Every key exchange protocol in widespread use today – Diffie-Hellman, ECDH, RSA key transport, and even the new lattice-based ML-KEM – rests on a computational assumption: some mathematical problem is hard to solve. Factor large integers. Compute discrete logarithms. Find short vectors in high-dimensional lattices. If any of these assumptions fails – because of a new algorithm, a quantum computer, or a mathematical breakthrough we have not anticipated – the security guarantee evaporates. Retroactively.
Quantum key distribution operates on a fundamentally different principle. Its security is guaranteed by the laws of physics, not the difficulty of computation. Specifically, it relies on the quantum mechanical properties of photons: the no-cloning theorem (an unknown quantum state cannot be perfectly copied) and the measurement disturbance principle (measuring a quantum state in the wrong basis irreversibly alters it). These are not assumptions. They are experimentally verified consequences of quantum mechanics.
The result: QKD provides information-theoretic security for key exchange. An eavesdropper with unlimited computational power – including a quantum computer of arbitrary capability – cannot intercept the key without being detected. No other key exchange protocol in existence provides this guarantee.
This security comes at a cost: QKD requires a quantum channel (typically an optical fiber or free-space laser link) between the communicating parties, operates at relatively low key rates (kilobits to megabits per second), and has distance limitations (approximately 100-400 km over fiber without quantum repeaters). These are engineering constraints, not fundamental ones, and they are being actively addressed.
The BB84 Protocol
BB84, proposed by Charles Bennett and Gilles Brassard in 1984, was the first quantum key distribution protocol. It uses single photons encoded in two complementary bases.
The Quantum Setup
Alice wants to share a secret key with Bob over a quantum channel (optical fiber) and an authenticated classical channel (standard network connection).
Alice prepares each photon in one of four polarization states:
- Rectilinear basis (+): Horizontal (0 degrees) = bit 0, Vertical (90 degrees) = bit 1
- Diagonal basis (x): 45 degrees = bit 0, 135 degrees = bit 1
For each bit of the raw key, Alice randomly chooses a basis (+ or x) and a bit value (0 or 1), and sends the corresponding photon to Bob.
Bob’s Measurement
Bob randomly chooses a measurement basis (+ or x) for each incoming photon. If Bob’s basis matches Alice’s, his measurement result deterministically matches Alice’s bit value. If the bases differ, Bob’s result is random – equally likely to be 0 or 1, independent of Alice’s bit value.
Sifting
After all photons are transmitted, Alice and Bob publicly compare their basis choices (but not their bit values) over the classical channel. They discard all bits where their bases differed, keeping only the bits where they used the same basis. On average, their bases match 50% of the time, so approximately half of the raw bits survive sifting.
Eavesdropper Detection
The security of BB84 rests on a physical law: the no-cloning theorem prohibits an eavesdropper (Eve) from copying the photon to measure it and then forwarding the original to Bob. Eve must measure the photon, which collapses its quantum state, and then re-prepare a photon based on her measurement result.
If Eve measures in the same basis Alice used, she obtains the correct bit value and sends the correct state to Bob. No disturbance.
If Eve measures in the wrong basis (probability 50%), she obtains a random result and sends a photon in the wrong state. When Bob measures this photon in Alice’s original basis, he gets the wrong result 50% of the time.
The net error rate introduced by Eve’s intercept-resend attack: 25% of the sifted bits are incorrect (50% chance of wrong basis * 50% chance of wrong result). Alice and Bob check for this by publicly comparing a random subset of their sifted bits. If the error rate exceeds the expected level (accounting for channel noise and detector imperfections), they conclude that eavesdropping occurred and abort the protocol.
Privacy Amplification and Error Correction
Real quantum channels are noisy. Photon loss, detector dark counts, and polarization drift introduce errors even without eavesdropping. The protocol must distinguish natural errors from eavesdropping-induced errors.
Error correction: Alice and Bob perform classical error correction (e.g., Cascade protocol or LDPC codes) on their sifted key to reconcile discrepancies. This requires publishing some parity information over the classical channel, which leaks a bounded amount of information to Eve.
Privacy amplification: Alice and Bob apply a universal hash function to their error-corrected key, reducing its length but eliminating any information Eve may have gained during eavesdropping or error correction. The output is a shorter key that is provably secure – Eve’s information about the final key is exponentially small.
The security proof, formalized by Shor and Preskill (2000) and refined by Renner (2005), shows that the final key rate is:
r = 1 - H(e_x) - H(e_z)
where H is the binary entropy function and e_x, e_z are the error rates in the two bases. For error rates below approximately 11%, the key rate is positive – secure key can be distilled. Above 11%, the protocol aborts.
E91: Entanglement-Based QKD
Artur Ekert proposed E91 in 1991, using quantum entanglement rather than prepare-and-measure.
A source (which can be untrusted) produces pairs of entangled photons and sends one to Alice and one to Bob. Each entangled pair is in the Bell state |Phi+> = (|00> + |11>)/sqrt(2). When Alice and Bob measure in the same basis, they obtain perfectly correlated results (both 0 or both 1).
The security check uses Bell’s inequality. Alice and Bob each measure in one of three bases (0, pi/8, pi/4 for Alice; 0, pi/8, -pi/8 for Bob). For the measurements where they used different bases, they compute the CHSH (Clauser-Horne-Shimony-Holt) correlation parameter S. Quantum mechanics predicts S = 2*sqrt(2) for maximally entangled photons. Any eavesdropping that disturbs the entanglement reduces S below this value. A classical eavesdropper is bounded by S <= 2 (the CHSH inequality).
E91’s elegance: the security test is a direct verification of quantum entanglement. Any attempt by Eve to learn the key necessarily destroys the entanglement, which is detectable through the Bell inequality violation.
The practical advantage of E91 over BB84 is that the photon source can be in the middle (between Alice and Bob) or even controlled by Eve. The entanglement correlation is independent of the source – only the measurement statistics matter. This makes E91 particularly suitable for quantum network architectures where a central node distributes entangled pairs.
Real-World QKD Networks
Fiber-Based Networks
China’s Beijing-Shanghai Backbone (2017). A 2,000 km fiber-optic QKD network connecting Beijing, Jinan, Hefei, and Shanghai through 32 trusted relay nodes. The longest single-span link is approximately 100 km. Key rates of several kilobits per second per link. As of 2024, the network has been expanded to over 4,600 km, connecting additional cities.
The trusted relay model is QKD’s current practical limitation. Because photon loss in fiber limits direct QKD distance to approximately 100-400 km (depending on fiber quality and detector technology), long-distance links require intermediate “trusted nodes” that decrypt, re-encrypt, and forward keys. Each trusted node is a security vulnerability – a compromised relay exposes the key.
Quantum repeaters, which would extend QKD range without trusted relays using entanglement swapping and quantum error correction, remain in the research stage. A 2024 demonstration at TU Delft achieved entanglement swapping across three nodes with a fiber distance of approximately 35 km – promising but far from production readiness.
European EuroQCI Initiative. The European Union’s Quantum Communication Infrastructure initiative plans to deploy a pan-European QKD network by 2027, combining fiber-based metropolitan networks with satellite-based inter-city links. The initiative involves all 27 EU member states and aims to protect critical infrastructure communications.
Satellite QKD
Micius (2016). China’s Micius satellite demonstrated satellite-to-ground QKD over distances exceeding 1,200 km, with key rates of several kilobits per second. The satellite distributes entangled photon pairs to ground stations, enabling intercontinental QKD without fiber.
In 2020, Micius facilitated a quantum-secured video conference between Beijing and Vienna (7,600 km apart), using satellite-ground QKD combined with fiber networks. The demonstration processed approximately 2 kilobits per second of secure key material – enough for real-time symmetric key refresh for the encrypted video stream.
SpeQtral (Singapore). The startup plans to deploy a constellation of QKD satellites enabling global key distribution, targeting commercial availability by 2028.
Free-space QKD through the atmosphere faces challenges: atmospheric turbulence, cloud cover, and the requirement for line-of-sight between the satellite and ground station. Daylight operation is possible with spectral filtering and timing correlation but achieves lower key rates than nighttime operation.
Key Rates and Performance
Current QKD system performance (2025-2026):
| System | Medium | Distance | Key Rate |
|---|---|---|---|
| Toshiba QKD | Fiber | 100 km | 10 Mbps |
| ID Quantique Cerberis | Fiber | 50 km | 3.2 kbps |
| Micius satellite | Free space | 1,200 km | ~2 kbps |
| Twin-field QKD (experimental) | Fiber | 509 km | ~0.1 kbps |
Toshiba’s 2024 demonstration of 10 Mbps QKD over 100 km of fiber represents a breakthrough – previous commercial systems achieved tens of kilobits per second at best. The improvement comes from multiplexing techniques (wavelength division and time division) and improved single-photon detectors (superconducting nanowire detectors with >95% efficiency and <100 ps timing jitter).
Twin-field QKD (TF-QKD), proposed by Lucamarini et al. in 2018, extends the maximum fiber distance by having both Alice and Bob send pulses to a central measurement node, rather than Alice sending to Bob directly. This overcomes the point-to-point rate-distance limit and has achieved secure key distribution over 509 km of optical fiber in laboratory conditions.
QKD vs. Post-Quantum Cryptography
QKD and post-quantum cryptography (PQC) address the quantum threat differently:
| Property | QKD | PQC (ML-KEM, etc.) |
|---|---|---|
| Security basis | Physics (unconditional) | Mathematics (computational) |
| Quantum channel required | Yes | No |
| Distance limitation | ~100-400 km (fiber) | Unlimited |
| Key rate | kbps-Mbps | Unlimited |
| Infrastructure cost | Very high | Minimal (software) |
| Maturity | Niche deployment | Standardized (FIPS 203/204) |
| Forward secrecy | Inherent | Protocol-dependent |
PQC is deployable today as a software update. QKD requires dedicated hardware and quantum channels. For the vast majority of internet communications, PQC is the practical solution.
QKD’s value is in high-security contexts where the unconditional security guarantee justifies the infrastructure cost: government classified communications, financial interbank links, critical infrastructure control systems, and any application where the security must survive not just current computational capabilities but unknown future capabilities.
The two approaches are complementary, not competing. A defense-in-depth strategy might use PQC (lattice-based key exchange) for TLS connections to the internet at large, and QKD for the most sensitive internal links where the unconditional security guarantee is worth the infrastructure investment.
Limitations and Open Problems
Side-channel attacks. QKD’s security proof assumes ideal devices. Real devices have imperfections: photon sources may occasionally emit multiple photons (enabling photon-number splitting attacks), detectors have efficiency mismatches (enabling detector blinding attacks), and optical components may have wavelength-dependent behavior exploitable by Eve. Device-independent QKD (DI-QKD), which proves security from observed Bell inequality violations without trusting the devices, addresses these concerns but at significantly reduced key rates.
Authentication. QKD requires an authenticated classical channel for basis comparison and error correction. This authentication typically uses pre-shared symmetric keys or digital signatures. If the authentication is compromised, QKD’s security fails. The classical authentication is the protocol’s weakest link.
Scalability. Point-to-point QKD does not scale to the internet’s billions of endpoints. Quantum network architectures – using trusted relays, satellite links, or (eventually) quantum repeaters – are needed for scalable deployment, but none currently match the convenience and ubiquity of classical internet infrastructure.
Cost. QKD transmitters cost tens of thousands of dollars. Single-photon detectors (superconducting nanowire or avalanche photodiode arrays) cost similarly. Dedicated fiber is expensive to lease or deploy. The total cost of a single QKD link can exceed $100,000, making it impractical for consumer applications.
The Stealth Cloud Perspective
Stealth Cloud’s architecture operates over the classical internet, using TLS 1.3 for transport security and client-side AES-256-GCM encryption for end-to-end data protection. QKD does not fit into this architecture today – the infrastructure requirements are incompatible with a globally distributed, edge-first platform running on Cloudflare Workers.
But QKD represents something that matters to Stealth Cloud’s mission: the existence of an unconditionally secure key exchange. Every other key exchange mechanism relies on a computational assumption that could, in principle, be broken. QKD proves that the laws of physics permit secure communication without any such assumption.
This matters for Stealth Cloud’s long-term positioning. Post-quantum cryptography provides resistance against known quantum algorithms under specific mathematical assumptions. QKD provides resistance against all adversaries, known and unknown, bounded only by physics. As QKD hardware costs decrease and quantum network infrastructure matures, the option of QKD-secured links between zero-knowledge infrastructure nodes becomes a design consideration – not for every user connection, but for the critical paths where the key material must be protected with absolute certainty.
The most profound implication of quantum key distribution is not practical. It is epistemological. QKD demonstrates that secure communication is not merely a mathematical construction that might be undermined by future computational advances. It is a physical reality, grounded in the same quantum mechanics that governs the behavior of every photon in the universe.
Mathematics can be wrong. Physics cannot be bypassed.