We show how to implement cryptographic primitives based on the realistic assumption that quantum storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest party attempts to store each incoming qubit separately. Our model is similar to the model of bounded-quantum storage, however, we consider an explicit noise model inspired by present-day technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer (OT) is secure for any amount of quantum-storage noise, as long as honest players can perform perfect quantum operations. Our model also allows the security of protocols that cope with noise in the operations of the honest players and achieve more advanced tasks such as secure identification.
Traditional cryptography is concerned with the secure and reliable transmission of messages. With the advent of widespread electronic communication new cryptographic tasks have become increasingly important. Examples of such tasks are secure identification, electronic voting, online auctions, contract signing and other applications where the protocol participants do not necessarily trust each other. It is well-known that almost all these interesting tasks are impossible to realize without any restrictions on the participating players, neither classically nor with the help of quantum communication [8]. It is therefore an important task to come up with a cryptographic model which restricts the capabilities of adversarial players and in which these tasks become feasible. It turns out that all such two-party protocols can be based on a simple primitive called 1-2 Oblivious Transfer [1] (1-2 OT), first introduced in [3,4,5]. Hence, 1-2 OT is commonly used to provide a "proof of concept" for the universal power of a new model. In 1-2 OT, the sender Alice starts off with two bit strings S 0 and S 1 , and the receiver Bob holds a choice bit C. The protocol allows Bob to retrieve S C in such a way that Alice does not learn any information about C (thus, Bob cannot simply ask for S C ). At the same time, Alice must be ensured that Bob only learns S C , and no information about the other string S 1-C (thus, Alice cannot simply send him both S 0 and S 1 ). A 1-2 OT protocol is called unconditionally secure when neither Alice nor Bob can break these conditions, even when given unlimited resources.
In this letter, we propose a cryptographic model based on current practical and near-future technical limitations, namely that quantum storage is noisy. Thus the presence of noise, the very problem that makes it so hard to implement a quantum computer, can actually be turned to our advantage. Recently it was shown that secure OT is possible when the receiver Bob has a lim-ited amount of quantum memory [13,14] at his disposal. Within this ‘bounded-quantum-storage model’ OT can be implemented securely as long as a dishonest receiver Bob can store at most n/4-O(1) qubits coherently, where n is the number of qubits transmitted from Alice to Bob. This approach assumes an explicit limit on the physical number of qubits (or more precisely, on the rank of the adversary’s quantum state). However, at present we do not know of any practical physical situation which enforces such a limit for quantum information. We therefore propose an alternative model of noisy quantum storage inspired by present-day physical implementations: We require no explicit memory bound, but we assume that any qubit that is placed into quantum storage undergoes a certain amount of noise. The advantage of our model is that we can evaluate the security parameters of a protocol explicitly in terms of the noise. In this letter, we show that the OT protocol from [14] is secure in our new model. This simple OT protocol could be implemented using photonic qubits (using polarization or phase-encoding) with standard BB84 quantum key distribution [15,16] hardware, only with different classical post-processing.
We analyze the case where the adversary performs individual-storage attacks. More precisely, Bob may choose to (partially) measure (a subset of) his qubits immediately upon reception using an error-free product measurement. In addition he can store each incoming qubit, or post-measurement state from a prior partial measurement, separately and wait until he gets additional information from Alice (at Step 3 in Protocol 1). Once he obtained the additional information he may perform an arbitrary coherent measurement on his stored qubits using the stored classical data. We thereby assume that qubit q i undergoes some noise while in storage, and we also assume that the noise acts independently on each qubit. In the following, we use the super-operator S i to denote the combined channel given by Bob’s initial (partial) measurement and the noise. Practically, noise can arise as a result of transferring the qubit onto a different physical carrier, such as an atomic ensemble or atomic state for example, or into an error-correcting code with fidelity less than 1. In addition, the (encoded) qubit will undergo noise once it has been transferred into ‘storage’. Hence, the quantum operation S i in any real world setting necessarily includes some form of noise.
First, we show that for any initial measurement, and any noisy superoperator S i the 1-2 OT protocol is secure if the honest participants can perform perfect noise-free quantum operations. As an explicit example we consider the case of depolarizing noise during storage. In particular, we can show the following all-or-nothing result: if Bob’s storage noise is above a certain threshold, his optimal cheating strategy is to perform a measurement in the so-called Breidbart basis. On the other hand, if the noise level is below t
This content is AI-processed based on open access ArXiv data.