Post-Quantum Cryptography vs Quantum Cryptography: What Is the Difference?

The two terms are not interchangeable, and treating them as if they were produces real planning errors. An organisation that means to ask "which post-quantum algorithm should we deploy in TLS?" but believes it is considering "should we build a quantum key distribution network?" is looking at the wrong cost curve, the wrong procurement catalogue, and the wrong engineering team. Those questions differ by orders of magnitude in infrastructure cost, deployment complexity, and regulatory mandate status. Getting the terminology right is the prerequisite for everything that follows.

NIST's Cryptography Resource Center uses "post-quantum cryptography" with a specific and consistent meaning: cryptographic algorithms, designed to run on classical computers, that resist attacks by both classical and quantum computers. The NIST PQC project ran for eight years, from 2016 to 2024, and concluded with four algorithms standardised as FIPS 203, 204, 205, and 206. Those algorithms run on servers, laptops, and network hardware already in use. No quantum optical equipment is required. No dedicated fibre is required. The hardware does not change.

"Quantum cryptography," in technical usage, most commonly refers to quantum key distribution (QKD): a set of protocols that use quantum mechanical properties of individual photons to establish a shared secret key between two parties such that any eavesdropping attempt is physically detectable. QKD does not run on classical hardware. It requires single-photon sources, single-photon detectors, and dedicated quantum channels. The infrastructure requirement is substantial, the deployment range is constrained to roughly 100 to 200 km on unrepeatered fibre, and neither NCSC nor NSA recommends it as the general migration path for most organisations.

Two Different Answers to the Same Quantum Threat

Both fields exist because of the same underlying problem: a cryptographically relevant quantum computer (CRQC), running Shor's algorithm, would break RSA, ECDH, ECDSA, and classical Diffie-Hellman. The asymmetric cryptographic layer on which TLS, PKI, VPN authentication, code signing, and email encryption currently depend would fail. Both post-quantum cryptography and quantum cryptography are responses to that problem. They are different responses, operating at different layers, with different deployment requirements and different levels of institutional mandate.

The confusion is not a sign of carelessness. Both terms contain the word "quantum." Both are associated with security. Vendors sometimes use "quantum-safe" to mean post-quantum cryptography (in line with NIST framing) and sometimes to mean any product that includes quantum-related technology, including QRNG-equipped hardware that does not replace a single vulnerable algorithm. Standards bodies have worked to clarify the distinction, but the terminology continues to blur in press coverage, procurement documents, and vendor marketing materials. The practical consequence of that blur is that security teams sometimes spend time evaluating QKD deployment proposals when their actual migration problem is a TLS library upgrade.

Post-Quantum Cryptography: A Software Upgrade

Post-quantum cryptography is software cryptography. The algorithms are mathematical constructions whose security rests on problems that neither classical nor quantum computers can solve efficiently. ML-KEM (FIPS 203) is based on the Module Learning With Errors (MLWE) lattice problem. SLH-DSA (FIPS 205) is based on the security of iterated hash functions. FN-DSA (FIPS 206) uses NTRU lattice structures. None of these require quantum hardware to execute. They run on the same processors, in the same memory, over the same network connections as RSA and ECDH today.

The deployment path is a software library upgrade with engineering overhead. A TLS 1.3 connection using ML-KEM-768 for key exchange uses the same network handshake sequence and the same server hardware as a connection using ECDHE-P256. The underlying algebraic structure is different; the deployment context is identical. Google and Cloudflare have operated ML-KEM-768 hybrid key exchange in production TLS since 2023, serving hundreds of millions of connections. The engineering is validated at scale.
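The "same handshake" point can be seen in the ClientHello itself: a hybrid ML-KEM group is one more 16-bit entry in the existing supported_groups extension. The following is an added example, not code from the original article; the function names and the sample extension bytes are constructed for illustration, and the code points are a subset of the IANA TLS Supported Groups registry.

```python
import struct

# Subset of the IANA "TLS Supported Groups" registry, enough for this example.
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
PQ_HYBRID = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard draft hybrid
}

def is_grease(group_id):
    # RFC 8701 GREASE placeholders: 0x0A0A, 0x1A1A, ..., 0xFAFA
    return (group_id & 0x0F0F) == 0x0A0A and (group_id >> 8) == (group_id & 0xFF)

def parse_supported_groups(ext_body):
    """Parse the body of a supported_groups extension: u16 list length, then u16 ids."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (list_len,) = struct.unpack_from("!H", ext_body, 0)
    if list_len != len(ext_body) - 2 or list_len % 2:
        raise ValueError("malformed supported_groups length")
    return [g for (g,) in struct.iter_unpack("!H", ext_body[2:])]

def classify_groups(ext_body):
    """Sort offered groups into PQ-hybrid, classical-only, and unrecognised."""
    report = {"pq_hybrid": [], "classical": [], "unknown": []}
    for g in parse_supported_groups(ext_body):
        if is_grease(g):
            continue  # placeholder value, carries no key exchange
        if g in PQ_HYBRID:
            report["pq_hybrid"].append(PQ_HYBRID[g])
        elif g in CLASSICAL:
            report["classical"].append(CLASSICAL[g])
        else:
            report["unknown"].append(hex(g))
    return report

# Constructed sample: GREASE, X25519MLKEM768, x25519, secp256r1, secp384r1
SAMPLE_EXT = bytes.fromhex("000a" "2a2a" "11ec" "001d" "0017" "0018")

if __name__ == "__main__":
    print(classify_groups(SAMPLE_EXT))
```

A client or server whose report has an empty pq_hybrid list is offering only quantum-vulnerable key exchange, which makes this kind of check usable as an inventory step over captured handshakes.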

The NIST PQC standardisation process is the reference point for confidence in these algorithms: eight years of evaluation by the global cryptographic research community, multiple rounds of cryptanalysis, and public scrutiny from teams across university departments, national laboratories, and independent research organisations. The four final algorithms, ML-KEM, ML-DSA, SLH-DSA, and FN-DSA, carry the weight of that process. No known efficient classical or quantum attack exists against the mathematical problems they depend on. That is the strongest statement the cryptographic community can make about an algorithm; it is the same basis on which RSA was trusted for forty years before Shor's algorithm was published.

The fourth algorithm, ML-DSA (FIPS 204), replaces ECDSA and RSA in digital signature applications. Together, ML-KEM and ML-DSA cover the primary TLS, PKI, and code signing use cases that currently depend on quantum-vulnerable asymmetric algorithms. Why RSA and ECC are vulnerable in the first place is covered in the companion article on Shor's algorithm. The short version: Shor's algorithm solves integer factorisation and the discrete logarithm problem in polynomial time on a quantum computer, collapsing the security of both RSA and all ECC variants.

Quantum Key Distribution: A Physics-Based Approach

Quantum key distribution uses a fundamentally different mechanism. Bennett and Brassard published the BB84 protocol in 1984: Alice sends photons to Bob, encoded in randomly chosen polarisation bases. Bob measures in randomly chosen bases. They compare which bases they used over a classical authenticated channel, discard mismatched measurements, and retain the rest as a shared secret key. An eavesdropper intercepting and re-transmitting the photons disturbs the quantum states in ways that Alice and Bob can detect by comparing a sample of their bit values. If the error rate exceeds a threshold, the key is discarded.

The security argument for QKD rests on the no-cloning theorem (Wootters and Zurek, 1982): it is physically impossible to create an exact copy of an unknown quantum state. Measuring a quantum state necessarily disturbs it. An eavesdropper cannot copy the photons undetected. This is a security argument from the laws of quantum mechanics, not from a computational hardness assumption. In principle, it provides information-theoretic security for the key distribution phase: security that holds even against an adversary with unlimited computational resources.
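The sifting step and the eavesdropping check described above can be simulated classically. This is an added example, not part of the original article: it models an ideal, noiseless channel and an intercept-resend eavesdropper, and the 11% acceptance threshold, the 50% disclosed sample, and all names are assumptions chosen for illustration.

```python
import random

def bb84(n_photons, eavesdrop, seed, sample_fraction=0.5, qber_threshold=0.11):
    """Simulate BB84 on a noiseless channel. Returns (qber, accepted, alice_key, bob_key)."""
    rng = random.Random(seed)  # seeded PRNG, for a repeatable simulation only

    def measure(bit, prep_basis, meas_basis):
        # A matching basis reads the encoded bit; a mismatched basis gives a coin flip.
        return bit if prep_basis == meas_basis else rng.randint(0, 1)

    rows = []  # (alice_bit, bob_bit) for positions where Alice's and Bob's bases matched
    for _ in range(n_photons):
        a_bit, a_basis, b_basis = rng.randint(0, 1), rng.randint(0, 1), rng.randint(0, 1)
        bit, basis = a_bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a random basis and re-sends her result,
            # so the photon Bob receives is prepared in Eve's basis, not Alice's.
            e_basis = rng.randint(0, 1)
            bit, basis = measure(a_bit, a_basis, e_basis), e_basis
        b_bit = measure(bit, basis, b_basis)
        if a_basis == b_basis:  # sifting: bases are compared over the classical channel
            rows.append((a_bit, b_bit))

    n_sample = int(len(rows) * sample_fraction)
    if n_sample == 0:
        raise ValueError("too few sifted bits to estimate the error rate")
    sample, rest = rows[:n_sample], rows[n_sample:]  # the sample is disclosed, then discarded
    qber = sum(a != b for a, b in sample) / n_sample
    accepted = qber <= qber_threshold
    alice_key = [a for a, _ in rest] if accepted else []
    bob_key = [b for _, b in rest] if accepted else []
    return qber, accepted, alice_key, bob_key

if __name__ == "__main__":
    for eve in (False, True):
        qber, ok, key, _ = bb84(8000, eavesdrop=eve, seed=1984)
        print(f"eavesdropper={eve} qber={qber:.3f} accepted={ok} key_bits={len(key)}")
```

Without the eavesdropper the sampled error rate is zero and both sides hold the same key; with intercept-resend on every photon the error rate on sifted bits converges on 25%, well above the threshold, so the key is discarded.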

In practice, QKD has significant constraints that limit its deployment to specific high-security environments. Dedicated quantum channels are required; QKD cannot be overlaid on standard networking infrastructure. Commercial QKD systems from vendors including ID Quantique and Toshiba operate at distances of approximately 100 to 200 km on unrepeatered fibre. Verify against current vendor documentation before relying on this figure. Beyond that range, options are trusted relay nodes (which introduce security assumptions at each relay point, potentially undermining the information-theoretic security argument), satellite-based relay as demonstrated by China's Micius programme, or quantum repeaters (experimental; not commercially deployed as of 2025).

NCSC's published position on QKD is explicit and worth restating in substance. NCSC does not endorse QKD for government or military applications, citing concerns about the trusted relay node requirement, the vulnerability of the quantum channel to denial-of-service attacks, the relative immaturity of quantum channel authentication, and the high cost compared to PQC software solutions. NCSC recommends PQC (FIPS-standardised algorithms) as the appropriate migration path for most organisations. NCSC's position does not preclude organisations from deploying QKD in addition to PQC; it states that QKD is not the recommended general migration path and should not replace PQC adoption. Verify that the 2023 NCSC whitepaper "Quantum security technologies: quantum key distribution" remains the current NCSC position document before relying on this characterisation. NSA's CNSA 2.0, published in September 2022, is consistent with that position: the approved suite mandates ML-KEM-1024 and ML-DSA-87 for National Security Systems, and QKD is not included as an alternative or complement.

For readers who want a detailed technical treatment of QKD protocols, deployment architectures, and where QKD does have validated use cases, the QSECDEF QKD explained article covers this in depth.

Other Meanings of "Quantum Cryptography": QRNG and Beyond

Quantum random number generation (QRNG) is a distinct technology that is sometimes marketed under a "quantum security" banner. QRNG hardware generates random numbers using quantum physical processes such as photon detection timing or vacuum fluctuations. The randomness is genuinely quantum-derived, which is technically accurate. What QRNG provides is high-quality entropy for cryptographic key generation.

What QRNG does not provide is quantum-safe key exchange. Replacing a software pseudorandom number generator with a hardware QRNG while leaving RSA key exchange in place does not address the harvest-now-decrypt-later (HNDL) threat. The randomness quality improves. The key exchange mechanism remains quantum-vulnerable. Shor's algorithm operates on the public key material to reconstruct the private key; the quality of the random number that generated the private key is irrelevant to the attack. QRNG is a component of a strong cryptographic system. It is not a migration strategy.

Beyond QKD and QRNG, the term "quantum cryptography" is sometimes used to describe theoretical fields including quantum digital signatures (protocols using quantum states for signature schemes, largely academic and not commercially deployed), and device-independent QKD (which requires loophole-free Bell inequality violations in deployed settings, not currently achievable at practical distances). The ETSI Quantum Safe Cryptography Technical Committee's taxonomy document, GR QSC 006, provides a structured overview of the full field. For most security practitioners, the relevant distinction is the one drawn above: post-quantum cryptography (software algorithms, classical hardware, NIST standardised) versus quantum key distribution (quantum physics, dedicated hardware, specialist use cases).

How Standards Bodies Separate the Two

ETSI and ITU-T have both published standards that distinguish PQC from QKD while treating both as valid components of a layered quantum security architecture. ETSI's Quantum Safe Cryptography Technical Committee works across both domains. The QSC Migration Guide (ETSI TS 103 744) frames PQC and QKD as different tools operating at different protocol layers: PQC at the software and protocol layer (the key exchange and signature algorithms), QKD at the physical key distribution layer (the secure channel over which key material is delivered). Neither technology is superior to the other in this framing; they address different aspects of the quantum security problem and can be used together in high-assurance environments.

ITU-T Study Group 17 publishes the Y.3800 series on QKD network architecture. ITU-T Y.3800 defines a reference model for QKD networks, entirely separate from the NIST PQC framework, treating QKD as a network-layer technology with its own architecture, nodes, and protocols. ITU-T's framing reinforces the same conclusion: QKD and PQC are not in competition; they occupy different parts of the security stack. Verify that the 2019 version of ITU-T Y.3800 cited here has not been superseded before relying on this citation.

The standards bodies recognise both. The difference between them on mandate status is significant: NIST FIPS 203/204/205/206 are mandated transition targets under NIST IR 8547 (November 2024), with deprecation timelines for RSA and ECC already published. QKD is the subject of ETSI and ITU-T standardisation work but does not carry equivalent regulatory mandate status for most sectors or jurisdictions. Both NSA and NCSC are clear on this point: PQC is the mandated path; QKD is a complementary specialist technology.

What This Means for Your Organisation

For the overwhelming majority of organisations (commercial enterprises, government agencies without specialist quantum communications infrastructure, regulated financial institutions, critical infrastructure operators), the conclusion is the same. PQC is the migration path. ML-KEM (FIPS 203) replaces RSA and ECDH in key encapsulation and key exchange. ML-DSA (FIPS 204) replaces ECDSA in digital signatures. Both run on existing hardware. Both have NIST standardisation status, NSA mandate status, and NCSC endorsement. The QSECDEF NIST PQC Algorithm Selector provides a structured decision tool for mapping specific use cases to the correct FIPS algorithm and key size.

QKD has valid applications in environments that can support dedicated quantum channels and justify the infrastructure investment: high-security government facilities, financial sector core backbone links between a small number of known fixed endpoints, and specific inter-data-centre connections where the economics and security requirements align. In these environments, QKD's information-theoretic security for key exchange and PQC's software-layer authentication are complementary rather than competing. A QKD channel with PQC-authenticated endpoints is stronger than either technology alone.

Most organisations are not in that position. Most organisations are running TLS on web servers, VPNs on commercial hardware, PKI across distributed systems. For them, the migration question resolves to a software upgrade path: TLS libraries, PKI root hierarchies, code signing pipelines, and key management infrastructure, sequenced by exposure to the HNDL threat and operational risk. That is the PQC migration. Quantum optical fibre networks are a different project, for a different set of organisations, on a different decision timeline.

Quick Reference: Five Differences

| | Post-Quantum Cryptography (PQC) | Quantum Key Distribution (QKD) |
|---|---|---|
| What it is | Classical algorithms resistant to quantum attacks (ML-KEM, ML-DSA, SLH-DSA, FN-DSA) | Quantum physics protocol for key exchange using photon quantum states |
| What it runs on | Existing servers, devices, and network hardware | Dedicated quantum optical hardware and channels |
| Security basis | Computational hardness (lattice problems, hash functions), no known quantum attack | Quantum mechanics (no-cloning theorem), information-theoretic in ideal conditions |
| Deployment requirement | Software library upgrade, TLS/PKI compatible | Dedicated quantum channels; 100-200 km range on unrepeatered fibre |
| NCSC and NSA status | Mandated migration path (NIST FIPS 203/204/205/206; CNSA 2.0; NCSC guidance) | Not endorsed as general solution; complementary technology for specialist use cases |

About the Author

Steven Vaile is Director at Quantum Security Defence. He advises governments, financial institutions, and critical infrastructure operators on quantum security strategy and post-quantum cryptography migration. He is a keynote speaker at the QSECDEF World Symposium.