Pentagon Bans Quantum Key Distribution in PQC Strategy
The Pentagon's new post-quantum cryptography strategy bans quantum key distribution and sets a 2031 deadline for every military system.
On June 24, the Department of War published its first dedicated post-quantum cryptography strategy, a 25-page document telling every military system, from radios in the field to nuclear command and control, to be running quantum-resistant encryption by the end of 2031. That part isn’t shocking. Governments have been signaling this for a while, and it landed one day after the White House signed executive orders setting similar deadlines for civilian agencies.
The part worth stopping on is buried a few pages in: the strategy explicitly bans quantum key distribution as a substitute for standards-based post-quantum cryptography. Not “deprioritizes.” Bans. If you’ve spent any time around vendors selling “quantum security” hardware, you know why that line matters.
What the strategy actually requires
The timeline has two steps. By December 31, 2030, every Department of War system needs to support post-quantum algorithms or get phased out. By December 31, 2031, every system has to actually be using them, no exceptions for cost or legacy status. In between, components have to inventory their cryptography, name a migration lead, and get test artifacts approved before deploying anything.
That inventory requirement is the unglamorous part that will eat the most time. CIO Kirsten Davies wrote in the strategy’s opening that “nearly every deployed military asset will be affected in some way.” Anyone who has tried to find every place RSA or ECC shows up in a large organization knows that finding the crypto is usually harder than replacing it. Certificates hide in firmware. Keys get baked into decades-old radios that nobody documented. A five-year runway sounds generous until you’re the one doing the inventory.
Why banning QKD is the more interesting move
Quantum key distribution uses physics, not math, to detect eavesdropping on a fiber link. It sounds like exactly the kind of thing a “quantum threat” should be answered with, and several vendors have built businesses pitching it that way. The Department of War strategy says no. QKD doesn’t scale over the distances and networks the military actually operates on, it doesn’t provide authentication on its own, and it requires specialized hardware most of the world doesn’t have and can’t easily install.
This is a strategy document rejecting a “quantum” solution to a quantum problem in favor of ordinary math (lattice-based algorithms that run on the computers everyone already owns). ML-KEM and ML-DSA, the NIST-standardized algorithms this migration is built around, don’t need anything exotic. That’s the entire point of standardizing them. If your organization is evaluating vendor pitches that lean on QKD or “quantum-safe” hardware as a shortcut around the FIPS 203/204/205 migration, this document is a useful thing to wave at them.
Why nuclear command and control changes the math
The strategy names two scenarios as existential, not just serious: authorizing nuclear weapons and coordinating operations with partner forces. The concern isn’t that someone reads old traffic later. It’s that an adversary with a future quantum computer could interfere with command and control mid-operation, not just decrypt archives after the fact.
And the archives matter too. Harvest-now-decrypt-later doesn’t require a working quantum computer today, just storage. Classified traffic encrypted with RSA or ECC and intercepted this year is exactly as vulnerable in 2032 as it will be the day a cryptographically relevant quantum computer switches on. The 2031 deadline stops new exposure. It does nothing for whatever’s already been collected, and the strategy is candid about that instead of pretending otherwise.
The bandwidth tax nobody prices in
Most coverage of this strategy skips the part that matters most for implementers. Post-quantum algorithms are bigger. ML-KEM public keys run around 1,200 bytes. ML-DSA signatures land between 2,420 and 4,595 bytes, several times the size of an ECDSA signature. For a data center swapping TLS libraries, that’s a rounding error. For a satellite uplink or a battlefield radio operating on constrained bandwidth, it’s a real engineering problem, which is why the strategy leans so hard on crypto-agility instead of picking one algorithm and calling it done.
What this means outside the Pentagon
Most organizations don’t have to protect nuclear command and control, but the shape of the problem is the same: find where your cryptography actually lives, prioritize what handles long-lived secrets, and build systems that can swap algorithms without a rebuild. If the Department of War, with its budget and its urgency, is giving itself until 2031 and admitting that some of the risk is already baked in, that’s worth sitting with if your own migration plan is still “get to it next year.”
The QKD ban is a smaller story than the deadline, but it’s the one I keep coming back to. The people writing the rules for the most sensitive networks on earth looked at the flashy physics-based option and picked the boring, standardized math instead. That’s a decent tiebreaker for anyone still weighing a “quantum” vendor pitch against a FIPS-standard one.