Oblivious transfer (OT) is a two-party cryptographic primitive described as follows: Sender sends two bits/qubits to the receiver and the receiver can choose to receive only one of them. The protocol is secure when none of the parties obtain an information they are not supposed to obtain i.e. sender does not know which bit/qubit the receiver has chosen, and the receiver does not obtain information about the other bit/qubit. This protocol achieves the task of practical OT where it can be realised with available optoelectronic apparatus while being computationally secure.

Practical Quantum Oblivious Transfer

This quantum OT protocol [1] under realistic experimental assumptions has two phases. The preparation phase, followed by the computation phase.

Preparation phase:

• The protocol is adjusted to the physical limitations of the receiver’s detection apparatus.
• The receiver conveys to the sender the experimental imperfections of his detectors i.e. the quantum efficiency and dark count rate.
• The sender conveys the intensity of the light pulses she will use which conveys the information about the fraction of sender’s pulses that will be detected successfully by the receiver, and the bit error rate she will be willing to correct in his data to compensate for his dark counts and other noise sources in the detector.
• The sender and receiver agree on the security parameter of the OT protocol and on the linear binary error-correcting code.
• Finally, they perform a test run to verify that the receiver indeed detects the sender pulses with the said probability and error rate.

Computation phase:

• The sender sends a random sequence of highly attenuated coherent pulses of the four canonical polarizations from the standard basis and the Hadamard basis.
• The receiver randomly decides for each pulse whether to measure it in the standard or the Hadamard basis, and records the basis and measurement results. The receiver then reports the arrival times of all pulses he received to the sender, but not the bases or the measurement results.
• The sender then conveys to the receiver the bases measurement she used for each of the pulses received by the receiver.
• The receiver partitions his pulses into two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the incorrect basis. He tells the sender the addresses of the two sets without telling which is the good and which is the bad one. Now, the receiver shares with the sender a word corresponding to his good set of measurements; he shares nothing with her with respect to his bad set of measurements. The sender does not know which word she shares with the receiver.
• Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error free channel. Given this data, the receiver is able to recover the original word corresponding to his good set but not that corresponding to his bad set. Furthermore, the sender computes the parity of a random subset of each set, and tells the receiver the addresses defining these random subsets, but not the resulting parities. At this point, the receiver knows one of these parities exactly, and nothing about the other parity, and he knows which parity he knows. The sender knows both parities, but she does not know which one the receiver knows.
• The receiver tells the sender whether the index of the parity he knows and the index of the bit he wishes to know are equal. If they are equal, sender gives the xor of same indexed bit and the parity, otherwise she gives him the xor of opposite indexed bit and the parity. From this, the receiver extracts the desired bit.

The protocol uses physical/experimental assumptions instead of the usual computational ones. However, the assumptions can be rendered as the assumption of the existence of one-way functions.

Network Stage: Prepare and Measure

• Basic state preparation and measurement devices.
• Access to an error-free classical channel.

• $b_0$ and $b_1$: The two one-bit messages of the sender out of which one is to be received by the receiver.
• $q$: Quantum efficiency of receiver’s detectors.
• $d$: Dark count rate of receiver’s detectors.
• $mu$: Intensity of light pulses used by the sender.
• $a$: Fraction of pulses sender will expect receiver to detect successfully.
• $epsilon$: Bit error rate sender will be willing to correct in receiver’s data to compensate for his dark counts and other noise sources.
• $N$: Security parameter, bits twice the number of which will be used in communication.
• $x_0$ and $x_1$: Parities of the two random subsets of each set.
• $c$: Receiver’s choice of the one-bit message.
• $hat{c}$: Index of the set whose parity is known to the receiver.

• Nothing is known about the security of this protocol against coherent measurement attack.
• Any attack consistent with quantum physics can be thwarted from a computational point of view under the assumption that one-way functions exist.
• Any attack on the protocol must be carried out ‘on-line’, that is when the protocol is taking place.
• Safe oblivious transfer can be achieved when $H(tilde{E}) < – frac{1 – e-p – pe-@}{2a}$, where $H$ is the entropy function. If this condition cannot be met, the sender aborts the protocol.
• There is no need of quantum memory.

Preparation phase:

• The receiver tells the sender the quantum efficiency $q$ and the dark count rate $d$ of his detectors.
• If satisfactory, the sender tells the receiver the value of $mu$, $a$, $epsilon$, and $N$.
• Then they agree on a linear binary error-correcting code capable of correcting with very high probability $N$-bit words transmitted with expected error rate $epsilon$.
• Finally, both the parties perform a test run.
• The sender sends pulses of intensity $mu$ in a prearranged sequence of polarizations.
• The receiver reads each pulse in the correct basis.
• He then verifies if he can detect the pulses with probability greater than $a$ and error rate less than $epsilon$.

Computation phase:

• The sender sends a random sequence of $frac{2N}{a}$ pulses in either of ${|0rangle, |1rangle, |+rangle, |-rangle}$ states.
• The receiver obtains roughly $2N$ pulses after measuring each of them randomly in the standard or the Hadamard basis. He records the basis and the measurement.
• He then reports to the sender the arrival times of all $2N$ pulses he received, but not the bases he used or his measurement results.
• The sender then tells the receiver the bases she used to send each of the pulses he received.
• The receiver creates two sets: a “good” set consisting of pulses he received in the correct basis, and a “bad” set consisting of pulses he received in the wrong basis.
• He tells the sender the addresses of the two sets without telling which is the good and which is the bad one.
• Now, the receiver shares with the sender a $N$-bit string corresponding to his good set and nothing with respect to his bad set of measurements.
• Using the error-correcting code, sender computes the syndromes of the words corresponding to each set, and she sends them to the receiver over an error-free channel.
• The receiver recovers the original word corresponding to his good set and gets to know nothing about the bad set.
• The sender now computes the parity of a random subset of each set and tells the receiver the addresses defining these random subsets.
• The receiver knows one of these parities, indexed $hat{c}$, and nothing about the other parity, and he knows which parity he knows.
• The sender knows both the parities $x_0$ and $x_1$, but does not know which one the receiver knows.
• The receiver tells the sender whether or not $c = hat{c}$.
• If $c = hat{c}$, sender sends $x_0 oplus b_0$ and $x_1 oplus b_1$, else, she sends $x_0 oplus b_1$ and $x_1 oplus b_0$.
• From this, the receiver extracts $b_c$.

Although this protocol was designed with practical considerations in mind, it was not directly implemented. 
More recent and loss tolerant variants QOT has been implemented: Two independent practical experiments implemented OT in the noisy storage model: Erven et al. [2] implementation was based on Discrete Variables and generated a 1366-bit random oblivious transfer string in ∼3 min. the second one is by Furrer et al. [3] which is based on Continuous Variables and achieved a generation rate of around 1000 oblivious bit transfers per second.

1. Bennett, Charles H., Gilles Brassard, Claude Crépeau, and Marie-Hélene Skubiszewska. “Practical quantum oblivious transfer.” In Annual international cryptology conference, pp. 351-366. Berlin, Heidelberg: Springer Berlin Heidelberg, 1991.
2. Erven, Christopher, N. Ng, Nikolay Gigov, Raymond Laflamme, Stephanie Wehner, and Gregor Weihs. “An experimental implementation of oblivious transfer in the noisy storage model.” Nature communications 5, no. 1 (2014): 3418.
3. Furrer, Fabian, Tobias Gehring, Christian Schaffner, Christoph Pacher, Roman Schnabel, and Stephanie Wehner. “Continuous-variable protocol for oblivious transfer in the noisy-storage model.” Nature communications 9, no. 1 (2018): 1450.