Almost tight lower bounds for 1-out-of-2 quantum oblivious transfer

semanticscholar(2017)

Abstract
Oblivious transfer (OT) is one of the most important and fundamental primitives in modern classical cryptography, with a variety of applications including secure multiparty computation, oblivious sampling, e-voting, signatures and many more. Its prominence stems from the fact that it can be used as the foundation for all secure two-party computations; with OT, all secure two-party computations are possible [1, 2]. Perfectly secure OT is impossible to achieve in the information-theoretic setting, but imperfect variants, in which the participants’ ability to cheat is limited, are possible using quantum means despite remaining classically impossible. Precisely what security parameters are attainable in these imperfect variants remains unknown. For OT, as well as for many other cryptographic primitives, it has been an interesting and productive open question to determine the optimal achievable security parameters. For strong coin flipping, Kitaev [5] introduced the semi-definite programming formalism to show that the product of Alice’s and Bob’s cheating probabilities must be greater than 1/2, implying that the minimum cheating probability is at least 1/√2. For weak coin flipping, it was shown by Mochon [6] that it is possible to achieve a cheating probability of 1/2 + for any > 0, and that this is optimal. Chailloux and Kerenidis [7] used the results on weak coin flipping to generate a protocol for strong coin flipping achieving the bound set by Kitaev. Lastly, for quantum bit commitment, Chailloux and Kerenidis [8] proved that the minimum cheating probability is 0.739, and presented a protocol achieving this bias. Thus, for bit commitment, strong coin flipping and weak coin flipping, the known bounds are tight with the known protocols. For OT on the other hand, the situation is not so clear-cut. Even in terms of definitions, there is a wide spectrum of distinct protocols all referred to using the same umbrella term “oblivious transfer”.
OT was first introduced informally by Wiesner as “a means for transmitting two messages, either but not both of which may be received” [9], and subsequently formalised as 1-out-of-2 OT (1-2 OT) in [11]. In related work, Rabin [12] introduced a protocol (now called Rabin OT), which was later shown by Crépeau [13] to be equivalent to 1-2 OT. Various “weaker” variants of OT have also been proposed, most notably Generalised OT, XOR OT and Universal OT, but all have been shown to be equivalent to 1-2 OT in the sense that if it is possible to do one, then it is possible to use this to implement the others [14, 15]. There is also work by Damgård, Fehr, Salvail and Schaffner [16] who define OT in a slightly different way, and who use binary linear functions to characterise security. With these definitions (and their quantum counterparts), and by using the additional assumption of bounded quantum storage, the authors describe a perfectly secure protocol for 1-2 OT [17].