Sifted key (matching bases) Key
Protocol legend
Bases: + = rectilinear {↑,→} × = diagonal {↗,↘}
Bit encoding: + basis: 0=→, 1=↑ × basis: 0=↗, 1=↘
Matching bases → correct measurement → sifted bit
Eve's intercept randomly disturbs ~25% of matching bits →
detectable QBER ≥ 0.25
About BB84 Quantum Key Distribution
BB84 is the world's first quantum cryptography protocol, published by Charles Bennett and Gilles Brassard in 1984. It uses the quantum mechanical properties of photons — specifically that measuring a quantum state in the wrong basis irreversibly disturbs it — to distribute a secret cryptographic key between two parties (Alice and Bob) such that any eavesdropping by a third party (Eve) is detectable. This is a genuine physical security guarantee, not a computational one: it holds even against an attacker with unlimited computing power.
In this simulation, Alice sends qubits encoded in randomly chosen rectilinear (+) or diagonal (×) bases; Bob measures in his own random bases. After transmission, they publicly compare bases (not values), keep only matching-basis bits, and check a sample for errors introduced by eavesdropping. You can adjust the number of qubits, add an eavesdropper, and see the resulting sifted key and error rate.
Frequently Asked Questions
What makes BB84 secure against eavesdropping?
Security comes from the no-cloning theorem of quantum mechanics: an eavesdropper cannot copy an unknown quantum state without disturbing it. If Eve intercepts a qubit and measures it in the wrong basis, she collapses the superposition, causing Alice and Bob to see a ~25% error rate in their check bits — well above the noise floor — revealing the intrusion.
What are the two bases used in BB84?
BB84 uses two conjugate bases: the rectilinear (or Z) basis with states |0⟩ and |1⟩ (horizontal/vertical polarisation), and the diagonal (or X) basis with states |+⟩ and |−⟩ (±45° polarisation). These bases are "mutually unbiased": measuring an X-basis state in the Z basis gives a completely random result, and vice versa.
What is the sifted key rate?
After Alice and Bob compare bases over a public channel, they keep only the bits where their randomly chosen bases match, discarding the rest. On average, bases match 50% of the time, so the sifted key rate is half the raw qubit transmission rate. Further key distillation (error correction and privacy amplification) reduces it further but removes any information Eve may have gained.
How is BB84 implemented in the real world?
Commercial QKD systems transmit single photons (or weak coherent pulses) through optical fibre or free-space links. Companies such as Toshiba and ID Quantique sell QKD hardware operating at hundreds of kilometres over fibre. The BB84 protocol underpins the ETSI and ISO/IEC 23837 quantum cryptography standards.
What is quantum key distribution used for?
QKD is used to distribute symmetric encryption keys that are then used with classical algorithms such as AES-256. Real deployments include interbank communications in China's quantum network (over 2,000 km of fibre), government communications, and high-security data centres. The keys are information-theoretically secure, making them future-proof against quantum computers.
What is the no-cloning theorem?
The no-cloning theorem, proved by Wootters and Zurek in 1982, states that it is impossible to create an identical copy of an arbitrary unknown quantum state. This follows from the linearity of quantum mechanics: a hypothetical cloning operation would have to copy both basis states simultaneously, which is impossible without knowing the state in advance.
What is the difference between QKD and quantum computing?
Quantum key distribution uses quantum mechanics to distribute secret keys; it is a communication protocol that can run on today's photonic hardware. Quantum computing uses quantum superposition and entanglement to perform computations exponentially faster than classical computers for certain problems. QKD is already commercially deployed, while large-scale quantum computing remains a research goal.
How does the error rate reveal eavesdropping?
If Eve intercepts a qubit and measures it, she guesses the basis correctly 50% of the time. When she guesses wrong, she disturbs the qubit, and Bob's subsequent measurement in Alice's basis will produce a wrong bit 50% of the time. Averaged over all intercept events, this introduces a 25% quantum bit error rate (QBER) in the sifted key, easily distinguishable from typical noise levels of under 5%.
Can BB84 be broken by a quantum computer?
No. BB84's security is based on the laws of quantum physics, not on the difficulty of a mathematical problem. Shor's algorithm (which runs on a quantum computer) can break RSA and elliptic-curve cryptography, but it cannot help an eavesdropper obtain the BB84 key without causing detectable disturbance. This is why QKD is considered "post-quantum secure."
What is privacy amplification?
After error correction, Alice and Bob apply privacy amplification: they compress the sifted key using a randomly chosen hash function to reduce Eve's potential knowledge of the key to negligibly small levels. If Eve has information about at most k bits of the n-bit corrected key, hashing to n−k−s bits leaves her with less than 2^(−s) bits of mutual information about the final key.