Fraunhofer Institute for Applied and Integrated Security Classical public-key methods for exchanging cryptographic keys could be broken by future quantum computers. Currently, two fundamentally different approaches to quantum-secure key exchange are being discussed:
- PPost-Quantum Cryptography (PQC): Cryptographic methods based on difficult mathematical problems that are resistant to attacks from both classical and quantum computers. These can be used on classical computers and communication networks and can be integrated into existing IT systems. Corresponding methods were standardized by NIST in 2024.
- Quantum Key Distribution (QKD): An approach that utilizes quantum physical effects to agree on a cryptographic key between two parties via an insecure quantum channel. A key property of the QKD protocol is that any eavesdropping attempt alters the quantum mechanical states, thereby revealing a man-in-the-middle attack. This property makes QKD theoretically very secure.
Important: While both PQC and QKD pursue the same goal (quantum security), they are fundamentally different approaches. PQC is based on mathematics and runs on classical hardware – QKD, on the other hand, utilizes quantum physics and quantum technologies.
The German Federal Office for Information Security (BSI), together with security authorities from France, the Netherlands, and Sweden, has analyzed the current state of quantum-based key distribution (QKD) in a position paper. It concludes that, due to technical limitations and a lack of security maturity, QKD is currently only practically usable for niche applications. QKD is not suitable for the majority of today’s secure communications.
The BSI cites several reasons for this:
Technical Limitations
QKD requires specialized hardware such as single-photon sources and detectors, as well as a dedicated communication infrastructure (quantum channel). The acquisition and maintenance of a QKD system involve very high costs, making it unsuitable for general use as a secure communication or mobile network.
Range Limitations
In practice, end-to-end encrypted transmission links are limited because quantum signals are significantly weakened over increasing distances when transmitted via fiber-optic cables. There are alternative satellite-based approaches, but these also have similar range limitations and are very costly to implement. The limited transmission range severely restricts the potential applications of the QKD system
Dependence on additional cryptographic methods for authentication
In addition to the quantum channel, a classical, authenticated channel is required for mutual authentication of the communication participants.
Two approaches are possible for implementing the authentication mechanism:
- Use of pre-shared keys with symmetric message authentication. These pre-shared keys must be renewed regularly.
- Use of post-quantum signature schemes with a public-key infrastructure (PKI). The security of the authentication depends entirely on the security of this post-quantum cryptographic scheme.
In practice, QKD remains dependent on additional cryptographic mechanisms.
Lack of practical security maturity
In theory, QKD protocols can guarantee security based on principles of quantum physics. However, there is currently a lack of sufficiently proven evidence that implemented QKD systems actually provide this security in practice. Several attacks on the hardware of a QKD system are known.
Conclusion
According to the position paper by European security authorities, QKD is an interesting technology that requires further research, not least due to current and inherent limitations. At present, QKD is only suitable for niche applications due to costly specialized hardware, range limitations, and unresolved security issues. To secure communication channels against quantum computers on a broad scale, the BSI and other authorities recommend focusing on post-quantum cryptography and initiating the migration to a hybrid public-key system (classical public-key cryptography combined with post-quantum cryptography) as early as possible.