Privacy-Preserving Decision Protocols Based on Quantum Oblivious Key Distribution

Oblivious key transfer (OKT) is a fundamental problem in the field of secure multi-party computation. It lets the provider send a secret key sequence to the user obliviously, i.e., the user obtains only about one bit of the key sequence, at a position unknown to the provider. Recently, a number of works have sought to establish the corresponding quantum oblivious key transfer model and have renamed it quantum oblivious key distribution (QOKD), after the well-known expression quantum key distribution (QKD). In this paper, a new QOKD model is first proposed for a provider and user with limited quantum capabilities, where both of them only perform computational basis measurements on single photons. Then we show that the privacy of both of them can be protected, since the probability of obtaining the other's raw-key bits without being detected is exponentially small. Furthermore, we give solutions to some special decision problems, such as set-member decision and point-inclusion, by announcing improved shifting strategies following QOKD. Finally, further discussions and applications of our ideas are presented.

failure probability in 2015. Wei et al. [Wei, Gao, Wen et al. (2014); Wei, Wang and Gao (2016); Wei, Cai, Liu et al. (2018)] provided some practical QPQ protocols by improving the performance of QOKD. A detailed analysis of QOKD applied to QPQ can be found in Gao et al. [Gao, Qin, Huang et al. (2019)]. In our analysis, the reason why QOKD can be widely applied in QPQ is that it provides a way to reduce the communication and computational complexity in a practical sense. That is to say, even if a large database is concerned, the dimension of the oracle operations will not increase. Moreover, the participants' privacy can be naturally preserved without much complex analysis. Given its better performance, a question directly arises: "Can we solve SMPC problems other than QPQ in practice with QOKD?" In order to answer this question, we focus on the solution of privacy-preserving decision (PPD) problems [Gu, Yang and Yin (2018); Yin, Ju, Yin et al. (2019)] in SMPC by applying the technique of QOKD. Specifically, the proposed PPD requires a user (Alice) to decide whether her private secret is an element of a server's (Bob's) private set, while Alice and Bob should not reveal their secrets to each other. Recently, Shi et al. creatively gave the corresponding quantum PPD versions, expressed as quantum oblivious set-member decision (QOSMD) [Shi, Mu, Zhong et al. (2015)] and quantum point inclusion decision (QPID) [Shi, Mu, Zhong et al. (2017)]. For QOSMD, Alice's private secret is her identity and Bob's private set is a list of members of his group. For QPID, Alice has a private point and Bob has a private area, and they want to determine secretly whether the point is inside the area. Both can be seen as special types of PPD in the quantum setting. In this paper, solutions to privacy-preserving decision (PPD) problems are presented with the technique of QOKD.
Specifically, a new method to design QOKD protocols is proposed in Section 2, where the provider and user have only limited quantum capabilities, namely performing computational basis measurements on single photons. Its security analysis is also provided in that section. Then, we present a universal model to solve some PPD problems (OSMD and PID) based on QOKD with different encoding and shifting strategies in Section 3. Furthermore, the necessary comparisons and further discussions are given in Section 4. Finally, we conclude in Section 5.
2 The QOKD protocol for the participants with limited quantum capabilities

Compared with QKD, the task of QOKD is to share asymmetric keys between the provider and the user in an oblivious manner: the provider gets the whole key sequence, while the user can recognize only one key bit, at a position unknown to the provider. In this section, a more practical QOKD model is proposed for the following scenario: the users Alice and Bob have limited quantum capabilities, i.e., both of them can only receive quantum signals and perform computational basis measurements on single photons. In order to simplify our description, a trusted center Charlie is involved to prepare and distribute the necessary entangled particles for Alice and Bob. Without loss of generality, the following four-party entangled state [Pivoluska, Huber and Malik (2018)] is introduced into the presented QOKD protocol:

$$|\Psi\rangle = \frac{1}{2}\left(|000\rangle + |111\rangle + |220\rangle + |331\rangle\right) \quad (1)$$

The proposed QOKD protocol
Here the summarized process of our QOKD protocol can be seen in Fig. 1, and the detailed steps are as follows.

Figure 1: The summarized process of the QOKD protocol

[Step 1] The trusted center Charlie first prepares $|\Psi\rangle^{\otimes n}$ with three registers $t_1$, $t_2$, $t_3$ to store the qudits, where the first qudit sequence is stored in $t_1$, and the second and third qudit sequences are randomly stored in $t_2$ or $t_3$. Then he randomly inserts some decoy states into the transferred qudit sequences and sends the new register $t_1'$ to the provider Bob and the new register $t_2'$ to the user Alice, keeping $t_3$ himself; the decoy states are chosen from the four-dimensional computational basis and the Fourier basis.

[Step 2] After confirming that the registers have been received, Charlie announces the positions of the decoy states in order to detect eavesdropping. For each announced position, Alice and Bob randomly choose the computational basis or the Fourier basis to measure the announced state and publish their measurement results. If the error rate is larger than the threshold value, the protocol is aborted and restarted by Charlie.

[Step 3] For the remaining qudits, Alice and Bob measure them in the computational basis and generate the raw key sequences $K_A$ and $K_B$ respectively, according to the encoding rule of Eq. (2). In this sense, Alice can only recognize some bits of $K_B$ according to the structure of $|\Psi\rangle$, for the following reasons: (1) When Alice gets the measurement result $|0\rangle$ ($|1\rangle$), the state $|\Psi\rangle$ has collapsed into $|000\rangle$ or $|220\rangle$ ($|111\rangle$ or $|331\rangle$), and she can only infer Bob's corresponding key bit with probability 3/16, because she cannot determine whether her kept qudit is from $t_2$ or $t_3$.
(2) When Alice gets $|2\rangle$ ($|3\rangle$), $|\Psi\rangle$ has collapsed into $|220\rangle$ ($|331\rangle$). Here she can directly recognize Bob's corresponding raw key bit. From the analysis above, Alice keeps only the measurement results $|2\rangle$ and $|3\rangle$ and discards the other results. Hence the shared $K_A$ and $K_B$ may be expressed as in Eq. (4).

[Step 4] Once the raw key-bit sequences are established without dispute, Charlie discards his kept particles $t_3$.

[Step 5] Finally, the subsequent postprocessing of $K_A$ and $K_B$ is carried out in the following two phases.
[Compression Phase] In this phase, Zhao et al.'s method [Zhao, Yin, Chen et al. (2017)] can be used to compress the raw keys and ensure that Alice gets only one bit of the final sequence. If Alice finds that she has no final key bit left, the protocol is restarted.
[Error Correction Phase] Similarly, the necessary error correction is applied in our protocol using the method proposed by Gao et al. If the error rate is less than some threshold value, Alice and Bob accept the protocol; otherwise, the protocol is aborted. Finally, the optimal case for the shared oblivious key sequence is that Alice can recognize only one bit of $K_B$.

The security analysis of the proposed QOKD protocol
For a secure QOKD protocol, both Alice's and Bob's privacy should be protected. In view of this, the security analysis of our protocol is presented in the following two aspects.

Bob's privacy

If Alice is dishonest, she will do her best to obtain more key bits beyond her legal authority. However, in the QOKD protocol presented above, it is not difficult to see that Alice cannot get additional information about $K_B$ from her local measurement, in the following two situations: (1) If Alice gets $|0\rangle$ ($|1\rangle$) in Step 3, she will recognize Bob's key bit 0 or 1 with probability 3/16. To show this, note first that Alice gets $|0\rangle$ ($|1\rangle$) with a probability fixed by the structure of $|\Psi\rangle$. When Alice gets the measurement result $|0\rangle$ ($|1\rangle$), she cannot make sure whether the state has collapsed into $|000\rangle$ or $|220\rangle$ ($|111\rangle$ or $|331\rangle$). Hence the corresponding result at Bob's site may be $|0\rangle$ or $|2\rangle$. According to the encoding rule in Eq. (2), she infers that Bob's key bit is 0 or 1 with probability 1/2. Altogether, she infers one of Bob's key bits with probability 3/16.
From the analysis above, it can be seen that Alice can infer one of Bob's key bits in a specified position with a certain average success probability; if Alice would like to get m bits, the success probability follows in the same way, where n represents the number of shared key bits. Another question may arise: "Is Alice able to perform other attack strategies?" Since the exchange of classical messages is assumed secure, a dishonest Alice has to perform an intercept-resend attack on the qudits transferred from Charlie to Bob and try to get additional key bits of $K_B$ beyond her authority. To examine the availability of the intercept-resend attack, Alice is assumed, without loss of generality, to intercept x particles of the transferred n + d qudits and measure them with a local computational basis measurement, where d is the number of inserted decoy states. Obviously, there is only one case in which all x particles escape detection and yield Bob's keys: none of them is a decoy state. Actually, Alice's attack goes undetected with the probability $P_e$ of Eq. (6). So, if the number d of decoy states is large enough, $P_e$ approaches zero. That is to say, this attack cannot pass the eavesdropping detection step.

Alice's privacy

Fortunately, Alice's privacy is also protected in the presented protocol, as Bob cannot determine which positions of the raw key-bit sequence are known to Alice, owing to the special structure of the applied entangled state. To simplify the description, the analysis is again focused on one bit, with Bob's local computational basis measurement, as follows: (1) If Bob gets $|0\rangle$ ($|1\rangle$) in Step 3, the entangled state has collapsed into $|000\rangle$ ($|111\rangle$). (2) If Bob gets $|2\rangle$ ($|3\rangle$), the entangled state has collapsed into $|220\rangle$ ($|331\rangle$). Since Bob gets $|2\rangle$ ($|3\rangle$) with probability $p_2' = p_3' = 1/4$ and Alice receives register $t_2$ or $t_3$ at random, Bob infers that Alice's key bit is 0 or 1 with probability 1/8.
Similarly, Bob can infer one of Alice's key bits in a specified position with a certain average success probability, where n represents the number of shared key bits. The intercept-resend attack is likewise unavailable to Bob, by a similar analysis according to Eq. (6). In addition, it should be pointed out that the postprocessing of the shared keys is performed locally by the users. Hence there is no chance for anyone else to obtain valid information about either private key. That is why we discuss only the intercept-resend attack in this paper. From the analysis above, both participants' privacy is protected in the presented QOKD protocol.
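As an added illustration (not code from the paper), the following Python block evaluates exactly the measurement statistics behind the figures quoted above for the state of Eq. (1), modelling Alice's random register as t2 or t3. It works at the level of raw qudit values, since the encoding rule of Eq. (2) is not reproduced on this page; the decoy-escape function is a combinatorial evaluation, assumed here, of the event described for the intercept-resend attack.

```python
from fractions import Fraction
from itertools import product
from math import comb

# Constructed model of the state of Eq. (1), (|000> + |111> + |220> + |331>)/2,
# written as (qudit in t1 = Bob, qudit in t2, qudit in t3); each term has
# probability 1/4 under a computational basis measurement.
TERMS = [(0, 0, 0), (1, 1, 1), (2, 2, 0), (3, 3, 1)]
P_TERM = Fraction(1, 4)

def joint_distribution():
    """Joint probability of (Bob's result, Alice's result, Alice's register).
    Charlie stores the second and third qudits in t2/t3 at random, so Alice
    holds the t2 or the t3 qudit with probability 1/2 each."""
    joint = {}
    for (b, q2, q3), reg in product(TERMS, (2, 3)):
        a = q2 if reg == 2 else q3
        joint[(b, a, reg)] = joint.get((b, a, reg), 0) + P_TERM / 2
    return joint

def alice_outcome_prob(a):
    """P(Alice measures |a>)."""
    return sum(p for (_, aa, _), p in joint_distribution().items() if aa == a)

def bob_values_given_alice(a):
    """Posterior over Bob's raw qudit value once Alice has seen |a>:
    ambiguous for |0>/|1>, certain for |2>/|3> (the positions she keeps)."""
    post = {}
    for (b, aa, _), p in joint_distribution().items():
        if aa == a:
            post[b] = post.get(b, 0) + p
    total = sum(post.values())
    return {b: p / total for b, p in post.items()}

def alice_keep_fraction():
    """Fraction of positions Alice keeps (results |2> and |3>)."""
    return alice_outcome_prob(2) + alice_outcome_prob(3)

def bob_locates_alice_bit_prob(b):
    """P(Bob measures |b> and Alice's qudit at that position is one she keeps),
    i.e. the chance Bob can point at a position Alice actually knows."""
    return sum(p for (bb, a, _), p in joint_distribution().items()
               if bb == b and a in (2, 3))

def intercept_escape_prob(n, d, x):
    """Probability that x intercepted qudits out of n + d (d decoys at random
    positions) are all non-decoy and so escape the check of Step 2.
    Assumed combinatorial evaluation; the paper only describes the event."""
    return Fraction(comb(n, x), comb(n + d, x))
```

The returned fractions reproduce the paper's 3/8, 1/4 and 1/8, and show that Bob can never be certain a given position is one Alice kept.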

Solutions to privacy-preserving decision (PPD) problems based on QOKD
As we know, privacy-preserving decision (PPD) problems have many special and significant applications in economic activities. In this section, we solve some PPD problems, such as set-member decision (SMD) and point-inclusion decision (PID), with the technique of QOKD. In the following example, Bob holds the whole key sequence and Alice only knows $k_3$.

Set-member decision protocol with QOKD
In Step 2, Alice first announces the shift value $S = 5 - 3 = 2$ to Bob. Then Bob shifts his key string cyclically by 2 bits and generates the shifted key sequence of Eq. (10). In Step 3, Alice computes the corresponding value from $k_3$ and the shifted key bit $k_5'$, and recognizes that her private secret 5 is a member of Bob's secret set.

Point-inclusion decision protocol with QOKD
Here we discuss a similar solution with QOKD to the extended PPD problem in the spatial case, point-inclusion decision (PID). In the presented protocol, Alice is assumed to have a private point Q and Bob holds a private area A. In PID, Alice wants to decide whether Q is inside A without either party disclosing their private information. The detailed process is described as follows: [Step 1] Generally there exists a large plane area including Alice's point Q and Bob's area B. This area is uniformly partitioned into $r \times r$ grids, where r is a large enough integer whose size can be determined by the accuracy requirements.
At the end of the protocol, Alice recognizes that her private point 20 is inside B.
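As an added example (not the paper's code), the following Python block simulates the shifting strategy of the SMD and PID protocols above on top of a classical stand-in for the oblivious key. The QOKD step is replaced by a constructed function that gives Bob the whole key and Alice only $k_j$; the paper's encoding equation is not reproduced on this page, so it is assumed here that Bob hides his set as a membership vector masked (XOR) with the cyclically shifted key, which is consistent with the n + s classical bits counted in Section 4.

```python
import secrets

def qokd_stub(n, j):
    """Constructed stand-in for the QOKD of Section 2 (classical, not quantum):
    Bob gets the whole n-bit key, Alice learns only k_j (1-based j),
    as in the example where Alice knows k_3."""
    key = [secrets.randbelow(2) for _ in range(n)]
    return key, (j, key[j - 1])

def bob_shift_and_encrypt(key, shift, member):
    """Bob's side of Steps 2 and 3: shift the key cyclically by `shift` bits so
    that k'_i = k_{i-shift}, then mask the membership bit m_i = member(i).
    Assumed XOR masking; the page does not reproduce the encoding rule."""
    n = len(key)
    shifted = [key[(i - shift) % n] for i in range(n)]
    return [int(member(i + 1)) ^ shifted[i] for i in range(n)]

def alice_decide(alice_share, secret, encrypt):
    """Alice announces S = secret - j in the clear (the s bits of Section 4),
    receives the n-bit masked sequence and can unmask only position `secret`,
    because k'_secret = k_{secret-S} = k_j is the one key bit she holds."""
    j, kj = alice_share
    cipher = encrypt(secret - j)
    return bool(cipher[secret - 1] ^ kj)

def set_member_decision(n, j, secret, bob_set):
    """SMD: is Alice's secret (1..n) in Bob's set? Bob never sees `secret`,
    Alice never sees more than one bit of the membership vector."""
    key, share = qokd_stub(n, j)
    enc = lambda s: bob_shift_and_encrypt(key, s, lambda i: i in bob_set)
    return alice_decide(share, secret, enc)

def point_inclusion_decision(r, j, point, area):
    """PID: the r x r grid of Step 1 is flattened to cells 1..r*r; `point` and
    the cells of `area` are (row, col) pairs with row, col in 0..r-1, and
    Alice's cell index plays the role of the secret (the paper's point 20)."""
    cell = lambda rc: rc[0] * r + rc[1] + 1
    return set_member_decision(r * r, j, cell(point), {cell(c) for c in area})
```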

Further discussion
In this section, the availability and efficiency of the presented solutions to PPD problems are discussed.

The availability of presented solutions
From the description above, three key factors make the solutions to PPD problems available: the oblivious key sequence, the accurate shifting value and the encoding rule. For SMD and PID, it can be seen that with the accurate shifting values and the oblivious key sequence K, Bob can hide his set M or area B with the encoding rule above. In view of this, the most important step of our solutions is to design a secure and efficient method to distribute oblivious keys. Fortunately, we give one model for designing QOKD protocols in Section 2 and prove that it leaks neither participant's privacy. That is the reason why we do not provide additional security analysis of our solutions in Section 3. Moreover, the presented QOKD protocol not only improves availability for providers and users with limited quantum abilities, but also gives the center a means of dispute resolution. For example, Alice or Bob may want to verify whether both of them have performed the required local measurement, or whether the shared entangled state is in the exact form of Eq. (1). In this case, Charlie just announces his own computational basis measurement results for the single photons. If the measurement results do not satisfy the property of Eq. (1), the protocol is invalid. Hence such an irrational denial of service does not help any participant to get more information beyond his (her) authority in practice.

The efficiency of presented solutions
For a quantum cryptography protocol, improving its efficiency is as important as ensuring its security. The communication cost of our solutions is given in Tab. 1.
Combined with the QOKD protocol in Section 2, 2n qudits are transferred to the two users in order to distribute the oblivious keys. It should be pointed out that the number of decoy states is determined by the security threshold required in practical quantum secure communication, so the cost of decoy states is not discussed here. As for the measurement resource cost, only single-qudit measurements in the computational basis are performed by the users in our QOKD protocol. Hence the presented solutions to PPD problems can be realized with current optical devices. For the classical communication complexity, only n + s classical bits are transferred in the SMD and PID protocols, where s represents the shift value announced by Alice and n the length of the final encrypted key sequence. In Shi et al. [Shi, Mu, Zhong et al. (2017)], by contrast, 4n qubits and 2n classical bits have to be transferred.
It should be pointed out, however, that the requirement to distribute entangled particles does affect the efficiency of our method to some extent. For quantum cryptography protocols based on multiparty entangled states, a third party must be introduced to distribute the entangled particles. If we let one user prepare and distribute the entangled states in a two-party protocol, he (she) will be able to measure or entangle auxiliary particles to eavesdrop on the other's privacy. However, how to distribute entangled particles in an insecure environment to rational users (who may perform attacks later for their own profit) is still an open problem for further research.

Table 1: The communication cost of the presented solutions
Quantum Operations: Null
Quantum Measurements: 2n single measurements in the computational basis
Transferred Quantum Messages: 2n qudits
Transferred Classical Messages: n + s bits

Conclusion
In conclusion, a new QOKD protocol based on a four-dimensional entangled state is proposed. Here the provider and user need only limited quantum capabilities, namely performing computational basis measurements on single photons. The protocol is then proved to be secure, without leaking the privacy of the participants. Based on the technique of QOKD, direct solutions have been presented to the extended PPD problems, SMD and PID. Moreover, further discussions of the solutions are provided from the viewpoint of availability and efficiency. Finally, it should be pointed out that QOKD is a significant technique for designing QSMC protocols. From the early attempts at QPQ to the presented SMD and PID, sharing oblivious keys between the users plays a fundamental role. It is hoped that our results will be helpful to the further study of quantum cryptography based on QOKD.

LBH-Z17048. Professor Shenggen Zheng and Xiangfu Zou also gave us some helpful comments. We are grateful for their constructive opinions.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.