Cybersecurity has always been an arms race, and quantum cryptography is its next front.
Attackers break in, we build defenses. They adapt, we adapt faster. We invested in more sophisticated tools, including AI, to improve efficiency and lower costs. Attackers are now using AI to do the same.
We have to think two or three moves ahead to stand a chance of stopping them. The next move is quantum cryptography, a market projected to reach $9.4 billion by 2032, up from under $1.4 billion last year.
What is it, and why does it matter? Here are the questions every leader should be able to answer.
Quantum Cryptography Explained
As defined by the National Institute of Standards and Technology (NIST), quantum cryptography uses quantum devices, such as sensors that can record individual particles of light (photons), to protect data. Photons exist in more than one state at the same time, making it impossible to pinpoint their exact quantum state and, therefore, virtually impossible to crack. Unlike traditional cryptographic methods, which use mathematical algorithms, quantum cryptography relies on the principles of physics and is far more secure.
What Is Quantum Cryptography? How Does It Work?
Traditional cryptography uses mathematical algorithms to hide information from unauthorized parties.
Quantum cryptography is based on the laws of physics, not math. As the National Institute of Standards and Technology (NIST) defines it, quantum cryptography uses quantum devices, like sensors that can record individual particles of light (photons), to protect data.
Photons are unpredictable, which in this case is a feature, not a bug. They can exist in more than one state at the same time, making it impossible to pinpoint their exact quantum state. When photons are used to create a random encryption key, the result is quantum key distribution (QKD), which takes advantage of that unpredictability to ensure the key is random, secure and theoretically unbreakable.
The most widely used QKD method, called BB84, works by encoding each bit of the key onto a single photon. If anyone intercepts that photon to read it, the act of measuring the particle changes it. Both parties then know the key has been compromised.
Is Quantum Cryptography More Secure?
Yes. Adversaries cannot clone a quantum particle with full certainty. And there’s the observer effect: Any attempt to intercept a quantum key exchange disrupts the quantum state, making it instantly detectable.
Attackers cannot copy or intercept keys without tipping their hand, which matters because not all encryption is equally at risk. Data at rest, protected with AES-512 or higher, remains relatively safe today, with some performance tradeoffs. Data in motion, protected by today’s public-private key encryption, is far more vulnerable. That’s where security leaders need to focus first.
Adversaries know this too, and they’re working to weaponize it. The trend to watch is “harvest now, decrypt later.” Attackers, especially nation-state actors, are collecting encrypted data today with no immediate way to read it. They’re betting that quantum technology will mature enough to decrypt it later, at scale.
Security leaders should assume this is already happening to their most sensitive traffic. The immediate precaution is to classify data by its long-term sensitivity. Anything that must remain confidential for a decade or more, such as intellectual property, M and A strategy or customer PII, should be prioritized for early migration to quantum-resistant encryption, even before the full threat materializes.
Real-World Applications of Quantum Cryptography
Now is the time to invest, not later. 61 percent of global organizations are planning to migrate to post-quantum cryptography (PQC) within five years. Interest spiked in December 2024 when Google introduced Willow, a quantum chip that performed a calculation in under five minutes that would take modern supercomputers 10 septillion years to complete. That’s longer than the universe has existed.
Significant implications are now at play for government agencies, especially the military, along with financial institutions, critical infrastructure and health and science research. The White House is directing agencies to defend systems from cryptanalytically relevant quantum computers (CRQCs), which will be capable of breaking much of the public-key cryptography in use today. The National Security Agency (NSA) has issued guidance to the Department of Defense (DoD) and Defense Industrial Base (DIB) regarding responses to CRQCs.
In the financial sector, HSBC is deploying PQC-enabled virtual private network (VPN) tunnels and quantum random number generation (QRNG) to protect tokenized gold transactions. In the healthcare industry, organizations are exploring quantum advancements to safeguard sensitive patient, clinical trial and genomic data.
In 2024, NIST finalized its principal set of encryption algorithms designed to withstand quantum attacks. Major telecommunications providers, defense contractors, and tech firms are investing in the infrastructure. Governments in the US, Europe, and elsewhere are committing to PQC research. Last year, China announced a $138 billion government-backed fund for quantum computing and other emerging technologies.
What Are the Challenges of Quantum Cryptography?
Quantum cryptography is complex and costly to implement. Quantum communications systems use photons to transport information over hundreds of kilometers inside an optic fiber. Over such a large distance, photon absorption in the fiber limits the ability to convey information as well as preserve the fragile state of the photons. Because of intricacies like these, the technology remains in the development and testing stage. Researchers are making progress on quantum repeaters and satellite-based QKD to extend range, but widespread commercial deployment is still years away.
Even so, “harvest now, decrypt later” makes long-term data protection a board-level priority. The right starting point is a hard organizational question: what data, if decrypted in five or 10 years, would do the most damage to the business? That answer should drive the roadmap.
What Is the Future of Quantum Cryptography?
Quantum cryptography and PQC are still works in progress, but organizations that wait for maturity will find themselves behind.
My recommendation to other CIOs and CISOs is straightforward. Don’t wait. Start with an inventory of every encryption method you use today. Designate an owner for your quantum readiness effort. Build a roadmap from there, and invest in cryptographic agility so that your teams can switch encryption methods quickly and safely as new threats emerge.
The arms race has always been about staying two or three steps ahead. With quantum, the organizations that start preparing now will be the ones still ahead when it arrives.
Frequently Asked Questions
What is quantum cryptography?
As defined by the National Institute of Standards and Technology (NIST), quantum cryptography uses quantum devices, such as sensors that can record individual particles of light (photons), to protect data. Photons exist in more than one state at the same time, making it impossible to pinpoint their exact quantum state and, therefore, virtually impossible to crack.
Is quantum cryptography used today?
Yes, but it's still in the early exploration stage rather than full deployment. Governments are investing in research and setting standards. NIST finalized its first post-quantum encryption algorithms in 2024, and 61 percent of global organizations are planning to migrate to post-quantum cryptography (PQC) within five years.
What is the difference between quantum cryptography and normal cryptography?
Traditional cryptography uses mathematical algorithms to hide information from unauthorized parties. Quantum cryptography is based on the laws of physics, using the unpredictable behavior of photons to do the same.
