Deploy Bravely — Secure your AI transformation with Prisma AIRS
Table of contents

What Is Quantum Key Distribution (QKD)? + How It Works

8 min. read
Table of contents

Quantum key distribution (QKD) is a method for creating and sharing secret encryption keys using the principles of quantum mechanics.

It relies on quantum states that change when observed, allowing any interception attempt to be detected. By pairing quantum transmission with classical authentication, QKD enables the secure exchange of keys for protected communication.

 

How does QKD work?

Quantum key distribution works by sending information using quantum particles—usually photons—to create a shared secret key between two endpoints.

  • Each photon encodes a bit of data in a quantum state. That state might represent polarization or phase. When the photons travel through a fiber or free-space channel, any attempt to measure them changes their properties. Which means interception can’t happen without being noticed.

  • In a typical setup, two parties—commonly called Alice and Bob (although below, we’ll refer to them as Leia and Luke)—use a quantum channel to transmit photons and a classical channel to verify results.

  • The quantum channel carries the raw key material. The classical channel handles coordination and authentication. Both are essential. The quantum exchange ensures security through physics. The classical exchange makes sure both sides are talking to each other, not an attacker.

Diagram titled 'Quantum key distribution' showing two participants labeled Leia on the left and Luke on the right. Leia is associated with blue circles labeled 'Diagonal polarizers' and purple circles labeled 'Horizontal-vertical polarizers.' Luke is associated with similar labels reading 'Diagonal beamsplitter' and 'Horizontal-vertical beamsplitter.' Between them, a horizontal path labeled 'Photon source' on Leia's side and 'Photon detector' on Luke's side shows alternating blue and purple dots representing transmitted photons. Below the diagram, rows of binary sequences are labeled 'Leia's bit sequence,' 'Luke's detection,' and 'Luke's measurements,' followed by a third line labeled 'Sifted key' showing a series of ones, zeros, and dashes.

  • After transmission, the participants compare a portion of their measurement results. This step reveals whether an eavesdropper has tampered with the photons. If the detected error rate stays below a defined threshold, they keep the rest of the data as a "sifted key."

  • That key is then refined through two final stages: error correction and privacy amplification. Together, these processes remove mismatched bits and reduce any information an attacker could have learned. The result is a shared, secret key ready for use in encryption.

To simplify it:

QKD turns the laws of quantum mechanics into a method for detecting intrusion and generating encryption keys that can't be copied or read in transit.

 

What are the main types of QKD protocols?

Architecture diagram titled 'Types of QKD protocols' showing a horizontal photon channel between two labeled endpoints: 'Sender (Leia)' on the left and 'Receiver (Luke)' on the right. A parallel line above the photon channel is labeled 'Classical channel – Coordination & authentication.' Along the photon channel, small colored dots represent photons traveling between Leia and Luke. Five labeled callouts appear below the channel. From left to right: 'BB84 – Polarization assets' with a short description reading 'Encodes bits using photon polarization; interception changes state.' Next, 'E91 – Entanglement-based' with text 'Uses entangled photon pairs; measurement correlations detect eavesdropping.' Centered beneath the channel is 'CV-QKD – Continuous-variable' labeled 'Encodes data in continuous light properties for telecom compatibility.' To its right, 'MDI-QKD – Measurement-device-independent' includes the note 'Both ends send photons to an untrusted middle station; removes detector attacks.' Furthest right, 'DI-QKD – Device-independent' includes the line 'Security verified via Bell inequality tests; trust not required in devices.' The overall layout presents the photon channel as a continuous pathway linking Leia and Luke with distinct protocol types arranged along it.

Quantum key distribution protocols all aim to do the same thing: generate a shared secret key between two parties using quantum physics. But the way they achieve it differs.

Each protocol represents a step in the evolution of how QKD has been tested, verified, and hardened against attack.

In other words, the differences show how far the field has come from theory to practical systems.

BB84

The BB84 protocol was the first practical design for QKD.

It uses photons encoded in one of two possible bases to represent bits. When the receiver measures those photons, the results depend on whether their chosen basis matches the sender's.

If an eavesdropper tries to intercept the transmission, it changes the photon states and creates detectable errors. That's why BB84 is still used as a reference model for modern QKD systems. It's simple, proven, and foundational.

Note:
Today, BB84 remains the benchmark protocol for validating new QKD hardware, making it central to conformance testing and standardization efforts.

E91

The E91 protocol builds on quantum entanglement.

Instead of sending individual photons, it uses entangled photon pairs shared between two parties. Measuring one photon instantly determines the state of the other, no matter the distance. So if an eavesdropper interferes, the correlations change in measurable ways.

E91 provides stronger theoretical security, but it's harder to implement reliably in real-world networks.

CV-QKD

Continuous-variable QKD, or CV-QKD, encodes information in continuous properties of light such as amplitude and phase.

It works with standard telecom components, which makes it easier to integrate into existing fiber networks. However, it requires very precise detection and noise control.

In practice, CV-QKD trades some physical complexity for better compatibility with commercial infrastructure.

Note:
Because it reuses existing optical equipment, CV-QKD is the leading candidate for large-scale telecom integration and hybrid post-quantum trials.

MDI-QKD

Measurement-device-independent QKD, or MDI-QKD, solves one of the biggest vulnerabilities in earlier systems: detector attacks. Instead of trusting either party's detectors, it sends signals to a third measurement node that can even be untrusted.

The security comes from quantum correlations rather than the devices themselves. This architecture eliminates a major implementation loophole and has become central to large-scale QKD networks.

Note:
Its architecture is now the basis for most national and commercial QKD testbeds, bridging research networks with operational infrastructure.

DI-QKD

Device-independent QKD, or DI-QKD, pushes this idea further. It removes the need to trust any internal workings of the devices used.

Security is based entirely on the statistical violation of Bell inequalities, which is a quantum property that cannot be faked classically. In theory, it provides the strongest possible assurance of security. In practice, it's still experimental and limited by demanding conditions like high detector efficiency and low signal loss.

Beyond these core protocol families, research is also advancing methods that extend how QKD can be deployed. Twin-field QKD (TF-QKD) increases how far keys can travel by letting both parties send signals to a shared middle point. Trusted nodes and experimental quantum repeaters relay keys across longer distances, supporting wide-area and future intercontinental networks.

In sum:

Each protocol reflects a balance between theory and engineering:

  • BB84 and E91 proved QKD was possible. CV-QKD made it practical.
  • MDI-QKD made it secure against hardware flaws.
  • DI-QKD is shaping what the future of fully trustless quantum communication could look like.

 

What are the advantages and disadvantages of QKD?

Quantum key distribution offers strong security benefits. But it also faces practical limits. QKD is powerful in theory and controlled environments. It becomes harder to deploy at scale.

Here’s how the benefits work.

Architecture diagram titled 'What makes QKD secure' showing four labeled sections connected by a dotted vertical line. Each section includes an icon, color-coded header, and brief description. At the bottom, a blue box labeled 'Foundations' contains an icon of a network chip and text reading 'Information-theoretic security – Security doesn’t depend on computing power.' To its right, a small gray caption states 'Even a quantum computer can’t solve or guess the key.' Above it, a red box labeled 'Quantum no-cloning theorem' shows an icon with three overlapping circles and lines and reads 'No perfect copies allowed – Any attempt to copy or measure a quantum state changes it.' To the left, a purple box titled 'Intrusion detection' includes an icon of two linked circles and text 'Eavesdropping creates detectable errors – Leia and Luke compare a portion of results to detect interference.' At the top, a teal box labeled 'Verification & trust' features an icon of two nodes connected by a line and text 'Bell inequality validation (advanced protocols) – Bell tests confirm the system behaves quantumly, not classically.' A short paragraph at the top left reads 'In QKD, every layer—from photon physics to validation tests—makes tampering visible. It replaces computational trust with physical certainty.'

  • QKD provides information-theoretic security.

    That means the secrecy of the key does not rely on assumptions about an attacker's computing power. Even a future quantum computer would not be able to break the key itself. The protection comes from how information is encoded into quantum states and how those states behave when observed.

  • Which leads to the quantum no-cloning theorem.

    An unknown quantum state cannot be perfectly copied. Any attempt to intercept or duplicate the transmitted photons changes their state. Leia and Luke detect those changes when they compare a portion of their results. If the error rate rises above a threshold, they discard the session.

  • Some protocols add another layer through Bell inequality tests.

    These tests check whether the system behaves according to quantum mechanics. If the correlations can't be explained classically, the link is considered secure. That matters for advanced models such as E91 and device-independent QKD.

Now let's walk through the challenges and limitations.

Chart titled 'Challenges and limitations of quantum key distribution (QKD)' showing five labeled sections arranged around a circular central hub with a padlock icon. Each section has an icon, color-coded header, and short description. At the bottom left, a yellow section labeled 'Physical limits' includes an icon of a wave and text reading 'Photon loss and distance – Quantum signals can’t be amplified, making long-distance transmission difficult.' Above it, an orange section labeled 'Scalability & environment' shows an icon of connected nodes and reads 'Difficult to deploy at scale – Fiber requires dedicated channels; free-space links face alignment and weather constraints.' At the top center, a dark teal section labeled 'Organizational readiness' includes an icon of a person and reads 'Slow enterprise adoption – Unclear timing and ROI keep adoption limited to pilots and government networks.' On the right, a blue section titled 'Interoperability' shows an icon of two overlapping connectors and reads 'Vendor & standards mismatch – Different key management protocols slow multi-vendor integration.' At the lower right, a light blue section labeled 'Hardware & cost' includes a gear icon and text 'Expensive, precision hardware – Specialized, high-maintenance components limit accessibility.' All sections connect to the central circular hub, emphasizing the collective challenges surrounding QKD deployment.

  • Photon loss increases sharply with distance.

    Quantum signals weaken as they move through fiber or free space. They also can't be amplified without breaking coherence. That means long-distance links require trusted nodes or experimental quantum repeaters. Each option adds complexity and risk.

  • QKD hardware introduces cost.

    Systems rely on single-photon sources, detectors, and temperature-controlled optics. Each component needs precise alignment and ongoing monitoring. That limits adoption outside research networks and high-security environments.

  • Scale is another obstacle.

    Fiber-based systems need dedicated optical channels and stable environmental conditions. Free-space and satellite systems help, but they depend on alignment windows and weather conditions. Building continuous coverage takes coordination that few organizations are ready for.

  • Interoperability is also a challenge.

    Vendors use different key-management protocols and interfaces. ETSI and ISO standards are addressing this gap. But integration across legacy equipment remains uneven. That slows multi-vendor deployments.

  • And there's also the question of readiness.

    Many decision-makers understand the theory. But they remain unsure about timing and return on investment. That uncertainty keeps QKD deployments concentrated in governments, defense networks, and telecom pilots.

In practice, QKD's value depends on where it is applied. It offers strong security in controlled or high-assurance environments. It becomes more difficult to use across large, heterogeneous networks. Those tradeoffs shape where QKD fits today and how it will evolve alongside other quantum-safe approaches.

 

How does QKD compare to post-quantum cryptography?

Quantum key distribution and post-quantum cryptography both aim to protect data from quantum attacks. But they take entirely different paths to get there.

One is based on physics. The other on mathematics. So they're complementary, not competing, approaches.

Post-quantum cryptography, or PQC, is encryption that can resist attacks from both classical and quantum computers.

Infographic titled 'Post-quantum cryptography explained'. The diagram is divided into five horizontal sections labeled Part 1 through Part 4, with a concluding takeaway bar. Part 1, labeled 'The problem', contains two red boxes: one labeled 'RSA & ECC today' with text 'Secure against classical computers by using factoring and discrete logarithms', and the other labeled 'Quantum threat' with text 'Shor's algorithm on a quantum computer could break RSA and ECC'. Part 2, labeled 'The solution', shows a blue box reading 'Post-quantum cryptography (PQC)' with text 'New encryption methods based on math problems that remain hard for both classical and quantum computers'. Part 3, labeled 'Algorithm families', presents three purple boxes. The first, 'Lattice-based', reads 'Foundation of ML-KEM & ML-DSA; uses high-dimensional algebraic structures'. The second, 'Hash-based', reads 'Relies on secure one-way hash functions; basis of SPHINCS+'. The third, 'Multivariate', reads 'Uses polynomial equations; still in research stages'. Part 4, labeled 'NIST standards', includes three gray circular icons with accompanying text: 'ML-KEM (FIPS 203) Standard for key establishment', 'ML-DSA (FIPS 204) Standard for digital signatures', and 'SLH-DSA (FIPS 205) Stateless hash-based digital signature scheme'. A dark gray bar at the bottom labeled 'Takeaway' contains the statement 'PQC is the standards-led path forward — practical and deployable today'.

It does this by using new mathematical problems that are hard for any computer to solve efficiently. These algorithms are designed to drop into today's systems without major hardware changes, and they're seen as the way forward for quantum security.

In contrast, QKD secures communication by detecting eavesdropping through quantum mechanics. Its security doesn't depend on computation at all.

Comparison: QKD vs. PQC at a glance
Aspect Quantum key distribution (QKD) Post-quantum cryptography (PQC)
Security basis Physics of quantum measurement and no-cloning Hard mathematical problems (lattice, code, multivariate)
Primary defense model Detects interception in real time Prevents decryption by quantum algorithms
Implementation Requires quantum hardware and optical links Software-based; runs on existing infrastructure
Scalability Limited by distance, photon loss, and cost Highly scalable through classical networks
Standardization Defined under ISO/IEC 23837 and ETSI QKD 014 specifications NIST FIPS 203, FIPS 204, FIPS 205
Operational maturity Early-stage deployments; specialized use Ready for near-term enterprise rollout
Integration potential Works alongside classical encryption Can combine with QKD for layered defense

Some national cybersecurity agencies currently recommend prioritizing post-quantum cryptography for most organizations. Guidance from the UK’s NCSC and the U.S. NSA notes that PQC can be deployed widely using existing infrastructure, while QKD requires specialized hardware and is suited to more limited, high-assurance scenarios.

This guidance focuses on near-term practicality rather than dismissing QKD’s security model, which continues to be explored in specialized and long-term confidentiality use cases.

Both are evolving as part of a broader quantum-secure ecosystem.

PQC will safeguard most digital systems through stronger algorithms. QKD will protect the highest-value links where key secrecy must endure for decades.

They're not competing technologies. They're complementary defenses in the post-quantum era.

| Further reading: What Is Post-Quantum Cryptography (PQC)? A Complete Guide

 

Where is QKD being used today?

Chart titled 'Where quantum key distribution is being used today' showing three vertical panels with icons and text describing deployment areas. On the left, a red-toned panel labeled 'Government networks' includes an illustration of a government building and text reading 'Governments and defense agencies use QKD to secure sensitive communications and test hybrid architectures combining quantum and classical encryption. The EuroQCI initiative is building a continent-wide quantum communications network.' In the center, a blue-toned panel labeled 'Satellite links' shows an illustration of a satellite orbiting Earth above buildings and text stating 'Free-space QKD extends reach beyond fiber limits. ID Quantique's payload on China's Micius satellite and missions in Japan and Europe show how satellites can distribute quantum keys globally when terrestrial links fall short.' On the right, a light blue-toned panel labeled 'Telecom backbones' includes an illustration of fiber cables connected to data towers and text reading 'Carriers are testing QKD across metropolitan and national fiber routes to secure data between data centers. Projects by Toshiba and ID Quantique distribute keys over existing optical networks as an added security layer for backbone services.'

Quantum key distribution has moved beyond the lab. Real-world pilots are showing how it can protect sensitive data across critical networks.

The most active deployments today focus on telecom infrastructure, satellite links, and government communications.

Here's what that looks like in practice.

Telecom backbones

Major carriers are testing QKD across metropolitan and national fiber routes. These pilots focus on securing data moving between data centers and cloud interconnects.

Projects led by Toshiba and ID Quantique use commercial optical fibers to distribute keys alongside regular traffic. The goal is to integrate QKD with existing optical network equipment rather than replace it.

For all practical purposes, QKD is being treated as an added security layer for critical backbone services, not a standalone replacement.

Note:
Telecom pilots are proving that QKD can coexist with existing optical infrastructure. By layering quantum and classical encryption over shared fibers, these trials are setting interoperability benchmarks that will shape how service providers roll out future quantum-secure networks.

Satellite links

Free-space QKD experiments are extending reach beyond fiber limits. Satellites act as trusted relay nodes, distributing quantum keys between distant ground stations.

European and international programs are expanding this model through coordinated satellite research and pilots.

ID Quantique's payload on the Chinese Micius satellite, along with upcoming missions in Japan and Europe, show that satellite-based QKD can provide global coverage when terrestrial links fall short.

Note:
Satellite QKD is the bridge to global-scale quantum communications. These missions are validating how key exchange can operate beyond fiber constraints, laying groundwork for hybrid constellations that could one day link terrestrial and space-based quantum networks into a single system.

Government networks

Government agencies are among the earliest adopters. National defense, intelligence, and energy sectors use QKD to secure communication between critical command sites.

These deployments often combine QKD with classical encryption and post-quantum algorithms to test hybrid architectures. In Europe, the EuroQCI initiative is coordinating national pilots to create a continent-wide quantum communications infrastructure.

Note:
Government adoption is driving the standards that private networks will later follow. EuroQCI and similar initiatives are not just testing QKD. They're building the governance, certification, and integration models required to bring quantum security into regulated environments.

Bottom line:

QKD is no longer theoretical. It's being tested in real optical networks, on orbiting satellites, and within strategic government systems.

The technology still faces scale and cost hurdles, but pilot programs are proving it can work in the field. And that's laying the foundation for quantum-secure networks worldwide.

 

How are governments and standards bodies shaping QKD adoption?

The next phase of QKD is about more than pilots. It's about coordination across systems so they interoperate, scale, and meet regulatory expectations.

Governments, standards bodies, and research organizations define how QKD should be built, tested, and deployed. That collaborative structure turns isolated experiments into scalable infrastructure.

ISO/IEC established the first international standard for evaluating QKD systems.

ISO/IEC 23837-1 sets security assurance, conformance testing, and interoperability principles. It gives vendors a shared basis to demonstrate that implementations meet agreed criteria. Part 2, now in development, extends this to full system evaluations.

ETSI complements this on the telecommunications side.

ETSI QKD 014 specifies system architectures, interfaces, and key management protocols. These specifications enable secure interoperability across optical networks. ETSI's quantum-safe work also aligns QKD with post-quantum cryptography in hybrid models.

NIST supports the ecosystem through measurement science and cross-program coordination.

Its current work emphasizes practical hybrid models that combine algorithmic and physical-layer security, including authentication and key-lifecycle integration.

CEN-CENELEC leads parallel efforts in Europe.

The Q04 and Q05 reports map use cases, standardization gaps, and readiness levels for quantum communications. They connect pilots to regulatory frameworks and cybersecurity certification, laying groundwork for a pan-European quantum network.

QKD is moving from experimental setups to regulated infrastructure. International efforts are giving it structure so future quantum networks are interoperable, auditable, and compatible with existing cryptographic ecosystems.

 

What's next for QKD?

Timeline diagram titled 'The road ahead for quantum key distribution' showing three columns labeled 'Now – near term,' 'Mid term,' and 'Future horizon.' The left column contains a red section labeled 'Hybrid security integration: Quantum + post-quantum coexistence' with supporting text explaining that organizations are testing hybrid architectures combining QKD's physical key exchange with PQC's algorithmic resilience. The middle column is titled 'Global network expansion: Continental & satellite-scale deployment' and describes programs such as EuroQCI, Toshiba, and ID Quantique extending QKD across regional, national, and orbital links using repeaters, trusted nodes, and satellites. The right column shows two stacked red sections: 'Toward a quantum-secure ecosystem,' which explains that QKD, PQC, and classical cryptography will operate together as layers of the same defense model, and 'Network convergence: Integration into classical networks,' which notes that ETSI and ISO/IEC standards are enabling unified optical and quantum control planes where QKD becomes a managed service layer within telecom infrastructure.

The future of quantum key distribution is about expansion: turning pilot networks into scalable, interoperable systems that work alongside classical and post-quantum cryptography.

Here's where it's headed.

The first frontier is integration with post-quantum cryptography.

Experts see QKD and PQC as complementary layers of defense.

PQC protects data through new algorithms, while QKD provides real-time detection of eavesdropping. Hybrid models that combine both—known as quantum-safe architectures—are already being tested in pilot networks.

So security will come from layered design, not a single technology.

Next is the expansion toward large-scale quantum networks.

New initiatives are extending QKD's reach beyond regional links toward continental and global coverage.

Efforts like the European Quantum Communication Infrastructure (EuroQCI) and global testbeds led by Toshiba and ID Quantique are demonstrating large-scale integration through quantum repeaters, trusted nodes, and satellite relays.

The aim is continuous, end-to-end key distribution across national and international networks.

Finally, QKD is heading toward network convergence.

Rather than operate in isolation, quantum channels will integrate into existing optical networks through standardized interfaces and control planes.

ETSI and ISO/IEC frameworks are defining those mechanisms now. This is what will turn today's pilots into quantum-secure service layers that telecom providers can scale and manage.

Looking ahead, QKD's future lies in coexistence. It won't replace other cryptography. It will reinforce it.

As standards mature and infrastructure evolves, QKD is poised to become part of a broader quantum-secure ecosystem that blends physical, mathematical, and operational assurance into one continuous defense model.

Explore the future of quantum security
Dive into an interactive overview of quantum threats, post-quantum cryptography, and NIST's new standards.

Launch experience

 

QKD FAQs

Most national cybersecurity agencies recommend prioritizing post-quantum cryptography for broad adoption because it works with existing infrastructure. QKD is still used mainly in specialized, high-assurance environments where long-term confidentiality is critical.
Quantum key distribution provides provable security based on quantum physics. It detects eavesdropping in real time and produces encryption keys that cannot be copied or intercepted undetected. It offers long-term data protection independent of computational assumptions or advances in quantum computing.
QKD is a secure communication method that uses quantum particles, such as photons, to create and share encryption keys. Any attempt to intercept those particles changes their properties, alerting the users to potential eavesdropping.
Key distribution is the process of securely sharing encryption keys between communicating parties so they can encrypt and decrypt data. In QKD, this process uses quantum mechanics to ensure any interception is immediately detectable.
QKD is being developed by research institutions, telecom providers, and specialized companies such as ID Quantique, Toshiba, and Quantum Xchange. Government and standards bodies including NIST, ETSI, ISO/IEC, and CEN-CENELEC are advancing interoperability and certification frameworks.
Quantum keys are generated from measurements of quantum particles. Because observing those particles changes their states, any interception introduces detectable errors. After verification, both parties refine the shared data into a secret encryption key.
QKD faces practical limits: high deployment costs, short transmission distances, and complex alignment requirements. It needs dedicated optical links or satellites, and interoperability between vendors is still developing. Scalability remains its main challenge.
Yes. Satellite-based QKD distributes quantum keys over long distances by transmitting photons between ground stations and orbiting relays. It extends coverage beyond fiber limits and supports global quantum communication networks.
Implementing QKD requires a quantum channel for transmitting photons and a classical channel for authentication. Specialized hardware—single-photon sources, detectors, and synchronization systems—enables key exchange, followed by error correction and privacy amplification to finalize a secure key.
RSA relies on mathematical complexity for security, which can be broken by quantum computers. QKD relies on quantum physics to detect interception. RSA is algorithmic and software-based; QKD is physical and hardware-based. They can be combined for hybrid protection.
Quantum key distribution was first proposed by Charles Bennett and Gilles Brassard in 1984 through the BB84 protocol, which established the foundation for secure quantum communication.
Related content
Blog: Palo Alto Networks Announces New Quantum Security Innovations
Learn about the new crypto inventory tool, quantum-optimized firewalls and PAN-OS 12.1 enabled quantum readiness.
Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think?
Hear how to start your transition to quantum-resistant cryptography now.
TechDocs: Quantum Security Concepts
Get the facts on resisting the quantum computing threat straight from PANW’s solutions documentation.
Interactive experience: Is Your Organization Ready for a Quantum-Safe Future?
Dive into an immersive overview on quantum threats, PQC, and NIST’s new standards.

Get the latest news, invites to events, and threat alerts