Quantum Oblivious Transfer

This example protocol achieves the task of Oblivious Transfer in which the sender sends two messages and the receiver can choose which message he receives. The receiver gets to know nothing about the other message and the sender is oblivious of which one of the two messages was received by the receiver. Moreover, this protocol is practical in the sense that it can be realised with available optoelectronic apparatus while being immune to any technologically feasible attack for the foreseeable future.

Tags: Two Party Protocols, Quantum Enhanced Classical Functionality, Specific Task


Experimental constraints

  • The demonstration of quantum oblivious transfer transmits a series of highly attenuated pulses of coherent or incoherent polarized light rather than individual photons.
  • The receiver measures the pulses using noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
  • The protocol is a streaming protocol in which the receiver measures each pulse on the fly, so it does not require the receiver to store the pulses in a quantum memory.

Outline

The demonstration of the oblivious transfer protocol occurs in two phases: the preparation phase, followed by the computation phase.

Preparation phase

The protocol is adjusted to the physical limitations of the receiver's detection apparatus.

The receiver tells the sender the quantum efficiency and dark count rate of his detectors.

The sender then tells the receiver the intensity of the light pulses she will use, the fraction of these pulses she will expect him to detect successfully, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources.

She also decides on a security parameter which she communicates to the receiver.

Both of them agree on a linear binary error-correcting code.

Finally, they perform a test run to verify that the receiver can indeed detect the pulses with the said probability and error rate.

Computation phase

The sender sends a random sequence of faint pulses of the four canonical polarizations from the standard basis and the Hadamard basis.

The receiver randomly decides for each pulse whether to measure it in the standard or the Hadamard basis, and records the basis and measurement result in a table. He then reports to the sender the arrival times of all pulses he received, but not the bases or the measurement results.

The sender then tells the receiver the bases she used to send each of the pulses he received.

The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one. Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements. The sender does not know which word she shares with the receiver.

Using the error-correcting code, the sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error-free channel. Given this data, the receiver should be able to recover the original word corresponding to his good set but not that corresponding to his bad set. Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities. At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows. The sender knows both parities, but she does not know which one the receiver knows.

The receiver tells the sender whether the index of the parity he knows and the index of the bit he wishes to know are equal. If they are equal, the sender gives him the XOR of the same-indexed bit and parity; otherwise she gives him the XOR of the opposite-indexed bit and parity. From this, the receiver extracts the desired bit.

Notation

  •   and  : The two one-bit messages of the sender out of which one is to be received by the receiver.
  •  : Quantum efficiency of receiver's detectors.
  •  : Dark count rate of receiver's detectors.
  •  : Intensity of light pulses used by the sender.
  •  : Fraction of pulses sender will expect receiver to detect successfully.
  •  : Bit error rate sender will be willing to correct in receiver's data to compensate for his dark counts and other noise sources.
  •  : Security parameter; twice this number of bits will be used in communication.
  •   and  : Parities of the two random subsets of each set.
  •  : Receiver's choice of the one-bit message.
  •  : Index of the set whose parity is known to the receiver.

Requirements

  • Basic state preparation and measurement devices.
  • Access to an error-free classical channel.


Properties

  • Nothing is known about the unconditional security of our protocol against coherent measurement attack.
  • Any attack consistent with quantum physics can be thwarted from a computational point of view under the assumption that one-way functions exist.
  • Any attack on the protocol must be carried out 'on-line', that is when the protocol is taking place.
  • Safe oblivious transfer can be achieved when H(~E) < - (1 - e-p - pe-@)/2a, where H is the entropy function. If this condition cannot be met, the sender aborts the protocol.
  • There is no need of quantum memory.


Pseudocode

Preparation phase

  1. The receiver tells the sender the quantum efficiency   and the dark count rate   of his detectors.
  2. If satisfactory, the sender tells the receiver the value of  ,  ,   and  .
  3. Then they agree on a linear binary error-correcting code capable of correcting with very high probability N-bit words transmitted with expected error rate  .
  4. Finally, both the parties perform a test run.
    1. The sender sends pulses of intensity   in a prearranged sequence of polarizations.
    2. The receiver reads each pulse in the correct basis.
    3. He then verifies if he can detect the pulses with probability greater than   and error rate less than  .

Computation phase

  1. The sender sends a random sequence of   pulses in either of   states.
  2. The receiver receives roughly   pulses and randomly decides to measure each pulse in the standard or the Hadamard basis and records the basis and the measurement.
  3. He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
  4. The sender then tells the receiver the bases she used to send each of the pulses he received.
  5. The receiver creates two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
  6. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
  7. Now, the receiver shares with the sender a  -bit string corresponding to his good set and nothing with respect to his bad set of measurements.
  8. Using the error-correcting code, the sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error-free channel.
  9. The receiver recovers the original word corresponding to his good set and gets to know nothing about the bad set.
  10. The sender now computes the parity of a random subset of each set and tells the receiver the addresses defining these random subsets.
  11. The receiver knows one of these parities, indexed  , and nothing about the other parity, and he knows which parity he knows.
  12. The sender knows both the parities   and  , but does not know which one the receiver knows.
  13. The receiver tells the sender whether or not  .
  14. If  , sender sends   and  , else, she sends   and  .
  15. From this, the receiver extracts  .
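
The computation phase above, simulated classically as an added example (not code from the original page or from the protocol's authors). It assumes a noiseless channel on which every pulse is detected, so the syndrome exchange of steps 8 and 9 is skipped; the names `m0`, `m1`, `choice`, `k` and `p` are this example's own.

```python
import random

# Names (m0, m1, choice, k, p) are assumptions of this example, not page notation.
def parity(word, subset):
    """Parity (XOR) of the bits of `word` at the addresses in `subset`."""
    return sum(word[i] for i in subset) % 2

def run_ot(m0, m1, choice, n_pulses=64, seed=None):
    """Simulate one noiseless run; returns (bit the receiver extracts,
    whether his guess at the *other* parity happened to be right)."""
    rng = random.Random(seed)
    # Steps 1-2: random bits in random bases (0 = standard, 1 = Hadamard).
    s_bits = [rng.randrange(2) for _ in range(n_pulses)]
    s_bases = [rng.randrange(2) for _ in range(n_pulses)]
    r_bases = [rng.randrange(2) for _ in range(n_pulses)]
    # Matching basis reads the encoded bit; the wrong basis gives a coin flip.
    r_bits = [b if sb == rb else rng.randrange(2)
              for b, sb, rb in zip(s_bits, s_bases, r_bases)]
    # Steps 3-5: every pulse is assumed detected; after the sender reveals
    # her bases, the receiver splits the addresses into good and bad sets.
    good = [i for i in range(n_pulses) if s_bases[i] == r_bases[i]]
    bad = [i for i in range(n_pulses) if s_bases[i] != r_bases[i]]
    n = min(len(good), len(bad))            # keep the two sets equal-sized
    good, bad = good[:n], bad[:n]
    # Step 6: announce both sets; only the receiver knows k, the good one.
    k = rng.randrange(2)
    sets = [good, bad] if k == 0 else [bad, good]
    # Steps 8-9 (syndromes) are skipped: this simulated channel has no errors.
    # Step 10: sender picks a random subset of each set; she knows both parities.
    subsets = [[i for i in s if rng.randrange(2)] for s in sets]
    p = [parity(s_bits, sub) for sub in subsets]
    # Step 11: receiver computes the one parity he really knows.
    known = parity(r_bits, subsets[k])
    # Steps 13-14: receiver reveals only whether k == choice; sender masks.
    if k == choice:
        sent = [m0 ^ p[0], m1 ^ p[1]]
    else:
        sent = [m0 ^ p[1], m1 ^ p[0]]
    # Step 15: in both branches the chosen message is masked by p[k].
    received = sent[choice] ^ known
    bad_guess_ok = parity(r_bits, subsets[1 - k]) == p[1 - k]
    return received, bad_guess_ok
```

Over many runs the second return value is true about half the time: the receiver's bad-set measurements tell him nothing about the parity masking the other message.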

Further Information

*contributed by Natansh Mathur