UNIVERSIDADE DE LISBOA INSTITUTO SUPERIOR TÉCNICO Quantum Oblivious Transfer João Paulo do Amaral de Jesus Rodrigues Advisor: Doctor Paulo Alexandre Carreira Mateus Co-Advisor: Doctor Nikola Paunković Thesis specifically prepared to obtain the PhD Degree in Information Security Draft December 2015

Quantum Oblivious Transfer

Abstract

Distributed computation has been growing throughout recent years due to the ease of communication between different devices and the growth of computational power.

On the other hand, there has always been the need for separate entities to share critical information with some designated party in order to calculate the market price for goods, voting, auctions, and so on.

Nowadays, all these functionalities are carried out by entrusting critical data to a trusted third party (TTP). By the nature of those data, any leakage could be harmful for some of the entities.

Secure Multiparty Computation (SMC) emerges in this context, where multiple entities wish to jointly process their data without entrusting critical data to a TTP.

A well-established result is that SMC can be implemented using oblivious transfer protocols (see, for example, [50]). As a drawback, the security of these protocols, as well as of almost all key exchange and asymmetric encryption schemes, relies on the computational hardness of some mathematical problem. Quantum computers, for now only at the theoretical level, are a serious threat to all of the aforementioned cryptographic systems.

Quantum systems are a threat to classical cryptographic systems, but they are also a solution when it comes to key exchange protocols. Bennett and Brassard proposed the first quantum key exchange protocol, which was proven unconditionally secure at the theoretical level. Ever since then, more proposals began to appear and some were proven to be unconditionally secure. The security of these protocols is based on the laws of physics.

This thesis is dedicated to the proposal and the study of oblivious transfer protocols based on quantum mechanics. We will present a bit-string oblivious transfer protocol based on single-qubit rotations, a bit oblivious transfer with discrete-time quantum random walks and two bit-string oblivious transfer protocols based on coherent quantum states, and discuss their security under practical assumptions.

Keywords: Oblivious Transfer, Perfect Secrecy, Quantum Walks, Qubits, Coherent States.

Quantum Oblivious Transfer

João Paulo do Amaral de Jesus Rodrigues

PhD in Information Security

Advisor: Doctor Paulo Alexandre Carreira Mateus

Co-Advisor: Doctor Nikola Paunković

Summary

Distributed computing has been gaining more and more ground owing to the increasing ease of communication between devices and to advances in the capacity to process large amounts of data. Secure Multiparty Computation (SMC) emerges in a context where one wants to process data from multiple entities while the privacy of those data has to be maintained. SMC enables private data mining, electronic voting, electronic auctions, and other secure functionalities.

Currently, all these functionalities are carried out by resorting to a trusted third party (TTP), which ideally preserves the privacy of each entity's data. But the information has to be accessed by the TTP. SMC makes it possible to fulfil the role of the TTP without that sharing of data.

A well-established result is that SMC can be achieved by means of the oblivious transfer protocol between two participants (see, for example, [50]). However, the security of these protocols, as well as that of key distribution and public-key systems, reduces to solving computational problems that are intractable in practical time. Quantum computers, although only in theory, constitute a threat to these problems.

On the other hand, perfect security of key distribution protocols can be achieved using quantum technologies. The security is based on the laws of physics, and several key distribution proposals are currently being studied. Commercially, there are already solutions based on the BB84 protocol proposed by Bennett and Brassard, the first protocol shown to be, theoretically, unconditionally secure.

This thesis is dedicated to the study of quantum properties for the implementation of oblivious transfer protocols. We will present a protocol for the oblivious transfer of a message based on rotations of qubits, one for the oblivious transfer of a bit with a discrete quantum random walk, and two protocols for the oblivious transfer of messages using coherent quantum states, whose security is based on the laws of physics.

Keywords: Oblivious Transfer, Perfect Security, Quantum Random Walk, Qubits, Coherent States.

Acknowledgements

Firstly, I would like to thank my advisor Prof. Paulo Mateus and co-advisor Prof. Nikola Paunković for the opportunity to work in such a multidisciplinary and stimulating area as quantum cryptography. I would like to express my gratitude for their support and guidance.

I would also like to thank Dr. André Souto for his support and useful discussions.

I would also like to thank Dr. Jeroen van de Graaf, who provided me an opportunity to join his team and for his support.

I thank my office colleagues for all the support and funny coffee breaks, and challenging lunch times.

Also, my gratitude goes to Prof. Armando Pinto and Nuno Nuno Silva for the opportunity to work in the laboratory of optics at Aveiro while finishing the thesis.

I would like to thank my family: my father and my brothers for all the support they gave me, especially through the difficult times.

A special thanks goes to my mother, who is no longer with us.

I have been partly supported by the institute Instituto de Telecomunicações with the grants PDTC/EIA/67661/2006QSec, (P385) and UID/EEA/50008/2013 Refa615/2015.

I have also been partly supported by the Portuguese Science Foundation (FCT) grant SFRH/BD/75085/2010.

Contents

List of Figures
1 Introduction
1.1 The need for Quantum Cryptography
1.2 Contributions
2 Oblivious Transfer using Single Qubit Rotations
2.1 Introduction
2.2 Preliminaries
2.3 Results
2.4 Methods
2.4.1 Soundness of the protocol
2.4.2 Concealingness of the protocol
2.4.3 Probabilistic transfer of the protocol
2.4.4 Obliviousness of the protocol
2.5 Discussion
3 Discrete-Time Quantum Walks
3.1 Introduction
3.2 Discrete-time quantum walks
3.2.1 Quantum walks with specific boundary conditions and topologies
3.2.2 Noise and decoherence: broken links and different coins
3.3 Quantities computed by the simulator
3.4 The simulator at work
3.4.1 A particle on a square lattice
3.4.2 Two particles on a line
3.4.3 A particle on a line
3.4.4 Example: Anderson localization
3.4.5 Example: Static Broken Links
3.5 Oblivious transfer with Quantum Walks
3.6 Conclusions
4 Oblivious Transfer with Continuous Variables
4.1 Introduction
4.2 Quantum optics
4.2.1 Coherent states
4.2.2 Squeezed state
4.3 QKD with coherent light
4.4 Basic results
4.5 Semi-honest $\binom{2}{1}$-OT with coherent states
4.5.1 Setting up two simultaneous binary noisy channels
4.5.2 The protocol
4.6 Gaussian Sources and Gaussian Noise
4.6.1 Setting up two simultaneous Gaussian channels
4.6.2 CV-$\binom{2}{1}$-OT$(m_0, m_1)$ with Gaussian modulation
4.7 Conclusions
5 Future Work
Bibliography

List of Figures

1.1 Classical reductions between cryptographic primitives. The green arrows represent straightforward reductions; the orange ones are non-trivial reductions; the red one is the impossible implication.

2.1 Schematic description of the transferring phase of our oblivious transfer protocol for messages of length $k$. The full arrows represent the actual states of qubits, while the dashed arrows in the last two lines (encryption of a message) represent $|0_i\rangle$ states.

2.2 The optimal discrimination between the bit value 0, encoded in quantum state $\rho_0(s_i) = \frac{1}{2}\left(|0(s_i)\rangle_{+}\langle 0(s_i)| + |0(s_i)\rangle_{-}\langle 0(s_i)|\right)$, and the bit value 1, $\rho_1(s_i) = \frac{1}{2}\left(|1(s_i)\rangle_{+}\langle 1(s_i)| + |1(s_i)\rangle_{-}\langle 1(s_i)|\right)$. The optimal observable is given by the vectors from the computational basis, $|0\rangle$ for inferring the bit value 0, and $|1\rangle$ for inferring the bit value 1. Note that $\varphi_i = s_i\theta_n/2$.

3.1 Relation between the representations of quantum walks of one particle on a lattice and two particles on a line.

3.2 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.3 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.4 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.5 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.6 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.7 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.8 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.9 Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.10 Evolution of one particle on a line of length 201, for 10000 steps with absorbing boundary.

3.11 Evolution of one particle on a line of length 201, for 10000 steps with absorbing boundary.

3.12 Probability distribution (a) and average probability distribution (b) of the particle position for one-particle quantum walk on a line with reflecting boundary conditions at nodes ±4000 after 107 steps. The initial state is $|\psi(0)\rangle = |0\rangle|L\rangle$, and the random coin parameters are set within the interval $\theta, \zeta, \xi \in \left[\frac{\pi}{4}-\frac{\pi}{8}, \frac{\pi}{4}+\frac{\pi}{8}\right]$.

3.13 Position probability distribution of one particle on the lattice with dimension 61 × 61 × 61, for 100 steps.

3.14 Position probability distribution of one particle on the lattice of dimension 61 × 61, for 100 steps with different random coin factors and random broken link factors.

3.15 Position probability distribution of particle on the lattice of dimension 61 × 61, for 100 steps with same both broken link and random coin factors.

3.16 Probability distribution (a) and average probability distribution (b) of the particle position for one-particle quantum walk on the open line after 4000 steps. The initial state is $|\psi(0)\rangle = |0\rangle|R\rangle$, the probability that at each step a link will be broken (index broken link) is 0.3 and the random coin parameters are set within the interval $\theta, \zeta, \xi \in \left[\frac{\pi}{4}-\frac{\pi}{8}, \frac{\pi}{4}+\frac{\pi}{8}\right]$.

3.17 Probability distribution (a) and average probability distribution (b) of the particles positions for two-particle quantum walk on open lines after 100 steps. The initial state is $|\psi(0)\rangle = |0, 0\rangle|RR\rangle$, for the first walker the random coin parameters are set within the interval $\theta, \zeta, \xi \in \left[\frac{\pi}{4}-\frac{\pi}{8}, \frac{\pi}{4}+\frac{\pi}{8}\right]$, while for the second walker the fixed coin is given by the Hadamard operator and the index broken link is 0.3.

3.18 Probability distribution (a) and average probability distribution (b) of particle position for one-particle quantum walk on a lattice with reflecting boundary conditions at $x, y = \pm 45$ after 1000 steps. The initial state is $|\psi(0)\rangle = \frac{1}{2}\left(|-30,-30\rangle(|E\rangle + i|N\rangle) + |30, 30\rangle(|W\rangle + i|S\rangle)\right)$, with the fixed coin given by the Hadamard operator. The static broken links are set between positions $(-15, y)$ & $(-14, y)$ and $(14, y)$ & $(15, y)$, for $y \in \{-45, \dots, 45\}\setminus\{-30, 0, 30\}$, and positions $(x,-15)$ & $(x,-14)$ and $(x, 14)$ & $(x, 15)$, for $x \in \{-45, \dots, 45\}\setminus\{-30, 0, 30\}$. Note that the entire grid is divided into 9 equally-sized loosely connected squares, and the initial state of the walker is a linear superposition of two distant positions (and the corresponding coin states) located in different squares.

3.19 Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |-10\rangle|R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle|R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $K = 500$ steps.

3.20 Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |-10\rangle|R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle|R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 750$ steps.

3.21 Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |-10\rangle|R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle|R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 1000$ steps.

3.22 Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |-10\rangle|R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle|R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 1500$ steps.

4.1 Modulation of the signal.

Chapter 1

Introduction

Cryptography begins as the art of covering messages from undesirable readers.

The first cryptographic primitive used in history belongs to a class called private key encryption schemes. These schemes provide a means for secret communication between two parties. These parties must share a common piece of information called the secret key. The sending party uses the secret key to encrypt the original message, and the receiving party uses the same key to decrypt the encrypted message. The main caveat of this cryptographic primitive is that it assumes that the two parties share a secret key.

To overcome this problem, Whitfield Diffie and Martin Hellman developed a key exchange protocol [1]. This protocol provides the means for two parties to exchange a secret key without prior common information. Later on, Ron Rivest, Adi Shamir and Leonard Adleman devised a protocol named RSA [2]. In this protocol, a party (the receiver) creates two keys, a private key known only by the sender, and a public key, which is publicly revealed. In this way any party can encrypt a message, but only the receiver can decrypt it. This protocol opened the door to the so-called public-key encryption schemes. Moreover, it was soon realized that public-key protocols could be used for authentication purposes.

Needless to say, any cryptographic system must be secure by some defined criteria.

Intuitively, perfect secrecy means that, upon interception of a ciphertext, the chance that an interceptor retrieves the original message is equal to that of guessing it. The Vernam cipher, or one-time pad, was proven by Shannon to be the only cryptographic system with perfect secrecy [3]. Although this cipher system is perfectly secret, the key has to be of the same size as the plaintext, and can be used only once. For these two reasons, a looser sense of security is introduced.

Practical considerations like reusability of the key and the possibility of using shorter keys, in comparison to the plaintext, paved the way for the definition of computational security. A cryptographic system is computationally secure if an adversary is able to correctly decipher the message in an efficient amount of time only with negligible probability.

In practice, the security of cryptographic systems is usually reduced to cryptographic assumptions. These assumptions are problems believed to be hard to solve efficiently. The most common ones are: integer factorization, the RSA problem, the higher residuosity problem, the computational Diffie-Hellman assumption and the decisional Diffie-Hellman assumption [4].

On the other hand, distributed computing was developed to cope with more and more demanding services, such as cloud data storage, and so on. In some cases a paramount demand is to ensure information privacy, while maintaining data processing capabilities. These cases comprise business data and homeland security, to name just a few. In this context, Secure Multiparty Computation, SMC, emerges to provide secure distributed computing tasks. SMC is built upon oblivious transfer, coin-tossing, zero-knowledge and bit-commitment protocols. The most commonly cited uses of SMC are electronic voting, electronic auctions, electronic cash schemes, contract signing, anonymous transactions and private information retrieval schemes.

To elucidate how SMC can help build secure protocols for the above examples, let us focus on an auction market. In this type of auction, sellers must announce the lowest price of their goods and buyers must announce the highest price they are willing to pay. Each party must send their bids to the auctioneer who, in turn, computes the market price, that is, the balanced value between demand and supply. Bids must be sent in a secure way to the auctioneer, and the latter must keep the data secret from any bidder. Moreover, he must compute a function which will yield the market price, and communicate it to all bidders.

In SMC, a party that collects all the data from the users and computes a function, keeping the input data secret, is called an ideal Trusted Third Party (TTP). All the above examples can be described by resorting to a TTP. However, secrecy of the input data is kept solely through confidentiality contracts. In this context, an SMC protocol is secure if and only if it behaves as the ideal TTP.

Motivation for studying Oblivious Transfer, OT, can be found in Yao's work [5, 6], where he showed that oblivious transfer is sufficient for building SMC (for a detailed explanation the reader should see [7]).

OT can be seen as a game played by two parties, Alice and Bob. Alice has many secrets that she wishes to share with Bob in such a way that at the end, on average, Bob learns half of those secrets and Alice does not know which secrets Bob really knows. Each instance of this protocol, used to reveal Alice's secret in half of the cases, is the Oblivious Transfer Protocol.

OT consists of two distinct phases: (i) the transferring phase, during which Alice sends an encoded secret information to Bob; (ii) the opening phase, during which Alice reveals enough information so that Bob can decode the secret with probability 1/2. Note that Bob knows if he got the message or not.

OT is said to be secure if the following properties hold: (i) the protocol is concealing, i.e., before the opening phase, Bob is not able to learn the message sent by Alice, while after the opening phase Bob learns the message with probability 1/2; (ii) the protocol is oblivious, i.e., after the opening phase, Alice remains oblivious to whether or not Bob got the message.

Rabin was the first to formally present an oblivious transfer protocol, in 1981 [8]. The security of Rabin's OT relies on the fact that factoring large integers is not known to be possible in polynomial time. Later, Even, Goldreich and Lempel presented a variation of this scheme called 1-out-of-2 oblivious transfer, $\binom{2}{1}$-OT [102]. The difference from Rabin's OT is that Alice sends two messages and Bob gets only one of the two with equal probability (again, Alice does not know which message Bob decoded).

$\binom{2}{1}$-OT also consists of two phases: (i) the transferring phase, during which Alice sends two encoded secret messages to Bob; (ii) the opening phase, during which Alice reveals enough information so that Bob can decode the secret of one of the messages. In this case, Bob chooses which message to decode.

$\binom{2}{1}$-OT is said to be secure if the following properties hold: (i) the protocol is concealing, i.e., before the opening phase, Bob is not able to learn any of the messages sent by Alice, while after the opening phase Bob learns only one of them of his choosing; (ii) the protocol is oblivious, i.e., after the opening phase, Alice remains oblivious to which message Bob chose.
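
Rabin's factoring-based OT mentioned above can be made concrete in its textbook form; the following is an added example, not code from the thesis. The secret is the factorization of $n$, Bob sends the square of a random $x$, and Alice's reply lets him factor $n$ for exactly two of her four possible answers, while she never sees $x$. The toy primes and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy modulus. Both primes are 3 mod 4, which makes square roots
# cheap for the party that knows them; real parameters would be far larger.
P, Q = 10007, 10039
N = P * Q


def square_roots(c, p, q):
    """All four square roots of a quadratic residue c modulo n = p*q."""
    n = p * q
    root_p = pow(c, (p + 1) // 4, p)      # valid because p % 4 == 3
    root_q = pow(c, (q + 1) // 4, q)      # valid because q % 4 == 3
    lift_p = q * pow(q, -1, p)            # CRT weight: 1 mod p, 0 mod q
    lift_q = p * pow(p, -1, q)            # CRT weight: 0 mod p, 1 mod q
    return sorted({(sp * root_p * lift_p + sq * root_q * lift_q) % n
                   for sp in (1, -1) for sq in (1, -1)})


def bob_challenge(n, rng):
    """Bob picks a secret x coprime to n and sends only c = x^2 mod n."""
    while True:
        x = rng.randrange(2, n - 1)
        if math.gcd(x, n) == 1:
            return x, pow(x, 2, n)


def alice_reply(c, p, q, rng):
    """Alice returns one square root of c, chosen uniformly from the four."""
    return rng.choice(square_roots(c, p, q))


def bob_finish(x, y, n):
    """Return the factors of n if the reply was useful, otherwise None."""
    if y in (x, n - x):                   # y = +-x: Bob learns nothing new
        return None
    g = math.gcd(x - y, n)                # y^2 = x^2 but y != +-x, so g is p or q
    return tuple(sorted((g, n // g)))


def outcomes_for(x, p, q):
    """What Bob would obtain for each of Alice's four possible replies."""
    n = p * q
    return [bob_finish(x, y, n) for y in square_roots(pow(x, 2, n), p, q)]


def success_rate(runs, rng=None):
    """Fraction of complete protocol runs in which Bob obtains the secret."""
    rng = rng or secrets.SystemRandom()
    wins = 0
    for _ in range(runs):
        x, c = bob_challenge(N, rng)
        wins += bob_finish(x, alice_reply(c, P, Q, rng), N) is not None
    return wins / runs


if __name__ == "__main__":
    print(outcomes_for(1234, P, Q))       # two None entries, two factorizations
    print(success_rate(2000))             # close to 0.5
```

Alice only ever sees $c$, which is equally consistent with all four roots, so she cannot tell whether her reply matched $\pm x$; that is the obliviousness property, and it rests on Bob being unable to factor $n$ on his own.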

Crépeau showed that when the messages are single bits, the two flavors of oblivious transfer protocols are equivalent, in the sense that one can be built out of the other and vice versa [10]. Furthermore, one can build a 1-out-of-2 oblivious transfer protocol that transmits bit-string messages from a 1-out-of-2 oblivious transfer protocol for single bits [11, 12, 13].
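
One direction of this equivalence, building 1-out-of-2 OT for single bits from Rabin-style OT, is sketched below as an added example (not code from the thesis) following the standard description of Crépeau's reduction. Rabin OT is idealised here as an erasure channel used as a black box, and the function names, the parameter `s` and the optional `arrived` pattern are assumptions made for illustration.

```python
import random
from functools import reduce
from operator import xor


def rabin_channel(bits, rng):
    """Idealised Rabin OT (assumption): each bit arrives with probability 1/2,
    otherwise Bob sees None; Alice never learns which ones arrived."""
    return [b if rng.random() < 0.5 else None for b in bits]


def bob_choose_sets(received, choice, s, rng):
    """Bob builds two disjoint index sets of size s. The set at position
    `choice` holds only pads he received; the other is filled with erased
    positions first. Returns None (abort) if too few pads arrived."""
    known = [i for i, r in enumerate(received) if r is not None]
    erased = [i for i, r in enumerate(received) if r is None]
    if len(known) < s:
        return None
    rng.shuffle(known)
    rng.shuffle(erased)
    sets = [None, None]
    sets[choice] = sorted(known[:s])
    sets[1 - choice] = sorted((erased + known[s:])[:s])
    return sets


def pad_of(values, indices):
    """XOR of the selected pad bits."""
    return reduce(xor, (values[i] for i in indices), 0)


def alice_mask(b0, b1, pads, sets):
    """Alice hides each message bit under the XOR of the pads in one set."""
    return b0 ^ pad_of(pads, sets[0]), b1 ^ pad_of(pads, sets[1])


def one_of_two_ot(b0, b1, choice, s, rng, arrived=None):
    """Run the reduction with 3*s Rabin transfers.

    `arrived` optionally fixes the erasure pattern (for reproducible runs).
    Returns (bob_output, sets, received), or None if Bob has to abort.
    """
    pads = [rng.getrandbits(1) for _ in range(3 * s)]
    if arrived is None:
        received = rabin_channel(pads, rng)
    else:
        received = [p if ok else None for p, ok in zip(pads, arrived)]
    sets = bob_choose_sets(received, choice, s, rng)   # sent to Alice
    if sets is None:
        return None
    masked = alice_mask(b0, b1, pads, sets)            # sent back to Bob
    output = masked[choice] ^ pad_of(received, sets[choice])
    return output, sets, received


def hidden_positions(sets, received, choice):
    """Number of pads in the other set that Bob never received; one is enough
    to make the other masked bit uniformly random from his point of view."""
    return sum(received[i] is None for i in sets[1 - choice])


if __name__ == "__main__":
    result = one_of_two_ot(1, 0, 0, 16, random.Random())
    print("aborted" if result is None else result[0])
```

Bob would need to know the pads of both sets, that is 2s of the 3s transfers, to recover both bits, which happens only with small probability when each transfer arrives with probability 1/2; Alice sees two index sets with the same distribution whichever one Bob actually knows.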

Another cryptographic primitive worth mentioning (but not detailed, as it is not within the scope of this thesis) is bit-commitment [14], due to its intimate link to oblivious transfer protocols throughout the literature. Although it is not possible to construct an OT protocol out of a bit-commitment [15], it was shown that bit-commitment can be reduced to a 1-out-of-2 single-bit oblivious transfer protocol [16]. In Figure 1.1 we schematically present the classical reductions between the above discussed cryptographic primitives.

Figure 1.1: Classical reductions between cryptographic primitives. The green arrows represent straightforward reductions; the orange ones are non-trivial reductions; the red one is the impossible implication.

1.1 The need for Quantum Cryptography

Quantum computers, on a theoretical level, were shown to play a major role in cryptography when Peter Shor, by exploiting quantum superpositions, presented an algorithm that solves the large-number factorization problem efficiently [17]. Shor's factoring algorithm was further adapted to solve the discrete logarithm problem as well [18]. The ability of quantum algorithms to break the security of cryptographic protocols based on computational hardness assumptions has led researchers to shift their attention to designing quantum-computing-resilient protocols. Moreover, quantum cryptography gained more attention as well.

The objective of quantum cryptography is to enable practical cryptographic primitives, and to prove perfect security from the laws of physics. There are three features of quantum mechanics exploited in a variety of quantum cryptographic protocols. They are the measurement, the no-cloning theorem and the entanglement between quantum systems:

• General quantum measurements disturb the state one wishes to measure in a non-linear and probabilistic fashion.

• No-cloning theorem: it is impossible to make perfect copies of an unknown quantum state.

• Using quantum entangled states, it is possible for two parties to obtain correlated classical values (after measurement) that were never pre-established, unparalleled by classical correlations.

Wiesner launched the field of quantum cryptography in 1969 by presenting notions such as quantum money and quantum multiplexing (and only managed to publish his results in 1983 [19]), the latter being essentially a quantum counterpart of a 1-out-of-2 oblivious transfer protocol.

The development of cryptographic applications resilient to quantum adversaries has been extensively studied in the last decades. The best known application of quantum mechanics in cryptography is the quantum key exchange. Bennett and Brassard presented the famous BB84 quantum key distribution protocol [20], which was subsequently shown to be unconditionally secure [21, 22, 23, 24], while its classical counterparts are only computationally secure.

Several quantum bit-commitment protocols were designed and claimed/believed to be unconditionally secure until Lo and Chau [25], and Mayers [26], independently showed that unconditionally secure quantum bit-commitment protocols were impossible [27]. Subsequently, Lo [28] proved a similar no-go theorem for all “one-sided two-party computation” protocols. An immediate consequence of this result is the impossibility of having unconditionally secure 1-out-of-2 oblivious transfer.

Moreover, due to the equivalence between the two flavors of oblivious transfer [10], one might conclude that the impossibility of having unconditionally secure 1-out-of-2 oblivious transfer would imply the same for oblivious transfer as well.

But the rules of quantum physics present a wider range of possibilities, thus compromising classical reduction schemes. Namely, since to build the 1-out-of-2 oblivious transfer one has to run several oblivious transfer protocols as black boxes, the possibility of the so-called coherent attacks (joint quantum measurements on several black boxes) arises. Thus, having an unconditionally secure quantum oblivious transfer protocol does not necessarily mean that it is possible to construct an unconditionally secure 1-out-of-2 oblivious transfer. Indeed, He and Wang recently showed that in the quantum domain the various types of oblivious transfer are no longer equivalent [29] and constructed an unconditionally secure quantum single-bit oblivious transfer [30] using entanglement. Consequently, classical reductions of bit-string to single-bit protocols are also compromised in the quantum setting and need to be re-examined. The recent construction of an unconditionally secure quantum bit-string commitment protocol [31], despite the above-mentioned no-go theorems for single-bit commitment [25, 26], is yet another example of the invalidity of classical reductions (see also a quantum bit-string generation protocol [32]). Therefore, a need arises to explicitly construct a quantum bit-string oblivious transfer protocol which is not based on the classical reductions mentioned above [10, 11, 12, 13].

Nonetheless, unconditionally secure protocols that use relativistic effects are possible [33, 39, 40]. Another alternative, ensuring practical security of such protocols, is to consider noisy or bounded memories [33, 34, 35, 36, 41, 42]. Recently, a (quantum) computationally secure version of an oblivious transfer protocol was presented in [52].

1.2 Contributions

The main focus of this thesis is the implementation of Oblivious Transfer protocols exploring three conceptually different quantum systems without violating Lo's no-go theorem, which prevents the unconditional security of 1-out-of-2 oblivious transfer.

In Chapter 2, we present a bit-string quantum oblivious transfer protocol based on single-qubit rotations.

In Chapter 3, OT with discrete-time quantum walks, DTQW, is briefly presented. Due to the complexity of the analysis of DTQW statistical properties, a simulator, called qwsim, was developed. After a description of DTQW and the simulator, an OT protocol construction based on DTQW is proposed and an informal security analysis is presented.

In Chapter 4, coherent Gaussian states with continuous variables are examined in the context of $\binom{2}{1}$-OT.

Chapter 2

Oblivious Transfer using Single Qubit Rotations

2.1 Introduction

In this Chapter we present a quantum oblivious transfer protocol for bit-strings, based on the recently proposed public-key cryptosystem [53]. Each bit of the string to be transferred is encoded in a quantum state of a qubit, in such a way that states corresponding to bit values 0 and 1 form an orthonormal basis. The key point of the protocol is that for each qubit, the encoding basis is chosen at random, from some discrete set of bases.

The next section provides a brief survey of quantum information, including basic definitions and important results necessary for understanding our proposal.

Section 2.3 describes our proposal for a bit-string oblivious transfer protocol. The analysis of its correctness and security is presented in Section 2.4.

Finally, we summarize the results and discuss future directions of research.

2.2 Preliminaries

In this Section, we provide notation, necessary definitions and results for defining and

reasoning about the security of our proposal.

23

For a complete study of quantum information we suggest the reading of [62]. Here, we

present some relevant notions. According to the postulates of quantum mechanics, the state

of a closed quantum system is represented by a unit vector from a complex Hilbert space H,

and its evolution is described by a unitary transformation on H. In this chapter we work

only with finite-dimensional Hilbert spaces reflecting the realistic examples of systems with
a finite number of degrees of freedom (strings of quantum bits, i.e. qubits).

Contrary to the classical case where a bit can only have values 0 or 1, in the quantum case a

qubit can be in a unit superposition of 0 or 1, denoted by α |0〉+β |1〉, with complex coefficients

α and β, such that $|\alpha|^2 + |\beta|^2 = 1$. The Dirac notation |0〉 and |1〉 denotes vectors forming an
orthonormal basis of a 2-dimensional complex vector space. Note that we can define many
orthonormal bases for that space, such as $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$, but it
is common to distinguish the basis {|0〉, |1〉} from all the others, and call it the computational
basis.

The state of two qubits is from the tensor product of single-qubit spaces, that is,

|ψ〉 = α |00〉+ β |01〉+ γ |10〉+ δ |11〉 ,

with $|\alpha|^2 + |\beta|^2 + |\gamma|^2 + |\delta|^2 = 1$. The state |ψ〉 is said to be separable if

|ψ〉 = (α |0〉+ β |1〉)⊗ (α′ |0〉+ β′ |1〉) = αα′ |00〉+ αβ′ |01〉+ α′β |10〉+ ββ′ |11〉 .

Otherwise, it is called entangled. Although entangled states are particularly important in

quantum information, in this chapter we only work with separable states. Note that a

system with k qubits can be described by a unit vector over a space with dimension $2^k$.

One of the most important results of quantum information states that the maximal classical
information that can be stored in a qubit is the same as that contained in a bit. This

means that we cannot extract more than a bit of classical information from a qubit, although

there is potentially an infinite number of states available to encode in a qubit. The reason

for this is that it is impossible to obtain coefficients α and β from a single qubit in a state

|ψ〉 = α |0〉 + β |1〉 (the no-cloning theorem [43]). Indeed, what is possible is to perform

a measurement given by an orthogonal decomposition of the Hilbert space $H = \bigoplus_{i=1}^{d} H_i$,
with $P_i$ being the projectors onto $H_i$. Then, upon performing such a measurement on a
qubit in state |ψ〉 ∈ H, there are d possible outcomes {1, . . . , d}, where the probability of
observing i ∈ {1, . . . , d} is given by $\|P_i|\psi\rangle\|$, and then the state evolves to $P_i|\psi\rangle / \|P_i|\psi\rangle\|$.

For instance, the outcome of a measurement of a qubit can only take two possible values.

To understand the protocol we need to consider a function that is easy to compute, but,

without the help of a secret trapdoor, it is impossible to invert with non-negligible probability

according to the laws of quantum physics. One candidate for such a function was proposed

in [53], which uses single-qubit rotations and is given by

$$f(s) = R(s\theta_n)|0\rangle = \cos(s\theta_n/2)|0\rangle + \sin(s\theta_n/2)|1\rangle$$

where {|0〉, |1〉} is a fixed computational basis and, for some fixed n, $s \in \{0, \dots, 2^n - 1\}$ and
$\theta_n = \pi/2^{n-1}$. Moreover, f can be used to construct a quantum trapdoor function F (s, b),
where s is the trapdoor information for learning an unknown bit b [53]:

$$F(s, b) = R(b\pi) f(s) = R(b\pi) R(s\theta_n)|0\rangle = R(s\theta_n + b\pi)|0\rangle .$$

Note that inverting F (learning both s and b) is at least as hard as inverting f . In [53] it

was shown that every binary measurement that could be used to infer the unknown bit b would
yield a completely random value. Nevertheless, if s is known, by applying the rotation
$R(-s\theta_n)$ to F (s, b), and measuring the result in the computational basis, one obtains b with

certainty.

Using the properties of f and F , a secure public-key cryptographic protocol was proposed

in [53]: using the private key s, the public-key is generated by computing f(s); the encryption
of a secret message corresponds to computing F (s, b); the decryption of the message

corresponds to inversion of F (s, b), using the trapdoor information s.

Finally, in order to guarantee that at the end of the OT protocol Bob knows if he got the

message m or not, Alice is required to send both m and h(m), where h is a universal hash

function. A hash function maps strings to other strings of smaller size. Below, we present
a definition of universal hash function and an important basic result.

Definition 2.2.1. Consider two sets A and B of size a and b, respectively, such that a > b,
and consider a collection H of hash functions h : A → B. If

$$\Pr_{h \in H}[h(x) = h(y)] \le \frac{1}{b}$$

then H is called a universal family of hash functions.

Theorem 2.2.1. Let H be a collection of hash functions h : A→ B, where A and B are sets

of size a and b, respectively, such that a > b. The size of a set Ax of strings x ∈ A mapped

to the same hash value h(x) is at most N/b.

In our particular case we consider A and B as the sets of strings of length ℓ and ℓ/2,
respectively. Hence, there are $2^{\ell/2}$ different strings for each hash value (for an overview

see [64]).

2.3 Results

In this section we present the protocol that achieves oblivious transfer of a bit-string

message from Alice to Bob. The scheme uses hash functions, which allow Bob to certify whether, after
the opening phase, he got the message or not. A hash function produces a digest of a message

– a string of smaller size – such that: (i) the probability of generating at random strings with

the same hash value is negligible; (ii) the hash values are almost uniformly distributed over

the set of all possible digests.

Our protocol is based on the public-key cryptosystem [53], and can be briefly summarized

as follows. Given a reference, so-called computational, basis $\beta_0 = \{|0\rangle, |1\rangle\}$, Alice first
encodes each bit $m_i$ of the message $m = m_1 \dots m_k$ into the state $|m_i\rangle$ of the corresponding
qubit. Then, she randomly chooses a bit value a, and for each $m_i$ a rotation angle $\varphi_i$ (taken
from a given set of angles Φ), and rotates $|m_i\rangle$ by $(-1)^a\varphi_i$. Finalizing the transferring phase,
she sends the qubits to Bob. Note that for each qubit i the encoding quantum states

$$|0_i^{(a)}\rangle = R((-1)^a\varphi_i)|0\rangle \tag{2.1}$$

$$|1_i^{(a)}\rangle = R((-1)^a\varphi_i)|1\rangle = R(\pi)|0_i^{(a)}\rangle, \tag{2.2}$$

where rotations R are defined by $R(\varphi)|0\rangle = \cos(\varphi/2)|0\rangle + i\sin(\varphi/2)|1\rangle$, are mutually orthogonal
and hence fully distinguishable, provided one knows the direction a and the angle $\varphi_i$ of
the rotation. Therefore, Bob cannot decipher the message m, unless given additional information
about the encoding bases $\beta_i = \{|0_i^{(a)}\rangle, |1_i^{(a)}\rangle\}$. In Figure 2.1 we present a schematic
description when the length of the message to be transferred is k.

In the opening phase, Alice provides Bob with such (partial) information: she sends the
so-called secret key, a string $\varphi = (\varphi_1, \dots, \varphi_k)$ of rotation angles, but not the rotation direction

a. Oblivious to the rotation direction, Bob can only guess it, which he will get correctly in

50% of the cases.

Encrypted in quantum states of qubits, Alice sends the message m, together with its

digest d = h(m), given by a suitably chosen hash function h. Upon decrypting the states of

qubits sent by Alice, Bob recovers a string which is a pair (m′, d′). Note that m′ and d′ are

not necessarily the message m and its hash value d = h(m). Bob checks if d′ = h(m′). If so,

he is convinced that the received message m′ is indeed the intended message m (for technical

details, see Section 2.4).

Figure 2.1: Schematic description of the transferring phase of our oblivious transfer protocol
for messages of length k. The full arrows represent the actual states of qubits, while the
dashed arrows in the last two lines (encryption of a message) represent $|0_i\rangle$ states.

Below, we present a rigorous description of our bit-string OT protocol, where $\varphi_i = s_i\theta_n$.

Protocol 2.3.1 (Bit-string OT).

Message to transfer $m = m_1 \dots m_k$;

Security parameter $n \in \mathbb{N}$, and the corresponding $\theta_n = \pi/2^{n-1}$;

Hash function $h : \{0,1\}^k \to \{0,1\}^\omega$, where $\omega = \lfloor\sqrt{k}\rfloor$, from a pre-agreed universal family of hash functions;

Secret key $s = (s_1, \dots, s_{k+\omega})$, where each $s_i \in \{0, \dots, 2^n - 1\}$.

Transferring phase:

1. Alice chooses uniformly at random the hash function h and a bit $a \in \{0, 1\}$ and prepares the following state:

$$|\psi\rangle = \bigotimes_{i=1}^{k} R(m_i\pi + (-1)^a \times s_i\theta_n)|0\rangle \bigotimes_{i=1}^{\omega} R(h_i(m)\pi + (-1)^a \times s_{i+k}\theta_n)|0\rangle \tag{2.3}$$

(Note that $h_i(m)$ represents the ith bit of the binary string h(m)).

2. Alice sends the state |ψ〉 to Bob.

Opening phase:

3. Alice sends to Bob the secret key $s = (s_1, \dots, s_{k+\omega})$, the security parameter n and the hash function h.

4. Bob checks if s is likely to be a possible output of a random process.

5. Bob chooses uniformly at random a bit $a' \in \{0, 1\}$ and applies $R((-1)^{a'} s_i\theta_n)$ to each qubit of |ψ〉.

6. Bob applies the measurement operator $M^{\otimes(k+\omega)} = (0 \times |0\rangle\langle 0| + 1 \times |1\rangle\langle 1|)^{\otimes(k+\omega)}$.

7. Let m′ · h′ be the message that Bob recovers (notice that here h′ is a bit-string, a potential value of the hash, and not a function itself). He checks if h′ = h(m′). If that is the case then Bob is almost sure that m′ = m, otherwise he knows that m′ is not the correct message.

Notice that knowing h(m) can potentially reveal the whole set Am of the strings mapped to

the same value of hash. Knowing Am decreases Bob’s uncertainty about the unknown string

m, thus effectively revealing $\omega = \lfloor\sqrt{k}\rfloor$ bits of information about string m. This information

may help Bob to increase the probability of finding m, thus compromising the security of the

protocol. Therefore we encrypt both the message m and h(m) into a quantum state sent by

Alice. Since, in order to confirm that he obtained the message m, Bob needs to learn the

value h(m) as well, one can consider the pair (m,h(m)) as a message to be transferred. For

simplicity, in the rest of the Chapter we will denote the pair (m,h(m)) as a single message

m to be transferred. Note though, that there are correlations between the message m and

the value h(m), which might become relevant for the Concealing property, and in particular

for achieving the Probabilistic transfer, after Bob learns the particular function h chosen by

Alice. We will address this issue when discussing the above mentioned cases.

In Step 4 Bob checks if the secret key s was indeed randomly chosen. By encoding the $s_i$’s
into binary numbers Alice has to provide an n × (k + ω) long bit-string produced by a fair
coin. A number of possible tests of random-number generators exist in the literature, such as
$\chi^2$, Kolmogorov-Smirnov, Serial correlation, Two-level, K-distributivity, Serial and Spectral
tests (for more details, see [54], Chapter 27). Step 4 of the protocol is used to overcome the
hypothetical chance of Alice to cheat by sending particular elements $s_i$ of the secret key s
which allow Bob to recover the message with probability close to 1. Notice that if $s_i$ is such
that the angle of rotation is $\varphi_i = s_i\theta_n/2 = 0$, or $\varphi_i = s_i\theta_n/2 = \pi/2$, then Bob will with
certainty get the correct bit value $m_i$. Therefore, if the elements $s_i$ of the secret key were
close to 0 or π/2, Alice would know with probability significantly higher than 1/2 that Bob
received the message m (for a detailed analysis of possible cheating strategies of Alice, see
the proof of the obliviousness criterion in Section 2.4.4). If the $s_i$’s were indeed chosen uniformly
at random, then a significant portion of them would not be close to 0 nor π/2, preventing Alice
from cheating.

Nevertheless, for the protocol to be secure, a much simpler criterion can be used, one

that is satisfied whenever a string is indeed produced uniformly at random. If Alice chooses

each $s_i$ uniformly at random, then on average half of such choices satisfy $\varphi_i = s_i\theta_n/2 \in [\pi/8, 3\pi/8] \cup [5\pi/8, 7\pi/8]$. These $s_i$’s are already far enough from 0 and π/2 to secure the

protocol against cheating Alice. For a detailed discussion on the degree of Bob’s confidence

against cheating strategies of Alice, see Section 2.4.4.
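The following is an added example, not code from the thesis: a classical simulation of Protocol 2.3.1 that tracks one qubit per bit, using the real rotation R(φ)|0〉 = cos(φ/2)|0〉 + sin(φ/2)|1〉 of Section 2.2 and the block-parity hash family of Section 2.4.2. All function names, the restriction to k being a perfect square, and the sample message are assumptions made for the illustration.

```python
import math
import random


def theta(n):
    """theta_n = pi / 2^(n-1): angular step for security parameter n."""
    return math.pi / 2 ** (n - 1)


def rotate(state, phi):
    """Apply R(phi) to a qubit (c0, c1); R(phi)|0> = cos(phi/2)|0> + sin(phi/2)|1>."""
    c, s = math.cos(phi / 2), math.sin(phi / 2)
    c0, c1 = state
    return (c * c0 - s * c1, s * c0 + c * c1)


def measure(state, rng):
    """Measurement M in the computational basis; returns the observed bit."""
    p1 = round(state[1] ** 2, 12)  # rounding removes floating-point noise at 0 and 1
    return 1 if rng.random() < p1 else 0


def block_parity_hash(bits, perm):
    """h_pi(m): permute m with perm, cut into omega blocks of omega bits, output block parities."""
    omega = math.isqrt(len(bits))
    if omega * omega != len(bits):
        raise ValueError("this sketch assumes k is a perfect square")
    permuted = [bits[j] for j in perm]
    return [sum(permuted[i * omega:(i + 1) * omega]) % 2 for i in range(omega)]


def alice_transfer(m, s, n, perm, a):
    """Steps 1-2: one qubit per bit of m . h(m), rotated by bit*pi + (-1)^a s_i theta_n."""
    payload = m + block_parity_hash(m, perm)
    sign = (-1) ** a
    return [rotate((1.0, 0.0), bit * math.pi + sign * s_i * theta(n))
            for bit, s_i in zip(payload, s)]


def bob_open(qubits, s, n, perm, a_prime, rng):
    """Steps 5-7: rotate by (-1)^a' s_i theta_n, measure, then test h' == h(m')."""
    sign = (-1) ** a_prime
    bits = [measure(rotate(q, sign * s_i * theta(n)), rng) for q, s_i in zip(qubits, s)]
    m_rec, h_rec = bits[:len(perm)], bits[len(perm):]
    return m_rec, h_rec == block_parity_hash(m_rec, perm)


def same_direction_success(s, n):
    """Product over the key of cos^2(s_i theta_n): chance that a' = a decodes every bit."""
    return math.prod(math.cos(s_i * theta(n)) ** 2 for s_i in s)


def acceptance_rate(m, n, trials, seed):
    """Fraction of honest runs in which Bob's hash check passes (constructed experiment)."""
    rng = random.Random(seed)
    k, omega = len(m), math.isqrt(len(m))
    accepted = 0
    for _ in range(trials):
        s = [rng.randrange(2 ** n) for _ in range(k + omega)]   # fresh secret key
        perm = rng.sample(range(k), k)                          # random member h_pi
        qubits = alice_transfer(m, s, n, perm, rng.randrange(2))
        accepted += bob_open(qubits, s, n, perm, rng.randrange(2), rng)[1]
    return accepted / trials


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]  # constructed, k = 16
    print("hash check passes in", acceptance_rate(message, 16, 2000, seed=1), "of runs")
```

For small k the check h′ = h(m′) can pass by chance when a′ = a, so the printed rate may sit slightly above 1/2. A key made only of $s_i \in \{0, 2^{n-1}\}$ makes `same_direction_success` equal to 1, which is the degenerate case Step 4 is meant to reject.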

Finally, we present a simple way of using our protocol to achieve oblivious transfer of a

single bit b by sending a bit-string message m with parity b.

Protocol 2.3.2 (Single-bit oblivious transfer).

Message to transfer b;

Security parameter k;

1. Alice chooses bit b.

2. Alice chooses a k-bit message m, such that $\bigoplus_{i=1}^{k} m_i = b$.

3. Alice and Bob perform protocol 4.6.1.

4. If Bob had got the right message m, then he performs $\bigoplus_{i=1}^{k} m_i = b$. Otherwise, he cannot recover the bit.

2.4 Methods

In this Section we prove the security of our oblivious transfer protocol. Oblivious transfer

has to satisfy the following four properties (the first expresses the correctness, while the last

three assure the security of the protocol):

Soundness If both Alice and Bob are honest, then with probability 1/2 Bob will obtain

the right message. Bob knows if he got the right message or not;

Concealingness If Alice is honest Bob cannot learn the content of the message that Alice

meant to send before the opening phase (the protocol is concealing).


Probabilistic transfer After the opening phase, Bob cannot learn the message in more

than 50% of the cases (with probability higher than 1/2).

Obliviousness If Bob is honest then Alice does not know if Bob received the message –

she can only guess with probability 1/2 (the protocol is oblivious).

In case of bit-string protocols, the probability 1/2 that appears in the above definition is

relaxed to 1/2 + ε(k), where k is the length of the message and ε : N → R is a negligible

function, i.e., for every positive polynomial p there exists a $k_0 \in \mathbb{N}$ such that for all $k > k_0$,

ε(k) ≤ 1/p(k).

In general, both quantum and classical cryptographic security protocols for exchanging

messages depend on several parameters, one of them being the length of the message. As a

rule, such protocols are said to be secure if the cheating probability is negligible with respect

to the length of the message, provided that the other parameters are suitably chosen.

In our case, as well as in the case of the public-key scheme presented in [53] (on which

our protocol is based), one such parameter is n, and for both protocols the level of security

indeed depends on the choice of n. Nevertheless, as proven in [53], with a proper choice of n,

(for example k = n), the public-key scheme is secure against eavesdropping. Consequently,

with the same choice of a proper n, our protocol is Sound (correct) and Concealing (before

the opening phase Bob cannot learn the message sent by Alice). On the other hand, the

other two security criteria (Probabilistic Transfer and Obliviousness) do not depend on the

choice of n, as shown in the respective proofs presented below.

Note that in [53], in order to further reduce the probability of a successful attack, security

parameter n was treated as a part of the secret key (together with s). But it was noted that

the protocol would still be secure even if n were public. In a subsequent paper [55], in which

the robustness of the public-key cryptosystem introduced in [53] was further analyzed, n was

treated as a part of a public-key, i.e. the cryptosystem is secure even if (a properly chosen)

n were known. Note that in both cases, according to the above definition, the protocol is

secure, but with different negligible functions ε(k): when n is private, the corresponding

negligible function is smaller than when n is public.


2.4.1 Soundness of the protocol

In the following we prove the soundness of our protocol: if both parties are honest, then

with probability 1/2 + ε(k) Bob will get the right message, where ε(k) is a negligible function
of the size of the message $m = m_1 \dots m_k$.

First assume that Alice and Bob had chosen to rotate the state in opposite directions,

i.e., a ≠ a′. Without loss of generality assume that Alice chooses a = 0, to rotate clockwise
all the qubits. The qubits Alice sent to Bob are in the following state:

$$|\psi\rangle = \bigotimes_{i=1}^{k} R(m_i\pi + s_i\theta_n)|0\rangle = \bigotimes_{i=1}^{k} \left[\cos\left(\frac{m_i\pi + s_i\theta_n}{2}\right)|0\rangle + \sin\left(\frac{m_i\pi + s_i\theta_n}{2}\right)|1\rangle\right]. \tag{2.4}$$

In the opening phase Bob receives from Alice the additional information, the secret key
$s = (s_1, \dots, s_k)$.

By the assumption, Bob decides to rotate each qubit received from Alice counterclockwise
(a′ = 1) by $-s_i\theta_n$. The states he gets are either |0〉 or |1〉:

$$R(-s_i\theta_n)(R(m_i\pi + s_i\theta_n)|0\rangle) = R(m_i\pi)|0\rangle = \cos\left(\frac{m_i\pi}{2}\right)|0\rangle + \sin\left(\frac{m_i\pi}{2}\right)|1\rangle = |m_i\rangle. \tag{2.5}$$

Bob measures M on the above state and the result is $m_i$ with probability 1. We conclude that
if Bob chooses to rotate in the direction contrary to Alice’s choice, then with probability 1

Bob will recover the bit sent by Alice.

On the other hand, if Alice and Bob decide to rotate each qubit of the message in the

same direction (a = a′), say clockwise, the qubits’ states are transformed into (i = 1 . . . k):

$$R(s_i\theta_n)(R(m_i\pi + s_i\theta_n)|0\rangle) = R(m_i\pi + 2s_i\theta_n)|0\rangle = \cos\left(\frac{2s_i\theta_n + m_i\pi}{2}\right)|0\rangle + \sin\left(\frac{2s_i\theta_n + m_i\pi}{2}\right)|1\rangle = |m_i\rangle. \tag{2.6}$$

If $m_i = 0$ then the above state becomes $|m_i\rangle = \cos(s_i\theta_n)|0\rangle + \sin(s_i\theta_n)|1\rangle$ and by measuring
M Bob gets the correct answer with probability $\cos^2(s_i\theta_n)$; if $m_i = 1$ then the above
state becomes $|m_i\rangle = -\sin(s_i\theta_n)|0\rangle + \cos(s_i\theta_n)|1\rangle$ and again Bob gets the correct bit with
probability $\cos^2(s_i\theta_n)$. Hence

$$\Pr(m_i; M, |m_i\rangle) = \cos^2(s_i\theta_n). \tag{2.7}$$

Assuming that the key s is chosen at random, the probability of recovering the whole

message by rotating in the wrong direction becomes negligible, and the expected probability

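of recovering message m when measuring $M^{\otimes k}$ on the state $|\psi'\rangle = \bigotimes_{i=1}^{k} R((-1)^{a'} s_i\theta_n)|\psi\rangle$ is:

$$\Pr(m; M^{\otimes k}, |\psi'\rangle) = \Pr(a' \ne a) \times \Pr(m \mid a' \ne a) + \Pr(a' = a) \times \Pr(m \mid a' = a) \le \frac{1}{2} + \frac{1}{2}\prod_{i=1}^{k}\cos^2(s_i\theta_n). \tag{2.8}$$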

Clearly, when Alice chooses the values si at random, the expected probability of Bob

recovering the message m in case Alice and Bob perform equal rotations becomes negligible,

i.e., $\varepsilon(k) = \frac{1}{2}\prod_{i=1}^{k}\cos^2(s_i\theta_n)$ is negligible. To see that, notice that on average half of values
for the rotation angles $s_i\theta_n/2$ fall in the region [π/8; 3π/8] ∪ [5π/8; 7π/8], giving the upper
bound $\varepsilon(k) \le 2^{-k/2}$.

The information received by Bob consists of two parts: one corresponding to the actual

message sent by Alice, and the other corresponding to its hash value. At the end of the

protocol, Bob checks if he recovered the correct message by comparing its hash value with the

latter part of information received. Note that by the properties of universal hash functions,

the probability that the hash of the first part matches the second one is negligible in the case

Alice and Bob performed the same rotation.

2.4.2 Concealingness of the protocol

In this subsection we show that if Alice is honest, the probability of Bob recovering Alice’s

message before the opening phase is negligible. Furthermore, after the opening phase Bob

recovers the message with, up to a negligible value, probability 1/2.


The first part of the statement follows directly from the security of the public-key crypto

system [53], and is basically a consequence of the fact that, depending on the secret key

component $s_i$, the same state $|\psi_i\rangle$ of a single qubit can be encrypting either a 0 or a 1: for
each $s_i$ there exists $s'_i$ such that $|\psi_i\rangle = R(s_i\theta_n)|0\rangle$ encrypts 0, while $|\psi_i\rangle = R(s'_i\theta_n + \pi)|0\rangle$

encrypts 1. In fact, before the opening phase, our protocol is as secure as the cryptographic

system underlying our protocol.

We stress that the additional information provided by Alice, the hash function, cannot
help Bob recover the message m. In fact, below, we prove that even if Bob had access
directly to the hash value h(m) this would not help him (note that the fact that the value h(m) is
encrypted makes Bob’s task even harder). In the following, we provide the reasoning for a

particular hash function of a universal family of hash functions.

Given a message m, consider its partition into $\omega = \lfloor\sqrt{k}\rfloor$ consecutive blocks of bits $m_i$
($i = 1, \dots, \omega$), each with length $\lfloor\sqrt{k}\rfloor$: $m = m_1 \dots m_\omega$. Each bit $h_i(m)$ of the hash value h(m)
is the parity of the i-th block of the message m: $h_1(m) = m_1 \oplus \dots \oplus m_\omega$, etc. Hence, all the
bits of h(m) are mutually independent.

Suppose that h(m) allows one to recover m with some non-negligible probability p. Then,
in particular, the bit $h_1(m)$ helps to recover the possible block $m_1 = m_1 \oplus \dots \oplus m_\omega$, with
the same probability p. We claim that this is impossible, assuming that the cryptographic
system [53], used to design our protocol, is secure.

In fact, if a cryptographic system is secure for coding a message m of length k, then a
fortiori the encryption of a polynomially shorter message, say $m_1$, is also secure. So, if $h_1(m)$
would help to recover the first block with non-negligible probability p then, by randomly
guessing the value $h_1(m)$ (that will be correct with probability 1/2), it would be possible to
break the crypto system presented in [53] with non-negligible probability p/2.

One can easily describe a universal family of hash functions by considering all possible
forms of dividing k elements into groups of ω elements, i.e. by using the above hash function
h on the permuted message. Given a permutation $\pi \in S_k$ of length k, one can define the hash
function $h_\pi(m) = h_{id_k}(m_{\pi(1)} \dots m_{\pi(k)})$, where $h_{id_k}$ is the above h. Obviously, the concealing
property is valid for the whole family $\{h_\pi \mid \pi \in S_k\}$ of universal hash functions.


2.4.3 Probabilistic transfer of the protocol

After receiving the secret key s, Bob’s description of the qubits sent by Alice is given by

the mixed state (for convenience, we consider a ∈ {+, −}, where “+” stands for clockwise
rotation and “−” otherwise):

$$\rho_B(s) = \frac{1}{2}\sum_{a \in \{+,-\}} \left(\frac{1}{2}\right)^k \sum_{m_1 \in \{0,1\}} \dots \sum_{m_k \in \{0,1\}} \bigotimes_{i=1}^{k} |m_i(s_i)\rangle_a \langle m_i(s_i)|, \tag{2.9}$$

where $|m_i(s_i)\rangle_\pm = \cos\left(\frac{m_i\pi}{2} \pm \frac{s_i\theta_n}{2}\right)|0\rangle + \sin\left(\frac{m_i\pi}{2} \pm \frac{s_i\theta_n}{2}\right)|1\rangle$. The single-qubit partial states
are completely mixed, and can be written in the following suitable form: $\rho_B(s_i) = \frac{1}{2}(\rho_0(s_i) + \rho_1(s_i))$,
where $\rho_{m_i}(s_i) = \frac{1}{2}(|m_i(s_i)\rangle_+ \langle m_i(s_i)| + |m_i(s_i)\rangle_- \langle m_i(s_i)|)$. Note though that the
overall state $\rho_B(s)$ is not a tensor product of single-qubit states: the rotation direction a is
the same for all qubits, thus correlating the single-qubit states. Nevertheless, if Bob is constrained to

perform only a few-qubit coherent measurements, these correlations, as well as the knowledge

of h(m), cannot help him to increase the probability of learning m.

First, we give the proof for the case of single-qubit measurements. As before, the hash

function h is determined by the parity of blocks $m_i$ of size ω. Since the parity of block $m_i$
is completely uncorrelated to the value of each of its bits, unless we know the values of all
other ω − 1 remaining bits, the choice of the optimal single-qubit measurement of at least
ω − 1 qubits of a single block does not depend on the hash value $h_i(m)$.

The correlations between single-qubit states established by the same choice of the rotation
direction cannot help either. A possible cheating strategy would be to, as prescribed by
the protocol, randomly choose the rotation direction, and perform the corresponding measurement
on the first few qubits only. With probability 1/2 the choice will be right, and the

bits would be correctly decrypted; with probability 1/2 though, the wrong choice would lead

to wrong decryption which, in case Bob can detect it, would result in measuring the right

observable on the remaining qubits. But Bob can detect the wrong choice only by comparing

the results with the hash value, the parity of blocks of length ω. Thus, only upon measuring

all qubits of at least one block of size ω Bob can spot the mistake. This however leaves

him uncertain which, among $2^{\omega-1}$ possible messages, was the message sent by Alice, which is
exponentially many on the size k of the whole message m (note that $\omega = \sqrt{k}$). Thus, since
for each $s_i$ the states $\rho_0(s_i)$ and $\rho_1(s_i)$ are not fully distinguishable, what Bob can do is to
try to distinguish between the two states as best as possible.

The optimal probability of guessing bit’s value $m_i$ is then given by the Helstrom formula [56]:

$$P_H(\rho_0(s_i), \rho_1(s_i)) = \frac{1}{2} + \frac{1}{4}\mathrm{Tr}|\rho_0(s_i) - \rho_1(s_i)| = \frac{1}{2}(1 + |\cos(s_i\theta_n)|). \tag{2.10}$$

Note that the optimal observable for such measurement is the same for each possible $s_i$, and
is given by the computational basis {|0〉, |1〉} (see Figure 2.2). Analogously as in the proof
of soundness of the protocol, since on average half of values $s_i$ satisfy $|\cos(s_i\theta_n)| \le 1/\sqrt{2}$, we
have $\varepsilon(k) \le q^{-k/2}$, where $q = \frac{1}{2}(1 + 1/\sqrt{2}) < 1$.

Figure 2.2: The optimal discrimination between the bit value 0, encoded in quantum state
$\rho_0(s_i) = \frac{1}{2}(|0(s_i)\rangle_+ \langle 0(s_i)| + |0(s_i)\rangle_- \langle 0(s_i)|)$, and the bit value 1, $\rho_1(s_i) = \frac{1}{2}(|1(s_i)\rangle_+ \langle 1(s_i)| + |1(s_i)\rangle_- \langle 1(s_i)|)$.
The optimal observable is given by the vectors from the computational basis,
|0〉 for inferring the bit value 0, and |1〉 for inferring the bit value 1. Note that $\varphi_i = s_i\theta_n/2$.

Suppose now Bob is allowed to perform at most two-qubit coherent measurements. Then,

for each pair, say $(s_1, s_2)$, the four quantum states

$$\rho_{00}(s_1 s_2) = \frac{1}{2}(\rho^+_{00}(s_1 s_2) + \rho^-_{00}(s_1 s_2)) = \frac{1}{2}(|0(s_1)0(s_2)\rangle_+ \langle 0(s_1)0(s_2)| + |0(s_1)0(s_2)\rangle_- \langle 0(s_1)0(s_2)|), \tag{2.11}$$

(and analogously for $\rho_{01}(s_1 s_2)$, $\rho_{10}(s_1 s_2)$ and $\rho_{11}(s_1 s_2)$), would also not be fully distinguishable.
Therefore, the optimal strategy that Bob can adopt will produce wrong decryption,
with finite error probability q > 0. As in the case of single-qubit measurements, this leads to
negligible advantage over the 1/2 probability of recovering m, given sufficiently large k (and
thus the block length $\omega = \sqrt{k}$).

Given the maximal length ℓ of the multi-qubit measurement, each block m of length
ℓ is from Bob’s point of view described by the mixed state $\rho_m(s) = \frac{1}{2}(\rho^+_m(s) + \rho^-_m(s)) = \frac{1}{2}(|m(s)\rangle_+ \langle m(s)| + |m(s)\rangle_- \langle m(s)|)$, where s is the part of the secret key s corresponding to
the block m. As ℓ increases, the states $|m(s)\rangle_\pm$ and $|m'(s)\rangle_\pm$, corresponding to two different
messages m and m′, become increasingly distinguishable. The precise relation between the
maximal length ℓ of the allowed coherent measurements and the size k of the message m is

to be addressed in a separate study.

2.4.4 Obliviousness of the protocol

To finish the security discussion we prove that the protocol is unconditionally oblivious:

at the end of the protocol Alice does not know whether Bob received the right message or
not.

At the end of the protocol, since Bob performs local operations and measurements, Alice

has no way of knowing if Bob had chosen the right rotation, or not. Therefore, if being

honest and sending the state prescribed by the Protocol, Alice cannot know if an honest Bob

received the message or not.

To increase her probability of knowing if Bob received the message or not, while maintaining
the 50% of Bob’s success, a cheating Alice can only use the following strategy: in
50% of the cases she sends a cheating state $|\psi_{ch}\rangle$ that would reveal m independently of Bob’s

choice of rotation (i.e. with probability 1 Alice knows that Bob received the message), and

in the remaining cases she sends a completely random state, such that the probability of

Bob receiving m is negligible in the length of the message (i.e. with probability 1, up to a

negligible value, Alice knows that Bob did not receive the message). Here, for simplicity we

assumed that the cheating permits Alice to know with certainty if Bob received the message

or not. Nevertheless, if Alice is dishonest and wants to ensure that an honest Bob would

get the message by sending $|\psi_{ch}\rangle$, her probability to do so without being noticed will be
exponentially close, with respect to the message length k, to 1/2. Below, we give an upper

bound to the mentioned probability, showing the security of the protocol against cheating

Alice.

Let l be the number of $s_i$’s for which $\varphi_i = s_i\theta_n/2 \in [\pi/8; 3\pi/8] \cup [5\pi/8; 7\pi/8]$. For such
cases we can consider the rearranged secret key $s = s_1 \dots s_l$ and the corresponding message
$m = m_1 \dots m_l$. Depending on his choice of rotation direction a′ Bob will measure one of the
two observables $\hat{C}_\pm(s) = \sum_{m=0}^{2^l-1} m \cdot P_\pm(m; s)$, where one-dimensional projectors are given by
$P_\pm(m; s) = \bigotimes_{i=0}^{l} P_\pm(m_i; s_i) = \bigotimes_{i=0}^{l} |m_i(s_i)\rangle_\pm \langle m_i(s_i)|$.

For given m and s Alice wants to maximize the probability $\Pr_{ch}$ of Bob obtaining m
measuring $\hat{C}_\pm(s)$ on $|\psi_{ch}\rangle$ (and thus her probability of knowing if he got the message or not),
which is given by

$$\Pr_{ch} = \frac{1}{2}\left(\|P_+(s)|\psi_{ch}\rangle\|^2 + \|P_-(s)|\psi_{ch}\rangle\|^2\right). \tag{2.12}$$

From the triangle inequality of the trace distance $D(|\phi\rangle, |\psi\rangle) = \sqrt{1 - |\langle\phi|\psi\rangle|^2}$, we have ($|\pm\rangle = \bigotimes_{i=0}^{l} |m_i(s_i)\rangle_\pm$):

$$\Pr_{ch} \le \frac{1}{2}\left(1 + |\langle +|-\rangle|^2\right) \le \frac{1}{2}\left(1 + \cos^{2l}(\pi/8)\right). \tag{2.13}$$

If the values $s_i$ were produced uniformly at random, then the probability that $\varphi_i = s_i\theta_n/2 \in [\pi/8; 3\pi/8] \cup [5\pi/8; 7\pi/8]$ is 1/2. As a consequence, the random variable that counts
the number l of such $\varphi_i$’s follows the binomial distribution B(k, 1/2), with k being the number
of trials (the total number of rotation angles $\varphi_i$, equal to the length of the message m) and 1/2
being the success probability of each trial (where by “success” we mean that the rotation angle
falls within the above mentioned intervals). For sufficiently large k, the binomial distribution
can be approximated by the normal distribution $N(\mu, \sigma^2)$ with the mean µ = k/2 and the
variance $\sigma^2 = k/4$. This allows Bob to set the degree of confidence of Alice’s obliviousness.
For example, choosing the 3σ criterion, if $(k - 3\sqrt{k})/2 \le l \le (k + 3\sqrt{k})/2$ Alice’s probability
to learn if Bob got the message or not will be $\Pr_{ch} = 1/2 + \varepsilon(k)$, where ε(k) is negligible
(which happens in 99.8% of the cases if $s_i$ were chosen uniformly at random).
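The simplified key check described above can be written down directly. This is an added example, not code from the thesis: it counts l, applies the 3σ acceptance band, and evaluates the right-hand side of (2.13). The function names are hypothetical, k is taken to be the number of key elements passed in, and the sample keys are constructed.

```python
import math
import random


def in_safe_band(s_i, n):
    """True if phi_i = s_i*theta_n/2 = s_i*pi/2^n lies in [pi/8, 3pi/8] U [5pi/8, 7pi/8].

    Comparing 8*s_i against multiples of 2^n keeps the interval test exact (no floats).
    """
    x, unit = 8 * s_i, 2 ** n
    return unit <= x <= 3 * unit or 5 * unit <= x <= 7 * unit


def count_safe(s, n):
    """l: number of key elements whose angle is far from both 0 and pi/2."""
    return sum(in_safe_band(s_i, n) for s_i in s)


def key_passes_3sigma(s, n):
    """Bob's rule: accept the key iff (k - 3*sqrt(k))/2 <= l <= (k + 3*sqrt(k))/2."""
    k, l = len(s), count_safe(s, n)
    half_width = 3 * math.sqrt(k)
    return (k - half_width) / 2 <= l <= (k + half_width) / 2


def alice_cheat_bound(l):
    """Right-hand side of (2.13): (1 + cos^(2l)(pi/8)) / 2."""
    return 0.5 * (1 + math.cos(math.pi / 8) ** (2 * l))


if __name__ == "__main__":
    n, k = 16, 256
    rng = random.Random(0)
    uniform_key = [rng.randrange(2 ** n) for _ in range(k)]            # constructed
    biased_key = [rng.choice((0, 2 ** (n - 1))) + rng.randrange(64)    # constructed:
                  for _ in range(k)]                                   # angles near 0 or pi/2
    for name, key in (("uniform", uniform_key), ("biased", biased_key)):
        l = count_safe(key, n)
        print(name, "l =", l, "accepted =", key_passes_3sigma(key, n),
              "bound on Pr_ch =", alice_cheat_bound(l))
```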


2.5 Discussion

In this Chapter we proposed a novel scheme for obliviously transferring a bit-string

message from Alice to Bob. The scheme presented does not violate Lo’s no-go theorem

[28] and its security is based on the laws of quantum physics.

We proved that the protocol is unconditionally secure against any cheating strategy of

Alice (it is unconditionally oblivious). Furthermore, we proved that it is unconditionally

concealing, provided Bob performs only single-qubit measurements. Although intuitively

our protocol should, at least for sufficiently large n, be secure against multi-qubit measurements,
a detailed analysis of its security against Bob’s coherent attacks remains to be done

(similarly as for the case of recently proposed and performed quantum signature protocols

[57, 58]). Finally, we note that, according to the security criterion adopted in this paper, our

all-or-nothing OT protocol is secure against violating only one out of the three requirements

(concealingness, probabilistic transfer and obliviousness), while keeping the other two satisfied.
Nevertheless, having a protocol such as ours, together with a bit-commitment protocol

(such as those presented in [39, 40, 41, 42]), using the reduction presented in [65] one can

achieve an all-or-nothing OT secure against a wider range of cheating strategies, such as the

one in which, by never sending the intended message, a cheating Alice violates the obliviousness
criterion while at the same time decreasing to zero Bob’s probability to receive the

message (see [66] for a detailed discussion on the example of the computationally secure OT

presented in [52]).

Our protocol does not use entanglement and its optical implementation could be performed
using today’s technology.

Finally we discuss the need for the use of hash functions. Recall that at the end of the

protocol Bob must be sure if he got the intended message or not. This property is guaranteed

by comparing the computed hash value of the received message m with the presumed hash

value sent by Alice together with m. Such acknowledgment of the validity of the message

decoded by Bob could be done differently. Suppose that out of all possible messages (PM),

Alice is constrained to send m from a smaller set of messages (VM), such that verifying that


m is in VM can be easily done, but only Alice knows the elements of VM. Note that in order

to keep the probability of receiving a message from Alice to 1/2, up to a negligible term, the

size of VM must be exponentially smaller than the size of PM. For example, VM could be

the set of solutions to a hard mathematical problem, say 3-SAT problem. Alternatively, the

message sent might be written in an existing human language, say English, making it easily

recognizable by any English-language speaker.

Future lines of research include formulating other quantum security protocols that use single-qubit rotations to encode bit values into quantum states taken from a number of different bases. One such immediate application is in designing a quantum bit-string commitment protocol and comparing it with the existing proposals. Furthermore, similarly to when generating (randomized) secret keys, single-qubit rotations could be used in creating undeniable signatures.


Chapter 3

Discrete-Time Quantum Walks

3.1 Introduction

This Chapter is dedicated to the quantum walk simulator, qwsim, and the OT protocol based on DTQW on a line. A bit is encoded by the initial position of a DTQW state. Initially, the bit-1 state and the bit-0 state are mutually orthogonal. After performing a random choice of a quantum walk, the mixed states corresponding to initial bit-1 and bit-0 states will no longer be orthogonal. This is the fundamental point of our proposal.

In order to study the statistics of the states mentioned above, a simulator for two-particle quantum walks on the line and one particle on a two-dimensional square lattice was developed. This simulator can be used to investigate the equivalence between the two cases (one- and two-particle walks) for various boundary conditions (open, circular, reflecting, absorbing and their combinations). For the case of a single walker on a two-dimensional lattice, the simulator can also implement the Möbius strip. Furthermore, other topologies for the walker are also simulated by the proposed tool, like certain types of planar graphs with degree up to 4, by considering missing links over the lattice.

After this Introduction, in Section 2 we present a mathematical description of a discrete-time quantum walk on a line with one and two particles, and show the equivalence of the latter with a one-particle quantum walk on a square lattice. We discuss different boundary conditions (circular, reflecting, absorbing, etc.) and for the case of a one-particle walk on a lattice, different topologies (Möbius strip, Klein bottle, etc.). Finally, we describe two models of noise in a quantum walk: dynamic breaking of links between certain nodes, and varying coins for random nodes. In Section 3 we describe the quantities that our simulator is calculating and analyze their relevance, with the emphasis on a two-particle quantum walk picture, where joint properties depending on correlation and entanglement can exhibit specific non-classical quantum features. In Section 4 we present some illustrative examples. Finally, Section 5 is dedicated to OT based on DTQW on a line and a brief examination of its security. Finally, conclusions on qwsim and on the OT protocol are in Section 6.

3.2 Discrete-time quantum walks

In a discrete-time quantum walk on a line, we consider the movement of a walker along discrete positions, labeled on a line $x \in \mathbb{Z}$. At each step this particle can move to the left or to the right of the line. The direction is controlled by an internal degree of freedom, commonly called the coin degree of freedom. Both position and coin states of a given particle can be modeled using Hilbert spaces $\mathcal{H}_P = \mathrm{span}\{|x\rangle : x \in \mathbb{Z}\}$ and $\mathcal{H}_C = \mathrm{span}\{|R\rangle, |L\rangle\}$, for the position space and the coin space respectively. The total Hilbert space of a particle doing a discrete-time quantum walk on a line is given by $\mathcal{H} = \mathcal{H}_P \otimes \mathcal{H}_C$. The one-step time evolution of the system is described by the unitary operator

$$U = S\,(I_P \otimes U_C), \tag{3.1}$$

where $S$ is the shift operator given by

$$S = \Big(\sum_x |x+1\rangle\langle x|\Big) \otimes |R\rangle\langle R| + \Big(\sum_x |x-1\rangle\langle x|\Big) \otimes |L\rangle\langle L|, \tag{3.2}$$

$I_P$ is the identity operator on $\mathcal{H}_P$, and $U_C \in U(2)$ acts on $\mathcal{H}_C$.

Now, consider two non-interacting particles on a line. The joint Hilbert space of the composite system, consisting of two distinguishable particles 1 and 2 doing a quantum walk over the same¹ line, is

$$\mathcal{H}_{12} \equiv \mathcal{H}_1 \otimes \mathcal{H}_2$$

where $\mathcal{H}_1 = \mathcal{H}_{P,1} \otimes \mathcal{H}_{C,1}$ and $\mathcal{H}_2 = \mathcal{H}_{P,2} \otimes \mathcal{H}_{C,2}$ represent the Hilbert spaces of particles 1 and 2, respectively. The joint one-step time evolution of this system is simply the tensor product between the unitary operators for time evolutions of each particle

$$\begin{aligned}
U_{12} = U_1 \otimes U_2 &= \big[S_1 (I_{P,1} \otimes U_{C,1})\big] \otimes \big[S_2 (I_{P,2} \otimes U_{C,2})\big] && (3.3)\\
&= S_{12} \big([I_{P,1} \otimes I_{P,2}] \otimes U_{C,12}\big), && (3.4)
\end{aligned}$$

where $S_{12} = S_1 \otimes S_2$ has the form

$$\begin{aligned}
S_{12} = \sum_{x_1,x_2}\; & |x_1+1, x_2+1\rangle_{12}\langle x_1, x_2| \otimes |RR\rangle_{12}\langle RR| \\
+\; & |x_1+1, x_2-1\rangle_{12}\langle x_1, x_2| \otimes |RL\rangle_{12}\langle RL| \\
+\; & |x_1-1, x_2+1\rangle_{12}\langle x_1, x_2| \otimes |LR\rangle_{12}\langle LR| \\
+\; & |x_1-1, x_2-1\rangle_{12}\langle x_1, x_2| \otimes |LL\rangle_{12}\langle LL| ,
\end{aligned} \tag{3.5}$$

and the joint coin operator is

$$U_{C,12} = U_{C,1} \otimes U_{C,2}.$$

Note that the labels of ket states denote the joint and single-particle Hilbert spaces $\mathcal{H}_{12}$, $\mathcal{H}_1$ and $\mathcal{H}_2$, such that $|x_1, x_2\rangle_{12} \equiv |x_1\rangle_1 |x_2\rangle_2$, etc.

It is easy to see that a quantum walk of two particles on a line, in which initial positions of both walkers are equal, say 0, is equivalent to a quantum walk of one particle along a two-dimensional square lattice $xOy$, whose nodes are labeled by their coordinates $(x, y) : x, y \in \mathbb{Z}$ along two perpendicular axes $x$ and $y$. Indeed, if the positions of the two particles on a line represent the two orthogonal coordinates, along the axes 1 and 2, of a node in the square lattice, then the two-particle configuration $(1, 1)$ corresponds to a position $(1, 0)$ of a particle on the $xOy$ lattice whose axes $x$ and $y$ are rotated by $\pi/4$ with respect to the axes 1 and 2, see Figure 3.1.

[Figure 3.1 labels: LEFT, RIGHT, LEFT (DOWN), RIGHT (UP); W, E, S, N; axes x1, x2, x, y.]

Figure 3.1: Relation between the representations of quantum walks of one particle on a lattice and two particles on a line.

¹ From a mathematical point of view, it is irrelevant whether two particles are performing the walk over the same or different lines: both descriptions are identical. Yet, it is crucial for the applications. For example, in the study of the effects of entanglement between the two walkers on the features of quantum walk-based search algorithms, in which the two walkers are performing a search over the same data-base. For the same reason, we assume that the walks are performed simultaneously, which is the reason for requiring particle distinguishability: otherwise, the states of two identical particles would be subject to bosonic and fermionic symmetrization and anti-symmetrization rules. On the other hand, such states are possible to study in the case of distinguishable particles as well.

In general, the correspondence between a two-particle configuration $(x_1, x_2)$ and a position $(x, y)$ of a node in a rotated $xOy$ lattice is given by:

$$x = \tfrac{1}{2}(x_2 + x_1), \qquad y = \tfrac{1}{2}(x_2 - x_1), \tag{3.6}$$

which establishes the correspondence between the states from a two-particle position Hilbert space ($\mathcal{H}_{P,12} \equiv \mathcal{H}_{P,1} \otimes \mathcal{H}_{P,2}$) and a position Hilbert space $\mathcal{H}_{P,xy} = \mathrm{span}\{|x, y\rangle : x, y \in \mathbb{Z}\}$ of a single particle on a square lattice $xOy$. According to this, moving both particles to the right along a line is equivalent to a particle on a lattice moving East (to the right with respect to the $x$-axis). This induces the following correspondence between the states from a two-particle coin Hilbert space $\mathcal{H}_{C,12} \equiv \mathcal{H}_{C,1} \otimes \mathcal{H}_{C,2}$ and the one-particle coin space $\mathcal{H}_{C,xy} = \mathrm{span}\{|E\rangle, |S\rangle, |N\rangle, |W\rangle\}$:

$$|E\rangle = |RR\rangle_{12}, \quad |S\rangle = |RL\rangle_{12}, \quad |N\rangle = |LR\rangle_{12}, \quad |W\rangle = |LL\rangle_{12}. \tag{3.7}$$

Therefore, the overall Hilbert space of a single particle doing a quantum walk along the $xOy$ square lattice is $\mathcal{H}_{xy} \equiv \mathcal{H}_{P,xy} \otimes \mathcal{H}_{C,xy}$ (note that, for reasons of simplicity, we drop the labels of the ket states from $\mathcal{H}_{xy}$). The above correspondences (3.6) and (3.7) give the shift operator equivalent to $S_{12}$

$$\begin{aligned}
S_{xy} = \sum_{x,y}\; & |x+1, y\rangle\langle x, y| \otimes |E\rangle\langle E| \\
+\; & |x, y-1\rangle\langle x, y| \otimes |S\rangle\langle S| \\
+\; & |x, y+1\rangle\langle x, y| \otimes |N\rangle\langle N| \\
+\; & |x-1, y\rangle\langle x, y| \otimes |W\rangle\langle W| ,
\end{aligned} \tag{3.8}$$

while the coin operator for a quantum walk of a particle on the lattice, equivalent to a given two-particle walk on a line, is unchanged: $U_{C,xy} = U_{C,12}$. Note that in general $U_{C,xy} \in U(4) \supset U(2) \otimes U(2)$, which in the case of two particles on a line would correspond to a global coin operation that could increase the entanglement between the coins of two particles. The unitary time evolution of each step of the quantum walk is given by:

$$U_{xy} = S_{xy} \big(I_{P,xy} \otimes U_{C,xy}\big),$$

where $I_{P,xy}$ is the identity operator on $\mathcal{H}_{P,xy}$.

Note that the above correspondence between a two-particle walk on a line and a single-particle walk on a square lattice is valid as long as initial positions of two particles on a line are of the same parity. Otherwise, using (3.6) we see that the two-particle walk is equivalent to a walk on a different square lattice whose node positions are half-integers. This way, we can use our simulator for two particles on a line to simulate quantum walks of two distinguishable particles on the same lattice, as long as their joint state is a product between one-particle states.

3.2.1 Quantum walks with specific boundary conditions and topologies

Quantum walks with certain boundary conditions are quite interesting. Firstly, from the theoretical point, it is essential to understand how these boundaries affect the features of quantum walks, in particular the entanglement between the particles as well as the other mentioned quantities that we study. Moreover, from a practical point of view, these boundaries might reduce significantly the state space, which leads to a numerically feasible analysis. Finally, quantum walks with particular boundaries can be used to simulate various (finite-size) physical systems.

First, we will consider boundary conditions for particles on a line. Then, we turn to the case of the square lattice. The correspondence between the two cases is given by (3.6) and (3.7).

For a particle on a line, the two simplest cases are the circular and the reflecting boundary conditions. In the case of circular boundary conditions, we connect two points $M$ and $-M$. Our system is finite (a circle with $2M+1$ points), which affects the shift operator: the sum in (3.2) goes from $-(M-1)$ to $(M-1)$, while the connected points $-M$ and $M$ are represented by adding the term

$$\begin{aligned}
C = {} & |{-M}\rangle\langle M| \otimes |R\rangle\langle R| + |M\rangle\langle {-M}| \otimes |L\rangle\langle L| \\
& + |M-1\rangle\langle M| \otimes |L\rangle\langle L| + |{-(M-1)}\rangle\langle {-M}| \otimes |R\rangle\langle R| .
\end{aligned} \tag{3.9}$$

For reflecting boundary conditions at positions $M$ and $-M$, the coin operator is changed at the points of reflection to one that describes the reflection of the particle's direction of movement (i.e. coin state):

$$(I_P \otimes U_C) \to \sum_{x_1=-(M-1)}^{M-1} |x_1\rangle\langle x_1| \otimes U_C + \big(|{-M}\rangle\langle {-M}| + |M\rangle\langle M|\big) \otimes \big(|L\rangle\langle R| + |R\rangle\langle L|\big). \tag{3.10}$$

Note that a general case of different two positions is equivalent to moving the initial position. One can also consider reflection in a single position $M$ as well.

Combining the above two circular and reflecting (finite) together with open (infinite) boundary conditions, one can in the case of two particles on a line obtain different topologies: torus (two circles), finite and infinite cylinder (circular and reflection/open), square (both particles reflect on both sides of 0), etc. The corresponding corrected shift operators are obtained as a tensor product between the two single-particle corrected operators.

Analogously, one can study the circular and reflecting boundary conditions for the case of one particle on a two-dimensional lattice as well. For example, the correction of the shift operator for the case of circular conditions connecting points with different positions on the $x$-axis ($M$ and $-M$), resulting in the (infinite) cylinder geometry, is given by

$$\begin{aligned}
C_x = \sum_y\; & |{-M}, y\rangle\langle M, y| \otimes |E\rangle\langle E| + |M, y\rangle\langle {-M}, y| \otimes |W\rangle\langle W| \\
+\; & |{-(M-1)}, y\rangle\langle {-M}, y| \otimes |E\rangle\langle E| + |M-1, y\rangle\langle M, y| \otimes |W\rangle\langle W| ,
\end{aligned} \tag{3.11}$$

while the reflection over the lines $x = \pm M$ results in the correction of the coin operator given by:

$$R_x = \sum_y |M, y\rangle\langle M, y| \otimes |W\rangle\langle E| + |{-M}, y\rangle\langle {-M}, y| \otimes |E\rangle\langle W| + \sum_{x=-(M-1)}^{M-1} \sum_{y=-M}^{M} |x, y\rangle\langle x, y| \otimes U_C . \tag{3.12}$$

In addition to the above two cases, for a two-dimensional lattice one more option of a boundary along one axis occurs, presenting us with the Möbius strip. Connecting the points $(M, y)$ of the line $x = M$, and $(-M, -y)$ of the line $x = -M$, results in the shift operator for which the sum for the $x$ component is again going as above (from $-M+1$ to $M-1$), while the correction term is

$$\begin{aligned}
M_x = \sum_y\; & |{-M}, -y\rangle\langle M, y| \otimes |E\rangle\langle E| + |M, -y\rangle\langle {-M}, y| \otimes |W\rangle\langle W| \\
+\; & |M-1, y\rangle\langle M, y| \otimes |W\rangle\langle W| + |{-(M-1)}, y\rangle\langle {-M}, y| \otimes |E\rangle\langle E| ,
\end{aligned} \tag{3.13}$$

and analogously for connecting the $y = M$ and $y = -M$ axes according to Möbius topology. Combining the two results in the topology of Klein bottle.

Note that the Möbius boundary conditions for the case of two particles on a line would require a non-local shift operation, connecting distant sites $x_2$ and $-x_2$ of a second particle, whenever the first one is in the position $x_1 = M$ or $x_1 = -M$. Clearly, the shift operation is not a simple product of two one-particle operations. It is rather a controlled operation: conditioned to a position of the first particle, the second one is moving either locally ($x_2 \to j \pm 1$), if $x_1 \neq \pm M$, or non-locally, otherwise. This can bring interesting consequences for the properties of a quantum walk, as it may introduce entanglement between the walkers.

Another type of boundary conditions are absorbing ones. They are modeled by measurements at certain points (of a line or a lattice) at each step of the walk. For example, an absorption at point $x_1$ on a line of a particle, coming from the left or right, is modeled by performing a measurement given by the projector $P(x_1) = |x_1\rangle\langle x_1| \otimes I_C$. If a particle is found at position $i$, it is absorbed and the walk stopped. Otherwise, the particle is for sure not in the position $x_1$; its state $|\psi(n)\rangle$, after $n$ steps of the walk, is collapsed onto $I_{PC} - P(x_1) = (I_P - |x_1\rangle\langle x_1|) \otimes I_C |\psi(n)\rangle$, renormalized to unity, and evolved by the one-step evolution operator described above. Such walks, known as measured walks, were studied before [69, 91] in relation to various hitting times (see our discussion in the next Section).

Partial measurements modeling absorption of a particle can be also used to model noise and decoherence effects. The other two ways to model noise and decoherence effects are breaking the links between certain nodes, or using different coins for different nodes and/or steps.

3.2.2 Noise and decoherence: broken links and different coins

Studying decoherence effects by breaking the links between two nodes was first introduced in [92] for the case of a walk on a line, and later generalized to a two-dimensional case [93]. In a one-dimensional case, breaking the link between two neighboring nodes $x_0$ and $x_0 + 1$, at a step $n$ of a walk, is equivalent to imposing the reflecting boundary conditions in between the two nodes, for a particle coming from both directions. In other words, a particle coming from the node $x_0$ to the right will, instead of arriving to node $x_0 + 1$, change its direction (coin state, from $|R\rangle$ to $|L\rangle$) and return back to $x_0$, and analogously for the particle coming from the node $x_0 + 1$ to the left. Therefore, breaking the link between the nodes $x_0$ and $x_0 + 1$, at a step $n$ of the walk, changes the shift operator $S$ at that step from (3.2) to:

$$\begin{aligned}
S = {} & \Big(\sum_{x_1 \neq x_0} |x_1+1\rangle\langle x_1|\Big) \otimes |R\rangle\langle R| + |x_0\rangle\langle x_0| \otimes |L\rangle\langle R| \\
& + \Big(\sum_{x_1 \neq x_0+1} |x_1-1\rangle\langle x_1|\Big) \otimes |L\rangle\langle L| + |x_0+1\rangle\langle x_0+1| \otimes |R\rangle\langle L| .
\end{aligned} \tag{3.14}$$

Analogously, the shift operator (3.8) for the case of a single walker in two-dimensions is changed as well. For example, breaking the link between the nodes $(x_0, y_0)$ and $(x_0 + 1, y_0)$ changes $|x_0+1, y_0\rangle\langle x_0, y_0| \otimes |E\rangle\langle E|$ to $|x_0, y_0\rangle\langle x_0, y_0| \otimes |W\rangle\langle E|$, and $|x_0, y_0\rangle\langle x_0+1, y_0| \otimes |W\rangle\langle W|$ changes as well to $|x_0+1, y_0\rangle\langle x_0+1, y_0| \otimes |E\rangle\langle W|$.

Note that in the case of two walkers on a line, breaking of the links has to be identical for both walkers, if we want them to walk over the same line. Also, note that breaking of one link of only one of the two lines corresponds to breaking of infinitely many links in the corresponding two-dimensional walk on the $xOy$ plane.

Breaking of the links can be either static or dynamic. If links (given by the pairs of nodes that are supposed to be connected by them) that are broken are fixed throughout the whole walk, the shift operator is changed according to the above description and fixed as well: in every step of the walk the same shift operation is applied (breaking is static). Otherwise, if in every step different (possibly randomly chosen) links are broken, the shift operation changes from step to step and the breaking is dynamic. Note that static breaking of the links allows to study walks over planar graphs with nodes having at most degree four.

The other possibility of studying noise and decoherence effects is by introducing different coin operation for different nodes. In the one-dimensional case (analogously for two dimensions and higher), changing the unique coin operation $U_C$ to $U_{C_i}$, for each node $i$, changes the one-step evolution (3.1), from $U = S(I_P \otimes U_C)$ to

$$\begin{aligned}
U &= S \Big(\sum_{x_1} |x_1\rangle\langle x_1| \otimes U_{C_{x_1}}\Big) && (3.15)\\
&= \Big(\sum_{x_1} |x_1+1\rangle\langle x_1| \otimes |R\rangle\langle R|\, U_{C_{x_1}} + |x_1-1\rangle\langle x_1| \otimes |L\rangle\langle L|\, U_{C_{x_1}}\Big), && (3.16)
\end{aligned}$$

and analogously for one particle on the lattice.

Again, altering coin operations can be either static or dynamic. Quantum-to-classical transition driven by many coins was studied in [94]. The particle localization due to varying coin in time was also studied in [88, 89, 90]. The particle localization can be explained physically as follows: a quantum walk, say on a lattice, can be seen as a model for a scattering process of a particle (say, electron) over the ions of a crystal lattice, such that the coin operators model the transition amplitudes between the neighboring ions. Introducing for some nodes coins different from the common one corresponds to introducing impurities (ions different from the one of a crystal lattice), which in the static case (impurities fixed in time) leads to Anderson-type particle localization [95].

3.3 Quantities computed by the simulator

In this Section, we describe the quantities characterizing a quantum walk that our simulator is computing. Since the emphasis of the program is to study the joint properties of a multi-particle quantum walk, we will use notation compatible with the case of two walkers on a line. Using (3.6) and (3.7), one can easily obtain the corresponding quantities for the case of a single walker in two dimensions.

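A pure state of two walkers is a unit vector in a two-particle Hilbert space $\mathcal{H}_{12} \equiv \mathcal{H}_1 \otimes \mathcal{H}_2$, where one-particle mutually isomorphic spaces $\mathcal{H}_i = \mathcal{H}_{P,i} \otimes \mathcal{H}_{C,i}$, with $i \in \{1, 2\}$, have each a position and a coin factor space. Writing $\mathcal{H}_{12} = (\mathcal{H}_{P,1} \otimes \mathcal{H}_{P,2}) \otimes (\mathcal{H}_{C,1} \otimes \mathcal{H}_{C,2}) = \mathcal{H}_{P,12} \otimes \mathcal{H}_{C,12}$, one can talk of a two-particle position and coin (generally mixed) states.

If the initial state is $|\psi(0)\rangle_{12} \in \mathcal{H}_{12}$, then after $n$ steps the state is

$$|\psi(n)\rangle_{12} = U_{12}^{n} |\psi(0)\rangle_{12} .$$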

Partial one-particle mixed states, after $n$ steps of a walk, are given by density operators obtained by performing partial trace, $\rho_1(n) = \mathrm{Tr}_2 |\psi(n)\rangle\langle\psi(n)|_{12}$, and analogously for the second particle. The joint position state is evaluated by performing partial trace over the joint coin space $\mathcal{H}_{C,12}$, $\rho_{P,12}(n) = \mathrm{Tr}_{C,12} |\psi(n)\rangle\langle\psi(n)|_{12}$, while to obtain the coin state, we do a partial trace over the joint position space $\mathcal{H}_{P,12}$, $\rho_{C,12}(n) = \mathrm{Tr}_{P,12} |\psi(n)\rangle\langle\psi(n)|_{12}$. The one-particle position and coin states are obtained analogously, from one-particle states $\rho_i(n)$, with $i \in \{1, 2\}$.

The main quantity from which we compute relevant joint properties is a joint two-particle probability distribution $p_{12}(i, j; n)$, a probability that the position $x_1$ of the first particle is $i$, and the position $x_2$ of the second is $j$. It is easily computed from the overall position state $\rho_{P,12}(n)$ as

$$p_{12}(i, j; n) = {}_{12}\langle i, j| \rho_{P,12}(n) |i, j\rangle_{12} . \tag{3.17}$$

Often, for reasons of simplicity, we assume the time dependence (i.e. step $n$) as implicit, and write $p_{12}(i, j)$, $\rho_{P,12}$, etc. Also, sometimes we will drop the labels 12, 1 and 2 that denote whether a given quantity is a two-particle or a single-particle quantity: for example $p(i, j)$ instead of $p_{12}(i, j; n)$, or $\rho_P$ instead of $\rho_{P,12}(n)$.

Marginal probability, $p_1(i; n) = \sum_j p_{12}(i, j; n)$ can also be obtained from partial one-particle state, $p_1(i; n) = {}_1\langle i| \rho_1(n) |i\rangle_1$, and analogously for particle 2.

As the evolution of quantum walks is unitary, there exists no stationary state of the system, a fixed point of the evolution, as in the case of classical random walks. Therefore, there exists no stationary probability distribution (for detailed discussion, see for example [82] or [83]). Yet, the time (or rather, step) average of the probability distribution, $\bar{p}_{12}(i, j; n) = \frac{1}{n} \sum_{k=1}^{n} p_{12}(i, j; k)$, does converge to a limiting distribution (analogously for one-particle distribution):

$$\pi_{12}(i, j) = \lim_{n \to \infty} \bar{p}_{12}(i, j; n).$$

One can thus study how fast (in steps $n$) an average distribution $\bar{p}_{12}(i, j; n)$ approaches the limiting one $\pi_{12}(i, j)$, globally (mixing time), point-wise (sampling time), etc. (for definitions of the mixing, sampling, filling and dispersion time, see for example [83]).

The first global quantity of the two walkers to consider is the average distance between the two:

$$\langle d \rangle = \langle |x_1 - x_2| \rangle = \sum_{i,j} p_{12}(i, j; n)\,|i - j| .$$

Note that the $n$-dependence is implicit as the average is an expectation value of an operator $d = |x_1 - x_2|$ taken for the state $|\psi(n)\rangle_{12}$. This is clearly a global quantity that is not dependent only on marginal probability distributions $p_1(i; n)$ and $p_2(i; n)$, but on the correlations between the two random variables $x_1$ and $x_2$, which can in this case have particular entanglement-induced quantum features different from any classical-like correlations, as was first shown in [79].

Next, we discuss various types of the so-called mixing times. First, we describe the one-particle case, then we move to the case of two walkers.

In algorithmic applications of quantum walks, like in search problems, a solution to the problem is given by a particular node $i_0$ (or more than one node, but the generalization is straightforward) and one is interested in the probability of finding this solution. In other words, we are interested in the probability of finding the walker in the position $i_0$.

Let us define two (one-particle) orthogonal projectors, $P_0 = |i_0\rangle\langle i_0| \otimes I_c$ and $P_1 = I - P_0$, where $I_c$ is the identity in the coin space. Then, the one-shot hitting time for a given probability $p$ is the number of steps $N_o^{(1)}(i_0, p)$ for which the probability of the walker to be found in position $i_0$ is greater than or equal to $p$ [69]. It is determined by the (one-particle) one-shot probability to hit:

$$\mathcal{P}_o^{(1)}(i_0; n) = \| P_0 |\psi(n)\rangle \|^2 = \| \langle i_0 | \psi(n) \rangle \|^2 . \tag{3.18}$$

The above definition of hitting time is useful in cases one can estimate step $n$ around which the one-shot probability to hit $\mathcal{P}_o^{(1)}(i_0; n)$ is relatively high, like it was the case of Shor's algorithm [17].

If we check after each step whether the particle is in position $i_0$, we effectively perform the above measurement $M(i_0) = 0 \cdot P_0 + 1 \cdot P_1$ after each step. Such a walk, in which after each step the measurement given by $M(i_0)$ is performed, is called the $|i_0\rangle$-measured walk [69]: if the particle is collapsed (absorbed) onto the ray $|i_0\rangle\langle i_0|$ (result 0 obtained), the solution to the problem (data-base search, etc.) is found and the walk terminated; otherwise, if the result is 1, the walk is evolved one more step by $U$.

For $|i_0\rangle$-measured walk, let $\mathcal{P}_f^{(1)}(i_0; n)$ be the probability to detect (for the first time) the particle at position $i_0$, at step $n$ (first-time probability to hit):

$$\mathcal{P}_f^{(1)}(i_0; n) = \| P_0 U [P_1 U]^{n-1} |\psi(0)\rangle \|^2 . \tag{3.19}$$

Then, the average hitting time of the $|i_0\rangle$-measured walk is [91]:

$$N_a^{(1)}(i_0) = \sum_{n=1}^{\infty} n\, \mathcal{P}_f^{(1)}(i_0; n). \tag{3.20}$$

The above hitting time corresponds to a typical (average, expected) running time for the quantum-walk based algorithm [91].

Finally, one might be interested in a number of steps $N_c^{(1)}(i_0, p)$ after which a $|i_0\rangle$-measured walk has probability to stop greater or equal than certain given $p$. Such $N_c^{(1)}(i_0, p)$ is called the concurrent hitting time [69], and is given by the concurrent probability to hit $\mathcal{P}_c^{(1)}(i_0; n)$ for the walk to stop at any of the steps $n' \leq n$:

$$\mathcal{P}_c^{(1)}(i_0; n) = \sum_{n'=1}^{n} \| P_0 U [P_1 U]^{n'-1} |\psi(0)\rangle \|^2 . \tag{3.21}$$

As noted in [91], the concurrent hitting time corresponds to the number of steps after which the probability to find the solution is greater or equal than $p$.
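The probabilities (3.18), (3.19) and (3.21) can be evaluated directly for a walker on the circle defined by (3.9). The Python code below is an added example, not part of qwsim or of the thesis; the Hadamard coin, the dictionary representation of the state and all function names are assumptions made for illustration.

```python
import math

S2 = 1 / math.sqrt(2)

def step(state, M):
    """One step U = S (I_P ⊗ U_C) on the circle of 2M+1 nodes -M..M.

    state maps (x, c) -> amplitude with c in {'R', 'L'}. U_C is assumed to be
    the Hadamard coin; the shift wraps M -> -M for |R> and -M -> M for |L>,
    as in the circular-boundary term (3.9).
    """
    new = {}
    for (x, c), a in state.items():
        # Hadamard: |R> -> (|R> + |L>)/sqrt(2), |L> -> (|R> - |L>)/sqrt(2)
        for c_out, amp in (('R', S2 * a), ('L', S2 * a if c == 'R' else -S2 * a)):
            x_out = x + 1 if c_out == 'R' else x - 1
            if x_out > M:
                x_out = -M
            elif x_out < -M:
                x_out = M
            new[(x_out, c_out)] = new.get((x_out, c_out), 0.0) + amp
    return new

def prob_at(state, i0):
    """||P0 |psi>||^2 with P0 = |i0><i0| ⊗ I_c."""
    return sum(abs(a) ** 2 for (x, _), a in state.items() if x == i0)

def one_shot(psi0, i0, n, M):
    """One-shot probability to hit (3.18): evolve n steps, then measure once."""
    state = dict(psi0)
    for _ in range(n):
        state = step(state, M)
    return prob_at(state, i0)

def first_hit(psi0, i0, n_max, M):
    """First-time probabilities to hit (3.19) for n = 1..n_max."""
    state, out = dict(psi0), []
    for _ in range(n_max):
        state = step(state, M)
        out.append(prob_at(state, i0))
        # Outcome 1 of M(i0): apply P1 = I - P0 and keep the state unnormalised,
        # so that the next norm is already the joint probability in (3.19).
        state = {k: a for k, a in state.items() if k[0] != i0}
    return out

def concurrent(psi0, i0, n_max, M):
    """Concurrent probabilities to hit (3.21): running sum of (3.19)."""
    total, out = 0.0, []
    for p in first_hit(psi0, i0, n_max, M):
        total += p
        out.append(total)
    return out

def concurrent_hitting_time(psi0, i0, p, M, n_cap=1000):
    """Smallest n with P_c(i0; n) >= p, or None if not reached within n_cap."""
    for n, pc in enumerate(concurrent(psi0, i0, n_cap, M), start=1):
        if pc >= p:
            return n
    return None

if __name__ == "__main__":
    psi0 = {(0, 'R'): 1.0}   # constructed initial state |0>|R>
    print(first_hit(psi0, 1, 6, M=5))
    print(concurrent_hitting_time(psi0, 1, 0.6, M=5))
```
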

The above hitting times were defined for one-particle quantum walks and are given by the probabilities (3.18) – (3.21). For two particles, the corresponding hitting times are given by the analogous two-particle probabilities $\mathcal{P}_o^{(2)}(i_0; n)$, $\mathcal{P}_f^{(2)}(i_0; n)$ and $\mathcal{P}_c^{(2)}(i_0; n)$ that at least one of the two particles is detected in position $i_0$. Indeed, if the solution to the problem is given by the marked position $i_0$, it is enough if only one of the two walkers finds it. The two-particle probabilities and hitting times are obtained as in the case of one-particle walks, by substituting one-particle $P_0$ (and its complement $P_1$) by its two-particle equivalent

$$P_0 = \big(|i_0\rangle\langle i_0|_{P,1} \otimes I_{P,2} + I_{P,1} \otimes |i_0\rangle\langle i_0|_{P,2} - |i_0\rangle\langle i_0|_{P,1} \otimes |i_0\rangle\langle i_0|_{P,2}\big) \otimes I_{C,12}$$

in equations (3.18) – (3.21). Note the subtraction of the term $|i_0\rangle\langle i_0|_{P,1} \otimes |i_0\rangle\langle i_0|_{P,2}$ which is twice counted in the sum of the first two terms of the expression. Formally, without the subtraction this would not be an idempotent projector for which $P_0^2 = P_0$.

In finding solutions by searching certain data base, for example, we would prefer if the two particles search different regions at each given moment: if the two walkers are following each other, then there is little help of such "parallel processing". In other words, the probability that both walkers are found in the same position should be as small as possible; their average distance as big as possible. In [79] it was shown that the maximal one-shot probability $\mathcal{P}_o^{(2)}(i_0; n)$ to find at least one particle in position $i_0$ corresponds to the case of maximal average distance, when the initial coin state is the fermionic one, i.e. maximally anti-symmetric Bell state $(|RL\rangle - |LR\rangle)/\sqrt{2}$, while the initial position state² is $|00\rangle$.

Global quantities do not depend on marginal probability distributions, but on the correlations between the random variables, in our case the positions of the two walkers. They are given by the covariance. For the case of the positions $x_1$ and $x_2$ of the two walkers, the covariance is given by:

$$\mathrm{Cov}(x_1, x_2) = \langle (x_1 - \langle x_1 \rangle)(x_2 - \langle x_2 \rangle) \rangle = \langle x_1 x_2 \rangle - \langle x_1 \rangle \langle x_2 \rangle . \tag{3.22}$$

The other way to quantify correlations between two walkers is by classical (Shannon) and quantum (von Neumann) mutual information. Classical (Shannon) mutual information between the two random variables, say positions $x_1$ and $x_2$, is (note the implicit dependence on the step $n$):

$$I(x_1 : x_2) = H(x_1) + H(x_2) - H(x_1, x_2), \tag{3.23}$$

where $H(x_p) = -\sum_i p_p(i) \log p_p(i)$, with $p = 1, 2$, is the Shannon entropy of the random variable $x_p$ taking the values $i \in \mathbb{Z}$, and

$$H(x_1, x_2) = -\sum_{i,j} p_{12}(i, j) \log p_{12}(i, j) \tag{3.24}$$

is the joint (Shannon) entropy of $x_1$ and $x_2$.

² Note that in all of the above quantities the dependence on the initial state of the walker(s) is, for reasons of simplicity, left implicit.

The corresponding quantum (von Neumann) mutual information between the position degrees of freedom of two walkers is given in terms of their global and partial position states $\rho_{P,12}$, $\rho_{P,1}$ and $\rho_{P,2}$:

$$I(\rho_{P,12}) = S(\rho_{P,1}) + S(\rho_{P,2}) - S(\rho_{P,12}), \tag{3.25}$$

where $S(\rho_{P,1}) = -\mathrm{Tr}(\rho_{P,1} \log \rho_{P,1})$, and analogously for other two mixed states.

As it was shown in [79], the initial entanglement in the joint two-particle coin state can, starting from the initially product position state $|0, 0\rangle_{12}$, bring about correlations between the positions of the two, the correlations beyond those achievable by any classical (i.e. mixed, but separable) initial state. In other words, a two-particle quantum walk can, in the course of steps, transfer the entanglement, and thus correlations, from the coin to the position degree of freedom. Therefore, one might be interested in analyzing the dynamics of mutual information (Shannon and von Neumann) between the (joint) coin and position degrees of freedom, or between the coins of the two walkers, or finally between the two walkers. They are given by expressions analogous to (3.23) and (3.25).
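The transfer of correlations from the coins to the positions can be seen numerically by computing the joint distribution (3.17), the average distance, the covariance (3.22) and the Shannon mutual information (3.23) for a product and for an entangled initial coin state. The Python code below is an added example, not part of qwsim or of the thesis; the Hadamard coin for both walkers, base-2 logarithms, the open line and all function names are assumptions made for illustration.

```python
import math
from collections import defaultdict

S2 = 1 / math.sqrt(2)
# Assumed coin U_C for both walkers: Hadamard, as (output coin, amplitude) pairs
COIN = {'R': (('R', S2), ('L', S2)), 'L': (('R', S2), ('L', -S2))}
MOVE = {'R': 1, 'L': -1}

# Constructed initial coin states: anti-symmetric Bell state and product |RR>
SINGLET = {('R', 'L'): S2, ('L', 'R'): -S2}
PRODUCT = {('R', 'R'): 1.0}

def step(state):
    """U12 = S12 ([I ⊗ I] ⊗ [U_C ⊗ U_C]) on an open line, eqs. (3.4)-(3.5)."""
    new = defaultdict(float)
    for (x1, x2, c1, c2), a in state.items():
        for d1, a1 in COIN[c1]:
            for d2, a2 in COIN[c2]:
                new[(x1 + MOVE[d1], x2 + MOVE[d2], d1, d2)] += a * a1 * a2
    return dict(new)

def joint_distribution(coin_state, n):
    """p12(i, j; n) of (3.17), starting from position |0,0> and coin_state."""
    state = {(0, 0, c1, c2): a for (c1, c2), a in coin_state.items()}
    for _ in range(n):
        state = step(state)
    p = defaultdict(float)
    for (x1, x2, _c1, _c2), a in state.items():
        p[(x1, x2)] += abs(a) ** 2          # trace over the joint coin space
    # Drop entries that vanished by destructive interference (rounding residue)
    return {k: q for k, q in p.items() if q > 1e-12}

def entropy(probs):
    """Shannon entropy in bits."""
    return -sum(q * math.log2(q) for q in probs if q > 0)

def marginals(p):
    p1, p2 = defaultdict(float), defaultdict(float)
    for (i, j), q in p.items():
        p1[i] += q
        p2[j] += q
    return p1, p2

def average_distance(p):
    """<d> = sum_{i,j} p12(i, j) |i - j|."""
    return sum(q * abs(i - j) for (i, j), q in p.items())

def covariance(p):
    """Cov(x1, x2) = <x1 x2> - <x1><x2>, eq. (3.22)."""
    e1 = sum(q * i for (i, _), q in p.items())
    e2 = sum(q * j for (_, j), q in p.items())
    return sum(q * i * j for (i, j), q in p.items()) - e1 * e2

def mutual_information(p):
    """I(x1 : x2) = H(x1) + H(x2) - H(x1, x2), eqs. (3.23)-(3.24)."""
    p1, p2 = marginals(p)
    return entropy(p1.values()) + entropy(p2.values()) - entropy(p.values())

def to_lattice(p):
    """Relabel (x1, x2) as lattice node (x, y) using (3.6); same-parity starts only."""
    return {((j + i) // 2, (j - i) // 2): q for (i, j), q in p.items()}

if __name__ == "__main__":
    for name, coin in (("product |RR>", PRODUCT), ("singlet", SINGLET)):
        p = joint_distribution(coin, 10)
        print(name, average_distance(p), covariance(p), mutual_information(p))
```
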

Finally, one can directly study entanglement between the two degrees of freedom. This is, being purely quantum feature, the most interesting quantity to study since it brings, in some settings, features of quantum walks classically impossible to achieve [79]. Nevertheless, unlike the correlations or (classical and quantum) mutual information, entanglement is more complex to characterize and quantify. In the case of pure bipartite states, entanglement between the two degrees of freedom is well defined and easy to evaluate: it is nothing but the von Neumann entropy of either of the two partial mixed states. Thus, if the initial state is pure, entanglement between the coin and position degree of freedom is given by:

$$E_{C,P} = S(\rho_{C,12}) = S(\rho_{P,12}). \tag{3.26}$$

Obviously, from the numerical point of view, it is much easier, and more accurate, to use the first equality and deal with much smaller $4 \times 4$ matrix representation of $\rho_{C,12}$. Writing the joint two-particle state $|\psi\rangle$ in the Schmidt bi-orthogonal expansion between the joint position and coin degrees of freedom

$$|\psi\rangle = \sum_{k=1}^{4} \sqrt{r_k}\, |\varphi_k\rangle_P |k\rangle_C ,$$

the partial coin and position mixed states are given as $\rho_C = \sum_{k=1}^{4} r_k |k\rangle\langle k|_C$ and $\rho_P = \sum_{k=1}^{4} r_k |\varphi_k\rangle\langle \varphi_k|_P$ (note that, for reasons of simplicity, we dropped the step $n$ dependence, and subscripts 12).

Calculating the coin state is computationally easy, its complexity is only quadratic in the number of steps $n$, as one has to evaluate $|\psi(n)\rangle$ and then a simple trace $\rho_C(n) = \mathrm{Tr}_P |\psi(n)\rangle\langle\psi(n)|$. Solving the characteristic equation and finding eigenvalues $r_k$ and eigenvectors $|k\rangle_C$ of a four-dimensional system given by $\rho_C$ is an easy task as well. Finally, the eigenvectors $|\varphi_k\rangle_P$ are easily calculated by obtaining the partial scalar product, $|\varphi_k\rangle_P = \frac{1}{\sqrt{r_k}} \langle k | \psi \rangle$. Finally, the partial position state is $\rho_P = \sum_{k=1}^{4} r_k |\varphi_k\rangle\langle \varphi_k|_P$ and the entanglement between the position and the coin degree of freedom is:

$$E_{C,P} = S(\rho_{C,12}) = S(\rho_{P,12}) = -\sum_{k=1}^{4} r_k \log(r_k).$$

But, finding the entanglement between the positions of two walkers, or the two coins, is a much more difficult problem. The partial position and coin states, $\rho_{P,12}$ and $\rho_{C,12}$, are mixed, and mixed-state entanglement is neither unique, nor easy to evaluate. One possible mixed-state entanglement measure is the entanglement of formation [96]. For the case of two-particle position state, one possible upper bound to the entanglement of formation could be given as:

$$E_F(\rho_{P,12}) = \sum_{k=1}^{4} r_k\, E(|\varphi_k\rangle_{P,12}),$$

with $E(|\varphi_k\rangle_{P,12}) = S(\mathrm{Tr}_{P,2} |\varphi_k\rangle\langle \varphi_k|_{P,12})$.

A relevant measure for the quantumness of correlations is the quantum discord [98]. In classical information theory, we have that the mutual information between random variables $X$ and $Y$ is given by $I(X : Y) = H(X) + H(Y) - H(X, Y)$ or, equivalently, $\mathcal{J}(X : Y) = H(Y) - H(Y|X)$.

For the general joint state $\rho_{XY}$ a subsystem's partial state after a measurement performed on the other sub-system is determined by the choice of the measurement and its outcome. Let $M_X = \sum_i i\, \Pi_i^X$ be a sub-system's $X$ observable, where $\Pi_i^X = |i\rangle\langle i|$ represent one-dimensional orthogonal projectors corresponding to the measurement outcome $i$. Upon measuring $M_X \otimes I_Y$ onto the joint state $\rho_{XY}$, and obtaining the result $i$, the partial state of the subsystem $Y$ is

$$\rho_{Y|\Pi_i^X} = \mathrm{Tr}_X \frac{(\Pi_i^X \otimes I_Y)\, \rho_{XY}\, (\Pi_i^X \otimes I_Y)}{p_i},$$

where $p_i = \mathrm{Tr}_{XY}(\rho_{XY} (\Pi_i^X \otimes I_Y))$. The expected entropy of the sub-system $Y$, conditioned by the measurement $M_X$ performed on the sub-system $X$ is:

$$S(Y|M_i^X) = \sum_i p_i\, S(\rho_{Y|\Pi_i^X}).$$

The difference between the uncertainty of the state of the sub-system $Y$ (measured by the von Neumann entropy) before the sub-system measurement $M_X$ was performed, and the expected uncertainty after it has been performed is

$$\mathcal{J}(X : Y)_{M_X} = S(\rho_Y) - S(Y|M_X),$$

where $\rho_Y = \rho_{XY}$.

The quantum discord, with respect to the measurement $M_X$, is given by

$$\delta(X:Y)_{\Pi_i^X} = I(X:Y) - \mathcal{J}(X:Y)_{M_X} = S(\rho_Y) - S(\rho_{XY}) + S(Y|M_X). \tag{3.27}$$

In the case of two particles on the line, X denotes the position of particle 1 and Y the

position of particle 2. For one particle on the lattice, X and Y denote the positions of the

particle along the x and y axes, respectively.
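The quantities defined above can be evaluated directly for a small joint state. The following added example (not the thesis's simulator code) computes the von Neumann entropies, the expected conditional entropy $S(Y|M_X)$ and the discord as $I(X:Y) - \mathcal{J}(X:Y)_{M_X}$ for a fixed measurement on $X$. It assumes computational-basis projectors, base-2 logarithms and NumPy, and the sample states are constructed for illustration.

```python
import numpy as np

def entropy(rho):
    """von Neumann entropy S(rho) in bits (base-2 logarithm is an assumption)."""
    ev = np.linalg.eigvalsh(rho)
    ev = ev[ev > 1e-12]                      # drop numerically zero eigenvalues
    return float(-np.sum(ev * np.log2(ev)))

def partial_trace(rho, dx, dy, keep):
    """Reduced state of sub-system 'X' or 'Y' of a (dx*dy)-dimensional joint state."""
    r = rho.reshape(dx, dy, dx, dy)
    if keep == "X":
        return np.einsum("iaja->ij", r)      # trace out Y
    return np.einsum("aiaj->ij", r)          # trace out X

def conditional_entropy(rho, dx, dy):
    """S(Y|M_X) = sum_i p_i S(rho_{Y|Pi_i}) for projectors Pi_i = |i><i| on X."""
    r = rho.reshape(dx, dy, dx, dy)
    total = 0.0
    for i in range(dx):
        block = r[i, :, i, :]                # Tr_X[(Pi_i x I) rho (Pi_i x I)]
        p_i = float(np.real(np.trace(block)))
        if p_i > 1e-12:
            total += p_i * entropy(block / p_i)
    return total

def discord(rho, dx, dy):
    """delta = I(X:Y) - J(X:Y)_{M_X} for the fixed measurement above.

    No minimisation over measurements is performed, matching the definition
    'with respect to the measurement M_X'."""
    s_x = entropy(partial_trace(rho, dx, dy, "X"))
    s_y = entropy(partial_trace(rho, dx, dy, "Y"))
    mutual = s_x + s_y - entropy(rho)        # quantum mutual information
    j = s_y - conditional_entropy(rho, dx, dy)
    return mutual - j

# Constructed two-qubit sample states (X is the first qubit).
ket0 = np.array([1.0, 0.0])
ket1 = np.array([0.0, 1.0])
plus = (ket0 + ket1) / np.sqrt(2)

def proj(v):
    return np.outer(v, v.conj())

bell_vec = (np.kron(ket0, ket0) + np.kron(ket1, ket1)) / np.sqrt(2)
BELL = proj(bell_vec)                                        # maximally entangled
CLASSICAL = 0.5 * (np.kron(proj(ket0), proj(ket0))
                   + np.kron(proj(ket1), proj(ket1)))        # classically correlated
MIXED = 0.5 * (np.kron(proj(ket0), proj(ket0))
               + np.kron(proj(plus), proj(ket1)))            # non-orthogonal X states

if __name__ == "__main__":
    for name, rho in (("Bell", BELL), ("classical", CLASSICAL), ("mixed", MIXED)):
        print(f"{name:10s} discord = {discord(rho, 2, 2):.4f} bits")
```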

3.4 The simulator at work

Here we illustrate the simulator at work. The simulator is constituted by three main

programs: one for simulating one particle on a square lattice; another for simulating two

particles on a line; and, finally, one to simulate a single particle on a line. All the quantities

described in Section 3.3 can be outputted by the simulator, and are chosen in a configuration

file. The configuration file is parsed by the simulator and contains the following information:

dimension of the grid, number of steps to simulate, initial state for the particles, broken links

in the grid, boundary conditions of the grid, measurement points, distribution of random

quantum coins over the grid, quantities to simulate.

Next, we present several examples of usage of the simulator, one for each main program.

For the program simulating one particle on a square lattice we consider a quantum walk with

broken links. For two walkers on the line, we study a case of entangled states. Finally, for

one particle in the line, we illustrate the simulator with a circular boundary condition.

3.4.1 A particle on a square lattice

For this case we illustrate the simulator by computing several relevant quantities for a quantum walk over a square lattice with several broken links. The idea is to get a picture of the effect of broken links (or impurities) on the simulated quantities. In particular, we verify Anderson-like localization by noticing that the average probability distribution is concentrated around the initial position. For this particular simulation we consider:

• a grid of size 61× 61;

• a number of steps 30;

• broken link probability of 0.5;

• initial state |ψ(0)〉 = |0, 0〉 |E〉.

The results of the quantities are depicted in Figures 3.2, 3.3, 3.4 and 3.5.

(a) Probability on plane after 30 steps, $p_{XY}(i,j;n)$ over $x$ and $y$. (b) Average probability distribution, $\pi_{XY}(i,j)$ over $x$ and $y$. (c) Upper bound of $E_f$ versus time. (d) Shannon entropy $H(X)$ for positions $X$ versus time.

Figure 3.2: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) Shannon entropy $H(Y)$ for positions $Y$ versus time. (b) Shannon entropy $H(X,Y)$ for variables $X$ and $Y$ versus time. (c) Shannon mutual information $I(X;Y)$ for position variables $X$ and $Y$ versus time. (d) von Neumann entropy of $\rho_{C,XY}$, $E_{C,P}$ versus time.

Figure 3.3: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) von Neumann entropy of $\rho_{P,X}$ versus time. (b) von Neumann entropy of $\rho_{P,Y}$ versus time. (c) von Neumann mutual information of $\rho_{P,XY}$ versus time. (d) Quantum discord $\delta(Y:X)$ of $Y$ given measurements $\Pi_i^X$ on $X$ versus time.

Figure 3.4: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) Mean distance $\langle |X-Y| \rangle$ of variables $X$ and $Y$ versus time. (b) Mean value $\langle X \rangle$ of variable $X$ versus time. (c) Mean value $\langle Y \rangle$ of variable $Y$ versus time. (d) Covariance $\mathrm{cov}(X,Y)$ of variables $X$ and $Y$ versus time.

Figure 3.5: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.4.2 Two particles on a line

The effect of entanglement on quantum walks is a relevant problem which is hard to tackle

analytically. For this reason the simulator is designed to determine various information

theoretical quantities, such as entropy, mutual information, (upper-bound) entanglement of

formation, which quantify the effect of entanglement between the coins on the joint position

probability distribution of two walkers. Indeed, one can check that entangled particles evolve

differently than non entangled ones [79].

For this particular simulation we consider:

• a grid of size 61× 61;

• a number of steps 30;

• initial state |ψ(0)〉12 = |0, 0〉12 (|RR〉 − |LL〉).

The results of the quantities are depicted in Figures 3.6, 3.7, 3.8 and 3.9.

(a) Probability on plane after 30 steps, $p_{12}(i,j;n)$ over $x$ and $y$. (b) Average probability distribution, $\pi_{12}(i,j)$ over $x$ and $y$. (c) Upper bound of $E_f$ versus time. (d) Shannon entropy $H(x_1)$ for positions $x_1$ versus time.

Figure 3.6: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) Shannon entropy $H(x_2)$ for positions $x_2$ versus time. (b) Shannon entropy $H(x_1,x_2)$ for variables $x_1$ and $x_2$ versus time. (c) Shannon mutual information $I(x_1;x_2)$ for position variables $x_1$ and $x_2$ versus time. (d) von Neumann entropy of $\rho_{C,12}$, $E_{C,P}$ versus time.

Figure 3.7: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) von Neumann entropy of $\rho_{P,1}$ versus time. (b) von Neumann entropy of $\rho_{P,2}$ versus time. (c) von Neumann mutual information of $\rho_{P,12}$ versus time. (d) Quantum discord $\delta(x_2:x_1)$ versus time.

Figure 3.8: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

(a) Mean distance $\langle |x_1-x_2| \rangle$ of variables $x_1$ and $x_2$ versus time. (b) Mean value $\langle x_1 \rangle$ of variable $x_1$ versus time. (c) Mean value $\langle x_2 \rangle$ of variable $x_2$ versus time. (d) Covariance $\mathrm{cov}(x_1,x_2)$ of variables $x_1$ and $x_2$ versus time.

Figure 3.9: Evolution of one particle on a square lattice with broken link probability of 0.5 for 30 steps.

3.4.3 A particle on a line

Although the case of a particle on a line is quite well studied, we also included it in the simulator. To take advantage of the features of the simulator we considered an absorbing boundary condition. For this particular simulation we consider:

• a line of length 100;

• a number of steps 10000;

• absorbing boundary condition;

• initial state |φ0〉 = |0〉 |R〉.

The results of the quantities are depicted in Figures 3.10 and 3.11.

(a) Probability distribution for position. (b) Average probability distribution for position. (c) Mean value $\langle x \rangle$ of variable $x$ versus time. (d) Shannon entropy $H(C)$ of coin state density matrix versus time.

Figure 3.10: Evolution of one particle on a line of length 201, for 10000 steps with absorbing boundary.

(a) Standard deviation $\sigma_x$ of $x$ versus time. (b) von Neumann entropy $S(\rho_C)$ of coin state density matrix versus time.

Figure 3.11: Evolution of one particle on a line of length 201, for 10000 steps with absorbing boundary.

Recently, a so-called feed-forward DTQW was introduced in [99], where the authors analysed the results of a 1D walk on an open line for up to $n = 10^8$ steps. Our program can perform simulations of a walk on an open line (without boundaries) for up to $n \sim 10^6$ steps (taking over 17.4 days to complete the simulation), which might seem a disadvantage when compared to the simulator used in [99]. Nevertheless, the two types of quantum walks differ significantly in their long-time behaviour, as the cited paper thoroughly analyses: while the standard DTQW has a ballistic behaviour, i.e. its diffusion scales as $\sigma \sim n$, the feed-forward DTQW diffusion scales as $\sigma \sim n^{0.4}$. Consequently, the memory needed to encode the relevant part of a state of a 1D feed-forward DTQW on an open line after $10^8$ steps is just a fraction of the memory needed to encode the relevant part of a state of a standard 1D DTQW after the same number of steps on an open line (see Figure 2.A of [99], where the x-axis goes from −4500 to +4500). Indeed, the memory needed to encode the relevant part of a quantum state of a standard 1D DTQW on an open line after $n = 10^8$ steps would be about 38.4 Gbits (see footnote 3), which exceeds the limits of any conceivable computer RAM memory that can be found on the market.

Nevertheless, when posing similar constraints to a standard 1D DTQW, for example reflecting boundary conditions, thus effectively limiting the area of a walk, our simulator can perform many more steps. In particular, for a line that goes from node −4000 to node +4000, our program was able to finish the simulation for $10^6$ steps in roughly 3 hours, while to simulate $10^7$ steps took roughly 30 hours. Consequently, the running time for $10^8$ steps would be roughly two weeks, which is reasonable for well-defined scientific research. Below we present the probability distribution and average probability distribution of the particle position for the mentioned simulation of $10^7$ steps.

(a) Probability distribution of the particle position. (b) Average probability distribution for position.

Figure 3.12: Probability distribution (a) and average probability distribution (b) of the particle position for one-particle quantum walk on a line with reflecting boundary conditions at nodes ±4000 after $10^7$ steps. The initial state is $|\psi(0)\rangle = |0\rangle |L\rangle$, and the random coin parameters are set within the interval $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$.

Footnote 3: For the case of a 1D DTQW on an open line, at each step $n$ only half of the nodes between $-n$ and $n$ have non-zero amplitude. Thus, after $10^8$ steps we need to encode complex amplitudes for $10^8$ nodes. For each node there are two complex amplitudes assigned: one for the left, and the other for the right coin state. Therefore, we need to encode $2 \cdot 10^8$ complex numbers, or $2 \cdot 2 \cdot 10^8$ real numbers. Each real number is encoded in double format, which takes 64 bits per number. Therefore, one needs about 38.4 Gbits of memory to encode a quantum state.

3.4.4 Example: Anderson localization

Here we simulate the effect of two types of decoherence due to random broken links and

random coins, in order to see if Anderson localization will occur, as well as to find some

difference between the two models. In the case of random broken link, the broken link factor

gives the probability of each link to be broken. For random coins, the random coin factor is

the probability of the coin operator, at each position, to be randomly chosen.

For this particular simulation we consider:

• a 2D lattice of size 61× 61;

• a number of steps 100;

• Klein Bottle boundary condition;

• initial state |φ0〉 = |0〉 (|E〉+ |S〉).

• Simulations ran for 10 cases: normal, random coin factors of 0.2, 0.5 and 0.9, random

broken link factors of 0.2, 0.5 and 0.9 and random coin and broken link factors of 0.2,

0.5 and 0.9.

The results of the quantities are depicted in Figures 3.13 through 3.15.

Figure 3.13: Position probability distribution $p_{XY}(i,j;n)$ of one particle on the lattice with dimension 61× 61× 61, for 100 steps.

(a) Probability distribution for position with random coin factor 0.2. (b) Probability distribution for position with random broken link factor 0.2. (c) Probability distribution for position with random coin factor 0.5. (d) Probability distribution for position with random broken link factor 0.5. (e) Probability distribution for position with random coin factor 0.9. (f) Probability distribution for position with random broken link factor 0.9.

Figure 3.14: Position probability distribution $p_{XY}(i,j;n)$ of one particle on the lattice of dimension 61× 61, for 100 steps with different random coin factors and random broken link factors.

(a) Position probability distribution with broken link and random coin factors 0.2. (b) Position probability distribution with broken link and random coin factors 0.5. (c) Position probability distribution with broken link and random coin factors 0.9.

Figure 3.15: Position probability distribution $p_{XY}(i,j;n)$ of particle on the lattice of dimension 61× 61, for 100 steps with the same broken link and random coin factors.

Figures 3.13, 3.14 and 3.15 suggest that both random broken links and random coins can lead to Anderson localization. Moreover, based on Figure 3.14 one can conclude that, for the same factors, the localization is sharper for random broken links compared to random coins. Figure 3.15 shows the Anderson localization due to both random broken links and coins. Further analysis/simulation is needed to characterize Anderson localization.

Anderson localization for a quantum walk on the line can be achieved by defining static random coins of parameters $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$, illustrated in Figure 3.16 with the following conditions:

• a line of size 8001;

• a number of steps 4000;

• reflecting boundary condition;

• initial state $|0\rangle |R\rangle$;

• static random coin with parameters $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$.

(a) Probability distribution of the particle position. (b) Average probability distribution of the particle position.

Figure 3.16: Probability distribution (a) and average probability distribution (b) of the particle position for one-particle quantum walk on the open line after 4000 steps. The initial state is $|\psi(0)\rangle = |0\rangle |R\rangle$, the probability that at each step a link will be broken (index broken link) is 0.3 and the random coin parameters are set within the interval $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$.

In the case of two particles on separate lines we can simulate two different types of decoherence leading to localization. In Figure 3.17 one particle is under the influence of static random coins, the other is under the influence of random coins at random positions.

• two lines of size 201;

• a number of steps 100;

• reflecting boundary conditions;

• initial state √2 |0, 0〉 |RR〉;

• static random coin with parameters $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$ for the first walker;

• broken link index of 0.3 for the second walker, with Hadamard coin.

(a) Probability distribution of the particles' positions. (b) Average probability distribution of the particles' positions.

Figure 3.17: Probability distribution (a) and average probability distribution (b) of the particles' positions for two-particle quantum walk on open lines after 100 steps. The initial state is $|\psi(0)\rangle = |0,0\rangle |RR\rangle$, for the first walker the random coin parameters are set within the interval $\theta, \zeta, \xi \in [\frac{\pi}{4} - \frac{\pi}{8}, \frac{\pi}{4} + \frac{\pi}{8}]$, while for the second walker the fixed coin is given by the Hadamard operator and the index broken link is 0.3.

3.4.5 Example: Static Broken Links

To illustrate the usage of static broken links, we consider a 2D lattice with nine boxes of equal dimensions and slits between them, as indicated below:

• 2D lattice of size 91× 91;

• a number of steps 1000;

• reflecting boundary conditions;

• initial state $\frac{1}{2}\big(|{-30},{-30}\rangle (|E\rangle + i|N\rangle) + |30,30\rangle (|W\rangle + i|S\rangle)\big)$;

• Hadamard coin;

• the static broken links are set between positions $(-15,y)$ & $(-14,y)$ and $(14,y)$ & $(15,y)$, for $y \in \{-45,\dots,45\} \setminus \{-30,0,30\}$, and positions $(x,-15)$ & $(x,-14)$ and $(x,14)$ & $(x,15)$, for $x \in \{-45,\dots,45\} \setminus \{-30,0,30\}$.

(a) Probability distribution of the particle position. (b) Average probability distribution of the particle position.

Figure 3.18: Probability distribution (a) and average probability distribution (b) of particle position for one-particle quantum walk on a lattice with reflecting boundary conditions at $x, y = \pm 45$ after 1000 steps. The initial state is $|\psi(0)\rangle = \frac{1}{2}\big(|{-30},{-30}\rangle (|E\rangle + i|N\rangle) + |30,30\rangle (|W\rangle + i|S\rangle)\big)$, with the fixed coin given by the Hadamard operator. The static broken links are set between positions $(-15,y)$ & $(-14,y)$ and $(14,y)$ & $(15,y)$, for $y \in \{-45,\dots,45\} \setminus \{-30,0,30\}$, and positions $(x,-15)$ & $(x,-14)$ and $(x,14)$ & $(x,15)$, for $x \in \{-45,\dots,45\} \setminus \{-30,0,30\}$. Note that the entire grid is divided into 9 equally-sized loosely connected squares, and the initial state of the walker is a linear superposition of two distant positions (and the corresponding coin states) located in different squares.

3.5 Oblivious transfer with Quantum Walks

In this Section, we sketch the oblivious transfer protocol based on discrete-time quantum

walk, and highlight the analysis of the protocol.

Protocol 3.5.1 (Oblivious Transfer).

Message to transfer $m \in \{0,1\}$;

Security parameter $k$;

Secret key $k \in \{1,\dots,n\}$, $U_R$, $\theta$;

Transferring Phase:

1. Alice wishes to send the bit $m \in \{0,1\}$.

2. Alice chooses randomly a unitary coin operator $U_R$, an integer $k \in \{1,\dots,n\}$, an integer $a \in_R \{-1,1\}$ and the position $x$ for $m = 0$. $m = 1$ will be located at $x + n/2 + 1$.

3. Alice generates the state

$$|\psi(m)\rangle = [S \otimes (U_R)^a]^k\, |x - 1 + (n/2 + 2)m\rangle_P\, |\psi(\theta)\rangle_C$$

and sends it to Bob.

Revealing Phase:

4. Alice sends $x$, $k$, $U_R$ and $\theta$ to Bob.

5. Bob guesses the value of $-a$, $a'$, and determines

$$|\varphi\rangle = [S \otimes (U_R)^{a'}]^k\, |\psi(m)\rangle.$$

If $a' = -a$ then Bob recovers the bit $m$. Otherwise, Bob will get a value different from $x$ and $x + n/2 + 1$ with high probability.

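Before the opening phase, Bob would have to guess the private key and $a$ as well. From Bob's perspective, the state he receives is the completely mixed state

$$\rho = U^{ak}_{k} \left( \frac{1}{2^{n+1}} \sum_{l=0}^{2^n-1} \sum_{s \in \{L,R\}} |l\rangle\langle l| \otimes |s\rangle\langle s| \right) \left(U^{ak}_{k}\right)^{\dagger} \tag{3.28}$$

$$= U^{ak}_{k} \left( \frac{1}{2^{n+1}} I_P \otimes I_C \right) \left(U^{ak}_{k}\right)^{\dagger} \tag{3.29}$$

$$= \left( \frac{1}{2^{n+1}} I_P \otimes I_C \right) U^{ak}_{k} \left(U^{ak}_{k}\right)^{\dagger} \tag{3.30}$$

$$= \frac{1}{2^{n+1}} I_P \otimes I_C. \tag{3.31}$$

Thus the protocol is concealing.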

At the end of the protocol, since Bob performs local operations and measurements, Alice has no way of knowing if Bob had chosen the right bit, or not. Hence, the protocol is oblivious.

We will need a notion of distance of random variables and states to shed some light on the probabilistic transfer and soundness properties of the protocol. Given two random variables $Z_1$ and $Z_2$ over the same finite set $\Omega$, statistical difference is defined as

$$\Delta(Z_1, Z_2) = \frac{1}{2} \sum_{\alpha \in \Omega} \left| \Pr[Z_1 = \alpha] - \Pr[Z_2 = \alpha] \right|, \tag{3.32}$$

and if we define $Z_i = \sum_{\alpha \in \Omega} \Pr[Z_i = \alpha]\, |\alpha\rangle\langle\alpha|$, where $|\alpha\rangle$ is an orthonormal set of vectors, we get the relation between statistical difference and trace distance as follows

$$\Delta(Z_1, Z_2) = \frac{1}{2} \|Z_1 - Z_2\|_1. \tag{3.33}$$

For general density operators $\sigma_i$, the trace distance is defined in the same manner,

$$\frac{1}{2} \|\sigma_1 - \sigma_2\|_1. \tag{3.34}$$

After Alice reveals the secret, one might think that Bob must only distinguish between the states $\rho_0$ and $\rho_1$ sent by Alice, where $\rho_m = |\psi(m)\rangle\langle\psi(m)|$. But in reality, Bob must distinguish between four possible states, $\rho_0^{(-1)}$, $\rho_1^{(-1)}$, $\rho_0^{(1)}$ and $\rho_1^{(1)}$, where the superscript indicates Alice's choice $a \in \{-1,1\}$.

(a) Probability distribution of the particle with initial position −10. (b) Probability distribution of the particle with initial position 10.

Figure 3.19: Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |{-10}\rangle |R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle |R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 500$ steps.

One can use the simulator to compare the statistical difference between the particle's position for $m = 0$ and $m = 1$ for a variety of matrices $U_R$, states $|\psi(\theta)\rangle_C$ and $k$. Depicted in Figures 3.19, 3.20, 3.21 and 3.22 are the probability distributions of a particle, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line of size 50 and $k$ equal to 500, 750, 1000 and 1500.

Figures 3.21 and 3.22 have twice the number of steps compared to Figures 3.19 and 3.20 respectively. This enables one to analyse Bob's chance of getting the right message when he guesses wrong.

Nonetheless, there is no hint on the optimal strategy for Bob. Further scenarios for simulations should be explored in order to further develop intuitions and strategies for a formal proof of soundness.

(a) Probability distribution of the particle with initial position −10. (b) Probability distribution of the particle with initial position 10.

Figure 3.20: Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |{-10}\rangle |R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle |R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 750$ steps.

(a) Probability distribution of the particle with initial position −10. (b) Probability distribution of the particle with initial position 10.

Figure 3.21: Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |{-10}\rangle |R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle |R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 1000$ steps.

(a) Probability distribution of the particle with initial position −10. (b) Probability distribution of the particle with initial position 10.

Figure 3.22: Position probability distributions of a particle with initial states (a) $|\psi(0)\rangle = |{-10}\rangle |R\rangle$ and (b) $|\psi(0)\rangle = |10\rangle |R\rangle$, with coin parameters set as $\theta = 1.2798$, $\zeta = 1.4228$, $\xi = 0.1995$, line size equal to 50 and $k = 1500$ steps.
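The comparison described in this section, as an added example that is not the thesis's simulator: a minimal discrete-time quantum walk that evaluates the statistical difference (3.32) between the position distributions for the two starting nodes −10 and 10 at the step counts used in Figures 3.19 to 3.22. The circular boundary, the node indexing and the three-parameter coin form are assumptions, since the thesis's own coin parameterization and boundary setting for these runs are not given here.

```python
import cmath
import math

def coin(theta, zeta, xi):
    """2x2 unitary coin in the (L, R) basis.

    Assumed three-parameter form; the thesis defines its own coin elsewhere."""
    c, s = math.cos(theta), math.sin(theta)
    return ((cmath.exp(1j * xi) * c, cmath.exp(1j * zeta) * s),
            (cmath.exp(-1j * zeta) * s, -cmath.exp(-1j * xi) * c))

def position_distribution(size, start, steps, U, coin_state=(0.0, 1.0)):
    """Position probabilities after `steps` of a walk on a cycle of `size` nodes.

    Node x is stored at index x % size (circular boundary, an assumption).
    coin_state = (amplitude of |L>, amplitude of |R>); the default is |R>."""
    left = [0j] * size
    right = [0j] * size
    left[start % size] = complex(coin_state[0])
    right[start % size] = complex(coin_state[1])
    for _ in range(steps):
        new_left = [0j] * size
        new_right = [0j] * size
        for j in range(size):
            l, r = left[j], right[j]
            # Coin toss on the internal state at node j.
            cl = U[0][0] * l + U[0][1] * r
            cr = U[1][0] * l + U[1][1] * r
            # Conditional shift: |L> moves one node down, |R> one node up.
            new_left[(j - 1) % size] += cl
            new_right[(j + 1) % size] += cr
        left, right = new_left, new_right
    return [abs(left[j]) ** 2 + abs(right[j]) ** 2 for j in range(size)]

def statistical_difference(p, q):
    """Equation (3.32): half the L1 distance between two distributions."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))

def best_guess_probability(delta):
    """Best success probability of telling two equally likely distributions
    apart from a single position sample: (1 + delta) / 2."""
    return 0.5 * (1.0 + delta)

def compare(size=50, x0=-10, x1=10, params=(1.2798, 1.4228, 0.1995),
            step_counts=(500, 750, 1000, 1500)):
    """Statistical difference between the m = 0 and m = 1 position
    distributions for each number of steps k."""
    U = coin(*params)
    rows = []
    for k in step_counts:
        p0 = position_distribution(size, x0, k, U)
        p1 = position_distribution(size, x1, k, U)
        d = statistical_difference(p0, p1)
        rows.append((k, d, best_guess_probability(d)))
    return rows

if __name__ == "__main__":
    for k, d, g in compare():
        print(f"k={k:5d}  statistical difference={d:.4f}  best guess={g:.4f}")
```

The value returned by `best_guess_probability` bounds what a single position measurement reveals about $m$; it says nothing about other measurements Bob could perform.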

3.6 Conclusions

We developed a simulator for a two-particle quantum walk on a line and one particle on

a two-dimensional square lattice. The simulator can be used to investigate the equivalence

between the two cases (one- and two- particle walks) for various boundary conditions (open,

circular, reflecting, absorbing and their combinations). For the case of a single walker on

a two-dimensional lattice, the simulator can implement the Möbius strip and other similar

boundary conditions. Furthermore, other topologies for the walker are also simulated by the

proposed tool, like planar graphs with degree up to four, by considering missing links over

the lattice. The simulator is able to compute a vast number of relevant quantities, namely:

average position probability distribution, standard deviation/covariances, Shannon and von

Neumann entropy and mutual information, upper bounds for the entanglement of formation

and quantum discord. The simulator is available at http://qwsim.weebly.com/ and allows

for computational experiments for quantum walks covering new aspects and quantities that

were not available before.

The simulator is useful for studying and gaining intuition for specific problems of quantum

computation/cryptography. Here, although briefly, we showed how our simulator can help

channel the ideas towards a formal proof of probabilistic transfer and soundness of the OT

protocol. Due to the generality of the simulator, it might be of interest to study the possibility

of using two-particle quantum walk and one particle quantum walk on a lattice to implement

OT and other cryptographic primitives.

Chapter 4

Oblivious Transfer with Continuous Variables

4.1 Introduction

In this Chapter, Gaussian states are studied and two $\binom{2}{1}$-OT protocols are proposed. Here we explore how the Heisenberg Uncertainty Relation (HUR) for non-commuting observables can allow Alice to send two messages to Bob, such that he can decode only one of the two.

In Section 4.2 we present an introduction to quantum optics and coherent states. In Section 4.3 a brief description of continuous variable QKD is given. Section 4.4 is dedicated to the secret capacity theorem. The characterization of coherent state channels is given in Section 4.5 and finally, in Section 4.6, our $\binom{2}{1}$-OT protocol is described along with the security analysis. In Section 4.6 we study Gaussian sources of information, their emission through coherent states and a $\binom{2}{1}$-OT with Gaussian modulation. Conclusions can be found in Section 4.7.

4.2 Quantum optics

The Hamiltonian of a harmonic oscillator has the following form

$$H = \frac{1}{2}(p^2 + \omega^2 x^2), \tag{4.1}$$

with the commutation relation

$$[x, p] = i\hbar \tag{4.2}$$

for the position and momentum operators, $x$ and $p$. As is common, to ease the notation, one usually works with dimensionless operators

$$X = \sqrt{\frac{\omega}{\hbar}}\, x \tag{4.3}$$

$$P = \frac{1}{\sqrt{\hbar\omega}}\, p \tag{4.4}$$

and we can write the commutation relation as

$$[X, P] = i. \tag{4.5}$$

In this context, the Hamiltonian is usually written in terms of the annihilation and creation operators, $a$ and $a^\dagger$, as

$$H = a^\dagger a + \frac{1}{2}, \tag{4.6}$$

where

$$a = \frac{1}{\sqrt{2\hbar\omega}}(\omega x + ip) \tag{4.7}$$

$$a^\dagger = \frac{1}{\sqrt{2\hbar\omega}}(\omega x - ip). \tag{4.8}$$

The quantisation of the electromagnetic field settles the electric field amplitude operator of an electromagnetic wave with frequency $\omega$ and wave vector $\mathbf{k}$ to be

$$E = E_0 \left[ a e^{i\phi} + a^\dagger e^{-i\phi} \right] \tag{4.9}$$

with $\phi = \mathbf{k} \cdot \mathbf{r} - \omega t$. If we expand the complex exponential terms, we will get

$$E = 2E_0 [X \cos(\omega t - \mathbf{k} \cdot \mathbf{r}) + P \sin(\omega_k t - \mathbf{k} \cdot \mathbf{r})], \tag{4.10}$$

where $X$ and $P$ are

$$X = \frac{1}{2}(a + a^\dagger) \tag{4.11}$$

$$P = \frac{1}{2i}(a + a^\dagger), \tag{4.12}$$

which is in perfect analogy to the harmonic oscillator, with the same commutation relation (4.5).

The variance of an operator $F$ is

$$\langle \Delta F^2 \rangle = \langle F^2 \rangle - \langle F \rangle^2 \tag{4.13}$$

and by the HUR for two observables $G$ and $F$, we get

$$\langle \Delta F^2 \rangle \langle \Delta G^2 \rangle \geq \frac{1}{4} |\langle [F, G] \rangle|^2. \tag{4.14}$$

In the case of position and momentum operators, we have from equation (4.5)

$$\langle \Delta X^2 \rangle \langle \Delta P^2 \rangle \geq \frac{1}{4}. \tag{4.15}$$

Important classes of states that we will consider are coherent and squeezed states of light, which are both Gaussian in position and momentum space. For Gaussian states we define $\sigma_X^2 = \langle \Delta X^2 \rangle$ and $\sigma_P^2 = \langle \Delta P^2 \rangle$ and express (4.15) as

$$\sigma_X^2 \sigma_P^2 \geq \frac{1}{4}. \tag{4.16}$$

Further, both coherent and squeezed states saturate the limit (4.16) [101, 100].

4.2.1 Coherent states

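In position space the eigenfunction equation of the annihilation operator, $a\psi(x) = \alpha\psi(x)$, takes the form of a differential equation

$$a\psi(x) = \frac{1}{\sqrt{2}} \left( x + \partial_x \right) \psi(x) = \alpha\psi(x), \tag{4.17}$$

where $\alpha = x_0 + ip_0$. The solution of (4.17) in position space is

$$\psi(x)_\alpha = \frac{1}{\pi^{1/4}} \exp\left[ -\frac{(x - x_0)^2}{2} + ip_0 x - \frac{ip_0 x_0}{2} \right] \tag{4.18}$$

and by performing a Fourier transform on $\psi(x)_\alpha$ one gets the wave function in momentum space,

$$\psi(p)_\alpha = \frac{1}{\pi^{1/4}} \exp\left[ -\frac{(p - p_0)^2}{2} + ix_0 p - \frac{ip_0 x_0}{2} \right]. \tag{4.20}$$

The probability density functions for measuring $X$ and $P$ are

$$P(x) = \psi(x)_\alpha \psi(x)^*_\alpha = \frac{1}{\pi^{1/2}} \exp\left[ -(x - x_0)^2 \right] \tag{4.21}$$

$$P(p) = \psi(p)_\alpha \psi(p)^*_\alpha = \frac{1}{\pi^{1/2}} \exp\left[ -(p - p_0)^2 \right], \tag{4.22}$$

respectively, which are Gaussians with mean values $x_0$ and $p_0$, and variance $\sigma_X^2 = \sigma_P^2 = 1/2$.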

4.2.2 Squeezed state

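Squeezed states are created from coherent states, $|\alpha\rangle = |x + ip\rangle$, by applying the squeezing operator $S(\zeta) = \exp\left( \frac{\zeta^*}{2} a^2 - \frac{\zeta}{2} a^{\dagger 2} \right)$, where $\zeta = -r \exp(i\Theta)$. The phase components will be transformed into

$$x(r) = e^{r} x \tag{4.23}$$

$$p(r) = e^{-r} p. \tag{4.24}$$

Consequently, the probability density functions for measuring $X$ and $P$ are

$$P(x) = \psi(x)_\alpha \psi(x)^*_\alpha = \frac{1}{\pi^{1/2}}\, e^{\zeta} \exp\left[ -2e^{2\zeta}(x - x_0)^2 \right] \tag{4.25}$$

$$P(p) = \psi(p)_\alpha \psi(p)^*_\alpha = \frac{1}{\pi^{1/2}}\, e^{-\zeta} \exp\left[ -2e^{-2\zeta}(p - p_0)^2 \right], \tag{4.26}$$

respectively, which are Gaussians with mean values $x_0$ and $p_0$ and corresponding variances $\sigma_X^2 = e^{-2r}/2$ and $\sigma_P^2 = e^{2r}/2$.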

4.3 QKD with coherent light

The use of coherent states for quantum key distribution (QKD) has been extensively explored throughout the last years [113, 119, 120, 121]. Compared to single particle states, coherent states of light are easily produced and manipulated with current technology, by using existing lasers, optical fibers, beam splitters, photodetectors, amplifiers, and so on.

In the context of quantum cryptography, up until now, continuous variables (i.e., coherent states) have been explored mainly to establish a secret key between two parties, Alice and Bob. Such schemes are called Continuous Variables Quantum Key Distribution, CV-QKD.

Denoting by $(X, P)$ the quadrature components of the coherent state $|X + iP\rangle$, each component can be seen as a classical one-way channel with Gaussian noise [139, 140]. But, unlike classical channels, due to the anticommutativity of $X$ and $P$, the more precise the measurement of $X$ is, the worse will be the precision upon measuring $P$, and vice versa [113, 115, 116, 119, 131, 139, 140].

In classical information theory, a channel capacity is proportional to the signal-to-noise ratio (SNR) which, in turn, is proportional to the variance of the input signal divided by the variance of the noise [107, 108]. Depending on the precision (amount of squeezing) of the measurements on one of the quadrature "channels", the SNR of the other "channel" will suffer a change by an amount related to the Heisenberg uncertainty relation [113, 115, 116, 119, 131].

Let $I_x$ be the classical information that Bob obtains by measuring $X$, and analogously for $I_p$ and $P$. If Bob measures $X$, then ideally (no loss scenario) the amount of information he gains will be $I_x$, and similarly for $P$. The mutual information between Alice and Bob is denoted by $I_{AB}$, and is maximal in the ideal case of a lossless channel and without eavesdropping [107, 108].

In the case of quantum key distribution with coherent light, Alice prepares $n$ pairs of random variables $X_A^j$ and $P_A^j$, $1 \leq j \leq n$, and sends the coherent states $|X_A^j + iP_A^j\rangle$ to Bob. In the most common setup, Bob will select which operator, $X$ or $P$, to measure.

When Eve is in the middle, she will deteriorate the signal received by Bob. This is accounted for with the mutual information shared by Bob and Eve ($I_{AE}$), as well as with that between Alice and Bob ($I_{AB}$). According to the Csiszár-Körner theorem, the raw key Alice and Bob can extract is $K_{raw} = I_{AB} - I_{BE}$ [133].

Key reconciliation is a technique that enables two parties to extract the same secret key

whenever each of them is in possession of correlated random variables exchanging the least

possible information. A well known algorithm for key reconciliation is called Cascade [134].

Another algorithm designed specifically for the quantum distributed Gaussian keys is pre-

sented in [136]. Studies of the efficiency of key reconciliation (measured by the number of

bits extracted and the bits exchanged) were made [135]. When Eve guesses Bob’s measure-

ment correctly, she will get the same information as him. To overcome this problem, privacy

amplification with universal classes of hash functions [124] is used [122, 123].

The proof of security is established in three results: (1) first, general attacks are
asymptotically close to collective attacks; (2) second, Gaussian attacks are the best attacks
amongst collective attacks; (3) third, CV-QKD is secure against Gaussian attacks.

The first result is accomplished either by resorting to the quantum de Finetti theorem [153],
or by the postselection technique [149]. The second and third results are proven in [154] and
[132].

Further, it was proven in [155] that CV-QKD is secure against general attacks in the
finite-size regime. Here, a bound on the number of photons is imposed.

4.4 Basic results

The proposed OT protocol is useful thanks to the following established results [5, 6], which
show that all SMC reduces to performing $\binom{2}{1}$ oblivious transfer (for a detailed explanation
the reader should see [7]). In these seminal papers, it is assumed that the agents (or their
majority) are semi-honest, that is, they follow the protocol, but are able to perform extra
computation in order to extract private information from the exchanged messages.

Theorem 4.4.1. (Yao's Garbled Circuits) All secure multiparty computation, in the semi-honest
model, can be performed using $\binom{2}{1}$-OT together with a symmetric encryption scheme.

Recall that a $\binom{2}{1}$-OT protocol is a protocol where Alice prepares two messages, $m_0$ and
$m_1$, while Bob inputs a bit b, receiving only the message $m_b$. Two privacy criteria must
be fulfilled: Alice cannot know b, and Bob cannot learn both messages. Here, the $\binom{2}{1}$-OT
protocol is required only to be secure against semi-honest Alice, as the full Garbled circuit
method assumes this criterion.

Extensions to these seminal works have been proposed recently in order to cope with
malicious agents, that is, agents that do not necessarily follow the protocol correctly, and
may change their inputs. Indeed, in order to perform secure multiparty computation robust
against malicious agents, one needs to consider a more secure version of $\binom{2}{1}$-OT, where agents
are not allowed to change their inputs and must be forced to follow the protocol [157]. One
way to address this issue is to consider a $\binom{2}{1}$-OT protocol secure against semi-honest agents,
and use the result by [158] to compile this protocol into a $\binom{2}{1}$-OT secure against malicious
agents. To this end, one needs a secure bit commitment protocol [31, 39, 40, 41, 42]. In
this chapter we propose a $\binom{2}{1}$-OT protocol perfectly secure against semi-honest agents that
can be incorporated into the previously mentioned compiler, in order to attain a $\binom{2}{1}$-OT
protocol perfectly secure against malicious agents.

To derive the security of the proposed $\binom{2}{1}$-OT protocol in the semi-honest model we

consider that the channel for Bob to read each or both X and P , with different accuracy, is

Gaussian. In fact, Pauli proved that all minimum uncertainty states are displaced Gaussian

States [100, 101]. Both coherent and squeezed states are Gaussian in X and P and are known

to saturate HUR [103]. If Bob performs homodyne detection on X or P , the variance will

be 1/2. On the other hand, if he performs heterodyne measurement of both observables, the

variance on each component will be doubled [144, 101, 140]. We will consider the worst case

to be the one where Bob can perform squeezing of the incoming states and the variances only

vary according to expression (4.16).

The main idea is to show that a very simple bit modulation of the Gaussian channels
X and P allows an honest Bob to retrieve only one of the bits, encoded either in X or in
P. Moreover, Heisenberg uncertainty guarantees that Bob has no resolution to read both
channels simultaneously, and so the mutual information between what Alice prepared and
what Bob retrieves decreases. To this end we first need to state the result by Csiszár-Körner
[133], which characterizes the secret capacity of a channel where the attacker can extract less
information than an honest party. In the next result we use the notation I(X;Y) for mutual
information.

Theorem 4.4.2. (Csiszár-Körner secret capacity) Let Alice communicate via a noisy binary
broadcast channel with both Bob and Eve, such that when Alice places a message A (with
uniform distribution) in the channel, Bob receives (random) message B and Eve receives
(random) message E. If $r = I(A;B) - I(A;E) > 0$, then for all $\varepsilon > 0$ there is $N \in \mathbb{N}$, such
that for all $n > N$, there is an encoder-decoder pair (e, d), with $e : \{0,1\}^{rn} \to \{0,1\}^n$ and
$d : \{0,1\}^n \to \{0,1\}^{rn}$, such that

• $P(d(B^n) = m \mid A^n = e(m)) < \varepsilon$,

• $I(E^n; A^n) < \varepsilon$, whenever $A^n = e(m)$ and m is uniformly distributed.

We shall use this result, together with the fact that from a coherent state Bob cannot

read both X and P with a resolution above some threshold (induced by HUR), to show that

it is possible to perform a perfectly secure OT protocol.

4.5 Semi-honest $\binom{2}{1}$-OT with coherent states

We start by presenting the oblivious transfer protocol in detail and then proceed to

analyze its security. First, we must set up two binary channels for Alice to communicate

with Bob in such a way that Bob cannot read both channels with very high resolution.

4.5.1 Setting up two simultaneous binary noisy channels

Alice and Bob start by agreeing on a constant $\gamma \in \mathbb{R}^+$, and use it to encode a bit $b \in \{0, 1\}$ by

$$c(b) = \frac{(-1)^{1-b}}{2} + \gamma. \tag{4.27}$$

We shall consider a different γ for each phase component, say γ1 for P and γ2 for X. To

depict this scenario, if Alice wants to send b0 through one channel and b1 through the other

channel, she prepares a coherent light pulse |c(b0) + ic(b1)〉 to be sent to Bob. This leads to

the modulation presented in Figure 4.1.

[Figure 4.1: Modulation of the signal. Axes X and P, with the offsets γ1 and γ2 marked.]

Bob can choose to read either X or P or try to read both simultaneously.

In the above setting Alice and Bob have two Gaussian channels, X and P, with probability
density functions respectively:

$$f_{\sigma_X}(B = y \mid A = z) = \frac{1}{\sqrt{2\pi}} \exp\left(-\frac{(y - z)^2}{2\sigma_X^2}\right) \tag{4.28}$$

$$f_{\sigma_P}(B = y \mid A = z) = \frac{1}{\sqrt{2\pi}} \exp\left(-\frac{(y - z)^2}{2\sigma_P^2}\right) \tag{4.29}$$

where, by the HUR, the two functions are correlated, since $\sigma_X^2\sigma_P^2 = 1/4$.

Under these conditions, and given our bit encoding in the Gaussian channels, we can
compute the joint probability distribution of Alice sending a bit a and Bob receiving a bit b
for a component with standard deviation σ as:

$$P_\sigma(B = b \mid A = a) = \int_{\underline{b}}^{\overline{b}} f_\sigma(z \mid c(a))\,dz \tag{4.30}$$

where $\underline{0} = -\infty$, $\overline{0} = \underline{1} = \gamma$ and $\overline{1} = +\infty$. Assuming that Alice sends 0 and 1
through the channels with equal probability, the marginal probabilities are given by

$$P(A = a) = \frac{1}{2} \quad\text{and}\quad P_\sigma(B = b) = \sum_{a=0}^{1} P_\sigma(A = a, B = b),$$

where $P_\sigma(A = a, B = b) = P(A = a)P_\sigma(B = b \mid A = a)$.

To ease the notation, and whenever it is clear from the context, we drop the random
variables from the probabilities, and write $P_\sigma(a, b)$ instead of $P_\sigma(A = a, B = b)$. The mutual
information between the random variable representing Alice's bits and Bob's bits received
in a Gaussian channel with standard deviation σ is

$$I_\sigma(A;B) = 1 + \sum_{b=0}^{1}\left(-P_\sigma(b)\log(P_\sigma(b)) + \sum_{a=0}^{1} P_\sigma(a, b)\log(P_\sigma(a, b))\right). \tag{4.31}$$

We next show that $I_\sigma(A;B)$ decreases with σ.

Theorem 4.5.1. The mutual information Iσ(A;B) is a decreasing function of σ.

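Proof. The analysis is straightforward: we compute the derivative analytically:

$$\frac{\partial I_\sigma(A;B)}{\partial\sigma} = \frac{e^{-\frac{1}{8\sigma^2}}}{4\sqrt{2\pi}\,\sigma^2} \log\frac{\mathrm{Erfc}\left(\frac{1}{2\sqrt{2}\sigma}\right)\left(\mathrm{Erfc}\left(-\frac{1}{2\sqrt{2}\sigma}\right) - 2\right)}{\mathrm{Erfc}\left(-\frac{1}{2\sqrt{2}\sigma}\right)\left(\mathrm{Erfc}\left(\frac{1}{2\sqrt{2}\sigma}\right) - 2\right)},$$

where

$$\mathrm{Erfc}(x) = \frac{2}{\sqrt{\pi}}\int_x^{\infty} e^{-t^2}\,dt.$$

Since Erfc(x) is a decreasing function, upper bounded by 2 and lower bounded by 0, taking
the value 1 at 0, it is easy to conclude that

$$0 < \frac{\mathrm{Erfc}\left(\frac{1}{2\sqrt{2}\sigma}\right)\left(\mathrm{Erfc}\left(-\frac{1}{2\sqrt{2}\sigma}\right) - 2\right)}{\mathrm{Erfc}\left(-\frac{1}{2\sqrt{2}\sigma}\right)\left(\mathrm{Erfc}\left(\frac{1}{2\sqrt{2}\sigma}\right) - 2\right)} < 1.$$

Therefore the partial derivative is negative, and consequently the mutual information
decreases with σ.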
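A numerical check of Theorem 4.5.1 for the binary modulation of this section, added here as an example and not part of the thesis: it evaluates eq. (4.31) directly, compares the closed-form derivative with a finite difference, and computes the gap between the mutual information at standard deviations 1/2 and 3/4. Logarithms are taken base 2 (an assumption, so values are in bits) and all function names are illustrative.

```python
import math


def flip_probability(sigma):
    """P_sigma(B != a | A = a): Gaussian mass on the wrong side of gamma.

    c(a) sits 1/2 away from the threshold gamma (eq. 4.27), so the result
    does not depend on gamma and equals (1/2) Erfc(1 / (2 sqrt(2) sigma)).
    """
    return 0.5 * math.erfc(1.0 / (2.0 * math.sqrt(2.0) * sigma))


def mutual_information(sigma):
    """I_sigma(A;B) in bits, summed term by term as in eq. (4.31)."""
    p = flip_probability(sigma)
    joint = {(a, b): 0.5 * (1.0 - p if a == b else p)
             for a in (0, 1) for b in (0, 1)}
    info = 1.0  # H(A) = 1 bit for a uniform input bit
    for b in (0, 1):
        p_b = joint[(0, b)] + joint[(1, b)]
        info -= p_b * math.log2(p_b)
        for a in (0, 1):
            if joint[(a, b)] > 0.0:  # 0 log 0 = 0 for vanishing noise
                info += joint[(a, b)] * math.log2(joint[(a, b)])
    return info


def derivative_closed_form(sigma):
    """The derivative stated in the proof, with log taken base 2."""
    u = 1.0 / (2.0 * math.sqrt(2.0) * sigma)
    ratio = (math.erfc(u) * (math.erfc(-u) - 2.0)) / (
        math.erfc(-u) * (math.erfc(u) - 2.0))
    prefactor = math.exp(-1.0 / (8.0 * sigma ** 2)) / (
        4.0 * math.sqrt(2.0 * math.pi) * sigma ** 2)
    return prefactor * math.log2(ratio)


def derivative_numeric(sigma, step=1e-5):
    """Central finite difference of I_sigma(A;B) with respect to sigma."""
    return (mutual_information(sigma + step)
            - mutual_information(sigma - step)) / (2.0 * step)


def secrecy_gap(sigma_good=0.5, sigma_bad=0.75):
    """r = I_{sigma_good}(A;B) - I_{sigma_bad}(A;B)."""
    return mutual_information(sigma_good) - mutual_information(sigma_bad)


if __name__ == "__main__":
    for s in (0.25, 0.5, 0.75, 1.0, 2.0):
        print(f"sigma={s:4.2f}  I={mutual_information(s):.4f}  "
              f"dI/dsigma={derivative_closed_form(s):+.4f}  "
              f"numeric={derivative_numeric(s):+.4f}")
    print(f"r = I_1/2 - I_3/4 = {secrecy_gap():.4f} bits")
```
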

In a quantum scenario, the adversaries can perform a wider variety of attacks. In fact,
they can perform a joint POVM on a block of signals in order to potentially extract more
information than just by performing a separable joint Gaussian measurement for each signal.
There is a plethora of results for the discrete QKD case [150, 151, 149] and further extensions for
the CV-QKD case [131, 148, 152], where it is shown that the measurement extracting the most
information will be, up to a small neighborhood, the same as performing a separable joint
measurement. However, it is not clear if such results can be directly applied to the present
scenario. For this reason, we consider a different approach and use bit-string commitment
in order to enforce separable measurements from Bob's side, that is, Bob has to commit
to the output of each measurement over the coherent state. Then a standard cut-and-choose
technique is used for Alice to check the honesty of Bob, and for Bob to keep his input private.
As we shall see, in this way it is possible to check that the quantum channel is behaving as
a memoryless noisy channel and apply Theorem 4.4.2.

We argue that if Bob has a set of uncorrelated coherent states, then he cannot gain more
information about the quadrature components by performing any other sort of measurement.
Suppose he could, by performing coherent measurements, extract more information about the
quadrature components of a coherent state $|\alpha\rangle$. Then he would be able to violate the HUR and
even the no-cloning theorem.

Coherent measurements are important in the QKD scenario, since Alice and Bob must
exchange classical information regarding the information they extracted from the quantum
states. In the scenario where Eve went undetected during the quantum communication phase,
she could use the classical information to refine her measurements on the eavesdropped states.
But it was recently shown that coherent attacks are not substantially better than collective
attacks [152, 153, 155].

4.5.2 The protocol

Consider the practically achievable scenario where Bob can attain either $\sigma_X = 1/2$ or $\sigma_P = 1/2$,
i.e., Bob can perform the so-called homodyne detection. In this setting the mutual information
between Alice and Bob's random variables, $I_{1/2}(A;B)$, satisfies $r = I_{1/2}(A;B) - I_{3/4}(A;B) > 0$.

According to the Csiszár-Körner secret capacity Theorem 4.4.2, for any given ε > 0, and
for large enough n, there is an encoder-decoder pair (e, d), such that if Alice prepares the
message e(m) in a channel, Bob can only retrieve m if the mutual information between A
and B in that channel is above $I_{3/4}(A;B)$. Given that $\sigma_X\sigma_P \ge 1$, if Alice prepares the state
$|e(m_0) + ie(m_1)\rangle$, then if Bob can recover $m_0$ and $m_1$ both with probability above ε, it means
that both $I_{\sigma_X}(A;B) \ge I_{3/4}(A;B)$ and $I_{\sigma_P}(A;B) \ge I_{3/4}(A;B)$, and so $\sigma_X \le \frac{3}{4}$ and $\sigma_P \le \frac{3}{4}$,
which would violate the HUR. Thus, we have established the following result:

Proposition 4.5.1. Let $r = I_{1/2}(A;B) - I_{3/4}(A;B)$. For all ε > 0, and sufficiently large n,
consider the encoder guaranteed to exist by the Csiszár-Körner secret capacity theorem. Given the
state $|e(m_0) + ie(m_1)\rangle$, where $m_0$ and $m_1$ are independent and uniformly generated, then Bob
performing separable Gaussian measurements cannot extract both $m_0$ and $m_1$ with probability
greater than ε.

Proof. Assume Bob performs separable Gaussian measurements (however, each measurement
may be dishonest). In this way, both channels behave as memoryless channels and we can
apply the CK secrecy capacity theorem (Theorem 4.4.2). According to this theorem, if Bob
extracts both $m_0$ and $m_1$ then $I_{\sigma_X}(A;B) \ge I_{3/4}(A;B)$ and $I_{\sigma_P}(A;B) \ge I_{3/4}(A;B)$. Since this
fact violates the HUR, it follows that Bob cannot extract both $m_0$ and $m_1$.

It remains to impose that Bob performs separable Gaussian measurements. As we shall

see, this will be achieved using a bit commitment scheme.

Protocol 4.5.2 (CV $\binom{2}{1}$ oblivious transfer of bit strings protocol).

Bit strings to transfer: $m_0$ and $m_1$, where $m_i \in \{0, 1\}^\ell$;

Randomness Sharing phase

1. Alice prepares two random bitstrings $w^0$ and $w^1$, each consisting of 2k blocks
   of size ℓ.

2. Alice computes the strings

   $z^0 = e(w^0_1) \ldots e(w^0_{2k})$ and $z^1 = e(w^1_1) \ldots e(w^1_{2k})$

   where $|z^0| = |z^1| = 2n\ell$, encoded with the CZ code (e, d) from Theorem 4.5.1.

3. For each j = 1 to 2n

   (a) Bob chooses a random bit $r_j$ determining whether for block j he will measure
       the position or the momentum.

   (b) For each i = 1 to ℓ

       i. Alice sends the state $|c(z^0_{ji}) + ic(z^1_{ji})\rangle$ to Bob.

       ii. Bob performs a Gaussian measurement according to $r_j$ and extracts $z^{r_j}_{ji}$.

       iii. Bob commits to the pair $(r_j, z^{r_j}_{ji})$.

   (c) Bob decodes $w^{r_j}_j$ from $z^{r_j}_{j1} \ldots z^{r_j}_{j\ell} = e(w^{r_j}_j)$.

Cut-and-Choose

1. Alice prepares a random set $I_A \subseteq \{1, \ldots, 2n\}$ with n elements. Alice sends $I_A$ to
   Bob.

2. Bob reveals $(r_j, z^{r_j}_{ji})$ to Alice for all $j \in I_A$ and $i \in \{1 \ldots \ell\}$.

3. Alice checks the values with the commitment Bob did in the randomness sharing
   phase. If all the values are correct, the protocol continues, else Alice aborts.

Reconciliation phase

1. Alice and Bob employ a direct reconciliation protocol. For example, Alice and Bob
   could use Error Correcting Codes.

Opening phase:

1. Bob chooses a bit c and sets $I_c = \{(r_j, j) \mid j \notin I_A\}$ and $I_{\bar{c}} = \{(\bar{r}_j, j) \mid j \notin I_A\}$.

2. Bob sends $I_c$ and $I_{\bar{c}}$ to Alice.

3. Alice chooses a hash function h. Let $w_{I_0}$ be the string of bits indexed by $I_0$, and
   $w_{I_1}$ for $I_1$.

4. Alice computes

   $m'_0 = m_0 \oplus h(w_{I_0})$ and $m'_1 = m_1 \oplus h(w_{I_1})$

   and sends it to Bob.

5. Bob determines $m_c = m'_c \oplus h(w_{I_c})$.
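The classical message flow of Protocol 4.5.2 for an honest Bob, as an added simulation that is not code from the thesis. Assumptions: each quadrature measurement is modelled as the sent amplitude plus Gaussian noise of standard deviation 1/2; a repetition code with majority decoding stands in for the pair (e, d) and absorbs the reconciliation step; SHA-256 hash commitments (one per block rather than one per symbol) stand in for the bit commitment scheme and SHAKE-256 for h; the index sets are read as the measured and the unmeasured quadrature of each remaining block; γ, the sizes and all names are constructed.

```python
import hashlib
import random
import secrets

GAMMA = 1.0    # agreed offset gamma (constructed value)
SIGMA = 0.5    # noise std on the quadrature Bob measures (homodyne case)
REPEAT = 101   # toy stand-in for the encoder e: repeat each bit REPEAT times


def c(bit):
    """Bit-to-amplitude map of eq. (4.27): c(b) = (-1)^(1-b)/2 + gamma."""
    return (-1) ** (1 - bit) / 2 + GAMMA


def encode(word):
    return [b for b in word for _ in range(REPEAT)]


def decode(symbols):
    """Majority vote over each group of REPEAT received symbols."""
    return [int(2 * sum(symbols[i:i + REPEAT]) > REPEAT)
            for i in range(0, len(symbols), REPEAT)]


def commit(r, bits):
    """Hash commitment to (r_j, measured bits); returns (digest, opening)."""
    nonce = secrets.token_bytes(16)
    digest = hashlib.sha256(nonce + bytes([r]) + bytes(bits)).digest()
    return digest, (nonce, r, bits)


def opens_correctly(digest, opening):
    nonce, r, bits = opening
    return hashlib.sha256(nonce + bytes([r]) + bytes(bits)).digest() == digest


def h(words, nbytes):
    """Stand-in for Alice's hash h, stretched to the message length."""
    return hashlib.shake_256(bytes(b for w in words for b in w)).digest(nbytes)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def run_ot(m0, m1, choice, n=4, ell=8, seed=2015):
    """Return (message Bob recovers, Bob's key applied to the other ciphertext)."""
    assert len(m0) == len(m1)
    rng = random.Random(seed)
    blocks = list(range(2 * n))

    # Randomness sharing: w[ch][j] is Alice's random word for channel ch, block j.
    w = [[[rng.getrandbits(1) for _ in range(ell)] for _ in blocks] for _ in (0, 1)]
    z = [[encode(word) for word in w[ch]] for ch in (0, 1)]
    r, w_bob, commitments, openings = [], [], [], []
    for j in blocks:
        rj = rng.getrandbits(1)  # 0: measure X (carries z^0), 1: measure P (z^1)
        measured = [int(c(bit) + rng.gauss(0.0, SIGMA) > GAMMA) for bit in z[rj][j]]
        digest, opening = commit(rj, measured)
        r.append(rj)
        commitments.append(digest)
        openings.append(opening)
        w_bob.append(decode(measured))

    # Cut-and-choose: Alice opens n of the 2n blocks and aborts on a bad opening.
    i_a = set(rng.sample(blocks, n))
    if not all(opens_correctly(commitments[j], openings[j]) for j in i_a):
        raise RuntimeError("Alice aborts: a commitment failed to open")

    # Opening phase: I_c lists the measured quadratures, the other set the rest.
    rest = [j for j in blocks if j not in i_a]
    index_sets = {choice: [(r[j], j) for j in rest],
                  1 - choice: [(1 - r[j], j) for j in rest]}
    masked = {k: xor(m, h([w[ch][j] for ch, j in index_sets[k]], len(m)))
              for k, m in ((0, m0), (1, m1))}
    bob_key = h([w_bob[j] for j in rest], len(m0))
    return xor(masked[choice], bob_key), xor(masked[1 - choice], bob_key)
```
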

Finally, the security of the above protocol follows.

Lemma 4.5.3. If Bob tries to perform a joint measurement, Alice will abort the protocol up
to exponentially negligible probability.

Proof. In this proof we will only consider perfect bit commitments. In order for Bob to
perform the collective measurement, he must go undetected through the cut-and-choose phase.
Let us assume that Bob is able to get through the cut-and-choose phase undetected.

First, we address two extremal cases in which Bob can succeed: 1) for a set $I_A$ chosen
randomly by Alice, Bob had the right commitment value for all the values asked by Alice, or
2) Bob was lucky guessing the values of the coherent state information he committed to.

In the first case, Alice can choose a set from $\binom{2n}{n} \ge 2^n$ sets. The probability that Bob
guesses correctly is lower than or equal to $2^{-n}$.

In the second case, Bob was lucky to guess correctly the values of the coherent states.
For each state, Bob would have to guess $2l$ bits according to the encoding. His probability of
success is of the order of $2^{-2ln}$, which is substantially lower than that of guessing $I_A$.

Now we consider the case where Bob guesses k indexes of $I_A$ and measures the corresponding
coherent states.

In this case, the number of sets $I_A$ with k fixed elements is $\binom{2n}{k}\binom{2n}{n-k}$. The probability
that Bob guesses correctly k elements is $\frac{1}{\binom{2n}{k}\binom{2n}{n-k}} \le 2^{-n}$. Now, the probability of guessing the values contained
in n − k coherent states is given by $2^{-(2n-k)l}$. The overall probability of success is bounded
from above by $2^{-(2n-k)l}2^{-n}$, which is exponentially low with respect to n, k and l.

We conclude that in both the above cases Bob's chance of success is exponentially low.

Now, let us consider the scenario where Bob splits the beam he receives, or performs a
quantum cloning attack, or even performs heterodyne detection.

Due to the HUR, there must be degradation of the coherent states upon such procedures
and the best Bob could do in the committing phase would be the heterodyne detection, as
this is the best technique to obtain both quadrature components with the minimum error.
This case is already covered by Theorem 4.5.3. We conclude that Bob will succeed with up
to a negligible exponential probability.

Theorem 4.5.2. If Bob can obtain both messages then the Heisenberg uncertainty relation

is violated.

Proof. Due to Lemma 4.5.3 the most effective attack Bob can perform is the joint
measurement on non-commuting components of each state. By Proposition 4.5.1, Bob is unable to
obtain both messages of each coherent state, otherwise the HUR will be violated.

4.6 Gaussian Sources and Gaussian Noise

Shannon, in his seminal paper [107], showed that the continuous source that maximizes
the differential entropy is a Gaussian one. The entropy of such a source, $X \sim \mathcal{N}(0, \sigma^2)$, is
given by

$$h(X) = \log(2\pi e\sigma^2). \tag{4.32}$$

Additive white Gaussian noise is a widespread model used in telecommunications. In the
additive Gaussian noise model, one wants to estimate a random variable A, but only has
access to the random variable B = A + N, where $N \sim \mathcal{N}(0, \sigma_N^2)$ is the Gaussian noise. The
mutual information is given by

$$I(A,B) = H(B) - H(B|A) = H(B) - \log(2\pi e\sigma_N^2). \tag{4.33}$$

The variance of B will be

$$E[B^2] = E[(A+N)^2] = E[A^2] + 2E[AN] + E[N^2] \tag{4.34}$$

$$= E[A^2] + 2E[A]E[N] + E[N^2] \tag{4.35}$$

$$= E[A^2] + \sigma_N^2. \tag{4.36}$$

If A is a Gaussian with variance $\sigma_A^2$, then B will be a Gaussian random variable with variance
$\sigma_B^2 = \sigma_A^2 + \sigma_N^2$. The mutual information will be

$$I(A,B) = \log\left(1 + \frac{\sigma_A^2}{\sigma_N^2}\right) \tag{4.37}$$

and one defines the signal-to-noise-ratio (SNR) as

$$\mathrm{SNR} = \frac{\sigma_A^2}{\sigma_N^2}. \tag{4.38}$$

4.6.1 Setting up two simultaneous Gaussian channels

We have already seen that a coherent state is a Gaussian state, where upon measurement,
the quadrature components behave as Gaussian variables. In order to achieve maximum
information capacity Alice prepares two random variables X and P, drawn from Gaussian
distributed sources, $X \sim \mathcal{N}(0, V\frac{1}{4})$ and $P \sim \mathcal{N}(0, V\frac{1}{4})$, where V is a predetermined integer.
Then, Alice creates the coherent state $|X + iP\rangle$ and sends it to Bob. Upon the reception of
the state, Bob measures and obtains $X_B = X + N_x$ and $P_B = P + N_p$, where $N_x$ and $N_p$ are
additive Gaussian noise with variances $\sigma_x$ and $\sigma_p$, respectively. The variance must satisfy
the HUR $\sigma_x^2\sigma_p^2 \ge 1/4$.

Given the above characterization, we can use standard techniques employed in the classical

channels. Namely, it is possible to characterize the channel capacity of both channels and to

relate the precision of one of the channels relative to the other.

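The mutual information between X and $X_B$ is

$$I_X(A,B) = H(X_B) - H(X_B|X_A) = H(X_B) - \log(2\pi e\sigma_X^2) \tag{4.39}$$

where

$$H(X_B) = \log\left(2\pi e\left(\sigma_X^2 + V\tfrac{1}{4}\right)\right) \tag{4.40}$$

and

$$I_X(A,B) = \log\left(1 + V\left(\frac{1/4}{\sigma_X^2}\right)\right), \tag{4.41}$$

and similarly we get for the mutual information between P and $P_B$

$$I_P(A,B) = \log\left(1 + V\left(\frac{1/4}{\sigma_P^2}\right)\right). \tag{4.42}$$

The signal-to-noise ratios are given by $\mathrm{SNR}_X = V\frac{1/4}{\sigma_x^2}$ and $\mathrm{SNR}_P = V\frac{1/4}{\sigma_p^2}$, respectively.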

In [145] the problem of Gaussian variables reconciliation was written as a channel coding

problem. Further, it was experimentally demonstrated that the approach from [146] was

effective over a distance of 80 km.

Moreover, these codes are available for a wide range of signal-to-noise ratios on an additive
white Gaussian noise channel [147] and they are very close to the channel capacity limit.
The efficiency of the code can be obtained as a function of the signal-to-noise ratio.

The advantage of using Gaussian modulation is that Csiszár-Körner's secret capacity
increases with V. For instance, choosing V = 2, $r = I_{1/2} - I_{3/2} = \log\left(\frac{1+V}{1+V/9}\right) \approx 1.29$ bits.

4.6.2 CV-$\binom{2}{1}$-OT$(m_0, m_1)$ with Gaussian modulation

The protocol presented here differs from the previous Protocol 4.5.2 simply by using Gaussian
modulation. There are two main reasons for doing so: first, Gaussian modulation enables
the transmission of more classical information, and second, the proofs of security for Gaussian
modulated QKD are already established.

Protocol 4.6.1 (CV-$\binom{2}{1}$-OT$(m_0, m_1)(c)$).

Message to transfer $b_1$ and $b_2$;

Security parameter n and m.

Randomness Sharing Phase

1. Alice prepares 2n pairs of real numbers $X_A^j \sim \mathcal{N}(0, V/2)$ and $P_A^j \sim \mathcal{N}(0, V/2)$.

2. For all $1 \le j \le n$ Alice sends the state $|e(X_A)_j + ie(P_A)_j\rangle$ to Bob, where e is an
   error correcting code studied in [145, 146, 147].

3. Bob chooses a random bit $r_j$ determining whether for block j he will measure the
   position or the momentum.

4. For each i = 1 to ℓ

   (a) Alice sends the state $|c(z^0_{ji}) + ic(z^1_{ji})\rangle$ to Bob.

   (b) Bob performs a Gaussian measurement according to $r_j$ and extracts $z^{r_j}_{ji}$.

   (c) Bob commits to the pair $(r_j, z^{r_j}_{ji})$.

5. Bob decodes $w^{r_j}_j$ from $z^{r_j}_{j1} \ldots z^{r_j}_{j\ell} = e(w^{r_j}_j)$.

Cut-and-Choose

1. Alice prepares a random set $I_A \subseteq \{1, \ldots, 2n\}$ with n elements. Alice sends $I_A$ to
   Bob.

2. Bob reveals $(r_j, z^{r_j}_{ji})$ to Alice, for all $j \in I_A$ and $i \in \{1 \ldots \ell\}$.

3. Alice checks the values with the commitment Bob did in the randomness sharing
   phase. If all the values are correct, the protocol continues, else Alice aborts.

Reconciliation Phase

1. Alice and Bob employ the direct reconciliation protocol described in [145, 146, 147].

Opening phase:

1. Alice chooses a hash function h. Let $w_{I_0}$ be the string of bits indexed by $I_0$, and
   $w_{I_1}$ for $I_1$.

2. Alice computes

   $m'_0 = m_0 \oplus h(w_{I_0})$ and $m'_1 = m_1 \oplus h(w_{I_1})$

   and sends it to Bob.

3. Bob determines $m_c = m'_c \oplus h(w_{I_c})$.

The proof of the security is essentially the same as for the former protocol.

A study of this protocol without the cut-and-choose and the commitment phases will be

presented elsewhere.

4.7 Conclusions

Using a bit commitment protocol, we showed that CV-OT secure against malicious Bob is
possible. String commitment protocols appear as a means to achieve Markovian behavior of
the separately generated coherent states. We argue that, in the case the bit commitment protocol
is not used (hence, nor the cut-and-choose), the best Bob could do are Gaussian operations
and then homodyne and/or heterodyne detection, always having loss of information due
to the HUR. If this isn't the case, then Bob could create more coherent states and make a
joint measurement on the overall state obtaining the necessary information to extract both
messages, violating the HUR and, accordingly, the no-cloning theorem. Further study on this
topic will be presented elsewhere. Moreover, the quantum de Finetti theorem for Gaussian
states might be used here to prove that coherent attacks could do no better than collective
attacks [152].

Apart from that, due to the experimental implementation successes of CV-QKD schemes,
and due to recent improvements on the encoding of Gaussian variables permitting key
exchange close to the theoretical limit, we affirm that our OT protocol is implementable using
today's commercially available technology, which is cheaper than single state quantum
technology; this is an advantage.

Chapter 5

Future Work

Further study of the unconditional security of the $\binom{2}{1}$-OT with Gaussian states against
coherent attacks is ongoing research.

Moreover, the use of Gaussian states for other cryptographic primitives, such as
zero-knowledge, authentication and so on, as well as the experimental implementation of some
algorithms with those states are matters I would like to engage in.

Bibliography

[1] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on

Information Theory, 22 (6):644-654 (1976).

[2] R. L. Rivest, A. Shamir and L. Adleman A method for obtaining digital signatures and

public-key cryptosystems, Communications of the ACM, 21(2): 120-126 (1978).

[3] C.E. Shannon, Communication theory of secret systems, Bell System Technical Journal

(28-4): 656-715 (1949).

[4] J. Katz and Y. Lindell, Introduction to modern cryptography: principles and protocols,

CRC Press.

[5] A. Yao, Protocols for secure computations, In Proceedings of the IEEE Symposium on

Foundations of Computer Science, pp. 160-164 (1982)

[6] A. Yao, How to generate and exchange secrets, Paper presented at IEEE Symposium

on Foundations of Computer Science, Washington, DC, USA. IEEE. (1986).

[7] Oded Goldreich, Foundations of Cryptography, Volume II, Cambridge University Press.

[8] M. Rabin, How to exchange secrets by oblivious transfer, Tech. Rep., Harvard Univer-

sity, https://eprint.iacr.org/2005/187.pdf (1981). Accessed on 14th October 2014.

[9] S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts,

Commun. ACM, 28, 637–647, (1985).

[10] C. Crépeau, Equivalence between two flavours of oblivious transfers, Paper presented at

International Conference on the Theory and Applications of Cryptographic Techniques

on Advances in Cryptology: CRYPTO ’87, London, UK, Springer-Verlag. (1988).

[11] G. Brassard, C. Crépeau and J. Robert, Information theoretic reductions among
disclosure problems, Paper presented at 27th Annual Symposium on Foundations of Computer
Science: FOCS'86, Toronto, Canada. (1986).

[12] C. Crépeau, M. Santha, Efficient reduction among oblivious transfer protocols based on

new self-intersecting codes, Paper presented at Sequences II: Methods in Communication,
Security, and Computer Science, Positano, Italy. Springer New York. (1993).

[13] G. Brassard, C. Crépeau and M. Santha, Oblivious transfers and intersecting codes,

IEEE Transactions on Information Theory, 42, 1769–1780, (1996).

[14] G. Brassard, D. Chaum, and C. Crépeau, Minimum disclosure proofs of knowledge,

Journal of Computer and System Sciences, 37, 156–189, October (1988).

[15] L. Salvail, The search for the holy grail in quantum cryptography, Paper presented

at Lectures on Data Security: Modern Cryptology in Theory and Practice. Denmark.

Springer Berlin Heidelberg. (1998).

[16] C. Bennett, G. Brassard, C. Crépeau, and M. Skubiszewska, Practical quantum
oblivious transfer, Paper presented at Advances in Cryptology: CRYPTO'91. Santa Barbara,
California, USA. Springer Berlin Heidelberg. (1991).

[17] P. W. Shor, Algorithms for quantum computation: Discrete logarithms and factoring,

Proc. 35th Annual Symposium on Foundations of Computer Science, IEEE Press, 124

(1994).

[18] A. Childs, and W. van Dam, Quantum algorithms for algebraic problems, Review of

Modern Physics, Vol. 82 (2010)

[19] S. Wiesner, Conjugate coding, SIGACT News, 15, 78–88, (1983).

[20] C. Bennett, and G. Brassard, Quantum Cryptography: public-key Distribution and

Coin Tossing, Paper presented at International Conference on Computers, Systems and

Signal Processing, Bangalore, India. New York: IEEE. (1984).

[21] H. Lo, and H. Chau, Unconditional security of quantum key distribution over arbitrarily

long distances, Science, 283, 2050–2056, (1999).

[22] P. Shor, and J. Preskill, Simple proof of security of the BB84 quantum key distribution

protocol, Physical Review Letter, 85, 441–444, (2000).

[23] D. Mayers, Unconditional security in quantum cryptography, J. ACM, 48, 351–406,

(2001).

[24] V. Scarani et al, The security of practical quantum key distribution, Review of Modern

Physics, 81,1301–1350, (2009).

[25] H. Lo and H. Chau, Is quantum bit-commitment really possible?, Physical Review

Letter, 78, 3410–3413, (1997).

[26] D. Mayers, Unconditionally secure quantum bit-commitment is impossible, Physical

Review Letter, 78, 3414–3417 (1997).

[27] G. M. D'Ariano, D. Kretschmann, D. Schlingemann and R. F. Werner, Reexamination

of quantum bit commitment: the possible and the impossible, Physical Review A, 76,

032328

[28] H. Lo, Insecurity of quantum secure computations, Physical Review A, 56, 1154–1162,

(1997).

[29] G. He and Z. Wang, Oblivious transfer using quantum entanglement, Physical Review

A, 73, 012331, (2006).

[30] G. He, Z. Wang, Nonequivalence of two flavors of oblivious transfer at the quantum

level, Physical Review A, 73, 044304, (2006).

[31] A. Kent, Quantum bit string commitment, Physical Review Letter, 90, 237901, (2003).

[32] J. Barrett, S. Massar, Security of quantum bit-string generation, Physical Review A,

70, 052310, (2004).

[33] N. Bouman, S. Fehr, C. Gonzalez-Guillen and C. Schaffner, An all-but-one entropic

uncertainty relation, and application to password-based identification, Paper presented

at Theory of Quantum Computation, Communication, and Cryptography. Tokyo, Japan.

Springer Berlin Heidelberg. (2013).

[34] S. Wehner, C. Schaffner and B. Terhal, Cryptography from noisy storage, Physical

Review Letter, 100, 220502, (2008).

[35] C. Schaffner, B. Terhal, and S. Wehner, Robust cryptography in the noisy-quantum-

storage model, Quantum Information & Computation, 9, 963–996, (2011).

[36] R. Koenig, S. Wehner, and J. Wullschleger, Unconditional security from noisy quantum

storage, IEEE Transactions on Information Theory, 58, 1962–1984, (2012).

[37] N. Ng, S. Joshi, C. Ming, C. Kurtsiefer, S. Wehner, Experimental implementation of

bit-commitment in the noisy-storage model, Nature Communications, 3, 1326, (2012).

[38] R. Loura et al, Noise and measurement errors in a practical two-state quantum bit

commitment protocol, Physical Review A, 89, 052336 (2014).

[39] A. Kent, Unconditionally secure bit-commitment, Physical Review Letter, 83, 1447–

1450, (1999).

[40] A. Kent, Secure classical bit-commitment using fixed capacity communication channels,

Journal of Cryptology, 18, 313–335, (2005).

[41] Ng, N., Joshi, S., Ming, C., Kurtsiefer, C. & Wehner, S. Experimental implementation

of bit commitment in the noisy-storage model. Nat. Commun, 3, 1326, (2012).

[42] Loura R., et al. Noise and measurement errors in a practical two-state quantum bit

commitment protocol. Phys. Rev. A, 89, 052336 (2014).

[43] W. Wootters and W. Zurek, A single quantum cannot be cloned, Nature 299: 802-803

(1982)

[44] A. Ekert, Quantum cryptography based on bell’s theorem, Physical Review Letter, 67,

661–663, (1991).

[45] C. Bennett, Quantum cryptography using any two nonorthogonal states, Physical

Review Letter, 68, 3121–3124 (1992).

[46] J. Kilian, Founding cryptography on oblivious transfer, Paper presented at 20th Annual
ACM Symposium on Theory of Computing: STOC '88. New York, USA. ACM. (1988).

[47] L. Harn and H. Lin, An oblivious transfer protocol and its application for the exchange

of secrets, Paper presented at International Conference on the Theory and Application

of Cryptology: Advances in Cryptology - ASIACRYPT ’91, Fujiyosida, Japan. Springer

Berlin Heidelberg, (1993).

[48] R. Cramer, I. Damgård, and U. Maurer, General secure multi-party computation from

any linear secret-sharing scheme, Paper presented at 19th International Conference

on Theory and Application of Cryptographic Techniques: EUROCRYPT’00, Heverlee,

Belgium. Springer-Verlag Berlin. (2000).

[49] Y. Lindell, B. Pinkas, Secure two-party computation via cut-and-choose oblivious trans-

fer, J. Cryptol, 25, 680–722, (2012).

[50] Y. Lindell, and H. Zarosim, On the feasibility of extending oblivious transfer, Paper

presented at 10th Theory of Cryptography Conference, Tokyo, Japan. Springer Berlin

Heidelberg. (2013).

[51] N. Paunković, J. Bouda and P. Mateus, Fair and optimistic quantum contract signing,

Physical Review A, 84, 062331–062331, (2011).

[52] A. Souto, P. Mateus, P. Adão and N. Paunković, Bit-string oblivious transfer based on

quantum state computational distinguishability, http://arxiv.org/pdf/1403.6022v1.pdf

(2014). Accessed on 14th October 2014.

[53] G. Nikolopoulos, Applications of single-qubit rotations in quantum public-key cryptog-

raphy, Physical Review A, 77, 032348, (2008).

[54] R. Jain, The art of computer systems performance analysis - techniques for experimental

design, measurement, simulation, and modeling, (Wiley professional computing, New

York, USA, 1991).

[55] U. Seyfarth, G. Nikolopoulos and G. Alber, Symmetries and security of a
quantum-public-key encryption based on single-qubit rotations, Physical Review A 85, 022342
(2012).

[56] C. Helstrom, Quantum detection and estimation theory, Journal of Statistical Physics,

1, 231–252, (1969).

[57] V. Dunjko, P. Wallden and E. Andersson, Quantum digital signatures without quantum

memory, Physical Review Letter, 112, 040502, (2014).

[58] R. Collins et al., Realization of quantum digital signatures without the requirement of

quantum memory, Physical Review Letter, 113, 040502, (2014).

[59] X. Lu and D. Feng, Quantum digital signature based on quantum one-way functions,

Paper presented at the 7th International Conference on Advanced Communication Tech-

nology: ICACT’05. Korea, IEEE (2005).

[60] D. Gottesman and I. Chuang, Quantum digital signatures, Tech. Rep.,

http://arxiv.org/pdf/quant-ph/0105032v2.pdf (2001) – Accessed on 14th October 2014.

[61] H. Buhrman, R. Cleve, J. Watrous, and R. D. Wolf, Quantum fingerprinting, Physical

Review Letter 87, 2001 (2001).

[62] M. Nielsen and I. Chuang, Quantum Computation and Quantum Information, (Cam-

bridge University Press, UK, 2004).

[63] P. Boykin, and V. Roychowdhury, Optimal encryption of quantum bits, Physical Review

A 67, 042317 (2003).

113

[64] J. Carter and M. Wegman, Universal classes of hash functions, Journal of Computer

and System Sciences, 18, 143–154 (1979).

[65] Choi, S., Dachman-Soled, D., Malkin, T. & Wee, H. Simple, Black-Box Constructions

of Adaptively Secure Protocols. Paper presented at Theory of Cryptography Conference

- TCC 2009, pages 387-402, San Francisco, CA, USA (Lect. Notes Comput. Sci. Vol.

5444, Springer) (2009 March 15-17).

[66] Souto, A., Mateus, P., Adão, P. & Paunković, N. Reply to “Comment on ‘Bit-string

oblivious transfer based on quantum state computational distinguishability’ ”. Phys.

Rev. A, 92, 046302 (2015).

[67] Y. Aharonov , L. Davidovicg and N. Zagury, Quantum random walks, Physical Review

A 48, 1687 (1993).

[68] A. M. Childs, R. Cleve, E. Deotto, E. Farhi, S. Gutmann, D. A. Spielman, Exponential

Algorithmic Speedup by Quantum Walk, Proc. 35th ACM Symposium on Theory of

Computing (STOC 2003), pp. 59-68, arXiv:quant-ph/0209131v2.

[69] J. Kempe, Quantum Random Walks Hit Exponentially Faster, Probability Theory

and Related Fields, Bol. 133(2), p. 215 - 235 (2005), conference version in Proc. 7th

RANDOM, p. 354-69, 2003, quant-ph/0205083v1.

[70] Edward Farhi and Sam Gutmann, Quantum Computation and decision trees, Physical

Review A 58, 915Ò928 (1998).

[71] E. Agliari, A. Blumen, and O. Mülken, Quantum-walk approach to searching on fractal

structures, Physical Review A 82, 012305 (2010).

[72] A. M. Childs and J Goldstone, Spatial search by quantum walk, Physical Review A 70,

022314 (2004).

[73] S. Aaronson, A. Ambainis, Quantum Search of Spatial Regions, arXiv:quant-

ph/0303041v3.

114

[74] N. Shenvi, J. Kempe and K.B. Whaley, A Quantum Random Walk Search Algorithm,

Physical Review A 67, 052307 (2003).

[75] A. Ambainis, J. Kempe and A. Rivosh, Coins make quantum walks faster, SODA ’05:

Proceeding of the Sixteenth Annual ACM-SIAM Symposium of Discrete Algorithms, 1099

(2005).

[76] A. Tulsi, Faster quantum walk algorithm for the two dimensional spatial search, Physical

Review A 78, 012310 (2008).

[77] M. Szegedy, Quantum Speed-up of Markov Chain Based Algorithms, Proc. of 45th

Annual IEEE Symposium on Foundations of Computer Science, pp. 32ñ41, 2004.

[78] F. Magniez, A. Nayak, J. Roland, M. Santha, Search via Quantum Walk, SIAM Journal

on Computing, 40(1):142-164, 2011, arXiv:quant-ph/0608026v4.

[79] Y. Omar, N. Paunković, L. Sheridan and S. Bose, Quantum walk on a line with two

entangled particles, Physical Review A 74, 042304 (2006).

[80] M. Štefaňák, T. Kiss, I. Jex and B. Mohring, The meeting problem in the quantum

walk, J. Phys. A: Math. Gen. 39 (2006), 14965-14983.

[81] S. E. Venegas-Andraca, S. Bose, Quantum Walk-based Generation of Entanglement

Between Two Walkers, arXiv:0901.3946.

[82] J. Kempe, Quantum random walks - an introductory overview, Cont. Phys. 44, 307

(2003), arXiv:quant-ph/0303081.

[83] D. Aharonov, A. Ambainis, J. Kempe, U. Vazirani, Quantum Walks on Graphs, Pro-

ceedings of ACM Symposium on Theory of Computation (STOC’01), July 2001, p. 50-59,

arXiv:quant-ph/0012090v2

[84] F.L. Marquezino and R. Portugal, The QWalk Simulator of Quantum Walks, Computer

Physics Communications 179, 359 (2008).

115

[85] S. Berry, P. Bourke, J. Wang, qwViz: Visualization of quantum walks on graphs,

Computer Physics Communications volume182, issue 10, pages 2295-2302 (2011).

[86] I. Carneiro, M. Loo, X. Xu, M. Girerd, V. Kendon and P. L Knight, Entanglement in

coined quantum walks on regular graphs, New Journal of Physics 7, 156 (2005).

[87] M. Annabestani, M. R. Abolhasani and G. Abal, Asymptotic entanglement in a two-

dimensional quantum walk, J. Phys. A: Math. Theor. 43, 075301 (2010).

[88] M. C. Bañuls, C. Navarrete, A. Pérez, Eugenio Roldán and J. C. Soriano, Quantum

walk with a time-dependent coin, Physical Review A 73, 062304 (2006).

[89] C. M. Chandrashekar, Disordered quantum walk-induced localization of a Bose-Einstein

condensate, Physical Review A 83, 022320 (2011).

[90] H. Obuse and N. Kawakami, Topological phases and delocalization of quantum walks

in random environments, Physical Review B 84, 195139 (2011).

[91] H. Krovi and T. Brun, Hitting time for quantum walks on the hypercube, Physical

Review A 73, 032341 (2006).

[92] A. Romanelli, R. Siri, G. Abal, A. Auyuanet and R. Donangelo, Decoherence in the

quantum walk on the line, Phys. A 347C, 137 (2005).

[93] A. C. Oliveira, R. Portugal and R. Donangelo, Decoherence in two-dimensional quantum

walks, Physical Review A 74, 012312(2006).

[94] T. A. Brun, H. A. Carteret, and A. Ambainis, Quantum walks driven by many coins,

Physical Review A 67, 052317 (2003).

[95] P. W. Anderson, Absence of Diffusion in Certain Random Lattices, Physical Review

109, 1492 (1958).

[96] C. H. Bennett, D. P. DiVincenzo, J. Smolin, and W. K. Wootters, Mixed-state entan-

glement and quantum error correction, Physical Review A 54, 3824 (1996).

116

[97] W. K. Wootters, Entanglement of formation of an arbitrary state of two qubits, Physical

Review Letter 80, 2245 (1998).

[98] H. Ollivier and W. H. Zurek, Quantum Discord: A measure of the quantumness of

correlations, Physical Review Letter 88, 017901 (2001).

[99] Yutaka Shikano, Tatsaki Wada, Junsei Horikawa, Discrete-time quantum walk

with feed-forward quantum coin, Scientific Reports 4, 4427[7 pages] (2014). DOI:

10.1038/srep04427

[100] W. Pauli, General Principles of Quantum Optics, Springer, Berlin, 1980.

[101] U. Leonhardt, Essential Quantum Optics, Cambridge University Press

[102] S. Even, O. Goldreich and A. Lempel, A Randommized Protocol for Signing Contracts,

Communications of the ACM, 28(6):637-647, 1985.

[103] L. Mandel and E. Wolf, Optical Coherence and Quantum Optics, Cambridge University

Press.

[104] Roy J. Glauber, Quantum Theory of Optical Coherence: Selected Papers and Lectures,

WILEY-VCH Verlag GmbH & Co. KGaA, Weinheim.

[105] Gilbert Grynberg, Alain Aspect and Claude Fabre, Introduction to Quantum Optics

From Semi-Classical Approach to Quantized Light, Cambridge University Press.

[106] N. J. Cerf, M. évy and Van Assche, Quantum Distribution of Gaussian Keys using

Squeezed States, Pyisical Review A, Vol. 63, 052311.

[107] C. E. Shannon, A Mathematical Theory of Communication, Bell System Technical

Journal 27, 623 (1948).

[108] T. Cover and J. Thomas, Elements of Information Theory, 1991 John Wiley & Sons.

[109] Philippe Grangier and Frédéric Grosshans, Quantum Teleportation criteria for contin-

uous variables, quant-ph/0009079v1.

117

[110] Philippe Grangier and Frédéric Grosshans, Quantum Cloning and Teleportation Cri-

teria for Continuous Quantum Variables, Physical Review A, 64, 010301.

[111] N. J. Cerf and S. Iblisdir, Optimal N-to-M Cloning of Conjugate Quantum Variables,

Phys. Review Letter A, 62, 040301(R).

[112] Y. Yamamoto and H.A. Haus, Preparation, measurement and information capacity of

optical quantum states, Review of Modern Physics, Vol. 58, No. 4, October 1986.

[113] F. Grosshans, G. Van Assche, J. Wenger, R. Brouri, N. J. Cerf, Ph. Grangier, Quantum

Key Distribution using Gaussian-Modulated Coherent States, Nature (London) 421, 238

(2003).

[114] Philippe Grangier, Juan Ariel Levenson and Jean-Philippe Poizat, Quantum non-

demolition measurements in optics, Nature, 396, 1998.

[115] T. C. Ralph, Continuous Variable Quantum Cryptography, Physical Review A, 61,

010303 (R) (2000).

[116] T. C. Ralph, Security of continuous-time quantum cryptography, Physical Review A,

62, 062306.

[117] E. Arthurs and M. S. Goodman, Quantum Correlations: A Generalized Heisenberg

Uncertainty Relation, Physical Review Letters, 60, N. 24 (1988).

[118] N. J. Cerf, A. Ipe and X. Rottenberg, Cloning of continuous quantum variable, Physical

Review Letter, 85, 1754-1757 (2000).

[119] Nicolas J. Cerf and Philipe Grangier, From quantum cloning to quantum key distri-

bution with continuous variables: a review, Journal of the Optical Society of America

B/Vol. 24, No. 2/February 2007.

[120] J. Lodewick, T. Debuisschert, R. Tualle-Brouri, and P. Grangier, Controlling excess

noise in fiber-optics continuous-variable quantum key distribution, Physical Review A.

75, 050303(R) (2005).

118

[121] F. Grossman and N. J. Cerf, Continuous-variable quantum cryptography is secure

against non-Gaussian attacks, Physical Review Letter 92, 047905 (2004).

[122] Charles H. Bennet, Gilles Brassard, Jean-Marc Roberts, Privacy Amplification by

Public Discussion, SIAM Journal on Computing, Vol. 7, No. 2, April 1988.

[123] Charles H. Bennet, Gilles Brassard, Claude Crépeau, Ueli Maurer, Generalized Privacy

Amplification", IEEE Transactions on Information Theory, Vol. 41, No. 6, November.

1995.

[124] J. Lawrence Carter and Mark N. Wegman, "Universal Classes of Hash Functions",

Journal of Computer And System Sciences, 18, 143-154 (1979).

[125] Arkadiusz Orlowski, Information Entropy and Squeezing of quantum Fluctuations,

Physical Review A, 56, N. 4 1997.

[126] Stephanie Wehner, Andreas Winter, Entropic Uncertainty Relations - A Survey, New

Journal of Physics, 12, 025009.

[127] Clause Crépeau, Efficient Cryptographic Protocols based on Noisy Channels, EURO-

CRYPT 1997: 306-317.

[128] Claude Crépeau, Kirill Morozov, Stefan Wolf, Efficient Unconditional Oblivious Trans-

fer from Almost Any Noisy Channel, Lecture Notes in Computer Science Volume 3352,

2005, pp 47-59.

[129] Christian Weedbrook, Andrew M. Lance, Warwick P. Bowen, Thomas Symul, Timothy

C. Ralph and Ping Koy Lam, Coherent State Quantum Key Distribution Without

Random Basis Switching, Physical Review A 73, 022316.

[130] Claude Crépeau, Jeroen van der Graaf and Alain Tapp, Committed Oblivious Transfer

and Private Multi-Party Computation, Proceeding CRYPTO ’95 Proceedings of the

15th Annual International Cryptology Conference on Advances in Cryptology, Pages

110-123.

119

[131] Frédéric Grosshans, Nilocals J. Cerf, Jérôme Wenger, Rosa Tualle-Brouri and Philippe

Grangier, Virtual Entanglement and Reconciliation Protocols for Quantum Cryptogra-

phy with Continuous Variables, Quantum Information and Computation, Vol. 3, No.

Special (2003) 535-552.

[132] Raúl García-Patrón and Nicolas Cerf, Unconditional Optimality of Gaussian Attacks

against Continuous-Variable QKD, Physical Review Letter 97, 190503 (2006).

[133] I. Csíszar and J. Körner, Broadcast Channels with Confidential Messages, IEEE

Transactions on Information Theory 24, 339 (1978).

[134] G. Brassard and L. Silvail, Secret-key Reconciliation by Public Discussion, Advances

in Cryptology — EUROCRYPT ’93, Lecture Notes in Computer Science Volume 765,

1994, pp 410-423.

[135] Jesus Martinez-Meteo, David Elkouss and Vicente Martin, Key Reconciliation for

High Performance Quantum Key Distribution, Scientific Reports 3, Article number:

1576 (2012).

[136] Gilles Van Assche, Jean Cardinal and Nicolas J. Cerf, Reconciliation of a Quantum-

Distributed Gaussian Key, IEEE Transactions on Information Theory, 50 , Issue: 2

(2004).

[137] Wootters, William; Zurek, Wojciech, A Single Quantum Cannot be Cloned, Nature

299: 802–803 (1982).

[138] Gilles Van Assche, Jean Cardinal and Nicolas J. Cerf, Reconciliation of a Quantum-

Distributed Gaussian Key, IEEE Transactions on Information Theory, VOL. 50, NO. 2,

FEBRUARY 2004

[139] D. F. Walls and G. J. Milburn, Quantum Optics, Berlin, Germany: Springer-Verlag,

1994

120

[140] Stefano Pirantola, Samuel L. Braunstein, Seth Lloyd and Stefano Mancini, Confidential

Direct Communications: A Quantum Approach Using Continuous Variables, IEEE

Journal of Selected Topics in Quantum Electronics, 15, No. 6, November/December

2009

[141] A. Agelow, M. Batoni, Translation with annotation of the original paper of Er-

win Schrödinger (1930) in English, Bulg. J. Physics, 26, no. 5/6 (1999) pp. 193-203,

http://arxiv.org/abs/quant-ph/9903100

[142] H. P. Robertson, The Uncertainty Principle Physical Review 34: 163–64 (1929)

[143] Lorenzo Maccone and Arun K. Pati, Stronger Uncertainty Relations for All Incompat-

ible Observables, Physical Review Letters 113, 260401 (2014)

[144] E. Arthurs and J. L. Kelly, On the Simultaneous Measurement of a Pair of Conjugate

Observables, Bell System Technical Journal, 44: 4. April 1965 pp 725-729. B.S.T.J.

Brief

[145] A. Leverrier, R. Alléaume, J. Boutros, G. Zémor and P. Grangier, Multidimensional

reoniliation for a ontinuous-variable quantum key distribution Physical Review A, 77,

042325 (2008)

[146] P. Jouguet, Sébastien Kunz-Jacques, Anthony Leverrier, Philippe Grangier and Eleni

Diamanti, Experimental demonstration of long-distance continuous-variable quantum

key distribution Nature Photonics 7, 378 (2013)

[147] P. Jouguet, Sébastien Kunz-Jacques, Anthony Leverrier, Long-distance continuous-

variable quantum key distribution with a Gaussian Modulation Physical Review A 84,

062317 (2011)

[148] M. Navascués, F. Grosshans and A. Acín, Unconditional Optimality of Gaussian At-

tacks against Continuous-Variable Quantum-Key Distribution, Physical Review Letter

97, 190502 (2006)

121

[149] M. Christandl, R. König and R. Renner, Postselection Technique for Quantum Chan-

nels with Applications to Quantum Cryptography Physical Review Letter 102, 020504

(2009)

[150] R. Renner, N. Gisin and B. Kraus, Information-theoretic Security Proof for Quantum-

key-distributin Protocols, Physical Review A 72, 012332 (2005)

[151] R. Renner, N. Gisin and B. Kraus, Security of Quantum Key Distribution, Ph.D.

thesis, ETH Zürich, 2005

[152] A. Leverrier, Composable Security Proof for Continuous-Variable Quantum Key Dis-

tribution with Coherent States Physical Review Letter 114, 070501 (2015)

[153] R. Renner and J. I. Cirac, de Finetti Representation Theorem for Infinite-Dimensional

Quantum Systems and Applications to Quantum Cryptography Physical Review Letter,

102, 110504 (2009)

[154] M. M. Wolf, G. Giedke and J. I. Cirac, Extremality of Gaussian Quantum States

Physical Review Letter, 96, 080502 (2006)

[155] A. Leverrier, R. García-Patrón and N. J. Cerf, Security of Continuous-Variable Quan-

tum Key Distribution Against General Attacks Physical Review Letter, 110, 030502

(2013)

[156] A. Leverrier and N. J. Cerf, Quantum de Finetti Theorem in Phase-Space Represen-

tation, Physical Review A 80, 010102(R) (2009)

[157] Y. Lindell and B. Pinkas, An efficient protocol for secure two-party computation in the

presence of malicious adversaries, Journal of Cryptology 28(2): 312-350 (2015)

[158] S. G. Choi, D. Dachman-Soled, T. Malkin and H. Wee, Simple, black-box constructions

of adaptively secure protocols, In Omer Reingold, editor, Theory of Cryptography,

Volume 5444 of Lecture Notes in Computer Sience, 387-402. Springer Berlin Heidelberg

(2009).

122