
Summer Research Fellowship Programme of India's Science Academies

Study of BB84 QKD protocol: Modifications and attacks

Priyanka M.

M.Sc. Student, NSS College, Ottapalam, Kerala

Guided by:

Dr. Urbasi Sinha

Associate Professor, Raman Research Institute, Bengaluru

Abstract

Cryptography, the art of secure communication using secret codes, dates back more than 2000 years. The sender encrypts a message by combining it with a key using a suitable algorithm or cipher, and the receiver decrypts it by performing the inverse algorithm. The potential issue is that the message could be read by an unauthorised person. In the current era of information, the importance of cryptography is increasing day by day. Whether it is a casual text message or a confidential communication of national importance, we have to ensure its security against malicious activities. Conventional methods of cryptography make the eavesdropper's task difficult by relying on complex mathematical problems such as large integer factorisation and discrete logarithms. But with the advent of better algorithms and faster computers, these methods can become potentially insecure. The one-time pad is provably secure, provided the key is used only once. But distributing the key itself through a potentially insecure channel is a challenging task. It was Stephen Wiesner who, in 1970, introduced the idea of Quantum Cryptography: that peculiar features of quantum theory offer a solution to the problem of secure transmission of cryptographic keys. Elementary quantum states such as polarised single photons are used to carry information through a quantum channel. In 1984, Charles Bennett and Gilles Brassard introduced the first quantum cryptography protocol, BB84. According to an ideal description of BB84, it is invulnerable to attacks. But various factors such as technical imperfections and enhanced eavesdropping techniques pose a threat to this protocol. Hence various modifications have been introduced to patch these imperfections, and work is still going on. The main aim of this project is to study the BB84 protocol and its modifications. Various other protocols are also considered for comparison.

Keywords: Quantum Cryptography, Quantum Key Distribution, BB84 protocol, Photon number splitting attack, Quantum bit error rate.

INTRODUCTION

Background

Those who use WhatsApp might have noticed a standard sentence at the top of every chat: “messages to this chat and calls are now secured with end-to-end encryption.” How well aware are we of the security of our online chats, e-mails, bank transactions etc.? Secret communication using codes indecipherable by a third party has a history going back to when people first started to communicate with each other. In the current era of information, the importance of this practice, called Cryptography, keeps increasing at an alarming rate.

Classical cryptography, in general, consists of two major kinds: symmetric cryptography (secret/private-key) and asymmetric cryptography (public-key).

In symmetric cryptography, the sender and receiver possess the same shared secret key for encryption and decryption respectively. It has the major disadvantage that the key must be established between the sender and receiver in advance, prior to any communication. In asymmetric cryptography, by contrast, each party has a private key, which is kept secret, and a public key, which they may distribute publicly. In this scheme, the sender encrypts the message using the receiver’s public key and the receiver decrypts it using the private key. Hence there is no need for key exchange prior to communication. Usually, the key exchange step of symmetric cryptography is carried out using a public key exchange scheme. The security of such public key cryptography relies on the unproven assumption that certain complex mathematical problems cannot be solved in reasonable time using classical computation. Hence, it is potentially vulnerable to improvements in computational methods.

In fact, the advent of quantum computers and better algorithms like [1], [2], which can solve such complex mathematical problems in polynomial time on a quantum computer, makes conventional cryptosystems like DES, RSA, DLP, IFP etc. obsolete and threatens key distribution protocols such as Diffie-Hellman. But the same principles which empower quantum computers were found to offer an unconditionally secure solution to the key distribution problem. That was an entirely new arena in the field of cryptography: using quantum principles for secure transmission of cryptographic keys, or Quantum Cryptography. [3]

The idea was first put forward by Stephen Wiesner in 1970 and the first quantum key distribution (QKD) protocol, the BB84 protocol, was introduced by Charles Bennett and Gilles Brassard in 1984.

This work is intended to study the BB84 protocol, which is still among the most prominent QKD protocols of all time. Various modifications of it and attacks on it are surveyed to get a better picture. Auxiliary details on certain other QKD protocols are also noted briefly for comparison.

 

Objectives

  •  To study the BB84 QKD protocol
  •  To survey major modifications made to the protocol
  •  To take a short look at major attacks posed against BB84
  •  To briefly review various other QKD protocols

 

Scope

This project is a theoretical study of the BB84 QKD protocol and its modifications, carried out in an allotted time of two months. The resources for this study were collected mainly from various research papers. Only modifications to the protocol are considered; no experimental modifications are included in this study.

LITERATURE REVIEW

One-time pad

OTP has been proven to be the perfectly secure cryptographic protocol by C.E. Shannon. The scheme uses a random key which is only known to the sender and receiver. The sender will initially translate the message into a string of binary digits and perform sum modulo 2 with the key which is another random binary string of the same length. The requirement that the key must have the same length as that of the message is a prime important need for perfect secrecy. Now the result is a completely uncorrelated string which is undecipherable to anyone who does not know the key. The receiver will decode the encrypted message by adding again the secret key. This method is only safe, though, if the key is used just once [4].

To illustrate, consider a sender (henceforth “Alice”) encrypting a message M, in the form of a string of binary digits, by combining it with a randomly generated key K of the same length as M. Since the digits of K are random, the key itself contains no information. Alice encrypts the message as a signal S = M ⊕ K, where ⊕ indicates the XOR operation. The signal S will contain the same amount of randomness as K. Hence, any eavesdropper (henceforth “Eve”) cannot get any information from it. But the receiver (henceforth “Bob”) can decipher the message by performing the inverse operation. The security of the message is weakened by repeated usage of the key. For example, suppose two messages M₁ and M₂ are encrypted using the same key K. Since K ⊕ K = 0,

S₁ ⊕ S₂ = M₁ ⊕ K ⊕ M₂ ⊕ K = M₁ ⊕ M₂.

Since the bits in M₁ and M₂ are not random, the eavesdropper gains some information about the messages. Such issues are avoided by using the key only once, i.e., the one-time pad [5]. The name ‘one-time pad’ is attributed to this scheme because, during the second world war, the key was written on a sheet torn from a pad.

 Quantum Cryptography - History

The birth of Quantum cryptography was during the late sixties, when Stephen Wiesner wrote his highly innovative paper, ‘Conjugate Coding’, which unfortunately, was unpublished at that time and went unnoticed. In that paper he introduced the idea of using the principles of quantum physics to produce bank notes that would be practically impossible to counterfeit and showed the idea of implementing what he called a “multiplexing channel”, similar to Rabin’s “Oblivious Transfer” which he introduced after more than ten years.

The paper was revived when Charles H. Bennett and Gilles Brassard joined hands. Bennett knew Wiesner well and had heard about his idea straight from the horse’s mouth. Thus, quantum cryptography regained life on the occasion of the 20th IEEE Symposium on the Foundations of Computer Science, held in Puerto Rico in October 1979. Inspired by Wiesner’s ideas, they discovered how to incorporate the notion of public key cryptography, which resulted in a CRYPTO ’82 paper. Following this, Wiesner’s original paper was published in ‘Sigact News’ along with some other selected papers from the earlier CRYPTO ’81 workshop [6].

But due to the lack of proper technology to implement it, quantum cryptography could only give the impression of science fiction at that time. This impression was soon dispelled when Bennett and Brassard realised that photons were never meant to store information, but rather to transmit it. What came first was the idea of a self-winding reusable one-time pad, which was however impractical at the time. Later Bennett came up with the idea of a quantum key distribution channel and Brassard designed a quantum coin-tossing protocol [7], which was somewhat less realistic. That was a great breakthrough for quantum cryptography to grow as a field of research interest. After that, many other researchers also became interested in this field and came up with new implementations.

 Quantum Key Distribution

Exchanging the key securely between two legitimate users, who share no secret information initially, through a potentially insecure channel is an important task in cryptography. In conventional cryptography, the digital information communicated can be passively monitored by an eavesdropper, without the sender or receiver being aware of it. By contrast, quantum principles empower a secure transmission of digital information, which is impossible in principle to eavesdrop without knowing certain information used in forming the transmission.

The eavesdropper cannot read or copy the information without leaving a high probability of disturbing the transmission in a random way such that it could be detected by the legitimate users. The quantum method involves encoding the key in the quantum states of elementary quantum systems like polarised single photons, to carry the information through a quantum channel.

Once the key is securely exchanged between the legitimate users, they can assure the security of the communication as well. Hence one can even say that quantum cryptography eventually reduces to the task of secure transmission of cryptographic keys: ‘Quantum Key Distribution (QKD)’. Since its beginning, many QKD protocols have emerged, and new ones continue to appear. Since the need for global security of information keeps increasing in this information era, finding more secure and robust QKD protocols is still flourishing as a research area of interest.

Essential Quantum principles utilised

As mentioned earlier, the security of quantum cryptography relies on certain fundamental quantum principles. The most prominent among them are the Heisenberg Uncertainty principle and the No cloning theorem which intuitively follows from the former itself.

i. Heisenberg Uncertainty Principle

The Heisenberg Uncertainty principle (HUP) states that in a quantum system only one property of a pair of conjugate properties can be known with certainty. Heisenberg was initially referring it to the conjugate properties, position and momentum of a particle. For the two conjugate properties, measuring one property would randomize the value of the other. Similarly, in the case of a single photon, measuring its linear polarisation would randomize its circular polarisation and vice versa.

ii. No-Cloning Theorem

The no-cloning theorem, published by Wootters, Zurek, and Dieks in 1982, states that, due to the linearity and unitarity of quantum mechanics, it is impossible to create identical copies of an arbitrary unknown quantum state. If such cloning were possible, then multiple copies of a quantum state could be produced and its different conjugate properties could be measured on separate copies simultaneously with certainty. But this is prohibited by the HUP, and hence it could be said that the no-cloning theorem intuitively follows from the HUP. Thus, a spy cannot produce perfect copies of a quantum state in transit in order to measure it and send on the original.

 

iii. Non-orthogonal states cannot be distinguished perfectly

It is a property of a quantum mechanical two-state system that it can be not only in the state |0❭ or the state |1❭, but more generally in a linear superposition |Ψ❭ = α|0❭ + β|1❭ with coefficients α and β satisfying |α|² + |β|² = 1. The laws of quantum mechanics ensure that it is impossible to reliably distinguish between

|Ψ₁❭ = α₁|0❭ + β₁|1❭

|Ψ₂❭ = α₂|0❭ + β₂|1❭

unless the states |Ψ₁❭ and |Ψ₂❭ are mutually orthogonal, i.e. ❬Ψ₁|Ψ₂❭ = 0. [4]

The BB84 protocol

BB84 was the first ever published quantum key distribution protocol. It is named after Charles H. Bennett and Gilles Brassard and the year they proposed the scheme, 1984. It uses the polarisation state of single photons to encode the key bits.

Generally, any pair of polarisation states will be referred to as a basis if they correspond to a reliably measurable quantity of a single photon and two bases are said to be conjugate if quantum mechanics decrees that measuring one property completely randomizes the other.

The BB84 protocol utilises a pair of conjugate bases, the Rectilinear and the Diagonal basis. They are mutually canonical bases.

[Figure: The conjugate polarization bases]

    The rectilinear basis consists of the 0° (horizontal) and 90° (vertical) polarisation directions and the diagonal basis consists of 45° (diagonal) and 135° (anti-diagonal). Hence the four possible quantum states are,

    |0❭,

    |1❭,

    |ō❭ = (1/√2)(|0❭ + |1❭),

    |ī❭ = (1/√2)(|0❭ − |1❭).

    Here the states |0❭ and |ō❭ represent bit value ‘0’, and the states |1❭ and |ī❭ stand for bit value ‘1’. The first two states correspond to vertically and horizontally polarized photons, the last two to polarization angles 45° and 135° with respect to the vertical axis.

    [Figure: The polarisation angles and bit values]

      Thus, a bit can be represented by polarizing the photon in either one of two bases.

      The two basis sets have the essential property that no member of one basis is orthogonal to either member of the other. The bases are also as different as possible, in the sense that |❬ŝ|s❭|² = 1/2, for ŝ = |ō❭ ,

      The primary model consists of two parties, Alice the sender and Bob the receiver. They both have access to a classical public communication channel and a private quantum channel. An eavesdropper Eve with unlimited computational power is assumed to have access to both channels and no assumptions are made about the resources at her disposal. She is only limited by the laws of nature.

      [Figure: Primary model of QKD]

        The protocol begins with Alice choosing a random bit string. She then sends a string of photons, each representing one bit, to Bob through the quantum channel. For each photon, she randomly chooses a polarization from the four possibilities. As Bob receives the photons he decides, randomly for each photon and independently of Alice, whether to measure the photon’s rectilinear polarization or its diagonal polarization, and interprets the result of the measurement as a binary zero or one. As mentioned earlier, a random answer is produced and all information is lost when one attempts to measure the rectilinear polarization of a diagonal photon, or vice versa. Hence, if Alice sends |0❭ or |1❭ and Bob happens to choose the rectilinear basis, then his measurement will pick out the correct state, and his bit assignment will exactly match the one Alice sent. But if he chooses the diagonal basis, then a measurement on |0❭ will yield |ō❭ or |ī❭ with equal probability. Thus, if Alice sent 0, Bob will assign 1 half the time. Hence, Bob obtains meaningful data from only half the photons he detects: those for which he guessed the correct polarization basis. Since Bob makes the wrong choice of basis half the time, his average error rate will be 25%. Bob’s information is further degraded by the fact that, realistically, some of the photons would be lost in transit or would fail to be counted by Bob’s inefficient detectors. The bit string resulting from this procedure is called a raw key.

        The next step of the protocol involves public discussion over the classical channel. The peculiarity of the classical channel is that Eve has full access to the information announced on it, but she can only listen and cannot tamper with the signals. For each bit, Bob announces through the classical channel his choice of measurement basis, but not the result of his measurement.

        Alice replies by stating whether or not the encoding basis and the measurement basis agree for each bit. If their bases agree, the bit is kept; otherwise, it is discarded. Also, they discard the bit positions where Bob’s detectors failed to detect the photon at all. The remaining bit string, which will be about half the length of the raw string, is called the sifted key.

        Subsequent steps of the protocol involve Alice and Bob testing for eavesdropping by publicly comparing some of the bits on which they think they should agree, though of course they have to sacrifice the secrecy of these bits. Because of the random mix of rectilinear and diagonal photons in the quantum transmission, any eavesdropping carries the risk of altering the transmission in such a way as to produce disagreement between Bob and Alice on some of the bits on which they think they should agree. An eavesdropper who is unaware of a photon’s original basis cannot perform a measurement on the photon during its transit from Alice to Bob that yields more than ½ expected bits of information about its polarisation. Suppose such a measurement yields b bits of information (b ≤ ½); then it has a probability of at least b/2 of inducing a discrepancy when Alice and Bob compare the data for which Bob measured in the correct basis. For example, if Eve decides to measure and retransmit all the photons she intercepts in the rectilinear basis, then she may learn the correct polarisation of half of the photons, and at the same time this action induces a disagreement in about ¼ of those photons which Bob measures using the correct basis. Hence, Alice and Bob can test for eavesdropping by publicly comparing a few bits for which they both used the same basis. To make sure that an eavesdropping attempt on more than a few photons has not escaped detection, the positions of the bits used for this comparison should be a random subset of the correctly received bits. If this comparison agrees and Alice and Bob find no discrepancies, they safely assume that no eavesdropping has happened during the transmission and hence conclude that the remaining bits that were sent and received with the same basis are safe to use as a one-time pad for subsequent secure communication over the public channel. When this one-time pad is used up, the protocol is repeated to produce a new one. On the other hand, if they find many discrepancies, they abort the protocol.

        [Figure: Steps of BB84 protocol (without eavesdropping)]

          The assurance that the public channel cannot be corrupted or altered by Eve is essential. Otherwise, Eve can sit between Alice and Bob and impersonate each of them to the other. Thus, she can share a separate string with each of Alice and Bob and deceive them into believing that their communication is secure. This crucial property of the public channel can be implemented by using an un-jammable public channel or an information-secure authentication scheme. There are still chances for Eve to suppress secure communication by utilizing the quantum channel. Nevertheless, the protocol guarantees that Alice and Bob can detect that their secret communication is being suppressed and will not be fooled into believing that it is secret and secure when in fact it is not [4,5,6,7].

          Inadequacies in the protocol

          According to Shor and Preskill [8] the original BB84 protocol is unconditionally secure. But in practice, the protocol embodies a few inadequacies.

          1.    Realistic detectors are not completely ideal. Their imperfection introduces noises in the communication. Hence even if there is no presence of eavesdropping, Alice and Bob may still face contradiction in some of their data.

          2.    It is technically difficult to produce a perfectly single-photon pulse. Most single photon generators have at least a minimum probability of producing multi-photon pulses. If λ is the expected number of photons per pulse of a photon generator, then there is a probability of λ²/2 for the eavesdropper to split the photon pulse into two or more photons, keep one herself and send the other to Bob. Hence, she can get partial information about the shared key without inducing errors.

          3.    Due to the random choice of basis by the sender and receiver, in general, only about 25% of the bit string can be utilised as a key. Hence the protocol lacks efficiency, since most of the transmitted qubits go unused in producing the key.

          4.    Alice and Bob have to trust their devices using which they perform the protocol. Also, they have to assume that the subset of the total transmitted information they will use to generate key, has been fairly sampled.

          Possible Attacks to the protocol

          Although an ideal description of BB84 protocol mentioned above assures that it is unbreakable, it is practically difficult to implement the theory in real life perfectly. Due to imperfection in both generating the photons and measuring the photons, there are multiple ways to perform quantum hacks, breaking quantum key distributions by exploiting imperfections of the implemented system. The following are a few eavesdropping strategies.

           1.    Intercept-Resend strategy.

          Intercept-Resend is a comparatively simple eavesdropping strategy. In this, Eve intercepts the data transmitted by Alice and performs a measurement. According to the outcome of her measurement she prepares a new state in the measured polarization and sends this to Bob. For example, suppose Alice prepares and sends a quantum state |Ψak❭ which belongs to the basis {Ψa}. If Eve intercepts and measures the state in the same basis, she detects the correct state |Ψak❭ and thus prepares and sends the correct state to Bob. Thus, Eve introduces no error, and Bob detects the correct state provided he measures in the correct basis. But if Eve intercepts and measures the state in another basis {Ψb}, where a≠b, then her outcome will be completely random, she gains no information and introduces maximum disturbance in the transmission. [9]

          2.    Photon Number Splitting Attack

          It is really difficult to generate perfect single photons at a very high rate using current techniques. Hence, most implementations of BB84 use phase-randomized weak coherent pulses. Most sources are bound to generate multi-photon pulses with at least a minimum probability. Hence, while these multi-photon pulses are in transit from Alice to Bob, Eve can intercept them and split the photons. She keeps one herself and sends the other to Bob. After Alice and Bob have made their measurements and publicly announced the bases, Eve performs her measurement accordingly. She measures in the same basis as Bob and hence, on average, obtains the same data as Bob. Single photon sources based on spontaneous parametric down conversion (SPDC) in a non-linear crystal are much less susceptible to this attack.

          3.    Intermediate basis method

          This is a probabilistic kind of eavesdropping strategy. In this method, Eve performs her measurement on photons using an intermediate or Breidbart basis, instead of using the same bases that Alice and Bob are using. This gives Eve probabilistic information. [9]

          It should be pointed out that we cannot even in principle distinguish errors due to noise from errors due to eavesdropping activity. We therefore assume that all errors are due to eavesdropping.
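The sifting step, the public eavesdropping test and the intercept-resend and photon number splitting strategies described above can be run side by side in a small simulation. This is an added example, not part of the original report; the lossless channel, the Poisson mean `mu`, the sample size and the 5% abort threshold are assumptions chosen for illustration.

```python
import math
import random

RECT, DIAG = 0, 1  # the two conjugate bases (rectilinear, diagonal)

def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: the preparation basis returns the encoded bit,
    the conjugate basis returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)

def photon_count(mu, rng):
    """mu=None models an ideal single-photon source. Otherwise draw a
    Poisson photon number with mean mu (weak coherent pulse)."""
    if mu is None:
        return 1
    limit, k, p = math.exp(-mu), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def run_bb84(n_pulses, attack="none", mu=None, seed=1):
    """Return (alice_sifted, bob_sifted, eve_knows) for one session.
    eve_knows[i] is True when Eve holds sifted bit i with certainty."""
    if attack not in ("none", "intercept_resend", "pns"):
        raise ValueError("unknown attack: " + attack)
    rng = random.Random(seed)
    alice_key, bob_key, eve_knows = [], [], []
    for _ in range(n_pulses):
        a_bit = rng.getrandbits(1)
        a_basis = rng.choice((RECT, DIAG))
        n = photon_count(mu, rng)
        if n == 0:
            continue  # empty pulse: Bob detects nothing, position is dropped
        bit, basis, known = a_bit, a_basis, False
        if attack == "intercept_resend":
            e_basis = rng.choice((RECT, DIAG))
            bit = measure(a_bit, a_basis, e_basis, rng)
            basis = e_basis              # Eve resends in the basis she measured
            known = e_basis == a_basis   # only then is her result reliable
        elif attack == "pns" and n >= 2:
            # Eve stores one photon and measures it after the bases are
            # announced; the photons forwarded to Bob are left undisturbed.
            known = True
        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:           # sifting over the public channel
            alice_key.append(a_bit)
            bob_key.append(b_bit)
            eve_knows.append(known)
    return alice_key, bob_key, eve_knows

def check_for_eve(alice_key, bob_key, sample_size, threshold, seed=2):
    """Publicly compare a random subset of sifted bits. Returns the sampled
    error rate and the remaining key, or None for the key on abort."""
    rng = random.Random(seed)
    positions = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in positions)
    qber = errors / sample_size
    if qber > threshold:
        return qber, None
    # The compared bits are no longer secret, so they are discarded.
    return qber, [b for i, b in enumerate(alice_key) if i not in positions]

def summarize(attack, mu=None, n_pulses=20000):
    alice, bob, known = run_bb84(n_pulses, attack, mu)
    qber, key = check_for_eve(alice, bob, sample_size=1000, threshold=0.05)
    return {
        "sifted": len(alice),
        "sampled_qber": qber,
        "eve_fraction": sum(known) / len(known),
        "aborted": key is None,
    }

if __name__ == "__main__":
    for attack, mu in (("none", None), ("intercept_resend", None), ("pns", 0.5)):
        print(attack, summarize(attack, mu))
```

Intercept-resend shows up as an error rate near 25% in the sampled bits and the session aborts, while photon number splitting leaves the sampled error rate at zero even though Eve holds a sizeable fraction of the sifted key.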

          Modifications

          Ever since the advent of the original BB84 protocol, there have been tremendous efforts both to enhance the security of the protocol and to find new eavesdropping strategies, because only when both these aspects are studied hand in hand can better refinements be brought to the protocol. The field of QKD was flourishing as a research area of interest. New experimental technologies were introduced to implement the protocol in real life. Modifications were introduced both to the protocol itself and to its experimental implementations, to patch loopholes opened by advanced eavesdropping strategies as well as the noise caused by imperfect devices. Here we discuss only the modifications introduced to the BB84 protocol itself.

          1.    Omitting public announcement of bases [10]

          In the BB84 protocol, the public announcement of bases, known as basis reconciliation, is an inevitable step. Alice and Bob publicly announce to each other which basis they chose randomly at each instance. Accordingly, they discard those bits for which they chose different bases. But there are many sophisticated eavesdropping strategies which exploit the information about bases shared during this public discussion. For instance, in the PNS attack, Eve might have stored a photon which she split from the original multiphoton pulse sent by Alice. She can later measure it in the same basis as Bob, by listening to the public announcement of bases. Thus, without introducing a detectable error, Eve can easily gain information about the key.

          In 1997, W.Y. Hwang, I.G. Koh and Y.D. Han came up with a modified version of the BB84 protocol which does not involve the public announcement of bases. The scheme is as follows.

          Initially Alice and Bob share a random secret binary sequence by employing any method, such as a secret courier or the BB84 scheme itself. This random sequence is used to determine in which basis to encode each qubit. For instance, every 0 in the sequence indicates encoding in one particular basis and every 1 indicates encoding in the other basis. This information is known only to Alice and Bob and must be kept secret. Naturally, Eve is prevented from knowing the base sequence.

          Since Alice and Bob possess the same secret sequence, there will be perfect correlation between them unless the quantum carriers are perturbed by Eve or noise. Hence, public announcement of bases is not required in this scheme.

          This sequence need not be as long as the intended key. It can be repeated. In fact, the scheme is useful only if the random sequence can be used repeatedly in a safe way. If this is not the case, Alice and Bob have to consume the same length of random sequence to obtain some length of new random sequence. Fortunately, the laws of quantum mechanics allow the base sequence to be safely repeated a sufficient number of times.

          To illustrate this, suppose Alice repeats the sequence N times. Eve collects the measurement records for all N repetitions and sits down to analyse them. She arranges the records according to the order of the base sequence, collecting all the records for the ith position among the N sequences. She can then be sure that this set of N qubits is encoded in either one basis u or the other, u'. She then tries to obtain information about which basis is used. Suppose the ith position of the sequence indicates encoding in basis u. When Eve arranges all the qubits corresponding to the ith position, she gets, for example, |u−❭, |u+❭, |u−❭, |u−❭, |u+❭, ... with equal probabilities of + and −. The same holds for u'. These two ensembles of states have the same density operator ½|u+❭❬u+| + ½|u−❭❬u−| (= ½|u'+❭❬u'+| + ½|u'−❭❬u'−|). Any two ensembles that have the same density operator give statistically the same outcome for any quantum mechanical measurement, even if they are composed of different state vectors. Since the two ensembles give rise to statistically identical outcomes, Eve cannot distinguish which basis is used and hence gains no information.

          However, it must be noted that the base sequence must be discarded after the expanded key is used for encrypting a message. This is because in most cases cryptograms can reflect some amount of information about the key.

          Even though public announcement of bases is not needed, public discussion for error detection and privacy amplification is still necessary in this scheme. Bob and Alice check for error by publicly comparing a random subset of received key.

          It may be inconvenient for Alice and Bob to prepare the random base sequence every time they distribute the key. Hence, a convenient solution is to leave some of the distributed key in order to use it as base sequence later.

          A significant advantage of this scheme is that there is no need for public announcement of bases. Moreover, it reduces Eve’s information about the basis, thereby preventing many sophisticated eavesdropping strategies. Another advantage is the high efficiency of this scheme. In the ideal case, there is no need to discard any data, while in BB84 almost half of the data has to be discarded. One disadvantage of this scheme is the extra need for Alice and Bob to share a secure random base sequence.
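A numerical check of the density-operator argument in the scheme above, as an added example that is not part of the original report. It goes one step beyond the text by also evaluating a biased key bit (`p_plus = 0.7`, a constructed value), where the two ensembles stop being identical; the function names and the choice of 0°/90° for u and 45°/135° for u' are this example's own.

```python
import math

def ket(angle_deg):
    """Linear polarisation state at the given angle, as a real 2-vector."""
    t = math.radians(angle_deg)
    return (math.cos(t), math.sin(t))

def density(angle_plus, angle_minus, p_plus=0.5):
    """rho = p|+><+| + (1-p)|-><-| for the two states of one basis."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for weight, angle in ((p_plus, angle_plus), (1.0 - p_plus, angle_minus)):
        v = ket(angle)
        for i in range(2):
            for j in range(2):
                rho[i][j] += weight * v[i] * v[j]
    return rho

def outcome_probability(rho, meas_angle_deg):
    """Born rule <m|rho|m> for a polariser set at meas_angle_deg."""
    m = ket(meas_angle_deg)
    return sum(m[i] * rho[i][j] * m[j] for i in range(2) for j in range(2))

def best_basis_guess_gap(p_plus=0.5):
    """Largest difference, over polariser angles in 0.5 degree steps, between
    the outcome statistics Eve sees if position i uses basis u and if it
    uses basis u'. Zero means no measurement can tell the bases apart."""
    rho_u = density(0, 90, p_plus)       # basis u  (rectilinear)
    rho_u2 = density(45, 135, p_plus)    # basis u' (diagonal)
    return max(
        abs(outcome_probability(rho_u, a / 2) - outcome_probability(rho_u2, a / 2))
        for a in range(360)
    )

if __name__ == "__main__":
    print("uniform key bits:", best_basis_guess_gap(0.5))
    print("biased key bits :", best_basis_guess_gap(0.7))
```

With uniformly random key bits the gap is zero for every polariser angle, which is the statement in the text; with biased bits the gap is nonzero, so repeating the base sequence is only safe when the encoded bits are unbiased.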

          2.    Using multi-level encoding [9]

          In the original BB84 protocol, Alice and Bob choose between the two complementary bases, and the information for each basis is encoded using two orthogonal quantum states. The peculiarity of complementary bases is that if Alice prepares a state in one basis and Bob measures it in a complementary basis, the outcome will be completely random. Hence any attempt at eavesdropping with the intercept and resend strategy invariably introduces errors in transmission that are detectable by the legitimate users.

          The multi-level encoding scheme proposed by Bourennane et al. introduces a variation of the BB84 protocol in which the quantum states are encoded in an N-dimensional Hilbert space using M bases. According to this scheme, Alice first randomly chooses in which of the M complementary bases to prepare the state, and second, decides which of the N states to send. The information carried in the state may be called a quNit. Hence there are in total MN possible states and each state appears with probability 1/(MN). Wootters and Fields have shown that when N = p^k, where p is a prime and k an integer, there exists a set of M = N+1 mutually complementary bases.

          Each time Bob receives a quNit, he randomly chooses one of the M possible bases to measure it. As in BB84, after public discussion, they keep only those symbols for which they used the same basis. Since they both make random choices, on average about (1-(1/M)) of the transmitted symbols will need to be discarded. The average information of Eve when she eavesdrops on a fraction λ of the string sent by Alice is

          $$I_{\mathrm{Eve}}(\lambda) = \lambda \, \frac{\log_2 N}{M}$$

          A significant advantage of the higher-dimensional encoding is that the eavesdropper introduces a higher error rate for Bob,

          $$e_{\mathrm{Bob}}(\lambda) = \lambda \left(1 - \frac{1}{M}\right)\left(1 - \frac{1}{N}\right).$$

          Another point to note is that an intermediate basis eavesdropping strategy cannot be applied for M = N+1 where N>2. This is because an intermediate basis that meets the requirements for eavesdropping cannot be constructed for N>2.

          A prominent drawback of this scheme is that, for the case of no eavesdropping, the effective transmission rate in bits per symbol after sifting cannot be more than $\log_2(N)/M$, so choosing M too large will lower the rate. Also, the transmission rate increases when N increases, has a maximum value for N ≈ 4 and starts to decrease when N increases further.

          For error correction, Alice and Bob randomly choose pairs of symbols, compute their XOR sum modulo N and announce the value. They keep the first symbol if and only if the results are the same, and discard the second symbol. For privacy amplification, they do not announce the XOR value, but discard two randomly chosen symbols, while keeping the XOR sum for a new key with improved privacy.

          Bourennane et al [11] provide a scheme for the experimental realisation of multi-level QKD by time multiplexing and phase encoding in an interferometric system. Detector noise and dark count probability are some of the limiting factors in realistic QKD systems. The quantum bit error rate scales linearly with $(N-1)\,P_{\mathrm{dark}}$.
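The expressions for Eve's information and Bob's error rate given above can be checked against a Monte Carlo model of the intercept-and-resend attack. The following Python simulation is an added example, not code from the original report or from Bourennane et al.; the function names, round count and seed are assumptions, and complementary bases are modelled only through the property stated above (a measurement in a different basis gives a uniformly random symbol). Setting N = 2, M = 2 reproduces the original BB84 case.

```python
import math
import random


def predicted(n_levels, m_bases, lam):
    """Closed-form I_Eve(lambda) and e_Bob(lambda) as quoted in the text."""
    i_eve = lam * math.log2(n_levels) / m_bases
    e_bob = lam * (1 - 1 / m_bases) * (1 - 1 / n_levels)
    return i_eve, e_bob


def simulate(n_levels, m_bases, lam, rounds=200_000, seed=1):
    """Intercept-and-resend on a fraction `lam` of quNits (hypothetical helper).

    A quNit in flight is tracked as (basis index, symbol). Measuring it in the
    preparation basis returns the symbol; measuring in any other (complementary)
    basis returns a uniformly random symbol.
    """
    rng = random.Random(seed)
    sifted = errors = eve_correct_basis = 0
    for _ in range(rounds):
        a_basis = rng.randrange(m_bases)
        symbol = rng.randrange(n_levels)
        flight_basis, flight_symbol = a_basis, symbol
        eve_hit = False
        if rng.random() < lam:
            # Eve measures in a random basis and resends what she observed.
            e_basis = rng.randrange(m_bases)
            if e_basis == a_basis:
                e_result = symbol
                eve_hit = True
            else:
                e_result = rng.randrange(n_levels)
            flight_basis, flight_symbol = e_basis, e_result
        b_basis = rng.randrange(m_bases)
        if b_basis != a_basis:
            continue  # dropped during sifting: bases differ
        sifted += 1
        if flight_basis == b_basis:
            b_result = flight_symbol
        else:
            b_result = rng.randrange(n_levels)
        errors += b_result != symbol
        eve_correct_basis += eve_hit
    return {
        "sift_fraction": sifted / rounds,  # expected 1/M
        "qber": errors / sifted,           # expected e_Bob
        "eve_bits_per_symbol": eve_correct_basis / sifted * math.log2(n_levels),
    }


if __name__ == "__main__":
    for n, m in [(2, 2), (2, 3), (4, 5)]:
        i_eve, e_bob = predicted(n, m, 1.0)
        sim = simulate(n, m, 1.0)
        print(f"N={n} M={m}: predicted e_Bob={e_bob:.3f} I_Eve={i_eve:.3f} "
              f"simulated qber={sim['qber']:.3f} "
              f"I_Eve={sim['eve_bits_per_symbol']:.3f} "
              f"kept={sim['sift_fraction']:.3f}")
```

The N = 4, M = 5 row shows the trade-off discussed above: the error Eve causes rises, while only about one fifth of the symbols survive sifting.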

          3.    Decoy pulse method [12]

          This method was introduced mainly to overcome the photon number splitting attack. It was mentioned earlier that most practical sources cannot produce perfect single photons. Eve takes advantage of this: she splits a multi-photon pulse, keeps one photon for herself and sends the other to Bob without introducing a detectable error. The modified scheme proposed by W.Y. Hwang in 2002, the decoy pulse method, presents an intelligent solution to overcome such attacks.

          The protocol begins with the assumption that the photon generator used by Alice has a probability of 90% to emit single photon pulses and 10% to emit multi-photon pulses. It is not known when the multi-photon pulses are emitted, since they are generated inadvertently. Also, the channel is assumed to have 90% loss and 10% yield. Bob is assumed to use practical detectors which are insensitive to photon numbers. Eve’s attacking strategy is as follows. For every incoming pulse, she measures the number of photons in it. If it is a single photon, she just blocks it. If it is a multi-photon pulse, she splits the pulse, keeps one photon for herself and sends the other to Bob via an ideal lossless channel. Thus, Bob obtains only 10% of the signal pulses sent by Alice. However, Eve can get full information about the key by measuring each of the preserved photons in the proper basis that is publicly announced later by Alice. Here, they adopt the best-case assumption that Eve uses all the multi-photon pulses for the PNS attack. Hence, if the yield y of the channel is less than the probability $p_{\mathrm{multi}}$ of multi-photon pulses, the protocol is highly insecure. For the security of the protocol, the condition to be satisfied is therefore

          $$y > p_{\mathrm{multi}}.$$

          Hence, when yield is very low, almost perfect single photon generator is required.

          However, the problem is that the sources cannot be perfect single photon sources in practice. To tackle this, Alice adopts two photon sources, that is, a signal source S and a decoy source S'. The signal source is used to distribute the key. The decoy source is used to detect the PNS attack. Alice intentionally and randomly replaces certain photon pulses from the signal source by multi-photon pulses from the decoy source. The polarization of the pulses of the decoy source is randomized such that they cannot be distinguished from those of the signal source as long as the photon numbers of the pulses are the same. Since Eve is unable to distinguish the multi-photon pulses of the signal source from those of the decoy source, the yields of the two kinds of pulses must be similar. After receiving all the signal pulses, Bob notifies Alice. Alice then replies with which pulses are from the decoy source. Through public discussion, they estimate the total yield of the signal source $y_s$ and that of the decoy source $y_d$. If $y_d > y_s$, the whole protocol is aborted. Otherwise it is continued by estimating the yield of signal multi-photon pulses based on that of the decoy pulses. This estimation is done with the assumption that the two losses have similar values.

          Thus, this modified protocol provides essentially a shield against the PNS attack by Eve. It has been successfully employed for practical implementations.
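The decoy check described above, as an added Python simulation (not code from the original report or from Hwang's paper). Assumed here: the function names, the 20% decoy fraction, the statistical margin applied to the y_d > y_s test so that finite-sample noise does not trigger an abort, and an honest channel that delivers each pulse with probability y regardless of photon number; the 10% figures are the ones used in the text.

```python
import random

P_MULTI = 0.10  # from the text: 10% of signal pulses are multi-photon
YIELD = 0.10    # from the text: the channel delivers 10% of the pulses


def insecure_without_decoys(channel_yield, p_multi):
    """The text's condition for security is y > p_multi."""
    return not channel_yield > p_multi


def run_session(pulses=100_000, decoy_fraction=0.2, eve_pns=False, seed=7):
    """Return (y_s, y_d, fraction of Bob's signal clicks fully known to Eve)."""
    rng = random.Random(seed)
    sent = {"signal": 0, "decoy": 0}
    clicks = {"signal": 0, "decoy": 0}
    leaked = 0
    for _ in range(pulses):
        source = "decoy" if rng.random() < decoy_fraction else "signal"
        # Decoy pulses are deliberately multi-photon; signal ones only by accident.
        multi = source == "decoy" or rng.random() < P_MULTI
        sent[source] += 1
        if eve_pns:
            # Eve blocks single photons, splits multi-photon pulses and forwards
            # the remainder over a lossless channel. She cannot tell the sources apart.
            arrives = multi
        else:
            arrives = rng.random() < YIELD
        if arrives:
            clicks[source] += 1
            if eve_pns and source == "signal":
                leaked += 1  # Eve holds a photon from this pulse
    y_s = clicks["signal"] / sent["signal"]
    y_d = clicks["decoy"] / sent["decoy"]
    leak = leaked / clicks["signal"] if clicks["signal"] else 0.0
    return y_s, y_d, leak


def decision(y_s, y_d, margin=0.05):
    """Abort when the decoy yield exceeds the signal yield beyond the margin."""
    return "abort" if y_d > y_s + margin else "continue"


if __name__ == "__main__":
    print("insecure without decoys:", insecure_without_decoys(YIELD, P_MULTI))
    for attack in (False, True):
        y_s, y_d, leak = run_session(eve_pns=attack)
        print(f"eve_pns={attack}: y_s={y_s:.3f} y_d={y_d:.3f} "
              f"leak={leak:.2f} -> {decision(y_s, y_d)}")
```

In both runs the signal yield stays near 10%, so the signal pulses alone do not reveal the attack; only the decoy yield separates the two cases.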

          4.    Bidirectional QKD with practical faint pulses [13]

          For a secure key exchange in the BB84 protocol, perfect single photons must be used. Although single photons can be produced in principle, this is still some distance away from practical realisation. Hence the protocol has been demonstrated using faint laser pulses. The protocol discussed here is a modified version of the BB84 protocol, a bidirectional QKD technique using faint laser pulses, proposed by F.G. Deng and G.L. Long in 2004.

          As mentioned, most practical demonstrations of BB84 utilise faint laser pulses which are sufficiently attenuated. Although most laser pulses contain only a single photon, there is still some probability that a pulse may contain more than two photons. Hence there is a strong chance for Eve to perform a PNS attack. This protocol, however, uses bidirectional transmissions, which are secure even when single photons are replaced by faint laser pulses that do not contain more than two single photons. For that, the faint laser pulses are attenuated to such an extent that the mean photon number in each pulse is less than 0.1. The detailed procedure of the protocol is as follows.

          In the initial step, Bob randomly chooses between the two conjugate bases to produce each faint laser pulse randomly in one of the four possible states, and sends the laser pulses to Alice. Upon receiving each laser pulse, Alice decides to pick either the checking mode or the encoding mode for the pulse.

          If she selects the checking mode, she randomly chooses one basis to measure the pulse, which is similar to the measurement performed by the receiver in the BB84 protocol. She then informs Bob for which pulses she used the checking mode, the measuring basis she used and the outcome. Upon knowing this, Bob can check if Alice’s measurement is consistent with his for those cases in which they both used the same basis. It gives an idea about whether an eavesdropping attempt has occurred. Hence this is equivalent to the eavesdropping check in the original BB84.

          If she selects encoding mode, she randomly chooses one of the two unitary operations to encode on the quantum signal.

          One is U(0), which is nothing but the identity operation I, which leaves the qubit unchanged and encodes logical ‘0’. The other is U(1), which flips the qubit { U(1)|0❭ = |1❭ , U(1)|1❭ = |0❭ , U(1)| ō ❭ = | ī ❭ , U(1)| ī ❭ = − | ō ❭ } and encodes logical ‘1’. Alice then sends these encoded qubits back to Bob, who measures each in the same basis in which he prepared it. This feature allows Bob to deterministically infer Alice’s operation. After transmitting a sufficiently large set of qubits, Bob analyses the result, which is divided into three sequences.

          The first is the one for which Alice chose the checking mode. It helps to detect an eavesdropping attempt, provided the laser pulses contain only a single photon. If there are multiple photons, Eve can perform a PNS attack without introducing detectable errors. He estimates the quantum bit error rate (QBER) on the forward and backward channels and calls them the partial QBERs q1 and q2. The second is the one for which Alice chose the encoding mode. Bob publishes the result of this part and they both check if Eve is present.

          The security of the protocol relies on these two eavesdropping checks. Finally, as usual, the raw key is followed by the procedures of error correction and privacy amplification.

          Provided that the signal pulses are single photons, this QKD scheme is highly secure, because it is equivalent to doing the BB84 QKD process twice. Also, since the eavesdropping check is done twice, laser pulses containing more than two pulses can also be used. Even if Eve tries to perform a PNS attack, the second check will discover her presence. The intrinsic efficiency of this protocol is high, since every photon is used for valid key distribution except those chosen for the eavesdropping check. Since there is no need to exchange measuring basis information, a lot of classical information storage is saved. This protocol has been efficiently implemented experimentally [14].

          5.    Delayed measurement method [15]

          This protocol proposed by F.G. Deng, G.L. Long, Y. Wang and L. Xiao in 2004 presents a scheme to improve the original protocol by performing delayed measurements. The procedure of the protocol is as follows.

          While preparing the quantum states, Alice randomly chooses some of the bits in the sequence as test instances and prepares them in one particular basis of the two conjugate ones; the remaining majority of qubits are prepared in the other basis. It is assumed that Bob already knows which basis is used for the test instances and which for the rest. Alice then sends the encoded states to Bob. Bob delays his measurement until the whole train of states is received. After the reception notice from Bob, Alice tells him the positions of the test instances. He then measures the test instances in the particular basis in which they were prepared and the rest of the states in the other basis. Alice and Bob then publicly announce the results of the test instances and of a small portion of the remaining states to check for eavesdropping. If they find that the error rate is below a threshold value, they confirm that the distribution was secure; otherwise they abort the process.

          This method has the advantage of high efficiency. In the ideal case, no data needs to be discarded. Also, since the measuring basis information of most instances is known and need not be communicated, it saves much classical communication. Its disadvantage is that it requires the storage of quantum states.

          Various other QKD protocols

          • B92 Protocol [16]

          The B92 protocol was introduced by Charles H. Bennett in 1992. He realised that it was not necessary to use two orthogonal bases for encoding the quantum states. Instead, a single non-orthogonal basis will suffice without affecting the security of the transmission against eavesdropping. Hence the total number of possible polarisation states in the B92 protocol is only two, while it was four in the original BB84.

            Figure: B92 polarisation directions

            0° polarisation in the rectilinear basis corresponds to binary 0 and 45° in the diagonal basis corresponds to binary 1. Alice prepares the string of photons by randomly choosing either of the two possible polarisation states and transmits it to Bob. At the receiving end, Bob randomly chooses in which basis to measure the incoming photon: the rectilinear or the diagonal basis. After his measurements, Bob tells Alice in which instances he got a positive result, but not his choice of measurement basis. The two parties then agree to discard all other instances.

            • SARG04 Protocol [17]

            The SARG04 protocol was proposed in 2004 by Scarani et al. It is a simple protocol using four non-orthogonal states. Alice randomly chooses one among the four possible states |± x❭ or |± z❭ and sends the string of photons to Bob. Bob measures either σx or σz. Hence, at the quantum level it is similar to BB84. But there is a change in the classical sifting procedure. Instead of publicly announcing the measurement basis, Alice announces one of four pairs of non-orthogonal states $A_{\omega,\omega'}$ = {|ωx❭, |ω'z❭}, with ω, ω' ∈ {+, -}, and with the convention that |± x❭ codes for 0 and |± z❭ codes for 1. After the sifting procedure Bob is left with almost ¼ of the raw bits, which is much less than in BB84. Hence, in this protocol a comparatively higher μ (mean photon number in each pulse) has to be used. In compensation, this protocol provides a better shield against the PNS attack at QBER = 0.
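The sifting step described above, with both sides' choices and Alice's announcement, as an added Python simulation (not code from the original report or from Scarani et al.). The function names, round count and seed are assumptions; no eavesdropper or channel noise is modelled, and Bob's rule for a conclusive result (his outcome must rule out the announced state in his measurement basis) is the standard reading of the announced-pair sifting.

```python
import random


def sarg04_round(rng):
    """One SARG04 round; returns (alice_bit, bob_bit), or None if inconclusive."""
    # Alice picks one of |+x>, |-x>, |+z>, |-z>; x-states code 0, z-states code 1.
    a_basis = rng.choice("xz")
    a_sign = rng.choice((+1, -1))
    alice_bit = 0 if a_basis == "x" else 1

    # Alice announces a pair {|w x>, |w' z>} that contains her state;
    # the sign of the other member is chosen at random.
    announced = {"x": rng.choice((+1, -1)), "z": rng.choice((+1, -1))}
    announced[a_basis] = a_sign

    # Bob measures sigma_x or sigma_z. In the preparation basis he recovers the
    # sign; in the other basis the outcome is uniformly random.
    b_basis = rng.choice("xz")
    outcome = a_sign if b_basis == a_basis else rng.choice((+1, -1))

    # An outcome equal to the announced state in Bob's basis excludes nothing.
    if outcome == announced[b_basis]:
        return None
    # Otherwise the announced state in Bob's basis is ruled out, so the state
    # sent was the pair's other member.
    bob_bit = 1 if b_basis == "x" else 0
    return alice_bit, bob_bit


def sift(rounds=100_000, seed=3):
    """Return (fraction of rounds kept after sifting, number of bit errors)."""
    rng = random.Random(seed)
    kept = errors = 0
    for _ in range(rounds):
        result = sarg04_round(rng)
        if result is None:
            continue
        kept += 1
        errors += result[0] != result[1]
    return kept / rounds, errors


if __name__ == "__main__":
    fraction, errors = sift()
    print(f"kept after sifting: {fraction:.3f}, errors: {errors}")
```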

            • Six State Protocol (SSP) [18]

            The Six State protocol was proposed by Pasquinucci and Gisin in 1999. As the name indicates, this protocol makes use of six possible polarisation states. So in total there are three bases rather than two. The six states are,

            |0❭ (horizontal),

            |1❭ (vertical),

            | ō ❭ = (|0❭ + |1❭ ) (diagonal),

            | ī ❭ = (|0❭ - |1❭ ) (anti-diagonal),

            | Õ ❭ = (|0❭ + i |1❭ ) (right circular),

            | ĩ ❭ = (|0❭ - i |1❭ ) (left circular).

            The six states can be viewed as Bloch vectors pointing along the positive and negative x, y, and z directions. Alice randomly chooses a state among the six and sends it to Bob. Bob measures it in either the x, y or z basis at random. Here the probability that Alice and Bob choose the same basis is reduced to 1/3, which means they have to discard, on average, 2/3 of the transmitted bits in order to establish a secure key. But because there are more possible states than in BB84, Eve's error rate increases. Thus, her maximal information will be less than that in BB84. In that way, this protocol is safer against eavesdropping on single qubits than the BB84 scheme.

            RESULTS AND DISCUSSION

            The main aim of this work was to study the BB84 QKD protocol and to survey its modifications. The method of study adopted was referring to old research papers and original works by pioneers in this field.

            The theory of BB84 protocol was studied, which provided an idea about how securely it renders the distribution of a cryptographic key utilising the principles of quantum mechanics.

            The modifications surveyed in this work deal only with the conceptual part of the protocol. No experimental modifications or their implementations are included. The modifications were: modified BB84 without public announcement of bases, multi-level encoding, decoy states, bidirectional QKD and delayed measurements. Even though they are modifications, each of them has its own advantages as well as disadvantages.

            The first modification has the advantage that there is no need for public announcement of bases, and it has increased efficiency. But it suffers from the disadvantage of the extra need to safely establish the base sequence.

            In the second one, multi-level encoding, Eve is bound to introduce a higher error rate, which helps in detecting her presence. But at the same time, the protocol has to sacrifice a fraction (1-(1/M)) of the transmitted symbols (which will be larger than in BB84 for M>2) to establish a secure key.

            The third modification, the decoy pulse method, has high shielding power against the PNS attack. Also, it does not demand a perfect single photon generator. But the photon number statistics of the signal source and the decoy source must be similar in the multi-photon region.

            The bidirectional QKD method discussed has many advantages: there is no demand for single photon generators, faint laser pulses can be used, the efficiency of key bit transmission is high, there is no need to exchange the measuring basis information, etc. Still, it requires the assumption that the faint laser pulses used do not contain more than two single photons. Hence the attenuation may weaken the pulses, requiring extra arrangements for it to be used in long-distance communication.

            The last modification discussed, the delayed measurement method, also provides increased efficiency and saves much classical communication. However, it requires the storage of quantum states, since the measurements are delayed.

            Like these, there are many other conceptual as well as experimental modifications applied to the original BB84 protocol. It must be noted that they do not form a sequence of successive modifications. The modifications are made with various scopes and purposes in mind.

            CONCLUSION

            Quantum cryptography is the act of using quantum principles to encode information on quantum carriers and securely distribute the cryptographic key between the sender and receiver. The first QKD protocol, BB84, introduced by Bennett and Brassard in 1984, uses the polarisation state of single photons to encode key bits. By an ideal description, BB84 is invulnerable to any attack, its security being guaranteed by the random nature of individual quantum events. But various factors like technical imperfections, enhanced eavesdropping techniques etc. pose a threat to it. Right from the time of the invention of the protocol itself, many variants and modifications of the protocol have been introduced to patch up the practical inadequacies as well as to improve the security. A few of these are studied in this project. QKD is still a rapidly growing research field. It has moved on from the earlier notion of science fiction to many practical advancements. Research is still going on to improve the security, the key generation rate, the distance over which it can be implemented etc. Since information security is a matter of global importance, this field of research is set to flourish and broaden in scope.

            Acknowledgement

            Foremost, I take this opportunity to sincerely acknowledge the Science Academies (IASc-INSA-NASI) for providing me an ample platform to do a project under the programme of Summer Research Fellowship, 2019. Words are not enough for me to express how fortunate I feel to work under my guide, who is such an eminent personality in the field of her research area, Dr. Urbasi Sinha. I take this opportunity to convey my deep gratitude for her masterly guidance, suggestions, support and care. I also wish to thank her for including me in the group discussions, which helped me somehow to understand the systematic progress a research work should have.

            I am extremely indebted to Rishab Chatterjee, PhD student in LAMP, for his masterly suggestions, valuable corrections, involvement, and kind support.

            I convey my sincere thanks to RRI library for providing valuable reference books and peaceful ambience to study.

            I convey my deep regards and thanks to all members in the department for their support.

            I sincerely convey my gratitude to Ms. Nayana, Assistant Professor, Department of Physics, NSS College Ottapalam, for providing my letter of recommendation to Indian Academy of Sciences. Last but not the least, I owe my heartiest gratitude to my parents, sister, family members, teachers, friends and all dear ones for their unending love, support and encouragement.

            References

            1.    Shor, P., "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer.", SIAM Journal of Computing, 26, 1997, pp. 1484-1509.

             2.    Bruss, D., Erdelyti, G., Meyer, T., Riege, T., Rothe, J., "Quantum Cryptography: A Survey" ACM Computing Surveys, Vol. 39, No. 2, Article 6, June 2007.

            3.    Haitjema, Mart. (2019). A Survey of the Prominent Quantum Key Distribution Protocols.

            4.    Bruß, Dagmar, and Norbert Lütkenhaus. “Quantum Key Distribution: from Principles to Practicalities.” Applicable Algebra in Engineering, Communication and Computing, vol. 10, no. 4-5, 2000, pp. 383–399., doi:10.1007/s002000050137.

            5.    Garrison, John C., and Raymond Y. Chiao. Quantum Optics. Oxford University Press, 2014.

             6.    Bennett, C.H., Bessette, F., Brassard, G. et al. J. Cryptology (1992) 5: 3. https://doi.org/10.1007/BF00191318

            7.    C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computer, Systems, and Signal Processing (IEEE, New York, 1984), p. 175.

            8.    Shor, P. W., & Preskill, J. (2000). Simple proof of security of the BB84 quantum key distribution protocol. Physical review letters, 85(2), 441.

            9.    Bourennane, Mohamed & Karlsson, Anders & Bjork, Gunnar & Gisin, Nicolas & J Cerf, Nicolas. (2001). Quantum Key Distribution using Multilevel Encoding: Security Analysis. Journal of Physics A General Physics. 64. 10.1088/0305-4470/35/47/307.

            10. Young Hwang, Won & Gyu Koh, In & Han, Yeong Deok. (1998). Quantum Cryptography without Public Announcement of Bases. Physics Letters A. 244. 489-494. 10.1016/S0375-9601(98)00358-2.

            11. H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A 61, 062308 (2000).

            12. Hwang, Won-Young. (2003). Quantum Key Distribution with High Loss: Toward Global Secure Communication. Physical review letters. 91. 057901. 10.1103/PhysRevLett.91.057901.

            13. Deng, Fu-Guo & Long, Gui. (2004). Bidirectional quantum key distribution protocol with practical faint laser pulses. Phys. Rev. A. 70. 10.1103/PhysRevA.70.012311.

            14. Abdul Khir, Mohd Fared & Norzalliman Mohd Zain, Mohd & Bahari, Iskandar & Soekardjo, Suryadi & Shaari, Sahbudin. (2013). Experimental two way quantum key distribution with weak+vacuum decoy state. Malaysian Journal of Mathematical Sciences. 7. 49-57.

            15. Li, Xiao & Deng, Fu-Guo & Long, Gui & Jianwei, Pan. (2004). Efficient multiparty quantum-secret-sharing schemes. Physical Review. A. 69. 10.1103/PhysRevA.69.052307.

            16. Bennett, Charles. (1992). Quantum Cryptography using any two Nonorthogonal States. Physical review letters. 68. 3121-3124. 10.1103/PhysRevLett.68.3121.

            17. Scarani, Valerio & Acín, Antonio & Ribordy, Grégoire & Gisin, Nicolas. (2004). Quantum Cryptography Protocols Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations. Physical review letters. 92. 057901. 10.1103/PhysRevLett.92.057901.

            18. Bruss, Dagmar. (1998). Optimal Eavesdropping in Quantum Cryptography with Six States. Physical Review Letters. 81. 10.1103/PhysRevLett.81.3018.
