Image generated by AI
TLDR
- What: An adversarial co-learning framework utilizing the Exp3 bandit algorithm to dynamically resolve route selection (Alice) and attack placement (Eve) over quantum repeater networks without prior topological knowledge, verified via decision-tree symbolic explanations and local LLMs.
- Who's at risk: Multi-node entanglement-based Quantum Key Distribution (QKD) routing protocols and quantum repeater networks (e.g., networks built on frameworks like SeQUeNCe or NetSquid) that rely on static routing paths.
- Key number: A near-perfect Pearson correlation of
r = 0.99between the Exp3-learned retention and the full-matrix minimax reference across 50 distinct network topologies.
Securing the Quantum Internet: Adversarial Co-Learning and Explainable Robustness in E91 Repeater Networks
As metropolitan-scale quantum communication systems move from localized physics labs to distributed, multi-node routing architectures, safeguarding these setups against strategic interceptors becomes a primary concern. In entanglement-based Quantum Key Distribution (QKD) protocols like Ekert-91 (E91), routing decisions fundamentally dictate which physical fiber paths and repeater memories are exposed to potential adversaries. If an adversary ("Eve") can strategically place attacks to disrupt key generation, static routing engines will fail.
This research investigates how adversarial co-learning can dynamically uncover optimal routing defenses and attack surfaces over a corpus of 50 topologies, using discrete-event simulations modeled in the SeQUeNCe quantum network simulator.
Threat Model
| Attacker | Eve: An active eavesdropper with no initial knowledge of the network topology. Eve receives purely binary bandit feedback (whether her attack intersected Alice's chosen route) and chooses one attack surface per turn. |
| Victim | Alice & Bob: Routing controllers on an entanglement-based E91 quantum repeater network spanning up to 7 hops and 32 possible routes. |
| Goal | Eve: Disrupt quantum state transmission to break the Clauser-Horne-Shimony-Holt (CHSH) inequality violation, forcing routing aborts.Alice: Maximize the "retention" rate (the fraction of accepted turns with verified CHSH violations where ` |
| Budget | Eve: Limited to exactly 1 component-level attack per turn—either an edge intercept-resend (IR) attack or a memory degradation attack on an internal repeater node. |
Background / Problem Setup
In an E91 repeater network, security is continually monitored using Bell-test statistics. On any given routing turn, Alice and Bob distribute a budget of 350 entangled pairs end-to-end. If the resulting finite-sample statistic violates the CHSH bound (i.e., the Bell parameter |S| > 2), the turn is accepted; otherwise, it is aborted due to suspected eavesdropping or hardware failure.
This interaction sets up a classic zero-sum network interdiction game. While traditional routing models assume static, non-adversarial noise, this paper frames the problem as an active, online game where both defender and attacker adapt dynamically.
Comparison of Network Routing & Interdiction Frameworks
| Project / Framework | Approach | Routing Mechanism | Threat Model | Explainability |
|---|---|---|---|---|
| Traditional Interdiction (Washburn & Wood, 1995) | Game-theoretic | Static shortest path / Max-flow cuts | Omniscient attacker blocks physical edges | Mathematical proof of min-cut bottlenecks |
| SeQUeNCe (Wu et al., 2021) / NetSquid (Coopmans et al., 2021) | Discrete-event simulator | Fixed, heuristic-based routing | Passive/Unattacked physical hardware noise | Raw log output, diagnostic over-interpretation risks |
| This Work (Adversarial Co-Learning) | Game-theoretic co-learning with Exp3 bandits | Multi-route adaptive selection based on online rewards | Active, strategic adversary (Edge Intercept-Resend or Memory Degradation) | Shallow decision trees translated into natural language via local LLMs |
Methodology
The adversarial game is played over a corpus of 50 graph topologies categorized into eight structural families (including single/multi/deep bottlenecks, disjoint parallel paths, layered parallel paths, and Wheatstone chains).
[ Alice ]
|
(Route Selection)
|
v
[ E91 Simulation ] <--- (Edge IR or Memory Attack) --- [ Eve ]
|
(CHSH Test: |S| > 2)
|
+---> Accepted (Reward: 1 to Alice, 0 to Eve)
+---> Aborted (Reward: 0 to Alice, 1 to Eve)
1. Quantum Parameter Configuration
The simulation parameters are tuned to replicate realistic hardware performances:
- Base Entanglement Protocol: Barrett-Kok model with a memory fidelity of
0.98. - Memory Efficiency: Set to
0.544(motivated by recent trapped-ion node experiments). - Turn Budget: 350 entangled pairs per route. A pre-run health check demands at least 319 delivered pairs for Alice to compute CHSH statistics.
- Unattacked Baselines: In clean conditions, the mean Bell parameter
|S|falls from2.75at 1 hop to2.37at 7 hops. Approximately 20% of turns fail the CHSH check due to unattacked physical noise.
2. The Exp3 Learning Loop
Because Alice and Eve have zero prior knowledge of the underlying graph topology, both players employ the Exponential-weight algorithm for Exploration and Exploitation (Exp3) to update their mixed strategies over 5 * 10^5 turns.
The players update their weights using the following parameterization:
- Learning Rate: (where is the player's action-space size and is the current game turn)
- Exploration Parameter:
3. Explanation Pipeline
To make the learned policies auditable, the authors implemented a hybrid symbolic/connectionist explanation workflow:
- Symbolic Extraction: Fit depth-3 decision-tree regressors to the game logs.
- Natural Language Synthesis: Feed the decision-tree structure and rules into local, open-source Large Language Models (LLMs) via Ollama, utilizing a strictly formatted markdown prompt to minimize security-oriented hallucinations.
Key Results
The primary benchmark evaluates whether the model can rediscover the strategic vulnerabilities of each network topology.
- The Coverage Principle: In a homogeneous network with disjoint parallel paths, an optimal defense should yield a retention rate of
1 - 1/N. Conversely, any network containing a bottleneck node (where all routes intersect a single point) should collapse to0retention, as Eve can simply park her attack on that single node. - Strategic Recovery: As illustrated in Figure 2, the Exp3 bandit algorithm successfully converged to these theoretical limits. The final learned retention tracked the oracle's minimax calculations with a Pearson correlation of
r = 0.99.
Algorithm Convergence & Explanatory Power
| Performance Metric | Evaluation Target | Train | Held-Out | Held-Out MAE | Notes / Observations |
|---|---|---|---|---|---|
| Oracle Graph Retention | Complete Topology | 0.9984 |
0.9978 |
0.0081 |
Decision trees accurately isolate bottlenecks and count disjoint paths. |
| Eve Action Probability | Attacker Strategy | 0.7048 |
0.6886 |
0.0257 |
Captures major targets like memory degradation flags on multi-bottlenecks. |
| Expected Denial vs. Alice | Game Utility | 0.4344 |
0.3781 |
0.1305 |
Performance degrades due to the high variance of finite-sample CHSH evaluations. |
| Alice Route Probability | Routing Strategy | 0.2437 |
0.1723 |
0.0833 |
Very weak fit. Routing strategy exhibits high degeneracy (many routes are equally optimal). |
Local LLM Explanatory Quality (0.0 to 1.0 Scale)
The authors evaluated three local LLM architectures on 50 separate prompt runs. While the models excelled at parsing numerical data, they struggled to reason about why specific network features dictated those outcomes.
llama3.1:8b phi4:14b nemotron-3-super:120b
Numeric Faithfulness [ .95 ] [ .99 ] [ .92 ]
Scope Honesty [ .96 ] [ 1.0 ] [ 1.0 ]
Tree Referencing [ .90 ] [ .92 ] [ 1.0 ]
Section Completeness [ .90 ] [ .90 ] [ .80 ]
Human Interpretability[.51 ] [ .55 ] [ .57 ]
As shown above, none of the tested LLM models exceeded a score of 7 out of 10 (represented as 0.57 on the scale) for subjective human interpretability, revealing a significant reasoning gap when explaining strategic network security properties.
Limitations & Open Questions
- Offline Simulation Caching: To make the
5 * 10^5co-learning turns computationally feasible, the authors used pre-simulated caches of SeQUeNCe trials. In real-world deployments, these physical parameters (like fiber degradation or memory decoherence) will fluctuate dynamically, which could destabilize the Exp3 convergence rate. - The Explainability Wall: Although the shallow decision trees perfectly map the relationships (e.g., on retention prediction), the local LLMs proved to be poor explainers. They correctly repeated the tree leaf values (high "numeric faithfulness") but failed to explain the physics-based "why" behind the bottlenecks.
- Action-Space Scaling: The tested topologies were limited to a maximum of 32 routes and 7 hops. In larger, mesh-grid quantum networks, the action space will scale exponentially, leading to slower convergence and wider Nash-gaps over finite learning horizons.
What Practitioners Should Do
If you are designing, simulating, or defending quantum repeater networks, consider the following recommendations:
- Implement Threat-Aware Routing Regimes: Replace static routing algorithms with adaptive, bandit-based path selection (such as Exp3). Standard static routing is highly vulnerable to targeted physical attacks.
- Prioritize Node-Disjoint Path Redundancy: When planning physical fiber layouts for quantum key distribution (QKD), prioritize the creation of disjoint parallel routes. As demonstrated by the coverage principle, routing security scales directly with the path count , whereas bottleneck topologies collapse to zero retention under active interdiction.
- Incorporate Symbolic Verification Layers: Do not rely on LLMs to interpret or explain raw security logs and routing decisions. Instead, use symbolic models (like shallow decision-tree regressors) as a deterministic verification layer. This ensures that any natural-language summaries generated for security operators are grounded in verifiable, structured rules rather than statistical guesswork.
The Takeaway
Adversarial co-learning algorithms can successfully navigate the physical constraints of quantum communication networks to discover optimal routing paths and attack points without prior topological knowledge. However, while these algorithms can automatically secure the network, standard local LLMs cannot yet be trusted to explain why these routing decisions are secure, highlighting the continued necessity of symbolic verification in critical infrastructure defense.
Den's Take
I'm generally skeptical of papers that slap multi-agent algorithms onto quantum security and call it a day, but this work actually grounds its math in physical realities using the SeQUeNCe simulator. Achieving a near-perfect Pearson correlation of r = 0.99 between the Exp3-learned retention and the full-matrix minimax reference across 50 distinct topologies is genuinely impressive. It shows that online bandit algorithms can successfully navigate adaptive routing decisions (up to 7 hops and 32 routes) without needing prior topological maps.
However, as a practitioner, the threat model feels far too sanitized. Limiting Eve to exactly one component-level attack per turn—either an edge intercept-resend or memory degradation—assumes a highly constrained adversary. In the real world, an attacker won't nicely coordinate with your discrete-event steps to play a neat, turn-based zero-sum game. In my AI Security Digest — July 13, 2026, I argued that over-simplifying attacker capabilities in simulation runs the risk of deploying defenses that crumble under unexpected, out-of-distribution strategies. If we want truly explainable robustness in QKD networks, we must test these Exp3 routing models against adaptive, multi-point adversarial strategies, not just highly restricted single-action bandits.