The setup
Alice wants to send Bob a random key — a string of bits they can later use as a one-time pad to encrypt messages. The problem: she can't just shout the key over the phone, because anyone listening would get it too. Classical cryptography solves this with hard math (RSA, ECC, Diffie-Hellman). Quantum cryptography solves it with the laws of physics.
BB84 has three ingredients:
- Single photons as the carrier — you can't copy them without disturbing them (no-cloning theorem).
- Two complementary bases — rectilinear (+) measuring H/V, and diagonal (×) measuring +45°/−45°. Measuring in the "wrong" basis randomizes the outcome.
- A public classical channel for Alice and Bob to agree on which photons to keep — adversaries can listen, but it doesn't matter what they hear.
The protocol
Step 1 — quantum transmission. For each bit Alice wants to send, she picks at random which basis to encode it in. + basis: 0 → H, 1 → V. × basis: 0 → +45°, 1 → −45°. She fires the photon to Bob.
Step 2 — measurement. Bob doesn't know which basis Alice used, so he picks one at random and measures. If he happens to pick the same basis as Alice, he gets her bit. If he picks the other basis, his outcome is 50/50 random — quantum mechanics gives him no information.
Step 3 — sifting. Alice and Bob publicly tell each other which basis they used for each photon (but not the bit values). They keep only the bits where their bases matched. About half the photons are kept. This is the "sifted key."
Step 4 — error check. Alice and Bob sacrifice a random sample of sifted bits — say 10% — and publicly compare values. If anyone has been listening, the no-cloning theorem guarantees their interference shows up as errors. They calculate the Quantum Bit Error Rate (QBER). Below a threshold (~11%), the rest of the sifted key is safe; above it, they abort.
Try it
Hit Start stream. The widget runs the protocol photon-by-photon. The "Verdict" cell tells you whether the channel is clean. Then enable Eve and watch QBER spike past 10%, triggering detection.
What you're seeing: Alice picks a random bit and a random basis (rectilinear "+" or diagonal "×") for each photon. Bob picks a random basis to measure. After the quantum transmission, they publicly compare bases on the classical channel and keep only the bits where bases matched — the "sifted key." To verify the channel was not eavesdropped, they sacrifice a sample of sifted bits and compare them publicly. With no Eve, sifted bits agree perfectly. With Eve doing intercept-resend, ~25% of sifted bits disagree — a clear signal of tampering. This impossibility of eavesdropping undetected is the foundation of every commercial QKD product deployed today (China's backbone, EuroQCI, Swiss banks, Korean telcos).
The intercept-resend attack and why it always fails
Eve's best classical strategy is intercept-resend: catch each photon, measure it in a random basis, then send a fresh photon to Bob encoded in her measured bit and basis.
This sounds clever, but it leaks. When Eve's basis matches Alice's (50% of the time), she gets the right bit and re-encodes correctly — Bob's outcome is correct. When Eve's basis doesn't match Alice's (the other 50%), she gets a random bit and re-encodes in the wrong basis. Now Bob — if his basis matches Alice's — gets a random outcome from Eve's wrongly-encoded photon. The math works out to a ~25% error rate on the sifted key — far above the ~11% detection threshold. There is no Eve strategy that avoids this signature.
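As an added example (not code from this page or its widget), the four protocol steps above and the intercept-resend attack in this section, simulated in Python: each photon is modelled as a (bit, basis) pair, a measurement in the matching basis returns the bit and a mismatch returns a coin flip, and the QBER check either passes or aborts. The function name, the 10% sacrifice fraction and the 0/1 basis encoding are assumptions of the example.

```python
import random

QBER_THRESHOLD = 0.11  # abort above this; the ~11% figure from the text


def bb84(n_photons, eve=False, sample_frac=0.1, seed=None):
    """Toy BB84 run. Bases: 0 = rectilinear (+), 1 = diagonal (x).
    A photon measured in its encoding basis yields the encoded bit;
    measured in the other basis it yields a uniformly random bit."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis         # Step 1: what leaves Alice
        if eve:                                          # intercept-resend in the middle
            e_basis = rng.randrange(2)
            e_bit = bit if e_basis == a_basis else rng.randrange(2)
            photon_bit, photon_basis = e_bit, e_basis    # fresh photon sent on to Bob
        # Step 2: Bob measures in a random basis
        bob_bits.append(photon_bit if b_basis == photon_basis else rng.randrange(2))

    # Step 3: sifting over the public channel (bases only, never bit values)
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    if not sifted:
        return {"sifted": 0, "qber": None, "verdict": "abort", "alice_key": [], "bob_key": []}

    # Step 4: sacrifice a random sample of sifted bits, compare publicly, compute QBER
    k = max(1, int(len(sifted) * sample_frac))
    sample = set(rng.sample(range(len(sifted)), k))
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    qber = errors / k
    kept = [pair for i, pair in enumerate(sifted) if i not in sample]
    return {"sifted": len(sifted), "qber": qber,
            "verdict": "abort" if qber > QBER_THRESHOLD else "clean",
            "alice_key": [a for a, _ in kept], "bob_key": [b for _, b in kept]}


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eve=eve, seed=1)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} verdict={r['verdict']}")
```

Without Eve the sacrificed sample shows zero errors and the two remaining keys are identical; with Eve the sample QBER settles near 25%, well past the abort threshold.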
What this gives you that PQC doesn't
BB84 and post-quantum cryptography (PQC) are not competitors — they solve different problems. PQC like ML-KEM and ML-DSA replaces RSA and ECC with classical algorithms believed hard for quantum computers. PQC is software, runs on existing infrastructure, and is what NIST and NSA are mandating across the U.S. federal government.
QKD, by contrast, gives you something stronger but more expensive: information-theoretic security. The security argument doesn't depend on any hardness assumption that future math could break — it depends only on quantum mechanics. The cost is dedicated optical fiber or free-space links, single-photon sources, and distance limits set by photon loss (typically 100–200 km without repeaters).
Where QKD is deployed today:
- China's national QKD backbone — Beijing-Shanghai trunk (2,000+ km via trusted-node relays); Micius satellite for free-space intercontinental links.
- EuroQCI — the European Union's plan for a continent-wide QKD network across all member states, integrated with the IRIS² satellite constellation.
- Korean telcos — SK Telecom and KT have rolled out commercial QKD links for finance and government customers.
- Swiss banks and Toshiba/UK NQCC — production QKD links in finance and critical infrastructure.
The NSA position
For U.S. national-security systems, the NSA explicitly prefers PQC over QKD, citing engineering challenges (dedicated hardware, distance limits, denial-of-service exposure on the optical channel) and the difficulty of authenticating the classical channel without already shared secrets. For non-NSS contexts — and for any defense-in-depth posture where information-theoretic security justifies the cost — QKD remains viable and is being actively procured globally.
Why this matters for investors
The QKD market is small ($1–2B annually) and dominated by ID Quantique, Toshiba, and Chinese players, but it is one of the few quantum technology categories with shipping products and real procurement budgets today. The bigger commercial story is what QKD represents: a working quantum-information technology delivered to paying customers right now, while gate-model quantum computing is still pre-revenue at scale. QKD is the proof point that quantum hardware can productize.
Device-independent QKD — where security is guaranteed by Bell-inequality violation rather than trust in the hardware — is the long-term frontier, currently the subject of multiple satellite-QKD demonstrations.
Next, see the Bell test — the experiment proving quantum nonlocality, which is what device-independent QKD relies on. Or jump to the glossary for every PQC and QKD term defined, or papers to read Bennett & Brassard 1984.