A Quantum Private Query Protocol for Enhancing both User and Database Privacy

Cite this Article

Zhou Yi-Hua, Bai Xue-Wei, Li Lei-Lei, Shi Wei-Min, Yang Yu-Guang. A Quantum Private Query Protocol for Enhancing both User and Database Privacy. Communications in Theoretical Physics, 2018, 69(1): 31 Copy to clipboard

Permissions

A Quantum Private Query Protocol for Enhancing both User and Database Privacy

Zhou Yi-Hua¹, Bai Xue-Wei^{1, †}, Li Lei-Lei², Shi Wei-Min¹, Yang Yu-Guang¹

1 Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China

2 School of Computer, Beijing University of Posts and Telecommunications, Beijing 100876, China

† Corresponding author. E-mail: 429262553@qq.com

Abstract

In order to protect the privacy of query user and database, some QKD-based quantum private query (QPQ) protocols were proposed. Unfortunately some of them cannot resist internal attack from database perfectly; some others can ensure better user privacy but require a reduction of database privacy. In this paper, a novel two-way QPQ protocol is proposed to ensure the privacy of both sides of communication. In our protocol, user makes initial quantum states and derives the key bit by comparing initial quantum state and outcome state returned from database by ctrl or shift mode instead of announcing two non-orthogonal qubits as others which may leak part secret information. In this way, not only the privacy of database be ensured but also user privacy is strengthened. Furthermore, our protocol can also realize the security of loss-tolerance, cheat-sensitive, and resisting JM attack etc.

PACS: ;03.67.Dd;;03.65.Ud;

Keyword:quantum private query;quantum key distribution;JM attack;quantum cryptography

Show Figures

1 Introduction

SPIR (symmetrically private information retrieval) is proposed to solve the problem in which user queries certain item of N items owned by database. In addition, it is also required that user cannot get other items and database cannot know which item user wants to get. While the two sides without trust are communicating, they want to not only prevent the common privacy from being eavesdropped but also protect the personal privacy.

The security of most traditional SPIR schemes is based on unproven assumptions of mathematical difficulty. However, with the rapid development of quantum computation, they are facing with more and more severe challenges.

QPQ protocol is the quantum solution of SPIR problem and the security is ensured by unconditional security theoretically in terms of physical principles. In QPQ protocols, an asymmetric key is generated between the user and database. The database knows the key all while the user only knows a little fraction. But the database has no idea about which part of the key the user knows. Using the asymmetric key, SPIR problem can be solved. Jakobi et al. proposed the first QKD-based QPQ protocol (J protocol).^[1] It was based on SARG04 scheme,^[2] and solved the problem of lacking support for large database. From then on, more and more researches focus on QKD-based QPQ protocols. Meanwhile, many improved protocols have been proposed.^[3–23]

The factors that influence security of QPQ protocols are divided into external factors and internal factors. The attack from participants is usually more crucial than that from external part for a protocol. Thus a protocol needs to make sure that the common privacy is invulnerable to external factors, more importantly, it needs to ensure the personal privacy even if both sides of communication are dishonest, because they may cheat each other by sending a faked internal state or make a fake announcement to invade data privacy of the other side.

However, there is not any protocol could ensure the privacy of both user and database in previous QKD-based QPQ protocols. According to the one who prepares initial qubits, previous protocols can be divided into two categories. One is database Bob prepares initial qubits, while the other is user Alice prepares initial qubits.

Most of previous QKD-based QPQ protocols^[1,4–21] use approach that Bob prepares and sends initial qubits thus with relative lower user privacy. Take J protocol^[1] as an example. In this protocol, Database Bob sends qubits firstly and makes correlative classical announcement after Alice has received. As a result, this protocol has shortage of internal attack from database.^[22] Bob can have higher probability to know the information about the bit locations of Alice by easily preparing a fake state. Thus the user privacy is threatened. Yang et al.^[9] also proposed a protocol in which Bob prepares and sends initial photons in state . In this protocol, Bob even could 100% know the bit locations of Alice by sending certain fake states and announcing certain announcement,^[22] therefore the user privacy is worse than J protocol.

In addition, Wei et al.^[18] proposed a protocol in which Bob makes quantum state to resist JM attack. In her protocol, user could not control the manipulations which Bob does on the signal. The reason is that individual attack of Bob may threaten user privacy and the protocol does not detect his cheating behavior. This also shows Wei’s protocol has some defects for user privacy. Thus, it can be inferred that, in the protocols which Bob makes initial state, it is very likely for Bob to launch internal attack because Bob knows the information about initial state accurately. In this paper we take J protocol as the representative of this kind of protocols to compare with our protocol.

Others ensure user privacy by using approach that Alice prepares initial quantum qubits, but there are some defects for, database security. For example, Yu et al.^[22] proposed an improved J protocol against internal attack from database Bob and can enhance user privacy. In their protocol, the initial qubits are sent by Alice instead of Bob. So the database cannot know any information of initial quantum states. By this way, if Bob wants to implement internal attack, he can only infer initial quantum state according to outcome state and further make a fake announcement to get the bit locations of Alice. The user privacy has been greatly enhanced and then the threat of Bob’s attack is reduced. Moreover, together with honesty checking, the cheats of Bob can be detected and then be well resisted. However, this modification was at the cost of losing part of database privacy. By preparing fake states, Alice can get more final keys than normal condition after post-processing. In addition, there is no detection for cheating of Alice. Thus the database privacy will be threatened. Another protocol in which Alice prepares initial qubits is Yang’s protocol. It adds detection of database and cancels detection of user. Yang’s protocol^[23] has discussed that the user privacy could be enhanced if the initial quantum states are made by Alice. Yang thinks the user privacy of their protocol is perfect, because the initial quantum states are made and transmitted by Alice. And according to Heisenberg uncertainty principle, Bob cannot get any information about the state.

In fact, however, although Bob cannot get any information about the state and thus improve the user privacy, user privacy is not perfect. This is because Bob will measure the quantum state after received it, he can infer initial state with certain probability, launch an internal attack and gain benefit. What is more, it costs nothing for Bob to do so because there is no detection for his cheating, which influences protocol’s user privacy. Therefore, the detection for cheating from database is added to our protocol. Thus we could not only provide a better user privacy but also detect external attack. In this paper, when comparing protocols in which Alice prepares initial qubits, we primarily discuss representative protocol, Yu’s protocol.

To enhance the privacy of both sides, we proposed a two-way-four-state-QKD-based QPQ protocol. In our protocol, the fake state attacking of Alice is useless thus it can ensure database security. Because the initial state is made by Alice, the user privacy is similar to Yu’s protocol^[22] (the protocol with best user privacy of present four-state-QKD-based QPQ protocols), together with the detection for cheating from database, it can ensure high user privacy.

The rest of this paper is organized as follows. In Sec. 2, we describe our proposed protocol in detail. In Sec. 3, we analyze the security of our protocol compared with other typical QPQ protocols. Finally, we make a conclusion according to our analysis in Sec. 4.

2 The Proposed Private Query Protocol

3 Security Analysis

This protocol meets loss tolerance. Bob operates the two modes in this protocol in order to meet loss tolerance. When Alice received photon from Bob, she could not realize which results are necessary before she received announcement of Bob. For example, Alice prepares initial qubit and sends to Bob, then Bob implements Step 2 to return measured qubit. Finally, Alice uses Z base to measure the qubit and the outcome state might be or . When Bob chooses Ctrl mode, the bit can be obtained by Alice if the outcome state is ; when Bob chooses Shift mode, the bit can be obtained by Alice if the outcome state is . Because the two modes that Bob has chosen are completely random and Alice cannot get any information about it. So Alice cannot judge which bit Bob can get according to the outcome states. Thus, Alice totally need not to cheat Bob for which photon she has lost.

In addition, our protocol is also cheat-sensitive. Bob’s cheating behavior will also be found by Alice in Step 4. The reason is described as follows. Suppose that the outcome state of Bob is , if Bob announces instead of , then Alice will detect the cheating with probability of in the condition of that Alice’s initial state of is . Here, we give a detailed describe of calculating detected cheat probability while Bob announcing fake state. For example, if Bob announces state , Alice will detect the cheating when the initial state or the outcome state of Alice is . In our calculating, we set event A when Bob announces state and set event B while initial state of Alice is . Then we can calculate the probability that Alice detects cheating when Bob announces state is:

Similarly, if Bob announces , Alice will also detect the cheating with probability of 3/8.

Bob will state or to avoid being detected, but the probability is very low. There is still a probability of 3/8 for each bit of being detected. The probability attains that Alice will detect the cheating in the detection for n bit. This probability can reach at 99.994% when n = 10 while n is usually more than 10 in the real application, so the cheating behavior of Bob may be detected with extremely high probability and this protocol is cheat-sensitive.

For Yu’s protocol,^[22] the lowest probability that Bob’s cheating will be detected by Alice is 1/4 which is lower than ours. The reason is that Bob announces outcome state while the value of bit in our protocol. Thus our protocol is super to Yu’s protocol^[22] in cheat-sensitive.

The protocol uses the post-processing similar as Yang’s protocol,^[23] which can make the protocol resist joint-measurement attack.

3.1 Database Security

3.1.1 Fake single state attacks

In present protocols that Alice sends initial states, Alice can threat the security of database by preparing fake states. But in our protocol, Alice derives the key bit by comparing initial quantum state and outcome state of quantum returned by database, Alice’s fake states are useless and fake state attack is avoided. The detailed analysis is described as follows:

Assume that Alice is dishonest, she can prepare a fake quantum state , and send it to Bob. When Bob measures the qubit in Z base or X base, the result could be one of the following states: , , , and . Since Bob is lack of the information of the photon being measured at this moment, he could not choose a measure base, which can bring more benefit to him. Thus, we affirm that the probabilities of Bob’s choice for two bases are same (i.e., 1/2). We can calculate the four possibilities of Bob’s results: the possibility of getting is , for , for , and for , respectively. Since Bob chooses any one of the two modes in order to meet loss tolerance, the mode itself has no influence on the results of Alice after Bob announced his choice of mode. Thus we assume that Bob uses Ctrl mode.

Assuming that Alice uses Z base to measure her qubit after she received from Bob, the results could be or . When the result is , Alice could infer the probability which Bob uses Z base is:

Obviously, the value reached maximum when θ = 0, and the probability that Bob uses X base is . The value reached minimum when , , and at this time. When the result is , Alice could infer the probability which Bob uses Z base is:

Obviously, the value reached maximum when , , and the probability that Bob uses X base is ; the value reached minimum when θ = 0, , and at this time.

In conclusion, in order to get more items of qubits, Alice needs to get maximum probability of Bob’s measuring base. That is, she will use or θ = 0 (i.e. is or ), and this is one of the four states, which Alice needs to send in our protocol.

Similarly, if Alice uses X base to measure, maximum probability of Bob’s measuring base she could obtain only when she sends or , which is exactly one of the four states that Alice needs to send. That is, Alice does not have to send fake state to attack because the probability that she gets the key is definitely less than the four state (, , , ) no matter which cheat state she sends.

Compared with J protocol, if state received by Alice is while Bob announces (, ), then Alice could infer that the probability P_j that initial state of this bit is is 2/3. That is, when Alice does not get the result accurately, he could infer it with a correct rate of 2/3, which is the same as our protocol. That is, the database security in our protocol is similar to that in J protocol. Compared with Yu’s protocol,^[22] when Alice makes fake state , If Bob announces 0, then the probability that Bob uses X base to measure is:

And if Bob announces 1, then the probability that Bob uses Z base to measure is:

It means that Alice can greatly improve the possibility of getting bits by preparing fake states, so Alice can get more bit of final key. Obviously, our protocol has higher database security comparing to Yu’s protocol.^[22]

3.1.2 EPR Attacks

Alice is likely to use the strategy of faking EPR-pair in order to get more items. She could prepare state ), and send the first particle to Bob. If Alice measures her particle before Bob finished his measurement, the whole process will be the same as the original protocol. Thus there will be no sense for Alice to do so. We infer that Alice measures her particle after Bob finished measurement.

If Bob chooses Ctrl mode, Alice will have two photons with same state after Bob returning his photon. At this moment, if Alice uses Z base to measure a photon and the outcome state is , then the probability that the state of another photon is 1/4 for , for , and 1/2 for . This is similar to the situation in the original protocol. The probability that Alice gets the key is 1/4, so Alice needs not to fake EPR.

For Shift mode, Alice transfers the outcome state of the returned photon. Thus the Shift mode will be consistent with Ctrl mode, the same security can be ensured.

3.2 User Privacy

In our protocol, if the outcome state which Bob has got was , Bob could know the qubit probability sent by Alice was is , for and 1/4 for . Suppose Bob is dishonest, and he wants to obtain the address queried by Alice. Bob can prepare a fake state, , then return to Alice. After Alice’s measurement, Bob could infer the probability of Alice to a conclusive result is:

It reaches maximum () when and minimum () when θ = 0 which is the same as Yu’s protocol.^[22] That is to say, user privacy in our protocol is similar to Yu’s protocol. For J protocol, if Bob tries to obtain the address queried by Alice, he can send fake states and improve the probability of Alice to a conclusive result of 85.36% or decrease to approximately 14.64%.^[1] Obviously, by comparing the data it can be showed that our protocol has better user privacy compared with J protocol.

It also proves that, after Alice prepared initial state, the threat of Bob’s spoofing is greatly reduced because Bob could not get the information of initial state accurately.

4 Conclusion

We propose a new QPQ protocol in this paper which Alice prepares and sends quantum states to improve user privacy. What is more, it also uses specific two-way communication approach in which Bob returns measured quantum state by Ctrl or Shift mode instead of announcing two non-orthogonal qubits, which may leak half of the correct qubit, so the database security of ours is also strengthened. By comparing our protocol with some protocols in which Bob prepares initial qubits and protocols in which Alice prepares initial qubits, it can be showed that our protocol is better for both user privacy and database security.

(i) It has high database security compared with other QPQ protocols in which Alice initializes qubits. In our protocol, it is useless to get more key bits for Alice by sending fake qubits. So the database security has been significantly improved.

(ii) The initial quantum states are generated by Alice while Bob cannot know the exact information, thus user privacy of this protocol is improved as well. What is more, the user privacy is strengthened by checking process of internal attacking behavior of Bob.

(iii) It can resist JM attack because of the post-processing methods proposed by Yang’s protocol.^[23]

As a two way QPQ protocol, of course, it has a little more complicated compared with its counterparts of one way protocols, while enhancing the security of both parts of communications. Similar to many present QPQ protocols which based on QKD protocol, our protocol also has not solved the problem that Alice always obtains more than one bit of the final key. We will continue to the research in the future.

Reference

[1]	Jakobi M. Simon C. Gisin N. et al. Phys. Rev. A 83 2011 022301
[2]	Scarani V. Acin A. Ribordy G. Gisin N. Phys. Rev. Lett. 92 2004 057901
[3]	Gao F. Liu B. Wen Q. Y. Chen H. Opt. Express. 20 2012 17411
[4]	Zhang J. L. Guo F. Z. Gao F. et al. Phys. Rev. A 88 2013 022334
[5]	Yang Y. G. Sun S. J. Xu P. Tian J. Quantum. Inf. Process. 13 2014 805
[6]	Yang Y. G. Sun S. J. Tian J. Xu P. Optik. 125 2014 5538
[7]	Wang C. Hao L. Zhao L. J. Chin. Phys. Lett. 28 2011 080302
[8]	Chan P. Lucio I. Martinez et al. Sci. Rep. 4 2014 05233
[9]	Yang Y. G. Zhang M. O. Yang R. Quantum. Inf. Process. 14 2015 1017
[10]	Sun S. J. Yang Y. G. Zhang M. O. Quantum. Inf. Process. 14 2015 1443
[11]	Yu F. Qiu D. W. Quantum. Inf. Comput. 14 2014 91
[12]	Shen D. S. Zhu X. C. Ma W. P. et al. J. Optoelectron Adv. M 14 2012 504
[13]	Lai H. Orgun M. A. Pieprzyk J. et al. Phys. Lett. A 379 2015 2561
[14]	Liu B. Gao F. Huang W. Wen Q. Y. Sci. China. Phys. Mech. 58 2015 100301
[15]	Hogg T. Zhang L. Int. J. Quantum. Inf. 7 2009 459
[16]	Wei C. Y. Gao F. Wen Q. Y. Wang T. Y. Sci. Rep. 4 2014 7537
[17]	Shi W. X. Liu X. T. Wang J. Tang C. J. Commun. Theor. Phys. 64 2015 299
[18]	Wei C. Y. Wang T. Y. Gao F. Phys. Rev. A 93 2016 042318
[19]	Sun Z. W. Yu J. P. Wang P. Xu L. L. Phys. Rev. A 91 2015 052303
[20]	Xu S. W. Sun Y. Lin S. Quantum. Inf. Process. 15 2016 3301
[21]	Wang T. Y. Wang S. Y. Ma J. F. Int. J. Theor. Phys. 55 2016 3309
[22]	Yu F. Qiu D. W. Situ H. Z. et al. Quantum. Inf. Process. 14 2015 4201
[23]	Yang Y. G. Liu Z. C. Li J. et al. Phys. Lett. A 380 2016 4033