Multi-Database Classical Symmetric Private Information Retrieval with Quantum Key Distribution
This example protocol performs the task of symmetric private information retrieval (SPIR) and has unconditional security (a.k.a. information-theoretic security). It is a quantum multi-database one-round protocol, based on a classical multi-database SPIR protocol, that uses quantum key distribution (QKD) to share randomness between servers and to secure classical channels between the user and the servers, and thus do without the assumption of perfectly secured channels of classical multi-database SPIR protocols.
- All parties: All parties have a trusted random number generator and all QKD devices are honest. All messages sent through the classical channels are encrypted with a classical one-time pad.
- Data centres: Data centres are not allowed to communicate after the key exchange step. They do not leak QKD keys intentionally to other parties.
Outline for a generic one-round two-database SPIR protocol with QKD:
There are three parties, a user and two data centres. Each data centre has a copy of the database. In symmetric private information retrieval, the user wants to retrieve an element from a database owned by another party (here, two other parties: data centres 1 and 2) without revealing which element is retrieved; the user should not have access to other database elements.
- Sharing secret keys between parties: At the beginning of the protocol, for each pair of parties (i.e., user and data centre 1, data centre 1 and data centre 2, user and data centre 2), shared secret keys are established via a single round of quantum key distribution. If any of the key distribution protocols abort, then the whole SPIR protocol aborts.
The next steps are the same as these of a generic one-round two-database classical SPIR protocol.
- Query: Then, the user generates two queries; one for each data centre. Queries are some encryptions of the index of the desired database element using some local randomness.
- Answer: From the queries received, their copy of the database, and their secret key shared with the user, each data centre generates an answer and sends it to the user.
- Retrieval: Lastly, the user can reconstruct the desired database element from the answers of each datacentre and his own inputs.
- : user.
- : data centre.
- : Eve, an eavesdropper.
- : user’s local randomness (random variable); : given randomness ().
- : input random variable; : given input ().
- : database random variable; : given database ().
- : random variable which represents the database entry that the user wants to retrieve; : given desired database entry ().
- : query function, used by the user to generate his query to the data centre. Input and output are random variables.
- : answer function, used by the data centre to generate his answer to the user’s query. Input and output are random variables.
- : decoding function, used by the user to decode the desired database element. Input and output are random variables.
- : QKD key random variable (the user has and to communicate with data centres 1 and 2 respectively; data centre 1 has and to communicate with the user and data centre 2 respectively; data centre 2 has and to communicate with the user and data centre 1 respectively); : given QKD key ().
- : half of the key used for encryption (random variable); : given key ().
- : half of the key used for decryption (random variable); : given key ().
- : query generated by the user for the data centre.
- : query received by the data centre (may be different from ).
- : secure channel connecting the user with the data centre.
- : reply generated by the data centre for the user after receiving .
- : reply from the data centre received by the client (may be different from ).
- : database element retrieved by the user at the end of the protocol.
- : probability that at least one of the three QKD protocols aborted ().
- : probability that the QKD protocol between parties and aborts, where (: user; : data centre 1; : data centre 2).
- : this is the event “none of the three QKD protocols aborted”.
- : trace distance between two quantum systems ( where is the trace norm).
- : total view of the user and the eavesdropper conditioned by .
- : total view of data centre and the eavesdropper conditioned by .
- : total view of the eavesdropper conditioned by and .
- Quantum channels to perform QKD between parties.
- Classical authenticated channels.
- QKD devices to prepare and measure qubits.
For this protocol, SPIR security definitions (see (Symmetric) Private Information Retrieval) are extended as follow:
- -correctness: If the user and the data centres are honest, then for any index and database , .
- -user privacy: If the user is honest, then for any database and shared secret keys between the data centres , and for any data centre , for all indexes and .
- -database privacy: If the data centres are honest, then for any index , randomness and keys , then there exists an index such that for all databases and with , .
In addition to the above extended SPIR security definitions, the notion of protocol secrecy is added which allows to bound the amount of information that an external eavesdropper may obtain on the database or the index of the desired database element . This extra definition is required for this protocol as it relies on practical QKD protocols, which means that there is a non-zero probability that an eavesdropper may learn part of the QKD keys.
- -protocol secrecy: If the user and the data centres are honest, then for all index-database pairs and , .
Those extended security definitions result from the possibility of unperfect QKD keys and the non-zero probability that one of the three QKD protocols may abort.
A SPIR protocol that satisfies the four above conditions is said to be -secure.
A two-database one-round -secure SPIR protocol with ideal keys replaced by -secure QKD keys, where (see QKD security definitions), can be shown to be -secure (see Kon and Lim (2021) for a proof).
- User : index of desired database item, ; randomness ; ,,.
- Data centre : database .
- Data centre : database .
- User : retrieved database element (it may be different from the desired database element in the case of malicious parties).
- Sharing secret keys between parties: each pair of parties perform a single-round quantum key distribution protocol (see e.g., MDI-QKD and this specific protocol), so that at the end of the secret sharing phase, data centre and the user share secret key pair ; data centre and the user share secret key pair ; and data centres and share secret key pair . If any of the key distribution protocols abort, then the whole SPIR protocol aborts.
The next steps are the same as for a generic one-round two-database classical SPIR protocol like this of Gertner et al (2000).
- Query: Query (resp. ) is generated by the user and sent via QKD-secured (one-time pad encryption with QKD shared secret keys) classical channel (resp. ) to data centre (resp. ).
- Answer: After receiving query (resp. ), data centre (resp. ) generates answer (resp. ) and sends it to the user via (resp. ).
- Retrieval: The user decodes the received database element using : .
- This protocol is a one-round protocol where there is a single round of query from the user to the data centres and a single round of answer from the data centres to the user. It can be extended to multi-round protocols by simply allowing several successive rounds of queries and answers.
- Classical multi-database SPIR protocols require pre-shared secret keys between parties: to secure communication between user and data centres, and between data centres to achieve data privacy (private shared randomness between data centres is a key element to accomplish the task of conditional disclosure of secrets (CDS) as introduced by Gertner et al (2000)).
- With current QKD technology, this SPIR protocol is feasible, as shown by Kon and Lim (2021).