Provably Secure Symmetric Private Information Retrieval with Quantum Cryptography

Abstract

Private information retrieval (PIR) is a database query protocol that provides user privacy in that the user can learn a particular entry of the database of his interest but his query would be hidden from the data centre. Symmetric private information retrieval (SPIR) takes PIR further by additionally offering database privacy, where the user cannot learn any additional entries of the database. Unconditionally secure SPIR solutions with multiple databases are known classically, but are unrealistic because they require long shared secret keys between the parties for secure communication and shared randomness in the protocol. Here, we propose using quantum key distribution (QKD) instead for a practical implementation, which can realise both the secure communication and shared randomness requirements. We prove that QKD maintains the security of the SPIR protocol and that it is also secure against any external eavesdropper. We also show how such a classical-quantum system could be implemented practically, using the example of a two-database SPIR protocol with keys generated by measurement device-independent QKD. Through key rate calculations, we show that such an implementation is feasible at the metropolitan level with current QKD technology.

1. Introduction

With the rising concern of personal data privacy, users of digital services may not want their preferences or selections to be revealed to service providers. This can be achieved with private information retrieval (PIR), where users can access specific entries of a database held by the service provider at a data centre without revealing his or her entry selection [1]. This cryptographic technique has found application in areas such as anonymous communication [2] and protecting user location privacy in location-based services [3].

However, in some occasions, the service provider or data centre may not want to reveal more information about the database than what is necessary, i.e., than what should have been given to the user. Such a setting is common in pay-per-access platforms such as iTunes and Google Play, or in more sensitive environments where the service provider has to secure the information of other database entries, like in the case for medical records retrieval and biometrics authentication [4]. To provide for this additional security requirement (i.e., database privacy), one may employ symmetric private information retrieval (SPIR), a sort of two-way secure retrieval scheme first introduced by Gertner et al. [5].

In the literature, both PIR and SPIR have been extensively studied in the case where the user only communicates with one data centre. Here in the former, unconditional security (or information-theoretic security) can only be achieved by communicating the entire database from the data centre to the user. This implies that information-theoretic single database SPIR is not achievable [1]. To overcome this impasse, researchers have looked to weaker security frameworks, for instance, those based on computational security [6,7,8,9].

On the quantum front, there is also a similar conclusion for single database SPIR [10], i.e., it is not possible to achieve information-theoretic security even in the quantum setting. In light of these negative results, protocols for SPIR have largely evolved to cheat-sensitive protocols, also known as quantum private query [11]. Examples of these protocols include those based on quantum oblivious key distribution [12,13,14,15,16], those based on sending states to a database oracle [17,18], and those based on round-robin QKD protocol [19]. In these protocols, the parties are averse to being caught cheating, so cheat-detection strategies allows one to construct protocols with more relaxed conditions as compared to those of SPIR [20]. However, parties can stand to gain information by cheating in these protocols and thus the protocols would not satisfy the original security requirements of SPIR proposed by Ref. [5]. Other attempts at avoiding the no-go results include using special relativity [21,22].

One way to achieve information-theoretic security for SPIR is to communicate with multiple data centres, each of which holds a copy of the database. In fact, in their seminal work, Gertner et al. introduced a k-database classical SPIR protocol that is information-theoretically secure, with the assumption that the data centres cannot communicate (during and after the protocol), and how one can build these from k-database PIR protocols [5]. Since then, researchers have studied multi-database SPIR in the context of compromised and byzantine data centres [23]. With multiple databases, the communication complexity of PIR and SPIR protocol can also be reduced to $O(n^{\frac{1}{2k-1}})$ based on Gertner’s original protocol [5], and even further to $O(n^{{10}^{-7}})$ by Yekhanin [24], where n is the number of entries in the database. There have also been several studies on the quantum version of multi-database SPIR. Kerenidis et al. focuses on how SPIR can be performed without shared randomness if the user is honest [25]. Song et al. proposed a quantum multi-database SPIR, but requires shared entanglement between the data centres and assumes secure classical and quantum channels [26].

The classical multi-database SPIR protocols proposed require secure channels, which are not achievable without some pre-shared secret keys between the parties in the protocol. In principle, the secret keys should be as long as the messages to be exchanged, but this would be costly and impractical for applications that work with large databases or require multiple uses of the SPIR protocol, e.g., medical records query where each doctor has to query for the files of multiple patients. In practice, the standard approach is to use public-key cryptography (e.g., using the Diffie–Hellman key distribution protocol [27]) to expand the initial pre-shared secret key to a longer key. However, taking this approach could be risky, for it has been demonstrated that most known key distribution schemes based on public-key cryptography are insecure against quantum computing based attacks (an emerging technology). Evidently, this can be a huge problem for applications which require long-term security, like in the case of electronic health records which typically requires decades of information confidentiality.

Quantum key distribution (QKD), a relatively mature technology with already multiple companies selling commercial QKD devices, offers a solid and promising solution to the above as it provides an information-theoretic method to expand pre-shared secret keys [28,29]. As such, the expanded keys can withstand the threats of quantum computing based attacks, and any other yet-to-be-discovered algorithmic advancements. Moreover, the expansion of keys need not be performed in real-time, i.e., expanded keys can be used for future SPIR runs. It is important to emphasise here that QKD cannot lead to a perfectly secure channel in practice, for it involves some statistical and entropy estimation procedures which carry overhead penalties in the security. Fortunately, these penalties can be made arbitrarily small with a proper security analysis, and subsequently the resulting secure channel can be made arbitrarily close to a perfect one. It is the goal of our work to incorporate these technical subtleties into the original security definition of SPIR so that we can add QKD as a supporting base layer. Here, we see the QKD layer as one that provides the necessary secret keys and secure channels (using one-time pad encryption) for SPIR. We note that Quantum Secure Direct Communication, which transmits messages directly using quantum states, could also serve as a secure communication channel [30,31,32].

A widely studied QKD network configuration is the star topology, where multiple QKD users are connected to a (possibly untrusted) central node, and any two users can achieve secure communication by performing measurement device-independent (MDI) QKD [33,34,35,36] via the measurement device held by the central node. This choice of QKD network has the additional benefit that the number of quantum channels scales linearly in the number of users, which is an important consideration for practical deployments. To illustrate how SPIR can be implemented on this network, we turn to the example of accessing electronic health records on a database [37]. In this situation, we assume that the data centres (holding onto the health records) belongs to the health ministry, the user is a doctor in a government hospital wanting to query the medical records of a patient, and they are connected via a network service provider. As shown in Figure 1, the network service provider holds the central node that connects to two data centres and the user in a star topology with optical fibre connections labelled by solid lines. Using MDI-QKD, any two parties can establish a secure QKD link via the central node, and these are labelled by dotted lines. The keys generated from these QKD links can then be used to establish secure communication for the classical SPIR protocol using one-time pad encryption. The doctors would thus be able to protect their patients’ privacy when querying, and the health records of other patients held by the health ministry would remain private from both the querying doctor and the network service provider.

In this work, we describe how QKD can be used to relax the requirement of perfectly secure channels in classical multi-database SPIR, and examine the resources required for such a protocol. In Section 2, we introduce the mathematical notations required to describe the protocol and security analysis. In Section 3, we introduce the basic elements of a generic SPIR protocol and the original SPIR security definition. In Section 4, we introduce QKD channels and its security definitions, generalise the SPIR definition to a quantum one, and show how QKD can be incorporated into SPIR as the communication channel. In Section 5, we prove the security for a multi-database SPIR protocol with QKD channels based on the revised SPIR definitions. In Section 6, we introduce MDI-QKD and perform numerical analysis to determine the resources required for MDI-QKD to obtain the desired SPIR protocol.

2. Preliminaries

2.1. Quantum and Classical Systems

The state of a generic quantum system living in Hilbert space A is represented by a density operator ${\rho }_A$, a positive semi-definite matrix with trace one. Classical systems are modelled by quantum systems whose state is diagonal in a given orthonormal basis. For a random variable Y that takes on values $y\in \mathcal{Y}$ with probability $P_Y(y)=Pr[Y=y]$, the corresponding state of the classical random variable is

$${\rho }_Y=\sum _{y\in \mathcal{Y}}{P}_Y(y)|y\rangle \langle y|,$$

(1)

where ${\{|y\rangle \}}_{y\in \mathcal{Y}}$ forms an orthonormal basis. To keep the above notation compact for multiple variables, we will sometimes use ${\Pi }_{XYZ}(xyz)$ to represent the tensor product of classical states, i.e., $|x\rangle \langle x\otimes |y\rangle \langle y|\otimes |z\rangle \langle z|$.

A bipartite system on $YA$ is called classical-quantum if its state admits the form

$${\rho }_{YA}=\sum _{y\in \mathcal{Y}}{p}_y|y\rangle \langle y|\otimes {\rho }_A^y,$$

(2)

where ${\rho }_A^y$ is the state of A conditioned on the event $Y=y$.

2.2. Trace Distance and Distinguishability

To measure the distinguishability of two quantum systems, we use the trace distance measure, which for any two states $\rho$ and $\sigma$, is defined as

$$\Delta (\rho ,\sigma )=\frac{1}{2}||{\rho -\sigma ||}_1,$$

(3)

where ${||\rho -\sigma ||}_1$ is the trace norm of $\rho -\sigma$. Notice that the trace distance is bounded between 0 and 1, with identical states giving 0 and completely orthogonal states giving 1. With this, two systems are said to be $\epsilon$-close if their states, $\rho$ and $\sigma$, satisfy $\Delta (\rho ,\sigma )\le ϵ$. The trace distance measure admits a few properties: (1) it satisfies triangle inequality, i.e., for any $\rho$, $\sigma$, and $\tau$, it satisfies $\Delta (\rho ,\sigma )\le \Delta (\rho ,\tau )+\Delta (\tau ,\sigma )$, (2) it is jointly convex in its inputs, i.e., $\Delta ({\sum }_i{\lambda }_i{\rho }_i,{\sum }_i{\lambda }_i{\sigma }_i)\le {\sum }_i{\lambda }_i\Delta ({\rho }_i,{\sigma }_i)$, where ${\lambda }_i\ge 0$ and ${\sum }_i{\lambda }_i=1$, (3) it is non-increasing under completely positive and trace preserving (CPTP) maps $\mathcal{E}$, i.e., $\Delta (\mathcal{E}(\rho ),\mathcal{E}(\sigma ))\le \Delta (\rho ,\sigma )$. For classical random variables $Y_1$ and $Y_2$ that takes on values $y\in \mathcal{Y}$ with probability distribution $P_{Y_1}$ and $P_{Y_2}$, the trace distance of their probability distributions reduces to the classical definition,

$$\Delta (Y_1,Y_2)=\frac{1}{2}\sum _{y\in \mathcal{Y}}\left|Pr[Y_1=y]-Pr[Y_2=y]\right|.$$

(4)

If the random variables $Y_1$ and $Y_2$ correspond to the measurement outcome when performing a POVM measurement ${\left\{{\Gamma }_y\right\}}_{y\in \mathcal{Y}}$ on states $\rho$ and $\sigma$ respectively, the trace distance of the probability distribution of $Y_1$ and $Y_2$ would be upper bounded by the trace distance of the original quantum states [38], i.e.,

$$\Delta (Y_1,Y_2)\le \Delta (\rho ,\sigma ).$$

(5)

3. SPIR

3.1. Generic One-Round SPIR Protocol

In this section, we introduce some additional notations and the essential elements of a generic SPIR protocol. A multi-database SPIR protocol has a user $\mathsf{U}$, who interacts with $k\ge 2$ data centres ${\mathsf{D}}_j$, $j\in \{1,\cdots ,k\}$, each having a copy of the database, represented by W with n entries. For simplicity, we focus on databases with single bit entries, i.e., $W=(W_1,W_2,\dots ,W_n)\in {\{0,1\}}^n$; our analysis can be easily extended to multi-bit entries.

We also assume that all parties are equipped with a secure random number generator, which they may use for cryptography purposes. For our analysis, we denote the user’s local randomness by R.

Here, we focus on one-round SPIR protocols, where there is only one round of query from the user to the data centres, and a single round of reply from the data centres to the user. In the case of multi-round SPIR protocols, there can be multiple successive rounds of queries and answers. A one-round SPIR protocol for two data centres can thus be defined by a pair of query functions, $f_{\mathrm{query},1}$ and $f_{\mathrm{query},2}$, to generate the user queries for data centre 1 and data centre 2, respectively, answer functions $f_{\mathrm{ans},1}$ and $f_{\mathrm{ans},2}$ for the data centres to generate their responses to the queries received, and the decoding function $f_{\mathrm{dec}}$ for the user to retrieve the desired database entry, $W_X$. These are functions of random variables and hence their outputs are random variables as well.

A generic one-round two-database SPIR protocol typically performs the following steps (summarised in

Table 1. Generic one-round two-database SPIR protocol.

Step	${\mathsf{D}}_1$		$\mathsf{U}$		${\mathsf{D}}_2$
Input:	w		R, x		w
Key pair (${\mathsf{D}}_1\leftrightarrow {\mathsf{D}}_2$):	$K_5$	$\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }$			$K_6$
Key pair ($\mathsf{U}\leftrightarrow {\mathsf{D}}_1$):	$K_1$	$\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }$	$K_2$
Key pair ($\mathsf{U}\leftrightarrow {\mathsf{D}}_2$):			$K_4$	$\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }$	$K_3$
Query:			$Q_1=f_{\mathrm{query},1}(x,R)$, $Q_2=f_{\mathrm{query},2}(x,R)$
OTP ($\mathsf{U}\to {\mathsf{D}}_1$):	${\tilde{Q}}_1=C_{Q_1}\oplus K_1^{\mathrm{dec}}$	$\stackrel{{\mathcal{C}}_{U1}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftarrow }}$	$C_{Q_1}=Q_1\oplus K_2^{\mathrm{enc}}$
OTP ($\mathsf{U}\to {\mathsf{D}}_2$):			$C_{Q_2}=Q_2\oplus K_4^{\mathrm{enc}}$	$\stackrel{{\mathcal{C}}_{U2}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\to }}$	${\tilde{Q}}_2=C_{Q_2}\oplus K_3^{\mathrm{dec}}$
Answer:	$A_1=f_{\mathrm{ans},1}({\tilde{Q}}_1,w,K_5)$				$A_2=f_{\mathrm{ans},2}({\tilde{Q}}_2,w,K_6)$
OTP (${\mathsf{D}}_1\to \mathsf{U}$):	$C_{A_1}=A_1\oplus K_1^{\mathrm{enc}}$	$\stackrel{{\mathcal{C}}_{U1}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\to }}$	${\tilde{A}}_1=C_{A_1}\oplus K_2^{\mathrm{dec}}$
OTP (${\mathsf{D}}_2\to \mathsf{U}$):			${\tilde{A}}_2=C_{A_2}\oplus K_4^{\mathrm{dec}}$	$\stackrel{{\mathcal{C}}_{U2}}{\overleftarrow{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}}$	$C_{A_2}=A_2\oplus K_3^{\mathrm{enc}}$
Decoding:			${\widehat{w}}_x=f_{\mathrm{dec}}({\tilde{A}}_1,{\tilde{A}}_2,Q_1,Q_2,x,R)$

) for a given input $X=x$ and database $W=w$:

• Establishing secure channels: Using pre-established secret keys, perfectly secure channels are established between the user and data centres using one-time pad (OTP) encryption. We use $(K_1,K_2)$, $(K_3,K_4)$, $(K_5,K_6)$ to represent the secret key pair between data centre 1 and user, between data centre 2 and user, and between the data centres, respectively. For example, with this arrangement, the user holds $K_2$ and $K_4$ and data centre 1 holds $K_1$ and $K_5$. Secure channels connecting the user and data centres are denoted by ${\mathcal{C}}_{U1}$ and ${\mathcal{C}}_{U2}$, respectively. Note that the data centres are not allowed to communicate and hence we do not need to define any channel for them. To allow for two-way secure communication with a single secret key, we split $K=(K^{\mathrm{enc}},K^{\mathrm{dec}})$ into two halves, namely $K^{\mathrm{enc}}$ (for encryption) and $K^{\mathrm{dec}}$ (for decryption).
• Query: The user generates queries for data centres 1 and 2, with $Q_1=f_{\mathrm{query},1}(x,R)$ and $Q_2=f_{\mathrm{query},2}(x,R)$, respectively, and sends them to the data centres using the secure channels ${\mathcal{C}}_{U1}$ and ${\mathcal{C}}_{U2}$.
• Answer: Upon receiving the query ${\tilde{Q}}_1$ (which could be different from $Q_1$), ${\mathsf{D}}_1$ (resp. ${\mathsf{D}}_2$) determines a reply $A_1=f_{\mathrm{ans},1}({\tilde{Q}}_1,w,K_5)$ (resp. $A_2=f_{\mathrm{ans},2}({\tilde{Q}}_2,w,K_6)$ and sends it to the user via the secure channels.
• Retrieval: The user retrieves the desired database entry value using ${\widehat{w}}_x=f_{\mathrm{dec}}({\tilde{A}}_1,{\tilde{A}}_2,$$Q_1,Q_2,x,R)$.

SPIR is designed to resolve situations where the user or data centres deviate from their expected (honest) behaviour. For instance, a dishonest user could communicate bad queries in an attempt to learn additional entries in w, and dishonest data centres could provide replies other than the expected answer $A_j$ to learn about x. That is, a dishonest user can replace $Q_j$ in step 2 of the protocol by an adversarial query ${\overline{Q}}_j$, and dishonest data centres can provide adversarial answers ${\overline{A}}_j$ in step 3 of the protocol.

Therefore, a secure SPIR protocol has to address both forms of attacks. At the heart of multi-database SPIR is the availability of pre-shared secret keys, which are pre-distributed between the users and the data centres. With these pairwise secret keys, the user can securely send his/her queries, $Q_1$ and $Q_2$, to the respective data centres, such that neither of the data centres can get both queries at the same time. Then, by also not allowing the data centres to communicate, one can enforce that neither of them can guess correctly x. Crucially, the use of secure channels also guarantees that no eavesdropper can get both $Q_1$ and $Q_2$ and hence x. These arguments collectively imply user privacy.

In the answer phase, it is important that the data centres do not reveal more than what is supposed to be given to the user. To achieve this, Gertner et al. [5] introduced the task of conditional disclosure of secrets (CDS). This is broadly described by a three-party task, where Alice and Bob, each with inputs y and z, are supposed to reveal a common secret s to Charlie, if and only if y and z satisfy a certain public predicate $f(y,z)$. Indeed, using this task, one could then draw immediate connections and see that $Q_1$ and $Q_2$ correspond to y and z, respectively, and the common secret is the desired database entry $w_x$. Hence, for CDS to work, some private shared randomness between the data centres is necessary and this is exactly given by the secret key pair $(K_5,K_6)$. These arguments thus imply that the user cannot get the correct secret if the queries are not the expected ones, which in turn provides the required database privacy.

3.2. Original SPIR Security Definition

At this point, it is useful to recap the original security definitions introduced by Gertner et al. [5]. A SPIR protocol is said to be secure if it satisfies the correctness, user privacy, and database privacy conditions. Since the setting here is purely classical, we assume that the output views are simply represented by random variables. More concretely, the view of the user is modelled by random variable $V_{\mathsf{U}}^w$, and the view of the data centre j is modelled by $V_{{\mathsf{D}}_j}^x$, for $j=1,2$, where the dependence of $V_{\mathsf{U}}$ (resp. $V_{{\mathsf{D}}_j}$) on w (resp. x) is explicitly labelled. Evidently, $V_{\mathsf{U}}$ also contains query information, $Q_1$ and $Q_2$, and communicated answers ${\tilde{A}}_1$ and ${\tilde{A}}_2$, while $V_{{\mathsf{D}}_j}$ contains ${\tilde{Q}}_j$ and $A_j$, for example.

Definition 1 (Correctness).

When all the parties in the protocol are honest, then for any database query x and database w, the protocol outputs ${\widehat{w}}_x=w_x$.

Definition 2 (User Privacy).

When the user is honest, then for any w and $k_5$ (or $k_6$), and for all x and $x^{\prime }$, each data centre’s view satisfies $\Delta (V_{{\mathsf{D}}_j}^x,V_{{\mathsf{D}}_j}^{x^{\prime }})=0$.

Definition 3 (Database Privacy).

When the data centres are honest, then for any x and r, there exist an $x^{\prime }$ such that for all w and $w^{\prime }$ with $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$, the view of the user satisfies $\Delta (V_{\mathsf{U}}^w,V_{\mathsf{U}}^{w^{\prime }})=0$.

The definition of correctness ensures that the protocol yields the desired result $w_x$ for the user. For user privacy, the trace distance measure is used as a distance metric for measuring the distinguishability of the views. To see this, suppose a hypothetical experiment where the data centre is randomly given two views, $V_{{\mathsf{D}}_j}^x$ and $V_{{\mathsf{D}}_j}^{x^{\prime }}$, and has to determine which of the views is given to him. His maximum probability of guessing correctly the identity is directly linked to the trace distance, i.e., $1/2+\Delta (V_{{\mathsf{D}}_j}^x,V_{{\mathsf{D}}_j}^{x^{\prime }})/2$. From this expression, it is then clear that the trace distance quantifies the advantage the data centre has in distinguishing between $V_{{\mathsf{D}}_j}^x$ and $V_{{\mathsf{D}}_j}^{x^{\prime }}$. Hence, having zero advantage in distinguishing between a system with x and one with $x^{\prime }$ indicates that the data centre can gain no information about X. For database privacy, a dishonest user can input any x, since the adversarial queries ${\overline{Q}}_1$ and ${\overline{Q}}_2$ may not depend on this particular choice of x. For instance, a dishonest user can use his local randomness R to choose queries ${\overline{Q}}_1$ and ${\overline{Q}}_2$ that corresponds to queries for different x. For each r (i.e., each possible choice of queries), the information to which the user truly intends to learn would be implicitly carried by ${\overline{Q}}_1$ and ${\overline{Q}}_2$. Therefore, the existence of an $x^{\prime }$ such that the user cannot distinguish between w and $w^{\prime }$ satisfying $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$ for each r means that the user is unable to obtain any information beyond a single entry of the database, $w_{x^{\prime }}$, for whichever queries that is randomly selected for that run.

4. SPIR with QKD

4.1. QKD Channel

As mentioned above, our goal is to replace the perfectly secure communication channels assumed in multi-database SPIR with QKD channels. Before going into more details, it is useful to first recap the essential features of QKD and its security definitions.

The goal of QKD is to generate a pair of secure keys which are identical, uniform and secret from any eavesdropper. In this setting, we assume that the underlying QKD devices are honest and they each have a trusted local source of randomness. Below, we use random variable S instead of K to represent QKD keys.

A generic QKD between party A and party B can either succeed in producing a pair of keys, $S_A,S_B\in \mathcal{S}$ (with probability $1-p_{\perp }$), or abort and output an abort flag, $S_A=S_B=\perp$ (with probability $p_{\perp }$). The average output state of a QKD protocol is hence given by

$${\rho }_{S_A{S}_{B}E}^{\mathrm{real}}=p_{\perp }{\Pi }_{S_A{S}_B}(\perp \perp )\otimes {\sigma }_E^{\perp }+\sum _{s,s^{\prime }\in \mathcal{S}}{P}_{S_A{S}_B}(s,s^{\prime }){\Pi }_{S_A{S}_B}(s{s}^{\prime })\otimes {\sigma }_E^{s,s^{\prime }},$$

(6)

where $p_{\perp }=P_{S_A{S}_B}(\perp ,\perp )$ is the abort probability and ${\sigma }_E^{s,s^{\prime }}$ is the quantum state conditioned on the outcome $(s,s^{\prime })$ held by an eavesdropper at the end of the protocol. For brevity, we shall use ⊥ to label a normalised state that is conditioned on protocol aborting, and ⊤ to label a normalised state that is conditioned on the protocol not aborting. For instance, in the above equation, the first term corresponds to $p_{\perp }{\rho }_{S_A{S}_{B}E}^{\mathrm{real},\perp }$, and the second term corresponds to $(1-p_{\perp }){\rho }_{S_A{S}_{B}E}^{\mathrm{real},\top }$.

4.2. QKD Security Definition

Keys generated from QKD may not be perfectly uniform and secret from the eavesdropper, but one can ensure that the keys are asymptotically close (in trace distance) to an ideal key by choosing the right security parameter. This security parameter is defined by the distinguishability of QKD keys from an ideal key. The ideal key described here is related, but slightly different from the secret key utilised for a secure classical channel. Since QKD channels can abort, the ideal key used for comparison has probability $p_{\perp }$ of returning an abort flag, whereas the process of sharing secret keys for secure channels are typically assumed not to fail. This introduces a loss in the robustness of the channel (i.e., it can sometime fail), but does not compromise channel security since protocol aborting does not provide Eve with any information on the message. The ideal output state of a QKD is given as

$${\rho }_{S^{AB}E}^{\mathrm{ideal}}=p_{\perp }{\Pi }_{S_A{S}_B}(\perp \perp )\otimes {\sigma }_E^{\perp }+\frac{1}{\left|\mathcal{S}\right|}\sum _{s,s^{\prime }\in \mathcal{S}:s=s^{\prime }}{\Pi }_{S_A{S}_B}(s{s}^{\prime })\otimes {\sigma }_E,$$

(7)

where ${\sigma }_E={\sum }_{s^{″},s^{‴}\in \mathcal{S}}{P}_{S_A{S}_B}(s^{″},s^{‴}){\sigma }_E^{s^{″},s^{‴}}$ is the marginal state of Eve.

Following Ref. [39], a QKD protocol is said to be $\epsilon$-secure if the actual QKD and ideal output states satisfy

$$\Delta ({\rho }_{S_A{S}_{B}E}^{\mathrm{real}},{\rho }_{S_A{S}_{B}E}^{\mathrm{ideal}})\le \epsilon .$$

(8)

The security of QKD can, in fact, be seen as the sum of two security criteria, namely correctness and secrecy. More specifically, it can be shown that,

$$\Delta ({\rho }_{S_A{S}_{B}E}^{\mathrm{real}},{\rho }_{S_A{S}_{B}E}^{\mathrm{ideal}})\le Pr[S_A\ne S_B]+(1-p_{\perp })\Delta ({\rho }_{S_{A}E}^{\mathrm{real}},{\rho }_{S_{A}E}^{\mathrm{ideal}}),$$

(9)

where the terms on the R.H.S. are the correctness and secrecy conditions, respectively, and they satisfy

$$\begin{array}{c}\hfill Pr[S_A\ne S_B]\le {\epsilon }_{\mathrm{cor}},\\ \hfill (1-p_{\perp })\Delta ({\rho }_{S_{A}E}^{\mathrm{real}},{\rho }_{S_{A}E}^{\mathrm{ideal}})\le {\epsilon }_{\sec }.\end{array}$$

(10)

These criteria imply that $\epsilon ={\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }$.

The correctness criterion, in practice, is typically enforced by using hashing, which guarantees that the two keys are identical except with some small error probability, ${\epsilon }_{\mathrm{cor}}/(1-p_{\perp })$. That is, given the protocol does not abort, the maximum probability that the generated keys are different is given by $(1-p_{\perp })Pr[S_A\ne S_B|\mathrm{pass}]\le {\epsilon }_{\mathrm{cor}}$. The secrecy criterion looks at how distinguishable the output state of either $S_A$ or $S_B$ is from the ideal output, after passing through the privacy amplification step using a quantum-proof randomness extractor. For more details of these criteria, we refer the interested reader to Ref. [39]. In the following, for simplicity, we assume that all QKD channels use the same security parameters, i.e., ${\epsilon }_{\mathrm{cor}}$ and ${\epsilon }_{\sec }$, for these can be enforced in practice with the right error verification and privacy amplification schemes. The robustness probability is however harder to enforce as it depends on the quantum channel behaviour which can be different between channels. To that end, we will write $p_{\perp ,U1}$, $p_{\perp ,U2}$, and $p_{\perp ,12}$ to represent the abort probabilities for QKD pairings $(\mathsf{U},{\mathsf{D}}_1)$, $(\mathsf{U},{\mathsf{D}}_2)$, and $({\mathsf{D}}_1,{\mathsf{D}}_2)$, respectively.

4.3. SPIR with QKD Security Definition

In order to analyse SPIR protocols that utilise QKD keys, it is necessary to generalise the original SPIR security definition. These changes will have to accommodate aspects of a QKD channel that are not normally present in a perfectly secure channel. More specifically, we need to consider the possibility that the QKD protocol can abort, and that it has a non-zero probability of outputting an imperfect secret key pair.

In the original SPIR setting, a two-party protocol between the data centres and user is considered. Here, no external eavesdropper is included, for secure channels are used and hence no external party can obtain any information from the communication. However, in the case of practical QKD systems, there is a small possibility that the eavesdropper could learn something about the secret keys. To allow for such bad events, we look at SPIR as a three-party protocol with an eavesdropper called Eve, and introduce a fourth condition which we term as protocol secrecy. Similar to the other security conditions, the protocol secrecy condition requires that the view of any eavesdropper E be independent of both X and W, assuming both the user and data centres are honest. In the following, we first highlight four considerations when extending the original SPIR security definition to one that appropriately captures all possible bad events that may be caused by imperfect QKD keys.

Firstly, in analysing user privacy (resp. database privacy), the possibility of getting imperfect secret keys provides a new avenue for data centres (resp. the user) to gain more information on X (resp. W). For instance, when the key pair $(S_3,S_4)$ is insecure, data centre 1 can gain information on $Q_2$ and $A_2$, which can be utilised to determine x. To suitably address these threats, we treat such situations as a collusion between the data centre and Eve (whose view contains the ciphertext). In other words, in analysing user privacy (resp. database privacy), we always assume that the dishonest party is colluding with the external eavesdropper, Eve.

Secondly, a feature of the current security definition of QKD is that the security error (the probability that the generated secret keys are imperfect/insecure) can be made arbitrarily small in the limit of infinitely long keys. To allow for this feature as well in the extended setting, we introduce compatible definitions by adding security parameters to each of the condition, all of which should be possible to make asymptotically small. For instance, the security parameter for correctness, ${\eta }_{\mathrm{cor}}$, would bound the probability of error in recovering $w_x$, the security parameters for user privacy, database privacy and protocol secrecy, ${\eta }_{\mathrm{UP}}$, ${\eta }_{\mathrm{DP}}$ and ${\eta }_{PS}$, would bound the difference between the two views given in the condition.

Thirdly, the possibility of having a mismatch of QKD keys for various communication channels would lead to inaccuracies when the classical SPIR definition is used. For user privacy, the classical definition requires the data centre’s view to be independent of X for any $k_5$, the shared random string between the databases. The definition also requires the same to be true for any $k_6$, but this need not be included since $K_5=K_6$ is assumed. Since QKD keys could be mismatched, $S_5\ne S_6$, $S_6$ has to be explicitly included in the adjusted definition. A similar problem is present for database privacy. The classical definition fixes x and r, thereby fixing the adversarial queries ${\overline{q}}_1$ and ${\overline{q}}_2$ while analysing the user’s view. This allows one to address any probabilistic strategy a dishonest user can perform by analysing each possible pair of query ${\overline{q}}_1$ and ${\overline{q}}_2$ that the user includes in his probabilistic strategy. If the user is unable to obtain more than $w_{x^{\prime }}$ for some $x^{\prime }$ for each pair of query, his probabilistic strategy would not yield more than a single entry of the database. Using QKD keys ($S_1^{dec}$,$S_2^{enc}$,$S_3^{dec}$,$S_4^{enc}$) can result in the queries ${\tilde{\overline{Q}}}_1$ and ${\tilde{\overline{Q}}}_2$ arriving at the databases being probabilistic, since there is a small probability that the keys do not match. For instance, ${\overline{Q}}_1$ and ${\overline{Q}}_2$ can be queries for $w_1$, but there is a small probability that the QKD keys are mismatched such that ${\tilde{\overline{Q}}}_1$ and ${\tilde{\overline{Q}}}_2$ queries for $w_2$, which means that there would not be an $x^{\prime }$ for which the user’s view is identical for any w and $w^{\prime }$ with $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$. However, for each fixed set of QKD keys ($s_1^{dec}$,$s_2^{enc}$,$s_3^{dec}$,$s_4^{enc}$), the queries do indeed reveal at most a single $w_{x^{\prime }}$ to the user. Therefore, the definition has to be adjusted to analyse the user’s view with fixed keys ($s_1^{dec}$,$s_2^{enc}$,$s_3^{dec}$,$s_4^{enc}$).

Lastly, unlike secure communication channels, QKD protocols can fail due to reasons like high channel noise or failure to have matching hash values in the error verification step. In fact, even in the classical case, it is not inconceivable that an external party can perform denial of service attack on the channel, e.g., by physically cutting the optical channel. In such a situation, $w_x$ cannot be recovered and the correctness condition will not be met. To accommodate for such bad events, we modify the definition to condition out failure events (i.e., only consider ‘pass’ cases), which has probability

$$p_{fail}=1-(1-p_{\perp ,U1})(1-p_{\perp ,U2})(1-p_{\perp ,12}).$$

(11)

This conditioning can be performed in practice since an abort flag, ⊥, is sent in the case of protocol failure. This is different from having an error in the decoded bit ${\widehat{w}}_x$, which would be undetectable. Typically, once a QKD protocol aborts, the users will run the protocol again. However, for simplicity, we do not include this consideration in our analysis. Nevertheless, we remark that one should make $p_{fail}$ as small as possible in practice.

The extended security definitions are as follow:

Definition 4 (${\eta }_{\mathrm{cor}}$-correctness).

Assuming the user and the data centres are honest, then for any x and w, the protocol must fulfil $(1-p_{\mathrm{fail}})Pr[{\widehat{w}}_x\ne w_x|\mathrm{pass}]\le {\eta }_{\mathrm{cor}}$.

Definition 5 (${\eta }_{\mathrm{UP}}$-user privacy).

Assuming the user is honest, then for any w and shared keys between the databases ($s_5$,$s_6$), the total view of each data centre and the eavesdropper (Eve) has to fulfil $\Delta ({\rho }_{{\mathsf{D}}_j\mathsf{E}}^x,{\rho }_{{\mathsf{D}}_j\mathsf{E}}^{x^{\prime }})\le {\eta }_{\mathrm{UP}}$ for all x and $x^{\prime }$.

Definition 6 (${\eta }_{\mathrm{DP}}$-database privacy).

Assuming the data centres are honest, then for any x, r and keys $(s_1^{dec},s_2^{enc},s_3^{dec},s_4^{enc})$, there exist an $x^{\prime }$ such that for all w and $w^{\prime }$ with $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$, the total view of the user and eavesdropper (Eve) has to fulfil $\Delta ({\rho }_{\mathsf{U}\mathsf{E}}^w,{\rho }_{\mathsf{U}\mathsf{E}}^{w^{\prime }})\le {\eta }_{\mathrm{DP}}$.

Definition 7 (${\eta }_{\mathrm{PS}}$-protocol secrecy).

Assuming the user and the data centres are honest, then for all $(x,w)$ and $(x^{\prime },w^{\prime })$, the view of the eavesdropper (Eve) has to fulfil $\Delta ({\rho }_{\mathsf{E}}^{x,w},{\rho }_{\mathsf{E}}^{x^{\prime },w^{\prime }})\le {\eta }_{\mathrm{PS}}$.

We call any SPIR protocol that satisfies the above four conditions as (${\eta }_{\mathrm{cor}}$,${\eta }_{\mathrm{UP}}$,${\eta }_{\mathrm{DP}}$,${\eta }_{\mathrm{PS}}$)-secure. Note that the original SPIR definition can be recovered by taking (0,0,0,0)-security and assuming that there is no protocol failure $p_{\mathrm{fail}}=0$, that the shared random key between the databases are correct ($S_5=S_6$), and the user queries are communicated without errors ($S_1^{dec}=S_2^{enc}$ and $S_3^{dec}=S_4^{enc}$). More concretely, Definition 1 is obtained since ${\eta }_{\mathrm{cor}}=0$ and $p_{\mathrm{fail}}=0$ implies $Pr[{\widehat{w}}_x\ne w_x]=0$, Definitions 2 and 3 are obtained by noting that the trace distance measure is contractive under partial trace operations.

4.4. Quantum View Modelling

In Ref. [5], the authors proved that there exist a family of (0,0,0,0)-secure SPIR protocols assuming secure classical channels. However, establishing these secure channels require that the user and data centres have pre-shared keys that are at least as long as the messages to be sent. Pre-shared keys between the data centres are also required to perform CDS. This would be impractical for large databases or situations that require multiple uses of the SPIR protocol. Therefore, we can capitalise on QKD, which is a key expansion protocol. Starting with a small shared key between two parties, QKD can generate a much longer secret key for use. Hence, we establish QKD links between the parties to generate keys for both communication (between the user and data centres) and as shared randomness (between the data centres).

To analyse the security of the SPIR protocol with QKD, we need to first examine the view of various parties in the quantum setting. The protocol follows the generic one-round SPIR protocol described in Section 3.1, except that the keys used in key pairing steps are given by QKD keys instead. More specifically, we replace $(K_1,K_2)$, $(K_3,K_4)$, and $(K_5,K_6)$ by QKD generated keys $(S_1,S_2)$, $(S_3,S_4)$, and $(S_5,S_6)$, respectively. We also take that each set of QKD keys shared between two parties is generated by a single round of QKD. If any of the three QKD protocols aborts, i.e., if any of $(S_1,S_2)$, $(S_3,S_4)$ or $(S_5,S_6)$ returns ⊥ after the first step of establishing secure channels, then the SPIR protocol will abort. For simplicity, we take that all random variables that are generated in the latter steps, including queries, answers and ciphertext, are set to ⊥. The overall protocol is summarised in

Table 2. Generic one-Round two-database SPIR protocol with QKD.

Step	${\mathsf{D}}_1$		$\mathsf{U}$		${\mathsf{D}}_2$	$\mathsf{E}$
Input:	w		R, x		w
QKD (${\mathsf{D}}_1\leftrightarrow {\mathsf{D}}_2$):	$S_5$	$\stackrel{{\rho }_{S_5{S}_{6}E}^{\mathrm{real}}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }}$			$S_6$	${\sigma }_{\mathsf{E}}^{S_5{S}_6}$
QKD ($\mathsf{U}\leftrightarrow {\mathsf{D}}_1$):	$S_1$	$\stackrel{{\rho }_{S_1{S}_{2}E}^{\mathrm{real}}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }}$	$S_2$			${\sigma }_E^{S_1{S}_2}$
QKD ($\mathsf{U}\leftrightarrow {\mathsf{D}}_2$):			$S_4$	$\stackrel{{\rho }_{S_3{S}_4}^{\mathrm{real}}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftrightarrow }}$	$S_3$	${\sigma }_E^{S_3{S}_4}$
Query:			$Q_1=f_{\mathrm{query},1}(x,R)$
			$Q_2=f_{\mathrm{query},2}(x,R)$
OTP ($\mathsf{U}\to {\mathsf{D}}_1$):	${\tilde{Q}}_1=C_{Q_1}\oplus S_1^{\mathrm{dec}}$	$\stackrel{{\mathcal{C}}_{U1}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{Ȑ}}$	$C_{Q_1}=Q_1\oplus S_2^{\mathrm{enc}}$			$C_{Q_1}$
OTP ($\mathsf{U}\to {\mathsf{D}}_2$):			$C_{Q_2}=Q_2\oplus S_4^{\mathrm{enc}}$	$\stackrel{{\mathcal{C}}_{U2}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\to }}$	${\tilde{Q}}_2=C_{Q_2}\oplus S_3^{\mathrm{dec}}$	$C_{Q_2}$
Answer:	$A_1=f_{\mathrm{ans},1}({\tilde{Q}}_1,w,S_5)$				$A_2=f_{\mathrm{ans},2}({\tilde{Q}}_2,w,S_6)$
OTP (${\mathsf{D}}_1\to \mathsf{U}$):	$C_{A_1}=A_1\oplus S_1^{\mathrm{enc}}$	$\stackrel{{\mathcal{C}}_{U1}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\to }}$	${\tilde{A}}_1=C_{A_1}\oplus S_2^{\mathrm{dec}}$			$C_{A_1}$
OTP (${\mathsf{D}}_2\to \mathsf{U}$):			${\tilde{A}}_2=C_{A_2}\oplus S_4^{\mathrm{dec}}$	$\stackrel{{\mathcal{C}}_{U2}}{\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftarrow }}$	$C_{A_2}=A_2\oplus S_3^{\mathrm{enc}}$	$C_{A_2}$
Decoding:			${\widehat{w}}_x=f_{\mathrm{dec}}({\tilde{A}}_1,{\tilde{A}}_2,Q_1,Q_2,x,R)$

.

By expressing the inputs as quantum states and steps in the protocol as maps, we can obtain the final state for all four parties, and determine each of their view by performing a partial trace. Here, we introduce four relevant views that are used in the SPIR security definition. The total view of the user and Eve (used in database privacy) is

$${\rho }_{\mathsf{U}\mathsf{E}}^w={\rho }_{XR{Q}_1{Q}_2{\tilde{A}}_1{\tilde{A}}_2{S}_2{S}_4{C}_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}E}^w,$$

(12)

the total view of Eve and data centre 1, and that of Eve and data centre 2 (used in user privacy) are

$$\begin{array}{ccc}\hfill {\rho }_{{\mathsf{D}}_1\mathsf{E}}^x& =& {\rho }_{W{\tilde{Q}}_1{A}_1{S}_1{S}_5{C}_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}E}^x,\hfill \end{array}$$

(13)

$$\begin{array}{ccc}\hfill {\rho }_{{\mathsf{D}}_2\mathsf{E}}^x& =& {\rho }_{W{\tilde{Q}}_2{A}_2{S}_3{S}_6{C}_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}E}^x,\hfill \end{array}$$

(14)

respectively, and the view of Eve (used in protocol secrecy) is

$${\rho }_{\mathsf{E}}^{x,w}={\sigma }_{C_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}E}^{x,w}.$$

(15)

Here, we note that E is the side-information of Eve gathered up the OTP steps. As such, E contains all of the quantum information exchanged over the QKD channels and all of the classical information exchanged due to error correction, verification, and privacy amplification.

5. Security Analysis

Here, we show that the security parameters of the associated QKD protocols can be used to bound the generalised SPIR security parameters defined above.

Theorem 1.

A two-database one-round $(0,0,0,0)$-secure SPIR protocol that uses ε-secure QKD keys in place of ideal keys, where $\epsilon ={\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }$, is $\left(3{\epsilon }_{\mathrm{cor}},2\epsilon ,2\epsilon ,4\epsilon \right)$-secure.

Proof sketch.— For the correctness condition, if the all of the QKD key pairs are correct and conditioned on not aborting, then the 0-correctness of the SPIR protocol guarantees that the decoding will be correct. Moreover, since there may be key pair events other than the correct ones that can yield ${\widehat{w}}_x=w_x$, we have that

$$Pr[{\widehat{w}}_x=w_x|\mathrm{pass}]\ge Pr\left[\{S_1=S_2\}\right.\cap \{S_3=S_4\}\left.\cap \{S_5=S_6\}|\mathrm{pass}\right],$$

(16)

where the conditioning is that all of the QKD protocols do not abort. Then, by using the union bound, it is straightforward to show that the probability of error is upper bounded by the sum of the probability of each QKD key being wrong, and thus

$$(1-p_{\mathrm{fail}})Pr[{\widehat{w}}_x\ne w_x|\mathrm{pass}]\le 3{\epsilon }_{\mathrm{cor}}.$$

(17)

For user privacy, we look at the total view of one data centre (say ${\mathsf{D}}_1$) together with the eavesdropper, $\mathsf{E}$. However, it is not straightforward to compare the views for different x. Hence, we introduce an hypothetical scenario which uses an ideal QKD protocol instead of a real QKD protocol to generate keys for OTP encryption through ${\mathcal{C}}_{U2}$ as an intermediate step. This state, ${\xi }_{{\mathsf{D}}_1\mathsf{E}}^x={\xi }_{{\tilde{Q}}_1{\overline{A}}_1{S}_1{S}_{5}W{C}_{Q_1}{C}_{Q_2}{C}_{{\overline{A}}_1}{C}_{{\overline{A}}_2}E}^x$ has the same set of variables as ${\rho }_{{\mathsf{D}}_1\mathsf{E}}^x$ in Equation (13), with the only difference being that QKD keys $S_3{S}_4$ are ideal. With this intermediate state, we can split the trace distance into three parts by using triangle inequality, $\Delta ({\rho }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^x)$, $\Delta ({\xi }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }})$, and $\Delta ({\xi }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }},{\rho }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }})$.

We first examine the second part, $\Delta ({\xi }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }})$. When the protocol aborts, the two views are clearly identical (i.e., zero trace distance) since all variables have value ⊥, except the keys $S_1{S}_{5}E$, which are common for both states. In fact, for all trace distances we examine in this sketch proof, the two states in the trace distance are identical when the protocol aborts, and thus we ignore the protocol abort situation. When the protocol does not abort, we can simplify by using the fact that any trace-preserving map cannot increase trace distance, and noting that there are trace-preserving maps from $Q_1{S}_1{S}_2{S}_{5}W$ to ${\tilde{Q}}_1{\overline{A}}_1{C}_{Q_1}{C}_{{\overline{A}}_1}$. Moreover, since the ciphertext $C_{Q_2}{C}_{{\overline{A}}_2}$ is obtained from encryption using ideal QKD keys $S_3{S}_4$, they are uniformly distributed over ${\mathcal{C}}_{Q_2}{\mathcal{C}}_{A_2}$, and thus are independent of x and common to both states. After simplification, the only remaining variable in the trace distance possibly dependent on x is $Q_1$ (the other remaining variables are $S_1{S}_2{S}_{5}WE$). However, by 0-user privacy of the SPIR protocol, $Q_1$ is independent of x and thus $\Delta ({\xi }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }})=0$.

The second step is to look at the trace distance $\Delta ({\rho }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^x)$. Conditioned on protocol not aborting, we can simplify by noting that there are trace-preserving maps that can map $Q_1{Q}_2{S}_1{S}_2{S}_3{S}_4{S}_5{S}_{6}W$ to ${\tilde{Q}}_1{\overline{A}}_1{C}_{Q_1}{C}_{Q_2}{C}_{Q_2}{C}_{{\overline{A}}_2}$. Since $Q_1{Q}_2$ are independent of the QKD keys, and $S_1{S}_2{S}_5{S}_6$ are generated by same QKD protocol, we are left with the trace distance

$$\Delta ({\rho }_{{\mathsf{D}}_1\mathsf{E}}^x,{\xi }_{{\mathsf{D}}_1\mathsf{E}}^x)\le (1-p_{\mathrm{fail}})\Delta ({\rho }_{S_3{S}_4{E}^{\prime }}^{\top },{\xi }_{S_3{S}_4{E}^{\prime }}^{\top }).$$

(18)

where ⊤ labels the conditioning on the protocol not aborting. In the R.H.S. of the equation, the first state (resp. second state) corresponds to real QKD keys (resp. ideal QKD keys) $S_3{S}_4$ with side information $E^{\prime }=S_1{S}_2{S}_5{S}_{6}E$ conditioned on the protocol not aborting. Therefore, from the security definition, the trace distance is bounded by ${\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }$. Combining the above results, one can show that

$$\Delta ({\rho }_{{\mathsf{D}}_1\mathsf{E}}^x,{\rho }_{{\mathsf{D}}_1\mathsf{E}}^{x^{\prime }})\le 2({\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }).$$

(19)

This also holds for the total view of ${\mathsf{D}}_2\mathsf{E}$.

For database privacy, we examine the total view of the user, $\mathsf{U}$, together with the eavesdropper Eve, $\mathsf{E}$. We then introduce a hypothetical scenario where ideal QKD keys are used instead of real QKD keys as the shared random string between the data centres. The corresponding state, ${\xi }_{\mathsf{U}\mathsf{E}}^w={\xi }_{XR{\overline{Q}}_1{\overline{Q}}_2{\tilde{A}}_1{\tilde{A}}_2{S}_2{S}_4{C}_{{\overline{Q}}_1}{C}_{{\overline{Q}}_2}{C}_{A_1}{C}_{A_2}E}^w$, contains the same variables as ${\rho }_{\mathsf{U}\mathsf{E}}$ in Equation (12), except that $S_5{S}_6$ are ideal QKD keys. Therefore, we can use triangle inequality to split the trace distance into three parts, $\Delta ({\rho }_{\mathsf{U}\mathsf{E}}^w,{\xi }_{\mathsf{U}\mathsf{E}}^w)$, $\Delta ({\xi }_{\mathsf{U}\mathsf{E}}^w,{\xi }_{\mathsf{U}\mathsf{E}}^{w^{\prime }})$, and $\Delta ({\xi }_{\mathsf{U}\mathsf{E}}^{w^{\prime }},{\rho }_{\mathsf{U}\mathsf{E}}^{w^{\prime }})$.

We first examine the second part, $\Delta ({\xi }_{\mathsf{U}\mathsf{E}}^w,{\xi }_{\mathsf{U}\mathsf{E}}^{w^{\prime }})$ for an arbitrary x, r and ($s_1^{dec}$,$s_2^{enc}$,$s_3^{dec}$,$s_4^{enc}$). This can be simplified by noting that there is a trace-preserving map from ${\overline{Q}}_1{\overline{Q}}_2{A}_1{A}_2{S}_1{S}_2$$S_3{S}_4$ to ${\tilde{A}}_1{\tilde{A}}_2{C}_{{\overline{Q}}_1}{C}_{{\overline{Q}}_2}{C}_{A_1}{C}_{A_2}$. Since a fixed r and x fixes ${\overline{q}}_1$ and ${\overline{q}}_2$ and having fixed keys ($s_1^{dec}$,$s_2^{enc}$,$s_3^{dec}$,$s_4^{enc}$) further fixes the query received by the database, ${\tilde{\overline{q}}}_1$ and ${\tilde{\overline{q}}}_2$, we can express the state as two subsystems $XR{\overline{Q}}_1{\overline{Q}}_2{S}_1{S}_2{S}_3{S}_{4}E$ and ${\tilde{\overline{Q}}}_1{\tilde{\overline{Q}}}_2{A}_1{A}_2$. The former subsystem is independent of W, and thus we can remove it using the fact that $\Delta (A\otimes B,A\otimes B)\le \Delta (B,C)$. The probability distribution of ${\tilde{\overline{Q}}}_1{\tilde{\overline{Q}}}_2{A}_1{A}_2$ here is the same as a hypothetical scenario where all QKD keys are ideal, and the user sends the queries ${\tilde{\overline{Q}}}_1$ and ${\tilde{\overline{Q}}}_2$ instead. For this scenario, we can invoke 0-database privacy, which states there exists an $x^{\prime }$ such that for w and $w^{\prime }$ with $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$, $A_1$ and $A_2$ are independent on W (i.e., trace distance is zero). This is true for any adversarial user queries, and in particular it is true for queries ${\tilde{\overline{Q}}}_1$ and ${\tilde{\overline{Q}}}_2$.

The next step is to examine the trace distance $\Delta ({\rho }_{\mathsf{U}\mathsf{E}}^w,{\xi }_{\mathsf{U}\mathsf{E}}^w)$. We note that there are trace-preserving maps that can be applied to ${\overline{Q}}_1{\overline{Q}}_2{S}_1{S}_2{S}_3{S}_4{S}_5{S}_{6}W$ to obtain $A_1{A}_2{C}_{{\overline{Q}}_1}{C}_{{\overline{Q}}_2}{C}_{A_1}{C}_{A_2}$. This simplification, together with removal of common terms $XR{\overline{Q}}_1{\overline{Q}}_{2}W$, and noting that $S_1{S}_2{S}_3{S}_4$ is generated by the same QKD protocol for both terms, we arrive at

$$\Delta ({\rho }_{\mathsf{U}\mathsf{E}}^w,{\xi }_{\mathsf{U}\mathsf{E}}^w)\le (1-p_{fail})\Delta ({\rho }_{S_5{S}_6{E}^{\prime }}^{\top },{\xi }_{S_5{S}_6{E}^{\prime }}^{\top }),$$

(20)

where the side-information is $E^{\prime }=S_1{S}_2{S}_3{S}_{4}E$. The terms in the trace distance corresponds to the output state of a real and ideal QKD protocol respectively conditioned on not aborting. Therefore, from the security definition, this is bounded by ${\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }$. Combining the above results, we conclude that there exist a $x^{\prime }$ such that for $w_{x^{\prime }}=w_{x^{\prime }}^{\prime }$,

$$\Delta ({\rho }_{\mathsf{U}\mathsf{E}}^w,{\rho }_{\mathsf{U}\mathsf{E}}^{w^{\prime }})\le 2({\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }).$$

(21)

The final condition of protocol secrecy requires the introduction of the view of the eavesdropper for two different scenarios. ${\xi }_{\mathsf{E}}^{x,w,1}$ is Eve’s view in a setup where $S_1{S}_2$ are ideal QKD keys, and ${\xi }_{\mathsf{E}}^{x,w,2}$ is Eve’s view where $S_1{S}_2{S}_3{S}_4$ are ideal QKD keys. Using similar arguments from the sketch proof of user privacy, one can show that each change from ${\rho }_{\mathsf{E}}^{x,w}\to {\xi }_{\mathsf{E}}^{x,w,1}\to {\xi }_{\mathsf{E}}^{x,w,2}$ incurs an error of $\epsilon$, resulting in trace distance $\Delta ({\rho }_{\mathsf{E}}^{x,w},{\xi }_{\mathsf{E}}^{x,w,2})\le 2({\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec })$.

The next step is to examine the trace distance $\Delta ({\xi }_{\mathsf{E}}^{x,w,2},{\xi }_{\mathsf{E}}^{x^{\prime },w^{\prime },2})$. We note that ${\xi }_{\mathsf{E}}^{x,w,2}={\xi }_{C_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}E}^{x,w,2}$ is similar to ${\rho }_{\mathsf{E}}^{x,w}$ in Equation (15), except that $S_1{S}_2{S}_3{S}_4$ are ideal QKD keys. Since $C_{Q_1}{C}_{Q_2}{C}_{A_1}{C}_{A_2}$ are ciphertext generated using ideal QKD keys $S_1{S}_2{S}_3{S}_4$, they are distributed uniformly over ${\mathcal{C}}_{Q_1}{\mathcal{C}}_{Q_2}{\mathcal{C}}_{A_1}{\mathcal{C}}_{A_2}$. Therefore, they are not dependent on x or w (neither is E), and the trace distance is $\Delta ({\xi }_{\mathsf{E}}^{x,w,2},{\xi }_{\mathsf{E}}^{x^{\prime },w^{\prime },2})=0$. Using triangle inequality to combine the result, we have

$$\Delta ({\rho }_{\mathsf{E}}^{x,w},{\rho }_{\mathsf{E}}^{x^{\prime },w^{\prime }})\le 4({\epsilon }_{\mathrm{cor}}+{\epsilon }_{\sec }).$$

(22)

The detailed proof is provided in Appendix A.

6. Numerical Simulation

6.1. MDI-QKD

For simulation purposes, we look at MDI-QKD with decoy states [40] as the protocol of choice to generate the keys used in SPIR. In MDI-QKD, the security of the QKD key generated is guaranteed even if the eavesdropper is the one performing the measurement and announcing the result, as shown in Figure 2. Hence, in the setup depicted in Figure 1, the central node would hold the measurement device and the other parties would hold the QKD source. In this case, the MDI nature of the protocol ensures that the central node cannot gain any information about the messages communicated between the user and data centres.

The MDI-QKD protocol we use is detailed in Ref. [40], and we provide a summary here. We start with the communicating parties, Alice and Bob, each choosing a basis from $\{X,Z\}$, an intensity from $\{a_s,a_1,\cdots ,a_n\}$ and $\{b_s,b_1,\cdots ,b_m\}$ respectively, and a random bit $\{0,1\}$. They then prepare the corresponding quantum state and send it to the central node. If the central node is honest, it will perform a Bell state measurement and report the result, t. Alice and Bob can then reveal their basis and intensity settings and only select rounds where they use the same basis states. This sifted key can then be used for parameter estimation, error correction and privacy amplification. The final key rate obtained is given by the sum of key rates for different results reported by the central node, $l={\sum }_t{l}_t$,

$$\begin{array}{cc}\hfill l_t\le & n_{t,0}+n_{t,1}[1-h(e_{t,1})]-{\mathrm{leak}}_{\mathrm{EC},\mathrm{t}}\hfill \\ \hfill & -log\frac{8}{{\epsilon }_{\mathrm{cor}}}-2log\frac{2}{{\epsilon }_t^{\prime }{\widehat{\epsilon }}_t}-2log\frac{1}{2{\epsilon }_{t,\mathrm{PA}}},\hfill \end{array}$$

(23)

where $h(x)$ is the binary entropy of x, $n_{t,0}$ is the number of events where either party sends zero photons, $n_{t,1}$ is the number of events where both parties send one photon each, $e_{t,1}$ is the error rate for these one-photon events, ${\mathrm{leak}}_{\mathrm{EC},\mathrm{t}}$ is the number of leaked bits from error-correction, and the $\epsilon$ values are various security and parameter estimation parameters.

6.2. SPIR Resource

We examine the performance of the SPIR protocol based on the type of database it can send for a fixed number of signals sent to establish the QKD key, N, and for fixed distances, d. A database is characterised by the number of entry it has, n, and the size of each entry, L. We use the two-database SPIR protocol ${\mathcal{B}}_2^{″}$ [5] (see Appendix B for protocol description), which requires communication of $[7L+3log(n^{1/3})+(3+3L)n^{1/3}]$ bits between the user and each data centre, and $(9L{n}^{1/3}+10L)$ bits of shared key between the data centres for CDS. In a typical implementation, it is likely that the two data centres would be close together, thus the limiting factor would be from the user-data centre communication since the user would tend to be far from the data centre itself. Hence, we will only focus on the the key rate from MDI-QKD between the user and data centres.

In the analysis, we use similar parameters as in Ref. [40], with a fibre channel loss of 0.2 dB km⁻¹, detection efficiency of 14.5%, and background count of $6.02\times {10}^{-6}$. We assume that the central node uses the measurement device shown in Figure 3, which allows it to perform Bell state measurements of states $|{\psi }^{-}\rangle$ and $|{\psi }^{+}\rangle$. The polarisation misalignment error of this setup is modelled following Ref. [41], by introducing unitary rotations in the channels connecting Alice and Bob to the central node, and a unitary rotation in one arm of the measurement device after the beam splitter. The value of the total polarisation misalignment error is set at 1.5%. For simplicity, the protocol uses only two decoy states, with the weaker one having intensity $5\times {10}^{-4}$. We also assume that the error correction leakage is given by ${\mathrm{leak}}_{\mathrm{EC},\mathrm{t}}=1.16n_{t}h(e_t^{a_s{b}_s})$, where $n_k$ is the number of bits of the sifted key (runs that both Alice and Bob prepares in the Z-basis and using the signal intensity) that is not used for error estimation, and $e_t^{a_s{b}_s}$ is the corresponding error rate of this sifted key.

We fix the QKD security parameters ${\epsilon }_{corr}={10}^{-15}$ and $\epsilon ={10}^{-10}$, which makes the SPIR ($3\times {10}^{-15}$, $2\times {10}^{-10}$, $2\times {10}^{-10}$, $4\times {10}^{-10}$)-secure. The key rate $l/N$ is optimised for a given number of signals sent in the QKD key generation, N, over all free parameters. These include the intensities, probability distributions of intensity and basis choices, number of bits used for error estimation, and the security parameters implicit in $\epsilon$. We plot the database parameters for a few setups, with the number of signal sent, N, being ${10}^{12}$, ${10}^{13}$, and ${10}^{14}$, which corresponds to 16.7 min, 2.8 h, and 28 h respectively for a 1 GHz signal rate. The distances used are metropolitan, at 5 km (fits Singapore’s downtown core), 10 km (fits Geneva, London inner ring road), and 20 km (fits Washington DC). We also included four scenarios of database query usage,

• iTunes: A consumer wants to purchase a song from the iTunes catalogue, which contains 60 million songs. (Assume each music file is 10 MB) [$n=6\times {10}^7$, $L=8\times {10}^7$]
• Electronic Health Records (EHR): A doctor in Singapore wants to retrieve his patient’s medical chart from the national health records database. (The average medical chart file size of a healthy patient is about 5 MB [42], and Singapore’s population is 5.7 million [43]) [$n=5.7\times {10}^6$, $L=4\times {10}^7$]
• Fingerprint Data: Border control wants to retrieve the fingerprint data of a visitor to verify his identity. (Fingerprint minutiae data size is about 500 bytes [44], and the world population is 7.7 billion [45]) [$n=7.7\times {10}^9$, $L=4000$]
• Genetic Data: A doctor requests for a gene in a patient’s genome data to analyse disease risk. (Human genome contains 19,116 protein-coding genes, with the maximum size of a single gene being 2.47 million base pairs [46]. Since humans have two alleles for most genes and there are 4 possible bases, each gene entry can be encoded as 9.88 million bits). [$n$ = 19,116, $L=9.88\times {10}^6$]

The results are shown in Figure 4.

The ${\mathcal{B}}_2^{″}$ protocol with QKD has a scaling of $O(n^{1/3}L)$, which is reflected in the numerical analysis by the significantly higher number of database entries that one can perform SPIR for compared to the database entry size, which scales linearly with N. This means that the ${\mathcal{B}}_2^{″}$ protocol is especially useful for databases with small file sizes and large number of entries, such as querying the fingerprint of one person from a database containing the fingerprint of everyone in the world, which takes about 16.7 min of key generation for 10 km distances. For much larger database entries, such as video files, and uncompressed music files, the use of the ${\mathcal{B}}_2^{″}$ protocol with QKD channels does not appear feasible.

7. Discussion

Having a multi-database SPIR protocol with QKD provides information theoretic security, but a drawback in the setup is that the result obtained by the user, ${\widehat{w}}_x$, cannot be verified. This allows malicious data centres to send false information to the user simply by changing the answers sent to the user. This, however, does not affect the validity of the SPIR protocol. At the practical level, this act could be detectable for certain applications, such as music streaming, but could remain undetected for other applications such as medical test reports, where information cannot be independently verified by the user. One could overcome this by providing additional information, such as a hash of the desired entry, for the user to perform verification, but this requires a further analysis which is beyond the scope of the current work.

In place of ideal keys, we have introduced the use of QKD keys for use in SPIR, but we require a few addition assumptions on the parties. In particular, we assume that (1) the data centres do not intentionally leak the QKD keys to other parties including Eve, (2) that all messages sent through the channels ${\mathcal{C}}_{Uj}$ must be encrypted with OTP, and that (3) data centres do not have access to the classical channels used to establish the QKD keys after the key exchange step. These additional assumptions are necessary to prevent the misuse of QKD, which assumes that both communicating parties act honestly. These assumptions can be enforced in practice via methods like supervisory programs or a trusted third party authority.

In our numerical analysis, we used the ${\mathcal{B}}_2^{″}$ protocol, but there are other SPIR protocol that one could use. ${\mathcal{B}}_k^{″}$ protocol is a generalisation of the ${\mathcal{B}}_2^{″}$ protocol that requires k databases instead of a two, with a scaling of $O(n^{1/(2k-1)}L)$. This means that it outperforms the ${\mathcal{B}}_2^{″}$ for applications with a large number of database entries, but the user would have to communicate with more data centres.

Alternatively, one could relax the SPIR definition to allow for other protocols to be used. In the current SPIR definition, the user is not allowed to learn the values of the XOR of database entries such as $w_x\oplus w_{x^{\prime }}$. However, in certain scenarios the data centre might not mind the user learning such values, as long as the user only gains one bit of information, e.g., either $w_x$ or some ${⨁}_x{w}_x$. Such a change would require further modification of Definition 6, for instance, to one that reads “there exist an $i^{(n)}=(i_1,\cdots ,i_n)$ such that for all w and $w^{\prime }$ with ${⨁}_x{i}_x{w}_x={⨁}_x{i}_x{w}_x^{\prime }$”, where $i_x=1$ indicates that the user includes $w_x$ in the XOR the user learns and $i_x=0$ otherwise.

The relaxation made to the SPIR definition would allow us to use another protocol used as the foundation for Song et al.’s quantum SPIR protocol [26]. In this protocol, we label the user’s desired bit as $w_{i^{(n)}}={⨁}_{x=1}^n{i}_x{w}_x$. The user then generates a random string $R^{(n)}\in {\{0,1\}}^n$ and sends his queries $Q_1^{(n)}=R^{(n)}$, $Q_2^{(n)}=R^{(n)}\oplus i^{(n)}$. The data centres then reply with answers $A_1=\left({⨁}_{x=1}^n{Q}_{1,x}{w}_x\right)\oplus K$ and $A_2=\left({⨁}_{x=1}^n{Q}_{2,x}{w}_x\right)\oplus K$, where K is a shared random bit between the data centres. The user would then decode by applying $A_1\oplus A_2$, and K ensures that the user can only obtain at most a single bit. In this setup, the number of bits of communication between the user and data centre is $n+L$, and the plot is shown in Figure 4, for $N={10}^{13}$ at 10 km. This protocol can be utilised for iTunes and EHR, which is not feasible for the ${\mathcal{B}}_2^{″}$ protocol. The protocol can also achieve close to the communication limit of $L=l$ for small databases. This limit is that of the secure communication of a single string (entry) of length L, which requires one QKD secure key bit for each bit of the string. However, the number of entries that the database can have is limited in this case, and it can no longer be used for the fingerprint database which has 7.7 billion entries. Therefore, it can be useful to examine other protocols of SPIR or relaxed versions of SPIR.

Here, we have shown how multi-database SPIR can work with QKD channels in place of secure channels. An interesting extension would be to demonstrate it experimentally, which would pave the way for practical implementation of the protocol in the future. For practical implementation, it is also useful to explore reasonable relaxations of the QKD protocol, such as the one described above, and other SPIR or relaxed SPIR protocols. By optimising the protocol choice for different applications of SPIR based on the number of entries and database entry size of the database, one could obtain better performance for the particular application of interest.

Another interesting extension would be to examine the performance of SPIR in the situation of a byzantine adversary who may corrupt transmission for some of the communication channels, and the scenario where this adversary can collude with some data centres. This situation results in communication between the data centres, which could compromise user privacy, and inaccurate answers being sent to the user due to corrupted transmission, which could affect the correctness of the protocol. The classical case was examined by Wang et al. [23], where they also looked at the scenario where an eavesdropper that can tap into the communication channels, but this problem has been addressed in this paper with QKD. It is thus interesting to explore if the quantum nature of the byzantine adversary and the colluding data centres could have an impact on SPIR implementation with QKD channels. The SPIR solution to this scenario would provide additional security for the user.

8. Conclusions

We have introduced the use of QKD in place of secure channels in SPIR, since classical secure channels are difficult to achieve in practice. To show that replacing the classical secure channel with QKD channels does not compromise security, we extended the original SPIR definition to include aspects of QKD that are not normally present in a secure channel. These include the presence of an external eavesdropper who may tap into classical communication and eavesdrop on the quantum channel, having security parameters due to the possibility of having an imperfect secret key and considering that the QKD protocol may abort. Using the extended SPIR definition, we then show that the SPIR security parameters are related to the QKD security parameters, ${\epsilon }_{\sec }$ and ${\epsilon }_{\mathrm{cor}}$, which can be set arbitrarily close to zero. This implies that one could have a SPIR protocol using QKD keys with arbitrarily good security. Using MDI-QKD and ${\mathcal{B}}_2^{″}$ protocol as an example, we also show how such a SPIR protocol, specifically ${\mathcal{B}}_2^{″}$, can be feasible by numerically simulating the QKD key rates.