BB84 Protocol
The BB84 protocol (Bennett and Brassard, 1984) is the foundational QKD scheme. Alice encodes bits in single-qubit states across two mutually unbiased bases:
| Bit | Rectilinear basis ${ | 0\rangle, | 1\rangle}$ | Diagonal basis ${ | +\rangle, | -\rangle}$ |
|---|---|---|---|---|---|---|
| 0 | $|0\rangle$ | $|+\rangle = \frac{1}{\sqrt2}(|0\rangle+|1\rangle)$ | ||||
| 1 | $|1\rangle$ | $|-\rangle = \frac{1}{\sqrt2}(|0\rangle-|1\rangle)$ |
Protocol steps:
-
Transmission: Alice chooses a random bit $b \in {0,1}$ and a random basis $\beta \in {Z, X}$, then sends the corresponding state.
-
Measurement: Bob independently chooses a random basis $\beta’ \in {Z, X}$ and measures each received qubit.
-
Sifting: Alice and Bob publicly announce (over an authenticated classical channel) which basis they used for each qubit. They keep only the positions where $\beta = \beta’$ — the sifted key — discarding the rest. On average, half the bits survive.
-
Error estimation: They sacrifice a random subset of the sifted key to estimate the quantum bit error rate (QBER): $Q = P(\text{disagreement})$.
-
Error correction: Using a classical error-correcting code (e.g., cascade protocol) over the public channel, they reconcile their keys. This leaks $h(Q)$ bits per sifted bit (where $h$ is the binary entropy function).
-
Privacy amplification: They apply a random hash function to compress the reconciled key, reducing Eve’s information to a negligible amount. The final key rate is:
where $h(Q) = -Q\log_2 Q - (1-Q)\log_2(1-Q)$. If $Q > (1-1/\sqrt{2}) \approx 11\%$, the protocol aborts.
Intercept-Resend Attack Detection
An eavesdropper Eve intercepting BB84 faces a fundamental dilemma: she cannot determine Alice’s basis without a $50\%$ chance of choosing the wrong one.
Intercept-resend attack: Eve measures each qubit in a randomly chosen basis and resends the post-measurement state to Bob.
Analysis: When Eve’s basis $\beta_E \neq \beta_A$ (probability $1/2$), she sends the wrong state. Bob, measuring in the correct basis $\beta_B = \beta_A$, gets the wrong answer with probability $1/2$.
\[P(\text{error}) = P(\beta_E \neq \beta_A) \cdot P(\text{Bob wrong}|\text{Eve wrong basis}) = \frac{1}{2} \cdot \frac{1}{2} = \frac{1}{4}\]Eve’s intervention introduces a QBER of $Q = 25\%$, far above the $11\%$ threshold — the attack is detected.
Intercept-resend with optimal strategy: Eve measures in the $(\hat{x}+\hat{z})/\sqrt{2}$ axis (the Breidbart basis), achieving QBER $= 1 - \cos^2(\pi/8) \approx 14.6\%$, still detectable but maximising her information. No classical strategy can avoid this noise penalty.
Information-Theoretic Security
The security of BB84 rests on information-theoretic (unconditional) security, proven by Mayers (1996) and Shor-Preskill (2000).
The Shor-Preskill proof reduces BB84 security to entanglement distillation:
-
Consider the entanglement-based version: Alice prepares Bell pairs $ \Phi^+\rangle$ and sends one qubit to Bob, keeping the other. Measuring in random bases on her qubit simulates BB84’s state preparation. -
Eve’s intervention creates a mixed state $\rho_{ABE}$ involving Alice, Bob, and Eve’s ancilla.
- If the QBER is $Q < 11\%$, there exists an error-correcting code $C$ such that after error correction and privacy amplification, Eve’s mutual information satisfies:
for an arbitrarily long final key $K$ of length $\ell$.
The composable security framework (Renner 2005) gives a stronger statement using the smooth min-entropy $H_{\min}^\varepsilon(\rho_{AB}|\sigma_B)$: the key rate is bounded by:
\[\ell \leq H_{\min}^\varepsilon(A|E) - \text{(error correction leakage)}\]This holds against the most general quantum attacks (coherent attacks on all $n$ qubits simultaneously) by the quantum de Finetti theorem or the entropy accumulation theorem.
E91 Protocol (Entanglement-Based)
Ekert’s E91 protocol (1991) uses entangled Bell pairs distributed between Alice and Bob.
-
A source emits pairs in the singlet state $ \Psi^-\rangle = \frac{1}{\sqrt{2}}( 01\rangle - 10\rangle)$. -
Alice measures in bases ${0°, 45°, 90°}$ and Bob in ${45°, 90°, 135°}$.
-
They announce bases publicly and compute the CHSH correlator $\mathcal{S}$ from the non-shared basis measurements.
-
Security check: $\mathcal{S} = 2\sqrt{2}$ certifies that the states are maximally entangled (no Eve). If $\mathcal{S} < 2\sqrt{2}$, Eve may be present.
- The shared-basis measurement outcomes form the raw key.
E91 security relies on the violation of Bell inequalities — any eavesdropper reduces the correlations, lowering $\mathcal{S}$. This provides device-independent security in principle: the security guarantee holds even if the measurement devices are untrusted.
Practical Implementation Challenges
Real QKD systems face several departures from the ideal single-photon model:
Photon number splitting (PNS) attack: Weak coherent pulse (WCP) sources emit Poissonian photon numbers:
\[P(n) = \frac{\mu^n e^{-\mu}}{n!}\]Multi-photon pulses allow Eve to split off one photon (retaining it) and forward the rest — gaining full information on multi-photon pulses without introducing errors. The fraction of multi-photon pulses scales as $\mu^2/2$, limiting the secure key rate.
Decoy state method: Alice randomly sends different intensity levels (signal, decoy$_1$, decoy$_2$). By comparing statistics across intensities, she can detect PNS attacks and bound Eve’s information. Decoy-state BB84 achieves a key rate:
\[R \geq q\left[-Q_\mu h(E_\mu) + Q_1[1 - h(e_1)]\right]\]where $Q_\mu, E_\mu$ are observed gain and QBER, $Q_1, e_1$ are estimated single-photon gain and error rate, and $q = 1/2$ is the sifting efficiency.
Channel loss and distance limits:
| Distance | Fibre loss (0.2 dB/km) | Transmission | Key rate |
|---|---|---|---|
| 50 km | 10 dB | $10^{-1}$ | $\sim$ Mbps |
| 100 km | 20 dB | $10^{-2}$ | $\sim$ kbps |
| 200 km | 40 dB | $10^{-4}$ | $\sim$ bps |
| $> 300$ km | $> 60$ dB | $< 10^{-6}$ | Impractical |
The PLOB bound (Pirandola, Laurenza, Ottaviani, Banchi 2017) gives the fundamental key-rate capacity of a lossy channel $\eta$:
\[R \leq -\log_2(1-\eta) \approx \eta/\ln 2 \quad (\eta \ll 1)\]MDI-QKD and Twin-Field QKD
Measurement-Device-Independent QKD (MDI-QKD): Removes all detector side-channel attacks by having both Alice and Bob send states to an untrusted relay Charlie who performs a Bell measurement:
\[|\Psi^-\rangle_{A'B'} \longrightarrow \text{Charlie announces Bell outcome} \longrightarrow \text{Alice and Bob correlate}\]Security is maintained even if Charlie is Eve. MDI-QKD is practical with current technology and has been demonstrated over metropolitan-scale networks.
Twin-Field QKD (TF-QKD): Extends distance by having Alice and Bob send coherent states that interfere at a central relay, using single-photon interference rather than coincidence detection. The key rate scales as $O(\sqrt{\eta})$ rather than $O(\eta)$, overcoming the PLOB bound for point-to-point with a relay:
\[R_{\text{TF}} \sim O(\sqrt{\eta}), \quad R_{\text{BB84}} \sim O(\eta)\]This enables secure key distribution over $\sim 500$ km of optical fibre.
QKD Network Deployments
Commercial and governmental QKD networks have been deployed worldwide:
| Network | Location | Year | Technology |
|---|---|---|---|
| SECOQC | Vienna | 2008 | Multi-node, 200 km |
| Tokyo QKD Network | Japan | 2010 | 4-node metropolitan |
| Jiuquan-Beijing | China | 2017 | Satellite + ground, 2000 km |
| Cambridge QN | UK | 2019 | Metropolitan ring |
| EuroQCI | Europe | 2023+ | EU quantum internet initiative |
Satellite QKD (Micius satellite, China 2017) demonstrated $\sim 1200$ km ground-to-ground QKD using satellite relay with a key rate of $\sim 1$ kbps in a 275-second window — the first intercontinental QKD demonstration.