arxiv:cs/ v2 [cs.cr] 16 Apr 2004

Similar documents
Security Implications of Quantum Technologies

arxiv:quant-ph/ v1 10 Dec 1997

Quantum Cryptography

quantum distribution of a sudoku key Sian K. Jones University of South Wales

Optimal bounds for quantum bit commitment

Optimal quantum strong coin flipping

Generalized Oblivious Transfer by Secret Sharing

Lecture 2: Quantum bit commitment and authentication

arxiv: v7 [quant-ph] 20 Mar 2017

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

All this was changed by PKC. The idea of PKC is for each user (eg Alice) to randomly choose a pair of mutually inverse transformations a scrambling tr

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Oblivious Evaluation of Multivariate Polynomials. and Applications

A probabilistic quantum key transfer protocol

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

ASPECIAL case of the general key agreement scenario defined

Research, Development and Simulation of Quantum Cryptographic Protocols

Quantum dice rolling

LECTURE NOTES ON Quantum Cryptography

Quantum Setting with Applications

arxiv: v1 [quant-ph] 3 Jul 2018

PERFECTLY secure key agreement has been studied recently

A. Quantum Key Distribution

Tight Bounds for Classical and Quantum Coin Flipping

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Optimal Reductions between Oblivious Transfers using Interactive Hashing

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Introduction to Cryptography Lecture 13

Lecture 28: Public-key Cryptography. Public-key Cryptography

arxiv:quant-ph/ v2 2 Jan 2007

arxiv:quant-ph/ v1 13 Jan 2003

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Lecture 11: Quantum Information III - Source Coding

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices

Quantum Cryptography : On the Security of the BB84 Key-Exchange Protocol

Error-Tolerant Combiners for Oblivious Primitives

Susceptible Two-Party Quantum Computations

Quantum walks public key cryptographic system (Extended Abstract)

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Efficient Quantum Key Distribution. Abstract

CPSC 467b: Cryptography and Computer Security

10. Physics from Quantum Information. I. The Clifton-Bub-Halvorson (CBH) Theorem.

Oblivious Transfers and Privacy Amplification

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Multiparty Computation

Technical Report Communicating Secret Information Without Secret Messages

Analysis of the Influenceof the Rate of Spies Measure on the Quantum Transmission

Lecture 14: Secure Multiparty Computation

arxiv:quant-ph/ v1 27 Dec 2004

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

Oblivious Transfer from Weak Noisy Channels

Entanglement and information

Classical and Quantum Strategies for Two-Prover Bit Commitments

Perfectly secure cipher system.

Tight Bounds for Classical and Quantum Coin Flipping

Lecture Notes 20: Zero-Knowledge Proofs

Computer Science A Cryptography and Data Security. Claude Crépeau

Realization of B92 QKD protocol using id3100 Clavis 2 system

Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

Cryptography in a quantum world

Privacy-preserving cooperative statistical analysis

Quantum Cryptography

An Introduction to Quantum Information and Applications

Trustworthiness of detectors in quantum key distribution with untrusted detectors

RIVF 2006 Tutorial. Prof. Patrick Bellot PhD. Dang Minh Dung. ENST (Paris) & IFI (Hanoi) RIVF 2006 Tutorial. "Quantum Communications"

Lecture 3,4: Multiparty Computation

Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography)

QUANTUM COMMUNICATIONS BASED ON QUANTUM HASHING. Alexander Vasiliev. Kazan Federal University

Lecture 10: Zero-Knowledge Proofs

Uncertainty Principle

Quantum Cryptography

Quantum Cryptography and Security of Information Systems

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

State Decoding in Multi-Stage Cryptography Protocols

CPSC 467: Cryptography and Computer Security

arxiv:quant-ph/ v2 3 Oct 2000

Lecture 1: Introduction to Public key cryptography

Quantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February

Why quantum bit commitment and ideal quantum coin tossing are impossible.

Introduction to Modern Cryptography. Benny Chor

Problems of the CASCADE Protocol and Renyi Entropy Reduction in Classical and Quantum Key Generation

1 Secure two-party computation

Benny Pinkas Bar Ilan University

Universal Single Server Blind Quantum Computation Revisited

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

Statistical Security Conditions for Two-Party Secure Function Evaluation

Ping Pong Protocol & Auto-compensation

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Teleportation of Quantum States (1993; Bennett, Brassard, Crepeau, Jozsa, Peres, Wootters)

Generation of Shared RSA Keys by Two Parties

Feasibility and Completeness of Cryptographic Tasks in the Quantum World

Cryptography and Security Final Exam

Quantum key distribution with 2-bit quantum codes

Transcription:

Quantum m-out-of-n Oblivious Transfer Zhide Chen, Hong Zhu Department of Computer Science, Fudan University, Shanghai 00433, P.R.China. arxiv:cs/0311039v [cs.cr] 16 Apr 004 Key Laboratory of Intelligent Information Processing, Fudan University, Shanghai 00433, P.R.China. Abstract In the m-out-of-n Oblivious Transfer (OT) model, one party Alice sends n bits to another party Bob, Bob can get only m bits from the n bits. However, Alice cannot know which m bits Bob received. Y.Mu and Naor presented classical m-out-of-n Oblivious Transfer based on discrete logarithm. As the work of Shor, the discrete logarithm can be solved in polynomial time by quantum computers, so such OTs are unsecure to the quantum computer. In this paper, we construct a quantum m-out-of-n OT (QOT) scheme based on the transmission of polarized light and show that the scheme is robust to general attacks, i.e. the QOT scheme satisfies statistical correctness and statistical privacy. Keywords. Quantum, Oblivious Transfer. 1 Introduction A number of recent papers have provided compelling evidence that certain computational, cryptographic, and information theoretic tasks can be performed more efficiently by models based on quantum physics than those based on classical physics [9]. Oblivious Transfer (OT) is used as a key component in many applications of cryptography [11, 5, 10]. Informally speaking in an Oblivious Transfer, Alice sends a bit to Bob that he receives half the time (this fact is out of their control), Alice does not find out whathappened, Bobknowsifhegetthebitornothing. Similarly, in a 1-out-of- Oblivious Transfer, Alice has twobits b 0,b 1 that she sends tobob in such a waythat This work is partially supported by a grant from the Ministry of Science and Technology (#001CCA03000), National Natural Science Fund (#6073045) and Shanghai Science and Technology Development Fund (#03JC14014). {001091, hzhu}@fudan.edu.cn he can decide to get either of them at his choosing but notboth. AliceneverfindsoutwhichbitBobreceived. In 001, Naor presented a 1-out-of-n Oblivious Transfer [8], Y.Mu showed that m-out-of-n Oblivious Transfer could also be realized based on the discrete logarithm. In the m-out-of-n Oblivious Transfer(1 m < n),alicesendsnbitstobob, Bobcangetonlym ofthem. In the caseof quantum, Claude Crépeauprovided a 1-out-of- quantum Oblivious Transfer based on the transmission of polarized light in 1994. The protocol of Crépeau s can be used directly to implement a one-out-of-three Oblivious Transfer. The organization of this paper is as following: in section, we give the definitions of the correctness and privacy of the m-out-of-n OT protocol. In section 3, we review the 1-out-of-OT of Claude Crépeauand its intuition. In section 4, we construct an m-out-of-n OT,andin section5weshowthat this schemesatisfies statistical correctness and statistical privacy. Definitions The natural constraints(see below) of correctness and privacy of a m-out-of-n OT(1 m < n) is showed below. Definition.1 Perfect Correctness: It should be that when Alice and Bob follow the protocol and start with Alice s input bits b 1,b,,b n and Bob s input c 1,c,...,c m {1,,,n}, they finish with Bob getting b c1,b c,,b cm { b 1, b,, b n }. Definition. Perfect Privacy: It should be that, Alice can not find out about c 1,c,...,c m, and Bob can not find out more than m of b 1,b,...,b n. The protocol we describe in the next section is of probabilistic nature. We cannot show that this protocol perfectly satisfies the above constraints but satisfies in a statistical sense: after an amount of work in

O(N) time the protocol will satisfy for some positive constant ǫ < 1. Definition.3 Statistical Correctness: It should be that, except with probability at most ε N, when Alice and Bob follow the protocol and start with Alice s input bits b 1,b,...,b n and Bob s input c 1,c,...,c m {1,,,n} they finish with Bob getting b c1,b c,,b cm {b 1,b,,b n }. Definition.4 Statistical Privacy: It should be that, except with probability at most ǫ N, Alice can not find out c 1,c,...,c m, and Bob can not find out more than m of b 1,b,...,b n. 3 Quantum 1-out-of- Oblivious Transfer In this section, we introduce the quantum 1-outof- OT provided by Claude Crépeau [3]. Let c denote the random variable that takes the binary value 0 with probability 1/ and 1 with probability 1/. Also, denote by [ ] i the selection function such that [a 0,a 1,,a k ] i = a i. Let = (, ) and տցրւ = ( տց, րւ ) denote respectively the bases of rectilinear and diagonal polarization in the quantum state space of a photon. The quantum 1-out-of- OT is as follows: 3.1 Quantum 1-out-of- OT Protocol 3.1 1-out-of- OT(b 0,b 1 )(c) 1. DO Alice picks a random bit r i c Alice picks a random bit β i c and defines her emission basis ( ϕ i, ϕ i ) [,տցրւ] β i Alice sends to Bob a photon π i with polarization [ ϕ i, ϕ i ] r i Bob picks a random bit β i c and measures π i in basis ( θ i, θi ) [,տցրւ] β i Bob. DO n r i { 0, if πi is observed as θ i 1, if π i is observed as θ i sets Bob runs commit(r i ), commit(β i ), commit(r n+i ), commit(β n+i ) with Alice Alice picks c i c and announces it to Bob Bob runs unveil(r nc i+i ),unveil(β nc i+i ) Alice checks that β nci+i = β nc i+i r nci+i = r nc i+i if c i = 0 then Alice sets β i β n+i and r i r n+i and Bob set β i β n+i and r i r n+i 3. Alice announces her choices β 1 β β n to Bob 4. Bob randomly selects two subsets I 0,I 1 {1,,,n} subject to I 0 = I 1 = n/3, I 0 I 1 = and i I c,β i = β i, and he announces I 0,I 1 to Alice 5. Alice receives J 0,J 1 = I 0,I 1, computes and sends b 0 b 0 j J 0 r j and b 1 b 1 j J 1 r j 6. Bob receives b 0, b 1 and computes b c b c j J c r j 3. Intuition behind 1-out-of- OT In this 1-out-of- QOT, Alice must prevent Bob from storing the photons and waiting until she discloses the bases before measuring them, which would allowhim to obtainboth ofalice sbits with certainty. To realize this, Alice gets Bob to commit to the bits that he receivedand the basesthat he usedto measure them. Before going ahead with r i, say, Alice checks that Bob had committed properly to r n+i when he read that bit in the basis that she used to encode it. If at any stage Alice observes a mistake (β n+i = β n+i but r n+i r n+i ), she stops further interaction with Bob who is definitely not performing his legal protocol (this should never happen if Bob follows his protocol). In this protocol, r 1 r r n are chosen by Alice in step1andaresenttobob viaanambiguouscodingreferred to as the BB84 coding [1]: when Alice and Bob choose the same emission and reception basis, the bit received is the same as what was sent and uncorrelated otherwise. Bob builds two subsets: one I c that will allow him to get b c, and one I c that will spoil b c. The calculationsof steps 5-6 are much that all the bits in a subset must be known by Bob in order for him to be able to obtain the output bit connected to that subset. 4 Protocol for Quantum m-out-of-n Oblivious Transfer 4.1 Weak Bit Commitment In 1993, Gilles Brassard, etc provided a quantum bit commitment scheme provably unbreakable by

both parties []. However, unconditionally quantum bit commitment was showed impossible [7]. In [4], Aharonov provided a weak bit commitment. Definition 4.1 [4] In the weak bit commitment protocol, the following requirements should hold. If both Alice and Bob are honest, then both Alice and Bob accept. (Binding) If Alice tries to change her mind about the value of b, then there is non zero probability that an honest Bob would reject. (Sealing) If Bob attempts to learn information about the deposited bit b, then there is non zero probability that an honest Alice would reject. In the following scheme, Bob will use this weak quantum bit commitment to commit. 4. Intuition for m-out-of-n OT In the m-out-of-n OT, Bob should build n subsets I 1,I,...,I n {1,,,n}, m of that will allow him to get b c1,b c,...,b cm (c 1,c,...,c m {1,,...,n}), and the other I s will spoil the remnant b s. In I 1 I I n, the rate of the i s satisfying β i = β i would be more than m n and less than n. i.e. m n #{i β i = β i,i I 1 I n } < I 1 I n n In our scheme, we let the rate to be m n + n As β s and β s are choice randomly, we have #{β i = β i lim } = 1 N N. =. For a large N, the rate of i s in {1,,,N} that satisfy β i = β i would be approximately 1, then Bob should remove some i s from the {1,,,N}. The number of i s that should be removed can be calculated as following: If, there are more i s that satisfy β i = β i than required, so Bob should remove x i s that satisfying β i = β i from {1,,,N}. x can be calculated as follows: N x N x = x = n () () N If, there are more i s that satisfy β i β i than required, so Bob should remove x i s that satisfying β i β i from {1,,,N}. x can be calculated as follows: N N x = x = () n N N must satisfy( ())() (() n)n so that x would be an interger. we let the i s that was removed from {1,,,N} be u 1,u,,u x. 4.3 Quantum m-out-of-n OT In the m-out-of-n QOT, Alice has input b 1,b,,b n, Bobhasinput c 1,c,,c m. Theoutput of the scheme is b c1,b c,,b cm. Protocol 4.1 m-out-of-n QOT(b 1,b,...,b n )(c 1,c,...,c m ) 1. DO N. DO N Alice picks a random bit r i c Alice picks a random bit β i c and defines her emission basis ( ϕ i, ϕ i ) [,տցրւ] β i Alice sends to Bob a photon π i with polarization [ ϕ i, ϕ i ] r i Bob picks a random bit β i c and measures π i in basis ( θ i, θi ) [,տցրւ] β i Bob { sets 0, if r i πi is observed as θ i 1, if π i is observed as θi Bob runs commit(r i ), commit(β i ), commit(r N+i ), commit(β N+i ) with Alice Alice picks d i c and announces it to Bob Bob runs unveil(r Nd i+i ),unveil(β Nd i+i ) Alice checks that β Ndi+i = β Nd i+i r Ndi+i = r Nd i+i if d i = 0 then Alice sets β i β N+i and r i r N+i and Bob set β i β N+i and r i r N+i 3. Alice announces her choices β 1 β β N to Bob 4. DO x j=1

If Bob runs unveil(r u j ), unveil(β u j ) that satisfying β uj = β u j, Alice checks that β uj = β u j r uj = r u j If Bob runs unveil(r u j ), unveil(β u j ) that satisfying β uj β u j 5. Bob randomly selects n subsets I 1,I,,I n {1,,,N} {u 1,u,...,u x } subject to I 1 = I = = I n = (N x)/n, j k, I j I k = and j I c1 I c I cm, β j = β j, and he announces I 1,I,,I n to Alice 6. Alice receives J 1,J,,J n = I 1,I,,I n, computes and sends b 1 b 1 j J 1 r j, b b j J r j,, b n b n j J n r j to Bob 7. Bob receives b 1, b,, b n and computes b ci bci j J ci r c j, i = 1,,,m 5 Analysis Inthem-out-of-nQOT, Bobmustreadthephotons sent by Alice as they come: he cannot wait and read them later, individually or together. We assume that the channel used for the quantum transmission is free oferrors,sothatitisguaranteedthatr i = r i whenever β i = β i. we now show that under the assumption this protocol satisfies the statistical version of the above constraints. 5.1 Correctness Lemma 5.1 Hoefding inequality [6] Let X 1,X,,X n be total independent random variables with identical probability distribution so that E(X i ) = µ and the range of X i is in [a,b]. Let the simple average Y = (X 1 +X + +X n )/n and δ > 0, then Pr[ Y µ δ] e δ b a So, if Pr[X i = 0] = Pr[X i = 1] = 1, then µ = 1 and a = 0,b = 1, we have the following inequality n X i Pr[ n 1 δ] e nδ We show that most of the time the output is correct if the parties abide to their prescribed protocol. In a given run of the protocol, Bob will succeed in computing b c1,b c,...,b cm properly provided satisfying the following conditions : when #{i β i = β i } x (N x)m/n or when #{i β i = β i} (N x)m/n Because in that case he can form I c1,i c,...,i cm as prescribed and then he can compute the output bit as bci j I ci r j which is bci r j = b c i j I ci j J ci r j r j = b c i r j r j j I ci j I ci because J ci is I ci. Since β i = β i r j r j = 0 makes all the right terms vanish, we end up with bci j I ci r j = b ci Therefore the protocol gives the correct output unless satisfying the following conditions : when or when #{i β i = β i} x < (N x)m/n #{i β i = β i } < (N x)m/n in which case Bob is unable to form the set I c1,i c,...,i cm as prescribed. Now, we can calculate the probability that Bob can not form I c1,i c,...,i cm If < 1 n () (i.e. < n, x = () N), then the probability that Bob can get less than m bits is given by P[#{i β i = β i} x < (N x)m/n] = P[#{i β i = β i } < (N x)m/n+x] = P[ β i β i n () > N ((N () N)m/n + n () () N)] = P[ 1 β i β i > 1 n () N () ] = P[ 1 N β i β i > β i β i 1 > () ] () 1 ] It is easy to check that () 1 > 0. Given that P[β i β i = 1] = 1/, let N >

ln ( () 1 by ), this probability can be easily bounded < e N( () 1 ) = e N( < e N( () 1 ) () 1 ) e N( () 1 ) (ε = e ( () 1 ) < 1) using Hoefding s inequality. If (i.e. m + 1 n, x = () n ), then the probability that Bob can get less than m bits is given by P[#{i β i = β i} < (N x)m/n] = P[ β i β i > N (N () n N)m/n] = P[ 1 N β i β i > 1 m ] β i β i 1 > 1 m ] It is easy to check that 1 m > 0. Given that P[β i β i ln = 1] = 1/, let N > this probability can be easily bounded by < e N(1 m ) = e N(1 m ) e N(1 m ) < e N(1 m ) ( 1 m ), (ε = e (1 m ) < 1) using Hoefding s inequality. So, Bob can get less than m bits that sent from Alice with probability less than ε N. 5. Privacy We analyse the privacy of each party individually as if he or she is facing a malicious opponent. 5..1 Privacy for Bob Theorem 5.1 Alice can not find out much about c 1,c,...,c m, Proof. The only things Alice gets though the protocol are the sets J 1,J,...,J n. β i s and β i s are independent from each other. J 1,J,...,J n will have uniform distribution over all possible pairs of disjoint subsets of size N x n for i = 1,i =,... as well as for i = n. Therefore Alice learns nothing about the c 1,c,...,c m. 5.. Privacy for Alice Theorem 5. Except with probability at most ǫ n, Bob can not find out much information about more that m of b 1,b,...,b n. Proof. The probability of that Bob gets more than m bits (i.e. get at least bits). So If (i.e. m + 1 < n, x = n () () N), the probability that Bob can get more than bits is given by P[#{i β i = β i} x (N x)()/n] = P[#{i β i = β i } (N x)()/n+x] = P[ β i β i N ((N n () () N)(m +1)/n+ n () () N)] = P[ 1 β i β i N 1 () ] β i β i 1 > 1 () ] It is easy to check that 1 () > 0. Given that P[β i β i = 1] = 1/, let N > ln ( 1 ), this probability can be easily bounded () by < e N(1 () ) = e N(1 () ) e N(1 < e N(1 () ) () ) (ε = e (1 () ) < 1) using Hoefding s inequality. If (i.e. m + 1 n, x = () n ), then the probability that Bob can get more than bits is given by P[#{i β i = β i } (N x)()/n] = P[ β i β i N (N () n N)(m

+1)/n] = P[ 1 β i β i 1 N ] β i β i 1 > 1 ] It is easy to check that 1 > 0. Given that P[β i β i ln = 1] = 1/, let N > the probability can be easily bounded by N( < e 1 ) N( = e N( < e 1 ) 1 ) N( e 1 ) ( 1 ), ( (ε = e 1 ) < 1) using Hoefding s inequality. Finally, we show that Bob cannot get more than m bits by attacking the weak quantum bit commitment. LettheprobabilitythathecancheatAliceintheweak QBC be p (0 < p < 1), the probability that he can get one more bit is p N x n < ǫ N (ǫ = p). 1 So, Bob can get more than m bits that sent from Alice with probability less than ε N. In the 1-out-of- OT scheme, n = and m = 1, = 3 4 > 1, then the probability is less than N ( e 1 ) = e N ( 3 1 ) = e N 18 6 Conclusions and Future Work In this paper, we construct an quantum m-out-ofn OT based on the transmission of polarized light, which is an extension of the quantum 1-out-f- OT, and prove that this scheme satisfies statistical correctness and statistical privacy, i.e. except with a small probability ǫ N, Bob can get the correct m bits, and cannot get one more bit than required. We think the following points is interesting for further research: 1. Implement and apply the QOT in the real world.. Find a QOT satisfies perfect correctness and perfect privacy. References [1] Bennett, C.H. and Brassard, G., Quantum Cryptography: Public-key Distribution and Coin Tossing, In Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175-179. [] Brassard, G., Crépeau, C. Jozsa, R. and Langlois, D., A Quantum Bit Commitment Scheme Probably unbreakable by both parties, In Proceedings of the 34th Annual IEEE Symposium on Foundations of Computer Science, November 1993, pp.36-371 [3] Claude Crépeau. Quantum Oblivious Transfer. Journal of Modern Optics, 41(1):455C466, 1994. [4] Dorit Aharonov, Amnon Ta-Shma, Umesh V. Vazirani, Andrew Chi-Chih Yao. Quantum bit escrow. Proceedings of the 3d Annual ACM Symposium on Theory of Computing(STOC 00), 000. [5] Even, S., Goldreich, O. and Lempel, A., A Randomized Protocol for Signing Contracts, Communications of the ACM, vol. 8, pp. 637-647, 1985. [6] W. Hoefding, Probability Inequalities for Sums of Bounded Random Variables, Journal of the American Statistical Association, Vol.58, 1936, pp.13-30 [7] Mayers, D. Unconditionally Secure Quantum Bit Commitment is Impossible. Physical Review Letters 78. pp 3414-3417 (8 April 1997). [8] Moni Naor, Benny Pinkas. Efficient Oblivious Transfer Protocols. SODA, 001 [9] P. W. Shor, Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, SIAM Journal on Computing, V.6:(5), 1997. [10] Rabin, M.O., How to exchange secrets by Oblivious Transfer, technical report TR-81, Aiken Computation Laboratory, Harvard University, 1981. [11] Wiesner, S., Conjugate coding, Sigact News, vol.15, no. 1, 1983, pp.78-88; Manuscript written circa 1970, unpublished until it appeared in SIGACT News. [1] Yi Mu, Junqi Zhang, Vijay Varadharajan, m out of n oblivious transfer, ACISP 00, Lecture Notes in Computer Science 384, Springer Verlag, 00. pp. 395-405

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback