• Cryptography
  • Also: QKD

Quantum Key Distribution

A cryptographic protocol that uses quantum mechanics to distribute encryption keys, with security guaranteed by physics: any eavesdropping attempt is detectable.

Quantum key distribution (QKD) allows two parties to establish a shared secret key with security guaranteed by the laws of physics. Any attempt by an eavesdropper to intercept the key necessarily disturbs the quantum states being transmitted, and this disturbance is detectable. If the channel is found to be undisturbed, the key is provably secret, regardless of the eavesdropper’s computational power, including quantum computers.

This is a fundamentally stronger security guarantee than classical cryptographic key exchange, which relies on mathematical hardness assumptions that could break if better algorithms are found.

The details

BB84 protocol (Bennett and Brassard, 1984):

Alice encodes bits as individual photons, choosing randomly between two bases: the rectilinear basis ($|0\rangle, |1\rangle$) and the diagonal basis ($|+\rangle, |-\rangle$):

  • Bit 0 in rectilinear: $|0\rangle$ (horizontal polarization)
  • Bit 1 in rectilinear: $|1\rangle$ (vertical polarization)
  • Bit 0 in diagonal: $|+\rangle$ (diagonal polarization)
  • Bit 1 in diagonal: $|-\rangle$ (anti-diagonal polarization)

Bob measures each arriving photon in a randomly chosen basis. After transmission, Alice and Bob compare their basis choices over a public (but authenticated) classical channel. They keep only the bits where their bases matched (the “sifted key”), discarding the rest.

An eavesdropper (Eve) who intercepts photons must guess the basis before measuring. If she guesses wrong, she projects the photon into the wrong basis and re-sends an incorrect state, introducing an error rate of 25% on the sifted key. Alice and Bob detect Eve by sampling a subset of their sifted key and comparing values. Error rates above roughly 11% indicate eavesdropping, and they abort.

Privacy amplification is then applied to the remaining key, using universal hash functions to distill a shorter but provably secure key from the sifted bits that Eve has only partial information about.
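The sifting and eavesdropper-detection steps above, as an added simulation that is not part of the original page. It assumes an ideal lossless, noiseless channel and an Eve who intercepts and re-sends every photon; the function names, the 50% sample fraction and the seeded generator are choices of this sketch, and privacy amplification is not modelled.

```python
import random

RECT, DIAG = 0, 1      # rectilinear (|0>,|1>) and diagonal (|+>,|->) bases
ABORT_QBER = 0.11      # abort threshold quoted in the text

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis returns the encoded bit; the wrong basis gives a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84(n_photons, eavesdrop, seed, sample_fraction=0.5):
    # Seeded PRNG so the run is reproducible; a real system needs true randomness.
    rng = random.Random(seed)
    alice_sift, bob_sift = [], []
    for _ in range(n_photons):
        bit, a_basis = rng.randrange(2), rng.choice((RECT, DIAG))
        state_bit, state_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve measures in a guessed basis and re-sends
            # whatever she saw, encoded in that same basis.
            e_basis = rng.choice((RECT, DIAG))
            state_bit = measure(state_bit, state_basis, e_basis, rng)
            state_basis = e_basis
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(state_bit, state_basis, b_basis, rng)
        if a_basis == b_basis:          # sifting: keep matching-basis positions
            alice_sift.append(bit)
            bob_sift.append(b_bit)
    # Parameter estimation: reveal a random sample publicly, then discard it.
    idx = list(range(len(alice_sift)))
    rng.shuffle(idx)
    k = int(len(idx) * sample_fraction)
    sample, keep = idx[:k], idx[k:]
    errors = sum(alice_sift[i] != bob_sift[i] for i in sample)
    qber = errors / k if k else 0.0
    return {
        "sifted": len(alice_sift),
        "qber": qber,
        "abort": qber > ABORT_QBER,
        "alice_key": [alice_sift[i] for i in keep],
        "bob_key": [bob_sift[i] for i in keep],
    }

if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(20000, eavesdrop=eve, seed=1)
        print(f"eve={eve} sifted={r['sifted']} "
              f"qber={r['qber']:.3f} abort={r['abort']}")
```

About half the photons survive sifting in both runs; only the measured error rate separates the clean channel from the tapped one.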

E91 protocol (Ekert, 1991):

Alice and Bob share a stream of entangled Bell pairs. They measure their qubits in various bases and then test Bell inequalities on a subset of outcomes. A violation of the Bell inequality confirms that the measured qubits were genuinely entangled and not pre-measured by Eve. The remaining correlated bits form the key.
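The Bell test described above, as an added simulation that is not part of the original page. It assumes the CHSH form of the Bell inequality (classical bound 2, quantum maximum 2√2), which the page does not name, ideal detectors, and an Eve who measures every pair along a guessed axis before delivery; the angles and function names are choices of this sketch, and key extraction is not modelled.

```python
import math
import random

# CHSH analyzer angles in the Bloch-sphere convention (assumed for this sketch).
A_SETTINGS = (0.0, math.pi / 2)
B_SETTINGS = (math.pi / 4, 3 * math.pi / 4)

def spin(angle, state_angle, rng):
    """+1/-1 outcome for a qubit pointing along state_angle, measured along angle."""
    p_up = (1 + math.cos(angle - state_angle)) / 2
    return 1 if rng.random() < p_up else -1

def measure_pair(a, b, tapped, rng):
    if tapped:
        # Eve pre-measures the pair along a guessed axis: what Alice and Bob
        # receive is an anti-aligned product state, no longer entangled.
        phi = rng.choice(A_SETTINGS)
        alice_state = phi if rng.random() < 0.5 else phi + math.pi
        return spin(a, alice_state, rng), spin(b, alice_state + math.pi, rng)
    # Singlet pair: Alice's outcome is uniform, and Bob's qubit is then
    # anti-aligned with her outcome along her measurement axis.
    x = rng.choice((1, -1))
    bob_state = a + math.pi if x == 1 else a
    return x, spin(b, bob_state, rng)

def chsh(n_pairs, tapped, seed):
    """Estimate |S| = |E(a,b) - E(a,b') + E(a',b) + E(a',b')| from samples."""
    rng = random.Random(seed)
    sums = {(i, j): [0, 0] for i in (0, 1) for j in (0, 1)}
    for _ in range(n_pairs):
        i, j = rng.randrange(2), rng.randrange(2)
        x, y = measure_pair(A_SETTINGS[i], B_SETTINGS[j], tapped, rng)
        sums[(i, j)][0] += x * y
        sums[(i, j)][1] += 1
    E = {k: s / n for k, (s, n) in sums.items()}
    return abs(E[(0, 0)] - E[(0, 1)] + E[(1, 0)] + E[(1, 1)])

if __name__ == "__main__":
    print("entangled   |S| =", round(chsh(40000, False, 7), 3))
    print("pre-measured |S| =", round(chsh(40000, True, 7), 3))
```

Untouched pairs give |S| near 2√2, above the classical bound of 2; pre-measured pairs give |S| near √2, so the test fails and the run is rejected.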

Information-theoretic security: QKD is secure even against an adversary with unlimited classical or quantum computational power. This contrasts with RSA, whose security is computational: it holds only as long as factoring is hard.

Why it matters for learners

QKD is the most commercially mature application of quantum mechanics to real-world problems. Networks are deployed and operational today in:

  • China: over 2,000 km fiber network plus satellite links via Micius
  • Europe: OpenQKD testbeds across multiple countries
  • Japan: Tokyo QKD network operational since 2010
  • US: Various research and government testbeds

Understanding QKD requires knowing the no-cloning theorem (why copying qubits is impossible), superposition (why photons can be in multiple polarization states), and measurement (why measuring disturbs the state). These concepts work together to create physical security.

The contrast with post-quantum cryptography (PQC) is practically important: PQC is a software solution deployable on existing networks, while QKD requires specialized quantum hardware and dedicated channels. For most organizations, PQC is more practical; QKD is reserved for high-value long-lived secrets.

Common misconceptions

Misconception 1: QKD is unhackable. The physics of QKD is secure, but implementations have vulnerabilities. Real photon sources sometimes emit multi-photon pulses, allowing an eavesdropper to siphon off one photon while the rest continue undetected. Single-photon detectors can be blinded or fooled by laser pulse attacks. Device-independent QKD removes assumptions about device behavior and closes most side channels, but is technically demanding.

Misconception 2: QKD makes all other cryptography obsolete. QKD only distributes keys; it does not encrypt data by itself. Once a key is distributed, symmetric encryption (AES) is used for actual data. Moreover, QKD requires dedicated point-to-point quantum channels and does not scale to the full internet. For most applications, PQC is the appropriate solution.

Misconception 3: QKD is limited to very short distances. Single-photon losses in fiber limit unamplified QKD range to roughly 200-300 km. Trusted relay stations extend this using classical switching (at the cost of security at each relay). Satellite-based QKD removes the fiber attenuation limit and has demonstrated entanglement distribution over 1,200 km. Quantum repeaters (in research, not yet deployed) would extend range without trusted relays.

See also