Quantum Cryptography and Quantum Key Distribution

Quantum cryptography uses the laws of quantum mechanics to protect information in ways that classical encryption cannot match. At its core sits quantum key distribution (QKD) — a method for exchanging cryptographic keys whose security is guaranteed not by computational difficulty but by physics itself. This page covers how QKD works, where it gets deployed, and where its real-world limits bite hard enough to matter.

Definition and scope

Classical encryption schemes like RSA rely on the practical impossibility of factoring enormous numbers quickly. That premise is under pressure: a sufficiently powerful quantum computer running Shor's algorithm could crack RSA-2048 in hours rather than millennia, a threat the National Institute of Standards and Technology (NIST) has treated seriously enough to launch a multi-year post-quantum cryptography standardization process, finalizing its first 3 post-quantum algorithm standards in 2024.

Quantum cryptography sidesteps the problem entirely. Rather than making eavesdropping computationally hard, it makes eavesdropping physically detectable. The scope covers any communication channel where key material — the shared secret that encrypts and decrypts messages — needs to be exchanged without the risk of silent interception. QKD is the most mature application in this space, with fiber-based commercial deployments operating since the mid-2000s and satellite-based links demonstrated by China's Micius satellite in 2017 (Nature, 2017).

Quantum cryptography as a field also includes quantum random number generation (QRNG) and device-independent protocols, but QKD is the piece with real infrastructure behind it — and the piece drawing the heaviest scrutiny from national security agencies.

How it works

The mechanics hinge on a principle discussed in depth on the quantum mechanics principles page: measuring a quantum state disturbs it. QKD exploits this feature deliberately.

The most widely deployed protocol, BB84 (proposed by Charles Bennett and Gilles Brassard in 1984), works in four steps:

  1. Photon transmission: The sender (conventionally called Alice) generates individual photons and encodes each one in a randomly chosen polarization basis — either rectilinear (0°/90°) or diagonal (45°/135°).
  2. Measurement: The receiver (Bob) measures each arriving photon using a randomly chosen basis. Because the basis choices are independent, Bob's basis matches Alice's roughly 50% of the time; a measurement in the wrong basis yields a random result.
  3. Sifting: Alice and Bob announce their basis choices over a public (non-secret) classical channel, then keep only the measurements where both chose the same basis. This retained subset is the raw key.
  4. Error checking and privacy amplification: A portion of the raw key is compared to detect errors. An eavesdropper (Eve) disturbing photons to read them introduces a measurable quantum bit error rate (QBER). If QBER stays below roughly 11% (the threshold at which BB84 remains provably secure), the parties apply privacy amplification — mathematical compression that destroys any partial information Eve might have collected.
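
The four steps above, simulated as an added example (not code from the original page): an idealized, lossless channel with a constructed intercept-resend eavesdropper, showing how sifting and the QBER check expose her. The function names, the "+"/"x" basis labels and the 50% sample fraction are assumptions, and privacy amplification is left out.

```python
import random

QBER_ABORT = 0.11  # abort threshold quoted in step 4 for BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis reads the encoded bit; a mismatched basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def bb84_round(n_photons, eavesdrop, seed, sample_fraction=0.5):
    rng = random.Random(seed)  # seeded so the constructed run is repeatable
    # Step 1: Alice picks random bits and bases ("+" rectilinear, "x" diagonal).
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice("+x") for _ in range(n_photons)]
    # Step 2: Bob picks his measurement bases independently.
    bob_bases = [rng.choice("+x") for _ in range(n_photons)]

    bob_bits = []
    for bit, prep_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and must
            # re-prepare the photon in that basis, since she cannot clone it.
            e_basis = rng.choice("+x")
            bit, prep_basis = measure(bit, prep_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, prep_basis, b_basis, rng))

    # Step 3: sifting keeps only positions where the announced bases agree.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Step 4: publicly compare a random sample of the raw key, then discard it.
    sample = set(rng.sample(kept, int(len(kept) * sample_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample)
    key_bits = len(kept) - len(sample)  # raw key left for privacy amplification
    return {"sifted": len(kept), "qber": qber,
            "abort": qber > QBER_ABORT, "key_bits": key_bits}


if __name__ == "__main__":
    for eve in (False, True):
        print("eavesdropper:", eve, bb84_round(4000, eavesdrop=eve, seed=1))
```

On this noiseless model the clean run has a QBER of exactly zero, while intercept-resend pushes it to about 25%, well past the abort threshold. Real links also see errors from detector noise and misalignment, which is why the threshold is a bound on tolerated error rather than a test for zero.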

The security proof relies on the Heisenberg uncertainty principle: no measurement of a quantum system can extract complete information without altering the system. Eve cannot copy a photon without detection because the no-cloning theorem forbids perfect duplication of an unknown quantum state.

A related protocol, E91 (Artur Ekert, 1991), uses quantum entanglement instead of prepared single photons, deriving security from Bell's theorem — any correlation structure inconsistent with local hidden variables signals an eavesdropper.

Common scenarios

QKD sees real-world use in three distinct environments:

Fiber-optic metropolitan networks — Cities including Geneva, Tokyo, and Vienna operated experimental QKD networks in the 2000s. The Tokyo QKD network demonstrated 100 km links at key rates sufficient for encrypted voice calls. Photon loss in fiber limits practical unamplified distances to roughly 100–200 km without quantum repeaters.

Financial and government data centers — Short-range QKD links (under 50 km) connect data centers where the cost of deployment is justified by the sensitivity of the data. Toshiba demonstrated a QKD system achieving key rates above 1 Mbps over 50 km of standard telecom fiber (Toshiba Research, published in Nature Photonics).

Satellite-based long-distance links — China's Micius satellite completed a 7,600 km intercontinental quantum key exchange with Austria in 2017, establishing that space-based QKD can span distances impossible for fiber. Ground-to-satellite transmission uses the relative transparency of atmosphere at low elevation angles.

The quantum communication networks page covers the infrastructure layer in more detail, including repeater architectures under active development.

Decision boundaries

QKD is not a universal replacement for classical public-key cryptography, and treating it as one produces expensive disappointment. The honest comparison:

| Factor | QKD | Post-Quantum Cryptography (PQC) |
| --- | --- | --- |
| Security basis | Physical laws | Computational hardness assumptions |
| Infrastructure required | Dedicated optical channel | Standard internet |
| Key distribution distance | ~200 km (fiber), global (satellite) | Unlimited |
| Deployment cost | High (hardware, fiber, maintenance) | Low (software update) |
| Authentication requirement | Still needs classical authentication | Self-contained |
| Vulnerability | Side-channel attacks on hardware | Algorithm breaks (unproven so far) |

NIST's position, reflected in its post-quantum standardization guidance, is that PQC provides a more practical near-term defense for most applications. The UK National Cyber Security Centre (NCSC) published analysis in 2020 specifically cautioning against over-reliance on QKD, citing the authenticated classical channel requirement and the attack surface of real-world photon detectors.

QKD makes sense where an adversary is assumed to be recording ciphertext now for decryption later — a threat model sometimes called "harvest now, decrypt later" — and where dedicated fiber or satellite access is operationally feasible. For most organizations, NIST's finalized PQC algorithms cover the same threat at a fraction of the infrastructure cost. For intelligence agencies, central banks, and critical infrastructure operators with long-lived secrets and dedicated links, QKD adds a layer whose security proof lives in physics textbooks rather than complexity theory. That's a genuinely different kind of guarantee — it just comes with a very specific set of installation requirements.

A broader map of the field these protocols sit within is available at the Quantum Physics Authority index.
