Device-Independent Oblivious Transfer: Difference between revisions

Added outline and notation
No edit summary
(Added outline and notation)
Line 14: Line 14:
==Outline==
==Outline==
<!-- A non-mathematical detailed outline which provides a rough idea of the concerned protocol -->
<!-- A non-mathematical detailed outline which provides a rough idea of the concerned protocol -->
* The protocol consists of multiple rounds, which are randomly chosen for testing or string generation
* The testing rounds are carried out to ensure that the devices used are following the expected behaviour. The self-testing protocol used is a modification of the one used in DIQKD. This modification is necessary as, unlike the DIQKD scenario, the parties involved in OT may not trust each other to cooperate. The self-testing protocol uses the computational assumptions associated with ''Extended noisy trapdoor claw-free'' (ENTCF) function families to certify that the device has created the desired quantum states. If the fraction of failed testing rounds exceeds a certain limit, the protocol is aborted.
* Following the generation rounds, the honest sender outputs two randomly generated strings of equal length, and the honest receiver outputs their chosen string out of the two.


==Notation==
==Notation==
<!--  Connects the non-mathematical outline with further sections. -->
<!--  Connects the non-mathematical outline with further sections. -->
* <math>S</math>: The sender
* <math>R</math>: The receiver
* <math>l</math>: Length of the output strings
* <math>s_0, s_1</math>: The strings output by the sender
* <math>c</math>: A bit denoting the receiver's choice
* For any bit <math>r</math>, ['''Computational, Hadamard''']<math>_r = \begin{cases}\mbox{Computational, if } r = 0\\ \mbox{Hadamard,        if } r = 1\end{cases}</math>


* <math>\sigma_Z = \begin{pmatrix}1 & 0 \\ 0 & -1 \end{pmatrix} </math>
* For bits <math>v^{\alpha},v^{\beta}: |\phi^{(v^{\alpha},v^{\beta})}\rangle = (\sigma_Z^{v^{\alpha}}\sigma_X^{v^{\beta}} \otimes I) \frac{|00\rangle+|11\rangle}{\sqrt{2}}</math>
* An ENTCF family consists of two families of function pairs: <math>F</math> and <math>G</math>. A function pair <math>(f_{k,0},f_{k,1})</math>is indexed by a public key <math>k</math>. If <math>(f_{k,0},f_{k,1}) \in F</math>, then it is a ''claw-free pair''; and if <math>(f_{k,0},f_{k,1}) \in G</math>, then it is called an ''injective pair''. ENTCF families satisfy the following properties:
*# For a fixed <math>k \in K_F, f_{k,0}</math> and <math>f_{k,1}</math> are bijections with the same image; for every image <math>y</math>, there exists a unique pair <math>(x_0,x_1)</math>, called a ''claw'', such that <math>f_{k,0}(x_0) = f_{k,1}(x_1) = y</math>
*# Given a ''key'' <math>k \in K_F</math>, for a claw-free pair, it is quantum-computationally intractable (without access to ''trapdoor'' information) to compute both a <math>x_i</math> and a single generalized bit of <math>x_0 \oplus x_1</math>, where <math>(x_0,x_1)</math> forms a valid claw. This is known as the ''adaptive hardcore bit'' property.
*# For a fixed <math>k \in K_G, f_{k,0}</math> and <math>f_{k_1}</math> are injunctive functions with disjoint images.
*# Given a key <math>k \in K_F \cup K_G</math>, it is quantum-computationally hard (without access to ''trapdoor'' information) to determine whether <math>k</math> is a key for a claw-free or an injective pair. This property is known as ''injective invariance''.
*# For every <math>k \in K_F \cup K_G</math>, there exists a trapdoor <math>t_k</math> which can be sampled together with <math>k</math> and with which 2 and 4 are computationally easy.
<!-- ==Knowledge Graph== -->
<!-- ==Knowledge Graph== -->
<!-- Add this part if the protocol is already in the graph -->
<!-- Add this part if the protocol is already in the graph -->
Write
33

edits