Device-Independent Oblivious Transfer

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

This example protocol achieves the task of device-independent oblivious transfer in the bounded quantum storage model using a computational assumption.

Assumptions

The quantum storage of the receiver is bounded during the execution of the protocol
The device used is computationally bounded - it cannot solve the Learning with Errors (LWE) problem during the execution of the protocol
The device behaves in an IID manner - it behaves independently and identically during each round of the protocol

Outline

Notation

Protocol Description

Protocol 1: Rand 1-2 OT $^{l}$

A device prepares $n$ uniformly random Bell pairs $|\phi ^{(v_{i}^{\alpha },v_{i}^{\beta })}\rangle ,i=1,...,n$ , where the first qubit of each pair goes to $S$ along with the string $v^{\alpha }$ , and the second qubit of each pair goes to $R$ along with the string $v^{\beta }$ .
R measures all qubits in the basis $y=[$ Computational,Hadamard $]_{c}$ where $c$ is $R$ 's choice bit. Let $b\in \{0,1\}^{n}$ be the outcome. $R$ then computes $b\oplus w^{\beta }$ , where the $i$ -th entry of $w^{\beta }$ is defined by
$w_{i}^{\beta }:={\begin{cases}0,{\mbox{if }}y={\mbox{ Hadamard}}\\v_{i}^{\beta },{\mbox{if }}y={\mbox{ Computational}}\end{cases}}$
$S$ picks uniformly random $x\in \{$ Computational, Hadamard $\}^{n}$ , and measures the $i$ -th qubit in basis $x_{i}$ . Let $a\in \{0,1\}^{n}$ be the outcome. $S$ then computes $a\oplus w^{\alpha }$ , where the $i$ -th entry of $w^{\alpha }$ is defined by
$w_{i}^{\alpha }:={\begin{cases}v_{i}^{\alpha },{\mbox{if }}x_{i}={\mbox{ Hadamard}}\\0,{\mbox{if }}x_{i}={\mbox{ Computational}}\end{cases}}$
$S$ picks two uniformly random hash functions $f_{0},f_{1}\in F$ , announces $x$ and $f_{0},f_{1}$ to $R$ and outputs $s_{0}:=f_{0}(a\oplus w^{\alpha }|_{I_{0}})$ and $s_{1}:=f_{1}(a\oplus w^{\alpha }|_{I_{1}})$ where $I_{r}:=\{i\in I:x_{i}=[$ Computational,Hadamard $]_{r}\}$
$R$ outputs $s_{c}=f_{c}(b\oplus w^{\beta }|_{I_{c}})$

Protocol 2: Self-testing with a single verifier

Alice chooses the state bases $\theta ^{A},\theta ^{B}\in$ {Computational,Hadamard} uniformly at random and generates key-trapdoor pairs $(k^{A},t^{A}),(k^{B},t^{B})$ , where the generation procedure for $k^{A}$ and $t^{A}$ depends on $\theta ^{A}$ and a security parameter $\eta$ , and likewise for $k^{B}$ and $t^{B}$ . Alice supplies Bob with $k^{B}$ . Alice and Bob then respectively send $k^{A},k^{B}$ to the device.
Alice and Bob receive strings $c^{A}$ and $c^{B}$ , respectively, from the device.
Alice chooses a challenge type $CT\in \{a,b\}$ , uniformly at random and sends it to Bob. Alice and Bob then send $CT$ to each component of their device.
If $CT=a$ :
1. Alice and Bob receive strings $z^{A}$ and $z^{B}$ , respectively, from the device.
If $CT=b$ :
1. Alice and Bob receive strings $d^{A}$ and $d^{B}$ , respectively, from the device.
2. Alice chooses uniformly random measurement bases (questions) $x,y\in$ {Computational,Hadamard} and sends $y$ to Bob. Alice and Bob then, respectively, send $x$ and $y$ to the device.
3. Alice and Bob receive answer bits $a$ and $b$ , respectively, from the device. Alice and Bob also receive bits $h^{A}$ and $h^{B}$ , respectively, from the device.

Protocol 3: DI Rand 1-2 OT $^{l}$

Data generation:

The sender and receiver execute $n$ rounds of Protocol 2 (Self-testing) with the sender as Alice and receiver as Bob, and with the following modification:
If $CT_{i}=b$ , then with probability $p$ , the receiver does not use the measurement basis question supplied by the sender and instead inputs $y_{i}=[$ Computational, Hadamard $]_{c}$ where $c$ is the receiver's choice bit. Let $I$ be the set of indices marking the rounds where this has been done.
For each round $i\in \{1,...,n\}$ , the receiver stores:
- $c_{i}^{B}$
- $z_{i}^{B}$ if $CT_{i}=a$
- or $(d_{i}^{B},y_{i},b_{i},h_{i}^{B})$ if $CT_{i}=b$
The sender stores $\theta _{i}^{A},\theta _{i}^{B},(k_{i}^{A},t_{i}^{A}),(k_{i}^{B},t_{i}^{B}),c_{i}^{A},CT_{i};$ and $z_{i}^{A}$ if $CT_{i}=a$ or $(d_{i}^{A},x_{i},a_{i},h_{i}^{A})$ and $y_{i}$ if $CT_{i}=b$
For every $i\in \{1,...,n\},$ the sender stores the variable $RT_{i}$ (round type), defined as follows:
- if $CT_{i}=b$ and $\theta _{i}^{A}=\theta _{i}^{B}=$ Hadamard, then $RT_{i}=$ Bell
- else, set $RT_{i}=$ Product
For every $i\in \{1,...,n\},$ the sender chooses $T_{i}$ , indicating a test round or generation round, as follows:
- if $RT_{i}=$ Bell, choose $T_{i}\in$ {Test, Generate} uniformly at random
- else, set $T_{i}=$ Test
The sender sends ( $T_{1},...,T_{n}$ ) to the receiver

Testing:
The receiver sends the set of indices $I$ to the sender. The receiver publishes their output for all $T_{i}=$ Test rounds where $i\notin I$ . Using this published data, the sender determines the bits which an honest device would have returned.
The sender computes the fraction of test rounds (for which the receiver has published data for) that failed. If this exceeds some $\epsilon$ , the protocol aborts

Preparing data:
Let ${\tilde {I}}:=\{i:i\in I$ and $T_{i}=$ Generate} and $n^{\prime }=|{\tilde {I}}|$ . The sender checks if there exists a $k>0$ such that $\gamma n^{\prime }\leq n^{\prime }/4-2l-kn^{\prime }$ . If such a $k$ exists, the sender publishes ${\tilde {I}}$ and, for each $i\in {\tilde {I}}$ , the trapdoor $t_{i}^{B}$ corresponding to the key $k_{i}^{B}$ (given by the sender in the execution of Protocol 2,Step 1); otherwise the protocol aborts.
For each $i\in {\tilde {I}},$ the sender calculates $v_{i}^{\alpha }=d_{i}^{A}.(x_{i,0}^{A}\oplus x_{i,1}^{A})$ and defines $w^{\alpha }$ by
$w_{i}^{\alpha }={\begin{cases}v_{i}^{\alpha },{\mbox{if }}x_{i}={\mbox{Hadamard}}\\0,{\mbox{if }}x_{i}={\mbox{Computational}}\end{cases}}$

and the receiver calculates $v_{i}^{\beta }==d_{i}^{B}.(x_{i,0}^{B}\oplus x_{i,1}^{B})$ and defines $w^{\beta }$ by

$w_{i}^{\beta }={\begin{cases}0,{\mbox{if }}y_{i}={\mbox{Hadamard}}\\v_{i}^{\beta },{\mbox{if }}y_{i}={\mbox{Computational}}\end{cases}}$

Obtaining output:
The sender randomly picks two hash functions $f_{0},f_{1}\in F$ , announces $f_{0},f_{1}$ and $x_{i}$ for each $i\in {\tilde {I}}$ , and outputs $s_{0}=f_{0}(a\oplus w^{\alpha }|_{{\tilde {I}}_{0}})$ and $s_{1}=f_{1}(a\oplus w^{\alpha }|_{{\tilde {I}}_{1}})$ , where ${\tilde {I}}_{r}:=\{i\in {\tilde {I}}:x_{i}=[$ Computational,Hadamard $]_{r}\}$
Receiver outputs $s_{c}=f_{c}(a\oplus w^{\beta }|_{{\tilde {I}}_{c}})$

Properties

Further Information

References

*contributed by Chirag Wadhwa