Device-independent quantum key distribution from computational assumptions

In device-independent quantum key distribution (DIQKD), an adversary prepares a device consisting of two components, distributed to Alice and Bob, who use the device to generate a secure key. The security of existing DIQKD schemes holds under the assumption that the two components of the device cannot communicate with one another during the protocol execution. This is called the no-communication assumption in DIQKD. Here, we show how to replace this assumption, which can be hard to enforce in practice, by a standard computational assumption from post-quantum cryptography: we give a protocol that produces secure keys even when the components of an adversarial device can exchange arbitrary quantum communication, assuming the device is computationally bounded. Importantly, the computational assumption only needs to hold during the protocol execution -- the keys generated at the end of the protocol are information-theoretically secure as in standard DIQKD protocols.


I. INTRODUCTION
The security of classical public-key cryptography is based on the assumption that an adversary cannot solve a specific computational problem, e.g. a lattice problem [1]. A message encrypted with classical public-key cryptography only remains secret as long as this computational assumption holds. If a faster algorithm or more powerful hardware allows the adversary to break the computational assumption in the future, all past communication is at risk. In contrast, quantum key distribution (QKD) protocols generate keys that are information-theoretically secure, i.e., secure even against an all-powerful adversary, and are not compromised by advances in algorithms or hardware. The security of QKD protocols is based on certain assumptions (which depend on the specific protocol being considered) that need to hold during the execution of the protocol; violating the assumptions afterwards does not compromise the security of the key. This is known as everlasting security [2].
Early QKD protocols, such as the BB84 protocol [3], relied on the assumption that the quantum device used to generate the key is implemented as intended. Any deviation from the implementation analysed in the security proof can potentially lead to a security breach [4][5][6][7]. Device-independent QKD (DIQKD) protocols [8,9] address this problem: instead of making assumptions about the inner workings of the device, the device is tested as part of the protocol, as explained below. This form of security is considered the "gold standard" of quantum cryptography [10]. In particular, it allows for security statements that hold even when the manufacturer of the quantum device is incompetent or malicious. The standard setting for DIQKD is shown in Fig. 1a. Alice and Bob each hold a component of a device prepared by a potentially malicious party called Eve. Alice's and Bob's components of the device and the adversary Eve share some quantum state, and Alice's and Bob's components perform some quantum measurement on their respective part of the state. The shared quantum state and the measurements used by the components of the device are unknown to Alice and Bob. Hence, the device is said to be uncharacterised. Alice and Bob can only observe the classical input-output correlations of their device: they supply classical inputs to the device (e.g., by pressing keys on a keyboard connected to the device) and receive classical outputs (e.g., by reading information displayed on its screen).
The security proofs of DIQKD protocols rely on the fact that a violation of a Bell inequality [11,12] can only be achieved by measuring an entangled quantum state. Hence, if Alice and Bob observe that the classical input-output correlations of the device violate a Bell inequality, they can conclude, under certain conditions, that the two components must have been entangled. This can then be used to certify the randomness, or entropy, of the output bits produced by measuring the entangled state. This certified entropy, in turn, acts as the basis for proving the security of the protocol [13][14][15][16].
For a security proof based on Bell inequalities to be valid, certain conditions must hold (or be assumed to hold). A potential violation of one of these conditions is called a loophole. An open loophole translates directly to a security breach in any DI cryptographic protocol [17]. A fundamental and experimentally challenging loophole is the so-called communication loophole: even a classical device can violate a Bell inequality when Alice's and Bob's components can communicate. Therefore, to conclude that the correlations produced by the device must have arisen from measuring an entangled state, we must assume that the two components of the device cannot communicate during one round of the protocol.

Fig. 1 (caption; the opening of panel (a) is not reproduced). (a) Standard DIQKD setting. The device may use pre-shared entanglement between its two components and can also be entangled with Eve (curly lines in the figure). The components cannot signal to each other or to Eve during the protocol execution. Alice and Bob interact classically with the device and communicate classically over a public authenticated channel (straight lines labelled c.c. in the figure). (b) Computational DIQKD setting. The setting differs from the one in (a) in two respects: (i) the two components are connected by a quantum channel (labelled q.c. in the figure); the channel is part of the device prepared by Eve but, like the rest of the device, cannot be accessed by Eve after she hands the device to Alice and Bob. (ii) It is assumed that the device is computationally bounded (denoted by gears in the figure) and cannot break post-quantum cryptographic problems during the execution of the protocol, while Eve remains computationally unbounded as in (a).
There are two ways to experimentally enforce noncommunication between the two components of the device. The first is to make sure that the interaction with the device takes less time than a light signal needs to travel from one component to the other. Since special relativity forbids any signal to travel faster than light, this closes the communication loophole. With technological limitations on the speed of, e.g., the production of entanglement or the usage of a random number generator in experiments, this approach requires a separation between Alice's and Bob's components on the order of kilometres, leading to additional experimental difficulties and constraints on where the protocol can be used (see, e.g., [18]).
A different approach is to physically shield the components of the device so that they cannot communicate with each other. Without any communication at any point in the protocol, all the entangled particles required for a device to succeed in the protocol (at the very least ∼10^7 pairs) would need to be distributed prior to the execution of the protocol and stored in Alice's and Bob's components. Given the difficulties associated with storing quantum states, this is usually impractical. Therefore, in typical implementations of QKD, the two components of the device are connected by a quantum channel, so that entanglement can be distributed "on the fly": one component creates an EPR pair and sends one qubit of the pair to the other component. This makes shielding the components more difficult and the protocol execution potentially time-consuming, as one has to be able to "unshield" the components between rounds of the protocol to allow for entanglement distribution before "re-shielding" them for the next round of the protocol.
Given the difficulty of perfectly shielding components of a device from one another, recent works have aimed at formulating Bell inequalities that tolerate some limited amount of communication between the two components of the device [19][20][21]. For a key distribution scheme based on such a Bell inequality to be secure, one needs to assume an a priori bound on the amount of communication; this bound cannot be verified during the protocol. Hence, these works allow a weakening of the no-communication assumption, replacing the requirement of no communication by a requirement of limited communication. Gaining confidence as to whether the weakened no-communication assumption, i.e., the bound on the amount of communication, holds must be done in a device-dependent way and under various other assumptions.
In this work, we are interested in whether the no-communication assumption is a necessary one for DIQKD, or whether DIQKD can also be based on the "quantumness" of the devices alone. To study DIQKD without the no-communication assumption, we consider the setting in Fig. 1b. In this setting, the two components of the (untrusted) device are connected by a quantum channel, modelling the channel used for on-the-fly entanglement distribution. It is necessary to assume that Eve cannot access information sent via this channel, as otherwise this could be used by the device to signal to Eve. We will additionally require that a protocol for the setting of Fig. 1b has an honest implementation that can also be executed in the setting of Fig. 1a, i.e., the honest implementation only requires pre-shared EPR pairs and local operations. In other words, we include attacks that use the additional channel in our soundness analysis, while restricting to protocols that do not use it in our completeness proof. We discuss these assumptions and requirements further in Section IV.
Our main result is a DIQKD protocol (Protocol 3 described below) to generate information-theoretically secure keys in the setting of Fig. 1b, assuming that the device in the protocol is computationally bounded: we assume that the device cannot solve the Learning with Errors (LWE) problem (footnote 2), a standard computational assumption in post-quantum cryptography [1,22]. More specifically, we assume that the device is computationally bounded and that the probability of any computationally bounded device to solve the LWE problem is negligible in the security parameter λ (footnote 3). This is called the LWE assumption.
Crucially, unlike in classical public-key cryptography, this computational assumption can be leveraged to generate an information-theoretically secure key: our DIQKD protocol (Protocol 3 below) achieves the same everlasting security as existing DIQKD protocols. The security of our protocol relies on the fact that, much like the no-communication assumption and Bell inequalities in typical DIQKD protocols, the computational assumption in our setting gives Alice and Bob a way to test the device and certify that it uses entangled quantum states.
When studying QKD protocols, the main quantity of interest is the key rate of the protocol, namely, the length of the produced key divided by the number of rounds of the protocol. For simplicity, we consider the asymptotic key rate, which we denote by K, that describes the idealised case where one executes infinitely many rounds of the protocol and the device used in the protocol behaves independently and identically in each round (called the IID assumption). The extension of our result to the setting of finitely many and possibly correlated repetitions of the protocol is briefly discussed in Section IV.
Our main theorem sets a lower bound on the key rate of our DIQKD protocol. It involves two security parameters, ε and λ. Roughly speaking, ε is the maximum probability with which a device is allowed to fail in one round of the DIQKD protocol (e.g. due to noise). The higher the allowed value of ε, the lower the key rate of the protocol will be. The parameter λ is a security parameter for the LWE problem. The LWE assumption ensures that one can make the probability that the computationally bounded device solves the LWE problem during the protocol execution arbitrarily small, while still allowing an honest computationally bounded device to succeed in the protocol with probability close to 1.
Footnote 2: Roughly speaking, the LWE problem corresponds to solving a noisy linear equation: given a matrix A and a vector b such that Ax + e = b, where e is a sufficiently short noise vector so that the solution x is unique, one needs to find x. For e = 0, this is easily solved by Gaussian elimination, but for a suitably sampled non-zero e, no efficient classical or quantum algorithm is known.
Footnote 3: A negligible function is one that decays faster than any inverse polynomial. A security parameter quantifies how hard an instance of a cryptographic problem is. As a simple example, consider factoring: here, the security parameter could be the number of bits of the composite number that needs to be factored.

Theorem 1. Consider the setting of Fig. 1b and make the LWE assumption. Suppose Alice and Bob execute the key distribution protocol, Protocol 3, with threshold ε and security parameter λ. Assume the device behaves independently and identically in each round of the protocol. If the device leads the protocol to abort with probability approaching 0 as the number of rounds n → ∞, then the key rate K is at least
K ≥ 1/128 − O(ε^c log ε) − negl(λ)
for a small constant c.
In the theorem, the notation O(ε^c log ε) means that there exists a constant C such that this term is bounded from above in absolute value by C |ε^c log ε| for sufficiently small ε. The term negl(λ) denotes a negligible function in λ, i.e., a function that decays faster than any inverse polynomial in λ.
Some remarks are in order. Firstly, our DIQKD protocol (Protocol 3) allows an honest device to succeed with probability negligibly (in λ) close to 1 using only EPR pairs, pre-shared or distributed on the fly, and local quantum operations. Hence, for an honest device with pre-shared entanglement, the quantum channel between the two components of the device shown in Fig. 1b is not necessary, but a dishonest device may use it.
Secondly, the constant 1/128 is a consequence of fixing certain parameters in the protocol for simplicity. For practical implementations, these parameters could be optimized.
Thirdly, as mentioned before, while Theorem 1 makes use of a computational assumption, encrypting a message with the resulting key differs fundamentally from classical public-key encryption. The latter type of encrypted message can be intercepted and stored, with the purpose of decrypting it years later, once it becomes technologically feasible to break the computational assumption. In contrast, the key rate K in Theorem 1 refers to an information-theoretically secure key: unless the key generation device has enough computational power to break the computational assumption during the execution of the protocol, the encrypted message is guaranteed to be information-theoretically secure. For a practical implementation, this means that unlike instances of computational problems in classical cryptography, which must be chosen large enough so that they cannot be solved for years to come, our protocol only requires comparatively small instances that are just large enough so that the device cannot solve them in the short time it takes to execute the protocol.
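Footnote 2 in this section describes LWE as a noisy linear system that Gaussian elimination solves only when the noise vanishes. The following toy example is added here to make that contrast concrete; it is not code from the paper. It works over a constructed instance with modulus Q = 97, n = 8 unknowns, m = 16 equations and ±1 noise, all of which are assumptions chosen for readability and far below any parameter set that gives the problem cryptographic hardness.

```python
import random

Q = 97  # toy prime modulus (an assumption for illustration, far too small for real LWE)


def lwe_instance(n, m, seed, noisy):
    """Constructed toy instance: uniform A (m x n) and secret s over Z_Q,
    noise e with entries in {-1, +1} (all zero when noisy=False), b = A s + e mod Q."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(Q) for _ in range(n)]
    e = [rng.choice((-1, 1)) if noisy else 0 for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return A, b, s


def gaussian_elimination(A, b):
    """Row-reduce the augmented matrix [A | b] over Z_Q.
    Returns the unique x with A x = b mod Q if the system is consistent and A has
    full column rank; returns None if it is rank-deficient or inconsistent."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    r = 0                                   # next pivot row
    for col in range(n):
        piv = next((i for i in range(r, m) if M[i][col]), None)
        if piv is None:
            return None                     # no pivot in this column: rank-deficient
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, Q)         # modular inverse, Q is prime
        M[r] = [(v * inv) % Q for v in M[r]]
        for i in range(m):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vr) % Q for vi, vr in zip(M[i], M[r])]
        r += 1
    # A leftover row [0 ... 0 | c] with c != 0 means no x satisfies every equation:
    # this is exactly what a non-zero e does to the exact system.
    if any(M[i][n] for i in range(n, m)):
        return None
    return [M[i][n] for i in range(n)]


def recovers_secret(noisy, seed=2024, n=8, m=16):
    """Does plain linear algebra recover s from (A, b)?"""
    A, b, s = lwe_instance(n, m, seed, noisy)
    return gaussian_elimination(A, b) == s


if __name__ == "__main__":
    print("noise-free: recovered =", recovers_secret(noisy=False))
    print("noisy:      recovered =", recovers_secret(noisy=True))
```

The noisy branch fails not because elimination is slow but because the noisy equations have no exact solution in Z_Q, and no efficient way to strip e is known; that hardness, as a function of the instance size, is what the security parameter λ and the negl(λ) term in Theorem 1 refer to.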

II. COMPUTATIONAL SELF-TESTING
We briefly review a recent protocol for self-testing [23], a fundamental primitive in device-independent quantum information processing, of a single quantum device under computational assumptions. This will form the basis for our DIQKD protocol in Section III. Self-testing [24][25][26][27][28][29] is a method in device-independent quantum information processing that certifies, only from classical input-output statistics of a quantum device, that a certain state and measurements must have been used to generate the device's output. The setting for self-testing is the standard one for Bell experiments, pictured in Fig. 2a. Alice and Bob each receive a component of a quantum device. The two components may be entangled, but cannot communicate with each other. Alice and Bob play a "game" with their device: they send (classical) questions to the device, and the device returns (classical) answers. We say that the device has won the game if it answers correctly according to some pre-defined winning condition.
Let us denote the maximal winning probability for a quantum device by ω*. A typical self-testing statement is as follows: Assume the two components of the device cannot communicate and the device wins with probability close to ω*. Then, up to local changes of basis in each component of the device and a small difference in trace distance, the device must have used a specific bipartite quantum state |φ_ref⟩_AB, and specific measurements M_A for Alice's component and N_B for Bob's component. For example, in the CHSH game, the reference state |φ_ref⟩_AB is an EPR pair, the measurements M_A on Alice's side are computational or Hadamard basis measurements (depending on Alice's question), and the measurements N_B on Bob's side are similar (but rotated).
As explained earlier, the non-communication assumption is difficult to enforce in some experimental settings. Motivated by this difficulty, a self-testing protocol that replaces the non-communication assumption by the assumption that the device is computationally bounded was introduced in [23], building on techniques from [31][32][33]. This setting, shown in Fig. 2b, inspired our QKD setting in Fig. 1b. The protocol from [23] is described as Protocol 1 below.
Note that this setting allows arbitrary quantum communication between the two components of the device, thereby opening the possibility for the device to perform any non-local (with respect to the two components) gate. This setting is thus mathematically equivalent to the setting of a single device without any spatially separated components or other internal structure. The protocol in [23], which we build on, is presented in this "single-device" setting.
Before describing the protocol from [23] in more detail, let us connect its result to standard self-testing statements of the form above. The protocol from [23] has multiple rounds of interaction between Alice, Bob, and the device. For the purpose of self-testing, we are interested in the last round of interaction: here, Alice and Bob send an input, a question, (x, y) to the device and receive an output, an answer, (a, b). We can model the behaviour of the device in this last round by a quantum state σ and measurements {P^{(a,b)}_{x,y}}_{a,b}, meaning that when the device receives questions (x, y), it measures {P^{(a,b)}_{x,y}}_{a,b} on σ to obtain answers (a, b). The goal of Protocol 1 is to ensure that the device's state σ is a Bell state (i.e., the reference state φ_ref for the protocol is a Bell state), and that the device's measurements P^{(a,b)}_{x,y} are single-qubit measurements in the computational or Hadamard basis on the two halves of that Bell state, up to a change of basis and a small error.
We now describe the self-testing protocol from [23]. The protocol makes use of a key and a trapdoor. The key should be thought of as a piece of public information that specifies a particular instance of a cryptographic problem. The trapdoor is a piece of private information with which the cryptographic problem can be solved efficiently. Alice and Bob use such private trapdoors to be able to efficiently evaluate whether the device, which has no access to the trapdoor and is assumed to be unable to solve the cryptographic problem, has succeeded in the protocol or not. We also describe the behaviour of an honest device, i.e., a device that behaves in the way Alice and Bob would like it to, omitting some details for the sake of brevity. A more detailed description of the honest strategy for a modified version of this protocol, Protocol 2 below, can be found in Appendix A.
Protocol 1 (Self-testing protocol from [23]).
[...] respectively, and send them to the device.
b6. Alice and Bob receive answer bits a and b, respectively, from the device.
Honest behaviour: The remaining state has two qubits. Apply a controlled-Z operation between them, followed by a Hadamard gate on the second qubit. Measure the first qubit in basis x and the second in basis y, obtaining outcomes a, b ∈ {0, 1}, respectively. Send answer a to Alice and b to Bob.
In analogy to self-testing, we need to define what it means for the device to win the game. This is done by specifying a number of checks that Alice and Bob apply to the device's answers. These checks are described in Appendix A and [23]. Here, we only remark that the computationally efficient evaluation of these checks requires the trapdoors t_A and t_B, which are known to Alice and Bob, but not the device.
To state the self-testing guarantee from [23], we need a bit of notation. The reference states (i.e., the states that the device is meant to prepare) in Protocol 1 are Bell states. We denote the four Bell states by |φ^{(s_A,s_B)}⟩ for bits s_A, s_B (Eq. (2)). The reference measurements are single-qubit measurements in the computational or Hadamard basis. We denote by {Q^a_x}_{a∈{0,1}} the single-qubit measurement in the basis x (e.g., for x = Hadamard, Q^0_x = |+⟩⟨+| and Q^1_x = |−⟩⟨−|). We are interested in the device's state and measurements in the last step of the protocol (Step b6) in the case where θ_A = θ_B = Hadamard. In this case, we denote the device's state by σ^{(s_A,s_B)}, where s_A and s_B are bits that label which of the four Bell states the device should have prepared. Alice can efficiently compute the bit s_A from k_A, t_A, c_A, d_A, and likewise Bob can compute s_B (see Eq. (A13) for details). In contrast, the device cannot efficiently compute s_A or s_B because it does not have access to the trapdoors t_A and t_B. Hence, Alice and Bob know which Bell state the device should have prepared, whereas the device itself does not.
For questions x, y ∈ {Computational, Hadamard}, we denote the 4-outcome measurement used by the device to obtain answers a, b ∈ {0, 1} by {P^{(a,b)}_{x,y}}_{a,b∈{0,1}}. Note that any device that returns a, b can always be described as performing a measurement on a state, so these definitions impose no additional assumptions on the device. With this, we can state the self-testing guarantee from [23] (in a simplified form).
Theorem 2 (Theorem 4.38 in [23], simplified). Consider a device that wins Protocol 1 with probability 1 − ε and make the LWE assumption. Let λ be the security parameter used in the protocol, s_A and s_B bits (labelling the desired Bell state, as explained above), H the device's physical Hilbert space, and H′ some ancillary Hilbert space. Then, there exists an isometry V : H → C^4 ⊗ H′ and some state ξ on H′ such that, in the case θ_A = θ_B = Hadamard, the following holds (with |φ^{(s_A,s_B)}⟩ and Q^a_x as defined in and below Eq. (2)):
V σ^{(s_A,s_B)} V† ≈_{O(ε^c)+negl(λ)} |φ^{(s_A,s_B)}⟩⟨φ^{(s_A,s_B)}| ⊗ ξ,
V P^{(a,b)}_{x,y} σ^{(s_A,s_B)} P^{(a,b)}_{x,y} V† ≈_{O(ε^c)+negl(λ)} (Q^a_x ⊗ Q^b_y) |φ^{(s_A,s_B)}⟩⟨φ^{(s_A,s_B)}| (Q^a_x ⊗ Q^b_y) ⊗ ξ   for all a, b, x, y.
Here, the notation ≈_{O(ε^c)+negl(λ)} means that the trace distance between the two states is O(ε^c) + negl(λ) for some small constant c arising in the proof.
Intuitively, Theorem 2 states that up to a change of basis (given by the isometry), any computationally bounded device that succeeds in the protocol must have performed single-qubit measurements on a Bell pair to obtain the results returned to the verifier.
We conclude this section with some intuition as to why Theorem 2 holds. Depending on Alice's and Bob's choices for the state bases and challenge type, we distinguish two types of rounds: we call rounds with θ A = θ B = Hadamard and challenge type b Bell rounds, and all other rounds product rounds.
Theorem 2 only makes a statement about the device in a Bell round. In a Bell round, the two qubits prepared by an honest device at the start of Step b6 are Hadamard basis states (see Appendix A for details). An honest device will apply a controlled-Z gate followed by a single-qubit Hadamard gate to these two qubits, creating a Bell state. The product rounds are used to check that the device behaves honestly. In a product round, at least one of the two qubits prepared by an honest device at the start of Step b6 is in a computational basis state. Thus, the two qubits will remain in a product state even after the controlled-Z operation. In a product round, the checks that the device needs to pass are independent for Alice's and Bob's components. Intuitively, this implies that to pass the checks, any device needs to treat Alice's and Bob's components separately, i.e., always keep a product state in its register. Further, one can show that the checks in a product round also ensure that the device has prepared the correct product state.
Recall from Step 1 that a computationally bounded device does not know the bases θ_A and θ_B, and therefore does not know whether it is in a Bell round or a product round. To succeed in a product round with high probability, the device needs to behave honestly and prepare the correct single-qubit states. Since the device cannot distinguish between the two round types, one can show that the device also needs to prepare the correct single-qubit states, i.e., Hadamard basis states, at the start of Step b6 in a Bell round. An additional check in Bell rounds ensures that the controlled-Z operation has been applied correctly on these states, creating a Bell pair. The full security proof can be found in [23].

A. Main ideas
We are now ready to describe our DIQKD protocol, Protocol 3 below. The main building block of our DIQKD protocol is the self-testing protocol, Protocol 1, introduced in the previous section. On a high level, the idea is the following: Alice and Bob each receive a component of the key generation device and execute n rounds (in sequence) of Protocol 1 (with some modifications, see Protocol 2 below), collecting the device's inputs and outputs for each round. Then, they use the observed input-output behaviour in a subset of the n rounds to calculate the proportion of rounds that satisfy the winning condition of Protocol 1. If they find that the device wins a sufficiently high proportion of these test rounds, they can use the device's output in the remaining rounds to generate a secure key. The security of this key is based on Theorem 2, which certifies the states and measurements used by the device. This certification replaces the usual Bell-based certification of the device.
Note that in contrast to the self-testing setting, in the DIQKD setting the state of the computationally bounded device may additionally be entangled with the computationally unbounded adversary Eve. However, because Eve can only act on her part of the state and not assist the device in breaking the computational assumption, we can still apply Theorem 2 to the reduced state of the device. Then, Theorem 2 asserts that, after applying an isometry, the device's state is a Bell state tensored with some additional state, and that the device's measurements only act on the Bell state. Hence, the additional state is irrelevant for the measurement outcomes. Because the device's Bell state is a pure state, it cannot be entangled with the state of the adversary, so the adversary's marginal does not reveal any information about the device's measurement outcomes. We will additionally need to ensure that the classical information exchanged by Alice and Bob during the parameter estimation phase of Protocol 3 does not leak any information to the adversary, which is covered in detail in the proof of Theorem 1.
As mentioned in Section I, we would like the honest device to be able to succeed using only EPR pairs and local operations. This requires a modification to Protocol 1 because the honest behaviour in Step b6 of Protocol 1 uses a non-local controlled-Z gate between Alice's and Bob's components of the device. We can remove the need for this non-local operation using gate teleportation with pre-shared EPR pairs [34]. For example, consider the following circuit (adapted from [35]) that only uses one EPR pair and local operations [circuit diagram not reproduced]: each component acts locally on its register and its half of the EPR pair and then measures that half, obtaining a bit h_A on Alice's side and a bit h_B on Bob's side. If the initial state on registers A and B is |ψ⟩_AB, the output state on the middle two registers is
(Z^{h_B} ⊗ Z^{h_A}) CZ |ψ⟩_AB,   (4)
where CZ is the controlled-Z gate. Hence, we have applied the desired controlled-Z operation to |ψ⟩_AB, followed by an additional "correction operator" Z^{h_B} ⊗ Z^{h_A}, in which the Z acting on Alice's register depends on the bit obtained on Bob's side and vice versa. An honest device for Protocol 1 still needs to undo this correction operator. In principle, the two components of the device could communicate the bits h_A and h_B to each other and apply local operations that cancel it. However, as explained above, we want an honest device to be able to succeed without communication between its components.
Instead of the honest device having to deal with the correction operators, we can modify the checks of Protocol 1. For this, note that the honest strategy in Protocol 1 measures the state in the computational or Hadamard basis immediately after applying the controlled-Z operation (up to applying a single-qubit Hadamard gate, which only relabels measurement bases and which we ignore here for simplicity). The correction operator only switches these measurement outcomes. Hence, the honest device can return the bits h A to Alice and h B to Bob in addition to the measurement outcomes a and b. Alice and Bob then use their authenticated classical communication to undo the effect that the correction operator had on the device's measurement outcomes. Furthermore, it turns out that if we are in the Bell case in Protocol 1, the state prepared by the honest device is an eigenstate of the correction operator, so in this case, Alice and Bob do not need to perform any correction on the device's reported outcomes (see Appendix A for details).
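The two paragraphs above make a concrete, checkable claim: gate teleportation of CZ over one EPR pair yields CZ|ψ⟩ up to a Z-type correction determined by the two measurement bits, and because the honest device measures right after the CZ, that correction can be undone on the classical outcomes by whoever knows the bits. The following statevector simulation is an added example (not code from the paper) that verifies both points. Since the circuit figure is not reproduced on this page, the circuit below is an assumption: Alice CNOTs her register into her EPR half and measures it (h_A), Bob applies CZ from his EPR half to his register and measures that half in the Hadamard basis (h_B); with this circuit the correction is Z_A^{h_B} ⊗ Z_B^{h_A}. The extra Hadamard on the second qubit of the honest strategy is ignored, as in the text.

```python
import math
import random

# Assumed qubit order: 0 = A, 1 = Alice's EPR half, 2 = Bob's EPR half, 3 = B
N = 4
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]

def bit(idx, q):
    return (idx >> (N - 1 - q)) & 1

def apply_1q(state, q, gate):
    """Apply a 2x2 gate to qubit q of an N-qubit statevector (list of amplitudes)."""
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        b = bit(idx, q)
        for nb in (0, 1):
            out[idx ^ ((b ^ nb) << (N - 1 - q))] += gate[nb][b] * amp
    return out

def apply_cnot(state, c, t):
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        out[idx ^ (bit(idx, c) << (N - 1 - t))] += amp
    return out

def apply_cz(state, a, b):
    return [-amp if bit(i, a) and bit(i, b) else amp for i, amp in enumerate(state)]

def postselect(state, q, outcome):
    """Project qubit q onto |outcome>; return (renormalised state, outcome probability)."""
    prob = sum(abs(amp) ** 2 for i, amp in enumerate(state) if bit(i, q) == outcome)
    return [amp / math.sqrt(prob) if bit(i, q) == outcome else 0j for i, amp in enumerate(state)], prob

def teleport_cz(psi, h_a, h_b):
    """Assumed local circuit: Alice CNOTs A into her EPR half and measures it (h_a); Bob applies
    CZ from his EPR half to B and measures that half in the Hadamard basis (h_b). Returns the
    2x2 amplitude table left on (A, B) after post-selecting (h_a, h_b), and that outcome's probability."""
    st = [0j] * (1 << N)
    for idx in range(1 << N):  # |psi>_AB tensor |Phi+> on the two EPR halves
        a, x, y, b = (bit(idx, q) for q in range(N))
        if x == y:
            st[idx] = psi[a][b] / math.sqrt(2)
    st = apply_cnot(st, 0, 1)
    st, p_a = postselect(st, 1, h_a)
    st = apply_cz(st, 2, 3)
    st = apply_1q(st, 2, H)
    st, p_b = postselect(st, 2, h_b)
    out = [[0j, 0j], [0j, 0j]]
    for idx, amp in enumerate(st):
        if amp:
            out[bit(idx, 0)][bit(idx, 3)] = amp
    return out, p_a * p_b

def corrected_cz(psi, h_a, h_b):
    """(Z_A^{h_b} (x) Z_B^{h_a}) CZ |psi>, i.e. CZ followed by the correction operator of Eq. (4)."""
    return [[(-1) ** (a * b + h_b * a + h_a * b) * psi[a][b] for b in (0, 1)] for a in (0, 1)]

def fidelity(u, v):
    """|<u|v>|^2 for 2x2 amplitude tables; insensitive to a global phase."""
    return abs(sum(u[a][b].conjugate() * v[a][b] for a in (0, 1) for b in (0, 1))) ** 2

def measure_probs(t, x, y):
    """Outcome distribution when A is measured in basis x and B in basis y ('Z' or 'X')."""
    if x == 'X':
        t = [[(t[0][b] + t[1][b]) / math.sqrt(2) for b in (0, 1)],
             [(t[0][b] - t[1][b]) / math.sqrt(2) for b in (0, 1)]]
    if y == 'X':
        t = [[(t[a][0] + t[a][1]) / math.sqrt(2), (t[a][0] - t[a][1]) / math.sqrt(2)] for a in (0, 1)]
    return {(a, b): abs(t[a][b]) ** 2 for a in (0, 1) for b in (0, 1)}

def undo_correction(a, b, h_a, h_b, x, y):
    """Classical fix applied by Alice and Bob: a Z before a Hadamard-basis measurement flips the
    bit, before a computational-basis one it does nothing. Alice needs Bob's h_b and Bob needs
    Alice's h_a, which is why these bits go over the authenticated classical channel."""
    return a ^ (h_b if x == 'X' else 0), b ^ (h_a if y == 'X' else 0)

def random_state(seed):
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(4)]
    norm = math.sqrt(sum(abs(z) ** 2 for z in amps))
    return [[amps[0] / norm, amps[1] / norm], [amps[2] / norm, amps[3] / norm]]

def check_teleportation(seed=1):
    """True iff, for every outcome pair, the circuit output matches Eq. (4) and the classical
    correction maps the measured statistics back onto those of an ideal CZ."""
    psi = random_state(seed)
    ideal = corrected_cz(psi, 0, 0)
    for h_a in (0, 1):
        for h_b in (0, 1):
            out, prob = teleport_cz(psi, h_a, h_b)
            if abs(prob - 0.25) > 1e-9 or abs(fidelity(out, corrected_cz(psi, h_a, h_b)) - 1) > 1e-9:
                return False
            for x in 'ZX':
                for y in 'ZX':
                    got, want = measure_probs(out, x, y), measure_probs(ideal, x, y)
                    if any(abs(p - want[undo_correction(a, b, h_a, h_b, x, y)]) > 1e-9
                           for (a, b), p in got.items()):
                        return False
    return True
```

Running `check_teleportation()` confirms the two facts the protocol modification relies on: every outcome pair (h_A, h_B) occurs with probability 1/4 independently of |ψ⟩, so the bits carry no information about the state, and once each party learns the other's bit the uncorrected outcomes are a deterministic relabelling of the ideal ones, which is exactly what the modified checks in Protocol 2 account for.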

B. Formal protocol description and security analysis
We now describe our QKD protocol in more detail. First, we give a modified version of Protocol 1 adapted to the use of gate teleportation by an honest device as described above (see also footnote 7).
Protocol 2 (Modified self-testing protocol). Alice and Bob execute the same steps as in Protocol 1, with the following modifications. In Step 3, challenge types ct_A and ct_B are sampled independently by Alice and Bob, respectively, and sent to the device; and in Step b6, Alice additionally receives a bit h_A and Bob a bit h_B. The remaining steps are as in Protocol 1, where now Alice acts according to ct_A and Bob according to ct_B: for example, if ct_A = a and ct_B = b, then Alice will receive a string z_A as in Step a4, and Bob will execute Steps b4-b6 (with the above modification, i.e. he will receive a bit h_B in Step b6).
Footnote 7: In addition, we also change how Alice and Bob sample the challenge type. In Protocol 1, they use shared randomness for this purpose. This would still work in the QKD setting (where they would use public classical communication to establish the shared randomness), but it slightly simplifies the security analysis to assume that they sample challenge types independently and then post-select on having sampled the same challenge type. The downside of this is a reduction of the key rate in Theorem 1 by a constant factor of 2.
Honest behaviour: In the case ct_A = ct_B, behave as in Protocol 1, but in Step b6, use a pre-shared EPR pair and gate teleportation to apply the controlled-Z operation as in Eq. (4) and additionally return the bits h_A, h_B from the gate teleportation to Alice and Bob, respectively. Note that in this strategy, the actions of Alice's and Bob's sides of the device are independent. Hence, we can extend the honest strategy to the case ct_A ≠ ct_B with each side individually acting according to the challenge type it has received.
Like Protocol 1, this protocol depends (implicitly) on a security parameter λ. Both the honest behaviour and the winning condition used by Alice and Bob are described in more detail in Appendix A. Note that if we adapt the checks from Protocol 1 accordingly, Theorem 2 still applies to Protocol 2, since any device that could cheat in Protocol 2 (where also h_A and h_B are returned) can easily be converted into a device that cheats in the original protocol.
Our key distribution protocol below executes n rounds of Protocol 2, then uses classical communication to estimate the proportion of rounds satisfying the winning condition, and extracts a secure key using standard classical post-processing steps, namely classical error correction and privacy amplification. Recall that the setting for this protocol is that of Fig. 1b, i.e., Alice and Bob each receive a component of a device prepared by the adversary, and the two components can be connected by a quantum channel.
3. For every i ∈ {1, . . . , n}, Alice chooses T_i, indicating a test round or generation round, as follows:
- if rt_i = Bell, choose T_i ∈ {Test, Generate} uniformly at random;
- else, set T_i = Test.
Alice publishes (T_1, . . . , T_n) (so Bob also has access to it).
Sifting:
4. Alice and Bob discard all rounds with rt_i = ⊥. Let n' be the number of remaining rounds (re-indexed as 1, . . . , n').
Parameter estimation:
5. For every j ∈ {1, . . . , n'} with T_j = Test, Bob publishes his entire inputs and outputs from round j (described in Step 1). Using Bob's published data, Alice uses Eq. (A7) to compute which bits a'_j, b'_j the honest device would have returned (for the given values of h_A, h_B). If a_j ≠ a'_j or b_j ≠ b'_j, she sets a variable W_j to fail.
6. Alice computes the fraction of (sifted) test rounds where W_j = fail. If this exceeds ε, the protocol aborts.
Key extraction:
7. For every j ∈ {1, . . . , n'} with T_j = Generate (which, by definition of T_j, is also a Bell round), Alice and Bob compute the bits s^j_A and s^j_B, respectively, using Eq. (A13). They publish their measurement bases x_j, y_j. If x_j = y_j = Computational, then Bob sets b̃_j = b_j ⊕ s^j_B (while Alice keeps her bit a_j unchanged). Otherwise, they set a_j = b̃_j = ⊥ (no key can be generated).
8. Alice and Bob apply one-way error correction and privacy amplification to their strings A = a_1 . . . a_{n'} and B̃ = b̃_1 . . . b̃_{n'} to generate their key.
An honest device will simply execute the honest behaviour for Protocol 2 identically and independently in each round (see Appendix A for details). As explained above, this only requires pre-shared EPR pairs and local operations.
Our goal is to prove Theorem 1: assuming that the device does not break the LWE assumption, we need to show that our protocol's key rate K is at least 1/128 − O(ε^c log ε) − negl(λ), where c is the same constant as in Theorem 2.
The outline of the proof is as follows: we first define the state ρ that contains Alice and Bob's classical information at the end of the protocol, as well as Eve's quantum side information. This state is the result of measurements that the device performed on its state. Because the self-testing protocol (Protocol 1) gives us control over both the device's state and measurements, we can apply Theorem 2 to show that the state ρ is close to some ideal state ρ̃, and that the device measured ρ̃ in the requested bases. This ideal state ρ̃ is essentially the final state of executing Protocol 3 with an honest device. We then show that the ideal state ρ̃ leads to a key rate of at least 1/128. For this, we need to show that the classical information publicly communicated between Alice and Bob in Protocol 3 does not reveal too much information about the secret key to Eve. Finally, writing the bound on the key rate of the ideal state ρ̃ in terms of conditional entropies, we can derive a lower bound on the key rate of the actual state ρ using the closeness of ρ̃ and ρ and a continuity bound on the conditional entropy from [36].
Proof of Theorem 1. The device used by Alice and Bob is prepared by the adversary Eve. Hence, if the initial state of the device is ψ_{AB}, Eve can hold a purifying system, so that the system as a whole is described by |ψ⟩_{ABE}. Consider the state at the end of Step 7: because we are making the IID assumption, this state is an n'-fold tensor product of a state ρ_{XYABTOE}. Each of the n' copies of ρ corresponds to one of the n' rounds of the protocol (after the sifting step) and contains the following registers:
- X, Y and A, B are classical random variables for Alice's and Bob's questions and answers, respectively.
- T is a classical random variable indicating a test round (T = Test) or a generation round (T = Generate).
- O is a classical random variable containing the remaining information that Alice and Bob publish in a round of the protocol. For test rounds, this comprises the entire interaction between Alice, Bob, and the device (i.e., the information listed in Step 1). For generation rounds, the state bases, challenge types, and measurement bases are published. Conditioning on T = Generate already fixes the state bases and challenge types. The questions x, y are stored in registers X and Y. Therefore, the register O is empty if T = Generate.
- E contains Eve's quantum side-information.
Note that Alice and Bob also hold additional private information in generation rounds (such as the bits s_A and s_B), but this information can be discarded and is not included in ρ_{XYABTOE}.
Protocol 3 applies one-way error correction and privacy amplification to the raw key in registers A and B of ρ_{XYABTOE}^{⊗n'}. Therefore, the key rate K_ρ achieved by our protocol in the limit n' → ∞ and under the IID assumption is lower-bounded by [37,38]: where H is the conditional von Neumann entropy. The additional factor of 1/2 arises because half the rounds are sifted out in Step 4.
We can split this expression according to the round type: where Pr[T = Test] = 1 − 1/16 and Pr[T = Generate] = 1/16 are the probabilities of choosing a test and a generation round, respectively (conditioned on the round not having been sifted out). In a test round, Alice and Bob publish their entire inputs and outputs (now stored in register O), including a and b. Hence, the conditional entropies for T = Test are both 0.
We now turn to the analysis of a generation round. We denote by s_A and s_B the bits computed by Alice and Bob in Step 7. For a single round of the data generation step (Step 1 of Protocol 3), let σ^{(s_A,s_B)}_{ABE} be the joint state of the device and Eve's side information right before the device performs the measurements P (corresponding to the state before Step b6 of Protocol 1, with the notation introduced for Theorem 2). Here, A is the (quantum) register of Alice's component of the device, B is the (quantum) register of Bob's component, and E contains Eve's quantum side information.
Using the same notation as for Protocol 1, the state of Alice's and Bob's question and answer registers as well as Eve's quantum side information after a single round of Step 1 in Protocol 3 is
Σ_{x,y,a,b} x,y A B ⊗ |x, y, a, b⟩⟨x, y, a, b|_{XYAB}.   (6)
The factor of 1/4 arises because Alice and Bob choose the questions x, y ∈ {Computational, Hadamard} uniformly at random. Note that because we allow arbitrary quantum communication between Alice's and Bob's components of the device, the device's measurements P^{(a,b)}_{x,y} on AB could be global measurements, not just product measurements (P^a_x)_A ⊗ (P^b_y)_B. Now observe that the checks applied by Alice and Bob in a test round are equivalent to the checks applied in the (modified) self-testing protocol, Protocol 2. Since we are considering the asymptotic IID case with n → ∞, if the protocol does not abort for threshold ε, this means that the winning condition from Protocol 2 must be satisfied with probability at least 1 − ε in test rounds. At the end of Step 1, it has not yet been decided whether a particular round will be a test or a generation round. Hence, Theorem 2 also applies to the state and measurements in a generation round.
Applying Theorem 2 to the state σ^{(s_A,s_B)}_{ABE}, and using the continuity and cyclicity of the trace as well as V†V = 1, we find that the physical state ρ at the end of Step 7 must be within trace distance O(ε^c) + negl(λ) of the ideal state ρ̃ = Σ_{s_A, s_B, x, y, a, b ∈ {0,1}} where is Eve's quantum side information. Here, we have used the same notation as in Theorem 2, and b̃ = b ⊕ s_B as in Step 7. As explained above, the side information register O is empty in a generation round. We now analyse the key rate of the ideal state ρ̃. If x = y = Computational does not hold, the key rate is 0 because Alice and Bob both set their output registers to ⊥.
Conditioned on x = y = Computational, the measurement outcomes for the ideal state ρ̃ are either perfectly correlated or perfectly anti-correlated, depending on s_B. Since Bob flips his bit b to get b̃ in the anti-correlated case, we always have a = b̃. In other words, p^{a,b,s_A,s_B}_{x,y} = 1 if a = b̃, and p^{a,b,s_A,s_B}_{x,y} = 0 otherwise. Therefore, in this case we have (with x = Computational) ⊗ |x, x, a, a⟩⟨x, x, a, a|_{XYAB}.
Note that in this expression, the sum over a is independent of the rest. Hence, the state is in a product between the registers AB and the remaining registers. Therefore, in the calculation of the key rate, conditioning on the remaining registers does not change the entropy and we have that for the ideal state ρ̃: This is the key rate for the ideal state ρ̃. However, we are interested in the key rate for the state ρ that the device actually uses in the protocol. To connect the two, recall that by Theorem 2, the two states differ by at most O(ε^c) + negl(λ) in trace distance. Therefore, we can apply a continuity bound for the conditional entropy from [36]. Using the fact that the classical registers have a fixed constant dimension and absorbing the resulting constant from [36] into the O-notation, we find that This completes the proof of Theorem 1.
As we noted when we stated Theorem 1, the constant 1/128 is a consequence of fixing certain parameters in the protocol to 1/2. Specifically, from the proof, we see that this constant arises from the probability 1/32 of being in a generation round, and the probability 1/4 of choosing x = y = Computational. For practical applications, these probabilities could be optimized and treated as functions of the number of rounds n to increase the key rate to up to 1 − O(ε^c log ε) − negl(λ) in the asymptotic IID scenario.

IV. DISCUSSION
We have considered the question of whether there are alternatives to the no-communication assumption used in standard Bell inequality-based DIQKD protocols. For this, we have introduced a modified setting for DIQKD (see Fig. 1b) that drops the no-communication assumption and allows the two components of the key generation device to exchange quantum communication. Instead, we have assumed that the key generation device is computationally bounded and cannot break the LWE assumption, a standard assumption in post-quantum cryptography. For this setting, we have described a protocol that allows Alice and Bob to generate an information-theoretically secure key and shown that it achieves a positive key rate.
Unlike previous approaches to weakening the no-communication assumption [19-21], which required an a priori device-dependent upper bound on the amount of information exchanged between different parts of the device, the LWE assumption is a general assumption about any computationally bounded quantum device, and our belief in it does not require us to inspect the specific device at hand in detail.
As noted in Section I, our modified DIQKD setting allows for arbitrary quantum communication between the components of the device, but requires that the adversary cannot access this communication channel. While a private channel between the device components is a strictly weaker assumption than the no-communication assumption, in practice, the privacy of the channel connecting the two components may be as hard to ensure as the original no-communication assumption, or the assumption that Eve can send EPR states to the device via a strictly one-way channel. The setting in Fig. 1b should therefore be viewed as an extreme case meant for studying DIQKD without the no-communication assumption. An actual implementation of DIQKD could adopt a multilayered approach: physical shielding of the device gives us some credence in the no-communication assumption, but we might still want to employ the protocol we developed in this paper to further boost our confidence in the security of the final key.
With this approach in mind, it is crucial that the behaviour of an honest device for any protocol developed for the setting in Fig. 1b can also be executed in the standard setting, i.e., that an honest device can succeed with local operations and pre-shared EPR pairs. Our Protocol 3 satisfies this requirement. If one drops this requirement and further assumes that Alice has access to trusted private randomness (whereas standard DIQKD and our protocol only require public randomness), then one could execute the following simple key distribution protocol: Alice inputs a random string into her component of the device and asks the device to output this string at Bob's end. Alice and Bob then publicly compare their strings at a subset of locations. If their strings agree, they can use the remainder of the shared string as a key. While this protocol can, strictly speaking, be executed in the setting of Fig. 1b, there is no way for an honest device to succeed without access to the communication channel connecting its components. Accordingly, this protocol cannot be used as part of the multi-layered approach to closing possible loopholes described in the previous paragraph.
One conceptually interesting aspect of the setting in Fig. 1b is that while it relies on a computational assumption, the resulting key is information-theoretically secure, just as in the standard DIQKD setting. This means that even if the computational assumption is broken in the future, encrypted messages remain private, in contrast to classical public-key cryptography. This "lifting" of a computational assumption to an information-theoretic guarantee appears to be a uniquely quantum capability [31].
As noted in [31], the root of this "quantum advantage" lies in the interactive nature of the protocol and the incompatibility of different quantum measurements. On a high level, the combination of interactivity and incompatibility allows the device to correctly answer either of two questions (corresponding to the two challenge types in Protocol 3), but never both simultaneously. In contrast, a classical device that is able to answer either of two questions is also able to answer both at the same time. In particular, this kind of quantum advantage differs both from Bell non-locality, because it does not require a device with spatially separated components, and from quantum computational supremacy, because it is independent of whether or not quantum computation is classically simulable. Therefore, protocols with cryptographic assumptions such as ours may also yield new insights into what separates the capabilities of quantum and classical devices, and might lead to conceptually new quantum cryptographic capabilities [40-42].
There are several important directions for future work; we list a few. Firstly, here we have only shown the security of our protocol in the asymptotic IID scenario. The analysis should, of course, be extended beyond the IID setting. A related protocol for randomness expansion has been analysed in the non-IID setting [31], and we expect that an analogous analysis will work for our protocol, too. The analysis in [31], however, is highly technical and we hope that new techniques, similar to those used in DIQKD [43], can be developed to simplify the analysis of our protocol in the non-IID setting.
Another important task is to improve the dependence on ε in the key rate for our protocol to become practical. In particular, this means increasing the constant c (which we estimate is currently smaller than 10^{-3}). One can either approach this by streamlining the analysis of the self-testing protocol [23], or by taking a more direct approach that shows a lower bound on the key rate without explicitly using a self-testing statement (which is stronger than necessary for DIQKD). Additionally, to improve practicality, one should try to optimize the post-quantum cryptographic tools used in [23,31-33] for smaller quantum devices [44].

ACKNOWLEDGMENTS
This work was done in part while all authors were visiting the Simons Institute for the Theory of Computing and while RAF was associated with the EECS department of the University of California, Berkeley. We

(so intuitively, one can think of k as a set of instructions for how to evaluate f_{k,0} and f_{k,1}).
(ii) For every key k ∈ K_G (i.e., a key for an injective pair), the functions f_{k,0} and f_{k,1} are injective, have the same domain, but have disjoint images. As above, given the key k, a quantum computer can efficiently evaluate the functions f_{k,0} and f_{k,1} in superposition. We denote the common domain of all function pairs by X, and the codomain by Y, and assume that both are sets of all bit strings of a fixed length.
For the security proof of Protocol 2, additional cryptographic properties of these functions are used. We do not describe them here and refer to [23,31,32] for details, but note that ETCF families with these cryptographic properties can be constructed from the standard post-quantum cryptographic assumption that the LWE problem [22] is hard to solve on a quantum computer.¹²

We can now describe the honest behaviour for Protocol 2, following the steps of Protocol 1. In Step 1, Alice's component of the device is given a key k_A ∈ K_F ∪ K_G. Whether k_A ∈ K_F or k_A ∈ K_G is determined by the value of Alice's state basis θ_A: θ_A = Hadamard corresponds to k_A ∈ K_F, and θ_A = Computational corresponds to k_A ∈ K_G. The device uses this key to evaluate the function pair (f_{k,0}, f_{k,1}) on the uniform superposition over the domain (dropping a normalization factor): The device then measures the last register to obtain the string c_A, which is returned to Alice. Bob's component of the device does the same with the key k_B. At this point, it is instructive to consider the post-measurement state. If k_A ∈ K_F, then there are unique so the post-measurement state is (up to normalization): On the other hand, if k_A ∈ K_G, then there exists a unique

¹² In fact, one cannot quite construct ETCF families as we have described them here from the LWE problem, but only an approximate version (called extended noisy trapdoor claw-free families). The only consequence of this for our work is that an honest device cannot satisfy the winning conditions for Protocol 2 with probability 1, but only with probability 1 − negl(λ), where λ denotes the security parameter (intuitively, the length of the keys k ∈ K_F ∪ K_G) and negl(λ) is a negligible function in λ, i.e., a function that decays faster than any inverse polynomial. We will ignore this subtlety for the rest of this appendix.
The post-measurement states on Bob's side are analogous. In Step 3, the device receives a challenge type ct_A from Alice, and ct_B from Bob. If ct_A = a, the honest device simply measures the entire state |ψ^A_1⟩ in the computational basis and returns the outcome z_A to Alice. The check applied by Alice is the following: let z^A_1 be the first bit of z_A, and z^A_r the remainder of the string. Then, Alice checks that From Eq. (A2) and Eq. (A3), it is easy to see that this check passes for the honest device, irrespective of whether k_A ∈ K_F or k_A ∈ K_G. The honest behaviour and checks are analogous on Bob's side.
If ct_A = b, the honest device measures the second register of the state |ψ^A_1⟩ in the Hadamard basis and returns the outcome d_A to Alice. In the case where k_A ∈ K_F, this leaves the first register in the state (up to normalization) where "·" denotes the inner product between bit strings. In the case where k_A ∈ K_G, this leaves the first register in the state The analogous statement holds on Bob's side. Alice and Bob now send questions x, y ∈ {Computational, Hadamard} to their respective components of the device. The honest device uses a pre-shared EPR pair to execute the teleportation circuit from the main text (Eq. (4)) on the state |ψ^A_2⟩|ψ^B_2⟩, obtaining h_A, h_B ∈ {0, 1}, applies a Hadamard gate on the second qubit, and finally measures the two qubits in the basis given by the questions x and y, respectively, obtaining a, b ∈ {0, 1} as outcomes. The bits h_A and a are returned to Alice, and h_B and b to Bob.
We call the state right before the measurement |ψ_3⟩. Using Eq. (5) from the main text and commuting the Hadamard gate past the correction operator, we get (up to a global phase) (A7) To understand the checks applied by Alice and Bob, note that unless k_A and k_B are both in K_F (i.e., θ_A = θ_B = Hadamard), the state |ψ_3⟩ is still a product state (i.e., we are considering a product round). Further, Alice and Bob know h_A, h_B, d_A, and d_B, and they can compute x^A_0 and x^A_1 or x̂^A from c_A (and the same on Bob's side). Hence, Alice and Bob know which product state the honest device has prepared, and they check whether the answers returned by a (potentially dishonest) device are the same as what the honest device would have returned. Clearly, this means that an honest device succeeds with probability 1 in a product round.
In the case θ_A = θ_B = Hadamard (called a Bell round in the main text), let us first consider the state without the correction operator: By a direct calculation, one can verify that (up to a global phase) are the 4 Bell states as in the main text. It is easy to see that up to a global phase (which depends on s_A, s_B, h_A, and h_B, but which we can drop), the Bell states are invariant under the correction operator: Therefore, we have (up to global phase) Note that as in the previous case, Alice and Bob can determine from the device's responses which Bell state |φ^{(s_A,s_B)}⟩ the honest device would have prepared: Alice can compute x^A_0 and x^A_1 from c_A (and similarly Bob computes x^B_0 and x^B_1 from c_B), and from Eq. (A12) we have: The Bell states are uniquely characterized as joint eigenstates of σ_X ⊗ σ_X and σ_Z ⊗ σ_Z, where the eigenvalues depend on s_A and s_B. For example, |φ^{(0,1)}⟩ is the unique state that is a (+1)-eigenstate of σ_X ⊗ σ_X and a (−1)-eigenstate of σ_Z ⊗ σ_Z. For questions x = y ∈ {Computational, Hadamard}, both components of the honest device will measure the same Pauli observable and report back the results a and b, respectively. Hence, Alice and Bob, knowing s_A and s_B, can check whether a ⊕ b is the correct eigenvalue.
In summary, the winning condition in the Bell case is as follows:
- if x = y, the device wins if a ⊕ b equals the eigenvalue of the measured Pauli observable on |φ^{(s_A,s_B)}⟩ (which Alice and Bob determine from s_A and s_B);
- if x ≠ y, the device always wins.
From Eq. (A12), it is clear that the honest device always wins in a Bell round.
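The Bell-round winning condition above and the Step 7 key extraction of Protocol 3, as an added example that is not code from the paper: it prepares the four Bell states as two-qubit amplitude vectors, computes the honest device's outcome distribution for each pair of questions, and checks that a ⊕ b matches the expected eigenvalue and that Bob's flip b̃ = b ⊕ s_B always makes the key bits agree. The mapping of (s_A, s_B) to eigenvalues, (−1)^{s_A} for σ_X ⊗ σ_X and (−1)^{s_B} for σ_Z ⊗ σ_Z, is an assumption that generalises the paper's |φ^{(0,1)}⟩ example.

```python
from itertools import product

# Constructed example: honest Bell round, winning condition and Step 7 key bits.
# Assumption (generalising the paper's |phi^(0,1)> example): |phi^(s_A,s_B)> is the
# (-1)^s_A eigenstate of X(x)X and the (-1)^s_B eigenstate of Z(x)Z.
BASES = ("Computational", "Hadamard")
INV_SQRT2 = 2 ** -0.5
HADAMARD = [[INV_SQRT2, INV_SQRT2], [INV_SQRT2, -INV_SQRT2]]


def bell_state(s_a, s_b):
    """Amplitudes of |phi^(s_A,s_B)> over |ab>, indexed by 2*a + b."""
    amp = [0.0] * 4
    if s_b == 0:   # Z(x)Z = +1: |00> +/- |11>
        amp[0], amp[3] = INV_SQRT2, (-1) ** s_a * INV_SQRT2
    else:          # Z(x)Z = -1: |01> +/- |10>
        amp[1], amp[2] = INV_SQRT2, (-1) ** s_a * INV_SQRT2
    return amp


def apply_single_qubit(amp, gate, qubit):
    """Apply a 2x2 gate to qubit 0 (Alice) or 1 (Bob) of a two-qubit vector."""
    out = [0.0] * 4
    for idx, value in enumerate(amp):
        bits = [(idx >> 1) & 1, idx & 1]
        for new in (0, 1):
            new_bits = list(bits)
            new_bits[qubit] = new
            out[2 * new_bits[0] + new_bits[1]] += gate[new][bits[qubit]] * value
    return out


def outcome_probabilities(s_a, s_b, x, y):
    """Born-rule distribution of (a, b) for questions x (Alice) and y (Bob).
    A Hadamard-basis measurement is H followed by a computational measurement."""
    amp = bell_state(s_a, s_b)
    if x == "Hadamard":
        amp = apply_single_qubit(amp, HADAMARD, 0)
    if y == "Hadamard":
        amp = apply_single_qubit(amp, HADAMARD, 1)
    return {((idx >> 1) & 1, idx & 1): v * v for idx, v in enumerate(amp)}


def expected_parity(s_a, s_b, basis):
    """a xor b of an honest device when both sides measure in `basis`."""
    return s_b if basis == "Computational" else s_a


def bell_round_wins(s_a, s_b, x, y, a, b):
    """Bell-case winning condition: x != y always wins; x == y needs the right eigenvalue."""
    if x != y:
        return True
    return (a ^ b) == expected_parity(s_a, s_b, x)


def honest_win_probability(s_a, s_b, x, y):
    probs = outcome_probabilities(s_a, s_b, x, y)
    return sum(p for (a, b), p in probs.items() if bell_round_wins(s_a, s_b, x, y, a, b))


def step7_key_bits(s_b, x, y, a, b):
    """Step 7 of Protocol 3: key only if x = y = Computational; Bob sets b~ = b xor s_B."""
    if x == y == "Computational":
        return a, b ^ s_b
    return None, None


def honest_device_always_agrees():
    """For every (s_A, s_B, x, y): the honest device wins with probability 1 and
    every reachable outcome gives Alice and Bob the same key bit."""
    for s_a, s_b, x, y in product((0, 1), (0, 1), BASES, BASES):
        if abs(honest_win_probability(s_a, s_b, x, y) - 1.0) > 1e-9:
            return False
        for (a, b), p in outcome_probabilities(s_a, s_b, x, y).items():
            key_a, key_b = step7_key_bits(s_b, x, y, a, b)
            if p > 1e-9 and key_a is not None and key_a != key_b:
                return False
    return True
```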