Post-quantum cryptography versus quantum key distribution. Do you need both and what does each protect against?

[Hollow85]

Two very different technologies are both called quantum security and the confusion between them is common even among people who work in adjacent fields.

Post-quantum cryptography is classical software running on normal computers but using mathematical problems that quantum computers cannot solve efficiently. It protects data at rest and in transit against future quantum attacks. NIST finalised four PQC standards in August 2024. This is the migration that most organisations need to start.

Quantum key distribution uses the physics of individual photons to share encryption keys in a way that is theoretically impossible to intercept without detection. It requires new physical infrastructure, dedicated optical fibres or line-of-sight links, and it addresses the key exchange problem specifically rather than all encryption. China operates a 2,000km QKD network. Toshiba demonstrated transatlantic QKD this month.

The question is whether you need both. The security community answer is mostly: PQC first because it is software deployable now, QKD second for the highest-security applications where physical infrastructure is justified

[Luke_67]

PQC first because it is deployable now on existing hardware is the practical answer for 99 percent of organisations. QKD first for government, defence, and critical financial infrastructure where the budget and need align

[StringTheory95]

The harvest now decrypt later threat makes PQC urgent today regardless of when quantum computers arrive. QKD addresses a different threat model: interception during key exchange rather than decryption of stored data

[Kev5]

The distinction between mathematical security and physical security is the core of the PQC versus QKD debate. PQC security depends on computational assumptions that could theoretically be broken. QKD security depends on physics that cannot be circumvented

[Paige_68]

Information-theoretic security from QKD being a stronger claim than computational security from PQC is accurate but the practical deployment difference overwhelms the theoretical security difference for most use cases

[ParallelSelf34]

The Toshiba transatlantic QKD demonstration using existing carrier-grade fibre is the key commercial development. If QKD can deploy over infrastructure that already exists the cost argument changes significantly

[Red Wrench]

Hybrid key exchange using both PQC and a classical algorithm simultaneously is what Chrome has been doing for HTTPS since 2024. Belt and suspenders for the transition period before either approach is definitively proven or broken