In the binary case (A and B both have dimension two), the above two conditions are equivalent and sufficient for the possibility of quantum key agreement: all entangled binary states can be purified. The same even holds if one Hilbert space is of dimension 2 and the other one of dimension 3. However, for larger dimensions there are examples showing that these conditions are not equivalent: there are entangled states whose partial transpose has no negative eigenvalue, hence cannot be purified [17]. Such states are called bound entangled, in contrast to free entangled states, which can be purified. Moreover, it is believed that there even exist entangled states which cannot be purified although they have negative partial transposition [9].

If the set of bases is large enough, then for all z there is a basis with positive intrinsic information, hence the mean is also positive. Clearly, this result is stronger if the set of bases is small. Nothing is proven about the achievable size of such sets of bases, but it is conceivable that max{dim A, dim B} bases are always sufficient.

– Commitment. From Lemma 2, all honest parties that complete AVSS-Sh agree on the same h and c. By the collision resistance of the hash function, the adversary cannot find a Cj = C such that h = (Cj) = (C ) with all but negligible probability, so there is a fixed C except with negligible probability. Moreover, C is computationally binding under the DLog assumption, so all honest parties agree on the same polynomial A∗(x) committed to C, which fixes a unique key∗, and they also receive the same cipher c. So there exists a unique m∗ = c ⊕ key∗, which is fixed once some honest party outputs in AVSS-Sh. Now we prove that m∗ can be reconstructed when all honest parties activate AVSS-Rec. Any honest party that outputs in the AVSS-Sh subprotocol must have received 2f + 1 Ready messages from distinct parties, at least f + 1 of which are from honest parties. Thus, at least one honest party has received 2f + 1 Echo messages from distinct parties. This ensures that at least f + 1 honest parties get the same commitment C and a valid quorum proof Π. Due to the unforgeability of the signatures in Π, at least f + 1 honest parties did store valid shares of A∗(x) and B∗(x) along with the corresponding commitment C, except with negligible probability. So after all honest parties start AVSS-Rec, at least f + 1 honest parties would broadcast KeyRec messages with valid shares of A∗(x) and B∗(x). These messages can be received by all parties and can be verified by the at least f + 1 honest parties who record C. With overwhelming probability, at least f + 1 parties can interpolate A∗(x) to compute A∗(0) as key and broadcast it, and all parties can receive at least f + 1 copies of the same key∗ and then output the same m∗ = c ⊕ key∗, as they obtain the same ciphertext c from AVSS-Sh.

So we have shown on the one hand that the agents not in ε1 at tj are in ε2 at t1. On the other hand, the agents in ε1 at tj remain in δ1 at t1 from (5.5), and therefore remain in ε2 at t1 because δ1 ε2 . Hence, at time t1, ε2 (x(tj)) has at least two agents. Let V2 and V2∗ be a partition of the node set V such that i ∈ V2 if xi(t1) ∈ Hε2 and i ∈ V2∗ otherwise. Note that by (5.5), k ∈ V1 ⟹ xk(tj) ∈ Hε1 ⟹ xk(t1) ∈ Hδ1 ⊂ Hε2 ⟹ k ∈ V2, so V1 ⊂ V2. In particular ck2, the center node of G([τk2, τk2 + Tj]), is in V2 because it is in V1. Then we can apply the same argument to conclude that there are a t2 ∈ [t1, tj + k2T] and an i in V2∗ such that xi(t2) ∈ Hε3, and therefore Hε3 has at least three agents at t2. Repeating this argument n − 1 times leads to the result that there is a tn−1 ∈ [tj, tj + kn−1T] ⊂ [tj, tj + T¯] such that Hεn has n agents at tn−1. Hence, V1(x(tn−1)) ≤ V1(x(tj)) − εn = V1(x(tj)) − η(V1(x(tj))), and (5.4) follows.

Finally, uncertainty is introduced by assuming a Gaussian distribution f(μc, 4, 3) for the mean critical wind speed μc, with mean 4 and standard deviation 3. Putting all components together, we obtain an expression for the expected value of the loss ratio LH Lf E[ ] = ∫ 1 ( ( ) H dμ(L) ) d 4, 3 dL H

H H queries : Suppose $W_V$ is received as the challenge and the designated verifier is $ID_V$. For any signing query of $ID_I$, S knows the corresponding private key, so the simulation can be done as a typical protocol invocation. The exception is the following special handling for $ID_J$: $\alpha$ and $h$ are chosen randomly from $\mathbb{Z}_q^*$, setting $h = H_0(\alpha P - hQ_J, m)$. If $H_0(\alpha P - hQ_J, m)$ was previously queried, another $\alpha$ is chosen. The signature $(W_J, e_J)$ can be computed by $W_J = \alpha P - hQ_J$ and $e_J = \hat{e}(\alpha xP, W_V)$. It is easy to see the signature is valid since $\hat{e}(x(W_J + hQ_J), W_V) = \hat{e}(\alpha xP, W_V)$.

Forgery : Suppose F does not halt; now S returns $\sigma^* = (W_J^*, e_J^*)$ as a valid signature. If it is not made on behalf of $ID_J$, the simulation fails. Event 0 would not occur if $ID_J$ were chosen by F as the target of attack; such a choice is made with probability $1/N_Q$, where $N_Q$ is the number of H queries. Suppose the simulation does not abort; we have $e_J^* = \hat{e}(W_J^* + h_J^* yP, zP)^x$, where $h_J^* = H_0(W_J^*, m^*)$. We ignore the small probability that F can correctly guess the value of $H_0(W_J^*, m^*)$ without making the corresponding $H_0$ query. Now S runs F for a second time with the same settings, except setting the response of the $H_0$ query of $(W_J^*, m^*)$ as $h'_J$. By the standard forking lemma argument [26], in this second run F gives a valid forgery with $e'_J = \hat{e}(W_J^* + h'_J yP, zP)^x$. The solution of the BDH problem is given by $(e'_J / e_J^*)^{(h'_J - h_J^*)^{-1}} = \hat{e}(yP, zP)^x$.

the global state Ψ factorizes, i.e., Ψ = ψAB ψE, where ψAB A B and ψE E. In this case Alice and Bob are independent of Eve: Eve cannot obtain any information on Alice’s and Bob’s states by measuring her system. After a measurement, Alice and Bob obtain a classical distribution PXY. However, in order to obtain a well-defined classical scenario one has to assume that also Eve performs a measurement, i.e., that Eve treats her information on the classical level. Indeed, only then a classical distribution PXYZ is defined. But considering that in practice all PXYZ result from some physical process, the assumption that Eve performs the measurement one would like her to perform is not founded on basic principles³. For example, Eve’s measurement could be done later and depend on the public discussion between Alice and Bob. Consequently, the common approach which starts from PXYZ to prove the security of a key agreement protocol hides an assumption about Eve’s measurement. As we shall see, avoiding this hidden assumption and staying in the quantum regime can actually simplify the analysis of the scenario.

² We assume all bases to be orthonormal.
³ One could argue that if the system in Eve’s hand is classical, then she has no choice for her measurement. But ultimately all systems are quantum mechanical and the apparent lack of choice might purely be a matter of technology.

When Alice and Bob share many independent systems⁴ ρAB, there are basically two possibilities for generating a secret key. Either they first measure their systems and then run a classical protocol (process classical information) secure against all measurements Eve could possibly perform (i.e., against all possible distributions PXYZ that can result after Eve’s measurement). Or they first run a quantum protocol (i.e., process the information in the quantum domain) and then perform their measurements.

The idea of quantum protocols is to process the systems in state ρAB and to produce fewer systems in a pure state (i.e., to purify ρAB), thus to eliminate Eve from the scenario. Moreover, the pure state Alice and Bob end up with should be maximally entangled (i.e., even for some different and incompatible measurements, Alice’s and Bob’s results are perfectly correlated). Finally, Alice and Bob measure their maximally entangled systems and establish a secret key. This way of obtaining a key directly from a quantum state Ψ, without any error correction nor classical privacy amplification,...