Suppose Alice has a secret message she wants to send to Bob. They have two information channels: a quantum channel (e.g., Bob is able to detect polarised photons sent by Alice from a satellite) and a two-way unsecure classical channel (e.g., unencrypted email). Let’s assume that the message and key are both encoded using binary and the key is a one-time pad. They will eventually XOR message and key to encrypt and decrypt the message.
BB84 (Bennett & Brassard, 1984) is an approach to quantum key distribution that allows Alice to send an encryption key to Bob and for them to verify with a high level of confidence that the key hasn’t been intercepted. Once convinced that the key was sent securely, Alice can use it to encrypt the secret message and send it over the unsecure classical channel. Bob safely decrypts at the other side.
BB84 takes advantages of three related features of quantum mechanics.
- If a qubit is in superposition, e.g., \(\frac{|0\rangle + |1\rangle}{\sqrt{2}}\), then it’s impossible to infer its state from one observation. In particular, suppose an eavesdropper, Eve, measured the qubit and observed \(|1\rangle\). She couldn’t tell whether it had been in the state \(\frac{|0\rangle + |1\rangle}{\sqrt{2}}\) or \(|1\rangle\).
- Once you measure a qubit in superposition, it collapses to a basis state, so Eve couldn’t intercept the key and retransmit it onto Bob.
- You also can’t clone a qubit that is in an unknown state so, e.g., Eve couldn’t intercept a qubit from Alice, clone it, measure one of the pair and pass the other unmeasured qubit onto Bob.
Here’s how BB84 works.
Alice begins by generating a stream of random bits:
110110100110000101110…
Some of these bits will be used for the key.
Next, she generates a random stream of bases, classical basis (\(+\)) or the Hadamard basis (\(\times\)):
\(+\)\(\times\)\(+\)\(+\)\(\times\)\(+\)\(\times\)\(+\)\(\times\)\(\times\)\(+\)\(\times\)\(\times\)\(+\)\(\times\)\(+\)\(\times\)\(\times\)\(+\)\(\times\)\(+\)…
These will determine which basis Alice uses to send each bit of the key. The figure below (from Mayers, 2001) shows the bases in state space.
For a photon, the classical basis corresponds to vertical/horizontal polarisation and the Hadamard basis to the diagonal polarisations. Note in this case the state space corresponds nicely with the physical realisation of the qubit; that won’t always be the case, e.g., consider spin up and down states for electrons.
Here are the qubit states Alice sends:
\(\Psi(0, +) = |0\rangle\)
\(\Psi(1, +) = |1\rangle\)
\(\displaystyle \Psi(0, \times) = H|0\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}}\)
\(\displaystyle \Psi(1, \times) = H|1\rangle = \frac{|0\rangle -|1\rangle}{\sqrt{2}}\)
Where \(\displaystyle H = \frac{1}{\sqrt2} \begin{bmatrix}1 & 1\\1 & -1\end{bmatrix}\), the Hadamard gate.
Alice sends the potential key bits using the randomly chosen bases.
Bob measures them, randomly deciding whether to assume a classical or Hadamard basis – for the latter applying the Hadamard gate before measuring. The possible outcomes in the absence of eavesdropping are as follows:
| Alice sends | Bob assumes classical | Bob assumes Hadamard |
|---|---|---|
| \(\Psi(0, +) = |0\rangle\) | \(P(|0\rangle) = 1\) | \(P(|0\rangle) = \frac{1}{2}\) |
| \(\Psi(1, +) = |1\rangle\) | \(P(|1\rangle) = 1\) | \(P(|1\rangle) = \frac{1}{2}\) |
| \(\Psi(0, \times) = H|0\rangle\) | \(P(|0\rangle) = \frac{1}{2}\) | \(P(|0\rangle) = 1\) |
| \(\Psi(1, \times) = H|1\rangle\) | \(P(|1\rangle) = \frac{1}{2}\) | \(P(|1\rangle) = 1\) |
So if Bob randomly chooses the correct basis, he gets the correct bit; if not, he gets a random bit, with a 50-50 chance of a 1 or 0.
Bob tells Alice via the unsecure channel the sequence of bases he used. At this point, doing so doesn’t help any eavesdroppers since the qubits have already been measured.
Alice tells Bob which bases were correct, again on the unsecure channel, so Bob can discard measurements for the rest. She also sacrifices a random sample of the key bits by sharing what the right answer is for those. If Eve the eavesdropper intercepted any, then they won’t all have made it to Bob: either they will be missing or Eve will have had to replace them with a random bit.
If Alice and Bob are satisfied that the test qubits made it across okay without being intercepted, then they use the remainder for the key, sending the encrypted message through the unsecure channel.
That’s the gist. The devil’s in the detail, e.g., working out how many bits to send to ensure enough remain after checking for intercepts; how many to sacrifice to check that Eve wasn’t eavesdropping; while taking account of errors in transmission that will mean qubits don’t arrive intact for innocent reasons other than eavesdropping.
The security of BB84 depends on the quality of the implementation. The field of quantum hacking explores a variety of ways to exploit imperfections, e.g., classical side channels that leak information about what was sent, which can be intercepted without interfering with the qubit. Researchers devise clever ways to defend against these attacks. See, e.g., Dixon et al. (2017).
References
Bennett, C. H. & Brassard, G. (1984). Quantum cryptography: Public key distribution and coin tossing. Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing (pp. 175-179), India.
Dixon, A. R., Dynes, J. F., Lucamarini, M., Fröhlich, B., Sharpe, A. W., Plews, A., Tam, W., Yuan, Z. L., Tanizawa, Y., Sato, H., Kawamura, S., Fujiwara, M., Sasaki, M., & Shields, A. J. (2017). Quantum key distribution with hacking countermeasures and long term field trial. Scientific Reports, 7, 1978.
Mayers, D. (2001). Unconditional security in quantum cryptography. Journal of the ACM, 48, 351–406.