The PQC-vs-QKD debate keeps getting rerun because both sides keep talking past each other. PQC vendors point at universal applicability; QKD vendors point at physical-layer security. Both claims are correct and neither helps a CFO write a procurement line item.
The useful framing is procurement-shaped. Ask the same question you'd ask of any infrastructure decision: what am I buying, what does it operate like, and what is the addressable scope of the deployment? Once you put it in those terms, the answer for almost every Indian enterprise is the same — and it isn't the answer the QKD pitch deck wants.
What you actually buy with PQC
Post-quantum cryptography is, at the procurement level, a software upgrade. The NIST standards (ML-KEM, ML-DSA, SLH-DSA, FN-DSA) run on the CPUs you already own. Migration consumes engineering time, not capex on dedicated hardware — except where HSMs need replacing because their firmware is too old to take a PQC update, which is its own conversation (see the HSM problem).
Cost shape:
- Capex: limited to HSM firmware (often free from the vendor under existing support contracts) or replacements where firmware isn't available. Edge equipment (load balancers, ADCs) is usually firmware-upgradeable.
- Opex: indistinguishable from your current cryptographic operating cost. CPU overhead is real but small.
- Scope: every endpoint, every signature, every KEM in your estate. Site-wide.
What you actually buy with QKD
Quantum key distribution is, at the procurement level, a specialist hardware infrastructure project. You buy QKD endpoints (paired transmitter / receiver units), dedicated dark fibre between them (or a satellite ground-station for free-space QKD), a key management system, and a 24×7 operations team to run the link because key rate, polarisation drift, and bit-error rate all need continuous monitoring.
Cost shape:
- Capex: crore-scale per link in India today. Endpoint pair plus dark fibre lease plus integration plus key management software.
- Opex: trusted-node operations, link calibration, key-rate monitoring, fibre maintenance. Not trivial.
- Scope: point-to-point only. QKD does not scale to the internet; trusted-node chains beyond ~100 km add their own attack surface.
The budget asymmetry that decides it
Take a typical mid-tier Indian universal bank with, say, 200 branches, 2,000 servers, a dozen internal CAs, and four data centres. PQC migration touches every one of those. Done properly, it removes the bank's exposure to harvest-now-decrypt-later attacks against external TLS, internal mTLS, document signing, code signing, and archival data. The bill for that work is a multi-year programme but a relatively small fraction of the existing cybersecurity budget — it's mostly engineering hours.
QKD touches one fibre link. To get the same risk reduction across the same estate using QKD alone would require dozens or hundreds of QKD links, each a multi-crore capex item with its own operating crew. It is not a comparable spend.
This is what the comparison usually misses. PQC is not just "good enough" — it is the only mathematically and operationally viable way to migrate a whole enterprise. QKD is a complementary capability for the small set of links where the physical-layer properties of QKD are actually doing useful work that PQC can't.
Where QKD earns its keep
There are three deployment patterns where QKD makes budget sense in India today:
- Sovereign backbones. National-security agencies, defence networks, the strategic-affairs side of finance ministries. These already operate dark-fibre infrastructure, can absorb the capex, and benefit from physical-layer eavesdropping detection on a small set of critical links.
- Data-centre interconnect for highest-tier banks. A handful of L3/L4 systems where two of your data centres are within ~50 km of each other, the link already runs on dark fibre you control, and adding QKD as a defence-in-depth layer on top of PQC is incremental rather than a new programme.
- Research and pilot. Funded under NQM programmes for capability development. Useful for the country, but a different conversation from the bank's own migration budget.
The Indian picture, plainly
India's NQM has rightly funded both PQC migration and QKD capability development as separate workstreams. They serve different purposes. For an enterprise CFO weighing where the next ten crore of cyber budget should go, the answer for the next three years is almost always PQC migration first — because that is where the exposure is.
If you have an L4 data-centre-interconnect link and dark fibre you control, layer QKD on top once PQC is done. If you don't, don't.