Quantum Computation (Caltech PHYS 219)
Prof. John Preskill, Caltech
Quantum cryptography spans two distinct fields: quantum key distribution (QKD), which uses quantum mechanics to distribute encryption keys with physics-backed security guarantees, and post-quantum cryptography (PQC), which uses classical math designed to resist quantum computer attacks. This page covers courses on both.
The term "quantum cryptography" is used loosely and often conflates two distinct areas. Understanding the difference is essential before choosing what to study.
QKD uses quantum mechanics to distribute encryption keys. Security comes from physics rather than from computational assumptions: the no-cloning theorem means an eavesdropper cannot copy the photons in transit, and measuring them in the wrong basis disturbs them, so interception shows up as an elevated error rate that Alice and Bob can detect. QKD requires dedicated quantum hardware (single-photon or attenuated-laser sources, an optical quantum channel, and specialized detectors) plus an authenticated classical channel for the public discussion; without that authentication an attacker can simply impersonate Bob. It is already deployed in some high-security environments but remains expensive and limited in range without quantum repeaters.
PQC uses classical mathematical problems that are believed to be hard for quantum computers as well as classical ones: structured lattices, hash functions, and error-correcting codes. It runs on today's classical hardware with no quantum infrastructure, which is why it, not QKD, is what most systems will actually deploy. NIST finalized its first three PQC standards in August 2024: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, digital signatures) and FIPS 205 (SLH-DSA, stateless hash-based signatures). Organizations need to migrate from RSA and ECC to these standards before cryptographically relevant quantum computers arrive. PQC is the more urgent near-term priority for most security professionals.
QKD allows two parties (typically called Alice and Bob) to generate a shared secret key with security guaranteed by the laws of quantum mechanics. The most important protocol is BB84, introduced by Charles Bennett and Gilles Brassard in 1984.
Alice sends photons to Bob, each encoding a random bit as a polarization state in one of two randomly chosen, incompatible bases (rectilinear: horizontal/vertical; diagonal: +45/-45 degrees). Bob measures each photon in a basis he picks at random. After transmission, Alice and Bob publicly compare which bases they used, never the bit values, and keep only the positions where the bases match; since the bases agree with probability 1/2, about half the bits survive. This is the sifted key (the raw key is everything Bob measured before sifting).
An eavesdropper (Eve) cannot copy an unknown quantum state, this is the no-cloning theorem, so she cannot keep a copy and forward the original untouched. The simplest attack, intercept-and-resend, forces her to measure each photon in a guessed basis and re-send her result: she guesses wrong half the time, and a wrongly measured photon gives Bob a random bit, so this attack introduces a 25% error rate into the sifted key. Alice and Bob sacrifice a random subset of sifted bits, compare them publicly and compute the quantum bit error rate (QBER); if it exceeds the protocol's threshold (about 11% for BB84 with standard one-way post-processing) they discard the key. Below the threshold they run error correction and privacy amplification to remove residual errors and squeeze out whatever partial information Eve may hold. Two caveats matter in practice: the public discussion must run over an authenticated classical channel, and the security proof covers the protocol, not the hardware, so implementations still need defences against device-level attacks on sources and detectors.
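The BB84 exchange, sifting and error estimation described above, as an added simulation that is not part of the original page: it models photons as (bit, basis) pairs with no channel noise or loss, and the only attack is intercept-and-resend. The threshold constant and the choice to sacrifice every other sifted bit for error estimation are simplifying assumptions; real systems use a random subset and then run error correction and privacy amplification, which are not modelled here.

```python
import random

RECTILINEAR, DIAGONAL = 0, 1
# Above roughly 11% QBER, BB84 with one-way post-processing cannot distill a
# secure key; a real system aborts. The exact bound depends on the protocol variant.
QBER_ABORT_THRESHOLD = 0.11


def prepare(bit, basis):
    """A photon carrying `bit` polarised in `basis` (idealised: no noise or loss)."""
    return (bit, basis)


def measure(state, basis, rng):
    """Measuring in the preparation basis returns the bit; measuring in the wrong
    basis returns a uniformly random bit and destroys the original information."""
    bit, prep_basis = state
    if basis == prep_basis:
        return bit
    return rng.randrange(2)


def intercept_resend(state, rng):
    """Eve's attack: guess a basis, measure, and re-send what she observed."""
    eve_basis = rng.randrange(2)
    return prepare(measure(state, eve_basis, rng), eve_basis)


def run_bb84(n, eavesdrop=False, seed=0):
    rng = random.Random(seed)  # seeded for reproducibility; a real system uses a hardware RNG
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = prepare(bit, a_basis)
        if eavesdrop:
            photon = intercept_resend(photon, rng)
        bob_bits.append(measure(photon, b_basis, rng))

    # Sifting: over the authenticated public channel Alice and Bob compare bases
    # (never bit values) and keep the positions where the bases agree.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]

    # Error estimation: publicly reveal every other sifted bit, then discard it.
    sample, kept = sifted[0::2], sifted[1::2]
    errors = sum(a != b for a, b in sample)
    qber = errors / len(sample) if sample else 0.0

    return {
        "sifted_len": len(sifted),
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "alice_key": [a for a, _ in kept],
        "bob_key": [b for _, b in kept],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(10_000, eavesdrop=eve)
        print(f"eavesdrop={eve}: sifted={r['sifted_len']} "
              f"QBER={r['qber']:.3f} aborted={r['aborted']}")
```

Without Eve the sifted keys agree exactly and the QBER is zero; with intercept-and-resend the QBER lands near 25% and the run aborts. Real channels have a non-zero baseline QBER from detector noise and imperfect optics, which is exactly why the abort threshold is a band rather than "any error at all".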
QKD networks are operational in several countries. China's Micius satellite demonstrated intercontinental QKD in 2017. Commercial QKD systems are deployed in financial institutions and government networks in Japan, South Korea, and parts of Europe. The main limitations are distance (single-photon signals attenuate in fiber, limiting range to about 100-200 km without quantum repeaters) and cost.
The threat from quantum computers to classical cryptography is well-understood. Shor's algorithm can break RSA, DSA, and elliptic curve cryptography in polynomial time on a sufficiently large fault-tolerant quantum computer. The "harvest now, decrypt later" threat makes this urgent even before such computers exist: adversaries can record encrypted traffic today and decrypt it once quantum hardware matures.
After an eight-year standardization process (NIST's call for submissions went out in December 2016), NIST published its first three post-quantum standards in August 2024: FIPS 203, ML-KEM (based on CRYSTALS-Kyber), for key encapsulation; FIPS 204, ML-DSA (based on CRYSTALS-Dilithium), for digital signatures; and FIPS 205, SLH-DSA (based on SPHINCS+), a stateless hash-based signature scheme whose security rests only on hash functions and therefore serves as a conservative fallback should the lattice assumptions fail. A fourth standard, FN-DSA (based on FALCON), for more compact lattice signatures, is being specified separately as FIPS 206.
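To show why hash-based signatures survive Shor's algorithm, here is Lamport's one-time signature scheme (1979), the conceptual ancestor of SLH-DSA, as an added example that is not from the original page and is not SLH-DSA itself. Its only assumption is that SHA-256 is preimage-resistant, which Grover's algorithm weakens from 2^256 to roughly 2^128 work but does not break. The message labels are constructed; `preimages_leaked` is a helper added here to make the one-time restriction concrete.

```python
import hashlib
import secrets

HASH_BITS = 256  # SHA-256 digest length = number of key-pair slots


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(randbytes=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(randbytes(32), randbytes(32)) for _ in range(HASH_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the preimage matching that bit's value."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Each revealed value must hash to the public-key entry selected by the digest bit."""
    if len(sig) != HASH_BITS:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def preimages_leaked(msg1: bytes, msg2: bytes) -> int:
    """Slots where BOTH preimages become public if one key signs both messages.
    In those positions a forger can choose either bit freely, which is why the
    key is strictly one-time (SLH-DSA fixes this with Merkle trees over many keys)."""
    return sum(b1 != b2 for b1, b2 in zip(message_bits(msg1), message_bits(msg2)))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"release v1.2 sha256=..."  # constructed sample message
    sig = sign(sk, msg)
    print("valid signature:", verify(pk, msg, sig))
    print("altered message:", verify(pk, b"release v1.3 sha256=...", sig))
    print("public key bytes:", HASH_BITS * 2 * 32, "signature bytes:", HASH_BITS * 32)
    print("slots fully exposed by one key reuse:",
          preimages_leaked(msg, b"release v1.3 sha256=..."))
```

The 16 KB public key and 8 KB signature illustrate the trade-off the page alludes to: hash-based schemes carry minimal assumptions but large artifacts, which is why SLH-DSA is the backup and the lattice schemes are the primary choice.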
RSA security relies on the hardness of integer factoring; ECC security relies on the hardness of the discrete logarithm problem on elliptic curves. Shor's algorithm solves both in polynomial time, so larger keys are not a defence: moving from RSA-2048 to RSA-4096 buys little against a quantum adversary. Published resource estimates put 2048-bit RSA, still the common internet default, within reach of a fault-tolerant machine with a few thousand logical qubits (millions of noisy physical qubits under current error-correction overheads) running for hours to days. No such machine exists today, but the resources required in these estimates have fallen steadily as algorithms and error correction improve.
Encrypted data captured today has a long shelf life. State-level adversaries are believed to be storing large volumes of encrypted traffic now, with the intention of decrypting it when quantum computers become available. Sensitive data that must remain confidential for 10 or more years -- government secrets, medical records, financial data -- is at risk now, not only when quantum computers arrive.
NIST recommends beginning migration planning immediately; its draft transition guidance (NIST IR 8547) proposes deprecating quantum-vulnerable public-key algorithms at the 112-bit security level (e.g., RSA-2048) after 2030 and disallowing all quantum-vulnerable public-key algorithms after 2035. Full transition from RSA and ECC to post-quantum standards is a multi-year process: inventory every place cryptography is used (TLS, VPNs, code signing, PKI, HSMs, embedded devices), prioritize by how long the protected data must stay secret and how hard each system is to change, then deploy in phases. Most organizations will run hybrid schemes during the transition, combining a classical and a post-quantum algorithm so that a connection stays secure as long as either one holds; this hedges against undiscovered weaknesses in the new algorithms as well as preserving compatibility with peers that have not yet migrated.
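The "harvest now, decrypt later" reasoning above and the inventory-and-prioritize step of the migration process, as an added triage script that is not part of the original page. It applies Mosca's inequality (shelf life x plus migration time y exceeding the years z until a cryptographically relevant quantum computer means the data is exposed today) to a constructed inventory; the algorithm sets, the sample assets, their years and the 10-year horizon are all illustrative assumptions, not measurements or a NIST recommendation.

```python
from dataclasses import dataclass

# Public-key primitives that Shor's algorithm breaks outright.
QUANTUM_BROKEN = {"RSA", "DSA", "ECDSA", "ECDH", "DH", "ED25519", "X25519"}
# The FIPS 203/204/205 algorithms.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric and hash primitives: Grover's algorithm only halves the effective
# security level, so 256-bit keys and digests remain acceptable.
SYMMETRIC_OK = {"AES-256", "SHA-256", "SHA-384", "SHA3-256"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithms: tuple        # primitives the system depends on
    shelf_life_years: int    # x: how long its data must stay confidential (or its signatures unforgeable)
    migration_years: int     # y: realistic time to migrate this system


def classify(alg: str) -> str:
    if alg in QUANTUM_BROKEN:
        return "broken"
    if alg in QUANTUM_SAFE or alg in SYMMETRIC_OK:
        return "safe"
    return "review"          # e.g. AES-128: not broken, but a reduced margin worth reviewing


def assess(asset: Asset, years_to_crqc: int) -> dict:
    """Mosca's inequality: if x + y > z, traffic recorded today is still
    sensitive at the moment it becomes decryptable. Only assets that rely on a
    Shor-breakable primitive are exposed; a pure AES-256 archive is not."""
    broken = [a for a in asset.algorithms if classify(a) == "broken"]
    margin = asset.shelf_life_years + asset.migration_years - years_to_crqc
    exposed = bool(broken) and margin > 0
    return {"name": asset.name, "broken": broken, "margin": margin, "hndl_exposed": exposed}


def prioritize(assets, years_to_crqc: int) -> list:
    """Exposed assets first, ordered by how far they overshoot the horizon."""
    results = [assess(a, years_to_crqc) for a in assets]
    return sorted(results, key=lambda r: (not r["hndl_exposed"], -r["margin"]))


# Constructed sample inventory; the numbers are illustrative, not measured.
INVENTORY = (
    Asset("site-to-site VPN", ("X25519", "AES-256"), shelf_life_years=15, migration_years=2),
    Asset("public web TLS", ("RSA", "ECDH", "AES-128"), shelf_life_years=5, migration_years=6),
    Asset("release signing", ("ECDSA", "SHA-256"), shelf_life_years=1, migration_years=3),
    Asset("cold archive", ("AES-256",), shelf_life_years=25, migration_years=1),
    Asset("service mesh", ("ML-KEM", "ML-DSA", "AES-256"), shelf_life_years=10, migration_years=0),
)

if __name__ == "__main__":
    for r in prioritize(INVENTORY, years_to_crqc=10):
        flag = "EXPOSED" if r["hndl_exposed"] else "ok"
        print(f"{r['name']:<18} {flag:<8} margin={r['margin']:+d} broken={r['broken']}")
```

The useful output is the ordering, not the absolute numbers: the VPN carrying long-lived secrets over X25519 outranks the public web endpoint, and the signing system, although it uses ECDSA, is not a harvest-now target because old signatures lose their value quickly. Re-run with a shorter horizon to see how sensitive the ranking is to the estimate of z, which is the one input nobody knows precisely.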
Ranked by rating. Covers QKD, BB84, post-quantum cryptography, and quantum-safe protocols.
Prof. John Preskill, Caltech
Scott Aaronson (UT Austin)
DAMTP, University of Cambridge
Prof. Isaac Chuang and Prof. Peter Shor, MIT
Dr. Daniel Gottesman, Perimeter Institute
IQC Faculty, University of Waterloo
Prof. Elias Fernandez-Combarro Alvarez, University of Oviedo
Stephanie Wehner, Lieven Vandersypen
University of Cambridge / Isaac Physics
Delft University of Technology (QuTech)
Delft University of Technology (QuTech)
Centre for Quantum Technologies, NUS
Step-by-step guides covering BB84, QKD simulation, and post-quantum concepts.