C. Cr'epeau, Quantum Oblivious Transfer, submitted to the Journal of Modern Optics'special issue on Quantum Cryptography,1994.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....information about the bits. In that case the overall protocol becomes totally insecure. We refer to the case where Bob does not measure the photons and store them as the photon storing attack. To protect Alice against the photon storing attack the original BBCS protocol can be modified slightly ([Cr]) The modification is very simple. Before she announces the bases, Alice simply ask Bob to commit the outcome of his measurement as well as the basis that he used. Next, Alice with probability one half requests Bob to open this commitment. If Bob does not read the photon, he Supported by ....

.... straightforward approach to formalize the above discussion, in particular the concept of disturbance, in the context of the most general attack allowed by quantum mechanics, is to use the model for generalised measurements that is described in [Ma] Using this model and building on the work of [Cr], BBCM] and [MC] our contribution is to show that with the protection against photon storing the protocol is secure under the following assumption: Assumption 2 Every measurement is performed on individual photons. The case of coherent measurements (i.e. removing assumption 2) in a context ....

C. Cr'epeau, Quantum Oblivious Transfer, submitted to the Journal of Modern Optics'special issue on Quantum Cryptography,1994.

....assumption than the existence of a one way function (as for the first solution) solutions based on Oblivious Transfers are more interesting because they can be implemented in non computational scenarios. Oblivious Transfer can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10] for the 10th anniversary of the CWI Crypto course. 3 Section 5 describes a new simple and e#cient protocol based on the existence of a one out of two Oblivious Transfer. The scheme of Fagin, Naor and Winkler uses O(n 2 ) ....

....2.3 is indeed a trapdoor function (but not a permutation) since the extra information y = P is su#cient to calculate x from f(x) x 2 . In non computational models, as mentioned in the introduction, 2 1 OT 2 can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10] 3.4 Oblivious Transfer of two bits In protocol 5 below, we use a One out of two Oblivious Transfer of two bit elements from F 4 , denoted by 2 1 OT 4 . Each such transfer is achieved securely (even if one party tries to ....

Cr epeau, C., "Quantum Oblivious Transfer", Journal of Modern Optics, vol. 41, no 12, pp. 2455 -- 2466, 1994.

....shown insecure from the start (circa 1969) it was not until 1988 that Claude Cr epeau and Joe Kilian [29] presented the first alternative protocol. This protocol was clearly secure provided neither parties could store photons for long periods of time and only von Neumann measurements were allowed [25, 26]. The vulnerability to photon storage was easy to circumvent if only a secure bit commitment scheme were available. A more robust version of this protocol, capable of dealing with transmission errors on the quantum channel, was subsequently developed [10] Then Mayers and Salvail [61] analysed the ....

Cr' epeau, C., "Quantum oblivious transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

....constraints of correctness and privacy . These notions have been defined before for general protocols by Cr epeau [13] Micali and Rogaway [36] and Beaver [1] using simulators. In this paper, we use the language of information theory to express definitions similar to those introduced by Cr epeau [14]. Our goal is not to discuss definitions for general two party protocols: we restrict our study to oblivious transfers. 2.2.1 Correctness Let [P 0 ; P 1 ] a) b) be the random variable (since P 0 and P 1 may be probabilistic programs) that describes the outputs obtained by A and B when they ....

C. Cr'epeau, "Quantum oblivious transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

....one would like to find a way to force the cheater to execute real measurements, as requested in the honest protocol. This would be useful not only to realize quantum bit commitment protocols, but to realize many other quantum protocols, including the important quantum oblivious transfer protocols[23, 14]. A better understanding of the situation came after that Cr epeau proposed a quantum protocol [3, 5] that uses a computationally secure classical bit commitment [21, 22] as a subprotocol. The idea was to rely temporarily on the limitation (in speed) on the cheater during the commit phase to force ....

....of quantum protocols on unconditionally concealing bit commitment schemes, even if they were proven secure in the classical world. Notice however that it is still possible to use computationally concealing BC protocols such as [10] to get a computationally secure Quantum Oblivious Transfer [23, 14] protocol based on (quantum) one way functions; a result unlikely to be true in the classical scenario. The big lesson to learn from all this is that quantum information is always more elusive than its classical counterpart: extra care must be taken when reasoning about quantum cryptographic ....

Cr' epeau, C., "Quantum oblivious transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

....1 Introduction Work on quantum cryptography was started by Wiesner [Wi70] twenty five years ago. Much knowledge on how to exploit quantum physics for cryptographic purposes has been gained through the work of Bennet and Brassard ( BBBW83] BB84] BBBSS92] and later Cr epeau ( Cr90] BC91] BBCS92][Cr94]) Furthermore, prototypes for implementing some of these This research was supported in part by the National Science Foundation under grant CCR 9301430. algorithms have been built ( BB89] TRT93] TRT94] How to design securely the important cryptographic primitive oblivious transfer in ....

....in part by the National Science Foundation under grant CCR 9301430. algorithms have been built ( BB89] TRT93] TRT94] How to design securely the important cryptographic primitive oblivious transfer in quantum cryptography has received much attention in the recent literature [BBCS92] Cr90][Cr94][MS94] Central to all the proposed protocols is the transmission of a large number of polarized photons from Alice to Bob. At present, the strongest security result [MS94] obtained is that if Bob is allowed to make arbitrary measurements only on individual photons, then neither Alice nor Bob may ....

C. Cr'epeau, "Quantum oblivious transfer," in Journal of Modern Optics, special issue on quantum cryptography, to appear.

....the security of a QKD protocol. 1 Introduction The goal of quantum cryptography is to design cryptographic protocols that are secure against unlimited quantum or classical computational power. At present, the quantum protocols that have been designed are commitment [BC, BCJL] oblivious transfer [Cr87, Cr94, BBCS, MS, Yao], key distribution [BB84, BBBSS, BBBW] and identification [CS] Furthermore, prototypes for implementing some of these protocols have been built [BBBSS, MT, To94, TRT1, TRT2] However, the full security of some of these protocols has not yet been proved. One of the difficulties in providing a full ....

....s; b; b, etc. associated with an execution of the protocol are values taken by random variables S; B; Theta; B, etc. The remainder of the section contains the formal definitions of security that we use in our proof. As for the definition of security for Gamma 1 2 Delta OT found in [Cr94], our definitions are formulated in terms of the amount of information received by a given participant. Any initial information about s that may have this participant, Bob in sections 2.2 and 2.4 and Eve in section 2.3, corresponds to an apriori probability distribution on S which is implicit in ....

C. Cr'epeau, Quantum oblivious transfer, Journal of Modern Optics, vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

....from these results, have come up with another variation. In particular, their approach deals with MPC in a computational setting, which for a long time was considered to be difficult, but which makes it also less relevant here. A completely different avenue was pursued by Crepeau and Brassard [CR94, BCS96, BC97], who give a definition of One out of Two Oblivious Transfer purely in terms of information theory. The goal of this chapter is not to present a complete formal model of security for protocols for MPC, with formal proofs of all composition theorems etc. this could easily be the subject of a ....

....obtained from previous protocols. This issue is crucial in order to prove that the concatenation of secure protocols remains secure. To see why the definition presented here is equivalent to one where the universal quantifier ranges over all possible input and auxiliary input (see for instance [GMR89, GO94, CR94, BE91A]) observe the following: from A s point of view, the variable X given an (arbitrary) auxiliary input can be regarded as another stochastic variable X 0 ; its corresponding probability distribution is simply a readjustment of the probability distribution on X using the rules of conditional ....

[Article contains additional citation context not shown here]

CR EPEAU, C., "Quantum oblivious transfer", Journal of Modern Optics 41, 12 (1994), pp. 2445--2454.

....assumption than the existence of a one way function (as for the first solution) solutions based on Oblivious Transfers are more interesting because they can be implemented in non computational scenarios. Oblivious Transfer can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10] Section 5 describes a new simple and efficient protocol based on the existence of a one out of two Oblivious Transfer. The scheme of Fagin, Naor and Winkler uses O(n 2 ) one out of two Oblivious Transfers while ours, based on ....

....indeed a trapdoor function (but not a permutation) since the extra information y = P is sufficient to calculate x from f(x) x 2 . In non computational models, as mentioned in the introduction, Gamma 2 1 Delta OT 2 can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10] 3.4. Oblivious Transfer of two bits In protocol 5 below, we use a One out of two Oblivious Transfer of two bit elements from F 4 , denoted by Gamma 2 1 Delta OT 4 . Each such transfer is achieved securely (even if one party ....

C. Cr' epeau (1994) Quantum Oblivious Transfer, Journal of Modern Optics, vol. 41, no 12, pp. 2455 -- 2466, 1994.

....1 prepared by Alice but she does not learn his choice b. Bob learns a b and obtains no information about a b . Implementations of ot can only exist under some assumption. For instance, ot can be constructed if trapdoor functions exist [16] from a noisy channel [11, 12] or from a quantum channel [2, 10]. It is also a well known fact that using O(n) of Rabin s Oblivious Transfers [26] one can construct one out of two Oblivious Transfer [7] In a Bit Commitment Alice sends a committed bit a to Bob in such a way that she is able to reveal it later in a unique way (a) but Bob is not able to find ....

C. Cr'epeau, Quantum Oblivious Transfer, Journal of Modern Optics, vol. 41, No. 12, 1994.

....distribution was conceivable. We will look more closely at the quantum bit commitment scheme behind Bennett Brassard s coin flipping protocol and its attack in section 2. More recently, Cr epeau and Kilian [12] have presented an alternative protocol for oneout of two Oblivious Transfer. Cr epeau [9, 10] showed that this protocol is secure if neither parties can store photons for long periods of time and if only Von Neumann measurements are allowed. Alternatively, the first restriction may be dropped if we have a secure bit commitment protocol. A more robust version of this protocol that deals ....

....(computational for instance) in order to limit the measurements of the players and later drop this short term assumption to obtain a quantum bit commitment not relying on any long term assumption. We first present a protocol inspired from Cr epeau s protocol for one out of two Oblivious Transfer[10] without the temporary bit commitment in order to explain clearly its features and then proceed with the full protocol. Protocol 5.1 ( C96(b) 1: n DO i=1 A picks bits b i ; m i and sends a photon i with polarization jb i ; m i i to B, 2: n DO i=1 B picks a bit b 0 i and measures i ....

C. Cr'epeau, "Quantum oblivious transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

....from the appendix uses quantum transmission both for Oblivious Transfer and Bit Commitment. At first glance, it seems like the quantum transmission of data must go in both directions, since the Oblivious Transfer goes from Alice to Bob and the Bit Commitment goes the other way. As pointed out in [12], there is no need for photons traveling both ways. These two protocols may be implemented with the photons going in a single direction. It does not matter who send the photons to who, the same result can be achieved from them. A similar idea was suggested by Hans Joachim Knobloch [19] ....

Cr'epeau, C., Quantum Oblivious Transfer, Journal of Modern Optics, Dec. 1994.

.... quantum bit commitment is a serious concern because other quantum protocols such as quantum oblivious transfer depend on the security of bit commitment [10, 17, 18, 12] On the other hand, not all of Quantum Cryptography fall apart because our earlier proof of security for quantum key distribution [19] holds even if secure quantum bit commitment is not possible despite the fact that it is based on an earlier proof of security for quantum oblivious transfer that fails in the absence of a secure bit commitment scheme. The reason is that the proof of security for quantum key distribution does ....

....bit commitment is insecure. Note that as a consequence, Yao s proof of security for Quantum Oblivious Transfer [12] fails because it is built on insecure foundations (through no fault of Yao) Ironically, as we stated in the Introduction, the proof of security for Quantum Key Distribution shown in [19] stands despite the fact that it draws on Yao s work because it does not depend on the security of Bit Commitment. ....

Cr' epeau, C., "Quantum oblivious transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

No context found.

C. Cr'epeau, "Quantum Oblivious Transfer", Journal of Modern Optics, Vol. 41, no. 12, December 1994, pp. 2445 -- 2454.

No context found.

Cr'epeau, Claude, Quantum oblivious transfer, Journal of Modern Optics, 1994, vol. 41, No. 12, 2445-2445.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC