[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Next Article in Journal
Low-Complexity Iterative Approximated Water-Filling Based Power Allocation in an Ultra-Dense Network
Previous Article in Journal
Scaling-Up Quantum Heat Engines Efficiently via Shortcuts to Adiabaticity
Previous Article in Special Issue
The Effect of Spin Squeezing on the Entanglement Entropy of Kicked Tops
You seem to have javascript disabled. Please note that many of the page functionalities won't work as expected without javascript enabled.
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Quantum Private Query Protocol Based on Two Non-Orthogonal States

College of Information Security Engineering, Chengdu University of Information Technology, Chengdu 610225, China
*
Author to whom correspondence should be addressed.
Entropy 2016, 18(5), 163; https://doi.org/10.3390/e18050163
Submission received: 15 December 2015 / Revised: 14 April 2016 / Accepted: 20 April 2016 / Published: 3 May 2016
(This article belongs to the Special Issue Entanglement Entropy)
Figure 1
<p>When <span class="html-italic">N</span> = 10,000, <math display="inline"> <semantics> <mrow> <mover accent="true"> <mi>n</mi> <mo stretchy="true">¯</mo> </mover> </mrow> </semantics> </math> <span class="html-italic">&lt;&lt;</span> <span class="html-italic">N</span> can be achieved.</p> ">
Figure 2
<p>The probabilities that Eve1 and Eve2 know Alice’s bits for different θ in our protocol, G-protocol and Y-protocol. The solid line represents the probabilities for G-protocol (<span class="html-italic">P<sub>T</sub><sup>G</sup></span>) and Y-protocol (<span class="html-italic">P<sub>T</sub><sup>Y</sup></span>); the star line represents the probability for our protocol (<span class="html-italic">P<sub>T</sub></span>).</p> ">
Figure 3
<p>Comparison of probability with which Alice correctly guesses the bit of Bob for different θ between our protocol and G-protocol when <span class="html-italic">k</span> = 2. The solid line represents <span class="html-italic">P</span><sub>guess</sub> for G-protocol; the dotted line represents <span class="html-italic">P</span><sub>guess</sub> for our protocol.</p> ">
Figure 4
<p>Comparisons of probability with which Bob knowing Alice’s bits for different θ between our protocol and G-protocol. The star line represents <span class="html-italic">P</span><sub>b</sub> for G-protocol; the dotted line represents the upper bound of <span class="html-italic">P</span><sub>b</sub> for our protocol; the solid line represents the lower bound of <span class="html-italic">P</span><sub>b</sub> for our protocol.</p> ">
Versions Notes

Abstract

:
We propose a loss tolerant quantum private query (QPQ) protocol based on two non-orthogonal states and unambiguous state discrimination (USD) measurement. By analyzing a two-point attack by a third party, we find that our protocol has a stronger ability to resist external attacks than G-protocol and Y-protocol. Our protocol requires a smaller number of compressions than that in G-protocol (Gao et al., Opt. Exp. 2012, 20, 17411–17420) and Y-protocol (Yan et al. Quant. Inf. Process. 2014, 13, 805–813), which means less post-processing. Our protocol shows better database security and user privacy compared with G-protocol.

1. Introduction

Nowadays, communications are omnipresent. The problems of security and privacy have come to assume an unprecedented importance. Cryptography is an effective way to ensure data security in communication. Both classical and quantum cryptography can be used to ensure security. However, a higher advantage in security has been shown for quantum physical principles. Therefore, in recent years, more and more scholars have been paying attention to quantum cryptography.
In communications, the safety of common privacy is usually considered. However, in communications among distrustful users, both common privacy and individual privacy need to be protected. Private information retrieval (PIR) [1] is an application in such research areas, which guarantees the security of private database query. Another similar application is called symmetrically private information retrieval (SPIR) [2], which finishes the following task: user (Alice) obtains a record in a database that she has paid for it, however, the database provider (Bob) should not know which record Alice obtains. On the other hand, Alice should not know about other records that she does not pay for. That is, SPIR protects both Alice’s privacy and Bob’s database privacy. However, classical cryptosystems and using physical principles cannot ideally realize the task of SPIR [3].
Quantum Private Query (QPQ) is the quantum scheme for the SPIR problem. Bennett [4] and Brassard [5] proposed quantum protocols to solve the similar tasks of SPIR, and it was found to be difficult to offer complete protection for both sides. In 2008, the pioneer QPQ scheme (GLM protocol, where GML denotes the first letter of the name of the three authors) has been put forward by Giovannetti et al. [6]. In the scheme, oracle operations are used to denote records in the database and are operated on the incoming query states. Query state and decoy state are needed in the protocol. The query state is used to obtain the needed record from the database. While possible attacks from Bob are checked with the decoy state, in the GLM scheme, Alice’s privacy is protected by the non-signaling principle, which means that the spiteful behavior of Bob may lead to wrong answers to Alice. The behavior of Bob will be found by Alice later which will destroy her trust in him, that is called being cheat sensitive for user privacy. On the other hand, GLM protocol shows good database privacy. That is, no more than two records are obtained through dishonest queries. GLM protocol displays better performance in communication complexity and computational complexity compared with existing schemes. After that, the proof-of-principle experimental realization and the security analysis of GLM protocol were done in Refs. [7,8], respectively. Similar with GLM protocol, Olejnik et al. put forward O-protocol [9] (another QPQ protocol) based on oracle operation. O-protocol reduces communication complexity further by using only one query state to obtain the needed record from the database and detect eavesdropping from Bob.
Although the existing schemes show high quality theoretically, they are hard to realize for large databases because of the difficulty of high-dimensional oracle operation. Jakobi et al. provides a new way for solving the difficulty, in which Alice and Bob share an oblivious key based on SARG04 QKD, which is proposed by Scarani et al. in 2004 [10]. This scheme is a pioneer practical QPQ protocol (J-protocol) [11]. In this practical scheme, Bob knows the whole key, which is for encrypting the whole database, and Alice knows only limited bits of the key, which safeguards the database privacy. Oracle operations and other complex operations are not included in J-protocol; therefore, it is easy to realize for a large database.
In 2012, Gao et al. put forward a flexible QPQ scheme (G-protocol) [12] based on J-protocol. G-protocol shows better performance in flexibility, communication complexity and security than J-protocol. In G-protocol, non-orthogonal states {|0 >,|1 >,|0′ >,|1′ >} are selected as carrier states. (Here, |0′ > = cosθ|0 > + sinθ|1 >, |1′ > = sinθ|0 > − cosθ|1 >, and θ is polarization angle). By adjusting the value of θ, the length of Alice’s key bits is limited to a certain reasonable value. When θ < π/4, G-protocol displays better database security, but poor user privacy.
In 2013, Yang et al. put forward another QPQ scheme (Y-protocol) [13] based on a two-particle entangled state and non-orthogonal projective measurements. Y-protocol has all the features of G-protocol, such as being flexible, loss tolerant and practical. What’s more, it displays a better user privacy.
In this paper, we presents another QPQ scheme based on two non-orthogonal states and unambiguous state discrimination (USD) measurement. Our protocol can resist two-point attacks by a third party. In our protocol, a smaller number of compressions is required than G-protocol and Y-protocol under similar conditions, which means that less post-processing is needed in our protocol. Our protocol shows better database security and user privacy compared with G-protocol. Furthermore, our protocol requires a bigger polarization angle to achieve similar conditions (the number of compressions, the average bits that Alice will know in the final key, the probability that Alice can not know any bits at all and the length of Bob’s final key) than G-protocol, which means that our protocol is easier to realize technically compared with Gao’s protocol.

2. The QPQ Protocol Based on Two Non-Orthogonal States

On assumption that N records are included in Bob’s database, one of them is bought by Alice, and Alice intends to obtain it in secret. The scheme is to help them to complete the task safely. Our idea is to distribute a pair of oblivious secret keys between Alice and Bob which is known completely to Bob and partly to Alice, through a series of steps. To try to reduce the bits Alice knows in the raw key, Bob generates a raw key with length kN, where k is a natural number.
(1)
Bob randomly prepares some non-orthogonal states | φ 0 or | φ 1 forming quantum sequence S, where
| φ 0 = cos θ 2 | 0 + sin θ 2 | 1 , | φ 1 = cos θ 2 | 0 sin θ 2 | 1 .
The range of parameter θ is between 0 and π/2. Bob inserts some decoy states |+ >,|− >,|0 > or|1 > in sequence S randomly, which forms new sequence S’. Bob tells Alice the length of sequence S’ through an authenticated channel. Then, Bob sends new sequence S’ to Alice.
(2)
When Alice receives each particle that Bob sends to her, she stores it in quantum memory firstly. After Alice has received the whole sequence S’, Alice informs Bob about this. Then, Bob tells Alice which particles are used as decoy states and the basis of the corresponding decoy state. Alice extracts decoy states and measures them. Alice tells Bob the measurement results. Bob determines whether there is eavesdropping by comparing the information Alice reports and the decoy states Bob prepares. If there is eavesdropping, Bob stops the protocol.
(3)
Alice measures the rest particles with unambiguous state discrimination (USD) method [14] to distinguish which state the qubit is in. The success probability of this USD measurement is bounded (from above) by p = 1 − F ( | φ 0 φ 0 | , | φ 1 φ 1 | ) =1 − | φ 0 | φ 1 | = 1 − cosθ, where F ( | φ 0 φ 0 | , | φ 1 φ 1 | ) = T r ( | φ 0 φ 0 | | φ 1 φ 1 | | φ 0 φ 0 | ) is the fidelity between the two states to be discriminated. That is, Alice obtains the state of the qubit she measures with probability p = 1 − cosθ. Thus, Alice knows the corresponding bit that the qubit is carrying with a certain probability p = 1 − cosθ. For Bob, he doesn’t know which particle Alice measures successfully. Alice represents | φ 0 as “0” and | φ 1 as “1”. Alice publishes which qubits in sequence S she has successfully received.
(4)
Bob also obtains a binary sequence according to the quantum sequence S that Bob prepares and the rule: | φ 0 denotes “0” and | φ 1 denotes “1”.
(5)
For the lost particles Alice publishes, Bob flips his corresponding bits randomly. Then Bob randomly adds a bit “0” or “1” behind his data; by doing so, Bob doubles his key. Obviously, Bob’s bits corresponding to lost particles are all used as parts of the raw key. Therefore, Alice will not falsely declare lost particles, because Alice will not benefit from reporting a lost particle for any unsuccessful USD measurement, such as increasing the probability of conclusive measurements and knowing a larger fraction of bits that are expected for a giving θ. On the contrary, Bob will obtain more information about Alice’s bits if Alice reports a lost particle for any unsuccessful USD measurement. In addition, by flipping Bob’s bits corresponding to lost particles randomly, Eve can not obtain database information by measuring some lost particles.
Table 1 and Table 2 are examples of sharing oblivious raw keys between Alice and Bob by using all particles in sequence S (the lost particles and received particles). Table 1 shows the case that Alice honestly reports all lost particles. Table 2 shows the case that Alice dishonestly reports the lost particles; that is, Alice will report some measuring failure particles as lost particles. In Table 1 and Table 2, “#” denotes the honest reporting of lost particle, “?” denotes measurement failure of Alice , “$” denotes measurement failure of Alice but reporting particles as lost particles, “*” denotes knowing nothing about the bit. In Table 1 and Table 2, the bits in Bob’s final bits corresponding to reporting as lost particles (including the honest reporting of lost particles and measurement failure by Alice, but reporting particles as lost particles) are the results of flipping the original Bob’s bits randomly.
In Table 1, Alice honestly reports all lost particles (1,9) and measurement failure of particles (4,5,7,8). In Table 2, Alice dishonestly reports the lost particles (1,4,7–9), where particles 4,7,8 are the case of measurement failure by Alice but reporting particles as lost particles. By comparing Alice’s bits and Bob’s final bits in Table 1 and Table 2, we find that the dishonest reporting of lost particles will not impact Alice’s bits. In addition, we still find that the bits corresponding to dishonest reporting of lost particles in Bob’s final bits are the results of flipping Bob’s corresponding original bits randomly; however, Alice knows nothing about these bits. From Table 1 and Table 2, we find that if Alice honestly reports lost particles, Bob knows that Alice may successfully measure particles 2–8; if Alice reports failure measurements as lost particles, Bob knows that Alice may successfully measure particles 2,3,5,6. That is, the probability that Bob knows Alice’s bits increases. Therefore, dishonest reporting of lost particles will make Bob know more information of Alice’s bits; however, Alice can not know more information about Bob’s final bits.
For Alice, with the exception of those two-bit-groups corresponding to lost particles, she owns the first bit of each of Bob’s two-bit-groups corresponding to received photons, but nothing about the second bit. Whatever the measurement result of Alice, the second bit is 0 or 1 with equal probability. Therefore, Alice knows the first bit of Bob’s each two-bit-group corresponding to received photons with probability p = 1 − cosθ.
In this way, Alice and Bob have shared a raw key Kr known completely to Bob and partly to Alice. Obviously, for each two-bit-group corresponding to received photons, Alice should know only one bit with probability 1 − cosθ. Therefore, Alice knows only p ≤ (1 − cosθ)/2 of the raw key Kr on average. That is, (1 − cosθ)/2 is the upper bound of the bits that Alice knows of the raw key Kr.
(6)
To reduce the bits by Alice known in the raw key they shared in the above steps, Alice and Bob execute post-processing on the raw key. Because the length of Kr is kN, where k is a natural number, Alice and Bob break Kr up into k parts, thus the length of each parts is N. By adding the k parts bitwise, the raw key becomes a final key with length N. Bob knows the whole key, while Alice only knows several bits. For example, Bob’s bits are “011011100000” and Alice's bits are “**1*1***0***”, where “*” denotes that Alice knows nothing about the bit. If k = 2, Bob and Alice divide their bits into two parts, respectively: Bob's bits: “011011, 100000”; Alice's bits: “**1*1*, **0***”. Then, Bob and Alice perform bitwise exclusive-OR (XOR) operation on the top six bits and the post six bits, respectively: Bob: 011011 XOR 100000 = 111011; Alice: **1*1* XOR **0*** = **1***. Therefore, Bob’s and Alice’s key is 111011 and **1***, respectively. The process is similar to that in J-protocol, G-protocol and Y-protocol. If Alice knows nothing of the final key after this post-processing, the protocol should be restarted. However, this condition can be avoided by choosing appropriate parameters, which will be analyzed later.
(7)
Bob encrypts the database and Alice obtains the record that she needs. The detailed procedure is as follows: if Alice owns the jth bit Kj of Bob’s key K, and she needs to obtain the ith record Xi in Bob’s database. Then, Alice tells Bob the value s = ji. If s is a negative number, Bob shifts K right circularly with |s| bits; otherwise, Bob shifts K left circularly with s bits, by doing so Bob can obtain a new key K′. Bob encrypts the database with K′ in the way of a one-time pad. Alice decrypts the ith record with her key Kj.

3. Analysis

After step (6) (Alice and Bob add k substrings bitwise), Alice obtains n ¯ = N R k bits of the final key K on average, where R = 1 cos θ 2 . The probability that Alice can not know any bits at all is P 0 = ( 1 R k ) N = ( 1 n ¯ N ) N . When N n ¯ is satisfied, P 0 e n ¯ is obtained and n ¯ follows a Poisson distribution approximately. When n ¯ 2 is satisfied, we have P 0 0.135 ; when n ¯ 3 is satisfied, we have P 0 0.05 . In order to make Alice get less bits, at the same time, the failure rate is very small, obviously, n ¯ = 3 is an optimal value. We have P 4 = 1 P 3 P 2 P 1 P 0 = 1 13 e 3 = 0.35 and P 5 = 1 P 4 P 3 P 2 P 1 P 0 = 0.18 , where P 4 denotes the probability that Alice knows more than four bits in a distribution and P 5 denotes the probability that Alice knows more than five bits in a distribution when the average value of n ¯ is three. That is to say, the success probability of Alice to learn more bits by cheating is very small. The distribution of n ¯ in G-protocol and Y-protocol also follows a Poisson distribution approximately.
Figure 1 (locating N = 10,000) indicates that a different n ¯ is reached by adjusting θ and k when N is fixed. Compared with G-protocol (see Figure 2 in [12]), we find that, to achieve similar N and n ¯ , the value of k ranges from 2 to 5 in our protocol, while from 5 to 10 in G-protocol. This means that we need smaller k compared with G-protocol under similar conditions ( n ¯ , θ and N). That is, less post-processing is required in our protocol.

3.1. Loss Tolerant

The following two reasons can show that our protocol is loss tolerance. Firstly, Bob’s bits corresponding to lost particles are all used as parts of the raw key. Therefore, Alice will not falsely declare lost particles, because Alice will not benefit from reporting a lost photon for any unsuccessful USD measurement, such as increasing the probability of conclusive measurements and knowing a larger fraction of bits than expected for a giving θ. On the contrary, Bob will obtain more information about Alice’s bits if Alice reports a lost particle for any unsuccessful USD measurement. Secondly, by flipping Bob’s bits corresponding to lost particles randomly and post-processing on the raw key, Eve can not obtain database information by measuring some lost photons.

3.2. The Third-Party Attacks

The intercept resend attack and Trojan Horse attack are two common attack strategies in quantum secure communication. In our protocol, the particles are one-way transmission, and there is no loop (circuit); therefore, there is no Trojan Horse attack. Two-point attack [15] is a specific intercept resend attack strategy aiming to attack the QKD system based on two non-orthogonal states [16]. In two-point attacks, there are two third-party eavesdroppers Eve1 and Eve2. Eve1 is located at a point near Alice’s security domain, and Eve2 at a point near Bob’s security domain. Eve1 and Eve2 can communicate with each other through a classical channel. Eve1 intercepts the quantum channel and measures every quantum state. Eve2 resends the quantum state according to the measurement result Eve1 tells him. Next, we analyze the influence of two-point attacks on user privacy and database privacy in our protocol.
(1)
The influence of two-point attacks on user privacy
In our protocol, if Eve1 intercepts a particle and successfully measures it with a USD method, after Eve1 tells the result to Eve2, Eve2 resends the particle to Alice. Then, Eve1 and Eve2 will know the bit of Alice. That is, user privacy is threat. However, because Bob inserts decoy particles with x-basis and z-basis randomly in quantum sequence S, Eve1 and Eve2 has 1/3 probability or less to select correct basis (USD, x-basis or z-basis) to measure the intercepted particles successfully. In addition, the eavesdropping of Eve1 and Eve2 will be easily found with probability 2/3. They only have the probability
P T = 1 cos θ 3
to know the corresponding bit of Alice. While in G-protocol and Y-protocol, the probability that Eve1 and Eve2 are found is 0, and the probability that Eve1 and Eve2 know the corresponding bit of Alice is
P T G = P T Y = sin 2 θ 2 .
From Figure 2, we find that the probability that Eve1 and Eve2 know Alice’s bits for different θ in our protocol is much lower than that in G-protocol and Y-protocol.
(2)
The influence of two-point attacks on database privacy
In our protocol, Bob’s bits corresponding to particles that are intercepted by Eve1 without being resend by Eve2 are flipped randomly; therefore, Eve1 and Eve2 know nothing about these bits. For the particles that Eve1 intercepts and Eve2 resends, according to analysis in the influence of two-point attacks on user privacy, we know that Eve1 and Eve2 will be easily found with probability 2/3, and they only have the probability (1 − cosθ)/3 to know the corresponding bit. Therefore, it is difficult to obtain database information for Eve1 and Eve2, and their eavesdropping will be found easily.

3.3. Qubit Efficiency Comparison

To estimate the efficiency of QPQ, we define the qubit efficiency as η = N n ¯ ( M + l ) , where N denotes the final classical bits that can be generated for Bob, n ¯ denotes the final classical bits that can be generated for Alice, M denotes the total coding particles in each communication, and l denotes the decoy photons to check the presence of eavesdropping in each communication.
Because n ¯ = NRk, we have N n ¯ = 1 R k , then
η = 1 R k ( M + l )
For G-protocol, R = sin 2 θ 2 , M = k N and there is no eavesdropping detecting, thus
η G = 1 ( sin 2 θ 2 ) k k N .
For Y-protocol, R = sin 2 θ 2 , M = 2 k N and there is no eavesdropping detecting, thus
η Y = 1 ( sin 2 θ 2 ) k 2 k N .
For our protocol, R = 1 cos θ 2 , M = k N , thus
η O u r = 1 ( 1 cos θ 2 ) k ( k N + l ) .
In Table 3, we compare the qubit efficiency of G-protocol [12], Y-protocol [13] and our protocol when N = 10,000.
From Table 3, we find that our protocol has better qubit efficiency than G-protocol [12] and Y-protocol [13].

3.4. Database Security

Database security means that Alice can not get extra records in Bob’s database no matter the methods she uses. Suppose that, to obtain extra records, Alice performs more efficient measurements on particles that Bob sends to her.
As analyzed in Ref. [11], there is a measurement called minimal error probability measurement [17], which distinguishes two equally likely qubits. If Alice measures the k qubits forming an element of the final key K with the efficient measurement, she obtains the bits of K directly. By using minimal error probability measurement, the maximal chance of distinguishing the two states ρ0 and ρ1 correctly is Pguess = 1/2 + D(ρ0, ρ1)/2, where D(ρ0, ρ1) denotes trace distance between ρ0 and ρ1. In our protocol, the probability is Pguess = ( 1 2 + 1 2 sin k θ ) at most. However, even though Alice guesses | φ 0 and | φ 1 correctly, (the probability is Pguess/3), she can infer correctly the corresponding two-bit group of Bob with 50% chance, that is, on average, Alice can infer correctly each bit of Bob with a 75% chance. Therefore, Alice can correctly guess the bit of Bob with probability
P g u e s s = 1 4 ( 1 2 + 1 2 sin k θ )
at most. Obviously the probability is much less than that in G-protocol ( P g u e s s G = 1 2 + 1 2 sin k θ ), which means better database security than that in G-protocol. Figure 3 shows that Pguess in our protocol is much less than that in G-protocol for a giving k = 2.

3.5. User Security

We suppose that Bob transmits a false qubit |Θ> to Alice, where |Θ> = cosβ|+> + sinβ|->. Alice obtains the conclusive result with probability (1 − cos(θ ± β))/2. By sending a fake state, Bob biases the probability of measurement results of Alice between ((1 − cos(θ + β))/2, (1 − cos(θ − β))/2) unless β = 0. Let Y = cos(θ − β) − cos(θ + β), by deducing d Y d β = 0 and d 2 Y d 2 β , we can get β = π/2 when d 2 Y d 2 β < 0 . We construe this result as that optimal probability with which Bob knows Alice’s bits is between ((1 − cos(θ + π/2))/2, (1 − cos(θ − π/2))/2). That is, the bounds on Pb (the probability with which Bob knows Alice’s bits) is:
(1 − cos(θ + π/2))/2 < Pb < (1 − cos(θ − π/2))/2.
Figure 4 shows that when θ ∈ (0,π/2), the low bound of Pb for our protocol is smaller than that in G-protocol. The upper bound of Pb for our protocol is smaller than that in G-protocol when 0 < θ < π/4, and bigger than that in G-protocol when π/4 < θ < π/2. That is, when 0 < θ < π/4, we can achieve a better user privacy compared with G-protocol.

4. Discussion

In the above section, we have analyzed the advantages of our protocol in the aspect of less post-processing (smaller k) compared with G-protocol under similar conditions ( n ¯ , θ and N), in the aspect of qubit efficiency compared with G-protocol and Y-protocol for fixed N, and θ and k, in the aspect of database security and user security compared with G-protocol. In this section, we give a more comprehensive discussion focusing on security and resources for specific, optimal sets of parameters.
From Table 4, we find that when n ¯ is fixed, G-protocol, Y-protocol and our protocol have the same P0. When N and n ¯ are given , for a specific k, Pb in our protocol is much lower than that in G-protocol and is close to that in Y-protocol, which means that our protocol shows much higher user security than G-protocol and the user security of our protocol is close to Y-protocol. Furthermore, in the same condition, our protocol always needs bigger θ than that in G-protocol and Y-protocol. Because a very small θ might make its realization technically difficult [12], our protocol is easier to realize technically than G-protocol and Y-protocol.
Table 5 shows that, for a given N and n ¯ , when three protocols (Y-protocol, G-protocol and our protocol) achieve similar θ, our protocol shows higher qubit efficiency than Y-protocol and better user privacy than G-protocol.
In a practical condition, channel noise is inevitable, which will cause errors in the obvious key shared between Alice and Bob. Therefore, error correction is necessary. We can use the method proposed in Ref. [18] to correct errors. Suppose the kN-bit raw oblivious key is denoted as O R = O 1 R O 2 R ... O k N R , the final obvious key after dilution is denoted as . O F = . O 1 F O 2 F ... O N F . Here, O i F = j = 0 k 1 O i + j N R , 1 i N , and denotes the addition module 2. Alice and Bob select a [k, s] error-correcting code [19] which uses k bits codeword to encode s bits word using generator matrix G and can correct one codeword error bits with error-correcting function. Bob chooses a bits word M = (m1, m2, …, ms) and obtains the corresponding bits codeword W = (w1, w2, …, wk) by calculating W = M·G. Then, Bob encrypts W with { O i + j N R } as the key, by using a one-time pad, and sends the ciphertext c to Alice. If Alice knows all the k bits { O i + j N R }, Alice decrypts c with { O i + j N R } and obtains a k-bit codeword W’. Alice corrects the error in W’ and obtains W. By adding the k bits in W bitwise, Alice knows O i F . If Alice does not know all the k bits in { O i + j N R }, she labels O i F = ?. Bob also adds the k bits in W bitwise to obtain his corresponding bit O i F .

5. Conclusions

We put forward a novel QPQ protocol based on two non-orthogonal states and unambiguous state discrimination (USD) measurement. Our protocol is loss tolerant. Compared with existing QPQ protocols, we have the following differences:
(1)
We analyze the influence of two-point attacks by a third party on user privacy and database privacy in our protocol. By comparing, we find that the probability that Eve1 and Eve2 know Alice’s bits for different θ in our protocol is much lower than that in G-protocol and Y-protocol, which means that our protocol has a stronger ability to resist external attacks than G-protocol and Y-protocol.
(2)
Smaller k is required to achieve similar conditions (n, θ and N) than G-protocol and Y-protocol, which means less post-processing and higher qubit efficiency.
(3)
For a given N and n ¯ , our protocol shows much higher user security than G-protocol and the user security of our protocol is close to Y-protocol. However, in the same condition, our protocol always needs bigger θ than that in G-protocol and Y-protocol. Because a very small θ might make its realization technically difficult [12], our protocol is easier to realize technically than G-protocol and Y-protocol.
However, because of eavesdropping detection in Step (2), our protocol requires quantum memory on the Alice side. The use of quantum memory will bring our protocol difficulties in practicality and realizability using current technology.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant Nos. 61402058, 61572086), the Fund for Middle and Young Academic Leaders of Chengdu University of Information Technology (Grant No. J201511), the Science and Technology Support Project of Sichuan Province of China (Grant No. 2013GZX0137), and the Fund for Young Persons Project of Sichuan Province of China (Grant No. 12ZB017).

Author Contributions

All of the authors read and approved the final manuscript. Yan Chang and Shibin Zhang conceived and designed the protocol; Yan Chang and Guihua Han performed the experiments; Yan Chang analyzed the data; Yan Chang, Zhiwei Sheng, Lili Yan and Jinxin Xiong contributed modification of paper; Yan Chang wrote the paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Chor, B.; Goldreich, O.; Kushilevitz, E.; Sudan, M. Private Information Retrieval. J. ACM 1998, 45, 965–981. [Google Scholar] [CrossRef]
  2. Gertner, Y.; Ishai, Y.; Kushilevitz, E.; Malkin, T. Protecting data privacy in private information retrieval schemes. J. Comput. Syst. Sci. 2000, 60, 592–629. [Google Scholar] [CrossRef]
  3. Lo, H.-K. Insecurity of quantum secure. Phys. Rev. A 1997, 56, 1154–1162. [Google Scholar] [CrossRef]
  4. Bennett, C.-H.; Brassard, G.; Crlpeau, C.; Skubiszewska, M.H. Practical quantum oblivious transfer. Adv. Cryptol. 1992, 576, 351–366. [Google Scholar]
  5. Brassard, G.; Crepeau, C.; Jozsa, R.; Langlois, D. A quantum bit commitment scheme provably unbreakable by both parties. In Proceedings of the 34th Annual Symposium on Foundations of Computer Science, Palo Alto, CA, USA, 3–5 November 1993; Volume 362.
  6. Giovannetti, V.; Lloyd, S.; Maccone, L. Quantum private queries. Phys. Rev. Lett. 2008, 100, 230502. [Google Scholar] [CrossRef]
  7. Martini, F.D.; Giovannetti, V.; Lloyd, S.; Maccone, L.; Nagali, E.; Sansoni, L.; Sciarrino, F. Experimental quantum private queries with linear optics. Phys. Rev. A 2009, 80, 010302. [Google Scholar] [CrossRef]
  8. Giovannetti, V.; Lloyd, S.; Maccone, L. Quantum private queries: Security analysis. IEEE Trans. Inf. Theory 2010, 7, 3465–3477. [Google Scholar] [CrossRef]
  9. Olejnik, L. Secure quantum private information retrieval using phase-encoded queries. Phys. Rev. A 2011, 84, 022313. [Google Scholar] [CrossRef]
  10. Scarani, V.; Acin, A.; Ribordy, G.; Gisin, N. Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Phys. Rev. Lett. 2004, 92, 057901. [Google Scholar] [CrossRef] [PubMed]
  11. Jakobi, M.; Simon, C.; Gisin, N.; Bancal, J.D.; Branciard, C.; Walenta, N.; Zbinden, H. Practical private database queries based on a quantum-key-distribution protocol. Phys. Rev. A 2011, 83, 022301. [Google Scholar] [CrossRef]
  12. Gao, F.; Liu, B.; Wen, Q.Y. Flexible quantum private queries based on quantum key distribution. Opt. Exp. 2012, 20, 17411–17420. [Google Scholar] [CrossRef] [PubMed]
  13. Yang, Y.-G.; Sun, S.J.; Xu, P.; Tian, J. Flexible protocol for quantum private query based on B92 protocol. Quant. Inf. Process. 2014, 13, 805–813. [Google Scholar] [CrossRef]
  14. Raynal, P. Unambiguous State Discrimination of two density matrices in Quantum Information Theory. 2006; arXiv: quant-ph/0611133. [Google Scholar]
  15. Yang, L.; Wu, L.-A. Two-point attack on the two nonorthogonal states QKD protocol over a fiber optic channel. 2005; arXiv: quant-ph/0310080. [Google Scholar]
  16. Bennett, C.-H. Quantum Cryptography Using Any Two Nonorthogonal States. Phys. Rev. Lett. 1992, 68. [Google Scholar] [CrossRef]
  17. Helstrom, C.W. Quantum Detection and Estimation Theory; Academic Press: New York, NY, USA, 1976. [Google Scholar]
  18. Gao, F.; Liu, B.; Huang, W.; Wen, Q.-Y. Postprocessing of the oblivious key in Quantum Private Query. IEEE J. Sel. Top. Quant. Electron. 2014, 21, 6600111. [Google Scholar]
  19. MacWilliams, F.J.; Sloane, N.J.A. The Theory of Error-Correcting Codes; North-Holland Publishing Company: Amsterdam, The Netherlands, 1977. [Google Scholar]
Figure 1. When N = 10,000, n ¯ << N can be achieved.
Figure 1. When N = 10,000, n ¯ << N can be achieved.
Entropy 18 00163 g001
Figure 2. The probabilities that Eve1 and Eve2 know Alice’s bits for different θ in our protocol, G-protocol and Y-protocol. The solid line represents the probabilities for G-protocol (PTG) and Y-protocol (PTY); the star line represents the probability for our protocol (PT).
Figure 2. The probabilities that Eve1 and Eve2 know Alice’s bits for different θ in our protocol, G-protocol and Y-protocol. The solid line represents the probabilities for G-protocol (PTG) and Y-protocol (PTY); the star line represents the probability for our protocol (PT).
Entropy 18 00163 g002
Figure 3. Comparison of probability with which Alice correctly guesses the bit of Bob for different θ between our protocol and G-protocol when k = 2. The solid line represents Pguess for G-protocol; the dotted line represents Pguess for our protocol.
Figure 3. Comparison of probability with which Alice correctly guesses the bit of Bob for different θ between our protocol and G-protocol when k = 2. The solid line represents Pguess for G-protocol; the dotted line represents Pguess for our protocol.
Entropy 18 00163 g003
Figure 4. Comparisons of probability with which Bob knowing Alice’s bits for different θ between our protocol and G-protocol. The star line represents Pb for G-protocol; the dotted line represents the upper bound of Pb for our protocol; the solid line represents the lower bound of Pb for our protocol.
Figure 4. Comparisons of probability with which Bob knowing Alice’s bits for different θ between our protocol and G-protocol. The star line represents Pb for G-protocol; the dotted line represents the upper bound of Pb for our protocol; the solid line represents the lower bound of Pb for our protocol.
Entropy 18 00163 g004
Table 1. The case that Alice honestly reports all lost particles.
Table 1. The case that Alice honestly reports all lost particles.
Order Number123456789
The states Bob prepares | φ 0 | φ 1 | φ 1 | φ 1 | φ 0 | φ 0 | φ 0 | φ 0 | φ 0
Bob’s original bits011011100101000101
Lost particles and Alice’s measuring result#* | φ 1 * | φ 1 *?*?* | φ 0 *?*?*#*
Alice’s bits 1 1 0
Bob’s final bits011011100101000111
Notes: | φ 0 and | φ 1 denotes non-orthogonal states in Equation (1).
Table 2. The case that Alice dishonestly reports the lost particles.
Table 2. The case that Alice dishonestly reports the lost particles.
Order Number123456789
The states Bob prepares | φ 0 | φ 1 | φ 1 | φ 1 | φ 0 | φ 0 | φ 0 | φ 0 | φ 0
Bob’s original bits011011100101000101
Lost particles and Alice’s measuring result#* | φ 1 * | φ 1 *$*?* | φ 0 *$*$*#*
Alice’s bits 1 1 0
Bob’s final bits011011000101100111
Table 3. Examples of qubit efficiency comparison of G-protocol, Y-protocol and our protocol when N = 10,000 and l = 15,000.
Table 3. Examples of qubit efficiency comparison of G-protocol, Y-protocol and our protocol when N = 10,000 and l = 15,000.
θ, kθ = 0.15, k = 2θ = 0.25, k = 2θ = 0.36, k = 3θ = 0.4, k = 3θ = 0.57, k = 4θ = 0.62, k = 4
G-protocol0.40100.05340.13950.07650.05560.0308
Y-protocol0.20050.02670.06980.03820.02780.0154
Our protocol0.90640.11830.67490.36140.46560.2424
Table 4. Examples of P0, Pb, θ and M + l comparison of G-protocol, Y-protocol and our protocol for a given N and n ¯ .
Table 4. Examples of P0, Pb, θ and M + l comparison of G-protocol, Y-protocol and our protocol for a given N and n ¯ .
a. N = 104, n ¯ = 3 and k = 3
ProtocolP0PbθM + l
Y-protocol0.050.32~0.680.3756 × 104
G-protocol0.050.980.3753 × 104
Our-protocol0.050.25~0.750.52344.5 × 104
b. N = 105, n ¯ = 3 and k = 3
ProtocolP0PbθM + l
Y-protocol0.050.38~0.620.2526 × 105
G-protocol0.050.980.2523 × 105
Our-protocol0.050.33~0.670.35444.5 × 105
c. N = 105, n ¯ = 3 and k = 4
ProtocolP0PbθM + l
Y-protocol0.050.31~0.690.3958 × 105
G-protocol0.050.960.3954 × 105
Our-protocol0.050.24~0.760.55105.5 × 105
Table 5. Examples of P0, Pb, θ and M + l comparison of G-protocol, Y-protocol and our protocol for N = 104 and a given n ¯ .
Table 5. Examples of P0, Pb, θ and M + l comparison of G-protocol, Y-protocol and our protocol for N = 104 and a given n ¯ .
a. n ¯ = 3
ProtocolP0PbθkM + l
Y-protocol0.050.24~0.760.53948 × 104
G-protocol0.050.930.53944 × 104
Our-protocol0.050.25~0.750.523434.5 × 104
b. n ¯ = 5
ProtocolP0PbθkM + l
Y-protocol0.00670.23~0.770.57948 × 104
G-protocol0.00670.920.57944 × 104
Our-protocol0.00670.23~0.770.571234.5 × 104

Share and Cite

MDPI and ACS Style

Chang, Y.; Zhang, S.; Han, G.; Sheng, Z.; Yan, L.; Xiong, J. Quantum Private Query Protocol Based on Two Non-Orthogonal States. Entropy 2016, 18, 163. https://doi.org/10.3390/e18050163

AMA Style

Chang Y, Zhang S, Han G, Sheng Z, Yan L, Xiong J. Quantum Private Query Protocol Based on Two Non-Orthogonal States. Entropy. 2016; 18(5):163. https://doi.org/10.3390/e18050163

Chicago/Turabian Style

Chang, Yan, Shibin Zhang, Guihua Han, Zhiwei Sheng, Lili Yan, and Jinxin Xiong. 2016. "Quantum Private Query Protocol Based on Two Non-Orthogonal States" Entropy 18, no. 5: 163. https://doi.org/10.3390/e18050163

APA Style

Chang, Y., Zhang, S., Han, G., Sheng, Z., Yan, L., & Xiong, J. (2016). Quantum Private Query Protocol Based on Two Non-Orthogonal States. Entropy, 18(5), 163. https://doi.org/10.3390/e18050163

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop