1 Introduction
Deniability represents a fundamental privacyrelated notion in cryptography. The ability to deny a message or an action is a desired property in many contexts such as offtherecord communication, anonymous reporting, whistleblowing and coercionresistant secure electronic voting. The concept of nonrepudiation is closely related to deniability in that the former is aimed at associating specific actions with legitimate parties and thereby preventing them from denying that they have performed a certain task, whereas the latter achieves the opposite property by allowing legitimate parties to deny having performed a particular action. For this reason, deniability is sometimes referred to as repudiability.
The definitions and requirements for deniable exchange can vary depending on the cryptographic task in question, e.g., encryption, authentication or key exchange. Roughly speaking, the common underlying idea for a deniable scheme can be understood as the impossibility for an adversary to produce cryptographic proofs, using only algorithmic evidence, that would allow a thirdparty, often referred to as a judge, to decide if a particular entity has either taken part in a given exchange or exchanged a certain message, which can be a secret key, a digital signature, or a plaintext message. In the context of key exchange, this can be also formulated in terms of a corrupt party (receiver) proving to a judge that a message can be traced back to the other party [16].
In the publickey setting, an immediate challenge for achieving deniability is posed by the need for remote authentication as it typically gives rise to binding evidence, e.g., digital signatures, see [16, 17]. The formal analysis of deniability in classical cryptography can be traced back to the original works of Canetti et al. and Dwork et al. on deniable encryption [11] and deniable authentication [18], respectively. These led to a series of papers on this topic covering a relatively wide array of applications. Deniable key exchange was first formalized by Di Raimondo et al. in [16] using a framework based on the simulation paradigm, which is closely related to that of zeroknowledge proofs.
Despite being a wellknown and fundamental concept in classical cryptography, rather surprisingly, deniability has been largely ignored by the quantum cryptography community. To put things into perspective, with the exception of a single paper by Donald Beaver [3], and a footnote in [20] commenting on the former, there are no other works that directly tackle deniable QKE.
In the adversarial setting described in [3], it is assumed that the honest parties are approached by the adversary after the termination of a QKE session and demanded to reveal their private randomness, i.e., the raw key bits encoded in their quantum states. It is then claimed that QKE schemes, despite having perfect and unconditional security, are not necessarily deniable due to an eavesdropping attack. In the case of the BB84 protocol, this attack introduces a binding between the parties’ inputs and the final key, thus constraining the space of the final secret key such that key equivocation is no longer possible.
Note that since Beaver’s work [3] appeared a few years before a formal analysis of deniability for key exchange was published, its analysis is partly based on the adversarial model formulated earlier in [11] for deniable encryption. For this reason, the setting corresponds more closely to scenarios wherein the honest parties try to deceive a coercer by presenting fake messages and randomness, e.g., deceiving a coercer who tries to verify a voter’s claimed choice using an intercepted ciphertext of a ballot in the context of secure evoting.
1.1 Contributions and Structure
In Section 3 we revisit the notion of deniability in QKE and provide more insight into the eavesdropping attack aimed at detecting attempts at denial described in [3]. Having shed light on the nature of this attack, we show that while coercerdeniability can be achieved by uncloneable encryption (UE) [19], QKE obtained from UE remains vulnerable to the same attack. We briefly elaborate on the differences between our model and simulationbased deniability [16]. To provide a firm foundation, we adopt the framework and security model for quantum authenticated key exchange (QAKE) developed by Mosca et al. [24] and extend them to introduce the notion of coercerdeniable QKE, which we formalize in terms of the indistinguishability of real and fake coercer views.
We establish a connection between the concept of covert communication and deniability in Section 4, which to the best of our knowledge has not been formally considered before. More precisely, we apply results from a recent work by Arrazola and Scarani on obtaining covert quantum communication and covert QKE via noise injection [1] to propose DCQKE, a simple construction for coercerdeniable QKE. We prove the deniability of DCQKE via a reduction to the security of covert QKE. Compared to the candidate PQECC protocol suggested in [3] that is claimed to be deniable, our construction does not require quantum computation and falls within the more practical realm of prepareandmeasure protocols.
Finally, in Section 5 we consider how quantum entanglement distillation can be used not only to counter eavesdropping attacks, but also to achieve informationtheoretic deniability. We conclude by presenting some open questions in Section 6. It is our hope that this work will rekindle interest, more broadly, in the notion of deniable communication in the quantum setting, a topic that has received very little attention from the quantum cryptography community.
1.2 Related Work
We focus on some of the most prominent works in the extensive body of work on deniability in classical cryptography. The notion of deniable encryption was considered by Canetti et al. [11] in a setting where an adversary demands that parties reveal private coins used for generating a ciphertext. This motivated the need for schemes equipped with a faking algorithm that can produce fake randomness with distributions indistinguishable from that of the real encryption.
In a framework based on the simulation paradigm, Dwork et al. introduced the notion of deniable authentication [18], followed by the work of Di Raimondo et al. on the formalization of deniable key exchange [16]. Both works rely on the formalism of zeroknowledge (ZK) proofs, with definitions formalized in terms of a simulator that can produce a simulated view that is indistinguishable from the real one. In a subsequent work, Di Raimondo and Gennaro gave a formal definition of forward deniability [15], requiring that indistinguishability remain intact even when a (corrupted) party reveals real coins after a session. Among other things, they showed that statistical ZK protocols are forward deniable.
Pass [26] formally defines the notion of deniable zeroknowledge and presents positive and negative results in the common reference string and random oracle model. In [17], Dodis et al. establish a link between deniability and ideal authentication and further model a situation in which deniability should hold even when a corrupted party colludes with the adversary during the execution of a protocol. They show an impossibility result in the PKI model if adaptive corruptions are allowed. Cremers and Feltz introduced another variant for key exchange referred to as peer and time deniability [13], while also capturing perfect forward secrecy. More recently, Unger and Goldberg studied deniable authenticated key exchange (DAKE) in the context of secure messaging [31].
To the best of our knowledge, the only work related to deniability in QKE is a single paper by Beaver [3], in which the author suggests a negative result arguing that existing QKE schemes are not necessarily deniable.
2 Preliminaries in Quantum Information and QKE
We use the Dirac braket notation and standard terminology from quantum computing. Here we limit ourselves to a description of the most relevant concepts in quantum information theory. More details can be found in standard textbooks [25, 32]. For brevity, let and denote the honest parties, and the adversary.
Given an orthonormal basis formed by and in a twodimensional complex Hilbert space , let denote the computational basis and the diagonal basis.
If the state vector of a composite system cannot be expressed as a tensor product
, the state of each subsystem cannot be described independently and we say the two qubits are
entangled. This property is best exemplified by maximally entangled qubits (ebits), the socalled Bell statesA noisy qubit that cannot be expressed as a linear superposition of pure states is said to be in a mixed
state, a classical probability distribution of pure states:
. The density operator , defined as a weighted sum of projectors, captures both pure and mixed states: .Given a density matrix describing the joint state of a system held by and , the partial trace allows us to compute the local state of (density operator ) if ’s system is not accessible to . To obtain from (the reduced state of on ), we trace out the system : . As a distance measure, we use the expected fidelity between a pure state and a mixed state given by .
A crucial distinction between quantum and classical information is captured by the wellknown NoCloning theorem [33], which states that an arbitrary unknown quantum state cannot be copied or cloned perfectly.
2.1 Quantum Key Exchange and Uncloneable Encryption
QKE allows two parties to establish a common secret key with informationtheoretic security using an insecure quantum channel, and a public authenticated classical channel. In Protocol 1 we describe the BB84 protocol, the most wellknown QKE variant due to Bennett and Brassard [5]. For consistency with related works, we use the wellestablished formalism based on errorcorrecting codes, developed by Shor and Preskill [28]. Let and be two classical linear binary codes encoding and bits in bits such that where is the binary vector space on bits. A mapping of vectors to a set of basis states (codewords) for the CalderbankShorSteane (CSS) [10, 29] code subspace is given by: . Due to the irrelevance of phase errors and their decoupling from bit flips in CSS codes, Alice can send along with classical errorcorrection information where and , such that Bob can decode to a codeword in from where is an error codeword, with the final key being the coset leader of .
Uncloneable encryption (UE) enables transmission of ciphertexts that cannot be perfectly copied and stored for later decoding, by encoding carefully prepared codewords into quantum states, thereby leveraging the NoCloning theorem. We refer to Gottesman’s original work [19] for a detailed explanation of the sketch in Protocol 2. Alice and Bob agree on a message length , a Message Authentication Code (MAC) of length , an errorcorrecting code having message length and codeword length with distance for average error rate , and another errorcorrecting code (for privacy amplification) with message length and codeword length and distance to correct more errors than , satisfying , where is the dual code containing all vectors orthogonal to . The preshared key is broken down into four pieces, all chosen uniformly at random: an authentication key
, a onetime pad
, a syndrome , and a basis sequence .QKE from UE.
3 CoercerDeniable Quantum Key Exchange
Following the setting in [3], in which it is implicitly assumed that the adversary has established a binding between the participants’ identities and a given QKE session, we introduce the notion of coercerdeniability for QKE. This makes it possible to consider an adversarial setting similar to that of deniable encryption [11] and expect that the parties might be coerced into revealing their private coins after the termination of a session, in which case they would have to produce fake randomness such that the resulting transcript and the claimed values remain consistent with the adversary’s observations.
Beaver’s analysis [3] is briefly addressed in a footnote in a paper by Ioannou and Mosca [20] and the issue is brushed aside based on the argument that the parties do not have to keep records of their raw key bits. It is argued that for deniability to be satisfied, it is sufficient that the adversary cannot provide binding evidence that attributes a particular key to the classical communication as their measurements on the quantum channel do not constitute a publicly verifiable proof. However, counterarguments for this view were already raised in the motivations for deniable encryption [11] in terms of secure erasure being difficult and unreliable, and that erasing cannot be externally verified. Moreover, it is also argued that if one were to make the physical security assumption that random choices made for encryption are physically unavailable, the deniability problem would disappear. We refer to [11] and references therein for more details.
Bindings, or lack thereof, lie at the core of deniability. Although we leave a formal comparison of our model with the one formulated in the simulation paradigm [16] as future work, a notable difference can be expressed in terms of the inputs presented to the adversary. In the simulation paradigm, deniability is modelled only according to the simulatability of the legal transcript that the adversary or a corrupt party produces naturally via a session with a party as evidence for the judge, whereas for coercerdeniability, the adversary additionally demands that the honest parties reveal their private randomness.
Finally, note that viewing deniability in terms of “convincing” the adversary is bound to be problematic and indeed a source of debate in the cryptographic research community as the adversary may never be convinced given their knowledge of the existence of faking algorithms. Hence, deniability is formulated in terms of the indistinguishability of views (or their simulatability [16]) such that a judge would have no reason to believe a given transcript provided by the adversary establishes a binding as it could have been forged or simulated.
3.1 Defeating Deniability in QKE via Eavesdropping in a Nutshell
We briefly review the eavesdropping attack described in [3] and provide further insight. Suppose Alice sends qubit to Bob, which encodes a singlebit message prepared in a basis determined by . Let denote the state obtained after sending , relayed and possibly modified by an adversary . Moreover, let denote the view presented to the judge, obtained by tracing over inaccessible systems. Now for a qubit measured correctly by Eve, if a party tries to deny by pretending to have sent instead of , e.g., by using some local transformation to simply negate a given qubit, then , where denotes the fidelity between and . Thus, the judge can successfully detect this attempt at denial.
This attack can be mounted successfully with nonnegligible probability without causing the session to abort: Assume that qubits will be transmitted in a BB84 session and that the tolerable error rate is , where clearly . Eve measures each qubit with probability (choosing a basis at random) and passes on the remaining ones to Bob undisturbed, i.e., she plants a number of decoy states proportional to the tolerated error threshold. On average, measurements will come from matching bases, which can be used by Eve to detect attempts at denial, if Alice claims to have measured a different encoding. After discarding half the qubits in the sifting phase, this ratio will remain unchanged. Now Alice and/or Bob must flip at least one bit in order to deny without knowledge of where the decoy states lie in the transmitted sequence, thus getting caught with probability upon flipping a bit at random.
3.2 On the CoercerDeniability of Uncloneable Encryption
The vulnerability described in Section 3.1 is made possible by an eavesdropping attack that induces a binding in the key coming from a BB84 session. Uncloneable encryption remains immune to this attack because the quantum encoding is done for an already onetime padded classical input. More precisely, a binding established at the level of quantum states can still be perfectly denied because the actual raw information bits are not directly encoded into the sequence of qubits, instead the concatenation of and the corresponding authentication tag , i.e., , is masked with a onetime pad to obtain , which is then mapped onto a codeword that is encoded into quantum states. For this reason, in the context of coercerdeniability, regardless of a binding established on by the adversary, Alice can still deny to another input message in that she can pick a different input to compute a fake pad , so that upon revealing to Eve, she will simply decode , as intended.
However, note that a prepareandmeasure QKE obtained from UE still remains vulnerable to the same eavesdropping attack due to the fact that we can no longer make use of the deniability of the onetime pad in UE such that the bindings induced by Eve constrain the choice of the underlying codewords.
3.3 Security Model
We adopt the framework for quantum AKEs developed by Mosca et al. [24]. Due to space constraints, we mainly focus on our proposed extensions. Parties
, including the adversary, are modelled as a pair of classical and quantum Turing machines (TM) that execute a series of interactive computations and exchange messages with each other through classical and quantum channels, collectively referred to as a
protocol. An execution of a protocol is referred to as a session, identified with a unique session identifier. An ongoing session is called an active session, and upon completion, it either outputs an error term in case of an abort, or it outputs a tuple in case of a successful termination. The tuple consists of a session key , a party identifier and two vectors and that model public values and secret terms, respectively.We adopt an extended version of the adversarial model described in [24], to account for coercerdeniability. Let be an efficient, i.e. (quantum) polynomial time, adversary with classical and quantum runtime bounds and , and quantum memory bound , where bounds can be unlimited. Following standard assumptions, the adversary controls all communication between parties and carries the messages exchanged between them. We consider an authenticated classical channel and do not impose any special restrictions otherwise. Additionally, the adversary is allowed to approach either the sender or the receiver after the termination of a session and request access to a subset of the private randomness used by the parties for a given session, i.e. set of values to be faked.
Security notions can be formulated in terms of security experiments in which the adversary interacts with the parties via a set of welldefined queries. These queries typically involve sending messages to an active session or initiating one, corrupting a party, learning their longterm secret key, revealing the ephemeral keys of an incomplete session, obtaining the computed session key for a given session, and a testsession() query capturing the winning condition of the game that can be invoked only for a fresh session. Revealing secret values to the adversary is modeled via partnering. The notion of freshness captures the idea of excluding cases that would allow the adversary to trivially win the security experiment. This is done by imposing minimal restrictions on the set of queries the adversary can invoke for a given session such that there exist protocols that can still satisfy the definition of sessionkey security. A session remains fresh as long as at least one element in and remains secret, see [24] for more details.
The transcript of a protocol consists of all publicly exchanged messages between the parties during a run or session of the protocol. The definition of “views” and “outputs” given in [3] coincides with that of transcripts in [16] in the sense that it allows us to model a transcript that can be obtained from observations made on the quantum channel. The view of a party consists of their state in along with any classical strings they produce or observe. More generally, for a twoparty protocol, captured by the global density matrix for the systems of and , the individual system corresponds to a partial trace that yields a reduced density matrix, i.e., , with a similar approach for any additional couplings.
3.4 CoercerDeniable QKE via View Indistinguishability
We use the security model in Section 3.3 to introduce the notion of coercerdeniable QKE, formalized via the indistinguishability of real and fake views. Note that in this work we do not account for forward deniability and forward secrecy.
CoercerDeniability Security Experiment.
Let denote this experiment and the same set of queries available to the adversary in a security game for sessionkey security, as described in Section 3.3, and [24]. Clearly, in addition to deniability, it is vital that the security of the session key remains intact as well. For this reason, we simply extend the requirements of the security game for a sessionkey secure KE by having the challenger provide an additional piece of information to the adversary when the latter calls the testsession() query. This means that the definition of a fresh session remains the same as the one given in [24]. invokes queries from until issues testsession() to a fresh session of their choice. decides on a random bit and if , provides with the real session key and the real vector of private randomness , and if , with a random (fake) key and a random (fake) vector of private randomness . Finally, guesses an output and wins the game if . The experiment returns 1 if succeeds, and 0 otherwise. Let denote the winning advantage of .
Definition 1 (CoercerDeniable QKE)
For adversary , let there be an efficient distinguisher on security parameter . We say that is a coercerdeniable QKE protocol if, for any adversary , transcript , and for any , and a vector of private random inputs , there exists a denial/faking program that running on produces such that the following conditions hold:

is a secure QKE protocol.

The adversary cannot do better than making a random guess for winning the coercerdeniability security experiment, i.e.,
Equivalently, we require that for all efficient distinguisher
where the transcript is a tuple consisting of a vector , containing classical message exchanges of a session, along with the local view of the adversary w.r.t. the quantum channel obtained by tracing over inaccessible systems (see Section 3.3).
A function is negligible if for any constant , there exists a such that , we have . In other words, it approaches zero faster than any polynomial in the asymptotic limit.
Remark 1
We introduced a vector of private random inputs to avoid being restricted to a specific set of “fake coins” in a coercerdeniable setting such as the raw key bits in BB84 as used in Beaver’s analysis. This allows us to include other private inputs as part of the transcript that need to be forged by the denying parties without having to provide a new security model for each variant. Indeed, in [24], Mosca et al. consider the security of QKE in case various secret values are compromised before or after a session. This means that these values can, in principle, be included in the set of random coins that might have to be revealed to the adversary and it should therefore be possible to generate fake alternatives using a faking algorithm.
4 Deniable QKE via Covert Quantum Communication
We establish a connection between covert communication and deniability by providing a simple construction for coercerdeniable QKE using covert QKE. We then show that deniability is reduced to the covertness property, meaning that deniable QKE can be performed as long as covert QKE is not broken by the adversary, formalized via the security reduction given in Theorem 4.2.
Covert communication becomes relevant when parties wish to keep the very act of communicating secret or hidden from a malicious warden. This can be motivated by various requirements such as the need for hiding one’s communication with a particular entity when this act alone can be incriminating. While encryption can make it impossible for the adversary to access the contents of a message, it would not prevent them from detecting exchanges over a channel under their observation. Bash et al. [2, 27] established a squareroot law for covert communication in the presence of an unbounded quantum adversary stating that covert bits can be exchanged over channel uses. Recently, Arrazola and Scarani [1] extended covert communication to the quantum regime for transmitting qubits covertly. Covert quantum communication consists of two parties exchanging a sequence of qubits such that an adversary trying to detect this cannot succeed by doing better than making a random guess, i.e., for sufficiently small , where denotes the probability of detection and the detection bias.
4.1 Covert Quantum Key Exchange
Since covert communication requires preshared secret randomness, a natural question to ask is whether QKE can be done covertly. This was also addressed in [1] and it was shown that covert QKE with unconditional security for the covertness property is impossible because the amount of key consumption is greater than the amount produced. However, a hybrid approach involving pseudorandom number generators (PRNG) was proposed to achieve covert QKE with a positive key rate such that the resulting secret key remains informationtheoretically secure, while the covertness of QKE is shown to be at least as strong as the security of the PRNG. The PRNG is used to expand a truly random preshared key into an exponentially larger pseudorandom output, which is then used to determine the timebins for sending signals in covert QKE.
Covert QKE Security Experiment.
Let denote the security experiment. The main property of covert QKE, denoted by , can be expressed as a game played by the adversary against a challenger who decides on a random bit and if , runs , otherwise (if ), does not run . Finally, guesses a random bit and wins the game if . The experiment outputs 1 if succeeds, and 0 otherwise. The winning advantage of is given by and we want that .
Definition 2
Let be a PRNG secure against all efficient distinguishers running in time at most with success probability at most , where . A QKE protocol is considered to be covert if the following holds for any efficient adversary :

is a secure QKE protocol.

The probability that guesses the bit correctly (), i.e., manages to distinguish between Alice and Bob running or not, is no more than plus a negligible function in the security parameter , i.e.,
Theorem 4.1
(Sourced from [1]) The secret key obtained from the covert QKE protocol is informationaltheoretically secure and the covertness of is as secure as the underlying PRNG.
4.2 Deniable Covert Quantum Key Exchange (DCQKE)
We are now in a position to describe DCQKE, a simple construction shown in Protocol 4, which preserves unconditional security for the final secret key, while its deniability is as secure as the underlying PRNG used in . In terms of the Security Experiment 3.4, is run to establish a real key , while noncovert QKE is used to produce a fake key aimed at achieving deniability, where and are the respective vectors of real and fake private inputs.
Operationally, consider a setting wherein the parties suspect in advance that they might be coerced into revealing their private coins for a given run: their joint strategy consists of running both components in Protocol 4 and claiming to have employed to establish the fake key using the fake private randomness (e.g. raw key bits in BB84) and provide these as input to the adversary upon termination of a session. Thus, for Eve to be able to produce a proof showing that the revealed values are fake, she would have to break the security of covert QKE to detect the presence of , as shown in Theorem 4.2. Moreover, note that covert communication can be used for dynamically agreeing on a joint strategy for denial, further highlighting its relevance for deniability.
Remark 2
The original analysis in [3] describes an attack based solely on revealing fake raw key bits that may be inconsistent with the adversary’s observations. An advantage of DCQKE in this regard is that Alice’s strategy for achieving coercerdeniability consists of revealing all the secret values of the noncovert QKE honestly. This allows her to cover the full range of private randomness that could be considered in different variants of deniability as discussed in Remark 1. A potential drawback is the extra cost induced by , which could, in principle, be mitigated using a less interactive solution such as QKE via UE.
Remark 3
If the classical channel is authenticated by an informationtheoretically secure algorithm, the minimal entropy overhead in terms of preshared key (logarithmic in the input size) for can be generated by .
Example 1
In the case of encryption, can send over a covert channel to , while for denying to , she can send over a noncovert channel. Alternatively, she can transmit a single ciphertext over a noncovert channel such that it can be opened to two different messages. To do so, given , Alice computes , and she can then either encode as a codeword, as described in Section 2.1, and run via uncloneable encryption, thus allowing her to reveal the entire transcript to Eve honestly, or she can agree with Bob on a suitable privacy amplification (PA) function (with PA being manytoone) as part of their denying program in order to obtain .
Theorem 4.2
Proof
The main idea consists of showing that breaking the deniability property of DCQKE amounts to breaking the security of covert QKE, such that coercerdeniability follows from the contrapositive of this implication, i.e., if there exists no efficient algorithm for compromising the security of covert QKE, then there exists no efficient algorithm for breaking the deniability of DCQKE. We formalize this via a reduction, sketched as follows. Let and denote the two views. Flip a coin for an attempt at denial: if , then , else (), , where and denote the transcripts of covert and noncovert exchanges from and . Now if DCQKE is constructed from , then given an efficient adversary that can distinguish from with probability , we can use to construct an efficient distinguisher to break the security of covert QKE with probability such that . Indeed, given an instance of a DCQKE security game, we construct a distinguisher that uses on input and , with the goal to win the game described in the Security Experiment 3.4. The distinguisher would simply run (with negligible overhead) and observe whether succeeds at distinguishing from . Since the only element that is not sampled uniformly at random is in containing exchanges from the covert channel, which relies on a PRNG, the only way can distinguish from is if she can distinguish from . If succeeds, then guesses that a covert QKE session has taken place, thereby winning the Security Experiment 4.1 for covert QKE. ∎
5 Deniability via Entanglement Distillation
Here we consider the possibility of achieving informationtheoretic deniability via entanglement distillation (ED). In its most general form, ED allows two parties to distill maximally entangled pure states (ebits) from an arbitrary sequence of entangled states at some positive rate using local operations and classical communication (LOCC), i.e. to move from to , where .
In the noiseless model, independent identically distributed (i.i.d.) copies of the same partially entangled state can be converted into Bell pairs in the limit , i.e., from to , where denotes the von Neumann entropy of entanglement. If the parties start out with pure states, local operations alone will suffice for distillation [4, 7], otherwise the same task can be achieved via forward classical communication (oneway LOCC), as shown by the DevetakWinter theorem [14], to distill ebits from many copies of some bipartite entangled state. See also the early work of Bennett et al. [8] on mixed state ED. Buscemi and Datta [9] relax the i.i.d. assumption and provide a general formula for the optimal rate at which ebits can be distilled from a noisy and arbitrary source of entanglement via oneway and twoway LOCC.
Intuitively, the eavesdropping attack described in [3] and further detailed in Section 3.1, is enabled by the presence of noise in the channel as well as the fact that Bob cannot distinguish states sent by Alice from those prepared by Eve. As a result, attempting to deny to a different bit value encoded in a given quantum state  without knowing if this is a decoy state prepared by Eve  allows the adversary to detect such an attempt with nonnegligible probability.
In terms of deniability, the intuition behind this idea is that while Alice and Bob may not be able to know which states have been prepared by Eve, they can instead remove her “check” decoy states from their set of shared entangled pairs by decoupling her system from theirs. Once they are in possession of maximally entangled states, they will have effectively factored out Eve’s state such that the global system is given by the pure tensor product space . Thus the pure bipartite joint system between Alice and Bob cannot be correlated with any system under Eve’s control, thereby foiling her crosschecking strategy. The singlet states can then be used to perform QKE via quantum teleportation [6].
5.1 Deniable QKE via Entanglement Distillation and Teleportation
We now argue why performing randomness distillation at the quantum level, thus requiring quantum computation, plays an important role w.r.t. deniability. The subtleties alluded to in [3] arise from the fact that randomness distillation is performed in the classical postprocessing step. This allows Eve to leverage her tampering in that she can verify the parties’ claims against her decoy states. However, this attack can be countered by removing Eve’s knowledge before the classical exchanges begin. Most security proofs of QKE [22, 28, 23] are based on a reduction to an entanglementbased variant, such that the fidelity of Alice and Bob’s final state with is shown to be exponentially close to 1. Moreover, secret key distillation techniques involving ED and quantum teleportation [7, 14] can be used to faithfully transfer qubits from to by consuming ebits. To illustrate the relevance of distillation for deniability in QKE, consider the generalized template shown in Protocol 5, based on these wellknown techniques.
By performing ED, Alice and Bob make sure that the resulting state cannot be correlated with anything else due to the monogamy of entanglement (see e.g. [21, 30]), thus factoring out Eve’s system. The parties can open their records for steps and honestly, and open to arbitrary classical inputs for steps and : deniability follows from decoupling Eve’s system, meaning that she is faced with a reduced density matrix on a pure bipartite maximally entangled state, i.e., a maximally mixed state , thus obtaining key equivocation.
In terms of the hierarchy of entanglementbased constructions mentioned in [3], this approach mainly constitutes a generalization of such schemes. It should therefore be viewed more as a step towards a theoretical characterization of entanglementbased schemes for achieving informationtheoretic deniability. Due to lack of space, we omit a discussion of how techniques from deviceindependent cryptography can deal with maliciously prepared initial states.
Going beyond QKE, note that quantum teleportation allows the transfer of an unknown quantum state, meaning that even the sender would be oblivious as to what state is sent. Moreover, ebits can enable uniquely quantum tasks such as traceless exchange in the context of quantum anonymous transmission [12], to achieve incoercible protocols that allow parties to deny to any random input.
6 Open Questions and Directions for Future Research
Studying the deniability of publickey authenticated QKE both in our model and in the simulation paradigm, and the existence of an equivalence relation between our indistinguishabilitybased definition and a simulationbased one would be a natural continuation of this work. Other lines of inquiry include forward deniability, deniable QKE in conjunction with forward secrecy, deniability using covert communication in stronger adversarial models, a further analysis of the relation between the impossibility of unconditional quantum bit commitment and deniability mentioned in [3], and deniable QKE via uncloneable encryption. Finally, gaining a better understanding of entanglement distillation w.r.t. potential pitfalls in various adversarial settings and proposing concrete deniable protocols for QKE and other tasks beyond key exchange represent further research avenues.
Acknowledgments
We thank Mark M. Wilde and Ignatius William Primaatmaja for their comments. This work was supported by a grant (QCoDe) from the Luxembourg FNR.
References
 [1] Arrazola, J.M., Scarani, V.: Covert quantum communication. Physical review letters 117(25), 250503 (2016)
 [2] Bash, B.A., Goeckel, D., Towsley, D., Guha, S.: Hiding information in noise: Fundamental limits of covert wireless communication. IEEE Communications Magazine 53(12), 26–31 (2015)
 [3] Beaver, D.: On deniability in quantum key exchange. In: Knudsen, L.R. (ed.) Advances in Cryptology — EUROCRYPT 2002. pp. 352–367. Springer Berlin Heidelberg, Berlin, Heidelberg (2002)
 [4] Bennett, C.H., Bernstein, H.J., Popescu, S., Schumacher, B.: Concentrating partial entanglement by local operations. Physical Review A 53(4), 2046 (1996)
 [5] Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing int. In: Conf. on Computers, Systems and Signal Processing (Bangalore, India, Dec. 1984). pp. 175–9 (1984)
 [6] Bennett, C.H., Brassard, G., Crépeau, C., Jozsa, R., Peres, A., Wootters, W.K.: Teleporting an unknown quantum state via dual classical and einsteinpodolskyrosen channels. Physical review letters 70(13), 1895 (1993)
 [7] Bennett, C.H., Brassard, G., Popescu, S., Schumacher, B., Smolin, J.A., Wootters, W.K.: Purification of noisy entanglement and faithful teleportation via noisy channels. Physical review letters 76(5), 722 (1996)
 [8] Bennett, C.H., DiVincenzo, D.P., Smolin, J.A., Wootters, W.K.: Mixedstate entanglement and quantum error correction. Physical Review A 54(5), 3824 (1996)
 [9] Buscemi, F., Datta, N.: Distilling entanglement from arbitrary resources. Journal of Mathematical Physics 51(10), 102201 (2010)
 [10] Calderbank, A.R., Shor, P.W.: Good quantum errorcorrecting codes exist. Physical Review A 54(2), 1098 (1996)
 [11] Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Annual International Cryptology Conference. pp. 90–104. Springer (1997)
 [12] Christandl, M., Wehner, S.: Quantum anonymous transmissions. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 217–235. Springer (2005)
 [13] Cremers, C., Feltz, M.: Oneround strongly secure key exchange with perfect forward secrecy and deniability. Tech. rep., ETH Zurich (2011)
 [14] Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum states. Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences 461(2053), 207–235 (2005)
 [15] Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. Journal of cryptology 22(4), 572–615 (2009)
 [16] Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Proceedings of the 13th ACM conference on Computer and communications security. pp. 400–409. ACM (2006)
 [17] Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and online deniability of authentication. In: Theory of Cryptography Conference. pp. 146–162. Springer (2009)

[18]
Dwork, C., Naor, M., Sahai, A.: Concurrent zeroknowledge. In: Proceedings of
the
Annual ACM Symposium on Theory of Computing. pp. 409–418. STOC ’98, ACM, New York, NY, USA (1998)
 [19] Gottesman, D.: Uncloneable encryption. Quantum Info. Comput. 3(6), 581–602 (Nov 2003)
 [20] Ioannou, L.M., Mosca, M.: A new spin on quantum cryptography: Avoiding trapdoors and embracing public keys. In: International Workshop on PostQuantum Cryptography. pp. 255–274. Springer (2011)
 [21] Koashi, M., Winter, A.: Monogamy of quantum entanglement and other correlations. Physical Review A 69(2), 022309 (2004)
 [22] Lo, H.K., Chau, H.F.: Unconditional security of quantum key distribution over arbitrarily long distances. science 283(5410), 2050–2056 (1999)
 [23] Mayers, D.: Unconditional security in quantum cryptography. Journal of the ACM (JACM) 48(3), 351–406 (2001)
 [24] Mosca, M., Stebila, D., Ustaoğlu, B.: Quantum key distribution in the classical authenticated key exchange framework. In: International Workshop on PostQuantum Cryptography. pp. 136–154. Springer (2013)
 [25] Nielsen, M.A., Chuang, I.: Quantum computation and quantum information (2002)
 [26] Pass, R.: On deniability in the common reference string and random oracle model. In: Annual International Cryptology Conference. pp. 316–337. Springer (2003)
 [27] Sheikholeslami, A., Bash, B.A., Towsley, D., Goeckel, D., Guha, S.: Covert communication over classicalquantum channels. In: Information Theory (ISIT), 2016 IEEE International Symposium on. pp. 2064–2068. IEEE (2016)
 [28] Shor, P.W., Preskill, J.: Simple proof of security of the bb84 quantum key distribution protocol. Physical review letters 85(2), 441 (2000)
 [29] Steane, A.: Multipleparticle interference and quantum error correction. Proc. R. Soc. Lond. A 452(1954), 2551–2577 (1996)
 [30] Streltsov, A., Adesso, G., Piani, M., Bruß, D.: Are general quantum correlations monogamous? Physical review letters 109(5), 050503 (2012)
 [31] Unger, N., Goldberg, I.: Deniable key exchanges for secure messaging. In: Proceedings of the 22nd acm sigsac conference on computer and communications security. pp. 1211–1223. ACM (2015)
 [32] Wilde, M.M.: Quantum information theory. Cambridge University Press (2013)
 [33] Wootters, W.K., Zurek, W.H.: A single quantum cannot be cloned. Nature 299(5886), 802–803 (1982)