Device-Independent Oblivious Transfer

This example protocol achieves the task of device-independent oblivious transfer in the bounded quantum storage model using a computational assumption.

Assumptions

• The quantum storage of the receiver is bounded during the execution of the protocol
• The device used is computationally bounded - it cannot solve the Learning with Errors (LWE) problem during the execution of the protocol
• The device behaves in an IID manner - it behaves independently and identically during each round of the protocol

Outline

Notation

Protocol Description

Protocol 1: DI Rand 1-2 OT${\displaystyle ^{l}}$

Data generation:

1. The sender and receiver execute ${\displaystyle n}$ rounds of Protocol 2 (Self-testing) with the sender as Alice and receiver as Bob, and with the following modification:

   If ${\displaystyle CT_{i}=b}$, then with probability ${\displaystyle p}$, the receiver does not use the measurement basis question supplied by the sender and instead inputs ${\displaystyle y_{i}=[}$Computational, Hadamard${\displaystyle ]_{c}}$ where ${\displaystyle c}$ is the receiver's choice bit. Let ${\displaystyle I}$ be the set of indices marking the rounds where this has been done.

   For each round ${\displaystyle i\in \{1,...,n\}}$, the receiver stores:

   • ${\displaystyle c_{i}^{B}}$
   • ${\displaystyle z_{i}^{B}}$ if ${\displaystyle CT_{i}=a}$
   • or ${\displaystyle (d_{i}^{B},y_{i},b_{i},h_{i}^{B})}$ if ${\displaystyle CT_{i}=b}$

   The sender stores ${\displaystyle \theta _{i}^{A},\theta _{i}^{B},(k_{i}^{A},t_{i}^{A}),(k_{i}^{B},t_{i}^{B}),c_{i}^{A},CT_{i};}$ and ${\displaystyle z_{i}^{A}}$ if ${\displaystyle CT_{i}=a}$ or ${\displaystyle (d_{i}^{A},x_{i},a_{i},h_{i}^{A})}$ and ${\displaystyle y_{i}}$ if ${\displaystyle CT_{i}=b}$

2. For every ${\displaystyle i\in \{1,...,n\},}$ the sender stores the variable ${\displaystyle RT_{i}}$ (round type), defined as follows:
   • if ${\displaystyle CT_{i}=b}$ and ${\displaystyle \theta _{i}^{A}=\theta _{i}^{B}=}$Hadamard, then Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle RT_{i}=} Bell
   • else, set Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle RT_{i}=} Product
3. For every ${\displaystyle i\in \{1,...,n\},}$ the sender chooses ${\displaystyle T_{i}}$, indicating a test round or generation round, as follows:
   • if Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle RT_{i}=} Bell, choose ${\displaystyle T_{i}\in }$ {Test, Generate} uniformly at random
   • else, set Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle T_{i}=} Test

   The sender sends (Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle T_{1},...,T_{n}} ) to the receiver

   Testing:

4. The receiver sends the set of indices ${\displaystyle I}$ to the sender. The receiver publishes their output for all Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle T_{i}=} Test rounds where Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle i\notin I} . Using this published data, the sender determines the bits which an honest device would have returned.
5. The sender computes the fraction of test rounds (for which the receiver has published data for) that failed. If this exceeds some ${\displaystyle \epsilon }$, the protocol aborts

   Preparing data:

6. Let ${\displaystyle {\tilde {I}}:=\{i:i\in I}$ and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle T_{i}=} Generate} and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle n^{\prime }=|{\tilde {I}}|} . The sender checks if there exists a Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle k>0} such that Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle \gamma n^{\prime }\leq n^{\prime }/4-2l-kn^{\prime }} . If such a ${\displaystyle k}$ exists, the sender publishes Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle {\tilde {I}}} and, for each Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle i\in {\tilde {I}}} , the trapdoor Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle t_{i}^{B}} corresponding to the key ${\displaystyle k_{i}^{B}}$ (given by the sender in the execution of Protocol 2,Step 1); otherwise the protocol aborts.
7. For each ${\displaystyle i\in {\tilde {I}},}$ the sender calculates Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle v_{i}^{\alpha }} and defines ${\displaystyle w^{\alpha }}$ by

   Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle w_{i}^{\alpha }={\begin{cases}v_{i}^{\alpha },{\mbox{if }}x_{i}={\mbox{Hadamard}}\\0,{\mbox{if }}x_{i}={\mbox{Computational}}\end{cases}}}

   and the receiver calculates Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle v_{i}^{\beta }} and defines ${\displaystyle w^{\beta }}$ by

   Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle w_{i}^{\beta }={\begin{cases}0,{\mbox{if }}y_{i}={\mbox{Hadamard}}\\v_{i}^{\beta },{\mbox{if }}y_{i}={\mbox{Computational}}\end{cases}}}

   Obtaining output:

8. The sender randomly picks two hash functions ${\displaystyle f_{0},f_{1}\in F}$, announces ${\displaystyle f_{0},f_{1}}$ and ${\displaystyle x_{i}}$ for each Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle i\in {\tilde {I}}} , and outputs ${\displaystyle s_{0}=f_{0}(a\oplus w^{\alpha }|_{{\tilde {I}}_{0}})}$ and ${\displaystyle s_{1}=f_{1}(a\oplus w^{\alpha }|_{{\tilde {I}}_{1}})}$, where ${\displaystyle {\tilde {I}}_{r}:=\{i\in {\tilde {I}}:x_{i}=[}$Computational,HadamardFailed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle ]_{r}\}}
9. Receiver outputs Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle s_{c}=f_{c}(a\oplus w^{\beta }|_{{\tilde {I}}_{c}})}

Protocol 2: Self-testing with a single verifier

1. Alice chooses the state bases ${\displaystyle \theta ^{A},\theta ^{B}\in }$ {Computational,Hadamard} uniformly at random and generates key-trapdoor pairs Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle (k^{A},t^{A}),(k^{B},t^{B})} , where the generation procedure for ${\displaystyle k^{A}}$ and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle t^{A}} depends on Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle \theta ^{A}} and a security parameter ${\displaystyle \eta }$, and likewise for Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle k^{B}} and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle t^{B}} . Alice supplies Bob with Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle k^{B}} . Alice and Bob then respectively send Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle k^{A},k^{B}} to the device.
2. Alice and Bob receive strings ${\displaystyle c^{A}}$ and ${\displaystyle c^{B}}$, respectively, from the device.
3. Alice chooses a challenge type Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle CT\in \{a,b\}} , uniformly at random and sends it to Bob. Alice and Bob then send Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle CT} to each component of their device.
4. If ${\displaystyle CT=a}$:
   1. Alice and Bob receive strings Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle z^{A}} and ${\displaystyle z^{B}}$, respectively, from the device.
5. If Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle CT=b} :
   1. Alice and Bob receive strings Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle d^{A}} and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle d^{B}} , respectively, from the device.
   2. Alice chooses uniformly random measurement bases (questions) Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle x,y\in } {Computational,Hadamard} and sends ${\displaystyle y}$ to Bob. Alice and Bob then, respectively, send ${\displaystyle x}$ and ${\displaystyle y}$ to the device.
   3. Alice and Bob receive answer bits ${\displaystyle a}$ and ${\displaystyle b}$, respectively, from the device. Alice and Bob also receive bits ${\displaystyle h^{A}}$ and Failed to parse (Conversion error. Server ("https://wikimedia.org/api/rest_") reported: "Cannot get mml. Server problem."): {\displaystyle h^{B}} , respectively, from the device.

Properties

Further Information

References