BB84 Quantum Key Distribution

An interactive exploration of the first quantum cryptography protocol — provably secure key exchange

? The Problem

Alice and Bob want to establish a shared secret key over a public channel, even if an eavesdropper (Eve) is listening. Classical key exchange relies on computational assumptions. BB84 achieves information-theoretic security using the laws of quantum mechanics: the no-cloning theorem and measurement collapse guarantee that any interception is detectable.

Classical
Computational
BB84 / QKD
Info-theoretic
Key Concepts

Conjugate Bases

Two measurement bases that are mutually unbiased — measuring in the wrong basis yields a uniformly random outcome.

Quantum Channel

Photons are sent one at a time. Each is polarized in one of 4 states across 2 bases.

No-Cloning Theorem

It is impossible to create a perfect copy of an arbitrary unknown quantum state. Eve cannot clone and forward.

Measurement Collapse

Measuring in the wrong basis irreversibly disturbs the state, introducing detectable errors.

The Two Bases

Rectilinear +

0
1
|0⟩ = |↑⟩    |1⟩ = |→⟩

Diagonal ×

0
1
|+⟩ = (|0⟩+|1⟩)/√2
|−⟩ = (|0⟩−|1⟩)/√2

Try It: Measure a Quantum State

A photon is prepared in one of the four states. Choose a measurement basis and see what happens.

Prepared state:
|↑⟩ (+ basis, bit 0)
Measure with:
Click a basis button above to measure
Protocol Walkthrough
navigate steps
Interactive Simulation
A
Alice
B
Bob
E
Eve

Configure the parameters above and click Run Protocol to see the BB84 simulation in action. Toggle Eve to see how eavesdropping introduces detectable errors.

Extracted Sifted Key

Eavesdropping Detected!

Eve intercepted each photon, measured it in a random basis, and re-sent it to Bob. When Eve's basis didn't match Alice's, she irreversibly altered the qubit. This introduced ~25% errors among sifted bits — a clear signal. Alice and Bob would abort the protocol.

Channel is Secure

No eavesdropper was present. All sifted bits are perfectly correlated, yielding 0% error rate. The key can be safely used for one-time pad encryption.

🔒 One-Time Pad — Use Your Key

The shared key from BB84 enables information-theoretically secure encryption. The one-time pad XORs each message bit with a key bit — without the key, the ciphertext is perfectly random, giving zero information about the plaintext. Try it: type a message and encrypt it with the sifted key from the simulation above.

Plaintext
ASCII bits
Type above to see binary…
Key (BB84)
Run the simulation first to generate a key

⚠ Key Reuse Vulnerability

You encrypted two different messages with the same key. This is catastrophically insecure! An attacker who XORs the two ciphertexts gets:

This equals plaintext1 ⊕ plaintext2 — the key cancels out completely! From this, an attacker can use frequency analysis to recover both messages. A one-time pad key must never be reused.

🎮 Be Bob — Choose Your Bases

Experience the protocol first-hand! Alice is sending you polarized photons. For each one, choose a measurement basis (+ rectilinear or × diagonal). You won't know which basis Alice used until afterwards — can you extract a shared key?

π Why ~25% Error Rate?
1
Eve picks a random basis. Probability it matches Alice's: P = 1/2
2
If bases match, Eve reads correctly and re-sends the right state. No error.
3
If bases differ P = 1/2, Eve gets a random result and re-sends a disturbed qubit.
4
Bob (matching Alice's basis) then measures the disturbed qubit — error probability: 1/2
P(error) = 1/2 × 1/2 = 25%

Trace a Single Photon

A
Alice
E
Eve
B
Bob
Probability Tree
📊 Monte Carlo: Error Rate Distribution

Run the BB84 protocol hundreds of times to see how the error rate distributes with and without an eavesdropper. This demonstrates why Alice and Bob can statistically detect Eve's presence with overwhelming confidence.

🔍 Eavesdropper Detection Probability

Each check bit has a 3/4 chance of hiding Eve (she might have guessed the right basis). But as we check more bits, the probability of all of them passing drops exponentially. With n check bits, the probability that Eve goes undetected is (3/4)n.

10
Detection Probability
94.37%
Pdetect = 1 − (3/4)10
Caught No error detected
Confidence Level Check Bits Needed Eve's Escape Prob.
90%8~10%
95%11~4.2%
99%16~1.0%
99.9%24~0.1%
99.99%32~0.01%
99.9999%48< 0.0001%

n = ⌈log(1−p) / log(3/4)⌉ — only logarithmic growth needed for exponential confidence

Key Rate & Efficiency

Not all transmitted qubits contribute to the final key. Between basis sifting, error checking sacrifices, and privacy amplification, the usable key rate is a fraction of the raw transmission rate. Adjust the parameters below to see how they affect the final key.

Rkey = Rraw × psift × (1 − fcheck) × (1 − H(e))
psift = basis match probability (~50%)  •  fcheck = fraction sacrificed for error checking  •  H(e) = binary entropy of error rate (privacy amplification cost)
1000
15%
0%
Sifted out
Error check
Privacy amp.
Usable key
0 bits 1000 bits sent
425 usable key bits (42.5% efficiency)
🌍 Real-World QKD

BB84 is not just a theoretical curiosity — it has been implemented in real systems. Quantum key distribution networks are operational today, with commercial products and government-scale deployments pushing the boundaries of secure communication.

1984
BB84 proposed by Charles Bennett and Gilles Brassard, laying the theoretical foundation for quantum cryptography.
1992
First experimental demonstration over 32 cm of free-space optics at IBM Research, proving the concept works in practice.
2004
First bank transfer secured by QKD in Vienna. Commercial QKD systems begin appearing from companies like ID Quantique.
2017
China’s Micius satellite demonstrates satellite-to-ground QKD over 1,200 km, enabling intercontinental quantum-secure communication.
2021
Integrated QKD network spanning 4,600 km combining fiber and satellite links across China, with 700+ fiber nodes supporting real users.

📡 Fiber Optic

QKD over telecom fiber works up to ~100 km with direct detection. Beyond that, photon loss becomes prohibitive without quantum repeaters.

🛰 Satellite QKD

Free-space channels via satellites avoid fiber loss. Enables QKD over thousands of kilometers, connecting distant ground stations.

🔀 Quantum Repeaters

Future networks will use entanglement-based repeaters to extend fiber QKD range without trusted relay nodes.

📋 BB84 Protocol Summary

A compact reference for the complete BB84 quantum key distribution protocol.

1

Alice Prepares

For each bit, Alice randomly picks a basis (+ or ×) and encodes the bit as a polarized photon.

2

Quantum Transmission

Alice sends each photon over the quantum channel. Any interception disturbs the state.

3

Bob Measures

Bob randomly picks a basis and measures each photon. If his basis matches Alice's, the bit is correct.

4

Basis Reconciliation

Over a public channel, they compare bases (not bits). Mismatched-basis bits are discarded (~50%).

5

Error Estimation

They sacrifice a random subset of sifted bits to check for errors. Error rate >11% ⇒ abort (Eve detected).

6

Privacy Amplification

Remaining bits are compressed via hashing to eliminate any partial information Eve may have. Result: secure key.

Security guarantee:   no cloning + measurement collapseeavesdropping ≡ detectable errors
Check Your Understanding

1. What happens when Bob measures a photon using a different basis than Alice?

2. What error rate among sifted bits signals an intercept-resend eavesdropper?

3. Why can't Eve perfectly clone each photon she intercepts?

4. During basis reconciliation, what do Alice and Bob share publicly?

5. What fraction of qubits survive basis reconciliation on average?

6. Why must a one-time pad key never be reused?

7. With 20 check bits, what is approximately the probability of detecting an eavesdropper?

8. In the key rate formula, what does the binary entropy term H(e) represent?

Your Score
Previous
Quantum State Tomography
Course
All Modules
Next
Grover's Search