up:: Quantum-Native Security MOC
Quantum Key Distribution (QKD)
Quantum Key Distribution (QKD) is a hardware-based method for two parties to agree on a shared secret encryption key by sending individual particles of light over a dedicated physical link, using the laws of quantum physics to make any eavesdropping detectable. Because measuring a quantum state disturbs it, an interceptor leaves statistical fingerprints the two parties can see, so they either distill a clean key or abort. This is a different thing from PQC: QKD is quantum-native hardware that distributes keys over special optics, while PQC is a set of math-based algorithms that run in software on today’s networks. For almost every organization it’s PQC, not QKD, that answers the quantum threat, and the major Western security agencies say so plainly.
The short version:
- QKD shares a key by encoding random bits into single photons; the physics of measurement means an eavesdropper who peeks changes what the receiver sees, which is how tampering gets caught.
- It’s quantum-native and hardware-based. PQC is math-based software. They solve the same problem (surviving a quantum computer) by completely different means, and PQC is the mainstream answer.
- QKD agrees a key and nothing else. It provides no authentication on its own, so it always needs a classical or PQC layer running alongside it to prove who’s on the other end.
- Its physical limits are real: it needs dedicated fiber or line-of-sight optics, it caps out around 100 to a few hundred kilometers per link, and spanning longer distances today means chaining “trusted nodes” that see the key in the clear.
- NSA, the UK’s NCSC, and France’s ANSSI all direct buyers to standardized PQC and treat QKD as a niche tool for a few extreme-assurance settings, not a general-purpose replacement.
Think of QKD like handing someone a letter sealed with a film of wet ink that smudges the instant anyone reads it. If the seal arrives clean, no one opened it in transit, so you can trust what’s inside. That’s genuinely clever, and it’s also the whole trick: it works only when you hand the letter straight down one dedicated corridor, it doesn’t tell you the person receiving it is really who they claim to be, and you need special equipment at both ends. Useful in the right building, impractical as the postal system for the world.
What is Quantum Key Distribution (QKD)?
QKD is a family of protocols for establishing a shared symmetric key between two endpoints using quantum-mechanical light signals over a quantum channel, paired with an ordinary authenticated channel for the follow-up processing. The key material QKD produces then feeds a conventional symmetric cipher such as AES-256 for the actual encryption of data. QKD is sometimes labeled “quantum cryptography,” though that term is broader and sweeps in other quantum technologies.
The defining property is where the security comes from. Classical and post-quantum key agreement rest on computational hardness: an adversary could in principle recover the key but is assumed to lack the compute to do it. QKD rests on physics instead. Two facts of quantum mechanics, the no-cloning theorem and the way measurement disturbs a quantum state, make undetected eavesdropping on the quantum channel theoretically impossible, so the two parties can bound how much an eavesdropper could have learned and decide whether a safe key survives.
Two protocol families anchor the field:
- BB84 (Bennett and Brassard, 1984), the prepare-and-measure protocol. The sender encodes random bits into the polarization of single photons, picking randomly between two incompatible bases for each one; the receiver measures in a randomly chosen basis; afterward the two compare which bases they used and keep only the matching positions.
- E91 (Ekert, 1991), the entanglement-based protocol. A source distributes pairs of entangled photons to the two parties, who derive correlated key bits from their measurements, and an eavesdropper is caught by the drop in measured entanglement.
Source: C. H. Bennett and G. Brassard, “Quantum cryptography, Public key distribution and coin tossing,” Proc. IEEE Int. Conf. Computers, Systems and Signal Processing, 1984; A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Physical Review Letters 67, 661 (1991).
What QKD does not provide matters as much as what it does. QKD agrees a key but has no way to establish who is on the other end of the channel. To stop a physical man-in-the-middle, the classical processing channel has to be authenticated separately, either with an information-theoretic message-authentication code keyed by a pre-shared secret, or with public-key or PQC authentication. So a working QKD deployment always carries an authentication dependency on top of the quantum hardware.
How does QKD work?
Using BB84 as the worked example, one key-establishment run moves through five stages, no math required to follow the logic:
- Quantum transmission. The sender generates random bits, and for each one randomly picks one of two encoding bases, then sends a single photon prepared accordingly down the quantum channel, a dedicated optical fiber or a free-space optical link, to the receiver.
- Quantum measurement. The receiver measures each incoming photon in a randomly chosen basis. When the basis happens to match the sender’s, the intended bit comes through; when it doesn’t, the result is random.
- Sifting. Over the authenticated ordinary channel, the two disclose which basis they used for each photon (never the bit values) and throw away every position where the bases differed. What survives is the “sifted key.”
- Error estimation. They sacrifice a random slice of the sifted key to measure the quantum bit error rate. An eavesdropper who measured and re-sent photons is forced to introduce errors, so an error rate above the protocol’s threshold means either eavesdropping or too much channel noise, and the run is aborted.
- Reconciliation and privacy amplification. If the error rate is acceptable, the two run classical error correction to align their keys, then hash the result down to a shorter length to squeeze out any partial information an eavesdropper could hold. The shortened output is the final secret key.
The inputs are a quantum channel, an authenticated ordinary channel, and a source of true randomness (often a QRNG) for the basis and bit choices. The output is symmetric key material with a bounded, quantified guarantee on how much an eavesdropper could know, conditioned on the authentication layer holding and the hardware behaving as modeled.
Why can’t an eavesdropper listen in undetected?
Two facts of quantum physics do the work, and both are worth stating in plain language because this is the genuine and elegant core of QKD’s value.
- You can’t copy an unknown quantum state (the no-cloning theorem). Quantum mechanics forbids making an identical copy of an arbitrary unknown state. An eavesdropper can’t quietly duplicate each photon, keep one copy, and forward the other untouched, which is exactly the move that makes passively tapping an ordinary fiber undetectable.
- You can’t look without changing it (measurement disturbance). Measuring a quantum state in the wrong basis irreversibly disturbs it. An interceptor who grabs a photon has to measure it, and without knowing which basis the sender chose, guesses wrong a predictable fraction of the time, injecting detectable errors when the photon or a re-sent substitute reaches the receiver.
Together these mean any attempt to learn the key from the quantum channel leaves a statistical trace in the error rate, which the two parties measure and act on before any usable key exists.
Source: overview of QKD security based on no-cloning and measurement disturbance, Quantum key distribution, Wikipedia.
The honest caveat sits right here. That guarantee applies to an idealized protocol with idealized hardware. Real QKD systems use imperfect single-photon sources, imperfect detectors, and real optics, and the gap between the clean model and the physical device is where practical attacks live. NSA makes the point directly: the security of a fielded QKD system depends on hardware and engineering choices rather than on the laws of physics alone, and validating that a real system actually delivers the physics-based promise is itself a hard problem.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)“.
How is QKD different from post-quantum cryptography?
This is the distinction that resolves most of the confusion, so it’s worth being precise. QKD and PQC both aim to keep secrets safe from a future quantum computer, but they are different categories of thing. QKD is quantum-native: physical hardware distributing keys over dedicated optics, with security rooted in quantum measurement. PQC is a set of classical mathematical algorithms, standardized by NIST as ML-KEM, ML-DSA, and SLH-DSA, whose security rests on math problems believed hard even for a quantum computer, and it runs as software on the networks you already have.
| QKD | Post-quantum cryptography (PQC) | |
|---|---|---|
| Security basis | Laws of quantum physics (measuring a state disturbs it) | Math problems believed hard even for a quantum computer |
| Form | Specialized hardware plus dedicated fiber or line-of-sight optics | Software algorithms running on existing networks |
| What it does | Key agreement only | Key agreement and digital signatures / authentication |
| Reach | Point-to-point, roughly 100 to a few hundred km per link | Any routed network, the public internet, many-to-many |
| Authentication | None on its own; needs a classical or PQC layer | Provides it directly (ML-DSA, SLH-DSA signatures) |
| Standardization | Protocols not yet under a settled assurance standard | Finalized NIST standards (ML-KEM, ML-DSA, SLH-DSA) |
| Agency stance | Not recommended for general or high-assurance use | The recommended substrate for the transition |
The practical upshot is that for the vast majority of enterprise, cloud, and internet systems, PQC carries the migration and QKD can’t even operate, because those systems route over shared networks that QKD’s point-to-point optics can’t serve. QKD removes one assumption (the computational hardness of key agreement) and in exchange takes on several others: a separate authentication primitive, dedicated physical infrastructure, and trust that the hardware matches its model. That trade only pays off in a narrow set of circumstances.
What are QKD’s real limitations?
QKD’s constraints are physical, not marketing quibbles, and they’re the reason it stays niche. NSA enumerates five in its published guidance, and they line up with what the physics forces:
- It’s only a partial solution. QKD agrees keys but doesn’t authenticate, so it still requires a separate authentication mechanism to prevent a man-in-the-middle.
- It needs special-purpose equipment. QKD can’t be delivered in software or as a network service; it needs dedicated fiber or free-space optics and purpose-built photon hardware at both ends.
- It raises infrastructure cost and insider-threat risk. Spanning distance means the trusted-relay model, and every relay is a new place the key is exposed and a new node that has to be trusted.
- Securing and validating it is hard. Real security depends on the hardware and engineering, not on physics alone, and confirming a fielded device actually meets the guarantee is a significant challenge.
- It raises denial-of-service risk. The same sensitivity to disturbance that catches an eavesdropper also makes a QKD link easy to disrupt: jam the channel and the key simply stops flowing.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”, five limitations enumerated.
Two of these deserve a closer look because they’re where vendor pitches tend to skate past the physics.
The distance problem. Photon loss in optical fiber grows exponentially with length, and because QKD depends on single photons that can’t be amplified without destroying their quantum state, the usable key rate falls off steeply. Commercial fiber QKD without intermediate help reaches roughly 100 to a few hundred kilometers before the rate collapses, a ceiling set by the repeaterless secret-key-capacity bound (the PLOB bound), which fixes the maximum key rate achievable over a lossy channel with no repeater.
Source: S. Pirandola, R. Laurenza, C. Ottaviani, L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nature Communications 8, 15043 (2017).
The trusted-node workaround, and why it undercuts the pitch. To go farther today, QKD networks chain multiple links through intermediate “trusted nodes.” At each node the key is decrypted and re-encrypted, so every intermediate node sees the key in the clear and has to be fully trusted. That reintroduces the exact trust-in-intermediaries problem QKD’s physics argument was supposed to remove, which is why NSA flags it as both a cost and an insider-threat driver, and it’s the reason a continental QKD backbone is only as secure as its most-compromised relay. The clean fix, a quantum repeater that would extend the key across links without ever exposing it, does not yet exist as deployable infrastructure and remains research-grade, which is why the trusted-node compromise is what’s actually fielded.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”, infrastructure-cost and insider-threat limitation.
Newer protocols do push the range. Measurement-device-independent QKD (MDI-QKD) removes detector-side vulnerabilities by sending both parties’ photons to an untrusted central relay, and twin-field QKD (TF-QKD) beats the repeaterless rate-loss scaling and has reached hundreds of kilometers of fiber in field and laboratory work, with records past 800 km. These are real and impressive, and they narrow the trusted-node problem on long links. They remain specialized demonstrations rather than commodity infrastructure, and they don’t change the foundational facts that QKD is point-to-point, needs separate authentication, and runs on dedicated hardware. They extend the niche without making QKD a general PQC substitute.
Source: H.-K. Lo, M. Curty, B. Qi, “Measurement-Device-Independent Quantum Key Distribution,” Physical Review Letters 108, 130503 (2012); TF-QKD 833.8 km fiber record, Nature Photonics 16, 154 (2022).
Do NSA, NCSC, and ANSSI recommend QKD?
No. The major Western cyber-defense agencies have converged on the same position: prioritize standardized PQC, treat QKD as niche, and don’t field QKD for high-assurance government systems. This is the load-bearing section for any executive or board conversation, because it’s the answer to “shouldn’t we just buy the unbreakable quantum thing instead of migrating.”
United States, NSA. NSA’s published guidance states that QKD’s limitations and implementation challenges make it impractical for national-security-system operational networks, and its bottom line is unambiguous: “NSA does not support the usage of QKD or QC to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.” NSA views quantum-resistant (post-quantum) cryptography as the more cost-effective and maintainable path, consistent with CNSA 2.0, which mandates PQC for national security systems.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)“.
United Kingdom, NCSC. The UK’s National Cyber Security Centre states it will not endorse QKD for government or military use, and advises that other organizations should not rely on QKD as their sole means of generating and distributing keys. Its central technical objection is that QKD provides no authentication and therefore always has to be paired with quantum-resistant authentication, and that, unlike PQC, it needs specialist hardware. The NCSC recommends PQC as the primary mitigation against the quantum threat.
Source: UK NCSC, “Quantum security technologies”; see also UK NCSC Quantum-safe Cryptography.
France, Germany, and partners, ANSSI and BSI. France’s ANSSI and Germany’s BSI, together with the Netherlands’ NLNCSA and Sweden’s national authority, published a joint position paper concluding that QKD currently applies only to certain niche use cases, and that for the vast majority of situations where classical key agreement is used today, QKD is not a practical option. Their shared priority is migration to post-quantum cryptography, which they note diverges far less from existing systems than QKD does.
Source: ANSSI, BSI, NLNCSA, and Swedish NCSA, “Position Paper on Quantum Key Distribution”.
The honest-broker summary across all of them: standardized PQC is the substrate for the quantum transition, and QKD is a specialized tool reserved for the rare cases where its physical-layer properties are genuinely required and its constraints are acceptable.
Where does QKD actually fit?
QKD earns its place in a narrow band, and it’s worth naming the band precisely rather than dismissing the technology.
- Point-to-point links of bounded distance between two facilities under one organization’s physical control, where the operator owns and secures both endpoints and the fiber.
- Use cases with a genuine information-theoretic requirement for the key-agreement step, where the threat model legitimately includes adversaries beyond any computational assumption and the data has to stay confidential effectively forever, certain state-secret and intelligence channels being the honest examples.
- Environments where the specialist hardware, dedicated fiber, denial-of-service exposure, and separate authentication overhead are all acceptable and budgeted.
Even in that niche, QKD isn’t a complete cryptographic solution. It still needs an authentication layer, still needs the symmetric cipher that consumes its keys, and still needs the surrounding key management and operational controls. Everywhere else, which is to say general-purpose key establishment over routed networks and the ordinary internet, the vast majority of enterprise and cloud systems, and anything that can’t deploy its own dedicated optics, PQC provides the protection at software cost with no new hardware. That’s why the harvest-now-decrypt-later threat, the reason long-lived data needs protecting today, is answered for nearly everyone by migrating to PQC and hybrid key exchange rather than by wiring QKD across the estate. Building that agility, per Crypto-Agility, is the general-purpose move; QKD is the exception you reach for only when the physics is a hard requirement.
Common misconceptions
- “QKD is unhackable.” The physics guarantee is real for an ideal system, but real QKD systems have been attacked through hardware side-channels, especially detector vulnerabilities. Security depends on the engineering of the device, which is precisely why validating a fielded system is hard.
- “QKD removes the need to trust intermediaries.” Over distance it does the opposite. The trusted-node relays used to span long links see the key in the clear, so a continental QKD network is only as trustworthy as its weakest relay.
- “QKD is a drop-in replacement for TLS key exchange.” It’s point-to-point hardware over dedicated optics, not a routable protocol. It can’t run across the internet or serve many-to-many connections the way TLS key exchange does.
- “Adopting QKD means we can skip the PQC migration.” The agencies say the reverse. QKD covers one narrow job in a few settings, and PQC is the substrate they all recommend for the transition.
- “QKD handles authentication because it’s quantum.” It handles key agreement only. Authentication always comes from a separate classical or PQC layer, and without it QKD is wide open to a man-in-the-middle.
Questions people ask
Is QKD better than post-quantum cryptography? Not for general use. They solve the same threat by different means, and for almost every real deployment PQC is the practical answer because it’s software, it authenticates, and it runs over ordinary networks. QKD is a niche complement, and NSA, NCSC, and ANSSI all direct buyers to PQC first.
Does QKD make the PQC migration unnecessary? No. QKD can’t operate over routed networks, doesn’t authenticate, and needs dedicated hardware, so it can’t carry an organization’s general cryptography. The published agency positions are consistent that standardized PQC is the substrate and QKD is reserved for extreme cases.
How far can QKD reach? Commercial fiber QKD runs point-to-point over roughly 100 to a few hundred kilometers before the key rate collapses, a limit fixed by photon loss and the repeaterless capacity (PLOB) bound. Research protocols like twin-field QKD have pushed past 800 km in the lab, but those aren’t commodity deployments, and longer distances still rely on trusted relays or satellites.
Why does QKD still need other cryptography? Because it only agrees a key. It has no way to prove identity, so it always needs a separate authentication layer, classical or PQC, and it needs a symmetric cipher such as AES-256 to actually encrypt data with the key it produces. QKD is one component, not a full stack.
Has QKD been broken in the real world? Real QKD hardware has been attacked through side-channels, particularly by exploiting the photon detectors, even though the underlying protocol is provably secure in theory. That gap between the ideal protocol and the physical device is exactly why NSA calls validating a real system a significant challenge.
Is a quantum repeater going to fix QKD’s distance problem? Eventually, maybe. A quantum repeater would extend keys across long distances without exposing them at intermediate nodes, which would remove the trusted-node compromise. It doesn’t yet exist as deployable infrastructure and remains a research-stage technology, so for now long-distance QKD depends on trusted relays or satellite links.
Is QKD the same as quantum random number generation? No, though they’re often bundled. QRNG produces true randomness from a quantum process and is genuinely useful as the raw material for keys, including inside QKD systems. QKD is the separate business of distributing a shared key over a quantum channel.
When would an organization actually deploy QKD? When it controls both endpoints and the fiber over a bounded distance, has a real information-theoretic confidentiality requirement for data that must stay secret indefinitely, and can absorb the hardware, denial-of-service, and authentication overhead. That describes a handful of state-secret and intelligence links, not a typical enterprise, cloud, or internet-facing estate.
Everything here is the map, given freely. When your team needs its own estate assessed and a real post-quantum plan built, whether QKD belongs anywhere in it or not, that’s what an alignment briefing is for.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.