Sharing a secret key with security guaranteed by physics, not mathematics. The complete guide to QKD, from the BB84 and E91 protocols to the coming quantum internet.
Quantum key distribution is the most mature and arguably the most important application of quantum information, a way for two parties to share a secret key whose security is guaranteed by physics rather than by mathematics. While quantum computers grab the headlines, it is quantum cryptography that has quietly moved from theory into fibre-optic cables, satellites and commercial products. At its heart lies a simple and beautiful idea, that the act of looking at a quantum signal inevitably disturbs it.
This guide is a complete tour of quantum key distribution, explaining what it is, why it matters now, and how it works, before mapping the main families of protocols and the systems being deployed today. It is the parent topic that ties together protocols like BB84 and E91, and the best place to understand where quantum cryptography is heading.
What quantum key distribution is
Quantum key distribution, often abbreviated to QKD, solves one specific problem, the secure sharing of a secret key between two parties traditionally called Alice and Bob. Once they hold an identical string of random bits that nobody else knows, they can use it with well-understood classical methods to encrypt messages with absolute secrecy. The hard part has always been getting that key to both of them without an eavesdropper copying it on the way.
What makes the quantum approach special is that it does not try to make interception computationally difficult, it makes it physically detectable. By encoding the key in individual quantum particles, QKD ensures that any attempt to measure them in transit leaves a disturbance that Alice and Bob can see. The security rests on the laws of nature, which is why it holds even against an adversary with unlimited computing power.
The distinction between key distribution and encryption matters here. QKD does not encrypt messages itself, it solves only the narrower problem of agreeing a key, after which ordinary ciphers do the encrypting. That focus is a strength, because the one step it handles is the step classical methods struggle to secure against a future quantum adversary.
Why quantum key distribution matters now
The urgency comes from the other side of the quantum revolution. Much of today’s encryption relies on mathematical problems that are hard for classical computers but would crumble before a large quantum machine running Shor’s algorithm, so the secrets protecting banking, government and personal data carry a long-term expiry date. Adversaries can even record encrypted traffic today and store it, waiting for a future machine to unlock it.
Quantum key distribution offers a defence that does not share this weakness, because its security never depended on a hard calculation in the first place. A key exchanged by QKD is safe whether or not a quantum computer is ever built, which is exactly the kind of durable guarantee that high-value secrets demand. That is why governments and companies are investing in it well before the threat fully arrives.
The shift is already shaping policy. Several governments have published roadmaps for migrating critical systems away from vulnerable encryption, and quantum key distribution features in many of them as the option offering the strongest long-term guarantee. Banks, defence agencies and telecoms operators are running pilots today, less because the threat is imminent than because the data they must protect will still be sensitive long after a capable quantum computer arrives.
How quantum key distribution works
Although the protocols differ in detail, every quantum key distribution scheme follows the same broad shape. Alice and Bob first exchange a stream of quantum signals, single photons whose properties encode random bits, over a dedicated quantum channel. Because of the quantum rules governing those signals, neither an eavesdropper nor even Bob can read them perfectly without knowing choices that Alice keeps secret until later.
After the quantum exchange the two parties switch to an ordinary public channel to compare notes, keeping the bits that survived and discarding the rest in a step called sifting. They then run classical error correction to reconcile the small differences in their strings and privacy amplification to squeeze out any partial knowledge an eavesdropper might hold. What remains is a shorter key they can prove is known to no one else.
This blend of a quantum channel for the raw signals and a classical channel for the processing is common to the whole field. The quantum part provides the security, and the classical part turns a noisy, partial result into a clean and certified secret key. Neither half works without the other, and a weakness in either one can compromise the whole exchange.
In practice the quantum and classical channels run side by side, often over the same fibre at different wavelengths. Synchronisation, calibration and timing all have to be managed with care, because a real system is far messier than the clean picture of single photons suggests. Much of the engineering effort in QKD goes into these unglamorous details.
The two families of protocols
Quantum key distribution protocols fall into two broad families, shown in the diagram below. The first and larger family is prepare and measure, in which Alice actively prepares each photon in a chosen state and sends it to Bob. The original and still most widely used member of this family is the BB84 protocol, devised by Bennett and Brassard in 1984, and refinements such as decoy-state and measurement-device-independent QKD belong to it as well.
The second family is entanglement-based, in which a shared source distributes pairs of entangled particles to Alice and Bob rather than having one send to the other. Its foundational member is the E91 protocol, proposed by Artur Ekert in 1991, which draws its security from the violation of Bell’s inequality. The two families are deeply related and reach the same goal, but they suit different settings and rest on subtly different physical guarantees.
Beyond these two families sit hybrids and refinements that borrow from both. Continuous-variable schemes encode information in the quadratures of light rather than in single photons, and twin-field protocols have pushed secure distances dramatically further. The field is still inventing new members faster than any single article can track.
Detecting an eavesdropper
The defining feature of QKD is that eavesdropping cannot be hidden. An adversary who tries to measure the photons must guess the same secret choices Alice made, and every wrong guess disturbs a photon and plants an error in Bob’s data. The no-cloning theorem closes the obvious loophole, since an unknown quantum state cannot simply be copied for later inspection.
To exploit this, Alice and Bob sacrifice a random sample of their key and compare it openly, measuring the error rate between them. A low rate means the channel is clean and the key is safe to keep, while a high rate betrays an eavesdropper and tells them to discard it. This ability to detect interception, rather than merely make it expensive, is what sets QKD apart from every classical method.
It is worth stressing how different this is from classical security. A classical wiretap can be perfectly passive, copying a signal without leaving a trace, whereas a quantum measurement cannot. QKD turns the problem of secrecy from one of outracing an adversary’s computer into one of detecting a physical disturbance.
QKD in the real world
QKD is no longer confined to the laboratory. Commercial systems from companies such as Toshiba and others sell QKD hardware to banks and governments, and metropolitan quantum networks have linked institutions in Tokyo, Vienna and several Chinese cities. The technology has matured from a striking experiment into a product you can buy.
Its reach has grown dramatically over distance. Chinese researchers set a record by distributing keys over more than a thousand kilometres of fibre, and a backbone stretching some two thousand kilometres connects Beijing and Shanghai through a chain of trusted nodes. The Micius satellite went further still, distributing quantum keys between ground stations on opposite sides of a continent, pointing toward a global reach that fibre alone cannot achieve.
Standards bodies have begun to catch up with the technology, defining interfaces and certifications so that equipment from different vendors can interoperate. This quiet institutional work is a sign of maturity, the moment a laboratory idea becomes infrastructure that organisations can procure with confidence.
The limits and the post-quantum alternative
For all its promise, QKD faces real constraints. The secret key rate falls steeply with distance because photons are lost in fibre, and a quantum signal cannot be amplified the way a classical one can, since amplification would amount to the forbidden act of copying. Long links today depend on trusted relay nodes, which themselves become points that must be secured.
There is also a competing answer to the quantum threat, post-quantum cryptography, which uses new classical algorithms believed to resist quantum attack and needs no special hardware. Many organisations will adopt this software-based defence first, because it is cheaper and easier to deploy. QKD and post-quantum cryptography are best seen as complementary, with QKD offering the strongest physical guarantee where the cost is justified.
The road to a quantum internet
The long-term vision that gives QKD its momentum is the quantum internet, a network that distributes entanglement as readily as today’s internet moves data. Quantum repeaters, still under development, would extend entanglement across long distances without trusted nodes, removing the weakest link in current networks. Such a network would carry QKD as just one of its services.
Seen in that light, QKD is both a working technology and a first step toward something larger. The protocols being deployed now are teaching engineers how to build, operate and trust quantum networks at scale. Whatever the eventual shape of secure communication, the lessons of QKD will sit at its foundation.
None of this will arrive overnight, and the most likely path is gradual, with QKD links knitting together into ever larger networks. Each new deployment teaches the engineering lessons the next one needs. The journey from a single secure link to a planetary network is long, but it has unmistakably begun.
