Abstract
Oblivious transfer is an important primitive in modern cryptography. Applications include secure multiparty computation, oblivious sampling, e-voting, and signatures. Information-theoretically secure perfect 1-out-of-2 oblivious transfer is impossible to achieve. Imperfect variants, where both participants’ ability to cheat is still limited, are possible using quantum means while remaining classically impossible. Precisely what security parameters are attainable remains unknown. We introduce a theoretical framework for studying semirandom quantum oblivious transfer, which is shown to be equivalent to regular oblivious transfer in terms of cheating probabilities. We then use it to derive bounds on cheating. We also present a protocol with lower cheating probabilities than previous schemes, together with its optical realization. We show that a lower bound of on the minimum achievable cheating probability can be directly derived for semirandom protocols using a different method and definition of cheating than used previously. The lower bound increases from to approximately if the states output by the protocol are pure and symmetric. The oblivious transfer scheme we present uses unambiguous state elimination measurements and can be implemented with the same technological requirements as standard quantum cryptography. In particular, it does not require honest participants to prepare or measure entangled states. The cheating probabilities are and approximately 0.729 for sender and receiver, respectively, which is lower than in existing protocols. Using a photonic testbed, we have implemented the protocol with honest parties, as well as optimal cheating strategies. Because of the asymmetry of the receiver’s and sender’s cheating probabilities, the protocol can be combined with a “trivial” protocol to achieve an overall protocol with lower average cheating probabilities of approximately 0.74 for both sender and receiver. This demonstrates that, interestingly, protocols where the final output states are pure and symmetric are not optimal in terms of average cheating probability.
- Received 16 July 2020
- Accepted 15 January 2021
DOI:https://doi.org/10.1103/PRXQuantum.2.010335
Published by the American Physical Society under the terms of the Creative Commons Attribution 4.0 International license. Further distribution of this work must maintain attribution to the author(s) and the published article's title, journal citation, and DOI.
Popular Summary
Oblivious transfer is a cryptographic task involving a sender Alice and a receiver Bob who do not trust each other. Alice has two messages and wants Bob to obtain only one of them, and not learn the other. Bob, on the other hand, does not want Alice to know which of the messages he got. Oblivious transfer enables many applications, including e-voting and other privacy-preserving tasks. Unfortunately, it is impossible to achieve it with perfect security. However, oblivious transfer with partial security can be realized using quantum capabilities, but is still impossible classically. It is important to find the limits of what can be achieved and to design good quantum protocols that are still practical to implement.
In this work, we explore how good quantum protocols can be. We give lower bounds on Alice’s and Bob’s cheating probabilities for any possible quantum protocol. These bounds agree with, and in some cases improve on, previous bounds. We also design a concrete quantum oblivious transfer protocol that is simple to implement. Finally, we implement this protocol using a photonic system, illustrating that our protocol is practical. Moreover, with our experiment, we find good agreement between the cheating probabilities and the theoretical bounds.
Our work sets the stage for future explorations of imperfect oblivious transfer, by quantifying how good quantum protocols can be and presenting and implementing a practical protocol. Finding applications for our practical protocol for quantum oblivious transfer can be a crucial next step and could open new directions in quantum-enhanced modern cryptography.