# Multi-Database Quantum Symmetric Private Information Retrieval without Shared Randomness

This example protocol by Kerenidis and de Wolf (2003) performs the task of symmetric private information retrieval (SPIR) and has information-theoretic security. It is a multi-database scheme that works on top of a classical multi-database PIR scheme by Beimel et al (2002). The main feature of this protocol is that is does not require any shared randomness between servers which is the main assumptions of most SPIR protocols; however, this is achieved in the honest user model only. Moreover, it satisfies the correctness, user privacy and data privacy conditions, hence, it is a perfectly secure SPIR scheme.

## Assumptions

• Honest user
• No communication assumption (between servers)

## Outline

A user wants to privately retrieve an element from a classical database that has been replicated and distributed among ${\displaystyle k}$ servers. Servers do not want the user to get any information on the database beyond the desired database item.

• Query: First, the user hides the index of the desired database element in several classical queries (one per server) and using some randomness. Then, the user prepares one quantum register (‘query register’) per server that depends on the classical query, on some new randomness (one per server) and on some function of the index of the desired database element and the randomness of the classical queries (which will be useful in the retrieval phase). Those quantum registers are entangled with another qubit kept by the user, and then sent to the user.
• Answer: Each server applies some unitary map on the received query register and sends the resulting register (‘answer register’) back to the client. The classical answer of a given server is encoded in the corresponding answer register.
• Retrieval: From all the received answer registers, the user can retrieve the desired database element: the user disentangles the answer registers from his qubit, then applies a Hadamard transform to his qubit and measures it in the computational basis. The outcome of the measurement is the desired database element.

## Notation

• ${\displaystyle k}$: number of servers involved in the protocol.
• ${\displaystyle n}$: number of database elements.
• ${\displaystyle x}$: database; this is an ${\displaystyle n}$ bit string.
• ${\displaystyle i}$: index of the desired database element, ${\displaystyle x_{i}}$.
• ${\displaystyle r}$: random string.
• ${\displaystyle t}$: length of a query bit string (sent by the user to one of the ${\displaystyle k}$ servers).
• ${\displaystyle a}$: length of an answer bit string (sent by one of the ${\displaystyle k}$ servers to the user).
• ${\displaystyle a_{j}}$: classical answer of the ${\displaystyle j^{\text{th}}}$ server in Beimel et al classical PIR scheme.
• ${\displaystyle b_{j}}$: combined with the ${\displaystyle a_{j}}$’s, the ${\displaystyle b_{j}}$’s (which are known only to the user) allow the user to reconstruct the desired database element at the end of Beimel et al protocol.

## Requirements

User:

• Has a random number generator.
• Can prepare, measure, and apply quantum gates to quantum registers.

Servers:

• Can apply gates to quantum registers.

Communication:

• A quantum channel.

## Properties

### Security

Precise security definitions for correctness, user privacy and data privacy that are used in this protocol are the following:

• Correctness (or Recovery): For all choices of database ${\displaystyle x}$ and index ${\displaystyle i}$, the probability that the output (bit) of the protocol on the user's side is the desired database element equals ${\displaystyle 1}$.
• User privacy: the density matrix of each server is independent of the index ${\displaystyle i}$ of the desired database item throughout the protocol.
• Data privacy: the concatenation of the density matrices of the user is independent of other database items than the desired one (${\displaystyle x_{j}\forall j\neq i}$) throughout the protocol.

This protocol ensures perfect user and data privacy and satisfies the correctness condition. Hence, it is secure.

### Communication Complexity

This protocol uses ${\displaystyle n^{O(\log \log(k)/k\log(k))}}$ qubits of communication.

## Protocol Description

Inputs:

• User: index of the desired database element ${\displaystyle i}$.
• Each of the ${\displaystyle k}$ servers: database ${\displaystyle x}$ (an ${\displaystyle n}$ bit string).

Output:

• User: desired database element ${\displaystyle x_{i}}$ (a single bit of ${\displaystyle x}$).

Protocol:

This protocol works on top of Beimel et al classical PIR scheme, which involves the following steps:

• Query: The user generates a random string ${\displaystyle r}$ and ${\displaystyle k}$ queries ${\displaystyle q_{1}(i,r),...,q_{k}(i,r)\in \{0,1\}^{t}}$. The user sends each query to the corresponding server.
• Answer: Each server answers the user: the ${\displaystyle j^{\text{th}}}$ server answers with classical answer ${\displaystyle a_{j}\in \{0,1\}^{a}}$.
• Retrieval: The user outputs the desired database element ${\displaystyle x_{i}=\sum _{j=1}^{k}a_{j}\cdot b_{j}}$ where ${\displaystyle b_{j}=b_{j}(i,r)\in \{0,1\}^{a}}$, and all operations are modulo 2.

Kerenidis and de Wolf quantum SPIR scheme works as follows:

• Query:
• The user generates a random string ${\displaystyle r}$, ${\displaystyle k}$ queries ${\displaystyle q_{1}(i,r),...,q_{k}(i,r)\in \{0,1\}^{t}}$ and ${\displaystyle k}$ random strings ${\displaystyle r_{1},...,r_{k}\in \{0,1\}^{a}}$.
• The user prepares a ${\displaystyle (k+1)}$-register state: ${\displaystyle {\frac {1}{\sqrt {2}}}|0\rangle |q_{1},r_{1}\rangle ...|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle |q_{1},r'_{1}\rangle ...|q_{k},r'_{k}\rangle }$ where ${\displaystyle r'_{j}:=r_{j}+b_{j}}$ and ${\displaystyle b_{j}=b_{j}(i,r)\in \{0,1\}^{a}}$ is the part known only to the user that, together with the answers of the server, allows the user to reconstruct the desired database element at the end of Beimel et al PIR protocol: ${\displaystyle \sum _{j=1}^{k}a_{j}\cdot b_{j}=x_{i}}$.
• The user keeps the first ${\displaystyle 1}$-qubit register and sends the other ${\displaystyle k}$ registers to the corresponding server.
• Each server applies a unitary map to the received quantum register: ${\displaystyle |q_{j},r\rangle \rightarrow (-1)^{a_{j}\cdot r}|q_{j},r\rangle }$ where ${\displaystyle a_{j}=a_{j}(q_{j},x)\in \{0,1\}^{a}}$ is the classical answer of the ${\displaystyle j^{\text{th}}}$ server to the user in Beimel et al PIR protocol. The transformed quantum register is then sent back to the user.
• The complete state owned by the user is now of the form: ${\displaystyle {\frac {1}{\sqrt {2}}}|0\rangle (-1)^{a_{1}\cdot r_{1}}|q_{1},r_{1}\rangle ...(-1)^{a_{k}\cdot r_{k}}|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle (-1)^{a_{1}\cdot r'_{1}}|q_{1},r'_{1}\rangle ...(-1)^{a_{k}\cdot r'_{k}}|q_{k},r'_{k}\rangle }$ ${\displaystyle ={\frac {1}{\sqrt {2}}}|0\rangle (-1)^{\sum _{j=1}^{k}a_{j}\cdot r_{j}}|q_{1},r_{1}\rangle ...|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle (-1)^{\sum _{j=1}^{k}a_{j}\cdot r'_{j}}|q_{1},r'_{1}\rangle ...|q_{k},r'_{k}\rangle }$ ${\displaystyle ={\frac {1}{\sqrt {2}}}|0\rangle (-1)^{\sum _{j=1}^{k}a_{j}\cdot r_{j}}|q_{1},r_{1}\rangle ...|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle (-1)^{\sum _{j=1}^{k}a_{j}\cdot (r_{j}+b_{j})}|q_{1},r'_{1}\rangle ...|q_{k},r'_{k}\rangle }$ ${\displaystyle =(-1)^{\sum _{j=1}^{k}a_{j}\cdot r_{j}}\left({\frac {1}{\sqrt {2}}}|0\rangle |q_{1},r_{1}\rangle ...|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle (-1)^{\sum _{j=1}^{k}a_{j}\cdot b_{j}}|q_{1},r'_{1}\rangle ...|q_{k},r'_{k}\rangle \right)}$ Hence, up to a global phase ${\displaystyle (-1)^{\sum _{j=1}^{k}a_{j}\cdot r_{j}}}$, this state is: ${\displaystyle {\frac {1}{\sqrt {2}}}|0\rangle |q_{1},r_{1}\rangle ...|q_{k},r_{k}\rangle +{\frac {1}{\sqrt {2}}}|1\rangle (-1)^{x_{i}}|q_{1},r'_{1}\rangle ...|q_{k},r'_{k}\rangle }$.
• To retrieve the desired database element ${\displaystyle x_{i}}$, the user then maps the ${\displaystyle k}$ quantum registers to the ground state – this way, entanglement is destroyed, and the first qubit is in state ${\displaystyle {\frac {1}{\sqrt {2}}}(|0\rangle +(-1)^{x_{i}}|1\rangle )}$.
• Lastly, the user applies a Hadamard transform to the first qubit, which is now in state ${\displaystyle |x_{i}\rangle }$. Measuring in the computational basis ${\displaystyle \{|0\rangle ,|1\rangle \}}$ has classical outcome the desired bit ${\displaystyle x_{i}}$.