0

Deploying PQC is a pressing need but, longer term, a hybrid PQC/QKD approach will deliver quantum-safe networks

Quantum computers have been on the verge of commercial utility for years. However, ramping momentum in the space, coupled with the established threat of harvest now, decrypt later approaches wherein bad actors steal valuable data now, then use quantum computing to decrypt in the future, is prompting operators to take action. Another factor that’s adding urgency are a range of nation-level timelines that mandate post-quantum cryptography migration in the 2030-2035 timeline. Net-net, the point is operators around the world are working to deploy quantum-safe networks to protect their own data, as well as the data they carry for customers, particularly those in regulated industries like financial services, healthcare and utilities.

Before we examine how operators are preparing for Q-Day and beyond, it’s useful to define (and differentiate) post-quantum cryptography (PQC) and quantum key distribution (QKD) — these are distinct but complementary approaches to building quantum-safe networks. PQC replaces older public-key systems like RSA and ECC with new methods designed to resist quantum-based decryption. NIST has finalized three primary standards for secure key exchange, digital signatures and hash-based signatures.

These algorithms can be integrated into existing internet protocols like TLS, IPsec, QUIC, and 5G networks, allowing organizations to strengthen security through software or firmware updates without replacing their hardware. PQC is a software-based upgrade that is more economical and scalable given that it works on existing processing and network cards, and because it fits into current key and certificate system.

QKD is a way to exchange encryption keys using the properties of quantum mechanics rather than increasingly complex math. It encodes keys into quantum particles whose behavior changes when observed. This means any attempt to compromise those particles reveals the presence of a bad actor. QKDs provides high-assurance and provable secrecy for key exchanges; however, its requires specialized optical hardware, dedicated fiber and precise system calibration. That means QKD is best suited to highly specialized or valuable data links.

Singtel is delivering hybrid quantum-safe networks as a managed service

Singtel is positioning quantum-safe networks as a managed enterprise security service. The operator has built a nationwide Quantum-Safe Network in Singapore that combines PQC and QKD meant to protect both core connectivity and harder-to-reach sites, including remote, cloud and international locations.

The effort began as a national infrastructure play. Singapore’s Infocomm Media Development Authority appointed Singtel to develop the country’s first National Quantum-Safe Network Plus, or NQSN+, with ID Quantique supplying QKD technology. Singtel then widened the ecosystem through memoranda of understanding with Cisco, Fortinet and Nokia, integrating quantum-safe key distribution with Cisco routing platforms, Fortinet firewalls and Nokia optical devices so enterprises can add quantum-safe protection to existing network and security architectures.

Commercially, Singtel is packaging the capability in several ways. Its Quantum Key-as-a-Service offering includes operational support, monitoring, incident response and change management while letting customers retain control of encryption keys. It also offers managed domestic quantum-safe networks linking offices and data centers, with Singtel handling QKD, key management and encryptors. The company is also developing hardware security module integration, cloud-based deployments and a one-to-many key-management model intended to reduce complexity and cost as deployments scale.

BT builds a quantum-safe metro network

BT has approached quantum-safe networks as both a near-term security service and a longer-term national infrastructure play. Its most visible work began with Toshiba in London, where the companies launched what they described as the world’s first commercial trial of a quantum-secured metro network, with EY as the first commercial customer. The trial connected EY sites in Canary Wharf and near London Bridge, using QKD over standard fiber links to secure high-value data traffic between physical locations.

BT’s role in that deployment was as the network operator. The service used Openreach private fiber infrastructure, with Toshiba providing the QKD hardware and key management software. BT positioned the offer around dedicated high-bandwidth, end-to-end encrypted links, giving enterprises a way to trial quantum-secured communication without building their own specialized infrastructure.

The company has since moved the model closer to repeatable enterprise consumption. In 2024, BT, Toshiba and Equinix announced a UK-first quantum-secure data center-to-data center connection between Equinix facilities in Canary Wharf and Slough. That architecture is important commercially because rather than requiring each customer to procure bespoke quantum infrastructure, businesses colocated in those facilities can access BT and Toshiba’s quantum-secured metro network and trial quantum keys-as-a-service.

BT is also framing quantum security as one element of broader “quantum-ready” networking. Its research agenda includes post-quantum cryptography, QKD and entanglement-based security, alongside work to connect future quantum computers, sensors and devices. Recent projects include QKD assurance work, resilience for fiber-based QKD, hybrid quantum data center exploration with ORCA Computing, optical space-to-ground communications research with the University of Suffolk and quantum-enabled RF sensing through Project SPECTRA.

AT&T adds PQC to its enterprise SD-WAN offering

AT&T is taking a different path into quantum-safe networking than operators building QKD-based metro networks. Its initial move is focused on PQC for enterprise SD-WAN, with AT&T Business launching a Quantum Resilient SD-WAN service powered by Cisco 8000 Series Secure Routers.

The product strategy is pragmatic in that it starts where large enterprise traffic already concentrates, then expand across the broader software-defined security stack. AT&T says the service will align with NIST-standardized PQC algorithms and will be available to business customers later this year. Cisco’s secure router platform is intended to provide quantum-resilient encryption, authentication and secure boot capabilities.

AT&T’s Novith Reddy framed the launch less as a race to market than a response to timing, compliance and customer risk. “So harvest now, decrypt later is not theoretical, it’s happening,” he said, pointing to CNSA 2.0 compliance timelines moving toward 2027 and faster quantum development cycles. That makes the WAN a logical starting point, particularly for customers with long data-retention requirements.

The architecture gives customers an incremental path. Reddy said Cisco Catalyst customers should see software updates that make “mainly the encryption part” quantum safe, while the newer secure routers provide “a three-pronged approach” covering data-plane encryption, control-plane authentication and device trust through secure boot and firmware signing using PQC algorithms. “Customers shouldn’t really be scared about ripping out their existing infrastructure,” he said. “It will give them time.”

The longer-term issue is crypto agility. “Cryptography is an evolving field,” Reddy said, arguing that enterprises need infrastructure able to accommodate future algorithm changes. AT&T’s role is to absorb complexity by working with vendors, testing code in its labs and pushing updates through software-defined architectures. For now, Reddy said utilities and financial companies are asking the most questions. His broader advice was to take a phased approach, but do not wait for a deadline or breach to force the migration.

Register to attend the Quantum Safe Networks Forum hosted by RCR Tech on July 14, for a 360-degree view of how operators are protect networks from future threats.