Quantum Security Reference

What Is Quantum Key Distribution (QKD)?

This is part of the Quantum Security Reference Deep Dive series. For the full landscape overview, see the capstone article on quantum security.

Introduction

Quantum key distribution (QKD) is a method for sharing cryptographic keys between two parties using quantum physics. Its defining property is that any attempt by a third party to intercept the key exchange disturbs the quantum states being transmitted, producing detectable errors. If the measured error rate stays below a threshold, the two parties can bound how much an eavesdropper could have learned and distill a secure key from the raw exchange (by error correction and privacy amplification). If it exceeds the threshold, they conclude an eavesdropper was present and discard the compromised key.

This guarantee is grounded in the laws of quantum mechanics, not in the computational difficulty of a mathematical problem. No increase in computing power, classical or quantum, can break a properly implemented QKD protocol. That distinction makes QKD the only method of distributing keys over an untrusted channel that offers information-theoretic security. Two caveats apply even in theory: the classical channel used for post-processing must be authenticated, which in practice means a small pre-shared key consumed by an information-theoretically secure message authentication code (Wegman-Carter), so QKD expands keys rather than creating them from nothing; and the distributed key still has to be used by a cipher, so the end-to-end guarantee is only information-theoretic if that cipher is a one-time pad, and otherwise (AES-256 in most deployments) it is as strong as the cipher.

How BB84 Works

The BB84 protocol, proposed by Charles Bennett and Gilles Brassard in 1984, remains the most widely deployed QKD scheme. The sender (Alice) encodes random bit values in the polarization of individual photons, choosing randomly between two measurement bases for each photon. The receiver (Bob) measures each arriving photon using a randomly chosen basis.

After transmission, Alice and Bob compare their basis choices over an authenticated public classical channel (without revealing the bit values). They keep only the bits where they happened to choose the same basis, discarding the rest; this step is called sifting. An eavesdropper (Eve) who intercepted photons during transmission would have been forced to guess the basis, and incorrect guesses introduce errors that Alice and Bob can detect by publicly comparing a random sample of their sifted bits (which they then discard). If the observed error rate is acceptable, they run error correction to reconcile the remaining bits and privacy amplification (hashing the reconciled key down to a shorter one) to remove whatever partial information Eve may hold.

The protocol’s security follows from a simple physical fact: measuring a photon’s polarization in the wrong basis randomizes the result, and there is no way to determine the correct basis without prior knowledge. Eve cannot copy the photons (the no-cloning theorem forbids it) and cannot measure them without risking detection.
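The following is an added example, not code from the original article: a toy simulation of the BB84 steps described above (preparation, measurement, sifting and error estimation), run once without an eavesdropper and once with an intercept-resend Eve. Photons are modelled abstractly as (basis, bit) pairs, no channel noise or multi-photon pulses are modelled, and the 11% abort threshold is the asymptotic BB84 figure for one-way post-processing; error correction and privacy amplification are named but not implemented.

```python
import random

# Added example (not from the original article): toy BB84 with an optional
# intercept-resend eavesdropper. Basis 0 = rectilinear (H/V), 1 = diagonal.
# Assumptions: noiseless channel, ideal single-photon source and detectors.

# Asymptotic BB84 threshold for one-way post-processing (Shor-Preskill, 2000).
QBER_ABORT_THRESHOLD = 0.11


def measure(photon, basis, rng):
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the other basis returns a uniformly random bit. This is the physical
    fact the protocol's security rests on."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randrange(2)


def run_bb84(n, eve_present, seed=1, sample_fraction=0.25):
    rng = random.Random(seed)

    # Alice: random bit and random basis for each photon.
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    photons = list(zip(alice_bases, alice_bits))

    if eve_present:
        # Intercept-resend: Eve measures each photon in a guessed basis and
        # re-emits a fresh photon prepared in that basis with her result.
        resent = []
        for p in photons:
            eve_basis = rng.randrange(2)
            resent.append((eve_basis, measure(p, eve_basis, rng)))
        photons = resent

    # Bob: random basis, one measurement per arriving photon.
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting: bases (not bits) are compared over the authenticated classical
    # channel; only positions where Alice and Bob agree are kept.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    a_sift = [alice_bits[i] for i in keep]
    b_sift = [bob_bits[i] for i in keep]

    # Parameter estimation: a random sample of sifted bits is disclosed to
    # estimate the QBER, then discarded because Eve now knows it.
    k = int(len(keep) * sample_fraction)
    sample = set(rng.sample(range(len(keep)), k))
    errors = sum(1 for i in sample if a_sift[i] != b_sift[i])
    qber = errors / k if k else 0.0
    a_key = [a_sift[i] for i in range(len(keep)) if i not in sample]
    b_key = [b_sift[i] for i in range(len(keep)) if i not in sample]

    return {"sifted": len(keep), "qber": qber, "key_a": a_key, "key_b": b_key}


def decide(result):
    """Abort above the threshold; otherwise error correction and privacy
    amplification (not modelled here) turn the raw key into a secret key."""
    return "abort" if result["qber"] > QBER_ABORT_THRESHOLD else "proceed"


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(20000, eve_present=eve)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} -> {decide(r)}")
```

Without Eve the sifted keys match bit for bit and the estimated QBER is zero; a full intercept-resend attack produces a QBER near 25%, because Eve guesses the wrong basis half the time and each wrong guess randomizes Bob's result half the time. An Eve who intercepts only a fraction f of the photons causes a QBER of about f/4, so she can stay under the 11% threshold while learning part of the key; that residual leakage is exactly what privacy amplification is designed to remove, which is why the threshold alone is not the security argument.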

Beyond BB84

QKD has evolved well beyond its original protocol. Entanglement-based protocols such as E91 and BBM92 distribute keys using correlated photon pairs: BBM92 is essentially BB84 run on entangled pairs, while E91 tests a Bell inequality so that security no longer depends on trusting the photon source. Device-independent QKD (DI-QKD) pushes this further: a loophole-free Bell violation certifies the key even when the measurement devices themselves are untrusted, closing a class of side-channel attacks that have plagued earlier implementations, though at key rates and distances that so far only laboratory demonstrations achieve.

I cover the full range of emerging approaches in my analysis of next-generation QKD protocols.

The Practical Limitations

QKD’s theoretical security is real. Its practical constraints are also real, and they limit where and how it can be deployed.

Distance is the primary constraint. Optical fiber attenuates single photons by roughly 0.2 dB/km, so the fraction that arrives falls exponentially with distance; once detector dark counts become comparable to the surviving signal, the error rate crosses the abort threshold. This limits QKD to roughly 100-300 kilometers over terrestrial links, depending on the protocol, fiber quality, and detectors. Quantum repeaters can extend this range, but they remain experimental. Satellite-based QKD (demonstrated by China’s Micius satellite) bypasses the fiber limitation but introduces its own constraints around weather, orbital windows, and ground station requirements.
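The following is an added example, not from the original article, showing why the distance limit exists. It applies a simple detection model (signal clicks carry the optical error rate, dark-count clicks are random) to find the distance at which the QBER crosses the abort threshold, and compares that with the repeaterless PLOB bound on secret key per channel use. All parameter values are assumed, illustrative figures, not measurements of any product.

```python
import math

# Added example (not from the original article): a fibre loss budget for BB84.
# Every parameter below is an assumed illustrative value.
FIBER_LOSS_DB_PER_KM = 0.2    # typical single-mode fibre at 1550 nm
MEAN_PHOTONS_PER_PULSE = 0.1  # attenuated laser, decoy-state signal intensity
DETECTOR_EFFICIENCY = 0.2     # InGaAs single-photon detector
DARK_COUNT_PER_GATE = 1e-6    # probability of a click with no photon present
OPTICAL_MISALIGNMENT = 0.01   # intrinsic error rate of the optics
QBER_ABORT_THRESHOLD = 0.11   # BB84 one-way post-processing threshold


def transmittance(km, loss_db_per_km=FIBER_LOSS_DB_PER_KM):
    """Fraction of photons that survive `km` of fibre (exponential in distance)."""
    return 10 ** (-loss_db_per_km * km / 10)


def qber_at(km):
    """Weighted mix of signal clicks (wrong with probability OPTICAL_MISALIGNMENT)
    and dark-count clicks (wrong with probability 1/2). Multi-photon pulses and
    afterpulsing are ignored."""
    signal = MEAN_PHOTONS_PER_PULSE * transmittance(km) * DETECTOR_EFFICIENCY
    dark = DARK_COUNT_PER_GATE
    return (OPTICAL_MISALIGNMENT * signal + 0.5 * dark) / (signal + dark)


def max_distance_km(limit=1000):
    """Longest whole-kilometre distance at which the modelled QBER stays
    below the abort threshold."""
    last_ok = 0
    for km in range(0, limit + 1):
        if qber_at(km) > QBER_ABORT_THRESHOLD:
            break
        last_ok = km
    return last_ok


def plob_bound_bits_per_second(km, pulse_rate_hz):
    """Repeaterless upper bound on secret key per channel use, -log2(1 - eta)
    (Pirandola, Laurenza, Ottaviani, Banchi 2017), scaled by the pulse rate.
    Real systems sit well below this; it is the ceiling no protocol beats
    without repeaters."""
    eta = transmittance(km)
    return -math.log2(1 - eta) * pulse_rate_hz


if __name__ == "__main__":
    for km in (0, 50, 100, 150, 200, 300, 500):
        print(f"{km:4d} km  eta={transmittance(km):.2e}  QBER={qber_at(km):.3f}  "
              f"PLOB<={plob_bound_bits_per_second(km, 1e9):.3g} bit/s at 1 GHz")
    print("max distance under threshold:", max_distance_km(), "km")
```

With these assumed detector figures the QBER climbs from about 1% at short range to past 11% somewhere under 200 km, which is the practical cutoff; the PLOB bound shows that even a perfect system at a 1 GHz pulse rate is capped at roughly 1.4 kbit/s at 300 km and a fraction of a bit per second at 500 km, which is why repeaters or satellites are needed beyond that.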

Dedicated infrastructure is required. The quantum channel cannot run over the public internet: it needs either dedicated optical fiber or a free-space optical link between the communicating parties (only the classical post-processing channel can use ordinary, authenticated network connections). This makes QKD expensive and limits it to point-to-point links; longer networks chain such links through trusted nodes, which hold the key in the clear and must therefore be physically secured, rather than supporting the many-to-many communication patterns of modern networked systems.

Implementation vulnerabilities are the gap between theory and practice. QKD’s information-theoretic guarantee applies to the protocol. The hardware that implements it uses classical components: laser sources, single-photon detectors, timing electronics. These components are subject to side-channel attacks that exploit imperfections in the physical implementation rather than weaknesses in the protocol. Photon-number splitting exploits attenuated-laser sources that occasionally emit two or more photons per pulse (mitigated by decoy-state protocols); detector blinding drives avalanche photodiodes into a linear mode in which Eve controls what Bob records (mitigated by measurement-device-independent QKD or detector self-testing); Trojan horse attacks probe the transmitter with bright light injected back down the fiber (mitigated by optical isolators and filters). All three have been demonstrated against real QKD systems, detector blinding against commercial products, so a deployment review has to cover the hardware and its countermeasures, not just the protocol.

QKD vs. PQC

QKD and post-quantum cryptography are complementary technologies, not competitors, though they are sometimes positioned as alternatives. The practical differences are significant.

PQC is software that runs on existing hardware, can be deployed across any network, and is the subject of regulatory mandates with hard deadlines. QKD requires specialized hardware, dedicated fiber, and has no regulatory mandate in most jurisdictions. For the vast majority of organizations, PQC is the path to quantum safety.

QKD’s value lies in specific high-security use cases where the physics-based guarantee matters: links between government facilities, financial data centers, or military installations where the cost of dedicated infrastructure is justified by the sensitivity of the data and the threat model includes nation-state adversaries with potential future quantum capability. Some organizations deploy QKD and PQC together in a layered defense.

The geopolitical dimension adds complexity. As I cover in my analysis of why countries differ on QKD’s future, China has built extensive operational QKD networks while the US and UK focus almost exclusively on PQC; the NSA and the UK NCSC have both published positions declining to endorse QKD for their national-security and government systems. The right answer for any given organization depends on its threat model, regulatory environment, and infrastructure constraints.

Go Deeper

What Is Quantum Cryptography? — the broader context

QKD 101: A Guide for Cybersecurity Professionals — comprehensive overview

QKD and the BB84 Protocol — detailed protocol walkthrough

Why Countries Differ on QKD’s Future — the geopolitical and technical debate

Next-Generation QKD Protocols — beyond BB84

Device-Independent QKD — security without trusting the hardware

Quantum Repeaters — extending QKD range

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.