Long distance two-party quantum cryptography made simple
Any two-party cryptographic primitive can be implemented using quantum communication under the assumption that it is difficult to store a large number of quantum states perfectly. However, achieving reliable quantum communication over long distances remains a difficult problem. Here, we consider a large network of nodes with only neighboring quantum links. We exploit properties of this cloud of nodes to enable any two nodes to achieve security even if they are not directly connected. Our results are based on techniques from classical cryptography and do not resort to technologically difficult procedures like entanglement swapping. More precisely, we show that oblivious transfer can be achieved in such a network if and only if there exists a path in the network between the sender and the receiver along which all nodes are honest. Finally, we show that useful notions of security can still be achieved when we relax the assumption of an honest path. For example, we show that we can combine our protocol for oblivious transfer with computational assumptions such that we obtain security if either there exists an honest path, or, as a backup, at least the adversary cannot solve a computational problem.
Quantum communication allows us to achieve cryptographic security without relying on unproven computational assumptions. Two nodes, Alice and Bob, can establish a secure key using quantum key distribution Bennett and Brassard (1984); Ekert (1991), and, moreover, solve any two-party cryptographic problem even if they do not trust each other in the noisy-storage model Wehner et al. (2008); König et al. (2009); Schaffner (2010). Well-known examples of such problems include secure identification Damgård et al. (2007), as well as electronic voting and secure auctions. More generally, Alice and Bob wish to solve problems where Alice holds an input (eg. the amount of money she is willing to bid for an item sold by Bob) and Bob holds an input (e.g. his minimum asking price), and they want to obtain the value of some function (e.g. output no if , and otherwise) as depicted below. In this setting, there is no outside eavesdropper but Alice or Bob themselves may be dishonest. Security thereby means that Alice should not learn anything about and Bob should not learn anything about , apart from what can be inferred from the value of Yao (1982).
Unfortunately, quantum communication over long distances poses a formidable problem. At present, quantum key distribution has been achieved over a distance of at most 145km in fiber Rosenberg et al. (2008) or 144km in freespace Schmitt-Manderbach et al. (2007); Ursin et al. (2007). In addition, having a direct communication link between any two nodes that may wish to communicate is an infeasible problem even when it comes to classical communication. Instead, we have networks of nodes, such as the present day internet, in which only some nodes are directly connected, but are willing to relay communication for other nodes who do not share a direct link. Typically it is easy to connect two nodes who are physically close. In order to achieve longer distances, many forms of quantum repeaters have been proposed in order extend the range of quantum communication to obtain a quantum version of the internet Lloyd et al. (2004); Kimble (2008). Broadly speaking, quantum repeaters used in key distribution come in two variants: in the first, the nodes along the path between Alice and Bob are trusted, and we perform quantum key distribution between each two neighbours. This form of repeater is known as trusted relay and was for example used in the network of SECOQC Alleaume et al. (2007). The second method is to have the intermediary nodes create entanglement, allowing Alice and Bob to create entanglement between them using the concept of entanglement swapping Żukowski et al. (1993). This is clearly more desirable than relying on trusted relays, but technologically very difficult to achieve especially when there are many intermediary nodes. Many experiments have been done over the last twelve years Pan et al. (1998); Riebe et al. (2008); Goebel et al. (2008), but still we are far from using this technology for QKD Alleaume et al. (2007), and similarly for the case of two-party computation in the noisy-storage model. What both of these approaches have in common is that they first try to create the analog of a point-to-point link between Alice and Bob to solve the final cryptographic task.
Here, we take a novel approach using techniques from classical cryptography to bridge the potentially large physical distance between Alice and Bob. Concretely, we for the first time consider the case where any two nodes that are directly connected by a (quantum) communication link can securely solve the universal cryptographic problem of oblivious transfer (OT), which in turn enables them to solve any two-party cryptographic problem Kilian (1988). Implementations of such protocols (link-OT) can be found in noisy-storage model Wehner et al. (2008); König et al. (2009); Schaffner (2010). Any node in the network may behave honestly, or be dishonest in the sense that it will collaborate with the dishonest Alice or Bob. A dishonest node also has full control over the communication links attached to it, making it more powerful than for example the eavesdropper in QKD who only has access to the communication link and not to any of the individual labs.
Results We first provide a simple protocol for oblivious transfer between Alice and Bob, who do not share a direct quantum link, that is secure, as long as all nodes along one of the paths from Alice to Bob are honest (path-OT). We will refer to this path as an honest path from Alice to Bob, which is in flavor similar to recent extensions to the idea of trusted relays for QKD Salvail et al. (2010). However, we prove that this is in fact all we can hope to achieve for secure two-party computation without any additional resources: Given only the resource of link-OT and classical communication, no protocol between Alice and Bob can be secure without the existence of an honest path. Furthermore, we show that link-OT is in fact a necessary condition for any protocol to be secure, i.e., having access to a large network of nodes does not allow us to solve the problem of oblivious transfer on its own 111Note that there could be only a single node on the honest path from Alice to Bob, which means we cannot simply solve this problem by assuming only very few of the nodes are dishonest as in secure multi party computation..
Then, we successively relax the assumption of an honest path. First, since relying on an honest path alone may still be rather unsatisfactory, we show that we can add a security backup in the sense that our protocol can be made secure if there is either an honest path, or at least the dishonest node cannot break a computational assumption. We then show that the assumption of the honest path can be relaxed if each pair of nodes are given a classical shared key for free, and finally that a non-trivial notion of security is still achievable for a node, even if everyone else in the network is dishonest.
Our results open the door for extending implementations of oblivious transfer in the noisy-storage model to large distances similar to the case of QKD Alleaume et al. (2007).
I The protocol
Let us first explain the problem of oblivious transfer (OT) Rabin (1981); a formal definition can be found in König et al. (2009). Alice (the sender) holds two input strings 222Chosen uniformly at random, unknown to Bob. and Bob (the receiver) holds a choice bit . If both nodes are honest, Bob should receive the input of his choosing, , at the end of the protocol. If Bob is honest, then our goal is to ensure that whatever attack Alice may mount, she can nevertheless not gain any information about . Conversely, if Alice is honest, we want that a dishonest Bob is unable to gain any information about at least one of Alice’s inputs, . Whereas oblivious transfer by itself may seem like a rather obscure task, it has in fact been shown that Alice and Bob can use it to solve any other cryptographic problem securely Kilian (1988). Below we use to indicate that we use a link-OT protocol as a black box.
We now provide two protocols, where the first is unconditionally secure for the sender Alice 333It is secure even if there is no honest path. and secure for the receiver Bob provided there is an honest path. The second has exactly opposite security properties: it is unconditionally secure for Bob and secure for Alice provided there is an honest path. Let be the number of paths connecting Alice to Bob and denote by the nodes adjacent to Alice on the possible paths. We use ’’ and ’’ to indicate bitwise addition and multiplication modulo respectively, and to denote that a variable has been chosen uniformly and independently at random.
First, the protocol is correct when both players are honest, since Bob computes
We now argue that the protocol is also secure; details can be found in the appendix. Suppose first that Bob is dishonest. Since Alice uses fresh keys in each round, and and are themselves randomly chosen bit strings unknown to Bob, Bob would need to retrieve at least entries in order to compute both and . However, even if Bob is working together with all intermediary nodes, he can only learn at most one of from each of the link-OTs with Alice. Hence, Bob learns nothing about one of or as desired.
Suppose now that Bob is honest, and there exists an honest path between Alice and Bob. Note that Bob effectively performs a secret sharing of his input along all paths, so that Alice needs all shares in order to recover Shamir (1979). However, the share on the honest-path remains unknown to Alice. The security of the link-OT ensures she cannot use it to gain any information about either.
Our second protocol is similar, but with Alice performing a secret sharing of her inputs. Let be the nodes adjacent to Bob on the possible paths.
Clearly, the protocol is correct if both parties are honest. The security of the link-OT for the receiver ensures that even if a dishonest Alice controls all nodes adjacent to Bob, she nevertheless cannot learn . Finally, the protocol is secure against a dishonest Bob, assuming that there exists an honest path: In this case, at least one of the shares or remains unknown to Bob, since they are securely transmitted to node via the honest path, and the link-OT protocol between and Bob is secure for the sender. Hence, he cannot learn both inputs .
One may wonder whether we could have constructed a path-OT protocol without relying on the existence of a link-OT protocol, which is impossible to obtain without assumptions Lo (1997). However, it is easy to see that the existence of any path-OT protocol would imply a secure link-OT protocol between two directly connected parties, Anne and Bill: First, Anne picks a path from Alice to Bob in the original setting. Then Bill picks a path from Bob to Alice. The remaining paths they split arbitrarily. Now Anne acts as Alice would and in addition simulates the action of all nodes in the paths assigned to her. Bill also simulates the actions of Bob together with all nodes in the paths assigned to him. Clearly, no matter who will be dishonest, we are always in the setting where there is an honest path in the original protocol, as one path is always simulated by someone being honest. This means that we cannot hope to achieve OT in the honest-path model without additional assumptions either Lo (1997).
Ii Security without an honest path
However, one might still hope that given such a strong primitive as link-OT we might be able to achieve security using only classical communication, even without the assumption of an honest path. Unfortunately, it turns out that an honest path is indeed a necessary condition for security: If there is no honest path, then there exists a subset of corrupted nodes , such that any communication between Alice and Bob goes through them. Intuitively (see appendix for details) this means that either can gain information about , or else must know enough about and to be able to supply Bob with the desired output. In the first case, dishonest Alice can learn from , and in the second dishonest Bob can break security by learning information about both of Alice’s inputs.
A security backup: Nevertheless, the assumption of an honest path may appear quite strong, and it would be useful to have some security guarantees even if this assumption fails. Fortunately, it is straightforward to adopt existing techniques from classical cryptography Harnik et al. (2005); Meier et al. (2007) to extend our protocols to be secure if either the honest-path assumption holds, or else if the dishonest party cannot break a certain computational problem. To this end, we combine our protocol with a protocol for classical oblivious transfer. OT can be achieved classically under a large variety of assumptions. Here, we choose to combine our protocol with the protocol of Naor and Pinkas Naor and Pinkas (2001), which is secure against a dishonest sender if he cannot break the decisional Diffie Hellman problem (DDH), and unconditionally secure against a dishonest receiver. Note that this means that just like for our honest-path assumption, we have unconditional security against one party, and security according to either the DDH or the honest-path assumption against the other 444We can similarly construct a protocol that is secure against a dishonest receiver if there exists an honest path or he cannot break the decisional Diffie Hellman problem (DDH), and unconditionally secure against a dishonest sender.. Using the -robust uniform OT-combiner from (Meier et al., 2007, Theorem 2) we hence immediately obtain that there exists an oblivious transfer protocol that is secure if either the honest path or the DDH assumption holds using two instances of protocol 1, and two instances of the OT protocol of Naor and Pinkas (2001). An explicit protocol can be found in Meier et al. (2007).
Secret keys: In the classical model for secure multiparty computation one usually assumes that there exist private links between all nodes and we are trying to show security against subsets of dishonest nodes. Clearly, this is a strong assumption as it requires us to establish keys over potentially long distances. Nevertheless, it is interesting to consider a hybrid-model, where there exists a complete network of classical private links and also a network of quantum links between neighboring nodes allowing them to perform link-OT. It is easy to see that our protocol can be transformed to achieve security as long as one of the neighbours of Alice and Bob is honest, instead of the entire path being honest: we use the private channels to directly communicate with the immediate neighbours instead of relying on the entire path. This easy example shows that allowing link-OT is indeed more powerful than what one can hope to gain in the classical model of secure multi-party computation.
No assumptions: Finally, let us consider what happens if we allow an arbitrary number of network nodes to be dishonest. Curiously, some weak notion of security still remains. More specifically, by performing our two protocols sequentially with different inputs for Alice and Bob in the two executions, we can trivially construct a form of path-OT where Alice has four inputs, and Bob has two choice bits such that: if everyone is honest, then Bob learns two of the four bits, and Alice learns nothing about Bob’s two index bits. If Alice is honest, but everyone else in the network is dishonest, then Bob learns three bits, but not all four of them. If Bob is honest, but everyone else is dishonest, then Alice learns one of the two index bits of Bob, but not both of them. These properties follow directly from our previous analysis.
Note that this weak form of security is still impossible classically on a complete network with private links, unless computational assumptions are added. In our model, it becomes possible because we added the neighboring quantum links and assumed that we can perform short distance OT protocols via these quantum links. One can turn this weak OT protocol into some weak bit commitment protocol as well, leading to weak forms of coin tossing over long distances.
We have shown security against dishonest Alice (or Bob) whenever there is at least one honest path, or the dishonest party cannot break a computational assumption. One can easily extend our protocol to be robust against the case where the intermediary nodes may be dishonest independently of Alice and Bob, and try to alter Alice’s or Bob’s input. In our present protocols this is of course possible since they could for example flip one of the bits . To make the protocol robust we can simply use a more advanced secret sharing scheme that, similar to an error correcting code, protects against ‘errors’ introduced in the secrets B. Chor and Awerbuch (1985). Note that depending on our choice of secret sharing scheme, we may require more than one honest path to achieve robustness or more communciation rounds 555By letting Alice and Bob use some runs of the protocol to detect tampering by any intermediary nodes..
Our protocols show that two-party cryptographic primitives can be implemented over long distances in an extremely simple manner. Our result enables us to extend the range of protocols in the noisy-storage model in a similar way as has been done in QKD Alleaume et al. (2007). Clearly, our protocols still require a considerable amount of classical communication. However, this is technologically much easier to achieve than entanglement swapping which of course still remains the more desirable solution. The quantum operations that the nodes are performing are no harder than the ones necessary in the link-OT protocols, i.e. it suffices that they create and measure BB84 Bennett and Brassard (1984) states König et al. (2009). No complicated operations like Bell state measurements, or memory are required.
Acknowledgements.SW was supported by NSF grants PHY-04056720, PHY-0803371, as well as the National Research Foundation and the Ministry of Education, Singapore. IK was supported by ANR grants ANR-09-JCJC-0067-01 and ANR-08-EMER-012. Part of this work was done while SW was at the Institute for Quantum Information, Caltech.
- Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (1984), pp. 175–179.
- Ekert (1991) A. Ekert, Physical Review Letters 67, 661 (1991).
- Wehner et al. (2008) S. Wehner, C. Schaffner, and B. M. Terhal, Physical Review Letters 100, 220502 (2008).
- König et al. (2009) R. König, S. Wehner, and J. Wullschleger (2009), arXiv:0906.1030.
- Schaffner (2010) C. Schaffner (2010), arXiv:1002.1495. Workshop on Cryptography from Storage Imperfections, Recent work, Caltech, March 20–22.
- Damgård et al. (2007) I. B. Damgård, S. Fehr, L. Salvail, and C. Schaffner, in Advances in Cryptology—CRYPTO ’07 (Springer-Verlag, 2007), vol. 4622 of Lecture Notes in Computer Science, pp. 342–359.
- Yao (1982) A. C. Yao, in Proceedings of the 23rd Annual IEEE FOCS (1982), pp. 160–164.
- Rosenberg et al. (2008) D. Rosenberg, C. Rosenberg, J. Harrington, P. Rice, N. Dallman, K. Tyagi, K. McCabe, R. Hughes, J. Nordholt, R. Hadfield, et al., in Proceedings of the Conference on Optical Fiber communication (2008), pp. 1–3.
- Schmitt-Manderbach et al. (2007) T. Schmitt-Manderbach, H. Weier, M. FÃÂ¼rst, R. Ursin, F. Tiefenbacher, T. Scheidl, J. Perdigues, Z. Sodnik, J. G. Rarity, A. Zeilinger, et al., Physical Review Letters 98, 010504 (2007).
- Ursin et al. (2007) R. Ursin, F. Tiefenbacher, T. Schmitt-Manderbach, H. Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jennewein, J. Perdigues, P. Trojek, et al., Nature Physics 3, 481 (2007).
- Lloyd et al. (2004) S. Lloyd, J. H. Shapiro, F. N. C. Wong, P. Kumar, S. M. Shahriar, and H. Yuen, ACM SIGCOMM Computer Communication Review 34, 9 (2004).
- Kimble (2008) H. J. Kimble, Nature 453, 1023 (2008).
- Alleaume et al. (2007) R. Alleaume, J. Bouda, C. Branciard, T. Debuisschert, M. Dianati, N. Gisin, M. Godfrey, P. Grangier, T. Langer, A. Leverrier, et al. (2007), arXiv:quant-ph/0701168.
- Żukowski et al. (1993) M. Żukowski, A. Zeilinger, M. A. Horne, and A. K. Ekert, Physical Review Letters 71, 4287 (1993).
- Pan et al. (1998) J. Pan, D. Bouwmeester, H. Weinfurter, and A. Zeilinger, Physical Review Letters 80, 3891 (1998).
- Riebe et al. (2008) M. Riebe, T. Monz, K. Kim, A. S. Villar, P. Schindler, M. Chwalla, M. Hennrich, and R. Blatt, Nature Physics 4, 839 (2008).
- Goebel et al. (2008) A. M. Goebel, C. Wagenknecht, Q. Zhang, Y. Chen, K. Chen, J. Schmiedmayer, and J. Pan, Physical Review Letters 101, 080403 (2008).
- Kilian (1988) J. Kilian, in Proceedings of 20th ACM STOC (1988), pp. 20–31.
- Salvail et al. (2010) L. Salvail, M. Peev, E. Diamanti, R. Alleaume, N. Lütkenhaus, and T. Länger, Journal of Computer Security 18, 61 (2010).
- Rabin (1981) M. Rabin, Tech. Rep., Aiken Computer Laboratory, Harvard University (1981), technical Report TR-81.
- Shamir (1979) A. Shamir, Communications of the ACM 22, 612Â (1979).
- Lo (1997) H.-K. Lo, Physical Review A 56, 1154 (1997).
- Harnik et al. (2005) D. Harnik, J. Kilian, M. Naor, O. Reingold, and A. Rosen, in Advances in Cryptology — EUROCRYPT (2005), vol. 3494 of Lecture Notes in Computer Science, pp. 96–113.
- Meier et al. (2007) R. Meier, B. Przydatek, and J. Wullschleger, in Theory of Cryptography Conference — TCC (2007), Lecture Notes in Computer Science.
- Naor and Pinkas (2001) M. Naor and B. Pinkas, in Proceedings of 12th SODA (2001), pp. 448–457.
- B. Chor and Awerbuch (1985) S. M. B. Chor, S. Goldwasser and B. Awerbuch, in Proceedings of 44th IEEE FOCS (1985), pp. 383–395.
Appendix A Security of protocol 1
Whereas we ideally show security using the formal definitions for fully-randomized OT König et al. (2009), we restrict ourselves to the simple arguments below in order to not obscure our argument, which is sufficient since our setting is very straightforward to analyze.
Protocol 1 forms a secure oblivious transfer scheme with unconditional security against Alice, and security against Bob whenever there exists an honest path.
We first show that the protocol is correct when both Alice and Bob are honest. This follows immediately by noting that Bob can compute
We now show that the protocol is secure if Alice is honest, where we allow all intermediary players and Bob to be dishonest. From the security of the link-OT protocol, it follows that Bob can learn at most one of Alice’s inputs from each invocation. In the most general cheating strategy, Bob can arbitrarily choose values as his input bits to the link-OT protocols. Let denote these inputs and let be the inputs of Alice that Bob learns. Note that for any choice of Bob’s inputs there exists a such that . Moreover, . Our goal is now to show that Bob cannot gain any information about . First of all, note that since Alice uses fresh keys in each link-OT, and and are themselves randomly chosen bit strings unknown to Bob, the values of and are all independent. Hence, Bob would need to retrieve all such entries in order to compute both and , which contradicts the security of the link-OT.
It remains to prove security if Bob is honest. Note that Bob effectively performs a secret sharing of his input
along all paths such that the bit can only be recovered if and only if Alice learns all shares . However, Alice has no information about the value of on the honest-path as links between honest players are secure. Furthermore, the link-OT used between Alice and is secure for the receiver, and hence we conclude that Alice cannot learn as promised. ∎
Appendix B Necessity of the honest path
We now prove that an honest-path is a necessary condition for OT, where we use a weaker definition which is implied by the formal ones given e.g. for (fully randomized) oblivious transfer in König et al. (2009). Note that this is sufficient to prove the impossibility of the more difficult task as well. More concretely, the following conditions must hold for any protocol that is both correct and secure. Any impossibility proof for a protocol aiming for perfect security is rather unsatisfactory since we would be willing to accept a very small probability of failure. We hence include a security parameter which intuitively corresponds to the error we are willing to accept.
First of all, for any protocol that is correct we must have that the probability that honest Bob with input can guess honest Alice’s input, , satisfies
Furthermore, if Alice is honest, then for whatever attack Bob may conceive we have that he cannot guess at least one of the two inputs
Finally, if Bob is honest and his input bit is , then for any strategy of dishonest Alice, she is unable to learn Bob’s choice bit
To obtain an impossibility proof, our goal is now to show that (4), (5) and (6) can never be satisfied simultaneously for small values of . That is, we can only hope to achieve very imperfect version of oblivious transfer with a large error .
There exists no protocol for oblivious transfer based on only link-OT and classical communication that is secure without an honest path between Alice and Bob with security parameter .
If there is no honest path, then there exists some subset of potentially dishonest nodes that separates the network into two disconnected components, one containing Alice and the other Bob. Let us now establish some basic properties of the probabilities that Alice, Bob or can learn and in an honest execution of any protocol.
Note that in any protocol, Bob cannot gain more information about Alice’s inputs than can, since all information between Alice and Bob runs through (wlog we can furthermore assume that dishonest Bob would give any shared secret keys with Alice to for free). Hence, we have that
Similarly, Alice cannot gain more information about Bob’s input than can, hence
First, suppose that for an honest execution of any protocol the probability that is able to guess satisfies . Then, Alice can violate the security condition (6) by running the protocol honestly with Bob and then asking for a guess of . Hence, it must hold that
Third, suppose that for an honest execution of any protocol, . Then, Bob can violate the security condition (5) by running the protocol honestly with Alice and then asking for a guess for both and . Hence, it must hold that
We now show that these conditions imply that whenever Bob is honest, there exists a cheating strategy for Alice. Alice first chooses two random inputs , and runs the protocol as an honest Alice would do. Afterwards, she picks a random and asks , who by definition will willingly cooperate with any cheating party, to send her a guess for . Note that (10) and (11) now tell us that the probability that succeeds is very large for , but extremely small for . Alice then outputs as her guess for if guessed correctly and if guessed wrongly. The probability that Alice succeeds using this strategy obeys
Note, however, that OT is of course possible if would be fully quantum, and in particular would be able to perform entanglement swapping between Alice and Bob.