BB84 Quantum Key Distribution
Two strangers, Alice and Bob, want to agree on a secret string of bits — a
key — that no eavesdropper can learn. Every classical scheme for doing this rests on
a computational promise: that factoring a huge number, or some similar sum, is too slow to
crack in practice. Break the assumption — build a fast enough computer — and the secret spills. In
1984, Charles Bennett and Gilles Brassard proposed something startling: a way to share
a key whose secrecy is guaranteed not by hard arithmetic but by the laws of physics.
Their protocol, BB84, was the first piece of quantum cryptography, and it is still the
most famous.
The trick leans on two facts you already know about qubits. First, an unknown qubit
cannot be copied
— so an eavesdropper cannot quietly duplicate the traffic and analyse it later. Second,
measuring
a qubit in the wrong basis disturbs it — so any attempt to peek leaves fingerprints. BB84
weaves these together into a key that announces its own theft.
The two bases
Alice will encode each bit in one of two bases. The
computational basis \{|0\rangle, |1\rangle\} encodes the
bit the plain way: 0 \mapsto |0\rangle,
1 \mapsto |1\rangle. The
Hadamard basis
\{|{+}\rangle, |{-}\rangle\} encodes it in the balanced superpositions:
0 \mapsto |{+}\rangle, 1 \mapsto |{-}\rangle,
where |{\pm}\rangle = \tfrac{1}{\sqrt2}(|0\rangle \pm |1\rangle).
The whole protocol hinges on how these two bases sit relative to each other: they are
rotated 45° apart. Picture each state as an arrow. The computational states are the
vertical and horizontal axes; the Hadamard states are those same axes turned by 45°. Because of that
tilt, a state that is definite in one basis is maximally uncertain in the other —
measuring |{+}\rangle in the computational basis gives
0 or 1 with probability
\tfrac12 each, a pure coin flip.
The protocol, step by step
BB84 has four short stages. The first two happen over a quantum channel (qubits fly
from Alice to Bob); the last two over an ordinary public channel (anyone may listen).
- Alice sends. For each qubit she rolls two coins: a random bit
(0 or 1) and a random basis
(computational or Hadamard). She prepares the matching state and sends it.
- Bob measures. For each arriving qubit Bob picks his own random basis and
measures. When his basis matches Alice's, he reads her bit exactly; when it doesn't, he gets a
coin flip — a useless result.
- Sifting. Over the public channel they compare the bases they used
— never the bit values — and throw away every position where the bases differed. Since each chose
randomly, they agree about half the time, and those surviving bits form the
sifted key.
- Error check. They sacrifice a random handful of sifted bits and compare the actual
values in public. On a clean channel these should match perfectly. A surprising number of
mismatches betrays an eavesdropper — and if the error rate is low enough, the
remaining bits become the secret key.
Notice what is and isn't public. The bases are announced (step 3); the bit values
stay secret except for the few deliberately sacrificed to estimate errors (step 4). Knowing which
basis was used is worthless to an attacker after the fact — the qubit is long gone.
Worked example: sifting a key
Follow eight qubits. Alice's random bits and bases are on the left; she prepares the "sent state"
accordingly. Bob picks his own random bases and measures. Wherever the bases agree
(\checkmark) the bit is kept; where they differ
(\times) it is discarded. Write Z for the
computational basis and X for the Hadamard basis.
| Alice bit |
Alice basis |
Sent state |
Bob basis |
Bases agree? |
Sifted bit |
| 0 | Z | |0\rangle | Z | \checkmark | 0 |
| 1 | Z | |1\rangle | X | \times | — |
| 1 | X | |{-}\rangle | X | \checkmark | 1 |
| 0 | X | |{+}\rangle | Z | \times | — |
| 1 | Z | |1\rangle | Z | \checkmark | 1 |
| 0 | X | |{+}\rangle | X | \checkmark | 0 |
| 0 | Z | |0\rangle | X | \times | — |
| 1 | X | |{-}\rangle | X | \checkmark | 1 |
Five of the eight bases agreed, so the sifted key is
0\,1\,1\,0\,1 — known to Alice and Bob, and to nobody else. The
three discarded rows are simply forgotten. On average you keep about \tfrac12
of the qubits, so to end up with an n-bit key you send roughly
2n qubits (before spending a few more on the error check).
Why an eavesdropper is caught
Call the eavesdropper Eve. She sits on the quantum channel and wants to learn the key without being
noticed. Her problem is that she faces the same two walls Alice built the protocol on. She
cannot copy the qubit and quietly forward the original — no-cloning forbids it. And she
does not know which basis Alice used, because the bases are only announced later,
after the qubits have arrived. Her best simple strategy is the intercept-resend attack:
grab each qubit, measure it in a basis of her own guessing, then send a fresh qubit matching what she
saw on to Bob.
Worked example: the 25% error signature
Let's compute the damage Eve does, counting only the sifted positions (where Alice and Bob used the
same basis — the bits that would otherwise be perfect). Two coin flips decide each qubit's fate.
Case 1: Eve guesses Alice's basis correctly (probability
\tfrac12). She measures in the right basis, reads the true bit, and resends
the correct state. Bob — measuring in that same basis — recovers Alice's bit exactly. No
error.
Case 2: Eve guesses wrong (probability \tfrac12). Say Alice
sent |0\rangle in the computational basis but Eve measures in the Hadamard
basis. She gets |{+}\rangle or |{-}\rangle with
equal odds and resends that. Now Bob measures her Hadamard state back in the computational
basis — another 45°-mismatched measurement — so he too gets a coin flip:
0 or 1 with probability
\tfrac12. Half of those flips disagree with Alice's original bit. So when Eve
guesses wrong, Bob's bit is wrong with probability \tfrac12.
Combine the two cases over the sifted bits:
P(\text{error}) = \underbrace{\tfrac12 \times 0}_{\text{Eve right}} + \underbrace{\tfrac12 \times \tfrac12}_{\text{Eve wrong}} = \tfrac14 = 25\%.
A clean channel gives a 0\% error rate on the sifted bits; a channel with a
full intercept-resend eavesdropper gives about 25\%. That gap is enormous and
unmistakable — sacrifice a few dozen sifted bits, compare them in public, and an error rate near a
quarter screams that someone is listening. Alice and Bob simply throw the whole key away and
start over on a channel Eve isn't touching. Eve cannot do better by being clever: the very act
of extracting information from an unknown qubit disturbs it.
- Alice sends qubits, each a random bit in a random basis — computational
\{|0\rangle,|1\rangle\} or Hadamard
\{|{+}\rangle,|{-}\rangle\};
- Bob measures each in his own random basis;
- sifting: they publicly compare bases (not values) and keep only the
\approx\tfrac12 where the bases matched;
- they sacrifice a few sifted bits to estimate the error rate; the rest become the
shared secret key;
- security is physical: no-cloning stops copying, and a wrong-basis measurement
disturbs the state — a full intercept-resend attack raises the error rate to
\approx 25\% and is caught.
This is what makes BB84 feel like magic. Classical key exchange is a race against hardware: RSA is safe
only as long as nobody can factor fast enough, and the day a large quantum computer runs
Shor's algorithm
that race is lost. BB84 doesn't enter the race at all. Its guarantee has nothing to do with how much
computing power Eve owns — she could have every supercomputer on Earth, a quantum computer, and a
thousand years, and it would not help, because the information she wants was destroyed by her own
measurement the instant she looked. You are not betting that a problem is hard; you are relying on
the fact that measurement disturbs a quantum state. That is a law of nature, not a conjecture about
algorithms — which is why quantum key distribution is often called unconditionally secure.
Two things people routinely get wrong. First, BB84 distributes a key — it does not encrypt your
message. What Alice and Bob end up with is a shared random string. To actually send secret
traffic they still feed that key into an encryption scheme (a
one-time pad, say). BB84
solves the notoriously hard key-distribution half of cryptography; the encrypting is a separate,
ordinary step. Second, the security does not come from any hard mathematical
problem. There is no huge number to factor, no discrete log, nothing a cleverer algorithm or a
faster machine could shortcut. It rests entirely on no-cloning plus measurement disturbance. So the usual
worry — "won't a quantum computer break it?" — has the story exactly backwards: a quantum computer breaks
classical crypto (that's the threat), while BB84 is one of the tools that survives the
quantum era precisely because it never relied on computational hardness in the first place.