Experimental Secure Multiparty Computation from Quantum Oblivious Transfer with Bit Commitment

TL;DR

The first practical application of the QOT protocol is demonstrated by solving the private set intersection, a prime example of secure multiparty computation, where two parties aim to find common elements in their datasets without revealing any other information.

Abstract

Secure multiparty computation enables collaborative computations across multiple users while preserving individual privacy, which has a wide range of applications in finance, machine learning and healthcare. Secure multiparty computation can be realized using oblivious transfer as a primitive function. In this paper, we present an experimental implementation of a quantum-secure quantum oblivious transfer (QOT) protocol using an adapted quantum key distribution system combined with a bit commitment scheme, surpassing previous approaches only secure in the noisy storage model. We demonstrate the first practical application of the QOT protocol by solving the private set intersection, a prime example of secure multiparty computation, where two parties aim to find common elements in their datasets without revealing any other information. In our experiments, two banks can identify common suspicious accounts without disclosing any other data. This not only proves the experimental functionality of QOT, but also showcases its real-world commercial applications.

Figures (7)

• Figure 1: 1-out-of-2 Oblivious Transfer. Alice has two possible messages, $m_0$ and $m_1$, to send to Bob. Bob chooses a bit $c\in \{0, 1\}$, and at the end of the process, Bob receives the message $m_c$, without Alice learning the value of $c$.
• Figure 2: Quantum Oblivious Transfer Protocol
• Figure 3: Schematic of experimental setup. Alice uses an intensity modulator (IM) for decoy intensity modulation. A circulator (CIR), a polarization controller (PC), a polarization beam splitter (PBS) and a phase modulator (PM) constitute the polarization encoding part. The IM and the PM are controlled by a random number generator (RNG). The light is then attenuated to a single photon level with an attenuator (ATT) and sent to Bob via fiber for detection. Bob uses a beam splitter (BS) to measure in different bases and each basis is decoded by a PC and a PBS and detected by single-photon detectors (SPDs). Post-processing and key management are performed by the corresponding modules and an extra fiber channel is used for classical communication.
• Figure 4: The comparison of communication cost and runtime between QOT-based and OT-based PSI experiments. Sim-1, Sim-2 and Sim-3 correspond to simulation data with different data sizes. Real-1 and Real-2 both correspond to real world data. From left to right, the number of queries in each PSI experiment are $10^3$, $10^3$, $10^5$, $10^4$ and $10^5$ respectively, and the number of elements in the private set in each experiment are $10^4$, $10^5$, $10^5$, $10^4$ and $10^4$ respectively.
• Figure 5: The hierarchy of cryptographic assumptions. From up to down, the assumptions become weaker, and the corresponding cryptographic protocols are regarded as more reliable.