Editing Quantum Private Queries Protocol Based on Quantum Oblivious Key Distribution

<!-- This is a comment. You can erase them or write below -->


<!-- Intro: brief description of the protocol -->
This [https://arxiv.org/pdf/1002.4360.pdf example protocol] performs the task of [[(Symmetric) Private Information Retrieval|symmetric private information retrieval]] (SPIR) and has information-theoretic security. It is based on a [[Quantum Oblivious Key Distribution|quantum oblivious key distribution]] scheme. Like any quantum private queries protocol, it is cheat-sensitive, in the sense that user privacy relies on the non-zero probability for a cheating server to be detected. As for data privacy, the amount of information accessed by the user about the database is bounded.

<!--Tags: related pages or category -->
'''Tags:''' [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]], [[:Category:Two Party Protocols|Two Party Protocol]], [[Information-Theoretic Security]], [[(Symmetric) Private Information Retrieval|Symmetric Private Information Retrieval]], [[Quantum Private Queries]], [[Quantum Key Distribution]], [[Quantum Oblivious Key Distribution]], [[Single-Database]].

==Assumptions==
<!-- It describes the setting in which the protocol will be successful. -->
The security of this protocol relies on fundamental physics principles:
*	Impossibility of superluminal communication (for user privacy).
*	Impossibility to deterministically discriminate non-orthogonal states (for database privacy).
To achieve ''perfect'' user privacy, one must make the following assumption:
*	The server (Bob) will not cheat if he has a non-zero probability of being caught cheating.


==Outline==
<!-- A non-mathematical detailed outline which provides a rough idea of the concerned protocol -->
''A user, Alice, wants to retrieve an element from a database owned by a server, Bob, without revealing to Bob which element was retrieved (user privacy). Bob wants the amount of information that Alice can get on other database elements than the desired one to be bounded (data privacy).''<br></br>
*'''Quantum oblivious key distribution:''' Alice and Bob perform a [[Quantum Key Distribution|quantum key distribution]] (QKD) protocol in such a way that at the end of the protocol, Alice and Bob share a bit string known entirely to Bob and in a quarter to Alice: such a protocol is referred to as [[Quantum Oblivious Key Distribution|quantum ''oblivious'' key distribution]]. Then the key length is reduced to match the size of the database, while ensuring that Alice knows approximately one bit of the new key (the position of the known bit is unknown to Bob).<br></br>
*'''Query:''' Alice announces to Bob a (classical) shift corresponding to the difference between the index of the known bit of the key and the index of the desired database element.<br></br>
*'''Answer:''' Bob encodes the database by bitwise adding the key, shifted by Alice’s shift. Then Bob announces the encoded database.<br></br>
*'''Retrieval:''' By adding bitwise the shifted key to the encoded database, Alice can recover each database element for which she knew the corresponding (shifted) bit of the key.


==Notation==
<!--  Connects the non-mathematical outline with further sections. -->
*	<math>N</math>: number of elements in the database.
*	<math>X</math>: database; <math>X_n</math>: <math>n^\text{th}</math> database element.
*	<math>i</math>: index of the desired database element
*	<math>j</math>: index of a bit of the QKD key known to Alice.
*	<math>k</math>: a security parameter for the QKD key.
*	<math>|\uparrow\rangle,|\downarrow\rangle,|\leftarrow\rangle,|\rightarrow\rangle</math>: [[BB84 Quantum Key Distribution|BB84]] states.
*	<math>\updownarrow</math>: <math>\{|\uparrow\rangle,|\downarrow\rangle\}</math> basis.
*	<math>\leftrightarrow</math>: <math>\{|\leftarrow\rangle,|\rightarrow\rangle\}</math> basis.
*	<math>K^f</math>: key used to encode the database; it is a random bit string of length <math>N</math>.
*	<math>C</math>: encoded database (by bitwise adding the shifted QKD key).



<!--==Knowledge Graph==-->
<!-- Add this part if the protocol is already in the graph -->
<!--{{graph}}-->
==Requirements==
'''User''' (Alice):
*	Can measure single qubits.
'''Server''' (Bob):
*	Can prepare single qubits.
'''Communication''':
*	A quantum channel.
*	A classical authenticated channel.



==Properties==
<!-- important information on the protocol: parameters (threshold values), security claim, success probability... -->
*	'''User privacy''': In the case of an honest server (Bob), there is perfect user privacy as Alice never communicates about the index of her known bit of the key. However, there are strategies that allow a malicious server to infer which bit of the key is known to Alice; but any such strategy implies a loss of knowledge on the bit value of this specific key element, and so Bob may introduce errors in the encoding of the database that would automatically be detected by Alice. Hence, assuming that the server will not cheat if there is a non-zero probability of being caught cheating, this protocol ensures perfect user privacy.<br></br>
*	'''Data privacy''': An honest Alice may know more than one bit of the final QKD key as the number of bits known to her is probabilistic; this means she could access as many extra database elements with certainty as the number of extra bits of the key that she knows. Moreover, for any other database elements whose encoding is unknown to an honest Alice, she has a 50% chance of guessing correctly the corresponding key element. There are some cheating strategies that increase this probability; however, its increase is constrained by the choice of the security parameter <math>k</math>. Lastly, it is important to note that a cheating Alice cannot be detected by Bob.



==Protocol Description==
<!-- Mathematical step-wise protocol algorithm helpful to write a subroutine. -->
'''Inputs:'''
*	User (Alice): index <math>i</math> of the desired database element.
*	Server (Bob): classical database <math>X</math> with <math>N</math> elements: <math>X_1,...,X_N</math>.
*	Both (Alice & Bob): a security parameter <math>k</math>.
'''Output:'''
*	User (Alice): desired database element <math>X_i</math>.
'''Protocol:'''
* '''Quantum oblivious key distribution:'''
#	Bob generates a random bit string of length <math>k\times N</math>.
#	Bob encodes each bit of the string in the state of a qubit belonging to one of two bases <math>\updownarrow := \{|\uparrow\rangle ,|\downarrow \rangle \}</math> or <math>\leftrightarrow :=\{|\leftarrow\rangle,|\rightarrow\rangle\}</math>: for each bit, if it is <math>0</math>, Bob chooses between <math>|\uparrow\rangle</math> and <math>|\downarrow\rangle</math>, if it is <math>1</math>, Bob chooses between <math>|\leftarrow\rangle</math> and <math>|\rightarrow\rangle</math>.
#	Bob sends the prepared qubits to Alice.
#	Alice measures each state in the <math>\updownarrow </math> basis or <math>\leftrightarrow </math> basis at random.
#	Alice announces to Bob in which instances she detected the sent qubit.
#	For each qubit that Alice successfully detected, Bob announces a pair of two states including the state that was sent. The other state is chosen at random in the other basis.
#	Partial reconstruction of the key: Using her measurement outcomes and Bob’s announced pairs of qubits, Alice can deduce the bit value of part of the key (<math>1/4</math> of conclusive results). 

''At this stage, Alice and Bob share a secret key of length <math>k\times N</math> which is known partially (<math>{1/4}^\text{th}</math>) to Alice and entirely to Bob. Bob does not know which bits of the key are known to Alice.''

#	Reduction of the key length: The key is cut into <math>k</math> substrings of length <math>N</math>.  Then pieces of the key are added bitwise to create a new key of length <math>N</math>, <math>K^f</math>. This reduces the number of bits of the new key that Alice knows to roughly one bit (ideally, Alice should know exactly one bit of the new key).
*'''Query:''' Alice announces to Bob a shift <math>s=j-i</math> where <math>i</math> is the index of the desired database element and <math>j</math> is the index of a bit of the key known to Alice.
*'''Answer:''' Bob announces to Alice <math>N</math> bits <math>C_n=X_n\oplus K_{n+s}^f</math> corresponding to the encoded database.
*'''Retrieval:''' Alice recovers the desired database element <math>X_i</math> by adding her known bit of the key, <math>K_j^f</math> to the <math>i^\text{th}</math> received bit <math>C_i</math>: <math>C_i\oplus K_j^f=X_i\oplus K_{i+s}^f\oplus K_j^f=X_i\oplus K_{i+j-i}^f\oplus K_j^f=X_i</math>.



==Further Information==
<!-- theoretical and experimental papers including requirements, security proof (important), which protocol does it implement, benchmark values... -->
*	The QKD part of this quantum private queries protocol is based on the [https://arxiv.org/pdf/quant-ph/0211131.pdf SARG04 QKD scheme]. However, any QKD protocol that is compatible with the SARG04 scheme would work.
*	This protocol is loss resistant and scalable to large databases.



<!--==References==-->

<div style='text-align: right;'>''*contributed by Marine Demarty''</div>