2023, arXiv (Cornell University)
The noisy-storage model of quantum cryptography allows for information-theoretically secure two-party computation based on the assumption that a cheating user has at most access to an imperfect, noisy quantum memory, whereas the honest users do not need a quantum memory at all. In general, the more noisy the quantum memory of the cheating user, the more secure the implementation of oblivious transfer, which is a primitive that allows universal secure two-party and multi-party computation. For experimental implementations of oblivious transfer, one has to consider that also the devices held by the honest users are lossy and noisy, and error correction needs to be applied to correct these trusted errors. The latter are expected to reduce the security of the protocol, since a cheating user may hide themselves in the trusted noise. Here we leverage entropic uncertainty relations to derive tight bounds on the security of oblivious transfer with a trusted and untrusted noise. In particular, we discuss noisy storage and bounded storage, with independent and correlated noise.
2009
It was shown in [WST08] that cryptographic primitives can be implemented based on the assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the universal task of oblivious transfer that can be implemented using quantum-key-distribution (QKD) hardware in the practical setting where honest participants are unable to perform noise-free operations. We derive trade-offs between the amount of storage noise, the amount of noise in the operations performed by the honest participants and the security of oblivious transfer which are greatly improved compared to the results in [WST08]. As an example, we show that for the case of depolarizing noise in storage we can obtain secure oblivious transfer as long as the quantum bit-error rate of the channel does not exceed 11% and the noise on the channel is strictly less than the quantum storage noise. This is optimal for the protocol considered. Finally, we show that our analysis easily carries over to quantum protocols for secure identification.
2004
Abstract. Oblivious transfer (OT) is a cryptographic primitive of central importance, in particular in two- and multi-party computation. There exist various protocols for different variants of OT, but any such realization from scratch can be broken in principle by at least one of the two involved parties if she has sufficient computing power, and the same even holds when the parties are connected by a quantum channel. We show that, on the other hand, if noise, which is inherently present in any physical communication channel, is taken into account, then OT can be realized in an unconditionally secure way for both parties, i.e., even against dishonest players with unlimited computing power. We give the exact condition under which a general noisy channel allows for realizing OT and show that only “trivial” channels, for which OT is obviously impossible to achieve, have to be excluded. Moreover, our realization of OT is efficient: For a security parameter α > 0—an upper bound on the...
Nature Communications, 2014
Cryptography's importance in our everyday lives continues to grow in our increasingly digital world. Oblivious transfer has long been a fundamental and important cryptographic primitive, as it is known that general two-party cryptographic tasks can be built from this basic building block. Here we show the experimental implementation of a 1-2 random oblivious transfer protocol by performing measurements on polarization-entangled photon pairs in a modified entangled quantum key distribution system, followed by all of the necessary classical postprocessing including one-way error correction. We successfully exchange a 1,366 bit random oblivious transfer string in ~3 min and include a full security analysis under the noisy storage model, accounting for all experimental error rates and finite size effects. This demonstrates the feasibility of using today's quantum technologies to implement secure two-party protocols.
PRX quantum, 2021
Oblivious transfer is an important primitive in modern cryptography. Applications include secure multiparty computation, oblivious sampling, e-voting, and signatures. Information-theoretically secure perfect 1-out-of-2 oblivious transfer is impossible to achieve. Imperfect variants, where both participants' ability to cheat is still limited, are possible using quantum means while remaining classically impossible. Precisely what security parameters are attainable remains unknown. We introduce a theoretical framework for studying semirandom quantum oblivious transfer, which is shown to be equivalent to regular oblivious transfer in terms of cheating probabilities. We then use it to derive bounds on cheating. We also present a protocol with lower cheating probabilities than previous schemes, together with its optical realization. We show that a lower bound of 2/3 on the minimum achievable cheating probability can be directly derived for semirandom protocols using a different method and definition of cheating than used previously. The lower bound increases from 2/3 to approximately 0.749 if the states output by the protocol are pure and symmetric. The oblivious transfer scheme we present uses unambiguous state elimination measurements and can be implemented with the same technological requirements as standard quantum cryptography. In particular, it does not require honest participants to prepare or measure entangled states. The cheating probabilities are 3/4 and approximately 0.729 for sender and receiver, respectively, which is lower than in existing protocols. Using a photonic testbed, we have implemented the protocol with honest parties, as well as optimal cheating strategies. Because of the asymmetry of the receiver's and sender's cheating probabilities, the protocol can be combined with a "trivial" protocol to achieve an overall protocol with lower average cheating probabilities of approximately 0.74 for both sender and receiver. This demonstrates that, interestingly, protocols where the final output states are pure and symmetric are not optimal in terms of average cheating probability.
Lecture Notes in Computer Science, 2008
In secure two-party function evaluation Alice holding initially a secret input x and Bob having a secret input y communicate to determine a prescribed function f(x, y) in such a way that after the computation Bob learns f(x, y) but nothing more about x other than he could deduce from y and f(x, y) alone, and Alice learns nothing. Unconditionally secure function evaluation is known to be essentially impossible even in the quantum world. In this paper we introduce a new, weakened, model for security in two-party quantum computations. In our model (we call it susceptible function computation), if one party learns something about the input of the other one with advantage ε then the probability that the correct value f(x, y) is computed, when the protocol completes, is at most 1 − δ(ε), for some function δ of ε. Thus, this model allows to measure the trade-off between the advantage of a dishonest party and the error induced by its attack. Furthermore, we present a protocol for computing the one-out-of-two oblivious transfer function that achieves a quadratic trade-off, i.e. δ = Ω(ε²).
Quantum computers use the power of quantum physics to give rise to new types of security. For example, classical bits can be copied, but qubits generally cannot. With the recent introduction of quantum computers, there is an emerging need to harness the power of quantum cryptography schemes to overshadow the computing force of counterfeiters. In this article, we will investigate 2 major questions in cryptography, namely (1) how to communicate a secret securely among multiple parties and (2) how to create a secure quantum currency that is sustainable to quantum attacks. We will first investigate the No-cloning theorem and the error-correction schemes, and plug these notations into threshold schemes and quantum money schemes to analyze how quantum mechanisms work in encrypting data, as well as how interactive attacks can possibly break the schemes. We do not provide a concrete answer to either of the questions, as all the methods discussed in this article have been proven to be vulnerable to attackers with adequate computing ability. Regardless, they are important foundations to more recent development in cryptography and public-key quantum money.
Nature Physics, 2008
Quantum cryptography has been recently extended to continuous variable systems, e.g., the bosonic modes of the electromagnetic field. In particular, several cryptographic protocols have been proposed and experimentally implemented using bosonic modes with Gaussian statistics. Such protocols have shown the possibility of reaching very high secret key rates, even in the presence of strong losses in the quantum communication channel. Despite this robustness to loss, their security can be affected by more general attacks where extra Gaussian noise is introduced by the eavesdropper. In this general scenario we show a "hardware solution" for enhancing the security thresholds of these protocols. This is possible by extending them to a two-way quantum communication where subsequent uses of the quantum channel are suitably combined. In the resulting two-way schemes, one of the honest parties assists the secret encoding of the other with the chance of a non-trivial superadditive enhancement of the security thresholds. Such results enable the extension of quantum cryptography to more complex quantum communications.
Quantum Computing, Communication, and Simulation III
Modern cryptography is more than sending secret messages, and quantum cryptography is more than quantum key distribution. One example is oblivious transfer, which is interesting partly because it can be used to implement secure multiparty computation [1, 2]. We discuss a protocol for quantum XOR oblivious transfer, and how non-interactive quantum oblivious transfer protocols can be "reversed", so that oblivious transfer is still implemented from a sender to a receiver, but so that it is the receiver who sends a quantum state to the sender, who measures it, instead of the other way round. This is useful when one party can only prepare and send quantum states, and the other party can only measure them, which is often the case in practical quantum communication systems. Both the "original" XOR oblivious transfer protocol and its reversed version have been implemented optically. We also discuss how quantum random access codes can be connected with quantum oblivious transfer.
Physical Review Letters, 2008
By sending systems in specially prepared quantum states, two parties can communicate without an eavesdropper being able to listen. The technique, called quantum cryptography, enables one to verify that the state of the quantum system has not been tampered with, and thus one can obtain privacy regardless of the power of the eavesdropper. All previous protocols relied on the ability to faithfully send quantum states. In fact, until recently, they could all be reduced to a single protocol where security is ensured through sharing maximally entangled states. Here we show this need not be the case: one can obtain verifiable privacy even through some channels which cannot be used to reliably send quantum states.
Journal of Modern Optics, 1994
In a One-out-of-two Oblivious Transfer, a party Alice has two messages m0, m1 that she sends to another party Bob in such a way that he can decide to get either of them at his choosing but not both. Alice never finds out which message Bob received. First introduced by Wiesner as "conjugate coding", this cryptographic tool was later introduced to the world of public-key cryptography, first by Rabin (in a slightly different flavour) and then by Even, Goldreich and Lempel who named it after Rabin's primitive called Oblivious Transfer. The One-out-of-two Oblivious Transfer was later shown to be extremely powerful to design general cryptographic tools. The current paper presents a new design of a One-out-of-two Oblivious Transfer based on the transmission of polarized light, improving the work of Wiesner [17] and Bennett, Brassard, Breidbart and Wiesner [3] and shows that the scheme is robust to general attacks.
Physical Review Letters, 2008
We show how to implement cryptographic primitives based on the realistic assumption that quantum storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest party attempts to store each incoming qubit separately. Our model is similar to the model of bounded-quantum storage, however, we consider an explicit noise model inspired by present-day technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer (OT) is secure for any amount of quantum-storage noise, as long as honest players can perform perfect quantum operations. Our model also allows the security of protocols that cope with noise in the operations of the honest players and achieve more advanced tasks such as secure identification.
Advances in Cryptology — CRYPTO ’91
We describe a protocol for quantum oblivious transfer, utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two one-bit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (i.e. deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol
Physical Review Letters, 1996
Existing quantum cryptographic schemes are not, as they stand, operable in the presence of noise on the quantum communication channel. Although they become operable if they are supplemented by classical privacy-amplification techniques, the resulting schemes are difficult to analyse and have not been proved secure. We introduce the concept of quantum privacy amplification and a cryptographic scheme incorporating it which is provably secure over a noisy channel. The scheme uses an 'entanglement purification' procedure which, because it requires only a few quantum Controlled-Not and single-qubit operations, could be implemented using technology that is currently being developed. The scheme allows an arbitrarily small bound to be placed on the information that any eavesdropper may extract from the encrypted message. PACS numbers: 89.70.+c, 03.65.Bz, 89.80.+h
2010
Due to the commonly known impossibility results, information theoretic security is considered impossible for oblivious transfer (OT) in both the classical and the quantum world. In this paper, we proposed a weak version of the all-or-nothing OT. In our protocol the honest parties do not need long term quantum memory, entanglements, or sophisticated quantum computations. We observe some difference between the classical and quantum OT impossibilities.
Lecture Notes in Computer Science, 2009
Oblivious transfer (OT) is a two-party primitive which is one of the cornerstones of modern cryptography. We focus on providing information-theoretic security for both parties, hence building OT assuming noisy resources (channels or correlations) available to them. This primitive is about transmitting two strings such that the receiver can obtain one (and only one) of them, while the sender remains ignorant of this choice. Recently, Winter and Nascimento proved that oblivious transfer capacity is positive for any non-trivial discrete memoryless channel or correlation in the case of passive cheaters. Their construction was inefficient. The OT capacity characterizes the maximal efficiency of constructing OT using a particular noisy primitive. Building on their result, we extend it in two ways: 1) we construct efficient passively-secure protocols achieving the same rates; 2) we show that an important class of noisy correlations actually allows to build OT with non-zero rate secure against active cheating (before, positive rates were only achieved for the erasure channel).
arXiv (Cornell University), 2021
We present a device independently secure quantum scheme for p-threshold all-or-nothing oblivious transfer. Novelty of the scheme is that its security does not depend, unlike the usual case, on any quantum bit commitment protocol, rather it depends on Hardy's argument for two-qubit system. This scheme is shown to be unconditionally secure against any strategy allowed by quantum mechanics. By providing a secure scheme for all-or-nothing quantum oblivious transfer, we have answered a long standing open problem, other than the quantum key distribution, whether there is any two-party quantum cryptographic protocol, which is unconditionally secure.
2018 IEEE Information Theory Workshop (ITW), 2018
We determine the secrecy capacities of AVQCs (arbitrarily varying quantum channels). Both secrecy capacity with average error probability and with maximal error probability are derived. Both derivations are based on one common code construction. The code we construct fulfills a stringent secrecy requirement, which is called the strong code concept. We determine when the secrecy capacity is a continuous function of the system parameters and completely characterize its discontinuity points both for average error criterion and for maximal error criterion. Furthermore, we prove the phenomenon “super-activation” for secrecy capacities of AVQCs, i.e., two quantum channels both with zero secrecy capacity, which, if used together, allow secure transmission with positive capacity. We also discuss the relations between the entanglement distillation capacity, the entanglement generating capacity, and the strong subspace transmission capacity for AVQCs.
Journal of Mathematical Physics
We determine the secrecy capacities of arbitrarily varying quantum channels (AVQCs). Both secrecy capacities with average error probability and with maximal error probability are derived. Both derivations are based on one common code construction. The code we construct fulfills a stringent secrecy requirement, which is called the strong code concept. As an application of our result for secret message transmission over AVQCs, we determine when the secrecy capacity is a continuous function of the system parameters and completely characterize its discontinuity points both for average error criterion and for maximal error criterion. Furthermore, we prove the phenomenon "superactivation" for secrecy capacities of arbitrarily varying quantum channels, i.e., two quantum channels both with zero secrecy capacity, which, if used together, allow secure transmission with positive capacity. We give therewith an answer to the question "When is the secrecy capacity a continuous function of the system parameters?," which has been listed as an open problem in quantum information problem page of the Institut für Theoretische Physik (ITP) Hannover. We also discuss the relations between the entanglement distillation capacity, the entanglement generating capacity, and the strong subspace transmission capacity for AVQCs. Ahlswede et al. made in 2013 the conjecture that the entanglement generating capacity of an AVQC is equal to its entanglement generating capacity under shared randomness assisted quantum coding. We demonstrate that the validity of this conjecture implies that the entanglement generating capacity, the entanglement distillation capacity, and the strong subspace transmission capacity of an AVQC are continuous functions of the system parameters. Consequently, under the premise of this conjecture, the secrecy capacities of an AVQC differ significantly from the general quantum capacities.
Physical Review A
We introduce and analyze approximate quantum secret sharing in a formal cryptographic setting, wherein a dealer encodes and distributes a quantum secret to players such that authorized structures (sets of subsets of players) can approximately reconstruct the quantum secret and omnipotent adversarial agents controlling nonauthorized subsets of players are approximately denied the quantum secret. In particular, viewing the map encoding the quantum secret shares for players in an authorized structure as a quantum channel, we show that approximate reconstructability of the quantum secret by these players is possible if and only if the information leakage, given in terms of a certain entanglement-assisted capacity of the complementary quantum channel to the players outside the structure and the environment, is small.
In this work we give a (n, n)-threshold protocol for sequential secret sharing of quantum information for the first time. By sequential secret sharing we refer to a situation where the dealer is not having all the secrets at the same time, at the beginning of the protocol; however if the dealer wishes to share secrets at subsequent phases she/he can realize it with the help of our protocol. First of all we present our protocol for three parties and later we generalize it for the situation where we have (n > 3) parties. Further in a much more realistic situation, we consider the sharing of qubits through two kinds of noisy channels, namely the phase damping channel (PDC) and the amplitude damping channel (ADC). When we carry out the sequential secret sharing in the presence of noise we observe that the fidelity of secret sharing at the k-th iteration is independent of the effect of noise at the (k − 1)-th iteration. In case of ADC we have seen that the average fidelity of secret sharing drops down to 1/2 which is equivalent to a random guess of the quantum secret. Interestingly, we find that by applying weak measurements one can enhance the average fidelity. This increase of the average fidelity can be achieved with certain trade off with the success probability of the weak measurements.