In short
BB84, published by Charles Bennett and Gilles Brassard in 1984, is the first and still the most widely deployed quantum key distribution (QKD) protocol. Alice picks a random bit and a random basis (Z or X) for each photon, prepares the corresponding state — one of |0\rangle, |1\rangle, |+\rangle, |-\rangle — and sends the photon to Bob over a quantum channel. Bob picks a random basis and measures. They publicly compare bases (not bit values), keep the positions where bases matched (the sifted key, about half the original length), and estimate the error rate on a random sample. If the error rate is below the security threshold (\sim 11\%), the remaining bits are processed through information reconciliation and privacy amplification to produce a final shared key whose secrecy is guaranteed by the laws of quantum mechanics. The security argument is built on the no-cloning theorem (chapter 20): Eve cannot copy the unknown photon, and any attempt to measure it in the wrong basis disturbs the state and introduces detectable errors. BB84 has been implemented in fibre (up to \sim 500 km with trusted nodes), in free space, and from space — China's Micius satellite (2017) and India's ISRO Bengaluru–Mt. Abu demonstration (2022) show the protocol working across hundreds of kilometres.
Shor's algorithm (chapters 74–77) will, eventually, break RSA and ECC. The previous chapter laid out the migration plan: replace public-key primitives with lattice-based post-quantum cryptography. But there is a second way to solve the key-distribution problem, and it does not depend on any computational assumption at all. It depends on the structure of quantum mechanics itself.
In October 1984, at a conference in Bangalore — the IEEE International Conference on Computers, Systems, and Signal Processing — Charles Bennett and Gilles Brassard presented a protocol for distributing a shared secret key between two parties using single photons. The protocol, now known as BB84, is the first quantum cryptographic scheme of any kind. It is provably secure against any eavesdropper, regardless of computational resources, so long as quantum mechanics is correct and the devices do what the protocol says they do.
Forty-two years later, BB84 runs over fibre-optic links in banks in Vienna and Beijing, from satellites in low Earth orbit, and — as of 2022 — between two ground stations in Karnataka and Rajasthan via an ISRO satellite. The hardware is niche; the protocol is standard; and the security proof is watertight. This chapter walks through exactly how it works.
The setup
BB84 needs two communication channels between Alice and Bob.
- A quantum channel — an optical fibre or a free-space line of sight — on which Alice can send single photons in one of four polarisation states. This channel can be noisy and it can be tapped.
- An authenticated classical channel — any ordinary link (telephone, internet) on which messages can be read by anyone but cannot be tampered with. Alice and Bob will announce their basis choices and error-rate samples over this channel.
The authentication of the classical channel is a separate problem, usually solved with a small pre-shared symmetric key and a message authentication code. BB84 extends a short shared key into a much longer one; it does not bootstrap from nothing. A common framing is that BB84 is a "key growing" protocol, not a "key distribution from zero" protocol.
Eve, the eavesdropper, can see everything on both channels. She can do anything quantum mechanics allows on the quantum channel — measure photons, store them, substitute new ones — but she cannot alter messages on the classical channel (that is the meaning of "authenticated").
The four states
Alice encodes bits in photon polarisation. Every bit needs one photon, prepared in one of two bases.
- Z basis (rectilinear): |0\rangle (horizontal polarisation, bit 0) and |1\rangle (vertical polarisation, bit 1).
- X basis (diagonal): |+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle) (diagonal +45°, bit 0) and |-\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle) (diagonal -45°, bit 1).
Why two bases: the security of BB84 rests on the fact that the four states are not all orthogonal. |0\rangle and |+\rangle have inner product \langle 0 | + \rangle = 1/\sqrt{2} — they cannot be perfectly distinguished by any measurement. Choose a single basis (say Z) and the protocol degenerates to "Alice sends 0 or 1; Eve measures in Z and learns everything." Using two bases forces Eve into a lose-lose: measure in Z and miss half the time; measure in X and miss the other half.
The first time Dirac notation appears in this chapter: |0\rangle — read "ket zero" — is a 2-dimensional column vector \begin{pmatrix}1 \\ 0\end{pmatrix}. |1\rangle is \begin{pmatrix}0 \\ 1\end{pmatrix}. The X-basis states are unit combinations of these. All four live on the Bloch sphere: |0\rangle at the north pole, |1\rangle at the south pole, |+\rangle at +x on the equator, |-\rangle at -x. For a deeper tour of the picture, see qubit-as-unit-vector and bloch-sphere.
The protocol, step by step
BB84 has seven steps. Steps 1–3 are quantum; steps 4–7 are classical.
Step 1 — Alice prepares. For each photon i = 1, 2, \ldots, n Alice picks a random bit a_i \in \{0, 1\} and a random basis b_i \in \{Z, X\}, and prepares the state |a_i\rangle_{b_i} using the table above. Each bit and each basis is a fresh random coin flip.
Step 2 — Alice transmits. Alice sends the n photons, one at a time, over the quantum channel.
Step 3 — Bob measures. For each photon i, Bob picks a random basis c_i \in \{Z, X\} and measures in that basis. He records the outcome b'_i \in \{0, 1\}. Crucially, he picks c_i before knowing what Alice sent — there is no correlation between Alice's b_i and Bob's c_i.
When c_i = b_i (Bob happened to pick the same basis Alice used), Bob's outcome is deterministic: b'_i = a_i. When c_i \ne b_i, the state is being measured in the wrong basis — a state from one basis is an equal superposition in the other — and the outcome is a uniformly random bit, independent of a_i. Why the wrong-basis outcome is random: a state like |0\rangle decomposed in the X basis is |0\rangle = \tfrac{1}{\sqrt{2}}(|+\rangle + |-\rangle). An X-basis measurement gives outcome + with probability 1/2 and - with probability 1/2. The measurement destroys the original Z-basis information.
Step 4 — Public basis reconciliation (sifting). Over the classical channel, Alice announces her basis sequence (b_1, b_2, \ldots, b_n) and Bob announces his (c_1, c_2, \ldots, c_n). They identify the positions where b_i = c_i and discard the rest. Since each basis is a fair coin, roughly n/2 positions survive. On these sifted positions, a_i and b'_i should agree in the absence of noise. Call the sifted sequence the raw key.
Why this works even though Eve sees the basis announcements: Eve learns which positions were kept, but she does not learn a_i or b'_i from the announcement itself — the announcement contains only the basis labels, not the bit values. Eve's information about the raw key comes only from what she did on the quantum channel during Step 2.
Step 5 — Error-rate estimation. Alice and Bob pick a random subset (typically 5%–25%) of the sifted positions and publicly compare their bit values on those positions. This reveals both Alice's a and Bob's b' on those positions, so they are burned and discarded. The fraction that disagree is the quantum bit error rate, \text{QBER}.
Step 6 — Eavesdropping check. If \text{QBER} > \text{threshold} — typically 11\% for the standard BB84 security proof — abort. Something is wrong. Either Eve was there, or the channel is too noisy to be useful. Keep the key only if \text{QBER} is below the threshold.
Step 7 — Reconciliation and privacy amplification. Even below the threshold, the remaining raw key has two problems. First, there may be small errors: a_i \ne b'_i at a few positions because of channel noise. Alice and Bob run information reconciliation — public parity-check exchanges, akin to classical error correction — that tell Bob enough to fix the errors while revealing as little information to Eve as possible. Second, even a small \text{QBER} means Eve may have partial information about the bits. Privacy amplification — hashing the reconciled key with a random universal-hash function down to a shorter output — removes Eve's partial information, at the cost of shortening the final key. The output is the secret key, short but provably private.
Why eavesdropping gets caught — the no-cloning argument
The heart of BB84 is that Eve cannot intercept the photons without leaving a trace. The argument has three pieces.
Piece 1 — no-cloning (chapter 20). Eve cannot take an unknown photon and produce two copies of it. If she could, she would keep one copy for herself, forward the other to Bob, and learn Alice's bit without disturbing the channel — a complete break. The no-cloning theorem says no unitary can do this. So Eve's best option is to measure the photon (destroying it) and send a fresh photon to Bob based on her outcome.
Piece 2 — measurement in the wrong basis disturbs the state. Eve does not know which basis Alice used; she has to pick her own. Suppose Alice sent |0\rangle (Z basis, bit 0) and Eve measured in the X basis. The state |0\rangle written in the X basis is \tfrac{1}{\sqrt{2}}(|+\rangle + |-\rangle), so Eve gets + or - with probability 1/2 each. Whichever she gets, she prepares the corresponding X-basis photon and sends it to Bob. Now Bob measures in his random basis. If Bob measures in Z (matching Alice), he receives the state Eve sent — say |+\rangle — and measurement in the Z basis gives |0\rangle or |1\rangle with probability 1/2 each. Bob's outcome matches Alice's with probability 1/2, so Eve's interception introduces an error at that position with probability 1/2.
Piece 3 — Eve fails to match half the time. On each photon, Eve guesses a basis; she matches Alice's basis with probability 1/2 and mismatches with probability 1/2. When she matches, her interception is undetectable on that bit: she learns Alice's bit and passes it on correctly. When she mismatches (half the bits), her interception introduces a 50-50 error at that position when Bob also happens to use the right basis (i.e. Alice's). In the sifted key (bits where Alice and Bob agreed on basis), exactly half of Eve's interceptions are in the wrong basis, each introducing a 50-50 error. Expected error rate from naive intercept-resend: \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{4} = 25\%.
Why 25%, not 50%: Eve guesses right 50% of the time (no error); of the 50% she guesses wrong, a 50-50 outcome means half her re-prepared photons match Alice's bit, half don't. So the error rate Bob sees on the sifted key is \tfrac{1}{2} \times \tfrac{1}{2} = 25\%.
25\% is far above the BB84 security threshold of \sim 11\%. So naive intercept-resend is always detected. A full security proof (Shor-Preskill 2000, Gottesman-Lo 2003 [2],[3]) extends the argument to arbitrary eavesdropping strategies — coherent attacks, entanglement-assisted probes — and arrives at the same conclusion: if \text{QBER} < 11\%, the key is provably secret.
Worked example — a run with 10 photons
With small numbers the whole protocol fits on a page.
Example 1: a full BB84 run with n = 10 photons
Setup. Alice is about to send 10 photons to Bob. For each photon she generates a random bit a_i and a random basis b_i. Bob independently generates his own random basis c_i for each measurement. Suppose the channel is perfect — no noise, no eavesdropping — so whenever b_i = c_i, Bob's outcome b'_i exactly matches Alice's bit a_i; whenever b_i \ne c_i, b'_i is a uniform random bit (but it will be discarded in sifting anyway).
Step 1. Alice's random choices (imagine 20 fair coin flips).
| i | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| a_i (bit) | 0 | 1 | 1 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
| b_i (basis) | Z | X | Z | Z | X | X | Z | X | Z | X |
| state sent | \lvert 0\rangle | \lvert -\rangle | \lvert 1\rangle | \lvert 0\rangle | \lvert -\rangle | \lvert +\rangle | \lvert 1\rangle | \lvert -\rangle | \lvert 0\rangle | \lvert +\rangle |
Step 2. Alice sends all 10 photons. They travel the quantum channel and arrive at Bob (no losses in this example).
Step 3. Bob's random bases and resulting measurement outcomes.
| i | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| c_i | Z | X | X | Z | Z | X | X | X | Z | X |
| match? | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓ |
| b'_i | 0 | 1 | ? | 0 | ? | 0 | ? | 1 | 0 | 0 |
Why the ? entries can be anything: at positions 3, 5, 7 Alice and Bob used different bases, so Bob's outcome is a uniform random bit independent of Alice's a_i. These positions will be discarded in sifting, so their actual values do not matter for the final key.
Step 4. Alice and Bob announce their bases over the classical channel and keep the matching positions.
Matching positions: \{1, 2, 4, 6, 8, 9, 10\} — seven positions from the original ten.
Sifted bits (Alice and Bob should match):
| i | 1 | 2 | 4 | 6 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|
| a_i | 0 | 1 | 0 | 0 | 1 | 0 | 0 |
| b'_i | 0 | 1 | 0 | 0 | 1 | 0 | 0 |
They agree everywhere. Raw key length = 7.
Step 5. Sample a subset, say positions \{2, 9\}, and publicly compare.
At i = 2: Alice says a_2 = 1, Bob says b'_2 = 1. Agree. At i = 9: Alice says a_9 = 0, Bob says b'_9 = 0. Agree.
Estimated \text{QBER} = 0 / 2 = 0\%. Why sampling reveals QBER: errors are statistically estimable from any random subset; the law of large numbers says the sample proportion converges to the population proportion as the sample grows. A realistic run with n = 10^6 photons and a sample of 10^5 gives an estimate accurate to about 0.3\%.
Step 6. 0\% < 11\%: continue. No eavesdropper detected.
Step 7. Remaining raw key (after burning samples): positions \{1, 4, 6, 8, 10\}, bits (0, 0, 0, 1, 0). Since \text{QBER} = 0 in this clean-channel example, information reconciliation does nothing; privacy amplification hashes the 5 bits down to a slightly shorter output, say 3 bits. The 3-bit output — which in a real protocol would be extracted by a random universal hash — is the final shared secret key.
Result. Starting with 10 photons, Alice and Bob end up with a few bits of shared secret key. The inefficiency — 10 photons in, 3 bits out — is fundamental: sifting costs you half (basis-mismatch positions are dropped), error-rate sampling costs another fraction (sampled positions are burned), privacy amplification shrinks the rest to remove any of Eve's marginal information.
What this shows. The protocol is an arithmetic procedure — random bits, announcements, comparisons, hashes — applied on top of quantum measurement. The quantum part is done after Step 3; everything else is classical post-processing, carried out with standard cryptographic tools.
Worked example — detecting an eavesdropper
Example 2: Eve attempts an intercept-resend and is caught
Setup. Repeat the protocol but now Eve is active on the quantum channel. She intercepts every photon, measures it in a random basis of her own (call it e_i \in \{Z, X\}), learns an outcome, prepares a fresh photon in that basis and value, and sends it to Bob. Bob proceeds as before with his own random basis choice c_i.
Step 1. Alice's preparations: say the first four photons are (a_i, b_i) = (0, Z), (1, X), (0, Z), (1, Z), i.e. states |0\rangle, |-\rangle, |0\rangle, |1\rangle.
Step 2. Eve's bases and outcomes.
| i | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Alice's state | \lvert 0\rangle | \lvert -\rangle | \lvert 0\rangle | \lvert 1\rangle |
| Eve's basis e_i | Z | Z | X | Z |
| Eve's outcome | 0 | 0 or 1 (50-50) | + or − (50-50) | 1 |
| Eve resends | \lvert 0\rangle | \lvert 0\rangle or \lvert 1\rangle | \lvert +\rangle or \lvert -\rangle | \lvert 1\rangle |
Why Eve's outcomes are random at positions i = 2, 3: Alice used one basis, Eve guessed the other. For i = 2 Alice's |-\rangle decomposes in the Z basis as \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle), a 50-50 mix. For i = 3, |0\rangle decomposes in X as \tfrac{1}{\sqrt{2}}(|+\rangle + |-\rangle), also 50-50.
Step 3. Bob's measurements — assume Bob happens to use Alice's basis every time (these are the sifted positions).
| i | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Bob's basis c_i | Z | X | Z | Z |
| Alice's basis b_i | Z | X | Z | Z |
| Eve's state → Bob | \lvert 0\rangle | \lvert 0\rangle or \lvert 1\rangle | \lvert +\rangle or \lvert -\rangle | \lvert 1\rangle |
| Bob's outcome b'_i | 0 | measures X: 50-50 | measures Z: 50-50 | 1 |
| match a_i? | ✓ | 50% | 50% | ✓ |
Why Bob's outcome at i = 2 is 50-50: Eve resent |0\rangle or |1\rangle (depending on her measurement). Bob measures in the X basis. The state |0\rangle expressed in X is \tfrac{1}{\sqrt{2}}(|+\rangle + |-\rangle), so Bob gets + or - with probability 1/2. Alice's a_2 = 1 means she encoded |-\rangle (X basis), so she expects Bob to see - (outcome 1). Eve's intercept-resend gave Bob a Z-basis state, so Bob's outcome is now random in his X basis, matching Alice's 1 only half the time.
Step 4. Eve picks Alice's basis exactly half the time (positions 1, 4 above). On those positions, her intercept is invisible: she learns a_i and passes along the correct state. On the other half (positions 2, 3), she picks the wrong basis: Bob's sifted bit matches Alice's only 50% of the time.
Step 5. Expected overall QBER on the sifted key: probability Eve picks wrong basis × probability Bob then errs = \tfrac{1}{2} \times \tfrac{1}{2} = 25\%.
Step 6. 25\% > 11\%: Alice and Bob abort. They discard the entire exchange. No key is generated, but no secret has leaked either.
Why aborting is safe: Eve learned some of Alice's bits (those at the positions where she guessed basis correctly), but Alice and Bob threw away the whole raw key. Eve's knowledge is useless because the bits she learned will never be used as a cryptographic key. BB84's security property is failure-safe: either the protocol succeeds with a provably secret key, or it fails with no key — never a leaked key.
Result. Any non-trivial intercept-resend attack produces a QBER above 11%, triggering abort. Eve learns a few bits but loses the key. The protocol is detection-secure, not confidentiality-post-break — the act of tampering is what leaks, not the bits.
What this shows. BB84's security lives in statistics, not in individual photons. Eve learns a few bits per intercepted photon, but every intercept moves the estimated QBER upward; above threshold, the whole key is thrown away. The design inverts the classical assumption that "eavesdropping is undetectable" — in the quantum regime, eavesdropping is structurally the thing that gets caught.
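The seven-step procedure and the intercept-resend analysis above, run as a simulation. This is an added example, not code from the original chapter: it models each photon classically (a matching-basis measurement returns the encoded bit, a mismatched one returns a fair coin), assumes a noiseless and lossless channel, and the names `measure`, `sift` and `run_bb84` are made up here.

```python
import random

THRESHOLD = 0.11  # abort threshold quoted in the text


def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis: the outcome equals the encoded bit.
    Mismatched basis: the outcome is a uniform random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def sift(alice_bases, bob_bases):
    """Step 4: 0-based indices where the announced bases agree."""
    return [i for i, (b, c) in enumerate(zip(alice_bases, bob_bases)) if b == c]


def run_bb84(n, eve=False, sample_fraction=0.2, seed=1):
    """Steps 1-6 of the protocol; eve=True adds intercept-resend on every photon."""
    rng = random.Random(seed)  # reproducible simulation RNG, not key-grade
    a = [rng.randrange(2) for _ in range(n)]   # Alice's bits a_i
    b = [rng.choice("ZX") for _ in range(n)]   # Alice's bases b_i
    c = [rng.choice("ZX") for _ in range(n)]   # Bob's bases c_i

    bob = []
    for i in range(n):
        bit, basis = a[i], b[i]
        if eve:
            # Eve measures in her own basis e_i and re-prepares what she saw.
            e = rng.choice("ZX")
            bit, basis = measure(bit, basis, e, rng), e
        bob.append(measure(bit, basis, c[i], rng))  # Step 3: Bob's outcome b'_i

    kept = sift(b, c)
    if not kept:
        raise ValueError("no sifted positions; send more photons")

    # Step 5: compare a random subset in public; those positions are burned.
    k = max(1, int(len(kept) * sample_fraction))
    sample = set(rng.sample(kept, k))
    qber = sum(a[i] != bob[i] for i in sample) / k
    rest = [i for i in kept if i not in sample]

    # Step 6: abort above the threshold, so no key material survives.
    aborted = qber > THRESHOLD
    return {
        "sifted": len(kept),
        "qber": qber,
        "aborted": aborted,
        "alice_key": [] if aborted else [a[i] for i in rest],
        "bob_key": [] if aborted else [bob[i] for i in rest],
    }


if __name__ == "__main__":
    # Bases from the 10-photon worked example in this chapter.
    print("sifted positions:", [i + 1 for i in sift("ZXZZXXZXZX", "ZXXZZXXXZX")])
    for eve in (False, True):
        r = run_bb84(20000, eve=eve)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"aborted={r['aborted']} key_len={len(r['alice_key'])}")
```

With Eve active the estimated QBER settles near 25% and the run aborts with an empty key; without her it is exactly zero on this idealised channel.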
Implementations — fibre, free-space, satellite
BB84 works in theory with ideal single-photon sources and perfect single-photon detectors. In practice, the hardware is always imperfect, and the engineering has evolved through several generations.
Fibre-optic BB84. Standard telecommunication fibre at 1550 nm has low loss (\sim 0.2 dB/km) and is compatible with existing network infrastructure. Fibre-based QKD systems have been deployed by ID Quantique (Switzerland) since 2007, Toshiba since 2010, and SK Telecom (South Korea) in commercial rollouts. The practical range in fibre is \sim 100-200 km per hop because photon loss grows exponentially with distance; longer distances require trusted nodes (intermediate relays where the key is decrypted and re-encrypted). China's Beijing–Shanghai QKD backbone (2017) is \sim 2000 km of fibre stitched together with 32 trusted nodes.
Free-space BB84. For line-of-sight ground links (campus to campus, building to building), photons can be sent through the open atmosphere. The losses depend on turbulence, weather, and pointing stability, but clear-air demonstrations have reached tens of kilometres between mountaintops. The advantage is deployability without digging fibre; the disadvantage is weather dependence.
Satellite BB84. Free-space links to satellites avoid the fibre attenuation problem: vacuum has zero loss. China's Micius satellite (launched 2016) executed BB84 between the satellite and ground stations in Xinglong and Graz at rates of a few kbit/s over 1200 km [5]. This was the first intercontinental satellite-QKD demonstration.
India's satellite-QKD demonstration. In March 2022, ISRO's Space Applications Centre (SAC) demonstrated satellite-based QKD between ground stations separated by \sim 300 km, using a Low Earth Orbit platform operated jointly with the Raman Research Institute. The protocol was BB84 with decoy states; the downlink wavelength was 850 nm; the achieved quantum bit error rate was well below the 11% threshold on clear nights. The demonstration is part of the National Quantum Mission (NQM, 2023, ₹6003 crore) communications pillar, and a follow-on satellite dedicated to quantum communication — part of the NQM-aligned QuEST-SAT programme — is in planning with a mid-decade launch target. This places India in the small set of countries (China, US, Canada, Singapore, India) to have demonstrated satellite QKD.
Common confusions
- "BB84 sends the secret key over the photons." No. BB84 sends random bits. The raw key is a string of random bits that Alice and Bob happen to share by virtue of the physics. The secret key is extracted from those random bits by classical post-processing (sifting, reconciliation, privacy amplification).
- "No-cloning alone makes BB84 secure." No-cloning prevents Eve from copying photons; it is necessary but not sufficient. Equally essential is that measurement in the wrong basis disturbs the state, creating the QBER signature that Alice and Bob detect. Both properties together — non-clonability plus measurement disturbance — are what make BB84 work.
- "BB84 replaces RSA." Not in the same layer of the stack. RSA is a computational public-key primitive used to bootstrap a key between parties with no prior relationship. BB84 is a physical-layer key-growing protocol that requires a quantum channel and some pre-shared authentication secret. BB84 addresses the post-Shor key-distribution problem in specific high-security niches (banks, government, strategic communications); it does not replace RSA on the consumer internet.
- "BB84 is unconditionally secure, so it's perfect." Unconditional security applies to the protocol. Real devices leak: the photon source may emit occasional double-photon pulses that Eve can split (photon-number-splitting attack), the detector may be spoofed (detector blinding). Decoy-state BB84 and measurement-device-independent QKD close these loopholes at the protocol level; careful engineering handles the rest.
- "QKD exists in products, so post-quantum cryptography is unnecessary." QKD and PQC are complementary, not alternatives. QKD needs a dedicated quantum channel and is expensive to deploy at scale; PQC is a software change, deployable on every device. Sensible architectures use both — QKD where point-to-point secrecy at the physical layer is worth the hardware investment; PQC across the general internet.
Going deeper
If you understand that BB84 uses four polarisation states in two bases, that Eve cannot copy photons (no-cloning) and cannot measure them without disturbing them, that the intercept-resend attack gives a 25% QBER against the 11% threshold, and that India has demonstrated the protocol over 300 km via satellite — you have chapter 152. The material below is for readers who want the sharper version: the security proof via Ekert-91 equivalence, side-channel loopholes, decoy states and MDI-QKD, and the specifics of the Indian satellite-QKD demonstration.
Security proof via the Ekert-91 equivalence
BB84's unconditional security was not proven in the original 1984 paper; a full proof took until Mayers (1996), Lo-Chau (1999), and the elegant entanglement-based reduction by Shor and Preskill (2000) [2]. The key insight: BB84's prepare-and-measure protocol is equivalent to an entanglement-based protocol in which Alice creates a Bell pair |\Phi^+\rangle = \tfrac{1}{\sqrt{2}}(|00\rangle + |11\rangle), keeps one half, sends the other to Bob, and each measures in a random basis. Measurement outcomes then have exactly the correlations BB84 needs. Eve's attack maps to a Pauli-channel error model on the distributed Bell pair, and the security proof reduces to analysing CSS error-correcting codes that handle the X and Z errors separately. The 11% threshold emerges from the CSS code's decoding limit; above that error rate, no code can distil a secret key faster than Eve's mutual information grows.
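An added example (not from the original chapter) of the privacy-amplification step and of where the 11% figure comes from. It assumes the asymptotic Shor-Preskill key fraction 1 - 2h(Q), with h the binary entropy, which the chapter cites but does not write out, and it uses a Toeplitz matrix as the universal hash; function names are illustrative and finite-size corrections are ignored.

```python
import math
import secrets


def h2(p):
    """Binary entropy in bits."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def secret_fraction(qber):
    """Asymptotic key fraction 1 - 2*h2(Q): one h2(Q) is spent on error
    correction, one on removing Eve's information. Floored at zero."""
    return max(0.0, 1.0 - 2.0 * h2(qber))


def zero_rate_qber(tol=1e-9):
    """Bisection on [0, 0.5] for the QBER at which 1 - 2*h2(Q) reaches zero."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if 1.0 - 2.0 * h2(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def toeplitz_hash(key_bits, out_len, seed_bits):
    """Multiply the n-bit key by an out_len x n Toeplitz matrix over GF(2).
    The matrix is constant along diagonals: T[r][c] = seed_bits[r - c + n - 1],
    so the seed needs n + out_len - 1 bits."""
    n = len(key_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    out = []
    for r in range(out_len):
        acc = 0
        for c in range(n):
            acc ^= seed_bits[r - c + n - 1] & key_bits[c]
        out.append(acc)
    return out


def privacy_amplify(key_bits, qber, seed_bits=None):
    """Shrink a reconciled key to the length the measured QBER allows.
    The seed is public: one party draws it and announces it over the
    authenticated classical channel so both sides apply the same matrix."""
    n = len(key_bits)
    out_len = int(n * secret_fraction(qber))
    if out_len == 0:
        return [], seed_bits  # nothing can be extracted at this error rate
    if seed_bits is None:
        seed_bits = [secrets.randbits(1) for _ in range(n + out_len - 1)]
    return toeplitz_hash(key_bits, out_len, seed_bits), seed_bits


if __name__ == "__main__":
    print(f"key fraction reaches zero at QBER = {zero_rate_qber():.4f}")
    reconciled = [secrets.randbits(1) for _ in range(1000)]  # constructed sample key
    for q in (0.00, 0.03, 0.06, 0.12):
        final, _ = privacy_amplify(reconciled, q)
        print(f"QBER {q:.2f}: {len(reconciled)} bits -> {len(final)} bits")
```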
Side-channel attacks and their fixes
Real-device BB84 has been attacked many times, always through implementation flaws rather than protocol flaws. The canonical attacks:
- Photon-number-splitting (PNS). Weak laser sources emit Poisson-distributed photon numbers per pulse. Occasionally a pulse contains two or more photons. Eve can split off one photon, keep it in quantum memory, wait for the basis announcement, and measure in the correct basis — learning Alice's bit without introducing any QBER. Fix: decoy-state BB84 (Lo-Ma-Chen 2005) interleaves pulses of different intensities so Alice and Bob can detect if Eve is preferentially blocking single-photon pulses.
- Detector blinding. Commercial avalanche-photodiode detectors can be saturated ("blinded") by a bright pulse, after which Eve can force the detector to click at the time of her choosing by sending a precisely-timed trigger pulse. Fix: measurement-device-independent QKD (MDI-QKD) removes detector trust entirely — Alice and Bob both send photons to an untrusted third party (Eve, in the worst case) who performs a Bell measurement and announces the outcome; the announcement is correlated with Alice and Bob's inputs in a way that lets them extract a key.
- Trojan-horse attacks. Eve shines a laser into Alice's or Bob's device and analyses the reflected light to learn basis settings. Fix: optical isolators and spectral filters on all device inputs.
- Time-shift attacks. Detector response depends weakly on arrival time; Eve shifts her photons in time to bias which detector fires. Fix: detector characterisation, MDI-QKD.
Decoy-state BB84 — closing the PNS loophole
Decoy-state BB84 (Hwang 2003; Lo-Ma-Chen 2005; Wang 2005) interleaves signal pulses of intensity \mu with decoy pulses of intensity \nu_1 < \mu and \nu_2 \ll \nu_1. Alice and Bob publicly reveal which pulses were signal vs decoy after transmission. They estimate the channel's single-photon transmission rate directly from the decoy statistics; any PNS attack alters the yield-vs-intensity curve in a detectable way. With decoy states, BB84 tolerates the realistic weak-coherent-pulse source while preserving security against PNS. Virtually every production QKD system today (ID Quantique, Toshiba, Micius, ISRO) uses decoy-state BB84.
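How the decoy statistics expose a channel that suppresses single-photon pulses, as an added example that is not part of the original chapter. It uses the intensities quoted later for the satellite link (\mu = 0.5, \nu_1 = 0.1, vacuum as the second decoy) and the standard vacuum-plus-weak-decoy lower bound on the single-photon yield; the transmittance of 0.01, the zero dark-count rate, and both yield models are constructed assumptions.

```python
import math


def poisson(n, mu):
    """Probability that a weak coherent pulse of mean mu holds n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def gain(mu, yield_n, n_max=40):
    """Q_mu = sum_n P(n | mu) * Y_n: Bob's detection probability per pulse."""
    return sum(poisson(n, mu) * yield_n(n) for n in range(n_max + 1))


def honest_yield(eta):
    """Plain lossy channel, no dark counts: each photon arrives with prob eta."""
    return lambda n: 1.0 - (1.0 - eta) ** n


def pns_yield(eta, mu):
    """Constructed model of the behaviour decoys are meant to catch:
    single-photon pulses never arrive, multi-photon pulses arrive with a
    probability t tuned so the signal gain equals the honest channel's."""
    target = gain(mu, honest_yield(eta))
    multi = 1.0 - poisson(0, mu) - poisson(1, mu)
    t = target / multi
    return lambda n: t if n >= 2 else 0.0


def y1_lower_bound(q_mu, q_nu, mu, nu, y0=0.0):
    """Lower bound on the single-photon yield Y_1 from two measured gains.
    Follows from Q*e^intensity = sum_n Y_n * intensity^n / n! and
    nu^n <= nu^2 * mu^(n-2) for n >= 2 when nu < mu. y0 is the vacuum yield."""
    bound = mu / (mu * nu - nu ** 2) * (
        q_nu * math.exp(nu)
        - q_mu * math.exp(mu) * nu ** 2 / mu ** 2
        - (mu ** 2 - nu ** 2) / mu ** 2 * y0
    )
    return max(0.0, bound)


def check_channel(yield_n, mu=0.5, nu=0.1):
    """What Alice and Bob would compute from their signal and decoy counts."""
    q_mu, q_nu = gain(mu, yield_n), gain(nu, yield_n)
    return {"Q_mu": q_mu, "Q_nu": q_nu,
            "Y1_min": y1_lower_bound(q_mu, q_nu, mu, nu)}


if __name__ == "__main__":
    eta = 0.01  # constructed transmittance (20 dB loss)
    for name, model in (("honest", honest_yield(eta)),
                        ("single photons blocked", pns_yield(eta, 0.5))):
        r = check_channel(model)
        print(f"{name:>22}: Q_mu={r['Q_mu']:.6f} Q_nu={r['Q_nu']:.6f} "
              f"Y1_min={r['Y1_min']:.6f}")
```

Both channels show the same signal gain, but the decoy gain drops and the bound on the single-photon yield falls to zero once single-photon pulses are suppressed, so no key can be certified from that run.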
Measurement-device-independent QKD
MDI-QKD (Lo-Curty-Qi 2012) goes further: both Alice and Bob are senders, and an untrusted Eve is the measurement party. Alice and Bob each prepare BB84 states and send them to a central Bell-state analyser. The analyser projects the incoming pair onto one of the four Bell states and announces the outcome. The Bell-measurement outcome, combined with Alice's and Bob's preparations, reveals a correlated bit that can be sifted and post-processed as in BB84. Crucially, the analyser does not need to be trusted: a dishonest analyser can only cause abort (high QBER), not leak the key. MDI-QKD removes all detector-side-channel attacks at the cost of \sim 3\times higher loss and a star-network topology.
The Indian satellite-QKD demonstration, in detail
The ISRO SAC-PRL demonstration (2022) used a decoy-state BB84 protocol at 850 nm over a LEO downlink. The ground stations at Bengaluru (ISRO SAC) and Mount Abu (PRL) are separated by \sim 300 km. Key parameters reported:
- Pulse rate: \sim 100 MHz at the satellite.
- Mean photon number per signal pulse: \mu = 0.5; decoys at \nu_1 = 0.1, \nu_2 \approx 0 (vacuum).
- Achieved QBER: < 6\% on clear-sky passes, well under the 11% threshold.
- Sifted key rate: \sim 1-10 kbit/s after sifting and reconciliation, depending on pass geometry.
- Final key rate: \sim 100 bit/s to 1 kbit/s after privacy amplification.
The demonstration ran jointly with the Raman Research Institute (RRI) in Bangalore, which developed the quantum source and receiver hardware; the satellite tracking and optical links used ISRO's existing SAC infrastructure. The follow-on QuEST-SAT programme targets a dedicated QKD satellite with polarisation-entanglement sources, enabling E91-style protocols (chapter 153) alongside BB84.
Where this leads next
- E91 Protocol — the entanglement-based alternative to BB84, with a CHSH test replacing the QBER check.
- B92 and Other Variants — a stripped-down BB84 using only two non-orthogonal states, and the broader family of prepare-and-measure QKD protocols.
- Quantum Money (Wiesner) — the 1970 idea that inspired BB84, using no-cloning to make unforgeable banknotes.
- Decoy-State QKD — how decoy-state BB84 closes the photon-number-splitting loophole in real hardware.
- The Quantum Threat Model — why post-quantum cryptography and QKD together form the future of key distribution.
References
[1] Charles H. Bennett and Gilles Brassard, Quantum cryptography: Public key distribution and coin tossing (1984) — original paper, reprinted as arXiv:2003.06557.
[2] Peter Shor and John Preskill, Simple proof of security of the BB84 quantum key distribution protocol (2000) — arXiv:quant-ph/0003004.
[3] Daniel Gottesman and Hoi-Kwong Lo, Proof of security of quantum key distribution with two-way classical communications (2003) — arXiv:quant-ph/0105121.
[4] Wikipedia, BB84.
[5] Sheng-Kai Liao et al., Satellite-to-ground quantum key distribution (Micius, 2017) — Nature 549, 43 / arXiv:1707.00542.
[6] John Preskill, Lecture Notes on Quantum Computation, Chapter 8 — theory.caltech.edu/~preskill/ph229.