Cryptography
Quantum Key Distribution
Most encryption today is secure because breaking it would take too long — a bet that computers stay slow enough. Quantum key distribution makes a different bet: that the laws of physics themselves can guarantee security. Anyone who tries to listen in unavoidably leaves fingerprints.
Why Quantum Key Distribution?
Security from Physics, Not Mathematics
The encryption protecting your bank login and private messages relies on math problems that are simply too slow for today's computers to solve. That security is conditional — it holds only as long as no one builds a fast enough machine. Shor's algorithm on a large quantum computer would break it. (Classical key exchange — Diffie-Hellman, RSA — depends on the assumed hardness of factoring and discrete logarithms, both solvable in polynomial time by Shor's algorithm.)
Quantum key distribution takes a fundamentally different approach: its security comes from physics, not computational difficulty. Quantum mechanics says that measuring a quantum system disturbs it, and that an unknown quantum state cannot be copied. So an eavesdropper can't silently tap the line — the act of listening changes what's being sent, and the legitimate parties can detect it. (The measurement-disturbance principle and the No-Cloning Theorem are the two physical foundations.)
This means QKD's security holds against any adversary — no matter how much computing power they have, now or in the future, quantum or otherwise. (This is called information-theoretic or "unconditional" security, in contrast to the computational security of classical cryptography.)
The BB84 Protocol (1984)
How BB84 Works
The setup: Two parties — conventionally called Alice and Bob — want to agree on a secret key. Alice sends Bob a stream of individual light particles (photons), each carrying one bit of information encoded in a randomly chosen "orientation."
Step 1 — Preparation: For each photon, Alice randomly picks a bit value (0 or 1) and one of two encoding orientations, then sends it. (The two orientations are conjugate bases: rectilinear {|0⟩,|1⟩} or diagonal {|+⟩,|−⟩}.)
Step 2 — Measurement: Bob doesn't know which orientation Alice used, so he guesses randomly for each photon. When he guesses right, he reads the bit perfectly. When he guesses wrong, he gets a random result — quantum mechanics guarantees it. (Measuring in the wrong basis projects the state onto that basis with 50/50 probability.)
Step 3 — Sifting: Alice and Bob talk over an ordinary public channel and compare which orientations they each used — but never the bit values themselves. They throw away every bit where their choices didn't match, about half. What remains is the shared "sifted key."
Step 4 — Error checking: They sacrifice a random sample of their remaining bits and compare them publicly. If too many disagree, someone was listening — an eavesdropper's measurements would have disturbed the photons and introduced errors. They discard the key and start over. (The error fraction is the Quantum Bit Error Rate, QBER; above ~11% the channel is considered compromised.)
Step 5 — Distillation: If the error rate is acceptably low, classical post-processing corrects the remaining errors and compresses the key, squeezing out any partial information an eavesdropper might have gleaned. The result is a shorter key that is provably secret. (Error correction followed by privacy amplification via universal hashing.)
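Steps 1 to 4 as a runnable simulation (an added example, not code from the original page). It assumes a noiseless channel and an intercept-resend eavesdropper, both modelling choices made here; the function names are hypothetical and Step 5 post-processing is not implemented.

```python
import random

QBER_THRESHOLD = 0.11  # abort threshold quoted in Step 4

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis reads the bit; a mismatched basis gives a 50/50 result."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n_photons, eavesdrop, seed):
    """Run Steps 1-4 once. Returns (sifted_len, qber, accepted, key_bits)."""
    rng = random.Random(seed)  # one seeded RNG stands in for all parties
    alice, bob = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)  # Step 1
        sent_bit, sent_basis = bit, a_basis  # basis: 0 rectilinear, 1 diagonal
        if eavesdrop:
            # Assumed attack model: the eavesdropper measures in a random
            # basis and resends a photon prepared in the state she observed.
            e_basis = rng.randint(0, 1)
            sent_bit = measure(sent_bit, sent_basis, e_basis, rng)
            sent_basis = e_basis
        b_basis = rng.randint(0, 1)                           # Step 2
        result = measure(sent_bit, sent_basis, b_basis, rng)
        if a_basis == b_basis:                                # Step 3: sifting
            alice.append(bit)
            bob.append(result)
    # Step 4: sacrifice a random half of the sifted key to estimate the QBER.
    positions = list(range(len(alice)))
    rng.shuffle(positions)
    half = len(positions) // 2
    sample, kept = positions[:half], positions[half:]
    if not sample:
        raise ValueError("too few sifted bits to estimate the QBER")
    qber = sum(alice[i] != bob[i] for i in sample) / len(sample)
    accepted = qber <= QBER_THRESHOLD
    # On abort the key is discarded entirely, as the protocol requires.
    key = [alice[i] for i in kept] if accepted else []
    return len(alice), qber, accepted, key

if __name__ == "__main__":
    for eve in (False, True):
        n, qber, ok, key = bb84(4000, eve, seed=1)
        print(f"eavesdropper={eve}: sifted={n} QBER={qber:.3f} "
              f"accepted={ok} key_bits={len(key)}")
```

With the eavesdropper present, the sampled error rate settles near 25%, well above the abort threshold, because she picks the wrong basis half the time and each wrong pick randomizes Bob's result half the time.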
The E91 Protocol (1991)
Entanglement-Based QKD
The idea: Instead of Alice sending photons to Bob, a central source creates pairs of "entangled" photons — particles whose properties are linked no matter how far apart they travel — and sends one to each party. When Alice and Bob measure their photons, the linked outcomes give them matching key bits.
Catching eavesdroppers: Entangled particles share correlations that are provably stronger than anything classical physics allows. Alice and Bob can test for these "impossible" correlations — if the test passes, the photons are genuinely entangled and untouched; if it fails, something (or someone) interfered. (The test is a Bell/CHSH inequality: quantum mechanics predicts |S| = 2√2 ≈ 2.83, while any classical or tampered system is bounded by |S| ≤ 2.)
The deeper advantage: Because the test certifies the physics directly, E91's security doesn't require trusting the hardware — even equipment bought from an adversary can be verified. This long-theoretical idea became real: device-independent QKD was experimentally demonstrated in 2022, and a February 2026 result extended it over 11 km of optical fiber — roughly 3,000 times the previous record — with validation up to 100 km. (Device-independent QKD: Nature 607, 682–691 (2022); DI-QKD over deployed fiber, 2026.)
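A Monte Carlo estimate of the CHSH value S used in the eavesdropping test above, added here as an illustration and not part of the original page. The analyzer angles, the (|HH⟩ + |VV⟩)/√2 source state and the "pairs measured in transit" tampering model are assumptions of this example.

```python
import math
import random

# Analyzer angles (radians) that maximize S for polarization-entangled photons.
A, A2 = 0.0, math.pi / 4
B, B2 = math.pi / 8, 3 * math.pi / 8

def sample_pair(a, b, entangled, rng):
    """Return Alice's and Bob's outcomes (+1 or -1) for analyzer angles a, b."""
    if entangled:
        # Entangled source: each outcome alone is random, but the two
        # outcomes agree with probability cos^2(a - b).
        x = rng.choice((1, -1))
        y = x if rng.random() < math.cos(a - b) ** 2 else -x
        return x, y
    # Tampered source (assumed model): every pair was measured in the H/V
    # basis in transit, leaving a classical mix of HH and VV. Each side then
    # follows Malus's law independently.
    pol = rng.choice((0.0, math.pi / 2))
    x = 1 if rng.random() < math.cos(a - pol) ** 2 else -1
    y = 1 if rng.random() < math.cos(b - pol) ** 2 else -1
    return x, y

def correlation(a, b, entangled, rng, n):
    """Estimate E(a, b) as the mean product of outcomes over n pairs."""
    total = 0
    for _ in range(n):
        x, y = sample_pair(a, b, entangled, rng)
        total += x * y
    return total / n

def chsh(entangled, seed, n=20000):
    """S = E(a,b) - E(a,b') + E(a',b) + E(a',b')."""
    rng = random.Random(seed)
    return (correlation(A, B, entangled, rng, n)
            - correlation(A, B2, entangled, rng, n)
            + correlation(A2, B, entangled, rng, n)
            + correlation(A2, B2, entangled, rng, n))

if __name__ == "__main__":
    print(f"entangled source: S = {chsh(True, seed=7):.3f}")   # near 2.83
    print(f"tampered source:  S = {chsh(False, seed=7):.3f}")  # near 1.41
```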
Protocol Comparison
Real-World QKD — Satellite Links
Practical Limitations
Distance Limits
Photons get absorbed as they travel through fiber, so range is limited. Standard QKD reaches roughly 100–200 km, though newer twin-field protocols have pushed records to 830 km and beyond 1,000 km in lab conditions. Practical long-haul links still await quantum repeaters, an unsolved engineering challenge. (Fiber loss ~0.2 dB/km; TF-QKD records: 830 km, Nature Photonics 2022; 1,002 km, PRL 2023.)
Low Key Rates
Current systems generate keys far more slowly than conventional methods — kilobits to megabits per second — too slow for high-throughput applications. Classical key exchange is orders of magnitude faster.
Side-Channel Attacks
The protocol may be perfectly secure on paper, but real hardware can be exploited — attackers have manipulated photon detectors directly rather than attacking the quantum physics. Real-world security requires careful engineering beyond the protocol itself. (e.g. detector blinding attacks.)
Trusted Relay Nodes
Because of distance limits, long QKD networks chain together intermediate stations where the key exists unprotected — each one a potential physical vulnerability if compromised. (e.g. China's 2,000 km Beijing–Shanghai backbone uses trusted relays.)