BB84 Quantum Key Distribution

Two strangers, Alice and Bob, want to agree on a secret string of bits — a key — that no eavesdropper can learn. Every classical scheme for doing this rests on a computational promise: that factoring a huge number, or some similar sum, is too slow to crack in practice. Break the assumption — build a fast enough computer — and the secret spills. In 1984, Charles Bennett and Gilles Brassard proposed something startling: a way to share a key whose secrecy is guaranteed not by hard arithmetic but by the laws of physics. Their protocol, BB84, was the first piece of quantum cryptography, and it is still the most famous.

The trick leans on two facts you already know about qubits. First, an unknown qubit cannot be copied — so an eavesdropper cannot quietly duplicate the traffic and analyse it later. Second, measuring a qubit in the wrong basis disturbs it — so any attempt to peek leaves fingerprints. BB84 weaves these together into a key that announces its own theft.

The two bases

Alice will encode each bit in one of two bases. The computational basis \{|0\rangle, |1\rangle\} encodes the bit the plain way: 0 \mapsto |0\rangle, 1 \mapsto |1\rangle. The Hadamard basis \{|{+}\rangle, |{-}\rangle\} encodes it in the balanced superpositions: 0 \mapsto |{+}\rangle, 1 \mapsto |{-}\rangle, where |{\pm}\rangle = \tfrac{1}{\sqrt2}(|0\rangle \pm |1\rangle).

The whole protocol hinges on how these two bases sit relative to each other: they are rotated 45° apart. Picture each state as an arrow. The computational states are the vertical and horizontal axes; the Hadamard states are those same axes turned by 45°. Because of that tilt, a state that is definite in one basis is maximally uncertain in the other — measuring |{+}\rangle in the computational basis gives 0 or 1 with probability \tfrac12 each, a pure coin flip.

The protocol, step by step

BB84 has four short stages. The first two happen over a quantum channel (qubits fly from Alice to Bob); the last two over an ordinary public channel (anyone may listen).

  1. Alice sends. For each qubit she rolls two coins: a random bit (0 or 1) and a random basis (computational or Hadamard). She prepares the matching state and sends it.
  2. Bob measures. For each arriving qubit Bob picks his own random basis and measures. When his basis matches Alice's, he reads her bit exactly; when it doesn't, he gets a coin flip — a useless result.
  3. Sifting. Over the public channel they compare the bases they used — never the bit values — and throw away every position where the bases differed. Since each chose randomly, they agree about half the time, and those surviving bits form the sifted key.
  4. Error check. They sacrifice a random handful of sifted bits and compare the actual values in public. On a clean channel these should match perfectly. A surprising number of mismatches betrays an eavesdropper — and if the error rate is low enough, the remaining bits become the secret key.

Notice what is and isn't public. The bases are announced (step 3); the bit values stay secret except for the few deliberately sacrificed to estimate errors (step 4). Knowing which basis was used is worthless to an attacker after the fact — the qubit is long gone.

Worked example: sifting a key

Follow eight qubits. Alice's random bits and bases are on the left; she prepares the "sent state" accordingly. Bob picks his own random bases and measures. Wherever the bases agree (\checkmark) the bit is kept; where they differ (\times) it is discarded. Write Z for the computational basis and X for the Hadamard basis.

Alice bit Alice basis Sent state Bob basis Bases agree? Sifted bit
0Z|0\rangleZ\checkmark0
1Z|1\rangleX\times
1X|{-}\rangleX\checkmark1
0X|{+}\rangleZ\times
1Z|1\rangleZ\checkmark1
0X|{+}\rangleX\checkmark0
0Z|0\rangleX\times
1X|{-}\rangleX\checkmark1

Five of the eight bases agreed, so the sifted key is 0\,1\,1\,0\,1 — known to Alice and Bob, and to nobody else. The three discarded rows are simply forgotten. On average you keep about \tfrac12 of the qubits, so to end up with an n-bit key you send roughly 2n qubits (before spending a few more on the error check).

Why an eavesdropper is caught

Call the eavesdropper Eve. She sits on the quantum channel and wants to learn the key without being noticed. Her problem is that she faces the same two walls Alice built the protocol on. She cannot copy the qubit and quietly forward the original — no-cloning forbids it. And she does not know which basis Alice used, because the bases are only announced later, after the qubits have arrived. Her best simple strategy is the intercept-resend attack: grab each qubit, measure it in a basis of her own guessing, then send a fresh qubit matching what she saw on to Bob.

Worked example: the 25% error signature

Let's compute the damage Eve does, counting only the sifted positions (where Alice and Bob used the same basis — the bits that would otherwise be perfect). Two coin flips decide each qubit's fate.

Case 1: Eve guesses Alice's basis correctly (probability \tfrac12). She measures in the right basis, reads the true bit, and resends the correct state. Bob — measuring in that same basis — recovers Alice's bit exactly. No error.

Case 2: Eve guesses wrong (probability \tfrac12). Say Alice sent |0\rangle in the computational basis but Eve measures in the Hadamard basis. She gets |{+}\rangle or |{-}\rangle with equal odds and resends that. Now Bob measures her Hadamard state back in the computational basis — another 45°-mismatched measurement — so he too gets a coin flip: 0 or 1 with probability \tfrac12. Half of those flips disagree with Alice's original bit. So when Eve guesses wrong, Bob's bit is wrong with probability \tfrac12.

Combine the two cases over the sifted bits:

P(\text{error}) = \underbrace{\tfrac12 \times 0}_{\text{Eve right}} + \underbrace{\tfrac12 \times \tfrac12}_{\text{Eve wrong}} = \tfrac14 = 25\%.

A clean channel gives a 0\% error rate on the sifted bits; a channel with a full intercept-resend eavesdropper gives about 25\%. That gap is enormous and unmistakable — sacrifice a few dozen sifted bits, compare them in public, and an error rate near a quarter screams that someone is listening. Alice and Bob simply throw the whole key away and start over on a channel Eve isn't touching. Eve cannot do better by being clever: the very act of extracting information from an unknown qubit disturbs it.

This is what makes BB84 feel like magic. Classical key exchange is a race against hardware: RSA is safe only as long as nobody can factor fast enough, and the day a large quantum computer runs Shor's algorithm that race is lost. BB84 doesn't enter the race at all. Its guarantee has nothing to do with how much computing power Eve owns — she could have every supercomputer on Earth, a quantum computer, and a thousand years, and it would not help, because the information she wants was destroyed by her own measurement the instant she looked. You are not betting that a problem is hard; you are relying on the fact that measurement disturbs a quantum state. That is a law of nature, not a conjecture about algorithms — which is why quantum key distribution is often called unconditionally secure.

Two things people routinely get wrong. First, BB84 distributes a key — it does not encrypt your message. What Alice and Bob end up with is a shared random string. To actually send secret traffic they still feed that key into an encryption scheme (a one-time pad, say). BB84 solves the notoriously hard key-distribution half of cryptography; the encrypting is a separate, ordinary step. Second, the security does not come from any hard mathematical problem. There is no huge number to factor, no discrete log, nothing a cleverer algorithm or a faster machine could shortcut. It rests entirely on no-cloning plus measurement disturbance. So the usual worry — "won't a quantum computer break it?" — has the story exactly backwards: a quantum computer breaks classical crypto (that's the threat), while BB84 is one of the tools that survives the quantum era precisely because it never relied on computational hardness in the first place.