The symmetrical private information retrieval (SPIR) problem Chor95 ; GIKM00 is usually modeled by a user querying a database , actually one of its items, say (what is usually a bit and ), while keeping private not only the value of (so-called user privacy), but also all other items (so-called data privacy). This is one of the fundamental problems in the area of secure multiparty computation and communication. In the classical world, solutions to this problem rely on unproven computational hardness assumptions from the complexity theory, in order to guarantee privacy of both parties involved Chor95 . Actually, no perfect solution to this problem seems to be known even in the quantum world Lo97 ; KW03 .
On the other hand, for this fundamental problem, significant advantages in communication efficiency can be obtained using quantum resources. Only of data is needed to be exchanged in some of the known protocols GLM08 ; Ole12 ; Yu14 , which allows an exponential reduction in the communication complexity when comparing with the best classical SPIR protocols proposed so far Chor95 ; BIKR02 ; Ambainis97 . While these protocols can achieve their querying goals with the lowest possible level of communication complexity (considering that has a coding of length), that is with communication complexity, these protocols are secure only when the parties are honest Bro15
. A dishonest database may acquire a significant amount of information about queries, via easy-to-implement such an operation as a single-qubit computational basis measurement (with two basis statesand ). Therefore, any improvement on security of such protocols, especially concerning the user privacy, is an interesting and important challenge.
The QPQ protocol GLM08 has been the first private query protocol with communication complexity. It uses a qRAM algorithm GLM08qram to provide answers to queries. The other two private query protocols with communication complexity, namely Ole12 ; Yu14 , complete the query task via a method which encodes item’s values in the phase of the transmitted state. This encoding is performed either by an oracle Ole12 , which is assumed to be able to recognize solutions to the search problem, or by a unitary operator the form of which is given explicitly Yu14 .
All three protocols GLM08 ; Ole12 ; Yu14 rely on setting a unique, so-called rhetoric, query 111In GLM08 , the query is chosen to be rhetoric if it has a known standard answer , say . In our protocols, there is no need for a rhetoric query to have such a standard answer. That is to say, any query different from the true query can serve as a rhetoric query. to secure the true query . The way is to let the user always prepare his/her queries by coherently mixing the true query with the rhetoric query. Due to such a superposition the database can not learn immediately but needs to perform some cheating operations on the state in order to obtain information. However, the operations can cause deviation on the state and thus could be detected by the user after he/she received the state returned from the database. In terms of this approach, the QPQ protocol GLM08 can obtain a cheat-sensitive property, i.e. the user can have a non-zero probability to detect dishonesty of the database. (Cheat sensitive cryptographic protocols between mistrustful parties, are in literature HK04 defined as protocols which guarantee that, when either of them cheats, the other has a nonzero probability to detect such a cheating.) In addition, setting a rhetoric query with a standard answer can guarantee the success of the query (by getting the correct value) not only in the QPQ protocol GLM08 , but also in phase-encoded private query protocols Ole12 ; Yu14 . Therefore, such a setting is essential for both protocols.
Both protocols have significant deficiencies concerning security, even in the case of an attack via a simple computational basis measurement. The QPQ protocol will inevitably leak to a dishonest database performing such an attack, despite of the fact that it would be cheat-sensitive. In contrast, the phase-encoded private query protocols Ole12 ; Yu14 could leak at most half amount of the user privacy to such a database, but they are not cheat-sensitive. That means that such a database can prevent exposure to detections, even if the attack results in a significant information leakage. Such an attack can even ruin the protocol because it can lead to an unsuccessful query (by returning only a random answer). Papers Ole12 ; Yu14 propose variants of the above protocols that aim to enhance security. However, none of them can deal successfully with such easy-to-implement attacks.
In this paper, we propose a new scheme for private query protocols which is also of communication complexity. In this scheme, the database retrieves requested items using a special data retrieving algorithm that is running locally at the side of the database, for example, the qRAM algorithm used in the QPQ protocol GLM08 , and the user extracts the target item using a method which is developed from one that was used in the phase-encoded private query protocols Ole12 ; Yu14 . This method allows the user to make a superposition of the true query with several rhetoric queries, without having answers to these rhetoric queries known to the user beforehand. Despite lacking a preliminary knowledge about answers to rhetoric queries (or even rhetoric queries themselves in a randomized variant of the protocol), the user can still get the correct answer to his/her real query.
A use of multiple rhetoric queries can enhance security concerning user privacy in private query protocols. In the basic form of the proposed protocol, all queries but can be rhetoric queries, which is an assumption known to the database. This form of our new protocol is not cheat-sensitive, but can be easily modified to a variant which has a cheat-sensitive property. In such a variant, the user is allowed to select rhetoric queries randomly. This makes it difficult for the database to conceal its cheating activities due to the lack of knowledge about rhetoric queries and hence enhance security in preserving user privacy in a phase-encoded private query protocol. In addition, the setting of multiple rhetoric queries may lead to a much smaller amount of information leakage about the query in private query protocols that use a special data retrieving algorithm to provide answers to queries. Therefore, the proposed schemes can be regarded as generalizations of known private query protocols with communication complexity in the sense that they not only maintain their advantages in communication complexity, but also achieve an improvement in security, especially in preserving user privacy.
The rest of the paper is organized as follows. Section 2 starts with a brief review of related papers. A detailed description of the basic form of our protocol, as well as an illustration of the protocol actions by a figure is given in this section. In Section 3, the security of our new protocol is analyzed. After that, a variant of our new protocol is presented in Section 4 in which the number of rhetoric queries is introduced as a variable. Security improvements are then analyzed with respect to that variable. In particular, the case of an easy-to-implement, but destructive, computational basis measurement through which the database steals user privacy is addressed in details. Conclusions are given in Section 5.
2 Related Papers and New Protocol
2.1 Related Papers
In the QPQ protocol GLM08 , the user prepares at the beginning two states and , where is the computational basis of the quantum space the user works within. The user then sends randomly one of the two states to the database and waits for a response from the database before sending the next one. The database runs the qRAM algorithm GLM08qram , with two prepared states, returning as the output states and , respectively. The user gets by measuring the state in the computational basis and then uses with the standard value of to construct a measurement to test whether the second state is in the expected form .
In one of the phase-encoded private query protocols from Ole12 , the user prepares initially the state . The database is then expected to return the state , with the answer being encoded in the phase of the query element. The encoding process is realized by an oracle, which is assumed to be able to recognize the correct solutions for the search problem. The user then can get the value of by discriminating , and can then figure out the value of with respect to the standard . The entangled state is actually used to enhance security in the other phase-encoded private query protocol Yu14 .
From the above descriptions we can see that in both protocols, only one rhetoric query, namely “0”, is used. It masks the true query so that the private is unlikely to leak to an honest database and can only be learned by a dishonest database in a non-deterministic manner. The fact that the rhetoric query has a standard answer guarantees not only a successful query (by extracting the correct answer to the query ) in the phase-encoded private query protocols, but also the cheat-sensitivity of the QPQ protocol.
However, it is important to observe that using a rhetoric query known to the database may cause serious security problem in the above private query protocols with communication complexity. Indeed, when measuring the received state in the computational basis, the database can learn (in case of a nonzero outcome) with high probability, which is in the case of the QPQ protocol and for the phase-encoded private query protocols. Moreover, in the phase-encoded private query protocols, the database can conceal itself easily by merely sending back the measurement outcome states or , because no unexpected outcome could be measured later by the user. This suggests that the database can make a large gain at a low cost in the known protocols by means of such an action.
In terms of the data privacy preservation, the phase-encoded private query protocols exhibit better performance than the QPQ protocol. A dishonest user can learn at most bit of information from the database in the phase-encoded private query protocols whilst in the QPQ protocol, by making use of one extra round of the communication designed specifically for the honesty detection, user can obtain one additional bit.
2.2 Our New Protocol - Basic Form
The user starts the protocol by preparing the state and then sends it to the database. In order to store answers to queries, the database prepares an answering qubit initially in the state . After receiving the state , the database applies the special data retrieving algorithm to convert into
As the next step, the database sends the state back to the user, who then applies on it the controlled addition modulo 2 operation with one ancillary qubit being initially in the state . The corresponding action of the operation is
i.e. is flipped when control qubits are in the state , and remains unchanged otherwise. Afterwards the state evolves into the state
As the next step, the user keeps the state and sends back to the database, which reverses the state of the answering qubit into the state by querying the data retrieving algorithm again. Then the state evolves into the state
For convenience, we denote by and by , corresponding to the or value of , respectively. Note also that the states are orthogonal. Therefore, the user can perform a discriminating measurement after receiving a state from the database, which keeps the answering qubit, and then interprets that
The whole procedure is briefly illustrated in Fig.1.
In the above protocol, two rounds of communications are needed to get an answer to a single query. During such communications, qubits, which store queries, are transmitted four times. In addition, qubit for storing answers to queries is transmitted twice. In total, qubits need to be transmitted, i.e. the communication complexity of the protocol is asymptotically , which is an exponential reduction comparing with the classical and quantum private query protocols known so far. Note that the data retrieving algorithm runs simply locally at the side of the database. Therefore, its time cost has no contribution for the computational complexity.
In the protocol, all item’s indexes, except , are used as rhetoric queries to create the initial superposed state. From the above procedure we can see that the user will obtain the correct answer to his/her query deterministically, without having to know answers to rhetoric queries beforehand. Moreover, the setting of the multiple rhetoric queries provides better security, especially a better user privacy, than previously mentioned protocols. Security of the protocol, with respect to such a setting, is considered in the following two sections.
3 Security Issues
Similarly to all already known communication-efficient private query protocols, our new protocol is secure with respect to honest parties. Indeed, on one side, data privacy can be seen as being preserved because there is only one database item retrieved by a user that follows protocol steps. On the other side, due to the masking effect of rhetoric queries an honest database can not learn the true query from the received superposed states. Therefore, the user privacy is preserved when honest adversaries communicate. However, a dishonest adversary can have a chance to acquire some information that is prohibited to be leaked out. In the following paragraphs, we are going to discuss some possible attacks from the adversaries, especially from the database, that could affect security of the protocol.
Data Privacy As already discussed above, our protocol performs two rounds of communications to accomplish the querying task. However, a dishonest user can retrieve at most one item. This is guaranteed by the fact that only one (answering) qubit contains information on the item values and is transmitted exactly once during the protocol. Indeed, by the Holevo bound NL00 , at most one bit of classical information can be retrieved from one qubit, in general. Therefore, the user will get exactly if he/she follows the protocol honestly. A dishonest user, however, may get information about other items but, no more than one bit of information on the data items in total. In comparison, with one extra round of communication designed specifically for the honesty detection, the QPQ protocol could leak at most two items/bits to a dishonest user.
If some small probability of error is accepted, a dishonest user may try to get some information about more data items. Indeed, using a special quantum interrogation procedure from Van98 , Theorem 4 presented in the Appendix A demonstrates that, given the initial state , it is possible to get some nontrivial information about items of the database in total. The same amount of information can be obtained when random guesses are used. Therefore, data privacy is well preserved in our protocol. It is worth to observe that no similar claims were given so far either when analyzing the QPQ protocol GLM08 or the phase-encoded private query protocols Ole12 ; Yu14 . In the Appendix A, we show that given the initial state that was used both in the QPQ protocol GLM08 , and in one phase-encoded private query protocol Ole12
, an extra half of a bit of information on the database can be estimated, regardless of those obtained from a random guess, using the quantum interrogation procedureVan98 .
User Privacy In any attempt to extract information about , which is the user privacy, the database may try to distinguish different choices of among all possible forms of the initial state . However, it can not obtain much information via this approach because there are potential states with a mutual overlap 222For any two different choices of such potential states, for example, , where , their overlap is defined to be . that is close to for large . A better approach for a dishonest database to learn the query is to apply a measurement directly on the received state, say, using the computational basis measurement (). This approach is easy-to-implement and may lead to a significant loss of information about the user privacy. The loss may be even bits in the QPQ protocol case and half of bits in the phase-encoded private query protocols cases. To make it even worse, the database in the phase-encoded private query protocols can conceal itself easily by merely sending back the outcome states or .
As far as our new protocol is concerned, using the same approach to measure the received state in the computational basis, the cheating database may have outcomes distributed from to , each with probability , except for - in this case the probability is one-half. Due to the lack of knowledge about which index is the true query and which indexes are serving as rhetoric queries, the database can no longer simply identify a nonzero outcome (corresponding to an item index) as the true query , even if has been measured. However, the database can make use of the second round of communication to tell whether or not it has indeed measured . We explain the method as follows. Suppose that it has a measurement outcome at the first round of communication, the database can then use this and any index (different from ) to produce a fake state
and returns it to the user. Consequently, if the user keeps to follow the agreed steps, the user will return the state if , and otherwise. These two states are orthogonal and therefore the database can perform a discriminating measurement on the received state to determine whether or not . Using such a strategy, the database can get bits of information on during the protocol execution. Note that the information that the database has obtained on is bits before and remains the same after the discriminating measurement is applied. What the database can gain via such a discriminating measurement is actually a bit of information on whether or not .
The question is now, which state ought to be returned at the second round of communication in order to conceal the cheat? The database would most probably choose to return those states which can conceal its cheat successfully in any circumstance. Such a state, in the phase-encoded private query protocols Ole12 ; Yu14 , is the measurement outcome state ( or ). In the basic form of our proposed protocol, it is the uniform state because such a state will not result in unexpected outcomes in user’s measurement, i.e. when the user applies his/her measurement on such a state, the measurement outcome state can only be either or . (We have that equals , by replacing into it both and .) Since it can be created independently of the measurement outcomes of the database, the uniform state can, and only it can 333The proof is omitted here. It can be done using ideas contained in the proof of Theorem 1. help the database to evade the user’s detection perfectly in the basic form of our proposed protocol. Furthermore, returning such a fake state will result in a nearly random answer being extracted by the user, as that by returning the measurement outcome state ( or ) in the phase-encoded private query protocols.
Security analysis results of our new protocol, as well as its comparison with both the QPQ protocol and the phase-encoded private query protocols discussed above, are summarized in the Table 1. Data presented in that table show the difference between the known communication-efficient private query protocols and our protocol concerning preservation of data privacy, user privacy and the cheat-sensitivity. Data in the column 2 in Table 1 tell that a dishonest database can learn deterministically at most one item in both protocols - ours and the phase-encoded private query protocols, and two items in the QPQ protocol. Data in the column 3 implies that given the initial state in our protocol, a dishonest database can estimate, even if a small probability of an error is allowed, no more items than those obtained from a random guess. Such an analysis has been given neither for the QPQ protocol nor for the phase-encoded private query protocols. However, a proof sketch, given in the Appendix A below, indicates that an extra half of a bit of information can be estimated by a dishonest user both in the QPQ protocol and in one of the phase-encoded private query protocols using quantum interrogation procedure, regardless of those bits obtained from a random guess.
Data in the column 4 of the table show that the QPQ protocol is cheat-sensitive while both phase-encoded private query protocols and the basic form of our protocol are not. But our protocol is extendable to be cheat-sensitive. We will present and explore one randomized form of our protocol in the next section along with a theorem showing its cheat-sensitivity. We have compared possible maximum leakages of user privacy among protocols in the column 5 in Table 1 when the database performs a computational basis measurement. There one can see that bits of information on could leak out in both protocols, ours and the phase-encoded private query protocols. In the QPQ protocol, the entire bits of information on would leak out inevitably.
4 Randomization of Our New Protocol
Let us now consider the case that the user randomly selected () rhetoric queries different from the true query , which constitute a rhetoric query set , and use them to prepare the initial state, i.e. . As in the basic form of our protocol presented above, the new (randomized) protocol proceeds with the state to return the correct answer to the user 444One of the two states is then supposed to be returned to the user.. However, the database can no longer evade detection by simply returning the uniform state because that would make it to be detected with a probability , which, by replacing into it both and , equals . Unless , such a probability is nonzero. Now it is quite natural to ask whether there is any other state that can help the database to conceal its cheat in any circumstance in this randomized form of our protocol? If no such state can be found, then, we would say that the protocol is cheat-sensitive, because whichever state the database chooses to return, the user would have a non-zero probability to detect the cheat.
In our randomized protocol, the database is assumed to perform an arbitrary projective measurement on at the first round of communications. Through performing such measurements on database can gain some information on user privacy, , and can then, in the next step, create a fake state and return it to the user in order to explore how much information it has actually obtained on . At the second round of communication, the database creates another fake state and return it to the user for the purpose of concealing the cheat.
Now, we can prove the cheat-sensitivity of our protocol.
The randomized form of our new protocol is cheat-sensitive.
Proof. Suppose that the database has performed a projective measurement on the state at the first round of communication for the purpose of stealing information and has returned a fake state at the second round of communication for the purpose of concealing the cheat. In order to derive a cheat-sensitive property for the randomized form of our protocol, regardless of the measurement basis being used by the database at the first round, is assumed to be with a general form (). The user can then apply a discriminating measurement (with two basis states ) on . Probabilities of user’s outcomes are for , for , and for neither of , respectively. Then, the probability that the database is detected as cheating can be calculated as
The inequality (2) has been derived using the Cauchy-Schwarz inequality 555The Cauchy-Schwarz inequality states that for complex numbers , , (where the bar notation is used for complex conjugation). By setting we obtain that . and the equality holds if and only if all () are equal. That equality in (3) requires that all () have a zero value, which means that if it is not a special case in the basic form of our protocol that , the database must know precisely both the true query and rhetoric queries in for every query in order to create a fake state satisfying the equality in (3). Otherwise, the database would be detected as cheating with a nonzero probability. However, that is impossible because a real query is encoded as a superposed state which is made from both the true query and a randomly selected nonempty set of rhetoric queries, and the database can never learn full knowledge on such a state simply through applying projective measurements on it. .
Actually, due to the lack of knowledge about both and , the database can hardly recover the initial state , after performing projective measurements on it. In particular, assuming that the database has obtained as an outcome of a computational basis measurement, the probability of recovering correctly is:
where and are probabilities that the database has measured or has not measured , respectively. Both of them equal to . It is now easy to see that is close to 0 for large N.
As the next, it is natural to ask, which state is useful for the database to conceal its cheat, i.e. without knowing , which state ought to be returned by the database to minimize the probability of its cheating being detected? For the sake of simplicity of our discussions, we consider only the case of the computational basis measurement. To deal with this question we have the following theorem.
Let be the initial state of our new protocol without being known to the database. Suppose that a dishonest database has performed a computational basis measurement and has obtained . Then the database will return the state . Suppose that it has obtained a different from , the database would most probably return the fake state .
Proof. Firstly, it is safe for the database, if has been obtained by a computational basis measurement, to return the measurement outcome state in order to conceal its cheat. The probability that the database is detected cheating is in such a case. Secondly, in case that has not been obtained by a computational basis measurement, but some other , what the database can do to minimize the probability of being detected in user’s measurement is, according to the inequality (2), to create a fake state of the form , where, without loss of generality, and are real numbers satisfying the equality . Then, for each , , and , the probability of the database being detected is
Then, the expected values of for all is , where is the number of candidate initial states. Using the equalities and , we get that
Using one equality from Tb65 , we have for , We therefore have for ,
By using the equality , we get , which has a minimum value approximately at and . That means that in case of outcomes different from , returning can minimize the probability of the database being revealed to approximately . Therefore, the overall probability that the database has a minimum chance to be detected cheating is approximately . .
The next natural question is: how many rhetoric queries are optimal for the user to reveal a database cheating via the computational basis measurement, i.e. which value of will maximize the probability of detecting such a cheat? We start with the following theorem:
is the optimal number of rhetoric queries for the user to be defended against a cheating via the computational basis measurement.
Proof. Suppose that a dishonest database has performed a computational basis measurement and obtained as an outcome. Then, in case that , no matter what the value of is, the database can return at no risk of being detected as cheating. In other cases, namely when , according to the inequality (2), the database would return a fake state of the form with in order to minimize the probability of being detected in user’s measurement. We rewrite in the equation (4) to , by setting that and (). Then, the expected values of for all is
The equality in (5) holds if and only if . Therefore, rhetoric queries are the optimal number of rhetoric queries for the user to reveal such a cheating activity in the randomized variant of our protocol. .
The maximum of probability that the user will detect a computational basis measurement cheating activity is .
Proof. The user will detect a cheat with a zero probability when the database has obtained from a computational basis measurement, and by Theorem 3, with a maximum of probability at when the database has not obtained . Therefore, the maximum of probability that the user will detect a dishonest database cheating via a computational basis measurement is by using rhetoric queries. .
The advantage of using an (flexible) initial state over (the fixed) in preserving user privacy comes mainly from those cases that the database has not obtained from the measurement. In such cases, the database can recover the initial state only when guessing correctly both and all rhetorical queries.
is approximately for large . In the basic form of the protocol, the database performing projective measurements would evade detection by returning the uniform state, regardless of the measurement basis being used. Therefore, the user privacy is significantly enhanced by using randomness on rhetoric queries in our new protocol.
In this paper we have described and analyzed a new quantum private database query protocol which is a generalization of the known communication-efficient protocols, namely, the QPQ protocol and the phase-encoded private query protocols. The proposed protocol has more than one item (index) to serve as rhetoric queries, with no need for the user to know answers to such rhetoric queries beforehand in order to guarantee a successful query. The database answers queries via a special data retrieving algorithm. The user can retrieve the answer to the query through an encoding-decoding process.
By exchanging only of data to accomplish a query task, our new protocol maintains the advantage of the current protocols GLM08 ; Ole12 ; Yu14 for the same task with respect to communication complexity. It also achieves an improvement in security, especially in a protection of the user privacy. Comparing with the QPQ protocol GLM08 , in which the entire amount of user privacy would inevitably leak to a dishonest database performing a computational basis measurement, at most half amount of user privacy could leak out with respect to the same attack when our new protocol is used. Comparing with the phase-encoded private query protocols, one randomized form of our new protocol has been proved cheat-sensitive. A dishonest user would be able to retrieve at most one item deterministically, which is the same as in the phase-encoded private query protocols, but one less than in the QPQ protocol. It is also proved in the Appendix A that even if a small probability of an error is allowed, no one can estimate extra item, via the quantum interrogation procedure, than that can be obtained from a random guess. A similar evaluation has not been yet provided either for the QPQ protocol or for phase-encoded private query protocols. It is shown in Appendix A that, by using a quantum interrogation procedure, an extra half of a bit of information on database can be estimated for both protocols, regardless of those obtained from a random guess.
In the basic form of the proposed protocol, all item indexes but serve as rhetoric queries. A dishonest database performing projective measurements can return a fake uniform state to evade detection, regardless of measurement basis being used. By introducing randomness on rhetoric queries, our protocol gains a cheat-sensitive property, as demonstrated by Theorem 1. In the mean while, the user will reveal a database performing a computational basis measurement with a maximum probability approximately by using rhetoric queries for large , which are demonstrated by Theorem 3 and Corollary 1.
Appendix A Estimation of a Leakage of Data Privacy
The user may estimate a number of database items, if a small probability of error is allowed, by using a quantum interrogation procedure from Section 4.2 in Van98 , given the initial state . Indeed, we can prove the following theorem:
Let be the initial state of the above mentioned quantum interrogation procedure. A user can use this procedure to estimate no more than expected number of database items, which is equal to that obtained using random guesses.
Proof. By attaching an appropriate number of ancillary qubits, the state can be mapped into the state , where has a at the th position. The proof is based on the method from the page 11 in Van98 . As the first step, using one auxiliary qubit in the state attached, a special data retrieving algorithm or an oracle maps into the state
where denotes an unknown database string. By assuming that consists of zeros only, the initial state will not change after being applied by the oracle . Therefore, we have:
where and are the th bit and the number of zeros of the -bit binary string , respectively. Let us denote coefficients of those with and in the above last equation as and , respectively. They depend solely on the number of zeros of . The expected number of correct bits of equals therefore the expected number of zeros of the string , which is
where denotes the Hadamard operator. Using the following equalities
a straightforward but cumbersome calculation shows that the quantity is , which is equal to that obtained from a random guess. .
It is worth to note that with the initial state , about correct bits of can be estimated in total, as shown in the Section 4.3 in Van98 . As next we show, by a similar proof, for the QPQ protocol GLM08 and also for one of the phase-encoded private query protocols Ole12 that with the initial state (for which the transformed initial state is ), the expected number of correct bits of is
Dedication and Acknowledgments
The authors would like to thank the anonymous reviewers’ comments and suggestions that help to improve the quality of the manuscript. The paper is dedicated to a great man of theoretical computer science, to Maurice Nivat, especially for his understanding that the field should be taken very broadly and steps should be taken to incorporate in its development an enormous research potential of the communities also outside of Europe and North America.
This work was supported in part by the National Natural Science Foundation (Grant Nos. 61572532, 61876195, 61472452, 61772565), the Fundamental Research Funds for the Central Universities of China (Nos. 21617402, 83216003023), the Joint Funds of the National Natural Science Foundation of China and China General Technology Research Institute (Grant No. U1736113), the Natural Science Foundation of Guangdong Province of China (Grant Nos. 2017B030311011, 2017A030313378). It has also been supported by the Faculty of Informatics of the Masaryk university in Brno, Czech Republic.
- (1) B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, Private information retrieval, in: Proceedings of the 36rd IEEE Symposium on Foundations of Computer Science, 1995, pp. 41-50.
- (2) Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, Protecting data privacy in private information retrieval schemes, Journal of Computer and Systems Sciences 60(3) (2000) 592-629.
- (3) H. K. Lo, Insecurity of quantum secure computations, Phys. Rev. A. 56 (1997) 1154.
- (4) I. Kerenidis and R. de Wolf, Quantum symmetrically-private information retrieval, Information Processing Letters 90(3) (2004) 109-114.
- (5) V. Giovannetti, S. Lloyd, L. Maccone, Quantum private queries, Phys. Rev. Lett. 100(23) (2008) 230502.
- (6) L. Olejnik, Secure quantum private information retrieval using phase-encoded queries, Phys. Rev. A. 84 (2011) 022313.
- (7) F. Yu and D.W. Qiu, Coding-based quantum private database query using entanglement, Quantum Information & Computation 14 (1&2) (2014) 0091-0106.
- (8) A. Beimel, Y. Ishai, E. Kushilevitz, and J. Raymond, Breaking the O() barrier for information-theoretic Private Information Retrieval, in: Proceedings of 43rd IEEE FOCS, 2002, pp. 261-270.
- (9) A. Ambainis, Upper bound on the communication complexity of private information retrieval, in: 24th ICALP, LNCS 1256, 1997, pp. 401-407.
- (10) . Baumeler, A. Broadbent, Quantum private information retrieval has linear communication complexity, Journal of Cryptology 28 (1) (2015) 161-175.
- (11) V. Giovannetti, S. Lloyd, L. Maccone, Quantum random access memory, Phys. Rev. Lett. 100 (16) (2008) 160501.
- (12) L. Hardy, A. Kent, Cheat sensitive quantum bit commitment, Phys. Rev. Lett. 92 (15) (2004) 157901.
- (13) M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, Cambridge, 2000, pp. 531-536.
- (14) W. Van Dam, Quantum oracle interrogation: Getting all information for almost half the price, Foundations of Computer Science. in: Proceedings of 39th Annual Symposium on. IEEE, 1998, pp. 362-367.
- (15) I. Gradshteyn and I. Ryzhik, Table of Integrals, Series, and Products, Academic Press, corrected and enlarged edition, 1965.