Quantum Private Information Retrieval with Sublinear Communication Complexity


📝 Original Info

  • Title: Quantum Private Information Retrieval with Sublinear Communication Complexity
  • ArXiv ID: 1107.5881
  • Date: 2021-10-05
  • Authors: François Le Gall

📝 Abstract

This note presents a quantum protocol for private information retrieval, in the single-server case and with information-theoretical privacy, that has $O(\sqrt{n})$-qubit communication complexity, where $n$ denotes the size of the database. In comparison, it is known that any classical protocol must use $\Omega(n)$ bits of communication in this setting.


📄 Full Content

Private information retrieval deals with the design and the analysis of protocols that allow a user to retrieve an item from a server without revealing which item it is retrieving. This field, introduced in a seminal paper by Chor, Kushilevitz, Goldreich, and Sudan [CKGS98], has been the subject of intensive research due to the growing ubiquity of public databases. Examples of applications include ensuring consumer privacy in e-commerce transactions or reading webpages on the Internet without revealing the user's preferences.

In the case of a single server and of information-theoretical privacy, which is the focus of this note, private information retrieval can be described as follows. The server has a database $A = (a_1, a_2, \ldots, a_\ell) \in \Sigma^\ell$, where $\Sigma = \{0,1\}^r$ is a set of items represented as $r$-bit strings, and the user has an index $i \in \{1, \ldots, \ell\}$.

A private information retrieval protocol is a (classical or quantum) communication protocol between the server and the user such that, when the user and the server both follow the protocol, the user always outputs the item $a_i$ and the server gets no information about the index $i$, in the following sense. Let $V_S(A, i)$ denote the server's view of the communication generated by the protocol when the server has input $A$ and the user has input $i$. The privacy condition is that, for any database $A \in \Sigma^\ell$ and any two indexes $i, j \in \{1, \ldots, \ell\}$, the views $V_S(A, i)$ and $V_S(A, j)$ are identical. Note that, while several subtleties arise when trying to formally define the server's view in an arbitrary quantum protocol, the above description will be sufficient for our purpose due to the limited interaction between the server and the user in the quantum protocols described in this note.

It is easy to show that, classically, downloading the whole database is essentially optimal: any classical protocol must communicate a number of bits linear in the size of the database [CKGS98]. The communication complexity of quantum protocols for private information retrieval was first investigated by Kerenidis and de Wolf [KdW04a]. Their work focused on two-message quantum protocols, and established a connection with locally decodable codes and random access codes. In particular, it was proved that, for a single server, any private two-message quantum protocol must use a linear amount of communication. This note shows that this lower bound does not hold for quantum protocols using more than two messages and describes how to construct a three-message quantum protocol for private information retrieval with sublinear communication complexity, thus breaking for the first time the linear barrier in the single-server and information-theoretical privacy setting. Our main result is the following theorem.

Theorem 1. Let $\ell$ and $r$ be any positive integers. There exists a private information retrieval quantum protocol that, for any database $A \in \Sigma^\ell$ with $\Sigma = \{0,1\}^r$, uses $2\ell + 2r$ qubits of communication.

Since the overall size of the database is $\ell r$ bits, Theorem 1 gives a quadratic improvement over classical protocols and two-message quantum protocols whenever $\ell + r = O(\sqrt{\ell r})$, for example when $\ell = \Theta(r)$. This quadratic improvement can actually be obtained for any values of $\ell$ and $r$: the idea is to decompose the database into about $\sqrt{\ell r}$ blocks, each of size about $\sqrt{\ell r}$ bits. To illustrate this, let us consider a binary database $A = (a_1, \ldots, a_\ell)$ when $\ell = s^2$ for some positive integer $s$. We construct the database $B = (b_1, \ldots, b_s)$ such that, for each $k \in \{1, \ldots, s\}$, the $k$-th block is $b_k = (a_{(k-1)s+1}, \ldots, a_{ks}) \in \{0,1\}^s$. Note that the bit $a_i$ is contained in the block $b_j$ with $j = \lceil i/s \rceil$. By running the protocol of Theorem 1 where, as inputs, the server has database $B$ and the user has index $j$, the user is able to recover the whole block $b_j$, and thus the bit $a_i$, using $O(s)$ qubits of communication.
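The block reduction described above, as an added Python example that is not code from the paper. `retrieve_block` is a hypothetical classical stand-in for the Theorem 1 quantum protocol (it models only the output and gives no privacy), and zero-padding databases whose length is not a perfect square is an assumption of this example that goes beyond the $\ell = s^2$ case in the text.

```python
import math

def theorem1_cost(num_items, item_bits):
    """Qubits used by the Theorem 1 protocol as stated on the page: 2*l + 2*r."""
    return 2 * num_items + 2 * item_bits

def to_blocks(bits):
    """Split an n-bit database A into s blocks b_1..b_s of s bits each.

    The page treats n = s^2. Taking s = ceil(sqrt(n)) and zero-padding to
    s^2 bits for other n is an assumption of this example.
    """
    n = len(bits)
    if n == 0:
        raise ValueError("empty database")
    s = math.isqrt(n - 1) + 1                      # ceil(sqrt(n)) in integers
    padded = list(bits) + [0] * (s * s - n)
    return [padded[k * s:(k + 1) * s] for k in range(s)], s

def locate(i, s):
    """Map the 1-based bit index i to (j, offset): a_i is bit `offset` of b_j."""
    j = -(-i // s)                                 # j = ceil(i / s)
    return j, i - (j - 1) * s

def retrieve_block(blocks, j):
    """Hypothetical stand-in for running the Theorem 1 protocol on database B
    with user index j. A plain lookup: it models the output only, and gives
    none of the protocol's privacy."""
    return blocks[j - 1]

def retrieve_bit(bits, i):
    """Return (a_i, qubits of communication) via the block reduction."""
    if not 1 <= i <= len(bits):
        raise IndexError("index i must lie in 1..n")
    blocks, s = to_blocks(bits)
    j, offset = locate(i, s)
    block = retrieve_block(blocks, j)              # user learns all of b_j
    return block[offset - 1], theorem1_cost(s, s)  # l = s items, r = s bits

if __name__ == "__main__":
    db = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]            # constructed sample, n = 10
    print(retrieve_bit(db, 7))                     # bit a_7 and the cost for s = 4
    print(retrieve_bit([0] * 10_000, 1)[1], "qubits vs downloading 10000 bits")
```

The user learns the whole block $b_j$, not only $a_i$; that is consistent with the definition above, which protects only the user's index from the server.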

We stress that this note considers only the setting where the parties do not deviate from the protocol, as often assumed in works focusing on algorithmic or complexity-theoretic aspects of private information retrieval. While this restriction may reduce the applicability of our result, we believe that it nevertheless illustrates the subtle interplay of interaction and quantum information in protecting privacy. Indeed, even in this setting, a linear amount of communication is needed for classical protocols and for two-message quantum protocols.

Other related works. Several other aspects of quantum protocols for private information retrieval have been investigated. The case of multiple servers has been studied in [KdW04a,KdW04b], while the case of symmetric private information retrieval, where the server’s privacy is also taken into consideration, has been studied in [KdW04b,GLM08,JRS09]. Privacy issues in quantum communication complexity have been studied in [Kla04] as well. Let us mention that quantum protocols for symmetric private information retrieval are


Reference

This content is AI-processed based on open access ArXiv data.
