Quantum Private Information Retrieval with Sublinear Communication Complexity
This note presents a quantum protocol for private information retrieval, in the single-server case and with information-theoretical privacy, that has O(\sqrt{n})-qubit communication complexity, where n denotes the size of the database. In comparison,…
Authors: François Le Gall
François Le Gall (legall@is.s.u-tokyo.ac.jp)
Department of Computer Science, Graduate School of Information Science and Technology, The University of Tokyo

Abstract

This note presents a quantum protocol for private information retrieval, in the single-server case and with information-theoretical privacy, that has $O(\sqrt{n})$-qubit communication complexity, where $n$ denotes the size of the database. In comparison, it is known that any classical protocol must use $\Omega(n)$ bits of communication in this setting.

1 Introduction

Private information retrieval deals with the design and the analysis of protocols that allow a user to retrieve an item from a server without revealing which item it is retrieving. This field, introduced in a seminal paper by Chor, Kushilevitz, Goldreich, and Sudan [CKGS98], has been the subject of intensive research due to the growing ubiquity of public databases. Examples of applications include ensuring consumer privacy in e-commerce transactions or reading webpages on the Internet without revealing the user's preferences.

In the case of a single server and of information-theoretical privacy, which is the focus of this note, private information retrieval can be described as follows. The server has a database $A = (a_1, a_2, \ldots, a_\ell) \in \Sigma^\ell$, where $\Sigma = \{0,1\}^r$ is a set of items represented as $r$-bit strings, and the user has an index $i \in \{1, \ldots, \ell\}$. A private information retrieval protocol is a (classical or quantum) communication protocol between the server and the user such that, when the user and the server both follow the protocol, the user always outputs the item $a_i$ and the server gets no information about the index $i$, in the following sense. Let $V_S(A, i)$ denote the server's view of the communication generated by the protocol when the server has input $A$ and the user has input $i$. The privacy condition is that, for any database $A \in \Sigma^\ell$ and any two indexes $i, j \in \{1, \ldots, \ell\}$, the views $V_S(A, i)$ and $V_S(A, j)$ are identical. Note that, while several subtleties arise when trying to formally define the server's view in an arbitrary quantum protocol, the above description will be sufficient for our purpose due to the limited interaction between the server and the user in the quantum protocols described in this note.

It is easy to show that, classically, downloading the whole database is essentially optimal: any classical protocol must communicate a number of bits linear in the size of the database [CKGS98]. The communication complexity of quantum protocols for private information retrieval has first been investigated by Kerenidis and de Wolf [KdW04a]. Their work focused on two-message quantum protocols, and established a connection with locally decodable codes and random access codes. In particular it was proved that, for a single server, any private two-message quantum protocol must use a linear amount of communication.

This note shows that this lower bound does not hold for quantum protocols using more than two messages and describes how to construct a three-message quantum protocol for private information retrieval with sublinear communication complexity, thus breaking for the first time the linear barrier in the single-server and information-theoretical privacy setting. Our main result is the following theorem.

Theorem 1. Let $\ell$ and $r$ be any positive integers. There exists a private information retrieval quantum protocol that, for any database $A \in \Sigma^\ell$ with $\Sigma = \{0,1\}^r$, uses $2\ell + 2r$ qubits of communication.

Since the overall size of the database is $\ell r$ bits, Theorem 1 gives a quadratic improvement over classical protocols and two-message quantum protocols whenever $\ell + r = O(\sqrt{\ell r})$, for example when $\ell = \Theta(r)$. This quadratic improvement can actually be obtained for any values of $\ell$ and $r$: the idea is to decompose the database into about $\sqrt{\ell r}$ blocks, each of size about $\sqrt{\ell r}$ bits. To illustrate this, let us consider a binary database $A = (a_1, \ldots, a_\ell)$ when $\ell = s^2$ for some positive integer $s$. We construct the database $B = (b_1, \ldots, b_s)$ such that, for each $k \in \{1, \ldots, s\}$, the $k$-th block is $b_k = (a_{(k-1)s+1}, \ldots, a_{ks}) \in \{0,1\}^s$. Note that the bit $a_i$ is contained in the block $b_j$ with $j = \lceil i/s \rceil$. By running the protocol of Theorem 1 where, as inputs, the server has database $B$ and the user has index $j$, the user is able to recover the whole block $b_j$, and thus the bit $a_i$, using $O(s)$ qubits of communication.

We stress that this note considers only the setting where the parties do not deviate from the protocol, as often assumed in works focusing on algorithmic or complexity-theoretic aspects of private information retrieval. While this restriction may reduce the applicability of our result, we believe that it nevertheless illustrates the subtle interplay of interaction and quantum information in protecting privacy. Indeed, even in this setting, a linear amount of communication is needed for classical protocols and for two-message quantum protocols.

Other related works. Several other aspects of quantum protocols for private information retrieval have been investigated. The case of multiple servers has been studied in [KdW04a, KdW04b], while the case of symmetric private information retrieval, where the server's privacy is also taken into consideration, has been studied in [KdW04b, GLM08, JRS09]. Privacy issues in quantum communication complexity have been studied in [Kla04] as well. Let us mention that quantum protocols for symmetric private information retrieval are also studied under the name of quantum oblivious transfer protocols, especially when the server and the user may deviate from the protocol (i.e., when considering malicious parties).

2 Proof of Theorem 1

We suppose that the reader is familiar with quantum computation and refer to, e.g., [NC00] for an introduction to this field.

Let us first describe some of our notations. Given two bits $a, b \in \{0,1\}$, we write their parity as $a \oplus b$. For any two elements $u = (u_1, \ldots, u_r)$ and $v = (v_1, \ldots, v_r)$ in $\Sigma = \{0,1\}^r$, let us write $u \cdot v = u_1 v_1 \oplus \cdots \oplus u_r v_r$ and $u \oplus v = (u_1 \oplus v_1, \ldots, u_r \oplus v_r)$. Note that $u \cdot v$ is a bit and $u \oplus v$ is an element of $\Sigma$.

Our protocol will use the Pauli gate

$$Z := \sum_{z \in \{0,1\}} (-1)^z \, |z\rangle\langle z|$$

acting on one qubit and the Quantum Fourier Transform

$$\mathrm{QFT} := \frac{1}{\sqrt{|\Sigma|}} \sum_{y, z \in \Sigma} (-1)^{y \cdot z} \, |y\rangle\langle z|$$

acting on $r$ qubits. It will also use the gates

$$\mathrm{CNOT}^{(R_1, R_2)} := \sum_{y, z \in \Sigma} |y\rangle_{R_1} |z \oplus y\rangle_{R_2} \langle y|_{R_1} \langle z|_{R_2}$$

$$U_b^{(R_1, Q)} := \sum_{y \in \Sigma,\, z \in \{0,1\}} |y\rangle_{R_1} |z \oplus b \cdot y\rangle_{Q} \langle y|_{R_1} \langle z|_{Q},$$

where $R_1$ and $R_2$ denote $r$-qubit registers, $Q$ denotes a one-qubit register, and $b$ is any element in $\Sigma$.

We now present the proof of Theorem 1.

Proof of Theorem 1. The protocol uses $\ell + 2$ quantum registers: Registers $R$ and $R'$ each consisting of $r$ qubits, and Registers $Q_1, \ldots, Q_\ell$ each consisting of one qubit. For any database $A = (a_1, \ldots, a_\ell) \in \Sigma^\ell$, let us denote by $|\Phi_A\rangle$ the quantum state

$$|\Phi_A\rangle := \frac{1}{\sqrt{2^r}} \sum_{x \in \Sigma} |x\rangle_R |x\rangle_{R'} |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell}$$

in Registers $(R, R', Q_1, \ldots, Q_\ell)$. The protocol is described in Figure 1. It consists of three messages and uses a total amount of $2\ell + 2r$ qubits of communication.

Server's input: $A = (a_1, \ldots, a_\ell) \in \Sigma^\ell$
User's input: $i \in \{1, \ldots, \ell\}$

1. The server constructs the quantum state $|\Phi_A\rangle$ and sends Registers $R', Q_1, \ldots, Q_\ell$ to the user.
2. The user applies $Z$ over Register $Q_i$ and sends back Registers $Q_1, \ldots, Q_\ell$ to the server.
3. The server applies $U_{a_k}^{(R, Q_k)}$, for each $k \in \{1, \ldots, \ell\}$, and sends to the user Register $R$.
4. The user applies $\mathrm{CNOT}^{(R, R')}$, applies QFT over Register $R$, and then measures $R$ in the computational basis.

Figure 1: Quantum private information retrieval protocol.

We first show that in this protocol the user always outputs the correct element of the database. Observe that, at the end of Step 2, the state is

$$|\Phi\rangle = \frac{1}{\sqrt{2^r}} \sum_{x \in \Sigma} (-1)^{x \cdot a_i} |x\rangle_R |x\rangle_{R'} |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell}.$$

At Step 4, just before the user performs the measurement, the state is $|a_i\rangle_R |0\rangle_{R'} |0\rangle_{Q_1} \cdots |0\rangle_{Q_\ell}$, and measuring Register $R$ gives the element $a_i$ with probability 1.

Let us now consider the user's privacy. The only information about $i$ that a server following the protocol can obtain is from Registers $R, Q_1, \ldots, Q_\ell$ of the state $|\Phi\rangle$. Since tracing out Register $R'$ in $|\Phi\rangle\langle\Phi|$ gives the density matrix

$$\frac{1}{2^r} \sum_{x \in \Sigma} |x\rangle_R |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell} \langle x|_R \langle x \cdot a_1|_{Q_1} \cdots \langle x \cdot a_\ell|_{Q_\ell},$$

the server obtains no information about the user's input.

Remark. As already mentioned, in this note we only consider the case where the server follows the protocol. This assumption is used in the analysis of the protocol of Figure 1 in order to ensure that the server prepares the state $|\Phi_A\rangle$ at Step 1. Note that if, instead of $|\Phi_A\rangle$, the server prepared for example the state

$$|\Phi'_A\rangle := \frac{1}{\sqrt{2^r}} \sum_{x \in \Sigma} |x\rangle_R |0\rangle_{R'} |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell},$$

then it would be able to recover the index $i$ with probability one at Step 3.

Acknowledgements

The author is grateful to Takeshi Koshiba, Harumichi Nishimura, and Ronald de Wolf for helpful discussions about this work. He also acknowledges support from the JSPS, under the grant-in-aid for research activity start-up No. 22800006.

References

[CKGS98] Benny Chor, Eyal Kushilevitz, Oded Goldreich, and Madhu Sudan. Private information retrieval. Journal of the ACM, 45(6):965–981, 1998.
[GLM08] Vittorio Giovannetti, Seth Lloyd, and Lorenzo Maccone. Quantum private queries. Physical Review Letters, 100:230502, 2008.
[JRS09] Rahul Jain, Jaikumar Radhakrishnan, and Pranab Sen. A property of quantum relative entropy with an application to privacy in quantum communication. Journal of the ACM, 56(6), 2009.
[KdW04a] Iordanis Kerenidis and Ronald de Wolf. Exponential lower bound for 2-query locally decodable codes via a quantum argument. Journal of Computer and System Sciences, 69(3):395–420, 2004.
[KdW04b] Iordanis Kerenidis and Ronald de Wolf. Quantum symmetrically-private information retrieval. Information Processing Letters, 90(3):109–114, 2004.
[Kla04] Hartmut Klauck. Quantum and approximate privacy. Theory of Computing Systems, 37(1):221–246, 2004.
[NC00] Michael Nielsen and Isaac Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.
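The protocol of Figure 1 can be checked on a small instance with a classical state-vector simulation. The following is an added example, not code from the paper: the function names are hypothetical and the database of three 2-bit items is constructed. It verifies that the user measures $a_i$ with probability 1, that the server's reduced state after Step 2 is the same for every index $i$, and that this stops holding when the state $|\Phi'_A\rangle$ of the Remark is prepared instead.

```python
from math import sqrt

def dot(u, v):
    """u . v over GF(2) for r-bit strings stored as ints."""
    return bin(u & v).count("1") & 1

def prepare(A, r, honest=True):
    """Step 1: |Phi_A> as {(R, R', (Q_1..Q_l)): amplitude}.
    honest=False builds |Phi'_A> from the Remark (R' fixed to 0)."""
    amp = 1 / sqrt(2 ** r)
    return {(x, x if honest else 0, tuple(dot(x, a) for a in A)): amp
            for x in range(2 ** r)}

def user_phase(state, i):
    """Step 2: Z on Q_i (i is 1-based, as in the paper)."""
    return {k: (-c if k[2][i - 1] else c) for k, c in state.items()}

def server_view(state):
    """Reduced density matrix on (R, Q_1..Q_l) after tracing out R'."""
    rho = {}
    for (x, xp, q), c in state.items():
        for (y, yp, p), d in state.items():
            if xp == yp:  # partial trace keeps matching R' values only
                key = ((x, q), (y, p))
                rho[key] = rho.get(key, 0.0) + c * d
    return {k: round(v, 12) for k, v in rho.items()}

def finish(state, A, r):
    """Steps 3-4: U on (R, Q_k), CNOT(R, R'), QFT on R, measure R."""
    out = {}
    for (x, xp, q), c in state.items():
        q = tuple(b ^ dot(x, a) for b, a in zip(q, A))  # Step 3
        xp ^= x                                         # CNOT(R, R')
        for y in range(2 ** r):                         # QFT on R
            k = (y, xp, q)
            out[k] = out.get(k, 0.0) + c * (-1) ** dot(x, y) / sqrt(2 ** r)
    probs = {}
    for (y, _, _), c in out.items():
        probs[y] = round(probs.get(y, 0.0) + c * c, 12)
    return {y: p for y, p in probs.items() if p > 0}

def retrieve(A, r, i):
    """Honest run; returns {measured item: probability}."""
    return finish(user_phase(prepare(A, r), i), A, r)

A = [0b01, 0b11, 0b10]  # constructed database: l = 3 items, r = 2 bits
if __name__ == "__main__":
    for i in (1, 2, 3):
        print(i, retrieve(A, 2, i), "qubits sent:", 2 * len(A) + 2 * 2)
```

Comparing `server_view(user_phase(prepare(A, 2, honest=False), i))` across values of `i` shows the off-diagonal signs changing with the index, which is why the analysis needs the server to prepare $|\Phi_A\rangle$ at Step 1.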