Quantum Key Distribution (QKD): if someone eavesdrops on the communication, they automatically leave traces due to quantum mechanics. How it works and where it is already applied.
🔐 The promise: security based on laws of nature
Classical cryptography relies on mathematical problems — factoring enormous numbers, computing discrete logarithms. These problems are considered hard, but no one has ever proven they are impossible to solve. It is like a lock we believe nobody can break, without actually being certain. And things are getting worse: Shor's algorithm, running on a sufficiently powerful quantum computer, could break RSA and elliptic curves in polynomial time.
Quantum Key Distribution (QKD) offers a radically different philosophy: instead of trusting the difficulty of a mathematical problem, we trust the fundamental laws of quantum mechanics. Specifically, three principles: first, measuring a quantum system inevitably disturbs it (uncertainty principle). Second, you cannot copy an unknown quantum state (no-cloning theorem). Third, two particles in an entangled state exhibit correlations that violate Bell inequalities, confirming there are no hidden variables.
⚙️ BB84: where it all began
In 1984, Charles Bennett of IBM and Gilles Brassard of the University of Montreal presented the BB84 protocol at a conference in Bangalore. The idea was strikingly elegant. Alice sends Bob individual photons, each polarized in one of four states — vertical (0°), horizontal (90°), diagonal (45°), or anti-diagonal (135°). These states belong to two measurement "bases": rectilinear and diagonal.
Bob measures each photon in a random basis. If he happens to measure in the correct basis, he gets the right result. If he measures in the wrong basis, the result is random and the information is irreversibly lost. After transmission, Alice and Bob publicly announce their bases (but not their results). They keep only the bits where they agreed on the basis — on average 50%. This becomes their shared key.
What if a third party, Eve, intervenes? Even if she intercepts a photon, she must guess the basis. If she guesses wrong (probability 50%), she sends Bob a modified photon. If Bob then measures in the correct basis, there is a 50% chance of getting the wrong result. Overall, each intercepted photon has a 25% chance of introducing an error into the shared key. By comparing 72 bits, the probability of detecting Eve reaches 99.9999999%.
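The sifting rate, the 25% error rate and the 72-bit detection figure above can be reproduced with a short simulation. This is an added example, not code from the original article; the function names, photon count and seed are assumptions, and the channel is modeled as ideal (no loss or noise), so every error comes from the intercept-and-resend step.

```python
import random

BASES = "+x"  # '+' rectilinear (0°/90°), 'x' diagonal (45°/135°)

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; a wrong basis gives a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n_photons, eve_present, rng):
    """Run one BB84 session; return the sifted keys of Alice and Bob."""
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.choice(BASES)
        photon_bit, photon_basis = bit, a_basis
        if eve_present:
            # Intercept-resend: Eve measures in a guessed basis and
            # re-emits a photon prepared in that basis.
            e_basis = rng.choice(BASES)
            photon_bit = measure(photon_bit, photon_basis, e_basis, rng)
            photon_basis = e_basis
        b_basis = rng.choice(BASES)
        result = measure(photon_bit, photon_basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: only the bases are announced
            alice_key.append(bit)
            bob_key.append(result)
    return alice_key, bob_key

def qber(alice_key, bob_key):
    """Fraction of sifted bits on which Alice and Bob disagree."""
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return errors / len(alice_key)

def detection_probability(n_compared, error_rate=0.25):
    """Chance that at least one of n compared bits shows an error."""
    return 1 - (1 - error_rate) ** n_compared

if __name__ == "__main__":
    rng = random.Random(1984)  # fixed seed, constructed run
    for eve in (False, True):
        a, b = bb84(20000, eve, rng)
        print(f"eve={eve}: sifted={len(a)} qber={qber(a, b):.3f}")
    print(f"detect(72 bits) = {detection_probability(72):.10f}")
```

In a real link the error rate is never exactly zero, so Alice and Bob compare the measured rate against a threshold rather than aborting on the first mismatch.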
🔄 From BB84 to E91 and beyond
In 1991, Artur Ekert proposed an alternative protocol (E91) based on quantum entanglement. Instead of Alice sending polarized photons, a source creates pairs of entangled photons — one goes to Alice, one to Bob. Their measurements will be perfectly correlated if no one has interfered. Eavesdropping detection is done through violation of Bell inequalities: if Eve has acquired information, the quantum correlations weaken and the statistical test fails.
The beauty of E91 is that security does not even depend on the manufacturer of the source. Even if the entangled photons are made by Eve herself, Bell inequalities reveal whether there has been manipulation. This idea led to modern research on device-independent QKD — protocols that do not even trust the devices themselves.
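The Bell-inequality test described above for E91 can be sketched as a Monte Carlo estimate of the CHSH value S, which stays at or below 2 for any classical (local) model and reaches about 2.83 for undisturbed entangled pairs. This is an added example, not code from the original article; the CHSH form of the inequality, the analyser angles, the function names and the model of Eve (she measures each pair in a guessed 0° or 45° basis) are assumptions.

```python
import math
import random

# CHSH analyser angles in degrees (a standard choice, assumed here).
A1, A2, B1, B2 = 0.0, 45.0, 22.5, 67.5

def cos2(deg):
    return math.cos(math.radians(deg)) ** 2

def measure_pair(a, b, eve_present, rng):
    """Return Alice's and Bob's +/-1 outcomes for analyser angles a, b."""
    if not eve_present:
        # Entangled pair (|HH> + |VV>)/sqrt(2): Alice's outcome is random,
        # Bob's matches it with probability cos^2(a - b).
        alice = rng.choice((1, -1))
        bob = alice if rng.random() < cos2(a - b) else -alice
        return alice, bob
    # Eve measured the pair in a guessed basis (0 or 45 degrees), so both
    # photons now carry one definite polarisation and are unentangled.
    theta = rng.choice((0.0, 45.0)) + rng.choice((0.0, 90.0))
    alice = 1 if rng.random() < cos2(a - theta) else -1
    bob = 1 if rng.random() < cos2(b - theta) else -1
    return alice, bob

def correlation(a, b, eve_present, rng, n):
    """Estimate E(a, b), the mean product of the two outcomes."""
    total = 0
    for _ in range(n):
        x, y = measure_pair(a, b, eve_present, rng)
        total += x * y
    return total / n

def chsh(eve_present, rng, n=20000):
    """S = E(a1,b1) - E(a1,b2) + E(a2,b1) + E(a2,b2)."""
    def e(a, b):
        return correlation(a, b, eve_present, rng, n)
    return e(A1, B1) - e(A1, B2) + e(A2, B1) + e(A2, B2)

def channel_ok(s_value, bound=2.0):
    """Accept the key only if S exceeds the classical bound of 2."""
    return abs(s_value) > bound

if __name__ == "__main__":
    rng = random.Random(1991)  # fixed seed, constructed run
    for eve in (False, True):
        s = chsh(eve, rng)
        print(f"eve={eve}: S={s:.3f} accept={channel_ok(s)}")
```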
🌐 The reality: networks, satellites, commerce
From theory to practice, QKD has taken impressive steps. In 2008, the Cambridge–Toshiba collaboration achieved key transmission at 1 Mbit/s over 20 km of optical fiber. In 2015, the longest fiber distance was 307 km (University of Geneva–Corning). The Twin-Field QKD record exceeded 833 km.
The most spectacular demonstration came in August 2016 with the Chinese satellite Micius (QUESS). Pan Jianwei's team measured entangled photons at a distance of 1,203 km between two ground stations. In December 2017, using Micius as a relay, encrypted images and video were transmitted between Beijing and Vienna — the first intercontinental QKD. In 2024, researchers from South Africa and China achieved QKD at 12,900 km via a microsatellite in low Earth orbit.
Commercially, companies like ID Quantique (Geneva), Toshiba, MagiQ Technologies (New York), and QNu Labs (Bangalore) already sell QKD systems. The DARPA QKD network went into operation in Boston in 2004. Japan runs the Tokyo QKD Network, and China has a 2,000 km network between Beijing and Shanghai operating commercially.
🛡️ The criticism: why the NSA says “no”
Despite theoretically perfect security, QKD faces serious criticism. The National Security Agency (NSA) of the US, along with counterparts in Britain (NCSC), France (ANSSI), Germany (BSI), Australia, and elsewhere, explicitly advise against using QKD for critical applications.
First, QKD does not provide source authentication. It can guarantee that no one intercepted the key, but does not prove who the sender is. It requires classical asymmetric cryptography or pre-installed keys for authentication — negating part of the advantage. Second, it requires specialized hardware: dedicated optical fibers or free-space systems. It cannot be implemented in software or easily integrated into existing networks. Third, QKD networks need “trusted relays” over long distances — points where keys are decrypted and re-encrypted, introducing insider threat risk.
Fourth — and perhaps most importantly — the theoretical “unconditional” security holds only in the model. In practice, real devices introduce imperfections. In 2010, a team from Norway and the Max Planck Institute demonstrated they could remotely control the single-photon detectors in commercial QKD systems — stealing the entire key without a trace. The attack exploited weaknesses in avalanche photodiodes, not in the protocol. But for the user, the result is the same: a breach.
🔮 The alternative: post-quantum cryptography
In contrast to QKD, Post-Quantum Cryptography (PQC) follows an entirely different strategy: instead of new hardware, it uses new mathematics. Its algorithms are based on lattices, hash functions, and error-correcting codes, and are believed to resist even quantum computers. In 2024, NIST completed the standardization of four PQC algorithms (ML-KEM, ML-DSA, SLH-DSA, FN-DSA), deployable through software updates on every existing device.
PQC does not offer “proven” security — it relies on the conjecture that no algorithm (classical or quantum) can break the new mathematics in reasonable time. But it is easy to deploy, works on existing infrastructure, can be upgraded with a patch, and requires no special equipment.
⚖️ The real question
The QKD versus PQC discussion is not black and white. QKD provides information-theoretic security: even if in the future some miraculous algorithm is discovered, keys transmitted via QKD remain safe — physics does not change. Conversely, a PQC key recorded today could theoretically be broken tomorrow (a “harvest now, decrypt later” attack).
On the other hand, QKD is at an early stage of commercial maturity. Distances remain limited, costs high, integration difficult. If large-scale networks, quantum repeaters, and satellites become affordable, QKD could serve as a critical complement. If it remains expensive and fragile, it will be confined to high-security government applications.
"Quantum cryptography does not replace classical cryptography — it complements it. Real security requires multiple layers, not a single magic weapon."
Quantum Security Experts
Perhaps the most honest answer to the question “is QKD absolutely secure communication?” is: theoretically yes, practically “not yet.” Physics guarantees the theory. Engineering still needs to deliver on the promise.
