Generation and Distribution of Quantum Oblivious Keys for Secure Multiparty Computation

The oblivious transfer primitive is sufficient to implement secure multiparty computation. However, secure multiparty computation based only on classical cryptography is severely limited by the security and efficiency of the oblivious transfer implementation. We present a method to efficiently and securely generate and distribute oblivious keys by exchanging qubits and by performing commitments using classical hash functions. With this hybrid approach, quantum and classical, we obtain a practical and high-speed oblivious transfer protocol that is secure even against quantum computer attacks. The distributed oblivious keys allow implementing a fast and secure oblivious transfer protocol, which can pave the way for the widespread use of applications based on secure multiparty computation.


Introduction
In Secure Multiparty Computation (SMC), several agents compute a function that depends on their own inputs, while keeping those inputs private [1]. Privacy is critical in the context of an information society, where data is collected from multiple devices (smartphones, home appliances, computers, street cameras, sensors, etc.) and subjected to intensive analysis through data mining. This data collection and exploration paradigm offers great opportunities, but it also raises serious concerns. A technology able to protect the privacy of citizens, while simultaneously allowing to profit from extensive data mining, is going to be of utmost importance. SMC has the potential to be that technology if it can be made practical, secure and ubiquitous. Secure multiparty computation demands extensive use of asymmetric cryptography primitives, which are considered significantly more computationally complex than symmetric cryptography [2]. Besides that, in its current standards, asymmetric cryptography cannot be considered secure anymore due to the expected increase of computational power that a large-scale quantum computer will bring [3]. A large-scale quantum computer can make it trivial to break current public key encryption and key exchange algorithms [4]. Although it is still uncertain when a large-scale quantum computer will be available, small-scale quantum computers, i.e., quantum computers with a limited number of qubits, are already commercially available [5]. This represents a very serious threat, and it has triggered several research initiatives to develop quantum-resistant algorithms. These research initiatives have been following two paths, one based on the development of harder-to-break classical cryptographic algorithms [6] and another based on quantum protocols [7].
The former is limited by the little understanding we have of the security of new post-quantum cryptographic algorithms (particularly in the presence of quantum computers), and by the amount of computational resources needed to implement them. The latter is limited by the immaturity of quantum technologies. Here, we explore a hybrid approach, mixing both classical and quantum cryptography, and we show that this approach can provide a quantum-resistant, practical and fast solution to support secure multiparty computation.

Figure 1: In secure multiparty computation, N parties compute a function preserving the privacy of their own input. Each party only has access to their own input-output pair.
This paper is organized as follows. In Section II, we describe the connection between SMC and the Oblivious Transfer (OT) primitive. In Section III, we define the concept of oblivious keys, and explain how having pre-shared oblivious keys can significantly decrease the computational cost of OT during SMC. In Section IV, we describe an efficient quantum protocol for oblivious key generation and distribution, the security and efficiency of which are discussed in Sections V and VI. Finally, in Section VII, we summarize the main conclusions of this work.

Secure Multiparty Computation and Oblivious Transfer
Let $\{P_1, \ldots, P_N\}$ be a set of agents and $f(x_1, x_2, \ldots, x_N) = (y_1, y_2, \ldots, y_N)$ a multivariate function. For every agent $P_i$, an SMC service (see Fig. 1) receives the input $x_i$ and outputs back the value $y_i$ in such a way that no additional information is revealed about the remaining $x_j, y_j$, for $j \neq i$. Additionally, this definition can be strengthened by requiring that for some number $M < N$ of corrupt agents working together, no information about the remaining agents gets revealed (secrecy). It can also be imposed that if at most $M < N$ agents do not compute the function correctly, the protocol identifies it and aborts (authenticity). Some of the most promising approaches towards implementing SMC are based on oblivious circuit evaluation techniques (such as Yao's garbled circuits) [8]. It has been shown that to achieve SMC it is enough to implement OT [9]. Furthermore, without additional assumptions, the security of the resulting SMC depends only on that of the OT.
Let Alice and Bob be two agents. A 1-out-of-2 OT service receives strings $m_0, m_1$ as input from Alice and $b$ as input from Bob, $b \in \{0, 1\}$, then outputs $m_b$ to Bob. This is done in a way that Bob gets no information about the other message, i.e., $m_{1-b}$, and Alice gets no information about Bob's choice, i.e., the value of $b$ [10]. Classical OT implementations, based on the use of asymmetric keys, suffer from two types of problems. The first one is efficiency: asymmetric cryptography relies on relatively complex key generation, encryption, and decryption algorithms [11, Chapter 1], [12, Chapter 6]. This limits the achievable rate of OTs, and since implementations of SMC require a very large number of OTs [2, 13], this has hindered the development of SMC-based applications. The other serious drawback is that asymmetric cryptography, based on integer factorization or discrete-logarithm problems, is insecure in the presence of quantum computers, and therefore it has to be progressively abandoned. There are strong research efforts in order to find other hard problems that can support asymmetric cryptography [3]. However, while the security of these novel solutions is not fully understood, their complexity should prevent their massive usage to support SMC. A possible way to circumvent this problem is by using quantum cryptography to improve the efficiency and security of current techniques. Quantum solutions for secure key distribution, Bit Commitment (BC) and OT have already been proposed [7]. The first of these was proved to be unconditionally secure (assuming an authenticated channel) and realizable using current technology. Although it was shown to be impossible to achieve unconditionally secure quantum BC and OT [14][15][16], one can impose restrictions on the power of adversaries in order to obtain practically secure versions of these protocols [17, 18]. These assumptions include physical limitations on the apparatuses, such as noisy or bounded quantum memories [19, 20].
For instance, quantum OT and BC protocols have been developed and implemented (see [21][22][23][24][25]) under the noisy storage model. Nevertheless, solutions based on hardware limitations may not last for long, because as quantum technology improves, the rate of secure OT instances is going to decrease. Other solutions include exploring relativistic scenarios using the fact that no information can travel faster than light [26][27][28]. However, at the moment, these solutions do not seem to be practical enough to allow the large-scale dissemination of SMC. A more promising approach is based on the fact that, under the Quantum Random Oracle Model (QROM), it has been shown that OT can be securely implemented using a quantum protocol [29]. From a practical point of view, the QROM corresponds to the assumption that there exists a hash function, such as SHA-256, for which a quantum computer cannot find collisions efficiently. Indeed, it is not believed that quantum computers have a significant advantage in finding collisions for currently used cryptographic hash functions [30]. Thus, a way to achieve a secure and fast rate of OT is by using quantum communications along with classical hash functions. This has the potential to bring SMC into practical use.

Oblivious keys as a shared resource
As mentioned earlier, one of the more promising solutions for implementing SMC consists of describing the function to be computed as a logical circuit, which is then evaluated using the oblivious circuit evaluation technique. In the worst case, this requires each party to perform one OT for each gate of the circuit being evaluated. This number can be reduced by weakening the security or by increasing the amount of exchanged data [31]. Either way, the OT cost of SMC represents a major bottleneck for its practical implementation. To address this problem, we introduce the concept of oblivious keys. In this section, we describe how they can be used to delegate part of the computation outside of the main SMC protocol, and in the next section, we describe a quantum protocol for their distribution.
Let Alice and Bob be two agents. Oblivious Key Distribution (OKD) is a service that outputs to Alice the string $k = k_1 k_2 \ldots k_\ell$ and to Bob the string $\bar k = \bar k_1 \bar k_2 \ldots \bar k_\ell$ together with the bit string $x = x_1 x_2 \ldots x_\ell$, such that $k_i = \bar k_i$ whenever $x_i = 0$ and $\bar k_i$ does not give any information about $k$ whenever $x_i = 1$. All of the strings are chosen at random for every invocation of the service. A pair $(k, (\bar k, x))$ distributed as above is what we call an oblivious key pair. Alice, who knows $k$, is referred to as the sender, and Bob, who holds $\bar k$ and $x$, is the receiver. In other words, when two parties share an oblivious key, the sender holds a string $k$, while the receiver knows only approximately half of the bits of $k$ (and knows which half). When two parties share an oblivious key pair of length $\ell$, they can use it to send messages of length $r < \ell/2$ via OT. This can be securely performed using the protocol in Fig. 2. This protocol is significantly faster than current implementations of OT without any previously shared resource. Note that the agents can perform, previously or concurrently, an OKD protocol to share a sufficiently large oblivious key, which can then be partitioned and used to perform as many instances of OT as needed for SMC. This effectively reduces the overall cost of the OTs during the circuit evaluation, but does not make the whole endeavour faster unless there is a fast way of sharing such oblivious keys. Fortunately, it is possible to achieve fast oblivious key exchange if the parties have access to fast and secure communications and commitments, which can be implemented through a photonic quantum communication channel and quantum-computer-resistant classical hash functions.
Figure 2: Protocol $\pi_{OK \to OT}$. Parameters: integers $\ell$, $r < \ell/2$, and a universal hash function family $\mathcal{F}$ onto $\{0,1\}^r$. Parties: the sender Alice and the receiver Bob. Inputs: Alice gets two strings $m_0, m_1 \in \{0,1\}^r$; Bob gets a bit $b$. Setup phase: 1. Alice calls an OKD service, which, from an oblivious key $(k, (\bar k, x))$ of length $\ell$, sends $k$ to Alice and $\bar k, x$ to Bob.
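As an added illustration (not code from the paper), the following Python simulation shows how an oblivious key pair of the kind defined above is consumed to perform one 1-out-of-2 OT. Only step 1 of Fig. 2 survives in the extracted text, so the remaining steps are taken from the standard construction the paper says it builds on and are an assumption here: Bob labels the positions where $x_i = 0$ (the bits he knows) as $I_b$ and the rest as $I_{1-b}$; Alice hashes $k$ restricted to $I_0$ and $I_1$ with freshly sampled universal hash functions and one-time-pads $m_0, m_1$ with the results. The OKD service is replaced by a constructed sampler, and the universal family is instantiated as random GF(2) matrices, a choice the paper does not fix.

```python
import secrets

# Constructed stand-in for an ideal OKD service: Alice gets k, Bob gets (kbar, x)
# with kbar[i] == k[i] whenever x[i] == 0 and an independent random bit otherwise.
def ideal_okd(ell):
    k = [secrets.randbits(1) for _ in range(ell)]
    x = [secrets.randbits(1) for _ in range(ell)]
    kbar = [k[i] if x[i] == 0 else secrets.randbits(1) for i in range(ell)]
    return k, (kbar, x)

# Universal hash family onto {0,1}^r, instantiated (assumption) as random
# r x n binary matrices: f_M(v) = M v over GF(2).
def sample_hash(r, n):
    return [[secrets.randbits(1) for _ in range(n)] for _ in range(r)]

def apply_hash(matrix, bits):
    return [sum(m * v for m, v in zip(row, bits)) % 2 for row in matrix]

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def receiver_partition(x, b):
    """Bob: the positions he knows (x_i == 0) become I_b, the unknown ones I_{1-b}.
    Both sets are trimmed to equal size so the same hash family applies to each;
    since x is uniformly random, (I_0, I_1) reveals nothing about b to Alice."""
    known = [i for i, xi in enumerate(x) if xi == 0]
    unknown = [i for i, xi in enumerate(x) if xi == 1]
    n = min(len(known), len(unknown))
    known, unknown = known[:n], unknown[:n]
    return (known, unknown) if b == 0 else (unknown, known)

def sender_encrypt(k, m0, m1, I0, I1, r):
    """Alice: derive two r-bit pads from k restricted to I_0 and I_1 and send
    the hash descriptions together with the padded messages."""
    if len(I0) != len(I1) or len(I0) < r:
        raise ValueError("index sets must be equal-sized and hold at least r bits")
    f0, f1 = sample_hash(r, len(I0)), sample_hash(r, len(I1))
    c0 = xor(m0, apply_hash(f0, [k[i] for i in I0]))
    c1 = xor(m1, apply_hash(f1, [k[i] for i in I1]))
    return (f0, c0), (f1, c1)

def receiver_decrypt(kbar, I_b, f_b, c_b):
    """Bob: on I_b his kbar agrees with k, so the pad for m_b is recomputable;
    on I_{1-b} his bits are independent of k, so c_{1-b} stays one-time padded."""
    return xor(c_b, apply_hash(f_b, [kbar[i] for i in I_b]))

def run_ot(ell, r, m0, m1, b):
    """One full pi_OK->OT instance; returns what Bob learns."""
    k, (kbar, x) = ideal_okd(ell)
    I0, I1 = receiver_partition(x, b)
    (f0, c0), (f1, c1) = sender_encrypt(k, m0, m1, I0, I1, r)
    I_b, f_b, c_b = (I0, f0, c0) if b == 0 else (I1, f1, c1)
    return receiver_decrypt(kbar, I_b, f_b, c_b)

if __name__ == "__main__":
    m0, m1 = [1, 0] * 16, [0, 1] * 16          # constructed 32-bit messages
    print(run_ot(256, 32, m0, m1, 1) == m1)     # Bob with b = 1 recovers m_1
```

The simulation makes the two failure conditions of the definition visible: Bob can only rebuild the pad on the index set where his $\bar k$ agrees with $k$, and Alice only ever sees two random-looking index sets, never which one Bob labelled $I_b$.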

Oblivious key distribution protocol
In this section, we describe how to share an oblivious key pair by exchanging qubits. The protocol in Fig. 3 is based on the standard randomized quantum oblivious transfer protocol [32], with the difference that it uses hash functions as a resource to implement commitments and outputs an oblivious key instead. The two logical qubit states $|0\rangle$ and $|1\rangle$ represent the computational basis, and the states $|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$, $|-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$ represent the Hadamard basis. We also define the states $|(s_i, b_i)\rangle$ for $s_i, b_i \in \{0, 1\}$ according to the following rule: Note that these states can be physically instantiated using, for instance, a polarization-encoding fiber optic quantum communication system, provided that a fast polarization encoding/decoding process and an algorithm to control random polarization drifts in optical fibers are available [33].
Intuitively, this protocol works because the computational and the Hadamard bases are conjugate. Performing a measurement in the preparation basis of a state, given by $b_i$, yields a deterministic outcome, whereas measuring in the conjugate basis, given by $\bar b_i$, results in a completely random outcome. By preparing and measuring in random bases, as shown in steps 1 and 2, approximately half of the measurement outcomes will be equal to the prepared states, and the other half will have no correlation with them. As Alice sends the information of the preparation bases to Bob, he gets to know which of his bits are correlated with Alice's. Steps 3 to 6 instantiate a commit/open subprotocol $\pi_{COM}^H$ (see [34]) that spends part of the shared bits to ensure that Bob measures all qubits as intended and that the resulting strings have the desired properties.
The test described in step 6) of $\pi_{OKD}$ checks whether the outcomes of Bob's measurements always coincide with Alice's generated states whenever the measurement and generation bases are the same. In real implementations of the protocol one should consider imperfect sources, noisy channels, and measurement errors. Thus, in this step Alice should perform parameter estimation on the statistics of the measurements. Following this, Alice and Bob perform the standard post-processing techniques of information reconciliation and privacy amplification before continuing to step 7). For the former, LDPC codes or the cascade algorithm can be used, and the latter can be done with universal hashing.
Note that this protocol can be iterated several times and the concatenation of all the outputs results in a single larger oblivious key. This key can then be re-partitioned as needed for SMC purposes. Parties expecting to engage in multiparty computation can share these keys beforehand and spend them as needed to perform OTs with flexibility on the size of the strings.
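To make the conjugate-basis intuition and the commit/open test concrete, here is an added Python simulation of the noiseless protocol; it is not the paper's code, and since Fig. 3 is not reproduced in the text, the step numbering, the state rule $|(s_i, b_i)\rangle = H^{b_i}|s_i\rangle$ (so $b_i = 0$ selects the computational basis and $b_i = 1$ the Hadamard basis), and the use of one salted SHA-256 commitment per position are assumptions. Qubits are modelled as real amplitude vectors with Born-rule measurement, and a constructed dishonest Bob who commits to fabricated outcomes instead of measuring shows what the step 6 test catches. Parameter estimation, reconciliation and privacy amplification are omitted.

```python
import hashlib
import secrets

_rng = secrets.SystemRandom()
SQ = 2 ** -0.5
# Assumed state rule: |(s,b)> = H^b |s>. Index 0 = computational, 1 = Hadamard.
BASIS_VECTORS = {0: ([1.0, 0.0], [0.0, 1.0]),   # |0>, |1>
                 1: ([SQ, SQ], [SQ, -SQ])}      # |+>, |->

def prepare(s, b):
    """Alice's state |(s, b)> as a real amplitude vector."""
    return BASIS_VECTORS[b][s]

def measure(state, basis):
    """Projective measurement in `basis`; outcome 0 with probability |<v0|state>|^2.
    Same basis as preparation: deterministic. Conjugate basis: p0 = 1/2."""
    v0 = BASIS_VECTORS[basis][0]
    p0 = (v0[0] * state[0] + v0[1] * state[1]) ** 2
    return 0 if _rng.random() < p0 else 1

def commit_one(i, outcome, basis, salt):
    """Hash-based commitment to one (outcome, basis) pair; the random salt makes it hiding."""
    return hashlib.sha256(i.to_bytes(4, "big") + bytes([outcome, basis]) + salt).digest()

def okd(ell, test_fraction=0.25, bob_honest=True):
    """Run the simulated pi_OKD; returns (k, (kbar, x)) or None if Alice aborts."""
    # Step 1: Alice prepares |(s_i, b_i)> for random s, b.
    s = [secrets.randbits(1) for _ in range(ell)]
    b = [secrets.randbits(1) for _ in range(ell)]
    # Step 2: Bob measures every qubit in a random basis bbar_i.
    bbar = [secrets.randbits(1) for _ in range(ell)]
    out = [measure(prepare(s[i], b[i]), bbar[i]) for i in range(ell)]
    if not bob_honest:
        # Constructed misbehaviour: Bob commits to fabricated outcomes, as a Bob who
        # kept the qubits unmeasured (hoping to learn the bases first) would have to.
        out = [secrets.randbits(1) for _ in range(ell)]
    # Step 3: Bob commits position by position, so only tested positions get opened
    # and Alice never learns bbar (hence x) on the positions that form the key.
    salts = [secrets.token_bytes(16) for _ in range(ell)]
    commits = [commit_one(i, out[i], bbar[i], salts[i]) for i in range(ell)]
    # Step 4: Alice chooses a random test subset T.
    T = set(_rng.sample(range(ell), int(ell * test_fraction)))
    # Step 5: Bob opens the commitments on T.
    opened = {i: (out[i], bbar[i], salts[i]) for i in T}
    # Step 6: Alice verifies the openings and checks that whenever the bases coincide
    # Bob's outcome equals her prepared bit (noiseless model: any mismatch aborts).
    for i, (o, bb, salt) in opened.items():
        if commit_one(i, o, bb, salt) != commits[i]:
            return None
        if bb == b[i] and o != s[i]:
            return None
    # Step 7: Alice reveals her bases on the untested positions; Bob learns which of
    # his bits are correlated (x_i = 0) and the remaining bits form the key pair.
    rest = [i for i in range(ell) if i not in T]
    k = [s[i] for i in rest]
    kbar = [out[i] for i in rest]
    x = [0 if bbar[i] == b[i] else 1 for i in rest]
    return k, (kbar, x)

def is_oblivious_key_pair(k, kbar, x):
    """Defining property from the previous section: k_i == kbar_i wherever x_i == 0."""
    return len(k) == len(kbar) == len(x) and all(
        k[i] == kbar[i] for i in range(len(x)) if x[i] == 0)

if __name__ == "__main__":
    k, (kbar, x) = okd(200)
    print(len(k), "key bits,", x.count(0), "known to Bob,", is_oblivious_key_pair(k, kbar, x))
    print("cheating Bob detected:", okd(400, bob_honest=False) is None)
```

With a quarter of the positions spent on the test, roughly half of those have matching bases, and each such position exposes a fabricated outcome with probability 1/2, so a Bob who did not measure as instructed is caught except with probability about $(3/4)^{|T|}$; the untested positions are what become the oblivious key.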

Security
We analyze the composable security of the resulting OT obtained using $\pi_{OK \to OT}$ from an oblivious key produced by $\pi_{OKD}$. We refer to the composition of these two protocols as the Hybrid Oblivious Keys ($\pi_{HOK}$) protocol. Fig. 5 shows a diagram of the security relations between $\pi_{HOK}$, hash functions, and OT. Note that authenticated classical channels are assumed available during the protocol execution, which is a standard requirement for any protocol that realizes OT. The $\pi_{HOK}$ protocol is closely related to the standard Quantum OT protocol $\pi_{QOT}$, which is proven statistically secure in the quantum composability framework [32]. The difference between the two is that $\pi_{QOT}$ uses ideal commitments, as opposed to the hash-based commitments in $\pi_{HOK}$. In the context of the Random Oracle Model (ROM), the commitment subprotocol $\pi_{COM}^H$ is computationally secure and universally composable under the assumption that the hash function is cryptographic [34] (the outcome of the hash function is random: it cannot be predicted for each input, although if the same input is given to the hash function, it produces the same output). The ROM is acceptable in the quantum setting, as it has been shown that a quantum computer does not have any significant advantage in finding collisions when compared with a classical one [30]. This means that $\pi_{HOK}$ securely realizes OT against computationally bounded classical and quantum adversaries.
One point to note about the security of $\pi_{OKD}$ is that it is not susceptible to intercept-now-decrypt-later style attacks. This means that attacking the protocol by finding collisions of the hash function is only effective if it is done in real time, that is, between steps 3) and 5) of the protocol. This is in contrast to asymmetric-cryptography-based OT, in which Bob can obtain the whole key if he is able to overcome the computational security at a later time.

Efficiency
One of the major bottlenecks in using Yao's garbled circuits is the number of instances of OT required. A single Advanced Encryption Standard (AES) circuit can be obtained with on the order of $10^6$ instances of OT. However, with current solutions, i.e., with computational implementations of OT based on asymmetric classical cryptography, one can generate $\sim 10^3$ secure OTs per second on standard devices [35]. It is possible to use OT extension algorithms to increase this number up to rates of the order of $10^6$ OTs per second [2], which is still too slow for moderately complex applications, such as private data mining. Several of these techniques are based on symmetric cryptography primitives [35], such as hash functions, and could also be used to extend the OTs generated by $\pi_{HOK}$.
Due to the popularity of crypto-currencies, fast and efficient hashing machines have recently become more accessible. Dedicated hashing devices are able to compute SHA-256 at rates of $10^{12}$ hashes/s (see Bitfury, Ebit, and WhatsMiner, for example). In addition, existing standard Quantum Key Distribution (QKD) setups can be adapted to implement OKD, since both protocols share the same requirements for the generation and measurement of photons. Notably, QKD setups have already demonstrated secret key rates of the order of $10^6$ bits per second [36][37][38][39][40]. It is also worth mentioning that, as opposed to QKD, OKD is useful even in the case where Alice and Bob are in the same location. This is because in standard key distribution the parties trust each other and, if in the same location, they can just exchange hard drives with the shared key, whereas when sharing oblivious keys, the parties do not trust each other and need a protocol that enforces security. Thus, in the cases in which both parties being in the same location is not an inconvenience, the oblivious key rates can be raised further, as the effects of channel noise are minimized.
Direct comparisons of OT generation speed between asymmetric cryptography techniques and quantum techniques are difficult because the algorithms run on different hardware. Nevertheless, as quantum technologies keep improving, the size and cost of devices capable of implementing quantum protocols will decrease and their use can result in significant improvements in the efficiency of OTs in the short-to-medium term future.

Conclusions
Motivated by the usefulness of SMC as a privacy-protecting data mining tool, and identifying its OT cost as its main implementation challenge, we have proposed a potential solution for the practical implementation of OT as a subroutine of SMC. The scheme consists of pre-sharing an oblivious key pair and then using it to compute fast OT during the execution of the SMC protocol. We call this approach hybrid because it uses resources traditionally associated with classical symmetric cryptography (cryptographic hash functions), as well as quantum state communication and measurements on conjugate observables, resources associated with quantum cryptography. The scheme is secure as far as the chosen hash function is secure against quantum attacks. In addition, by comparing the state of current technology with the protocol requirements, we concluded that it has the potential to surpass current asymmetric-cryptography-based techniques. Future work includes designing an experimental setup, meeting the implementation challenges, and experimentally testing the speed, correctness, and security of the resulting oblivious key pairs. This includes computing oblivious key rate bounds for realistic scenarios and comparing them with current alternative technologies.

Figure 5: Analysis of the composable security of OTs obtained using the Hybrid Oblivious Keys protocol $\pi_{HOK}$ (diagram relating $\pi_{HOK}$, $\pi_{QOT}$, $\pi_{OK \to OT}$, $\pi_{OKD}$ and $\pi_{COM}^H$ to String Commitment and Oblivious Transfer, with the labels "UC-secure in the quantum framework", "Equivalent up to the security of the hash function" and "Computationally secure"). The OTs are implemented with pre-computed Oblivious Keys that are distributed using the Oblivious Key Distribution protocol $\pi_{OKD}$. The security of $\pi_{OKD}$ is equivalent to the security of the hash functions, which have been shown to be secure against computationally bounded classical and quantum adversaries.