Decision Framework

PQC vs QKD

Two different answers to the same question — how do we protect data against quantum computers? Here is when to choose each, and when to combine them.

Mathematics-based

Post-Quantum Cryptography

Software algorithms believed to be hard for quantum computers.

  • Runs on existing classical infrastructure
  • NIST-standardised: ML-KEM, ML-DSA, SLH-DSA
  • Works over the public internet
  • Drops into TLS, IKE, PKI, and code signing
  • Recommended by NSA, BSI, ANSSI, NCSC, ASD
Physics-based

Quantum Key Distribution

Physical key exchange whose security comes from quantum mechanics.

  • Requires dedicated fibre or satellite links
  • Detects eavesdropping at the physical layer
  • Bounded distance — needs trusted nodes
  • Used for high-assurance government links
  • Hardware-heavy, low throughput
PropertyPQCQKD
FoundationHard mathematical problemsLaws of quantum physics
MediumSoftware, existing networksDedicated fibre or free-space links
RangeGlobal (anywhere TCP/IP runs)~100 km fibre · trusted nodes beyond
AuthenticationBuilt inRequires classical authentication channel
ThroughputComparable to classicalkbps to low Mbps
CostSoftware upgradeSpecialist hardware + dark fibre
Mass deployabilityHighConstrained
Regulatory postureRecommended by most allied agenciesCaution — limited national use cases
Best fitPublic internet, enterprise, IoT, signaturesLong-lived high-assurance government links
When to combine

Pure PQC

Use as the default. Internet-scale, enterprise, IoT, signatures — everywhere classical cryptography lives today.

PQC + Classical Hybrid

Transitional posture: run X25519 and ML-KEM together. If either holds, the channel remains safe.

PQC + QKD

Reserve for national-security backbones where the budget exists for dedicated infrastructure and trusted-node operations.

Background — why the question even comes up
Shor's Algorithm

Breaks public-key crypto

Peter Shor's 1994 algorithm factors integers and computes discrete logs in polynomial time on a quantum computer. That collapses RSA, Diffie-Hellman, and elliptic-curve cryptography in one stroke — every key-exchange and signature scheme in use today.

Grover's Algorithm

Halves symmetric strength

Lov Grover's 1996 algorithm gives a quadratic speed-up for unstructured search. AES-128 effectively halves to ~64-bit. AES-256 remains comfortably safe — which is why most agencies now mandate AES-256 as the post-quantum default for symmetric cryptography.

CRQC

The arrival threshold

A Cryptographically Relevant Quantum Computer is one with enough logical qubits, depth, and error correction to actually run Shor's algorithm against a real RSA-2048 or P-256 key. That's the moment classical public-key cryptography fails — not the qubit-count headlines.

India's stance is hybrid. PQC is the recommended primary path for broad enterprise migration. QKD is funded for sovereign backbones and continues as a strategic capability.
See India's roadmap Compare algorithms