Beyond the false binary: The PQC vs. QKD debate misses the point

The real question is: Which combination provides balanced near-term capability, risk mitigation, and long-term strategic positioning for defense in depth? And for the photonics industry, it’s about how to best build the optical infrastructure to enable quantum-enhanced security and computation.

Michael Baczyk

Oct. 29, 2025

5 min read

68ff8ce9bc8ca54f116c811c Dreamstime Xxl 348571148

The quantum cryptography landscape faces a polarizing debate that obscures more than it illuminates. Cybersecurity agencies from the U.K.’s NCSC to the U.S.’s NSA warn that quantum key distribution (QKD) is “not suitable for most practical cases.” Meanwhile, physics research institutions tout quantum networks as “unconditionally secure.” This apparent standoff between “math-based” and “physics-based” security has dominated discussions for more than a decade—but fundamentally misframes the challenge.

The real issue isn’t choosing between post-quantum cryptography (PQC) and QKD. It’s understanding that these technologies address different vulnerabilities through orthogonal mechanisms, which makes them naturally complementary. For the photonics community building quantum networking infrastructure, recognizing this complementarity is essential.

Misleading mathematics-physics dichotomy

The conventional framing positions PQC as “computational security” based on mathematical hardness assumptions, while QKD represents “physical security” grounded in quantum mechanics. This distinction obscures a deeper truth: Both rest on mathematical foundations but target different attack surfaces (see Fig. 1).

FIGURE 1. Conventional cryptography relies on computational assumptions (P≠NP, trapdoor predicates) where failure to find attacks builds confidence. Quantum cryptography leverages quantum theory’s mathematical properties (no-cloning theorem, Bell’s theorem) where eavesdroppers cannot exploit local hidden variables. — **FIGURE 1.** Conventional cryptography relies on computational assumptions (P≠NP, trapdoor predicates) where failure to find attacks builds confidence. Quantum cryptography leverages quantum theory’s mathematical properties (no-cloning theorem, Bell’s theorem) where eavesdroppers cannot exploit local hidden variables.

PQC’s security assumes certain problems (like lattice cryptography’s Shortest Vector Problem) remain computationally intractable even for quantum adversaries. But history counsels humility. SIKE, a late NIST PQC candidate, fell to conventional computer attacks unrelated to quantum computing. The 2024 Chen paper (later disputed) proposing quantum attack vectors against lattice cryptography reminded us that “quantum resistant” doesn’t mean “quantum proof.”

QKD’s security doesn’t depend on computational hardness assumptions. Bell’s theorem—itself a mathematical proof rather than computer science evidence—establishes that no theory based on local hidden variables can reproduce quantum predictions. An eavesdropper fundamentally cannot intercept and clone quantum states without detection, regardless of computational resources. This protection persists against adversaries with capabilities we cannot currently imagine.

Authentication and real-time detection

Critics correctly note that “QKD protocols do not provide authentication” in isolation. But this conflates key exchange with the complete cryptographic stack. QKD establishes secure key material; authentication layers separately—through PQC digital signatures, Wegman-Carter authentication with pre-shared keys, or symmetric-primitive methods.

Crucially, when combined with strong authentication (see Fig. 2), QKD provides real-time detection of tampering before data compromise—a qualitative difference from computational cryptography’s reliance on long-term mathematical problem hardness. This temporal dimension addresses harvest-now-decrypt-later (HNDL) threats that crypto agility cannot solve.

FIGURE 2. Multiple cryptographic stack configurations exist—from standard PQC (quantum-resistant internet) to hybrid quantum approaches combining ML-DSA authentication with QKD key exchange, to information-theoretic security using Wegman-Carter authentication with QKD. Each offers different combinations of enduring computational security and real-time quantum protection against HNDL attacks. — **FIGURE 2.** Multiple cryptographic stack configurations exist—from standard PQC (quantum-resistant internet) to hybrid quantum approaches combining ML-DSA authentication with QKD key exchange, to information-theoretic security using Wegman-Carter authentication with QKD. Each offers different combinations of enduring computational security and real-time quantum protection against HNDL attacks.

The HNDL threat crypto agility can’t address

HNDL attacks pose existential threats to long-lived sensitive data. Adversaries intercept and store encrypted communications today, then decrypt them when quantum computers or cryptanalytic breakthroughs emerge years later. This isn't theoretical—intelligence agencies have long pursued bulk data collection with precisely this strategy.

PQC advocates invoke “crypto agility”—swapping cryptographic algorithms as needed—as the solution. But crypto agility offers no protection for already-harvested data. Algorithm upgrades cannot retroactively secure intercepted traffic. QKD disrupts HNDL by making interception detectable in real time to enable an immediate response rather than silent compromise. For organizations handling multidecade sensitive information—government communications, medical records, financial data—this orthogonal protection has tangible value that purely computational security cannot provide.

Three strategic paths: Global testbed evidence

The theoretical debate takes concrete form in divergent national strategies. At least 50 active or announced quantum networking testbeds span the whole globe (see Fig. 3). These deployments reflect three distinct roadmaps:

Current-generation QKD deployment. China has built more than 3,000 kilometers of operational QKD infrastructure, including the Beijing-Shanghai backbone and multiple metro networks. Europe’s EuroQCI initiative pursues similar deployment across 14 member states through OpenQKD. This strategy builds commercial momentum immediately and generates practical scaling experience. The tradeoff: Current-generation QKD requires trusted nodes at repeater points, which creates vulnerabilities critics highlight.

Next-generation MDI-QKD. Measurement-device-independent QKD eliminates trusted node vulnerabilities through sophisticated protocols. This path couples tightly with distributed quantum computing technology—itself a scaling priority. Japan’s Tokyo QKD Network and advanced European testbeds explore this direction. But current MDI-QKD capabilities remain limited in range and key generation rates.

Full entanglement distribution. Quantum repeaters enabling true end-to-end entanglement show promise for the most powerful applications—distributed quantum computing and quantum sensor networks. U.S. Department of Energy quantum internet initiatives and Europe’s Quantum Internet Alliance are focusing on this endgame. The challenge: It requires sustained sovereign funding through an extended development timeline before commercial viability.

The question isn’t which path is “correct”—it’s which combination balances near-term capability, risk mitigation, and long-term strategic positioning?

FIGURE 3. Global quantum networking testbeds span from China’s 3,000+ km QKD backbone to Europe’s OpenQKD across 14 states, multiple U.S. regional networks (Illinois, Maryland, Tennessee, California, New York), Japan’s metro networks, Singapore’s national infrastructure, and South Korea’s 800-km deployment—representing more than 50 active testbeds pursuing different technical paths toward the quantum internet. — **FIGURE 3.** Global quantum networking testbeds span from China’s 3,000+ km QKD backbone to Europe’s OpenQKD across 14 states, multiple U.S. regional networks (Illinois, Maryland, Tennessee, California, New York), Japan’s metro networks, Singapore’s national infrastructure, and South Korea’s 800-km deployment—representing more than 50 active testbeds pursuing different technical paths toward the quantum internet.

Complexity vs. defense in depth

Critics legitimately raise concerns about complexity, specialized hardware, and operational overhead. Every architectural layer introduces potential vulnerabilities; cryptography history shows theoretically sound schemes can fail due to implementation flaws or side-channel attacks.

But dismissing quantum networking on complexity grounds ignores that orthogonal protection layers can simplify threat modeling by eliminating entire attack classes. Hybrid architectures combining PQC with quantum-enhanced key distribution don't merely add security—they reduce failure consequences. If PQC algorithms prove vulnerable, the quantum layer provides a safety net. If quantum hardware suffers side-channel compromises, computational layers maintain protection.

The documented testbeds aren’t merely research exercises—they represent strategic bets that quantum networking infrastructure will prove essential. South Korea’s nationwide QKD network, Singapore's NQSN+, India's quantum telecom links, distributed U.S. networks, etc. demonstrate deployment heading beyond proof-of-concept.

A photonics opportunity

For photonics researchers and engineers, this debate presents an opportunity rather than a dilemma. It’s about how to best build the optical infrastructure to make quantum-enhanced security and computation possible.

FURTHER READING

See https://uk-quantum-networks-5h9caaj.gamma.site.

See https://quantumcomputingreport.com/where-are-the-worldwide-quantum-networking-testbeds.

See www.nsa.gov/cybersecurity/quantum-key-distribution-qkd-and-quantum-cryptography-qc.

See www.ncsc.gov.uk/whitepaper/quantum-networking-technologies.