Quantum Private Information Retrieval with Sublinear Communication Complexity

This note presents a quantum protocol for private information retrieval, in the single-server case and with information-theoretical privacy, that has $O(\sqrt{n})$-qubit communication complexity, where $n$ denotes the size of the database. In comparison, it is known that any classical protocol must use $\Omega(n)$ bits of communication in this setting.


Introduction
Private information retrieval deals with the design and the analysis of protocols that allow a user to retrieve an item from a server without revealing which item it is retrieving. This field, introduced in a seminal paper by Chor, Kushilevitz, Goldreich, and Sudan [CKGS98], has been the subject of intensive research due to the growing ubiquity of public databases. Examples of applications include ensuring consumer privacy in e-commerce transactions or reading webpages on the Internet without revealing the user's preferences.
In the case of a single server and of information-theoretical privacy, which is the focus of this note, private information retrieval can be described as follows. The server has a database $A = (a_1, a_2, \ldots, a_\ell) \in \Sigma^\ell$, where $\Sigma = \{0, 1\}^r$ is a set of items represented as $r$-bit strings, and the user has an index $i \in \{1, \ldots, \ell\}$.
A private information retrieval protocol is a (classical or quantum) communication protocol between the server and the user such that, when the user and the server both follow the protocol, the user always outputs the item $a_i$ and the server gets no information about the index $i$, in the following sense. Let $V_S(A, i)$ denote the server's view of the communication generated by the protocol when the server has input $A$ and the user has input $i$. The privacy condition is that, for any database $A \in \Sigma^\ell$ and any two indexes $i, j \in \{1, \ldots, \ell\}$, the views $V_S(A, i)$ and $V_S(A, j)$ are identical. Note that, while several subtleties arise when trying to formally define the server's view in an arbitrary quantum protocol, the above description will be sufficient for our purpose due to the limited interaction between the server and the user in the quantum protocols described in this note.
It is easy to show that, classically, downloading the whole database is essentially optimal: any classical protocol must communicate a number of bits linear in the size of the database [CKGS98]. The communication complexity of quantum protocols for private information retrieval was first investigated by Kerenidis and de Wolf [KdW04a]. Their work focused on two-message quantum protocols, and established a connection with locally decodable codes and random access codes. In particular it was proved that, for a single server, any private two-message quantum protocol must use a linear amount of communication. This note shows that this lower bound does not hold for quantum protocols using more than two messages and describes how to construct a three-message quantum protocol for private information retrieval with sublinear communication complexity, thus breaking for the first time the linear barrier in the single-server and information-theoretical privacy setting. Our main result is the following theorem.
Theorem 1. Let $\ell$ and $r$ be any positive integers. There exists a private information retrieval quantum protocol that, for any database $A \in \Sigma^\ell$ with $\Sigma = \{0, 1\}^r$, uses $2\ell + 2r$ qubits of communication.
Since the overall size of the database is $\ell r$ bits, Theorem 1 gives a quadratic improvement over classical protocols and two-message quantum protocols whenever $\ell + r = O(\sqrt{\ell r})$, for example when $\ell = \Theta(r)$. This quadratic improvement can actually be obtained for any values of $\ell$ and $r$: the idea is to decompose the database into about $\sqrt{\ell r}$ blocks, each of size about $\sqrt{\ell r}$ bits. To illustrate this, let us consider a binary database $A = (a_1, \ldots, a_\ell)$ when $\ell = s^2$ for some positive integer $s$. We construct the database $B = (b_1, \ldots, b_s)$ such that, for each $k \in \{1, \ldots, s\}$, the $k$-th block is $b_k = (a_{(k-1)s+1}, \ldots, a_{ks}) \in \{0, 1\}^s$. Note that the bit $a_i$ is contained in the block $b_j$ with $j = \lceil i/s \rceil$. By running the protocol of Theorem 1 where, as inputs, the server has database $B$ and the user has index $j$, the user is able to recover the whole block $b_j$, and thus the bit $a_i$, using $O(s)$ qubits of communication.
We stress that this note considers only the setting where the parties do not deviate from the protocol, as often assumed in works focusing on algorithmic or complexity-theoretic aspects of private information retrieval. While this restriction may reduce the applicability of our result, we believe that it nevertheless illustrates the subtle interplay of interaction and quantum information in protecting privacy. Indeed, even in this setting, a linear amount of communication is needed for classical protocols and for two-message quantum protocols.
Other related works. Several other aspects of quantum protocols for private information retrieval have been investigated. The case of multiple servers has been studied in [KdW04a,KdW04b], while the case of symmetric private information retrieval, where the server's privacy is also taken into consideration, has been studied in [KdW04b,GLM08,JRS09]. Privacy issues in quantum communication complexity have been studied in [Kla04] as well. Let us mention that quantum protocols for symmetric private information retrieval are also studied under the name of quantum oblivious transfer protocols, especially when the server and the user may deviate from the protocol (i.e., when considering malicious parties).

Proof of Theorem 1
We suppose that the reader is familiar with quantum computation and refer to, e.g., [NC00] for an introduction to this field. Let us first describe some of our notations. Given two bits $a, b \in \{0, 1\}$, we write their parity as $a \oplus b$. For any two elements $u = (u_1, \ldots, u_r)$ and $v = (v_1, \ldots, v_r)$ in $\Sigma = \{0, 1\}^r$, let us write $u \cdot v = u_1 v_1 \oplus \cdots \oplus u_r v_r$ and $u \oplus v = (u_1 \oplus v_1, \ldots, u_r \oplus v_r)$. Note that $u \cdot v$ is a bit and $u \oplus v$ is an element of $\Sigma$. Our protocol will use the Pauli gate Z := ∑ where $R_1$ and $R_2$ denote $r$-qubit registers, $Q$ denotes a one-qubit register, and $b$ is any element in $\Sigma$.
We now present the proof of Theorem 1.
Proof of Theorem 1. The protocol uses $\ell + 2$ quantum registers: Registers $R$ and $R'$ each consisting of $r$ qubits, and Registers $Q_1, \ldots, Q_\ell$ each consisting of one qubit. For any database $A = (a_1, \ldots, a_\ell) \in \Sigma^\ell$, let us denote by $|\Phi_A\rangle$ the quantum state in Registers $(R, R', Q_1, \ldots, Q_\ell)$. The protocol is described in Figure 1. It consists of three messages and uses a total amount of $2\ell + 2r$ qubits of communication.
2. The user applies $Z$ over Register $Q_i$ and sends back Registers $Q_1, \ldots, Q_\ell$ to the server.
4. The user applies $\mathrm{CNOT}^{(R,R')}$, applies QFT over Register $R$, and then measures $R$ in the computational basis.
Figure 1: Quantum private information retrieval protocol.
We first show that in this protocol the user always outputs the correct element of the database. Observe that, at the end of Step 2, the state is

At Step 4, just before the user performs the measurement, the state is $|a_i\rangle_R |0\rangle_{R'} |0\rangle_{Q_1} \cdots |0\rangle_{Q_\ell}$, and measuring Register $R$ gives the element $a_i$ with probability 1. Let us now consider the user's privacy. The only information about $i$ that a server following the protocol can obtain is from Registers $R, Q_1, \ldots, Q_\ell$ of the state $|\Phi\rangle$. Since tracing out Register $R'$ in $|\Phi\rangle\langle\Phi|$ gives the density matrix $\frac{1}{2^r} \sum_{x \in \Sigma} |x\rangle_R |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell} \langle x|_R \langle x \cdot a_1|_{Q_1} \cdots \langle x \cdot a_\ell|_{Q_\ell}$, the server obtains no information about the user's input.
Remark. As already mentioned, in this note we only consider the case where the server follows the protocol. This assumption is used in the analysis of the protocol of Figure 1 in order to ensure that the server prepares the state $|\Phi_A\rangle$ at Step 1. Note that if, instead of $|\Phi_A\rangle$, the server prepared for example the state $|\Phi'_A\rangle := \frac{1}{\sqrt{2^r}} \sum_{x \in \Sigma} |x\rangle_R |0\rangle_{R'} |x \cdot a_1\rangle_{Q_1} \cdots |x \cdot a_\ell\rangle_{Q_\ell}$, then it would be able to recover the index $i$ with probability one at Step 3.
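
The correctness and privacy claims of the proof, and the contrast drawn in the Remark, can be checked on a small database with a classical state-vector simulation. The Python below is an added example, not code from the paper. The page does not show Steps 1 and 3 or the definition of $|\Phi_A\rangle$, so the form of $|\Phi_A\rangle$ (inferred from $|\Phi'_A\rangle$ and the final state), the server's uncomputation at Step 3, the reading of QFT as a Hadamard on each qubit of $R$, all function names and the sample database are assumptions.

```python
from itertools import product
from math import sqrt

def dot(u, v):
    """u . v = u1 v1 XOR ... XOR ur vr, as in the notation paragraph."""
    return sum(a & b for a, b in zip(u, v)) % 2

def prepare(A, r, honest=True):
    """Step 1 (assumed form): (1/sqrt(2^r)) sum_x |x>_R |x>_R' |x.a_1>_Q1 ... |x.a_l>_Ql.
    honest=False gives the Remark's |Phi'_A>, with |0>_R' instead of |x>_R'."""
    amp = 1 / sqrt(2 ** r)
    return {(x, x if honest else (0,) * r, tuple(dot(x, a) for a in A)): amp
            for x in product((0, 1), repeat=r)}

def user_z(state, i):
    """Step 2: Z on Q_i (1-indexed) negates every term whose Q_i bit is 1."""
    return {k: -amp if k[2][i - 1] else amp for k, amp in state.items()}

def server_view(state):
    """Density matrix on (R, Q_1..Q_l) after tracing out R', which the user keeps."""
    rho = {}
    for (x, xp, q), a in state.items():
        for (y, yp, q2), b in state.items():
            if xp == yp:
                key = ((x, q), (y, q2))
                rho[key] = round(rho.get(key, 0) + a * b, 12)
    return rho

def retrieve(A, r, i):
    """Run Steps 1-4 and return (measured value of R, its probability)."""
    state = user_z(prepare(A, r), i)
    out = {}
    for (x, xp, q), amp in state.items():
        # Step 3 (assumed): the server uncomputes each Q_k via q_k ^= x.a_k.
        q = tuple(b ^ dot(x, a) for b, a in zip(q, A))
        # Step 4: CNOT(R, R') maps R' to R' XOR R, then the transform on R,
        # taken here to be a Hadamard on each qubit (assumption).
        xp = tuple(s ^ t for s, t in zip(x, xp))
        for y in product((0, 1), repeat=r):
            key = (y, xp, q)
            out[key] = out.get(key, 0) + amp * (-1) ** dot(x, y) / sqrt(2 ** r)
    probs = {}
    for (y, _, _), amp in out.items():
        probs[y] = probs.get(y, 0) + amp * amp
    best = max(probs, key=probs.get)
    return best, probs[best]

# Constructed sample database: l = 4 items of r = 3 bits.
A = [(1, 0, 1), (0, 1, 1), (1, 1, 0), (0, 0, 1)]
```

Comparing `server_view(user_z(prepare(A, 3), i))` across indexes gives identical matrices for the honest state, while the same comparison with `honest=False` gives matrices that depend on $i$.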