Quantum key distribution (QKD) allows Alice and Bob to agree on a shared secret key while communicating over a public (untrusted) quantum channel. Compared to classical key exchange, it has two main advantages: (i) the key is unconditionally hidden from any attacker, and (ii) its security assumes only the existence of authenticated classical channels which, in practice, can be realized using Minicrypt assumptions, such as the existence of digital signatures. On the flip side, QKD protocols typically require multiple rounds of interaction, whereas classical key exchange can be realized with the minimum of two messages using public-key encryption. A long-standing open question is whether QKD requires more rounds of interaction than classical key exchange. In this work, we propose a two-message QKD protocol that satisfies everlasting security, assuming only the existence of quantum-secure one-way functions. That is, the shared key is unconditionally hidden, provided computational assumptions hold during the protocol execution. Our result follows from a new construction of quantum public-key encryption (QPKE) whose security, much like its classical counterpart, relies only on authenticated classical channels.