Performance of Practical Quantum Oblivious Key Distribution

Mariano Lemus, Peter Schiansky, Manuel Goulão, Mathieu Bozzio, David Elkouss, Nikola Paunković, Paulo Mateus, Philip Walther

TL;DR

The paper addresses a key challenge in secure multiparty computation (MPC) by proposing a practical quantum randomized oblivious transfer (ROT) protocol that relies solely on symmetric cryptographic primitives based on one-way functions (OWFs), avoiding public-key cryptography. It builds on the BBCS92 OT construction and integrates weakly-interactive commitments and verifiable information reconciliation to achieve indistinguishability-based security in a finite-key setting, with formal security and composability analyses. An experimental demonstration using polarization-entangled photons validates the protocol's feasibility, providing concrete performance metrics and highlighting realistic trade-offs between security parameters and operational speed. The work positions quantum ROT as a viable alternative to classical OT under weaker cryptographic assumptions, while acknowledging current speed limitations and outlining clear paths for enhancement and integration into MPC workflows.

Abstract

Motivated by the applications of secure multiparty computation as a privacy-protecting data analysis tool, and identifying oblivious transfer as one of its main practical enablers, we propose a practical realization of randomized quantum oblivious transfer. By using only symmetric cryptography primitives to implement commitments, we construct computationally-secure randomized oblivious transfer without the need for public-key cryptography or assumptions imposing limitations on the adversarial devices. We show that the protocol is secure under an indistinguishability-based notion of security and demonstrate an experimental implementation to test its real-world performance. Its security and performance are then compared to both quantum and classical alternatives, showing potential advantages over existing solutions based on the noisy storage model and public-key cryptography.

Paper Structure (27 sections, 20 theorems, 146 equations, 9 figures, 2 tables)

This paper contains 27 sections, 20 theorems, 146 equations, 9 figures, 2 tables.

Key Result

Theorem 3.1

(Security of $\pi_{\textnormal{QROT}}$) The protocol $\pi_{\textnormal{QROT}}$ is an $n$-bit ROT protocol that is statistically correct, computationally secure against a dishonest sender, and statistically secure against a dishonest receiver.

Figures (9)

  • Figure 1: Quantum oblivious transfer protocol based on commitments
  • Figure 2: Maximum key rate output $\frac{n}{N_0}$ versus error rate $p_{\max}$. The blue line represents the upper bound for the key rate, when $N_0 \rightarrow \infty$, $\alpha, \delta_1, \delta_2$ are taken to be 0 and $f = 1$. The orange line represents a more typical case with $\alpha = 0.35$, $\delta_1 = 0.01, \delta_2 = 0.025$, and $f=1.2$.
  • Figure 3: Maximum key rate behaviour as a function of $N_0$ for different security levels. Parameter values used are $\alpha = 0.35$, $\delta_1 = 9.2 \times 10^{-3}$, $\delta_2 = 3.0 \times 10^{-3}$, $p_{\max} = 0.01$, $f = 1.2$.
  • Figure 4: Critical value $N_{\textnormal{crit}}$ of the number of shared qubits needed to obtain positive key rates as a function of the security level. The values of $N_{\textnormal{crit}}$ were computed using the parameters $\alpha, \delta_1, \delta_2$ that minimize the value of $N_{\textnormal{crit}}$ for each $\varepsilon_{\max}$.
  • Figure 5: Maximum potential ROT rates as a function of the pump power $P$ for $\varepsilon_{\max} = 10^{-7}$. We see that the best performance is obtained at a laser pump power of $P = 170$ mW, corresponding to a coincidence rate close to $2.45$ kHz. The uncertainty on the power measurement (x-axis) along with the error bars resulting from the Poissonian noise on the coincidence counts (used to calculate y-values) are negligible with respect to the current plot scale.
  • ...and 4 more figures

Theorems & Definitions (39)

  • Definition 2.1
  • Definition 2.2
  • Definition 2.3
  • Theorem 3.1
  • Lemma 3.1
  • Lemma 3.2
  • Lemma 4.1
  • Lemma 4.2
  • Lemma 4.3
  • Lemma 4.4
  • ...and 29 more