Quantum Key Distribution
Explore QKD fundamentals, BB84 protocol simulation, classical post-processing, and global deployment landscape.
What is Quantum Key Distribution?
Quantum Key Distribution (QKD) is a method of distributing encryption keys using the laws of quantum physics rather than mathematical hardness assumptions. Unlike cryptography that relies on computationally hard problems, QKD derives its security from the principle that measuring a quantum state inevitably disturbs it, which provides information-theoretic security.
Classical cryptography:
- Security from mathematical hardness
- Runs on standard networks
- Broken by quantum computers (Shor)

Post-quantum cryptography (PQC):
- Security from quantum-hard problems
- Runs on standard networks
- Believed secure against quantum attacks

QKD:
- Security from physics (information-theoretic)
- Requires dedicated quantum channel
- Provably secure if implemented correctly
The BB84 Protocol
BB84, proposed by Bennett and Brassard in 1984, was the first QKD protocol. It uses single photons encoded in two conjugate bases to establish a shared secret key between two parties (Alice and Bob) while detecting any eavesdropper (Eve).
Alice generates random bits and encodes each in a randomly chosen basis: rectilinear (+) with states ↕/↔, or diagonal (x) with states ⤢/⤡. She sends the photons to Bob over a quantum channel.
Bob independently chooses a random basis (+ or x) for each photon and measures it. When his basis matches Alice's, the result is deterministic. When it doesn't, the result is random.
Alice and Bob publicly compare which basis they used for each position (without revealing the bit values). They keep only the positions where both used the same basis: the sifted key (~50% of transmitted bits).
They sacrifice a random sample of the sifted key to check for errors. If the error rate exceeds ~11%, eavesdropping is detected and the key is discarded.
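The four steps above as a small simulation, added here as an illustration and not taken from the page's own workshop code. It models an ideal, lossless channel and, optionally, an intercept-resend eavesdropper, to show why the error check exposes her; the function names, the 25% sample fraction and the seeds are assumptions.

```python
import random

BASES = "+x"  # rectilinear (+) and diagonal (x)

def bb84_sift(n, eve=False, seed=1):
    """Send n photons; return Alice's and Bob's sifted keys (matching bases only)."""
    rng = random.Random(seed)  # seeded PRNG for a repeatable simulation, not for real keys
    alice_key, bob_key = [], []
    for _ in range(n):
        bit, a_basis = rng.getrandbits(1), rng.choice(BASES)
        p_bit, p_basis = bit, a_basis              # state of the photon in flight
        if eve:                                    # intercept-resend eavesdropper
            e_basis = rng.choice(BASES)
            if e_basis != p_basis:                 # wrong basis: Eve's result is random
                p_bit = rng.getrandbits(1)
            p_basis = e_basis                      # she resends in her own basis
        b_basis = rng.choice(BASES)
        measured = p_bit if b_basis == p_basis else rng.getrandbits(1)
        if a_basis == b_basis:                     # public basis comparison (sifting)
            alice_key.append(bit)
            bob_key.append(measured)
    return alice_key, bob_key

def estimate_error_rate(alice_key, bob_key, fraction=0.25, seed=2):
    """Reveal a random sample of the sifted key; return (error_rate, remaining_key)."""
    rng = random.Random(seed)
    sample = set(rng.sample(range(len(alice_key)), int(len(alice_key) * fraction)))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    remaining = [b for i, b in enumerate(alice_key) if i not in sample]
    return errors / len(sample), remaining

def run_session(n=8000, eve=False, threshold=0.11):
    """Run one exchange and apply the ~11% abort threshold from the text."""
    alice_key, bob_key = bb84_sift(n, eve)
    rate, remaining = estimate_error_rate(alice_key, bob_key)
    accepted = rate <= threshold
    return {"sifted": len(alice_key), "error_rate": rate,
            "accepted": accepted, "key_bits": len(remaining) if accepted else 0}

if __name__ == "__main__":
    print("quiet channel:   ", run_session(eve=False))
    print("intercept-resend:", run_session(eve=True))
```

Eve guesses the wrong basis half the time, and each wrong guess gives Bob a random result, so about a quarter of the sifted bits disagree, well above the threshold.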
State of the Art
QKD technology has matured significantly since the first demonstration in 1989. Today, commercial systems are deployed by governments and telecom operators worldwide, though significant constraints remain.
| Technology | Max Distance | Key Rate | Maturity |
|---|---|---|---|
| Fiber (single link) | ~100 km | ~1-10 Mbps (short), ~1 kbps (long) | Commercial |
| Fiber (trusted nodes) | >2,000 km | Limited by node processing | Deployed |
| Satellite | >7,000 km | ~1-10 kbps (LEO passes) | Demonstrated |
| Free-space (urban) | ~10 km | Weather-dependent | Research |
Notable milestones: Micius satellite (China, 2016), Beijing-Shanghai 2,000 km backbone (2017), BT/Toshiba commercial metro network (UK, 2022).
Satellite QKD
Fiber-based QKD is limited to roughly 100 km per link due to exponential photon loss in optical fiber. Trusted-node chains can extend range, but each relay is a potential point of compromise. Satellite QKD bypasses this fundamental constraint: free-space optical links through vacuum suffer no fiber absorption, and the atmosphere is thin (~10–20 km), meaning a low-Earth-orbit satellite pass traverses a relatively short atmospheric path. This makes satellites the leading approach for intercontinental and trans-oceanic quantum key distribution, including Earth-to-satellite, satellite-to-ground, and inter-satellite links.
Trusted-node satellite QKD:
- Satellite acts as a moving trusted node between ground stations
- Generates separate keys with each ground station, then relays
- Demonstrated by Micius (China–Austria, 7,600 km, 2017)
- Simpler to implement with current technology
- Satellite must be physically secured (compromise exposes keys)

Entanglement-based satellite QKD:
- Satellite distributes photon pairs to two ground stations
- No key material ever exists on the satellite itself
- Eliminates the trusted-node vulnerability entirely
- Demonstrated by Micius over 1,120 km (2020)
- More technically demanding; requires high-fidelity photon sources
Key Satellite QKD Initiatives
| Program | Country | Operator | Status |
|---|---|---|---|
| Micius (QUESS) | China | CAS / USTC | Operational |
| EAGLE-1 / EuroQCI | EU | ESA / SES | Planned |
| QEYSSat | Canada | CSA / U. Waterloo IQC | Planned |
| SOCRATES | Japan | NICT | Completed |
| SpooQy-1 | Singapore | NUS CQT | Completed |
| QKDSat | UK | ESA / Craft Prospect | Planned |
Limitations & NIST Position
While QKD offers unique theoretical security guarantees, it faces significant practical limitations. NIST has expressed skepticism about QKD as a general-purpose solution, recommending PQC for most use cases.
Strengths:
- Information-theoretic security (not based on computational assumptions)
- Forward secrecy: past keys remain secure even if future technology advances
- Eavesdropping detection built into the protocol
- Complements PQC as an additional security layer

Limitations:
- Distance: ~100 km fiber without trusted nodes
- Trusted nodes: compromise any relay → all keys exposed
- Cost: dedicated fiber, cryogenic detectors, specialized hardware
- Side channels: real devices have implementation vulnerabilities
- Key rate: orders of magnitude lower than classical methods
- No authentication: QKD itself does not authenticate parties
"NIST does not generally recommend QKD … QKD addresses only the key distribution problem … it requires special-purpose equipment … [and] is only proven secure under certain theoretical models that may not match real-world implementations."
NIST recommends post-quantum cryptography (FIPS 203/204/205) as the primary solution for quantum-resistant security, while acknowledging QKD may have niche applications in high-security environments.
QKD + PQC KEM Integration
In practice, QKD is most valuable when combined with PQC key encapsulation mechanisms. A hybrid approach uses both a QKD-derived key and an ML-KEM shared secret, combining them via HKDF so that security holds even if one source is compromised.
The combined key is secure as long as either the QKD channel OR the ML-KEM exchange remains unbroken — defense in depth.
QKD + HSM Integration
Hardware Security Modules (HSMs) play a critical role in QKD deployments by providing tamper-resistant storage for QKD-derived keys and managing the key lifecycle. The integration follows standard PKCS#11 patterns.
Key Generation: QKD hardware generates a shared secret via BB84 or a similar protocol between endpoints.
HSM Import: QKD-derived key material is imported into the HSM via secure key injection (C_UnwrapKey or C_CreateObject).
Key Usage: Applications access QKD-derived keys through the HSM PKCS#11 API for encryption, MAC generation, or further key derivation.
Key Rotation: QKD continuously generates fresh keys; the HSM manages rotation and lifecycle (expiry, destruction).
Learn more about HSM operations and PKCS#11 workflows in the Key Management & HSM module.
Telecom & Government Adoption
QKD is being adopted primarily by governments and telecom operators who need the highest levels of communication security. China leads with the world's largest QKD infrastructure, while Europe is building a pan-continental network through the EuroQCI initiative.