1: \documentclass[runningheads]{llncs}
2:
3: \usepackage{amsmath}
4: \usepackage{amssymb}
5: \usepackage{times}
6: \usepackage{float}
7: %\usepackage{multicol}
8:
9: % For the case we want to redefine margins
10: %
11: % \setlength{\evensidemargin}{0in}
12: % \setlength{\oddsidemargin}{0in}
13: % \setlength{\textwidth}{6.5in}
14: % \setlength{\textheight}{9in}
15: % \setlength{\topmargin}{-0.4in}
16: % \setlength{\footskip}{0.6in}
17:
18: \floatstyle{boxed}
19: \newfloat{protocol}{bt}{lop}
20: \floatname{protocol}{Protocol}
21:
22: \newtheorem{fact}{Fact}
23:
24: \newcommand{\ceil}[1] {\left\lceil #1\right\rceil}
25: \newcommand{\pryes} {p_{\mathsf{yes}}}
26: \newcommand{\prans}[1] {p_{\mathsf{ans}_{#1}}}
27: \newcommand{\prcorrect} {p_{\mathsf{ct}}}
28: \newcommand{\pradv} {p_{\mathsf{adv}}}
29: \newcommand{\Set}[1] {\{#1\}}
30: \newcommand{\ot} {\leftarrow}
31: \newcommand{\otr} {\ot_R}
32: \newcommand{\lcm} {\operatorname{lcm}}
33: \newcommand{\floor}[1] {\lfloor #1\rfloor}
34:
35: \newcommand{\rket} {\rangle}
36: \newcommand{\lbra} {\langle}
37: \newcommand{\bra}[1] {\langle #1|}
38: \newcommand{\ket}[1] {| #1\rangle}
39: \newcommand{\defeq} {:=}
40: \newcommand{\ZZ} {\mathbb{Z}}
41: \newcommand{\brak}[1] {\left(#1\right)}
42: \newcommand{\var} {\operatorname{var}}
43:
44: %\newcommand{\xmarginpar}[1] {\marginpar{\small{#1}}}
45:
46: \newcommand{\AK}[1] {\mathsf{AK}(#1)}
47: \newcommand{\AKBOOLEAN}[1] {\mathsf{AKEncBool}(#1)}
48: \newcommand{\AKLIN}[1] {\mathsf{AKLin}(#1)}
49:
50: \newcommand{\COMM}[2] {\mathsf{C}_{#1}(#2)}
51:
52: \newcommand{\OT}[4] {\binom{1}{#1}\text{-}\mathsf{OT}_{#4}(#2;#3)}
53:
54: \newcommand{\ADVPI}[2] {\mathsf{Adv}^{\mathsf{pri-i}}_{#1}(#2)}
55: \newcommand{\ADVPR}[2] {\mathsf{Adv}^{\mathsf{pri-r}}_{#1}(#2)}
56: \newcommand{\ADVCORRECT}[2] {\mathsf{Adv}^{\mathsf{crct}}_{#1}(#2)}
57: \newcommand{\ADVLOR}[2] {\mathsf{Adv}^{\mathsf{lor}}_{#1}(#2)}
58:
59: \newcommand{\II} {\mathcal{I}}
60: \newcommand{\RR} {\mathcal{R}}
61:
62: \newcommand{\PAR}[1]{\vspace{2mm}\noindent\textbf{#1}}
63:
64: \newcommand{\comment}[1] {}
65:
66: \newcommand{\infinal}[1] {#1}
67: \newcommand{\insubmitted}[1] {}
68:
69: \newcommand{\abs}[1] {\left| #1\right|}
70: \title{Cryptographic Randomized Response Techniques}
71: %\subtitle{*** Draft, {\today} ***}
72:
73: \infinal{\author{Andris Ambainis\inst{1} \and Markus Jakobsson\inst{2}
74: \and Helger Lipmaa\inst{3}}
75:
76: \institute{Institute of Mathematics and CS, University of Latvia, Rai\c{n}a
77: bulv.~29\\ R\={\i}ga, LV-1459, Latvia,\\ \email{ambainis@lanet.lv}\\ \
78: RSA Laboratories, 174 Middlesex Turnpike, Bedford, MA 01730, USA\\
79: \email{mjakobsson@rsasecurity.com}\\ \and
80: Laboratory for Theoretical CS, Department of CS\&E\\
81: Helsinki University of Technology, P.O.Box 5400, FIN-02015 HUT, Espoo, Finland\\
82: \email{helger@tcs.hut.fi}}}
83:
84: \insubmitted{\institute{} \author{*** Anonymous submission to ACM CCS
85: 2003 ***}}
86:
87: \sloppy
88:
89: \begin{document}
90:
91: \maketitle
92:
93: \begin{abstract}
94: We develop cryptographically secure techniques to guarantee
95: unconditional privacy for respondents to polls. Our constructions
96: are efficient and practical, and are shown not to allow cheating
97: respondents to affect the ``tally'' by more than their own vote ---
98: which will be given the exact same weight as that of other
99: respondents. We demonstrate solutions to this problem based on both
100: traditional cryptographic techniques and quantum cryptography.
101:
102: \noindent
103: {\bf Keywords:} classical cryptography, oblivious transfer, polling,
104: privacy, privacy-preserving data-mining, quantum cryptography,
105: randomized response technique
106:
107: \end{abstract}
108:
109: \section{Introduction}
110:
111: In some instances, privacy is a matter of keeping purchase information
112: away from telemarketers, competitors, or other intruders. In other
113: instances, privacy translates to security against traffic analysis,
114: such as for web browsing; or to security of personal location
115: information. In still other instances, which we study in this paper,
116: privacy is a \emph{precondition} to being able to obtain answers to
117: important questions. Two concrete examples of instances of latter are
118: \emph{elections} and \emph{surveys/polls}.
119:
120: While the first of these examples is the one of the two that has
121: received --- by far --- the most attention in the field of
122: cryptography, there are important reasons to develop better privacy
123: tools for polling. Surprisingly, the two examples (namely, elections
124: and polls), while quite similar at a first sight, are very different
125: in their requirements. Since it is typically the case that there is
126: more funding available for providing privacy in elections than in
127: surveys and polls, it follows that the tallying process in the former
128: may involve more costly steps than that in the latter --- whether the
129: process is electronic (using, e.g., mix networks) or mechanic. Second,
130: while in the case of the voting scheme, we have that users need to
131: entrust their privacy with some set of authorities, it is often the
132: case that there is less trust established between the parties in
133: polls. Yet another reason to treat the two situations separately is
134: that elections involve many more respondents than polls typically do,
135: thereby allowing a unique opinion (e.g., vote) to be hidden among many
136: more in the case of elections than in the case of polls. Finally,
137: while elections require as exact tallying as is possible,
138: \emph{statistical truths} are both sufficient and desirable in polls.
139: This allows the use of polling techniques that are very different from
140: election techniques --- in terms of their cost; how tallying is done;
141: and how privacy is protected.
142:
143: While not given much attention in cryptography, important work on
144: polling has been done in statistics. In particular, the
145: \emph{randomized response technique} (RRT) was proposed by
146: Warner~\cite{JASA1965:Warner} in 1965, with the goal of being used in
147: polls relating to sensitive issues, such as drug abuse, sexual
148: preferences and shoplifting. The underlying idea behind Warner's
149: proposal is for respondents to randomize each response according to a
150: certain, and known, probability distribution. More precisely, they
151: answer the question truthfully with some probability $\prcorrect >
152: 1/2$, while with a fixed and known probability $1-\prcorrect$ they
153: lie. Thus, users can always claim that their answer --- if it is of
154: the ``incriminating'' type --- was a lie. When evaluating all the
155: answers of the poll, these lies become statistically insignificant
156: given a large enough sample (where the size of the sample can be
157: simply computed from the probability distribution governing lying.)
158:
159: However, a pure RRT by itself is not well suited for all types of
160: polls. E.g., it is believed that people are more likely to vote for
161: somebody who leads the polls than somebody who is behind. Therefore,
162: it could be politically valuable not to lie (as required by the
163: protocol) in polls relating to ones political opinion, and therefore
164: have one's ``vote'' assigned a greater weight. (This is the case since
165: people with the opposite opinion --- if honestly following the
166: protocol --- will sometimes cast a vote according to your opinion, but
167: you would never cast a vote according to their opinion, assuming you
168: are willing to cheat.) While the results of the poll remain
169: meaningful if \emph{everybody} cheats (i.e., tells the truth with a
170: probability different from that specified by the protocol), this is
171: \emph{not} the case when only some people deviate from the desired
172: behavior. Also, while one might say that the increased weight in the
173: polls is gained at the price of the cheater's privacy, this is not
174: necessarily the case if the cheater \emph{claims} to have followed the
175: protocol, and there is no evidence to the contrary.
176:
177: To address the problem of cheating respondents in RRT, we propose the
178: notion of \emph{cryptographic randomized response technique} (CRRT),
179: which is a modification of RRT that prevents cheating. We present
180: three efficient protocols for CRRT; two of them using classic
181: cryptographic methods (and being efficient for different values of
182: $\prcorrect$), and one using quantum methods. Importantly, the
183: quantum RRT protocol is implementable by using contemporary
184: technology. We give rigorous proofs of security for one of the
185: classical protocols and for the quantum protocol.
186:
187: For all of our proposed solutions, the privacy of the respondent will
188: be guaranteed information-theoretically (more precisely,
189: statistically). This is appropriate to stimulate truthful feedback on
190: topics that may affect the respondent for years, if not decades. All
191: proposed solutions also \emph{guarantee} that the respondents reply
192: based on the desired probability distributions. Clearly, this
193: requires that the respondent cannot determine the outcome of the
194: protocol (as viewed by the interviewer) before the end of the
195: protocol. Otherwise, he could simply halt the execution of the
196: protocol to suppress answers in which the communicated opinion was a
197: lie. We will therefore require protocols to offer privacy for the
198: \emph{interviewer} as well as for the respondent, meaning that the
199: respondent cannot learn what the outcome of the protocol is, as seen
200: by the interviewer. (One could relax this requirement slightly to
201: allow the respondent to learn the outcome at the same time as the
202: interviewer does, or afterward.)
203:
204: While we believe that it is important to prevent the respondent from
205: biasing the outcome by selective halting (corresponding to the
206: protocol being \emph{strongly secure}), we also describe simplified
207: versions of our protocols in which this protection mechanism is not
208: available. Such simplified versions (which we refer to as \emph{weakly
209: secure}) can still be useful in some situations. They may, for
210: example, be used as the default scheme for a given application ---
211: where they would be replaced by their strongly secure relatives if too
212: many interactions are halted prematurely. (The decision of when the
213: shift would be performed should be based on standard statistical
214: methods, and will not be covered herein.) The benefit of considering
215: such dual modes is that the weakly secure versions typically are
216: computationally less demanding than the strongly secure versions.
217:
218: Finally, we also discuss cryptographic enhancements to two alternative
219: RRT techniques. In the first, referred to as RRT-IQ, the respondent
220: always gives the truthful answer to the question he is presented with.
221: However, with a certain probability, he is presented with an
222: \underline{I}nnocous \underline{Q}uestion instead of the intended
223: question. A second alternative RRT technique is what is referred to as
224: \emph{polychotomous} RRT\@. In this version of RRT, the respondent is
225: given more than two possible options per question.
226:
227: In particular, our first protocol uses a novel protocol for
228: information-theoretically secure \emph{verifiable oblivious transfer}
229: that enables easier zero-knowledge proofs on the properties of the
230: transferred values. The described protocol may also be useful in other
231: applications. We also note that our techniques have applications in
232: the privacy-preserving data-mining, see Section~\ref{rel}.
233:
234: \PAR{Outline.}
235: We first review the details of the randomized response technique
236: (Section~\ref{sec:rrt}), after which we review some related work in
237: cryptography (Section~\ref{rel}). We then introduce the cryptographic
238: building blocks of our protocols (Section~\ref{sec:building}). We
239: then describe the functionality of our desired solution in terms of
240: functional black boxes and protocol requirements (Section~\ref{req}).
241: In Section~\ref{standard}, we present our secure CRRT protocols. In
242: Section~\ref{var} we describe cryptographic solutions to other
243: variants of the standard RRT. The appendix contains additional
244: information about the new oblivious transfer protocol and about the
245: quantum RRT protocol.
246:
247: \section{Short Review of Randomized Response Technique}\label{sec:rrt}
248:
249: When polling on sensitive issues like sexual behavior or tax evasion,
250: respondents often deny their stigmatizing behavior due to the natural
251: concern about their privacy. In 1965, Warner~\cite{JASA1965:Warner}
252: proposed the Randomized Response Technique (RRT) for organization of
253: polls where an unbiased estimator (UE) to the summatory information
254: --- the proportion of people belonging to a stigmatizing group $A$ ---
255: can be recovered, while the privacy of every individual respondent is
256: protected statistically. Since then, different variations of the RRT
257: have been proposed in statistics, see~\cite{book:ChaudhuriM:1988} for
258: a survey. These different variations provide, for example, smaller
259: variance, smaller privacy breaches, optimality under different
260: definitions of privacy, and ability to answer polychotomous questions.
261: Next we will give a short overview of three types of RRT.
262:
263: \PAR{RRT-W.}
264: In Wagner's original method (RRT-W), the respondents provide a
265: truthful answer to the question ``Do you belong to a stigmatizing
266: group $A$?'' with a certain fixed and publicly known probability
267: $\prcorrect > 1/2$. With probability $1-\prcorrect$ they lie --- i.e.,
268: answer the opposite question. Define $\pi_A$ to be the true
269: proportion of the population that belongs to $A$ (or whose \emph{type}
270: is $t=1$). Let $\pryes$ be the proportion of ``yes'' responses in the
271: poll. Clearly, in RRT-W the \textsl{a priori} probability of getting
272: a ``yes'' response is $\pryes=\prcorrect \cdot
273: \pi_A+(1-\prcorrect)(1-\pi_A)$. In the case of $N$ players, $L$ of
274: which answer ``yes'', an UE of $\pryes$ is $\widehat{\pryes}=L/N$, the
275: sample proportion of ``yes'' answers. From this, one can simply
276: compute the unbiased estimator of $\pi_A$. This equals
277: $\widehat{\pi_A}=
278: \frac{\widehat{\pryes}-(1-\prcorrect)}{2\prcorrect-1}=
279: \frac{\prcorrect-1}{2\prcorrect-1}+\frac{L}{N}\cdot
280: \frac{1}{(2\prcorrect-1)}$. Similarly, the variance
281: $\var(\widehat{\pi_A})$ and its UE can be computed.
282:
283: \PAR{RRT-IQ\@.}
284: An alternative RRT is the~\emph{innocuous question method} (RRT-IQ),
285: first analyzed in~\cite{JASA1969:GreenbergASH}. When using RRT-IQ, the
286: respondent answers the sensitive question with a probability
287: $\prcorrect$, while with probability $1-\prcorrect$ to an unrelated
288: and innocuous question, such as ``Flip a coin. Did you get tails?''.
289: The RRT-IQ achieves the same goals as RRT-W but with less
290: variance~\cite{book:ChaudhuriM:1988}, which makes it more suitable for
291: practical polling. Many other RRT-IQs are known, including some with
292: unknown estimate of the the proportion of the population belonging to
293: the innocuous group.
294:
295: \comment{If an \textsl{a priori} estimate $\pi_Y$ of the proportion of
296: population that belong to the innocuous group $Y$ is known, the
297: respondents could be reluctant to answer truthfully. E.g., if the
298: prior estimate on $\pi_Y$ is smaller than the estimate on $\pi_A$,
299: answering $1$ might indicate that one belongs to the group $A$. A
300: standard method for estimating $\pi_A$ with unknown proportion
301: $\pi_Y$ is to do two different polls with independent sample
302: populations and different values of $\prcorrect$. Moreover, if
303: there is no protection against cheating, a respondent may be tempted
304: to always answer ``no'' in order to remove any doubt regarding his
305: opinion.
306:
307: The simplest case of RRT-IQ is one in which the unrelated question
308: involves flipping a coin. As an example of RRT-IQ, we let the
309: respondent answer the sensitive question with a probability
310: $\prcorrect$, while he gets to flip a coin and answer whether it
311: came up tails with probability $1-\prcorrect$.}
312:
313: \PAR{PRRT.}
314: The RRTs for dichotomous polling (where the answer is yes or no) can
315: be generalized to \emph{polychotomous RRT} (PRRT) where the respondent
316: can belong to one of the $m$ mutually exclusive groups $A_1$, \ldots,
317: $A_m$, some of which are stigmatizing. A typical sensitive question of
318: this kind is ``When did you have your first child?'', with answers
319: ``$1$ --- while not married'', ``$2$ --- within $9$ months after the
320: wedding'' and ``$3$ --- more than $9$ months after the wedding''. In
321: many cultures, the answer $1$ is stigmatizing, the answer $3$ is
322: innocuous, while the answer $2$ is somewhere inbetween. The
323: interviewer wants to know an UE for the proportion $\pi_i$ of people
324: who belong to the group $A_i$, $i\in[1,m]$. There are many possible
325: PRRTs~\cite[Chapter~3]{book:ChaudhuriM:1988}. One of the simplest is
326: the following technique PRRT-BD by Bourke and
327: Dalenius~\cite{ISR1976:BourkeD}: first fix the probabilities
328: $\prcorrect$ and $p_1,\dots,p_m$, such that
329: $\prcorrect+\sum_{i\in[1,m]} p_i=1$. A respondent either reveals her
330: true type $t\in[1,m]$ with probability $\prcorrect$, or answers
331: $i\in[1,m]$ with probability $p_i$. To recover an UE of
332: $\vec{\pi}\defeq (\pi_1,\dots,\pi_m)^T$, define $\vec{p}\defeq
333: (p_1,\dots,p_m)^T$ and $\vec{\prans{}}=(\prans{1},\dots,\prans{m})^T$,
334: where $\prans{i}$ is the proportion of people who answer $i$. Then
335: $\vec{\prans{}}=\prcorrect \cdot \vec{\pi} + \vec{p}$, and hence
336: $\widehat{\vec{\pi}} = \prcorrect^{-1}\cdot
337: (\widehat{\vec{\prans{}}}-\vec{p})$.
338:
339: \section{Related Cryptographic Work.}
340: \label{rel}
341:
342: In~\cite{WIAPP1999:KikuchiANG}, Kikuchi et al.\ propose techniques
343: with similar goals as ours. Seemingly unaware of the previous work on
344: RRT, the authors reinvent this notion, and propose a protocol for
345: performing the data exchange. However, their protocol is considerably
346: less efficient than ours. Also, it does not offer strong security in
347: our sense. This vulnerability to cheating makes their protocol
348: unsuitable for their main application (voting), as well as polls where
349: respondents may wish to bias their answer. Our protocols can be used
350: in their framework.
351:
352: Our work has a relation to work on biased coin flipping, where heads
353: must come out with probability $\prcorrect=\ell/n$. In our case, the
354: coin can be biased by the first participant in several ways, where the
355: choice of the distribution encodes the opinion of the respondent to
356: the poll. More concretely, consider a coin where one outcome (say, 1)
357: corresponds to ``yes'', and the other (0) to ``no''. Let us assume
358: that the respondent should give his correct opinion with $75\%$
359: probability. Then, if his opinion is ``yes'', the coin will have bias
360: $0.75$, while it will have bias $0.25$ if his opinion is ``no''.
361: However, our technique is not merely a generalization of biased coin
362: flipping, as we also want our protocols to implement privacy. This is
363: an issue that is not important in the context of ordinary biased coin
364: flipping.
365:
366: In order to guarantee that responses are made according to the
367: intended distribution, we introduce a ``blinding'' requirement: we
368: need our protocols to be constructed such that they do not leak the
369: response to the respondent --- at least not until the response has
370: been delivered to the interviewer. From a bird's eye's view, this
371: makes our protocols similar to those in~\cite{CRYPTO1996:JakobssonY},
372: in which a party proves either language membership or language
373: non-membership to a verifier, but without being able to determine
374: which one. However, the similarities between our protocols and those
375: in~\cite{CRYPTO1996:JakobssonY} do not run much deeper than that.
376:
377: In contrast, there is a much closer relationship between our protocols
378: and protocols for oblivious transfer~\cite{Rabin81,CACM85:EvenGL}.
379: While our goals are orthogonal to those of oblivious transfer, the
380: techniques are hauntingly similar. In particular, one of our CRRT
381: protocols uses a protocol for oblivious transfer as a building block.
382: While in principle \emph{any} such protocol can be used, it is clear
383: that the properties of the building block will be inherited by the
384: main protocol. Therefore, in order to provide unconditional guarantees
385: of privacy for the respondents, we use a \emph{verifiable} variant of
386: the information theoretic protocol for oblivious transfer, namely that
387: proposed by Naor and Pinkas~\cite{SODA2001:NaorP}. (An efficient
388: protocol that offers computational security for the sender was
389: proposed by Tzeng~\cite{PKC2002:Tzeng}.)
390:
391: Cryptographic randomized response techniques are also related to
392: oblivious function evaluation~\cite{Goldreich2002:SMPC}, where one
393: party has data $\mu$, while another party needs to compute $f(\mu)$,
394: without getting to know any additional information on $\mu$, while the
395: first party will not get to know $f$. Cryptographic RRTs can be seen
396: as protocols for oblivious function evaluation of some specific
397: \emph{randomized} functions $f$.
398:
399: Furthermore, our work is related to the work on Private Information
400: Retrieval (PIR) --- and even to privacy-preserving data-mining --- in
401: that the goal of our interviewer is to retrieve some element from the
402: respondent, without the latter learning what was retrieved. More
403: specifically, if some $\ell$ out of $n$ elements represent the
404: respondent's opinion, and the remaining $n-\ell$ elements represent
405: the opposite opinion, then the interviewer will learn the respondent's
406: opinion with probability $\ell/n$ if he retrieves a random element. Of
407: course, in order to guarantee the interviewer that the elements are
408: correctly formed, additional mechanisms are required.
409:
410: In privacy-preserving data-mining a related data randomization
411: approach has been proposed~\cite{SIGMOD2000:AgrawalS}: namely, the
412: users input their data to the central database (e.g., a loyal customer
413: inputs the name of the product he bought), and the database maintainer
414: needs to do some statistical analysis on the database. However, the
415: maintainer should not be able to recover individual items. Database
416: randomization in the case when the maintainer is limited to the SUM
417: function corresponds exactly to the RRT. For the same reasons as in
418: the RRT, one should not be able to bias the data. Our protocols are
419: also applicable in the privacy-preserving data-mining and hopefully
420: even in the case when more elaborated
421: randomizations~\cite{KDDD2002:EvfimievskiSAG} are applied.
422:
423: \section{Cryptographic Building Blocks}\label{sec:building}
424:
425: Assume that $p$ is a large prime, and $q$, $q\mid (p-1)$, is another
426: prime. Then $\ZZ_p$ has a unique subgroup $G$ of order $q$. Let $g$
427: and $h$ be two generators of $G$, such that nobody knows their mutual
428: discrete logarithms $\log_g h$ and $\log_h g$. We let $k$ be the
429: security parameter, in our setting we can take $k=q$. The key $K$
430: consists of public parameters, $K\defeq (g;h)$.
431:
432: \PAR{Pedersen's Commitment Scheme.}
433: In this scheme~\cite{CRYPTO1991:Pedersen}, a message $\mu\in \ZZ_q$ is
434: committed by drawing a random $\rho\otr \ZZ_q$, and setting
435: $\COMM{K}{\mu;\rho}\defeq g^\mu h^\rho$. The commitment can be opened
436: by sending $\mu$ and $\rho$ to the verifier. This scheme is
437: \emph{homomorphic}, i.e.,
438: $\COMM{K}{\mu;\rho}\COMM{K}{\mu';\rho'}=\COMM{K}{\mu+\mu';\rho+\rho'}$.
439: Since it is also perfectly hiding and computationally binding, it can
440: be used as a building block in efficient zero-knowledge arguments,
441: such as protocols for arguing the knowledge of plaintext $\mu$.
442:
443: \PAR{Variant of Naor-Pinkas $1$-out-of-$n$ Oblivious Transfer.}
444: The oblivious transfer (OT) protocol by Naor and
445: Pinkas~\cite{SODA2001:NaorP} guarantees information-theoretic privacy
446: for the sender $\RR$, and computational privacy for the chooser $\II$.
447: Assume the sender $\RR$ has a vector $\mu=(\mu_1,\dots,\mu_n)\in M^n$
448: for some set $M\subseteq \ZZ_q$. The chooser $\II$ has made a choice
449: $\sigma\in[1,n]$. The Naor-Pinkas protocol works as follows:
450:
451: \begin{enumerate}
452: \item $\II$ generates random $a,b\ot \ZZ_q$ and sends $(A,B,C)\ot
453: (g^a,g^b,g^{ab-\sigma+1})$ to $\RR$.
454: \item $\RR$ performs the following, for $i\in[1,n]$: Generate random
455: $(r_i,s_i)$. Compute $w_i\ot g^{r_i}A^{s_i}$, compute an encryption
456: $y_i$ of $\mu_i$ using $v_i\ot B^{r_i}(C\cdot g^{i-1})^{s_i}$ as the
457: key. Send $(w_i, y_i)$ to $\II$.
458: \item $\II$ computes $w_\sigma^{b}(=v_\sigma)$ and decrypts $y_\sigma$
459: using $v_\sigma$ as the key, obtaining $\mu_\sigma$.
460: \end{enumerate}
461: (Both $\RR$ and $\II$ halt if any received transcript is not correctly
462: formatted.) Note that $w_i=g^{r_i+as_i}$, while $v_i=B^{r_i}(C\cdot
463: g^{i-1})^{s_i}=w_i^b\cdot g^{(i-\sigma)s_i}$. Thus,
464: $v_\sigma=w_\sigma^b$, while for $i\neq \sigma$, $v_i$ is a random
465: element of $G$. Thus, in the third step $\RR$ recovers $v_\sigma$,
466: while obtaining no information about $v_i$ for $i\neq \sigma$.
467:
468: The Naor and Pinkas~\cite{SODA2001:NaorP} paper does not specify the
469: encryption method, mentioning only that the encryption scheme must be
470: semantically secure\comment{(e.g.,
471: ElGamal~\cite{CRYPTO1984:ElGamal})}. We propose to use Pedersen's
472: commitment scheme instead of an encryption scheme. Herein, we use
473: $K=(g;h)$ as the parameters of the commitment scheme, and use $v_i$
474: instead of $r_i$ as the random coin, producing a commitment $y_i\defeq
475: \COMM{K}{\mu_i;v_i}$. We denote this version of Naor-Pinkas protocol,
476: where $y_i$ is defined as $y_i=C_K(\mu_i,v_i)$, by
477: $\OT{n}{\mu}{\sigma}{K}$. (The full protocol is presented in
478: Appendix~\ref{app:secot}.)
479:
480: The idea behind this unconventional trick is that as the result, the
481: sender can argue in zero-knowledge for all $i\in[1,n]$ that the values
482: $\mu_i$ satisfy some required conditions. (We call such an OT protocol
483: \emph{verifiable}.) The chooser cannot decrypt $y_i$ without knowing
484: $v_i$, and thus he cannot guess the value of $\mu_i$ for $i\neq
485: \sigma$ (with probability higher than $|M|^2/q$, as we will show in
486: Appendix~\ref{app:secot}), even if he knows that $\mu_i$ is chosen
487: from a fixed two-element set. (This constitutes the security of OT
488: protocol in the \emph{left-or-right} sense. See
489: Appendix~\ref{app:secot}.) On the other hand, $\II$ can ``decrypt''
490: $y_\sigma$ with the ``key'' $v_\sigma$, given that the possible
491: message space $M$ is small enough for the exhaustive search on the set
492: $\Set{g^x:x\in M}$ to be practical. In the case of dichotomous RRT,
493: $M=\Set{0,1}$.
494:
495: \PAR{Noninteractive Zero-Knowledge Arguments.}
496: We will use zero-knowledge arguments (and not proofs) of knowledge in
497: our protocol, since they are (at the very least) statistically hiding
498: and computationally convincing. This property is important in a
499: setting where a verifier must not be able to extract additional
500: information even if he is given infinite time. \comment{A HVSZK
501: argument system can be made non-interactive in the random oracle
502: model by using the Fiat-Shamir heuristic~\cite{CRYPTO1986:FiatS}.}
503:
504: Our first protocol uses only two very standard statistical
505: zero-knowledge arguments. (The arguments for the second protocol are
506: described in appendices.) The first one is an argument that a given
507: value $y_i$ (Pedersen-)commits to a Boolean value $\mu_i\in\Set{0,1}$.
508: One can use standard disjunctive proofs~\cite{CRYPTO1994:CramerDS} for
509: this. We denote the (possibly parallelized) argument that this holds
510: for $i\in[1,n]$ by $\AKBOOLEAN{y_1,\dots,y_n}$. The second argument
511: of knowledge, $\AKLIN{y_1,\dots,y_{n+1};a,b}$, is
512: an argument that %for all $i\in[1,n+1]$,
513: the prover knows some set of values $\mu_i$, for which $y_i$ is a
514: commitment of $\mu_i$, and such that $\sum_{i\leq
515: n}\mu_i+a\mu_{n+1}=b$. This argument of knowledge can be
516: constructed from Pedersen's commitment scheme by computing $y\ot
517: \prod_{i\leq n}y_i\cdot y_{n+1}^a$ and then arguing that the result
518: $y$ is a commitment to $b$. Note that such an argument of knowledge is
519: secure only when accompanied by zero-knowledge arguments of knowledge
520: of the values $\mu_i$; for this purpose, we employ
521: $\AKBOOLEAN{y_1,\dots,y_{n+1}}$ as described above.
522:
523: \section{Security Definitions}\label{req}
524:
525: In this section, we will give the definition of a weakly and strongly
526: secure cryptographic RRT (CRRT). The security definitions will be in
527: accordance with the ones in secure two-party
528: computation~\cite{Goldreich2002:SMPC}. We will also explain why these
529: requirements are relevant in the case of CRRT\@.
530:
531: Assume we have a concrete variant of RRT, like RRT-W or RRT-IQ\@. Let
532: $\Phi_p$ be the function that implements the desired functionality.
533: For example, in the case of RRT-W, $\Phi_{\prcorrect}(x)$ is a
534: randomized function that with probability $\prcorrect$ returns $x$,
535: and with probability $1-\prcorrect$ returns $1-x$. The ideal-world
536: CRRT protocol, has three parties, the interviewer $\II$, the
537: respondent $\RR$, and the trusted third party $\mathcal{T}$. $\RR$ has
538: her type, $t_\RR$ as her private input, while $\II$ has no private
539: input. Then, $\RR$ communicates $t_\RR$ to $\mathcal{T}$, who selects
540: the value $r_\RR \ot \Phi_{\prcorrect}(t_\RR)$ and sends $r_\RR$ to
541: $\II$. After that, the private output of $\II$ will be
542: $\Phi_{\prcorrect}(t_\RR)$, while $\RR$ will have no private output.
543: It is required that at the end of the protocol, the participants will
544: have no information about the private inputs and outputs of their
545: partners, except for what can be deduced from their own private inputs
546: and outputs. In particular, $\II$ (resp. $\RR$) has no information
547: about the value of $t_\RR$ (resp. $r_\RR$), except what they can
548: deduce from their private inputs and outputs.
549:
550: In an ideal world, exactly the next three types of attacks are
551: possible~\cite[Section~2.1.2]{Goldreich2002:SMPC}: a party can (a)
552: refuse to participate in the protocol; (b) substitute his private
553: input to the trusted third party with a different value; or (c) abort
554: the protocol prematurely. In our case, the attack (c) is irrelevant,
555: since $\RR$ has no output. (Attack (c) models the case when the first
556: party halts the protocol after receiving his private output but before
557: the second party has enough information to compute her output.)
558: Therefore, in an ideal-world RRT protocol, we cannot protect against a
559: participant, who (a) refuses to participate in polling
560: (\emph{non-participation attack}) or (b) claims that her type is
561: $1-t_\RR$, where $t_\RR$ is her real type (\emph{absolute denial
562: attack}). No other attacks should be possible. Note that neither
563: (a) nor (b) is traditionally considered an attack in the context of
564: polling or voting. The argument here is game-theoretic, and the
565: solutions must be proposed by mechanism design, instead of
566: cryptography: namely, a non-manipulable mechanism (e.g., the algorithm
567: with which the election winner is determined from all the collected
568: votes) must be designed so that answering against one's true type (or
569: non-participation) would not give more beneficial results to the
570: respondent than the truthful answer.
571:
572: On the other hand, as we stated, no other attacks should be allowed.
573: This requirement is very strict, so we will explain why it is
574: necessary in the RRT's context. Clearly, one must protect the privacy
575: of $\RR$, since this is the primarily goal of a RRT\@. It is also
576: necessary to protect the privacy of $\II$, although the reason here is
577: more subtle. Namely, if $\RR$ obtains any additional information
578: about $r_\RR$ before the end of the protocol (for example, if she
579: suspects that $r_\RR\neq t_\RR$), she might halt the protocol. Such a
580: behavior by a malicious respondent might cause a bias in the poll, as
581: already explained. (Halting the protocol while having no information
582: on $r_\RR$ is equivalent to the non-participation attack.) The third
583: requirement on the protocol, of course, is that $\II$ either halts or
584: receives $\Phi_{\prcorrect}(x)$, where $x$ is the input submitted by
585: the $\RR$.
586:
587: In a real-world implementation, we want to replace $\mathcal{T}$ by a
588: cryptographic protocol $\Pi=(\RR,\II)$ between $\RR$ and $\II$. This
589: protocol $(\RR,\II)$ is assumed to be ``indistinguishable'' from the
590: ideal-world protocol, that is, with a high probability, it should be
591: secure against all attacks that do not involve attacks (a) or (b).
592: ``Secure'' means that the privacy of $\RR$ (resp. $\II$) must be
593: protected, if $\RR$ (resp. $\II$) follows the protocol, and that
594: $\II$ either halts, or receives the value $\Phi_{\prcorrect}(x)$,
595: where $x$ was the submitted value of $\RR$. The security of the
596: respondent should be information-theoretical, while the security of
597: interviewer can be computational. That is, a secure CRRT-W protocol
598: must have the next three properties (here, $k$ is the security
599: parameter):
600:
601: \PAR{Privacy of Respondent:}
602: Let $\II^*$ be an algorithm. After the end of the protocol execution
603: $(\RR,\II^*)$, $\II^*$ will have no more information on $t_\RR$ than
604: it would have had after the execution of the ideal world protocol.
605: That is, assuming that $\mathsf{view}_{\II^*}$ is his view of the
606: protocol $(\RR,\II^*)$, define
607: \[
608: \ADVPR{k}{\RR,\II^*}\defeq \abs{\Pr[\II^*(\mathsf{view}_{\II^*},
609: r_\RR)=t_\RR]- \Pr[t_\RR|r_\RR]}\enspace,
610: \]
611: where the probability is taken over the internal coin tosses of
612: $\II^*$ and $\RR$. We say that a CRRT protocol is
613: \emph{privacy-preserving for the respondent}, if
614: $\ADVPR{k}{\RR,\II^*}$ is negligible (in $k$) for any unbounded
615: adversary $\II^*$.
616:
617: \PAR{Privacy of Interviewer:}
618: Let $\RR^*$ be an algorithm. Assume that $\II$ halts when $\RR^*$
619: halts. After the end of the protocol execution $(\RR^*,\II)$, $\RR^*$
620: will have no more information on $t_\RR$ than it would have had after
621: the execution of the ideal world protocol. That is, assuming that
622: $\mathsf{view}_{\RR^*}$ is her view of the protocol $(\II,\RR^*)$,
623: define
624: \[
625: \ADVPI{k}{\RR^*,\II}\defeq
626: \abs{\Pr[\RR^*(\mathsf{view}_{\RR^*},t_\RR)=r_\RR]-
627: \Pr[\RR^*(t_\RR)=r_\RR]}\enspace,
628: \]
629: where the probability is taken over the internal coin tosses of
630: $\RR^*$ and $\II$. We say that a CRRT protocol is
631: \emph{privacy-preserving for the interviewer}, if for any adversary
632: $\RR^*$, if $\ADVPI{k}{\RR^*,\II}\leq \varepsilon$ and $\RR^*$ takes
633: $\tau$ steps of computation then $\varepsilon\tau$ is negligible (in
634: $k$).
635:
636: \PAR{Correctness:}
637: Let $\RR^*(x)$ be an algorithm with private input $x$ to the protocol
638: $(\RR^*,\II)$. Assume that $\II$ halts when $\RR^*$ halts. We require
639: that at the end of the protocol execution $(\RR^*,\II)$, $\II$ will
640: either halt, or otherwise receive $\Phi_{\prcorrect}(x)$ with high
641: probability. That is, assuming that $\mathsf{view}_{\II}$ is $\II$'s
642: view of the protocol $(\RR^*,\II)$, define
643: \[
644: \ADVCORRECT{k}{\RR^*,\II}\defeq
645: 1-\Pr[\II(\mathsf{view}_{\II})=\Phi_{\prcorrect}(x)| \text{$\II$ does
646: not halt}]\enspace,
647: \]
648: where the probability is taken over the internal coin tosses of $\II$
649: and $\RR^*$. We say that a CRRT protocol is \emph{correct}, if for
650: any adversary $\RR^*$, if $\ADVCORRECT {\II}{\RR^*}=\varepsilon$ and
651: $\RR^*$ takes up to $t$ steps of computation then $\varepsilon\tau$ is
652: negligible (in $k$).
653:
654: We call a cryptographic RRT (CRRT) protocol \emph{weakly secure} if it
655: is privacy-preserving for the respondent and correct. We call CRRT
656: protocol \emph{(strongly) secure} if it is weakly secure and it is
657: privacy-preserving for the interviewer. While a secure CRRT protocol
658: is preferable in many situations, there are settings where a weakly
659: secure CRRT protocol suffices, such as where halting can be easily
660: detected and punished, or means for state recovery prevent
661: modifications between a first and second attempt of executing the
662: protocol.
663:
664: \section{Cryptographic RRT}\label{standard}
665:
666: We will propose three different CRRT-W protocols. In the first two
667: protocols, the common parameters are $\prcorrect=\ell/n > 1/2$;
668: generators $g$ and $h$ whose mutual discrete logs are unknown (at
669: least by $\RR$); and $K=(g;h)$. $\RR$ has private input $t=t_\RR$,
670: and $\II$'s private output is $r_\RR$.
671:
672: \PAR{CRRT Protocol Based on Oblivious Transfer.}
673: Our first implementation of RRT-W is described in
674: Protocol~\ref{prot:rrtw}. The arguments of knowledge can be
675: efficiently constructed, see Sect.~\ref{sec:building}. Here, we can
676: use $\AKLIN{y_1,\dots,y_{n+1};2\ell-n;\ell}$ since $\sum_{i\leq n}
677: \mu_i+(2\ell-n)\mu_{n+1}=\ell$ independently of the value of $t$. All
678: the steps in this protocol must be authenticated.
679: \begin{protocol*}[ht]
680: \textsc{Precomputation step:} \vspace*{-0.2cm}
681: \begin{enumerate}
682: \item $\RR$ prepares $n$ random bits $\mu_i\in\Set{0,1}$ for
683: $i\in[1,n]$, such that $\sum \mu_i=\ell$ if $t=1$ and $\sum
684: \mu_i=n-\ell$ if $t=0$. Additionally, she sets $\mu_{n+1}\ot
685: 1-t$.
686: \item $\II$ chooses an index $\sigma\in[1,n]$.
687: \end{enumerate}
688: \vspace*{-0.2cm} \textsc{Interactive step:} \vspace*{-0.2cm}
689: \begin{enumerate}
690: \item $\II$ and $\RR$ follow
691: $\OT{n}{g^{\mu_1},\dots,g^{\mu_n}}{\sigma}{K}$. $\II$ obtains
692: $g^{\mu_\sigma}$, and computes $\mu_\sigma$ from that.
693: \item $\RR$ sends to $\II$ noninteractive zero-knowledge arguments
694: $\AKBOOLEAN{y_1,\dots,y_{n+1}}$, and
695: $\AKLIN{y_1,\dots,y_{n+1};2\ell-n;\ell}$.
696: \item $\II$ verifies the arguments, and halts if the verification
697: fails.
698: \end{enumerate}
699: \caption{A secure CRRT-W protocol based on oblivious transfer}
700: \label{prot:rrtw}
701: \end{protocol*}
702:
703: If we take the number of bits that must be committed as the efficiency
704: measure (communication complexity of the protocol), then our protocol
705: has complexity $O(n)$. In the polling application, one can most
706: probably assume that $n\leq 5$. The security proofs of this protocol
707: follow directly from the properties of underlying primitives. As a
708: direct corollary from Theorem~\ref{thm:ot}, we get that
709: Protocol~\ref{prot:rrtw} is privacy-preserving for respondent
710: ($\ADVPR{k}{\RR,\II^*}\leq 2/q+O(1/q)$, where the constant comes in
711: from the use of statistically-hiding zero-knowledge arguments). It is
712: privacy preserving for interviewer, given the Decisional
713: Diffie-Hellman (DDH) assumption. The correctness of this protocol
714: follows from the properties of the zero-knowledge arguments used under
715: the DDH assumption.
716:
717: In a simplified weakly secure protocol based on the same idea, $\RR$
718: commits to all $\mu_i$ by computing and publishing $y_i\ot
719: \COMM{K}{\mu_i;\rho_i}$. Next, $\RR$ argues that
720: $\AKBOOLEAN{y_1,\dots,y_{n+1}}$, and
721: $\AKLIN{y_1,\dots,y_{n+1};2\ell-n;\ell}$. After that, $\II$ sends
722: $\sigma$ to $\RR$, who then reveals $\mu_\sigma$ and $\rho_\sigma$.
723: Upon obtaining these, $\II$ verifies the correctness of the previous
724: corresponding commitment, outputting $\mu_\sigma$.
725:
726: \PAR{CRRT from Coin-Flipping.}
727: Protocol~\ref{prot:rrtw2} depicts a secure CRRT-W protocol with
728: communication complexity $\Theta(d\log_2 n)$, where $d\defeq
729: \ceil{1/(1-\prcorrect)}$, and $\prcorrect=\ell/n$ as previously. While
730: in the common RRT application one can usually assume that $n$ is
731: relatively small, this second protocol is useful in some specific
732: game-theoretic applications where for the best outcome, $\prcorrect$
733: must have a very specific value. The idea behind this protocol is that
734: at least one of the integers $\mu+\nu+i\ell\mod{n}$ must be in
735: interval $[0,\ell-1]$, and at least one of them must be in interval
736: $[\ell,n-1]$. Hence, $\II$ gets necessary proofs for both the $0$ and
737: the $1$ answer, which is sufficient for his goal. For his choice to be
738: accepted, he must accompany the corresponding $r$ with $\RR$-s
739: signature on his commitment on $\sigma$.
740:
741: \begin{protocol*}[ht]
742: \textsc{Precomputation step:} \vspace*{-0.2cm}
743: \begin{enumerate}
744: \item $\RR$ chooses a random $\mu\otr[0,n-1]$.
745: \item $\II$ chooses random $\nu\otr[0,n-1]$ and $\sigma\otr[0,d-1]$.
746: \end{enumerate}
747: \vspace*{-0.2cm} \textsc{Interactive step:} \vspace*{-0.2cm}
748: \begin{enumerate}
749: \item $\RR$ commits to $t$ and $\mu$, and sends the commitments to
750: $\II$.
751: \item $\II$ commits to $\sigma$, by setting $y\ot
752: \COMM{K}{\sigma;\rho}$ for some random $\rho$. He sends $\nu$ and
753: $y$ to $\RR$, together with a zero-knowledge argument that $y$ is
754: a commitment of some $i\in[0,d-1]$.
755: \item\label{it:exmu} $\RR$ verifies the argument. She computes
756: values $\mu'_i$, for $i\in[0,d-1]$, such that $\mu'_i=t \iff
757: (\mu+\nu+i\ell\mod{n})< \ell$. She signs $y$, and sends her
758: signature together with $\Set{\mu'_i}$ and the next zero-knowledge
759: argument for every $i\in[0,d-1]$: $[\mu'_i=t \iff
760: (\mu+\nu+i\ell\mod{n})< \ell]$.
761: \item After that, $\II$ sets $r_\RR\ot \mu'_\sigma$. He will
762: accompany this with $\RR$-s signature on the commitment, so that
763: both $\RR$ and third parties can verify it.
764: \end{enumerate}
765: \caption{A secure CRRT-W protocol based on coin-flipping}
766: \label{prot:rrtw2}
767: \end{protocol*}
768:
769: A weakly secure version of this protocol is especially efficient.
770: There, one should set $d\ot 1$, and omit the steps in
771: Protocol~\ref{prot:rrtw2} that depend on $\sigma$ being greater than
772: $1$. (E.g., there is no need to commit to $\sigma$ anymore.) Thus,
773: such a protocol would have communication complexity $\Theta(\log_2
774: n)$. Now, $\prcorrect> 1/2$ (otherwise one could just do a bit-flip
775: on the answers), and hence $d>2$. On the other hand, the privacy of
776: respondents is in danger if say $\prcorrect\geq 3/4$. Thus, we may
777: assume that $d\in[3,4]$. Therefore, Protocol~\ref{prot:rrtw2} will be
778: more communication-efficient than Protocol~\ref{prot:rrtw} as soon as
779: $n/\log_2 n>4\geq d$, or $n\geq 16$. The weakly secure version will be
780: \emph{always} more communication-efficient.
781:
782: This protocol is especially efficient if the used commitment scheme is
783: an integer commitment
784: scheme~\cite{IEICE1999:FujisakiO,ASIACRYPT2002:DamgaardF}. In this
785: case, to argue that $(\mu+\nu+i\ell\mod{n})<\ell$ one only must do the
786: next two simple steps: first, argue that $\mu+\nu+i\ell=z+e n$ for
787: some $z$, $e$, and then, argue that $z\in[0,\ell-1]$. This can be done
788: efficiently by using the range proofs
789: from~\cite{EUROCRYPT2000:Boudot,Lipmaa:szkde:2001}. One can also use
790: Pedersen's scheme, but this would result in more complicated
791: arguments. \comment{See~\cite{EUROCRYPT2000:Boudot} for references.}
792:
793: \PAR{Quantum-Cryptographic RRT.}
794: We also present a \emph{quantum CRRT protocol} (see
795: Protocol~\ref{prot:qrrt}) that allows for a value $\prcorrect$ that
796: does not have to be a rational number, and which provides a relaxed
797: form of information-theoretic security to \emph{both} parties. While
798: not secure by our previous definitions, it provides meaningfully low
799: bounds on the probabilities of success for a cheater. Namely, (a) if
800: dishonest, $\RR$ cannot make his vote count as more than $\sqrt{2}$
801: votes: if $\prcorrect=\frac{1}{2}+\varepsilon$, then $\pradv\leq
802: \frac{1}{2}+\sqrt{2}\varepsilon$ (we also show a slightly better bound
803: with a more complicated expression for $\pradv$, cf. Appendix
804: \ref{quantumdetails}). (b) if dishonest strategy allows $\II$ to
805: learn $t$ with probability $\prcorrect+\varepsilon$, it also leads to
806: $\II$ being caught cheating with probability at least
807: $\frac{2\prcorrect-1}{2}\varepsilon$.
808: % Property (a) upper-bounds both
809: % $\ADVPI{k}{\RR^*,\II}$ and $\ADVCORRECT{k}{\RR^*,\II}$, while property
810: % (b) upper-bounds $\ADVPR{k}{\RR,\II^*}$.
811: This form of security (information-theoretic security with relaxed
812: definitions) is common for quantum protocols for tasks like bit
813: commitment \cite{STOC2000:AharonovTVY} or coin flipping
814: \cite{STOC2001:Ambainis,PRL2002:SpekkensR}. The security guarantees of
815: our quantum protocol compare quite well to ones achieved for those
816: tasks. A desirable property of this quantum protocol is that it can
817: be implemented by using contemporary technology, since it only
818: involves transmitting and measuring single qubits, and no maintaining
819: of coherent multi-qubit states.
820:
821:
822: \begin{protocol*}[tp]
823: \textsc{Precomputation step:} \vspace*{-0.2cm}
824: \begin{enumerate}
825: \item $\II$ chooses random $u_0\otr[0,1]$, $u_1\otr[0,1]$. He
826: generates quantum states
827: $\ket{\psi_0}=\sqrt{\prcorrect}\ket{u_0}+\sqrt{1-\prcorrect}\ket{1-u_0}$,
828: $\ket{\psi_1}=\sqrt{\prcorrect}\ket{u_1}+\sqrt{1-\prcorrect}\ket{1-u_1}$.
829: \item $\RR$ chooses a random $i\otr[0,1]$.
830: \end{enumerate}
831: \vspace*{-0.2cm} \textsc{Interactive step:} \vspace*{-0.2cm}
832: \begin{enumerate}
833: \item $\II$ sends $\ket{\psi_0}$ and $\ket{\psi_1}$ to $\RR$.
834: \item $\RR$ sends $i$ to $\II$.
835: \item $\II$ sends $u_i$ to $\RR$.
836: \item $\RR$ measures the state $\ket{\psi_i}$ in the basis
837: $\ket{\psi_{u_i}}=\sqrt{\prcorrect}\ket{u_i}+
838: \sqrt{1-\prcorrect}\ket{1-u_i}$,
839: $\ket{\psi^{\perp}_{u_i}}=\sqrt{1-\prcorrect}\ket{u_i}-
840: \sqrt{\prcorrect}\ket{1-u_i}$ and halts if the result is not
841: $\ket{\psi_{u_i}}$.
842: \item If the verification is passed, $\RR$ performs the
843: transformation $\ket{0}\rightarrow \ket{t}$, $\ket{1}\rightarrow
844: \ket{1-t}$ on the state $\ket{\psi_{1-i}}$ and sends it back to
845: $\II$.
846: \item $\II$ measures the state in the basis $\ket{0}$, $\ket{1}$,
847: gets outcome $s$. $\II$ outputs $r\ot u_i\oplus s$.
848: \end{enumerate}
849: \caption{A quantum CRRT-W protocol.}
850: \label{prot:qrrt}
851: \end{protocol*}
852:
853: To show the main ideas behind quantum protocol, we now show how to
854: analyze a simplified version of protocol \ref{prot:qrrt}. The
855: security proof for the full protocol is quite complicates and is given
856: in appendix \ref{quantumdetails}. We also refer to appendix
857: \ref{quantumdetails} for definitions of quantum states and operations
858: on them.
859: %If $\II$ has been honest, the verification yields $\ket{\psi_{u_i}}$.
860: %Briefly, if both parties are honest, $\II$ gets $t$ with probability
861: %$\prcorrect$ and $1-t$ with probability $1-\prcorrect$. The security is guaranteed by
862: %properties of quantum states. The first important property is that an
863: %unknown quantum state cannot be measured perfectly. This limits the
864: %ability of $\RR$ learning $u_{1-i}$ which would be necessary for
865: %successful cheating. The second property is that, if a description of
866: %a quantum state is known, the state can be verified. That means that,
867: %if $\RR$ prepares a state that is not
868: %$\sqrt{\prcorrect}\ket{0}+\sqrt{1-\prcorrect}\ket{1}$ or
869: %$\sqrt{\prcorrect}\ket{1}+\sqrt{1-\prcorrect}\ket{0}$, $\II$'s test catches that with a
870: %probability proportional to the difference between the actual state
871: %and the state claimed.
872: %(We postpone the formal statement to appendix.)
873: %This limits the ability of $\RR$ learning $t$ with probability more
874: %than $\prcorrect$.
875:
876: The simplified version of Protocol~\ref{prot:qrrt} is:
877: \begin{enumerate}
878: \item $\II$ chooses a random $u\otr[0,1]$, prepares a quantum bit in
879: the state
880: $\ket{\psi_u}=\sqrt{\prcorrect}\ket{u}+\sqrt{1-\prcorrect}\ket{1-u}$
881: and sends it to $\RR$.
882: \item $\RR$ performs a bit flip if her type $t=1$, and sends the
883: quantum bit back to $\II$.
884: \item $\II$ measures the state in the computational basis $\ket{0}$,
885: $\ket{1}$, gets answer $s$. The answer is $r=u\oplus s$.
886: \end{enumerate}
887:
888: If both parties are honest, the state returned by respondent is
889: unchanged: $\sqrt{\prcorrect}\ket{u}+\sqrt{1-\prcorrect}\ket{1-u}$ if
890: $t=0$ and $\sqrt{\prcorrect}\ket{1-u}+\sqrt{1-\prcorrect}\ket{u}$ if
891: $t=1$. Measuring this state gives the correct answer with probability
892: $1-\prcorrect$. Next, we show that respondent is unable to misuse
893: this protocol.
894:
895: \begin{theorem}\label{thm:q-honesti}
896: For any respondent's strategy $\RR^*$, the probability of honest
897: interviewer $\II$ getting $r=1$ is between $1-\prcorrect$ and
898: $\prcorrect$. Therefore, the previous protocol is both correct and
899: privacy-preserving for the interviewer.
900: \end{theorem}
901: \begin{proof}
902: We show that the probability of $r=1$ is at most $\prcorrect$. The
903: other direction is similar. We first modify the (simplified)
904: protocol by making $\RR^*$ to measure the state and send the
905: measured result to $\II$, this does not change the result of the
906: honest protocol since the measurement remains the same. Also, any
907: cheating strategy for $\RR^*$ in the original protocol can be used
908: in the new protocol as well. So, it is sufficient to bound the
909: probability of $r=1$ in the new protocol.
910:
911: Now, the answer is $r=1$ if $\II$ sent $\ket{\psi_i}$ and $\RR^*$
912: sends back $j$, with $i=j$. Thus, we have the setting of
913: Fact~\ref{TTheoremPure} (see Appendix~\ref{sec:qback}). The rest is
914: a calculation: to determine the angle $\beta$ between $\ket{\psi_0}$
915: and $\ket{\psi_1}$, it suffices to determine the inner product which
916: is $\sin\beta=2\sqrt{\prcorrect(1-\prcorrect)}$. Therefore,
917: $\cos\beta=\sqrt{1-\sin^2 \beta}=2\prcorrect-1$ and
918: $\frac{1}{2}+\frac{\cos\beta}{2}=\prcorrect$. \qed
919: \end{proof}
920:
921: On the other hand, when using this simplified version, a dishonest
922: interviewer $\II^*$ can always learn $t$ with probability 1. Namely,
923: it suffices to send the state $\ket{0}$. If $t=0$, $\RR$ sends
924: $\ket{0}$ back unchanged. If $t=1$, $\RR$ applies a bit flip. The
925: state becomes $\ket{1}$. $\II$ can then distinguish $\ket{0}$ from
926: $\ket{1}$ with certainty by a measurement in the computational basis.
927:
928: Note that this is similar to a classical ``protocol'', where $\II$
929: first generates a random $u$ and sends a bit $i$ that is equal to $u$
930: with probability $\prcorrect$ and $1-u$ with probability
931: $1-\prcorrect$. $\RR$ then flips the bit if $t=1$ and sends it back
932: unchanged if $t=0$. The interviewer XORs it with $u$, getting $t$ with
933: probability $\prcorrect$ and $1-t$ with probability $1-\prcorrect$.
934: In this "protocol", $\RR$ can never cheat. However, $\II^*$ can learn
935: $t$ with probability $1$ by just remembering $i$ and XORing the answer
936: with $i$ instead of $u$. In the classical world, this flaw is fatal
937: because $\II$ cannot prove that he has generated $i$ from the correct
938: probability distribution and has not kept a copy of $i$ for himself.
939: In the quantum case, $\II$ can prove to $\RR$ that he has correctly
940: prepared the quantum state. Then, we get Protocol~\ref{prot:qrrt}
941: with $\II$ sending two states $\ket{\psi_{u_0}}$ and
942: $\ket{\psi_{u_1}}$, one of which is verified and the other is used for
943: transmitting $t$. (See Appendix \ref{quantumdetails} for detailed
944: analysis of this protocol.)
945:
946:
947:
948: \section{Protocols for Other RRTs and Extensions}
949: \label{var}
950:
951: \PAR{Protocol for Cryptographic RRT-IQ\@.}
952: Recall that in one version of RRT-IQ, the respondent would reply with
953: his true opinion $t_\RR$ with a rational probability
954: $\prcorrect=\ell/n$, while he would otherwise flip a coin and answer
955: whether it came up tails. Like for CRRT-W, it is important to
956: guarantee the use of correct distributions. Protocol~\ref{prot:rrtw}
957: can be easily changed to work for this version of RRT-IQ\@. Instead of
958: $n$ random bits, $\RR$ prepares $2n$ random bits $\mu_i$, so that
959: $\sum \mu_i=n+\ell$ if $t_\RR=1$, and $\sum \mu_i=n-\ell$ if
960: $t_\RR=0$. She also prepares a checksum bit $\mu_{2n+1}=1-t_\RR$. The
961: rest of the protocol is principally the same as in
962: Protocol~\ref{prot:rrtw}, with $n$ changed to $2n$, and $\RR$ arguing
963: that $\AKLIN{y_1,\dots,y_{2n+1};2\ell;2n-\ell}$.
964:
965: \PAR{Protocol for Cryptographic PRRT-BD.}
966: The next protocol is a modification of Protocol~\ref{prot:rrtw} as
967: well. Let $p_i$ be such that $\prcorrect+\sum_{i\in[1,m]} p_i=1$, and
968: assume that every respondent has a type $t_\RR\in[1,m]$. Assume
969: $\prcorrect=\ell/n$, $p_i=\ell_i/n$ and that $p_i=0$ if
970: $i\not\in[1,m]$. Assume $D\geq \max(\ell,\ell_1,\dots,\ell_m)+1$. The
971: respondent prepares $n$ numbers $D^{\mu_i}$, such that
972: $\sharp\Set{i:\mu_i=t_\RR}=\ell_{t_\RR}+\ell$, and
973: $\sharp\Set{i:\mu_i=j}=\ell_j$, if $j\neq t_\RR$. Then the interviewer
974: and respondent will execute a variant of OT with choice $\sigma$,
975: during which the interviewer only gets to know the value $\mu_\sigma$.
976: Then the respondent argues that the sum of all commitments is a
977: commitment to the value $\sum \ell_i D^{\mu_i}+\ell D^j$, for some
978: $j\in[1,m]$, by using range-proofs in
979: exponents~\cite{FC2002:LipmaaAN}. (A more efficient proof methodology
980: is available when $D$ is a prime~\cite{FC2002:LipmaaAN}, given that
981: one uses an integer commitment scheme.) Additionally, she argues that
982: every single commitment corresponds to a value $D^i$ for $i\in[1,m]$,
983: also using range-proofs of exponents~\cite{FC2002:LipmaaAN}. After the
984: OT step, the interviewer gets $g^{\mu_\sigma}$, and recovers
985: $\mu_\sigma$ from it efficiently. (Note that $m\leq 10$ is typical in
986: the context of polling.)
987:
988: \PAR{Extensions to Hierarchies of Interviewers.}
989: One can consider a hierarchy of interviewers, reporting to some
990: central authority. If there is a trust relationship between these two
991: types of parties, no changes to our protocol would be required.
992: However, if the central authority would like to be able to avoid
993: having to trust interviewers, the following modifications could be
994: performed. First, each respondent would have to authenticate the
995: transcript he generates, whether with a standard signature scheme, a
996: group signature scheme, etc. Second, and in order to prevent
997: collusions between interviewers and respondents, the interviewers must
998: not be allowed to know the choice $\sigma$ made in a particular
999: interview. Thus, the triple $(A,B,C)$ normally generated by the
1000: interviewer during the Naor-Pinkas OT protocol would instead have to
1001: be generated by the central authority, and kept secret by the same.
1002: More efficient versions of \emph{proxy} OT satisfying our other
1003: requirements are beneficial for this
1004: application~\cite{ASIACRYPT2000:NaorP}.
1005:
1006: \infinal{\subsection*{Acknowledgments}
1007:
1008: We would like to thank Jouni K. Sepp\"{a}nen for introducing us to
1009: the RRT, and for fruitful discussions on the topic. We would like to
1010: thank Benny Pinkas for comments.}
1011:
1012: \bibliographystyle{alpha}
1013: % Let the comment be in! Helger
1014: \begin{thebibliography}{KANG99}
1015:
1016: \bibitem[Amb01]{STOC2001:Ambainis}
1017: Andris Ambainis.
1018: \newblock {A New Protocol and Lower Bounds for Quantum Coin Flipping}.
1019: \newblock In {\em {Proceedings of the Thirty-Third Annual ACM Symposium on the
1020: Theory of Computing}}, pages 134--142, Heraklion, Crete, Greece, July~6--8
1021: 2001. ACM Press.
1022:
1023: \bibitem[AS00]{SIGMOD2000:AgrawalS}
1024: Rakesh Agrawal and Ramakrishnan Srikant.
1025: \newblock {Privacy-Preserving Data Mining}.
1026: \newblock In {\em Proceedings of the ACM SIGMOD Conference on Management of
1027: Data}, pages 439--450, Dallas, TX, USA, May 2000.
1028:
1029: \bibitem[ATVY00]{STOC2000:AharonovTVY}
1030: Dorit Aharonov, Amnon {Ta-Shma}, Umesh~V. Vazirani, and Andrew Chi-Chih Yao.
1031: \newblock {Quantum Bit Escrow}.
1032: \newblock In {\em {Proceedings of the Thirty-Second Annual ACM Symposium on the
1033: Theory of Computing}}, pages 705--714, Portland, Oregon, USA, May~21--23
1034: 2000. ACM Press.
1035:
1036: \bibitem[BD76]{ISR1976:BourkeD}
1037: Patrick~D. Bourke and Tore Dalenius.
1038: \newblock {Some New Ideas in the Realm of Randomized Inquiries}.
1039: \newblock {\em International Statistics Review}, 44:219--221, 1976.
1040:
1041: \bibitem[Bou00]{EUROCRYPT2000:Boudot}
1042: Fabrice Boudot.
1043: \newblock {Efficient Proofs that a Committed Number Lies in an Interval}.
1044: \newblock In Bart Preneel, editor, {\em Advances in Cryptology --- EUROCRYPT
1045: 2000}, volume 1807 of {\em Lecture Notes in Computer Science}, pages
1046: 431--444, Bruges, Belgium, May~14--18 2000. Springer-Verlag.
1047: \newblock ISBN 3-540-67517-5.
1048:
1049: \bibitem[CDS94]{CRYPTO1994:CramerDS}
1050: Ronald Cramer, Ivan Damg{\aa}rd, and Berry Schoenmakers.
1051: \newblock {Proofs of Partial Knowledge and Simplified Design of Witness Hiding
1052: Protocols}.
1053: \newblock In Yvo~G. Desmedt, editor, {\em Advances in Cryptology---CRYPTO~'94},
1054: volume 839 of {\em Lecture Notes in Computer Science}, pages 174--187, Santa
1055: Barbara, USA, August~21--25 1994. Springer-Verlag.
1056:
1057: \bibitem[CM88]{book:ChaudhuriM:1988}
1058: Arijit Chaudhuri and Rahul Mukerjee.
1059: \newblock {\em {Randomized Response: Theory and Techniques}}, volume~95 of {\em
1060: {Statistics: Textbooks and Monographs}}.
1061: \newblock Marcel Dekker, Inc., 1988.
1062: \newblock ISBN: 0824777859.
1063:
1064: \bibitem[DF02]{ASIACRYPT2002:DamgaardF}
1065: Ivan Damg{\aa}rd and Eiichiro Fujisaki.
1066: \newblock {An Integer Commitment Scheme Based on Groups with Hidden Order}.
1067: \newblock In Yuliang Zheng, editor, {\em Advances on Cryptology --- ASIACRYPT
1068: 2002}, volume 2501 of {\em Lecture Notes in Computer Science}, pages
1069: 125--142, Queenstown, New Zealand, December~1--5 2002. Springer-Verlag.
1070:
1071: \bibitem[EGL85]{CACM85:EvenGL}
1072: Shimon Even, Oded Goldreich, and Abraham Lempel.
1073: \newblock {A Randomized Protocol for Signing Contracts}.
1074: \newblock {\em Communications of the ACM}, 28(6):637--647, June 1985.
1075:
1076: \bibitem[ESAG02]{KDDD2002:EvfimievskiSAG}
1077: Alexandre Evfimievski, Ramakrishnan Srikant, Rakesh Agrawal, and Johannes
1078: Gehrke.
1079: \newblock {Privacy Preserving Mining of Association Rules}.
1080: \newblock In {\em Proc. of the 8th ACM SIGKDD International Conference on
1081: Knowledge Discovery in Databases and Data Mining}, pages 217--228, Edmonton,
1082: Canada, July23--26 2002. ACM.
1083:
1084: \bibitem[FO99]{IEICE1999:FujisakiO}
1085: Eiichiro Fujisaki and Tatsuaki Okamoto.
1086: \newblock {Statistical Zero-Knowledge Protocols to Prove Modular Polynomial
1087: Relations}.
1088: \newblock {\em IEICE Transaction of Fundamentals of Electronic Communications
1089: and Computer Science}, E82-A(1):81--92, January 1999.
1090:
1091: \bibitem[GASH69]{JASA1969:GreenbergASH}
1092: Bernard~G. Greenberg, Abdel-Latif~A. {Abul-Ela}, Walt~R. Simmons, and Daniel~G.
1093: Horvitz.
1094: \newblock {The Unrelated Question Randomized Response Model: Theoretical
1095: Framework}.
1096: \newblock {\em Journal of the American Statistical Association},
1097: 64(326):520--539, June 1969.
1098:
1099: \bibitem[Gol02]{Goldreich2002:SMPC}
1100: Oded Goldreich.
1101: \newblock {Secure Multi-Party Computation}.
1102: \newblock Final (Incomplete) Draft, October~27 2002.
1103:
1104: \bibitem[JY96]{CRYPTO1996:JakobssonY}
1105: Markus Jakobsson and Moti Yung.
1106: \newblock {Proving Without Knowing: On Oblivious, Agnostic and Blindfolded
1107: Provers}.
1108: \newblock In Neal Koblitz, editor, {\em Advances in Cryptology---CRYPTO~'96},
1109: volume 1109 of {\em Lecture Notes in Computer Science}, pages 186--200, Santa
1110: Barbara, California, USA, August~18--22 1996. Springer-Verlag.
1111:
1112: \bibitem[KANG99]{WIAPP1999:KikuchiANG}
1113: Hiroaki Kikuchi, Jin Akiyama, Gisaku Nakamura, and Howard Gobioff.
1114: \newblock {Stochastic Voting Protocol To Protect Voters Privacy}.
1115: \newblock In {\em 1999 IEEE Workshop on Internet Applications}, pages 103--111,
1116: July~26--27 1999.
1117:
1118: \bibitem[LAN02]{FC2002:LipmaaAN}
1119: Helger Lipmaa, N.~Asokan, and Valtteri Niemi.
1120: \newblock {Secure Vickrey Auctions without Threshold Trust}.
1121: \newblock In Matt Blaze, editor, {\em Financial Cryptography --- Sixth
1122: International Conference}, volume 2357 of {\em Lecture Notes in Computer
1123: Science}, pages 87--101, Southhampton Beach, Bermuda, March~11--14 2002.
1124: Springer-Verlag.
1125:
1126: \bibitem[Lip01]{Lipmaa:szkde:2001}
1127: Helger Lipmaa.
1128: \newblock {Statistical Zero-Knowledge Proofs from Diophantine Equations}.
1129: \newblock Cryptology ePrint Archive, Report 2001/086, November~20 2001.
1130: \newblock {\tt http://eprint.iacr.org/}.
1131:
1132: \bibitem[NC00]{book:NielsenC:QC}
1133: Michael Nielsen and Isaac Chuang.
1134: \newblock {\em {Quantum Computation and Quantum Information}}.
1135: \newblock Cambridge University Press, 2000.
1136:
1137: \bibitem[NP01a]{ASIACRYPT2000:NaorP}
1138: Moni Naor and Benny Pinkas.
1139: \newblock {Distributed Oblivious Transfer}.
1140: \newblock In Tatsuaki Okamoto, editor, {\em Advances on Cryptology ---
1141: ASIACRYPT 2001}, volume 1976 of {\em Lecture Notes in Computer Science},
1142: pages 205--219, Kyoto, Japan, 3--7~December 2001. Springer-Verlag.
1143: \newblock ISBN 3-540-41404-5.
1144:
1145: \bibitem[NP01b]{SODA2001:NaorP}
1146: Moni Naor and Benny Pinkas.
1147: \newblock {Efficient Oblivious Transfer Protocols}.
1148: \newblock In {\em Proceedings of the Twelfth Annual ACM-SIAM Symposium on
1149: Discrete Algorithms}, pages 448--457, Washington, DC, USA, January~7--9 2001.
1150:
1151: \bibitem[Ped91]{CRYPTO1991:Pedersen}
1152: Torben~P. Pedersen.
1153: \newblock {Non-Interactive and Information-Theoretic Secure Verifiable Secret
1154: Sharing}.
1155: \newblock In J.~Feigenbaum, editor, {\em Advances in Cryptology---CRYPTO~'91},
1156: volume 576 of {\em Lecture Notes in Computer Science}, pages 129--140, Santa
1157: Barbara, California, USA, August~11--15 1991. Springer-Verlag, 1992.
1158:
1159: \bibitem[Rab81]{Rabin81}
1160: Michael Rabin.
1161: \newblock {How to exchange secrets by oblivious transfer}.
1162: \newblock Technical Report TR-81, Aiken Computation Laboratory, Harvard
1163: University, 1981.
1164:
1165: \bibitem[SR02]{PRL2002:SpekkensR}
1166: Robert Spekkens and Terry Rudolph.
1167: \newblock {A Quantum Protocol for Cheat-Sensitive Weak Coin Flipping}.
1168: \newblock {\em Physical Review Letters}, 89:227901, 2002.
1169:
1170: \bibitem[Tze02]{PKC2002:Tzeng}
1171: Wen-Guey Tzeng.
1172: \newblock {Efficient 1-Out-n Oblivious Transfer Schemes}.
1173: \newblock In David Naccache and Pascal Paillier, editors, {\em Public Key
1174: Cryptography '2002}, volume 2274 of {\em Lecture Notes in Computer Science},
1175: pages 159--171, Paris, France, February12--14 2002. Springer-Verlag.
1176:
1177: \bibitem[War65]{JASA1965:Warner}
1178: Stanley~L. Warner.
1179: \newblock {Randomized Response: A Survey Technique for Eliminating Evasive
1180: Answer Bias}.
1181: \newblock {\em Journal of the American Statistical Association},
1182: 60(309):63--69, March 1965.
1183:
1184: \end{thebibliography}
1185:
1186:
1187: %\bibliography{/home/helger/research/biblio/helger.bib}
1188:
1189:
1190: \appendix
1191:
1192: \section{Security of Modified Oblivious Transfer Protocol}\label{app:secot}
1193:
1194: From our oblivious transfer protocol $\OT{n}{\mu}{\sigma}{K}$ we will
1195: require that it must be secure in the next sense. The attack scenario
1196: consists of the following game. The chooser $\II^*$ chooses $\sigma$
1197: and two different vectors, $\mu[1]=(\mu[1]_1,\dots,\mu[1]_n)\in M^n$
1198: and $\mu[2]=(\mu[1]_1,\dots,\mu[1]_n)\in M^n$, such that
1199: $\mu[1]_\sigma=\mu[2]_\sigma$. Denote an $\II^*$ that has made such
1200: choices by $\II^*(\mu[1],\mu[2])$. He submits both tuples to the
1201: responder, who flips a fair coin $b\otr[1,2]$. After that, the chooser
1202: and the responder execute the protocol $\OT{n}{\mu[b]}{\sigma}{K}$.
1203: After receiving $\mu[b]_\sigma$, $\II^*$ guesses the value of $b$. Let
1204: $\ADVLOR{k}{\II^*,\RR}$ be the probability that $\II^*$ guesses the
1205: correct $b$, where probability is taken over the internal coin tosses
1206: of $\II^*$ and $\RR$. We say that the oblivious transfer protocol is
1207: $\varepsilon$-secure in the \emph{left-or-right} sense, if for any
1208: unbounded algorithm $\II^*$, $\ADVLOR{k}{\II^*,\RR}\leq \varepsilon$.
1209:
1210: Recall that the proposed variant of the Naor-Pinkas protocol works as
1211: follows:
1212: \begin{enumerate}
1213: \item $\II$ generates random $a,b\ot \ZZ_q$ and sends $(A,B,C)\ot
1214: (g^a,g^b,g^{ab-\sigma+1})$ to $\RR$.
1215: \item $\RR$ performs the following, for $i\in[1,n]$: Generate random
1216: $(r_i,s_i)$. Compute $w_i\ot g^{r_i}A^{s_i}$, compute an encryption
1217: $y_i\ot g^{\mu_i}h^{v_i}$, where $v_i\ot B^{r_i}(C\cdot
1218: g^{i-1})^{s_i}$. Send $(w_i, y_i)$ to $\II$.
1219: \item $\II$ computes $w_\sigma^{b}(=v_\sigma)$ and recovers
1220: $g^{\mu_\sigma}\ot y_\sigma/h^{w_\sigma^b}$.
1221: \end{enumerate}
1222:
1223: \begin{theorem}\label{thm:ot}
1224: Let $\OT{n}{\cdot}{\cdot}{K}$ be the described oblivious transfer
1225: protocol. (a) If a malicious $\RR^*$ can guess the value of $\sigma$
1226: with advantage $\varepsilon$, then he can solve the Decisional
1227: Diffie Hellman (DDH) problem with the same probability and in
1228: approximately the same time. (v) This protocol is $(m-d)(m-1)/q\leq
1229: m(m-1)/q$-secure in the left-or-right sense, where $d\defeq
1230: q\mod{m}$ and $m\defeq |M|$.
1231: \end{theorem}
1232:
1233: \begin{proof}[Sketch.]
1234: (a) Assume that $\RR^*$ can guess $\sigma$ with probability
1235: $\varepsilon$, given her view $(A, B, C) = (g^a, g^b, g^{a b -
1236: \sigma + 1}$). But then she can solve the DDH problem (given
1237: $(g^a, g^b, g^c)$ for random $a$ and $b$, decide whether $c = a b$
1238: or not) with probability $\varepsilon$: given an input $(g^a, g^b,
1239: g^c)$, she just computes such a $\sigma$, for which $c = a b -
1240: \sigma + 1$. After that, she only has to check whether $\sigma=1$
1241: or not.
1242:
1243: (b) W.l.o.g., assume that $\sigma=1$. Define $\nu[j]$ to be a
1244: vector, for which which $\nu[j]_i=\mu[1]_i$ if $i>j$, and
1245: $\nu[j]_i=\mu[2]_i$ if $i\leq j$. Thus $\nu[1]=\mu[1]$ (since
1246: $\mu[1]_1=\mu[2]_1$), while $\nu[n]=\mu[2]$, and for all $j$,
1247: $\nu[j-1]$ and $\nu[j]$ differ only in the $j$th element
1248: $\nu[j]_j\neq \nu[j+1]_j$. Thus, our goal is to show that
1249: $\II^*(\nu[1],\nu[n])\leq m(m-1)/q$. For this we will prove that
1250: $\II^*(\nu[j-1],\nu[j])\leq (m-d)/q \leq m/q$ for every $j\in[2,n]$
1251: and then use the triangle equality to establish that
1252: $\ADVLOR{k}{\II^*(\mu[1],\mu[2]),\RR}\leq \sum_{i=2^n}
1253: \ADVLOR{k}{\II^*(\nu[j-1],\nu[j]), \RR}$.
1254:
1255: Now, fix a $j\in[2,n]$. After the protocol execution $(\II^*,\RR)$,
1256: $\RR$ flipping the coin $b\otr[1,2]$, $\II^*$ must guess the value
1257: of $b$, based on his private input $(\mu[1],\mu[2])$, his private
1258: output $\mu[b]_1$, and the protocol view. Since
1259: $\nu[j-1]_i=\nu[j]_i$ for $i\neq j$, this is equivalent to guessing
1260: whether $\nu[j-2+b]_j= \nu[j-1]_j$ or $\nu[j-2+b]_j= \nu[j]_b$.
1261: Clearly, his success is maximized here when $\nu[j-1]_j\neq
1262: \nu[j]_j$. Next, $\II^*$'s view consists of $(A,B,C;\Set{(w_j,
1263: y_j)})$, where $(w_j,y_j) \ot (g^{r_j} A^{s_j}, g^{\mu_j}
1264: h^{B^{r_j} \cdot (C \cdot g^{j - 1})^{s_j}})$ for $A$, $B$ and $C$
1265: chosen by himself. Since $\II^*$ is unbounded, he can find the
1266: value of $\alpha \neq 0$, and therefore he knows that $(w_j,y_j)=
1267: (g^{r_j+as_j},g^{\mu_j+\alpha B^{r_j}(C\cdot g^{j-1})^{s_j}})$.
1268: Since $r_j$ and $s_j$ are randomly chosen by a honest $\RR$, then
1269: the elements $w_j$ look completely random to $\II^*$, and do not
1270: help in guessing the value of $\mu_j$. He also cannot use any
1271: information in $(w_j,y_j)$, $j\neq j$, since these values do not
1272: depend on $\mu_j$.
1273:
1274: Thus, to guess the value $\nu[j-2+b]_j$, he must find a bias in the
1275: value $a B^{r_j}(C g^{j-1})^{s_j} = \alpha g^{b r_j+(ab+j-\sigma)
1276: s_j} \mod{q}$. Note that $x\defeq \alpha g^{b r_j + (a b + j -
1277: \sigma) s_j}$ is a random element of $\ZZ_p^*$ due to the choice
1278: of $r_j$ and $s_j$, unless $b=ab+j-\sigma=0$. The latter will
1279: automatically hold if $i = \sigma$, but only with a negligible
1280: probability otherwise. Thus, we can assume that $x$ is chosen
1281: randomly from $\ZZ_p^*$. Guessing $\mu_j \in \ZZ_m$ from $y_j$ is
1282: equivalent to guessing the value $(x \mod{q}) \mod{m}$. Denote
1283: $e\defeq \floor{q/m}$. Since $q \mid (p - 1)$ then $x \mod{q}$ is a
1284: random element of $\ZZ_q$, and $\sharp \Set{x: x\mod{q}\mod{m}=j}
1285: \in e+c$, where $c \in \Set{ 0, 1}$ is $1$ iff $j < d$. Thus the
1286: best strategy of $\II^*$ is to guess that $x$ is equivalent to some
1287: element $j< d$, and equivalently, that $\nu[j-2+b]_j\mod{m}\geq d$.
1288: He will achieve this by choosing exactly one of the two element
1289: $\nu[j-1]_b$ and $\nu[j-1]_b$ to have residue modulo $m$ that is
1290: less than $d$. Then he will succeed with probability $e/q+1/q$
1291: which gives him an advantage $e/q+1/q-1/m=(m-d)/q\leq m/q$ over
1292: random guessing the bit $b$. \qed
1293: \end{proof}
1294:
1295: Security in the left-or-right sense is both necessary and sufficient
1296: for our purposes. Namely, in the RRT-W protocol
1297: (Sect.~\ref{standard}), the interviewer $\II^*$ knows that the input
1298: is --- up to the permutation of indices --- one of the two values. For
1299: small $n$, the number of permutations is small, and thus with a high
1300: probability $\II^*$ can guess that $\mu$ is one of the two, known for
1301: him, Boolean vectors. Without security in the left-or-right sense, he
1302: would be able to guess which of the two vectors is currently used, and
1303: thus to find the type of the respondent. On the other hand, if the
1304: oblivious transfer protocol is secure in the left-or-right sense,
1305: $\II^*$ cannot predict the Hamming weight $w_h(\mu)=\sharp
1306: \Set{i:\mu_1=1}$ of $\RR$'s input.
1307:
1308: \section{Detailed Quantum CRRT}
1309: \label{quantumdetails}
1310:
1311: \subsection{Background on Quantum Information}\label{sec:qback}
1312:
1313: In this section, we describe the basic notions of quantum information
1314: needed to understand the quantum protocol and the analysis of its
1315: simplified version in section \ref{standard}.
1316:
1317: For a more detailed introduction to quantum information, we refer to
1318: book by Nielsen and Chuang \cite{book:NielsenC:QC}. A \emph{qubit} is
1319: the basic unit of quantum information, similar to a bit in the
1320: conventional (classical) computing. A qubit has two basis states that
1321: are denoted by $\ket{0}$ and $\ket{1}$. \comment{They correspond to
1322: conventional $0$ and $1$.} A general state of a qubit is
1323: $\alpha\ket{0}+\beta\ket{1}$, with $\alpha$, $\beta$ being complex
1324: numbers with $|\alpha|^2+|\beta|^2=1$.
1325:
1326: We can perform two types of operations on quantum bits: unitary
1327: transformations and measurements. The simplest \emph{measurement} of
1328: of a qubit $\alpha\ket{0}+\beta\ket{1}$ is in the \emph{computational
1329: basis} that gives the result $0$ with probability $|\alpha|^2$ and
1330: $1$ with probability $|\beta|^2$. The state of the qubit then becomes
1331: $\ket{0}$ or $\ket{1}$. Therefore, repeating the measurement gives the
1332: same outcome. As long as we only consider this one type of
1333: measurement, the state $\alpha\ket{0}+\beta\ket{1}$ behaves similarly
1334: to a probabilistic state that has been prepared as $0$ with
1335: probability $|\alpha|^2$ and $1$ with probability $|\beta|^2$. This
1336: analogy disappears, though, when we consider other transformations.
1337: \emph{A unitary transformation} is a linear transformation on the
1338: two-dimensional space of all $\alpha\ket{0}+\beta\ket{1}$ that
1339: preserves the vector norm. Two examples of unitary transformations
1340: are the identity
1341: $I(\alpha\ket{0}+\beta\ket{1})=\alpha\ket{0}+\beta\ket{1}$ and the bit
1342: flip $X(\alpha\ket{0}+\beta\ket{1})=\alpha\ket{1}+\beta\ket{0}$.
1343: \comment{ and sign flip
1344: $Z(\alpha\ket{0}+\beta\ket{1})=\alpha\ket{0}-\beta\ket{1}$. To
1345: specify a unitary transformation, it suffices to specify $U\ket{0}$
1346: and $U\ket{1}$. Then, by linearity, $U(\alpha\ket{0}+\beta\ket{1})=
1347: \alpha U\ket{0}+\beta U\ket{1}$. For a transformation $U$ to be
1348: unitary, it is necessary and sufficient that $U\ket{0}$ and
1349: $U\ket{1}$ are orthogonal.} A \emph{general von Neumann measurement}
1350: on a qubit~$\ket{\Psi}$ is specified by two orthogonal vectors
1351: $\ket{\Phi_0}$ and $\ket{\Phi_1}$. The outcome is either $0$ or~$1$;
1352: the probability of outcome~$i$ is equal to the squared inner product
1353: of $\ket{\Psi}$ and $\ket{\Phi_i}$. The state of the qubit becomes
1354: $\ket{\Phi_i}$. This measurement can be reduced to the measurement in
1355: the computational basis as follows. We take a unitary $U$ that maps
1356: $\ket{\Phi_0}$ to $\ket{0}$ and $\ket{\Phi_1}$ to $\ket{1}$. We apply
1357: $U$ to the state $\ket{\Psi}$ that we want to measure. Then, we
1358: measure the resulting state in the computational basis and apply
1359: $U^{-1}$.
1360:
1361: \PAR{Distinguishability.}
1362: Assume someone prepares two states $\ket{\Phi_0}$ and $\ket{\Phi_1}$,
1363: flips a fair coin $i\otr[0,1]$, and sends $\ket{\Phi_i}$ it to us. We
1364: would like to guess $i$ by measuring the state. We measure our
1365: success by the probability that our guess $j\in\Set{0, 1}$ coincides
1366: with $i$. If $\ket{\Phi_0}$ and $\ket{\Phi_1}$ are orthogonal, a von
1367: Neumann measurement in $\ket{\Phi_0}$, $\ket{\Phi_1}$ basis tells $i$
1368: with certainty. For non-orthogonal states, no measurement gives $i$
1369: with certainty.
1370:
1371: \begin{fact}\cite{book:NielsenC:QC}\label{TTheoremPure}
1372: The maximum success probability with what we can distinguish
1373: $\ket{\Phi_0}$ from $\ket{\Phi_1}$ is
1374: $\frac{1}{2}+\frac{\sin\beta}{2}$, $\beta$ being the angle between
1375: $\ket{\Phi_0}$ and $\ket{\Phi_1}$.
1376: \end{fact}
1377:
1378: The above definitions are sufficient to understand the protocol and
1379: the analysis of simplified version in section \ref{standard}. For the
1380: full security proof, more advanced notions like \emph{density
1381: matrices} are needed, which are described in
1382: Sect.~\ref{sec:density}.
1383:
1384:
1385: \subsection{Density Matrices}\label{sec:density}
1386:
1387: To prove the security of protocol~\ref{prot:qrrt}, we need the more
1388: advanced formalism of \emph{density matrices}.
1389: % that are a useful
1390: %formalism for quantum states.
1391: We interpret $\ket{\psi}=\alpha\ket{0}+\beta\ket{1}$ as a column
1392: vector $(\alpha,\beta)^T$. Let $\bra{\psi}$ denote a row vector
1393: $(\alpha^* \beta^*)$, with~$*$ being the complex conjugation operator.
1394: Then, the density matrix of $\ket{\psi}$ is
1395: \[
1396: \ket{\psi}\bra{\psi}=
1397: \begin{pmatrix}
1398: \alpha \\
1399: \beta
1400: \end{pmatrix}
1401: (\alpha^* \beta^* ) =
1402: \begin{pmatrix}
1403: \alpha\alpha^* & \alpha\beta^* \\
1404: \beta\alpha^* & \beta\beta^*
1405: \end{pmatrix}\enspace.
1406: \]
1407:
1408: Next, assume that we generate a classical random variable that is $i$
1409: with probability $p_i$ and then prepare a quantum state $\ket{\psi_i}$
1410: dependent on $i$. This creates a \emph{mixed} quantum state. It can
1411: be also described by a density matrix $\rho=\sum_{i}
1412: p_i\ket{\psi_i}\bra{\psi_i}$. If we measure a mixed state with a
1413: density matrix $\rho$ in a basis $\ket{\Phi_0}$, $\ket{\Phi_1}$, the
1414: probability of getting outcome $i$ is $\lbra \Phi_i | \rho |
1415: \Phi_i\rket$ (i.e., we multiply the density matrix with the row vector
1416: $\bra{\Phi_i}$ on the left and the column vector $\ket{\Phi_i}$ on the
1417: right and get a number which is the probability). The following is a
1418: counterpart of Fact~\ref{TTheoremPure} for mixed states.
1419:
1420: \begin{fact}\cite{book:NielsenC:QC}\label{TTheorem}
1421: The maximum success probability with which we can distinguish
1422: $\rho_0$ from $\rho_1$ is
1423: $\frac{1}{2}+\frac{\|\rho_0-\rho_1\|_t}{4}$, where $\|A\|_t$ is the
1424: trace norm of $A$ (the trace (sum of diagonal entries) of matrix
1425: $\sqrt{A^\top A}$).
1426: \end{fact}
1427:
1428: \subsection{Security Proofs for Protocol~\ref{prot:qrrt}}
1429:
1430: \PAR{Security against Malicious Interviewer.}
1431: \begin{theorem}\label{ISecurity}
1432: If a strategy for dishonest $\II^*$ leads to being caught with
1433: probability at most $\varepsilon$, $\II^*$ can learn $r$ correctly
1434: with probability at most
1435: $\prcorrect+\frac{2}{2\prcorrect-1}\varepsilon$.
1436: \end{theorem}
1437:
1438: The security of this type (cheating is possible but not without risk
1439: of being detected) is common to many quantum protocols, for example
1440: quantum bit commitment \cite{STOC2000:AharonovTVY} or coin flipping
1441: \cite{PRL2002:SpekkensR}. We note that our security guarantee is
1442: stronger than one achieved in \cite{STOC2000:AharonovTVY}. Namely, in
1443: the bit commitment protocol of \cite{STOC2000:AharonovTVY}, a
1444: dishonest party can successfully cheat with probability $\varepsilon$
1445: so that the probability of being detected is just $O(\varepsilon^2)$.
1446:
1447: \begin{proof}[Theorem~\ref{ISecurity}]
1448: Assume that we are given a strategy for dishonest $\II^*$. First,
1449: notice that if we reverse the roles of $\ket{0}$ and $\ket{1}$
1450: everywhere in this strategy, both the probability of passing the
1451: test and the probability of learning $t$ correctly remain the same.
1452: Therefore, we can assume that the protocol is symmetric w.r.t.\
1453: switching $\ket{0}$ and $\ket{1}$.
1454:
1455: Consider the state of the first quantum bit sent by $\II^*$. In the
1456: general case, $\II^*$ can send probabilistic combinations of various
1457: quantum states. Therefore, the first quantum bit can be in a mixed
1458: state with some density matrix
1459: \[
1460: \rho=
1461: \begin{pmatrix}
1462: a & \alpha+\beta i \\
1463: \alpha-\beta i & b
1464: \end{pmatrix}\enspace.
1465: \]
1466: Since the strategy is symmetric w.r.t.\ switching $\ket{0}$ and
1467: $\ket{1}$, $\rho$ must be also symmetric in the same sense, implying
1468: that $a=b=1/2$ and $\beta=0$. Thus,
1469: \[
1470: \rho=
1471: \begin{pmatrix}
1472: 1/2 & \alpha \\
1473: \alpha & 1/2
1474: \end{pmatrix}\enspace.
1475: \]
1476: If $\II$ is honest, $\alpha=\sqrt{\prcorrect(1-\prcorrect)}$.
1477: Theorem~\ref{ISecurity} follows from the following two lemmas.
1478:
1479: \begin{lemma}\label{ICheat1}
1480: The probability of $\II^*$ failing the test if the first quantum
1481: bit is chosen for verification is at least
1482: $(\sqrt{\prcorrect(1-\prcorrect)}-\alpha)\sqrt{\prcorrect(1-\prcorrect)}$.
1483: \end{lemma}
1484:
1485: \begin{lemma}\label{ICheat2}
1486: The probability of $\II^*$ learning $t$ correctly if the first bit
1487: is used for protocol and the second bit used for verification is
1488: at most $\frac{1}{2}+\frac{\sqrt{1-4\alpha^2}}{2}$.
1489: \end{lemma}
1490: We will for a moment assume the validity of these theorems (their
1491: proofs are given slightly later), and will now continue with the
1492: proof of the theorem.
1493:
1494: Let $\varepsilon$ be the probability with which $\II^*$ allows to be
1495: caught. By Lemma~\ref{ICheat1},
1496: $(\sqrt{\prcorrect(1-\prcorrect)}-\alpha)
1497: \sqrt{\prcorrect(1-\prcorrect)}\leq \varepsilon$. Therefore,
1498: $\alpha\geq \sqrt{\prcorrect(1-\prcorrect)}-
1499: \frac{\varepsilon}{\sqrt{\prcorrect(1-\prcorrect)}}$. By
1500: substituting that into Lemma~\ref{ICheat2}, we get $
1501: \frac{1}{2}+\frac{\sqrt{1-4\alpha^2}}{2} \leq
1502: \frac{1}{2}+\frac{\sqrt{1-4\prcorrect(1-\prcorrect)+8
1503: \varepsilon}}{2}$. If $\II$ is honest, the probability that
1504: $r=t$ is $\frac{1}{2}+\frac{\sqrt{1-4\prcorrect(1-\prcorrect)}}{2}$.
1505: The extra advantage gained by $\II^*$ is at most
1506: $\frac{\sqrt{1-4\prcorrect(1-\prcorrect)+8 \varepsilon}}{2}-
1507: \frac{\sqrt{1-4\prcorrect(1-\prcorrect)}}{2} \leq
1508: \frac{2\varepsilon}{2\prcorrect-1}$ (assuming that
1509: $\prcorrect>1/2$).\qed
1510: \end{proof}
1511:
1512: \begin{proof}[Lemma~\ref{ICheat1}]
1513: When the first bit is chosen for verification, $\II^*$ either claims
1514: that it is $\ket{\psi_0}$ or $\ket{\psi_1}$. By symmetry, the
1515: probability of each of those is 1/2. We partition
1516: $\rho=\frac{1}{2}\rho_0+\frac{1}{2}\rho_1$, with $\rho_i$ being the
1517: part for which $\II^*$ claims that the state is $\ket{\psi_i}$. Let
1518: \[
1519: \rho_0=
1520: \begin{pmatrix}
1521: a' & \alpha' \\
1522: \alpha' & b'
1523: \end{pmatrix}\enspace.
1524: \]
1525: By symmetry, $\rho_1$ should be the same with $\ket{0}$ and
1526: $\ket{1}$ reversed:
1527: \[
1528: \rho_1=
1529: \begin{pmatrix}
1530: b' & \alpha' \\
1531: \alpha' & a'
1532: \end{pmatrix}\enspace.
1533: \]
1534: Since $\rho=\frac{1}{2}\rho_0+\frac{1}{2}\rho_1$, $a'+b'=1$ and
1535: $\alpha'=\alpha$. Therefore, we have
1536: \[
1537: \rho_0=
1538: \begin{pmatrix}
1539: a' & \alpha \\
1540: \alpha & 1-a'
1541: \end{pmatrix}\enspace.
1542: \]
1543: The probability of this state passing verification as $\ket{\psi_0}$
1544: is
1545: \begin{align*}
1546: \lbra \Psi_0 | \rho_0 | \Psi_0\rket = &
1547: \begin{pmatrix}
1548: \sqrt{\prcorrect} & \sqrt{1-\prcorrect}
1549: \end{pmatrix}
1550: \left( \begin{array}{cc} a' & \alpha \\ \alpha & 1-a' \end{array}
1551: \right) \left( \begin{array}{c} \sqrt{\prcorrect} \\
1552: \sqrt{1-\prcorrect} \end{array} \right)\\
1553: =& a' \prcorrect +
1554: (1-a')(1-\prcorrect)+2\alpha\sqrt{\prcorrect(1-\prcorrect)}\\
1555: \leq& \prcorrect^2 +
1556: (1-\prcorrect)^2+2\alpha\sqrt{\prcorrect(1-\prcorrect)}\\
1557: =& (\prcorrect+(1-\prcorrect))^2 -
1558: (\sqrt{\prcorrect(1-\prcorrect)}-\alpha)\sqrt{\prcorrect(1-\prcorrect)}\\
1559: =& 1-
1560: (\sqrt{\prcorrect(1-\prcorrect)}-\alpha)\sqrt{\prcorrect(1-\prcorrect)}\enspace.
1561: \end{align*}\qed
1562: \end{proof}
1563:
1564: \begin{proof}[Lemma~\ref{ICheat2}]
1565: We assume that the second qubit has been prepared perfectly and
1566: its verification always succeeds. (If $\II^*$ cheated in
1567: preparing the second qubit as well, this only decreases the
1568: probability of success for $\II^*$ and the claim that we prove
1569: remains valid.)
1570:
1571: After the test is passed on the second qubit, $\RR$ has the first
1572: qubit in the mixed state $\rho$. The mixed state $\rho$ is the
1573: same as one obtained by taking
1574: $\frac{1}{\sqrt{2}}\ket{0}+\frac{1}{\sqrt{2}}\ket{1}$ with
1575: probability $2\alpha$ and $\ket{0}$, $\ket{1}$ with probabilities
1576: $\frac{1}{2}-\alpha$ each. Therefore, the joint state of $\II^*$
1577: and $\RR$ is equivalent to
1578: $\ket{\psi_{(\RR,\II^*)}}=\sqrt{\frac{1}{2}-\alpha}\ket{0}_{\II^*}\ket{0}_{\RR}+
1579: \sqrt{\frac{1}{2}-\alpha}\ket{1}_{\II^*}\ket{1}_{\RR}+
1580: \sqrt{2\alpha} \ket{2}_{\II^*}
1581: (\frac{1}{\sqrt{2}}\ket{0}+\frac{1}{\sqrt{2}}\ket{1})_{\RR}$. If
1582: $\RR$'s secret bit $t=0$, he just sends his part back to $\II^*$.
1583: After that, $\II^*$ possesses the entire state
1584: $\ket{\psi_{(\RR,\II^*)}}$. Otherwise, $\RR$ flips the qubit
1585: before sending back and $\II^*$ gets
1586: $\ket{\psi'_{(\RR,\II^*)}}=\sqrt{\frac{1}{2}-\alpha}\ket{0}_{\II^*}\ket{1}_{\RR}+
1587: \sqrt{\frac{1}{2}-\alpha}\ket{1}_{\II^*}\ket{0}_{\RR}+
1588: \sqrt{2\alpha} \ket{2}_{\II^*}
1589: (\frac{1}{\sqrt{2}}\ket{0}+\frac{1}{\sqrt{2}}\ket{1})_{\RR}$. Now,
1590: the question is how well can $\II^*$ distinguish these two states.
1591: By Fact~\ref{TTheoremPure}, the best probability with which he can
1592: get $t$ is
1593: $\frac{1}{2}+\frac{\sin\beta}{2}=\frac{1}{2}+\frac{\sqrt{1-\cos^2\beta}}{2}$
1594: where $\beta$ is the angle between the two states. $\cos\beta$ is
1595: equal to the inner product of $\ket{\psi_{(\RR,\II^*)}}$ and
1596: $\ket{\psi'_{(\RR,\II^*)}}$ which is $2\alpha$ ( because the first
1597: two components of $\ket{\psi_{(\RR,\II^*)}}$ are orthogonal to the
1598: first two components of $\ket{\psi'_{(\RR,\II^*)}}$ but the third
1599: component is equal).\qed
1600: \end{proof}
1601:
1602: \PAR{Security against Malicious Respondent.}
1603:
1604: \begin{theorem}
1605: \label{thm:malres}
1606: Let $\prcorrect<\frac{1}{2}+\frac{ \sqrt{3} }{4}=0.933...$. If $\II$
1607: is honest, $\RR^*$ cannot achieve $t=0$ (or $t=1$) with probability
1608: more than $\pradv\leq \frac{1}{2}+
1609: \sqrt{\sqrt{4\prcorrect-4\prcorrect^2}-(4\prcorrect-4\prcorrect^2)}$.
1610: \end{theorem}
1611:
1612: The probability $\pradv$ remains less than 1 for all
1613: $\prcorrect<0.933...$. Thus, our protocol offers nontrivial security
1614: guarantees for all $\prcorrect<0.933...$. Since the expression for
1615: $\pradv$ is quite complicated, we also present a simple but less
1616: precise bound. Let $\prcorrect=\frac{1}{2}+\epsilon$. Then,
1617: $\pradv\leq \frac{1}{2}+\sqrt{2}\epsilon$. Informally, this means
1618: that no $\RR^*$ can make his vote count as more than $\sqrt{2}$ votes.
1619: This gives a non-trivial bound on $\pradv$ for $\prcorrect<
1620: \frac{1}{2}+\frac{1}{2\sqrt{2}}=0.853...$.
1621:
1622: If $0.853...\leq \prcorrect\leq 0.933...$, then
1623: $\frac{1}{2}+\sqrt{2}\epsilon\geq 1$ but $\pradv<1$ which can be seen
1624: by evaluating the expression of theorem \ref{thm:malres} directly.
1625:
1626: \begin{proof}
1627: There are four possible states that a responder can receive from an
1628: honest $\II$: $\ket{\psi_0}\ket{\psi_0}$,
1629: $\ket{\psi_0}\ket{\psi_1}$, $\ket{\psi_1}\ket{\psi_0}$,
1630: $\ket{\psi_1}\ket{\psi_1}$. An honest responder then randomly
1631: requests to verify one of two quantum bits. A dishonest $\RR^*$ can
1632: measure the state and then decide to verify one of two bits based on
1633: the result of the measurement so that his chances of guessing the
1634: other state are maximized. Without loss of generality, $\RR^*$'s
1635: measurement has two outcomes: $0$ and $1$ and the index $i$ that is
1636: sent back to $\II$ is equal to the outcome of the measurement.
1637: Then, we have
1638: \[ \ket{\psi_{u_0}\psi_{u_1}}=
1639: \alpha_{u_0u_1}\ket{0}\ket{\psi'_{u_0u_1}}+
1640: \beta_{u_0u_1}\ket{1}\ket{\psi''_{u_0u_1}} ,\] where the first qubit
1641: is the one being measured and $\ket{\psi'_{u_0u_1}}$
1642: ($\ket{\psi''_{u_0u_1}}$) is the rest of the quantum state that
1643: remains with $\II$ after the measurement. By symmetry, we can assume
1644: that $\alpha_{u_0u_1}=\beta_{u_0 u_1}=\frac{1}{\sqrt{2}}$.
1645:
1646: Similarly to the simplified protocol in Sect.~\ref{standard}, the
1647: probability of $\RR^*$ fixing $r=0$ (or $r=1$) is equal to the
1648: probability that he correctly guesses $u_{1-i}$. We bound this
1649: probability. For brevity, assume that $\RR^*$ has requested $u_1$
1650: from $\II$ and received $u_1=0$. Then, if $u_0=0$, his remaining state
1651: is $\ket{\psi'_{00}}$ and, if $u_0=1$, his remaining state is
1652: $\ket{\psi'_{10}}$. The probability with which he can guess $u_0$ is,
1653: by Fact~\ref{TTheoremPure}, at most
1654: $\pradv=\frac{1}{2}+\frac{\sin\beta'}{2}$ where $\beta'$ is the angle
1655: between $\ket{\psi'_{00}}$ and $\ket{\psi'_{10}}$. Remember that, by
1656: analysis of Sect.~\ref{standard}, the probability of $r=t$ in the
1657: honest case is described by similar expression
1658: $\prcorrect=\frac{1}{2}+\frac{\sin\beta}{2}$ where $\beta$ is the
1659: angle between $\ket{\psi_0}$ and $\ket{\psi_1}$.
1660:
1661: Next, we express $\beta'$ by $\beta$. Remember that $\lbra
1662: \psi|\psi'\rket$ denotes the inner product between $\ket{\psi}$ and
1663: $\ket{\psi'}$. The inner product $\lbra \psi_0 | \psi_1\rket$ is
1664: equal to $\cos\beta$. The inner product between
1665: $\ket{\psi_0}\ket{\psi_0}$ and $\ket{\psi_1}\ket{\psi_0}$ is the same
1666: $\cos\beta$ because the second qubit is in the same state in both
1667: cases. This inner product is also equal to $\frac{1}{2} \lbra
1668: \psi'_{00} |\psi'_{10}\rket+ \frac{1}{2} \lbra \psi''_{00}
1669: |\psi''_{10}\rket$. The first part is $\cos\beta'$, the second part
1670: is at most 1. Therefore, $\frac{1}{2}(\cos\beta'+1)\geq \cos\beta$
1671: and $\cos\beta'\geq 2 \cos\beta -1$. We have
1672: $\sin\beta'=\sqrt{1-\cos^2\beta'}\leq \sqrt{4(\cos\beta-\cos^2
1673: \beta)}$ and $\pradv\leq \frac{1}{2}+\frac{\sin\beta'}{2}\leq
1674: \frac{1}{2}+\sqrt{\cos\beta-\cos^2 \beta}$. Remember that in the
1675: honest protocol, the probability that $r=t$ is
1676: $\prcorrect=\frac{1}{2}+\frac{\sin\beta}{2}$. Therefore,
1677: $\sin\beta=2\prcorrect-1$,
1678: $\cos\beta=\sqrt{1-\sin^2\beta}=\sqrt{4\prcorrect-4\prcorrect^2}$ and,
1679: by substituting this into
1680: $\pradv\leq\frac{1}{2}+\sqrt{\cos\beta-\cos^2 \beta}$, we get the
1681: theorem. \qed\end{proof}
1682:
1683: To show the $\pradv\leq \frac{1}{2}+\sqrt{2}\epsilon$ upper bound, it
1684: suffices to show $\sqrt{\cos\beta-\cos^2\beta}\leq \sqrt{2}\epsilon$.
1685: Since $\epsilon=\frac{\sin\beta}{2}$, this follows from
1686: \[ \frac{\sqrt{\cos\beta-\cos^2\beta}}{(\sin\beta)/2} =
1687: \frac{2\sqrt{\cos\beta-\cos^2\beta}}{\sqrt{1-\cos^2\beta}} =
1688: \frac{2\sqrt{\cos\beta}}{\sqrt{1+\cos\beta}} \leq
1689: \frac{2\sqrt{\cos\beta}}{\sqrt{2\cos\beta}}=\sqrt{2} \]
1690:
1691:
1692:
1693:
1694:
1695: \end{document}
1696: