Quantum key distribution (QKD) uses quantum mechanics to establish secure encryption keys between two parties. The BB84 protocol is an example of how it works: Alice sends Bob polarized photons encoded in random bases. Bob measures in a random basis, and they later disclose their bases to keep the results where they matched. This allows detection of eavesdropping, since an eavesdropper would introduce errors. While providing security against future computers, current QKD has limitations like vulnerability to attacks on the classical channel and practical difficulties generating single photons. Overall it demonstrates how quantum effects can offer information-theoretic security for encryption.
2. What is QKD?
• QKD protocols use quantum mechanical phenomena
to establish shared keys between two parties that can
then be used for symmetric encryption schemes.
3. Key Benefit of QKD
• Eavesdropping can be detected allowing for provably
secure communication
5. Quantum Crash Course
Qubit
(shown as a Bloch Sphere)
Collapses when measured
= 0
= 1
As a consequence, it is
impossible to tell what
state a qubit is in with only
a single measurement*
* A corollary is the no cloning
theorem which states that it is
impossible to copy a qubit
+−
0
1
x
y
z
0
1
x
y
z
0
1
x
y
z
6. Quantum Crash Course (cont.)
Qubit
(shown as a Bloch Sphere)
100%
Can measure in a different basis
( − , + basis shown here)
= ++− x
y
z
+−
0
1
x
y
z
7. QKD: Now with more Photons!
Several QKD implementations including the one we’ll talk about use
polarization
Orthogonal Qubit Bases: Orthogonal Polarization Bases:
0 , 1
− , +
0°, 90°
45°, 135°
8. One-Time Pad Encryption
1001011010111010….
⊕
Shared Key
(One-Time Pad)
0011101000101001
Message
1010110010010011
Encrypted Message
1010110010010011
⊕
1001011010111010….
0011101000101001:)
Decrypted Message
Alice Bob
(XOR)
10. A First Protocol: BB84
1. Alice and Bob agree on two (orthogonal) bases to use*
Alice
Bit Basis A Basis B
0 0 −
1 1 +
Bob
*Since BB84 is a protocol that uses polarization, the bases should actually be orthogonal
polarization angles but I’ll use qubit bases because I think it’s more intuitive to understand.
11. A First Protocol: BB84 (cont.)
2. Alice generates a random stream of bits AND a random stream of bases
3. These streams are used to determine the quantum states Alice sends
Alice Bob
1001011010111010…. ABABAABAAABABBAB….
1 − 0 + 0 1 + 0 1 0 + 1 + − 1 − ….
Bit Basis A Basis B
0 0 −
1 1 +
12. A First Protocol: BB84 (cont.)
4. Alice sends the qubits to Bob who measures them in a random basis
Alice
Bob
1 − 0 + 0 1 + 0 ….
BBAAABBB….
Bit Basis A Basis B
0 0 −
1 1 +
13. Flashback: Quantum Measurements
Qubit
(shown as a Bloch Sphere)
Measurement in the same basis
as the qubit was encoded yields
the same result 100% of the time
100% = ++− x
y
z
+−
0
1
x
y
z
14. Flashback: Quantum Measurements
Measurement in an
orthogonal basis yields a
perfectly random basis state
Qubit
(shown as a Bloch Sphere)
= 0
= 1
+−
0
1
x
y
z
0
1
x
y
z
0
1
x
y
z
15. A First Protocol: BB84 (cont.)
What happens when Bob measures?
Alice (sends)
Bob (measures)
Alice sends +
0 , 1 basis:
0 50%
1 50%
+ 100%
− , + basis:
Bit Basis A Basis B
0 0 −
1 1 +
16. A First Protocol: BB84 (cont.)
5. Bob converts his measurements back to bits*
Alice Bob
1 − 0 + 0 1 + 0 …. BBAAABBB….
? 00? 0? 1?….
* Note that Bob will only choose the same basis as Alice 50% of the time on average
Bit Basis A Basis B
0 0 −
1 1 +
17. A First Protocol: BB84 (cont.)
6. Alice and Bob exchange information about the bases they
encoded/measured in over classical channels
7. They discard the bits for which they encoded/measured in different bases
8. The resulting bits are a shared key and can be used as a One-Time Pad!
Alice Bob
BBAAABBB….
?00?0?1?….10010110….
ABABAABA….
0001…. 0001….
Bit Basis A Basis B
0 0 −
1 1 +
18. The End!*
* Wait! What happened to that ”can detect eavesdropping” stuff?
19. BB84: From the top! This time with Eve
1. Alice and Bob agree on two (orthogonal) bases to use
Alice
Bit Basis A Basis B
0 0 −
1 1 +
Bob
20. BB84: With Eve (cont.)
2. Alice generates a random stream of bits AND a random stream of bases
3. These streams are used to determine the quantum states Alice sends
Alice Bob
1001011010111010…. ABABAABAAABABBAB….
1 − 0 + 0 1 + 0 1 0 + 1 + − 1 − ….
Bit Basis A Basis B
0 0 −
1 1 +
21. BB84: With Eve (cont.)
4. Alice sends the qubits to Bob, but they are intercepted by Eve, who
measures them in a random basis*
Alice
Bit Basis A Basis B
0 0 −
1 1 +
Bob
1 − 0 + 0 1 + 0 ….
BBAAABBB….
Eve
ABABABAB….
* Recall that the act of measurement changes the state of the qubit
meaning that imperceptible passive observation should be impossible
22. BB84: With Eve (cont.)
What happens if Eve listens in?
Alice (sends)
Bit Basis A Basis B
0 0 −
1 1 +
Bob (measures)
Alice sends +
0 , 1 basis:
0 50%
1 50%
+ 100%
− , + basis:
Eve (measures)
0 50%
1 50%
0 , 1 basis:
− 50%
+ 50%
− , + basis:
+ 100%
0 50%
1 50%
0 , 1 basis: − , + basis:
Error!
23. BB84: With Eve (cont.)
5. Bob and Eve convert their measurements back to bitstrings
Alice
Bit Basis A Basis B
0 0 −
1 1 +
Bob
1 − 0 + 0 1 + 0 …. BBAAABBB….
Eve
ABABABAB….
10010???….
1 − 0 + 0 ? ? ? ….
?00?0???….
24. BB84: With Eve (cont.)
Without Eavesdropper
Bit Basis A Basis B
0 0 −
1 1 +
Bob Measures:
?00?0???….
With Eavesdropper
?00?0?1?….
Notice that the presence of an eavesdropper changes the outcome of
Bob’s measurements, leaving additional chances to induce errors
25. BB84: With Eve (cont.)
6. Alice and Bob exchange information about the bases they
encoded/measured in over classical channels
7. They discard the bits for which they encoded/measured in different bases
to form the candidate shared key
Alice Bob
BBAAABBB….
?00?0???….10010110….
ABABAABA….
0001…. 000?….
Bit Basis A Basis B
0 0 −
1 1 +
Eve
26. BB84: With Eve (cont.)
8. Alice and Bob then compare a few random bits of the
candidate shared key
Alice Bob0001…. 000?….
Bit Basis A Basis B
0 0 −
1 1 +
Eve
0
1
0
?
✓
✕
* On average there will be a 25% error rate in the presence of an eavesdropper since:
• Errors only occur if Bob chooses the same basis as Alice but Eve chooses the wrong basis
• Eve chooses the same basis as Bob on average 50% of the time
• If Eve and Bob choose different bases, they still measure the same result 50% of the time
27. BB84: With Eve (cont.)
9. If no errors are detected (e.g. there was no Eve), Alice and Bob drop
the bits they compared and use the remaining bits as their shared key
Alice Bob0001…. 0001….
Bit Basis A Basis B
0 0 −
1 1 +
0
1
0
✓
✓ 1
00….0001….
Shared Key
28. Can we do better?
If eavesdropping is detected, can we still get a shared key?
Yes* Alice and Bob can use Privacy Amplification to reduce Eve’s
knowledge about a key
If transmission losses or errors occur, can we still get a shared key?
Yes, Alice and Bob can use Information Reconciliation (form of error
correction) to ensure they have identical keys
*The best I’m aware of allows for up to an 18.9% error rate: https://arxiv.org/pdf/quant-ph/0105121.pdf
29. Physical Implementations
• QKD is done using light
• Most implementations use lasers tuned to get close to producing
single photons
• Transmission can be over optical fibers (421 km is the current record)1
or through free space (has been done over 1200 km to a satellite)2
• Trusted repeater stations are used to create larger QKD links
• BB84 is implemented using polarization (bases are typically [0°, 90°]
and [45°, 135°]), other equivalent schemes use entanglement
1. https://arxiv.org/pdf/1807.03222.pdf
2. https://arxiv.org/pdf/1707.01339.pdf
30. Weaknesses
• Relies on an authenticated classical channel since BB84 is vulnerable to a
simultaneous MITM attack on both channels
• Sources are not perfect single-photon emitters, additional photons can be
captured by Eve using a Photon-Number-Splitting attack1 (addressed by
decoy state modifications)
• Detectors can be tricked by Eve using bright pulses to only register
measurements in bases she chooses (Faked States Attack)2
• Backscatter from bright pulses from Eve can be used to infer basis choices
(Trojan Horse Attack)3
• Vulnerable to Denial-of-Service attacks if errors are beyond privacy
amplification threshold
• Relay stations provide target for hacking
• Reliant on secure supply-chain for QKD components
1. https://pdfs.semanticscholar.org/87d2/fad6966bf5d9726ebd6be3e96a2e8b12bfdc.pdf
2. https://arxiv.org/pdf/1008.4593.pdf
3. https://arxiv.org/pdf/1406.5813.pdf
31. Key Benefit (Amended)
• Eavesdropping can be detected* allowing for provably
secure communication+
* On the quantum channel
+ Assuming you can reliably create, transmit, and detect single
photons on trusted secure hardware over a single link