I am incredibly pleased to see them get this recognition. I have always thought the technology to be fantastic, even though I think it’s largely unnecessary. I wrote up my thoughts back in 2008, in an essay titled “Quantum Cryptography: As Awesome As It Is Pointless” (https://www.schneier.com/essays/archives/2008/10/quantum_cryptography.html).

Back then, I wrote:

While I like the science of quantum cryptography—my undergraduate degree was in physics—I don’t see any commercial value in it. I don’t believe it solves any security problem that needs solving. I don’t believe that it’s worth paying for, and I can’t imagine anyone but a few technophiles buying and deploying it. Systems that use it don’t magically become unbreakable, because the quantum part doesn’t address the weak points of the system.

Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Cryptography is the one area of security that we can get right. We already have good encryption algorithms, good authentication algorithms and good key-agreement protocols. Maybe quantum cryptography can make that link stronger, but why would anyone bother? There are far more serious security problems to worry about, and it makes much more sense to spend effort securing those.

As I’ve often said, it’s like defending yourself against an approaching attacker by putting a huge stake in the ground. It’s useless to argue about whether the stake should be 50 feet tall or 100 feet tall, because either way, the attacker is going to go around it. Even quantum cryptography doesn’t “solve” all of cryptography: The keys are exchanged with photons, but a conventional mathematical algorithm takes over for the actual encryption.

What about quantum computation? I’m not worried; the math is ahead of the physics. Reports of progress in that area are overblown. And if there’s a security crisis because of a quantum computation breakthrough, it’s because our systems aren’t crypto-agile.

Posted on March 31, 2026 at 7:05 AM • 5 Comments

Comments

Who? March 31, 2026 11:00 AM

A cryptographically relevant quantum computer (“CRQC”) may not be as good as it sounds for our society. Recently, requirements to break secp256k1 have been lowered to only half a million qubits.

Clive Robinson March 31, 2026 12:36 PM

@ Bruce,

“Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography.”

There is an interesting pre-story, in the fact that the work that led up to it was a thought experiment to invent unforgeable currency using quantum wells which Gilles Brassard has talked about in the past.

He’s also mentioned it was not secure due to an acoustic side channel due to being able to hear the polarisers changing position, which was a useful diagnostic aid.

But the big issue is the “medium” the photons travel in.

This limited the range to a few tens of meters originally, which brings us to,

“While I like the science of quantum cryptography—my undergraduate degree was in physics—I don’t see any commercial value in it. I don’t believe it solves any security problem that needs solving. I don’t believe that it’s worth paying for, and I can’t imagine anyone but a few technophiles buying and deploying it.”

Nearly all the issues are to do with the channel medium which has improved significantly recently.

But as the Chinese have been proving the use of quantum entangled particles in the medium of “space” can solve many of these and may in fact be the only way we can get Secure Key Distribution between satellites that are going to be up in space for a quarter of a century to work, and they are becoming rather more numerous of late. Not just for military applications but civil as well.

The real issue is “terrestrial internets” unlike space systems that are mostly “point to point” they are “multipoint to multipoint”, hence your,

“The real problems are elsewhere: computer security, network security, user interface and so on.”

As I’ve mentioned before QKD does not work with “switches” and like “repeaters” they are not currently secure.

The thing is, is this actually something that will always be an issue, or is it something we are working toward a solution for?

I won’t go into details but people are working on solving them in various ways.

Thus the question devolves down to what do we mean by “secure”?

I’m firmly convinced that we can have real security in some areas…

BUT, that we “can not” and more importantly “will not” be allowed to have “full security” in consumer and commercial equipment.

As I’ve pointed out for quite some time it’s in part a question of how you make and manage a system where,

1, The “Security End Point” and what follows is
2, Securely beyond the “communications End Point”.

As can be seen the security success of E2EE has been killed by “Client Side Scanning” that Apple started putting in their products.

But… As I’ve pointed out and proved in the past, you can create a “plaintext” that has a “covert channel” within it that can not be “proved” to exist and is deniable to any 3rd Party Observer.

But others have recently used the same reasoning to show that Guide Rails on LLMs irrespective of input, output, or both will always be subject to being “jail broken” by simple “Crypto”.

So we know that there are some things that “observers” can not do, thus actual Shannon “Perfect Security” can be had with appropriate system design.

Ray Dillinger March 31, 2026 2:31 PM

Bruce is right; it doesn’t solve a problem we actually have. Even if it worked perfectly.

A problem that we do actually have is Kleptographic Standards attacks. For example the Dual-EC DRBG standard promulgated by NIST a few years ago. Bruce probably remembers:

https://www.schneier.com/blog/archives/2022/06/on-the-subversion-of-nist-by-the-nsa.html

On Quantum Crypto, I think I’m more in the camp of Peter Gutmann, who thinks it’s bollocks.

https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf

So let’s have a look at this attack and ask why Quantum Crypto has become so important:

NIST has a new standard that’s settled on several “quantum-secure” algorithms such as SKEIN, KYBER, and KEM. Those algorithms are still too new and under-examined to really trust on the same level of evidence that assures trust with existing non-quantum algorithms, so if you’re going to use them it’s a valid design choice to use them “layered” with algorithms which are trusted on stronger evidence.

But NIST is specifically recommending against such deployment, and actually seems to be spending significant effort on convincing people not to. They are saying people should use these new algorithms, by themselves, and trust them completely.

That seems pretty odd, doesn’t it? So why would they do that?

I looked around some research papers and found what may be some answers to why.

Could it be because https://eprint.iacr.org/2022/1681.pdf ?

or maybe because https://link.springer.com/chapter/10.1007/978-3-031-82852-2_11 ?

So, I see the attack we are dealing with here, and it isn’t an attack on data in flight. It’s an attack on the standardization process.

Quantum Cryptography, while intellectually neat, does not present a practical attack that we need protection against at this time. Kleptographic Standards on the other hand are very much a practical attack that we need to protect against at this time.

When a standards body tells you that you should cast aside well-studied cryptographic algorithms which have earned their trust through dozens of years of examination, testing, and motivated attackers, for the sake of protection against Quantum Crypto? The attack you should be protecting against isn’t Quantum Crypto.

QC in this case was just something that very few people fully understand. Such things are easy pretexts for spreading FUD about. And generating sufficient FUD is a crucial step in performing a Kleptographic Standards attack.

Ray Dillinger March 31, 2026 2:43 PM

I don’t mean to diminish the work of Bennett and Brassard. They had some amazing insights and deserve their award.

At the same time I suppose that people affiliated with various three-letter-agencies may have been consulted as to the value of their work when the Turing Awards were being considered. Those agencies, if they are behind the Kleptographic attack that appears to be happening here, may have had an interest in promoting public awareness of Quantum Crypto as a threat. Promoting public awareness of a threat is absolutely a necessary step in any campaign to use that threat as a lever to get people to do something stupid out of FUD.

So I fear that the work of Bennett and Brassard, however good it may be, would likely have gone unrecognized if not for the input of people who are, despite all protestations, unlikely to be motivated by protecting people against it.
