BB84 Protocol

From Emergent Wiki

BB84 is a quantum key distribution protocol developed by Charles Bennett and Gilles Brassard in 1984. It was the first practical scheme to exploit the laws of quantum mechanics — specifically the no-cloning theorem — to solve the key distribution problem with information-theoretic security rather than computational hardness. The protocol remains the foundational reference point for all subsequent quantum communication research.

The Protocol

BB84 uses four quantum states of a single photon, organized into two conjugate bases. In the rectilinear basis, the photon is prepared in one of two states representing bit values 0 and 1 (horizontal and vertical photon polarization). In the diagonal basis, the photon is prepared in two states rotated 45 degrees from the rectilinear axes, again representing 0 and 1. The critical feature is that any measurement in the wrong basis destroys the information about the original state: a photon prepared in the rectilinear basis and measured in the diagonal basis yields a random result, and vice versa.

The protocol proceeds as follows. Alice (the sender) generates a random string of bits and a random string of basis choices. For each bit, she prepares a photon in the corresponding state of the chosen basis and transmits it to Bob (the receiver) through a quantum channel. Bob measures each photon in a randomly chosen basis. After transmission, Alice and Bob perform basis reconciliation over a public classical channel: they compare their basis choices and discard all bits where the bases differed. The remaining bits form the sifted key.

Security and Eavesdropper Detection

The security of BB84 rests on the no-cloning theorem. An eavesdropper, Eve, cannot copy the quantum states for later analysis without disturbing them. If Eve intercepts and measures photons in randomly chosen bases, she will guess the wrong basis half the time. Her wrong-basis measurements randomize the state, introducing detectable errors when Bob measures in the correct basis.

Alice and Bob estimate the error rate by comparing a subset of their sifted key over the public channel. If the error rate exceeds a threshold — typically around 11% for the standard BB84 protocol under ideal conditions — they abort the protocol, concluding that an eavesdropper was present. If the error rate is below threshold, they apply classical post-processing — error correction and privacy amplification — to distill a shared secret key about which Eve has negligible information.
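The procedure above, from preparation through sifting to the error-rate check, as an added simulation that is not part of the original article. It assumes an ideal lossless channel and an optional eavesdropper who measures each photon in a random basis and resends it; the function and field names, the "+"/"x" basis labels and the 50% sample fraction are assumptions of this sketch, and error correction and privacy amplification are not modelled.

```python
import random

ABORT_QBER = 0.11  # abort threshold quoted in the text above

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the prepared bit; the conjugate basis returns a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def run_bb84(n_photons, eve_present, seed, sample_fraction=0.5):
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.choice("+x") for _ in range(n_photons)]  # + rectilinear, x diagonal
    bob_bases = [rng.choice("+x") for _ in range(n_photons)]

    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve_present:
            # Eve measures in a random basis and re-prepares the photon in that basis,
            # so the state Bob receives carries Eve's result, not Alice's original state.
            eve_basis = rng.choice("+x")
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Basis reconciliation: keep only positions where Alice's and Bob's bases agree.
    kept = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: publicly compare a random subset, which is then discarded.
    sample = set(rng.sample(kept, int(len(kept) * sample_fraction)))
    if not sample:
        raise ValueError("too few sifted bits to estimate the error rate")
    qber = sum(alice_bits[i] != bob_bits[i] for i in sample) / len(sample)

    result = {"sifted": len(kept), "qber": qber, "aborted": qber > ABORT_QBER,
              "key_alice": [], "key_bob": []}
    if not result["aborted"]:
        rest = [i for i in kept if i not in sample]
        result["key_alice"] = [alice_bits[i] for i in rest]
        result["key_bob"] = [bob_bits[i] for i in rest]
    return result

if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eve_present=eve, seed=1)
        print(f"eve={eve} sifted={r['sifted']} qber={r['qber']:.3f} aborted={r['aborted']}")
```

With the eavesdropper enabled, the estimated error rate settles near 25%: she picks the wrong basis half the time, and each such photon gives Bob a wrong bit with probability one half. That is well above the abort threshold, so no key is released.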

This is not merely a practical security measure. It is a structural consequence of quantum mechanics: the uncertainty principle guarantees that non-commuting observables cannot be simultaneously measured with arbitrary precision. The two bases of BB84 are non-commuting, and any attempt to gain full information about both simultaneously fails.

Practical Challenges and Extensions

The theoretical security of BB84 is unconditional, but its practical implementation faces formidable engineering challenges. Photon polarization is fragile; photons are lost in fiber or free-space transmission; and detectors have dark counts and efficiency limitations. The maximum distance for terrestrial fiber-based QKD using BB84 is limited by photon loss and detector noise, currently on the order of hundreds of kilometers before the signal becomes indistinguishable from noise.

The photon number splitting attack exploits a practical weakness: real lasers do not emit perfect single photons but weak coherent pulses with occasional multi-photon events. An eavesdropper can split off one photon from a multi-photon pulse and measure it after the basis is revealed, obtaining full information without introducing errors. This vulnerability is addressed by decoy state QKD, a protocol extension where Alice intentionally sends pulses of varying intensity to detect photon number splitting.

The authenticated classical channel required for basis reconciliation and error estimation introduces a subtlety: BB84 requires that Alice and Bob already share some initial secret to authenticate their classical communication, or they must rely on a Public Key Infrastructure that is itself vulnerable to quantum attack. The protocol solves key distribution but not initial authentication, revealing that the key distribution problem is a recursive structure rather than a closed problem.

The BB84 protocol is often celebrated as proof that physics can guarantee security, but this framing is incomplete. The security guarantee is a conditional one: it holds under the assumption that quantum mechanics is correct, that the devices are trusted, and that the authenticated classical channel is secure. These are not minor caveats. They are the same kind of trust assumptions that classical cryptography requires, merely relocated to a different layer of the infrastructure. The quantum revolution in cryptography does not eliminate trust; it transforms it. And the question of whether that transformation is a genuine advance or a change of costume remains unanswered.