cs0311039/cs0311039
1: %Paper: cond-mat/9409111
2: %From: "DiVincenzo, David P." <divince@watson.ibm.com>
3: %Date: Mon, 26 Sep 94 14:39:19 EDT
4: 
5: %template for producing IEEE-format articles using LaTeX.
6: %written by Matthew Ward, CS Department, Worcester Polytechnic Institute.
7: %use at your own risk.  Complaints to /dev/null.
8: %make two column with no page numbering, default is 10 point
9: \documentstyle[twocolumn,psfig]{article}
10: \pagestyle{empty}
11: 
12: %set dimensions of columns, gap between columns, and space between paragraphs
13: \setlength{\textheight}{8.75in}
14: \setlength{\columnsep}{2.0pc}
15: \setlength{\textwidth}{6.8in}
16: \setlength{\footheight}{0.0in}
17: \setlength{\topmargin}{0.25in}
18: \setlength{\headheight}{0.0in}
19: \setlength{\headsep}{0.0in}
20: \setlength{\oddsidemargin}{-.19in}
21: \setlength{\parindent}{1pc}
22: 
23: \newtheorem{coro}{Corollary}[section]
24: \newtheorem{defi}{Definition}[section]
25: \newtheorem{exam}{Example}[section]
26: \newtheorem{lemma}{Lemma}[section]
27: \newtheorem{prop}{Proposition}[section]
28: \newtheorem{theo}{Theorem}[section]
29: \newtheorem{prot}{Protocol}[section]
30: \newtheorem{proo}{Proof}[section]
31: \newtheorem{Fact}{Fact}[section]
32: 
33: 
34: 
35: %I copied stuff out of art10.sty and modified them to conform to IEEE format
36: 
37: \makeatletter
38: %as Latex considers descenders in its calculation of interline spacing,
39: %to get 12 point spacing for normalsize text, must set it to 10 points
40: \def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
41: \abovedisplayskip 10pt plus2pt minus5pt\belowdisplayskip \abovedisplayskip
42: \abovedisplayshortskip \z@ plus3pt\belowdisplayshortskip 6pt plus3pt
43: minus3pt\let\@listi\@listI}
44: 
45: 
46: %need an 11 pt font size for subsection and abstract headings
47: \def\subsize{\@setsize\subsize{12pt}\xipt\@xipt}
48: 
49: 
50: %make section titles bold and 12 point, 2 blank lines before, 1 after
51: \def\section{\@startsection {section}{1}{\z@}{24pt plus 2pt minus 2pt}
52: {12pt plus 2pt minus 2pt}{\large\bf}}
53: 
54: 
55: %make subsection titles bold and 11 point, 1 blank line before, 1 after
56: \def\subsection{\@startsection {subsection}{2}{\z@}{12pt plus 2pt minus 2pt}
57: {12pt plus 2pt minus 2pt}{\subsize\bf}}
58: \makeatother
59: 
60: \begin{document}
61: 
62: %don't want date printed
63: %\date{}
64: 
65: \date{}
66: 
67: %make title bold and 14 pt font (Latex default is non-bold, 16 pt)
68: \title{\Large\bf Quantum $m$-out-of-$n$ Oblivious Transfer\thanks{
69: This work is partially supported by a grant from the Ministry of
70: Science and Technology (\#2001CCA03000), National Natural Science
71: Fund (\#60273045) and Shanghai Science and Technology Development
72: Fund (\#03JC14014).}}
73: 
74: 
75: %for single author (just remove % characters)
76: %\author{I. M. Author \\
77: %  My Department \\
78: %  My Institute \\
79: %  My City, ST, zip}
80: 
81: %for two authors (this is what is printed)
82: \author{ Zhide Chen,\
83:       \ Hong Zhu \\[.2cm]
84: \small{}\textit{Department of Computer Science, Fudan University, Shanghai 200433, P.R.China.} \\[.1cm]
85: \small{}\textit{Key Laboratory of Intelligent Information
86: Processing, Fudan University, Shanghai 200433, P.R.China.} \\[.1cm]
87:  \small{} \{02021091,  hzhu\}@fudan.edu.cn }
88: 
89: 
90: \maketitle
91: 
92: %I don't know why I have to reset thispagesyle, but otherwise get page numbers
93: \thispagestyle{empty}
94: 
95: \subsection*{\centering Abstract}
96: %IEEE allows italicized abstract
{\em In the $m$-out-of-$n$ Oblivious Transfer ($OT$) model, one
party, $Alice$, sends $n$ bits to another party, $Bob$; $Bob$ can obtain
only $m$ of the $n$ bits, and $Alice$ cannot learn which $m$ bits
$Bob$ received. Naor and Pinkas, and Y.~Mu et al., presented classical
1-out-of-$n$ and $m$-out-of-$n$ Oblivious Transfer respectively, based on
the discrete logarithm. By Shor's result, the discrete logarithm can be
computed in polynomial time on a quantum computer, so such $OT$s are
insecure against a quantum adversary. In this paper we construct a
quantum $m$-out-of-$n$ $OT$ ($QOT$) scheme based on the transmission of
polarized light and show that the scheme is robust against general
attacks, i.e.\ the $QOT$ scheme satisfies statistical correctness
and statistical privacy.\\
\\
\textbf{Keywords.} \ Quantum, Oblivious Transfer. }
111: 
112: \section{Introduction}
113: A number of recent papers have provided compelling evidence that
114: certain computational, cryptographic, and information theoretic
115: tasks can be performed more efficiently by models based on quantum
116: physics than those based on classical physics~\cite{[Shor97]}.
\par Oblivious Transfer (OT) is used as a key component in
many applications of cryptography~\cite{[WIE],[EGL85],[R81]}.
Informally speaking, in an Oblivious Transfer $Alice$ sends a bit
to $Bob$ that he receives half the time (this fact is out of their
control); $Alice$ does not find out what happened, while $Bob$ knows
whether he got the bit or nothing. Similarly, in a 1-out-of-2 Oblivious
Transfer, $Alice$ has two bits $b_0,b_1$ that she sends to $Bob$
in such a way that he can decide to get either of them at his
choosing but not both. $Alice$ never finds out which bit $Bob$
received.
\par In 2001, Naor and Pinkas presented a 1-out-of-$n$ Oblivious Transfer~\cite{[Naor01]},
and Y.~Mu et al.\ showed that $m$-out-of-$n$ Oblivious Transfer can also be
realized based on the discrete logarithm~\cite{[MJV02]}. In an $m$-out-of-$n$
Oblivious Transfer ($1\leq m<n$), $Alice$ sends $n$ bits to $Bob$ and
$Bob$ can get only $m$ of them. In the quantum setting, Claude
Cr\'{e}peau gave a 1-out-of-2 quantum Oblivious Transfer based
on the transmission of polarized light in 1994~\cite{[C94]}. Cr\'{e}peau's
protocol can be used directly to implement a one-out-of-three
Oblivious Transfer.
\par The organization of this paper is as follows: in Section 2
we give the definitions of correctness and privacy for an
$m$-out-of-$n$ OT protocol. In Section 3 we review the 1-out-of-2
OT of Claude Cr\'{e}peau and the intuition behind it. In Section 4 we
construct an $m$-out-of-$n$ OT, and in Section 5 we show that this
scheme satisfies statistical correctness and statistical privacy.
142: 
143: 
144: \section{Definitions}
The natural constraints of correctness and privacy for an
$m$-out-of-$n$ OT ($1\leq m<n$) are the following.
147: \begin{defi} \textbf{Perfect Correctness:} It should be that when $Alice$
148: and $Bob$ follow the protocol and start with $Alice's$ input bits
149: $b_{1},b_{2},\cdots,b_{n}$ and $Bob's$ input $c_1,c_2,\dots,c_m\in
150: \{1,2,\cdots,n\}$, they finish with $Bob$ getting
151: $b_{c_1},b_{c_2},\cdots,b_{c_m} \in $ $\{$ $b_{1}$, $b_{2}$,
152: $\cdots$, $b_{n}\}$.
153: \end{defi}
154: 
155: \begin{defi}
156: \textbf{Perfect Privacy:} It should be that, $Alice$ can not find
157: out about $c_1,c_2,\dots,c_m$, and $Bob$ can not find out more
158: than $m$ of $b_1,b_2,\dots,b_n$.
159: \end{defi}
\par The protocol we describe in the next section is of a
probabilistic nature. We cannot show that it perfectly
satisfies the above constraints, but it satisfies them in a statistical
sense: after an amount of work in $O(N)$ time the constraints hold
except with probability at most $\varepsilon^{N}$, for some constant
$0<\varepsilon<1$ that depends only on $m$ and $n$.
165: 
166: 
167: \begin{defi}\textbf{Statistical
168: Correctness:} It should be that , except with probability at most
169: $\varepsilon^{N}$, when $Alice$ and $Bob$ follow the protocol and
170: start with $Alice's$ input bits $b_1,b_2,\dots,b_n$ and $Bob's$
171: input $c_1,c_2,\dots,c_m\in \{1,2,\cdots,n\}$ they finish with
172: $Bob$ getting $b_{c_1},b_{c_2},\cdots,b_{c_m}\in
173: \{b_{1},b_{2},\cdots,b_{n}\}$.
174: \end{defi}
175: 
176: \begin{defi}
177: \textbf{Statistical Privacy:} It should be that, except with
178: probability at most $\epsilon^{N}$, $Alice$ can not find out
179: $c_1,c_2,\dots,c_m$, and $Bob$ can not find out  more than $m$ of
180: $b_1,b_2,\dots,b_n$.
181: \end{defi}
182: 
183: \section{Quantum 1-out-of-2 Oblivious Transfer}
184: In this section, we introduce the quantum 1-out-of-2 OT provided
185: by Claude Cr\'{e}peau~\cite{[C94]}. Let $\copyright\!\!\!\!|$ \ \
186: denote the random variable that takes the binary value 0 with
187: probability 1/2 and 1 with probability 1/2. Also, denote by
188: $[\quad]_{i}$ the selection function such that
189: $[a_{0},a_{1},\cdots,a_{k}]_{i}=a_{i}$. Let $\leftrightarrow
190: \!\!\!\!\updownarrow\
191: =(|\!\!\!\leftrightarrow\rangle,|\!\!\uparrow\!\!\!\downarrow\rangle)$
192: and
193: $\nwarrow\!\!\!\!\!\!\searrow\!\!\!\!\!\!\nearrow\!\!\!\!\!\!\swarrow\
194: =(|\!\!\nwarrow\!\!\!\!\!\!\searrow\rangle,|\!\nearrow\!\!\!\!\!\!\swarrow
195: \rangle)$ denote respectively the bases of rectilinear and
196: diagonal polarization in the quantum state space of a photon. The
197: quantum 1-out-of-2 OT is as follows:
198: 
199: \subsection{Quantum 1-out-of-2 OT}
200: \begin{prot} 1-out-of-2 OT$(b_{0},b_{1})(c)$
201: \begin{enumerate}
202:     \item $DO_{i=1}^{2n}$
203:         \begin{itemize}
204:             \item $Alice$ picks a random bit $r_{i} \leftarrow \copyright\!\!\!\!|$
205:             \item $Alice$ picks a random bit $\beta_{i}\leftarrow
206:             \copyright\!\!\!\!|$ and defines her emission
207:             basis
208:             $(|\varphi_{i}\rangle, |\varphi_{i}^{\perp}\rangle)\leftarrow
209:             [\leftrightarrow \!\!\!\!\updownarrow,\nwarrow\!\!\!\!\!\!\searrow\!\!\!\!\!\!\nearrow\!\!\!\!\!\!\swarrow]_{\beta_{i}} $
210:             \item $Alice$ sends to Bob a photon $\pi_{i}$ with polarization $[|\varphi_{i}\rangle, |\varphi_{i}^{\perp}\rangle]_{r_i}$
211:             \item $Bob$ picks a random bit  $\beta'_i \leftarrow
212:             \copyright\!\!\!\!|$ and measures $\pi_{i}$ in basis $(|\theta_{i}\rangle, |\theta_{i}^{\perp}\rangle)\leftarrow[\leftrightarrow \!\!\!\!\updownarrow,\nwarrow\!\!\!\!\!\!\searrow\!\!\!\!\!\!\nearrow\!\!\!\!\!\!\swarrow]_{\beta_{i}'} $
213:             \item $Bob$ sets $r_{i}' \leftarrow
214:                 \left\{%
215:                 \begin{array}{ll}
216:                     0, & \hbox{if $\pi_{i}$ is observed as $|\theta_{i}\rangle$} \\
217:                     1, & \hbox{if $\pi_{i}$ is observed as $|\theta_{i}^{\bot}\rangle$} \\
218:                 \end{array}%
219:                 \right.$
220:         \end{itemize}
221: 
    \item $DO_{i=1}^{n}$
    \begin{itemize}
            \item Bob runs
            $commit(r'_{i})$, $commit(\beta'_{i})$, $commit(r'_{n+i})$, $commit(\beta'_{n+i})$
            with $Alice$
            \item $Alice$ picks a challenge bit $d_{i} \leftarrow \copyright\!\!\!\!|$ \ and
            announces it to $Bob$
            \item Bob runs $unveil(r'_{nd_{i}+i}), unveil(\beta'_{nd_{i}+i})$
            \item $Alice $ checks that $\beta_{nd_{i}+i}=\beta'_{nd_{i}+i}\rightarrow r_{nd_{i}+i}=r'_{nd_{i}+i}$
            \item if $d_{i}=0$ then $Alice$ sets
            $\beta_{i}\leftarrow\beta_{n+i}$ and $r_{i}\leftarrow r_{n+i}$  and $Bob$ sets
            $\beta'_{i}\leftarrow\beta'_{n+i}$ and $r'_{i}\leftarrow r'_{n+i}$
    \end{itemize}
235: 
236: 
237:     \item $Alice$ announces her choices
238:     $\beta_{1}\beta_{2}\cdots\beta_{n}$ to $Bob$
239:     \item $Bob$ randomly selects two subsets $I_{0},I_{1}\subset
240:             \{1,2,\cdots,n\}$ subject to $|I_{0}|=|I_{1}|=n/3$, $I_{0} \cap
241:             I_{1}=\emptyset$ and $\forall i \in I_{c},
242:             \beta_{i}=\beta_{i}'$, and he announces $\langle I_{0},I_{1}
243:             \rangle$ to $Alice$
244:     \item $Alice$ receives $\langle J_{0},J_{1}  \rangle$=$\langle I_{0},I_{1}
245:             \rangle$, computes and sends $\widehat{b}_{0}\leftarrow b_{0} \oplus \bigoplus_{j \in J_{0}}r_{j}$ and  $\widehat{b}_{1}\leftarrow b_{1} \oplus \bigoplus_{j \in J_{1}}r_{j} $
246:     \item $Bob$ receives $\langle \widehat b_{0},\widehat b_{1}
247:     \rangle$ and computes $b_{c}\leftarrow \widehat {b}_{c} \oplus \bigoplus_{j \in J_{c}} r'_{j} $
248: \end{enumerate}
249: 
250: \end{prot}
251: 
252: 
253: \subsection{Intuition behind 1-out-of-2 OT}
254: \par In this 1-out-of-2 QOT, $Alice$ must prevent $Bob$ from storing
255: the photons and waiting until she discloses the bases before
256: measuring them, which would allow him to obtain both of $Alice's$
257: bits with certainty. To realize this, $Alice$ gets $Bob$ to
258: $commit$ to the bits that he received and the bases that he used
259: to measure them. Before going ahead with $r_i$, say, $Alice$
260: checks that $Bob$ had committed properly to $r_{n+i}$ when he read
261: that bit in the basis that she used to encode it. If at any stage
262: $Alice$ observes a mistake ($\beta_{n+i}=\beta'_{n+i}$ but
263: $r_{n+i}\neq r'_{n+i}$), she stops further interaction with $Bob$
264: who is definitely not performing his legal protocol (this should
265: never happen if $Bob$ follows his protocol).
266: \par
267: In this protocol, $r_{1}r_{2} \cdots r_{n}$ are chosen by $Alice$
268: in step 1 and are sent to $Bob$ via an ambiguous coding referred
269: to as the BB84 coding~\cite{[BB84]}: when $Alice$ and $Bob$ choose
270: the same emission and reception basis, the bit received is the
271: same as what was sent and uncorrelated otherwise. $Bob$ builds two
272: subsets: one $I_{c}$ that will allow him to get $b_{c}$, and one
273: $I_{\overline{c}}$ that will spoil $b_{\overline{c}}$. The
274: calculations of steps 5-6 are much that all the bits in a subset
275: must be known by $Bob$ in order for him to be able to obtain the
276: output bit connected to that subset.
277: 
278: \section{Protocol for Quantum $m$-out-of-$n$ Oblivious Transfer}
279: \subsection{Weak Bit Commitment}
280: In 1993, Gilles Brassard, etc provided a quantum bit commitment
281: scheme provably unbreakable by both parties~\cite{[BCJL]}.
282: However, unconditionally quantum bit commitment was showed
283: impossible~\cite{Mayers}. In~\cite{[DAUA]}, Aharonov provided a
284: weak bit commitment.
285: \begin{defi}~\cite{[DAUA]}
286: In the weak bit commitment protocol, the following requirements
287: should hold.
288: \begin{itemize}
289: \item If both Alice and Bob are honest, then  both Alice and Bob
290: accept.
291: 
292: \item (Binding) If Alice tries to change her mind about the value
293: of $b$, then there is non zero probability that an honest Bob
294: would reject.
295: 
296: \item (Sealing) If Bob attempts to learn information about the
297: deposited bit $b$, then there is non zero probability that an
298: honest Alice would reject.
299: \end{itemize}
300: \end{defi}
301: In the following scheme, $Bob$ will use this weak quantum bit
302: commitment to commit.
303: \subsection{Intuition for $m$-out-of-$n$ OT}
\par In the $m$-out-of-$n$ OT, $Bob$ should build $n$ subsets
$I_{1},I_{2},\dots,I_{n}$ of the positions, $m$ of which
will allow him to get $b_{c_1},b_{c_2},\dots,b_{c_m}$
($c_1,c_2,\dots,c_m \in \{ 1,2,\dots,n \}$), while the other $I$'s
will spoil the remaining $b$'s. In $I_1\cup I_2\cup\cdots\cup I_n$,
the fraction of indices $i$ satisfying $\beta_{i}'=\beta_{i}$ must therefore be
at least $\frac{m}{n}$ (enough to fill $m$ subsets) and less than $\frac{m+1}{n}$
(not enough to fill $m+1$), i.e.
$$\frac{m}{n}\leq \frac{\# \{i| \beta _{i}= \beta _{i}', i\in I_1\cup\cdots\cup I_n\}}{|I_1\cup\cdots\cup I_n|}<\frac{m+1}{n} $$
In our scheme we fix the fraction at the midpoint
$\frac{\frac{m}{n}+\frac{m+1}{n}}{2}=\frac{2m+1}{2n}$. As the
$\beta$'s and $\beta'$'s are chosen uniformly at random, we have
$$\lim_{N\rightarrow \infty} \frac{\#\{ \beta_i=\beta_i' \}}{N}=\frac{1}{2}.$$
For large $N$, the fraction of $i$'s in $\{1,2,\cdots,N \}$ that
satisfy $\beta_{i}'=\beta_{i}$ is approximately
$\frac{1}{2}$, so $Bob$ must remove some $i$'s from
$\{1,2,\cdots,N \}$ to reach the target fraction. The number of $i$'s to be removed
is calculated as follows.
\\If $\frac{2m+1}{2n}<\frac{1}{2}$, there are more $i$'s satisfying $\beta_{i}'=\beta_{i}$ than
required, so $Bob$ removes $x$ indices $i$ with
$\beta_{i}'= \beta_{i}$ from $\{1,2,\cdots,N \}$, where $x$ is
given by
\begin{eqnarray*}
   \frac{\frac{N}{2}-x}{N-x}&=&\frac{2m+1}{2n}\\
   x&=&\frac{n-(2m+1)}{2n-(2m+1)}N
\end{eqnarray*}
 If $\frac{2m+1}{2n}\geq\frac{1}{2}$, there are more $i$'s
satisfying $\beta_{i}'\neq\beta_{i}$ than required, so $Bob$
removes $x$ indices $i$ with $\beta_{i}'\neq
\beta_{i}$ from $\{1,2,\cdots,N \}$, where $x$ is given by
\begin{eqnarray*}
\frac{\frac{N}{2}}{N-x}&=&\frac{2m+1}{2n}\\
x&=&\frac{(2m+1)-n}{2m+1}N
\end{eqnarray*}
$N$ must be chosen so that $x$ is an integer, i.e.\
$(2n-(2m+1)) \mid (n-(2m+1))N$ in the first case and
$(2m+1) \mid ((2m+1)-n)N$ in the second, and so that $n \mid (N-x)$, since
the $N-x$ remaining positions are split into $n$ subsets of equal size in the
protocol below. We let the $i$'s removed from
$\{1,2,\cdots,N\}$ be $u_1,u_2,\cdots,u_x$.
341: 
342: 
343: \subsection{Quantum $m$-out-of-$n$ OT}
344: In the $m$-out-of-$n$ $QOT$, $Alice$ has input
345: $b_1,b_2,\cdots,b_n$, $Bob$ has input $c_1,c_2,\cdots,c_m$. The
346: output of the scheme is $b_{c_1},b_{c_2},\cdots,b_{c_m}$.
347: 
348: \begin{prot} $m$-out-of-$n$ QOT$(b_1,b_2,\dots,b_n)(c_1,c_2,\dots,c_m)$
349: \begin{enumerate}
350:     \item $DO_{i=1}^{2N}$
351:         \begin{itemize}
352:             \item $Alice$ picks a random bit $r_{i} \leftarrow \copyright\!\!\!\!|$
353:             \item $Alice$ picks a random bit $\beta_{i}\leftarrow
354:             \copyright\!\!\!\!|$\ \  and defines her emission basis
355:             $(|\varphi_{i}\rangle, |\varphi_{i}^{\perp}\rangle)\leftarrow[\leftrightarrow \!\!\!\!\updownarrow,\nwarrow\!\!\!\!\!\!\searrow\!\!\!\!\!\!\nearrow\!\!\!\!\!\!\swarrow]_{\beta_{i}} $
356:             \item $Alice$ sends to Bob a photon $\pi_{i}$ with polarization $[|\varphi_{i}\rangle, |\varphi_{i}^{\perp}\rangle]_{r_i}$
357:             \item $Bob$ picks a random bit  $\beta'_i \leftarrow
358:             \copyright\!\!\!\!|$\ \  and measures $\pi_{i}$ in basis
359:              $(|\theta_{i}\rangle, |\theta_{i}^{\perp}\rangle)\leftarrow[\leftrightarrow \!\!\!\!\updownarrow,\nwarrow\!\!\!\!\!\!\searrow\!\!\!\!\!\!\nearrow\!\!\!\!\!\!\swarrow]_{\beta_{i}'} $
360:             \item $Bob$ sets $r_{i}' \leftarrow
361:                 \left\{%
362:                 \begin{array}{ll}
363:                     0, & \hbox{if $\pi_{i}$ is observed as $|\theta_{i}\rangle$} \\
364:                     1, & \hbox{if $\pi_{i}$ is observed as $|\theta_{i}^{\bot}\rangle$} \\
365:                 \end{array}%
366:                 \right.    $
367:         \end{itemize}
368: 
369:     \item $DO_{i=1}^{N}$
370:     \begin{itemize}
371:             \item Bob runs
372:             $commit(r'_{i})$, $commit(\beta'_{i})$, $commit(r'_{N+i})$, $commit(\beta'_{N+i})$
373:             with $Alice$
374:             \item $Alice$ picks $d_{i} \leftarrow \copyright\!\!\!\!|$ \ \ and
375:             announces it to $Bob$
376:             \item Bob runs $unveil(r'_{Nd_{i}+i}), unveil(\beta'_{Nd_{i}+i})$
377:             \item $Alice $ checks that $\beta_{Nd_{i}+i}=\beta'_{Nd_{i}+i}\rightarrow r_{Nd_{i}+i}=r'_{Nd_{i}+i}$
            \item if $d_{i}=0$ then $Alice$ sets
            $\beta_{i}\leftarrow\beta_{N+i}$ and $r_{i}\leftarrow r_{N+i}$  and $Bob$ sets
            $\beta'_{i}\leftarrow\beta'_{N+i}$ and $r'_{i}\leftarrow r'_{N+i}$
381:     \end{itemize}
382: 
383: 
384:     \item $Alice$ announces her choices
385:     $\beta_{1}\beta_{2}\cdots\beta_{N}$ to $Bob$
386: 
    \item $DO_{j=1}^{x}$
    \begin{itemize}
            \item If $\frac{2m+1}{2n}<\frac{1}{2}$, $Bob$ runs
            $unveil(r'_{u_j})$, $unveil(\beta'_{u_j})$ for a removed index $u_j$
            with $\beta_{u_j}= \beta'_{u_j}$, and $Alice$ checks that
            $\beta_{u_j}=\beta'_{u_j}\rightarrow r_{u_j}=r'_{u_j}$
            \item If $\frac{2m+1}{2n}\geq \frac{1}{2}$, $Bob$ runs
            $unveil(r'_{u_j})$, $unveil(\beta'_{u_j})$ for a removed index $u_j$
            with $\beta_{u_j}\neq \beta'_{u_j}$, so that $Alice$ can verify that the
            removed position is indeed one where the bases differ
    \end{itemize}
397:     \end{itemize}
398:     \item $Bob$ randomly selects n subsets $I_{1},I_{2},\cdots,I_{n}   \subset
399:             \{1,2,\cdots,N\}-\{ u_1,u_2,\dots,u_x \}$ subject to
400:             $|I_{1}|=|I_{2}|=\cdots=|I_{n}|=(N-x)/n$, $\forall j\neq k$, $ I_{j} \cap
401:             I_{k}=\emptyset$ and $\forall j$ $\in I_{c_1}\cup I_{c_2}\cup \cdots\cup
402:             I_{c_m}$, $\beta_{j}=\beta_{j}'$, and he announces $\langle
403:             I_{1},I_{2},\cdots,I_{n}
404:             \rangle$ to $Alice$
405:     \item $Alice$ receives $\langle J_{1},J_{2},\cdots ,J_{n} \rangle$=$\langle
406:             I_{1},I_{2},\cdots,I_{n}  \rangle$,    computes and sends $\widehat{b}_{1}\leftarrow b_{1} \oplus \bigoplus_{j \in J_{1}}r_{j}$, $\widehat{b}_{2}\leftarrow b_{2} \oplus \bigoplus_{j \in
407:     J_{2}}r_{j}$, $\cdots$, $\widehat{b}_{n}\leftarrow b_{n} \oplus \bigoplus_{j \in
408:     J_{n}}r_{j}$ to $Bob$
    \item $Bob$ receives $\langle \widehat b_{1},\widehat
    b_{2},\cdots, \widehat b_{n}
    \rangle$ and computes $b_{c_i}\leftarrow \widehat {b}_{c_i} \oplus \bigoplus_{j \in J_{c_i}}
    r'_{j} , $ $i=1,2,\cdots,m$
413: \end{enumerate}
414: 
415: \end{prot}
416: 
417: \section{Analysis}
In the $m$-out-of-$n$ $QOT$, $Bob$ must read the photons sent by
$Alice$ as they come: he cannot wait and read them later,
individually or together. We assume that the channel used for the
quantum transmission is free of errors, so that it is guaranteed
that $r_{i}'=r_{i}$ whenever $\beta_{i}'=\beta_{i}$. We now show
that under this assumption the protocol satisfies the statistical
version of the above constraints.
425: 
426: \subsection{Correctness}
427: 
\begin{lemma} \textbf{Hoeffding's inequality}~\cite{[HO]}
Let $X_1, X_2,\cdots, X_n$ be independent, identically distributed
random variables with $E(X_i)=\mu$ and
values in $[a,b]$. Let $Y=(X_1+X_2+\cdots+X_n)/n$ be their average and
$\delta>0$. Then
$$Pr[|Y-\mu|\geq \delta]\leq
2\cdot e^{\frac{-2n\cdot \delta^2}{(b-a)^2}}$$
\end{lemma}
438: 
439: So, if $Pr[X_i=0]=Pr[X_i=1]=\frac{1}{2}$, then $\mu=\frac{1}{2}$
440: and $a=0,b=1$, we have the following inequality
441: $$Pr[|\sum _{i=1}^{n}\frac{X_i}{n}- \frac{1}{2}  |\geq \delta]\leq
442: 2\cdot e^{-2\cdot n \delta^2}$$
\par We show that most of the time the output is correct if the
parties abide by their prescribed protocol. In a given run of the
protocol, $Bob$ will succeed in computing
$b_{c_1},b_{c_2},\dots,b_{c_m}$ properly provided the
following condition holds:
\\ when $\frac{2m+1}{2n}< \frac{1}{2}$,
$$\# \{i| \beta _{i}= \beta
_{i}'\}-x \geq  (N-x)m/n,$$ or when $\frac{2m+1}{2n}\geq
\frac{1}{2}$,
$$ \# \{i| \beta _{i}= \beta _{i}'\} \geq (N-x)m/n.$$
In that case he can form $I_{c_1},I_{c_2},\dots,I_{c_m}$
as prescribed and then compute each output bit as
$\widehat{b}_{c_i}\oplus \bigoplus _{j\in I_{c_i} }r_{j}'$, which
is $$\widehat{b}_{c_i}\oplus \bigoplus _{j\in I_{c_i} }r_{j}'
=b_{c_i}\oplus \bigoplus _{j\in J_{c_i} }r_{j} \oplus \bigoplus _{j\in
I_{c_i} }r_{j}'=b_{c_i}\oplus \bigoplus _{j\in I_{c_i} }(r_{j}
\oplus r_{j}')$$ because $J_{c_i}$ is $I_{c_i}$. Since every $j\in I_{c_i}$ has
$\beta_{j}=\beta_{j}'$, and $\beta_{j}=\beta_{j}'\rightarrow r_{j} \oplus r_{j}'=0 $, all
the terms on the right vanish and we end up with
$$  \widehat{b}_{c_i}\oplus \bigoplus _{j\in I_{c_i}
}r_{j}' =b_{c_i} $$ Therefore the protocol gives the correct
output unless \\when
$\frac{2m+1}{2n}< \frac{1}{2}$,
$$ \# \{i| \beta _{i}= \beta
_{i}'\}-x <  (N-x)m/n,
$$ or when $\frac{2m+1}{2n}\geq \frac{1}{2}$,
$$ \# \{i| \beta _{i}= \beta _{i}'\} <  (N-x)m/n,  $$
in which case $Bob$ is unable to form the sets
$I_{c_1},I_{c_2},\dots,I_{c_m}$ as prescribed. We now
calculate the probability that $Bob$ cannot form
$I_{c_1},I_{c_2},\dots,I_{c_m}$.
474: \\If $\frac{2m+1}{2n}< \frac{1}{2}$ (i.e. $2m+1< n$,
475: $x=\frac{n-(2m+1)}{2n-(2m+1)}N$), then the probability that $Bob$
476: can get less than $m$ bits is given by
477: \begin{eqnarray*}
478: & & P[\# \{i| \beta _{i}= \beta _{i}'\}-x < (N-x)m/n]\\
479: &=& P[\# \{i| \beta _{i}= \beta _{i}'\} < (N-x)m/n+x]\\
480:  &=& P[\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
481:  >  N-((N-\frac{n-(2m+1)}{2n-(2m+1)}N)m/n\\
482: &&
483:  +\frac{n-(2m+1)}{2n-(2m+1)}N)]\\
484: &=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
485:  >  1-\frac{n-(m+1)}{2n-(2m+1)}]\\
486: &=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
487:  >  \frac{n-m}{2n-(2m+1)}]\\
488: &\leq & P[ | \frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta
489: _{i}'-\frac{1}{2}|> \frac{n-m}{2n-(2m+1)}-\frac{1}{2} ]
490: \end{eqnarray*}
It is easy to check that $\frac{n-m}{2n-(2m+1)}-\frac{1}{2}=\frac{1}{2(2n-(2m+1))}>0$.\\
492: Given that $P[\beta _{i} \oplus \beta _{i}'=1]=1/2$, let
493: $N>\frac{\ln 2}{(\frac{n-m}{2n-(2m+1)}-\frac{1}{2})^2}$, this
494: probability can be easily bounded by
495: \begin{eqnarray*}
496: &<& 2\cdot e^{-2\cdot N(\frac{n-m}{2n-(2m+1)}-\frac{1}{2})^2}\\
497: &=& 2\cdot e^{- N(\frac{n-m}{2n-(2m+1)}-\frac{1}{2}) ^2}
498: \cdot e^{- N(\frac{n-m}{2n-(2m+1)}-\frac{1}{2}) ^2} \\
499: &<& e^{- N(\frac{n-m}{2n-(2m+1)}-\frac{1}{2}) ^2}\\
500: &=&\varepsilon^N
501: \end{eqnarray*}
($\varepsilon= e^{-(\frac{n-m}{2n-(2m+1)}-\frac{1}{2})^2}<1$)
using Hoeffding's inequality.
\\If $\frac{2m+1}{2n} \geq \frac{1}{2}$ (i.e. $2m+1\geq n$,
$x=\frac{(2m+1)-n}{2m+1}N$), then the probability that $Bob$ can
get less than $m$ bits is given by
507: \begin{eqnarray*}
508: & & P[\# \{i| \beta _{i}= \beta _{i}'\} < (N-x)m/n]\\
509: &=& P[\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
510:  >  N-(N-\frac{(2m+1)-n}{2m+1}N)m/n]\\
511: &=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
512:  >  1-\frac{m}{2m+1}]\\
513: &\leq & P[ | \frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta
514: _{i}'-\frac{1}{2}|>\frac{1}{2}- \frac{m}{2m+1} ]
515: \end{eqnarray*}
It is easy to check that $\frac{1}{2}- \frac{m}{2m+1}=\frac{1}{2(2m+1)}>0$.\\
517: Given
518: that $P[\beta _{i} \oplus \beta _{i}'=1]=1/2$, let $N>\frac{\ln
519: 2}{(\frac{1}{2}-\frac{m}{2m+1}) ^2}$, this probability can be
520: easily bounded by
521: \begin{eqnarray*}
522: &<& 2\cdot e^{-2\cdot N  ( \frac{1}{2}-\frac{m}{2m+1}) ^2  }\\
523: &=& 2\cdot e^{- N  ( \frac{1}{2}-\frac{m}{2m+1}) ^2  }\cdot e^{- N  ( \frac{1}{2}-\frac{m}{2m+1}) ^2  }\\
524: &<& e^{- N  ( \frac{1}{2}-\frac{m}{2m+1}) ^2  } \\
525: &=&\varepsilon^N
526: \end{eqnarray*}
 ($\varepsilon=e^{-(\frac{1}{2}-\frac{m}{2m+1})^2}<1$) using Hoeffding's
inequality.
\\So, $Bob$ fails to obtain his $m$ chosen bits from $Alice$
with probability less than $\varepsilon^N$.
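As an added worked example (not from the paper), the following Python computes the quantities that drive the bounds of this section and the integrality conditions of the intuition subsection of Section 4: the margin $\delta$ by which the fraction of mismatched bases must deviate from $\frac12$ before $Bob$ either fails (correctness) or can read an extra bit (privacy), which in both cases equals $\frac{1}{2(2n-(2m+1))}$ when $\frac{2m+1}{2n}<\frac12$ and $\frac{1}{2(2m+1)}$ otherwise; the constant $\varepsilon=e^{-\delta^2}$; the bound $2e^{-2N\delta^2}$; and the smallest $N$ satisfying $N>\frac{\ln 2}{\delta^2}$ together with $x\in\mathbb{Z}$ and $n\mid N-x$. The function names are the example's own.

```python
"""Parameter calculator for the bounds of the Analysis section (added example, not
the paper's code): the Hoeffding margin delta, the constant epsilon = e^{-delta^2},
the paper's bound 2 e^{-2 N delta^2}, and the smallest N that satisfies both the
condition N > ln 2 / delta^2 and the integrality constraints on x and (N - x)/n."""
from fractions import Fraction
from math import exp, log


def qot_margin(n: int, m: int) -> Fraction:
    """delta such that Bob fails (correctness) or can read an extra bit (privacy) only
    if the fraction of positions with beta_i != beta_i' deviates from 1/2 by >= delta:
    delta = 1/(2(2n-(2m+1))) when (2m+1)/2n < 1/2, and 1/(2(2m+1)) otherwise."""
    if 2 * m + 1 < n:
        return Fraction(1, 2 * (2 * n - (2 * m + 1)))
    return Fraction(1, 2 * (2 * m + 1))


def qot_epsilon(n: int, m: int) -> float:
    """epsilon = e^{-delta^2} < 1; each bad event has probability below epsilon^N."""
    return exp(-float(qot_margin(n, m)) ** 2)


def hoeffding_bound(n: int, m: int, N: int) -> float:
    """The bound 2 e^{-2 N delta^2} on each of the four failure events for given N."""
    return 2.0 * exp(-2.0 * N * float(qot_margin(n, m)) ** 2)


def discard_count(n: int, m: int, N: int) -> Fraction:
    """x from the intuition subsection, kept as a Fraction so integrality is visible."""
    if 2 * m + 1 < n:
        return Fraction((n - (2 * m + 1)) * N, 2 * n - (2 * m + 1))
    return Fraction(((2 * m + 1) - n) * N, 2 * m + 1)


def minimal_N(n: int, m: int) -> int:
    """Smallest N with N > ln2/delta^2 (so that 2e^{-2N delta^2} < e^{-N delta^2})
    for which x is an integer and n divides N - x (n equal-sized subsets)."""
    N = int(log(2) / float(qot_margin(n, m)) ** 2) + 1
    while True:
        x = discard_count(n, m, N)
        if x.denominator == 1 and (N - x.numerator) % n == 0:
            return N
        N += 1


if __name__ == "__main__":
    for n, m in [(2, 1), (3, 1), (4, 1), (5, 2)]:
        N = minimal_N(n, m)
        print(n, m, qot_margin(n, m), N, discard_count(n, m, N), hoeffding_bound(n, m, N))
```

For the 1-out-of-2 instance $n=2$, $m=1$: $\delta=\frac16$, $\varepsilon=e^{-1/36}$, the bound is $2e^{-N/18}$ as computed at the end of this section, and the smallest admissible $N$ is 27 ($N>24.95$, $x=N/3$ integral and $2\mid N-x$).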
531: \subsection{Privacy}
532: We analyse the privacy of each party individually as if he or she
533: is facing a malicious opponent.
534: 
535: \subsubsection{Privacy for $Bob$}
\begin{theo}
$Alice$ learns nothing about $c_1,c_2,\dots,c_m$.
\end{theo}
\smallskip
\upshape \noindent \textit{Proof.}  The only things $Alice$ obtains
through the protocol, apart from the unveiled check positions (selected by her own
challenges $d_i$ in step 2 and by the basis-agreement pattern in step 4, not by
$Bob$'s choices), are the sets $J_1,J_2,\dots,J_n$.
The $\beta_{i}$'s and $\beta_{i}'$'s are independent of each other, so
$\langle J_1,J_2,\dots,J_n\rangle$ is uniformly distributed over all
$n$-tuples of pairwise disjoint subsets of size $\frac{N-x}{n}$, whatever
the values of $c_1,c_2,\dots,c_m$. Therefore $Alice$ learns
nothing about $c_1,c_2,\dots,c_m$. $\hfill \Box$
547: 
548: 
549: \subsubsection{Privacy for $Alice$}
\begin{theo}
Except with probability at most $\varepsilon^{N}$, $Bob$ cannot find
out more than $m$ of $b_1,b_2,\dots,b_n$.
\end{theo}
553: \end{theo}
554: 
555: \smallskip
\upshape \noindent \textit{Proof.}  We bound the probability that $Bob$
gets more than $m$ bits (i.e. at least $m+1$ bits), which requires him to
form $m+1$ subsets consisting entirely of matching-basis positions.
\\
\\If $\frac{2m+1}{2n}<\frac{1}{2}$ (i.e. $2m+1<n$,
$x=\frac{n-(2m+1)}{2n-(2m+1)}N$), the probability that $Bob$ can
get at least $m+1$ bits is given by
\begin{eqnarray*}
&& P[\# \{i| \beta _{i}= \beta _{i}'\} - x\geq (N-x)(m+1)/n]\\
&=& P[\# \{i| \beta _{i}= \beta _{i}'\} \geq (N-x)(m+1)/n+x]\\
 &=& P[\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
 \leq  N-((N-\frac{n-(2m+1)}{2n-(2m+1)}N)(m\\
&& +1)/n+\frac{n-(2m+1)}{2n-(2m+1)}N)]\\
&=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
 \leq  1-\frac{n-m}{2n-(2m+1)}]\\
&=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
 \leq  \frac{n-(m+1)}{2n-(2m+1)}]\\
&\leq & P[ | \frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta
_{i}'-\frac{1}{2}|\geq \frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)} ]
\end{eqnarray*}
It is easy to check that $\frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}=\frac{1}{2(2n-(2m+1))}>0$.\\
 Given that $P[\beta _{i} \oplus \beta _{i}'=1]=1/2$, let
 $N>\frac{\ln 2}{(\frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}) ^2}$; this
probability can then be bounded by
\begin{eqnarray*}
&<& 2\cdot e^{-2\cdot N ( \frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}) ^2 }\\
&=& 2\cdot e^{-N ( \frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}) ^2 }\cdot e^{- N ( \frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}) ^2 }\\
&<& e^{- N ( \frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)}) ^2}\\
&=&\varepsilon^N
\end{eqnarray*}
($\varepsilon=e^{-(\frac{1}{2}- \frac{n-(m+1)}{2n-(2m+1)})^2}<1$)
using Hoeffding's inequality.
\\
\\If $\frac{2m+1}{2n}\geq \frac{1}{2}$ (i.e. $2m+1\geq n$,
$x=\frac{(2m+1)-n}{2m+1}N$), then the probability that $Bob$ can
get at least $m+1$ bits is given by
589: \begin{eqnarray*}
590: && P[\# \{i| \beta _{i}= \beta _{i}'\} \geq (N-x)(m+1)/n]\\
591: &=& P[\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
592:  \leq  N-(N-\frac{(2m+1)-n}{2m+1}N)(m\\
593: &&+1)/n]\\
594: &=& P[\frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta _{i}'
595:  \leq  1-\frac{m+1}{2m+1}]\\
596: &\leq & P[ | \frac{1}{N}\sum_{i=1}^{N} \beta _{i} \oplus \beta
597: _{i}'-\frac{1}{2}|> \frac{m+1}{2m+1}-\frac{1}{2} ]
598: \end{eqnarray*}
599: It is easy to check that $\frac{m+1}{2m+1}-\frac{1}{2}>0$.\\
600:  Given that $P[\beta _{i} \oplus \beta _{i}'=1]=1/2$, let
601:  $N>\frac{\ln 2}{(\frac{m+1}{2m+1}-\frac{1}{2}) ^2}$,  the
602: probability can be easily bounded by
603: \begin{eqnarray*}
604: &<& 2\cdot e^{-2\cdot N ( \frac{m+1}{2m+1}-\frac{1}{2}) ^2  }\\
605: &=& 2\cdot e^{-N ( \frac{m+1}{2m+1}-\frac{1}{2}) ^2  }\cdot e^{- N ( \frac{m+1}{2m+1}-\frac{1}{2}) ^2  }\\
606: &<& e^{- N ( \frac{m+1}{2m+1}-\frac{1}{2}) ^2  }\\
607: &=&\varepsilon^N
608: \end{eqnarray*}
($\varepsilon=e^{-(\frac{m+1}{2m+1}-\frac{1}{2})^2}<1$) using
Hoeffding's inequality.
611: 
\par Finally, we show that $Bob$ cannot get more than $m$ bits by
attacking the weak quantum bit commitment either. Let the probability
that he can cheat $Alice$ in one execution of the weak QBC be $p$ ($0<p<1$),
the executions being assumed independent. To obtain one more bit he must cheat on a
whole subset of $\frac{N-x}{n}$ positions, which succeeds with probability
$p^{\frac{N-x}{n}}\leq p^{\frac{N}{2n}}=\epsilon^N$ ($\epsilon=p^{\frac{1}{2n}}$), since
$N-x\geq \frac{N}{2}$ in both cases ($N-x=\frac{n}{2n-(2m+1)}N$ and
$N-x=\frac{n}{2m+1}N$ respectively, and $2n\geq 2m+1$ as $m<n$).
\par So, $Bob$ can get more than $m$ of the bits sent by $Alice$
with probability less than $\varepsilon^N$.
619: 
620: $\hfill \Box$
621: 
In the 1-out-of-2 OT scheme, $n=2$ and $m=1$, so
$\frac{2m+1}{2n}=\frac{3}{4}>\frac{1}{2}$, and each of the probabilities above is
less than
625: $$2\cdot e^{-N \cdot 2(
626: \frac{m+1}{2m+1}-\frac{1}{2}) ^2  }=2\cdot e^{-N \cdot 2(
627: \frac{2}{3}-\frac{1}{2}) ^2  }=2\cdot e^{-\frac{N}{18} }$$
628: 
629: 
630: 
631: 
632: 
633: \section{Conclusions and Future Work}
In this paper, we construct a quantum $m$-out-of-$n$ OT based on
the transmission of polarized light, which is an extension of the
quantum 1-out-of-2 OT, and prove that this scheme satisfies
statistical correctness and statistical privacy, i.e. except with
a small probability $\varepsilon^N$, $Bob$ gets the correct $m$
bits and cannot get one more bit than required.
\par
We think the following points are interesting for further research:

\begin{enumerate}
    \item Implement and apply the QOT in the real world.
    \item Find a QOT that satisfies perfect correctness and perfect
    privacy.
\end{enumerate}
648: 
649: 
650: 
651: 
652: \begin{thebibliography}{99}
\bibitem{[BB84]}    Bennett, C.H. and Brassard, G., ``Quantum Cryptography: Public-key Distribution and Coin
Tossing'', In Proceedings of the International Conference on
Computers, Systems and Signal Processing, Bangalore, India,
December 1984, pp. 175--179.
\bibitem{[BCJL]}  Brassard, G., Cr\'{e}peau, C., Jozsa, R. and
Langlois, D., ``A Quantum Bit Commitment Scheme Provably
Unbreakable by Both Parties'', In Proceedings of the 34th Annual
IEEE Symposium on Foundations of Computer Science, November 1993,
pp. 362--371.
\bibitem{[C94]} Claude Cr\'{e}peau, ``Quantum Oblivious Transfer'', Journal of
Modern Optics, 41(12):2455--2466, 1994.

\bibitem{[DAUA]} Dorit Aharonov, Amnon Ta-Shma, Umesh V. Vazirani, Andrew Chi-Chih
Yao, ``Quantum Bit Escrow'', Proceedings of the 32nd Annual ACM
Symposium on Theory of Computing (STOC'00), 2000.

\bibitem{[EGL85]} Even, S., Goldreich, O. and Lempel, A., ``A Randomized Protocol for Signing
Contracts'', Communications of the ACM, vol. 28, pp. 637--647,
1985.
\bibitem{[HO]} W. Hoeffding, ``Probability Inequalities for Sums of Bounded Random Variables'', Journal of the American Statistical Association, Vol. 58, 1963, pp. 13--30.
\bibitem{Mayers}    Mayers, D., ``Unconditionally Secure Quantum Bit Commitment is
                Impossible'', Physical Review Letters 78, pp. 3414--3417 (28 April
                1997).
\bibitem{[Naor01]} Moni Naor, Benny Pinkas, ``Efficient Oblivious Transfer Protocols'', SODA, 2001.
\bibitem{[Shor97]} P. W. Shor, ``Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer'', SIAM Journal on Computing, 26(5), 1997.
\bibitem{[R81]} Rabin, M.O., ``How to Exchange Secrets by Oblivious
Transfer'', Technical Report TR-81, Aiken Computation Laboratory,
Harvard University, 1981.
\bibitem{[WIE]} Wiesner, S., ``Conjugate Coding'', SIGACT News,
vol. 15, no. 1, 1983, pp. 78--88; manuscript written circa 1970,
unpublished until it appeared in SIGACT News.
\bibitem{[MJV02]} Yi Mu, Junqi Zhang, Vijay Varadharajan, ``m out of n Oblivious
Transfer'', ACISP 2002, Lecture Notes in Computer Science 2384,
Springer-Verlag, 2002, pp. 395--405.
687: 
688: 
689: \end{thebibliography}
690: \end{document}
691: