Unconditional security from noisy quantum storage
We consider the implementation of two-party cryptographic primitives based on the sole assumption that no large-scale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security even against the most general attack. Such unconditional results were previously only known in the so-called bounded-storage model which is a special case of our setting. Our protocols can be implemented with present-day hardware used for quantum key distribution. In particular, no quantum storage is required for the honest parties.
💡 Research Summary
The paper introduces a novel security model for two‑party cryptographic primitives that relies solely on the physical limitation that an adversary cannot maintain large‑scale, reliable quantum storage. This “noisy‑quantum‑storage” model generalizes the earlier bounded‑storage model by replacing the hard cap on memory size with a realistic assumption that any stored quantum information inevitably suffers decoherence and noise over time. Under this assumption, the authors design and rigorously analyze protocols for oblivious transfer (OT) and bit commitment (BC) that achieve unconditional security even against the most general quantum attacks.
The core technical insight is the combination of quantum uncertainty relations with smooth min‑entropy bounds in the presence of quantum side information. By modeling the adversary’s storage as a noisy quantum channel (e.g., a depolarizing or amplitude‑damping channel) acting for a fixed storage time $t$, the authors derive a lower bound on the conditional smooth min‑entropy $H_{\min}^{\varepsilon}(X|Q)$ of the honest party’s classical string $X$ given the adversary’s quantum register $Q$. This bound is a function $\gamma(p,t)$ of the channel noise parameter $p$ and the storage duration $t$. When $\gamma(p,t) > 0$, the adversary’s knowledge about $X$ is provably limited, which directly translates into security guarantees for the higher‑level protocols.
The OT protocol proceeds in four steps. First, the sender (Alice) prepares $n$ BB84 qubits in randomly chosen bases and transmits them to the receiver (Bob). Bob measures each qubit immediately in a basis of his choice, storing the classical outcomes while the quantum states are forced to pass through the noisy storage channel for time $t$. After the storage phase, Alice reveals two classical messages $m_0$ and $m_1$ that are each hashed with a universal hash function. Bob, using the subset of measurement outcomes that match his chosen basis, can recover only the message corresponding to his selection, while the other message remains information‑theoretically hidden because the smooth min‑entropy of the unrevealed bits is high. The security proof shows that Bob’s probability of guessing the non‑chosen message exceeds $1/2$ by at most a negligible $\varepsilon$, provided the noise level satisfies the derived threshold.
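A classical simulation of the honest-party OT flow described above, added here as an illustration and not taken from the paper. It assumes a noise-free channel, that Bob measures every qubit in the basis indexed by his choice bit, and that each message is masked with the hash of Alice's bits sent in the corresponding basis; all function names are hypothetical.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    # BB84: same basis returns the encoded bit, the conjugate basis a uniform bit.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def universal_hash(matrix, bits):
    # Multiplication by a random binary matrix over GF(2), a 2-universal family.
    return [sum(r & b for r, b in zip(row, bits)) % 2 for row in matrix]

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def run_ot(m0, m1, choice, n=128, rng=None):
    """Return (Bob's decoding of m_choice, Bob's best attempt at the other message)."""
    rng = rng or random.Random()  # simulation only; real parties need true randomness
    # Alice prepares n BB84 qubits: bit x[i] encoded in basis theta[i].
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    # Honest Bob measures at once in basis `choice` and keeps only classical outcomes.
    y = [measure(x[i], theta[i], choice, rng) for i in range(n)]
    # After the waiting time t, Alice announces theta and, per basis b, a hash
    # function f_b plus m_b masked with f_b applied to her bits sent in basis b.
    sent = []
    for b, m in enumerate((m0, m1)):
        idx = [i for i in range(n) if theta[i] == b]
        f = [[rng.randrange(2) for _ in idx] for _ in m]
        sent.append((idx, f, xor(m, universal_hash(f, [x[i] for i in idx]))))

    def decode(b):
        idx, f, masked = sent[b]
        return xor(masked, universal_hash(f, [y[i] for i in idx]))

    return decode(choice), decode(1 - choice)

if __name__ == "__main__":
    m0, m1 = [1, 0] * 8, [0, 1, 1, 0] * 4  # constructed 16-bit sample messages
    got, other = run_ot(m0, m1, choice=1, rng=random.Random(1))
    print("recovered m1:", got == m1, "| learned m0:", other == m0)
```

On the positions Alice sent in the other basis, Bob's outcomes are independent of her bits, so his decoding of the unchosen message is a uniformly random string except with negligible probability.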
The BC protocol follows a similar structure. In the commitment phase, the committer sends BB84 qubits to the receiver, who measures them immediately. The committer then sends a classical commitment consisting of a hash of the committed bit concatenated with a random string. During the opening phase, the committer reveals the bit and the random string; the receiver checks consistency with the previously measured outcomes and the hash. Because the stored quantum information decoheres, any attempt by the committer to change the bit after the commitment phase would require altering the already measured classical data, which is impossible without being detected. The binding error probability decays exponentially in $n$ as long as the storage noise satisfies the same condition used for OT.
A notable practical contribution is that the honest parties need no quantum memory at all. All quantum operations are limited to the preparation, transmission, and immediate measurement of BB84 states—exactly the capabilities of current quantum key distribution (QKD) hardware. Consequently, the protocols can be deployed with existing fiber‑optic or free‑space QKD systems, and the security analysis incorporates realistic experimental parameters such as typical QKD error rates (≈1–2 %) and decoherence times on the order of tens of microseconds. The authors demonstrate that these realistic values already place the system well within the secure regime, meaning unconditional security can be achieved with today’s technology.
Beyond the core results, the paper discusses extensions and open problems. The authors outline how the framework could be adapted to multi‑bit OT, multi‑party commitment, and more general noise models, including non‑Markovian dynamics. They also suggest hybrid approaches that combine noisy‑storage assumptions with quantum error‑correcting codes to tolerate lower noise levels, potentially broadening the applicability of the model as quantum memory technologies improve.
In summary, this work bridges a gap between physical constraints (inevitable quantum noise) and information‑theoretic security, providing the first unconditional security proofs for OT and BC that rely only on the assumption that an adversary’s quantum storage is sufficiently noisy. By leveraging existing QKD infrastructure and eliminating the need for quantum memory on the honest side, the protocols present a realistic pathway toward secure two‑party cryptography in the quantum era.