A3/The BB84 quantum cryptography protocoll
We will now describe the BB84 protocol. It is named after its inventors C. Bennett and G. Brassard and was published in 1984, where its idea is based on prior work by S. Wiesner. The BB84 is the basis for most quantum cryptography protocols most commonly used in experimental realizations today. The reason for this is probably its structural simplicity, as the basic ideas can be explained with a simple setting with polarized light. We will describe the basic principle in its simplest form and then discuss issues of practical implementation.
We will consider again two parties, called Alice and Bob that want to communicate in private, save from an attacker called Eve. We have established in the last section, that it is sufficient for Alice and Bob to be able to effectively distribute secret key, as this will enable them to use a one-time pad encryption.
Idea of the protocol
They implement a scheme, in which Alice sends quantum signals to Bob, who will perform measurements. If no attack is present, Bob will receive these signals undisturbed, while any disturbance will be considered as a sign of an attack. To determine the level of disturbance, Bob needs to reveal a portion of his measured values over a public channel to be able to compare his findings with the states that Alice sent. In quantum cryptography "no disturbance" will always imply "no information" for Eve.
The basic setting for BB84 looks as follows: Alice has in her laboratory a single photon source, capable of sending single photons at the push of a button. She also has the possibility to prepare the polarisation of the single photons. Bob possesses a detector capable of detecting single photons and an analyser to absorb or transmit photons depending on their polarisation state.
Alice chooses each signal from one of the following four possibilities: either horizontally polarized (0°) light, vertically polarised light (90°), +45° polarised or -45° polarised light. One should note here, that according to the rules of quantum physics, there is no single measurement that is capable to distinguish all four of these states, as only the 0° can be distinguished with certainty from 90° and +45° can be distinguished from -45°, but there is no measurement that can distinguish e.g. 0° from +45° in a single measurement.
Bob may choose one of two measurements: He measures an incoming signal either in the 0°/90° basis (also called the + basis) or the +45°/-45° basis (also called the X basis). This means, that if Alice sends 0° and Bob measures in the + basis, then he will correctly detect that Alice has sent 0°. If he would use the X basis instead, the outcome of the measurement would be random and he would not be able to determine, which state Alice had sent. We have depicted all possible combinations of states and measurements in figure 5.
The unperturbed case
Consider for now that there is no eavesdropper present during the communication. Then the protocol will proceed as follows:
0.) Before the actual quantum communication starts, Alice and Bob discuss publicly that they want to start communicating and how many quantum signals they want to send. Call this number N.
1.) Alice chooses two random bit strings of length N. The first string determines basis choice (0 for + basis and 1 for X basis), the second string the key value. The key value 0 in + basis will be encoded as 0°, the value 1 in + basis as 90° while the value 0 in X basis will be encoded as +45° and 1 in X basis as -45°. She then prepares quantum signals according to her strings and sends them to Bob.
2.) Bob chooses a bit string of length N at random. This string determines in which basis he will measure the incoming signals. For the value 0 he measures in + basis, for the value 1 he measures in X basis. In the unperturbed case, Bob will thus be able to reconstruct Alice’s key bit for those signals, where his random basis choice and Alice’s random bass choice coincide. Otherwise the measurement results of Bob are random and independent of Alice’s key bit, so they are useless for communication.
3.) Alice and Bob both publicly announce their respective basis choices. All instances in which they do not coincide are then discarded.
We have depicted an example for a signal exchange in figure 6. Alice prepares a sequence of quantum states and sends them to Bob, who will measure each signal in a random basis. After the basis is compared, all instances on not matching bases are discarded (bit values marked in red). The bits that are left are called the raw key are represent a candidate for a secret key.
One should note, however, that the graphical representation in figure 6 may be misleading in one aspect: Even though Alice knows, which signals she prepared, Bob does not. So the pictorial representation of the states on Bob’s side only represents Alice’s knowledge (and ours as the omniscient observer) but not Bob’s. This corresponds to the fact that there are no measurements in quantum physics able to distinguish the four states.
When the eavesdropper Eve enters the communication, she is located in between Alice and Bob. This means that any signal Alice sends to bob will at first travel through Eve’s domain giving her the opportunity to interface with the signal. Of course, also Eve is bound by the laws of quantum physics, so also she is not capable of distinguishing all four possible signals with certainty.
Let us first consider an attack by Eve, called an “intercept-resend attack”. Here, Eve performs a measurement on each passing signal and then she prepares a new signal matching the value she has measured and sends this new signal to Bob in order to hide her interference. As she also does not know Alice’s basis choice, she is left with choosing a measurement basis at random, same as Bob.
If for instance she has chosen to measure in + basis and measured the value 1, she will prepare the state 90° and send the state to Bob. Now two things might have happened: Either her basis matches with Alice’s choice or it does not. If the choices coincide, she will have sent the same state Alice prepared and no disturbance occurs. If the choice does not coincide, the state she sends is different from Alice’s state. As Eve’s state is polarised in the other basis, Bob’s measurement result will be independent from the state Alice has chosen. This means that Bob’s measurement will produce a different value from the one Alice sent in half of the cases. As Eve’s basis choice will coincide with Alice and Bob in 50% of the cases and her interference will produce an error in 50% of the cases when the basis did not match, she will thus produce an error of 25% in the raw key.
Testing for errors
To determine the influence of Eve, Alice and Bob need to reveal parts of the raw key to check for errors. If they find no errors, then they can be certain that no eavesdropper has tried to interfere with the communication. If they should find an error rate of 25% they should abort the conversation, as there might be an eavesdropper present.
The basic principle, that any measurement of Eve will produce detectable errors in the raw key holds for any kind of attack that Eve may perform. The task of quantum cryptography is to find ways to prove security independent of assumptions about the possible attacks of Eve. How these estimations and security proofs work will be discussed in the next course.
By comparing parts of their raw key, Alice and Bob can estimate, how much information leaked to Eve. The more errors in the key they observe, the more information was leaked. This information is needed to perform what is called classical post processing. It consists of two steps: Error correction and Privacy amplification. In the error correction step, Alice and Bob will exchange information to make sure that their respective raw keys coincide. Here some additional information will flow to Eve. In the privacy amplification step they will shorten their key in a specific way to reduce the information Eve has about the key. By shortening the key they can thus make sure that Eve will not have any information about the final key left. The classical post processing is a classical algorithm and not specific to quantum communication. Both error correction and privacy amplification can be performed on classical computers.