Professional Documents
Culture Documents
Messages
Seunghoan Songa and Masahito Hayashib,a
a
Graduate School of Mathematics, Nagoya University
b
Shenzhen Institute for Quantum Science and Engineering, Southern University of Science and Technology
Email: m17021a@math.nagoya-u.ac.jp & hayashi@sustech.edu.cn
quantum messages is the protocol in which a user retrieves one ρ1 , . . . , ρf 2. target index k ∈ [f]
of the multiple quantum states from one or multiple servers
without revealing which state is retrieved. We consider QPIR
in two different settings: the blind setting, in which the servers 3. queries
contain one copy of the message states, and the visible setting, in Q(1) , . . . , Q(r)
which the servers contain the description of the message states.
One trivial solution in both settings is downloading all states Server User
from the servers and the main goal of this paper is to find more
efficient QPIR protocols. First, we prove that the trivial solution
4. answers
is optimal for one-server QPIR in the blind setting. In one-round A(1) , . . . , A(r)
protocols, the same optimality holds even in the visible setting. On
the other hand, when the user and the server share entanglement, 5. retrieval ρk
we prove that there exists an efficient one-server QPIR protocol
in the blind setting. Furthermore, in the visible setting, we prove Fig. 1: One-server QPIR protocol with quantum messages.
that it is possible to construct symmetric QPIR protocols in which
At round i, the user uploads a query Q(i) and downloads an
the user obtains no information of the non-targeted messages. We
construct three two-server symmetric QPIR protocols for pure answer A(i) .
states. Note that symmetric classical PIR is impossible without
shared randomness unknown to the user.
protocols do not scale with the number of message states. On (c) Entropy does not change by unitary operations,
the other hand, as a trade-off, the size of the queries scales (d) H(XY ) + H(X) ≥ H(Y ),
linearly with the number of message states. P P
(e) H( s ps ρs ) = s ps (H(ρs ) − log ps ) if Tr ρs ρt = 0 for
The idea of our QSPIR protocols is explained as follows. In any s 6= t.
the visible setting, we can prepare the message states |ψℓ i by
the state preparation unitaries Uℓ such that Uℓ |0i = |ψℓ i. We The property (d) is proved as follows. Let Z be the reference
can decompose any state preparation unitaries Uℓ on qudits system in which the state on XY Z is pure. Then, H(XY ) +
by phase-shift operations and rotation operations, which are H(X) = H(Z) + H(X) ≥ H(XZ) = H(Y ). Throughout
described classically by 2(d − 1) angles. Then, with the query the paper, we use the symbols (a), (b), (c), (d), (e) to denote
(a)
structure of classical PIR, the servers collectively encode the which property is used, e.g., = means that the equality holds
phase-shift operations and the rotation operations composing from the property (a).
Uk into the maximally entangled states, where k is the index
of the targeted message state |ψk i. By the query structure Proposition 2. Consider two quantum systems A and B. If
of classical PIR, this encoding process can be accomplished any pure states ρAB and ρ′AB satisfy ρA = ρ′A , there exists a
without leaking k to each server. The user receives the maxi- unitary UB on B such that ρAB = (IA ⊗ UB )ρ′AB (IA ⊗ U∗B ).
mally entangled states encoded with the phase-shift operations
Proof. Diagonalize ρA = s ps |sihs|. When ρAB
P
=
and the rotation operations, and finally recovers the targeted ′ ′ ′
|ψ
PAB ihψ AB | and ρ = |ψ ihψ |, we have |ψAB =i
message state |ψk i by the entanglement-swapping. The QSPIR AB
′
AB AB
and where
P
p
s s |s, f (s)i |ψ i = p
s s |s, g(s)i, {|f (s)i}
protocol for qubit states is done more efficiently since only one AB
and {|g(s)i} are sets of orthonormal vectors of B. Thus,
rotation operation is necessary for decomposing Uℓ . For qudit
UB = s |f (s)ihg(s)| is the desired unitary.
P
states for d ≥ 3, the rotation operations for decomposing Uℓ
are non-commutative and this non-commutativity leads to the
increased complexity. For a d1 × d2 matrix
The remainder of the paper is organized as follows. Sec-
tion II is the preliminaries of the paper. Section III derives dX
1 −1 dX
2 −1
the lower bound of the communication complexity for one- M= mst |siht| ∈ Cd1 ×d2 , (1)
server QPIR. In the blind setting, Section IV proposes an s=0 t=0
efficient one-server QPIR protocol with prior entanglement.
Section V proposes an efficient QPIR protocol in the visible we define
setting. Section VI is the conclusion of the paper.
dX
1 −1 dX
2 −1
II. P RELIMINARIES |M⟫ = mst |si|ti ∈ Cd1 ⊗ Cd2 . (2)
We define [a : b] = {a, a + 1, . . . , b} and [a] = {1, . . . , a}. s=0 t=0
Proof of Theorem 1. First, we prove that B. Optimality of trivial protocol for one-server multi-round
n o QPIR in blind setting
1,|s ,...,s i
ρA(1)1T (1) f | sℓ ∈ [0 : dℓ − 1], ℓ ∈ [f] (13) In this subsection, we extend the the optimality of the trivial
solution to the case where the user and the server communicate
is a set composed of orthogonal states. Let (s1 , . . . , sf ), multiple rounds in the blind setting. To be precise, we define
(s′1 , . . . , s′f ) be any two different strings and k ∈ [f] be an the r-round QPIR protocol in the blind setting as follows (2-
index satisfying sk 6= s′k . We have round protocol is depicted in Figure 3).
k,|s ,...,s i k,|s′ ,...,s′ i
The message states are given as arbitrary f states ρ1 ⊗· · ·⊗ρf
Tr ρA(1)1T (1) f ρA(1)1T (1) f = 0, (14) on S (0) = X1 ⊗ · · · ⊗ Xf , where each of ρℓ is purified in
Xℓ ⊗Rℓ . The server contains the system S (0) . The user chooses
since the correctness condition (9) guarantees that the two the index of the targeted message K ∈ [f], i.e., ρk is the
states can be made orthogonal by the decoding unitary map targeted quantum state when K = k. When K = k, the user
D(1) . Furthermore, for the same (s1 , . . . , sf ) and (s′1 , . . . , s′f ), prepares the initial state as |ki⊗|0i ∈ A(0) ⊗T (0) , We assume
Eq. (14) implies that that the user and the server contain local quantum registers,
1,|s ,...,s i 1,|s′ ,...,s′ i respectively, which enable that all local operations are written
Tr ρA(1)1T (1) f ρA(1)1T (1) f = 0, (15) as unitary operations. A QPIR protocol Φ is described by
unitary maps D(0) , . . . , D(r) , E (1) , . . . , E (r) in the following
because there exists a unitary map UT1→k
(1) on T
(1)
such that
steps.
1,|s ,...,s i k,|s ,...,s i 1) Query: For all i ∈ [r], the user applies a unitary map
UT1→k 1
(1) ρ (1) (1)
f
(UT1→k † 1
(1) ) = ρ (1) (1)
f
, (16)
A T A T D(i−1) from A(i−1) ⊗ T (i−1) to Q(i) ⊗ T (i) , and sends
1,|s′1 ,...,s′f i k,|s′ ,...,s′ i
UT1→k
(1) ρ (1) (1)
A T
(UT1→k
(1) )
†
= ρA(1)1T (1) f (17) Q(i) to the sender.
2) Answer: For all i ∈ [r], the server applies a unitary map
from Lemma 1. Since (15) holds for any different (s1 , . . . , sf ) E (i) from Q(i) ⊗ S (i−1) to A(i) ⊗ S (i) and sends A(i) to
and (s′1 , . . . , s′f ), the set (13) is composed of orthogonal states. the user.
Next, we consider the case where the user’s input is k = 1 3) Reconstruction: The user applies D(r) from A(r) ⊗ T (r) to
and the server applies the CPTP map Y ⊗ E, and outputs the state on Y as the protocol output.
X 1 The input-output relation ΛΦ of the protocol Φ is written
E (1) [|s1 , . . . , sf i], (18) with a CPTP ΓΦ,k from X[f] to Y as
s ,...,s
d
1 f
ΛΦ (k, ρ1 , . . . , ρf ) = ΓΦ,k (ρ[f] )
which is the uniform mixture of encoding maps. Then, the
= TrS (r) ,E D ∗ E(ρ[f] ⊗ D(0) (|kihk| ⊗ |0ih0|)),
state on A(1) ⊗ R(1) is
X 1 where D ∗ E = (D(r) ◦ E (r) ) ◦ · · · ◦ (D(1) ◦ E (1) ). The QPIR
ρ∗ := E (1) [|s1 , . . . , sf i] ◦ D(0) (|1ih1| ⊗ |0ih0|) (19) protocol Φ should satisfy the following conditions.
d
s1 ,...,sf • Correctness: When |ψk ihψk | denotes a purification of ρk
X 1 1,|s ,...,s i
= ρA(1)1T (1) f , (20) with the reference system Rk , the correctness is
s ,...,s
d
1 f ΓΦ,k ⊗ idRk (ρ[f]\{k} ⊗ |ψk ihψk |) = |ψk ihψk |
R[f]
for any K = k and any state ρ[f] . for any k. Note that the state on R[f] ⊗ S (r) does not depend
• User secrecy: When the state on S (i−1) ⊗ Q(i) with the on k due to the secrecy condition (28). Thus, applying (29)
target index K = k is denoted by ρS (i−1) Q(i) (k), the user recursively for all k, we have
secrecy is
H(R[f] S (r) ) = H(Rf ) + H(R[f−1] S (r) ) (30)
′ (r)
ρS (i−1) Q(i) (k) = ρS (i−1) Q(i) (k ) (28) = H(Rf−1 Rf ) + H(R[f−2] S ) = ··· (31)
(r)
= H(R[f] ) + H(S ). (32)
for any k, k ′ , i.
The communication complexity
Pof the one-server multi-round
r
QPIR is written as CC(Φ) = i=1 log |Q(i) | + log |A(i) |. Proof of Theorem 2. From Lemmas 2 and 3, we derive the
Theorem 2. For any one-server multi-round QPIR protocol following inequalities:
Φ in the blind setting,P the communication complexity CC(Φ) r
X
f
is lower bounded by ℓ=1 log |Xℓ |, where Xℓ is the system CC(Φ) ≥ H(A(i) ) + H(Q(i) ) (33)
of the ℓ-th message ρℓ . i=1
r−1
X
For the proof of Theorem 2, we prepare the following = H(A(r) ) + H(Q(1) ) + H(A(i) ) + H(Q(i+1) ) (34)
lemmas. i=1
Lemma 2. H(A(i) ) + H(Q(i+1) ) ≥ H(T (i+1) ) − H(T (i) ). ≥ H(A(r) ) + H(Q(1) ) + H(T (r) ) − H(T (1) ) (35)
(a)
Proof. Lemma 2 is shown by the relation = H(A(r) ) + H(T (r) ) (36)
(b) (a)
H(A(i) ) + H(T (i) ) + H(Q(i+1) ) ≥ H(A(r) T (r) ) = H(R[f] S (r) ) (37)
(r)
(b) = H(R[f] ) + H(S ) (38)
≥ H(A(i) T (i) ) + H(Q(i+1) )
≥ H(R[f] ) = H(X[f] ), (39)
(c)
= H(Q(i+1) T (i+1) ) + H(Q(i+1) ) where (35) is obtained by applying Lemma 2 for all i =
(d)
(i+1) 1, . . . , r − 1, and (38) is from Lemma 3. Taking the maximum
≥ H(T ).
of H(X[f] ) over all states ρ1 , . . . , ρf , we obtain CC(Φ) ≥
Pf
ℓ=1 log |Xℓ |.
3) Answer: For all j ∈ [n], the j-th server applies a CPTP The protocols for pure states are constructed by the fol-
map Ej [ψ, qj ] from Sj to Aj and sends Aj to the user lowing idea. Any pure state is written as U|0i with unitary
when Qj = qj . matrices U which are decomposed by rotation operations and
4) Reconstruction: Let A := A1 ⊗ · · · ⊗ An and decompose phase-shift operations. With this fact, the user requests the
A = Y ⊗ Y ′ . The user performs a measurement by a servers to apply certain rotation operations and phase-shift
POVM {M, I − M} on Y ⊂ A. If M is measured, the operations on bipartite entangled states so that the user can
targeted state |ψk i is recovered correctly in Y ′ . If the recover the targeted pure state after receiving the entangled
reconstruction fails, i.e. I − M is measured, repeat from state. To guarantee the user secrecy, we import to our protocols
Step 2. the same query structure of two-server classical PIR protocol
The protocol Φ should satisfy the following conditions. by Chor et al. [1].
• Correctness: At each execution of Step 4, the user recov- We denote by U(Cd ) the unitary group on Cd and define
ers the targeted state |ψk i with positive probability p. the set of pure states associated with U(Cd ) as
• User secrecy: The user secrecy is
S(Cd ) = |U⟫ | U ∈ U(Cd ) .
(44)
I(Qj ; K) = 0 ∀j (41)
For a subset C of U(Cd ), we denote
for any distribution of K.
• Server secrecy: Let ρA (k, ψ) be the state on A with the S(C) := {|U⟫ | U ∈ C} ⊂ P(Cd ⊗ Cd ), (45)
target index k and the message states ψ = (|ψ1 i, . . . , |ψf i). d
P(C) := {U|0i | U ∈ C} ⊂ P(C ). (46)
The server secrecy is
We can find the following relation between QSPIR protocols
ρA (k, ψ) = ρA (k, φ) for S(C) and P(C).
for any k ∈ [f] and any states ψ = (|ψ1 i, . . . , |ψf i), φ = Proposition 3. Let C ⊂ U(Cd ). If there exists a QSPIR pro-
(|φ1 i, . . . , |φf i) ∈ P f such that |ψk i = |φk i. tocol for S(C) with communication complexity c, there exists
The average classical and quantum communication complexi- a QSPIR protocol for P(C) which succeeds with probability
ties are defined as 1/d and has the average communication complexity cd.
n
Proof. We construct a QSPIR protocol for P(C) as follows.
X
CC(Φ)c = log |Qj |, (42)
j=1 After applying the QSPIR protocol for S(C) whose output
n state is |Uk ⟫ on A ⊗ B, the user performs the basis measure-
1X
CC(Φ)q = log |Aj |, (43) ment {|0i, . . . , |d − 1i} on A. If the measurement outcome
p j=1 is 0, the resultant state on B is |ψk i = Uk |0i. Otherwise,
since the classical queries are uploaded once and the quantum repeat the process. Since the measurement outcome is 0 with
answers are downloaded 1/p times on average. probability 1/d, the expected number of trials is d. Thus, the
Our protocols will be defined for n = 2 servers with the average communication complexity is cd.
maximally entanglement states as the prior entanglement. The We also construct a QSPIR protocol for pure states repre-
prior entanglement can be replaced by user’s upload of the sented by commutative unitary matrices.
entangled states. However, we state our results with the prior
entanglement because the entangled states can be prepared Theorem 6. Let C ⊂ U(Cd ) consist of commutative unitary
without any user’s operation. matrices. In the visible setting, there exists a QSPIR protocol
We prove the following two theorems. for S(C) with 2f-bit classical communication, 4 log d-qubit
quantum communication, and 2 log d-ebit prior entanglement.
Theorem 4. In the visible setting, there exists a QSPIR pro-
tocol for P(C2 ) with 2f-bit average classical communication, Combining Theorem 6 with Proposition 3, we have the
8-qubit average quantum communication, and 4-ebit average following corollary.
prior entanglement.
Corollary 2. Let C ⊂ U(Cd ) consist of commutative unitary
Theorem 5. Let d ≥ 2. In the visible setting, there exists matrices. In the visible setting, there exists a QSPIR protocol
a QSPIR protocol for P(Cd ) with 2f-bit average classical for P(C) with 2f-bit classical communication, 8d log d-qubit
communication, 4dd log d-qubit average communication, and average quantum communication, and 4 log d-ebit average
2dd log d-ebit average prior entanglement. prior entanglement.
In the following subsections, we construct the QSPIR proto- • Correctness: Consider the case where Qk = 1. When
cols to achieve the communication complexity of Theorems 4, Q = q, the state on A ⊗ A′ after the measurement is
5, 6. Since the protocol for Theorem 6 is the most simplest q′ q′
and the similar idea is used in the other two protocols, we will (Uq11 · · · Uqf f ⊗ Ū11 · · · Ūf f )|Id ⟫ (55)
q′ q′
first construct the protocol for Theorem 6 and then the other = (Uq11 · · · Uqf f ⊗ Ū11 · · · Ūf f )|Id ⟫ (56)
two protocols.
|Uq11 · · · Uqf f (U†f )qf · · · (U†1 )q1 ⟫
′ ′
= (57)
B. QSPIR protocol for pure states described by commutative = |Uk ⟫, (58)
unitaries
where (58) follows from the commutativity of the unitaries
In this subsection, we construct a two-server QSPIR proto- U1 , . . . , Uf , qℓ ⊕qℓ′ = δℓ,k , and (qk , qk′ ) = (1, 0). By similar
col in the visible setting which achieves the communication analysis, if Qk = 0, the resultant state on B ⊗ B ′ is |Uk ⟫.
complexity in Theorem 6. • Secrecy: Throughout the protocol, the servers only obtain
Protocol 2 (Two-server QSPIR protocol for pure states de- the queries, and each query is uniformly random f bits.
scribed by commutative unitaries). For commutative f uni- Therefore, each server does not obtain any information
taries U1 , . . . , Uf on Cd , the message states are given as of k. On the other hand, at the end of the protocol,
the user obtains both of |Uk ⟫ and |U†k ⟫. Although |U†k ⟫
|U1 ⟫, . . . , |Uf ⟫ ∈ Cd ⊗ Cd . (47) is transmitted additionally, no information of all other
message states is leaked to the user.
When the user’s target index K is k ∈ [f], i.e., the targeted • Communication complexity: The query is 2f bits, the
state is |Uk ⟫, our protocol is given as follows. communication from the server to the user is 4 qudits,
1) Query: The user chooses Q = (Q1 , . . . , Qf ) ∈ {0, 1}f i.e., 4 log d qubits, and prior entanglement is 2 copies of
uniformly at random. The variable Q′ = (Q′1 , . . . , Q′f ) ∈ |Id ⟫, i.e., 2 log d ebits.
{0, 1}f is defined as
( C. QSPIR protocol for pure qubit states
′ Qℓ for ℓ 6= k, In this subsection, we construct a two-server QSPIR proto-
Qℓ = (48)
Qℓ ⊕ 1 for ℓ = k. col for pure qubit states in the visible setting which achieves
the communication complexity in Theorem 4.
The user sends Q and Q′ to Server 1 and Server 2, Define the rotation operation on C2 and the phase-shift
respectively. operation by
2) Entanglement Sharing: Let A, A′ , B, B ′ be qudits. Server −ιϕ/2
cos θ − sin θ e 0
1 and Server 2 share two maximally entangled state |Id ⟫ R(θ) = , S(ϕ) =
sin θ cos θ 0 eιϕ/2
on A ⊗ A′ and B ⊗ B ′ , where Server 1 (Server 2) contains
A ⊗ B (A′ ⊗ B ′ ). for θ, ϕ ∈ [0, 2π). For any ϕ, ϕ′ , θ, θ′ , we have
3) Answer: When Q = q and Q′ = q ′ , we define
R(θ)R(θ′ ) = R(θ + θ′ ), S(ϕ)S(ϕ′ ) = S(ϕ + ϕ′ ), (59)
(t1 , . . . , tf ) = q ⊕ (1, . . . , 1), (49)
and therefore, S(ϕ) and S(ϕ′ ) (R(θ) and R(θ′ )) are commu-
(t′1 , . . . , t′f ) = q ′ ⊕ (1, . . . , 1). (50) tative. We also have
Server 1 applies R(θ)⊤ = R(−θ), S(ϕ)⊤ = S(ϕ) (60)
Uq11 · · · Uqf f , (51) and
Ut11 · · · Utf f (52) XR(θ)X = R(−θ), XS(ϕ)X = S(−ϕ). (61)
on A and B, respectively, and sends A and B to the user. As special cases, we have Y := XZ = R(π/2) and Z = S(π).
Similarly, Server 2 applies Any pure qubit states |ψi are written with some ϕ ∈ [0, 2π)
q′ q′ and θ ∈ [0, π/2] as
Ū11 · · · Ūf f , (53)
t′ t′ |ψi = S(ϕ)R(θ)|0i. (62)
Ū11 · · · Ūf f (54)
Now, we construct a QSPIR protocol in the visible setting
on A′ and B ′ , respectively, and sends A′ and B ′ to the for qubit states, which achieves the communication complexity
user. in Theorem 4.
4) Reconstruction: The user outputs the state on A1 ⊗ A2 if
Qk = 1, otherwise outputs the state on B1 ⊗ B2 . Protocol 3 (Two-server QSPIR protocol for qubit states). For
any message qubit states |ψ1 i, . . . , |ψf i ∈ P(C2 ), we choose
Protocol 2 satisfies the correctness, secrecy, and communi- the parameters ϕℓ and θℓ as
cation complexity, desired in Theorem 6, which is shown as
follows. |ψℓ i = S(ϕℓ )R(θℓ )|0i. (63)
When the user’s target index K is k ∈ [f], i.e., the targeted outcome x is 0 and qk = 1, the resultant state is
state is |ψk i, our protocol is given as follows. |φk i = S(ϕk )R(θk )|0i ∈ B. If the measurement outcome
1) Query: The same as Protocol 2. x is 1 and qk = 0, the resultant state after the user’s
2) Entanglement Sharing: Let A, A′ , B, B ′ be qubits. Server operation X is
1 and Server 2 share two maximally entangled state |I2 ⟫ XS(−ϕk )R(−θk )|1i = XS(−ϕk )XXR(−θk )X|0i (74)
on A ⊗ A′ and B ⊗ B ′ , where Server 1 contains A ⊗ B (e)
and Server 2 contains A′ ⊗ B ′ . = S(ϕk )R(θk )|0i (75)
Pf
3) Answer: When Q = q, Server 1 calculates θ̃ := ℓ=1 qℓ θℓ = |ψk i, (76)
Pf
and ϕ̃ := ℓ=1 qℓ ϕℓ , applies R(−θ̃) and S(ϕ̃) on A and
where (e) is from (61).
B, respectively, and sends A ⊗ B to the user. P Similarly, For each execution of Step 4, the user obtains |ψk i with
when Q′ = q ′ , Server 2 calculates θ̃′ := fℓ=1 qℓ′ θℓ and
Pf probability 1/2. The probability to obtain |ψk i within n
ϕ̃′ := ′ ′ ′ ′
ℓ=1 qℓ ϕℓ , applies R(−θ̃ ) and S̄(ϕ̃ ) on A and repetition of Steps 3 and 4 is 1 − 1/2n , and the average
′ ′ ′
B , respectively, and sends A ⊗ B to the user. number of repetitions is 2.
4) Reconstruction: • Secrecy: Each server does not obtain any information of k
a) The user performs the Bell measurement MXZ defined since the query is the same as Protocol 2. At each repetition
in (7) on A′ ⊗ B ′ . Depending on the measurement of Step 4, the user obtains the states of (66) and (69), which
outcomes (a, b) ∈ {0, 1}2 , the user applies Y−a ⊗ Za+b only depends on the state |ψk i. Thus, the user obtains no
on A⊗B and performs the basis measurement {|0i, |1i} information of the other states.
on A. • Communication complexity: The query is 2f bits. For
b) If Qk = 1 and the measurement outcome is 0, the state each execution of Steps 2-4, necessary communication
on B is |ψk i. If Qk = 0 and the measurement outcome is 4 qubits and necessary prior entanglement is 2 ebits.
is 1, the user applies X operation on B and then the state Since the query is sent only once at Step 1, the classical
on B is |ψk i. This process succeeds with probability communication complexity is 2f bits. Thus, the average
1/2. Otherwise, repeat from Step 2. quantum communication complexity is 8 qubits, and the
Protocol 3 satisfies the correctness, secrecy, and communi- average size of entanglement is 4 ebits. If we replace
cation complexity, desired in Theorem 4, which is shown as the prior entanglement by the transmission of |I2 ⟫ ⊗ |I2 ⟫
follows. from the user to the servers, the average communication
complexity is 2f bits and 16 qubits.
• Correctness: When Q = q, after the operations of the
Compared to the QPIR’s trivial solution of downloading
servers, the states on A ⊗ A′ and B ⊗ B ′ are
all quantum messages, which requires the communication of f
R(−θ̃) ⊗ R(−θ̃′ )|I⟫ = |R(−θ̃)(R(−θ̃′ ))⊤ ⟫ (64) qubits, the above protocol has less quantum communication on
= |R(−θ̃ + θ̃ )⟫′
(65) average when f > 16 even if ebits are uploaded by the user. On
the other hand, our protocol requires classical communication
= |R((−1)qk θk )⟫ ∈ A ⊗ A′ , (66) of 2f bits.
S(ϕ̃) ⊗ S̄(ϕ̃′ )|I⟫ = |S(ϕ̃)(S(ϕ̃′ ))† ⟫ (67)
D. QSPIR protocol for pure qudit states (d ≥ 2)
= |S(ϕ̃ − ϕ̃′ )⟫ (68)
In this subsection, we construct a two-server QSPIR proto-
= |S((−1)qk +1 ϕk )⟫ ∈ B ⊗ B ′ . col for pure qudit states in the visible setting which achieves
(69) the communication complexity in Theorem 5.
After the Bell measurement of the user with the measure- Similar to Protocol 3, we first consider the parameterization
ment outcome (a, b), the state on A ⊗ B is derived from of pure states on d-dimensional systems. Define d×d matrices
(8) as R(θ1 , .., θd−1 ) and S(ϕ1 , .., ϕd−1 ) as
R(θ1 , . . . , θd−1 ) = R1 (θ1 ) · · · Rd−1 (θd−1 ), (77)
|R((−1)qk θk )Xa Z−b S((−1)qk +1 ϕk )⊤ ⟫ (70)
d−1
= |R((−1)qk θk )Ya Z−a−b S((−1)qk +1 ϕk )⟫ (71) s
X
S(ϕ1 , . . . , ϕd−1 ) = |0ih0| + eιϕ |sihs| (78)
= |Ya R((−1)qk θk )S((−1)qk +1 ϕk )Z−a−b ⟫. (72) s=1
1 0 0 0
−a a+b
After the user applies Y ⊗ Z on A ⊗ B in Step 4-a), 0 eιϕ1 0 0
the state (72) is changed as = , (79)
..
qk +1 qk +1
0 0 . 0
|R((−1) θk )S((−1) ϕk )⟫ ∈ A ⊗ B, (73) d−1
0 0 0 eιϕ
and if the basis measurement outcome in where Rs (θ) is the rotation
Step 4-b) is x ∈ {0, 1}, the last state on
B is (R((−1)qk θk )S((−1)qk +1 ϕk ))⊤ |xi = cos θ − sin θ
(80)
S((−1)qk +1 ϕk )R((−1)qk +1 θk )|xi. If the measurement sin θ cos θ
with respect to the two basis elements |s − 1i and |si. Notice If it fails to measure (0, α2 ), restarts from Step 4-a.
that S(ϕ1 , . . . , ϕd−1 ) for all ϕ1 , . . . , ϕd−1 (Rs (θs ) for all Repeating the similar conversions with |R3 (−θk3 )i, . . . ,
θs ) are commutative but any two of R1 (θ1 ), . . . , Rd−1 (θd−1 ) |Rd−1 (−θkd−1 )i, the user obtains
are not in general. We also have S(ϕ1 , . . . , ϕd−1 )⊤ = Pd−1
S(ϕ1 , . . . , ϕd−1 ), Rs (θs )⊤ = Rs (−θs ), and |Z s=1 αs
S(ϕk )R1 (θk1 ) · · · Rd−1 (θkd−1 )⟫. (87)
2πι 4πι 2(d − 1)πι
c) The user performs Steps 4-a, 4-b with the states of (84)
Zd = S , ,..., . instead of (83). The user finally obtains β1 , · · · , βd−1 ∈
d d d
[0 : d − 1] and
It can be easily checked that any pure state |ψi ∈ P(Cd ) is Pd−1
written in the form |Z s=1 βs
S(−ϕk )R1 (−θk1 ) · · · Rd−1 (−θkd−1 )⟫. (88)
|ψi = S(ϕ1 , . . . , ϕd−1 )R(θ1 , . . . , θd−1 )|0i (81) d) Let X ⊗ X ′ be the system of two qudits on which the
state (87) is. The user performs the basis measurement
with ϕ1 , . . . , ϕd−1 ∈ [0, 2π) and θ1 , . . . , θd−1 ∈ [0, π/2]. X ′ . If the measurement outcome is
{|0i, . . . , |d − 1i} on P
− d−1
Protocol 4 (Two-server QSPIR protocol for qudit states). For 0, the user applies Z s=1 αs on X and then the resultant
any message pure states |ψ1 i, . . . , |ψf i ∈ P(Cd ), we choose state on X is the targeted state |ψk i. This step is written
the parameters ϕ1ℓ , . . . , ϕd−1
ℓ and θℓ1 , . . . , θℓd−1 as as
Pd−1
|ψℓ i = S(ϕ1ℓ , . . . , ϕd−1
ℓ )R(θℓ1 , . . . , θℓd−1 )|0i. (82) |Z s=1 αs
S(ϕk )R1 (θk1 ) · · · Rd−1 (θkd−1 )⟫ (89)
Pd−1
When the user’s target index K is k ∈ [f], i.e., the targeted 7→ Z s=1 S(ϕk )R1 (θk1 ) · · · Rd−1 (θkd−1 )|0i
αs
(90)
state is |ψk i, our protocol is given as follows. 7→ S(ϕk )R1 (θk1 ) · · · Rd−1 (θkd−1 )|0i (91)
1) Query: The same as Protocol 2. = |ψk i. (92)
2) Entanglement Sharing: Server 1 and Server 2 share d
copies of the maximally entangled state |Id ⟫. Otherwise, repeat from Step 4-a.
3) Answer: Similar to Step 3 of Protocol 3 and as analyzed Protocol 4 satisfies the correctness, secrecy, and communi-
in (66) and (69), Server 1 and Server 2 can jointly generate cation complexity, desired in Theorem 5, which is shown as
the following quantum states follows.
|S(ϕk )⟫, |R1 (θk1 )⟫, . . . , |Rd−1 (θkd−1 )⟫, (83) • Correctness: As described in Step 4, the user recovers
|ψk i with positive probability by repeating until success.
and • Secrecy: This protocol satisfies the user secrecy, because
|S(−ϕk )⟫, |R1 (−θk1 )⟫, . . . , |Rd−1 (−θkd−1 )⟫. (84) the queries are the same as Protocol 3 and the number of
requests in Step 4. Step 4-d is necessary since the states
The servers generate and send these states to the user if it in (83) and (84) should be requested the same number
is requested in Step 4. of times. This protocol also satisfies the server secrecy,
4) Reconstruction: For this step, remind (8): If the state is because the only information that the user obtains from
|A⟫ ⊗ |B⟫ and Bell measurement MXZ defined in (7) the servers is states in (83) and (84) and these states only
is performed with outcome (a, b), the resultant state is depend on the state |ψk i.
|AXa Z−b B⊤ ⟫. • Communication complexity: At Step 1, the size of
a) The user requests the servers to send |S(ϕk )⟫ ∈ A ⊗ A′ queries is 2f bits. For downloading all states (83), 2d log d-
and |R1 (−θk1 )⟫ ∈ B ⊗ B ′ . The user performs the Bell qubit communication and d log d-ebit are required. The
measurement MXZ defined in (7) on A′ ⊗ B ′ . If the mea- probability to succeed to generate the state in (87) is
surement outcome is (0, α1 ) for some α1 , which happens 1/dd−1 and therefore, the expected number of execution
with probability 1/d, the user obtains the outcome of the of Steps from 4-a to 4-c is dd−1 . Thus, for finishing Steps
following conversions from 4-a to 4-c, the average quantum communication is
|S(ϕk )⟫|R1 (−θk1 )⟫ 7→ |S(ϕk )Zα1 R1 (θk1 )⟫ (85) less than 2dd log d = dd−1 ·2d log d qubits and the average
α1 shared entanglement is less than dd log d = dd−1 · d log d
= |Z S(ϕk )R1 (θk1 )⟫, (86)
ebits. Similarly, for Step 4-d, the same average quantum
where 7→ represents the state reduction by the measure- communication and the same average shared entanglement
ment. Otherwise, the user repeats Step 4-a. are required. Thus, Protocol 4 requires 2f-bit classical
b) Next, the user requests |R2 (−θk2 )⟫ to the servers and communication, 4dd log d-qubit average quantum commu-
performs the same measurement MXZ . If the measurement nication, and 2dd log d-ebit average prior entanglement.
outcome is (0, α2 ) for some α2 , the user obtains the The communication complexity of Protocol 4 does not
outcome of the following conversion: scale with the number of message states f. Since the QPIR’s
trivial solution of downloading all messages requires f log d-
|Zα1 S(ϕk )R1 (θk1 )⟫|R2 (−θk2 )⟫
qubit quantum communication, Protocol 4 is more efficient on
7→ |Zα1 +α2 S(ϕk )R1 (θk1 )R2 (θk2 )⟫, average if the number of messages f is greater than 4dd .
Remark 1 (Comparison of Protocols 3 and 4 for qubit states). QSPIR for mixed states are also open problems. Interesting
Both Protocols 3 and 4 can be applied for QPIR of qubit applications of our QSPIR protocols can also be considered
states. However, the average communication complexity of for other communication and computation problems. We leave
Protocol 3, which is 8 qubits and 4 ebits, is less than that these questions for interested readers.
of Protocol 4 for d = 2, which is 16 qubits and 8 edits. The
advantage of Protocol 3 comes from the commutation relation VII. ACKNOWLEDGEMENT
between the rotation operations R(θ) and Y = XZ = R(π/2). The authors are grateful to Prof. François Le Gall for helpful
Since the reduced state after the Bell measurement is repre- discussion and comments. SS is supported by JSPS Grant-in-
sented with Y, Z as (72) and Y is commutative with R(θ) for Aid for JSPS Fellows No. JP20J11484. MH was supported
any θ, the user can reconstruct the targeted state efficiently as in part by Guangdong Provincial Key Laboratory (Grant, No.
(73). On the other hand, the similar method cannot be applied 2019B121203002).
for Protocol 4 because the rotation operations R(θ) for d > 2
are not commutative with any multiplication of Xd and Zd . R EFERENCES
Thus, without using the commutative relation, Protocol 4 for [1] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private informa-
tion retrieval,” Journal of the ACM, 45(6):965–981, 1998.
d = 2 results in greater communication complexity. [2] C. Cachin, S. Micali, and M. Stadler, “Computationally Private Infor-
mation Retrieval with Polylogarithmic Communication,” Advances in
VI. C ONCLUSION Cryptology - EUROCRYPT ’99, pp. 402–414, 1999.
We have studied quantum private information retrieval for [3] H. Lipmaa, “First CPIR Protocol with Data-Dependent Computation,”
Proceedings of the 12th International Conference on Information Secu-
quantum messages in the blind and visible settings. We have rity and Cryptology, pp. 193–210, 2009.
proved that the trivial solution of downloading all messages is [4] A. Beimel and Y. Stahl, “Robust information-theoretic private infor-
optimal for honest one-server QPIR, which is a similar result mation retrieval,” Proceedings of the 3rd International Conference on
Security in Communication Networks (SCN’02), pp. 326–341, 2003.
to the classical PIR but different from QPIR for classical [5] S. Yekhanin, “Towards 3-query locally decodable codes of subexponen-
messages. In the one-round case, the optimality is proved tial length,” 39th STOC, 2007, pp. 266–274.
for both blind and visible settings, and in the multi-round [6] C. Devet, I. Goldberg, and N. Heninger, “Optimally Robust Private
Information Retrieval,” 21st USENIX Security Symposium, August 2012.
case, it is proved for the blind setting. On the other hand, [7] H.-K. Lo “Insecurity of quantum secure computations,” Phys. Rev. A.
we have constructed efficient QPIR protocols with two cases. 56 (2): 1154–1162, 1997.
The first case is one-server QPIR with prior entanglement [8] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. “Protecting data
privacy in private information retrieval schemes,” Journal of Computer
in the blind setting. We have constructed a reduction from and Systems Sciences, 60(3):592–629, 2000. Earlier version in STOC
any QPIR protocol for classical messages to a QPIR protocol 98.
for quantum messages and derived an efficient QPIR protocol [9] I. Kerenidis and R. de Wolf. “Exponential lower bound for 2-query
locally decodable codes via a quantum argument,” Proceedings of 35th
from the protocol by Kerenidis et al. [14]. The second case is ACM STOC, pp. 106–115, 2003.
multi-server QSPIR in the visible setting. We have constructed [10] I. Kerenidis and R. de Wolf, “Quantum symmetrically-private informa-
three protocols for pure qubit states, pure qudit states, and pure tion retrieval,” Information Processing Letters, vol. 90, pp. 109–114,
2004.
states described by commutative unitaries. These protocols in [11] L. Olejnik, “Secure quantum private information retrieval using phase-
the visible setting are symmetric QPIR protocols in which the encoded queries,” Physical Review A 84, 022313, 2011.
user obtains no information other than the targeted message [12] Ä. Baumeler and A. Broadbent, “Quantum Private Information Retrieval
has linear communication complexity,” Journal of Cryptology, vol. 28,
state. Thus, we proved that QSPIR is possible for quantum pp. 161–175, 2015.
messages. Furthermore, these protocols are also more efficient [13] F. Le Gall, “Quantum Private Information Retrieval with Sublinear
than the QPIR’s trivial solution when the number of messages Communication Complexity,” Theory of Computing, 8(16):369–374,
2012.
are sufficiently greater than the dimension of quantum systems. [14] I. Kerenidis, M. Laurière, F. Le Gall, and M. Rennela, “Information
There are many open problems related to the study of QPIR cost of quantum communication protocols,” Quantum information &
for quantum messages. Our optimality proof of the trivial computation, 16(3-4):181–196, 2016.
[15] D. Aharonov, Z. Brakerski, K.-M. Chung, A. Green, C.-Y. Lai, O.
one-server QPIR protocol is for the one-round visible setting Sattath, “On Quantum Advantage in Information Theoretic Single-Server
and the multi-round blind setting. It is unknown whether the PIR,” In: Ishai Y., Rijmen V. (eds) EUROCRYPT 2019, Springer, Cham,
optimality still applies for the multi-round one-server visible vol. 11478, 2019.
[16] S. Song and M. Hayashi, “Capacity of Quantum Private Information Re-
setting and the multi-server blind setting. Also, we have trieval with Multiple Servers,” Proceedings of 2019 IEEE International
only considered QPIR with information-theoretic security. Our Symposium on Information Theory (ISIT), pp. 1727–1731, 2019.
result does not preclude the possibility of the non-trivial one- [17] S. Song and M. Hayashi, “Capacity of Quantum Private Information
Retrieval with Collusion of All But One of Servers,” Proceedings of
server QPIR protocol with computational security. Further- 2018 IEEE Information Theory Workshop (ITW), pp. 1–5, 2019.
more, even if our QSPIR protocol for qudits is more efficient [18] S. Song and M. Hayashi, “Capacity of Quantum Private Information Re-
than the QPIR’s trivial solution when the number of message trieval with Colluding Servers,” Proceedings of 2020 IEEE International
Symposium on Information Theory (ISIT), 2020, in press.
states f is sufficiently large, the average communication com- [19] M. Allaix, L. Holzbaur, T. Pllaha, and C. Hollanti, “Quantum Private In-
plexity increases exponentially with the dimension d of the formation Retrieval From Coded and Colluding Servers,” IEEE Journal
system. In addition, our QSPIR protocols are for pure states on Selected Areas in Information Theory, vol. 1, no. 2, 2020.
[20] W. Y. Kon and C. C. W. Lim, “Provably-secure symmetric private
and it cannot be directly extended to protocols for the mixed information retrieval with quantum cryptography,” arXiv:2004.13921
state. Thus, more efficient QSPIR protocols for qudits and [quant-ph], 2020.
[21] R. Jozsa and B. Schumacher, “A new proof of the quantum noiseless
coding theorem,” J. Mod. Opt., 41(12), 2343–2349, 1994.
[22] B. Schumacher, “Quantum coding,” Phys. Rev. A, 51, 2738–2747, 1995.
[23] R. Jozsa, M. Horodecki, P. Horodecki, and R. Horodecki, “Universal
quantum information compression,” Phys. Rev. Lett., 81, 1714, 1998.
[24] M. Horodecki, “Limits for compression of quantum information carried
by ensembles of mixed states,” Phys. Rev. A, 57, 3364–3369, 1998.
[25] H. Barnum, C. M. Caves, C. A. Fuchs, R. Jozsa, and B. Schumacher,
“On quantum coding for ensembles of mixed states,” J. Phys. A Math.
Gen., 34, 6767–6785, 2001.
[26] M. Hayashi, “Exponents of quantum fixed-length pure state source
coding,” Phys. Rev. A, 66, 032321, 2002.
[27] T. H. Chan, S.-W. Ho, and H. Yamamoto, “Private information retrieval
for coded storage,” in Proceedings of 2015 IEEE International Sympo-
sium on Information Theory (ISIT), pp. 2842–2846, June 2015.
[28] H. Sun and S. Jafar, “The capacity of private information retrieval,”
IEEE Transactions on Information Theory, vol. 63, no. 7, pp. 4075–
4088, 2017.
[29] H. Sun and S. Jafar, “The Capacity of Symmetric Private Information
Retrieval,” 2016 IEEE Globecom Workshops (GC Wkshps), Washington,
DC, 2016, pp. 1–5.
[30] H. Sun and S. Jafar, “The capacity of robust private information retrieval
with colluding databases,” IEEE Transactions on Information Theory,
vol. 64, no. 4, pp. 2361–2370, 2018.
[31] R. Freij-Hollanti, O. W. Gnilke, C. Hollanti, and D. A. Karpuk, “Private
information retrieval from coded databases with colluding servers,”
SIAM J. Appl. Algebra Geometry, vol. 1, no. 1, pp. 647–664, 2017.
[32] S. Kumar, H.-Y. Lin, E. Rosnes, and A. Graell i Amat, “Achieving
maximum distance separable private information retrieval capacity with
linear codes,” IEEE Transactions on Information Theory, vol. 65, no. 7,
pp. 4243-4273, 2019.
[33] Q. Wang and M. Skoglund, “Symmetric private information retrieval
for MDS coded distributed storage,” Proceedings of 2017 IEEE Inter-
national Conference on Communications (ICC), pp. 1–6, May 2017.
[34] H.-Y. Lin, S. Kumar, E. Rosnes, and A. Graell i Amat, “An MDS-
PIR capacity-achieving protocol for distributed storage using non-MDS
linear codes,” Proc. IEEE Int. Symp. Inf. Theory, June 17–22, 2018.
[35] K. Banawan and S. Ulukus, “The Capacity of Private Information
Retrieval from Coded Databases,” IEEE Transactions on Information
Theory, vol. 64, no. 3, 2018.
[36] C. Tian, H. Sun and J. Chen, “A Shannon-Theoretic Approach to the
Storage-Retrieval Tradeoff in PIR Systems,” Proceedings of 2018 IEEE
International Symposium on Information Theory (ISIT), pp. 1904–1908,
June 2018.
[37] R. Tandon, “The capacity of cache aided private information retrieval,”
Proceedings of 2017 55th Annual Allerton Conference on Communica-
tion, Control, and Computing (Allerton), pp. 1078–1082, 2017.
[38] K. Banawan and S. Ulukus, “The capacity of private information
retrieval from byzantine and colluding databases,” IEEE Transactions
on Information Theory, vol. 65, no. 2, pp. 1206–1219, 2019.
[39] L. Holzbaur, R. Freij-Hollanti, J. Li, C. Hollanti, “Towards the Capacity
of Private Information Retrieval from Coded and Colluding Servers,”
arXiv:1903.12552 [cs.IT], 2019.
[40] S. Kadhe, B. Garcia, A. Heidarzadeh, S. El Rouayheb, A. Sprintson,
“Private information retrieval with side information,” IEEE Transactions
on Information Theory 66 (4), 2032–2043, 2019.
[41] R. Tajeddine, O. W. Gnilke, D. Karpuk, R. Freij-Hollanti and C. Hollanti,
“Private Information Retrieval From Coded Storage Systems With
Colluding, Byzantine, and Unresponsive Servers," IEEE Transactions
on Information Theory, vol. 65, no. 6, pp. 3898-3906, 2019.
[42] C. Bennett and S. Wiesner, “Communication via one- and two-particle
operators on Einstein-Podolsky-Rosen states,” Physical Review Letters,
69 (20): 2881, 1992.
[43] C. H. Bennett, G. Brassard, C. Crépeau, R. Jozsa, A. Peres, and W.
K. Wootters, “Teleporting an unknown quantum state via dual classi-
cal and Einstein-Podolsky-Rosen channels,” Physical Review Letters,
70(13):1895–1899, 1993.