Quantum key distribution (QKD) is a method for generating and distributing symmetric cryptographic keys with information-theoretic security based on quantum information theory [ETS18].

A QKD protocol establishes a secret key between two parties — let us call them 👩 Alice and 🧔 Bob as per tradition — connected by 1️⃣ an insecure quantum channel and 2️⃣ an authenticated classical channel [Gra21, Sec. 3.1].

• The established key can be however long as required so that it can serve as the key in a one-time pad.
• “Authenticated” does not imply “confidential” and does not necessarily require the use of cryptography. Alice and Bob can physically meet and verify each other’s identity.
• In practice, the authenticated classical channel can be established using 1️⃣ a pre-shared symmetric key, or 2️⃣ public-key cryptography [PAB+20, Sec. F].

A QKD protocol typically proceeds in two phases [Wol21, Ch. 4]:

1. the quantum transmission phase, in which 👩 Alice and 🧔 Bob send and/or measure quantum states;
2. the classical post-processing phase, where the bitstrings generated in the previous phase are converted into a pair of secret keys.

The security of QKD hinges on the principles of quantum mechanics, rather than the hardness of any computational problem, and hence does not get threatened by advances in computing technologies.

• During the quantum transmission phase, any adversary — let us call it 😈 Eve as per tradition — eavesdropping on the quantum channel inherently disturbs the channel and interrupts the key establishment process.
• Eve cannot make a copy of any transmitted state (that contributes to the key to be established) thanks to the no-cloning theorem.

The earliest QKD protocol is due to Bennett and Brassad [BB84] and is called BB84, named after the authors and the year it was proposed.

QKD leverages physical mechanisms, so unavoidably we need to discuss the physical mechanisms that underlie/enable BB84, which are based primarily on the polarisation of photons [Wol21, Sec. 1.3.1].

Polarisation

The polarisation of photons specifies the geometrical orientation of the oscillation of its electromagnetic field.

• Polarisation is linear if the field only oscillates in one direction.
• Polarisation is circular if the field rotates in a plane as the wave propagates.

We only consider linear polarisation here. For linear polarisation, we distinguish between two bases:

• rectilinear basis, which includes horizontal and vertical orientations; and
• diagonal basis, which is essentially the rectilinear basis rotated by $+45^\circ$; as shown in Fig. 1.

Consider the effect of polarisation filters depicted in Fig. 1:

• When a ↕ vertically polarised photon passes through a rectilinear polarisation filter, it is deflected to the right (➡).
• When a ↔ horizontally polarised photon passes through a rectilinear polarisation filter, it is deflected to the left (⬅).
• When a diagonally polarised photon passes through a rectilinear polarisation filter, it is equally likely to be deflected to the left and right.

Thus, measuring a diagonally polarised photon in the rectilinear basis, and similarly measuring a vertically/horizontally polarised photon in the diagonal basis, give a random result.

• We call the rectilinear and diagonal bases mutually conjugate (see Definition 1).

  Definition 1: Conjugate bases

  Two bases are mutually conjugate [BB84; FGG+97] or unbiased [Wol21, p. 9] if each vector of one basis has equal-length projections onto all vectors of the other basis.

• The Heisenberg uncertainty principle ensures that when making two sequential measurements using conjugate bases, the system is disturbed in such a way that the uncertainty of the measurement outcome is maximised [Woj22, p. 42].

With knowledge of polarisation in mind, let us now discuss the quantum transmission phase of BB84, which involves encoding of classical bits into quantum states, communication over a quantum channel, and decoding of quantum states into classical bits.

Quantum transmission phase

This phase of the protocol involving 👩 Alice and 🧔 Bob goes like this [Wol21, Sec. 1.3.2]:

1. 👩 Alice chooses a string of $N$ random classical bits: $X_1,\ldots,X_N$.
2. 👩 Alice chooses a random sequence of rectilinear (Z) bases and diagonal (X) bases; these are called the canonical bases [Dua14, p. 295].

3. 👩 Alice encodes her bitstring into a collection of photons with basis-dependent polarisation.

   In the rectilinear basis, 0 and 1 are encoded as → and ↑ respectively.

   In the diagonal basis, 0 and 1 are encoded as ↗ and ↖ respectively.

4. When 🧔 Bob receives the photons, he randomly (and independently of Alice) decides for each photon whether to measure/decode it in the rectilinear or diagonal basis to retrieve the classical bit.
5. At the end of this quantum transmission phase, 👩 Alice and 🧔 Bob each holds a classical bit string, denoted $\vec{X}=[X_1,\ldots,X_N]$ for Alice and $\vec{Y}=[Y_1,\ldots,Y_N]$ for Bob. $\vec{X}$ and $\vec{Y}$ form the raw key pair.

An illustration of the process above can be found Fig. 1.

Since the polarisation state of each photon is a discrete variable, BB84 is an example of a discrete-variable quantum key distribution (DV-QKD) scheme.

BB84 is also an example of a prepare-and-measure protocol, because of the preparation action of 👩 Alice and the measurement action of 🧔 Bob.

Classical post-processing phase

This phase of the protocol involves 👩 Alice and 🧔 Bob exchanging a sequence of classical information in the classical channel to transform their raw key pair into a shared secret key [Wol21, Sec. 1.3.3]:

1. This is the sifting step (steps 4-5 in Fig. 1):
   • 🧔 Bob publicly announces the bases he has chosen to measure the photons Alice has sent.
   • 👩 Alice compares Bob’s bases to the ones she used and confirms which bases Bob has chosen correctly.
   • 👩 Alice and 🧔 Bob discard all the bits for which the encoding and measurement bases are not the same.
2. This is the parameter estimation step:
   • 👩 Alice and 🧔 Bob want to compute an estimate of the quantum bit error rate (QBER) in the quantum channel, i.e., the fraction of bits where $\vec{X}$ and $\vec{Y}$ differ in the Z and X bases [Gra21, p. 38].
   • For this, 🧔 Bob reveals a random subset of his key bits.
   • In case of no eavesdropping, these bits should be the same as Alice’s bits and 👩 she confirms them.
   • If the QBER is too high, 👩 Alice and 🧔 Bob suspect eavesdropping and abort the protocol.
   • The bits that have been revealed during this step are discarded as their information is now public to eavesdroppers.
3. Computation of the final key if the error rate is not too high:
   • 👩 Alice and 🧔 Bob perform steps, which were later additions to the original BB84 [BBR88], to correct errors in their keys and increase the secrecy of their key.

   • The first step is error correction (also called information reconciliation), where they erase all errors in their bit strings. After this step, they hold identical strings.

     Direct vs reverse reconciliation [GG02; Djo19, p. 7; PAB+20, Sec. B]

     ▶ Direct reconciliation: 👩 Alice sends correction information and 🧔 Bob corrects his key elements to have the same values as Alice’s.

     • For example, 👩 Alice performs low-density parity check (LDPC) encoding and sends the parity bits to 🧔 Bob, who in turn performs LDPC decoding.
     • Error correction fails when quantum channel loss exceeds 50%.

     ◀ Reverse reconciliation: 🧔 Bob sends correction information and 👩 Alice corrects her key elements to have the same values as Bob’s.

     • For example, 🧔 Bob performs LDPC encoding and sends the parity bits to 👩 Alice, who in turn performs LDPC decoding.
     • Preferred option to direct reconciliation.
     • Provides a usable key when the mutual information of Alice ($A$) and Bob ($B$) exceeds the mutual information of Bob and Eve ($E$), i.e., $I(A;B)>I(B;E)$; the difference between these two terms gives the asymptotic secret key rate.
   • The second step is privacy amplification, which is a procedure that minimises Eve’s knowledge of the key.

Table 1 shows an example of an exchange between 👩 Alice and 🧔 Bob in the absence of eavesdropping.

For discussion of physical realisations of BB84, follow this knowledge base entry.

Performance and security evaluation

In terms of performance, a basic figure of merit of every QKD protocol is the secret key rate, i.e. the fraction of secure key bits produced per protocol round.

For security, follow this overview of QKD security.

Continuing from an overview of BB84, this entry discusses several ways in which BB84 can be realised.

Fig. 1 shows an experimental setup built by IBM [NC10, Box 12.7], where

• 🧔 Bob generates strong coherent states $|\alpha\rangle$ using a 1.3 μm (near infrared wavelength) diode laser and transmits the states to 👩 Alice 10 km away via an optical fibre.
• 👩 Alice attenuates the states to generate approximately a single photon, and subsequently polarises the photon to one of $|0\rangle$, $|1\rangle$, $|+\rangle$ and $|-\rangle$.
• 👩 Alice returns the photon to 🧔 Bob, who measures it using a polarisation analyser in a random basis (either rectilinear or diagonal).

For the setup in Fig. 1,

• The reason for making the photons traverse the optical fibre twice (from Bob to Alice then back to Bob) is to automatically compensate for asymmetry and fluctuations of the medium.
• The polarisation controller (“Pol Cont” in Fig. 1) is for correcting polarisation drifts in the quantum channel [Sud10, p. 111].
• The Faraday rotator (“Faraday Rot” in Fig. 1) effects polarisation through the Faraday (rotation) effect; watch demonstration on YouTube.
• The classical channel of wavelength 1.55 μm is carried over the same optical fibre. Multiplexing of the quantum and classical channels is achieved through the wavelength (division) multiplexers (“WM” in Fig. 1).
• The polarising beamsplitter (also called polarization beamsplitter, or “PBS” in Fig. 1) plays a crucial role, but let us first look at Thorlabs’ Quantum Cryptography Analogy Demonstration Kit (part number EDU-QCRY1), because the accompanying manual [Tho20] is rich with practical information rarely found elsewhere.

Fig. 2 shows a minimalist block diagram for EDU-QCRY1, while Fig. 3 shows a photo of a physical setup realising the block diagram.

Let us study the functions of the PBS in this context:

• For Alice to send a $|0\rangle$ to Bob, a half-wave plate (HWP, also called λ/2 plate, labelled as “Polarization Rotator” in Fig. 4) is physically rotated to 0°.

  To send a $|1\rangle$, the HWP is physically rotated by 45° to achieve a polarisation rotation of 90°.

  In general, for linearly polarised light, polarisation is rotated by a value twice as large as the rotation of the HWP.

• On Bob’s side, a horizontally polarised photon ($|0\rangle$) passes through the PBS, while a vertically polarised photon ($|1\rangle$) gets reflected, as shown:

  Thus, a single-photon detector is needed to detect each state.

• To support both the rectilinear basis (0° and 90°) and diagonal basis (-45° and 45°), the setup in Fig. 4 is extended to the setup in Fig. 6, where Alice’s polarisation rotator now support four angles in total ($|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$), and Bob gets a polarisation rotator that supports two angles (one for each basis).

  Note Bob still needs only two photon detectors, one for each basis state of the selected basis.

• Eve can be emulated by simply 1️⃣ duplicating the setup for Bob (for intercepting Alice’s photons), and 2️⃣ duplicating the setup for Alice (for “replaying” measured states to Bob); as shown in Fig. 2.

References

[GK05]	C. Gerry and P. Knight, Introductory Quantum Optics, Cambridge University Press, 2005. https://doi.org/10.1017/CBO9780511791239.
[HIP+21]	C. Hughes, J. Isaacson, A. Perry, R. F. Sun, and J. Turner, Quantum Computing for the Quantum Curious, Springer Cham, 2021. https://doi.org/10.1007/978-3-030-61601-4.
[LCPP22]	C.-Y. Lu, Y. Cao, C.-Z. Peng, and J.-W. Pan, Micius quantum experiments in space, Rev. Mod. Phys. 94 no. 3 (2022), 035001. https://doi.org/10.1103/RevModPhys.94.035001.
[NC10]	M. A. Nielsen and I. L. Chuang, Quantum computation and quantum information, 10th anniversary ed., Cambridge University Press, 2010. Available at http://mmrc.amss.cas.cn/tlb/201702/W020170224608149940643.pdf.
[Sud10]	M. Suda, QKD Systems, in Applied Quantum Cryptography (C. Kollmitzer and M. Pivk, eds.), Lect. Notes Phys. 797, Springer Berlin Heidelberg, 2010, pp. 71–95. https://doi.org/10.1007/978-3-642-04831-96.
[Tho20]	Thorlabs, EDU-QCRY1 EDU-QCRY1/M: Quantum Cryptography Demonstration Kit: Manual, December 2020. Available at https://www.thorlabs.com/_sd.cfm?fileName=MTN005660-D02.pdf&partNumber=EDU-QCRY1.

Consider the circuit below, where a Hadamard gate is connected to qubit $q_0$ and a controlled-NOT (CNOT) gate is connected to $|q_0q_1\rangle$ after the Hadamard gate:

The Hadamard gate in Fig. 1 effects the transformations: $|0\rangle\to|+\rangle$ and $|1\rangle\to|-\rangle$.

The CNOT gate in Fig. 1 has its control qubit connected to the $q_0$ line, and its target qubit connected to the $q_1$ line.

The unitary matrix representing the CNOT gate is

$\text{CNOT} = \begin{bmatrix}1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0\end{bmatrix}.$

If the input to the CNOT gate is the state $|q_0q_1\rangle = a|00\rangle + b|01\rangle + c|10\rangle + d|11\rangle = \begin{bmatrix}a & b & c & d\end{bmatrix}^\top$, then the output is

$\text{CNOT}|q_0q_1\rangle = \begin{bmatrix}a & b & d & c\end{bmatrix}^\top = a|00\rangle + b|01\rangle + d|10\rangle + c|11\rangle.$

Thus, as an example, if the input is $|q_0q_1\rangle = |10\rangle$, then the Hadamard gate transforms it to $|-,0\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |10\rangle)$, and the CNOT gate further transforms it to

$\text{CNOT}\frac{1}{\sqrt{2}}\begin{bmatrix}1 & 0 & -1 & 0\end{bmatrix}^\top = \frac{1}{\sqrt{2}}\begin{bmatrix}1 & 0 & 0 & -1\end{bmatrix}^\top = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle).$

Table 1 is the truth table summarising the outputs corresponding to basis-state inputs.

Table 1: Truth table for quantum circuit in Fig. 1.

Input $|q_0q_1\rangle$	Output
$|00\rangle$	$|\Phi^+\rangle = |\beta_{00}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$
$|01\rangle$	$|\Psi^+\rangle = |\beta_{01}\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$
$|10\rangle$	$|\Phi^-\rangle = |\beta_{10}\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle)$
$|11\rangle$	$|\Psi^-\rangle = |\beta_{11}\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$

The output states in Table 1 are called the Bell states or Einstein-Podolsky-Rosen (EPR) pairs [KLM07, p. 75; NC10, Sec. 1.3.6], and can be represented concisely as

$|\beta_{xy}\rangle = \frac{1}{\sqrt{2}}\left[|0,y\rangle + (-1)^x|1,\bar{y}\rangle \right].$

When the Bell states are used as an orthonormal basis, they are called the Bell basis [Wil17, pp. 91-93].

Consider the ket vector $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, where $\alpha$ and $\beta$ are complex-valued probability amplitudes, $|0\rangle$ and $|1\rangle$ are the computational bases.

We can express $\alpha$ and $\beta$ in the exponential form [Wil17, (3.6)]:

$\alpha = r_0e^{j\varphi_0}, \qquad \beta = r_1e^{j\varphi_1},$

we can rewrite $|\psi\rangle$ as

$|\psi\rangle = e^{j\varphi_0}\underbrace{\left\{\cos\left(\frac{\theta}{2}\right)|0\rangle + e^{j(\varphi_1-\varphi_0)}\sin\left(\frac{\theta}{2}\right)|1\rangle\right\}}_{\text{Portion that matters}},$

where $\theta$ is related to $r_0$ and $r_1$ by:

$r_0 \triangleq \cos\left(\frac{\theta}{2}\right), \qquad r_1 \triangleq \sin\left(\frac{\theta}{2}\right).$

Thus, given $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, we can rewrite it in the physically equivalent form:

$|\psi\rangle = \cos\left(\frac{\theta}{2}\right)|0\rangle + e^{j\varphi}\sin\left(\frac{\theta}{2}\right)|1\rangle,$

where $\varphi\triangleq\varphi_1-\varphi_0$, $0\leq\varphi\lt2\pi$, $0\leq\theta\leq\pi$. Note:

$\left|\cos\left(\frac{\theta}{2}\right)\right|^2 + \left|e^{j\varphi}\right|^2\left|\sin\left(\frac{\theta}{2}\right)\right|^2 = 1.$

💡 Above, $\theta/2$ is used instead of $\theta$ because for visualisation using a Bloch sphere (more on this later), as $\theta$ ranges from 0 to $\pi$, the values of $\cos$ and $\sin$ are confined within $[0,1]$ to ensure the qubit representation is unique [Wil17, p. 57].

So what is a Bloch sphere?

As explained in Fig. 2, a sphere provides the necessary number of degrees of freedom to represent a ket vector.