Quantum mechanics has been tested over several decades and has been found to describe the world we live in very accurately. Any post-quantum deviations would be very minor.
I agree to that. However a very minor deviation could be enough. Cryptography is very, very sensitive to information leaks, far more than pysical measurements. This could well mean that you can break messages later. And, incidentially, you still have a conventional network and conventional encryption for the actual message. This means you have to maintain two networks and one of them is pretty expensive.
During the "hardware phase" of a quantum key exchange there is a certain amount of noise that has to be corrected due to imperfections in the channel and that means that there is in practice always possible with some information leakage. The apparatus therefore estimates the maximum possible amount of information leakage (making sure it is overestimated rather than underestimated) and performs "privacy amplification" to make sure that this information is useless to an eavesdropper (this lowers the key rate and is one of the reasons it is only 1 kbps). Now say an eavesdropper finds a new source of information leakage. This is only a problem if the total information leakage is greater than the estimated maximum leakage.
Here is a thought experiment for the key exchange: Say you can exchange 1kB of key material per second. Alternatively, say you have 1TB disks with one-time pads as key sources. This gives you enough key material for 31 years at the speed of the quantum link. Now, do you suppose creating these HDDs is cheaper or building and operating the quantum link is cheaper? I would say the pre-arranged one-time pads are several orders of magnitude cheaper. In addition, they are more reliable, easier to secure, well understood and use only proven technology.
I agree that creating and securing these HDDs is much cheaper, but a QKD system would fail more gracefully if you have a security breach in some realistic scenarios. Imagine that in month 2 you had an employee with malicious intent at your secure site. If this employee would be able to copy the 1 TB HDD, anyone outside would be able to decrypt anything during the next 31 years. The same person would only be able to leak information from his period of employment if a continuously generated key is used. (This is a somewhat oversimplified version of an argument made by a MagiQ representative)
If you really, really need high security, one-time pads do the job relatively cheap and with known properties. If you need more regular security, conventional encryption is fine. Quantum key exchange has no place in this.
QKD probably has a place in niche markets (companies like MagiQ and IdQuantique actually have customers). An intersting observation regardig the cost of QKD devices is that the cost of a full system is not much higher than the single photon detectors they contain. This means that if somebody finds a way to manufacture single photon detectors cheaply, the cost of QKD devices will drop drastically. If the devices are not very expensive and you already have fibers, why not use them?
Disclaimer: I have benefited from SECOQC funding, but have not worked on anything related to the implemented network or any other QKD implementations.
