Quantum Private Queries Protocol Based on Quantum Oblivious Key Distribution
This example protocol performs the task of symmetric private information retrieval (SPIR) and has information-theoretic security. It is based on a quantum oblivious key distribution scheme. Like any quantum private queries protocol, it is cheat-sensitive, in the sense that user privacy relies on the non-zero probability for a cheating server to be detected. As for data privacy, the amount of information accessed by the user about the database is bounded.
Tags: Quantum Enhanced Classical Functionality, Specific Task, Two Party Protocol, Information-Theoretic Security, Symmetric Private Information Retrieval, Quantum Private Queries, Quantum Key Distribution, Quantum Oblivious Key Distribution, Single-Database.
The security of this protocol relies on fundamental physics principles:
- Impossibility of superluminal communication (for user privacy).
- Impossibility to deterministically discriminate non-orthogonal states (for database privacy).
To achieve perfect user privacy, one must make the following assumption:
- The server (Bob) will not cheat if he has a non-zero probability of being caught cheating.
A user, Alice, wants to retrieve an element from a database owned by a server, Bob, without revealing to Bob which element was retrieved (user privacy). Bob wants the amount of information that Alice can get on other database elements than the desired one to be bounded (data privacy).
- Quantum oblivious key distribution: Alice and Bob perform a quantum key distribution (QKD) protocol in such a way that at the end of the protocol, Alice and Bob share a bit string known entirely to Bob and in a quarter to Alice: such a protocol is referred to as quantum oblivious key distribution. Then the key length is reduced to match the size of the database, while ensuring that Alice knows approximately one bit of the new key (the position of the known bit is unknown to Bob).
- Query: Alice announces to Bob a (classical) shift corresponding to the difference between the index of the known bit of the key and the index of the desired database element.
- Answer: Bob encodes the database by bitwise adding the key, shifted by Alice’s shift. Then Bob announces the encoded database.
- Retrieval: By adding bitwise the shifted key to the encoded database, Alice can recover each database element for which she knew the corresponding (shifted) bit of the key.
- : number of elements in the database.
- : database; : database element.
- : index of the desired database element
- : index of a bit of the QKD key known to Alice.
- : a security parameter for the QKD key.
- : BB84 states.
- : basis.
- : basis.
- : key used to encode the database; it is a random bit string of length .
- : encoded database (by bitwise adding the shifted QKD key).
- Can measure single qubits.
- Can prepare single qubits.
- A quantum channel.
- A classical authenticated channel.
- User privacy: In the case of an honest server (Bob), there is perfect user privacy as Alice never communicates about the index of her known bit of the key. However, there are strategies that allow a malicious server to infer which bit of the key is known to Alice; but any such strategy implies a loss of knowledge on the bit value of this specific key element, and so Bob may introduce errors in the encoding of the database that would automatically be detected by Alice. Hence, assuming that the server will not cheat if there is a non-zero probability of being caught cheating, this protocol ensures perfect user privacy.
- Data privacy: An honest Alice may know more than one bit of the final QKD key as the number of bits known to her is probabilistic; this means she could access as many extra database elements with certainty as the number of extra bits of the key that she knows. Moreover, for any other database elements whose encoding is unknown to an honest Alice, she has a 50% chance of guessing correctly the corresponding key element. There are some cheating strategies that increase this probability; however, its increase is constrained by the choice of the security parameter . Lastly, it is important to note that a cheating Alice cannot be detected by Bob.
- User (Alice): index of the desired database element.
- Server (Bob): classical database with elements: .
- Both (Alice & Bob): a security parameter .
- User (Alice): desired database element .
- Quantum oblivious key distribution:
- Bob generates a random bit string of length .
- Bob encodes each bit of the string in the state of a qubit belonging to one of two bases or : for each bit, if it is , Bob chooses between and , if it is , Bob chooses between and .
- Bob sends the prepared qubits to Alice.
- Alice measures each state in the basis or basis at random.
- Alice announces to Bob in which instances she detected the sent qubit.
- For each qubit that Alice successfully detected, Bob announces a pair of two states including the state that was sent. The other state is chosen at random in the other basis.
- Partial reconstruction of the key: Using her measurement outcomes and Bob’s announced pairs of qubits, Alice can deduce the bit value of part of the key ( of conclusive results).
At this stage, Alice and Bob share a secret key of length which is known partially () to Alice and entirely to Bob. Bob does not know which bits of the key are known to Alice.
- Reduction of the key length: The key is cut into substrings of length . Then pieces of the key are added bitwise to create a new key of length , . This reduces the number of bits of the new key that Alice knows to roughly one bit (ideally, Alice should know exactly one bit of the new key).
- Query: Alice announces to Bob a shift where is the index of the desired database element and is the index of a bit of the key known to Alice.
- Answer: Bob announces to Alice bits corresponding to the encoded database.
- Retrieval: Alice recovers the desired database element by adding her known bit of the key, to the received bit : .
- The QKD part of this quantum private queries protocol is based on the SARG04 QKD scheme. However, any QKD protocol that is compatible with the SARG04 scheme would work.
- This protocol is loss resistant and scalable to large databases.