The Impossibility Of Secure Two-Party Classical Computation

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We present attacks that show that unconditionally secure two-party classical computation is impossible for many classes of function. Our analysis applies to both quantum and relativistic protocols. We illustrate our results by showing the impossibility of oblivious transfer.


💡 Research Summary

The paper investigates the fundamental limits of two‑party classical computation when the parties are allowed to use quantum resources or relativistic signaling constraints. The authors formalize the task as the secure evaluation of a deterministic or randomized function f(x, y) where each party holds a private input (x for Alice, y for Bob) and wishes to obtain the correct output without revealing any additional information about the other’s input. An ideal functionality is defined that takes the two inputs, returns f(x, y) to both parties, and leaks nothing else. Any real protocol must be simulatable: a cheating party’s view in the real protocol must be indistinguishable from its view in an ideal world where a trusted third party implements the functionality.

The core contribution is a family of attacks that work against any protocol attempting to realize such an ideal functionality for a broad class of functions. The attacks exploit the freedom to postpone quantum measurements and to choose measurement bases adaptively after learning partial information about the other party’s input. By preparing entangled states in advance, a dishonest party can keep a coherent superposition of all possible inputs from the honest partner. When the honest party later sends a quantum message that depends on its secret input, the cheater measures the stored entangled system in a basis that maximally extracts information about that input while still allowing the correct output to be produced. This “measurement‑choice‑after‑the‑fact” strategy breaks the privacy requirement without compromising correctness from the cheater’s perspective.

The authors categorize functions for which the attack succeeds:

  1. Non‑linear, jointly dependent functions – where the output cannot be expressed as a simple function of one party’s input alone. The entangled attack reveals correlations that enable the cheater to infer the other input with non‑negligible advantage.
  2. Asymmetric functions – where fixing one input determines the output, but the other input still influences the result. By fixing its own input, a dishonest party can treat the protocol as a one‑way channel and extract the honest party’s secret.
  3. Randomized functions – where the output is probabilistic. Even here, the cheater can bias the distribution of measurement outcomes to match the expected statistics while still learning extra information.

A particularly striking application is the impossibility of unconditionally secure 1‑out‑of‑2 Oblivious Transfer (OT). In OT, a sender holds two messages (m_0, m_1); the receiver chooses a bit b and learns m_b while remaining oblivious to m_{1-b}, and the sender learns nothing about b. The paper shows that a cheating receiver can prepare a maximally entangled pair, receive the quantum encoding of both messages, and later decide which basis to measure based on the desired choice b. This yields the chosen message correctly while also retaining quantum information about the unchosen message, violating the sender’s privacy guarantee. Conversely, a cheating sender can embed extra information in the quantum states that allows him to learn the receiver’s choice after the fact. Thus, OT cannot be realized with information‑theoretic security even when quantum communication and relativistic constraints are available.

The relativistic aspect is addressed by noting that space‑like separation alone does not prevent the attack. Entanglement is non‑local, and the cheater’s ability to postpone measurements means that the timing of signal exchange is irrelevant: the cheating party can still adapt its measurement after receiving the honest party’s message, regardless of the imposed light‑speed limit.

In conclusion, the paper demonstrates that unconditional security for two‑party classical computation is unattainable for a wide range of functions, including the foundational primitive of oblivious transfer. Quantum mechanics and relativistic signaling do not close the information‑theoretic gap; instead, they introduce new avenues for cheating that undermine privacy. Consequently, any practical protocol must rely on computational assumptions, trusted setup, or additional physical constraints beyond those considered in the paper.

