
Quantum Cryptography vs Post-Quantum Cryptography: Why the Difference Matters

Governments are spending billions on two radically different quantum-safe approaches. One is theoretically unbreakable, the other practically deployable. Understanding the distinction is critical.

Hyle Editorial

There are two completely different 'quantum-safe' approaches being sold to governments right now. One is theoretically unbreakable. The other is practically deployable. They are not the same thing — and conflating them is costing billions in misallocated spending. In 2024 alone, global quantum security investments exceeded $3.2 billion, yet a Gartner survey found that 67% of CISOs cannot distinguish between Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC). The stakes? A single cryptographic failure could expose everything from nuclear launch codes to your grandmother's medical records. So why are we throwing money at solutions without understanding the physics and mathematics that make them fundamentally different?

Quantum Key Distribution (QKD) exploits the fundamental properties of quantum mechanics — specifically, the observer effect and quantum superposition — to create a shared secret key between two parties. The most common implementation, BB84 (named after Bennett and Brassard's 1984 protocol), uses polarized photons to transmit bits. Any eavesdropper attempting to intercept the quantum channel necessarily disturbs the quantum states, making their presence detectable.

The mathematical foundation rests on the no-cloning theorem, proven by Wootters and Zurek in 1982, which establishes that an arbitrary unknown quantum state cannot be perfectly copied. This isn't an engineering limitation — it's a fundamental law of nature.

$$|\psi\rangle \rightarrow |\psi\rangle \otimes |\psi\rangle \text{ is impossible for unknown } |\psi\rangle$$

When Alice sends a photon in a specific polarization state to Bob, any measurement by Eve collapses the quantum state. The error rate that eavesdropping introduces (typically >25% for intercept-resend attacks) can be detected by publicly comparing a subset of the transmitted bits.
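The detection mechanism described above, as an added simulation that is not part of the article: Alice and Bob run BB84 sifting over a lossless, noiseless channel (an assumption, so every error is attributable to Eve), and an intercept-resend Eve who guesses a random basis per photon leaves a quantum bit error rate (QBER) near 25%. The 11% abort threshold is an assumed constant.

```python
import random

# Constructed simulation of BB84 sifting and intercept-resend detection.
# Basis 0 = rectilinear (+), basis 1 = diagonal (x). A photon measured in its
# preparation basis yields the encoded bit; measured in the other basis it
# yields a uniformly random bit. Channel assumed lossless and noiseless.


def measure(prepared_basis, bit, measuring_basis, rng):
    """Outcome of measuring a photon prepared as (basis, bit) in measuring_basis."""
    if prepared_basis == measuring_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n_photons, eve_present, seed=0):
    """Return (sifted_length, qber) for one run.

    qber is the fraction of sifted positions where Alice's and Bob's bits differ.
    Without Eve it is 0 here; with a random-basis intercept-resend Eve it
    converges to 0.25 (half her basis guesses are wrong, and each wrong guess
    hands Bob a random bit, i.e. a 50% error on that position).
    """
    rng = random.Random(seed)
    sifted = 0
    errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        b_basis = rng.randrange(2)
        channel_basis, channel_bit = a_basis, a_bit
        if eve_present:
            # Eve measures in a guessed basis and re-sends what she observed
            e_basis = rng.randrange(2)
            channel_bit = measure(a_basis, a_bit, e_basis, rng)
            channel_basis = e_basis
        b_bit = measure(channel_basis, channel_bit, b_basis, rng)
        # Sifting: Alice and Bob publicly compare bases, keep matching positions
        if a_basis == b_basis:
            sifted += 1
            if b_bit != a_bit:
                errors += 1
    qber = errors / sifted if sifted else 0.0
    return sifted, qber


# Assumed abort threshold: a QBER above roughly 11% is the commonly cited BB84
# limit beyond which no secure key can be distilled.
ABORT_THRESHOLD = 0.11


def eavesdropper_detected(qber):
    """Alice and Bob abort the session when the sampled error rate is too high."""
    return qber > ABORT_THRESHOLD


if __name__ == "__main__":
    for eve in (False, True):
        sifted, qber = run_bb84(20_000, eve)
        print(f"eve={eve}: sifted={sifted} qber={qber:.3f} "
              f"abort={eavesdropper_detected(qber)}")
```

In practice the sampled bits used to estimate the QBER are discarded, and residual channel noise means a real system aborts on a threshold rather than on any nonzero error rate; the simulation keeps the channel ideal so the 25% signature stands out cleanly.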

[!INSIGHT] QKD's security is based on physics, not computational assumptions. Even if an adversary has infinite computing power — including a quantum computer with billions of logical qubits — they cannot break QKD without violating the laws of quantum mechanics.

Post-Quantum Cryptography: Mathematical Hardness

Post-Quantum Cryptography (PQC), in stark contrast, relies on mathematical problems that remain computationally hard even for quantum computers. In July 2022, NIST selected four algorithms for standardization, with CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures) leading the pack.

CRYSTALS-Kyber is based on the Learning With Errors (LWE) problem over module lattices. The security reduces to finding short vectors in high-dimensional lattices — a problem with no known efficient quantum algorithm:

Given $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e}$ where $\mathbf{e}$ is a small error vector, find $\mathbf{s}$.
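To make the LWE definition above concrete, here is an added toy Regev-style bit encryption built directly on $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e}$; it is not Kyber and not the article's code. The parameters are illustrative and insecure (q = 3329 is borrowed from Kyber only for familiarity), and Kyber's module structure, compression and KEM wrapper are omitted. What it shows is where the hardness lives: with $\mathbf{s}$ the small error $\mathbf{e}$ falls out and decryption is a rounding step; without it, $\mathbf{b}$ is indistinguishable from noise.

```python
import random

# Constructed toy example of plain LWE encryption (not Kyber, parameters insecure).
Q = 3329  # modulus, borrowed from Kyber for familiarity only
N = 16    # secret dimension (columns of A)
M = 64    # number of LWE samples (rows of A)


def keygen(rng):
    """Public key (A, b = A s + e mod q); secret key s. Error entries are in {-1,0,1}."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + e_i) % Q for row, e_i in zip(A, e)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Sum a random subset r of the samples; hide the bit in the high half of v."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r_i * A[i][j] for i, r_i in enumerate(r)) % Q for j in range(N)]
    v = (sum(r_i * b_i for r_i, b_i in zip(r, b)) + bit * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """v - <u, s> = <r, e> + bit*(q/2) mod q, and |<r, e>| <= M << q/4, so round."""
    u, v = ct
    d = (v - sum(u_j * s_j for u_j, s_j in zip(u, sk))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def noise_term(pk, sk):
    """With s in hand, b - A s (centered mod q) reveals the small error vector e."""
    A, b = pk
    return [((b_i - sum(a * x for a, x in zip(row, sk))) + Q // 2) % Q - Q // 2
            for row, b_i in zip(A, b)]


def max_abs_noise(seed=0):
    """Largest |e_i| recovered from a fresh key pair (1 with this error distribution)."""
    pk, sk = keygen(random.Random(seed))
    return max(abs(x) for x in noise_term(pk, sk))


def roundtrip_ok(trials, seed=0):
    """Encrypt and decrypt both bit values repeatedly; True if every trial agrees."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(decrypt(sk, encrypt(pk, bit, rng)) == bit
               for _ in range(trials) for bit in (0, 1))


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip_ok(50))
    print("max |e_i| seen by key holder:", max_abs_noise())
```

Decryption correctness depends on the accumulated error $\langle \mathbf{r}, \mathbf{e} \rangle$ staying below $q/4$; real schemes choose the error distribution and modulus so that this failure probability is negligible, since decryption failures are themselves a side channel worth engineering away.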

The quantum speedup for lattice problems using Grover's algorithm provides only a quadratic improvement, not the exponential advantage that Shor's algorithm achieves against RSA and ECC.

"Post-quantum cryptography gives you security that's plausibly as strong as what we have today, but it's not information-theoretically secure. It's computationally secure based on hardness assumptions that we believe, but cannot prove, are quantum-resistant."

The Infrastructure Reality Check

QKD's Physical Limitations

QKD sounds ideal in theory, but its practical deployment faces severe constraints that make it unsuitable for most real-world applications:

Distance Limitations: Photons attenuate in optical fibers at approximately 0.2 dB/km. Without quantum repeaters (which don't yet exist in deployable form), QKD is limited to roughly 100-200 km. The record distance of 521 km, achieved by Toshiba in 2021, required specialized detectors and operated at extremely low key rates.

Dedicated Infrastructure: QKD cannot run over standard internet infrastructure. It requires:

  • Dark fiber pairs (unavailable in most locations)
  • Specialized photon detectors cooled to -269°C for some implementations
  • Trusted relay nodes every 50-100 km for extended distances

Cost Analysis: A 2023 study by the European Telecommunications Standards Institute (ETSI) estimated QKD deployment costs at €50,000-150,000 per kilometer of fiber, excluding the endpoint hardware. For a 500 km link, this translates to €25-75 million in infrastructure alone.

Key Rate Limitations: Modern QKD systems achieve 1-10 Mbps at 50 km, but this drops to kbps ranges at 100+ km. Compare this to AES-256, which can encrypt at 10+ Gbps on commodity hardware.

PQC's Deployment Advantage

PQC, by contrast, runs on existing infrastructure:

  1. Software-Based Implementation: CRYSTALS-Kyber requires only ~3 KB for public keys and achieves key generation, encapsulation, and decapsulation in microseconds on standard CPUs.

  2. Protocol Compatibility: PQC can be dropped into existing TLS 1.3, VPN, and PKI infrastructure with software updates. Cloudflare deployed Kyber hybrid key exchange in production in 2022.

  3. No Physics Hardware: There's no need for single-photon sources, detectors, or dedicated fiber. Your smartphone can perform PQC operations.

[!NOTE] China has invested over $400 million in QKD infrastructure, including a 2,000 km Beijing-Shanghai trusted-node QKD network and the Micius satellite for space-based QKD. However, the network requires 32 trusted relay nodes — each a potential vulnerability and ongoing maintenance burden.

The Hybrid Transition: Pragmatism Over Purity

The cryptographic community has reached a consensus: hybrid approaches combining classical (ECDHE), post-quantum (Kyber), and optionally QKD layers offer the most robust transition path.

Why Hybrid?

PQC algorithms are new. Despite extensive cryptanalysis during the NIST competition (2016-2024), these algorithms haven't faced 40+ years of scrutiny like RSA. A catastrophic break in Kyber's lattice assumptions remains theoretically possible.

Hybrid key exchange computes:

$$K = \text{HKDF}(K_{\text{ECDHE}} \,\|\, K_{\text{Kyber}} \,\|\, K_{\text{QKD}})$$

An attacker must break ALL components to recover the session key. The security is at least as strong as the strongest component.
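The combiner above, as an added example (not the article's or Signal's code): an RFC 5869 HKDF over HMAC-SHA256 deriving the session key from the concatenated shared secrets, with a self-check against the RFC's published test vector. The component secrets in the demo are constructed placeholder bytes, not output of real X25519, Kyber or QKD implementations, and binding the handshake transcript through `info` is an assumed design choice borrowed from TLS 1.3.

```python
import hashlib
import hmac

# Added example: HKDF (RFC 5869, HMAC-SHA256) as the hybrid key combiner
# K = HKDF(K_ECDHE || K_Kyber || K_QKD). Component secrets below are constructed.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """PRK = HMAC(salt, IKM); an empty salt is replaced by HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """OKM = T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm, salt=b"", info=b"", length=HASH_LEN):
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hybrid_session_key(k_ecdhe, k_kyber, k_qkd=b"", transcript=b""):
    """Derive the session key from every available shared secret.

    Components are expected to be fixed-length (32 bytes each for X25519 and
    Kyber-1024 shared secrets), which keeps plain concatenation unambiguous.
    The QKD layer is optional and may be empty. Transcript binding via `info`
    is an assumed design choice.
    """
    ikm = k_ecdhe + k_kyber + k_qkd
    return hkdf(ikm, salt=b"", info=b"hybrid-session-key" + transcript, length=32)


def rfc5869_test_vector_ok():
    """HKDF-SHA256 test case 1 from RFC 5869, appendix A."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = hkdf(ikm, salt, info, 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")


def demo_all_components_matter():
    """Changing any single component changes the derived key (constructed inputs)."""
    k_ecdhe, k_kyber, k_qkd = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32
    base = hybrid_session_key(k_ecdhe, k_kyber, k_qkd)
    altered = [
        hybrid_session_key(bytes([9]) * 32, k_kyber, k_qkd),
        hybrid_session_key(k_ecdhe, bytes([9]) * 32, k_qkd),
        hybrid_session_key(k_ecdhe, k_kyber, bytes([9]) * 32),
    ]
    return all(k != base for k in altered)


if __name__ == "__main__":
    print("RFC 5869 vector:", rfc5869_test_vector_ok())
    print("every component affects K:", demo_all_components_matter())
```

The "at least as strong as the strongest component" property holds only if the KDF behaves as a pseudorandom function and the concatenation cannot be re-split (fixed-length or length-prefixed components); a combiner that simply XORs the secrets, or that lets one party choose a variable-length component, does not give the same guarantee.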

Signal's Approach

In September 2023, Signal deployed PQXDH (Post-Quantum Extended Diffie-Hellman), combining X25519 elliptic curve with CRYSTALS-Kyber-1024. This protects against:

  • Classical adversaries (via X25519)
  • Future quantum adversaries performing "harvest now, decrypt later" attacks (via Kyber)

Signal processed over 100 million hybrid key exchanges in the first month without user-facing disruption.

The Verdict: When to Use Which

Criterion                    | QKD                              | PQC
-----------------------------|----------------------------------|----------------------
Security Basis               | Information-theoretic (physics)  | Computational (math)
Max Range                    | ~200 km (no repeaters)           | Unlimited
Infrastructure               | Dedicated fiber/hardware         | Standard internet
Cost per Link                | $1-10 million                    | $0 (software)
Speed                        | 1-10 Mbps                        | 10+ Gbps
Quantum Computer Resistant   | Yes (fundamentally)              | Yes (plausibly)
Standardization              | ETSI, ISO                        | NIST FIPS 203-205

Use QKD when:

  • You control a point-to-point fiber link under 100 km
  • You have nation-state adversaries with potential future quantum capabilities
  • Budget is not a constraint
  • You need information-theoretic security for specific high-value links

Use PQC when:

  • You need to secure internet-scale communications
  • You operate over existing infrastructure
  • You need to protect against "harvest now, decrypt later" attacks
  • You need practical deployability within 1-2 years

Key Takeaway

QKD and PQC solve the same problem through fundamentally different mechanisms — physics versus mathematics. QKD offers information-theoretic security but requires dedicated hardware and has severe distance limitations. PQC offers computational security deployable on existing infrastructure at scale. For most organizations, the pragmatic path forward is hybrid PQC deployment now, with selective QKD for ultra-high-security point-to-point links where physics-based guarantees are worth the cost. The tragedy is not that both approaches exist — it's that billions continue to be spent on QKD infrastructure for applications where PQC hybrids would provide equivalent practical security at 1/1000th the cost.

Sources: NIST Post-Quantum Cryptography Standardization (2024), ETSI QKD Implementation Guide, "Quantum Key Distribution: From Principles to Protocols" (Pirandola et al., 2020), Gartner Quantum Security Survey (2024), Toshiba Europe QKD Distance Record (2021), Signal PQXDH Protocol Specification (2023), European Quantum Communication Infrastructure (EuroQCI) Deployment Report (2023)
