B92 and Other QKD Variants

In short

BB84 uses four quantum states and two conjugate bases; E91 uses entangled pairs and a Bell test. Between and beyond these two flagship protocols is a family of QKD variants, each designed to defeat a specific real-world attack. B92 (Bennett, 1992) simplifies BB84 to only two non-orthogonal states — cheaper hardware, lower key rate. Decoy-state BB84 (Lo-Ma-Chen, 2005; Hwang, 2003) defeats the photon-number-splitting attack on weak-coherent sources, and is standard in every modern BB84 deployment. Measurement-device-independent QKD (Lo-Curty-Qi, 2012) sends Alice's and Bob's states to an untrusted middle station that does a Bell measurement, sealing off every detector-side-channel attack. Twin-field QKD (Lucamarini et al., 2018) uses interferometric measurement at the midpoint to change the distance-rate law from O(1/d) to O(1/\sqrt d), reaching over 500\,\text{km} of fibre. Understanding this family is how you understand real QKD — deployed today by ID Quantique, Toshiba, QNu Labs, and ISRO — rather than the textbook version.

BB84 is beautiful. You pick a basis, you send a single photon, you measure in a basis, you sift, you amplify. Done. In a world with perfect lasers that emit exactly one photon per pulse, perfect optical fibres that transmit that photon without loss, and perfect detectors that click exactly when a photon arrives and not when it doesn't, BB84 would already be the end of quantum cryptography as a field.

But every one of those words — "perfect laser," "perfect fibre," "perfect detector" — is a lie in the presence of real hardware. Weak-coherent laser sources emit probabilistic numbers of photons per pulse, with a non-zero chance of two-photon events. Optical fibres attenuate signal exponentially: roughly 0.2\,\text{dB/km} at telecom wavelengths, meaning signal drops by a factor of ten every 50\,\text{km}. Single-photon detectors can be blinded by bright laser pulses, can have timing side-channels, can leak information about which basis Alice used. Every one of these imperfections is a channel for an eavesdropper — a way for Eve to extract information that BB84's idealised security proof does not cover.

The story of QKD from 1992 to the present is the story of closing these channels. Each major variant — B92, decoy-state BB84, MDI-QKD, twin-field QKD — was invented to defeat a specific attack. When you read about a QKD deployment today (ISRO Bengaluru-to-Mount-Abu, Toshiba's London testbed, China's Beijing-Shanghai backbone), you are reading about a modern descendant of BB84 with several of these variants stacked on top. This chapter walks through the family tree.

B92 — BB84 stripped down to two states

In 1992, Charles Bennett (the "B" of BB84) asked: do we really need four states? The original BB84 uses |0\rangle, |1\rangle (computational basis) plus |+\rangle, |-\rangle (Hadamard basis). But the security argument only ever uses the fact that the two bases are conjugate — that a state from one basis looks maximally random when measured in the other. Do we need all four specific states, or would two non-orthogonal states suffice?

Bennett's answer: two is enough. The B92 protocol uses only |0\rangle and |+\rangle, which have inner product \langle 0|+\rangle = 1/\sqrt 2 — they are non-orthogonal, so no measurement can perfectly distinguish them. This is the algebraic content of no-cloning applied to just two states.

B92's two encoding states. Bit 0 is $|0\rangle$; bit 1 is $|+\rangle$. They are at $45°$ to each other — non-orthogonal, with inner product $1/\sqrt 2$. No measurement can perfectly distinguish them.

The protocol. Alice picks a random bit. If 0, she sends |0\rangle; if 1, she sends |+\rangle. Bob performs unambiguous state discrimination: he picks a random basis (Z or X) and measures. There are four outcomes:

Alice sent |0\rangle, Bob measured in Z: gets 0 with certainty. (Inconclusive — Alice might have sent |0\rangle, or she might have sent |+\rangle and got 0 with probability 1/2.)
Alice sent |0\rangle, Bob measured in X: gets + or - with equal probability. If -, Bob concludes Alice did not send |+\rangle (which would give + with certainty), so she must have sent |0\rangle. Conclusive: bit 0.
Alice sent |+\rangle, Bob measured in Z: gets 0 or 1 with equal probability. If 1, Bob concludes Alice did not send |0\rangle (which would give 0 with certainty), so she must have sent |+\rangle. Conclusive: bit 1.
Alice sent |+\rangle, Bob measured in X: gets + with certainty. Inconclusive.

So on about 1/4 of the rounds, Bob gets an unambiguous outcome: he knows exactly which bit Alice sent. On the remaining 3/4, his outcome is inconclusive and he discards it. Bob announces which rounds were conclusive; those become the raw key.

Why it works. An eavesdropper Eve cannot copy or perfectly measure the states, because they are not orthogonal. Any measurement she performs will collapse the state, introduce errors, and be detected when Alice and Bob check a sample of their key bits. The no-cloning theorem does the work, just as it does in BB84.

Why it's rarely used. B92 has lower key rate than BB84 (about half, since only 1/4 of rounds are conclusive and some are sacrificed for error checking). It is also more vulnerable to loss — if Eve can block the rounds where Bob gets conclusive outcomes on the "cheap" side and resend on the other side, she can gain partial information. It is a pedagogical landmark, but modern deployments prefer BB84's four-state symmetry.

Example 1 — B92 on four pulses

Alice sends four pulses; Bob measures. Work through the outcomes.

Step 1 — Alice's preparation. She picks bits 1, 0, 1, 0 and sends |+\rangle, |0\rangle, |+\rangle, |0\rangle.

Step 2 — Bob's bases and outcomes. Bob picks bases X, X, Z, Z at random. The outcomes:

Pulse 1: Alice sent |+\rangle, Bob measured in X, gets +. Inconclusive (both states give + with non-zero probability).
Pulse 2: Alice sent |0\rangle, Bob measured in X, gets - (happens with probability 1/2). Conclusive: bit 0. (Because \langle -| + \rangle = 0, the |+\rangle state never gives outcome -.)
Pulse 3: Alice sent |+\rangle, Bob measured in Z, gets 1 (with probability 1/2). Conclusive: bit 1.
Pulse 4: Alice sent |0\rangle, Bob measured in Z, gets 0. Inconclusive. Why the conclusive outcomes work: if Bob's measurement outcome is orthogonal to one of Alice's two possible states, he can rule that state out. Outcome - in the X basis is orthogonal to |+\rangle, so Alice cannot have sent |+\rangle — she sent |0\rangle. This is unambiguous-state discrimination in action.

Step 3 — Sifting. Bob announces rounds 2 and 3 as conclusive. He has decoded bits 0 and 1. These two bits become his raw key; pulses 1 and 4 are discarded.

Result. Two of four pulses gave raw key bits — a yield of 50\% in this run, matching the theoretical average of roughly 25\% (the 50\% here is small-sample fluctuation on four rounds).

A four-pulse B92 run. Only two rounds give Bob unambiguous outcomes; those two bits become the raw key. This is the price of using only two states: about three-quarters of the pulses are discarded.

What this shows. B92 is simpler than BB84 (two states instead of four, no basis announcement) but less efficient (roughly half the raw key rate per signal). It is historically important — the first demonstration that BB84's symmetry is not required for security — but for practical deployment, the efficiency loss is rarely worth it.

Decoy-state BB84 — defeating the photon-number-splitting attack

Here is the attack that haunts every real BB84 deployment. A laser diode does not emit exactly one photon per pulse. Instead, it emits a coherent state |\alpha\rangle — a superposition of photon-number eigenstates with Poissonian statistics. A typical QKD pulse is attenuated to mean photon number \mu \approx 0.1, which gives a 9.5\% chance of one photon, a 0.5\% chance of two photons, and a 90\% chance of zero photons (empty pulse).

The 0.5\% two-photon events are the problem. Eve can perform a photon-number-splitting attack (PNS): she measures the photon number of each pulse (a non-demolition measurement that does not determine the polarisation state), keeps one photon from each two-photon pulse in a quantum memory, and forwards the other photon to Bob. For pulses where Bob announces a successful detection, Eve later measures her stored photon in the correct basis — learned from Alice's basis announcement — and obtains the bit. Eve learns the key without introducing any errors, because she never measures in a wrong basis.

PNS was pointed out by Lütkenhaus and others in the late 1990s and early 2000s and threatened to make weak-coherent-source BB84 insecure at any practical distance.

Hwang's and Lo-Ma-Chen's decoy trick

Won-Young Hwang (2003) and independently Xiang-Bin Wang (2005) proposed the decoy-state method, formalised into the standard protocol by Lo, Ma, and Chen (2005). The idea: Alice does not use one intensity for her pulses. She randomly alternates between three (or more) intensities: a signal intensity \mu, a weak decoy \nu < \mu, and a vacuum \mu_0 = 0 (empty pulses).

Eve cannot tell whether a given pulse is a signal or a decoy — they all look the same to her (coherent states with the same polarisation). So her PNS strategy must treat them all the same. But after the protocol, Alice reveals which pulses were signals and which were decoys. From the observed detection rates on each intensity, Alice and Bob can infer the yield from single-photon pulses alone — the part of the channel that is actually secure against PNS.

Specifically: the single-photon yield Y_1 and single-photon error rate e_1 can be estimated (with rigorous bounds) from the observed total yield Q_\mu at each intensity. The security of BB84 then rests on Y_1 and e_1 — not on the multi-photon part of the channel, which is conceded to Eve.

Alice's pulse sequence during decoy-state BB84. Signal, decoy, and vacuum pulses are interleaved randomly. Eve sees coherent states that all look the same; she cannot tune her PNS strategy to signals only. After the protocol, Alice announces which pulses were which, and Alice and Bob compute the single-photon yield $Y_1$ — the rate at which genuine single-photon pulses made it through.

Why decoy states work — an intuition. If Eve is running PNS and absorbing single-photon pulses (which she cannot gain information from without introducing errors) while forwarding multi-photon pulses (which she can split), her behaviour depends on the photon-number distribution. Decoy pulses have a different Poisson distribution than signal pulses, so Eve's forwarding rate is different for them too. From the two yield numbers Q_\mu and Q_\nu, Alice and Bob can solve a linear-algebra problem to recover Y_1 with tight bounds — and any Eve behaviour that deviates from "identical on all intensities" shows up as an anomaly in this comparison.

The actual formulas (Ma-Qi-Zhao-Lo, 2005) are:

Y_1 \geq \frac{\mu}{\mu\nu - \nu^2}\bigl(Q_\nu\, e^\nu - Q_\mu\, e^\mu \cdot \nu^2/\mu^2 - (\mu^2 - \nu^2)/\mu^2 \cdot Y_0\bigr),

where Y_0 is the dark-count rate (estimated from the vacuum decoy). The exact form is ugly; the content is clean: from three observable quantities, Alice and Bob bound the single-photon yield without assumptions about Eve's strategy.

Decoy-state BB84 is now standard in every modern QKD deployment. ID Quantique, Toshiba, QuantumCTek, and QNu Labs all use decoy-state protocols as the default. The idea — that Eve's attack is asymmetric across intensities, and Alice can exploit this asymmetry by randomising — is one of the prettiest practical results in all of QKD.

Measurement-device-independent QKD

Decoy states defeat attacks on the source. But another class of attacks targets the detectors. In 2010, Lars Lydersen and collaborators (the "quantum hacking" group at NTNU) demonstrated that commercial single-photon detectors could be blinded by bright continuous laser light and controlled to report whatever click pattern Eve wanted. This is a complete break of BB84 security under the assumption that the detectors behave as single-photon detectors — they can be remotely turned into classical click-generators.

The measurement-device-independent (MDI) QKD protocol, proposed by Lo, Curty, and Qi in 2012, kills this class of attack by removing detector trust entirely.

The MDI architecture

Instead of Alice sending states to Bob (who holds the detectors), in MDI both Alice and Bob send states to an untrusted middle station, usually called Charlie or Eve. Charlie performs a Bell-state measurement (BSM) on the two incoming photons and announces the outcome.

MDI-QKD architecture. Alice and Bob each send BB84-style states to Charlie, who performs a Bell-state measurement. Charlie is **untrusted** — he might be Eve. Security comes from the fact that the Bell measurement projects Alice's and Bob's states into correlated pairs, and any tampering by Charlie is caught during the sifting step.

How it works. Alice and Bob each prepare BB84 states as usual. They both send to Charlie. Charlie reports one of the Bell-basis outcomes |\Phi^\pm\rangle, |\Psi^\pm\rangle — or a failure. For every round where the BSM succeeded and Alice and Bob used compatible bases (after public reconciliation), they can correlate their bits using Charlie's announced Bell outcome.

Critically: if Charlie is Eve, she cannot extract information about the key. The Bell measurement projects the incoming two-qubit state into a maximally entangled basis; the outcome tells Charlie a relationship between Alice's and Bob's states, but not either one individually. Any attempt by Charlie to learn more — by measuring one of the qubits individually before the BSM — is caught during the public sifting step, because it introduces detectable errors in the key.

Trade-offs. MDI requires Alice and Bob to synchronise precisely (their photons must arrive at Charlie within a narrow time window for the BSM to succeed). It has lower key rate than plain BB84 because the BSM only succeeds on a fraction of incoming pulse pairs. And it requires both Alice and Bob to have high-quality laser sources — the vulnerability has shifted from detectors to sources (which is where decoy states come in, combined with MDI to get the best of both).

Deployed MDI: Toshiba's 2013 field trial in Tokyo; China's 2016 demonstration over 404\,\text{km} of fibre; several subsequent experiments up to 600\,\text{km}.

Twin-field QKD — beating the fundamental distance limit

One hard fact of QKD: the key rate R scales as R \sim O(1/d) \cdot e^{-\alpha d} where d is the fibre length and \alpha \sim 0.2\,\text{dB/km} is the attenuation. The linear-in-loss factor comes from the fact that BB84 (and MDI) rely on direct transmission of single photons; every photon lost is information lost.

In 2017, Takeoka, Guha, and Wilde proved a fundamental bound: the repeaterless PLOB limit, which states that any point-to-point QKD without quantum repeaters has key rate bounded by \sim 1.44\,\eta where \eta is the channel transmissivity. For 300\,\text{km} of fibre, \eta \sim 10^{-6}, so the key rate is at most about 10^{-6} bits per channel use. This sets the ceiling for any "send a photon, measure it" protocol.

Twin-field QKD, proposed by Lucamarini, Yuan, Dynes, and Shields (Toshiba) in 2018, beats this. The idea: instead of sending a photon from Alice to Bob, have Alice and Bob each send optical fields — coherent states with a controlled phase — to a middle station. The middle station measures the interference of the two fields; the outcome depends on the phase difference between Alice's and Bob's fields.

Because the scaling is now interferometric, the key rate scales as O(\sqrt\eta) instead of O(\eta). For \eta = 10^{-6} (a 300\,\text{km} fibre), \sqrt\eta = 10^{-3} — a factor of 1000 improvement. Over 500+ km of fibre, twin-field is the only family of QKD protocols that produces any useful key rate.

Top: key rate versus distance on a log scale. BB84 and MDI follow the repeaterless PLOB limit (key rate $\sim 1/\eta$, linear in channel loss). Twin-field QKD scales as $\sim 1/\sqrt\eta$ — square-rooted loss — by measuring optical-field interference at the midpoint rather than single-photon arrival. Bottom: the architecture; Alice and Bob each send phase-encoded coherent pulses; the middle station interferes them.

The key engineering challenge. Twin-field requires phase stability between Alice's and Bob's fields across hundreds of kilometres of fibre — temperature drift, mechanical vibrations, and dispersion all randomise the phase. Modern twin-field systems use real-time phase locking (a pilot tone sent alongside the signal, processed by active feedback) to keep the phases matched. The engineering is non-trivial, but Toshiba, University of Geneva, University of Science and Technology of China (USTC), and others have all demonstrated twin-field QKD over 500+ km in the field.

Example 2 — Why decoy states work, at the level of yields

Demonstrate the decoy-state idea with concrete numbers. Alice uses signal intensity \mu = 0.5 photons/pulse and decoy intensity \nu = 0.1 photons/pulse. Bob measures yields (fraction of pulses that result in a detection): Q_\mu = 0.03 at signal intensity, Q_\nu = 0.008 at decoy.

Step 1 — What these numbers mean. Q_\mu = 0.03 means 3\% of signal pulses trigger a detection at Bob's end; the remaining 97\% are lost to channel and detection inefficiency. Q_\nu = 0.008 is similar for decoy pulses. Why yields differ for the two intensities: more photons per pulse means a higher chance of at least one photon surviving to Bob. If the channel were single-photon-only (Eve's PNS attack), Q would scale proportionally to intensity. Deviations from this scaling reveal multi-photon contributions.

Step 2 — Separate single-photon from multi-photon contributions. Using the Poisson distribution of photon numbers at intensity \mu: P_n(\mu) = e^{-\mu}\mu^n/n!. The total yield is Q_\mu = \sum_n P_n(\mu) Y_n where Y_n is the yield given n photons were emitted. With two unknowns (Y_1 and the effective multi-photon yield Y_{\geq 2}) and two equations (Q_\mu and Q_\nu), Alice can solve.

Step 3 — The bound. Carrying through the algebra (three-intensity version with \nu_1 = 0.1, \nu_0 = 0):

Y_1 \geq \frac{\mu}{\mu\nu - \nu^2}\left[\frac{Q_\nu\, e^\nu - Q_{\nu_0}\, e^{\nu_0}}{1} - \frac{\nu^2}{\mu^2}(Q_\mu e^\mu - Q_{\nu_0}e^{\nu_0})\right] \approx 0.015.

Plugging numbers: the single-photon yield is approximately 1.5\% — roughly half the total yield, with the other half coming from (Eve-accessible) multi-photon pulses.

Result. The effective secure key rate now uses only the 1.5\% single-photon yield, not the full 3\% total. The other 1.5\% is multi-photon events Eve might have split, and these are excluded from the key.

What this shows. Decoy states do not catch Eve in the act; they concede the multi-photon channel to her and extract a key only from the provably safe single-photon channel. The security argument becomes: no matter what Eve does on multi-photon pulses, she cannot gain information about single-photon pulses without introducing errors, which Alice and Bob detect in the standard BB84 way. The decoy trick is what makes weak-coherent-source QKD secure in principle.

Deployment landscape — where the variants actually live

Real-world QKD deployments, as of 2024, use variants stacked on top of each other.

ID Quantique (Switzerland) — their Cerberis series uses decoy-state BB84 over fibre up to \sim 100\,\text{km} for banking and government clients. Deployed commercially since the mid-2000s.
Toshiba (UK) — deployed decoy-state BB84 in the Tokyo QKD Network (2010s) and has demonstrated twin-field QKD prototypes over 600+ km of fibre.
QuantumCTek (China) — the Beijing-Shanghai quantum backbone (completed 2017, roughly 2000\,\text{km}) uses decoy-state BB84 with trusted-node repeaters.
QNu Labs (Bengaluru, India) — offers decoy-state BB84 to Indian banks and defence clients. Active partner with IIT Madras and the National Quantum Mission on MDI-QKD development.
ISRO — the 2022 Bengaluru-to-Mount-Abu free-space QKD demonstration was BB84 with decoy states, over roughly 300\,\text{km} of line-of-sight atmospheric path. Satellite-based experiments using the same protocol are in the pipeline.
China's Micius satellite (2016–) — demonstrated decoy-state BB84 from orbit to ground (two separate ground stations) at the 1200\,\text{km}-separation scale, enabling intercontinental-scale QKD.

Notice the pattern: decoy-state BB84 is the workhorse. E91-style entanglement-based QKD and MDI-QKD exist in research labs but have not yet reached commercial deployment. Twin-field QKD is at the demonstrator stage, with commercial products expected later this decade.

Common confusions

"B92 is more secure than BB84 because it uses fewer states." No. B92 is less secure and less efficient than BB84 — fewer states means less redundancy and a slightly weaker statistical security argument. BB84 is simpler and more robust. B92 exists as a "proof that two states are enough," not as a practical improvement.
"MDI-QKD requires a trusted middle station." Opposite. MDI explicitly makes the middle station untrusted; that is the whole point. The Bell measurement at the middle station can be performed by Eve herself without breaking security. This is a huge architectural advantage: Alice and Bob can deploy an insecure commodity middle station, and security still holds.
"Decoy states solve the no-cloning problem." No. Decoy states solve a different problem: the photon-number-splitting (PNS) attack on weak-coherent sources. No-cloning is still the underlying security principle for BB84; decoy states patch a specific implementation loophole that PNS exploits.
"Twin-field QKD is a quantum repeater." Not quite. A true quantum repeater stores, purifies, and retransmits quantum states with entanglement swapping; twin-field QKD uses classical interferometric tricks to get sub-exponential loss scaling, but does not actually store or regenerate quantum information. It is the "best you can do without a repeater." Real repeaters require quantum memory and are still research targets.
"All QKD is equivalent, it's just different hardware." No. The variants address different threat models. If your source is a perfect single-photon emitter (e.g. an NV-centre or quantum-dot source), decoy states are irrelevant. If your detectors are untrustworthy, you need MDI. If you're going over 500+ km of fibre, you need twin-field. The protocol choice is driven by the specific risks of your deployment.
"Decoy-state BB84 and MDI-QKD are competitors." Actually, most modern deployments combine them: decoy-state MDI-QKD uses multiple intensities at the sources AND untrusted middle station, getting security benefits from both. The variants compose.
"Twin-field beats the PLOB bound, so it's faster than light." No. Twin-field still obeys all the normal causality constraints. What it beats is the specific PLOB bound on point-to-point key rate with single-photon direct transmission — a bound derived under particular assumptions that twin-field's interferometric architecture does not satisfy. There is no faster-than-light communication; only a smarter way to extract classical correlations from an optical channel.

Going deeper

B92 as stated above is the teaching version. What follows is the formal B92 security bound and its known subtleties, a full decoy-state calculation, the MDI security derivation at the level of density matrices, the engineering details of twin-field phase locking, and the specific ISRO plan for satellite QKD that India is building.

Formal B92 security

Tamaki, Koashi, and Imoto (2003) proved B92's security against coherent attacks under idealised assumptions (single-photon source, perfect detectors). The security proof runs in two steps: first, show that from Bob's perspective, the B92 protocol is equivalent to a restricted form of BB84 where Alice sends states from only one of the two bases; second, apply Mayers-style BB84 security arguments with a modified key rate accounting for the lower conclusive-outcome fraction.

The key rate formula for B92:

R_{B92} = Q \cdot \bigl(1 - 2 H_2(e)\bigr),

where Q is the conclusive-outcome rate (approximately (1 - |\langle 0|+\rangle|^2)/2 \approx 1/4) and e is the bit-error rate. Compared to BB84's R_{BB84} = Q_\text{sift}(1 - 2 H_2(e)) with Q_\text{sift} \approx 1/2, B92 has about half the rate. In the PNS-attack-capable regime, B92 needs decoy states just like BB84; these are messier to derive but straightforward in principle.

Decoy-state math at research level

The three-intensity decoy-state formula (Lo-Ma-Chen, 2005) is:

Y_1 \geq Y_1^{\text{LB}} = \frac{\mu}{\mu\nu - \nu^2}\left[Q_\nu e^\nu - \frac{\nu^2}{\mu^2}Q_\mu e^\mu - \frac{\mu^2 - \nu^2}{\mu^2} Y_0\right],

e_1 \leq e_1^{\text{UB}} = \frac{Q_\nu e^\nu \cdot E_\nu - Y_0 e_0}{Y_1^{\text{LB}}\nu},

where Q_\mu, Q_\nu are the total yields, E_\nu is the observed QBER at decoy intensity, Y_0 is the vacuum yield (dark counts), and e_0 = 1/2 is the random QBER of dark counts. These are lower/upper bounds — rigorous bounds valid against any Eve strategy satisfying linearity of quantum mechanics.

For optimal security, Alice tunes \mu and \nu to maximise the secure key rate

R \geq Q_\mu \cdot \bigl(-f(E_\mu)H_2(E_\mu) + \frac{Y_1 e^{-\mu}\mu}{Q_\mu}(1 - H_2(e_1))\bigr),

where f is the error-correction efficiency (typically \sim 1.1). Typical optimal values: \mu \sim 0.5, \nu \sim 0.1. The entire modern decoy-state literature is a careful study of how to tune these for realistic parameter regimes.

MDI security and the virtual-Bell-state argument

The MDI security proof proceeds via a virtual entanglement argument. Note that BB84-state preparation is equivalent to Alice measuring one half of a Bell pair and announcing the outcome. In MDI, Charlie's Bell-state measurement on Alice's and Bob's sent qubits is equivalent (by entanglement swapping) to creating an entangled state between two "virtual" qubits held conceptually by Alice and Bob. Security then reduces to the standard Lo-Chau proof for entanglement-based QKD.

The formal security argument is in Braunstein and Pirandola (2012) and Lo-Curty-Qi (2012). A full composable-security version appears in Curty et al. (2014). Modern MDI deployments use this theoretical framework plus decoy states on Alice's and Bob's sides.

Twin-field interferometric phase locking

Twin-field's key engineering problem: maintain phase stability between Alice's and Bob's coherent states over hundreds of kilometres of fibre. Phase drift has two sources:

Thermal: fibre expands and contracts with temperature, changing optical path length by \sim 40\,\text{ps/K/km}. A 1\,\text{K} fluctuation over 500\,\text{km} changes the phase by thousands of 2\pi.
Mechanical: acoustic vibrations, wind-induced cable motion.

Solutions: send a pilot tone (a reference laser field at a different wavelength) down the same fibre; measure the pilot's arrival phase at the middle station; feed back to Alice's and Bob's signal-laser phase modulators in real time. Commercial twin-field systems achieve phase stability of <0.1\,\text{rad} rms over 500\,\text{km}.

The Toshiba 2018 paper and subsequent demonstrations (USTC, University of Geneva) are the working references for phase-locking architectures.

Free-space QKD and India's satellite programme

Free-space QKD has different loss characteristics than fibre: atmospheric turbulence dominates near the ground, but above 20\,\text{km} altitude the sky is nearly transparent. A satellite-to-ground link has almost all of its loss concentrated in the lowest atmosphere, giving an effective channel transmissivity of \sim 10^{-3} for satellites at 500\,\text{km} altitude — dramatically better than the 10^{-16} that 1200\,\text{km} of straight fibre would give.

ISRO's roadmap, publicly articulated in the National Quantum Mission programme documents:

2022: 300\,\text{km} free-space BB84 (Bengaluru-Mount Abu) — completed.
2024–2026: intra-city fibre QKD networks in Delhi, Bengaluru, and Hyderabad.
2027–2029: first Indian QKD satellite, demonstrating BB84 and entanglement distribution from orbit.
Post-2029: quantum-communication integration with existing Indian defence and financial infrastructure.

The key technical challenges are: high-efficiency silicon-photomultiplier detectors (currently imported; indigenous development under way at RRI), narrow-linewidth laser sources, sub-nanosecond timing electronics, and space-qualified adaptive optics for ground-station telescopes. Each is an active area of Indian research.

Finite-key security and composability

All the protocols above have an idealised "asymptotic" security analysis — the bounds hold exactly as the number of rounds goes to infinity. Real protocols run for finite N. Finite-key security (Tomamichel, Lim, Gisin, Renner, 2012) accounts for statistical fluctuations in the observed error rates and yields. The corrections typically cost O(\log N / \sqrt N) in secret key rate — manageable for N \gtrsim 10^6 rounds, which any deployed system exceeds.

Composable security means that the protocol's output (the secret key) remains secure when used as part of a larger cryptographic system — e.g., as the key for an AES encryption that is subsequently broadcast. This is the strongest form of security guarantee for QKD and is the modern standard for security proofs. All the variants discussed have composable security proofs in the finite-key regime.

Where this leads next

BB84 protocol — the flagship from which every variant descends.
E91 protocol — the entanglement-based cousin, the template for device-independent QKD.
Device-independent QKD — the ultimate "no-trust" protocol, using CHSH violation as security certification.
Quantum network architecture — how these variants are composed into continental-scale networks.
Post-quantum cryptography — the algorithmic alternative to QKD for the same threat.

References

Charles H. Bennett, Quantum cryptography using any two non-orthogonal states (Phys. Rev. Lett. 68, 3121, 1992) — the B92 original. APS page.
Hoi-Kwong Lo, Xiongfeng Ma, Kai Chen, Decoy state quantum key distribution (2005). arXiv:quant-ph/0411004.
Hoi-Kwong Lo, Marcos Curty, Bing Qi, Measurement-device-independent quantum key distribution (2012). arXiv:1109.1473.
Marco Lucamarini, Z. L. Yuan, J. F. Dynes, A. J. Shields, Overcoming the rate-distance limit of quantum key distribution without quantum repeaters (Nature, 2018) — the twin-field paper. arXiv:1811.06826.
Wikipedia, Quantum key distribution — survey of protocols, attacks, and deployments.
Feihu Xu, Xiongfeng Ma, Qiang Zhang, Hoi-Kwong Lo, Jian-Wei Pan, Secure quantum key distribution with realistic devices (Rev. Mod. Phys. 92, 025002, 2020) — comprehensive modern review. arXiv:1903.09051.