up:: The Transition MOC
Quantum-Native Security
Quantum-native security is the use of quantum physics itself, rather than new mathematics, to protect information, and its two practical forms are quantum key distribution (QKD), which shares an encryption key over a dedicated optical link so any eavesdropper is detectable, and quantum random number generation (QRNG), which produces true randomness from a quantum measurement. It sits opposite post-quantum cryptography (PQC), the math-based algorithms NIST standardized to run as software on ordinary networks. The honest picture is that PQC carries the quantum transition for almost every organization, while QKD and QRNG stay niche tools with real physical limits, and the major Western security agencies say so plainly.
Map of content
A short overview of quantum-native security, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.
The short version:
- Quantum-native security protects data using the laws of physics. QKD uses the fact that measuring a quantum state disturbs it to catch any eavesdropper on a key exchange, and QRNG uses quantum indeterminacy to produce randomness with no predetermined value.
- This is a different category from post-quantum cryptography. PQC is a set of math-based algorithms (ML-KEM, ML-DSA) that run in software; quantum-native technology is hardware that exploits physics.
- For the quantum threat, standardized PQC is the mainstream answer. QKD needs special hardware and dedicated links, it does no authentication at all, and it does not scale like software, so it can’t carry an organization’s general cryptography.
- NSA, the UK’s NCSC, and France’s ANSSI (with Germany’s BSI and partners) all direct buyers to PQC and treat QKD as a specialized tool for a few extreme-assurance settings.
- QRNG is the more broadly useful of the two, as an entropy source that improves the randomness feeding key generation, and it is complementary to PQC rather than a substitute for the migration.
Think of quantum-native security as protecting a message through the physical properties of the paper it’s written on rather than through a clever lock on the box. A sheet that visibly smudges the instant anyone reads it tells you whether it was intercepted, which is genuinely clever, and it only helps when you can hand-carry it down one dedicated hallway. The math-based lock, by contrast, travels on any road and works at internet scale, which is why it does the everyday job while the smudging paper stays reserved for the rare corridor that truly needs it.
What is quantum-native security?
Quantum-native security is a family of technologies whose security comes from quantum-mechanical physics rather than from computational hardness. Ordinary and post-quantum cryptography both rest on math problems an adversary is assumed to lack the compute to solve; quantum-native tools instead exploit properties like the no-cloning theorem and measurement disturbance, so their guarantees come from the behavior of physical systems. The label “quantum cryptography” is often used loosely for the same idea, though it sweeps in several quantum technologies at once.
Two of those technologies are practical enough to buy today, and they solve different problems:
| Technology | What it does | Maturity | Relation to the transition |
|---|---|---|---|
| QKD | Shares a symmetric key over a quantum channel so eavesdropping is detectable | Fielded but niche, distance-limited, hardware-based | A specialized complement, not a PQC replacement |
| QRNG | Produces true random bits from a quantum measurement | Mature commercial products | An entropy source that feeds keygen, complementary to PQC |
Two more extend the same physics further out. The quantum internet would network quantum devices and, with a working quantum repeater, carry entanglement over long distances, and quantum sensing applies quantum measurement to precision instrumentation. Both are worth understanding and neither is something to wait for; the practical quantum-native security conversation today is QKD and QRNG.
The reason this hub leads with the honest picture is that quantum-native technology is pitched constantly as the “unbreakable” alternative to migrating, and that framing gets the risk backwards. The physics is real and elegant, and the constraints around it are equally real, so the useful question for any executive is where these tools genuinely fit rather than whether they sound impressive.
What is QKD and where does it fit?
QKD is a hardware-based method for two parties to agree on a shared secret key by sending individual photons over a dedicated physical link, using the physics of measurement to make eavesdropping detectable. Because a measurement disturbs a quantum state and an unknown state can’t be copied, an interceptor leaves statistical fingerprints in the error rate, so the two parties either distill a clean key or abort. The two anchor protocols are BB84 (Bennett and Brassard, 1984), where the sender encodes bits into photon polarization, and E91 (Ekert, 1991), which distributes entangled photon pairs.
Source: C. H. Bennett and G. Brassard, “Quantum cryptography, Public key distribution and coin tossing,” Proc. IEEE Int. Conf. Computers, Systems and Signal Processing, 1984; A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Physical Review Letters 67, 661 (1991).
Where QKD fits is a narrow band. It earns a place on point-to-point links of bounded distance between two facilities under one organization’s physical control, in the rare use cases with a genuine information-theoretic requirement for the key-agreement step, where the specialist hardware, denial-of-service exposure, and separate authentication overhead are all acceptable. That describes a handful of state-secret and intelligence channels. The full treatment, including the five stages of a BB84 run and the trusted-node problem, lives in the QKD note.
What is QRNG and where does it fit?
QRNG is the production of random bits by measuring a quantum process whose outcome has no predetermined value, such as which way a single photon reflects off a beam splitter or the amplitude of vacuum noise in a laser. It’s an entropy source in the precise sense of NIST SP 800-90B, meaning it feeds raw randomness into the same random-bit-generator stack every cryptographic key already depends on, and it earns trust the same way any entropy source does, by passing SP 800-90B validation against its measured output.
Source: NIST SP 800-90B, “Recommendation for the Entropy Sources Used for Random Bit Generation,” January 2018, DOI 10.6028/NIST.SP.800-90B, csrc.nist.gov.
QRNG fits more broadly than QKD because it needs no second party and no dedicated link. It shows up wherever high-assurance entropy is wanted, inside hardware security modules and key managers, on entropy cards and cryptographic appliances, at cloud and chip scale, and in public randomness beacons. The thing to hold onto is that good randomness is the foundation under every key, nonce, salt, and initialization vector, and weak randomness has silently broken real systems at internet scale, so a physically grounded, well-validated entropy source is worth caring about on its own terms. Full detail, including the SP 800-90B validation gate and the device-independent variants, is in the QRNG note.
Should you use QKD instead of post-quantum cryptography?
For general use, no. QKD and PQC both aim to keep secrets safe from a future quantum computer, and they are different categories of thing that solve the problem by different means. QKD is quantum-native hardware distributing keys over dedicated optics; PQC is a set of standardized math-based algorithms that run as software on the networks you already have and that also handle the digital signatures QKD leaves untouched.
| QKD | Post-quantum cryptography (PQC) | |
|---|---|---|
| Security basis | Laws of quantum physics (measuring a state disturbs it) | Math problems believed hard even for a quantum computer |
| Form | Specialized hardware plus dedicated fiber or line-of-sight optics | Software algorithms running on existing networks |
| What it does | Key agreement only | Key agreement and digital signatures / authentication |
| Reach | Point-to-point, roughly 100 to a few hundred km per link | Any routed network, the public internet, many-to-many |
| Authentication | None on its own; needs a classical or PQC layer | Provides it directly (ML-DSA, SLH-DSA signatures) |
| Standardization | Protocols not yet under a settled assurance standard | Finalized NIST standards (ML-KEM, ML-DSA, SLH-DSA) |
| Agency stance | Not recommended for general or high-assurance use | The recommended substrate for the transition |
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”; NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.
The practical upshot is that for the vast majority of enterprise, cloud, and internet systems, PQC carries the migration and QKD can’t even operate, because those systems route over shared networks that QKD’s point-to-point optics can’t serve. QKD removes one assumption, the computational hardness of key agreement, and takes on several others in exchange: a separate authentication primitive, dedicated physical infrastructure, and trust that the hardware matches its model. That trade pays off only in a narrow set of circumstances. The reason long-lived data needs protecting today, harvest now, decrypt later, is answered for nearly everyone by migrating to PQC and hybrid key exchange rather than by wiring QKD across the estate.
What are QKD’s real limitations?
QKD’s constraints are physical rather than marketing quibbles, and they’re the reason it stays niche. NSA enumerates five in its published guidance, and they line up with what the physics forces:
| Limitation | Why it holds |
|---|---|
| It’s only a partial solution | QKD agrees keys but does no authentication, so it always needs a separate mechanism to prevent a man-in-the-middle |
| It needs special-purpose equipment | It can’t be delivered in software or as a network service; it needs dedicated optics and purpose-built photon hardware at both ends |
| It raises infrastructure cost and insider-threat risk | Spanning distance means chaining “trusted nodes,” and every relay sees the key in the clear and has to be trusted |
| Securing and validating it is hard | Real security depends on the hardware and engineering, not physics alone, and confirming a fielded device meets the guarantee is a significant challenge |
| It raises denial-of-service risk | The same sensitivity that catches an eavesdropper makes the link easy to disrupt: jam the channel and the key stops flowing |
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”, five limitations enumerated.
Two of these deserve a closer look because they’re where vendor pitches tend to skate past the physics. Photon loss in optical fiber grows exponentially with length, and because QKD depends on single photons that can’t be amplified without destroying their quantum state, the usable key rate falls off steeply, capping commercial fiber QKD at roughly 100 to a few hundred kilometers per link. That ceiling is the repeaterless secret-key-capacity bound, the PLOB bound.
Source: S. Pirandola, R. Laurenza, C. Ottaviani, L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nature Communications 8, 15043 (2017).
To go farther today, QKD networks chain links through intermediate trusted nodes that decrypt and re-encrypt the key at each hop, so every relay sees the key in the clear. That reintroduces the exact trust-in-intermediaries problem QKD’s physics argument was supposed to remove, which is why a continental QKD backbone is only as secure as its most-compromised relay. A quantum repeater would extend keys across links without exposing them, and it remains research-grade rather than deployable infrastructure, so the trusted-node compromise is what’s actually fielded. The QKD note covers the newer measurement-device-independent and twin-field protocols that push the range while leaving those foundational facts intact.
Do NSA, NCSC, and ANSSI recommend QKD?
No. The major Western cyber-defense agencies have converged on the same position: prioritize standardized PQC, treat QKD as niche, and avoid fielding QKD for high-assurance government systems. This is the load-bearing point for any board conversation, because it’s the answer to “shouldn’t we just buy the unbreakable quantum thing instead of migrating.”
-
United States, NSA. NSA’s guidance states that QKD’s limitations make it impractical for national-security-system operational networks, and its bottom line is unambiguous: “NSA does not support the usage of QKD or QC to protect communications in National Security Systems, and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.” NSA views quantum-resistant cryptography as the more cost-effective and maintainable path, consistent with CNSA 2.0.
Source: NSA Cybersecurity, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)“.
-
United Kingdom, NCSC. The UK’s National Cyber Security Centre states it will not endorse QKD for government or military use and advises that other organizations should treat PQC as the primary mitigation. Its central technical objection is that QKD provides no authentication and therefore always has to be paired with quantum-resistant authentication, and that it needs specialist hardware where PQC does not.
Source: UK NCSC, “Quantum security technologies”.
-
France, Germany, and partners, ANSSI and BSI. France’s ANSSI and Germany’s BSI, together with the Netherlands’ NLNCSA and Sweden’s national authority, published a joint position paper concluding that QKD currently applies only to certain niche use cases and that migration to post-quantum cryptography is the shared priority, because PQC diverges far less from existing systems than QKD does.
Source: ANSSI, BSI, NLNCSA, and Swedish NCSA, “Position Paper on Quantum Key Distribution”.
The honest-broker summary across all of them: standardized PQC is the substrate for the quantum transition, and QKD is a specialized tool reserved for the rare cases where its physical-layer properties are genuinely required and its constraints are acceptable.
How do QKD and QRNG differ from each other?
They’re two different quantum technologies, and the market blurs them constantly. A QRNG produces the unpredictable bits that feed key generation; QKD transports a shared key over a quantum channel between two endpoints. One is a local component you can drop into a single rack, and the other is a point-to-point link with hard physical constraints.
The consequence is that QRNG is broadly deployable, because it needs no partner and no dedicated link, while QKD needs a special quantum channel, does no authentication by itself, and is positioned by the security agencies as suitable only for narrow settings. QRNG also carries a subtler trap: buying one does nothing to make RSA or ECC quantum-safe, because the quantum threat lives at the algorithm layer that Shor’s algorithm attacks, while randomness lives underneath it. Improving your entropy leaves every quantum-vulnerable algorithm exactly as vulnerable as before. Both notes go deep on the confusion and how to keep the two straight.
Where does quantum-native security genuinely belong?
Quantum-native security belongs in the entropy layer and in a narrow band of physical-layer key distribution, sitting alongside the algorithm migration rather than replacing it. QRNG belongs wherever high-assurance key generation wants a physically grounded, high-rate entropy source with strong health testing, recorded in a CBOM as one entropy source among many. QKD belongs on operator-controlled point-to-point links where a genuine information-theoretic confidentiality requirement justifies the hardware, the distance limit, the denial-of-service exposure, and the separate authentication layer.
Everywhere else, which is to say general-purpose key establishment over routed networks and the ordinary internet, standardized PQC provides the protection at software cost with no new hardware, and building crypto-agility so the next algorithm change is a configuration update is the general-purpose move. Quantum-native security is the exception you reach for when the physics is a hard requirement, and understanding exactly where that line falls is most of the value this hub offers.
Common misconceptions
- “Quantum-native security is the answer to the quantum threat.” For almost every organization, standardized post-quantum cryptography is. QKD is a niche complement that can’t operate over routed networks, and QRNG works in a different layer entirely and does nothing to make vulnerable algorithms safe.
- “QKD is unhackable.” The physics guarantee holds for an ideal system, and real QKD hardware has been attacked through side-channels, especially detector vulnerabilities. Security depends on the engineering of the specific device, which is why validating a fielded system is hard.
- “Adopting QKD means we can skip the PQC migration.” The agencies say the reverse. QKD covers one narrow job in a few settings, and PQC is the substrate they all recommend for the transition.
- “A quantum label makes a random number generator safer.” The security of the bits comes from the validated entropy behavior of the specific device under NIST SP 800-90B, not from the word “quantum.” An unvalidated “quantum” source is an unproven box.
- “QKD and QRNG are the same quantum-security thing.” One distributes a key between two endpoints over a special link, and the other generates random bits locally with no second party. They have different costs, constraints, and use cases.
Questions people ask
Is quantum-native security the same as post-quantum cryptography? No. Quantum-native security uses physics (QKD, QRNG) and runs on special hardware, while post-quantum cryptography is a set of standardized math-based algorithms that run in software. PQC is the mainstream answer to the quantum threat; quantum-native tools are niche complements.
Should my organization deploy QKD? Almost certainly not as a general measure. QKD makes sense only when you control both endpoints and the fiber over a bounded distance, have a real information-theoretic confidentiality requirement, and can absorb the hardware, denial-of-service, and authentication overhead. For everything else, PQC carries the migration.
Is QRNG worth buying? It can be, for high-assurance key generation where a physically grounded, high-rate entropy source with strong health testing is genuinely valuable. Treat it as an entropy-quality decision inventoried in your CBOM, separate from the algorithm migration, and require a NIST SP 800-90B validation.
Why do the security agencies recommend PQC over QKD? Because QKD does no authentication on its own, needs dedicated hardware and links, is distance-limited, and reintroduces trusted intermediaries over long spans, while PQC authenticates, runs in software over existing networks, and is standardized. NSA, NCSC, and ANSSI with BSI all reach the same conclusion.
Does quantum-native security stop harvest-now-decrypt-later? For nearly everyone, PQC and hybrid key exchange stop it, because HNDL threatens data flowing over routed networks that QKD can’t serve. QKD addresses the harvesting risk only on the specific point-to-point links where it can physically operate.
Can QRNG and QKD work together? Yes. A QKD system needs a source of true randomness to choose its bases and bits, and a QRNG is a natural fit for that role. That pairing is internal to a QKD deployment and separate from the question of whether either belongs in a given estate.
Is the quantum internet going to change this? Eventually it may extend quantum-native techniques over long distances once a deployable quantum repeater exists, which would relax QKD’s trusted-node compromise. It’s research-stage today, so it’s worth understanding and not worth waiting for; the migration decision rests on PQC now.
Go deeper
The two practical technologies: Quantum Key Distribution (QKD) · Quantum Random Number Generation (QRNG)
The head-to-head comparison: QKD vs PQC lays out why NSA, NCSC, and ANSSI direct almost everyone to post-quantum cryptography rather than QKD, and the narrow band where QKD still fits.
The mainstream answer these complement: the post-quantum standards · FIPS 203 (ML-KEM) · Crypto-Agility · Hybrid Cryptography
The threat and the machines behind it: Cryptographically Relevant Quantum Computer (CRQC) · Shor’s Algorithm · Harvest Now, Decrypt Later (HNDL)
Where these choices get recorded is the CBOM; the deadlines that make the migration mandatory are in the mandates.
Everything here is the map, given freely. When your team needs to know whether QKD or QRNG belongs anywhere in your estate, and how the rest of it should migrate, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.