Composable Security in the Bounded-Quantum-Storage Model

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We present a simplified framework for proving sequential composability in the quantum setting. In particular, we give a new, simulation-based, definition for security in the bounded-quantum-storage model, and show that this definition allows for sequential composition of protocols. Damgard et al. (FOCS ’05, CRYPTO ’07) showed how to securely implement bit commitment and oblivious transfer in the bounded-quantum-storage model, where the adversary is only allowed to store a limited number of qubits. However, their security definitions only applied to the standalone setting, and it was not clear if their protocols could be composed. Indeed, we first give a simple attack that shows that these protocols are not composable without a small refinement of the model. Finally, we prove the security of their randomized oblivious transfer protocol in our refined model. Secure implementations of oblivious transfer and bit commitment then follow easily by a (classical) reduction to randomized oblivious transfer.


💡 Research Summary

The paper revisits the bounded‑quantum‑storage model (BQSM), where an adversary can keep only a limited number of qubits, and addresses a crucial gap in earlier work by Damgård et al. (FOCS ’05, CRYPTO ’07). Those earlier protocols for bit‑commitment and oblivious transfer (OT) were proven secure only in the stand‑alone setting; their security definitions did not guarantee that the protocols remain secure when composed sequentially or in parallel. The authors first demonstrate a simple attack that exploits the ability of an adversary to reuse a small quantum memory across multiple protocol executions, thereby breaking composability under the original definitions.

To overcome this, the authors introduce a refined BQSM that imposes an additional constraint: before re‑using quantum memory, the adversary must retain a certain amount of classical memory. This restriction prevents the adversary from “resetting” its quantum storage without leaving a trace in the classical domain. Within this refined model they propose a new simulation‑based security definition that follows the classic ideal‑world/real‑world paradigm but explicitly incorporates the quantum‑storage bound. Crucially, the definition is crafted to ensure sequential composability: any number of protocol instances executed in any order behave as if they were a single ideal functionality.

Using the new framework, the paper proves security for a randomized oblivious transfer (ROT) protocol originally presented by Damgård et al. The proof proceeds in two parts. First, the bounded quantum memory limits the adversary’s ability to retain enough entangled qubits to gain useful information, which is shown via an entropy‑based argument. Second, a classical information‑theoretic analysis (using entropy loss and statistical distance) constructs a simulator that can reproduce the adversary’s view in the ideal world, thereby satisfying the simulation definition. The authors verify that the required quantum‑memory bound remains realistic for today’s experimental capabilities.

Having established ROT’s composable security, the authors show that standard OT and bit‑commitment can be obtained through classical reductions: OT is built from ROT, and bit‑commitment is built from OT. The reductions preserve security parameters without significant degradation, and the overall quantum‑memory requirements stay within the refined BQSM limits.
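The classical reduction from ROT to chosen-input OT, as an added example that is not code from the paper: ideal ROT is modelled as a black box handing out random bits, the standard one-round derandomisation turns it into 1-out-of-2 OT, and the checks enumerate the ROT coins exhaustively to confirm that each party's view is independent of the other party's secret input. Function names and the bit-level setting are this example's own assumptions.

```python
import secrets
from collections import Counter
from itertools import product

def ideal_rot(rng=secrets.randbits):
    """Ideal randomized OT: sender gets random (r0, r1); receiver gets random c and r_c."""
    r0, r1, c = rng(1), rng(1), rng(1)
    return (r0, r1), (c, (r0, r1)[c])

def ot_from_rot(m0, m1, b, rot_sender, rot_receiver):
    """Chosen-input 1-out-of-2 OT on top of one ROT instance (classical reduction).
    Returns the receiver's output plus the two transcript messages for inspection."""
    r0, r1 = rot_sender
    c, rc = rot_receiver
    d = b ^ c                   # receiver -> sender: aligns ROT's random choice with b
    e0 = m0 ^ (r0, r1)[d]       # sender -> receiver: m0 masked with r_d
    e1 = m1 ^ (r0, r1)[1 - d]   # sender -> receiver: m1 masked with r_{1-d}
    m_b = (e0, e1)[b] ^ rc      # e_b = m_b ^ r_c and the receiver knows r_c
    return m_b, d, (e0, e1)

def correct_for_all_inputs(rounds=100):
    """Receiver recovers m_b for every input triple, with fresh ROT randomness each time."""
    for m0, m1, b in product((0, 1), repeat=3):
        for _ in range(rounds):
            s, r = ideal_rot()
            if ot_from_rot(m0, m1, b, s, r)[0] != (m0, m1)[b]:
                return False
    return True

def view_dist(m0, m1, b, party):
    """Exact distribution of one party's view over all 8 settings of the ROT coins."""
    views = Counter()
    for r0, r1, c in product((0, 1), repeat=3):
        rc = (r0, r1)[c]
        _, d, (e0, e1) = ot_from_rot(m0, m1, b, (r0, r1), (c, rc))
        views[(c, rc, e0, e1) if party == "receiver" else (r0, r1, d)] += 1
    return views

def receiver_hides_other_message(b):
    """Receiver's view is identical whether m_{1-b} is 0 or 1 (perfect hiding)."""
    for mb in (0, 1):
        msgs = [(mb, x) if b == 0 else (x, mb) for x in (0, 1)]
        if view_dist(*msgs[0], b, "receiver") != view_dist(*msgs[1], b, "receiver"):
            return False
    return True

def sender_hides_choice(m0, m1):
    """Sender's view is identical for b = 0 and b = 1."""
    return view_dist(m0, m1, 0, "sender") == view_dist(m0, m1, 1, "sender")
```

The two `*_hides_*` checks are the information-theoretic core that a simulator relies on: whatever the adversary's quantum memory bound buys for ROT carries over to OT, because the reduction itself leaks nothing beyond the ideal ROT outputs.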

The paper’s contributions are threefold. (1) It identifies and remedies a composability flaw in earlier BQSM protocols. (2) It proposes a refined model and a simulation‑based definition that explicitly guarantee sequential composability, bridging the gap between stand‑alone proofs and real‑world protocol engineering. (3) It provides a concrete, composably secure ROT construction, from which other fundamental primitives follow. This work therefore sets a new standard for designing and analysing quantum‑storage‑limited cryptographic protocols, paving the way for practical implementations that remain secure under composition.

