Quantum Key Distribution in Government Deployments: What Works, What Doesn't
Government security programmes increasingly encounter QKD in briefings, vendor pitches, and policy discussions, often without a clear picture of where it has actually been deployed, what problems emerged, and why two of the world's leading government cybersecurity agencies have explicitly declined to endorse it. This article provides that picture.
QKD and post-quantum cryptography are separate technologies addressing different problems. If you are not clear on that distinction before reading further, see Post-Quantum vs Quantum Cryptography: What Is the Difference? The answer to whether QKD belongs in your programme depends on that distinction being understood precisely.
What QKD is and why governments take an interest
Quantum key distribution uses quantum mechanical properties of photons to generate and distribute a shared cryptographic key between two parties. The defining property is physical: any eavesdropping attempt disturbs the quantum state of the photons, introducing detectable errors in the quantum channel. This security argument is information-theoretic, meaning it does not rest on the difficulty of a mathematical problem but on the laws of physics. A future computer of any power cannot change the physics.
The most widely deployed commercial QKD protocol is BB84, proposed by Bennett and Brassard in 1984, and its decoy-state variants. Continuous-variable QKD (CV-QKD) and measurement-device-independent QKD (MDI-QKD) operate at smaller scale in research and pilot deployments. The ETSI ISG QKD working group has published a series of specifications (GS QKD 001 through 016) covering use cases, security requirements, and testing procedures.
Government interest in QKD is driven by two considerations that sit outside the typical commercial threat model. Nation-state adversaries operate on longer time horizons than commercial threat actors: a classified communication that must remain confidential for twenty to thirty years faces a different harvest-now-decrypt-later (HNDL) risk profile than a commercial transaction. And for highly classified programmes, HNDL collection is happening today. QKD provides key distribution that no future computer can retrospectively compromise, because the key never traversed a mathematically vulnerable channel.
NCSC and NSA: why two major government agencies do not endorse QKD
The UK National Cyber Security Centre published an explicit position in its 2023 white paper "Quantum security technologies." NCSC's conclusion is direct: it does not endorse QKD for government or military applications. The reasoning is specific and worth understanding in full, because it is not a dismissal of QKD's physics.
NCSC identifies four technical limitations. First, beyond approximately 100 km on unrepeatered fibre, QKD requires trusted relay nodes. Each relay terminates one quantum link and initiates another, holding keys in plaintext at the junction. The end-to-end security of a multi-hop QKD link reduces to the physical and personnel security of each relay node. An information-theoretic security claim on the quantum channel becomes a physical-security-of-hardware-in-a-building claim at the relay.
Second, QKD protects only the key distribution channel. It must be used with a classical encryption algorithm for bulk data, and the quantum channel itself requires classical or post-quantum authentication to prevent man-in-the-middle attacks. The security of the authentication depends on classical or post-quantum cryptography. PQC is required regardless of whether QKD is also used. QKD and PQC are not alternatives; they address different layers of the same problem.
Third, a denial-of-service attack on the quantum channel, such as injecting light to saturate the single-photon detectors, leaves communications without key distribution capability. QKD-dependent systems need an alternative key distribution mechanism for resilience.
Fourth, NCSC considers the infrastructure cost and operational overhead disproportionate to the security benefit when FIPS-standardised PQC algorithms are available as a software upgrade with no new physical infrastructure.
The US National Security Agency takes the same position through a different mechanism. NSA's CNSA 2.0 advisory (September 2022) specifies ML-KEM-1024 (FIPS 203) and ML-DSA-87 (FIPS 204) as the required algorithms for National Security Systems. QKD does not appear. NSA has separately confirmed that QKD is not a replacement or supplement for the CNSA 2.0 algorithms in NSS communications.
The shared conclusion of NCSC and NSA is not that QKD's physics is wrong. It is that in practical deployments, QKD systems rely on classical security components that PQC addresses, while the trusted relay node requirement introduces physical trust assumptions absent from software-based PQC migration. PQC is required in either case.
France: ANSSI's more permissive posture
ANSSI, the French national cybersecurity agency, has taken a different view. It is important to frame this position correctly: ANSSI's 2022 paper predates the NIST FIPS 203/204/205 standards finalised in August 2024, and the position should be read in that pre-standardisation context. ANSSI's 2022 position paper on post-quantum cryptography acknowledges QKD as a complement to PQC for high-security applications, particularly long-lifecycle government communications, and does not exclude it from consideration for protected networks. ANSSI's position was that a hybrid approach, combining QKD for key distribution on physically controlled networks with PQC for authentication and general cryptography, may be appropriate for specific government contexts. Whether ANSSI's posture has been updated following NIST FIPS finalisation should be verified directly with current ANSSI publications before relying on the 2022 paper as a current statement of French government policy.
France has participated in QKD research on academic and research networks, including trials on the RENATER national research and education network. France is also among the leading participants in EuroQCI (European Quantum Communication Infrastructure), the European Commission initiative to deploy a pan-EU quantum communication network combining terrestrial fibre QKD and satellite-based relay, with a target deployment window of approximately 2027 to 2030. Participation in EuroQCI does not reduce the urgency of PQC migration for general IT infrastructure. EuroQCI is designed to complement PQC migration, not to substitute for it.
South Korea: operational government QKD deployment
South Korea has made among the most sustained investments in government QKD deployment of any country outside China. The Korea Internet and Security Agency (KISA) has coordinated QKD deployment across South Korean government networks, with involvement from the National Intelligence Service (NIS) in QKD standards and procurement. As of 2020 to 2021 conference documentation, the baseline figure for protected government network links stood at approximately forty, primarily from SK Broadband, KT (Korea Telecom), and POSTECH. This should be treated as a historical baseline: the programme has continued since then, but the most recent comprehensive published figure available in English-language sources dates to that period. Current programme scope should be verified against recent KISA publications before citing a precise link count.
SK Broadband's commercial QKD service, marketed as the Q-Key Quantum Network, launched in 2020 and offers QKD-based key distribution over metropolitan fibre to government and enterprise customers in Seoul and Busan. The technology is BB84 decoy-state QKD, operational at distances up to approximately 80 km per link, with trusted relay nodes for longer distances. This is one of the few examples globally of commercially operated QKD infrastructure available to government customers outside China. South Korea's approach consistently treats QKD as an additional security layer over classified government networks, not as a PQC replacement.
Singapore: national testbed and government integration
Singapore's Centre for Quantum Technologies (CQT) at the National University of Singapore, working with Singtel and the Infocomm Media Development Authority (IMDA), has operated the Singapore Quantum-Safe Network (SQSN) as a national testbed since 2021. The network connects government agencies and research institutions via QKD links over Singtel's fibre infrastructure and serves as both an operational pilot and an ETSI-standard QKD interoperability research platform.
Singapore's Ministry of Defence (MINDEF) and Cyber Security Agency (CSA) have both included quantum-safe communications, including QKD pilots, in Singapore's national cybersecurity strategy. The National Research Foundation's Quantum Engineering Programme has funded QKD integration research. Singapore's posture is more active on QKD than the UK or US, which is consistent with its broader policy of building indigenous capability in quantum technologies. The current operational status and network extent of SQSN should be verified against CQT and IMDA current publications; the 2021 launch documentation is the most recent publicly detailed source.
China: the largest deployed QKD infrastructure
China's QKD infrastructure is the largest in the world by any published measure. The Beijing-Shanghai backbone QKD network, operational since 2017 and expanded to approximately 2,000 km of total fibre, connects multiple cities and is used by the People's Bank of China and other government entities. The network employs trusted relay nodes throughout its length.
The Micius satellite, launched in 2016 and operated by the Chinese Academy of Sciences, demonstrated intercontinental QKD over approximately 7,600 km between ground stations in China and Austria in 2017 (Liao et al., Science, 2017). A 2021 paper in Nature documented an integrated space-to-ground quantum communication network spanning approximately 4,600 km (Chen et al., Nature, 2021). These are peer-reviewed demonstrations of real operational scale. The primary domestic QKD vendor is QuantumCTek (QTEK), publicly listed on the Shanghai STAR Market.
China's scale reflects both national security priorities and industrial policy. QuantumCTek and the Chinese Academy of Sciences have commercial and strategic interests in demonstrating QKD viability that are distinct from the security certification requirements of Western government frameworks. The presence of large-scale Chinese QKD deployment does not resolve the trusted relay node trust problem or the ETSI certification maturity question for Western security planners. It does provide the most extensive real-world performance data for the technology.
The trusted relay node problem and advanced protocols
The fundamental technical limitation of QKD over long distances is the trusted relay node requirement. Quantum signals in optical fibre suffer from exponentially increasing loss with distance. At approximately 100 to 200 km, the quantum bit error rate and channel loss make direct QKD impractical without a repeater. Classical signal amplifiers cannot be used, because amplification would destroy the quantum state. The solution in all currently deployed systems is the trusted relay: an intermediate point that terminates one QKD link and initiates the next, holding the key in plaintext at the junction.
The end-to-end security model of a multi-hop QKD network is therefore not information-theoretic for the full path. It is information-theoretic for each individual link and physical-security-dependent for the chain of relay nodes. This is a precise technical limitation, not a vague concern about hardware quality.
MDI-QKD (Lo et al., Physical Review Letters, 2012) removes trust in the measurement device, eliminating the detector side-channel attacks that affect standard QKD implementations. It has been demonstrated in field trials by groups at the University of Toronto, Toshiba Research Europe, and the University of Science and Technology of China. MDI-QKD has not yet reached commercial maturity with government certification.
Twin-field QKD (TF-QKD), proposed by Lucamarini et al. in Nature (2018), extends transmission distance beyond the repeaterless limit through single-photon interference, with experimental demonstrations at approximately 500 km on unrepeatered fibre. Commercial deployment has not been achieved as of knowledge cutoff August 2025. Planning that assumes TF-QKD commercial availability on current PQC migration timescales is not well-founded.
Side-channel vulnerabilities in QKD hardware
QKD's information-theoretic security proof applies to the idealised protocol. Real QKD devices have documented side-channel vulnerabilities. Published attacks include photon-number-splitting (PNS) attacks against imperfect single-photon sources; time-shift attacks on gated single-photon detectors; and blinding attacks on avalanche photodiode detectors (Lydersen et al., Nature Photonics, 2010), which demonstrated that commercial QKD systems could be controlled by an attacker using bright illumination to saturate the detector. Decoy-state QKD (Lo, Ma and Chen, Physical Review Letters, 2005) is the standard mitigation for PNS attacks in commercial systems. Detector blinding attacks require hardware-level countermeasures.
The practical implication is that certifying a QKD system against a formal security standard requires both the theoretical protocol to be provably secure and the physical implementation to be free from exploitable side channels. ETSI ISG QKD has published specifications covering security requirements, testing procedures, and protocol definitions. No QKD system has received the equivalent of a FIPS 140-3 validation as of knowledge cutoff August 2025. The certification framework for QKD hardware is more analogous to Common Criteria than to the NIST CMVP, reflecting the hardware-specific nature of the devices.
A pragmatic assessment: where QKD applies and where it does not
For government security planners, the applicability of QKD divides into three zones.
Where QKD has demonstrated value: Short-to-medium distance fixed links (under approximately 200 km) between highly classified facilities where endpoint security can be fully assured, trusted relay nodes are under complete organisational physical control, and the cost and infrastructure overhead are acceptable within the programme budget. Government data centre interconnects and classified agency building-to-building links in a controlled metropolitan area are the primary examples.
Where QKD is architecturally limited: Any communications path requiring trusted relay nodes outside organisational control; mobile or tactical communications; cloud service integration; and any application dependent on a public key infrastructure for authentication, because PKI authentication requires PQC regardless of the key distribution method used.
Where PQC is the correct answer: General-purpose government IT infrastructure, internet-facing systems, supply chain communications, cloud workloads, and all certificate infrastructure. NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and FIPS 206 (FN-DSA) are the endorsed standards. PQC is a software upgrade path, deployable without new physical infrastructure, and explicitly endorsed by both NCSC and NSA for all government IT use cases.
NCSC's 2023 white paper indicates that the agency's non-endorsement position is not permanent and could be reconsidered as QKD technology develops, with quantum repeaters cited as the specific technical development that would most significantly change the assessment. The precise wording of any future NCSC review commitment should be verified directly against the source document rather than paraphrased. Quantum repeaters based on entanglement swapping and quantum memory are an active research field. No commercial quantum repeater exists as of knowledge cutoff August 2025. Programme planning should not assume their availability on PQC migration timescales of 2026 to 2033.
QKD and PQC are not in competition. For specific high-assurance fixed-link contexts, they are complementary layers. For general government IT infrastructure, PQC is the path, and that migration cannot wait for QKD technology to mature. Every organisation in or adjacent to government that has not yet started its PQC programme has a known timeline problem, regardless of where it lands on QKD.
Sources verified 2026-05-18
Sources: Bennett and Brassard, ICASSP 1984 (reprinted https://doi.org/10.1016/j.tcs.2014.05.025); Gisin et al., Reviews of Modern Physics 74, 2002, https://doi.org/10.1103/RevModPhys.74.145; ETSI GS QKD 002; NCSC "Quantum security technologies," 2023, https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies; NSA CNSA 2.0, September 2022; NSA/CSS Quantum Computing and Post-Quantum Cybersecurity, 2021; ANSSI Post-Quantum Cryptography positions, 2022, https://www.ssi.gouv.fr/en/publication/anssi-views-on-the-post-quantum-cryptography-transition/; European Commission EuroQCI, https://digital-strategy.ec.europa.eu/en/policies/european-quantum-communication-infrastructure-euroqci; Liao et al., Science 2017, https://doi.org/10.1126/science.aan3211; Chen et al., Nature 2021, https://doi.org/10.1038/s41586-021-03582-w; Lo, Curty and Qi, PRL 2012, https://doi.org/10.1103/PhysRevLett.108.130503; Lucamarini et al., Nature 2018, https://doi.org/10.1038/s41586-018-0066-6; Lydersen et al., Nature Photonics 2010, https://doi.org/10.1038/nphoton.2010.214; Lo, Ma and Chen, PRL 2005, https://doi.org/10.1103/PhysRevLett.94.230504; ETSI ISG QKD specifications; NIST FIPS 203/204/205/206; Kim et al., ETSI/IQC Quantum Safe Cryptography Workshop 2020; CQT NUS Singapore Quantum-Safe Network; Singapore Cybersecurity Strategy 2021.