Entangled Migrations PQC, QKD, and US–PRC Risk Postures for Critical Infrastructure

March 2026

By David Mussington, Ph.D., CISSP, DDN QTE,

ICIT Fellow, Co-Chair, ICIT FCEB Resilience Center

The ICIT Quantum-Resilient Convergence paper established that Post-Quantum Cryptography (PQC) migration and AI/Low Earth Orbit (LEO) infrastructure modernization are a single coupled program, and that the window to embed cryptographic resilience into that infrastructure closes in the early 2030s. This paper extends that analysis into a dimension the first paper identified but did not develop: the parallel emergence of Quantum Key Distribution (QKD) as a live infrastructure investment on the same 2026–2035 timeline, and the structurally divergent risk choices the United States and the People’s Republic of China (PRC) are making across both PQC and QKD for their most consequential critical infrastructure (CI) links.

The United States applies defense-in-depth as a foundational principle in nuclear deterrence, missile defense, cyber architecture, and critical infrastructure protection. Quantum-era cryptographic resilience is the conspicuous exception. Current US policy concentrates all CI protection on a single class of mathematical assumption — post-quantum cryptography — implemented through one standards track, executed on a migration timeline already under institutional strain. The PRC has made a different choice: it is building a sovereign QKD infrastructure layer at continental scale while simultaneously pursuing a domestic PQC stack, purchasing defense-in-depth against the possibility that either approach alone proves insufficient.

This paper does not argue that the US should replicate PRC-scale QKD deployment. It asks whether concentrating all quantum-era cryptographic resilience on PQC — without any physics-based fallback — is an acceptable risk posture for the small number of Tier-1 CI links — defined in this paper as the critical infrastructure communication paths where confidentiality horizons are permanent or multi-decade, where compromise enables physical consequences or systemic financial disruption, and where the cost of cryptographic failure is not recoverable through patching or migration after the fact — specifically nuclear command segments, financial settlement backbones, and bulk power control networks. The answer may be yes. But the question must be asked with the same rigor the United States applies to every other domain where it stakes national security on layered defense, and current policy does not ask it.

PQC and QKD are conventionally framed as competing responses to the quantum cryptographic threat — mathematical hardness versus physics-based key exchange. That framing obscures two facts that matter for CI resilience.

First, the technologies are structurally coupled. QKD’s operational security depends on PQC at the authentication layer; both share partial-deployment downgrade vulnerabilities; both face hardware maturity constraints on overlapping timelines; and both introduce classical chokepoints that reintroduce the threat surface they were designed to escape. Neither is a standalone answer. A risk framework that evaluates one without the other will systematically misestimate quantum-era exposure.

Second, they encode different bets against different failure modes — and the United States and the PRC have chosen different sides of that bet for their highest-value infrastructure. PQC is a bet on the durability of mathematical hardness assumptions. QKD is a bet on the stability of physical laws governing quantum measurement. The PRC has paid for both bets simultaneously. The US has chosen one. The divergence is not a deployment-scale gap measurable in kilometers of fiber. It is a structural difference in how each state allocates risk across algorithmic failure, infrastructure chokepoints, and governance for the CI links where the cost of being wrong is highest.

This paper’s contribution is to extend the ICIT convergence analysis into that risk-posture dimension: modeling PQC and QKD as coupled surfaces with shared structural challenges, mapping the US and PRC choices as distinct risk allocations over those surfaces, and assessing whether the resulting US single-assumption posture warrants the same defense-in-depth scrutiny applied to every other domain of national security.

VIEW AND DOWNLOAD THE WHITE PAPER

About ICIT

The Institute for Critical Infrastructure Technology (ICIT) is a nonprofit, nonpartisan, 501(c)3think tank with the mission of modernizing, securing, and making resilient critical infrastructure that provides for people’s foundational needs. ICIT takes no institutional positions on policy matters. Rather than advocate, ICIT is dedicated to being a resource for the organizations and communities that share our mission. By applying a people-centric lens to critical infrastructure research and decision making, our work ensures that modernization and security investments have a lasting, positive impact on society. Learn more at www.icitech.org.