Unless stated otherwise, the following statement is fully quoted from https://www.nsa.gov/what-we-do/cybersecurity/quantum-key-distribution-qkd-and-quantum-cryptography-qc/


NSA continues to evaluate the usage of cryptography solutions to secure the transmission of data in National Security Systems. NSA does not recommend the usage of quantum key distribution and quantum cryptography for securing the transmission of data in National Security Systems (NSS) unless the limitations below are overcome.

What are Quantum Key Distribution (QKD) and Quantum Cryptography (QC)?

Quantum key distribution utilizes the unique properties of quantum mechanical systems to generate and distribute cryptographic keying material using special purpose technology. Quantum cryptography uses the same physics principles and similar technology to communicate over a dedicated communications link. Published theories suggest that physics allows QKD or QC to detect the presence of an eavesdropper, a feature not provided in standard cryptography.

Quantum-resistant algorithms are implemented on existing platforms and derive their security through mathematical complexity. These algorithms used in cryptographic protocols provide the means for assuring the confidentiality, integrity, and authentication of a transmission—even against a potential future quantum computer. The National Institute of Standards and Technology (NIST) is presently conducting a rigorous selection process to identify quantum-resistant (or post-quantum) algorithms for standardization [1]. Once NIST completes its selection process, NSA will issue updated guidance through CNSSP-15.

Understanding the QKD/QC story

Quantum key distribution and Quantum cryptography vendors—and the media—occasionally state bold claims based on theory—e.g., that this technology offers “guaranteed” security based on the laws of physics. Communications needs and security requirements physically conflict in the use of QKD/QC, and the engineering required to balance these fundamental issues has extremely low tolerance for error. Thus, security of QKD and QC is highly implementation-dependent rather than assured by laws of physics. Although we refer to QKD only to simplify discussion below, similar statements can be made for QC.

Technical Limitations

  1. Quantum key distribution is only a partial solution. QKD generates keying material for an encryption algorithm that provides confidentiality. Such keying material could also be used in symmetric key cryptographic algorithms to provide integrity and authentication if one has the cryptographic assurance that the original QKD transmission comes from the desired entity (i.e., entity source authentication). QKD does not provide a means to authenticate the QKD transmission source. Therefore, source authentication requires the use of asymmetric cryptography or preplaced keys to provide that authentication. Moreover, the confidentiality services QKD offers can be provided by quantum-resistant cryptography, which is typically less expensive with a better understood risk profile.
  2. Quantum key distribution requires special purpose equipment. QKD is based on physical properties, and its security derives from unique physical layer communications. This requires users to lease dedicated fiber connections or physically manage free-space transmitters. It cannot be implemented in software or as a service on a network and cannot be easily integrated into existing network equipment. Since QKD is hardware-based it also lacks flexibility for upgrades or security patches.
  3. Quantum key distribution increases infrastructure costs and insider threat risks. QKD networks frequently necessitate the use of trusted relays, entailing additional cost for secure facilities and additional security risk from insider threats. This eliminates many use cases from consideration.
  4. Securing and validating quantum key distribution is a significant challenge. The actual security provided by a QKD system is not the theoretical unconditional security from the laws of physics (as modeled and often suggested), but rather the more limited security that can be achieved by hardware and engineering designs. The tolerance for error in cryptographic security, however, is many orders of magnitude smaller than in most physical engineering scenarios making it very difficult to validate. The specific hardware used to perform QKD can introduce vulnerabilities, resulting in several well-publicized attacks on commercial QKD systems [2].
  5. Quantum key distribution increases the risk of denial of service. The sensitivity to an eavesdropper as the theoretical basis for QKD security claims also shows that denial of service is a significant risk for QKD.


In summary, NSA views quantum-resistant (or post-quantum) cryptography as a more cost effective and easily maintained solution than quantum key distribution. For all of these reasons, NSA does not support the usage of QKD or QC to protect communications in National Security Systems and does not anticipate certifying or approving any QKD or QC security products for usage by NSS customers unless these limitations are overcome.
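
An added illustration of limitation 5 (not part of the NSA statement and not code from any QKD product): an idealised simulation of BB84, used here as an assumed representative QKD protocol, showing that the error check which reveals a tap on the link is also what makes the session end without a key. The 11% abort threshold, the lossless channel and all function names are assumptions of this example.

```python
import random

ABORT_QBER = 0.11  # assumed abort threshold (commonly cited bound for BB84)


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; a mismatched basis gives a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_session(n_pulses, tap_fraction, seed):
    """Simulate one BB84 session on an ideal channel (no loss, no detector noise).

    tap_fraction is the share of pulses that a third party on the link
    measures and re-sends. Returns (qber, sifted_bits, key_accepted).
    """
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_pulses):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis
        if rng.random() < tap_fraction:
            t_basis = rng.randrange(2)
            bit = measure(bit, basis, t_basis, rng)
            basis = t_basis  # the pulse continues in the tap's basis
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: keep only matching-basis rounds
            sifted += 1
            errors += a_bit != b_bit
    qber = errors / sifted if sifted else 1.0
    return qber, sifted, qber <= ABORT_QBER


def key_yield(sessions, n_pulses, tap_fraction):
    """Count how many of `sessions` runs end with an accepted key."""
    return sum(run_session(n_pulses, tap_fraction, s)[2] for s in range(sessions))


if __name__ == "__main__":
    for frac in (0.0, 0.6, 1.0):
        qber, sifted, ok = run_session(20000, frac, seed=1)
        print(f"tap={frac:.1f} qber={qber:.3f} sifted={sifted} key_accepted={ok}")
    print("keys from 5 untapped sessions:", key_yield(5, 20000, 0.0))
    print("keys from 5 tapped sessions:  ", key_yield(5, 20000, 0.6))
```

For capacity planning, the availability impact is the quantity to watch: detection works in every tapped run, and the key yield over those runs is zero.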

WA’s Comment: An experienced hacker would say that eavesdropping has never been a pain point in today’s communication because it is hard to pull out useful information by doing so. Instead, a hacker hacks the server where everything may be found. By applying quantum communication, the community moves from a problem-free regime to a regime with two problems. The first one is that there won’t be a break-even for the investment in the quantum channel globally, knowing that there is still no threat called a quantum computer. The second is that hackers will do frequent eavesdropping not for the information but to demolish the entire communication network. In the end, the hardware-based approach, QKD, should only be used when secrecy needs to be guaranteed under all circumstances and at all costs. Alternatively, the software-based approach, Post-Quantum Cryptography (PQC), which relies on cryptographic algorithms designed to withstand cyberattacks from large-scale quantum computers, is more attractive in satisfying demands for cryptographic usability and flexibility, as described in Table 1.

Table 3: A comparison chart that contrasts the software-based approach, Post-Quantum Cryptography (PQC), and the hardware-based approach, Quantum Key Distribution (QKD). Reproduced from Ajey Lele, Quantum Technologies and Military Strategy, Springer Nature Switzerland AG 2021, ISBN 978-3-030-72721-5, pp. 58-59.

| Comparison Metric | PQC | QKD |
|---|---|---|
| Security | Algorithms will undergo years of study to determine reliability. However, there is no 100% guarantee that someone would eventually find a way to break it. | Quantum mechanics guarantees that a quantum channel cannot be successfully intercepted without detection. |
| Implementation | Most implementations will be software only. Will not require specialized hardware. | Implementations will require specialized hardware. |
| Communications media | Can be used with any type of digital communications media including RF, wired networks, optical communications. | Only works with optical communications; either optical fiber or free space optical. |
| Cost | Relatively low cost since the solutions will be software-based. | Higher cost because hardware and a new communications infrastructure will be required. |
| Repeater compatibility | Fully compatible with current digital repeater technology. | Repeater possible by receiving a quantum channel, decoding to classical bits, and re-encrypting and retransmitting to another quantum channel. However, this does create a security risk of interception when the data is in a classical state at the repeater. |
| Mobile device compatibility | Fully compatible with any type of communications used by a mobile device. | Very limited. Could only be used with line-of-sight nodes. |
| Digital signature compatibility | Variations of the standards are being developed specifically for digital signature applications. | Could potentially be used for digital signatures, but use is unlikely for other reasons. |

Note: PQC, often referred to as quantum-proof, quantum-safe or quantum-resistant, is about preparing algorithms and standards after the realization of practical quantum computers. Distinguishably, Quantum Cryptography (QC) is based on quantum mechanical properties, not on leveraging mathematical knowledge and perceiving complex problems; QKD is a good example.

[1] See csrc.nist.gov/Projects/post-quantum-cryptography.

[2] See, for example: 1) Vakhitov, Makarov, and Hjelme, Large pulse attack as a method of conventional optical eavesdropping in quantum cryptography, Journal of Modern Optics 48, 2001. 2) Makarov and Hjelme, Faked states attack on quantum cryptosystems, Journal of Modern Optics, vol. 52, 2005. 3) Ferenczi, Grangier, Grosshans, Calibration Attack and Defense in Continuous Variable Quantum Key Distribution, CLEO-IQEC, 2007. 4) Zhao, Fung, Qi, Chen, and Lo, Experimental demonstration of time-shift attack against practical quantum key distribution systems, Physical Review A vol. 78, 2008. 5) Scarani and Kurtsiefer, The black paper of quantum cryptography: Real implementation problems, Theoretical Computer Science (560) 2014.