
Quantum Key Agreement

Quantum key agreement (QKA) is a protocol in which two parties jointly establish a shared secret key using quantum communication, such that neither party alone determines the final key. This differs from quantum key distribution (QKD), where one party typically generates and distributes the key.

In standard quantum key distribution (QKD) protocols such as BB84, one party (Alice) generates a random key, encodes it into quantum states, and sends it to a second party (Bob), who measures and recovers the key. The security guarantee is that no eavesdropper can intercept the key without introducing detectable disturbance. However, the asymmetry of this arrangement means Alice knows the final key before Bob does, and the final key is entirely determined by Alice’s initial random choices. Quantum key agreement (QKA) addresses this by requiring both parties to contribute randomness to the final shared secret, so neither Alice nor Bob unilaterally controls the agreed key. This property, sometimes called fairness, is important in settings where mutual trust between the communicating parties cannot be assumed.

W-state based QKA protocols are among the most studied quantum approaches. A W state |W> = (|100> + |010> + |001>)/sqrt(3) distributed across multiple parties has the property that tracing out any one party leaves the remaining parties in a partially entangled state that still contains correlations. In a two-party QKA protocol built on W states, Alice and Bob each hold subsystems of a multipartite entangled state and perform local measurements whose outcomes are correlated but individually random; the XOR or hash of their measurement results forms the shared key, and neither party’s measurement outcome alone determines the final key. Security against eavesdropping follows from the monogamy of entanglement: a third party holding a share of the entangled state cannot gain information about the key without disturbing the correlations between Alice and Bob.
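
The W-state property described above can be checked numerically. The following is an added example, not part of the original article: it traces out the third qubit of |W> and computes the purity, concurrence, and joint computational-basis outcome probabilities of the remaining pair. The qubit labels A, B, C and all function names are assumptions for illustration, and the concurrence uses the closed form that holds only for X-shaped two-qubit density matrices.

```python
from itertools import product
from math import sqrt

# W state on three qubits ordered (A, B, C); amplitudes are real.
W = {"100": 1 / sqrt(3), "010": 1 / sqrt(3), "001": 1 / sqrt(3)}
BASIS = ["00", "01", "10", "11"]  # two-qubit computational basis for (A, B)


def reduced_ab(state):
    """Density matrix of qubits A and B after tracing out qubit C."""
    rho = {(r, c): 0.0 for r in BASIS for c in BASIS}
    for r, c, k in product(BASIS, BASIS, "01"):
        rho[(r, c)] += state.get(r + k, 0.0) * state.get(c + k, 0.0)
    return rho


def purity(rho):
    """Tr(rho^2): 1.0 for a pure state, below 1.0 for a mixed one."""
    return sum(rho[(r, c)] * rho[(c, r)] for r in BASIS for c in BASIS)


def concurrence_x(rho, tol=1e-12):
    """Concurrence from the closed form valid only for X-shaped states."""
    allowed = {(b, b) for b in BASIS} | {("00", "11"), ("11", "00"),
                                         ("01", "10"), ("10", "01")}
    if any(abs(v) > tol for k, v in rho.items() if k not in allowed):
        raise ValueError("density matrix is not X-shaped")
    inner = abs(rho[("01", "10")]) - sqrt(rho[("00", "00")] * rho[("11", "11")])
    outer = abs(rho[("00", "11")]) - sqrt(rho[("01", "01")] * rho[("10", "10")])
    return 2 * max(0.0, inner, outer)


def joint_z(rho):
    """Joint computational-basis outcome probabilities for A and B."""
    return {b: rho[(b, b)] for b in BASIS}


if __name__ == "__main__":
    rho = reduced_ab(W)
    print("purity      :", round(purity(rho), 4))
    print("concurrence :", round(concurrence_x(rho), 4))
    print("P(a, b)     :", {b: round(p, 4) for b, p in joint_z(rho).items()})
```

A purity of 5/9 shows the remaining pair is in a mixed state, while a concurrence of 2/3 shows it is still entangled, which is the "partially entangled" residue the paragraph refers to. The outcome 11 has probability zero, so the two parties' computational-basis results are correlated even though neither result is fixed in advance.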

Semi-quantum key agreement (SQKA) relaxes the assumption that both parties must have full quantum capability. In SQKA, one party (the quantum party) can prepare, send, and measure arbitrary quantum states, while the other (the classical or semi-quantum party) is restricted to reflecting qubits unchanged, measuring in the computational basis, or preparing fresh computational basis states. Security proofs for SQKA show that even with this asymmetric capability assumption, both parties can jointly agree on a key that neither determines alone, and an eavesdropper with full quantum capability cannot learn the key without being detected. This makes SQKA relevant for scenarios where one end of a communication channel has only simple quantum hardware.

Practical deployment of QKA faces the same physical obstacles as QKD: photon loss in optical fiber limits transmission distance, detector inefficiencies reduce key generation rates, and current quantum repeater technology is immature. Unlike QKD, which has seen commercial deployment by companies such as Toshiba, ID Quantique, and MagiQ, QKA protocols remain in the experimental and proof-of-principle phase as of 2025. No commercial QKA product is available. The primary near-term path to deployment involves integrating QKA into quantum network stacks alongside QKD as quantum internet infrastructure matures, particularly for multiparty scenarios such as secure voting or distributed computation where key fairness is a protocol requirement.