An Experimental Implementation of Oblivious Transfer in the Noisy Storage Model
Abstract
Cryptography’s importance in our everyday lives continues to grow in our increasingly digital world. Oblivious transfer (OT) has long been a fundamental and important cryptographic primitive since it is known that general twoparty cryptographic tasks can be built from this basic building block. Here we show the experimental implementation of a 12 random oblivious transfer (ROT) protocol by performing measurements on polarizationentangled photon pairs in a modified entangled quantum key distribution system, followed by all of the necessary classical postprocessing including oneway error correction. We successfully exchange a 1,366 ROT string in 3 and include a full security analysis under the noisy storage model, accounting for all experimental error rates and finite size effects. This demonstrates the feasibility of using today’s quantum technologies to implement secure twoparty protocols.
Cryptography, prior to the modern computing age, was synonymous with the protection of private communications using a variety of encryption techniques, such as a wax seal or substitution cypher. However, with the advent of modern digital computing and an increasingly internetdriven society, important new cryptographic challenges have arisen. People now wish to do business and interact with others they neither know nor trust. In the field of cryptography this is known as secure twoparty computation. Here we have two users, Alice and Bob, who wish to perform a computation on their private inputs in such a way that they obtain the correct output but without revealing any additional information about their inputs.
A particularly important and familiar example is the task of secure identification, which we perform any time we use a bank’s ATM to withdraw money. Here honest Alice (the bank) and honest Bob (the legitimate customer) share a password. When authenticating a new session, Alice checks to make sure she is really interacting with Bob by validating his password before dispensing any money. However, we do not want Bob to simply announce his password since a malicious Alice could steal his password and impersonate him in the future. What we require is a method for checking whether Bob’s password is valid without revealing any additional information. While protocols for general twoparty cryptographic tasks such as this one may be very involved, it is known that they can be built from a basic cryptographic building block called oblivious transfer (OT) Kil88 .
Many classical cryptography techniques currently in use have their security based on conjectured mathematical assumptions such as the hardness of finding the prime factors of a large number, assumptions which no longer hold once a sufficiently large quantum computer is built Sho94 . Alternatively, quantum cryptography offers means to accomplish cryptographic tasks which are provably secure using fewer assumptions that are ideally much more stringent than those employed classically. However, until now almost all of the experimental work has focused exclusively on quantum key distribution, yet there are many other cryptographic primitives Wie83 ; HBB99 ; GW07 ; BBBGST11 which can make use of quantum mechanics to augment their security. OT is a prime example.
While it has been shown that almost no cryptographic twoparty primitives, save for QKD, are secure if a quantum channel is available and no further restrictions are placed on an adversary May97 ; LC97 ; Lo97 , twoparty protocols are so pivotal to modern cryptography that we are required to explore scenarios that place realistic restrictions on an adversary which allow provable security to be restored in important real world settings. Moreover, if we can efficiently implement lowcost quantum cryptography while making it much harder and more expensive for adversaries to break it as compared to classical schemes, even if not provably secure without added assumptions, then we have still provided a benefit.
One can regain provable security for OT within the noisystorage model WST08 ; KWW12 under the physical assumption that an adversary does not possess a large reliable quantum memory. This model most accurately captures the difficulty facing a potential adversary since most quantum memories currently suffer from one or more of the following problems: either the transfer of the photonic qubit into the physical system used for the memory is noisy; or the memory is unable to sufficiently maintain the integrity of the quantum information over time; or the memory suffers from an inability to perform consistently (ie. photons are often lost causing the memory to act as an erasure channel).
With current technology, the quantum information stored in a quantum memory is lost within a few milliseconds BRDRDSLLZP12 ; ZLYLG12 ; RLVBRD12 . While there have been recent demonstrations of systems with coherence times on the order of seconds and even minutes MKLJYBPHCMTCL12 ; SSSDRABPMT13 , high fidelity transfer of quantum information from another physical system into the memory system and its subsequent storage have not yet been demonstrated. Further, a reliable memory also requires fault tolerant error correction built into its architecture. Until these significant experimental challenges are met, security is assured under the noisy storage model. Even with the advent of practical quantum storage, for any storage size with a finite upper bound, security can still be achieved by simply increasing the number of qubits exchanged during the protocol. Moreover, the currently executed protocol holds secure even if a dishonest party obtains a better quantum memory in the future.
Because of its huge potential, securing OT with quantum means has recently received interest both from this experiment, as well as the recent 1outofN OT experiment performed by Chan et al. CLMST13 . We note however that, in contrast to our implementation, Chan et al. achieves only a weak version of 1outofN OT in which the attacker gains a significant amount of information. Additionally, continued theoretical work KWW12 has been used to propose a number of different experimentally feasible protocols that could be implemented using today’s technology WCSL10 ; Sch10 . Notably, quantum bit commitment secure under the noisy storage model was recently shown by Ng et al. NJMKW12 . And while it is indeed known that oblivious transfer can in principle be built from secure bit commitment and additional quantum communication Yao95 , the protocol for such a reduction is inefficient and has not been analyzed in a setting where errors are present.
In this work, we show the first experimental implementation of OT secured under the noisystorage model using a modified entangled quantum key distribution system and all of the necessary classical postprocessing algorithms including oneway error correction. During a 3 quantum and classical exchange we generate 1,366 of secure ROT key accounting for all experimental error rates and finite size effects. Using a new minentropy uncertainty relation to derive much higher OT rates we examine a number of tradeoffs and analyze the secure parameter regimes. This demonstrates the feasibility of using today’s quantum technologies to implement secure twoparty protocols, most notably the building block necessary to construct a secure identification scheme DFSS07 to securely authenticate oneself at an ATM one day.
Results
The Oblivious Transfer Protocol
In a 12 OT protocol we have two parties, Alice and Bob. Alice holds two secret binary strings of length . Bob wishes to learn one of these two strings, and the string he decides to learn is given by his choice bit . The protocol is called oblivious transfer because of its security conditions: if Alice is honest, then in learning the string of his choice, , Bob should learn nothing about Alice’s other string, ; while if Bob is honest, Alice should not be able to discern which string Bob chose to learn, i.e. Alice should not learn C. Security is not required in the case where both parties are dishonest. The 12 refers to the fact that Bob learns one and only one of Alice’s two secret strings.
In order to implement 12 OT we actually first implement 12 random oblivious transfer (ROT) which is then converted into 12 OT with an additional step at the end. In the randomized protocol, rather than Alice choosing her two strings she instead receives the two secret binary strings , , chosen uniformly at random, as an output of the protocol. After the ROT protocol is complete, Alice can use these random strings as onetime pads to encrypt her original desired inputs and and send them both to Bob. Bob can then recover Alice’s original intended string by using the he learned during the ROT protocol in order to decrypt his desired thus completing a 12 OT protocol.
For the protocol to hold correct when both parties are honest, it is crucial that Alice and Bob have devices satisfying a minimum set of requirements, for example the loss and error rates have to be upper bounded. In the correctness proof, Alice and Bob’s devices are assumed not to exceed a maximum loss and error rate. It is these upper bounded values that will be used in the secure ROT string formula (Eq. 8) in order to determine the maximum allowable size for the generated ROT string. Whenever their devices fulfill these criteria, the protocol can be executed correctly. On the contrary, in the security proof, a dishonest party is assumed to be all powerful: in particular he/she can use perfect devices to eliminate losses and errors in order to use them as a cheating advantage instead. The only restriction on a cheating party in this model is that of the quantum memory accessible. We refer the reader to the formal security definition of this protocol in Sch10 .
Fig. 1 outlines our 12 ROT protocol Sch10 ; WCSL10 . A source of polarizationentangled photon pairs distributes one photon from each pair to Alice and Bob. In fact, Alice holds the entanglement source as it has been shown that this does not affect either correctness or security. Alice and Bob measure in one of the two usual BB84 bases, H/V (+) or / (), using passive polarization detectors. For every photon they detect, they record their measurement basis as and , their bit value as and , and their measurement time as and respectively. Bob then sends his timing information to Alice so that she can perform a coincidence search allowing them to sift down to those measurement results where they both detected a photon from a pair. Alice then checks that the number of photons Bob detected falls within the secure interval allowing them to proceed. At this point Alice obtains basis and bit strings and , while Bob obtains basis and bit strings and , all of which are of length .
Both parties now wait a time, , long enough for any stored quantum information of a dishonest party to decohere. Note that the information Bob sends to Alice after this point does not provide her information about his choice bit , provided that Bob’s choice of basis is completely uniform. To ensure the uniformity of this choice, an honest Bob can perform symmetrization over all his detectors to make them all equally efficient NJMKW12 , so that Alice cannot make a better guess of his choice bit than a random guess. Hence, it is really only Alice who is waiting here to protect against a dishonest Bob who might have been storing some of his photons. Once the secure wait time is observed, Alice sends Bob her basis information, . This allows Bob to divide his bits into two subsets: , where his measurement basis matched Alice’s () leading eventually to the shared bit string ; and , where his measurement basis did not match Alice’s (), which leads to the second bit string which Bob should know nothing about.
Next, Bob sends his index lists, and , to Alice so that she can partition her data identically. Note that it is Bob’s choice of labelling the subset where his measurement bases matched Alice’s as which allows him to eventually learn his desired from Alice since this is the subset in which error correction will succeed. However, this does not reveal to Alice since from her point of view she always receives an and from Bob and there is never any information in the partitioning which would allow her to deduce .
Continuing, Alice performs oneway error correction by encoding syndrome information for each of her two subsets, and , which she then sends to Bob. Bob is able to use the syndrome information for the subset where his measurement bases matched Alice’s, , to correct any errors in his string to obtain his error corrected string . Note that Bob will only be able to correct his string if the devices and quantum channel are operating within their design parameters since this is what the oneway error correction code has been optimized for. If Bob is dishonest, then we do not need to worry about him being able to decode, the goal of the protocol is to ensure that honest Bob can learn his desired string.
The last step is to perform privacy amplification CW79 ; Kra94 , which is a cryptographic technique that allows a situation of partial ignorance to be turned into a situation of (essentially) complete ignorance. For example, suppose Alice has a long string (here ) which is difficult, but not impossible, for Bob to guess. That is, Bob’s minentropy about the string is large. Applying a randomly chosen twouniversal hash function to allows Alice to obtain a (typically much shorter) string which is essentially impossible for Bob to guess. That is, if the length of the short string is , then Bob’s guessing probability is very close to which means that Bob has learned nothing about the short string. The only cost to Alice for performing this is to reduce the size of her output strings somewhat according to Eq. 8.
To perform privacy amplification, Alice and Bob use the secure ROT string rate formula (Eq. 8) and the estimates of the error rate and loss due to their devices and the quantum channel to calculate the length of extractable ROT string which they can keep after privacy amplification. Alice applies the twouniversal hash functions and to her two substrings and and obtains the shorter strings and as her private outputs, while Bob applies the appropriate twouniversal hash function to his subset obtaining his desired as his private output. Privacy amplification is extremely important since Bob has potentially gained a significant amount of information about Alice’s second string, which a secure protocol requires he know nothing about. This extra information has come from the syndrome information Alice sent for her second subset, , where their measurement bases did not match and from Bob’s ability to store partial quantum information and attempt to cheat. In our proof, we show that has a high minentropy and hence the output is close to uniform after privacy amplification. Of course, dishonest Bob could use the error correction information to correct errors in his own storage device or he could open his device, remove all its imperfections, and then perform a partial attack to gain extra information without raising the error rate above the allowed limit. Regardless, by subtracting the entire length of the error correction information from the initial extractable ROT string Alice can extract a shorter string via privacy amplification, which looks uniform to Bob, ensuring the security of the protocol.
As the above protocol has just summarized, even though breaking the security of our protocol requires a large quantum memory with long storage times, neither quantum memory nor the ability to perform quantum computations are needed to actually run the protocol. Thus, as we shall see below, the technological requirements for honest parties are comparable to QKD and hence well within reach of current technology.
Experimental Parameters
It is important to realize that the techniques used here to prove the security of ROT are fundamentally different than those used in proving the security of QKD. Contrary to QKD, there is no realtime parameter estimation which needs to be performed. Instead, the two parties estimate the parameters before performing the OT protocol. The only requirement is that it should be possible for honest parties to bring certain hardware to execute the protocol. Dishonest parties can have arbitrary devices and still security will be assured based on the following:

Alice holds the source and can completely characterize it. Thus, if Alice is honest she can rely on the source following the estimated parameters. If she is dishonest, she is allowed to replace the source with an arbitrary quantum device (it could be a full quantum computer with arbitrary storage since the storage assumption is only needed to deal with a dishonest Bob).

Honest Bob can always test his device himself without relying on Alice.

The channel parameters (ie. the loss and error rate) can be estimated jointly by Alice and Bob. Depending on their estimate, Alice decides how much error correction information she needs to send. If Bob was dishonest and lied during the estimate then one of the following scenarios happens (both of which are secure):

Alice finds there is no such that secure OT can be performed in which case she either demands Bob get a better device or for the two of them to invest in a better channel.

Alice tunes such that security can be obtained for their estimated parameters. Dishonest Bob could have lied and later eliminated his losses and errors for the OT exchange; however, this is already accounted for in the security analysis which assumes a dishonest Bob can have a perfect channel and perfect devices (his only limitation is the memory bound).


If the parameters turn out to be different for the honest parties during the protocol (e.g. the errors turn out to be much higher) compared to what was estimated earlier, then the protocol may not succeed. Hence, once the parameters are estimated and fixed, then the honest parties need to use hardware satisfying these parameters if they want to perform the protocol correctly. However, security is not affected by the actual amount of losses and errors.
To evaluate security we model our parametric downconversion (PDC) entangled photon source in the standard way KB00 by measuring the mean photon pair number per pulse () which is directly related to the amplitude of the pump laser. Since it is a continuously pumped source we define our pulse length as the coherence time of our laser. Three other measured parameters are also required: the total transmission efficiency or transmittance, , the intrinsic detection error rate of the system, , and the probability of a dark count in one of Alice’s or Bob’s detectors, . The detection error is the probability that a photon sent by the source causes a click in the wrong detector, which can happen due to deficiencies or misalignments in Alice and Bob’s equipment or due to processes in the quantum channel. For the dark count probability Alice and Bob take the value of their worst detector. Note that the parameters measured are necessary for allowing correctness of the protocol between two honest parties. In light of this, Alice and Bob perform a device and channel characterization and use these estimates in all subsequent security checks of the system. In the security analysis, a malicious party is assumed to have full power over their devices, such as eliminating all losses and noise in the communication while tricking the honest party to believe otherwise. Their values are summarized in the top of Table 1.
Experimental Parameters  Value 

Adversary’s Memory Limitations  Value 
2  
0.75  
0.002  
Security Parameters  Value 
1.491 
With these definitions we compute a number of probabilities needed for the security statements, which are conditioned on the event that Alice observed a single click, namely: the probability that exactly one entangled photon pair is emitted from the source (all double pair emissions are assumed to give an adversary full information), the probability an honest Bob did not detect a photon, and the probability that a dishonest Bob did not detect a photon. Note that due to dark counts in Alice’s detectors. Thus, even if a dishonest Bob removes all loss in the quantum channel and uses perfect detectors, there will still be pairs registered by Alice (she cannot differentiate between dark counts and valid detections of photons from entangled pairs) which a dishonest Bob misses. These probabilities are derived from our PDC model following Refs. Sch10 ; WCSL10 using the parameters given in Table 1 (more details can be found in the “Methods: Experimental Security Parameters” section).
Correctness
Whenever Alice and Bob are both honest, we desire that the protocol runs correctly even in the presence of experimental imperfections except with some failure probability. To quantify this probability, Alice and Bob can beforehand agree on some correctness error, , which will be used to lower bound the failure probability of this protocol. This parameter can also be seen as a bound on the maximum allowable fluctuations observed during the protocol allowing one to form acceptable intervals around the expected values for , , and wherein correctness will hold. For example, the acceptable interval for is given by with
(1) 
given by invoking Hoeffding’s inequality Uhl63 . According to Hoeffding’s inequality, the number of detected rounds fall out of this interval with probability less than . For our experiment, we chose a correctness error of . Note that in our analysis there is a correctness error and a security error (discussed in the next section) which we represent by the same variable, , since they take the same value, but they could in general be different.
During the protocol Alice checks whether the number of rounds reported as lost by Bob lies outside the interval that would be expected based on the parameters estimated before starting the protocol. We emphasize that this test is not part of the parameter estimation, but rather ensures that the absolute number of rounds reported lost by Bob is limited. Intuitively, this is a critical step since it prevents a dishonest Bob, who has a perfect channel, from using the fact that he can report rounds as lost to discard some or all of the single photon rounds (for which he only potentially gains partial information) in favour of multiphoton rounds (where he gains full information). Thus, the step prevents a dishonest Bob from performing the equivalent of the wellknown photonnumbersplitting attack from QKD Hwa03 in our protocol. For more details, please refer to Ref. (WCSL10, , Sec. III).
Error correction is also necessary in order to correct errors due to the quantum channel, so that Bob can faithfully recover . Error correction must be done with a oneway forward error correction protocol to maintain the security of the protocol. The errorcorrecting code is chosen such that Bob can decode faithfully except with a probability at most . Thus, our ROT protocol will succeed except with probability . For our error correction code, we have found an (empirically tested) upper bound to the error correction failure probability of . Thus, the total correctness error is upper bounded by . Note that while the decoding error has a large effect on the total correctness error of the protocol, it does not affect the security error of the protocol. In particular, the security error can be much lower than the correctness error, which we will see in the next section.
Security
In this section, we show that the security error can be made small, i.e. the protocol holds secure against dishonest parties except with error . Note that in our analysis we first fix the security error, , and then derive the corresponding rate of OT. Thus, just like in QKD, one can reduce at the expense of shortening the final OT string if a particular situation calls for a smaller security error.
To evaluate security for honest Alice, we need to prove that Bob does not know at least one of the extracted strings. This is done by quantifying Bob’s knowledge about the string that Alice has. The minentropy serves as a suitable quantification in such cases, and is defined as
(2) 
where is the probability of Bob guessing correctly, maximized over all possible measurements he can perform on his system. The minentropy can also be understood operationally as the number of bits extractable from , which appear random to Bob Ren08 . To allow for imperfect states we use the smoothed minentropy which is the minentropy maximized over all joint states of close (in terms of purified distance) to the original state , where is the joint state of Alice’s variable and Bob’s entire system.
Note that a dishonest Bob’s strategy, upon receiving information from Alice, can in general be as follows: he performs some arbitrary encoding upon the received state, and stores the state into some quantum memory (possibly retaining some additional classical information). After receiving Alice’s basis information, he utilizes the stored qubits to perform strategic measurements again, gaining more classical information from his measurement outcome. Therefore, the main goal is to show that given all of Bob’s information his guessing probability of is still low, i.e. Bob’s minentropy is lower bounded.
To do so, we employ the minentropy uncertainty relation recently derived by Ng et al. NBW12 , given by
(3) 
where is the vector of measurement bases of an honest Alice, represents some arbitrary classical side information, while is a constant that depends solely on the measurements and arises due to bounding a family of Rényi entropies. The quantity is a lower bound (including finite size effects) for the number of single photon pair rounds exchanged WCSL10 , except with probability . We use this to bound the minimum amount of uncertainty Bob has about Alice’s overall string . The value of is given by
(4) 
The bound on the minentropy in Eq. 3 also implies that, for security to hold at all we require
(5) 
to generate a positive and by extension a positive minentropy. This condition provides the regime of parameters, specifically with respect to and , wherein secure ROT can be performed.
Subsequently, we further bound Bob’s minentropy conditioned on his quantum memory. ROT has been proven secure against adversaries whose memories satisfy the strongconverse property. This states that the success probability of decoding a randomly chosen nbit string sent through the quantum memory decays exponentially for rates above the classical memory capacity. Recent theoretical results also show that this can be refined by linking security to the entanglement cost BFW12 and quantum capacity BCBW12 of the memory, instead of the classical capacity. To explicitly evaluate security, we follow Refs. Sch10 ; WCSL10 and model the memory as a ddimensional depolarizing channel, given by
(6) 
which successfully transmits the state with probability and otherwise replaces it with the completely mixed state with probability , as the typical action of a quantum memory specializing to the case of qubits (ie. ). A memory has one other pertinent parameter we need; namely, a storage rate, , which represents the fraction of qubits which an adversarial Bob can store in memory. Intuitively, the noise () and storage rate () are related since increasing the amount of quantum error correction in the memory would decrease the noise at the cost of using more memory qubits for error correction thus decreasing the storage rate. However, for this analysis we leave them as two independent parameters. The choices for and in the middle of Table 1 are made for an assumed future quantum storage device subjected to depolarizing noise that retains the state with probability . The storage rate implies we assume that a dishonest party cannot store more than of all the qubits. Note that our experiment is quite secure as all current memories decohere after 1 and can only store a handful of photons.
There is a second condition necessary for security to hold given by
(7) 
where is the classical capacity of the memory (). This implies that the classical capacity of the total quantum memory (assumed to satisfy the strong converse property) should be strictly less than the total minentropy of Bob’s knowledge of , including some finite size effects.
Finally, we can explore the ROT rate formula Sch10 ; NBW12 which tells Alice and Bob how many secure ROT bits they can keep from the privacy amplification operation. It is given by
(8) 
where is the strong converse parameter of an adversary’s memory () which essentially gives the classical memory capacity, is the rate at which a dishonest Bob would need to store quantum information, is the number of rounds where Alice and Bob both measured a photon from the pair, is the error correction efficiency relative to the Shannon limit, and is the total probability of an error between Alice’s and Bob’s subset where their basis choices matched (including dark counts, their intrinsic detector error (), and any errors induced by the quantum channel). It is instructive to think of the three terms in Eq. 8 in the following way. The first term represents the amount of uncertainty Bob has over at least one of Alice’s strings, regardless of the classical/quantum information he has. This is also the maximum ROT string that could be produced. From this one has to subtract the second term representing the information potentially leaked to an adversarial party during error correction, just as one would in QKD. This quantity is exactly the length of the error correction syndrome information which (as mentioned earlier) we must subtract from Bob’s initial minentropy to ensure security holds. Finally, the third term represents a safety margin guaranteeing the maximum security failure probability.
We conclude, that security holds for an honest Alice except with probability , where the error comes from the finite size effects due to the number of single photon rounds, from smoothing of the minentropy, and the error of privacy amplification. Note that the preceding security discussion used a simplified detector model and neglected vulnerabilities from a number of well known attacks in QKD GLLSKM11 ; LAMSM11 ; Mak09 ; QFLM07 ; MAS06 most of which target the detectors used.
Analysis of Secure Parameter Regimes
The ROT rate is sensitive to four parameters: the depolarizing noise, ; the storage rate, ; the intrinsic error rate of the system, ; and the transmittance, . Further, the secure range of each of these individual parameters depends on the values of the others, though we emphasize that the sensitivity is due in part to the fact that we tried to obtain the maximum length of OT string compatible with our , , and storage assumptions. Similarly to QKD, one could make security less sensitive by being less demanding about the output length of the OT string. Nonetheless, we examine here the two most important parameters which determined the final ROT string length; namely, the transmittance and the error rate.
Fig. 2 (left) shows the ROT rate versus the transmittance for error rates of 0.93% (red  this experiment), 1.75% (green), and 2.3% (blue) from which we can see why loss is so crucial to the security of ROT. The secure ROT rate quickly drops as the transmittance decreases; indeed, for higher error rate values the ROT rate can quickly become negative even for relatively large transmittances, e.g. . Already with our table top experiment we experienced a total transmission efficiency of 1.5%, which just allowed us to get a positive ROT string length. Our transmittance and the corresponding ROT rate are shown by the magenta point on the far left of this graph. The situation only gets worse when one thinks about using the scheme in a distributed quantum network where loss will be even higher.
Just as importantly, Fig. 2 (right) shows the ROT rate versus the detection error, , for transmittances of (red  this experiment), (green), and (blue). From our system’s transmittance of we can see that in order to get a positive ROT rate we needed to observe an error rate of less than 0.954% over the course of the experiment. Fortunately for this experiment, we managed to decrease the error rate to 0.93%. Our error rate and the corresponding ROT rate are shown by the magenta point on this graph. While the constraint on the maximum allowable error rate does relax somewhat as the transmittance of the system increases, it never gets above a tolerable error rate of 2.38% even at transmittances as high as 25%. This represents an extremely experimentally challenging constraint, one that is much stronger than the typical safe QBER levels for QKD (). This fact alone prevents most of the existing QKD systems in the world from being easily converted into a secure ROT implementation through a classical postprocessing software update alone. Each of these two constraints can be individually relaxed at the cost of more stringent conditions on the other. However, our hope is that future theoretical work on the security of ROT in the noisy storage model can improve these bounds.
Experiment
Before starting the experiment, all the pertinent parameters are estimated/selected and shown in Table 1 in order for Alice and Bob to evaluate the length of the ROT strings, given by Eq. 8, which they could subsequently extract from their data. Over the course of 50, Alice and Bob measured 1,347,412 coincident detection events. With the photon pairs distributed Alice verified that the number of Bob’s reported measurements fell within the secure interval. After waiting for a minimum time for any stored quantum information of a dishonest party to decohere, Alice sent her basis measurement information () to Bob. Using his choice bit, , Bob partitioned his data into where his measurement basis matched Alice’s (ie. ), and where his measurement basis did not match Alice’s (ie. ), truncating both subsets to 600,000 (the block size needed for the error correction algorithm). He then sent his partitioning, and , to Alice.
Alice partitioned her data accordingly, encoded the syndrome information for each subset, and sent it to Bob. With the system operating within the design parameter requirements, Bob was successfully able to error correct his subset of data, , where his measurement basis matched Alice’s in 2 14. Using the the estimate of the error rate in Eq. 8, Alice and Bob calculated the size of their secure final ROT string to be 1,366. To complete the protocol, Alice then chose two 2universal hash functions Kra94 , , sent her choices to Bob, and calculated her private outputs and retaining the last 1,366 from the 2universal hash operation in each case. Having chosen , Bob used to compute as his private output, obtaining the ROT string he desired from Alice.
Lastly, if Alice and Bob had wanted to remove the randomness from the protocol to implement OT with specific strings desired by Alice, she could have used and as onetime pads to encrypt her desired strings and sent the results to Bob. Using his he could then have decrypted Alice’s last communication, recovering his desired string from Alice.
Discussion
It is important to notice that ROT is a fundamentally different cryptographic primitive than QKD and represents an important new tool at our disposal. Using the example of securing one’s banking information at an ATM, it has long been suggested to use a small handheld QKD device to accomplish this DGHMR06 . However, if one were to employ ROT to build a secure identification scheme, as opposed to QKD, one’s bank card number and PIN would never physically be exchanged over any communication line. Rather, the ATM and the user would merely be evaluating the joint equality function, , on each of their copies of the login information. This starkly illustrates the difference between ROT and QKD, as well as highlights ROT’s potential in certain situations.
The use of the new minentropy relation NBW12 was crucial to making our experimental implementation practical since it could be applied to much smaller block lengths while taking into account finite size effects. To put it in perspective, estimates using the original analysis from Ref. Sch10 suggested we required on the order of  requiring Alice and Bob to measure photon pairs for over 4. Any realworld secure identification protocol, such as at an ATM, making use of such an ROT implementation would obviously be entirely impractical. However, by employing the new minentropy uncertainty relation we were able to generate positive OT lengths with an as low as . In fact, the limiting factor in our protocol became the minimum block size necessary for our oneway error correction code to succeed with high probability at the required efficiency.
Though the current work is secure for memories which follow the strong converse property, many important channels exhibit this property; for instance, the depolarizing channel assumed for this work. Moreover, while a few quantum memories have already been shown to work with high fidelity, they are all postselected results. In other words, many photons are lost during their operation causing them to act as erasure channels. An adversary using one of these memories would find its action looking very close to a depolarizing channel since the best they could do is replace any lost photons with a random state. Moreover, recent theoretical results have shown this argument can be refined by linking the success probability of decoding to the entanglement cost BFW12 and quantum capacity BCBW12 of the memory, instead of the classical capacity.
There a number of other shortcomings that should be addressed in future work. As shown earlier, the ROT string length is constrained drastically by the transmittance, . In order for ROT to be useful over longer distances, for instance over a future quantum communication network covering a city, the impact of loss on security has to be mitigated. One option could be to analyze the security proof for the case of an entangled photon source more carefully since a similar analysis for QKD has found that entangled systems can tolerate more loss than decoystate prepareandsend systems. Indeed, Wehner et al. WCSL10 themselves point out they simplified their security proof for ROT in the case of an entangled source, giving all information in a double pair (and higher) emission to Bob. However, not only could the double pair emission rate be overestimated in the assumed PDC model, but as has been pointed out in connection with QKD it is far from clear that double pair emissions give much, if anything, to an adversary. In fact the probability of double pair emission is one of the key quantities limiting the acceptable error rate, transmittance, and overall ROT rate; thus, there is likely much to be gained from a more detailed analysis. Another possibility to limit the impact of loss could be to find a secure version of Kocsis et al.’s heralded noiseless amplification scheme KXRP13 which allowed both Alice and Bob to trust its operation.
Smaller issues to make ROT more practical include relaxing the tolerable error rate in order to use ROT in a long distance quantum network setting. Even at short distances with the new minentropy relation NBW12 requiring us to detect as few as entangled pairs in approximately 2.5, the extremely low error rate required makes it almost impossible to find an efficient error correction code at this block length.
Lastly, parameter estimation in the ROT protocol is fundamentally different than in QKD. Here parameters are estimated before the protocol begins and then the security statements are evaluated using the agreed upon experimental parameters. This does not present any security problems for the reasons outlined in Section “Results: Experimental Parameters”; however, as a practical effect if the parameters are poorly estimated then honest parties will have a difficult time correctly executing the protocol. Heuristically it seems one would like to estimate the parameters for a long time such that the error bars on them are smaller than the intervals for Alice’s security checks. This is not a problem since it only needs to be done once in advance and will not affect the number of rounds in the actual ROT protocol. In the case of devices (e.g. the source) which are not constant but have relatively slow fluctuations which would increase the error bars on the parameters during a long estimation, Alice and Bob could instead intersperse their ROT experiments with new parameter estimations. It is a very interesting open question for future work whether and how one could incorporate the error bars on the parameter estimates into the security proof.
In this work, we have shown the first experimental implementation of OT using a modified entangled quantum key distribution system and secured under the noisystorage model. We performed an updated security analysis using a new minentropy relation including finite statistics in order to show a drastic improvement in the secure ROT rate. We also examined the pertinent parameters which the ROT rate depends on, the most important being the transmittance and error rate. It will be very interesting to see whether future work on security proofs and experimental implementations can make the protocol even more practical in realworld scenarios.
Methods
Experimental Implementation
The security proof for ROT guarantees security against adversaries with quantum memories and a quantum computer; however, the actual implementation of ROT for honest parties does not require these devices and is possible with today’s technology WCSL10 ; Sch10 . Thus, we modified our existing entangled QKD system ECLW08 ; EHRLW10 to implement the first ROT protocol secured under the noisy storage model. The key difference to keep in mind is that while loss merely affects the overall key rate in a QKD system, in ROT loss is integral to the security of the scheme and if not properly bounded can prevent any secure ROT string from being generated.
A schematic of the system is shown in Fig. 3. Entangled photon pairs are produced with a Sagnac interferometric entangled photon source KFW06 ; FHPJZ07 ; EHRLW10 ; PGW12 consisting of a periodically poled KTP (PPKTP) nonlinear optical crystal produced for a collinear configuration placed in the middle of an interferometer loop. Entangled photons are produced by sending polarized light at 404 onto a dual wavelength polarizing beamsplitter (dual PBS) at the apex of the loop, thus bidirectionally pumping the PPKTP crystal. A dual wavelength halfwaveplate (dual HWP) at on one side of the loop properly polarizes the pump laser so that the crystal produces downconverted polarization correlated photons at 808 in both directions around the loop. The dual HWP also rotates the polarization of the downconverted photons travelling clockwise around the loop by thus ensuring that when the photon pairs are split on the dual PBS their path information is erased and true polarization entangled photon pairs are generated. The first half of the entangled photon pairs are collected directly from one port of the PBS, while the second half of the pairs are collected via a dichroic mirror responsible for removing residual photons from the pump laser.
Since the ROT protocol is useful even over very short distances, such as to securely identify oneself to an ATM machine over , Alice and Bob each measure their half of the entangled photon pairs while located next to the source connected to it with short singlemode optical fibres. The photons are measured with passive polarization detector boxes consisting of: a filter to reject background light, a 50/50 nonpolarizing beamsplitter (BS) to perform the measurement basis choice, a PBS in the reflected arm of the BS to separate horizontally and vertically polarized photons, and a HWP and PBS in the transmitted arm of the BS to separate photons polarized at and . Avalanche photodiode single photon detectors convert the photons into electronic pulses which are recorded with timetagging hardware which saves the measured polarization and detection time with a precision of 156.25. The data is transferred to Alice’s and Bob’s laptops where custom written software then performs the rest of the ROT protocol including entangled photon pair identification (based on the detection times), security checking, sifting, error correction, and 2universal hashing of the final outputs.
While the majority of QKD systems, including ours, have used an interactive algorithm known as Cascade BS94 for error correction, we are not permitted to use it in ROT since the interaction would quickly reveal Bob’s choice bit, C, to Alice. Instead, we chose to implement oneway forward error correction using low density parity check (LDPC) codes Gal62 ; MN97 updated for use in a QKD system Pea04 ; MCMHT09 ; Cha09 . LDPC codes are gaining popularity in a number of QKD experiments Pea04 ; MCMHT09 since they can relieve much of the classical communication bottleneck that interactive error correction algorithms cause. However, there is an important difference between oneway error correction in QKD compared to ROT; namely, in a QKD protocol error correction is permitted to fail on a block of key. In this case for QKD, Bob would let Alice know decoding failed on that block and they would have three options. They could either publicly reveal the block (in order to maintain an accurate estimate of the QBER) and then throw it away, they could try another oneway code optimized for a higher QBER, or they could revert to a twoway error correction procedure. We are not permitted to do any of these here as the error correction failure probability, , is the failure probability for running error correction on the entire data set generated during the ROT protocol. A single failure of the error correction protocol requires Alice and Bob to start the protocol over.
In our LDPCbased error correction protocol, Alice and Bob share a large paritycheck matrix, , which is constructed using a modified version of Hu et al.’s ProgressiveEdge Growth (PEG) software HEA05 with known optimal degree distribution profiles ELAB09 ; Mat11 . Alice computes and by treating her two bit strings as column vectors and applying to them. Using the syndromes sent to him from Alice, Bob then employs an iterative message passing (or belief propagation) decoding algorithm known as the sumproduct algorithm to correct any errors between his bit string and Alice’s (where their basis choices matched) with high probability. Our sumproduct LDPC decoder is written in C# and is based on the Matlab code found in Ref. Cha09 . With a block size of (matrix dimensions were ) and average row weight of 40, we achieved an error correction efficiency of 1.491. Our particularly low source error rate, required to securely implement the protocol, made it very challenging to find an efficient code and necessitated the large block sizes. This in turn made decoding particularly time intensive with a single block taking on average 2 14.
For the ROT experiment the source was pumped with 7 of power as a compromise between a high pair rate and minimal error rate. Alice and Bob exchanged timing information in realtime to sort down to coincidence events. These measurements formed their raw strings ( and respectively) combined with their record of measurement basis for each detection ( and respectively) and resulted in raw files 1.17 in size. It took Alice and Bob 50 to measure 1,347,412 coincident detection events which meant that a total of pairs (before losses) were distributed by the source. Due to slightly uneven detection probabilities and the inherent statistics of the source, Alice and Bob had to measure for slightly longer than the minimum time necessary to ensure that they measured 600,000 photon pairs with matching bases and 600,000 pairs with different bases. After error correction, Alice and Bob used an LFSR algorithm Kra94 , capable of operating on the entire key at once, to perform privacy amplification. This is a key requirement to maintain security both in ROT and QKD, but one that is rarely, if ever, implemented in experimental and commercial QKD systems. All of the pertinent figures of merit from performing the ROT protocol are summarized in Table 2.
Figure of Merit  Value 

total # of pairs created  
# of entangled pairs measured  1,347,412 
photon measurement time  50 
1  
size of  600,000 
size of  600,000 
error correction time  2 14 
size of ROT key  1,366 
Experimental Security Parameters
The security proofs for ROT Sch10 ; WCSL10 assumed that the states emitted by a PDC source can be written as KB00
(9) 
where the probability distribution is given by
(10) 
and the states are given by
(11) 
The states are written here in the basis and is directly related to the amplitude of the pump laser resulting in a mean photon pair number per pulse of . Using this assumption and a few other measured parameters, the authors of Refs Sch10 ; WCSL10 derived all of the other necessary quantities used in their proofs of security.
Following this prescription, the first thing we calculate is the parameter which is slightly more involved since we have a continuously pumped source which creates pairs at random times rather than the pulsed source assumed in the model. Using of pump power, we measure Alice and Bob’s single photon count rates per second, and , as well as their coincident detection rate, , measured with a coincidence window of (see Table 3). We then estimate Alice and Bob’s total transmittances (including their source coupling, polarization analyzer, and detectors) using the formula BGN00 which yields for Alice and for Bob. Using these numbers we back out the loss and estimate the total number of pairs produced at the crystal as with the formula . For all count rates Poissonian error bars have been assumed, and Gaussian error propagation has been applied for the error bars on all derived quantities. Finally to calculate , we define our pulse length as the coherence time of our laser since the security statements use with Eqs. 9, 10, and 11 to determine a bound on the possible double pair emission contributions which might expose additional information to a dishonest party. It is well known with PDC sources that pairs separated by more than a coherence time are independent and thus would not give a dishonest party additional information. It is only those pairs generated within the same coherence time which might pose a security risk. Thus, with a coherence length of for our laser (iWave405S laser specifications, Toptica Photonics Toptica ) and a corresponding coherence time of , we can calculate using the formula
(12) 
Experimental Parameter  Value 

432,148 657  
343,470 586  
47,197 217  
3,145,182 16,148 
There are three other parameters that are necessary for the security statements: the total transmittance, , which can be calculated from Fig. 3; the intrinsic error rate (QBER) of the system, ; and the probability of obtaining a dark count in one of Alice’s or Bob’s detectors, . The dark count probability is defined similarly to (ie. by multiplying the dark count rate per second by the coherence time), and is taken as the value of their worst detector. Strictly speaking each detector will have a slightly different detection efficiency which will provide some partial information to the parties about the strings; however, this information can be removed by symmetrizing the losses of each user to their worst detector NJMKW12 so that they become independent of the basis choice. All of these values are summarized in the top half of Table 1.
The security statements (Eqs. 4 – 8) require the following important quantities: , which is the probability only one photon pair is sent; , which is the probability that an honest Bob receives no click from a photon pair in his detector; and , which is the minimum probability that a dishonest Bob receives no click from a photon pair in his detector. All of these are derived from the PDC model given by Eq. 9 with the experimental parameters given in Table 1. For the derivations we refer the reader to Ref WCSL10 .
Acknowledgements.
Acknowledgements: Support for this work by NSERC, QuantumWorks, CIFAR, CFI, CIPI, ORF, ORDCF, ERA, and the Bell family fund is gratefully acknowledged. NN and SW are supported by MOE Tier 3 Grant MOE2012T31009. The authors would like to thank: Marcos Curty (Universida de Vigo) for many interesting discussions on the practical aspects of the security statements for real implementations of ROT; and Philip Chan (University of Calgary) for numerous explanations and discussions on implementing oneway forward error correction with LDPC codes as well as discussions on the security implications for using oneway codes.References
 (1) Kilian, J. Founding cryptography on oblivious transfer. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), 20–31 (ACM Press, New York, 1988).
 (2) Shor, P. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on the Foundations of Computer Science, 124–134 (IEEE Computer Society, Los Alamitos, CA, 1994).
 (3) Wiesner, S. Conjugate coding. Sigact News 15, 78–88 (1983).
 (4) Hillery, M., Buz̆ek, V. & Berthiaume, A. Quantum secret sharing. Phys. Rev. A 59, 1829 (1999).
 (5) Gutoski, G. & Watrous, J. Toward a general theory of quantum games. Proceedings of the 39th Annual ACM Symposium on Theory of Computing 565–574 (2007).
 (6) Berlin, G. et al. Experimental losstolerant quantum coin flipping. Nat. Comm. 2, 561 (2011).
 (7) Mayers, D. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, 3414–3417 (1997).
 (8) Lo, H. & Chau, H. Is quantum bit commitment really possible? Phys. Rev. Lett. 78, 3410–3413 (1997).
 (9) Lo, H. Insecurity of quantum secure computations. Phys. Rev. A 56, 1154–1162 (1997).
 (10) Wehner, S., Schaffner, C. & Terhal, B. Cryptography from noisy storage. Phys. Rev. Lett. 100, 220502 (2008).
 (11) König, R., Wehner, S. & Wullschleger, J. Unconditional security from noisy quantum storage. Information Theory, IEEE Transactions on 58, 1962–1984 (2012).
 (12) Bao, X.H. et al. Efficient and longlived quantum memory with cold atoms inside a ring cavity. Nature Physics 8, 517–521 (2012).
 (13) Zhou, Z.Q., Lin, W.B., Yang, M., Li, C.F. & Guo, G.C. Realization of reliable solidstate quantum memory for photonic polarization qubit. Phys. Rev. Lett. 108, 190505 (2012).
 (14) Riedl, S. et al. Boseeinstein condensate as a quantum memory for a photonic polarization qubit. Phys. Rev. A 85, 022318 (2012).
 (15) Maurer, P. et al. Roomtemperature quantum bit memory exceeding one second. Science 336, 1283–6 (2012).
 (16) Saeedi, K. et al. Roomtemperature quantum bit storage exceeding 39 minutes using ionized donors in silicon28. Science 342, 830–833 (2013).
 (17) Chan, P., LucioMartinez, I., Mo, X., Simon, C. & Tittel, W. Performing private database queries in a realworld environment using a quantum protocol. eprint quantph/1303.0865 (2013).
 (18) Wehner, S., Curty, M., Schaffner, C. & Lo, H. Implementation of twoparty protocols in the noisystorage model. Phys. Rev. A 81, 052336 (2010).
 (19) Schaffner, C. Simple protocols for oblivious transfer and secure identification in the noisyquantumstorage model. Phys. Rev. A 82, 032308 (2010).
 (20) Ng, N. H., Joshi, S., Ming, C. C., Kurtsiefer, C. & Wehner, S. Experimental implementation of bit commitment in the noisystorage model. Nat. Comm. 3, 1326 (2012).
 (21) Yao, A. C.C. Security of quantum protocols against coherent measurements. In Proceedings of the 27th Annual ACM Symposium on Theory of Computing (STOC), 67–75 (ACM Press, New York, 1995).
 (22) Damgård, I., Fehr, S., Salvail, L. & Schaffner, C. Secure identification and QKD in the boundedquantumstorage model. Advances in Cryptology  CRYPTO ’07, volume 4622 of Lecture Notes in Computer Science 4622, 342–359 (2007).
 (23) Carter, J. & Wegman, M. Universal classes of hash functions. Journal of Computer and System Sciences 18, 143 (1979).
 (24) Krawczyk, H. Lfsrbased hashing and authentication. Advances in Cryptology  CRYPTO ’94  Lecture Notes in Computer Science 839, 129–139 (1994).
 (25) Kok, P. & Braunstein, S. Postselected versus nonpostselected quantum teleportation using parametric downconversion. Phys. Rev. A 61, 042304 (2000).
 (26) Uhlmann, W. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association 58(301), 13–30 (1963).
 (27) Hwang, W.Y. Quantum Key Distribution with High Loss: Toward Global Secure Communication. Phys. Rev. Lett. 91, 057901 (2003).
 (28) Renner, R. Security of quantum key distribution. International Journal of Quantum Information 6, 1 (2008).
 (29) Ng, N., Berta, M. & Wehner, S. Minentropy uncertainty relation for finitesize cryptography. Phys. Rev. A 86, 042315 (2012).
 (30) Berta, M., Fawzi, O. & Wehner, S. Quantum to classical randomness extractors. vol. 7417 of Lecture Notes in Computer Science, 776–793 (2012).
 (31) Berta, M., Christandl, M., Brandao, F. & Wehner, S. Entanglement cost of quantum channels. In Information Theory Proceedings (ISIT), 2012 IEEE International Symposium on, 900–904 (2012).
 (32) Gerhardt, I. et al. Fullfield implementation of a perfect eavesdropper on a quantum cryptography system. Nat. Comm. 2, 349 (2011).
 (33) Lydersen, L., Akhlaghi, M., Majedi, H., Skaar, J. & Makarov, V. Controlling a superconducting nanowire singlephoton detector using tailored bright illumination. New J. Phys. 13, 113042 (2011).
 (34) Markarov, V. Controlling passively quenched single photon detectors by bright light. New J. Phys. 11, 065003 (2009).
 (35) Qi, B., Fung, C., Lo, H. & Ma, X. Timeshift attack in practical quantum cryptosystems. Quant. Info. Compu. 7, 73 (2007).
 (36) Makarov, V., Anisimov, A. & Skaar, J. Effects of detector efficiency mismatch on security of quantum cryptosystems. Phys. Rev. A 74, 022313 (2006).
 (37) Duligall, J., Godfrey, M., Harrison, K., Munro, W. & Rarity, J. Low cost and compact quantum key distribution. New J. Phys. 8, 249 (2006).
 (38) Kocsis, S., Xiang, G., Ralph, T. & Pryde, G. Heralded noiseless amplification of a photon polarization qubit. Nature Physics 9, 23–28 (2013).
 (39) Erven, C., Couteau, C., Laflamme, R. & Weihs, G. Entangled quantum key distribution over two freespace optical links. Opt. Exp. 16, 16840–16853 (2008).
 (40) Erven, C., Hamel, D., Resch, K., Laflamme, R. & Weihs, G. Entanglement based quantum key distribution using a bright sagnac entangled photon source. In Akan, O. et al. (eds.) Quantum Communication and Quantum Networking, vol. 36 of Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 108–116 (Springer Berlin Heidelberg, 2010).
 (41) Kim, T., Fiorentino, M. & Wong, F. Phasestable source of polarizationentangled photons using a polarization sagnac interferometer. Phys. Rev. A 73, 012316 (2006).
 (42) Fedrizzi, A., Herbst, T., Poppe, A., Jennewein, T. & Zeilinger, A. A wavelengthtunable fibercoupled source of narrowband entangled photons. Opt. Exp. 15, 15377 (2007).
 (43) Predojević, A., Grabher, S. & Weihs, G. Pulsed sagnac source of polarization entangled photon pairs. Opt. Exp. 20, 25022–25029 (2012).
 (44) Brassard, G. & Salvail, L. Secretkey reconciliation by public discussion. Lect. Notes Comput. Sci. 765, 410 (1994).
 (45) Gallager, R. Low density parity check codes. IRE Trans. Info. Theory IT8, 21–28 (1962).
 (46) MacKay, D. & Neal, R. Near shannon limit performance of low density parity check codes. Electronics Letters 33, 457–458 (1997).
 (47) Pearson, D. Highspeed qkd reconciliation using forward error correction. In QCMC (2004).
 (48) Martinez, I., Chan, P., Mo, X., Hosier, S. & Tittel, W. Proofofconcept of realworld quantum key distribution with quantum frames. New J. Phys. 11, 095001 (2009).
 (49) Chan, P. LowDensity ParityCheck Codes for Quantum Key Distribution. Master’s thesis, University of Calgary (2009).
 (50) Hu, X., Eleftheriou, E. & Arnold, D. Regular and irregular progressive edgegrowth Tanner graphs. Information Theory, IEEE Transactions on 51, 386 –398 (2005).
 (51) Elkouss, D., Leverrier, A., Alléaume, R. & Boutros, J. Efficient reconciliation protocol for discretevariable quantum key distribution. In Proceedings of the 2009 IEEE international conference on Symposium on Information Theory  Volume 3, ISIT’09, 1879–1883 (IEEE Press, 2009).
 (52) Mateo, J. Efficient Information Reconciliation for Quantum Key Distribution. Ph.D. thesis, Universidad Politecnica de Madrid (2011).
 (53) Brida, G., Genovese, M. & Novero, C. An application of twophoton entangled states to quantum metrology. J. Mod. Opt. 47, 2099–2104 (2000).

(54)
Toptica Photonics (2013).
Http://www.toptica.com/
products/diode_lasers/industrial_oem_diode_lasers/
single_mode/narrow_linewidth_uv_blue_diode_laser_iwave.html.