The first protocol for quantum key distribution, invented by Bennett and Brassard in 1984, securing a shared key with the laws of physics rather than the limits of a computer.
BB84 is the protocol that turned quantum cryptography from a thought experiment into a working technology. Devised by Charles Bennett and Gilles Brassard in 1984, it lets two people share a secret key whose security rests not on the difficulty of a calculation but on the laws of physics themselves. In an age when quantum computers threaten to break the codes we rely on today, BB84 offers a defence that no computer, however powerful, can quietly defeat.
This guide explains what BB84 is, how it works step by step, and why it is secure, before looking at how it is used in the real world and where its limits lie. The protocol is the foundation of quantum key distribution, the most mature application of quantum information, and understanding it is the best way into the whole field.
The problem that BB84 was built to solve
Almost every secure message sent today depends on the two parties first sharing a secret key, and getting that key to both of them without anyone intercepting it is the oldest problem in cryptography. Modern systems solve it with mathematics, using schemes whose security rests on problems like factoring that are hard for ordinary computers. The trouble is that a large quantum computer running Shor’s algorithm would make those problems easy, and so would undo much of that security.
BB84 sidesteps the issue entirely by not relying on any mathematical assumption. Instead of betting that a calculation is too hard to perform, it encodes the key in individual quantum particles whose behaviour guarantees that any eavesdropper leaves a trace. The security of BB84 comes from nature rather than from the limits of an adversary’s computer, which is why it remains safe even against a future quantum attacker.
The danger is not only in the future. Adversaries can already record encrypted traffic today and store it, waiting for a quantum computer capable of breaking it to arrive, a strategy known as harvest now and decrypt later. Any secret that must stay confidential for a decade or more is arguably at risk right now, which is part of why interest in BB84 and its relatives has surged.
How BB84 works step by step
The protocol begins with Alice, who wants to share a key with Bob. For each bit she generates a random value of zero or one and then chooses, at random, one of two ways to encode it, using either a rectilinear basis or a diagonal basis. She sends each bit as a single photon polarised accordingly, so the same bit value looks different depending on which basis she happened to pick.
Bob, receiving the stream of photons, has no idea which basis Alice used, so for each one he simply guesses, measuring in either the rectilinear or the diagonal basis at random. When his choice matches Alice’s the result is reliable, and when it does not the result is effectively random. The diagram below shows a short run of this exchange and how the shared key emerges from it.
After all the photons are sent, Alice and Bob talk over an ordinary public channel and compare which basis each of them used for every bit, though never the bit values themselves. They keep only the bits where their bases happened to agree and discard the rest, a step known as sifting. What remains is a string of bits that, in the absence of interference, both of them share and nobody else knows.
The physics that makes BB84 secure
The security of BB84 rests on two deep features of quantum mechanics. The first is that the two encoding bases are incompatible, so measuring a photon in the wrong basis destroys the information it carried and yields a random answer. There is no way to sit in the middle and read the bit without first guessing the basis, and a wrong guess scrambles the result.
The second feature is the no-cloning theorem, the rule that an unknown quantum state cannot be copied. An eavesdropper cannot simply duplicate each photon, keep one copy to measure later and pass the other along untouched, because physics forbids the copy. Between them these two facts mean that any attempt to learn the key necessarily disturbs it, and that disturbance is exactly what BB84 is designed to detect.
It helps to picture the two bases as two different questions you can ask a photon, questions so incompatible that answering one erases any answer to the other. This is a direct expression of Heisenberg’s uncertainty principle applied to polarisation. Because Alice’s choice of question is random and kept secret until later, no measurement strategy can reliably recover her bits.
Catching an eavesdropper
Suppose an eavesdropper, traditionally called Eve, tries to intercept the photons. Lacking knowledge of Alice’s bases, she must guess just as Bob does, and every time she guesses wrong she disturbs the photon and introduces an error into Bob’s results. Her interference is not subtle, it leaves a statistical fingerprint that Alice and Bob can find.
To check for her, Alice and Bob publicly compare a random sample of their supposedly shared bits and count how many disagree, a figure called the quantum bit error rate. If the rate is low the line is clean and they proceed, but if it climbs above a known threshold they conclude that someone is listening and throw the whole key away. This ability to detect eavesdropping rather than merely hope against it is the defining advantage of BB84.
The numbers are unforgiving for an eavesdropper. In the simplest attack, where Eve measures each photon and resends what she finds, she guesses the basis correctly only half the time and introduces an error in about a quarter of the sifted bits. An error rate that high is impossible to miss, which is why a crude eavesdropper is caught almost immediately.
From a sifted key to a secret key
The sifted bits are not yet usable, because real equipment is imperfect and some errors creep in even without an eavesdropper, while Eve may have learned a little from a cautious attack. Two further classical steps fix this. Error correction reconciles the small differences between Alice’s and Bob’s strings so that they hold an identical key.
Privacy amplification then shrinks the key, using a mathematical procedure that distils a shorter but far more secret string from the corrected one, squeezing out whatever partial knowledge an eavesdropper might have gained. What emerges is a key that Alice and Bob can prove is essentially unknown to anyone else. Only at this point does BB84 hand over a key fit to encrypt real messages.
These classical steps are as essential as the quantum ones, and a flaw in them can undermine an otherwise perfect exchange. Modern implementations lean on decades of work in information theory to make error correction and privacy amplification provably sound. The quantum part gets the attention, but the careful classical processing is what makes the final key trustworthy.
BB84 in the real world
BB84 is not a blackboard curiosity but a deployed technology, running today over optical fibre and through open air. Commercial systems sell BB84-based key distribution to banks and governments, and field networks have linked cities and institutions across several countries. The protocol has moved a long way from its origins in a 1984 conference paper.
Its most spectacular demonstration came from space, when the Chinese Micius satellite distributed quantum keys between ground stations more than a thousand kilometres apart, using protocols in the BB84 family. That experiment showed that quantum key distribution could in principle span continents, pointing toward a future global network secured by the same physics that governs a single photon.
Networks rather than single links are now the frontier. Metropolitan quantum networks have operated in Tokyo, Vienna and several Chinese cities, and a backbone stretching some two thousand kilometres connects Beijing and Shanghai. These testbeds knit individual BB84 links into something closer to real infrastructure, one trusted node at a time.
BB84, E91 and the wider QKD family
BB84 was the first quantum key distribution protocol, but it was not the last, and it belongs to a broad and growing family. It is a prepare-and-measure scheme, in which Alice actively prepares each photon and sends it to Bob, and this simplicity is part of why it remains the most widely used protocol in practice.
A different approach was proposed by Artur Ekert in 1991, the E91 protocol, which uses pairs of entangled particles and derives its security from the violation of Bell’s inequality rather than from the no-cloning theorem directly. BB84 and E91 are the two pillars of quantum key distribution, and many later protocols are refinements or combinations of these two foundational ideas.
The limits of BB84 and the road ahead
For all its elegance BB84 faces real constraints, the sharpest being distance. Photons are absorbed and scattered as they travel through fibre, so the secret key rate falls steeply with length, and beyond a few hundred kilometres a direct link becomes impractical. Unlike a classical signal, a quantum one cannot simply be amplified, because amplification would count as the very copying that physics forbids.
Researchers are pushing past these limits on several fronts, using decoy states to close loopholes in real photon sources, measurement-device-independent schemes to remove whole classes of attack, and quantum repeaters to extend range. The long-term goal is a quantum internet in which BB84 and its descendants secure communication across the globe. The protocol that began the field is still very much at the centre of its future.
There is also the matter of cost, since BB84 needs specialised single-photon hardware and a dedicated channel, which is expensive next to a software update. For many users the simpler answer to the quantum threat is post-quantum cryptography, new classical algorithms believed to resist quantum attack, so the two defences are likely to coexist rather than compete.
