This dialogue, the first in a series, is inspired by the transcription of meetings held at NeverLocal by myself and our communication specialist Ionut Gaucan. Here the aim is to introduce the notions behind the first, paradigmatic quantum key distribution protocol: BB84, introduced by Charles Bennett and Gilles Brassard in 1984.
Nicola: Before diving into how the BB84 protocol works, let us remind ourselves of its ultimate goal: to transmit a message privately between two agents.
Ionut: Why is the BB84 protocol concerned with the key, rather than the message?
Nicola: The goal is to securely share a key, which can later be used to establish encrypted communication. The essence of the cryptographic challenge is the transmission of keys, not the message itself. Once the key is shared, it can be used to encrypt a message, transmit it openly, and then decrypt it securely. Given that all communication channels are, by nature, insecure, we need protocols, algorithms designed to ensure at least partial integrity of communication.
Ionut: On an insecure channel, what assurance can such a protocol actually provide?
Nicola: It can provide detectability of interference: if an eavesdropper acts, her disturbance raises the error rate, something which can test. If errors are below a theoretically derived bound, we keep the key; if they are above, we discard it and retry.
Nicola: To share a key, you must communicate. This communication can be physical, such as placing the key in a briefcase and delivering it securely from Alice to Bob, or it can exploit subtler methods, such as the quantum protocol we are discussing.
Ionut: What does the quantum route add that physical delivery does not?
Nicola: In short, it allows us to extract a mathematical proof that certifies that this physical delivery occurred without interception. This is classically impossible.
Nicola: The aim is to allow Alice and Bob to share keys they will later use to encrypt and decrypt messages securely, even over an open channel. And to do so, they must rely not only on random numbers and clever algorithms, but also on the very structure of physical reality, on quantum mechanics. Here the security claim is information-theoretic: it does not rely on Eve being computationally limited.
Convention and context
Nicola: Now, to grasp how quantum mechanics makes this possible, we need to understand the conventional nature of information.
Ionut: What exactly makes classical information “conventional”?
Nicola: Classical information systems are digital in character, built on convention. You take a system, perhaps a physical object, a letter, or a lamp, and you encode information into it. Typically, this is done using binary bits. For instance, a lamp being on could represent a 1, and off could represent a 0. The physical substrate is analog, but the interpretation is digital, established by convention.
Ionut: So I would guess that in the quantum world these differences become relevant?
Nicola: In a sense, digitality and conventionality are synonymous. A digital message is only meaningful because of an agreement between agents on how to interpret physical states. In our daily lives, analog and digital representations blend seamlessly. They are mutually necessary, often interchangeable. Yet at the boundaries of observation, where quantum mechanics comes into play, this interchangeability becomes fraught and more difficult to maintain. The physics begins to constrain which “agreements” are possible.
Nicola: In quantum protocols like BB84, the information carrier is a physical system obeying the laws of quantum mechanics. Typically, this is a qubit. A physical system has many degrees of freedom, i.e., independent modes of behaviour we can manipulate to represent information.
Ionut: And what could these carriers of quantum information be in practice?
Nicola: Often single photons, for example polarization or time-bin degrees of freedom, but the argument is general.
Nicola: Think of observing a cube. You can look at it from many perspectives, an infinite number in fact. Your brain synthesizes these into a coherent object: a three-dimensional cube. Each view is just a projection, but your mind understands their compatibility because you know what a cube is.
Ionut: And what if projections refuse to fit one coherent picture?
Nicola: Sometimes, we see projections that trick us. Think of Escher’s staircases or the Penrose triangle. They seem coherent at first glance, but upon closer inspection, something is off. Our brain detects the inconsistency, realizing such an object could not exist in three dimensions. These illusions rely on fine-tuned projections designed to deceive. In a similar way, quantum systems reveal contradictions when we try to unify all perspectives classically.
Nicola: Let us return to finite quantum systems: the qubit, qutrit, and qudit (in its general form). We simplify by focusing on the qubit.
Ionut: Before we do that, what does “choosing a perspective” mean here? A specific measurement basis?
Nicola: Yes. In both classical and quantum systems, we must choose how to observe them, that is, choose a perspective. For a cube, the perspective does not alter the object’s nature. For a quantum system, it does. Observation is contextual: once you choose a context (or basis), you gain access to specific properties, but lose access to others.
The operational lever
Nicola: Take a spin-½ particle, a basic quantum two-level system. To measure its spin, you must choose a direction, parametrized by an angle. The particle does not have a fixed spin in all directions. Instead, each direction corresponds to a distinct perspective. If you prepare a spin in one direction and measure it in another, the outcomes are probabilistic. Preparation does not entail deterministic measurement.
Ionut: And quantum mechanics prescribes different observed statistics for each of these directions?
Nicola: Precisely. The probabilities follow the Born rule: $\cos^2(\theta/2)$ for a relative angle $\theta$.
Nicola: Moreover, if you measure more complex systems, say, two entangled particles, the statistical outcomes can be mutually incompatible. You cannot always reconcile the results with a single classical description. This stochastic behaviour and incompatibility reflect a deeper structure.
Ionut: Is that the structure formalized by Bell?
Nicola: Yes, by John Bell and also, independently and with different physical assumptions, by Simon Kochen, and Ernst Specker (although relying on different physical assumptions). If measurement results were always deterministic, we might try to reconstruct a single unified description. But quantum theory shows this is not possible: perspectives resist unification. The two features, probabilistic outcomes and contextual incompatibility, are intertwined. This is the essence of what is often called quantum contextuality.
Ionut: So “contextuality” names the precise failure of a single classical account?
Nicola: It is something we do not witness in the everyday classical world, which has strengthened the belief that a unifying explanation is always possible. A keen mind, well-trained in conditional probabilities, might even intuit that these `quantum’ observations cannot arise from classical systems. The distributions we observe defy classical synthesis. This realization came only decades after quantum mechanics was born, in the work of John Bell, Kochen, and Specker. Early quantum physicists, despite recognizing stochastic behaviour, hoped it might be due to hidden variables, unknown factors determining outcomes. But this hope proved in vain.
Nicola: So, when encoding information in quantum systems, we must never forget the importance of context, of perspective. Encoding and decoding both depend on it.
Ionut: Practically, then, you can use quantum systems to send information? Providing we agree on some reference observation of the system?
Nicola: Yes. If I encode a bit using a qubit’s spin, and I tell you the context in which I did so, you can measure it in the same basis and retrieve the bit. All is well. But if you measure in a different basis, your result may be uncorrelated with the original bit. The act of measurement in quantum mechanics effectively re-prepares the system. This is often described as wavefunction collapse, though it need not be mystical; it reflects the alignment of observation with a chosen classical framework.
Ionut: So a wrong-basis measurement overwrites correlation with fresh randomness?
Nicola: If the receiver measures in the wrong basis, the outcome may be completely unrelated to the sender’s original encoding. Suppose I prepare a spin-up state in one basis; if you measure in a complementary basis, you will see a 0 or 1 at random. This inherent randomness is unfamiliar: classically, probability arises from ignorance. Here, it is intrinsic, in a sense which can be made technical.
Nicola: For a physicist trained in determinism, this is unsettling. If outcomes are probabilistic, what are we missing? Yet in quantum mechanics, repeated preparations yield variable results unless measurements align with the original context. The randomness does not arise from hidden details, it is fundamental.
Ionut: And we use that intrinsic randomness rather than explaining it away. Surely you must somehow explain this fundamental randomness, maybe one can be helped by the many so-called “interpretations” of quantum theory?
Nicola: Some seek refuge in multiverse interpretations to explain it, namely, the idea that all outcomes occur in branching universes. But this narrative, though popular, does not necessarily clarify the core mystery.
Ionut: Does the security story depend on any interpretation?
Nicola: No. The operational predictions suffice for the protocol.
Nicola: Our classical world-view demands that observations yield deterministic outcomes. But the quantum world resists this expectation. We observe only through narrow epistemic windows, and shifting these windows, changing the basis, changes what we see. Each perspective is like a keyhole through which we glimpse but a part of a greater, elusive whole.
Ionut: And BB84 turns that keyhole into a test for tampering?
Nicola: Exactly, that is the cryptographic leverage.
BB84 in practice
Nicola: Here is how the BB84 protocol works. Alice and Bob aim to establish a shared, random, secret key. They each possess the ability to generate random numbers securely. Alice prepares a sequence of qubits, choosing randomly from four possible states: $\lvert 0\rangle, \lvert 1\rangle, \lvert +\rangle, \lvert -\rangle$. These correspond to two different bases $\lvert 0\rangle, \lvert 1\rangle$ and $\lvert +\rangle, \lvert -\rangle$, two maximally incompatible perspectives (mutually unbiased bases).
Ionut: Why those four, do the two mutually unbiased bases maximize Eve’s disturbance?
Nicola: Each qubit encodes one bit of a potential key. Alice sends each qubit to Bob. Bob, for each received qubit, chooses at random one of the two bases to measure it in. If his basis matches Alice’s, he obtains the same bit. If not, his result is uncorrelated with hers.
Ionut: So matched bases recover the bit; mismatched produce potentially uncorrelated results. What fraction of rounds survive?
Nicola: In the ideal, about half survive sifting, because half the time their random basis choices coincide.
Nicola: They repeat this many times. Afterward, they communicate classically, but only to reveal which bases they used. They discard rounds where their bases differed. The remaining rounds, those where bases matched, should yield perfectly correlated bits.
Ionut: How is that classical discussion protected from spoofing?
Nicola: By authenticating the classical channel, for example with a message authentication code derived from a short pre-shared secret, later refreshed by the new key.
Nicola: These bits form a shared key. But how can they be sure the key is secure? They publicly reveal a subset of the bits. If too many discrepancies are found, they suspect eavesdropping and abort the protocol.
Ionut: How is “too many” decided? Do we compare the observed error to a theoretical threshold?
Nicola: They estimate the quantum bit error rate from the sample and compare it to a bound derived from the attack model. Below the bound, post-processing can still distil a secure key; above it, the run is aborted.
Nicola: Why? Because an eavesdropper, Eve, would have to measure the qubits to learn their content. But choosing a basis to measure necessarily alters the qubit. Since Eve does not know Alice’s chosen bases, her interference introduces errors. These show up when Alice and Bob compare samples.
Ionut: So learning without detectable disturbance is not possible here?
Nicola: This is the crux: in quantum physics, you cannot observe without disturbing. In classical physics, Eve could read states without leaving a trace. In BB84, her observation reshapes the system, and this disturbance is detectable.
Ionut: Then accept if the disturbance is low enough, abort if it is not.
Nicola: Indeed. As a consequence, BB84 offers a remarkable promise: the ability to detect any attempt to intercept a secret key. A feat impossible in classical terms becomes feasible when one accepts the peculiar logic of the quantum world.
Ionut: After acceptance, error correction and privacy amplification finish the job?
Nicola: Exactly, classical post-processing turns the correlated but noisy raw bits into a composably secure key.
Nicola: That is what NeverLocal aims to exploit: these uniquely quantum traits of information carriers, to build secure communication channels, generate shared secrets, and even lay the foundation for quantum computation and distributed security systems. This is not merely a technological feat, but a profound application of the way nature behaves at its most fundamental level. When observation and reality intertwine, security is woven not from secrecy, but from the fabric of the universe itself.