Quantum Oblivious Transfer

From Quantum Protocol Zoo
Jump to navigation Jump to search

Oblivious transfer (OT) is a cryptographic primitive between two parties, sender and receiver. It is generally used as a building block for secure multi-party computation such as bit commitment. The functionality of OT is the following: Sender sends two bits/qubits to the receiver and the receiver can choose to receive only one of them. The protocol is secure when none of the parties obtain an information they are not supposed to obtain i.e. sender does not know which bit/qubit the receiver has chosen, and the receiver does not obtain information about the other bit/qubit. This example protocol achieves the task of practical OT where it can be realised with available optoelectronic apparatus while being computationally secure.

Tags: Two Party Protocols, Quantum Enhanced Classical Functionality, Specific Task


Experimental constraints

  • The demonstration of quantum oblivious transfer uses the transmission consisting of series of highly attenuated pulses of coherent or incoherent polarized light rather than individual photons.
  • The receiver measures the pulses using noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
  • The protocol is a streaming protocol where the receiver measures each pulses on the fly. Thus it does not require the receiver to store the pulses in a quantum memory.

Outline

This section describes the quantum OT protocol Bennett et al. under realistic experimental assumptions in two phases. The preparation phase, followed by the computation phase.

Preparation phase

The protocol is adjusted to the physical limitations of the receiver's detection apparatus.

The receiver conveys to the sender the experimental imperfections of his detectors i.e. the quantum efficiency and dark count rate.

The sender conveys the intensity of the light pulses she will use which conveys the information about the fraction of sender's pulses that will be detected successfully by the receiver, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources in the detector.

The sender and receiver agree on the security parameter of the OT protocol and on the linear binary error-correcting code.

Finally, they perform a test run to verify that the receiver indeed detects the sender pulses with the said probability and error rate.

Computation phase

The sender sends a random sequence of highly attenuated coherent pulses of the four canonical polarizations from the standard basis and the Hadamard basis.

The receiver randomly decides for each pulse whether to measure it in the standard or the Hadamard basis, and records the basis and measurement results. The receiver then reports the arrival times of all pulses he received to the sender, but not the bases or the measurement results.

The sender then conveys to the receiver the bases measurement she used for each of the pulses received by the receiver.

The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the incorrect basis. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one. Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements. The sender does not know which word she shares with the receiver.

Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error free channel. Given this data, the receiver is able to recover the original word corresponding to his good set but not that corresponding to his bad set. Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities. At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows. The sender knows both parities, but she does not know which one the receiver knows.

The receiver tells the sender whether the index of the parity he knows and the index of the bit he wishes to know are equal. If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity. From this, the receiver extracts the desired bit.

Notation

  • and : The two one-bit messages of the sender out of which one is to be received by the receiver.
  • : Quantum efficiency of receiver's detectors.
  • : Dark count rate of receiver's detectors.
  • : Intensity of light pulses used by the sender.
  • : Fraction of pulses sender will expect receiver to detect successfully.
  • : Bit error rate sender will be willing to correct in receiver's data to compensate for his dark counts and other noise sources
  • : Security parameter, bits twice the number of which wil be used in communication
  • and : Parities of the two random subsets of each set.
  • : Receiver's choice of the one-bit message.
  • : Index of the set whose parity is known to the receiver.

Requirements

  • Basic state preparation and measurement devices.
  • Access to an error-free classical channel.


Properties

  • Nothing is known about the unconditional security of our protocol against coherent measurement attack
  • Any attack consistent with quantum physics can be thwarted from a computational point of view under the assumption that one-way functions exist
  • Any attack on the protocol must be carried out 'on-line', that is when the protocol is taking place.
  • Safe oblivious transfer can be achieved when H(~E) < - (1 - e-p - pe-@)/2a, where H is the entropy function. If this condition cannot be met, the sender aborts the protocol.
  • There is no need of quantum memory.


Pseudocode

Preparation phase

  1. The receiver tells the sender the quantum efficiency and the dark count rate of his detectors.
  2. If satisfactory, the sender tells the receiver the value of , , and .
  3. Then they agree on a linear binary error-correcting code capable of correcting with very high probability N-bit words transmitted with expected error rate .
  4. Finally, both the parties perform a test run.
    1. The sender sends pulses of intensity in a prearranged sequence of polarizations.
    2. The receiver reads each pulse in the correct basis
    3. He then verifies if he can detect the pulses with probability greater than and error rate less than .

Computation phase

  1. The sender sends a random sequence of Failed to parse (SVG (MathML can be enabled via browser plugin): Invalid response ("Math extension cannot connect to Restbase.") from server "https://wikimedia.org/api/rest_v1/":): {\displaystyle 2N/a} pulses in either of states.
  2. The receiver obtains roughly pulses after measuring each of them randomly in the standard or the Hadamard basis. He records the basis and the measurement.
  3. He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
  4. The sender then tells the receiver the bases she used to send each of the pulses he received.
  5. The receiver creates two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
  6. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
  7. Now, the receiver shares with the sender a -bit string corresponding to his good set and nothing with respect to his bad set of measurements.
  8. Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an errorfree channel.
  9. The receiver recovers the original word corresponding to his good set and gets to know nohing about the bad set.
  10. The sender now computes the parity of a random subset of each set and tells the receiver the addresses defining these random subsets.
  11. The receiver knows one of these parities, indexed , and nothing about the other parity, and he knows which parity he knows.
  12. The sender knows both the parities and , but does not know which one the receiver knows.
  13. The receiver tells the sender whether or not .
  14. If , sender sends and , else, she sends and .
  15. From this, the receiver extracts .

Further Information

*contributed by Natansh Mathur