One-out-of-two Quantum Oblivious Transfer based on Nonorthogonal States

Yao-Hsin Chou, Guo-Jyun Zeng, Shu-Yu Kuo
2018 Scientific Reports  
This research proposes the first one-out-of-two quantum oblivious transfer (QOT) scheme that does not have a two-level structure and is not subject to Lo's no-go theorem. Instead, the proposed scheme is a simple and efficient approach based on nonorthogonal states. The nonorthogonality causes one of a pair of messages to be unable to be measured to achieve the irreversible goal of discarding a message, resulting in a one-out-of-two selection effect. The proposed QOT protocol is therefore built directly on quantum resources rather than on a two-level structure in which two classical keys must first be created using quantum resources (all-or-nothing QOT) and then a one-out-of-two protocol is built from there. Furthermore, the proposed protocol allows Alice and Bob to test each other's loyalty by comparing measurement results. In addition, the relationship with the no-go theorem is discussed in detail; this relationship is often overlooked in other studies. A security analysis demonstrates that the proposed protocol is secure against both external and internal attacks. In addition, an efficiency analysis shows that the proposed protocol is more efficient than other, two-level-structured protocols.

Oblivious transfer (OT) is an important branch of cryptography with many useful and important applications, such as secure computation, bit commitment, remote coin-flipping, and digital contract signing, for which OT protocols are the cryptographic primitives. The two most commonly used OT protocols are the all-or-nothing protocol and the one-out-of-two protocol. All-or-nothing OT was first introduced by Rabin [1] in 1981. In the all-or-nothing OT protocol, a sender Alice wants to send a secret message, m ∈ {0, 1}, to a receiver Bob who has only a 50% probability of receiving m. He will either learn the message m with 100% reliability or learn nothing about m. At the end of all-or-nothing OT, Alice remains oblivious as to whether Bob received the message m. Following the proposal of this protocol, Even et al. [2] presented one-out-of-two OT (abbreviated as 1-2 OT), in which Alice transfers two messages, m_0 and m_1, to Bob, and he can choose only one of them and will have no idea what the other message is. When the one-out-of-two OT protocol is complete, Alice learns nothing about which message Bob selected.
In 1988, Crépeau [3] presented a method, called Crépeau's reduction, for building a one-out-of-two OT protocol from p-all-or-nothing OT, in which the receiver has a probability p of receiving the message m. The receiver builds two key sets to represent his choice, key_0 and key_1, one of which he learns with 100% certainty and the other of which he learns with 0% certainty. Based on Bob's choice j ∈ {0, 1}, he asks Alice to encrypt her messages m_0 and m_1 using key_j and key_j, where j = 0 ⇒ key_0 or j = 1 ⇒ key_1. Then, Bob can receive m_j under this two-level-structured method.

Classical OT protocols are almost all based on the RSA cryptosystem [4]. However, Shor showed that a quantum algorithm [5] can be used to break the RSA cryptosystem in polynomial time, which means that such protocols may be unsafe against quantum algorithms. In 1984, Bennett and Brassard proposed the first quantum key distribution protocol [6], called BB84, thereby initiating the study of quantum cryptography. Researchers later showed that BB84 is unconditionally secure [7-10] both in theory and in implementation by achieving a one-time pad. The security of quantum cryptography is based on physical laws, unlike that of classical cryptography, which is based on mathematical complexity. This physical basis allows quantum cryptography to easily achieve many goals that were difficult or unthinkable in the past, including unconditional security.

Since the proposal of BB84 [6], researchers have been designing quantum oblivious transfer (QOT) protocols using quantum properties. Crépeau and Kilian [11] proposed the first all-or-nothing QOT scheme in 1988, and Bennett et al. [12] proposed the first one-out-of-two QOT scheme protected by a quantum error-correcting code in 1992. In 1994, Crépeau [13] presented a one-out-of-two QOT scheme based on quantum bit commitment (QBC), which guarantees security under the assumption that Bob cannot delay the quantum measurement.
In 1995, Yao [14] further proved that this protocol is secure against coherent measurement if QBC is secure. However, in 1997, Lo [15] raised the concern that all one-sided two-party computations (in which two parties must input i and j to calculate a function f(i, j) but only one of the two parties is allowed to learn the result) may be insecure, including one-out-of-two QOT (the function f in one-out-of-two QOT is a selector). This was called Lo's no-go theorem, and because of the computational equivalence [3,12] of the two OTs, this theorem has caused extreme difficulties in the development of QOT research.

Recent studies have, however, proposed various methods of avoiding Lo's no-go theorem. In 2002, Shimizu and Imoto [16] presented an interesting communication method analogous to one-out-of-two QOT with a 50% probability of completing the communication. They [17] then improved the security of their protocol against entangled pair attacks in 2003. Moreover, in 2006, He and Wang [18] proposed a secure all-or-nothing QOT scheme using four entangled states, which, as a result, was no longer subject to Lo's no-go theorem [15]. Consequently, He claimed that Lo's no-go theorem [15] did not truly cover all QOT conditions. Thereafter, He [19] demonstrated that a one-out-of-two QOT scheme built on an all-or-nothing QOT protocol using Crépeau's reduction [3] also is not subject to Lo's no-go theorem [15]. The key is that the receiver inputs his choice before the sender inputs her messages m_0 and m_1, causing the functions f of the one-out-of-two protocol and Lo's no-go theorem [15] to be different. Following He's proof [19], researchers have been designing new one-out-of-two QOT schemes [19]. In 2007, Wei Yang et al. [20] presented a one-out-of-two QOT scheme using tripartite entangled states based on He's proof [19] and also showed that this scheme is not covered by the cheating strategy of Lo's no-go theorem [15].
Li Yang [21] presented an all-or-nothing QOT scheme using nonorthogonal states, similar to B92 [22], and used it as a basis for constructing a one-out-of-two QOT scheme in 2013. Subsequently, Yu-Guang Yang and his research team, as part of a research effort that began in 2014, have proposed several QOT protocols. They have been testing various schemes for building one-out-of-two QOT protocols using He's proof [19]. In 2014, they [23] proposed all-or-nothing and one-out-of-two QOT protocols based on an untrusted third party. In 2015, they [24] developed an all-or-nothing QOT protocol by analyzing the probability of the qubit state distribution, which led them to propose a method of testing the loyalty of the sender and then to build a one-out-of-two QOT protocol on this basis. They [25] also designed a one-out-of-two QOT scheme with a two-level structure using BB84 [6] and reduced it to B92 [22] for an all-or-nothing QOT scheme. In addition, they [26] attempted to use Bell states to achieve the same effect as B92 [22] for one-out-of-two QOT. Furthermore, in 2017, they [27] proposed a method of using any two nonorthogonal states by cooperatively measuring the qubit sequence and then built a one-out-of-n QOT scheme using this method.

However, these protocols [21,23-27] all have two-level structures, in which two classical keys are created using an all-or-nothing QOT protocol and then a one-out-of-two QOT protocol is built on top. The two-level structure is clearly inefficient, because many quantum resources are consumed for all-or-nothing QOT instead of being used to transfer the message. In addition, this structure reduces the elasticity and diversity of protocol design because such designs can only follow He's proof [19] with minor revisions to the details of the all-or-nothing QOT scheme.
In our opinion, He's proof [19] not only revealed a different function f, which is not subject to Lo's no-go theorem [15], based on a two-level structure but also provided a new approach in the sense that if any protocol can achieve the same effect as that of f in He's proof [19], then it is also covered by He's proof [19]. In this work, the first one-out-of-two QOT protocol is proposed that is directly based only on the properties of quantum resources, namely, nonorthogonal states, rather than a two-level structure, while also being covered by He's proof [19]. The key to our protocol is that Bob's choice is made before Alice inputs her messages m_0 and m_1. The property of nonorthogonality ensures that one of the two messages cannot be measured and thus maintains obliviousness, thereby achieving the same effect as that of f in He's proof [19]. Therefore, our protocol is not only secure (and not subject to Lo's no-go theorem) but can achieve greater efficiency than protocols [21,23-27] that are based on a two-level structure.

Results

This section consists of six subsections, including the preliminaries, the basic idea of our protocol, the proposed protocol itself, its relationship with Lo's no-go theorem [15] and He's proof [19], and its security and efficiency analyses. The preliminaries introduce the properties of quantum machines and define some notation. Then, the basic idea of the proposed protocol is introduced before the details of the protocol itself, which are described in the subsequent section. Moreover, the relationship among Lo's no-go theorem [15], He's proof [19] and the proposed protocol is discussed in the subsection titled "Resisting Lo's cheating strategy [15]". Finally, security and efficiency analyses are presented in the last two subsections.

Preliminaries.
This subsection introduces the basic definitions of concepts relevant to quantum machines, such as quantum bits, superposition, entanglement, gates, and operations, as well as some properties of quantum machines.
doi:10.1038/s41598-018-32838-9 fatcat:4z6mjxunfjgxjblyc3xwjrvd7a