up:: Quantum-Native Security MOC
QKD vs PQC
QKD versus PQC is the question every executive asks once they hear about the quantum threat: should we buy the “unbreakable quantum thing” or migrate our software to the new post-quantum algorithms? Quantum Key Distribution (QKD) shares an encryption key over a dedicated optical link, using the physics of measurement to catch any eavesdropper, and post-quantum cryptography (PQC) is a set of math-based algorithms NIST standardized to run as ordinary software on the networks you already have. They solve the same threat by opposite means, and the major Western security agencies have converged on the same answer: for almost every organization, PQC carries the transition and QKD stays a niche tool. NSA, the UK’s NCSC, and France’s ANSSI with Germany’s BSI all say so in published guidance.
The short version:
- QKD is quantum-native hardware that distributes keys over dedicated fiber or line-of-sight optics; PQC is a set of standardized math algorithms (ML-KEM, ML-DSA, SLH-DSA) that run in software over existing networks.
- QKD agrees a key and does no authentication on its own, so it always needs a classical or PQC layer to prove who is on the other end. PQC handles both key agreement and signatures.
- QKD is point-to-point and distance-limited, roughly 100 to a few hundred kilometers per link, and spanning farther today means “trusted nodes” that see the key in the clear.
- QKD is easy to disrupt: the same sensitivity that catches an eavesdropper lets an attacker jam the link and stop the key from flowing, a denial-of-service exposure PQC does not carry.
- NSA states plainly that it does not support QKD for National Security Systems; NCSC will not endorse it for government or military use; ANSSI, BSI, and partners call it a niche technology. All three recommend PQC as the primary mitigation.
- QKD earns a place on a handful of operator-controlled point-to-point links with a genuine information-theoretic requirement. PQC is the answer everywhere else.
Picture QKD as an armored courier who can only walk one specific hallway between two rooms you own, and PQC as a lock you can fit to any door, on any road, that also stamps a tamper-proof signature on everything it closes. The courier is genuinely clever in the one corridor built for them, and the lock is what actually secures the building, the campus, and everything shipped between cities.
What is the difference between QKD and PQC?
The difference is where the security comes from and what shape the technology takes. QKD roots its guarantee in the laws of quantum physics: because measuring a quantum state disturbs it and an unknown state cannot be copied, an eavesdropper on the quantum channel leaves statistical fingerprints the two parties can see, so they distill a clean key or abort. PQC roots its guarantee in mathematics: it rests on problems, such as finding short vectors in high-dimensional lattices, that are believed hard even for a quantum computer, and it runs as software on the hardware you already own.
That single distinction cascades into every practical property that matters:
| QKD | Post-quantum cryptography (PQC) | |
|---|---|---|
| Security basis | Laws of quantum physics (measuring a state disturbs it) | Math problems believed hard even for a quantum computer |
| Form | Specialized hardware plus dedicated fiber or line-of-sight optics | Software algorithms running on existing networks |
| What it does | Key agreement only | Key agreement and digital signatures / authentication |
| Reach | Point-to-point, roughly 100 to a few hundred km per link | Any routed network, the public internet, many-to-many |
| Authentication | None on its own; needs a classical or PQC layer | Provides it directly (ML-DSA, SLH-DSA signatures) |
| Standardization | Protocols not yet under a settled assurance standard | Finalized NIST standards (ML-KEM, ML-DSA, SLH-DSA) |
| Agency stance | Not recommended for general or high-assurance use | The recommended substrate for the transition |
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC),” nsa.gov; NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.
The takeaway is that QKD removes one assumption, the computational hardness of key agreement, and takes on several others in exchange: a separate authentication primitive, dedicated physical infrastructure, and trust that the hardware matches its idealized model. PQC keeps a computational assumption and asks for a software upgrade. For the estate most organizations run, that is a very different bill.
Why don’t NSA, NCSC, and ANSSI recommend QKD?
Because when the agencies weighed QKD’s physics-based promise against its engineering reality, the reality won, and they said so on the record. This is the load-bearing point for any board conversation, because it is the direct answer to “shouldn’t we just buy the unbreakable quantum thing instead of migrating.”
United States, NSA. NSA’s published guidance concludes that QKD’s limitations and implementation challenges make it impractical for national-security-system operational networks, and its bottom line is unambiguous: “NSA does not support the usage of QKD or QC to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.” NSA views quantum-resistant (post-quantum) cryptography as the more cost-effective and maintainable path, consistent with CNSA 2.0, which mandates PQC for national-security systems.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC),” nsa.gov.
United Kingdom, NCSC. The UK’s National Cyber Security Centre states it will not support the use of QKD for government or military applications, and advises that QKD should not be solely relied upon for generating and distributing cryptographic keys. Its central technical objection is that QKD provides no authentication, so it always has to be paired with quantum-resistant authentication, and it needs specialist hardware where PQC does not. NCSC recommends PQC as the primary mitigation to the quantum threat.
Source: UK NCSC, “Quantum security technologies,” ncsc.gov.uk; see also UK NCSC Quantum-safe Cryptography.
France, Germany, and partners, ANSSI and BSI. France’s ANSSI and Germany’s BSI, together with the Netherlands’ NLNCSA and Sweden’s national authority, published a joint position paper concluding that QKD currently applies only to certain niche use cases, and that for the vast majority of situations where classical key agreement is used today, QKD is not a practical option. Their shared priority is migration to post-quantum cryptography, which they note diverges far less from existing systems than QKD does.
Source: ANSSI, BSI, NLNCSA, and Swedish NCSA, “Position Paper on Quantum Key Distribution,” bsi.bund.de.
Three agencies, three jurisdictions, one conclusion: standardized PQC is the substrate for the quantum transition, and QKD is a specialized tool reserved for the rare cases where its physical-layer properties are genuinely required.
What are QKD’s practical limitations against PQC?
QKD’s constraints are physical, and they are the reason it stays niche while PQC scales. NSA enumerates five limitations in its guidance, and each one lands as a disadvantage compared with a software algorithm:
- It’s only a partial solution. QKD agrees keys but does no authentication, so it still requires a separate mechanism to prevent a man-in-the-middle. PQC signatures provide that authentication directly.
- It needs special-purpose equipment. QKD cannot be delivered in software or as a network service; it needs dedicated fiber or free-space optics and purpose-built photon hardware at both ends. PQC deploys as a software update.
- It raises infrastructure cost and insider-threat risk. Spanning distance means chaining “trusted nodes,” and every relay sees the key in the clear and becomes a node that has to be trusted. PQC routes end to end with no such relays.
- Securing and validating it is hard. Real QKD security depends on the hardware and engineering, not on physics alone, and confirming a fielded device meets the guarantee is a significant challenge. PQC’s security is analyzed at the algorithm level and validated through NIST’s process.
- It raises denial-of-service risk. The same sensitivity that catches an eavesdropper makes the link easy to disrupt: jam the channel and the key stops flowing. PQC has no equivalent single-link kill switch.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC),” nsa.gov, five limitations enumerated.
Two of these deserve a closer look, because they are where vendor pitches tend to skate past the physics. The distance limit is hard: photon loss in optical fiber grows exponentially with length, and because QKD depends on single photons that cannot be amplified without destroying their quantum state, the usable key rate collapses beyond roughly 100 to a few hundred kilometers per link, a ceiling fixed by the repeaterless secret-key-capacity (PLOB) bound. To go farther, QKD networks chain trusted nodes that decrypt and re-encrypt the key at each hop, which reintroduces the exact trust-in-intermediaries problem QKD’s physics argument was supposed to remove, so a continental QKD backbone is only as secure as its most-compromised relay.
Source: S. Pirandola, R. Laurenza, C. Ottaviani, L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nature Communications 8, 15043 (2017).
Does QKD replace the PQC migration?
No, and this is the misconception that costs the most money when it goes unchallenged. QKD cannot operate over routed networks, does no authentication, and needs dedicated hardware at both ends of every link, so it cannot carry an organization’s general cryptography. The overwhelming majority of enterprise, cloud, and internet systems route over shared networks that QKD’s point-to-point optics cannot serve at all, which means for those systems QKD is not a slower option, it is a non-option.
The harvest-now-decrypt-later threat makes this concrete. Adversaries record encrypted traffic today to decrypt it once a quantum computer exists, so long-lived data flowing over ordinary networks needs protecting now. That traffic runs across the public internet and shared infrastructure, exactly where QKD cannot reach, so the answer for nearly everyone is migrating to PQC and hybrid key exchange rather than wiring QKD across the estate. Buying a QKD link for two facilities does nothing for the thousands of connections harvesting actually threatens. A quantum computer also forges TLS certificate signatures once it exists, and QKD does no signing, so the authentication half of the transition is entirely a PQC job regardless.
When does QKD actually make sense over PQC?
QKD earns its place in a narrow band, and it is worth naming the band precisely rather than dismissing the technology. Reach for QKD, and not PQC alone, only when all of these hold at once:
- You control both endpoints and the fiber over a bounded distance, so there are no untrusted relays between the two facilities and both ends sit under one organization’s physical control.
- You have a genuine information-theoretic requirement for the key-agreement step, meaning your threat model legitimately includes adversaries beyond any computational assumption and the data has to stay confidential effectively forever. Certain state-secret and intelligence channels are the honest examples.
- You can absorb the overhead, meaning the specialist hardware, dedicated optics, denial-of-service exposure, and the separate authentication layer QKD still requires are all acceptable and budgeted.
Even in that niche, QKD is one component in a larger stack. It still needs an authentication layer to stop a man-in-the-middle, still needs the symmetric cipher such as AES-256 that consumes the keys it produces, and still needs the surrounding key management and operational controls. Everywhere outside that band, which is to say general-purpose key establishment over routed networks, the public internet, the vast majority of enterprise and cloud systems, and anything that cannot deploy its own dedicated optics, PQC provides the protection at software cost with no new hardware. Building crypto-agility so the next algorithm change is a configuration update is the general-purpose move, and QKD is the exception you reach for only when the physics is a hard requirement.
Common misconceptions
- “QKD is unbreakable, so it beats PQC.” The physics guarantee holds for an ideal system, and real QKD hardware has been attacked through side-channels, especially detector vulnerabilities. Security depends on the engineering of the specific device, which is why validating a fielded system is hard, and it is a large part of why the agencies stay cautious.
- “Adopting QKD means we can skip the PQC migration.” The agencies say the reverse. QKD covers one narrow job in a few settings and cannot serve routed networks, so PQC is the substrate they all recommend for the transition.
- “QKD handles authentication because it’s quantum.” It handles key agreement only. Authentication always comes from a separate classical or PQC layer, and without it QKD is wide open to a man-in-the-middle.
- “QKD is a drop-in replacement for TLS key exchange.” It is point-to-point hardware over dedicated optics, not a routable protocol, so it cannot run across the internet or serve the many-to-many connections TLS handles.
- “QKD removes the need to trust intermediaries.” Over distance it does the opposite, because the trusted-node relays that span long links see the key in the clear, so a long QKD network is only as trustworthy as its weakest relay.
Questions people ask
Is QKD better than post-quantum cryptography? Not for general use. They solve the same threat by different means, and for almost every real deployment PQC is the practical answer because it runs in software, it authenticates, and it works over ordinary networks. QKD is a niche complement, and NSA, NCSC, and ANSSI all direct buyers to PQC first.
Should my organization buy QKD instead of migrating to PQC? Almost certainly not. QKD makes sense only when you control both endpoints and the fiber over a bounded distance, have a real information-theoretic confidentiality requirement, and can absorb the hardware, denial-of-service, and authentication overhead. For everything else, PQC carries the migration.
Why do NSA and NCSC recommend PQC over QKD? Because QKD does no authentication on its own, needs dedicated hardware and links, is distance-limited, reintroduces trusted intermediaries over long spans, and is easy to jam, while PQC authenticates, runs in software over existing networks, and is standardized. NSA does not support QKD for National Security Systems and NCSC will not endorse it for government or military use.
Does QKD stop harvest-now-decrypt-later? For nearly everyone, PQC and hybrid key exchange stop it, because HNDL threatens data flowing over routed networks QKD cannot serve. QKD addresses the harvesting risk only on the specific point-to-point links where it can physically operate.
Can QKD and PQC be used together? Yes, in the narrow settings where QKD fits. A QKD deployment still needs authentication, and quantum-resistant PQC signatures are the natural way to provide it, so the two are complementary there rather than competing. For the rest of an estate, PQC does the whole job on its own.
How far can QKD reach compared to PQC? Commercial fiber QKD runs point-to-point over roughly 100 to a few hundred kilometers before the key rate collapses, a limit fixed by photon loss and the repeaterless (PLOB) bound. PQC runs over any routed network at internet scale, with no distance limit, which is a core reason it carries the general migration.
Everything here is the map, given freely. When your team needs its own estate assessed and a real post-quantum plan built, whether QKD belongs anywhere in it or not, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.