Quantum Oblivious Transfer: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This protocol achieves the task of Oblivious Transfer in which the sender sends two bit strings and the receiver can choose which message he receives.
Oblivious transfer (OT) is a cryptographic primitive between two parties, sender and receiver. It is generally used as a building block for secure multi-party computation such as bit commitment. The functionality of OT is the following: Sender sends two bits/qubits to the receiver and the receiver can choose to receive only one of them. The protocol is secure when none of the parties obtain an information they are not supposed to obtain i.e. sender does not know which bit/qubit the receiver has chosen, and the receiver does not obtain information about the other bit/qubit.  
The receiver gets to know nothing about the other message and the sender is oblivious of which one of the two messages was received by the receiver.
This [https://link.springer.com/chapter/10.1007/3-540-46766-1_29 example protocol] achieves the task of practical OT where it can be realised with available optoelectronic apparatus while being computationally secure.  
Moreover, this protocol is practical in that it can be realised with available optoelectronic apparatus while being immune to any technologically feasible attack for the foreseeable future.  


==Assumptions==
'''Tags:''' [[:Category:Two Party Protocols|Two Party Protocols]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]]
[[Category:Two Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]]


* The quantum transmission consists of series of very dim pulses of coherent or incoherent polarized light rather than individual photons.
* The receiver attempts to detect the pulses by noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
* The pulses cannot be stored for a significant length of time, so the receiver must measure each pulse before the next one arrives or else lose the opportunity of measuring it at all.


==Experimental constraints==
* The demonstration of quantum oblivious transfer uses the transmission consisting of series of highly attenuated pulses of coherent or incoherent polarized light rather than individual photons.
* The receiver measures the pulses using noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
* The protocol is a streaming protocol where the receiver measures each pulses on the fly. Thus it does not require the receiver to store the pulses in a quantum memory.


==Outline==
==Outline==


The dark count rate is a detector's probability of registering a count during a time slot when no photons are incident on it.
This section describes the quantum OT protocol [https://link.springer.com/chapter/10.1007/3-540-46766-1_29 Bennett et al.] under realistic experimental assumptions in two phases. The preparation phase, followed by the computation phase.  
The quantum efficiency is the excess probability of registering a count when one photon is incident on the detector.


===Preparation phase===
===Preparation phase===
Line 19: Line 20:
The protocol is adjusted to the physical limitations of the receiver's detection apparatus.
The protocol is adjusted to the physical limitations of the receiver's detection apparatus.


The receiver tells the sender the quantum efficiency and dark count rate of his detectors.
The receiver conveys to the sender the experimental imperfections of his detectors i.e. the quantum efficiency and dark count rate.
 
The sender then tells the intensity of the light pulses she will use, the fraction of these pulses she will expect him to
detect successfully, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources.


She also decides on a security parameter which she communicates to the receiver.
The sender conveys the intensity of the light pulses she will use which conveys the information about the fraction of sender's pulses that will be detected successfully by the receiver, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources in the detector.


Both of them agree on a linear binary error-correcting code.
The sender and receiver agree on the security parameter of the OT protocol and on the linear binary error-correcting code.


Finally, they perform a test run to verify that the receiver can indeed detect the pulses with the said probability and error rate.  
Finally, they perform a test run to verify that the receiver indeed detects the sender pulses with the said probability and error rate.


===Computation phase===
===Computation phase===


The sender sends a random sequence of faint pulses of the four canonical polarizations from the standard basis and the hadamard basis.
The sender sends a random sequence of highly attenuated coherent pulses of the four canonical polarizations from the standard basis and the Hadamard basis.


The receiver randomly decides for each pulse whether to measure it in the standard or the hadamard basis, and records the basis and measurement result in a table.
The receiver randomly decides for each pulse whether to measure it in the standard or the Hadamard basis, and records the basis and measurement results. The receiver then reports the arrival times of all pulses he received to the sender, but not the bases or the measurement results.
He then reports to the sender the arrival times of all pulses he received, but not the bases or the measurement results.


The sender then tells the receiver the bases she used to send each of the pulses he received.
The sender then conveys to the receiver the bases measurement she used for each of the pulses received by the receiver.  


The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the incorrect basis.
He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements.
Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements.
The sender does not know which word she shares with the receiver.
The sender does not know which word she shares with the receiver.


Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an errorfree channel.
Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error free channel.
Given this data, the receiver should be able to recover the original word corresponding to his good set but not that corresponding to his bad set.
Given this data, the receiver is able to recover the original word corresponding to his good set but not that corresponding to his bad set.
Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities.
Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities.
At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows.
At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows.
Line 53: Line 50:
If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity.
If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity.
From this, the receiver extracts the desired bit.
From this, the receiver extracts the desired bit.


==Notation==
==Notation==
Line 68: Line 64:
* <math>\hat{c}</math>: Index of the set whose parity is known to the receiver.
* <math>\hat{c}</math>: Index of the set whose parity is known to the receiver.


==Hardware Requirements==
==Requirements==


* Basic state preparation and measurement devices.
* Basic state preparation and measurement devices.
* Access to an error-free classical channel.
* Access to an error-free classical channel.


==Knowledge Graph==
{{graph}}


==Properties==
==Properties==
Line 83: Line 82:




==Pseudocode==
==Protocol Description==


===Preparation phase===
===Preparation phase===
Line 93: Line 92:
## The sender sends pulses of intensity <math>\mu</math> in a prearranged sequence of polarizations.
## The sender sends pulses of intensity <math>\mu</math> in a prearranged sequence of polarizations.
## The receiver reads each pulse in the correct basis
## The receiver reads each pulse in the correct basis
## He then verifies if he can detect the pulses with probability greater than </math>a</math> and error rate less than <math>\epsilon</math>.      
## He then verifies if he can detect the pulses with probability greater than <math>a</math> and error rate less than <math>\epsilon</math>.


===Computation phase===
===Computation phase===


# The sender sends a random sequence of <math>2N/a</math> pulses in either of <math>\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}</math> states.
# The sender sends a random sequence of <math>2N/a</math> pulses in either of <math>\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}</math> states.
# The receiver receives roughly <math>2N</math> pulses and randomly decides to measure each pulse in the standard or the hadamard basis and records the basis and the measurement.
# The receiver obtains roughly <math>2N</math> pulses after measuring each of them randomly in the standard or the Hadamard basis. He records the basis and the measurement.
# He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
# He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
# The sender then tells the receiver the bases she used to send each of the pulses he received.
# The sender then tells the receiver the bases she used to send each of the pulses he received.

Latest revision as of 15:34, 16 October 2019

Oblivious transfer (OT) is a cryptographic primitive between two parties, sender and receiver. It is generally used as a building block for secure multi-party computation such as bit commitment. The functionality of OT is the following: Sender sends two bits/qubits to the receiver and the receiver can choose to receive only one of them. The protocol is secure when none of the parties obtain an information they are not supposed to obtain i.e. sender does not know which bit/qubit the receiver has chosen, and the receiver does not obtain information about the other bit/qubit. This example protocol achieves the task of practical OT where it can be realised with available optoelectronic apparatus while being computationally secure.

Tags: Two Party Protocols, Quantum Enhanced Classical Functionality, Specific Task


Experimental constraints[edit]

  • The demonstration of quantum oblivious transfer uses the transmission consisting of series of highly attenuated pulses of coherent or incoherent polarized light rather than individual photons.
  • The receiver measures the pulses using noisy, imperfectly quantum-efficient detectors such as photomultiplier tubes.
  • The protocol is a streaming protocol where the receiver measures each pulses on the fly. Thus it does not require the receiver to store the pulses in a quantum memory.

Outline[edit]

This section describes the quantum OT protocol Bennett et al. under realistic experimental assumptions in two phases. The preparation phase, followed by the computation phase.

Preparation phase[edit]

The protocol is adjusted to the physical limitations of the receiver's detection apparatus.

The receiver conveys to the sender the experimental imperfections of his detectors i.e. the quantum efficiency and dark count rate.

The sender conveys the intensity of the light pulses she will use which conveys the information about the fraction of sender's pulses that will be detected successfully by the receiver, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources in the detector.

The sender and receiver agree on the security parameter of the OT protocol and on the linear binary error-correcting code.

Finally, they perform a test run to verify that the receiver indeed detects the sender pulses with the said probability and error rate.

Computation phase[edit]

The sender sends a random sequence of highly attenuated coherent pulses of the four canonical polarizations from the standard basis and the Hadamard basis.

The receiver randomly decides for each pulse whether to measure it in the standard or the Hadamard basis, and records the basis and measurement results. The receiver then reports the arrival times of all pulses he received to the sender, but not the bases or the measurement results.

The sender then conveys to the receiver the bases measurement she used for each of the pulses received by the receiver.

The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the incorrect basis. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one. Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements. The sender does not know which word she shares with the receiver.

Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error free channel. Given this data, the receiver is able to recover the original word corresponding to his good set but not that corresponding to his bad set. Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities. At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows. The sender knows both parities, but she does not know which one the receiver knows.

The receiver tells the sender whether the index of the parity he knows and the index of the bit he wishes to know are equal. If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity. From this, the receiver extracts the desired bit.

Notation[edit]

  • and : The two one-bit messages of the sender out of which one is to be received by the receiver.
  • : Quantum efficiency of receiver's detectors.
  • : Dark count rate of receiver's detectors.
  • : Intensity of light pulses used by the sender.
  • : Fraction of pulses sender will expect receiver to detect successfully.
  • : Bit error rate sender will be willing to correct in receiver's data to compensate for his dark counts and other noise sources
  • : Security parameter, bits twice the number of which wil be used in communication
  • and : Parities of the two random subsets of each set.
  • : Receiver's choice of the one-bit message.
  • : Index of the set whose parity is known to the receiver.

Requirements[edit]

  • Basic state preparation and measurement devices.
  • Access to an error-free classical channel.

Knowledge Graph[edit]

Properties[edit]

  • Nothing is known about the unconditional security of our protocol against coherent measurement attack
  • Any attack consistent with quantum physics can be thwarted from a computational point of view under the assumption that one-way functions exist
  • Any attack on the protocol must be carried out 'on-line', that is when the protocol is taking place.
  • Safe oblivious transfer can be achieved when H(~E) < - (1 - e-p - pe-@)/2a, where H is the entropy function. If this condition cannot be met, the sender aborts the protocol.
  • There is no need of quantum memory.


Protocol Description[edit]

Preparation phase[edit]

  1. The receiver tells the sender the quantum efficiency and the dark count rate of his detectors.
  2. If satisfactory, the sender tells the receiver the value of , , and .
  3. Then they agree on a linear binary error-correcting code capable of correcting with very high probability N-bit words transmitted with expected error rate .
  4. Finally, both the parties perform a test run.
    1. The sender sends pulses of intensity in a prearranged sequence of polarizations.
    2. The receiver reads each pulse in the correct basis
    3. He then verifies if he can detect the pulses with probability greater than and error rate less than .

Computation phase[edit]

  1. The sender sends a random sequence of pulses in either of states.
  2. The receiver obtains roughly pulses after measuring each of them randomly in the standard or the Hadamard basis. He records the basis and the measurement.
  3. He then reports to the sender the arrival times of all 2N pulses he received, but not the bases he used or his measurement results.
  4. The sender then tells the receiver the bases she used to send each of the pulses he received.
  5. The receiver creates two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
  6. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
  7. Now, the receiver shares with the sender a -bit string corresponding to his good set and nothing with respect to his bad set of measurements.
  8. Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an errorfree channel.
  9. The receiver recovers the original word corresponding to his good set and gets to know nohing about the bad set.
  10. The sender now computes the parity of a random subset of each set and tells the receiver the addresses defining these random subsets.
  11. The receiver knows one of these parities, indexed , and nothing about the other parity, and he knows which parity he knows.
  12. The sender knows both the parities and , but does not know which one the receiver knows.
  13. The receiver tells the sender whether or not .
  14. If , sender sends and , else, she sends and .
  15. From this, the receiver extracts .

Further Information[edit]

*contributed by Natansh Mathur