Quantum Security: Understanding the Terminology and Context
Introduction
“Quantum security” is a term that is increasingly being used, with everyone having their own definition of it. It can carry multiple meanings depending on context, but so do other related terms. The whole field is fairly new and related terms are not yet clearly defined. So this is my attempt to untangle the ambiguity by exploring what quantum security commonly refers to, how related terms like quantum resistance, quantum-safe cryptography, quantum resilience, quantum readiness, post-quantum security, and post-quantum cryptography (PQC) are defined, and how different organizations and standards bodies use these terms.
Multiple Meanings of Quantum Security
The term quantum security is not formally standardized and is used in at least three different ways:
Three Meanings
Using Quantum Technologies for Security
In one sense, quantum security refers to the use of quantum mechanics to secure data and communications.
This includes technologies like quantum key distribution (QKD) and quantum random number generators (QRNGs). For example, one source explicitly defines quantum security as “the use of quantum mechanics to secure the transfer of data”. Under this definition (often dubbed quantum cryptography), quantum phenomena such as superposition and entanglement are leveraged to achieve security properties that classical methods cannot. QKD is the flagship example – it uses quantum states (typically photons) to distribute encryption keys such that any eavesdropping is detected, thus providing secrecy based on physics rather than computational assumptions. In practice, QKD allows two parties to detect interception and abort the communication, making the key exchange theoretically immune to eavesdroppers (including those with future quantum computers).
This flavor of “quantum security” is about quantum-enabled security – improving security with quantum technology.
Securing Systems Against Quantum Threats
In another common usage, quantum security refers to protecting classical information systems from the threats posed by quantum computing.
In this context, the focus is on post-quantum or quantum-resistant cryptography – new cryptographic algorithms and protocols that should remain secure even if an adversary has a quantum computer. This usage is about being secure against quantum techniques. For example, one description states that quantum security is “a cybersecurity branch dedicated to safeguarding sensitive information from the potential risks posed by future quantum computers”.
In other words, this is the field of developing and deploying quantum-proof defenses so that today’s data will not be decrypted by tomorrow’s quantum code-breakers. In practice, this primarily means post-quantum cryptography (PQC) – algorithms (running on classical computers) that are believed to be unbreakable even with quantum computing – as well as broader strategies to maintain security in the quantum era. (We will define PQC and quantum-resistant algorithms in detail below.)
Security of Quantum Systems Themselves
A less common interpretation is the cybersecurity of quantum technologies.
As quantum computers and quantum networks emerge, they too will need protection from hacking, malware, or sabotage. For instance, ensuring a cloud-based quantum computer is secure from intrusion, or that a QKD device cannot be tampered with, falls under this category. While this is an important topic (sometimes called quantum cybersecurity in the narrow sense), it’s not usually what people mean by “quantum security” in everyday discussion, at least not yet. Indeed, the phrase quantum security is rarely used in this narrow sense; instead one might talk about the specific system (e.g. security of QKD networks, or secure protocols for quantum computing services).
Standards bodies like the ITU-T have begun addressing such issues (for example, defining security requirements for QKD equipment to be intrusion-resistant), but these efforts are specialized. In general, unless explicitly specified, “quantum security” is typically understood in one of the first two senses above – either using quantum tech for security, or securing against quantum attacks.
With such divergent meanings, the “right” use of the term depends on context. In practice, the second meaning – protecting against the quantum computing threat – has become the most pressing topic in cybersecurity today. The prospect of future quantum computers breaking today’s encryption has driven extensive research and policy activity. As a result, discussions of “quantum security” at conferences or in policy often center on quantum-proof cryptography and organizational readiness. At the same time, vendors and researchers working on QKD and quantum communications also use “quantum security” to describe their technologies. This dual use can be confusing. Therefore, experts and standards organizations increasingly favor more precise terms (defined below) to avoid ambiguity.
Post-Quantum Cryptography (PQC), Quantum-Resistant, and Quantum-Safe Cryptography
When it comes to securing data against quantum attackers, the key concept is post-quantum cryptography (PQC). PQC refers to new cryptographic algorithms – usually for public-key encryption and digital signatures – that are designed to be secure against both classical and quantum computational attacks. In other words, even if an adversary had a powerful quantum computer, these algorithms (as far as we know) would not be efficiently breakable. PQC algorithms are implemented on conventional, classical computers; they are post-quantum in the sense that they will remain secure in a future where quantum computers exist (not because they require a quantum computer to run).
Synonymous Terms: PQC is often used interchangeably with several other terms, notably quantum-resistant cryptography and quantum-safe cryptography. All these terms refer to the same class of solutions.
A U.S. National Security Agency (NSA) FAQ document clarifies: “Quantum-resistant (QR), quantum-safe, and post-quantum (PQ) cryptography are all terms used to describe cryptographic algorithms that can be run on computers today and are believed to be resistant to cryptanalytic attacks from both classical and quantum computers”. Similarly, Wikipedia notes that post-quantum cryptography is “sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant.”
In short, PQC = quantum-resistant = quantum-safe = quantum-proof in most discussions. (Some organizations use these terms in slightly different ways, which we will address later, but generally they are synonymous.) In practice, calling an algorithm “quantum-resistant” or “quantum-safe” means the same thing: it is believed to withstand attacks by a quantum computer.
Definition
A clear definition comes from NIST (the U.S. National Institute of Standards and Technology), which led a global effort to standardize PQC algorithms. NIST states that the goal of post-quantum (quantum-safe) cryptography is to develop “cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks”. European standards use similar language; for example, ETSI (the European Telecommunications Standards Institute) explains that “quantum-safe cryptography refers to efforts to identify algorithms that are resistant to attacks by both classical and quantum computers, to keep information assets secure even after a large-scale quantum computer has been built.”
In practice, this involves cryptographic constructions based on hard mathematical problems that neither known classical nor quantum algorithms can solve efficiently – examples include lattice-based problems, error-correcting code problems, multivariate polynomial problems, hash-based constructions, and others. These underlying problems are believed to be quantum-resistant, providing the security foundation for PQC algorithms.
Why It Matters
The urgency behind PQC comes from Peter Shor’s 1994 algorithm, which showed that a sufficiently powerful quantum computer could factor large integers and compute discrete logarithms exponentially faster than any known classical algorithm – effectively breaking RSA, Diffie-Hellman, elliptic-curve cryptography (ECC) and other commonly used public-key schemes. Such a “cryptanalytically relevant” quantum computer (CRQC) does not exist yet, but the threat is taken very seriously. Adversaries might be harvesting encrypted data now to decrypt later when quantum capabilities emerge (the so-called “store now, decrypt later” strategy).
Moreover, migrating the world’s cryptographic infrastructure to new algorithms is a massive effort that can take a decade or more, so proactive planning is required.
In short, without quantum-resistant cryptography, data secured under today’s algorithms (RSA/ECC) could be exposed once a large quantum computer appears.
Standards and Timeline
Recognizing this threat, NIST initiated a public competition in 2016 to standardize post-quantum algorithms. By 2022, NIST had selected a first batch of PQC algorithms (based on lattice and hash-based schemes) for standardization, and in 2024 it released the initial PQC standards.
Internationally, standards bodies have embraced PQC as well. ETSI formed a Quantum-Safe Cryptography working group in 2015, and ISO/IEC has also worked on PQC standards (in early documents ISO used the term “quantum computing resistant cryptography,” which is equivalent to quantum-resistant cryptography).
The terms may differ – quantum-safe cryptography is often used in Europe, whereas U.S. agencies prefer post-quantum or quantum-resistant cryptography – but the focus is the same: future-proofing cryptography against quantum-enabled adversaries. For example, the European Union Agency for Cybersecurity (ENISA) and others have urged adoption of “quantum-resistant encryption, including hybrid solutions” to protect European critical systems in coming years.
In summary, when policymakers and technical experts talk about quantum security today in a cybersecurity context, they most often mean post-quantum security – ensuring that encryption, digital signatures, and other cryptographic mechanisms remain strong in the face of quantum computing. As one industry source puts it, “quantum security addresses this challenge by protecting sensitive data from future quantum-enabled attacks [and] securing communications in quantum-safe ways.”
(It’s worth noting that symmetric cryptography and hashing are also impacted by quantum computing, but to a lesser degree – Grover’s algorithm can speed up brute-force attacks, effectively halving the security level, in bits, of symmetric keys. Fortunately, doubling key sizes (e.g. using AES-256 instead of AES-128) mitigates that, so symmetric schemes are largely considered quantum-safe with sufficient key lengths.)
Quantum Cryptography and Quantum Key Distribution (QKD)
On the other side of the coin, quantum security can refer to security techniques that rely on quantum physics themselves – what is classically known as quantum cryptography. The quintessential example of this is quantum key distribution (QKD). QKD involves two parties exchanging cryptographic key material over a quantum channel (for example, encoding bits in the polarization of photons) such that any eavesdropping by an attacker will inevitably disturb the quantum states and be detected. QKD, when implemented correctly, provides a form of security based on the laws of physics: it is often described as “provably secure against any computational or mathematical attack” because no amount of computing power (classical or quantum) can circumvent the physics of quantum measurements that QKD relies on. In essence, QKD offers unconditional secrecy of the key exchange, guaranteed by quantum mechanics.
It’s important to note that QKD is not a drop-in replacement for public-key encryption; rather, it’s a method to distribute secret keys with extremely high assurance. Those keys still need to be used in symmetric encryption algorithms (like one-time pad or AES) to actually encrypt data. QKD also requires specialized hardware (single-photon sources, detectors, etc.) and is limited by distance (optical fiber losses or line-of-sight for free-space links). Currently, QKD is used in niche applications – such as securing links between bank data centers or in government/military communication lines – and in various pilot networks around the world.
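The eavesdropping detection described above can be simulated classically. This is an added example, not code from any QKD product or from the sources the article quotes; it assumes the BB84 protocol (which the article does not name), an ideal noiseless channel, an eavesdropper who measures and resends every photon, and an illustrative 11% abort threshold.

```python
import random

# Assumed abort threshold for this example; a real system derives its
# threshold from the security proof and error correction it uses.
ABORT_QBER = 0.11


def measure(photon, basis, rng):
    """Measure a photon given as (preparation_basis, bit).

    The right basis returns the encoded bit; the wrong basis returns a coin flip.
    """
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randint(0, 1)


def transmit(n_photons, eavesdropper, rng):
    """Send n photons and return Alice's and Bob's sifted bits.

    Sifting keeps only the positions where Alice's and Bob's bases matched.
    """
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        photon = (a_basis, a_bit)
        if eavesdropper:
            # Measuring destroys the original state, so the eavesdropper
            # can only resend what she saw, prepared in her own basis.
            e_basis = rng.randint(0, 1)
            photon = (e_basis, measure(photon, e_basis, rng))
        b_basis = rng.randint(0, 1)
        b_bit = measure(photon, b_basis, rng)
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def run_session(n_photons, eavesdropper, seed, sample_fraction=0.5):
    """Run one key exchange and decide whether to keep the key.

    A random sample of sifted bits is compared publicly (and discarded) to
    estimate the quantum bit error rate (QBER); too many errors means abort.
    """
    rng = random.Random(seed)
    alice_key, bob_key = transmit(n_photons, eavesdropper, rng)
    positions = list(range(len(alice_key)))
    rng.shuffle(positions)
    n_sample = int(len(positions) * sample_fraction)
    if n_sample == 0:
        raise ValueError("not enough sifted bits to estimate the error rate")
    sample, rest = positions[:n_sample], positions[n_sample:]
    qber = sum(alice_key[i] != bob_key[i] for i in sample) / n_sample
    if qber > ABORT_QBER:
        return {"status": "abort", "qber": qber, "key_bits": 0}
    return {"status": "key-accepted", "qber": qber, "key_bits": len(rest)}


if __name__ == "__main__":
    print("clean channel :", run_session(20000, eavesdropper=False, seed=1))
    print("tapped channel:", run_session(20000, eavesdropper=True, seed=1))
```

On the clean channel the sampled error rate is exactly zero. With the interceptor present it settles near 25%, because she picks the wrong basis half the time and Bob's result is then random, which is what lets the two parties detect her and abort.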
Where QKD Fits
Some organizations use the umbrella term quantum security to include both QKD and post-quantum algorithms as complementary technologies.
For instance, the UK’s National Cyber Security Centre (NCSC) published a 2020 white paper on “Quantum Security Technologies” that discussed two approaches: quantum-resistant crypto algorithms and QKD. In that paper, NCSC referred to “quantum-safe cryptography” in a broad sense that included QKD alongside algorithmic solutions. The quantum communications industry, however, responded by advocating more precise language: their community response noted, “the NCSC White Paper uses the term quantum-safe cryptography which includes QKD. For clarity this [response] uses the term quantum-resistant algorithms to refer specifically to cryptographic algorithms believed to be secure against attack by quantum computers.” Here we see an important distinction: quantum-resistant algorithms (QRA) meaning the new post-quantum algorithms, versus quantum cryptography (QKD) meaning physics-based key exchange – both falling under a broad “quantum-safe” umbrella in that context. The takeaway is that experts try not to conflate these; they specify whether they mean QKD or PQC.
International Perspective
Different regions have taken slightly different stances on QKD vs PQC. The United States (through agencies like NIST and NSA) has heavily emphasized PQC as the primary solution for most needs, viewing it as more practical to deploy widely. The NSA has publicly stated that quantum-resistant (post-quantum) algorithms are a more cost-effective and easily maintained solution than QKD for protecting communications. In fact, NSA does not support using QKD for national security systems at present, citing numerous limitations (e.g., need for special hardware, distance limits, lack of authentication, infrastructure cost, etc.) and noting that “quantum-resistant cryptography… offers confidentiality and integrity via math-based solutions that are typically less expensive and easier to integrate”.
On the other hand, parts of Europe and Asia have invested significantly in QKD research and even operational networks. The EU’s EuroQCI initiative aims to develop a quantum communication infrastructure, and China has deployed the world’s largest QKD networks (including a Beijing-Shanghai backbone). These efforts position QKD as a strategic technology for certain high-security use cases. Standards for QKD have been developed through organizations like ETSI (which has an Industry Specification Group working on QKD) and ITU-T (which published the Y.3800-series recommendations for QKD networks).
The bottom line on terminology is: to avoid ambiguity, professionals typically do not use the plain phrase “quantum security” when precision is required. Instead, they’ll say “quantum cryptography” or specifically “QKD” when referring to quantum-enabled security tech, and “post-quantum” or “quantum-safe cryptography” when discussing algorithmic solutions against quantum threats. If one encounters marketing or media references to “quantum encryption” or “quantum security” without further detail, it’s important to clarify the meaning – it could refer to QKD-based tech, or simply to encryption that resists quantum attacks. The marketing world sometimes uses these buzzwords loosely (e.g. “military-grade quantum encryption” as a hype term) which can lead to misconceptions.
In short: be wary of quantum hype, and look for specifics about whether it’s physics-based quantum cryptography or quantum-resistant algorithms being discussed.
Quantum Resilience and Quantum Readiness
As organizations prepare for the coming quantum era, two terms have gained prominence in policy and strategy documents: quantum resilience and quantum readiness. These relate to an organization’s posture and preparedness rather than specific cryptographic tools.
Quantum Resilience
This refers to the capacity of systems and infrastructure to maintain security and functionality despite the advances of quantum computing.
In essence, a quantum-resilient organization or system is one that can withstand quantum-powered attacks. Achieving quantum resilience typically means adopting quantum-resistant cryptography throughout an organization’s systems (since cryptography is often the weakest link under quantum threat). It also implies a broader adaptability (i.e. “crypto-agility”) – ensuring that as quantum technology evolves, the organization’s security measures can adapt to preserve confidentiality, integrity, and availability of data.
One detailed description frames it as “the capacity of systems, data, and infrastructure to withstand and adapt to the disruptive capabilities of advanced quantum computers,” maintaining security where conventional approaches would fail.
In practice, talking about achieving quantum resilience underscores that this is not just about implementing one or two new algorithms, but about a comprehensive effort: inventorying where cryptography is used, planning upgrades, managing keys and certificates during migration, and building cryptographic agility into systems so they can switch to new primitives as needed.
Some interpretations of quantum resilience even extend to a philosophical level – the idea that a truly resilient security architecture continues to function securely under any advanced threat, not just known quantum algorithms. In day-to-day usage, however, declaring a goal of “quantum resilience” usually means “we intend to migrate all our critical systems to quantum-safe (quantum-resistant) cryptography and thus remain secure even when quantum computing arrives.” For example, major tech companies have announced plans to transition their products to quantum-resistant encryption within the next decade, aligning with government timelines for quantum resilience.
Quantum Readiness
This term emphasizes preparedness and proactive planning. To say an organization is quantum-ready (or has achieved quantum readiness) means it has taken steps to prepare for the transition to post-quantum cryptography.
Governments are actively urging institutions to develop quantum readiness roadmaps. A joint NSA/CISA/NIST advisory in 2023, for instance, recommended that organizations “start preparing for the implementation of post-quantum cryptography” by doing things like establishing a quantum-readiness roadmap, engaging vendors about PQC support, conducting a cryptographic inventory, and prioritizing systems to migrate first. In the U.S., a National Security Memorandum (NSM-10, 2022) required federal agencies to inventory their cryptographic systems and be ready to switch to approved PQC once standards are published.
In essence, quantum readiness is about being prepared in advance so that the actual transition (sometimes dubbed “Q-Day” – the day new quantum-proof algorithms go live) can be executed smoothly. It’s a measure of how far along an organization is in terms of awareness, planning, and initial implementation of quantum-resistant measures. A business or government entity that has, for example, cataloged all its cryptographic dependencies, assessed risk timelines, begun testing PQC in its environment, and developed a migration plan can claim a higher degree of quantum readiness than one that has not yet considered the problem.
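A cryptographic inventory of the kind the advisory recommends can be triaged mechanically once each entry records the algorithm and how long the data must stay secret. The following is an added example, not taken from the NSA/CISA/NIST advisory; the inventory rows are constructed, and the column names, the 10-year and 128-bit thresholds and the priority ordering are assumptions chosen for illustration.

```python
import csv
import io

# Public-key families the article lists as broken by Shor's algorithm.
SHOR_BROKEN = {"RSA", "DH", "ECDH", "ECDSA"}
# Algorithms in NIST's 2024 PQC standards (FIPS 203, 204, 205).
PQC_STANDARDS = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric ciphers: Grover halves the effective strength in bits.
SYMMETRIC = {"AES"}

MIN_PQ_BITS = 128       # assumed floor for post-quantum symmetric strength
LONG_LIVED_YEARS = 10   # assumed cut-off for "store now, decrypt later" exposure

# Constructed sample inventory (hypothetical systems). "size" is the key size
# in bits, or the parameter-set number for ML-KEM.
SAMPLE_INVENTORY = """\
system,purpose,algorithm,size,secrecy_years
vpn-gateway,key-exchange,ECDH,256,15
code-signing,signature,RSA,3072,0
backup-archive,encryption,AES,128,25
db-tde,encryption,AES,256,25
partner-api,key-exchange,ML-KEM,768,5
legacy-mail,encryption,RSA,2048,3
hr-portal,encryption,PROPRIETARY-X,0,7
"""


def classify(purpose, algorithm, size, secrecy_years):
    """Return (priority, action); priority 0 is the most urgent."""
    if algorithm in SHOR_BROKEN:
        # Recorded ciphertext and key exchanges can be decrypted later;
        # a signature can only be forged once the quantum computer exists.
        harvestable = purpose in ("key-exchange", "encryption")
        if harvestable and secrecy_years >= LONG_LIVED_YEARS:
            return 0, "migrate first: traffic recorded today is exposed later"
        return 1, "migrate to a post-quantum algorithm"
    if algorithm in SYMMETRIC:
        if size // 2 < MIN_PQ_BITS:
            return 2, "raise key size to 256 bits"
        return 4, "no change"
    if algorithm in PQC_STANDARDS:
        return 4, "no change"
    return 3, "unknown algorithm: review manually"


def triage(inventory_csv):
    """Parse the inventory and return (system, priority, action) rows.

    Rows are ordered by priority, then by longest secrecy requirement first.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        years = int(rec["secrecy_years"])
        prio, action = classify(
            rec["purpose"], rec["algorithm"].upper(), int(rec["size"]), years
        )
        rows.append((prio, -years, rec["system"], action))
    rows.sort()
    return [(system, prio, action) for prio, _, system, action in rows]


if __name__ == "__main__":
    for system, prio, action in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {system:15s} {action}")
```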
These terms underscore that the shift to a post-quantum world is not instantaneous – it’s a phased, multiyear process. Being quantum-ready is the first stage (planning and early adoption), which leads to achieving quantum resilience (actually having all critical systems protected by quantum-safe solutions and thus able to withstand quantum attacks). Both terms are increasingly used in policy communications to spur action now, rather than waiting until quantum computers are operational.
As NSA Cybersecurity Director Rob Joyce put it, “the key is to be on this journey today and not wait until the last minute” – organizations should begin quantum-proofing their systems well before the threat materializes. Those who lead in quantum readiness and resilience are likely to gain trust and competitive advantage, whereas laggards risk severe exposure if and when the quantum threat arrives.
Differences in Terminology Across Regions and Standards
While the technical concepts are universal, different communities and jurisdictions sometimes favor different terminology or have nuanced usage for these terms:
United States (NIST, NSA, etc.)
U.S. government agencies and much of the academic community predominantly use “Post-Quantum Cryptography (PQC)” to describe cryptographic solutions for the quantum era. This term was cemented by the NIST PQC competition and subsequent standards. Official documents from NIST and NSA also frequently use “quantum-resistant cryptography” as an adjective for these new algorithms.
The term “quantum-safe” is seen in some outreach materials (and NIST will occasionally use it interchangeably with post-quantum in public discussions), but post-quantum and quantum-resistant are more common in formal usage. The U.S. also introduced the term “Cryptographically Relevant Quantum Computer (CRQC)” to mean a quantum computer capable of breaking real-world cryptography. By and large, U.S. standards and strategy documents focus on PQC deployment and cryptographic agility (see NIST’s guidelines and NSA’s Commercial National Security Algorithm Suite 2.0 documents) rather than quantum cryptography. NSA has made its stance clear that for most applications, quantum-resistant algorithms are the preferred path (with QKD seen as impractical for widespread use).
Europe and International (ETSI, ISO/IEC, ENISA)
In Europe, the term “quantum-safe cryptography” gained early traction. ETSI began hosting Quantum-Safe Cryptography workshops starting in 2013, and their reports define quantum-safe cryptography in the same spirit as PQC (algorithms secure against quantum attacks). The term quantum-safe is essentially synonymous with post-quantum; for example, Gartner and other industry groups often talk about “planning for quantum-safe encryption” meaning the adoption of PQC.
The ISO/IEC JTC 1 (international standards committee for IT) also studied this area; notably, around 2016 ISO/IEC used the phrase “quantum computing resistant cryptography” to describe what we now call PQC – explicitly highlighting resistance to quantum computing.
Europe’s cybersecurity agency ENISA uses “post-quantum cryptography” in its reports and recommends transition to quantum-resistant crypto, including hybrid (combined classical+PQC) solutions, for European infrastructures.
When it comes to quantum cryptography, European initiatives speak of “Quantum Communications” or “QKD” rather than using the term quantum-safe. For instance, the European Commission describes a dual approach: promoting widespread adoption of PQC and building a EuroQCI for QKD – but they do not lump these together under one ambiguous term. There’s a general understanding in international standards that PQC and QKD are complementary; documents will clearly specify which is being addressed. An ETSI White Paper on “Quantum Safe Cryptography and Security” and an ITU-T recommendation on QKD can coexist, each with clear terminology for their scope.
United Kingdom (NCSC)
The UK’s NCSC has sometimes used the term “quantum-safe cryptography” in a broader sense. As mentioned, a 2020 NCSC paper used quantum-safe cryptography to encompass both QKD and post-quantum algorithms. However, in most of its public advice, NCSC focuses on encouraging preparedness for PQC – using phrases like “prepare for quantum-safe cryptography” in the context of deploying new algorithms. The subtle nuance is that NCSC might use quantum-safe to describe the end-state (systems safe against quantum threats), and then use more specific terms like “quantum-resistant algorithms (QRA)” when referring to the mathematical algorithms themselves.
The NCSC has also been cautious about QKD, not endorsing it for general government use until it matures (their stance as of 2016 was skeptical of QKD; by 2020 they acknowledged it as an emerging tech to watch, but still advised against sole reliance on it). So, in UK usage we see: quantum-resistant algorithms (PQC) vs quantum-safe outcome (could include multiple tech), and explicit references to QKD when needed.
Other Regions
In Canada, the national cryptologic agency (CSE) uses similar language to NIST (post-quantum, quantum-resistant).
Australia’s ACSC likewise has published guidance on “post-quantum cryptography” and migration strategies.
In China, a lot of emphasis is placed on “quantum communication security”, which usually means QKD networks and related quantum encryption tech; Chinese sources often use the term “quantum cryptography” to mean QKD and reserve “post-quantum” for PQC algorithms. Given China’s extensive QKD deployments, phrases like “quantum secure communication” there typically refer to QKD-secured links.
Japan, Korea, and others have research programs for both PQC and QKD; their documents tend to adopt the internationally used terms (the English phrase “post-quantum cryptography” appears in many of their papers, even if translated).
Overall, despite minor differences in preferred wording, there is broad global agreement on technical substance: everyone recognizes the need to transition to quantum-resistant algorithms, and the potential niche role of QKD for specialized cases. This is reflected in collaborative efforts – e.g., Germany’s BSI, France’s ANSSI, NIST, and others have all contributed to or at least mirrored the results of the NIST PQC process, and multinational groups (EU, Five Eyes, etc.) have issued consistent calls to action on quantum readiness.
Navigating Quantum Security Terminology
So, what is the “right” way to use the term quantum security? The answer depends on context, and the key is to be specific. In casual conversation or high-level writing, quantum security has most often come to mean the field of countering the quantum computing threat – i.e. keeping data secure despite advances in quantum computing. This aligns with the surge of interest in post-quantum cryptography and is reflected in definitions that cast quantum security as protecting against quantum-enabled attacks. If someone says “we need to invest in quantum security,” they usually mean upgrading cryptography to quantum-resistant methods (not necessarily buying quantum hardware). However, given the ambiguity, it’s best to clarify the intended meaning.
When precision is important, use the established specific terms:
- Post-Quantum Cryptography (PQC) or quantum-resistant/quantum-safe cryptography when talking about new algorithms designed to withstand quantum attacks. For example: “Banks should start implementing post-quantum cryptography to protect customer data for the long term.” This makes it clear you mean mathematical, quantum-proof encryption algorithms.
- Quantum Cryptography / QKD when talking about using quantum physics for security. For example: “Quantum key distribution is a quantum security technique that allows two parties to detect eavesdroppers on their communication.” This indicates you’re referring to the physics-based approach.
- Quantum-Resilient systems to describe an infrastructure that can survive quantum attacks (after it has been upgraded with the above technologies), and quantum readiness to describe the state of preparation to achieve that resilience. For example: “Our IT team is developing a quantum readiness roadmap to ensure all critical systems are quantum-resilient by 2030.”
In formal standards and policies, you’ll rarely see an open-ended term like “quantum security” defined. Instead, you’ll find definitions for the narrower concepts: post-quantum cryptography (with explicit criteria of resisting quantum attacks), quantum-safe algorithms, quantum key distribution, etc. The consensus is that quantum security isn’t a single technology or solution, but rather an umbrella domain addressing the impact of quantum technology on security – both the threat and the opportunity.