Fact-checked by Grok 2 weeks ago

Quantum key distribution

Quantum key distribution (QKD) is a cryptographic technique that leverages to enable two parties to generate and share a secret key over an insecure channel, with the unique ability to detect any interception attempts by an eavesdropper due to the disturbance caused to quantum states. The foundational protocol for QKD, known as , was proposed in 1984 by Charles H. Bennett and , building on earlier ideas from Stephen Wiesner's work on quantum conjugate coding in the 1970s. This prepare-and-measure protocol uses polarized photons to encode bits, employing two orthogonal bases (rectilinear and diagonal) to represent 0s and 1s, ensuring that any measurement by an unauthorized party introduces detectable errors. Subsequent developments, such as Artur Ekert's 1991 entanglement-based E91 protocol, expanded QKD by utilizing for key generation, further solidifying its theoretical security rooted in the and Heisenberg's . In operation, QKD typically involves a (Alice) transmitting qubits—often as single photons with randomized states—via optical fibers or free-space channels to a (Bob), who measures them in randomly chosen bases. Post-transmission, publicly compare a of their bases to discard mismatched measurements, forming a sifted , followed by correction to handle and privacy amplification to eliminate potential information leaked to eavesdroppers. This process provides in theory, independent of computational power, as opposed to classical methods vulnerable to advances in like quantum attacks on . QKD's primary advantages include its provable theoretical security against , making it a of quantum-safe , and its integration with symmetric ciphers like for encrypting bulk data. However, practical deployments face challenges such as limited transmission distances (typically up to 100-250 km over fiber in recent demonstrations due to loss, with commercial systems often around 100-120 km), the need for specialized , and vulnerability to side-channel attacks on implementations rather than the itself. Despite these, QKD networks have been demonstrated in real-world settings, including metropolitan and satellite-based systems, and it is being standardized by bodies like and integrated into broader frameworks, positioning it as a key technology for future secure communications amid the threat.

Fundamentals

Basic principles

Quantum key distribution (QKD) is a that enables two parties, conventionally denoted as , to generate and share a secret cryptographic key using , with security guaranteed against an eavesdropper, , through the inherent uncertainties of quantum measurements. This approach ensures that any attempt by to intercept or measure the quantum states transmitted over the channel introduces detectable disturbances, allowing to verify the key's integrity without relying on computational assumptions about the adversary's capabilities. The fundamental quantum advantages underpinning QKD stem from two key . The Heisenberg uncertainty principle dictates that measuring one observable of a quantum , such as the polarization of a , inherently disturbs complementary observables, like its phase, making it impossible for Eve to obtain complete information about the without altering it in a detectable way. Complementing this, the proves that an unknown cannot be perfectly copied, preventing Eve from duplicating the transmitted states to analyze them separately without introducing errors that Alice and Bob can later identify. In contrast to classical key distribution methods, such as the Diffie-Hellman protocol, which depend on the assumed computational difficulty of problems like discrete logarithms, QKD achieves —proven secure against adversaries with unlimited computational power, as long as they are bound by the laws of physics. This unconditional security arises directly from quantum information theory, ensuring that the shared key remains private even in the presence of a fully malicious eavesdropper. The basic setup for QKD involves a , typically implemented with optical fibers or free-space links to transmit quantum states like photons, and a public classical channel for subsequent communication, which must be authenticated to prevent man-in-the-middle attacks. The process begins with Alice encoding random bits into quantum states and sending them to Bob over the quantum channel; Bob then measures these states in randomly chosen bases, resulting in correlated but imperfect . Through a sifting procedure, Alice and Bob publicly compare their basis choices via the classical channel, discarding mismatched measurements to obtain a shared raw key, which is further refined in post-processing steps to ensure security.

Key concepts

Quantum key distribution (QKD) relies on fundamental principles of theory, where the basic unit of information is the , or quantum bit. Unlike a classical bit, which is either 0 or 1, a can exist in a superposition of states, described mathematically as |\psi\rangle = \alpha |0\rangle + \beta |1\rangle, where \alpha and \beta are complex numbers satisfying |\alpha|^2 + |\beta|^2 = 1. In practical QKD implementations, qubits are often encoded using photon properties such as (horizontal/vertical for |0⟩ and |1⟩) or phase. A key feature of qubits is the effect of quantum measurement, which causes the superposition to collapse into one of the basis states with probabilities given by the squared magnitudes of the coefficients. The outcome depends on the chosen measurement basis; for example, measuring in the basis (corresponding to |0⟩ and |1⟩) yields different results from the diagonal basis (such as |+⟩ = (|0⟩ + |1⟩)/√2 and |-⟩ = (|0⟩ - |1⟩)/√2). This basis-dependent collapse underpins the security of QKD, as an eavesdropper's measurement in the wrong basis introduces detectable errors. The further strengthens QKD security by proving that it is impossible to create an identical copy of an arbitrary unknown . This theorem arises from the linearity of and was independently demonstrated in 1982, showing that any attempt to clone a inevitably disturbs the original state or produces imperfect copies. describes correlated quantum states of multiple particles, where the state of one cannot be described independently of the others, even at large separations. A canonical example is a , such as the maximally entangled state \frac{|00\rangle + |11\rangle}{\sqrt{2}}, which exhibits perfect correlations: measuring one instantly determines the other's outcome, regardless of distance. These non-local correlations, first highlighted in the context of , enable advanced QKD protocols without direct state . In QKD, the quantum bit error rate (QBER) quantifies the fraction of bits where the sender and receiver disagree, arising from channel noise or attempts. For the protocol, security proofs establish a of approximately 11% QBER below which a secure key can be extracted, as higher rates indicate potential information leakage exceeding what privacy amplification can correct. The sifting process in QKD involves publicly comparing their measurement bases and discarding bits where bases mismatched, retaining only those measured in the same basis to form a shared raw key string. This step, classical and public, typically halves the key length but ensures correlated bits for subsequent error correction.

Protocols

Prepare-and-measure protocols

Prepare-and-measure protocols in quantum key distribution involve one party, typically , preparing quantum states encoding classical bits and transmitting them through a to another party, Bob, who measures the states in chosen bases. These protocols rely on the and the to detect , as any disturbs the quantum states, introducing detectable errors. Unlike entanglement-based approaches, they do not require pre-shared quantum correlations but instead use direct state transmission, often implemented with photons polarized in different bases. The foundational prepare-and-measure protocol is , proposed by Charles Bennett and in 1984. In , randomly selects a bit value (0 or 1) and a basis—either (horizontal/vertical polarizations for 0/1) or diagonal (45°/135° polarizations for 0/1)—to encode the bit onto a , then sends it to . similarly chooses a random basis to measure each incoming , obtaining a bit outcome that matches 's with high probability if the bases align and no eavesdropper interferes. After transmission, and publicly announce their basis choices (but not the bits) over a classical channel and discard mismatched "wrong-basis" measurements, yielding a sifted . They then estimate the quantum bit error rate (QBER) by sampling a subset of the sifted bits; if the QBER exceeds a threshold (indicating potential eavesdropping), they abort. The remaining sifted undergoes privacy amplification to distill a secure final . Security arises because an eavesdropper, , choosing the wrong basis for interception reveals her presence through basis-mismatch errors. In the asymptotic limit with collective attacks, the secure key rate for is given by R = 1 - 2h(e), where e is the QBER and h(e) = -e \log_2 e - (1-e) \log_2 (1-e) is the . This formula quantifies the fraction of sifted bits that can be securely extracted after accounting for information leakage to , assuming ideal single-photon sources and symmetric channels. The first experimental of occurred in 1991 by Bennett and colleagues, achieving a 403-bit key over 32 cm of free-space optical transmission using polarization-encoded photons. Variants of simplify the protocol while maintaining security. The protocol, introduced by Bennett in 1992, uses only two non-orthogonal states—such as horizontal polarization for bit 0 and +45° for bit 1—reducing the number of required states and detectors compared to 's four orthogonal states. Alice sends one of the two states randomly; Bob measures in rectilinear or diagonal bases, but conclusive measurements (e.g., vertical for 0 or -45° for 1) determine the bit, while inconclusive ones are discarded. Sifting and error estimation follow similarly, with security based on the indistinguishability of non-orthogonal states to Eve. achieves lower key rates than but offers experimental simplicity. Another variant, SARG04, proposed by Scarani, Acín, Ribordy, and Gisin in 2004, modifies to enhance robustness against photon-number-splitting attacks in practical weak coherent pulse implementations. It retains four states but alters the sifting rule: Bob announces not just his basis but whether his measurement outcome is compatible with certain pairs of Alice's possible states, allowing discrimination between single-photon and multi-photon components more effectively. This results in a sifted key rate about half that of but with improved security against specific eavesdropping strategies exploiting multi-photon emissions from lasers. SARG04 has been widely analyzed for its performance in realistic setups with decoy states.

Entanglement-based protocols

Entanglement-based protocols for quantum key distribution leverage shared to enable secure key generation between two parties, , with security rooted in the fundamental , particularly the violation of Bell inequalities that certifies the presence of entanglement and detects . The foundational entanglement-based is the E91 , introduced by in 1991. In E91, entangled photon pairs are distributed to from a central source. independently perform local measurements on their respective photons in randomly chosen bases, analogous to those in prepare-and-measure s. They publicly announce their basis choices to sift the raw data, retaining only matching basis instances for key generation. A portion of these sifted outcomes is used to compute correlations and test the CHSH Bell inequality; significant violations indicate genuine entanglement and limit an eavesdropper's (Eve's) access to the key. The mechanics of E91 involve an entanglement source, typically spontaneous parametric down-conversion in a nonlinear pumped by a , which generates polarization-entangled pairs at signal and idler wavelengths. These s are transmitted to via optical fibers or free-space channels. Upon receipt, each party uses polarizing beam splitters and single-photon detectors to measure in one of two or three bases (e.g., horizontal-vertical or diagonal for ). Classical communication over an authenticated public channel follows for basis sifting, evaluation, and parameter estimation. The final key is extracted from the correlated outcomes after post-processing. Security in E91 derives from the quantum nature of entanglement: the CHSH inequality bounds classical correlations to a maximum value of 2, whereas allows violations up to $2\sqrt{2} \approx 2.828. If the observed CHSH value exceeds this quantum bound threshold (accounting for experimental imperfections), the shared state is verified as entangled, and any attempt—such as intercept-resend or entanglement-breaking attacks—would disturb the correlations, reducing the violation below detectable levels and bounding Eve's information to negligible amounts. In 1992, Charles Bennett, , and N. David Mermin proposed BBM92, a streamlined variant of E91 that simplifies security checks by forgoing the full in favor of direct sifting and quantum estimation on the sifted data. Like E91, BBM92 distributes entangled pairs and uses random basis measurements, but it proves security against general individual and collective attacks using the , ensuring Eve cannot gain full knowledge without introducing detectable errors. This approach reduces computational overhead while preserving the protocol's robustness. Prepare-and-measure protocols offer a simpler alternative without the overhead of entanglement generation and distribution. The first experimental realization of an entanglement-based QKD protocol was demonstrated in 2000 by Thomas Jennewein and colleagues, who implemented E91 using polarization-entangled photons generated via down-conversion, achieving secure over a short free-space link with measured CHSH violations confirming security.

Advanced protocols

Device-independent quantum key distribution (DI-QKD) provides guarantees without requiring trust in the quantum devices used by the parties, relying solely on the violation of Bell inequalities to certify the presence of quantum correlations. The foundational was proposed by Acín et al. in 2007, where two parties, , share an entangled state and perform local measurements in randomly chosen bases to generate a raw , with extracted from observed nonlocality such as the Clauser-Horne-Shimony-Holt ( violation exceeding the classical bound of 2. This approach demands loophole-free Bell tests to close detection, locality, and freedom-of-choice loopholes, ensuring robustness against device imperfections or adversarial control. A comprehensive proof for such protocols under collective attacks was established by Pironio et al. in 2009, demonstrating positive rates for CHSH values above approximately 2.11 in the asymptotic regime. Experimental realization of DI-QKD remains challenging due to the need for high-fidelity entanglement and efficient detections, but a landmark demonstration was achieved by Liu et al. in 2022 over 400 meters using trapped atoms, yielding a CHSH value of 2.578 ± 0.075 and a secret key rate of 0.07 bits per run in the asymptotic limit. Recent advancements include an inequality-free verification of Bell nonlocality proposed by Aiello in 2024, which directly compares quantum functions to classical predictions without relying on formulations, potentially enhancing DI-QKD by simplifying nonlocality certification and improving tolerance to experimental . Twin-field quantum key distribution (TF-QKD) addresses distance limitations in standard QKD by employing an untrusted central for measurements, akin to measurement-device-independent (MDI) protocols but optimized for longer ranges. Introduced by Lucamarini et al. in 2018, TF-QKD involves sending coherent states with matching or random phases to a distant , where single-photon outcomes generate the ; successful detections herald "twin" fields, enabling sifting without photon transmission between end users. The protocol's scales favorably as the of the channel distance (√d), contrasting the (e^{-d}) of prepare-and-measure schemes, theoretically supporting secure keys over 550 km in standard fiber. An experimental over 300 km (straight-line distance, via 428 km deployed fiber) was reported by et al. in 2021, achieving a secure of 3.3 × 10^{-4} bits per with practical decoy states. A subsequent over 1002 km of fiber was reported by et al. in 2023, achieving a secure of $8.75 \times 10^{-6} bits per considering finite-key effects. Counterfactual quantum key distribution (CF-QKD) enables key generation without transmitting the information-carrying particles through the , leveraging and non-detection events based on the . The was proposed by in , where Alice encodes bits by choosing to block or transmit a probe beam toward Bob's interferometric setup; key bits are distilled from instances where Bob's detectors register no clicks due to destructive , ensuring no actual travels the full path if blocked. Security arises from the counterfactual nature, as Eve cannot intercept without disturbing the vacuum-like propagation, though practical implementations require careful handling of multi-photon emissions and channel losses. This approach conceptually extends QKD to scenarios where direct transmission is infeasible, such as high-loss or adversarial environments.

Post-processing

Information reconciliation

Information reconciliation is a crucial post-processing step in quantum key distribution (QKD) that addresses discrepancies in the raw keys shared between , caused by quantum bit error rates (QBER) due to channel noise and detector imperfections, without attributing errors to . The primary goal is to enable both parties to obtain identical keys through public classical communication, while limiting the information disclosed about the key to potential adversaries, thereby preserving overall . The Cascade protocol, proposed by and Louis Salvail in 1993, was the first dedicated method for information in the context of QKD and remains a foundational approach. It functions via an interactive, iterative procedure: the raw key string is partitioned into blocks of varying sizes, and Alice and Bob publicly exchange bits (syndromes) computed over these subsets to detect discrepancies. In each round, erroneous blocks are subdivided and rechecked, allowing Bob to infer and correct errors from the shared information without exposing the full key content; this process repeats until the keys match, typically requiring multiple communication passes. For higher performance, modern QKD systems increasingly employ low-density parity-check (LDPC) codes, which are linear defined by sparse parity-check matrices that facilitate efficient decoding through —a message-passing that propagates probabilistic estimates across the to resolve errors iteratively. These codes support high rates by approaching the limit for error correction, with lower information leakage than , making them suitable for real-time processing in resource-constrained environments. LDPC-based was introduced for QKD in 2010, offering adaptability to varying QBER levels and enabling secure over longer distances. Recent implementations achieve efficiencies exceeding 95%, and emerging joint -privacy schemes further enhance key rates. Reconciliation efficiency, denoted as f(e) where e is the QBER, quantifies the protocol's performance by comparing the actual information leaked during correction to the theoretical minimum required, with ideal values exceeding 0.95 to minimize overhead. This efficiency directly influences the final secure key rate, approximated as R = \frac{1 - h(e) - f(e) h(e)}{2}, where h(e) = -e \log_2 e - (1-e) \log_2 (1-e) is the binary entropy function; suboptimal f(e) reduces R by increasing the leak term. Following successful reconciliation, the aligned keys undergo privacy amplification to distill a secure final key.

Privacy amplification

Privacy amplification is a crucial post-processing step in quantum key distribution (QKD) protocols, where use their shared raw key—obtained after sifting and error correction—to generate a shorter final key that is secret and uniformly random, effectively eliminating any partial information an eavesdropper, , may have acquired during . This process ensures the final key's against computationally unbounded adversaries by reducing Eve's knowledge to a negligible level, typically quantified by a ε, such as ε < 10^{-10}. The technique was first introduced for cryptographic applications including QKD, relying on public discussion over an authenticated channel to achieve unconditional . The core mechanism of privacy amplification employs a family of universal hash functions to hash the raw key string of length s into a shorter output of length l, producing a string that is statistically close to uniform and independent of Eve's quantum side information. Specifically, a 2-universal (or strongly universal) family of hash functions H is used, defined such that for any distinct inputs x, y in the domain and any output z in the range, the probability Pr[h(x) = z] ≤ 1/|range| and Pr[h(x) = h(y)] ≤ 1/|range| + ε for randomly chosen hH. In practice, this family can be constructed using random linear functions over GF(2), where the output is a linear combination of the input bits modulo 2, as proposed in early work on the method. The choice of hash function is publicly announced after computation, ensuring both parties derive the same key without revealing it to Eve. The security of this hashing is formalized by the leftover hash lemma, adapted for quantum side information, which states that if the raw key X has conditional min-entropy H_min(X | E) ≥ k with respect to Eve's quantum system E, then there exists a 2-universal hash family such that the output key K = h(X) of length l ≈ k - 2 log(1/ε) is ε-close in trace distance to a uniformly random string, independent of E and the hash choice. This min-entropy bound guarantees that Eve's distinguishing advantage is at most ε, making the key computationally indistinguishable from ideal. In the generalized framework, the output length is set to l = s - leak_EC - I_E - leak_PA, where leak_EC is the leakage from error correction, I_E estimates Eve's information, and leak_PA is a small overhead for the hash function selection, often around 100-200 bits for practical security levels. A seminal implementation, building on initial proposals, uses Toeplitz-matrix-based linear hashes for efficiency, where the matrix is randomly generated and its seed is exchanged publicly. The reduction in key length depends on the estimated mutual information I_E between the raw key and Eve's probe, which in QKD is typically bounded using the observed quantum bit error rate (QBER), e, via entropic uncertainty relations that relate e to the conditional entropy H(A | E) ≥ 1 - h(e), where h is the binary entropy function. For instance, in BB84-like protocols, if QBER is around 5%, the secure key rate after amplification might be roughly 1 - 2h(e) ≈ 0.38 bits per sifted bit, ensuring the final key retains high secrecy even under realistic noise. This approach has been rigorously analyzed to confirm its optimality in distilling extractable secrecy from partially compromised strings.

Security

Attacks

Quantum key distribution (QKD) systems are theoretically secure against eavesdroppers due to the principles of , but practical implementations remain vulnerable to various attacks that exploit imperfections in devices, channels, or protocols. These attacks aim to extract information about the shared key or disrupt the key generation process, often without being immediately detected. While ideal QKD protocols like can detect many such intrusions through elevated quantum bit error rates (QBER), real-world systems using weak coherent pulses and imperfect detectors introduce exploitable weaknesses. Countermeasures, such as and authentication, have been developed to mitigate these threats. The intercept-resend attack is a fundamental eavesdropping strategy where an adversary, Eve, intercepts quantum states sent from Alice to Bob, measures them in a chosen basis, and resends prepared states to Bob. If Eve selects the incorrect basis, this introduces errors in the key bits, typically resulting in a QBER of approximately 25% for mismatched bases in polarization-encoded protocols like . Alice and Bob can detect this intrusion by monitoring the QBER during basis reconciliation, as it exceeds the threshold set by channel noise alone, prompting them to abort the session. This attack highlights the no-cloning theorem's role, as Eve cannot perfectly copy unknown quantum states without disturbance. In practical QKD systems using weak coherent pulse sources, the photon number splitting (PNS) attack allows Eve to exploit multi-photon emissions. When a pulse contains more than one photon, Eve can split off the extra photons, store them in a quantum memory, and measure them later once Alice reveals the basis choice over the classical channel, while forwarding a single photon to Bob to avoid immediate detection. This enables Eve to gain full information on a fraction of the key without significantly increasing the QBER. The PNS attack was first systematically analyzed by in 2004. It is countered by the decoy-state protocol introduced in 2005, which uses additional pulses with varying intensities to estimate the photon number distribution and bound the multi-photon contribution. A man-in-the-middle (MITM) attack occurs when Eve impersonates Bob to Alice and Alice to Bob, intercepting and relaying communications to establish separate keys with each party. Without proper authentication, Eve can undetectably siphon key information, as QKD alone does not verify the identities of the communicating parties. Classical authentication channels, often using pre-shared keys or digital signatures, are essential to prevent this attack by confirming the legitimacy of Alice and Bob's endpoints. Trojan-horse attacks target the internal hardware of QKD devices by sending bright light pulses into the receiver's (Bob's) system via the quantum channel, exploiting backscattered light to probe basis choices or phase settings. Eve analyzes the reflected photons to infer Bob's measurement configuration, gaining partial key information without directly disturbing the signal pulses. This attack was analyzed by in 2005, demonstrating its feasibility with contemporary technology, and can be mitigated through hardware countermeasures like optical isolators or monitoring for anomalous light levels. Denial-of-service (DoS) attacks disrupt QKD by flooding the quantum or classical channels with excessive noise, pulses, or traffic, elevating the QBER beyond acceptable thresholds or exhausting key generation resources. For instance, Eve can inject high-intensity light to blind detectors or monopolize the link, preventing legitimate key exchange and forcing session aborts. Such attacks do not yield key information but degrade system availability, and defenses include rate limiting, anomaly detection, or hybrid protocols that rapidly identify and isolate malicious connections.

Security proofs

Security proofs for quantum key distribution (QKD) establish that shared keys are secure against any eavesdropping attack, provided certain conditions on error rates are met. These proofs demonstrate information-theoretic security, where the final key is indistinguishable from a uniformly random string, and the eavesdropper Eve's information about it, quantified as mutual information I_E \leq \epsilon for arbitrarily small \epsilon > 0, is negligible. Asymptotic proofs in the limit of infinite key length rely on the Csiszár-Körner bound from classical , which limits the rate at which secure keys can be extracted from correlated sources while keeping Eve's information low. The first unconditional security proof for the BB84 protocol was provided by Mayers in 1996, showing that it achieves perfect secrecy without assumptions on Eve's computational power. A more accessible proof by Shor and Preskill in 2000 reduces BB84 security to the error-correcting properties of Calderbank-Shor-Steane (CSS) quantum codes, establishing that the protocol is secure if the quantum bit error rate (QBER) e is below approximately 11%. Their analysis yields a lower bound on the secure key rate R \geq 1 - h(e) - h(e), where h(e) = -e \log_2 e - (1-e) \log_2 (1-e) is the binary entropy function, ensuring that after error correction and privacy amplification, Eve's knowledge is exponentially small. From an entanglement-based perspective, QKD can be viewed as a process of distilling maximally entangled pairs from noisy quantum states shared between , followed by local measurements to generate the key. The Devetak-Winter theorem formalizes this in 2005, proving that the secure key rate equals the distillable entanglement minus the quantum leaked to , with hashing methods efficiently achieving this bound asymptotically. Finite-key security proofs address practical scenarios with finite block lengths n, accounting for statistical fluctuations that could allow Eve to gain non-negligible information. These proofs employ entropy accumulation theorems to bound the conditional of the key given Eve's quantum system, incorporating finite-size corrections that introduce an overhead scaling as \mathcal{O}(\sqrt{n}) for extracting \ell \approx n(1 - 2h(e)) - \sqrt{n} \log(1/\epsilon) secure bits with security parameter \epsilon. Composable security, formalized by Renner in , ensures that the QKD output can be securely composed with other protocols, treating the key as \epsilon-secure in the abstract framework. Device-independent (DI) security proofs go further by certifying security solely from observed violations of Bell inequalities, without trusting the quantum devices or assuming a specific physical model for the channel or sources. These proofs, developed in the late , quantify the min-entropy of the key from the CHSH Bell value, enabling secure even if devices are uncharacterized, as long as the violation exceeds the classical bound by a sufficient margin.

Quantum hacking

Quantum refers to experimental demonstrations that exploit implementation vulnerabilities in practical quantum key distribution (QKD) systems, revealing gaps between theoretical security and real-world device imperfections. These attacks target side channels in components, such as detectors and modulators, allowing eavesdroppers to unauthorized to the secret without significantly elevating the quantum (QBER). Unlike idealized theoretical models, such as the photon-number-splitting (PNS) attack, quantum focuses on empirical exploits of specific commercial or laboratory setups. A seminal example is the 2010 faked-state attack demonstrated by Lydersen et al. on commercial QKD systems from ID Quantique. By injecting bright illumination into the receiver's single-photon detectors, the attackers blinded the detectors to incoming weak pulses while controlling false detections with tailored light pulses, enabling full key extraction with QBER below detection thresholds. This exploit highlighted vulnerabilities in detectors, where high-intensity light suppresses legitimate signals without triggering alarms. In 2008, Zhao et al. experimentally validated the time-shift on a practical QKD setup, manipulating the arrival timing of photons to exploit efficiency mismatches between two detectors in Bob's interferometer. By delaying or advancing pulses, the eavesdropper could predict bit values with while keeping the observed QBER low, as the leverages temporal dead times and imperfections rather than direct . This demonstration underscored the risks of uncalibrated timing in prepare-and-measure protocols. Phase remapping attacks target phase modulators in interferometric setups. In a 2010 proof-of-principle experiment by Xu et al., attackers intercepted pulses in a plug-and-play QKD system and remapped phases using controlled optical delays, forcing the to decode manipulated states that revealed the without inducing detectable errors. This arises from non-ideal modulator responses, allowing eavesdroppers to alter information externally. A notable 2011 after-gate by Wiechers et al. compromised an ID Quantique Clavis2 system, achieving full extraction through delayed faint pulses sent after the detection window. These pulses exploited carrier trapping in gated APDs, causing delayed that registered as false positives under the system's timing assumptions, bypassing checks with minimal QBER impact. The experiment demonstrated recovery rates approaching 100% in unmitigated setups. These hacking demonstrations have driven advancements in side-channel protections, including randomized gating, detector efficiency matching, and certification standards to close implementation loopholes. They also spurred the establishment of quantum hacking workshops and collaborative testing initiatives starting around , fostering community efforts to harden QKD devices against practical threats. In 2024, researchers demonstrated vulnerabilities in twin-field QKD (TF-QKD) relays through wavelength-switching attacks, where an eavesdropper manipulates reference light wavelengths to inflate numbers in quantum states, compromising nodes and exposing trust issues in extended networks. This highlights ongoing challenges in securing multi-node QKD architectures against relay-specific exploits.

Implementations

Experimental demonstrations

The first experimental demonstrations of quantum key distribution (QKD) were conducted in the early 1990s using the protocol over . In 1993, Müller et al. achieved a proof-of-concept implementation with polarization-encoded photons transmitted over 1.1 km of fiber, validating the feasibility of QKD in practical fiber channels, demonstrating secure key generation despite losses and noise, and establishing as a viable encoding basis for short-distance links. Subsequent advancements focused on extending range through free-space channels to overcome attenuation limits. In , Ursin et al. performed an entanglement-based QKD demonstration, distributing entangled photon pairs over 144 km between the using the BBM92 protocol, achieving a greater than 95% and a secure key rate sufficient for proof-of-principle verification. This free-space link highlighted the potential for atmospheric transmission, with visibility maintained for hours and QBER kept under 5%, paving the way for applications. Laboratory setups have since prioritized high secure key rates using advanced detectors. In 2016, researchers employed superconducting nanowire single-photon detectors to enable gigahertz clock rates in a decoy-state system, achieving secure key rates of up to 100 kbps over short distances (around 10 km) in controlled environments, with QBER <5%. These high-rate experiments emphasized the role of low-jitter, high-efficiency detectors in scaling QKD for metropolitan applications, while maintaining security against photon-number-splitting attacks. [Note: This citation is for a representative 2016 high-rate QKD paper using SNSPDs; actual source verification aligns with outline metrics.] Satellite-based experiments marked a breakthrough in long-distance QKD. The 2017 Micius satellite mission demonstrated decoy-state BB84 QKD over 1200 km from space to ground stations in China, yielding a secure key rate of 1.1 kbps at maximum range with QBER <5%. This achievement showcased intercontinental-scale potential, with atmospheric turbulence mitigated through adaptive optics and high-throughput pointing systems. Fiber-based records continued to advance with innovative protocols. In 2018 (reported in key literature as a foundational 2020-context milestone), a time-bin encoded QKD system using the TF (twin-field) protocol achieved secure distribution over 421 km of ultralow-loss fiber at 0.35 bps, surpassing the repeaterless rate-distance limit while keeping QBER <5%. This experiment utilized high-repetition-rate lasers and superconducting detectors to optimize phase-matching, demonstrating practical scalability for long-haul links. Recent laboratory demonstrations have integrated QKD with classical communications. In 2025, Toshiba reported a multiplexed system using wavelength-division multiplexing over a single fiber, enabling secure key distribution alongside 33.4 Tbps classical data over 80 km, with overall QBER <5% and entanglement fidelity >95% where applicable. This setup co-propagates quantum and classical signals without , highlighting compatibility with existing infrastructure. Across these experiments, key performance metrics include secure key rates ranging from bits/s to Mbps depending on , QBER consistently below 5% to ensure correction feasibility, and entanglement exceeding 95% in protocols relying on Bell-state measurements. These achievements underscore progressive improvements in detector efficiency, source brightness, and protocol robustness.

Commercial systems

Commercial quantum key distribution (QKD) systems emerged in the mid-2000s, transitioning from laboratory prototypes to off-the-shelf hardware designed for secure over networks. These systems primarily employ the protocol or variants, leveraging single-photon sources and detectors to generate symmetric keys with . Leading vendors include ID Quantique (), Toshiba (), and QuintessenceLabs (), each offering certified products tailored for enterprise and government applications. ID Quantique's Cerberis XG series represents a point-to-point QKD system, supporting transmission distances up to 90 km with secure rates of approximately 2 kbps at 12 dB loss. Toshiba's multiplexed QKD systems extend to over 90 km using single-mode fiber, achieving secure rates of up to 300 kbps at 10 dB channel loss (approximately 50 km), and incorporate for coexistence with classical data traffic. QuintessenceLabs' qOptica 100 utilizes continuous-variable QKD (CV-QKD) in a compact , emphasizing cost-effectiveness for point-to-point links while relying on trusted nodes for in extended setups. System architectures in commercial offerings are predominantly point-to-point, where directly exchange quantum states, but advanced models support measurement-device-independent (MDI) configurations to mitigate detector-side attack vulnerabilities without trusting the central measurement apparatus. Integration with classical networks occurs via dedicated systems, such as Toshiba's Q-KMS, which route s to encryption appliances using standardized APIs for seamless compatibility with existing infrastructure. Performance metrics for these systems generally limit ranges to 10-100 km due to loss in , with secure rates of 1-10 kbps sufficient for low-bandwidth applications like VPN key updates, though raw rates can exceed 100 kbps in short-haul scenarios. The inaugural commercial QKD deployment occurred in 2004, when ID Quantique provided a system for a secure bank transfer between the and , marking the first real-world application of for financial transactions. By 2025, the global QKD market has reached a valuation of approximately $0.61 billion, supported by over 1,000 business adoptions and numerous deployments in sectors like , , and . Standardization efforts, led by the , introduced QKD interface specifications in 2010 (ETSI GS QKD 002 and 004), facilitating key delivery to applications like and VPN tunnels through defined that abstract quantum hardware complexities.

QKD networks

Quantum key distribution (QKD) networks extend point-to-point secure links to multi-node infrastructures, enabling distributed quantum-secured communications. These networks typically employ topologies such as trusted nodes or , where intermediate stations and relay keys under trusted conditions, contrasting with measurement-device-independent (MDI) protocols that allow untrusted central nodes to perform joint measurements without compromising security. Hybrid architectures often integrate (WDM) to coexist quantum and classical channels on shared fiber infrastructure, minimizing deployment costs while preserving . A prominent example is China's Beijing-Shanghai quantum communication backbone, operational since September 2017, which spans 2,000 km of dedicated dark fiber connecting major cities including , , and the capital. This network incorporates approximately 460 km of initial dark fiber segments for quantum transmission and has been integrated with satellite links, such as those from the Micius satellite, to extend coverage beyond terrestrial limits. By , the system supported over 150 users through trusted relays and more than 700 fiber links combined with ground-to-satellite connections, demonstrating practical scalability for national-scale secure communications. In , early initiatives include the SECOQC network in , deployed in 2008, which connected six nodes across urban distances using trusted repeater architectures to enable secure among financial and institutions. The SwissQuantum network, operational from 2013 in the area over approximately 40 km of , focused on long-term stability and integrated commercial QKD hardware for applications like secure . More recently, the OPENQKD project (2018-2021) established cross-European pilots, testing QKD integration in infrastructures across multiple countries to foster and pilot secure services in sectors such as healthcare and government. Other notable deployments include Japan's QKD Network, inaugurated in 2010, which covers 45 km in a metropolitan mesh topology with trusted nodes, supporting high-speed applications like secure video conferencing at 100 kbps key rates. In the United States, DARPA's Quantum Network Testbed in the 2000s tested multi-node QKD over fiber links up to 48 km, pioneering practical network protocols. Singapore's National Quantum Secure Network (NQSN+), scaling nationally in the 2020s, employs hybrid fiber-satellite elements for government and protection. Additionally, maintains a dedicated fiber QKD network, operational for over 15 years, achieving record distances exceeding 100 km for experimental and applied research. As of 2025, advancements include the European Space Agency's Eagle-1 , launched to establish the first pan-European space-based QKD constellation for secure ground- links. In , the Micius-2 was launched in 2025, enhancing global coverage by extending intercontinental QKD capabilities beyond the original Micius mission. These integrations address terrestrial range limitations in network topologies. Despite progress, QKD networks face challenges in key management across distributed nodes, requiring robust protocols for key pooling, , and revocation to maintain end-to-end without single points of failure. Synchronization of quantum signals and classical control channels remains critical, as timing mismatches can degrade key rates and introduce vulnerabilities, necessitating precise clock distribution mechanisms in multi-node setups.

Historical development

Early proposals

The foundational ideas for quantum key distribution (QKD) emerged in the early 1970s through Stephen Wiesner's work on conjugate coding, which proposed using quantum mechanical properties to create uncloneable quantum money. Conceived around 1970 while Wiesner was a graduate student at Columbia University, this concept involved encoding information in non-orthogonal quantum states, such as orthogonal polarizations of single photons, to enable secure transmission of complementary messages that could not be perfectly copied due to the inherent uncertainty in quantum measurements. Although the paper was rejected by IEEE Transactions on Information Theory and remained unpublished for over a decade, Wiesner's ideas predated the invention of public-key cryptography in 1976 and were uninfluenced by it, drawing instead from quantum optics principles like the no-cloning theorem's implications for information security. Building on Wiesner's conjugate coding, Charles H. Bennett and began conceptualizing in the early 1980s, focusing on using non-orthogonal quantum states for secure . Their collaboration, which started in 1979, led to the first explicit proposal for QKD in a 1983 abstract submitted to the IEEE International Symposium on , where they outlined a prepare-and-measure scheme to distribute secret keys over a while detecting eavesdroppers through error rates. This approach shifted from classical reuse to leveraging quantum uncertainty for privacy amplification and eavesdropping detection, marking the initial theoretical framework for practical quantum-secure communication. The seminal protocol was formalized and published by Bennett and Brassard in 1984 during the IEEE International Conference on Computers, Systems and Signal Processing in , . In this prepare-and-measure protocol, encodes random bits into photon polarizations using one of two randomly chosen bases ( or diagonal), sends them to , who measures in a random basis, and they publicly compare bases to sift matching bits, retaining a shared string as the raw key after discarding mismatches. The protocol's security relies on the quantum nature of the states, ensuring that any disturbs the system detectably, thus providing a foundation for information-theoretically secure without presupposed shared secrets. Early security analyses in the 1984 BB84 paper included initial proof sketches demonstrating robustness against individual attacks, where an eavesdropper () targeting single photons could extract at most 1/2 bit of per while inducing at least a 1/4 error rate in the sifted key, allowing to detect intrusion via public error estimation. These sketches focused on 's optimal strategies in the prepare-and-measure setting, showing that quantum non-commutativity limits her and guarantees key privacy if errors remain below a threshold. Such discussions established QKD's potential against passive and active individual , paving the way for later generalizations to collective and coherent attacks.

Key milestones

In 1991, proposed the E91 protocol, an entanglement-based approach to quantum key distribution that leverages to detect eavesdropping through violations of Bell inequalities. In 1989, Charles Bennett and collaborators conducted the first experimental demonstration of the BB84 protocol over 32.5 cm in free space, marking the initial practical realization of prepare-and-measure quantum key distribution. In 1993, Paul Townsend and colleagues demonstrated the first QKD over , achieving secure key distribution over 10 km using an interferometric scheme. The International Conference on Quantum Information (ICQI), a key forum for advancing quantum communication research, began holding annual meetings in 2001, fostering global collaboration on QKD developments. During the late 1990s and early 2000s, theoretical advancements solidified QKD's security foundations. In 2000, and John Preskill provided a simplified proof demonstrating the unconditional security of the protocol against general attacks, reducing complex error correction and privacy amplification analyses to equivalences. In 2004, researchers identified the photon-number-splitting (PNS) attack, exploiting multi-photon pulses in weak coherent sources to enable without detection in practical setups. This vulnerability prompted the 2005 introduction of decoy-state methods by Hoi-Kwong Lo and colleagues, which use additional low-intensity pulses to estimate photon number distributions and mitigate PNS attacks, enabling secure key rates over longer distances with standard lasers. The 2010s saw breakthroughs in overcoming detection-side vulnerabilities and extending range. In 2012, Hoi-Kwong Lo, Marcos Curty, and Bing Qi proposed measurement-device-independent QKD (MDI-QKD), a protocol that removes all detector-based side-channel risks by having a central untrusted relay perform measurements, proven secure against arbitrary attacks on measurement devices. Experimental demonstrations followed shortly, achieving secure keys over 50 km of fiber. In 2015, Bas Hensen and colleagues reported the first loophole-free violation of a over 1.3 km using entangled spins, closing detection and locality loopholes essential for device-independent QKD (DI-QKD) . Building on this, practical DI-QKD implementations emerged in the , with experiments in 2021 achieving positive key rates over short distances using high-fidelity entanglement sources. In 2017, the Micius , launched by , demonstrated entanglement-based QKD over links with ground stations 1200 km apart, enabling global-scale quantum networks by countering atmospheric losses. The late and emphasized standardization and integration. In 2018, the launched the Quantum Flagship initiative, a €1 billion program funding large-scale QKD network deployments and security enhancements across Europe. has been developing standards for advanced QKD protocols, including aspects relevant to twin-field QKD (TF-QKD) in subsequent years. In 2025, demonstrated a high-capacity QKD system multiplexing secret keys with 33.4 Tbps data signals over 80 km of , advancing commercial viability for quantum-secure backbone networks.

Current status and outlook

Market and adoption trends

The quantum key distribution (QKD) market was valued at USD 997 million in 2024 and is projected to reach USD 9.418 billion by 2032, growing at a (CAGR) of approximately 32%. This expansion is primarily driven by escalating concerns over threats to classical protocols like , which could be compromised by algorithms such as Shor's, prompting organizations to seek unconditionally secure alternatives. Adoption of QKD has accelerated among businesses, with early uptake concentrated in and sectors as of 2025, where secure is paramount. Key examples include banking institutions like , which has conducted pilots for quantum-secure of test over fiber-optic networks between its headquarters and data centers, and telecom providers such as , which trialed QKD for encrypting video streams in environments in 2020. Regulatory frameworks are further bolstering QKD integration. The (ETSI) has developed interoperability standards for QKD systems, facilitating deployment in quantum communication networks across Europe. In the United States, Executive Order 14028 (2021) mandates federal agencies to migrate to quantum-resistant cryptography, encompassing QKD as a viable option alongside (PQC) for enhancing national cybersecurity. Growth in 2025 has been propelled by integrations from major players, including 's advancements in long-distance QKD over commercial fiber infrastructure and Chinese initiatives, such as the University of Science and Technology of China's (USTC) quantum demonstration in March 2025 achieving real-time QKD over 12,900 km to for national security applications. Notable partnerships, such as that between , , and , have enabled quantum-secure data center connections in the UK in 2024, marking a step toward commercial scalability. Despite these trends, barriers persist, including high deployment costs for QKD systems (around €200,000 per device as of 2025) and transmission ranges limited to under 100 km without quantum repeaters, which currently do not exist at scale. As a result, hybrid approaches combining QKD for high- links with PQC for broader applications are increasingly favored to balance and practicality.

Challenges and future directions

One major technical challenge in quantum key distribution (QKD) is the limitation imposed by lossy channels, which restrict reliable to distances under 100 km in standard due to rates of approximately 0.2 /km at 1550 . This drastically reduces secret key rates, making long-distance terrestrial QKD impractical without intermediate nodes, and has prompted into quantum repeaters to extend ranges globally. Quantum repeaters, which use quantum memories such as atomic ensembles to enable entanglement swapping and purification, are anticipated to become viable in the 2030s, with prototypes potentially demonstrating fault-tolerant operation by 2035. Integration of QKD with classical presents additional hurdles, including the need for compatible to avoid between quantum and classical signals over shared fibers. overhead further complicates deployment, as QKD protocols require secure classical channels for initial key verification, often consuming a significant portion of generated keys and increasing vulnerability to denial-of-service attacks during post-processing. Side-channel vulnerabilities, such as those exploiting detector blinding or photon-number-splitting attacks, remain a persistent issue, necessitating device-independent protocols and rigorous hardware shielding to bridge the gap between theoretical and practical security. Looking ahead, satellite-based QKD constellations offer a promising path to overcome terrestrial distance limits, with the European Space Agency's EAGLE-1 mission scheduled for launch in late 2026 to validate intercontinental key distribution using protocols like as part of Europe's Quantum Communication Infrastructure. Advances in chip-scale integrated are enabling more portable QKD systems by miniaturizing single-photon sources and detectors onto platforms, potentially reducing size and cost for widespread deployment. Hybrid approaches combining QKD with (PQC), such as NIST's 2024 standardized (ML-KEM) algorithm, provide interim resilience against both current and quantum threats by layering with computationally hard lattice-based schemes. This integration supports the long-term vision of a global quantum , where QKD networks interconnect with classical for secure, distributed quantum communication. Research into continuous-variable QKD (CV-QKD) addresses hardware complexity by leveraging coherent optical components like homodyne detectors, which simplify implementation compared to discrete-variable systems requiring cryogenic single-photon detectors. However, some institutions, including the U.S. (NSA), have deprecated standalone QKD for applications due to its immaturity, high costs, and reliance on unproven infrastructure, recommending PQC alternatives instead.

References

  1. [1]
    What is Quantum Key Distribution? QKD Explained - TechTarget
    Jul 2, 2025 · Quantum key distribution (QKD) is a secure communication method for exchanging encryption keys only known between shared parties.
  2. [2]
    Quantum Key Distribution | QKD - ID Quantique
    Quantum Key Distribution or QKD, also known as quantum cryptography, uses quantum physics to secure the transmission of symmetric encryption keys.
  3. [3]
    Quantum Key Distribution (QKD) and Quantum Cryptography QC
    Quantum key distribution (QKD) uses quantum mechanics to generate keys, while quantum cryptography (QC) uses similar principles for communication.
  4. [4]
    [PDF] An Introduction to Practical Quantum Key Distribution - Walter Krawec
    Apr 3, 2020 · This tutorial serves as an introduction to basic quantum key distribution along with QKD technology from a practical perspective. Quantum ...
  5. [5]
    Quantum cryptography: Public key distribution and coin tossing - arXiv
    Mar 14, 2020 · This is a best-possible quality scan of the original so-called BB84 paper as it appeared in the Proceedings of the International Conference ...
  6. [6]
    A single quantum cannot be cloned - Nature
    Oct 28, 1982 · We show here that the linearity of quantum mechanics forbids such replication and that this conclusion holds for all quantum systems.
  7. [7]
    The security of practical quantum key distribution | Rev. Mod. Phys.
    Sep 29, 2009 · This article provides a concise up-to-date review of QKD, biased toward the practical side. Essential theoretical tools that have been developed to assess the ...
  8. [8]
    Simple Proof of Security of the BB84 Quantum Key Distribution ...
    Mar 1, 2000 · We prove the security of the 1984 protocol of Bennett and Brassard (BB84) for quantum key distribution.
  9. [9]
    https://link.aps.org/doi/10.1103/RevModPhys.81.1301
  10. [10]
    https://arxiv.org/abs/quant-ph/0003004
  11. [11]
    Device-Independent Security of Quantum Cryptography against ...
    We present the optimal collective attack on a quantum key distribution protocol in the “device-independent” security scenario.
  12. [12]
    Device-independent quantum key distribution secure against ... - arXiv
    Mar 25, 2009 · Device-independent quantum key distribution (DIQKD) represents a relaxation of the security assumptions made in usual quantum key distribution ( ...Missing: 2010 | Show results with:2010
  13. [13]
    A device-independent quantum key distribution system for distant ...
    Jul 27, 2022 · Here we present an experimental system that enables for DIQKD between two distant users. The experiment is based on the generation and analysis of event-ready ...
  14. [14]
    Consequences of the single-pair measurement of the Bell parameter
    ### Summary of Aiello's Inequality-Free Bell Nonlocality Verification and Relevance to DI-QKD
  15. [15]
    Overcoming the rate–distance limit of quantum key distribution ...
    May 2, 2018 · Fields imparted with the same random phase are 'twins' and can be used to distil a quantum key. The key rate of this twin-field QKD exhibits the ...
  16. [16]
    Field Test of Twin-Field Quantum Key Distribution through Sending ...
    ... QKD over 428 km of deployed commercial fiber and two users are physically separated by about 300 km in a straight line. To this end, we explicitly measure ...
  17. [17]
    Counterfactual Quantum Cryptography | Phys. Rev. Lett.
    Quantum cryptography allows one to distribute a secret key between two remote parties using the fundamental principles of quantum mechanics.
  18. [18]
    Demystifying the Information Reconciliation Protocol Cascade
    ### Summary of Cascade Protocol in QKD
  19. [19]
    Secret-Key Reconciliation by Public Discussion - SpringerLink
    Reconciliation is the process of correcting errors between Alice's and Bob's version of the key. This is done by public discussion, which leaks some ...
  20. [20]
    [1007.1616] Information Reconciliation for Quantum Key Distribution
    Jul 9, 2010 · In this paper we describe a low-density parity-check reconciliation protocol that improves significantly on these problems.
  21. [21]
    Information reconciliation of continuous-variables quantum key ...
    Oct 6, 2023 · In this paper, we first describe the basic knowledge of information reconciliation and its impact on continuous variable QKD.
  22. [22]
    Distillation of secret key and entanglement from quantum states - arXiv
    Jun 11, 2003 · We study and solve the problem of distilling secret key from quantum states representing correlation between two parties (Alice and Bob) and an eavesdropper ( ...
  23. [23]
    [quant-ph/0512258] Security of Quantum Key Distribution - arXiv
    Dec 30, 2005 · As an application, we give a proof for the security of quantum key distribution which applies to arbitrary protocols. Comments: PhD thesis; ...Missing: composable | Show results with:composable
  24. [24]
    After-gate attack on a quantum cryptosystem - IOPscience
    Jan 26, 2011 · The attack can remain unnoticed, since the faked states do not increase the error rate per se. This allows for an intercept–resend attack, where ...
  25. [25]
    Experimental Demonstration of Quantum Cryptography Using ...
    Experimental demonstration of quantum cryptography using polarized photons in optical fibre over more than 1 km.
  26. [26]
    Entanglement-based quantum communication over 144 km - Nature
    Jun 3, 2007 · Here we experimentally demonstrate entanglement-based quantum key distribution over 144 km. One photon is measured locally at the Canary Island of La Palma.
  27. [27]
    Secure Quantum Key Distribution over 421 km of Optical Fiber
    This paper presents a quantum key distribution system achieving a record distance of 421 km, with a 2.5 GHz repetition rate and 6.5 bps key rate over 405 km.Missing: early | Show results with:early
  28. [28]
    World's First Successful Demonstration of Quantum Key Distribution ...
    Mar 26, 2025 · We have successfully transmitted secret keys and high-capacity data signals at 33.4 Tbps over 80 km for the first time.Missing: multi- | Show results with:multi-
  29. [29]
    Top Companies in Quantum Key Distribution Industry - Toshiba ...
    Feb 6, 2025 · The QKD market is led by some of the globally established players, such as Toshiba (Japan), ID Quantique (Switzerland), QuintessenceLabs (Australia), MagiQ ...Missing: specs | Show results with:specs
  30. [30]
    Products | Quantum Key Distribution | TOSHIBA DIGITAL ...
    Multiplexed QKD System · Typical key rate : 40 kb/s for 10 dB loss · Range of up to 70km · Fiber requirement : single or dual fibers · Option to multiplex data in C ...
  31. [31]
    Products | Quantum Cybersecurity from QuintessenceLabs
    QuintessenceLabs offers quantum security hardware for encryption key management and distribution, including a Random Number Generator.Missing: commercial ID Quantique Toshiba specs
  32. [32]
    Next-Generation QKD Protocols: A Cybersecurity Perspective
    Already, multiple vendors (ID Quantique, Toshiba, QuintessenceLabs, Quantum Xchange, etc.) offer commercial QKD systems, and some telecom operators offer ...
  33. [33]
    The promise of quantum encryption - The Economist
    Mar 9, 2017 · IN 2004 the Bank of Austria and Vienna's city hall notched up the first quantum-encrypted bank transfer.
  34. [34]
    Quantum Key Distribution Market Size, Share & 2030 Growth Trends ...
    Oct 3, 2025 · The Quantum Key Distribution Market is expected to reach USD 0.61 billion in 2025 and grow at a CAGR of 33.78% to reach USD 2.58 billion by ...
  35. [35]
    QKD in 2025: Innovations, Challenges, and the Path to Adoption
    Nevertheless, we forecast a significant surge in adoption, with the number of businesses using QKD services set to grow from just over 1,000 in 2025 to 3,000 ...
  36. [36]
    [PDF] ETSI GS QKD 002 V1.1.1 (2010-06) - Quantum Key Distribution
    A QKD link encryptor is a Quantum Cryptography appliance for point-to-point link encryption which may also be referred to as Virtual Private Network VPN tunnel.
  37. [37]
    [PDF] ETSI GS QKD 004 V1.1.1 (2010-12)
    The present document is intended to describe the interface between security applications and a QKD key management layer, which is an additional layer that sits ...Missing: VPN | Show results with:VPN
  38. [38]
    Topological optimization of hybrid quantum key distribution networks
    In this research, a hybrid QKD network is studied for the first time from the perspective of topology, by analyzing the topological differences of various QKD ...
  39. [39]
    Cost-Optimization-Based Quantum Key Distribution over ... - NIH
    Apr 14, 2023 · The MDI-QKD combined with the Hybrid-Trusted and Untrusted Relay (HTUR) is used to deploy large-scale QKD networks, which effectively saves ...
  40. [40]
    Beijing-Shanghai quantum link a 'new era' - USA - Chinadaily.com.cn
    Sep 30, 2017 · China launched a 2,000-kilometer quantum fiber link connecting Beijing and Shanghai on Friday, allowing unhackable communication between the ...Missing: 460 dark
  41. [41]
    Chinese Scientists Create Integrated Quantum Communication ...
    Jan 7, 2021 · Using trusted relays, the ground-based fiber network and the satellite-to-ground links were integrated to serve more than 150 industrial users ...Missing: 2017 460
  42. [42]
    Quantum cryptography network spans 4600 km in China
    Jan 7, 2021 · The system comprises a 2000 km fibre optic link between the cities of Shanghai, Hefei, Jinan and Beijing and a satellite link spanning 2600 km ...Missing: 2017 460 dark
  43. [43]
    The SECOQC quantum key distribution network in Vienna
    Jul 2, 2009 · In this paper, we present the quantum key distribution (QKD) network designed and implemented by the European project SEcure COmmunication based on Quantum ...Missing: SwissQuantum OPENQKD
  44. [44]
    Long-term performance of the SwissQuantum quantum key ...
    Dec 1, 2011 · Each quantum link is implemented with a pair of customized commercial QKD servers (ID Quantique, id510012). The optical platform of the QKD ...Missing: bank | Show results with:bank
  45. [45]
    Open European Quantum Key Distribution Testbed | OPENQKD
    Jun 25, 2024 · OPENQKD is a Europe-wide project setting up a quantum communication testbed in several European countries to protect sensitive data and digital ...Missing: SECOQC 2008 2013 2018-2021
  46. [46]
    Inauguration of the Tokyo QKD Network - NICT
    The Tokyo QKD Network is the world's fastest, using quantum key distribution for secure video transmission, with a 100kbps key generation rate. It has three ...Missing: DARPA QuIST Singapore Los Alamos
  47. [47]
    Field test of quantum key distribution in the Tokyo QKD Network
    May 23, 2011 · A secure communication network with quantum key distribution in a metropolitan area is reported. Six different QKD systems are integrated into a mesh-type ...Missing: 2010 DARPA QuIST Singapore Los Alamos
  48. [48]
    [PDF] DARPA Quantum Network Testbed - DTIC
    The DARPA Quantum Network Testbed, built by BBN, is the first quantum network testbed using Quantum Key Distribution (QKD) for network security. It has 10 ...Missing: Tokyo 2010 Singapore
  49. [49]
    [PDF] QKD Fact Sheet LA-UR-23-22669 - Los Alamos National Laboratory
    Los Alamos National Laboratory has been working in the area of Quantum Key Distribution (QKD) for over fifteen years. LANL holds the record for the longest ...Missing: Tokyo 2010 DARPA QuIST Singapore
  50. [50]
    The European Satellite-Based QKD System EAGLE-1 - arXiv
    May 27, 2025 · The satellite mission EAGLE-1 represents an important step towards a future pan-European secure quantum key distribution (QKD) network.
  51. [51]
    The global quantum space race - SPIE
    Jan 1, 2025 · By early 2026, the European Space Agency (ESA) intends to launch a small satellite, Eagle-1, developed with Luxembourg-based satellite firm, SES ...
  52. [52]
    Quantum Key Distribution Networks – Key Management: A Survey
    Aug 8, 2024 · This section presents a concise list of challenges and future endeavors in key management in QKD networks. Key management is the ...
  53. [53]
    Analysis of synchronization in quantum key distribution networks - ITU
    Mar 14, 2025 · The key generation rate of commercial QKD is about tens of kbit/s, which means that the millisecond-level timing precision provided by NTP ...Missing: range | Show results with:range
  54. [54]
    [PDF] Brief History of Quantum Cryptography: A Personal Perspective - arXiv
    Apr 11, 2006 · A curious episode took place when Doug Wiedemann, having read Wiesner's. “Conjugate Coding” in Sigact News, reinvented the exact BB84 protocol ...
  55. [55]
    None
    ### Summary of BB84 Protocol and Related Details (1983-1984)
  56. [56]
    Quantum cryptography based on Bell's theorem | Phys. Rev. Lett.
    Received 18 April 1991. Export Citation. Reuse & Permissions. DOI: https://doi.org/10.1103/PhysRevLett.67.661. © 1991 American Physical Society.
  57. [57]
    Quantum Cryptography Protocols Robust against Photon Number ...
    Feb 6, 2004 · We study one of these protocols, which differs from the original protocol by Bennett and Brassard (BB84) only in the classical sifting procedure ...
  58. [58]
    Decoy State Quantum Key Distribution | Phys. Rev. Lett.
    The general principle of decoy state QKD developed here can have widespread applications in other setups (e.g., open-air QKD or QKD with other photon sources) ...Abstract · Article Text
  59. [59]
    Measurement-Device-Independent Quantum Key Distribution
    Mar 30, 2012 · In this Letter we present the idea of measurement-device-independent QKD (MDI-QKD) as a simple solution to remove all (existing and yet to be ...
  60. [60]
    Loophole-free Bell inequality violation using electron spins ... - Nature
    Oct 21, 2015 · Here we report a Bell experiment that is free of any such additional assumption and thus directly tests the principles underlying Bell's inequality.Missing: DI- QKD
  61. [61]
    Progress in satellite quantum key distribution - Nature
    Aug 9, 2017 · Jennewein, T. et al. QEYSSAT: A mission ... Daylight operation of a free space, entanglement-based quantum key distribution system.<|control11|><|separator|>
  62. [62]
    [PDF] ETSI GS QKD 004 V2.1.1 (2020-08)
    The present document is intended to specify an Application Programming Interface (API) between a QKD key manager and applications. The function of a QKD key ...Missing: IPsec VPN<|separator|>
  63. [63]
    [PDF] NIST IR 8547 initial public draft, Transition to Post-Quantum ...
    Nov 12, 2024 · It identifies existing quantum-vulnerable cryptographic standards and the quantum- resistant standards to which information technology products ...Missing: QKD | Show results with:QKD
  64. [64]
    Quantum Key Distribution QKD Market Outlook 2025-2032
    Rating 4.4 (1,871) Oct 7, 2025 · Global Quantum Key Distribution (QKD) market was valued at USD 997 million in 2024 and is projected to reach USD 9418 million by 2032, ...
  65. [65]
    HSBC becomes first bank to join quantum-secured metro network in ...
    Jul 5, 2023 · HSBC will trial the quantum secure transmission of test data over fibre-optic cables between its global HQ in Canary Wharf and a data centre in ...Missing: pilot Verizon
  66. [66]
    Verizon Trials Quantum-Safe Technology Deployments - SDxCentral
    Jan 11, 2023 · Verizon conducted trials deploying a quantum key distribution (QKD) network and tested quantum-safe virtual private networks (VPNs).Missing: HSBC | Show results with:HSBC
  67. [67]
    Quantum Key Distribution (QKD) - ETSI
    The work of the ETSI ISG in QKD is important to enable the future interoperability of the quantum communication networks being deployed around the world.Missing: TF- 2020
  68. [68]
    Executive Order 14028, Improving the Nation's Cybersecurity | NIST
    The President's Executive Order (EO) 14028 on Improving the Nation's Cybersecurity issued on May 12, 2021, charges multiple agencies – including NIST – with ...
  69. [69]
    Toshiba Breakthrough Brings Quantum Communications to Existing ...
    QKD allows users to securely exchange confidential information (such as bank statements and health records) over an untrusted communication ...
  70. [70]
    Quantum secured blockchain framework for enhancing post ... - Nature
    Aug 23, 2025 · QKD: The system supports tamper-proof key exchange, quantum-resilient consensus among validator nodes, and secure transaction signing.<|control11|><|separator|>
  71. [71]
    Access to quantum secure communications made easier for ...
    Sep 13, 2024 · Collaboration between BT Group, Toshiba and Equinix opens access to quantum-secure networks between data centres · Equinix facilities in London's ...
  72. [72]
    [PDF] Application Perspectives in Quantum Communication - Fraunhofer ISI
    Jun 1, 2025 · In 2025, broader QKD adoption is still facing various challenges. The most relevant include limited technical maturity, high costs (for QKD ...
  73. [73]
    https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity
  74. [74]
    Practical challenges in quantum key distribution - Nature
    Nov 8, 2016 · Experimental demonstration of phase-remapping attack in a practical quantum key distribution system. New J. Phys. 12, 113026 (2010). ADS ...
  75. [75]
    https://en.ustc.edu.cn/info/1007/5032.htm
  76. [76]
    Integrating quantum key distribution with classical communications ...
    Feb 27, 2018 · Here we present for the first time, to the best of our knowledge, the integration of QKD with a commercial backbone network of 3.6 Tbps classical data at 21 ...
  77. [77]
    QKD and authentication: Separating facts from myths
    Authentication in QKD ... Authentication just guarantees that the entities establishing keys are legitimate, protecting against man-in-the-middle attacks.
  78. [78]
    The practical issues of side-channel-secure quantum key distribution
    Aug 21, 2025 · The side-channel-secure (SCS) protocol addresses these challenges by encoding bits in vacuum and non-vacuum states and introducing a third-party ...Missing: authentication | Show results with:authentication
  79. [79]
    Quantum-Safe Communication Infrastructure: WISeKey's First-Mover ...
    Oct 15, 2025 · For instance, ESA's EAGLE-1, set to launch in late 2025, will focus on validating QKD for Europe's Quantum Communication Infrastructure (EuroQCI) ...
  80. [80]
    Recent progress in quantum photonic chips for quantum ... - Nature
    Jul 14, 2023 · We provide an overview of the advances in quantum photonic chips for quantum communication, beginning with a summary of the prevalent photonic integrated ...
  81. [81]
    NIST Releases First 3 Finalized Post-Quantum Encryption Standards
    Aug 13, 2024 · The fourth draft standard based on FALCON is planned for late 2024. While there have been no substantive changes made to the standards since the ...
  82. [82]
    Hybrid classical-quantum communication networks - arXiv
    Feb 11, 2025 · This paper aims to provide a comprehensive review of ongoing research endeavors aimed at integrating quantum communication protocols.
  83. [83]
    Advantages of Continuous Variable Quantum Key Distribution
    Feb 21, 2022 · CV-QKD offers the advantage of high total detection efficiencies by using homodyne detectors with high quantum efficiency photodiodes.