Editing Quantum Oblivious Transfer

This [https://link.springer.com/chapter/10.1007/3-540-46766-1_29 example protocol] achieves the task of Oblivious Transfer in which the sender sends two messages and the receiver can choose which message he receives.
The receiver gets to know nothing about the other message and the sender is oblivious of which one of the two messages was received by the receiver.
Moreover, this protocol is practical in the sense that it can be realised with available optoelectronic apparatus while being immune to any technologically feasible attack for the foreseeable future. 

'''Tags:''' [[:Category:Two Party Protocols|Two Party Protocols]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]]
[[Category:Two Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]]


==Assumptions==

* The quantum transmission consists of series of very dim pulses of coherent or incoherent polarized light rather than individual photons.
* The receiver attempts to detect the pulses by noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
* The pulses cannot be stored for a significant length of time, so the receiver must measure each pulse before the next one arrives or else lose the opportunity of measuring it at all.


==Outline==

The dark count rate is a detector's probability of registering a count during a time slot when no photons are incident on it.
The quantum efficiency is the excess probability of registering a count when one photon is incident on the detector.

===Preparation phase===

The protocol is adjusted to the physical limitations of the receiver's detection apparatus.

The receiver tells the sender the quantum efficiency and dark count rate of his detectors.

The sender then tells the intensity of the light pulses she will use, the fraction of these pulses she will expect him to 
detect successfully, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources.

She also decides on a security parameter which she communicates to the receiver.

Both of them agree on a linear binary error-correcting code.

Finally, they perform a test run to verify that the receiver can indeed detect the pulses with the said probability and error rate. 

===Computation phase===

The sender sends a random sequence of faint pulses of the four canonical polarizations from the standard basis and the hadamard basis.

The receiver randomly decides for each pulse whether to measure it in the standard or the hadamard basis, and records the basis and measurement result in a table.
He then reports to the sender the arrival times of all pulses he received, but not the bases or the measurement results.

The sender then tells the receiver the bases she used to send each of the pulses he received.

The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements.
The sender does not know which word she shares with the receiver.

Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an errorfree channel.
Given this data, the receiver should be able to recover the original word corresponding to his good set but not that corresponding to his bad set.
Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities.
At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows.
The sender knows both parities, but she does not know which one the receiver knows.

The receiver tells the sender whether the index of the parity he knows and the index of the bit he wishes to know are equal.
If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity.
From this, the receiver extracts the desired bit.


==Notation==

* <math>b_0</math> and <math>b_1</math>: The two one-bit messages of the sender out of which one is to be received by the receiver.
* <math>q</math>: Quantum efficiency of receiver's detectors.
* <math>d</math>: Dark count rate of receiver's detectors.
* <math>\mu</math>: Intensity of light pulses used by the sender.
* <math>a</math>: Fraction of pulses sender will expect receiver to detect successfully.
* <math>\epsilon</math>: Bit error rate sender will be willing to correct in receiver's data to compensate for his dark counts and other noise sources
* <math>N</math>: Security parameter, bits twice the number of which wil be used in communication
* <math>x_0</math> and <math>x_1</math>: Parities of the two random subsets of each set.
* <math>c</math>: Receiver's choice of the one-bit message.
* <math>\hat{c}</math>: Index of the set whose parity is known to the receiver.

==Requirements==

* Basic state preparation and measurement devices.
* Access to an error-free classical channel.

<br/>

[[File:Quantum Oblivious Transfer.png|center|Quantum Oblivious Transfer]]

==Properties==

* Nothing is known about the unconditional security of our protocol against coherent measurement attack
* Any attack consistent with quantum physics can be thwarted from a computational point of view under the assumption that one-way functions exist
* Any attack on the protocol must be carried out 'on-line', that is when the protocol is taking place.
* Safe oblivious transfer can be achieved when H(~E) < - (1 - e-p - pe-@)/2a, where H is the entropy function. If this condition cannot be met, the sender aborts the protocol.
* There is no need of quantum memory.


==Pseudocode==

===Preparation phase===

# The receiver tells the sender the quantum efficiency <math>q</math> and the dark count rate <math>d</math> of his detectors.
# If satisfactory, the sender tells the receiver the value of <math>\mu</math>, <math>a</math>, <math>\epsilon</math> and <math>N</math>.
# Then they agree on a linear binary error-correcting code capable of correcting with very high probability N-bit words transmitted with expected error rate <math>\epsilon</math>.
# Finally, both the parties perform a test run.
## The sender sends pulses of intensity <math>\mu</math> in a prearranged sequence of polarizations.
## The receiver reads each pulse in the correct basis
## He then verifies if he can detect the pulses with probability greater than <math>a</math> and error rate less than <math>\epsilon</math>.

===Computation phase===

# The sender sends a random sequence of <math>2N/a</math> pulses in either of <math>\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}</math> states.
# The receiver receives roughly <math>2N</math> pulses and randomly decides to measure each pulse in the standard or the hadamard basis and records the basis and the measurement.
# He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
# The sender then tells the receiver the bases she used to send each of the pulses he received.
# The receiver creates two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
# He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
# Now, the receiver shares with the sender a <math>N</math>-bit string corresponding to his good set and nothing with respect to his bad set of measurements.
# Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an errorfree channel.
# The receiver recovers the original word corresponding to his good set and gets to know nohing about the bad set.
# The sender now computes the parity of a random subset of each set and tells the receiver the addresses defining these random subsets.
# The receiver knows one of these parities, indexed <math>\hat{c}</math>, and nothing about the other parity, and he knows which parity he knows.
# The sender knows both the parities <math>x_0</math> and <math>x_1</math>, but does not know which one the receiver knows.
# The receiver tells the sender whether or not <math>c = \hat{c}</math>.
# If <math>c = \hat{c}</math>, sender sends <math>x_0 \oplus b_0</math> and <math>x_1 \oplus b_1</math>, else, she sends <math>x_0 \oplus b_1</math> and <math>x_1 \oplus b_0</math>.
# From this, the receiver extracts <math>b_c</math>.

== Further Information ==

<div style='text-align: right;'>''*contributed by Natansh Mathur''</div>