Quantum Cryptography Explained
The Quantum Threat to Current Encryption
Modern internet security relies on public-key cryptography, where mathematical problems that are easy to compute in one direction but extremely hard to reverse protect the confidentiality and authenticity of digital communication. RSA encryption depends on the difficulty of factoring large numbers: multiplying two 1024-bit prime numbers takes microseconds, but factoring their product takes longer than the age of the universe on a classical computer. Elliptic curve cryptography (ECC) depends on the difficulty of the discrete logarithm problem over elliptic curves. These systems secure web browsing (HTTPS), email encryption, banking transactions, government communications, and digital signatures.
Shor's algorithm solves both of these mathematical problems efficiently on a quantum computer, factoring integers and computing discrete logarithms in polynomial time. A quantum computer with roughly 4,000 error-corrected logical qubits could break RSA-2048 in hours and crack standard elliptic curve cryptography even faster. While no quantum computer today is anywhere close to this capability (the largest processors have roughly 1,200 noisy physical qubits, compared to the millions of physical qubits needed for fault-tolerant operation), the threat is not confined to the future. Encrypted communications intercepted and stored today could be decrypted years from now when quantum computers become powerful enough, a strategy called "harvest now, decrypt later" that intelligence agencies are assumed to be employing.
This threat has motivated two parallel responses. Post-quantum cryptography (PQC) replaces the vulnerable mathematical foundations of current encryption with mathematical problems believed to be hard for both classical and quantum computers. Quantum cryptography (specifically quantum key distribution) provides an entirely different approach to security that is provably immune to quantum attacks. Both approaches are being pursued simultaneously because they serve complementary roles and have different strengths and limitations.
Quantum Key Distribution: The BB84 Protocol
The BB84 protocol, proposed by Charles Bennett and Gilles Brassard in 1984, was the first quantum key distribution scheme and remains the most widely implemented. It allows two parties (traditionally called Alice and Bob) to establish a shared secret key using quantum communication, with security guaranteed by the laws of quantum mechanics rather than computational assumptions.
Alice prepares a sequence of single photons, each randomly encoded in one of four polarization states: horizontal (0 degrees), vertical (90 degrees), diagonal (45 degrees), or anti-diagonal (135 degrees). These four states belong to two bases: the rectilinear basis (horizontal/vertical) and the diagonal basis (45/135 degrees). Within each basis, one state represents bit 0 and the other represents bit 1. For each photon, Alice randomly chooses a basis and a bit value, records both, and sends the photon to Bob through a quantum channel (typically a fiber optic cable or a free-space optical link).
Bob independently and randomly chooses a measurement basis (rectilinear or diagonal) for each received photon. When Bob's chosen basis matches Alice's preparation basis, his measurement result deterministically matches Alice's bit value. When the bases do not match, Bob's result is random and uncorrelated with Alice's bit. After transmitting all photons, Alice and Bob publicly announce which basis they chose for each photon (but not the bit values). They discard all bits where their bases disagreed and keep only the bits where they agreed, which should be identical for both parties. This remaining bit string is the raw key.
The security comes from quantum mechanics' measurement disturbance principle. If an eavesdropper (Eve) intercepts a photon and measures it, she must choose a basis. If she guesses correctly, she gets Alice's bit and can resend an identical photon to Bob. If she guesses wrong (which happens 50% of the time), her measurement disturbs the photon's state, and when Bob measures it in the correct basis, he gets a random result instead of Alice's bit. This introduces errors in the bits where Alice and Bob's bases matched, which they can detect by publicly comparing a random subset of their key bits. If the error rate exceeds a threshold (roughly 11% for BB84), they know an eavesdropper is present and discard the key. If the error rate is below the threshold, they can distill a shorter but perfectly secure key using classical error correction and privacy amplification.
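As an added illustration (not code from the original article), the following Python simulation runs the BB84 steps just described: random basis and bit choices, sifting on announced bases, sacrificing a random subset of sifted bits to estimate the quantum bit error rate (QBER), and aborting above the 11% threshold. Switching on the intercept-resend eavesdropper shows why her wrong-basis guesses push the QBER to about 25%; the photon model is the idealised one from the text (no channel noise or detector loss).

```python
import random

BASES = ("rectilinear", "diagonal")   # "+" and "x" polarization bases
QBER_THRESHOLD = 0.11                 # abort limit quoted in the text


def measure(photon_basis, photon_bit, meas_basis, rng):
    """Measure a single photon. A matching basis returns the encoded bit;
    a mismatched basis disturbs the state and yields a random bit."""
    return photon_bit if meas_basis == photon_basis else rng.randint(0, 1)


def run_bb84(n, eavesdrop=False, seed=0):
    """Run BB84 over n photons and return sifting and QBER statistics."""
    rng = random.Random(seed)          # seeded so runs are reproducible
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for a_basis, a_bit, b_basis in zip(alice_bases, alice_bits, bob_bases):
        basis, bit = a_basis, a_bit
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and forwards
            # a fresh photon prepared in her basis with her result.
            basis = rng.choice(BASES)
            bit = measure(a_basis, a_bit, basis, rng)
        bob_bits.append(measure(basis, bit, b_basis, rng))
    # Sifting: after bases are announced, keep positions where they agreed.
    sifted = [(ab, bb) for a, b, ab, bb in
              zip(alice_bases, bob_bases, alice_bits, bob_bits) if a == b]
    # Sacrifice a random quarter of the sifted bits to estimate the QBER.
    sample = set(rng.sample(range(len(sifted)), len(sifted) // 4))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / len(sample)
    # The undisclosed remainder is the raw key; a real system would now run
    # error correction and privacy amplification on it.
    raw_key = [ab for i, (ab, _) in enumerate(sifted) if i not in sample]
    return {"sifted": len(sifted), "qber": qber,
            "abort": qber > QBER_THRESHOLD, "raw_key_len": len(raw_key)}


if __name__ == "__main__":
    for eve in (False, True):
        print("eavesdropper" if eve else "no eavesdropper", run_bb84(8000, eve))
```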
Entanglement-Based QKD: The E91 Protocol
Artur Ekert proposed an alternative QKD protocol in 1991 that uses entangled photon pairs instead of single photons. A source produces pairs of entangled photons in a Bell state and sends one photon to Alice and one to Bob. Both parties independently choose random measurement bases and record their results. When they choose the same basis, their results are perfectly correlated (or anti-correlated, depending on the Bell state), providing the shared key bits.
The E91 protocol's security relies on Bell inequality violations. Alice and Bob use some of their measurement results (from bases chosen for testing rather than key generation) to compute a Bell inequality statistic. If the source is genuinely producing entangled pairs and no eavesdropper has disturbed them, the statistic violates the Bell inequality, confirming that the correlations are genuinely quantum and cannot have been predetermined by a hidden variable (including one known to an eavesdropper). Any eavesdropping attempt that intercepts and measures the photons destroys the entanglement, reducing the Bell inequality violation and alerting Alice and Bob.
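As an added example (not from the original article), this Python simulation models E91 with a singlet-pair source: matching analyser angles give key bits, the remaining angle combinations feed the CHSH form of the Bell statistic, and an intercept-resend eavesdropper who measures Bob's photon collapses the pair into a product state, so |S| falls below the classical bound of 2 while the key error rate jumps. The three-angle sets and the singlet correlation model E(a,b) = -cos(a-b) are assumptions of this example, not details given in the text.

```python
import math
import random

# Analyser angles (radians), assumed here: Alice {0, pi/4, pi/2} and
# Bob {pi/4, pi/2, 3pi/4}. Equal angles yield key bits; the other
# combinations are used only for the CHSH Bell test.
ALICE_ANGLES = (0.0, math.pi / 4, math.pi / 2)
BOB_ANGLES = (math.pi / 4, math.pi / 2, 3 * math.pi / 4)


def measure_pair(a, b, rng, eve_angle=None):
    """Return (alice, bob) outcomes in {-1, +1} for one photon pair.
    A genuine singlet gives opposite outcomes with probability
    cos^2((a-b)/2), i.e. E(a,b) = -cos(a-b). If Eve measures Bob's photon
    at eve_angle first, the pair collapses and both photons carry
    classical (local hidden variable) values from then on."""
    if eve_angle is None:
        alice = rng.choice((-1, 1))
        opposite = rng.random() < math.cos((a - b) / 2) ** 2
        return alice, (-alice if opposite else alice)
    eve = rng.choice((-1, 1))
    alice = -eve if rng.random() < math.cos((a - eve_angle) / 2) ** 2 else eve
    bob = eve if rng.random() < math.cos((eve_angle - b) / 2) ** 2 else -eve
    return alice, bob


def run_e91(n, eavesdrop=False, seed=0):
    """Distribute n pairs, split results into key bits and Bell-test data,
    and return the CHSH statistic S together with the key error rate."""
    rng = random.Random(seed)
    sums = {}                         # (a, b) -> [sum of alice*bob, count]
    key_alice, key_bob = [], []
    for _ in range(n):
        a, b = rng.choice(ALICE_ANGLES), rng.choice(BOB_ANGLES)
        eve_angle = rng.uniform(0, 2 * math.pi) if eavesdrop else None
        x, y = measure_pair(a, b, rng, eve_angle)
        if a == b:                    # same basis: Bob flips the anti-correlated bit
            key_alice.append(x)
            key_bob.append(-y)
        else:                         # different basis: Bell-test data
            s = sums.setdefault((a, b), [0, 0])
            s[0] += x * y
            s[1] += 1
    corr = lambda a, b: sums[(a, b)][0] / sums[(a, b)][1]
    a1, a2, b1, b2 = 0.0, math.pi / 2, math.pi / 4, 3 * math.pi / 4
    chsh = corr(a1, b1) - corr(a1, b2) + corr(a2, b1) + corr(a2, b2)
    key_errors = sum(x != y for x, y in zip(key_alice, key_bob))
    return {"S": chsh, "violates_bell": abs(chsh) > 2,
            "key_bits": len(key_alice),
            "key_error_rate": key_errors / len(key_alice)}
```

With a genuine source |S| approaches 2*sqrt(2) and the key bits agree exactly; with the eavesdropper |S| drops to about 1.4 and roughly a quarter of the key bits disagree.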
The E91 protocol has a conceptual advantage over BB84: its security is derived from a fundamental theorem of quantum mechanics (Bell's theorem) rather than from specific properties of the quantum states used. This means the security proof is more robust against imperfections in the source and detectors. In practice, both BB84 and E91 achieve similar security levels, and the choice between them depends on practical considerations like the availability of efficient single-photon sources versus entangled photon pair sources.
Post-Quantum Cryptography: The Classical Response
While QKD provides physics-based security, it requires specialized quantum hardware and dedicated optical links between communicating parties. For most internet communications, a more practical approach is post-quantum cryptography (PQC): classical encryption algorithms based on mathematical problems that are believed to be hard for both classical and quantum computers. Unlike QKD, PQC runs on standard hardware and can protect internet traffic using existing infrastructure with software updates alone.
NIST (the US National Institute of Standards and Technology) ran a multi-year competition to standardize PQC algorithms, finalizing the first standards in 2024. The selected algorithms include CRYSTALS-Kyber (now ML-KEM) for key encapsulation (establishing shared secrets) and CRYSTALS-Dilithium (now ML-DSA) for digital signatures. Both are based on lattice problems, mathematical structures involving high-dimensional grids of points where finding the closest lattice point to a given target is believed to be hard for quantum computers. SPHINCS+ (SLH-DSA), based on hash functions, was also standardized as a backup signature scheme with different security assumptions.
The transition to PQC is a massive undertaking. Every system that uses RSA or ECC, which includes virtually every server on the internet, every web browser, every email client, every VPN, every banking system, and every government communication system, must be updated to use post-quantum algorithms. Many organizations have begun the migration, with major web browsers and servers adding support for hybrid key exchange that combines classical and post-quantum algorithms for defense in depth. The full transition is expected to take 10 to 15 years, and the urgency is driven by the "harvest now, decrypt later" threat: data encrypted today with vulnerable algorithms can be stored and decrypted once quantum computers are powerful enough.
Deployed Quantum Networks
QKD has moved from laboratory demonstrations to deployed infrastructure in several countries. China's quantum communication program is the most advanced, with a 2,000-kilometer fiber-optic QKD backbone connecting Beijing, Shanghai, Jinan, and Hefei, secured by trusted relay nodes. The Micius satellite, launched in 2016, demonstrated satellite-to-ground QKD over distances exceeding 1,200 kilometers, generating secure keys between ground stations in China and Austria. This satellite-based approach overcomes the distance limitation of fiber-based QKD, where photon absorption in the fiber limits practical distances to about 100 kilometers without quantum repeaters.
European quantum networks include the Cambridge Quantum Network in the UK, the Madrid Quantum Network in Spain, and pan-European projects under the EuroQCI (European Quantum Communication Infrastructure) initiative, which aims to connect all 27 EU member states with quantum-secured communication by 2030. South Korea has deployed a 48-node QKD network connecting government institutions in the Seoul metropolitan area. Japan, Singapore, and several other countries have operational QKD testbeds.
Commercial QKD systems are available from companies including ID Quantique (Switzerland), Toshiba (Japan/UK), QuantumCTek (China), and SK Telecom (South Korea). These systems achieve key generation rates of 1 to 100 kilobits per second over fiber distances of 50 to 100 kilometers, sufficient for encrypting communication channels but not for bulk data transfer. Research systems have demonstrated key rates exceeding 10 megabits per second over shorter distances, and twin-field QKD protocols have extended the distance record beyond 500 kilometers in fiber without trusted relays.
The main limitation of current QKD deployments is the need for quantum repeaters to extend distances beyond 100 to 200 kilometers. A quantum repeater uses entanglement swapping and quantum error correction to extend entanglement across multiple short links, but building a fully functional quantum repeater requires quantum memory that can store quantum states for the round-trip communication time. Prototype quantum memories based on trapped atoms, nitrogen-vacancy centers, and rare-earth crystals have demonstrated storage times of seconds to hours, and the first practical quantum repeaters are expected within the next decade.
Quantum cryptography provides provably unbreakable security through quantum key distribution, while post-quantum cryptography offers a practical software-based defense against the quantum threat to current encryption, and both approaches are being deployed in parallel to secure communications against future quantum computers.