Capacity of Quantum Private Information Retrieval with Collusion of All But One of Servers
Seunghoan Song, Masahito Hayashi

TL;DR
This paper determines the maximum efficiency of quantum private information retrieval protocols that remain secure even if all but one server collude, showing quantum advantages over classical methods.
Contribution
It derives the capacity of $(n-1)$-private QSPIR with collusion among all but one server, providing explicit capacity formulas and protocols for even number of servers.
Findings
Capacity of $(n-1)$-private QSPIR is $2/n$ for even $n$ with entanglement.
Constructed a protocol with rate $\frac{1}{\lceil n/2 \rceil}$ matching the capacity upper bound.
Quantum QSPIR capacity exceeds classical counterparts.
Capacity of Quantum Symmetric Private Information Retrieval with Collusion of All But One of Servers
Seunghoan Song and Masahito Hayashi
SS is supported by Rotary Yoneyama Memorial Master Course Scholarship (YM), Lotte Foundation Scholarship, and JSPS Grant-in-Aid for JSPS Fellows No. JP20J11484. MH is supported in part by Guangdong Provincial Key Laboratory (Grant No. 2019B121203002), a JSPS Grant-in-Aids for Scientific Research (A) No. 17H01280 and for Scientific Research (B) No. 16KT0017, and Kayamori Foundation of Information Science Advancement.
Seunghoan Song is with Graduate school of Mathematics, Nagoya University, Nagoya, 464-8602, Japan.
Masahito Hayashi is with Shenzhen Institute for Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen, 518055, China, Guangdong Provincial Key Laboratory of Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen 518055, China, Shenzhen Key Laboratory of Quantum Science and Engineering, Southern University of Science and Technology, Shenzhen 518055, China, and the Graduate School of Mathematics, Nagoya University, Nagoya, 464-8602, Japan.
This paper was presented in part at Proceedings of 2019 IEEE Information Theory Workshop (ITW) [28].
Abstract
Quantum private information retrieval (QPIR) is a protocol in which a user retrieves one of multiple classical files by downloading quantum systems from non-communicating servers each of which contains a copy of all files, while the identity of the retrieved file is unknown to each server. Symmetric QPIR (QSPIR) is QPIR in which the user only obtains the queried file but no other information of the other files. In this paper, we consider the -private QSPIR in which the identity of the retrieved file is secret even if any servers collude, and derive the QSPIR capacity for this problem which is defined as the maximum ratio of the retrieved file size to the total size of the downloaded quantum systems. For an even number of servers, we show that the capacity of the -private QSPIR is , when we assume that there are prior entanglements among the servers. We construct an -private QSPIR protocol of rate and prove that the capacity is upper bounded by even if any error probability is allowed. The -private QSPIR capacity is strictly greater than the classical counterpart.
I Introduction
A private information retrieval (PIR) protocol is a protocol in which a user retrieves a file from servers without revealing the identity of the retrieved file. Since it was first proposed by the paper [1], it has been studied in classical settings [2, 3, 4, 5, 6] and quantum settings [7, 8, 9, 10, 11]. Especially, in the last few years, the classical PIR capacity has been extensively studied, which is the maximum rate of the retrieved file size over the download size when the file size is arbitrarily large and the upload size, i.e., the total size of queries, is negligible to the download size. The paper [14] derived the PIR capacity for the most trivial setting in which each server contains the replicated file set. Several PIR capacities have been derived, e.g., when some servers may collude [16], when the user is also prohibited to obtain any information about the non-queried files [15] (symmetric PIR, SPIR), and when the file set is coded and distributed to the servers [17]. Moreover, many other papers [18, 19, 20, 21, 22, 23, 24, 26, 25] have studied the PIR capacity and the capacity-achieving protocols.
As a quantum extension of the PIR capacity in [14] and the SPIR capacity in [15], the paper [27] proved that the quantum PIR (QPIR) capacity and the QSPIR capacity are both for the replicated servers. The above QPIR capacity is strictly greater than the classical counterparts [14] and [15]. However, it still needs to be clarified whether QPIRs in other settings have advantages over the classical counterparts in the sense of the PIR capacities. For instance, in the PIR for replicated servers where each server contains files and any servers may collude (-private PIR), the PIR capacity is $\left(1-\mathsf{t}/\mathsf{n}\right)/\left(1-\left(\mathsf{t}/\mathsf{n}\right)^{\mathsf{f}}\right)$ [16] and the -private SPIR capacity is , but the QPIR capacity is unknown.
In this paper, we prove the -private QSPIR capacity is for any even number . For any number of servers , we construct an -private QSPIR protocol with the rate , no error, and the perfect secrecy. We also prove the strong converse bound in which the -private QSPIR capacity is upper bounded by even if we allow any asymptotic error probability less than . Since the -private PIR capacity for the infinite number of files and the -private SPIR capacity are , our QSPIR capacity implies the quantum advantage in PIR with colluding servers.
Our capacity-achieving protocol is a generalization of the QSPIR protocol in [27]. The protocol in [27] extended the classical PIR protocol [1] by the idea of the superdense coding [30]. Similarly, our protocol extends a classical -private PIR protocol explained below by the idea of the superdense coding [30] and the quantum teleportation [31]. The classical PIR protocol we extend is described as follows. Let -bit files be contained in each of servers and the queries be independently and uniformly chosen subsets of . To retrieve the -th file, the user chooses which satisfies , where is the symmetric difference, and sends the queries to each server. For each , the -th server returns to the user and then the user can retrieve , where both summations are with respect to the addition modulo . The protocol is private because the collection of any variables in is independent of the query index .
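The classical protocol described above, written out as an added example (it is not code from the paper): random subset queries whose symmetric difference is the queried index, XOR answers, and an exhaustive check that the queries seen by any coalition are distributed independently of the index. The function names, the 0-based indices, and the modelling of files as Python integers are assumptions of this sketch.

```python
import itertools
import secrets
from collections import Counter
from functools import reduce


def make_queries(n_servers, n_files, k):
    """Draw n-1 uniform random subsets of {0..n_files-1}; the last query is
    chosen so that the symmetric difference of all n queries is {k}."""
    free = [frozenset(j for j in range(n_files) if secrets.randbits(1))
            for _ in range(n_servers - 1)]
    last = reduce(lambda a, b: a ^ b, free, frozenset({k}))
    return free + [last]


def server_answer(files, query):
    """Bitwise sum modulo 2 (XOR) of the files indexed by the query."""
    answer = 0
    for j in query:
        answer ^= files[j]
    return answer


def retrieve(files, n_servers, k):
    """Run one round: file j cancels unless it lies in an odd number of
    queries, and only index k does."""
    queries = make_queries(n_servers, len(files), k)
    answers = [server_answer(files, q) for q in queries]
    return reduce(lambda a, b: a ^ b, answers, 0)


def all_subsets(n_files):
    return [frozenset(c) for r in range(n_files + 1)
            for c in itertools.combinations(range(n_files), r)]


def coalition_view(n_servers, n_files, k, coalition):
    """Exact distribution (as counts) of the queries a coalition sees,
    enumerated over every choice of the n-1 free subsets."""
    views = Counter()
    for free in itertools.product(all_subsets(n_files), repeat=n_servers - 1):
        last = reduce(lambda a, b: a ^ b, free, frozenset({k}))
        queries = list(free) + [last]
        views[tuple(queries[i] for i in coalition)] += 1
    return views


def is_private(n_servers, n_files, coalition_size):
    """True if every coalition of the given size sees the same query
    distribution for every queried index k."""
    for coalition in itertools.combinations(range(n_servers), coalition_size):
        dists = [coalition_view(n_servers, n_files, k, coalition)
                 for k in range(n_files)]
        if any(d != dists[0] for d in dists):
            return False
    return True


if __name__ == "__main__":
    files = [0b1011, 0b0110, 0b1110, 0b0001]  # constructed 4-bit sample files
    print(retrieve(files, n_servers=3, k=2) == files[2])
    print(is_private(3, 3, coalition_size=2))  # all but one server collude
    print(is_private(3, 3, coalition_size=3))  # all servers collude
```

The exhaustive check is exponential in the number of files and servers, so it is meant for small parameters only.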
Our capacity-achieving protocol has several remarkable properties. First, our protocol is a symmetric QPIR protocol, i.e., it guarantees the server secrecy in which no file information other than the queried one is transmitted to the user. Second, the upload cost of our protocol is bits, which is linear for the number of servers and the number of files but independent of the file size . Third, our protocol requires the file size , i.e., bits, for any positive integer , whereas the -private PIR protocol in [16] requires the file size depending on and for a sufficiently large prime power .
Following the conference version of this work, the paper [13] proposed a QSPIR protocol for coded and colluding servers which works for any -MDS code and secure against -collusion with . Their protocol is an extension of the protocol of this paper by combination with the classical PIR protocol [18], and it achieves better rates than the classical counterparts [18, 24]. The paper [29] improved the capacity result of this paper for any number of colluding servers: For any , the -private QSPIR capacity is . Even though the capacity of [29] generalizes that of this paper, our protocol and converse proof have the following advantages compared to [29]. First, whereas the protocol of [29] requires multipartite entanglement as prior entanglement, our protocol only requires multiple copies of bipartite entangled states. Since the bipartite entanglement is more reliably generated with current technology, our construction is more suitable for the implementation on near-term quantum devices than that of [29]. Second, our protocol is more constructive and easier to understand than the protocol of [29]. Our protocol is a combination of two simple protocols: quantum teleportation [31] and superdense coding [30], which have been experimentally realized in [34, 35] and [36, 37], respectively. On the other hand, the protocol in [29] is constructed with the sophisticated method of stabilizer formalism. Thus, our protocol is more accessible to the experimentalists and the theorists who are not familiar with the stabilizer formalism. Lastly, the converse proof of our paper is much simpler than that of [29] because we only prove for the case of .
The rest of the paper is organized as follows. Section II defines the QPIR protocol and presents our main theorems for the -private QSPIR capacity. Section III is preliminaries for the protocol construction and Section IV constructs the QSPIR protocol with colluding servers. Section V proves the strong converse bound when the perfect secrecy is guaranteed.
Terms and Notations
We summarized the basic notions of quantum information theory in Appendix A. For two sets and , define . The identity operator on any space is denoted by , or simply by if there is no confusion. For a state on a composite system , denote the quantum mutual information between the systems and by . The classical mutual information is denoted as without subscript. For states on a system which depend on the value of a random variable , we denote . For a matrix , we denote the transpose of by and the conjugate transpose of by .
II Problem Statement and Main Results
In this section, we review the QPIR protocol given in the paper [27], which is defined in the same way for the -private QPIR except for the security measures. Then, we present two main theorems for the -private QSPIR capacity.
II-A Description of QPIR Protocol
Let be uniformly and independently distributed in . Each of non-communicating servers contains the replicated -file set . In addition, each server contains a quantum system and the servers share an arbitrary entangled state on . A user chooses the query index uniformly at random. The aim of the QPIR protocol is for the user to retrieve the file from the servers.
For this purpose, the user and the servers perform the following process. First, the user chooses a random variable from a set and encodes the queries by the user encoder as follows:
[TABLE]
where for any is a finite set for describing possible query indexes to the server . Then, for any , each query is sent to the server . After receiving the query , each server prepares a trace-preserving and completely positive (TP-CP) map (footnote 1: server operations induced by may contain random operations and measurements because TP-CP maps contain random operations and measurements) from to by the server encoder , i.e.,
[TABLE]
and the resultant state on is
[TABLE]
Then, each server sends to the user. Depending on and , the user chooses the decoder , which is a positive-operator valued measure (POVM) on . By performing the POVM measurement on , the user obtains the measurement outcome as the retrieval result, where the outcome is considered as decoding failure. With probability , the queried file is obtained, i.e., .
Given the number of servers and the number of files , a QPIR protocol is described by the four-tuple
[TABLE]
where . Note that the QPIR protocol characterizes the process in the previous paragraph. The upload cost, download cost, and rate of a protocol are defined by
[TABLE]
II-B Security Measures and -Private QPIR Capacity
We define security measures and the capacity of the -private QPIR.
II-B1 Security Measures
-Private QPIR is QPIR in which any servers may collude to determine but it should not be leaked even if the user does not know which servers are colluding. Furthermore, we also consider the server secrecy in which the user only obtains the queried file but no information of other files. Thus, we evaluate the security of a protocol by the error measure, the server secrecy measure, and the user secrecy measure. The error measure is defined by
[TABLE]
where is the average error probability of the protocol. The server and user secrecy measures and are defined respectively as
[TABLE]
where is the collection of queries to all servers other than . If these measures are zero, the protocol is called a -private QSPIR protocol, and if , it is called a -private QPIR protocol.
II-B2 -private QPIR Capacity
The -private QPIR capacity is defined with the security and upload constraints. For any , , , , the asymptotic and exact security-constrained -private QPIR capacities are defined by
[TABLE]
where the supremum is taken for sequences such that and sequences of QPIR protocols to satisfy either (3) or (4) given by
[TABLE]
and
[TABLE]
The parameters are the upper bounds of the error, server secrecy, user secrecy, and upload cost, respectively, and the two capacities , are defined as the supremum of QPIR rates for all QPIR protocols satisfying the upper bounds asymptotically and exactly, respectively. Since any protocols satisfying the upper bounds exactly also satisfy the bounds asymptotically, we have the inequality .
II-C Main Results
Two main theorems of the paper are as follows.
Theorem II.1.
For any servers and files, there exists a -private QSPIR protocol with the rate , zero security measures, -bit upload cost, and -bit files for any integer .
Section IV constructs the protocol that achieves the performance given in Theorem II.1. When , the protocol in Section IV corresponds to the protocol in [27].
Theorem II.2 (Capacity of -private QPIR).
For any servers and files, the -private QPIR capacity satisfies
[TABLE]
for any and .
The last inequality in (5) follows from Theorem II.1 and the inequality (6) will be proved in Section V. From Theorem II.2, we obtain the following corollary.
Corollary II.1.
For any even number of servers and any number of files , the -private QSPIR capacity is .
III Preliminaries for Protocol Construction
In this section, we prepare two simple protocols to describe our -private QSPIR protocol.
III-A Preliminaries on States, Operations, and Measurements
A qubit is a two-dimensional complex Hilbert space spanned by an orthonormal basis . Define the maximally entangled state on two qubits by
[TABLE]
For any , define Pauli operations on by
[TABLE]
It can be easily checked that these operations satisfy the relations
[TABLE]
Applying (9) twice, we also have
[TABLE]
For any matrix on , we define the vector in by
[TABLE]
With this notation, the maximally entangled state is written as . Since , it holds . Moreover, for any unitaries on ,
[TABLE]
For the maximally entangled state on , the Pauli operation on the first (second) qubit can be translated to the operation on the second (first) qubit because
[TABLE]
The following proposition is a case of [27, Proposition III.1] for qubits.
Proposition III.1.
The set
[TABLE]
is an orthonormal basis of .
From Proposition III.1, we can define the projection-valued measure (PVM)
[TABLE]
where .
III-B Quantum Teleportation with an Operation
First, we give a modified version of the quantum teleportation protocol [31], where an operation is performed on before the quantum teleportation protocol starts.
Protocol III.1.
Suppose that Alice possesses two qubits and , Bob possesses a qubit . The state on is and Alice and Bob share . Quantum teleportation protocol with an operation is given as follows.
- Step 1: Bob applies the unitary operation on .
- Step 2: Alice applies PVM on and sends the measurement outcome to Bob.
- Step 3: Bob applies the unitary on .
The resultant state on is and it preserves the entanglement. Note that Protocol III.1 requires two-bit transmission from Alice to Bob. The protocol without Step 1 in Protocol III.1 is the quantum teleportation protocol [31].
III-B1 Analysis of Protocol III.1
We show that the resultant state on is and it preserves the entanglement (see Fig. 2).
Let be a qubit and be a purification of the state . Before the protocol starts, the state on is
[TABLE]
If the measurement outcome is in Step 2, the state on at the end of Step 2 is
[TABLE]
where the multiplicand in (17) is the normalizing multiplicand, (18) is from (8), and (19) is from (9). At the end of Step 3, the state on is
[TABLE]
where (20) is from (10) and (21) is from (9). Eq. (22) is an identical state to . Therefore, the resultant state on is and it preserves the entanglement.
Remark III.1.
Even in case that the order of Step 1 and Step 2 is reversed, the state before and after the operation is identical to (19) and (22).
III-C Two-Sum Transmission Protocol
Consider there are three parties Alice, Bob, and Carol. By the following protocol, Carol receives the sum of Alice’s information and Bob’s information .
Protocol III.2.
Suppose that the joint state of two qubits and is the maximally entangled state and Alice and Bob possess and , respectively. The two-sum transmission protocol is given as follows.
- Step 1: Alice and Bob apply on and on , respectively.
- Step 2: Alice and Bob send the quantum systems and to Carol, respectively.
- Step 3: Carol performs the PVM and obtains the measurement outcome as the protocol output.
In Protocol III.2, the output is , which can be proved trivially from (9) and (14). The protocol requires two-qubit transmission each from Alice and Bob.
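A state-vector simulation of Protocol III.2, added here as an example and not taken from the paper. Because the paper's equations did not survive on this page, it assumes the usual conventions: the Pauli operation for bits (a, b) is X^a Z^b, the maximally entangled state is (|00> + |11>)/sqrt(2), and Carol's PVM basis is that state with a Pauli operation on the first qubit; all function names are hypothetical.

```python
import itertools
import math

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]

# Assumed maximally entangled state (|00> + |11>)/sqrt(2),
# stored as amplitudes [00, 01, 10, 11].
PHI = [1 / math.sqrt(2), 0.0, 0.0, 1 / math.sqrt(2)]


def matmul(a, b):
    """Product of two 2x2 matrices."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def pauli(a, b):
    """Assumed convention: the operation for bits (a, b) is X^a Z^b."""
    m = I2
    if a:
        m = matmul(m, X)
    if b:
        m = matmul(m, Z)
    return m


def apply_local(op_first, op_second, state):
    """Apply op_first (x) op_second to a two-qubit state vector."""
    out = [0.0] * 4
    for i, j, k, l in itertools.product(range(2), repeat=4):
        out[2 * i + j] += op_first[i][k] * op_second[j][l] * state[2 * k + l]
    return out


def bell_probabilities(state):
    """Outcome probabilities of the PVM whose basis vectors are
    (pauli(a, b) (x) I) PHI. All amplitudes here are real."""
    probs = {}
    for a, b in itertools.product(range(2), repeat=2):
        basis = apply_local(pauli(a, b), I2, PHI)
        amplitude = sum(x * y for x, y in zip(basis, state))
        probs[(a, b)] = amplitude * amplitude
    return probs


def two_sum(alice_bits, bob_bits):
    """Steps 1-3: both parties encode on their half of PHI, Carol measures.
    Returns Carol's most likely outcome and its probability."""
    state = apply_local(pauli(*alice_bits), pauli(*bob_bits), PHI)
    probs = bell_probabilities(state)
    outcome = max(probs, key=probs.get)
    return outcome, probs[outcome]


def check_all_inputs():
    """Carol's outcome is the bitwise sum modulo 2, with certainty,
    for all 16 input pairs."""
    for a, b, c, d in itertools.product(range(2), repeat=4):
        outcome, p = two_sum((a, b), (c, d))
        if outcome != ((a + c) % 2, (b + d) % 2) or abs(p - 1.0) > 1e-9:
            return False
    return True


if __name__ == "__main__":
    print(two_sum((1, 0), (1, 1)))
    print(check_all_inputs())
```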
IV Symmetric QPIR Protocol with Colluding Servers
In this section, we propose a -private QSPIR protocol that achieves the performance given in Theorem II.1 for any servers. In our protocol, each server contains the following file set. Given two arbitrary integers and , the file set is given by the collection of -bit files . Each file is denoted by
[TABLE]
Section IV-A presents our -private QSPIR protocol with three servers () and as the simplest case. Then, by using Protocol III.2 and the idea of the protocol in Section IV-A, Section IV-B presents our protocol for any servers and any .
IV-A Construction of Protocol for and
IV-A1 Protocol
Our protocol for three servers each containing the file set is described as follows (see Fig. 3).
- Step 1: The servers , , possess one qubit , two qubits , , and one qubit , respectively. The initial states on both of and are the maximally entangled state .
- Step 2: Let be the index of the file to be retrieved. Choose two subsets and of independently and uniformly at random. Define by
[TABLE]
For each , the user sends the query to .
- Step 3: For each , the server calculates
[TABLE]
The server () applies to ( to ) and transmits () to the user. The server applies on , performs the PVM on , and transmits the measurement outcome to the user.
- Step 4: The user applies on and performs the PVM on , and the output of the protocol is the measurement outcome .
IV-A2 Analysis
First, we show the correctness of the protocol. The state of before the PVM at Step 3 is
[TABLE]
by (9), where is determined depending on and . After the PVM at Step 3 with the measurement outcome , the state on is
[TABLE]
where are determined by . Thus, after the user’s operation at Step 4, the state on is
[TABLE]
(Alternatively, we can also obtain the same result (27) by considering the servers and the user apply Protocol III.1 for and .) Therefore, the user obtains the measurement outcome , which implies the correctness of our protocol.
The user secrecy follows from the fact that any two of are independent of the query index . The server secrecy is proved as follows. The information the user obtains is the measurement outcome and the state (26). The measurement outcome is uniformly at random because the state on is the completely mixed state before the measurement at Step 3. Since the state (26) only depends on and , which are jointly independent of the files other than , the user obtains no information of the files other than .
The upload cost is bits because each of is written by bits. In the protocol, the user downloads qubits and bits but we count the download cost as qubits since we only count quantum communication in our QPIR model (Section II) and one qubit can convey one bit at most. The file size is bits. Therefore, the QPIR rate is .
IV-B Construction of Protocol for Servers
In this subsection, we present our protocol for any servers and any . The idea of our protocol construction is described as follows. The number of servers is generalized to be arbitrary by using the idea of the three-server protocol in Section IV-A. In this generalization, it is necessary for servers to transmit the sum of measurement outcomes to the user, and it is performed efficiently by using the two-sum transmission protocol (Protocol III.2). The index is increased by using the same query repetitively until the protocol retrieves the entire file information.
Our protocol for servers is described as follows (see Fig. 4).
IV-B1 Preparation
For each , prepare the following quantum systems and states. The servers and have qubits and , respectively. For each , the server has three qubits , , . If is odd, we consider the server has only two qubits , . The maximally entangled state is shared between each of pairs , , , … , , and for any .
IV-B2 Upload Step
Let be the index of the file to be retrieved. Choose subsets of independently and uniformly at random. Define by
[TABLE]
The user sends the query to for each .
IV-B3 Download Step
For each , depending on the query , the server calculates
[TABLE]
Then, for each , the servers perform the following process.
- a) The server () applies to ( to ) and transmits () to the user.
- b) For each , the server applies on and performs the PVM on whose measurement outcome is denoted by .
- c) For each , the servers and transmit the sum to the user by the two-sum transmission protocol (Protocol III.2) with qubits and .
- d) If is odd, transmits to the user.
IV-B4 Retrieval Step
For each , the user performs the following process.
- a) For any , the user receives the sum by Download Step c). If is odd, the user receives additionally.
- b) The user applies on .
- c) The user performs the PVM on whose measurement outcome is denoted by .
The protocol output is .
IV-C Analysis of Protocol for servers
In this subsection, we prove the correctness and the secrecy of the protocol, and analyze the costs and rate of the protocol.
IV-C1 Correctness
Let be any element of . As shown in the next paragraph, at the end of Download Step, the state on is
[TABLE]
where is determined depending on , … , , , … , . Then, at the end of Retrieval Step b), the state on is
[TABLE]
where is determined depending on , … , , , … , . Thus, at Retrieval Step c), the measurement outcome is , which implies that our protocol correctly retrieves . Since is retrieved correctly for any , the queried file is retrieved correctly.
Now, we prove (29). Since the operations of different servers are applied on different quantum systems, the order of the servers’ operations can be arbitrary. Therefore, in the following, we consider that the servers apply the operations sequentially. At the end of the operation of , the state on is
[TABLE]
where is determined depending on . Suppose that at the end of the operations of for any , the state on is
[TABLE]
where is determined depending on , … , , , … , . Note that the operations of correspond to the steps 0 and 1 of Protocol III.1 for , , and . Therefore, after the operations of , the state on is
[TABLE]
where is determined depending on , … , , , …, and the system denotes for the case . By the mathematical induction, the state on after the operations of is
[TABLE]
and after the operation of , the state is
[TABLE]
where is determined depending on , … , , , … , . Thus, we have Eq. (29).
IV-C2 Secrecy
The user secrecy is obtained because the collection of any variables in is independent of the query index . Next, we consider the server secrecy. The user obtains and for any and any . If is odd, the user obtains additionally. Note that before the measurement of the qubits possessed by the server (), the states on and are the completely mixed states, which implies that the measurement outcomes for all are independent of any file. Therefore, the user obtains no file information other than .
IV-C3 Costs and Rate
The upload cost is bits because each subset of is written by bits. For each , the user downloads qubits , , … , , if is even, and downloads qubits , , … , , and two bits if is odd. Since we only count quantum communication in our QPIR model and one qubit can convey one bit at most, the total download cost is qubits when is even and qubits when is odd. The file size is bits, i.e., . Therefore, the QPIR rate is
[TABLE]
Moreover, the sequence of our protocols for achieves the negligible upload cost with respect to the download cost, i.e.,
[TABLE]
V Converse
In this section, we prove the converse bound (6)
[TABLE]
for any , .
The idea of the converse proof is described as follows. The converse bound (6) is for the case where the QPIR protocol satisfies the user and server secrecy conditions perfectly, i.e., and . From these perfect secrecies, we prove a lemma that the joint state of colluding servers is independent of the queried file . Then, using the lemma, the state from colluding servers can be used as shared entanglement between the honest server and the user, i.e., the honest server can communicate at most bits to the user by sending qubits, which follows from the entanglement-assisted classical capacity [38]. Since the user downloads qubits from servers, the QPIR rate is upper bounded by , which implies the converse bound (6). Based on this idea, we give the converse proof in the remainder of this section.
First, we prepare the following lemma. Recall that is the collection of queries to all servers other than for any . We denote by the composite system of all servers other than and by the dimensions of .
Lemma V.1.
Suppose that and . Let be the state on after the server encoder. Then, the relation holds for any after the application of the server encoder. That is, the state on the system does not depend on the file information .
Proof.
Due to the condition (2), the uploaded information is independent of . Since the is determined by , we have , which implies that for . Since server secrecy (Eq.(1)) implies
[TABLE]
we have for any . ∎
We also prepare the following propositions.
Proposition V.1 ([39, (4.66)]).
Consider is encoded to a quantum state on and decoded by a POVM on , where the measurement outcome denotes decoding failure. Define the error probability by . Then, for any on and any , we have
[TABLE]
Proposition V.2 ([39, (5.53)]).
For any states and , TP-CP map and , we have
[TABLE]
Proposition V.3.
For a pure state in a system , let be the reduced state of on and . For any , we have
[TABLE]
The proof of Proposition V.3 is given in Appendix B.
Now, we prove the converse bound by three steps with the assumption that and .
Step 1: In this step, we introduce several notations for simplicity. We denote the queried file, the collection of non-queried files, the collection of queries by , , , respectively, and we also denote . Then, denotes the quantum state on . We consider the entire quantum systems as a bipartite system . We also denote by the reduced state of on since the reduced state does not depend on from Lemma V.1.
Step 2: In this step, we prove the inequality
[TABLE]
Applying Proposition V.1 to the choice
[TABLE]
for any , we obtain
[TABLE]
where is the error probability when is fixed. By averaging with respect to and from the convexity of , we have
[TABLE]
for any .
Let . We choose orthonormal vectors such that with . We denote by the reduced state of on , i.e., . With this decomposition, we can upper bound the RHS of (40) as
[TABLE]
Here, Eq. (41) is obtained by applying Proposition V.2 for the choice
[TABLE]
since is the RHS of (41) and is the LHS of (41) from
[TABLE]
Eq. (42) follows from . Eq. (43) is obtained by applying Proposition V.3 for . Combining (40) for and (43), we have the desired inequality (37).
Step 3: In this step, we prove the converse bound by contradiction. Suppose that there exists a sequence of QPIR protocols such that
[TABLE]
This inequality is also written as
[TABLE]
which implies
[TABLE]
Furthermore, since
[TABLE]
we have
[TABLE]
Combining (37) and (46), the probability of correctness approaches [math], which contradicts (44). Thus, any QPIR protocol with asymptotic error probability less than has QPIR rate at most , which implies (6).
VI Conclusion
We have presented the -private QSPIR capacity for even number of servers when any servers collude. We constructed a -private QSPIR protocol of rate , and proved that is the strong converse bound with the perfect server and user secrecy. Our protocol is constructed by using the quantum teleportation and the two-sum transmission protocol repetitively. The converse bound used the fact that the state of any servers is independent of the retrieved file, which follows from the perfect secrecy of the server and the user.
Following the conference version of this paper, the paper [29] proved that both symmetric and non-symmetric -private QPIR capacity for . However, for , the -private QPIR capacity is derived only for the case where the server secrecy, i.e., leakage to the user, is negligible with respect to the size of files. Thus, it is an open problem to derive the (non-symmetric) -private QPIR capacity for . For this problem, the converse proof of classical -private PIR [16] cannot be directly applied because the -private QPIR capacity for is and it is already greater than the classical capacity $\left(1-\mathsf{t}/\mathsf{n}\right)/\left(1-\left(\mathsf{t}/\mathsf{n}\right)^{\mathsf{f}}\right)$ of [16]. Thus, we expect that the -private QPIR capacity for is also greater than its classical capacity of [16]. We leave this problem as an open problem.
Acknowledgement
The authors are grateful to Dr. Hsuan-Yin Lin and Dr. Eirik Rosnes for helpful discussions and comments for the comparison of classical PIRs to quantum PIRs [42].
Appendix A Fundamentals of Quantum Information Theory
In this appendix, we briefly introduce basic concepts of the quantum information theory. In the following, we give the mathematical definitions of quantum system, quantum state, quantum measurement, and quantum operation. For the physical motivations of these definitions and more detailed introduction of these definitions, we refer to [41, 39].
A quantum system, or simply system, is an object considered in quantum information theory and it is mathematically defined by a complex Hilbert space . In this paper, we only consider finite-dimensional Hilbert spaces. A two-dimensional Hilbert space is called a qubit.
The state of a quantum system, also called quantum state, represents the information in a quantum system. A quantum state of is mathematically described by a density matrix defined by a positive-semidefinite matrix on such that . As a special case, the state is called the completely mixed state. When a density matrix is a rank-one matrix, we can denote with a unit vector and thus, we sometimes represent the state by the unit vector , called a pure state. A quantum state is mapped to another state by quantum operations.
For two quantum systems and , the composite quantum system is described by . When the state of is , the reduced state on is represented by , where is the partial trace on defined by the unique linear map such that for any matrices on and on . The Schmidt decomposition is the decomposition theorem for any pure state on a composite system as follows.
**Proposition A.1 (Schmidt decomposition).**
For any pure state on a composite system , there exist orthonormal vectors of and of and a probability distribution such that .
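The partial trace and the consequence of Proposition A.1 used in Appendix B (both reduced states of a pure state share the same nonzero eigenvalues) can be checked numerically. The following Python code is an added example, not code from the paper; the function names, the basis ordering $|i\rangle_A|j\rangle_B \mapsto i\,d_B + j$, and the two sample states are assumptions constructed for this illustration.

```python
# Added example (not from the paper); names and sample states are constructed.
from math import sqrt

def density(psi):
    """Density matrix |psi><psi| of a pure state given as amplitudes."""
    return [[a * complex(b).conjugate() for b in psi] for a in psi]

def kron(X, Y):
    """Tensor product X (x) Y, basis ordered as |i>_A |j>_B -> i*dB + j."""
    return [[x * y for x in rx for y in ry] for rx in X for ry in Y]

def partial_trace(rho, dA, dB, keep):
    """Reduced state on A (trace out B) or on B (trace out A)."""
    if keep == "A":
        return [[sum(rho[i*dB + j][k*dB + j] for j in range(dB))
                 for k in range(dA)] for i in range(dA)]
    return [[sum(rho[i*dB + j][i*dB + l] for i in range(dA))
             for l in range(dB)] for j in range(dB)]

def trace(X):
    return sum(X[i][i] for i in range(len(X)))

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def moment(X, k):
    """Tr X^k. Equal moments for every k means equal nonzero eigenvalues."""
    P = X
    for _ in range(k - 1):
        P = matmul(P, X)
    return trace(P)

def close(X, Y, tol=1e-12):
    return all(abs(x - y) < tol for rx, ry in zip(X, Y) for x, y in zip(rx, ry))

def same_moments(psi, dA, dB):
    """Both reduced states of a pure state share Tr rho^k for k up to max dim."""
    rho = density(psi)
    rA, rB = partial_trace(rho, dA, dB, "A"), partial_trace(rho, dA, dB, "B")
    return all(abs(moment(rA, k) - moment(rB, k)) < 1e-12
               for k in range(1, max(dA, dB) + 1))

# Constructed inputs: a generic pure state on a qubit (x) qutrit, and a
# maximally entangled two-qubit state whose reduced state is completely mixed.
PSI = [c / 3 for c in (1, 2j, 0, -1, 1, 1 + 1j)]
BELL = [1 / sqrt(2), 0, 0, 1 / sqrt(2)]
```

Calling `same_moments(PSI, 2, 3)` compares the qubit and qutrit reduced states of the same pure state, and `partial_trace(density(BELL), 2, 2, "A")` returns the completely mixed qubit state.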
A quantum operation is described by a trace-preserving and completely positive (TP-CP) map. A map from a system to a system is called a TP-CP map if is linear, for any state on , and is a positive-semidefinite matrix for any state on , where is the identity map on the system . The simplest example of a TP-CP map is a unitary map for a unitary matrix . When a unitary map of a unitary matrix is applied to the system with pure state , the resultant state is the pure state .
Classical information is extracted from a system by a quantum measurement. A quantum measurement on a system is described by a positive-operator valued measure (POVM). A POVM on is a set of positive-semidefinite matrices on such that . When the POVM measurement is performed on the system with state , the measurement outcome is obtained with probability . If all elements of POVM are projections, i.e., and , the POVM is also called a projection-valued measure (PVM). Sometimes an orthonormal basis of is considered as a PVM .
Appendix B Proof of Proposition V.3
By the Schmidt decomposition (Proposition A.1), the pure state on is decomposed as for some orthonormal vectors of and of and some probability distribution . Thus, the reduced states on and on have the same rank and therefore, . On the other hand, since the function for is concave, the LHS of (36) maximizes if have the same value for all , i.e., is the uniform distribution, by Karamata’s inequality [40]. Thus, we have the desired inequality as
[TABLE]
References
- [1] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private information retrieval,” Journal of the ACM, 45(6):965–981, 1998.
- [2] C. Cachin, S. Micali, and M. Stadler, “Computationally Private Information Retrieval with Polylogarithmic Communication,” Advances in Cryptology - EUROCRYPT ’99, pp. 402–414, 1999.
- [3] H. Lipmaa, “First CPIR Protocol with Data-Dependent Computation,” Proceedings of the 12th International Conference on Information Security and Cryptology, pp. 193–210, 2009.
- [4] A. Beimel and Y. Stahl, “Robust information-theoretic private information retrieval,” Proceedings of the 3rd International Conference on Security in Communication Networks (SCN’02), pp. 326–341, 2003.
- [5] C. Devet, I. Goldberg, and N. Heninger, “Optimally Robust Private Information Retrieval,” 21st USENIX Security Symposium, August 2012.
- [6] T. H. Chan, S.-W. Ho, and H. Yamamoto, “Private information retrieval for coded storage,” in Proceedings of 2015 IEEE International Symposium on Information Theory (ISIT), pp. 2842–2846, June 2015.
- [7] I. Kerenidis and R. de Wolf, “Exponential lower bound for 2-query locally decodable codes via a quantum argument,” Proceedings of 35th ACM STOC, pp. 106–115, 2003.
- [8] I. Kerenidis and R. de Wolf, “Quantum symmetrically-private information retrieval,” Information Processing Letters, vol. 90, pp. 109–114, 2004.
