First, clear up a name collision that causes endless confusion. Quantum key distribution (QKD) and post-quantum cryptography (PQC) are not the same thing, and they are not even the same kind of thing.
- Post-quantum cryptography is ordinary software — new mathematical algorithms (like ML-KEM) designed to resist attack by quantum computers. It runs on the hardware you already own.
- Quantum key distribution is hardware — it uses the physical behavior of individual photons to establish a key over a special optical link. It defends against eavesdropping using quantum physics, not quantum computers.
Both are responses to a quantum future, but PQC is what's actually being deployed across the internet today. QKD is a narrower, infrastructure-heavy technology. This article is about the second one.
The Physical Idea
QKD rests on two facts from quantum mechanics. First, you cannot measure a quantum system without disturbing it. Second, the no-cloning theorem says you cannot make a perfect copy of an unknown quantum state. Together these mean that an eavesdropper who intercepts photons in transit cannot do so invisibly — measuring them changes them, and that change is statistically detectable by the legitimate parties.
This is the key reframing. Classical cryptography assumes an eavesdropper can copy every bit on the wire silently and attack it later at leisure (the "harvest now, decrypt later" threat). QKD aims to make silent interception physically impossible. If someone listens, the error rate climbs and the parties know to throw the key away before using it.
QKD does not encrypt your data. It establishes a shared secret key whose secrecy can be verified — and that key is then used with ordinary symmetric encryption. The quantum part is purely about agreeing on a key nobody else could have learned undetected.
BB84, Step by Step
The original and still most-taught protocol is BB84, proposed by Charles Bennett and Gilles Brassard in 1984. Here's the shape of it, using the convention that Alice sends and Bob receives.
- Alice encodes random bits on photons, choosing for each one a random "basis" — think of it as two different orientations of polarization, rectilinear (+) or diagonal (×). The bit value and the basis are both random.
- Bob measures each photon in a basis he also picks at random. When his basis matches Alice's, he reads the correct bit. When it doesn't, he gets a random result.
- They compare bases over a public channel — not the bit values, just which basis each used. They keep only the photons where the bases happened to match (about half) and discard the rest. This surviving string is the "sifted key."
- They check for eavesdropping by publicly comparing a random sample of the sifted bits. If an eavesdropper measured photons in transit, she had to guess bases too, and her wrong guesses introduce errors. A quantum bit error rate above a known threshold means someone was listening — abort.
- They distill a final key from the remaining bits using error correction and privacy amplification, which shrinks the key while squeezing out any partial information a weak eavesdropper might have gained.
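The five steps above, as an added toy simulation written for this article rather than code from any QKD vendor or protocol specification. It models a photon as a (bit, basis) pair, assumes a noiseless channel with ideal sources and detectors, uses an intercept-resend eavesdropper so the error rate the sampling step catches can be seen, and treats the 11% abort threshold as a parameter (the function and variable names are this example's own).

```python
import random

# Toy BB84: a photon is modelled as (bit, basis); basis 0 = rectilinear (+), 1 = diagonal (x).
# Assumptions (not from the article): noiseless channel, ideal single-photon source/detectors.

def measure(photon, basis, rng):
    """Matching basis reads the encoded bit; a mismatched basis gives a random outcome."""
    bit, photon_basis = photon
    return bit if basis == photon_basis else rng.randint(0, 1)

def intercept_resend(photons, rng):
    """Eve measures each photon in a random basis and re-sends the collapsed state."""
    resent = []
    for photon in photons:
        eve_basis = rng.randint(0, 1)
        resent.append((measure(photon, eve_basis, rng), eve_basis))
    return resent

def bb84(n, eavesdrop, seed=1, sample_fraction=0.25, abort_threshold=0.11):
    """Run the five steps and return the outcome; keys are None when the run aborts."""
    rng = random.Random(seed)
    # 1. Alice picks random bits and random bases
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.randint(0, 1) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        photons = intercept_resend(photons, rng)
    # 2. Bob measures in his own random bases
    bob_bases = [rng.randint(0, 1) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]
    # 3. Sifting: public basis comparison keeps only matching positions (~half)
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in kept]
    bob_sifted = [bob_bits[i] for i in kept]
    # 4. Eavesdropping check on a public random sample of sifted bits. Intercept-resend
    # guesses the wrong basis half the time, flipping Bob's bit half of those: ~25% QBER.
    sample = set(rng.sample(range(len(kept)), int(len(kept) * sample_fraction)))
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in sample)
    qber = errors / len(sample)
    if qber > abort_threshold:
        return {"aborted": True, "qber": qber, "alice_key": None, "bob_key": None}
    # 5. Discard the revealed sample; error correction and privacy amplification
    # would further shrink what remains (not modelled here).
    alice_key = [alice_sifted[i] for i in range(len(kept)) if i not in sample]
    bob_key = [bob_sifted[i] for i in range(len(kept)) if i not in sample]
    return {"aborted": False, "qber": qber, "alice_key": alice_key, "bob_key": bob_key}

if __name__ == "__main__":
    print("no eavesdropper QBER:", bb84(4000, eavesdrop=False)["qber"])
    print("intercept-resend QBER:", bb84(4000, eavesdrop=True)["qber"])
```

On a real link the baseline QBER is never exactly zero, so the threshold has to leave room for channel noise while still staying below what an eavesdropper would cause.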
The elegance is that security comes from the public basis-comparison step combined with physics: an eavesdropper cannot avoid disturbing the photons she measures, so she cannot learn the key without being caught. Other protocols (E91, which uses entanglement, and various decoy-state schemes) refine this, but BB84 captures the core intuition.
Why It Hasn't Taken Over the Internet
If QKD offers physics-grade key secrecy, why aren't we all using it? Because the practical constraints are severe, and several national security agencies — including the UK's NCSC and the US NSA — have publicly recommended post-quantum cryptography over QKD for general use. Here's the honest list of limitations.
| Limitation | What it means in practice |
|---|---|
| Distance | Photons get absorbed in fiber. Direct QKD links are limited to roughly a few hundred kilometers; going further needs trusted relay nodes or immature quantum repeaters. |
| Trusted relays | Long-distance QKD networks chain together relay nodes that see the key in the clear. You're back to trusting infrastructure — the very thing QKD was supposed to avoid. |
| Special hardware | It needs dedicated fiber or line-of-sight optics, single-photon sources and detectors. It does not run over the ordinary internet. |
| No authentication | QKD can't tell who is on the other end. It still needs classical authentication to stop a machine-in-the-middle — so it doesn't remove the need for conventional cryptography. |
| Implementation attacks | Real devices aren't ideal. Attacks like detector blinding have exploited hardware imperfections to defeat deployed QKD systems without violating any physics. |
The theory of QKD is unconditionally secure. The hardware that implements it is not. Most real-world QKD breaks have attacked the gap between the two.
The Authentication Catch
This point deserves its own emphasis because it undercuts the "physics replaces math" narrative. QKD guarantees that the photons weren't read undetected — but it cannot, by itself, tell Alice she's talking to Bob and not to an impostor sitting in the middle running QKD with each of them separately. To prevent that, the public discussion channel must be authenticated, and authentication relies on classical cryptography (a shared secret or signatures).
So QKD does not eliminate the need for conventional cryptography — it sits alongside it. This is part of why agencies recommend hardening systems with post-quantum algorithms and good forward secrecy instead: those defend the whole internet in software, today, without new fiber.
Where It's Real
QKD is not vaporware. China's Micius satellite demonstrated entanglement-based key distribution between ground stations over 1,000 km apart in 2017, and a Beijing-to-Shanghai fiber backbone has carried QKD traffic. Several commercial vendors sell QKD systems, and some banks and government links use them. The technology works — within its niche of point-to-point links where one party controls both ends or trusts the relays, and where the cost of dedicated optical infrastructure is justified.
That niche is genuine but small. For protecting communication at internet scale — which is what most people, and most privacy tools, actually need — the answer is strong end-to-end encryption with forward secrecy, migrating to post-quantum algorithms over time.
The Takeaway
Quantum key distribution is a beautiful idea: detect eavesdropping using the fact that observation disturbs quantum states. It delivers on that idea in theory and, with caveats, in practice. But it requires special hardware, is distance-limited, still needs classical authentication, and has been broken through implementation flaws. It complements conventional cryptography rather than replacing it.
If you're worried about a quantum future, the practical move is not a fiber link to your contacts — it's using tools built on modern, well-audited cryptography that are adopting post-quantum algorithms. That's a software upgrade, not a physics project.