Blog

What’s the difference between quantum cryptography and quantum-resistant cryptography?

Author: Arnaud DUFOURNET, Chief Marketing Officer

In July 2023, Gartner published its most recent “Hype Cycle” for data security, the key feature of which is a graph showing the maturity and take-up of technologies and applications in the field of data security. Highly promising technologies in the mid- to long-term, meaning the next two to five years, include post-quantum cryptography and quantum cryptography (also called quantum key distribution). Post-quantum cryptography (PQC) and quantum cryptography (a.k.a. quantum key distribution, QKD)  are two concepts that are often confused. Gartner’s article is an opportunity to reiterate the main differences between these two technologies and the uses to which they can be put.

Quantum cryptography or QKD

Let’s start with the oldest technology of the pair. Invented by American Charles Bennett and Canadian Gilles Brassard in 1984, quantum cryptography is based on the principle of QKD, which involves exchanging encryption keys, these being generally symmetrical, by optical means (terrestrial, free space, or satellite link). This means of communication is essentially tamper-proof, because it exploits a basic principle of quantum mechanics, namely particle entanglement (typically photons). Any attempt to interfere with the transmission chain generates a disturbance which is immediately detected by the communication protocol, bringing the communication to an instant halt. This aspect is obviously the main benefit of this technology.

While it will be a vital component in any future quantum internet, it nevertheless has several major drawbacks. The first limitation is that it requires a new physical network, one dedicated to this means of communication alone. Furthermore, it is difficult to extend quantum networks over large distances.

While it will be a vital component in any future quantum internet, it nevertheless has several major drawbacks. The first limitation is that it requires a new physical network, one dedicated to this means of communication alone. Furthermore, it is difficult to extend quantum networks over large distances.

Although much progress has been made since it first emerged (the first fiber-optic transmission in 1989 had a range of just 30 cm), the new record set by a Swiss company, Terra Quantum, is just over 1,000 kilometers.  “Achieving QKD over long distances requires trusted quantum repeaters to be set up between two terminal points, which increases the infrastructure to be managed,” as Gérôme Billois told us when we were writing TheGreenBow white paper entitled “Cryptography at the core of the quantum revolution.” A final significant drawback is that quantum key distribution does not enable the sending source to be authenticated, therefore requiring the addition of post-quantum cryptography mechanisms.

Post-quantum cryptography or PQC

The aim of post-quantum cryptography, or quantum-resistant cryptography, is encryption that can resist attacks by quantum computers capable of running the Shor and Grover algorithms (see our article “Post-quantum cryptography: why should we be concerned now?”). Some see this technology as competing with quantum cryptography, while others see the pair as dovetailing together. Quantum-resistant cryptography consists of algorithms based on new mathematical problems (Euclidean lattices, error-correcting codes [ECC], multivariate polynomial inversion, etc.) and it is intended to replace existing asymmetrical key algorithms such as Diffie-Hellman, RSA, and elliptic-curve cryptography (ECC), reckoned to be vulnerable to quantum attacks.

This spurred the National Institute of Standards and Technology (NIST) to initiate a competition in 2016 calling on the international cryptography community to submit candidate algorithms. In July 2022, the third round of evaluation and analysis resulted in the selection of four algorithms (one for encryption and three for electronic signatures) whose implementation standards will be published in April 2024.

The big difference compared with QKD is that PQC can be deployed over existing security infrastructure, and so can provide a response now to a threat that exists now, namely Harvest Now Decrypt Later attacks, which entail grabbing sensitive data with a long lifespan in the present, with a view to decryption in a few years’ time using a quantum computer. As a consequence, major security agencies around the world (CISA [USA], ENISA [EU], ANSSI [France], NCSC [UK], BSI [Germany], and others) strongly recommend that businesses and governments migrate to this new cryptography as soon as possible.

Doing so is a long job (see our blog post “Migrating to quantum-resistant cryptography: why you should start now”) considering the omnipresence of RSA and Diffie-Hellman keys in our daily data interchange. Past experience has shown that it often takes a good decade to migrate systems (software, equipment, and associated services). In the financial sector for instance, as readers might recall, the migration away from MD5 (Message Digest 5), a cryptographic hash function, took more than ten years to complete after this algorithm was deemed vulnerable in 2008. Hence the need to plan and begin the migration to quantum-resistant cryptography as quickly as possible.

PQC vs QKD: what security agencies recommend

Being tamper-proof, QKD is proving promising for protecting highly sensitive communications, such as military communications. However, QKD does not yet constitute an alternative to current cryptography, particularly that based on RSA keys. It requires new infrastructure that will be costly to maintain, and it operates over distances that are still too short to meet practical needs, all of which significantly restricts its use cases. The USA’s National Security Agency (NSA) has pointed out as much, adding a further drawback to QKD by explaining that it increases the risk of denial of service attacks. The NSA describes how, given that confidentiality is based on the principle that if a communication is eavesdropped upon, then the interference caused instantly brings the communication to a halt, cyber attackers can consequently prevent communications merely by causing repeated disruption in this way. The NSA also sees quantum-resistant cryptography as a cheaper solution that is easier to maintain. For all these reasons, the NSA asks that PQC be the option implemented first so as to protect communications. Similarly, neither France’s cybersecurity agency ANSSI (read its position paper “Should Quantum Key Distribution be used for secure connections?”) nor its British counterpart, the NCSC (see the white paper on “Quantum security technologies”) recommend using quantum cryptography to keep access to information systems secure.


Subscribe to our newsletter