Fundamentals of Quantum Key Distribution — BB84, B92 & E91 protocols

The shell of classical communication security is about to crack and we are in desperate need of its quantum replacement!

Current scenario of communication

Currently, communication takes place using classical bits and thus the security is purely in the hands of classical cryptography. Classical cryptography can be divided into two major branches; secret or symmetric key cryptography and public key cryptography, which is also known as asymmetric cryptography.

Secret key cryptography represents the most traditional form of cryptography in which two parties both encrypt and decrypt their messages using the same shared secret key. While some secret key schemes, such as one-time pads, are perfectly secure against an attacker with arbitrary computational power , they have the major practical disadvantage that before two parties can communicate securely they must somehow establish a secret key. In order to establish a secret key over an insecure channel, key distribution schemes based on public key cryptography, (such as Diffie-Hellman), are typically employed.

Secret Key Cryptography

In contrast to secret key cryptography, a shared secret key does not need to be established prior to communication in public key cryptography. Instead each party has a private key, which remains secret, and a public key, which they may distribute freely. If one party, say Alice, wants to send a message to another party, Bob, she would encrypt her message with Bob’s public key after which only Bob could decrypt the message using his private key. While there is no need for key exchange, the security of public key cryptography algorithms are currently all based on the unproven assumption of the difficulty of certain problems such as integer factorisation or the discrete logarithm problem. This means that public key cryptography algorithms are potentially vulnerable to improvements in computational power or the discovery of efficient algorithms to solve their underlying problems. Indeed algorithms have already been proposed to perform both integer factorisation and solve the discrete logarithm problem in polynomial time on a quantum computer.

Why Quantum?

While the advent of a feasible quantum computer would make current public key cryptosystems obsolete and threaten key distribution protocols such as Diffie-Hellman, some of the same principles that empower quantum computers also offer an unconditionally secure solution to the key distribution problem. Moreover, quantum mechanics also provides the ability to detect the presence of an eavesdropper who is attempting to learn the key, which is a new feature in the field of cryptography. Because the research community has been focused primarily on using quantum mechanics to enable secure key distribution, quantum cryptography and quantum key distribution (QKD) are generally synonymous in the literature.

Thus, our focus would be to go through the most fundamental quantum key distribution protocols and their security from the perspective of a computer scientist and not that of a quantum physicist.

Quantum Key Distribution (QKD)

The basic model for QKD protocols involves two parties, referred to as Alice and Bob, wishing to exchange a key both with access to a classical public communication channel and a quantum communication channel. This is shown in the given figure. An eavesdropper, called Eve, is assumed to have access to both channels and no assumptions are made about the resources at her disposal. With this basic model established, let’s now take a dive into the various fundamentals QKD protocols.

General representation of a QKD setup

BB84 protocol

Proposed in 1984 by Bennett and Brassard — that’s where the name comes from by the way, the idea is to encode every bit of the secret key into the polarisation state of a single photon. Because the polarisation state of a single photon cannot be measured without destroying this photon, this information will be ‘fragile’ and not available to the eavesdropper. Any eavesdropper (called Eve) will have to detect the photon, and then she will either reveal herself or will have to re-send this photon. But then she will inevitably send a photon with a wrong polarisation state. This will lead to errors, and again the eavesdropper will reveal herself.

It runs as follows-

• Alice sends a sequence of pulses (for instance, femtosecond pulses with 80 MHz rep. rate), each of which, ideally, contains a single photon polarized differently.
• Alice encodes zeroes into H-polarized(Horizontally) photons while unities she encodes into V-polarized photons(vertically) (red arrows in the Fig.).

Fig.: Representation of photon polarization for BB84 protocol

• But this happens only in half of the cases. The other half of bits, chosen randomly, are encoded using a diagonal polarization basis (blue arrows in the Fig.). Then, the ‘D’ polarization corresponds to zero and the ‘A’ polarization, to unity.
• The receiver, Bob, measures the polarization using a standard setup (a PBS or a Glan prism with two single-photon detectors in the output ports, or a calcite crystal also followed by two detectors). This way Bob can distinguish between H and V polarizations if he uses the HV basis (further denoted as ‘+’). But in half of the cases Bob randomly changes his basis (the orientation of his prism) to AD (denoted as ‘X’).
• After a certain number of bits has been transmitted (and all photons have been detected and destroyed!), Bob publicly announces which basis he used for each bit. Alice then says in which cases they used the same bases. They throw out the bits where they used different bases, and leave only those where they used the same one.
• After this procedure (key sifting) the length of the key is reduced twice, but what remains is random and coincides for Alice and Bob.
• Then, they check if there was eavesdropping. To do this, they take a part of the key for instance, (10%) and compare it. This procedure is also public, but these 10% are then discarded. If the eavesdropping took place, the key would contain errors. Then the whole key is thrown out and the procedure is repeated again.
• The table below gives an example of transmitting 8 bits of a secret key. After the key sifting, only 4 bits are left.

Example of BB84 with 8 bits

B92 protocol

In 1992, Charles Bennett proposed the B92 protocol in his paper “Quantum cryptography using any two non-orthogonal states”. B92 protocol is a modified version of the BB84 protocol with the key difference between the two being that while BB84 protocol uses four different polarization states of photon, the B92 protocol uses two (one from the rectilinear basis, conventionally H-polarization state and one from the diagonal basis, conventionally +45°-polarization state). The B92 protocol can be summarized in the following steps-

• Alice sends a string of photons in either H-polarisation state or +45°-polarisation state, chosen randomly. H-state will correspond to the bit ‘0’ whereas +45°-state will correspond to the bit ‘1’.

Fig.: Representation of photon polarization for B92 protocol

• Bob randomly chooses between rectilinear and diagonal basis, to measure the polarisation of the received photon.
• If Bob is measuring in the rectilinear basis, there are two possible circumstances: if the incident photon is H-polarized, then the measurement outcome will be H-state with probability 1 whereas if the incident photon is +45°-polarised, then the measurement outcome will be either H-state or V-state with probability 0.5. Thus, if only the outcome is V-state, Bob can infer confidently that the incident polarization state of the photon is ‘+45°’.
• Similar argument will be applicable if Bob is measuring in the diagonal basis, where the measurement outcome of -45°-state will indicate that the incident polarisation state of the photon is ‘H’.
• After the transmission of the string of photons, Bob announces the instances in which the measurement outcome was either ‘V’ or ‘-45°’ and the rest are discarded by both of them. These results can be used to generate a random bit string between Alice and Bob.
• For the verification of eavesdropping, Bob and Alice publicly share a part of the generated random bit string and if the bit error rate crosses a tolerable limit, the protocol is aborted. If not, they now have been able to generate a secure and symmetric key between them.

We suggest you to go deeper yourself to know more about the tolerable limit and how it’s calculated.

E91 protocol

The important principle on which QKD is based is the principle of quantum entanglement. It is possible for two particles to become entangled such that when a particular property is measured in one particle, the opposite state will be observed on the entangled particle instantaneously. This is true regardless of the distance between the entangled particles. It is impossible, however, to predict prior to measurement what state will be observed thus it is not possible to communicate via entangled particles without discussing the observations over a classical channel. The process of communicating using entangled states, aided by a classical information channel, is known as quantum teleportation and is the basis of Ekert’s protocol.

Setup Representation of E91 protocol

Let us now go through the procedure of the quantum E91 protocol in the following steps-

• The source centre chooses the EPR pair(Entangled Bell State) |φ+⟩=(1/√2)(|00⟩+|11⟩), sends the first particle |φ+⟩₁ to Alice and second particle |φ+⟩₂ to Bob.
• Alice makes a measurement with a direction randomly chosen between {0, π/8 , π/4}, whereas Bob makes a measurement with a direction randomly chosen between {−π/8 , 0, π/8}. They record the measurement result and broadcast the measurement basis which they used, through the classical channel.
• Thus, Alice and Bob now know each other's choice. They divide the measurement result into two groups: one is the decoy qubits G₁ where they choose different measurement basis and another is the raw key qubits G₂ where they choose the same measurement basis.
• The group G₁ is used to detect whether there is an eavesdropping. To detect eavesdropping, they can compute the test statistic S using the correlation coefficients between Alice’s bases and Bob’s, similar to that shown in the Bell test experiments. If there is an error in the value of S, which means that there is also a eavesdropper, Alice and Bob will conclude that the quantum channel is not safe and they will interrupt this communication and start a new one.
• If the quantum channel is safe, G₂ can be used as the raw keys because Alice and Bob can receive the same measurements. Both Alice and Bob agree on that the measurement |0⟩ represents the classical bit 0, while the measurement |1⟩ represents the classical bit 1, and thus get their key string.

Conclusion

We saw the basic fundamental protocols each of which can be used in various situations where fit right. There are many other modern and more advanced protocols today as well but these are the most fundamental protocols that define the basis of Quantum Key Distribution. To get a better grasp of the concepts try to read the original research papers of these protocols attached below.

Quantum Cryptography is a new revolution in the world of secure communication and as the research continues, the day is not very far when we will be successfully using it for highly secure communication.

Original papers: BB84, B92, E91

Written by — Maanav Seth and Amit Yadav