Lower Bounds for Quantum Secure Function Evaluation Reductions

Esther Hänggi, Severin Winkler

TL;DR

This work analyzes the limits of quantum reductions in secure two-party computation, focusing on one-sided output secure function evaluation (SFE). It proves a non-asymptotic impossibility result: no ε-secure quantum protocol can securely compute any non-trivial function from noiseless channels, since Bob can recover function values for all his inputs; it then develops a framework for reductions to trusted randomness and derives a lower bound on the sum of conditional max-entropies, which translates into concrete lower bounds on the number of oblivious transfer instances required for secure implementations. The results yield quantitative bounds for fundamental tasks like inner-product and equality, showing that quantum protocols cannot substantially outperform classical limits in these cases. Together, the findings clarify the cryptographic capacity and resource requirements of quantum reductions and OT-based constructions in finite-resource regimes, with implications for the design of secure two-party protocols.

Abstract

One-sided output secure function evaluation is a cryptographic primitive where the two mutually distrustful players, Alice and Bob, both have a private input to a bivariate function. Bob obtains the value of the function for the given inputs, while Alice receives no output. It is known that this primitive cannot be securely implemented if the two players only have access to noiseless classical and quantum communication. In this work, we first show that Bob can extract the function values for all his possible inputs from any implementation of a non-trivial function that is correct and preserves the privacy of Bob's input. Our result holds in the non-asymptotic setting where the players have finite resources and the error is a constant. Then we consider protocols for secure function evaluation in a setup where the two players have access to trusted distributed randomness as a resource. Building upon the first result, we prove a bound on the efficiency of such cryptographic reductions for any non-trivial function in terms of the conditional entropies of the trusted randomness. From this result, we can derive lower bounds on the number of instances of different variants of OT needed to securely implement a given function.

Paper Structure (21 sections, 17 theorems, 51 equations, 1 figure)

Key Result

Proposition 1

Let $f:\mathcal{X} \times \mathcal{Y} \rightarrow \mathcal{Z}$ be a function. For any protocol implementing the function that is correct with probability $1-\varepsilon$ and is $\varepsilon$-secure for Bob in the malicious model, there is an attack that allows a dishonest Bob to compute the values o

Figures (1)

  • Figure 1: Ideal (one-sided output) SFE.

Theorems & Definitions (31)

  • Definition 1: Trace Distance
  • Definition 2
  • Definition 3: Max-Entropy
  • Definition 4: Ideal SFE
  • Definition 5: Statistical Security of SFE
  • Proposition 1
  • Definition 6: Non-trivial Functions
  • Theorem 1
  • Definition 7: Non-redundant Functions
  • Theorem 2
  • ...and 21 more