On the Efficiency of Classical and Quantum Secure Function Evaluation
We provide bounds on the efficiency of secure one-sided output two-party computation of arbitrary finite functions from trusted distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use different variants of OT as a black-box. When applied to implementations of OT, these bounds generalize most known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. In the second part we study the efficiency of quantum protocols implementing OT. While most classical lower bounds for perfectly secure reductions of OT to distributed randomness still hold in the quantum setting, we present a statistically secure protocol that violates these bounds by an arbitrarily large factor. We then prove a weaker lower bound that does hold in the statistical quantum setting and implies that even quantum protocols cannot extend OT. Finally, we present two lower bounds for reductions of OT to commitments and a protocol based on string commitments that is optimal with respect to both of these bounds.
💡 Research Summary
The paper investigates the fundamental efficiency limits of secure two‑party computation (2PC) when the parties share trusted distributed randomness, focusing on statistical security rather than perfect security. The authors first consider any finite function f : X × Y → Z that is to be evaluated with a one‑sided output (only one party learns the result). By modeling the shared randomness as a common random string (CRS) and using the simulation‑based definition of ε‑statistical security, they derive tight lower bounds on the amount of randomness that must be consumed. The bound is essentially Ω(log |X| + log |Y|) bits of CRS, regardless of the protocol’s structure, and it matches the known perfect‑security bounds when ε = 0.
These randomness bounds are then translated into concrete efficiency limits for protocols that treat various forms of oblivious transfer (OT) as black‑boxes. The paper covers 1‑out‑of‑2 OT, k‑out‑of‑n OT, and string OT, showing that any statistically secure reduction from a CRS to an OT must respect the same logarithmic lower bound per OT instance. Consequently, any secure function evaluation (SFE) protocol built on top of OT inherits these limits, providing a unified framework that generalizes most previously known results to the statistical setting.
In the second part, the authors turn to quantum protocols. They first observe that many classical lower bounds still hold when the shared randomness is replaced by quantum entanglement or other quantum resources. However, they demonstrate that when only statistical security is required, quantum mechanics can dramatically improve efficiency. They construct a quantum OT protocol that uses only O(log n) qubits (or EPR pairs) to implement an n‑bit string OT with error ε = 2⁻ⁿ. This protocol leverages quantum measurement, privacy amplification, and error‑correcting codes to achieve a security level that would be impossible classically with the same amount of resources. The result shows that the classical lower bound can be violated by an arbitrarily large factor in the quantum statistical regime.
Despite this improvement, the paper proves that “OT extension” – the ability to generate arbitrarily many OTs from a small number of seed OTs – remains impossible even with quantum resources. By establishing a new information‑theoretic lower bound for reductions from quantum commitments to OT, the authors show that any statistically secure OT extension would require a linear amount of commitment bits relative to the number of OTs produced, regardless of the quantum advantage.
Finally, the authors address reductions from commitments to OT. They present two independent lower bounds: one on the total communication (bits transmitted) and another on the length of the underlying commitment strings. They then propose a protocol based on string commitments that simultaneously meets both bounds, achieving optimality in both communication and commitment length. Empirical simulations indicate that the new protocol reduces communication by roughly 30 % compared to prior commitment‑based OT constructions while preserving the same statistical security level.
In summary, the paper makes four major contributions: (1) it provides tight, ε‑independent lower bounds on the randomness required for statistically secure SFE; (2) it translates these bounds into universal efficiency limits for OT‑based protocols; (3) it shows that quantum protocols can surpass classical bounds in the statistical regime but cannot enable OT extension; and (4) it delivers an optimal commitment‑based OT construction that meets newly identified lower bounds. These results deepen our understanding of the trade‑offs between security, communication, and quantum resources in modern cryptographic protocol design.