Computational Monogamy of Entanglement and Non-Interactive Quantum Key Distribution


Quantum key distribution (QKD) enables Alice and Bob to exchange a secret key over a public, untrusted quantum channel. Compared to classical key exchange, QKD achieves everlasting security: after the protocol execution the key is secure against adversaries that can do unbounded computations. On the flip side, while classical key exchange can be achieved non-interactively (with two simultaneous messages between Alice and Bob), no non-interactive protocol is known that provides everlasting security, even using quantum information. In this work, we make progress on this problem. Our main technical contribution is a computational variant of the celebrated monogamy of entanglement game, where the secret is only computationally hidden from the players, rather than information-theoretically. In these settings, we prove a negligible bound on the maximal winning probability over all strategies. As a direct application, we obtain a non-interactive (simultaneous message) QKD protocol from any post-quantum classical non-interactive key exchange, which satisfies everlasting security assuming Alice and Bob agree on the same key. The protocol only uses EPR pairs and standard and Hadamard basis measurements, making it suitable for near-term quantum hardware. We also propose how to convert this protocol into a two-round protocol that satisfies the standard notion of everlasting security. Finally, we prove a no-go theorem which establishes that (in contrast to the case of ordinary multi-round QKD) entanglement is necessary for non-interactive QKD, i.e., the messages sent by Alice and Bob cannot both be unentangled with their respective quantum memories if the protocol is to be everlastingly secure.


💡 Research Summary

Quantum key distribution (QKD) offers everlasting security: after the protocol finishes, even an adversary with unlimited computational power cannot learn the secret key. Classical key exchange can be performed non-interactively (a single round of simultaneous messages), but no non-interactive QKD protocol with everlasting security has been known. This paper makes a breakthrough by showing how to achieve non-interactive (simultaneous-message) QKD under a realistic security model where the adversary is computationally bounded during the protocol execution but becomes unbounded afterwards.

The core technical contribution is a “computational monogamy of entanglement” game. In the classic monogamy‑of‑entanglement game, a random basis string θ is information‑theoretically hidden from the players; here θ is only hidden from efficient algorithms (i.e., computationally hidden). The game proceeds as follows: a public parameter p and a hidden basis θ are sampled from a distribution Z; Alice, Bob and a third player Charlie jointly prepare an efficiently‑generable quantum state on registers A, B, C using p. Alice measures A in the θ‑basis, revealing θ afterwards; Bob measures B honestly in the same basis; Charlie may apply any (possibly unbounded) measurement on C. The players win if all three outcomes coincide. The authors prove that, assuming the distributions (p,θ) and (p,θ*) (with θ* uniform) are computationally indistinguishable, the winning probability is negligible (≈2^{‑Ω(√n)} for n qubits). The proof splits the joint state into √n‑size blocks, shows that if a block contains at least one EPR pair then Charlie’s success probability drops exponentially, and finally argues that any deviation from the uniform case would break the computational indistinguishability of (p,θ) and (p,θ*).

Using this game, the paper constructs a non‑interactive QKD protocol from any post‑quantum classical non‑interactive key exchange (NIKE), such as those based on Learning‑with‑Errors or isogeny problems. The protocol works as follows:

  1. Alice and Bob run the NIKE to obtain a shared secret p and corresponding public keys.
  2. Alice prepares n EPR pairs |00⟩+|11⟩ and sends the second qubit of each pair to Bob, together with her public key. Bob sends his public key to Alice (only classical).
  3. Both parties derive a shared basis string θ∈{0,1}ⁿ from the NIKE secret.
  4. Alice measures her halves of the EPR pairs in the θ‑basis (standard basis if θ_i=0, Hadamard if θ_i=1) obtaining K_A; Bob does the same on his halves obtaining K_B.

If the NIKE is correct, Alice and Bob obtain the same θ, thus their measurement outcomes are identical and they share the same raw key. Security follows from the computational monogamy theorem: an efficient adversary who intercepts the quantum messages can be modeled as Charlie in the game; because θ is only computationally hidden, the theorem guarantees that Charlie’s chance of guessing the joint outcome (and therefore the key) is negligible, even after he becomes computationally unbounded. Consequently, the protocol achieves “weak everlasting security”: conditioned on Alice and Bob agreeing on a key, any adversary’s success probability is negligible.
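
The four steps above, simulated classically as an added example (not code from the paper): it shows the correctness argument only, namely that measuring both halves of an EPR pair in the same θ-basis gives identical bits, while mismatched bases give uncorrelated bits. Assumptions: the toy Diffie-Hellman stands in for a post-quantum NIKE (it is not one), the SHAKE-256 derivation of θ is one possible choice, and all function names are hypothetical.

```python
import hashlib, math, random, secrets

# Stand-in NIKE (assumption): toy finite-field Diffie-Hellman. It is NOT
# post-quantum; the protocol needs a post-quantum NIKE in its place.
P, G = 2**127 - 1, 3  # toy parameters, constructed for this example

def nike_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)  # (secret key, public key)

def nike_shared(sk, peer_pk):
    return pow(peer_pk, sk, P).to_bytes(16, "big")

def derive_theta(secret, n):
    """Expand the NIKE secret into n basis bits (SHAKE-256 is an assumption)."""
    stream = hashlib.shake_256(b"theta" + secret).digest((n + 7) // 8)
    return [(stream[i // 8] >> (i % 8)) & 1 for i in range(n)]

S = 1 / math.sqrt(2)

def measure_epr(theta_a, theta_b, rng):
    """Measure both halves of (|00>+|11>)/sqrt(2); 0 = standard, 1 = Hadamard."""
    a = [S, 0.0, 0.0, S]  # amplitudes of |00>,|01>,|10>,|11>, Alice's bit first
    if theta_a:  # rotate Alice's qubit with a Hadamard before reading it out
        a = [S*(a[0]+a[2]), S*(a[1]+a[3]), S*(a[0]-a[2]), S*(a[1]-a[3])]
    if theta_b:  # same for Bob's qubit
        a = [S*(a[0]+a[1]), S*(a[0]-a[1]), S*(a[2]+a[3]), S*(a[2]-a[3])]
    outcome = rng.choices(range(4), weights=[x * x for x in a])[0]
    return outcome >> 1, outcome & 1  # (Alice's bit, Bob's bit)

def raw_keys(theta_a, theta_b, rng):
    pairs = [measure_epr(ta, tb, rng) for ta, tb in zip(theta_a, theta_b)]
    return [x for x, _ in pairs], [y for _, y in pairs]

def run_protocol(n, seed=None):
    """One simultaneous-message run: exchange public keys, derive theta, measure."""
    rng = random.Random(seed)  # models measurement randomness only
    sk_a, pk_a = nike_keygen()
    sk_b, pk_b = nike_keygen()
    theta_a = derive_theta(nike_shared(sk_a, pk_b), n)
    theta_b = derive_theta(nike_shared(sk_b, pk_a), n)
    return theta_a, raw_keys(theta_a, theta_b, rng)

def agreement(k1, k2):
    return sum(x == y for x, y in zip(k1, k2)) / len(k1)

if __name__ == "__main__":
    theta, (k_a, k_b) = run_protocol(64)
    print("K_A == K_B:", k_a == k_b)
```

The simulation says nothing about security; that rests on the computational monogamy theorem, which a classical sampler like this cannot exercise.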

To upgrade to the standard notion of everlasting security (indistinguishability from random even when Alice and Bob’s keys differ), the authors propose a two‑round extension. After the first round they exchange hashes of their raw keys; a mismatch aborts the protocol with overwhelming probability. If the hashes match, they apply a quantum‑proof randomness extractor seeded by the XOR of two independent seeds (one from each party) to obtain a final key that is statistically close to uniform. This yields a fully everlasting‑secure QKD protocol with only four messages total (two simultaneous‑message rounds) and still only requires EPR pairs and simple basis measurements.

Finally, the paper proves a no‑go theorem: entanglement is necessary for any non‑interactive QKD that aspires to everlasting security. If the protocol’s quantum messages are unentangled with the parties’ private quantum memories, the honest measurements are non‑destructive, meaning an eavesdropper can simulate both parties’ behavior, collect all possible keys, and later, after the protocol ends, compute the exact key with constant probability. Hence, without shared entanglement, an adversary can always break everlasting security.

In summary, the paper delivers four major contributions:

  1. Definition and analysis of a computational monogamy‑of‑entanglement game with a negligible winning probability.
  2. Construction of a non‑interactive QKD protocol from any post‑quantum NIKE, achieving weak everlasting security.
  3. A two‑round refinement that attains full everlasting security while still using only EPR pairs and simple measurements.
  4. An impossibility result showing that entanglement is indispensable for non‑interactive everlasting‑secure QKD.

The protocol’s reliance on only EPR pairs and standard/Hadamard measurements makes it experimentally attractive for near‑term quantum devices, and its modularity (plug‑in any post‑quantum NIKE) broadens its applicability. This work closes a long‑standing gap between classical non‑interactive key exchange and quantum key distribution, opening a path toward practical, non‑interactive, everlasting‑secure quantum cryptography.

