Quantum Private Query Protocol Based on Two Non-Orthogonal States

: We propose a loss tolerant quantum private query (QPQ) protocol based on two non-orthogonal states and unambiguous state discrimination (USD) measurement. By analyzing a two-point attack by a third party, we ﬁnd that our protocol has a stronger ability to resist external attacks than G-protocol and Y-protocol. Our protocol requires a smaller number of compressions than that in G-protocol (Gao et al. , Opt. Exp. 2012, 20, 17411–17420) and Y-protocol (Yan et al. Quant. Inf. Process. 2014, 13, 805–813), which means less post-processing. Our protocol shows better database security and user privacy compared with G-protocol.


Introduction
Nowadays, communications are omnipresent.The problems of security and privacy have come to assume an unprecedented importance.Cryptography is an effective way to ensure data security in communication.Both classical and quantum cryptography can be used to ensure security.However, a higher advantage in security has been shown for quantum physical principles.Therefore, in recent years, more and more scholars have been paying attention to quantum cryptography.
In communications, the safety of common privacy is usually considered.However, in communications among distrustful users, both common privacy and individual privacy need to be protected.Private information retrieval (PIR) [1] is an application in such research areas, which guarantees the security of private database query.Another similar application is called symmetrically private information retrieval (SPIR) [2], which finishes the following task: user (Alice) obtains a record in a database that she has paid for it, however, the database provider (Bob) should not know which record Alice obtains.On the other hand, Alice should not know about other records that she does not pay for.That is, SPIR protects both Alice's privacy and Bob's database privacy.However, classical cryptosystems and using physical principles cannot ideally realize the task of SPIR [3].
Quantum Private Query (QPQ) is the quantum scheme for the SPIR problem.Bennett [4] and Brassard [5] proposed quantum protocols to solve the similar tasks of SPIR, and it was found to be difficult to offer complete protection for both sides.In 2008, the pioneer QPQ scheme (GLM protocol, where GML denotes the first letter of the name of the three authors) has been put forward by Giovannetti et al. [6].In the scheme, oracle operations are used to denote records in the database and are operated on the incoming query states.Query state and decoy state are needed in the protocol.The query state is used to obtain the needed record from the database.While possible attacks from Bob are checked with the decoy state, in the GLM scheme, Alice's privacy is protected by the non-signaling principle, which means that the spiteful behavior of Bob may lead to wrong answers to Alice.The behavior of Bob will be found by Alice later which will destroy her trust in him, that is called being cheat sensitive for user privacy.On the other hand, GLM protocol shows good database privacy.That is, no more than two records are obtained through dishonest queries.GLM protocol displays better performance in communication complexity and computational complexity compared with existing schemes.After that, the proof-of-principle experimental realization and the security analysis of GLM protocol were done in Refs.[7,8], respectively.Similar with GLM protocol, Olejnik et al. put forward O-protocol [9] (another QPQ protocol) based on oracle operation.O-protocol reduces communication complexity further by using only one query state to obtain the needed record from the database and detect eavesdropping from Bob.
Although the existing schemes show high quality theoretically, they are hard to realize for large databases because of the difficulty of high-dimensional oracle operation.Jakobi et al. provides a new way for solving the difficulty, in which Alice and Bob share an oblivious key based on SARG04 QKD, which is proposed by Scarani et al. in 2004 [10].This scheme is a pioneer practical QPQ protocol (J-protocol) [11].In this practical scheme, Bob knows the whole key, which is for encrypting the whole database, and Alice knows only limited bits of the key, which safeguards the database privacy.Oracle operations and other complex operations are not included in J-protocol; therefore, it is easy to realize for a large database.
In 2013, Yang et al. put forward another QPQ scheme (Y-protocol) [13] based on a two-particle entangled state and non-orthogonal projective measurements.Y-protocol has all the features of G-protocol, such as being flexible, loss tolerant and practical.What's more, it displays a better user privacy.
In this paper, we presents another QPQ scheme based on two non-orthogonal states and unambiguous state discrimination (USD) measurement.Our protocol can resist two-point attacks by a third party.In our protocol, a smaller number of compressions is required than G-protocol and Y-protocol under similar conditions, which means that less post-processing is needed in our protocol.Our protocol shows better database security and user privacy compared with G-protocol.Furthermore, our protocol requires a bigger polarization angle to achieve similar conditions (the number of compressions, the average bits that Alice will know in the final key, the probability that Alice can not know any bits at all and the length of Bob's final key) than G-protocol, which means that our protocol is easier to realize technically compared with Gao's protocol.

The QPQ Protocol Based on Two Non-Orthogonal States
On assumption that N records are included in Bob's database, one of them is bought by Alice, and Alice intends to obtain it in secret.The scheme is to help them to complete the task safely.Our idea is to distribute a pair of oblivious secret keys between Alice and Bob which is known completely to Bob and partly to Alice, through a series of steps.To try to reduce the bits Alice knows in the raw key, Bob generates a raw key with length kN, where k is a natural number.
After Alice has received the whole sequence S', Alice informs Bob about this.Then, Bob tells Alice which particles are used as decoy states and the basis of the corresponding decoy state.Alice extracts decoy states and measures them.Alice tells Bob the measurement results.Bob determines whether there is eavesdropping by comparing the information Alice reports and the decoy states Bob prepares.If there is eavesdropping, Bob stops the protocol.(3) Alice measures the rest particles with unambiguous state discrimination (USD) method [14] to distinguish which state the qubit is in. is the fidelity between the two states to be discriminated.That is, Alice obtains the state of the qubit she measures with probability p = 1 ´cosθ.Thus, Alice knows the corresponding bit that the qubit is carrying with a certain probability p = 1 ´cosθ.For Bob, he doesn't know which particle Alice measures successfully.Alice represents |ϕ 0 y as "0" and |ϕ 1 y as "1".Alice publishes which qubits in sequence S she has successfully received.(4) Bob also obtains a binary sequence according to the quantum sequence S that Bob prepares and the rule: |ϕ 0 y denotes "0" and |ϕ 1 y denotes "1".(5) For the lost particles Alice publishes, Bob flips his corresponding bits randomly.Then Bob randomly adds a bit "0" or "1" behind his data; by doing so, Bob doubles his key.Obviously, Bob's bits corresponding to lost particles are all used as parts of the raw key.Therefore, Alice will not falsely declare lost particles, because Alice will not benefit from reporting a lost particle for any unsuccessful USD measurement, such as increasing the probability of conclusive measurements and knowing a larger fraction of bits that are expected for a giving θ.On the contrary, Bob will obtain more information about Alice's bits if Alice reports a lost particle for any unsuccessful USD measurement.In addition, by flipping Bob's bits corresponding to lost particles randomly, Eve can not obtain database information by measuring some lost particles.
Tables 1 and 2 are examples of sharing oblivious raw keys between Alice and Bob by using all particles in sequence S (the lost particles and received particles).Table 1 shows the case that Alice honestly reports all lost particles.Table 2 shows the case that Alice dishonestly reports the lost particles; that is, Alice will report some measuring failure particles as lost particles.In Tables 1 and 2 "#" denotes the honest reporting of lost particle, "?" denotes measurement failure of Alice , "$" denotes measurement failure of Alice but reporting particles as lost particles, "*" denotes knowing nothing about the bit.In Tables 1 and 2 the bits in Bob's final bits corresponding to reporting as lost particles (including the honest reporting of lost particles and measurement failure by Alice, but reporting particles as lost particles) are the results of flipping the original Bob's bits randomly.Bob's final bits 0 In Table 1, Alice honestly reports all lost particles (1,9) and measurement failure of particles (4,5,7,8).In Table 2, Alice dishonestly reports the lost particles (1,4,(7)(8)(9), where particles 4,7,8 are the case of measurement failure by Alice but reporting particles as lost particles.By comparing Alice's bits and Bob's final bits in Tables 1 and 2 we find that the dishonest reporting of lost particles will not impact Alice's bits.In addition, we still find that the bits corresponding to dishonest reporting of lost particles in Bob's final bits are the results of flipping Bob's corresponding original bits randomly; however, Alice knows nothing about these bits.From Tables 1 and 2 we find that if Alice honestly reports lost particles, Bob knows that Alice may successfully measure particles 2-8; if Alice reports failure measurements as lost particles, Bob knows that Alice may successfully measure particles 2,3,5,6.That is, the probability that Bob knows Alice's bits increases.Therefore, dishonest reporting of lost particles will make Bob know more information of Alice's bits; however, Alice can not know more information about Bob's final bits.
For Alice, with the exception of those two-bit-groups corresponding to lost particles, she owns the first bit of each of Bob's two-bit-groups corresponding to received photons, but nothing about the second bit.Whatever the measurement result of Alice, the second bit is 0 or 1 with equal probability.Therefore, Alice knows the first bit of Bob's each two-bit-group corresponding to received photons with probability p = 1 ´cosθ.
In this way, Alice and Bob have shared a raw key K r known completely to Bob and partly to Alice.Obviously, for each two-bit-group corresponding to received photons, Alice should know only one bit with probability 1 ´cosθ.Therefore, Alice knows only p ď (1 ´cosθ)/2 of the raw key K r on average.That is, (1 ´cosθ)/2 is the upper bound of the bits that Alice knows of the raw key K r .(6) To reduce the bits by Alice known in the raw key they shared in the above steps, Alice and Bob execute post-processing on the raw key.Because the length of K r is kN, where k is a natural number, Alice and Bob break K r up into k parts, thus the length of each parts is N.By adding the k parts bitwise, the raw key becomes a final key with length N. Bob knows the whole key, while Alice only knows several bits.For example, Bob's bits are "011011100000" and Alice's bits are "** Therefore, Bob's and Alice's key is 111011 and **1***, respectively.The process is similar to that in J-protocol, G-protocol and Y-protocol.If Alice knows nothing of the final key after this post-processing, the protocol should be restarted.However, this condition can be avoided by choosing appropriate parameters, which will be analyzed later.(7) Bob encrypts the database and Alice obtains the record that she needs.The detailed procedure is as follows: if Alice owns the jth bit K j of Bob's key K, and she needs to obtain the ith record X i in Bob's database.Then, Alice tells Bob the value s = j ´i.If s is a negative number, Bob shifts K right circularly with |s| bits; otherwise, Bob shifts K left circularly with s bits, by doing so Bob can obtain a new key K 1 .Bob encrypts the database with K 1 in the way of a one-time pad.Alice decrypts the ith record with her key K j .

Analysis
After step (6) (Alice and Bob add k substrings bitwise), Alice obtains n " NR k bits of the final key K on average, where R = 1´cosθ 2 .The probability that Alice can not know any bits at all is P 0 " p1 ´Rk q N " p1 ´n N q N .When N " n is satisfied, P 0 « e ´n is obtained and n follows a Poisson distribution approximately.When n ď 2 is satisfied, we have P 0 ě 0.135; when n ě 3 is satisfied, we have P 0 ď 0.05.In order to make Alice get less bits, at the same time, the failure rate is very small, obviously, n " 3 is an optimal value.We have P ě4 " 1 ´P3 ´P2 ´P1 ´P0 " 1 ´13e ´3 " 0.35 and P ě5 " 1 ´P4 ´P3 ´P2 ´P1 ´P0 " 0.18, where P ě4 denotes the probability that Alice knows more than four bits in a distribution and P ě5 denotes the probability that Alice knows more than five bits in a distribution when the average value of n is three.That is to say, the success probability of Alice to learn more bits by cheating is very small.The distribution of n in G-protocol and Y-protocol also follows a Poisson distribution approximately.Figure 1 (locating N = 10,000) indicates that a different n is reached by adjusting θ and k when N is fixed.Compared with G-protocol (see Figure 2 in [12]), we find that, to achieve similar N and n, the value of k ranges from 2 to 5 in our protocol, while from 5 to 10 in G-protocol.This means that we need smaller k compared with G-protocol under similar conditions (n, θ and N).That is, less post-processing is required in our protocol.
in Bob's database.Then, Alice tells Bob the value s = j − i.If s is a negative number, Bob shifts K right circularly with |s| bits; otherwise, Bob shifts K left circularly with s bits, by doing so Bob can obtain a new key K′. Bob encrypts the database with K′ in the way of a one-time pad.Alice decrypts the ith record with her key Kj.

Analysis
After step (6)  .In order to make Alice get less bits, at the same time, the failure rate is very small, obviously, 3 n  is an optimal value.We have Figure 1 (locating N = 10,000) indicates that a different n is reached by adjusting θ and k when N is fixed.Compared with G-protocol (see Figure 2 in [12]), we find that, to achieve similar N and n , the value of k ranges from 2 to 5 in our protocol, while from 5 to 10 in G-protocol.This means that we need smaller k compared with G-protocol under similar conditions ( n , θ and N).That is, less post-processing is required in our protocol.

Loss Tolerant
The following two reasons can show that our protocol is loss tolerance.Firstly, Bob's bits corresponding to lost particles are all used as parts of the raw key.Therefore, Alice will not falsely declare lost particles, because Alice will not benefit from reporting a lost photon for any unsuccessful USD measurement, such as increasing the probability of conclusive measurements and knowing a larger fraction of bits than expected for a giving θ.On the contrary, Bob will obtain more information about Alice's bits if Alice reports a lost particle for any unsuccessful USD measurement.Secondly, by flipping Bob's bits corresponding to lost particles randomly and post-processing on the raw key, Eve can not obtain database information by measuring some lost photons.

The Third-Party Attacks
The intercept resend attack and Trojan Horse attack are two common attack strategies in quantum secure communication.In our protocol, the particles are one-way transmission, and there is no loop (circuit); therefore, there is no Trojan Horse attack.Two-point attack [15] is a specific intercept resend attack strategy aiming to attack the QKD system based on two non-orthogonal states [16].In two-point attacks, there are two third-party eavesdroppers Eve1 and Eve2.Eve1 is located at a point near Alice's security domain, and Eve2 at a point near Bob's security domain.Eve1 and Eve2 can communicate with each other through a classical channel.Eve1 intercepts the quantum channel and measures every quantum state.Eve2 resends the quantum state according to the measurement result Eve1 tells him.Next, we analyze the influence of two-point attacks on user privacy and database privacy in our protocol.
(1) The influence of two-point attacks on user privacy In our protocol, if Eve1 intercepts a particle and successfully measures it with a USD method, after Eve1 tells the result to Eve2, Eve2 resends the particle to Alice.Then, Eve1 and Eve2 will know the bit of Alice.That is, user privacy is threat.However, because Bob inserts decoy particles with x-basis and z-basis randomly in sequence S, Eve1 and Eve2 has 1/3 probability or less to select correct basis (USD, x-basis or z-basis) measure the intercepted particles successfully.In addition, the eavesdropping of Eve1 and Eve2 will be easily found with probability 2/3.They only have the probability to know the corresponding bit of Alice.While in G-protocol and Y-protocol, the probability that Eve1 and Eve2 are found is 0, and the probability that Eve1 and Eve2 know the corresponding bit of Alice is From Figure 2, we find that the probability that Eve1 and Eve2 know Alice's bits for different θ in our protocol is much lower than that in G-protocol and Y-protocol.(2) The influence of two-point attacks on database privacy In our protocol, Bob's bits corresponding to particles that are intercepted by Eve1 without being resend by Eve2 are flipped randomly; therefore, Eve1 and Eve2 know nothing about these bits.For the particles that Eve1 intercepts and Eve2 resends, according to analysis in the influence of two-point attacks on user privacy, we know that Eve1 and Eve2 will be easily found with probability 2/3, and they only have the probability (1 − cosθ)/3 to know the corresponding bit.(2) The influence of two-point attacks on database privacy In our protocol, Bob's bits corresponding to particles that are intercepted by Eve1 without being resend by Eve2 are flipped randomly; therefore, Eve1 and Eve2 know nothing about these bits.For the particles that Eve1 intercepts and Eve2 resends, according to analysis in the influence of two-point attacks on user privacy, we know that Eve1 and Eve2 will be easily found with probability 2/3, and they only have the probability (1 ´cosθ)/3 to know the corresponding bit.Therefore, it is difficult to obtain database information for Eve1 and Eve2, and their eavesdropping will be found easily.

Qubit Efficiency Comparison
To estimate the efficiency of QPQ, we define the qubit efficiency as η " N npM`lq , where N denotes the final classical bits that can be generated for Bob, n denotes the final classical bits that can be generated for Alice, M denotes the total coding particles in each communication, and l denotes the decoy photons to check the presence of eavesdropping in each communication. Because For G-protocol, R " sin 2 θ 2 , M " kN and there is no eavesdropping detecting, thus For Y-protocol, R " sin 2 θ 2 , M " 2kN and there is no eavesdropping detecting, thus For our protocol, R " 1´cosθ 2 , M " kN, thus In Table 3, we compare the qubit efficiency of G-protocol [12], Y-protocol [13] and our protocol when N = 10,000.From Table 3, we find that our protocol has better qubit efficiency than G-protocol [12] and Y-protocol [13].

Database Security
Database security means that Alice can not get extra records in Bob's database no matter the methods she uses.Suppose that, to obtain extra records, Alice performs more efficient measurements on particles that Bob sends to her.
As analyzed in Ref. [11], there is a measurement called minimal error probability measurement [17], which distinguishes two equally likely qubits.If Alice measures the k qubits forming an element of the final key K with the efficient measurement, she obtains the bits of K directly.By using minimal error probability measurement, the maximal chance of distinguishing the two states ρ 0 and ρ 1 correctly is P guess = 1/2 + D(ρ 0 , ρ 1 )/2, where D(ρ 0 , ρ 1 ) denotes trace distance between ρ 0 and ρ 1 .In our protocol, the probability is P guess = ( 12 `1 2 sin k θ) at most.However, even though Alice guesses |ϕ 0 y and |ϕ 1 y correctly, (the probability is P guess /3), she can infer correctly the corresponding two-bit group of Bob with 50% chance, that is, on average, Alice can infer correctly each bit of Bob with a 75% chance.Therefore, Alice can correctly guess the bit of Bob with probability at most.Obviously the probability is much less than that in G-protocol (P G guess " 1 2 `1 2 sin k θ), which means better database security than that in G-protocol. Figure 3 shows that P guess in our protocol is much less than that in G-protocol for a giving k = 2.  .We construe this result as that optimal probability with which Bob knows Alice's bits is between ((1 − cos(θ + π/2))/2, (1 − cos(θ − π/2))/2).That is, the bounds on Pb (the probability with which Bob knows Alice's bits) is: Figure 4 shows that when θ ∈ (0,π/2), the low bound of Pb for our protocol is smaller than that in G-protocol.The upper bound of Pb for our protocol is smaller than that in G-protocol when 0 < θ < π/4, and bigger than that in G-protocol when π/4 < θ < π/2.That is, when 0 < θ < π/4, we can achieve  Figure 4 shows that when θ P (0,π/2), the low bound of P b for our protocol is smaller than that in G-protocol.The upper bound of P b for our protocol is smaller than that in G-protocol when 0 < θ < π/4, and bigger than that in G-protocol when π/4 < θ < π/2.That is, when 0 < θ < π/4, we can achieve a better user privacy compared with G-protocol. .We construe this result as that optimal probability with which Bob knows Alice's bits is between ((1 − cos(θ + π/2))/2, (1 − cos(θ − π/2))/2).That is, the bounds on Pb (the probability with which Bob knows Alice's bits) is: Figure 4 shows that when θ ∈ (0,π/2), the low bound of Pb for our protocol is smaller than that in G-protocol.The upper bound of Pb for our protocol is smaller than that in G-protocol when 0 < θ < π/4, and bigger than that in G-protocol when π/4 < θ < π/2.That is, when 0 < θ < π/4, we can achieve a better user privacy compared with G-protocol.

Discussion
In the above section, we have analyzed the advantages of our protocol in the aspect of less post-processing (smaller k) compared with G-protocol under similar conditions (n, θ and N), in the aspect of qubit efficiency compared with G-protocol and Y-protocol for fixed N, and θ and k, in the aspect of database security and user security compared with G-protocol.In this section, we give a more comprehensive discussion focusing on security and resources for specific, optimal sets of parameters.
From Table 4, we find that when n is fixed, G-protocol, Y-protocol and our protocol have the same P 0 .When N and n are given , for a specific k, P b in our protocol is much lower than that in G-protocol and is close to that in Y-protocol, which means that our protocol shows much higher user security than G-protocol and the user security of our protocol is close to Y-protocol.Furthermore, in the same condition, our protocol always needs bigger θ than that in G-protocol and Y-protocol.Because a very small θ might make its realization technically difficult [12], our protocol is easier to realize technically than G-protocol and Y-protocol.Table 5 shows that, for a given N and n, when three protocols (Y-protocol, G-protocol and our protocol) achieve similar θ, our protocol shows higher qubit efficiency than Y-protocol and better user privacy than G-protocol.In a practical condition, channel noise is inevitable, which will cause errors in the obvious key shared between Alice and Bob.Therefore, error correction is necessary.We can use the method proposed in Ref. [18]  O R i`jN , 1 ď i ď N, and ' denotes the addition module 2. Alice and Bob select a [k, s] error-correcting code [19] which uses k bits codeword to encode s bits word using generator matrix G and can correct one codeword error bits with error-correcting function.Bob chooses a bits word M = (m 1 , m 2 , . . ., m s ) and obtains the corresponding bits codeword W = (w 1 , w 2 , . . ., w k ) by calculating W = M¨G.Then, Bob encrypts W with {O R i`jN } as the key, by using a one-time pad, and sends the ciphertext c to Alice.If Alice knows all the k bits {O R i`jN }, Alice decrypts c with {O R i`jN } and obtains a k-bit codeword W'.Alice corrects the error in W' and obtains W. By adding the k bits in W bitwise, Alice knows O F i .If Alice does not know all the k bits in {O R i`jN }, she labels O F i = ?. Bob also adds the k bits in W bitwise to obtain his corresponding bit O F i .

Conclusions
We put forward a novel QPQ protocol based on two non-orthogonal states and unambiguous state discrimination (USD) measurement.Our protocol is loss tolerant.Compared with existing QPQ protocols, we have the following differences: (1) We analyze the influence of two-point attacks by a third party on user privacy and database privacy in our protocol.By comparing, we find that the probability that Eve1 and Eve2 know Alice's bits for different θ in our protocol is much lower than that in G-protocol and Y-protocol, which means that our protocol has a stronger ability to resist external attacks than G-protocol and Y-protocol.(2) Smaller k is required to achieve similar conditions (n, θ and N) than G-protocol and Y-protocol, which means less post-processing and higher qubit efficiency.(3) For a given N and n, our protocol shows much higher user security than G-protocol and the user security of our protocol is close to Y-protocol.However, in the same condition, our protocol always needs bigger θ than that in G-protocol and Y-protocol.Because a very small θ might make its realization technically difficult [12], our protocol is easier to realize technically than G-protocol and Y-protocol.However, because of eavesdropping detection in Step (2), our protocol requires quantum memory on the Alice side.The use of quantum memory will bring our protocol difficulties in practicality and realizability using current technology.

4 P 5 P
 denotes the probability that Alice knows more than four bits in a distribution and  denotes the probability that Alice knows more than five bits in a distribution when the average value of n is three.That is to say, the success probability of Alice to learn more bits by cheating is very small.The distribution of n in G-protocol and Y-protocol also follows a Poisson distribution approximately.

Entropy 2016, 18 , 163 7 of 12 Figure 2 .
Figure 2. The probabilities that Eve1 and Eve2 know Alice's bits for different θ in our protocol, G-protocol and Y-protocol.The solid line represents the probabilities for G-protocol (PT G ) and Y-protocol (PT Y ); the star line represents the probability for our protocol (PT).

Figure 2 .
Figure 2. The probabilities that Eve1 and Eve2 know Alice's bits for different θ in our protocol, G-protocol and Y-protocol.The solid line represents the probabilities for G-protocol (P T G ) and Y-protocol (P T Y ); the star line represents the probability for our protocol (P T ).

Table 3 .
Examples of qubit efficiency comparison of G-protocol, Y-protocol and our protocol when N = 10,000 and l = 15,000.

Figure 3 .
Figure 3.Comparison of probability with which Alice correctly guesses the bit of Bob for different θ between our protocol and G-protocol when k = 2.The solid line represents Pguess for G-protocol; the dotted line represents Pguess for our protocol.

Figure 3 .
Figure 3.Comparison of probability with which Alice correctly guesses the bit of Bob for different θ between our protocol and G-protocol when k = 2.The solid line represents P guess for G-protocol; the dotted line represents P guess for our protocol.

Figure 4 .
Figure 4. Comparisons of probability with which Bob knowing Alice's bits for different θ between our protocol and G-protocol.The star line represents Pb for G-protocol; the dotted line represents the upper bound of Pb for our protocol; the solid line represents the lower bound of Pb for our protocol.

Figure 4 .
Figure 4. Comparisons of probability with which Bob knowing Alice's bits for different θ between our protocol and G-protocol.The star line represents P b for G-protocol; the dotted line represents the upper bound of P b for our protocol; the solid line represents the lower bound of P b for our protocol.

Table 1 .
The case that Alice honestly reports all lost particles.

Table 2 .
The case that Alice dishonestly reports the lost particles.
(Alice and Bob add k substrings bitwise), Alice obtains

Table 4 .
Examples of P 0 , P b , θ and M + l comparison of G-protocol, Y-protocol and our protocol for a given N and n. a.

Table 5 .
Examples of P 0 , P b , θ and M + l comparison of G-protocol, Y-protocol and our protocol for N = 10 4 and a given n.
to correct errors.Suppose the kN-bit raw oblivious key is denoted asO R " O R 1 O R 2 ...O kN , the final obvious key after dilution is denoted as .O F ".O F k´1 ' j"0