Unlike conventional cryptography and PQC, the security of QKD is inherently tied to the physical layer, which makes the threat surfaces of QKD and conventional cryptography quite different. QKD implementations have already come under publicized attack, and the NSA notes that the risk profile of conventional cryptography is better understood. Because conventional cryptography and PQC are implemented above the physical layer, PQC can be used to send protected information securely through untrusted relays, as shown in the top half of Figure 4. This is in stark contrast to QKD, which relies on hop-by-hop security between intermediate trusted nodes, each of which sees the key in the clear. The PQC approach is better aligned with the modern technology environment, in which more and more applications are moving towards end-to-end security and zero-trust principles. Note also that PQC can be deployed as a software update, whereas QKD requires new hardware.
Regarding the implementation details of QKD, the NSA states that communication needs and security requirements are physically in conflict in QKD and that the engineering required to balance them has extremely low error tolerance. While conventional cryptography may be implemented in hardware in some cases for performance or other reasons, QKD is inherently hardware-bound. The NSA points out that this makes QKD less flexible when it comes to upgrades or security patches. As QKD is fundamentally a point-to-point protocol, the NSA also notes that QKD networks often require the use of trusted relays, which increases the security risk from insider threats.
As QKD still requires the classical channel to be authenticated using conventional cryptography, the UK's National Cyber Security Centre cautions against exclusive reliance on it, particularly in critical areas of national infrastructure, and suggests that PQC as standardized by NIST is the better solution. Meanwhile, France's National Cybersecurity Agency has decided that QKD may be considered a complementary defense-in-depth measure alongside conventional cryptography, as long as the cost incurred does not detract from the mitigation of current threats against computer systems.
Quantum random number generators
Secure randomness is essential in cryptography: if the quality of a randomness generator is poor, many cryptographic protocols fail to provide security. Although conventional hardware random number generator technology is robust and secure against quantum computers, QRNGs have nonetheless attracted attention in recent years. QRNGs operate on a physical realization of a quantum model, instead of the other physical processes (such as thermal noise or oscillator jitter) used in conventional hardware random number generators.
QRNGs are sometimes advertised as generating perfect, unbiased random bits, unlike the biased bits from conventional generators. In reality, however, raw bits from a conventional generator are never used directly: the output of the entropy source is conditioned and then used to seed a deterministic random bit generator (DRBG), whose output is computationally indistinguishable from uniform as long as the seed carries enough entropy. This is the same mechanism that allows a single 128-bit AES key to produce several gigabytes of seemingly random encrypted data. The raw output of a QRNG's detector is likewise subject to bias and classical noise, so it needs the same conditioning step before use.
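To make the post-processing argument concrete, the following added example (not code from the original page or from any vendor) simulates a biased raw entropy source, works out how many raw bits are needed to carry 256 bits of min-entropy, conditions them with SHA-256, and seeds an HMAC_DRBG (SP 800-90A, SHA-256) with the result. The biased source is a constructed stand-in driven by a seeded PRNG so the run is reproducible; the i.i.d. bias model, the 256-bit entropy target and the helper names are assumptions made for illustration. It goes slightly beyond the text by refusing to seed the DRBG when the raw sample cannot carry the target entropy.

```python
import hashlib
import hmac
import math
import random


# --- 1. Constructed stand-in for a biased raw entropy source -----------------
def simulate_biased_source(n_bits: int, p_one: float, seed: int) -> list:
    """Return n_bits raw bits, each 1 with probability p_one.

    Constructed sample: a seeded PRNG plays the noisy physical source so the
    run is reproducible. A real HRNG/QRNG would read its detector here.
    """
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def fraction_ones(bits) -> float:
    """Monobit statistic: fraction of 1 bits (0.5 is ideal)."""
    return sum(bits) / len(bits)


def bits_to_bytes(bits) -> bytes:
    """Pack bits MSB-first into bytes, dropping any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


# --- 2. Entropy accounting (assumes i.i.d. bits; SP 800-90B's most-common-value view)
def min_entropy_per_bit(p_one: float) -> float:
    """Min-entropy of one raw bit: -log2 of the most likely value's probability."""
    return -math.log2(max(p_one, 1.0 - p_one))


def raw_bits_needed(p_one: float, target_bits: int = 256) -> int:
    """Raw bits the conditioner must consume to carry target_bits of min-entropy."""
    return math.ceil(target_bits / min_entropy_per_bit(p_one))


# --- 3. Conditioning and DRBG -----------------------------------------------
def condition(raw_bits) -> bytes:
    """Hash conditioning: compress the raw sample into a 256-bit seed."""
    return hashlib.sha256(bits_to_bytes(raw_bits)).digest()


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) over SHA-256, without personalization or additional input."""

    def __init__(self, seed_material: bytes):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed_material)
        self.reseed_counter = 1

    def _update(self, provided: bytes) -> None:
        self.K = hmac.new(self.K, self.V + b"\x00" + provided, hashlib.sha256).digest()
        self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
        if provided:
            self.K = hmac.new(self.K, self.V + b"\x01" + provided, hashlib.sha256).digest()
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()

    def generate(self, n_bytes: int) -> bytes:
        out = b""
        while len(out) < n_bytes:
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
            out += self.V
        self._update(b"")  # backtrack resistance: refresh K, V after each request
        self.reseed_counter += 1
        return out[:n_bytes]


def drbg_from_source(raw_bits, p_one: float) -> HmacDrbg:
    """Seed a DRBG only if the raw sample can carry 256 bits of min-entropy."""
    need = raw_bits_needed(p_one)
    if len(raw_bits) < need:
        raise ValueError(f"only {len(raw_bits)} raw bits; need {need} at p_one={p_one}")
    return HmacDrbg(condition(raw_bits))


def demo(p_one: float = 0.7, n_raw: int = 4096, n_out: int = 12500) -> dict:
    """Raw bias in, uniform-looking output out; returns the statistics for inspection."""
    raw = simulate_biased_source(n_raw, p_one, seed=1234)  # constructed sample
    out = drbg_from_source(raw, p_one).generate(n_out)
    return {
        "raw_fraction_ones": fraction_ones(raw),
        "raw_bits_needed": raw_bits_needed(p_one),
        "output_fraction_ones": fraction_ones(bytes_to_bits(out)),
    }


if __name__ == "__main__":
    print(demo())
```

With a source that emits 1 with probability 0.7, each raw bit carries only about 0.51 bits of min-entropy, so roughly 500 raw bits must be hashed into a 256-bit seed; the DRBG output then passes the monobit check that the raw stream fails. The same bookkeeping applies to a QRNG, whose vendor-claimed entropy rate should be treated as a parameter to verify, not as a given.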
If QRNG technology becomes as well understood in the future as today's hardware random number generator technology, it could, in principle, be certified, validated and evaluated on the same basis.