- Cryptography
Quantum Oblivious Transfer
Quantum oblivious transfer (QOT) is a cryptographic primitive where a sender transmits one of multiple messages and the receiver learns exactly one without the sender knowing which, using quantum mechanics to achieve information-theoretic security impossible classically.
Oblivious transfer (OT) is a foundational primitive in cryptography. In the canonical 1-out-of-2 OT protocol, a sender (Alice) holds two messages m_0 and m_1, and a receiver (Bob) holds a choice bit b. At the end of the protocol, Bob learns m_b and nothing about m_{1-b}, while Alice learns nothing about b. Despite its simplicity, OT is remarkably powerful: it is complete for secure two-party computation, meaning any function of two private inputs can be computed securely if the parties have access to an OT oracle. In classical cryptography, all known OT constructions rely on computational hardness assumptions such as the difficulty of factoring or the discrete logarithm problem, which means security holds only against computationally bounded adversaries and collapses under quantum attacks on those hardness assumptions.
Quantum mechanics offers a route to OT with information-theoretic security, meaning security holds against computationally unbounded adversaries. The intuition is that quantum states cannot be cloned and that measuring a quantum state disturbs it irreversibly. An early and influential construction by Bennett, Brassard, Breidbart, and Wiesner adapted BB84-style encoding: Alice encodes each message bit into a random basis (rectilinear or diagonal), Bob measures in a randomly chosen basis, and the mismatch between bases creates the asymmetric knowledge structure required for OT: Bob's outcomes are reliable only at the positions where his basis matched Alice's, he knows which positions those are, and Alice does not. Later work by Crépeau and Kilian formalized this into a provably secure QOT protocol under specific physical assumptions about the quantum channel and the devices.
A subtle but important result in quantum cryptography is that unconditionally secure QOT is impossible if both parties are fully quantum and dishonest, due to a reduction from OT to bit commitment and the known impossibility of unconditional quantum bit commitment. This is known as the Lo-Chau no-go theorem. Practical QOT protocols therefore either assume bounded quantum storage, the bounded or noisy quantum storage model, in which the receiver cannot store arbitrarily many qubits coherently for an arbitrarily long time, or they operate in the common reference string model with computational assumptions. The bounded storage model is physically motivated: current quantum memories have limited coherence times, which naturally limits the adversary's quantum storage capacity.
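A classical simulation of the BB84-style construction described above, and of why the bounded-storage assumption in this section is needed, added here as an illustration; it is not code from any of the cited works. It models each qubit as a (bit, basis) pair and a mismatched-basis measurement as a coin flip, and the index-set exchange with one-bit parity keys is this example's simplification of the BBCS-style protocol; all function and variable names are assumptions.

```python
import secrets
from typing import List, Tuple

Qubit = Tuple[int, int]   # (encoded bit, basis); basis 0 = rectilinear, 1 = diagonal

def alice_prepare(n: int) -> List[Qubit]:
    """Alice encodes n random bits, each in an independently random conjugate basis."""
    return [(secrets.randbits(1), secrets.randbits(1)) for _ in range(n)]

def measure(q: Qubit, basis: int) -> int:
    """Classical stand-in for a qubit measurement: matching basis reads the bit, mismatch is a coin flip."""
    return q[0] if basis == q[1] else secrets.randbits(1)

def parity(bits: List[int], idx: List[int]) -> int:
    """One-bit key derived from the bits at the given positions (XOR of all of them)."""
    k = 0
    for i in idx:
        k ^= bits[i]
    return k

def alice_respond(qubits: List[Qubit], sets: Tuple[List[int], List[int]], m0: int, m1: int) -> Tuple[int, int]:
    """Alice keys m0 with the parity of her bits on sets[0] and m1 with sets[1]; she cannot tell which set Bob can read."""
    bits = [q[0] for q in qubits]
    return m0 ^ parity(bits, sets[0]), m1 ^ parity(bits, sets[1])

def qot_honest(m0: int, m1: int, b: int, n: int = 64) -> int:
    """Honest, memory-less Bob: measures immediately, learns m_b and nothing about m_{1-b}."""
    qubits = alice_prepare(n)
    bob_bases = [secrets.randbits(1) for _ in range(n)]
    outcomes = [measure(q, bs) for q, bs in zip(qubits, bob_bases)]   # measured before bases are known
    alice_bases = [q[1] for q in qubits]                                # Alice reveals her bases afterwards
    good = [i for i in range(n) if bob_bases[i] == alice_bases[i]]      # Bob's reliable positions
    bad = [i for i in range(n) if bob_bases[i] != alice_bases[i]]       # outcomes here are noise
    if not good or not bad:
        raise RuntimeError("degenerate run (probability about 2^-(n-1)); rerun")
    sets = (good, bad) if b == 0 else (bad, good)    # Bob sends (I_b, I_{1-b}); I_b is his readable set
    c = alice_respond(qubits, sets, m0, m1)
    return c[b] ^ parity(outcomes, good)             # on matched positions Bob's outcomes equal Alice's bits

def qot_unbounded_memory_bob(m0: int, m1: int, n: int = 64) -> Tuple[int, int]:
    """Bob who keeps every qubit coherent until Alice announces her bases measures each in the
    right basis, so both index sets are reliable and he recovers both messages (what bounded storage rules out)."""
    qubits = alice_prepare(n)
    alice_bases = [q[1] for q in qubits]
    outcomes = [measure(q, bs) for q, bs in zip(qubits, alice_bases)]   # measured only after the reveal
    sets = (list(range(n // 2)), list(range(n // 2, n)))                 # any split; every outcome is correct
    c = alice_respond(qubits, sets, m0, m1)
    return c[0] ^ parity(outcomes, sets[0]), c[1] ^ parity(outcomes, sets[1])
```

The one-bit parity key stands in for the hashing and privacy-amplification step of real protocols; the second function shows that the honest-receiver guarantee rests entirely on Bob being forced to measure before the basis reveal.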
The connection to secure multi-party computation makes QOT a cornerstone of quantum cryptographic theory. Because any classical computation can be reduced to a sequence of OT invocations, and because QOT can in principle achieve information-theoretic security, QOT is the quantum analog of a universal secure computation primitive. Proof-of-principle QOT demonstrations have been reported in optical systems using polarization-encoded photons, and the bounded storage model has been experimentally validated in settings where the adversary’s storage is limited by the coherence time of available quantum memories. However, as of 2025, no commercially deployed QOT system exists; practical deployment awaits quantum memories with sufficiently high fidelity and long coherence times to close the gap between experimental demonstrations and usable network primitives.