Quantum key distribution (QKD)
Quantum key distribution (QKD) is a method of sharing secret keys whose security rests on the laws of quantum physics rather than on computational hardness. Two parties exchange key material encoded on individual quantum states, usually single photons, so that any eavesdropper's measurement disturbs the states and is detected. QKD addresses only key exchange, not authentication or the encryption of data itself.
How it works
The founding protocol, BB84, was described by Charles Bennett and Gilles Brassard in 1984. The sender transmits photons polarized in randomly chosen bases; the receiver measures in randomly chosen bases; afterward the two compare bases over a public channel and keep only the bits where the bases matched, a step called sifting. The physics does the security work: a photon carrying an unknown quantum state cannot be copied (the no-cloning theorem), and any attempt to measure it in the wrong basis perturbs it. An eavesdropper therefore raises the error rate on the sifted key, and the parties estimate that rate by sacrificing a sample of bits. If the observed error stays below a threshold, error correction and privacy amplification distill a shorter key that is secret with a bound set by physical law; if the error is too high, they abort (ETSI).
A second family uses entanglement rather than prepared states. In the E91 protocol proposed by Artur Ekert in 1991, a source distributes entangled photon pairs and the parties test for violation of a Bell inequality; a genuine violation certifies that no eavesdropper holds a correlated copy. Both families produce the same product: a shared symmetric key that can then feed a conventional cipher such as AES, or a one-time pad where the key rate allows.
QKD versus post-quantum cryptography
QKD and post-quantum cryptography both aim to protect keys against a future quantum computer, but they are opposite in kind and are not interchangeable.
| Property | QKD | Post-quantum cryptography |
|---|---|---|
| Security basis | Laws of quantum physics | Conjectured hard math problems |
| Implementation | Dedicated optical hardware | Software on ordinary computers |
| Channel | Point-to-point fiber or free space | Any existing IP network |
| Authentication | Not provided; needs a separate scheme | Provided by [[digital-signature |
| Range | Limited; needs trusted relays | Unlimited, end to end |
| Deployment | New physical links | Software and firmware update |
Post-quantum cryptography replaces vulnerable algorithms like RSA and elliptic curve with new public-key schemes that run over today's internet with no new hardware. QKD instead removes the mathematical assumption entirely, but only along a dedicated quantum channel between two endpoints. Because it never transmits the key in a form a computer could later decrypt, QKD is inherently resistant to harvest now, decrypt later capture of the key exchange. That single advantage is bought at a heavy practical cost.
Limitations
QKD carries structural constraints that software cryptography does not:
- It requires special-purpose equipment. Because the guarantee is physical, QKD cannot be delivered as a software update; it needs photon sources, detectors, and either dedicated fiber or line-of-sight optics between the two parties.
- It does not provide authentication. QKD alone cannot tell whether the party at the other end of the fiber is legitimate, so it must be bootstrapped with pre-shared keys or with classical or post-quantum digital signatures. It therefore still depends on conventional cryptography for the property an active attacker most wants to defeat.
- Its range and throughput are limited. Photon loss caps direct links at roughly a few hundred kilometers, and quantum states cannot be amplified like classical signals. Long-distance QKD networks bridge segments with trusted relay nodes, and every relay sees the key in the clear, reintroducing the very trust QKD was meant to remove.
- Validating a real device is hard. The unconditional security proof describes an idealized system; a physical implementation can leak through imperfect detectors and other side channels, and several fielded systems have been broken by attacks on the hardware rather than the physics.
- It is easy to disrupt. Because eavesdropping raises the error rate and forces an abort, an attacker can deny service simply by disturbing the channel.
Agency positions
The United States National Security Agency and the United Kingdom National Cyber Security Centre have both declined to endorse QKD as a general replacement for public-key cryptography, and both point to post-quantum cryptography as the recommended path.
The NSA lists five technical limitations of QKD, including that it is only a partial solution requiring separate authentication, that it needs special-purpose equipment, that it raises infrastructure cost and insider-threat risk through trusted relays, that validating real systems is difficult, and that it is prone to denial of service. On that basis the NSA does not support using QKD to protect national security systems and does not plan to certify QKD products, recommending post-quantum cryptography instead (NSA).
The NCSC reaches a parallel conclusion in its quantum security white paper: it advises against QKD for government and military use and against relying on it alone for business-critical networks, citing the hardware requirement, the unsolved authentication problem, and QKD's narrow applicability, and it recommends post-quantum cryptography as the primary mitigation (NCSC). These positions concern general-purpose and government communications; neither agency disputes the underlying physics, and specialized point-to-point deployments continue in research and industry.
History and deployment
BB84 turned 40 in 2024 and remains the reference protocol. Commercial QKD systems have shipped since the mid-2000s, and metropolitan and backbone testbeds have been built, including a fiber link between Beijing and Shanghai and satellite-relayed exchanges using the Micius spacecraft. Standards bodies including ETSI maintain an industry specification group for QKD interfaces and security (ETSI). In mainstream migration planning, however, QKD sits alongside rather than inside the recommended stack: agencies and standards work direct general deployments toward post-quantum algorithms, frequently in hybrid combinations, which upgrade the existing internet without new physical infrastructure.
Frequently asked questions
Is QKD the same as post-quantum cryptography?
No. QKD is a hardware method for sharing keys over quantum channels, while post-quantum cryptography is software running on ordinary computers over the existing internet. They solve overlapping problems by opposite means.
Do the NSA and NCSC recommend QKD?
No. Both agencies recommend post-quantum cryptography instead and advise against QKD for national security and government use, citing its need for special hardware, its lack of built-in authentication, and the difficulty of validating real devices.
Sources
- Quantum Key Distribution (QKD) and Quantum Cryptography (QC) (NSA, 2021)
- Quantum security technologies (white paper) (UK NCSC, 2020)
- Quantum Key Distribution (QKD) (ETSI, 2023)
Cite this entry
"Quantum key distribution (QKD)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/quantum-key-distribution@misc{pqwiki-quantum-key-distribution,
title = {Quantum key distribution (QKD)},
howpublished = {\url{https://postquantum.wiki/quantum-key-distribution}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}