(Symmetric) Private Information Retrieval: Difference between revisions

Jump to navigation Jump to search
Added a "Optimal communication complexity of the (Q)(S)PIR problem" subsection in "Further Information" section + some minor edit on OT
m (Adding some use-cases)
(Added a "Optimal communication complexity of the (Q)(S)PIR problem" subsection in "Further Information" section + some minor edit on OT)
Line 4: Line 4:
==Description==
==Description==
<!-- Description: A lucid definition of functionality in discussion.-->
<!-- Description: A lucid definition of functionality in discussion.-->
Private information retrieval (PIR) is a classical cryptographic functionality that allows one party (user) to privately retrieve an element from a classical database owned by another party (server), i.e., without revealing to the other party which element is being retrieved (user privacy).<br><br>
Private information retrieval (PIR) is a classical cryptographic functionality that allows one party (user) to privately retrieve an element from a classical database owned by another party (server), i.e., without revealing to the other party which element is being retrieved (user privacy).<br></br>
Symmetric private information (SPIR) retrieval is PIR with the additional requirement that throughout and after the protocol, the user remains oblivious to other database elements, i.e., apart from the queried one (data privacy).<br><br>
Symmetric private information (SPIR) retrieval is PIR with the additional requirement that throughout and after the protocol, the user remains oblivious to other database elements, i.e., apart from the queried one (data privacy).<br></br>
In the quantum setting, the use of quantum systems is allowed to achieve (S)PIR: this may imply the use of a quantum channel between the user and the server, and the capability to prepare quantum states, apply quantum gates or measure quantum systems by one or both parties. (S)PIR in this setting is known as quantum (symmetric) private information retrieval (Q(S)PIR).<br><br>
In the quantum setting, the use of quantum systems is allowed to achieve (S)PIR: this may imply the use of a quantum channel between the user and the server, and the capability to prepare quantum states, apply quantum gates or measure quantum systems by one or both parties. (S)PIR in this setting is known as quantum (symmetric) private information retrieval (Q(S)PIR).<br></br>
Apart from using quantum techniques to enhance the classical functionality (i.e., design better protocols than their classical counterparts in terms of different metrics like e.g., communication complexity), there has also been a recent interest in a ‘fully’ quantum (S)PIR where a user wants to query a quantum database (items are quantum states)[[#References|[1]]].<br></br>
In the classical or quantum setting, (Q)SPIR and one-out-of-n (quantum) [[Oblivious Transfer|oblivious transfer]] (OT) are similar cryptographic tasks; the only minor difference between those functionalities is that protocols for OT are two-party protocols, while attempts at achieving SPIR have considered both two-party and multi-party protocols where the user communicates with several servers, each holding a copy of the database.<br></br>
Apart from using quantum techniques to enhance the classical (S)PIR functionality (i.e., design better protocols than their classical counterparts in terms of different metrics like e.g., communication complexity), there has also been a recent interest in a ‘fully’ quantum (S)PIR where a user wants to query a quantum database (items are quantum states)[[#References|[1]]].<br></br>


'''Tags:'''  
'''Tags:'''  
Line 43: Line 44:
====Single-database protocols====
====Single-database protocols====
As in the classical setting, in the case of the database being owned by a ''single'' server, the trivial solution (downloading the whole database) is the only way to achieve information-theoretically secure PIR – even in the case of a specious (may deviate from the protocol if its malicious operations are unknown to the user) server [[#References|[2]]]. <br>
As in the classical setting, in the case of the database being owned by a ''single'' server, the trivial solution (downloading the whole database) is the only way to achieve information-theoretically secure PIR – even in the case of a specious (may deviate from the protocol if its malicious operations are unknown to the user) server [[#References|[2]]]. <br>
As for (quantum or classical) SPIR, it is impossible to achieve information-theoretic security with a single-server; this result was proved in the quantum setting by Lo [[#References|[3]]]. Therefore, to design efficient PIR protocols or to achieve SPIR, several assumptions have been considered; they include:
As for (quantum or classical) SPIR, it is impossible to achieve information-theoretic security with a single-server; this result was proved in the quantum setting by Lo [[#References|[3]]]. Intuitively, this comes from the fact that the (unique) trivial solution of information-theoretically secure PIR is the worst in terms of data privacy. Therefore, to design efficient PIR protocols or to achieve SPIR, several assumptions have been considered; they include:
* Hardness assumptions: PIR protocols with computational security.
* Hardness assumptions: PIR protocols with computational security.
* Assumptions on the adversarial model:
* Assumptions on the adversarial model:
** to achieve SPIR: cheat-sensitive protocols (also known as quantum private queries (QPQ) protocols) where it is assumed that the server will not cheat if there is a non-zero probability that he will be caught cheating.  
** to achieve SPIR: cheat-sensitive protocols (also known as quantum private queries (QPQ) protocols) where it is assumed that the server will not cheat if there is a non-zero probability that he will be caught cheating.  
***[[Quantum Private Queries Protocol Based on Quantum Oblivious Key Distribution|QPQ protocols based on quantum oblivious key distribution]]
***[[Quantum Private Queries Protocol Based on Quantum Oblivious Key Distribution|QPQ protocols based on quantum oblivious key distribution]]
***[[Quantum Private Queries Protocol Based on Sending Quantum States to an Oracle|QPQ protocols based on sending quantum states to an oracle]]
***[[Quantum Private Queries Protocol Based on Quantum Random Access Memory|QPQ protocols based on quantum random access memory]]
** to achieve efficient PIR: assuming an honest server.
** to achieve efficient PIR: assuming an honest server.
***[[Single-Database Quantum Private Information Retrieval in the Honest Server Model|QPIR protocols in the honest server model]]
***[[Single-Database Quantum Private Information Retrieval in the Honest Server Model|QPIR protocols in the honest server model]]
Line 55: Line 56:
* Relativistic assumptions: quantum SPIR protocols whose security uses properties from special relativity.
* Relativistic assumptions: quantum SPIR protocols whose security uses properties from special relativity.
**[[Relativistic Quantum Oblivious Transfer|Relativistic QOT protocols]]
**[[Relativistic Quantum Oblivious Transfer|Relativistic QOT protocols]]
Nota bene: single-database (Q)SPIR and one-out-of-n (quantum) [[Oblivious Transfer|oblivious transfer]] ((Q)OT) are similar cryptographic tasks.


====Multi-database protocols====
====Multi-database protocols====
Line 88: Line 87:




<!-- ==Further Information== -->
==Further Information==
<!-- Any issue that could not be addressed or find a place in the above sections or any review paper discussing a feature of various types of protocols related to the functionality. -->
<!-- Any issue that could not be addressed or find a place in the above sections or any review paper discussing a feature of various types of protocols related to the functionality. -->
===Optimal communication complexity of the (Q)(S)PIR problem===
Below are summarised known bounds for the communication complexity of information-theoretically secure (S)PIR protocols in the classical and quantum settings, for a quantum or classical database.
*<math>f</math> : number of database elements (quantum states in the 'fully' quantum setting)
*<math>m</math> : total size of database elements (i.e., the sum of the sizes, in bits, of each database element)
*<math>d</math> : dimension of the quantum states stored in the quantum database (<math>d=2</math> if they are qubits)
*<math>k</math> : number of servers (or equivalently of replicated databases)
====Single-database case====
{| class="wikitable plainrowheaders"
! scope="col" | Problem
! scope="col" | Additional assumptions
! scope="col" | Optimal communication complexity
! scope="col" | Reference
|-
! scope="row" | Classical PIR
|  || <math>\Theta(m)</math> || [http://www.wisdom.weizmann.ac.il/~oded/PSX/pir2.pdf Chor et al (1995)]
|-
! scope="row" | Classical SPIR
|  || NA (impossible) ||
|-
! scope="row" rowspan="4" | Quantum PIR (Classical database)
| Specious server || <math>\Theta(m)</math> || [https://arxiv.org/pdf/1304.5490.pdf Baumeler and Broadbent (2015)]
|-
| Specious server & prior entanglement || <math>\Theta(m)</math> || [https://arxiv.org/pdf/1902.09768.pdf Aharonov et al (2019)]
|-
| Honest server || <math>O(poly \log (m))</math> || [https://repository.ubn.ru.nl/bitstream/handle/2066/155747/155747.pdf Kerenidis et al (2016)]
|-
| Honest server & prior entanglement || <math>O(\log (m))</math> || [https://repository.ubn.ru.nl/bitstream/handle/2066/155747/155747.pdf Kerenidis et al (2016)]
|-
! scope="row" rowspan="2" | Quantum SPIR (Classical database)
|  || NA (impossible) || [https://arxiv.org/pdf/quant-ph/9611031.pdf Lo (1997)]
|-
| The server will not cheat if there is a non-zero probability of being caught cheating & imperfect data privacy (the user should get at most two database items) || <math>O(\log (m))</math> || [https://arxiv.org/pdf/0708.2992.pdf Giovannetti et al (2008)]
|-
! scope="row" rowspan="3" | Quantum PIR (Quantum database)
| Honest server & blind setting || <math>\Theta(m)</math> || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|-
| Honest server & visible setting || <math>\Theta(m)</math> (for one-round) || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|-
| Honest server & prior entanglement || <math>O(\log (m))</math> || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|-
! scope="row" | Quantum SPIR (Quantum database)
|  ||  ||
|}
====Multi-database case====
{| class="wikitable plainrowheaders"
! scope="col" | Problem
! scope="col" | Additional assumptions
! scope="col" | Optimal communication complexity
! scope="col" | Reference
|-
! scope="row" | Classical PIR
|  ||  ||
|-
! scope="row" | Classical SPIR
| Servers do not communicate with each other & secure classical channels || <math>O(m^{\frac{1}{2k-1}}) \text{ bits}</math> || [https://dl.acm.org/doi/abs/10.1145/276698.276723 Gertner et al (2000)]
|-
! scope="row" | Quantum PIR (Classical database)
|  ||  ||
|-
! scope="row" rowspan="2" | Quantum SPIR (Classical database)
| Servers do not communicate with each other || <math>O(m^{\frac{1}{2k-1}}) \text{ bits}+ \text{ comm. complexity of QKD}</math> || [https://www.mdpi.com/1099-4300/23/1/54/htm Kon and Lim (2021)]
|-
| Servers do not communicate with each other & honest user & prior entanglement || <math>m^{O(\log \log (k)/k \log(k))}</math> || [https://arxiv.org/pdf/quant-ph/0307076.pdf Kerenidis and de Wolf (2004)]
|-
! scope="row" | Quantum PIR (Quantum database)
|  ||  ||
|-
! scope="row" rowspan="3" | Quantum SPIR (Quantum database)
| Servers do not communicate with each other & prior entanglement & visible setting & database contains pure qubit states || <math>O(f) \text{ bits} + O(1) \text{ qubits} + O(1) \text{ ebits}</math> || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|-
| Servers do not communicate with each other & prior entanglement & visible setting & database contains pure qudit states || <math>O(f) \text{ bits} + O(d^d \log (d)) \text{ qubits} + O(d^d \log (d)) \text{ ebits}</math> || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|-
| Servers do not communicate with each other & prior entanglement & visible setting & database contains commutative unitaries || <math>O(f) \text{ bits} + O(\log (d)) \text{ qubits} + O(\log (d)) \text{ ebits}</math> || [https://arxiv.org/pdf/2101.09041.pdf Song and Hayashi (2021)]
|}


==References==
==References==

Navigation menu