The claim that appears most often in QKD vendor materials is some variant of "information-theoretically secure" or, in looser language, "unbreakable." The physics behind the first claim is genuine. The second phrase should not be used. The gap between those two statements is where most enterprise QKD assessments go wrong, and closing that gap is what this article is for.
Quantum Key Distribution is a key exchange protocol. It uses quantum mechanical properties to distribute a shared secret key between two parties in a way that makes eavesdropping detectable. That is a precise and meaningful statement. It is also a narrower statement than most descriptions of the technology suggest, and the narrowness matters for any organisation deciding whether QKD belongs in its security architecture.
What QKD Is, Precisely
The security foundation of QKD rests on two principles from quantum mechanics. The no-cloning theorem states that an arbitrary unknown quantum state cannot be perfectly copied. Any attempt to measure and retransmit a quantum state necessarily disturbs it. The measurement problem means that observing a quantum system changes it. Together, these properties mean that an eavesdropper attempting to intercept the quantum channel leaves a statistical signature that the communicating parties can detect during the key reconciliation step.
The foundational protocol is BB84, proposed by Charles Bennett and Gilles Brassard in 1984 (Theoretical Computer Science, 560, 2014 reprint). BB84 encodes key bits in the polarisation states of individual photons transmitted over a quantum channel (typically optical fibre or a free-space optical link). The receiving party measures the photons; both parties reconcile measurements over an authenticated classical channel and discard bits where their measurement bases disagreed. What remains is a shared secret key. Any eavesdropping disturbs the photon polarisation states in a way that increases the measured error rate above expected levels. If the error rate exceeds a threshold, both parties know the channel has been compromised and discard the key material.
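The sifting and error-rate check described above, as an added Python simulation that is not part of the original article. It assumes ideal hardware and a noiseless channel and models the eavesdropper as the measure-and-retransmit case; the 11% abort threshold and all function names are assumptions of this example.

```python
import random

QBER_ABORT = 0.11  # assumed abort threshold for this example, not a value from the article


def bb84_run(n_photons, eavesdrop, seed):
    """Simulate one idealised BB84 exchange; return (sifted_key_length, qber)."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    sifted = errors = 0
    for _ in range(n_photons):
        bit = rng.randint(0, 1)       # Alice's raw key bit
        a_basis = rng.randint(0, 1)   # 0 = rectilinear, 1 = diagonal
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Measure-and-retransmit: a wrong-basis measurement yields a random
            # result, and the photon is re-prepared in the eavesdropper's basis.
            e_basis = rng.randint(0, 1)
            if e_basis != state_basis:
                state_bit = rng.randint(0, 1)
            state_basis = e_basis
        b_basis = rng.randint(0, 1)   # Bob's measurement basis
        if b_basis == state_basis:
            measured = state_bit
        else:
            measured = rng.randint(0, 1)
        if b_basis == a_basis:        # sifting: keep only matching-basis positions
            sifted += 1
            errors += int(measured != bit)
    # Real systems estimate the error rate from a disclosed sample of the sifted
    # bits; the simulation compares all of them for simplicity.
    return sifted, (errors / sifted if sifted else 0.0)


def accept_key(qber):
    """Keep the key material only if the error rate is at or below the threshold."""
    return qber <= QBER_ABORT


if __name__ == "__main__":
    for eve in (False, True):
        n, q = bb84_run(20000, eve, seed=1)
        print(f"eavesdropper={eve} sifted={n} qber={q:.3f} accept={accept_key(q)}")
```

About half the photons survive sifting, and the measure-and-retransmit case pushes the error rate on the sifted bits to roughly 25%, which is what the two parties detect.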
The security proof for BB84 was established by Shor and Preskill (Physical Review Letters, 85(2), 2000) and extended by Lo and Chau (Science, 283, 1999). The proofs demonstrate unconditional security: security that holds against a computationally unbounded adversary, including a CRQC, under the assumption of ideal hardware and ideal channel conditions. That assumption carries significant weight in practice.
Beyond BB84, the protocol landscape includes Continuous-Variable QKD (CV-QKD), which encodes key information in the continuous quadrature amplitudes of coherent light states (Grosshans and Grangier, Physical Review Letters, 88(5), 2002) and uses standard telecom homodyne detection equipment rather than single-photon detectors. Measurement-Device-Independent QKD (MDI-QKD), developed by Lo, Curty, and Qi (Physical Review Letters, 108, 2012), removes the requirement to trust the measurement devices and defends against detector side-channel attacks. Twin-field QKD (Lucamarini et al., Nature, 557, 2018) extends achievable distances beyond the repeaterless bound. Each represents a meaningful advance over BB84's constraints, and CV-QKD in particular is relevant to enterprise contexts because of its hardware compatibility with existing telecom infrastructure.
Why the Physics Is Genuinely Impressive
Classical cryptography, including post-quantum cryptography, is computationally secure. Its security holds as long as no efficient algorithm exists to solve the underlying mathematical problem. PQC security rests on the assumption that MLWE or hash function preimage resistance will remain hard for quantum and classical computers. Those are strong assumptions with good evidence behind them. They are still assumptions.
QKD's security is information-theoretic. It does not rest on any computational assumption. A CRQC cannot break a properly implemented QKD key exchange during transmission regardless of computational power, because the security comes from the physics of the quantum channel, not from the hardness of a mathematical problem. Portmann and Renner (Reviews of Modern Physics, 94(2), 2022) provide the current comprehensive treatment of QKD security proofs under realistic assumptions. That distinction between computational security and information-theoretic security is real and meaningful. This article would be dishonest not to acknowledge it.
The qualifications that follow are not arguments against QKD's theoretical properties. They are arguments about the gap between theoretical security under ideal conditions and operational security in real deployments.
What QKD Does Not Solve
Every limitation listed here must be understood before any QKD deployment decision. Several of them are not temporary engineering constraints. Some are fundamental to how the technology works.
QKD does not protect data at rest. QKD distributes keys for new encryption sessions. Data already encrypted and stored with classical algorithms (including any data currently at risk from HNDL attacks) remains vulnerable regardless of whether QKD is deployed for future key exchange. QKD is a forward-looking key distribution mechanism, not a retroactive solution for data already harvested (NCSC, "Quantum Key Distribution," 2020).
QKD does not provide quantum security for digital signatures, authentication, or data integrity. QKD addresses key exchange and nothing else. Digital signatures, code signing, certificate authorities, and authentication protocols require separate post-quantum solutions: specifically ML-DSA (FIPS 204) or SLH-DSA (FIPS 205). An organisation deploying QKD for key exchange while retaining ECDSA for certificate signing and RSA in its authentication infrastructure has addressed a fraction of its quantum exposure. NIST FIPS 204 (August 2024) is explicit on this point.
QKD requires an authenticated classical channel. The reconciliation process, where both parties agree on which bit values are valid after quantum transmission, must happen over a classical channel that is itself authenticated using a pre-shared key or a classical authentication scheme. If that classical channel uses quantum-vulnerable authentication and a CRQC is available, the authentication is the attack surface. A fully quantum-safe QKD deployment requires post-quantum authentication on the classical side. Most current deployments do not meet that requirement (Gisin et al., Reviews of Modern Physics, 74(1), 2002; Portmann and Renner, 2022).
QKD cannot traverse the public internet. Quantum states cannot be amplified without collapsing the superposition. Classical signal amplifiers (repeaters) in optical networks are therefore unusable for the quantum channel. QKD requires a dedicated fibre or free-space optical link between the communicating parties. This is a fundamental physical constraint, not a software engineering problem that will be resolved in the next product release.
Distance is limited by photon loss, and extending range currently requires trusted nodes. Practical single-span QKD over commercial optical fibre operates over approximately 50 to 100 km under normal conditions. Experimental demonstrations using twin-field QKD have achieved approximately 421 km under controlled conditions (Pittaluga et al., Nature Photonics, 15, 2021). To connect locations further apart than the single-span limit, QKD networks use trusted nodes: intermediate relay points where key material is decrypted and re-encoded. At a trusted node, the key exists in plaintext. A trusted node that is compromised breaks end-to-end security.
This is not a theoretical limitation. It is the current operational architecture of every national QKD network in deployment. China's integrated quantum communication network (Beijing to Shanghai, 2,000 kilometres, 32 trusted nodes, operational since 2017) uses this architecture (Chen et al., Nature, 589, 2021). The UK Quantum Network trials and EuroQCI national network deployments use the same approach. Quantum repeaters, which would eliminate the trusted node requirement by preserving quantum coherence across relay hops, require quantum memory with coherence times and fidelities that are not achievable at commercial scale with current technology. The timeline for commercially viable quantum repeaters is not established. Trusted nodes are the current operational reality.
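A minimal model of the trusted-node relay described above, added here as an illustration and not taken from any deployed network's code. Node names, the 32-byte key size and the use of random bytes in place of QKD-generated link keys are assumptions; each hop is one-time-pad encrypted with that link's key.

```python
import secrets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Node:
    def __init__(self, name):
        self.name = name
        self.link_keys = {}  # neighbour name -> key shared over that QKD link
        self.observed = []   # key material that existed in plaintext at this node


def establish_link(a, b, nbytes=32):
    """Give two adjacent nodes a shared link key (random bytes stand in for QKD output)."""
    k = secrets.token_bytes(nbytes)
    a.link_keys[b.name] = k
    b.link_keys[a.name] = k


def relay(path, key):
    """Forward `key` from path[0] to path[-1]; return (delivered key, on-wire ciphertexts)."""
    wire = []
    path[0].observed.append(key)
    for sender, receiver in zip(path, path[1:]):
        ct = xor(key, sender.link_keys[receiver.name])   # encrypt for this hop only
        wire.append(ct)
        key = xor(ct, receiver.link_keys[sender.name])   # receiver decrypts to plaintext
        receiver.observed.append(key)
    return key, wire


def exposed_nodes(path, key):
    """Names of intermediate nodes that held the end-to-end key in plaintext."""
    return [n.name for n in path[1:-1] if key in n.observed]


if __name__ == "__main__":
    path = [Node(n) for n in ("alice", "relay1", "relay2", "bob")]  # constructed topology
    for a, b in zip(path, path[1:]):
        establish_link(a, b)
    k = secrets.token_bytes(32)
    delivered, wire = relay(path, k)
    print("delivered intact:", delivered == k)
    print("plaintext key held at:", exposed_nodes(path, k))
    print("key visible on any link:", any(ct == k for ct in wire))
```

Every link carries only ciphertext, yet each relay necessarily holds the end-to-end key in the clear, so the security of the path reduces to the physical and operational security of every node on it.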
Key generation rate is low relative to high-bandwidth encrypted traffic. Commercial QKD systems generate symmetric key material at rates of kilobits to megabits per second, depending on distance and hardware. Rekeying a 10 Gbps encrypted link at 10-second intervals requires approximately 25.6 Mbps of key material. Many commercial systems cannot sustain that rate at distances of 50 km or more, requiring either extended rekeying intervals (increasing key reuse exposure) or a hybrid approach where QKD-generated keys seed a key expansion scheme (ETSI GR QKD 012 V1.1.1, 2019).
Real QKD hardware is vulnerable to side-channel attacks. Security proofs assume ideal hardware. Commercial QKD implementations use physical devices with imperfections that attackers have exploited. Photon number splitting attacks exploit non-ideal single-photon sources; time-shift attacks exploit detector timing imperfections; bright-light attacks inject strong light pulses to manipulate detector behaviour (Lydersen et al., Nature Photonics, 4, 2010). These are not theoretical concerns. The 2010 Lydersen paper demonstrated successful attacks against commercial QKD systems. MDI-QKD addresses the detector-side attack surface by removing the assumption of trusted measurement devices. Device-independent QKD (DI-QKD) would extend this further, but DI-QKD is not commercially deployed at scale. The gap between theoretical security and implementation security is a real operational risk.
Where QKD Is the Right Tool
None of the above is an argument that QKD is not a legitimate technology. It is an argument that QKD is a specialised tool appropriate to a narrow class of use cases, and that misapplying it creates both cost and security risk.
QKD makes sense where all of the following conditions hold: traffic volume is within the key generation rate of available hardware; the parties are geographically close enough for direct fibre or free-space links without trusted nodes (or the trusted node risk profile is acceptable in the specific threat model); the security requirement is explicitly information-theoretic (meaning that computational hardness assumptions are considered insufficient) and not merely "quantum-resistant"; and the infrastructure investment is justified by the sensitivity of the traffic. NCSC and ENISA (ENISA "Quantum Key Distribution," 2021) both identify the appropriate contexts: government-to-government secure communications, military command links, central bank high-value settlement systems, and diplomatic communications. These are contexts where the sensitivity of the traffic, the low volume requirements, and the available infrastructure make the QKD economics work.
National QKD networks validate the technology at scale in these contexts. China's Micius satellite network demonstrated QKD over 1,200 km in 2017 (Yin et al., Science, 356, 2017) and satellite-mediated ground-to-ground key exchange over 7,600 km in 2020. The EuroQCI initiative, funded under the EU Quantum Flagship programme, plans a pan-European quantum communication infrastructure combining ground-based fibre and satellite links. The engineering works. The scale is not general enterprise.
Whether QKD is appropriate for a specific deployment depends on network topology, traffic volume, security model, and infrastructure investment profile. QSECDEF's QKD Network Readiness Qualifier assesses these variables against your environment and returns a structured recommendation on whether QKD is a viable component of your quantum security architecture. For many organisations, the assessment will confirm that QKD is not the current priority. That is the honest and correct outcome for those environments.
QKD and PQC: The Correct Comparison
QKD and PQC solve overlapping but not identical problems. PQC migration covers the full cryptographic surface: key exchange, digital signatures, certificate infrastructure, code signing, and authentication. It requires no new hardware. It is mandated by federal compliance frameworks, recommended by NCSC, and supported by ETSI. A mid-sized enterprise with a heterogeneous infrastructure can begin PQC migration with existing hardware, open-source libraries, and existing protocol tooling. The programme takes years; it does not require specialised equipment.
QKD covers key exchange only. It requires dedicated physical infrastructure. It is appropriate for a narrower set of use cases. NCSC is explicit in its position: QKD "should be seen as a component of a broader quantum-safe security solution" and PQC migration should be the priority for most organisations (NCSC, "Quantum Key Distribution," 2020). ENISA's 2021 position paper reaches the same conclusion. Neither authority recommends QKD as the primary enterprise quantum security strategy.
The two are not mutually exclusive in a mature architecture. QKD as a key source feeding a PQC-protected classical channel is coherent for high-security point-to-point contexts where the infrastructure cost is justified and the information-theoretic security requirement is genuine. But for any organisation that has not completed PQC migration (which, in April 2026, is most organisations), QKD is not the first investment to make.
The NIST PQC standards are published and production-ready. The HNDL risk is active. The cryptographic inventory work that precedes any migration takes months. There are no QKD deployments that substitute for that programme, and no QKD vendor whose architecture covers the signature, certificate, and authentication surface that PQC migration addresses.
QKD Standards: Where They Stand
The primary QKD standards body for European deployments is ETSI, through its Industry Specification Group for QKD (ISG QKD). Relevant standards include ETSI GS QKD 014 V1.1.1 (2019) for network-context key exchange protocols, ETSI GR QKD 012 V1.1.1 (2019) for device and channel parameters, and ETSI GS QKD 015 V2.1.1 (2022) for software-defined networking integration. ISO/IEC 23837 (2023) provides requirements for QKD modules. BSI TR-02102-4 (2024) covers QKD implementation requirements for German federal use.
There is no NIST standard for QKD. NIST's PQC programme produced standards for post-quantum algorithms running on classical hardware. NIST's engagement with QKD has been limited to interoperability considerations and standards review. Organisations building QKD into their security architecture are working from ETSI and ISO/IEC standards, not from NIST FIPS publications.
QKD's physics are real. Its security guarantees under ideal conditions are genuine. The implementation constraints (distance limits, trusted nodes, low key generation rates, hardware side-channel vulnerabilities, the classical channel authentication requirement) are also real, and they determine whether QKD is the right tool for a specific environment. The organisations that deploy QKD effectively are the ones that have answered that question rigorously rather than accepting vendor claims at face value. NCSC has answered it for most UK commercial organisations already. Their recommendation is clear.