Practical quantum private query of blocks based on unbalanced-state Bennett-Brassard-1984 quantum-key-distribution protocol

Until now, the only kind of practical quantum private query (QPQ), quantum-key-distribution (QKD)-based QPQ, has focused on the retrieval of a single bit. In fact, a meaningful message is generally composed of multiple adjacent bits (i.e., a multi-bit block). To obtain a message from the database, the user Alice has to query l times to get each a_i. In this case, the server Bob could learn Alice's privacy once he obtains the address she queried in any of the l queries, since each a_i contributes to the message Alice retrieves. Apparently, the longer the retrieved message is, the worse the user privacy becomes. To solve this problem, via an unbalanced-state technique and based on a variant of the multi-level BB84 protocol, we present a protocol for QPQ of blocks, which allows the user to retrieve a multi-bit block from the database in one query. Our protocol is somewhat like the high-dimension version of the first QKD-based QPQ protocol proposed by Jacobi et al., but some nontrivial modifications are necessary.

simplicity, the database X is partitioned into entries (blocks) with the same length l. Concretely, X = (X_1, X_2, ..., X_N), and each entry X_k (1 ≤ k ≤ N) is an l-bit message. Here, N is the number of entries in the database, and k is the address of the entry X_k.
It is worth noting that the idea of "QPQ of blocks" is natural but nontrivial, since the security of single-bit QPQ cannot be achieved as ideally as that of QKD with the composable security definition 15,16 (e.g., Bob always has a nonzero probability of revealing Alice's retrieval address). Concretely, suppose the database stores blocks of information with the same length of 100 bits and the total number of blocks is 100; then there are 10,000 bits of information in total. If Alice wants the information of the 14th block, which contains the bits from the 1401st to the 1500th, then she has to make 100 queries to obtain these bits in the single-bit QPQ scenario. However, as we know, Bob always has a nonzero probability p (though it might be very small) of revealing the retrieval address in each bit query. Obviously, once Bob obtains the address of the queried bit in any one of the 100 queries, he can infer which block Alice is retrieving. That is, the probability with which user privacy stays secret is only (1 − p)^100 in this case. Apparently, the security degrades very fast with the size of blocks, which is a significant problem for QPQ in real-world applications. Luckily, in QPQ of blocks Alice can obtain the entire block in one query, and as to user privacy, it only needs to hide the address of the block instead of the addresses of its bits. Hence, similar to what was pointed out by Chor et al. 17, remarkable saving is possible by utilizing the block structure, and research on QPQB may be interesting and worthwhile work.
To fulfill the task of QPQB, we first review the idea for realizing QKD-based QPQ of a single bit. As we know, distributing an oblivious key is of vital importance to achieve it 10. That is, Alice and Bob should share a raw key K_r in such a way that (1) Bob knows K_r entirely, (2) Alice knows only part of its bits, and (3) Bob does not know which bits are known to Alice. After some classical postprocessing on the raw key, Alice knows only roughly one bit in the final key K_f and Bob still does not know which bit is known to Alice. Then, the final key is used to encrypt the database so that (1) Alice can subsequently recover the bit she queries from the encrypted database with her known bit in K_f, and (2) both user privacy and database security are well protected.
Following the above idea, each l-bit entry in QPQB needs to be encrypted by an l-bit string (i.e., l adjacent bits) which should be (1) completely known or completely unknown to Alice, and (2) completely known to Bob while he does not know whether it is known to Alice. Intuitively, we need to design a d (= 2^l)-level oblivious QKD protocol in which transmitting one qudit provides l adjacent bits satisfying the above two requirements. Naturally, we would expect that this can be achieved by generalizing the SARG04 protocol 11, on which J-protocol 10 is based, to its d-level version. However, this is scarcely possible. Concretely, in the SARG04 protocol, the facts that (1) each key bit is encoded on the basis of the qubit (that is, |0⟩ and |+⟩ represent bit 0, while |1⟩ and |−⟩ represent bit 1), and (2) only two complementary bases can be exploited owing to its decoding method, mean that it can only generate one bit of the raw key by transmitting one carrier state of any dimension. That is, the SARG04 protocol, which can be used to generate an oblivious key, cannot be generalized to a high-dimension version. Conversely, as we know, the BB84 protocol 18 can be generalized to high-dimension versions 19,20,21, but they cannot be used to distribute an oblivious key since they are vulnerable to the quantum memory attack 10. Then, how to overcome this barrier?
In this paper, via an unbalanced-state technique, we design a new QKD scheme which is in fact intermediate between the BB84 and SARG04 protocols. It can not only be used to generate an oblivious key, but can also be generalized to its high-dimension version (a detailed analysis is given in Methods). On this basis, we propose a quantum protocol for QPQ of blocks, in which database security is guarded by the impossibility of reliably distinguishing non-orthogonal states, while user privacy is protected by the fact that states with identical support cannot be unambiguously discriminated. Moreover, our protocol is cheat-sensitive and loss-tolerant.

Results
Here, we give a quantum protocol for QPQ of blocks, which allows the user to retrieve an l-bit entry from database in one query. Our protocol is based on a variant of multi-level BB84 protocol in which the carrier states are transmitted with different probabilities.
Proposed protocol for QPQ of blocks. Let d = 2^l; then B_1 and B_2 are two complementary orthogonal bases for a d-level quantum system, where ω = e^{2πi/d}. The carrier states adopted in our protocol are chosen from the bases B_1 and B_2, and |j⟩ (respectively its counterpart in B_2) represents an l-bit string, i.e., the binary representation of j. A detailed description of the protocol is as follows:
(R1) Alice sends Bob a long sequence of qudits which are chosen from basis B_1 or B_2, and among them, each state in
(R2) Bob measures each received qudit in basis B_1 or B_2 randomly.
(R3) Bob announces in which instances he has successfully detected the qudits; the ones which are not detected are discarded.
(R4) Bob chooses some positions randomly and requires Alice to announce the states of the transmitted qudits there. Then he discards his outputs which were obtained by measuring qudits in incompatible bases, and compares the remaining ones with Alice's announcement. If the error rate is higher than a certain threshold value, or the proportions of the states |j⟩ (respectively their B_2 counterparts) (0 ≤ j ≤ d − 1) do not coincide with the corresponding probabilities with which they should be prepared in step (R1), the protocol terminates.
(R5) Bob announces all measurement bases he chose in step (R2).
(R6) After dropping the checking qudits, Alice and Bob successfully share an oblivious raw key K_r. Concretely, each element in K_r corresponds to one measurement result of Bob and hence is an l-bit string entirely known to Bob. Apparently, Alice would know half of the elements in K_r by checking the measurement bases announced by Bob. It is worth noting that the raw key is determined by the receiver Bob's measurement outputs rather than Alice's state preparation, which is quite different from previous protocols.
(R7) Enough qudits should be transmitted so that the number of elements in K_r equals kN (k is a security parameter, and we will discuss its value later). The raw key is cut into k substrings in such a way that each substring has N elements. These substrings are added bitwise (see Fig. 1) to obtain the final key K_f, and Alice's information on K_f is reduced to roughly one element after that. This process is similar to that in Ref. 10.
(R8) If Alice does not know any element in K_f at the end, the protocol fails.
(R9) Suppose that Alice knows the m-th element K_f^m of K_f and wants the n-th entry X_n of the database; she announces the number s = m − n. Then Bob encrypts the database by bitwise adding K_f, shifted by s elements, and sends the encrypted database to Alice. Obviously, X_n is encrypted by K_f^m and consequently can be correctly recovered by Alice.
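The key post-processing of steps (R6)–(R9), together with the estimates given later for N = 10^5 and k = 15 (n = N(1/2)^k known elements and a failure probability of about 4.7%), as an added Python simulation that is not code from the paper. It assumes that "bitwise adding" is XOR of the l-bit strings, that Alice knows a raw-key element exactly when Bob's announced basis matched hers (probability 1/2), and that the shift in (R9) is taken modulo N; N, k, l and the database contents are constructed parameters.

```python
import random

def expected_known(N, k):
    """Mean number of final-key elements Alice knows after (R7): N * (1/2)^k."""
    return N * 0.5 ** k

def failure_probability(N, k):
    """P0 = (1 - (1/2)^k)^N: every one of the N final-key elements has at
    least one contributor Alice does not know, so step (R8) aborts."""
    return (1.0 - 0.5 ** k) ** N

def build_final_key(N, k, l, rng):
    """Simulate (R6)-(R7). The raw key has k*N elements, each an l-bit string
    fixed by Bob's measurement output; Alice knows an element iff Bob's
    announced basis matched hers (assumed probability 1/2). The k substrings
    of N elements are added bitwise (XOR) into the final key.
    Returns (final_key, alice_known); alice_known[i] is True iff Alice knows
    every contributor of final_key[i]."""
    final_key = [0] * N
    alice_known = [True] * N
    for _ in range(k):
        for i in range(N):
            element = rng.getrandbits(l)       # Bob's l-bit measurement output
            basis_match = rng.random() < 0.5   # conclusive for Alice or not
            final_key[i] ^= element
            alice_known[i] = alice_known[i] and basis_match
    return final_key, alice_known

def known_count(alice_known):
    return sum(alice_known)

def private_query(database, final_key, alice_known, n):
    """Step (R9). Alice picks a known position m and announces s = m - n (mod N);
    Bob masks entry i with K_f[(i + s) mod N], so X_n is masked by K_f^m and
    only Alice's known element decrypts it. Returns the recovered X_n, or None
    when (R8) applies and Alice knows no element at all."""
    N = len(database)
    known_positions = [i for i, known in enumerate(alice_known) if known]
    if not known_positions:
        return None
    m = known_positions[0]
    s = (m - n) % N
    encrypted = [database[i] ^ final_key[(i + s) % N] for i in range(N)]
    return encrypted[n] ^ final_key[m]

def run_demo(N, k, l, seed, n=42):
    """One full round on a constructed random database.
    Returns (number of final-key elements Alice knows, X_n recovered correctly?)."""
    rng = random.Random(seed)
    key, known = build_final_key(N, k, l, rng)
    database = [rng.getrandbits(l) for _ in range(N)]   # constructed database
    return known_count(known), private_query(database, key, known, n) == database[n]

if __name__ == "__main__":
    print("toy round (N=1000, k=3, l=8):", run_demo(1000, 3, 8, seed=7))
    print("N=1e5, k=15: expected known =", expected_known(10**5, 15),
          "P0 =", round(failure_probability(10**5, 15), 4))
```

In the toy round about N/8 = 125 final-key elements come out known, while the paper's parameters give n = 3.05 and P0 = 0.047.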
Features of our protocol. Our protocol is somewhat like the high-dimension version of J-protocol, but some nontrivial modifications are necessary. On one hand, the oblivious raw key in J-protocol is determined by the qudit sender's state preparation, but in our protocol it is determined by the receiver Bob's measurement results (see step (R6)) and hence is entirely known to Bob. On the other hand, the raw key bits are encoded onto the states of the qudits in our protocol, while they are encoded onto the bases of the qudits in J-protocol. For these reasons, our protocol can not only resist the quantum memory attack by Bob, but also distribute l adjacent bits in K_r by transmitting one qudit, which ensures the realization of "QPQ of blocks".
www.nature.com/scientificreports SCIENTIFIC REPORTS | 4 : 7537 | DOI: 10.1038/srep07537
Our protocol is loss-tolerant. Note that the qudits in B_1 ∪ B_2 are linearly dependent and cannot be unambiguously discriminated by Bob 22,23. Furthermore, Alice never declares the correct measurement bases in our protocol. This means that Bob cannot determine the state (or basis) of the qudit by any method. Therefore, even under the shield of channel loss, the information Bob could obtain is inconclusive and it would subsequently be compressed in the bitwise-adding phase. Hence, Bob cannot cheat by lying in step (R3) (i.e., announcing that a qudit is lost when he gets an unwanted result) to obtain any benefit.
Following the protocol, Alice will know on average n = N(1/2)^k elements in K_f after step (R7). And P_0, the probability that she does not know any element at all and the protocol fails, is (1 − (1/2)^k)^N. By choosing an appropriate value of k, we can ensure both n ≪ N and small P_0 (see Table 1), which implies a successful execution of the protocol. For example, for a database with 10^5 entries, k = 15 is an appropriate choice which provides Alice with n = 3.05 known elements in the final key on average, whereas the probability of failure is only about 4.7%. On the other hand, even if Alice knows n > 1 elements in K_f, she can only obtain one chosen entry of the database, because the other n − 1 entries known to her will be at random positions in the database. Now, we study some general attacks and analyze the security of our protocol.
Database security. To elicit more entries from the database, Alice has to know more elements (i.e., Bob's measurement outputs) in the raw key K_r. For this purpose, Alice generally prepares bipartite entangled states |Ψ⟩_AB, keeps systems A herself, and sends systems B to Bob in step (R1). Then, after Bob announces the measurement bases, Alice infers Bob's measurement results by measuring the corresponding systems A. Without loss of generality, we assume that |Ψ⟩_AB can be expressed as where |j⟩ ∈ B_1 and |k⟩ ∈ B_2. Let us discuss the conditions for Alice to pass Bob's checking. When requested to declare the state of one qudit in step (R4), Alice first measures the corresponding system A, i.e., discriminating {|b_j⟩}_{j=1}^d or {|c_k⟩}_{k=1}^d at random. If the measurement result is |b_j⟩ (|c_k⟩), she announces |j⟩ (|k⟩) to Bob. To give the correct qudit state, system A needs to be discriminated perfectly no matter which basis Bob chooses; that is, the following conditions must hold.
(ii) ⟨c_j|c_k⟩ = δ_jk, for j, k = 0, 1, ..., d − 1. Meanwhile, to satisfy the required proportions of the qudits, the following conditions must hold. Equation (2) can be written as If conditions (ii) and (iv) hold, by comparing equation (1) with equation (3), we have This clearly contradicts condition (iii). In other words, no entangled state satisfies the above four conditions simultaneously. To avoid being detected, at least two entangled states are needed. One satisfies conditions (i) and (iii) (corresponding to the situation where the carrier states are chosen from B_1), the other satisfies conditions (ii) and (iv). Therefore, Alice can prepare a long sequence of entangled states which are randomly in state |Ψ_1⟩ or |Ψ_2⟩, where ⟨φ_j|φ_k⟩ = δ_jk, and send systems B to Bob in step (R1) while keeping systems A herself. To announce the state of one qudit correctly in step (R4), she first measures the corresponding system A in . If the measurement result is |φ_j⟩ and she prepared |Ψ_1⟩ (|Ψ_2⟩) in this position, she announces |j⟩ (respectively its B_2 counterpart) to Bob. Clearly, this kind of attack cannot be detected by Bob.
Figure 1 caption: Clearly, Alice's information on the sum string is lower than that on the initial strings. Question marks symbolize Alice's unknown bits.
Now, we discuss the maximal information Alice could gain by this attack. Without loss of generality, we suppose that Alice prepares |Ψ_2⟩ in some position. Then, she can select different strategies to obtain Bob's measurement result after step (R5). If the basis Bob announced in step (R5) is B_2 (which appears with probability 1/2), and hence gets Bob's output completely (see equation (6)). If the basis announced by Bob is B_1 (which also appears with probability 1/2), where (see Table 2). Take a = 0.1, N = 10^5 for example: a dishonest user can get at most 40 entries, which occupy only 0.05% of the total entries. Such a complex attack therefore has very little bearing on database security. Now, we consider a more general attack.
For those positions where Alice prepares |Ψ_1⟩ (|Ψ_2⟩) while Bob's measurement basis is B_2 (B_1), Alice can postpone the measurement on the corresponding systems A held by herself until the very end of the protocol, so that she knows which of them contribute to an element in the final key K_f. Then she can perform a joint measurement on them to guess the final added value in K_f, in a way similar to that in Refs. 10, 12. The maximal success probability of Alice's joint unambiguous state discrimination (USD) measurement on m systems declines rapidly with the increase of m even in the simplest situation, d = 2 (see Fig. 2), which means a high degree of database security under this kind of attack.
User privacy. If Bob is dishonest and wants to reveal the address Alice is retrieving, he has to determine, for each received qudit, whether the measurement basis he announced coincides with the basis of the qudit (i.e., whether the corresponding element in K_r is conclusive in Alice's view). Therefore, he has to devote himself to judging which basis the qudit is chosen from, i.e., discriminating two equally likely mixed states ρ_1 and ρ_2. ρ_1 and ρ_2 cannot be unambiguously discriminated because they have the same support 22,23,25. However, the protocol is not perfectly concealing because ρ_1 ≠ ρ_2. Bob can make a minimal error discrimination (MED) on them, with the minimal error probability P_E 26 being By simple computation, we find that q_st, the element in the s-th row and t-th column of the matrix ρ_2 − ρ_1, satisfies for s, t = 0, 1, ..., d − 1. To keep things straightforward, we depict the relationship between P_E and a, l in Fig. 3. Obviously, the minimal error probability P_E increases with the growth of l and a. Even in the most favorable situation for Bob, where l = 1 and a is very close to zero, he would make a mistake in the MED measurement on each received qudit with probability no less than 14.64%. Obviously, it is very difficult for Bob to get Alice's privacy after the bitwise adding phase in step (R7), thus assuring the user privacy in our protocol. It is worth noting that Bob's attack would be discovered by Alice, because the qudit would inevitably be disturbed in the MED measurement and subsequently Bob could not always output the correct value in K_r. Take d = 2 for example: the carrier states are chosen from {|0⟩, |1⟩, |+⟩, |−⟩}. Here, both |0⟩ and |−⟩ are prepared with probability a/2, while both |1⟩ and |+⟩ are prepared with probability (1 − a)/2. Hence, ρ_1 = a|0⟩⟨0| + (1 − a)|1⟩⟨1|, ρ_2 = (1 − a)|+⟩⟨+| + a|−⟩⟨−|.
The minimal error probability P_E is 2 − , which is larger than 14.64% for all a ∈ (0, 1/2), and the MED measurement operators 26 are Π_1 = |ξ_1⟩⟨ξ_1|, Π_2 = |ξ_2⟩⟨ξ_2|, where Therefore, the minimal error discrimination of ρ_1 and ρ_2 is equivalent to measuring the received qubit in the basis {|ξ_1⟩, |ξ_2⟩}. Without loss of generality, we suppose that the qubit sent by Alice is |0⟩ and the corresponding measurement basis announced by Bob is {|0⟩, |1⟩}; then Bob should output 0 in the generation of the raw key to avoid being detected. However, since both |0⟩ and |1⟩ can collapse to |ξ_1⟩ or |ξ_2⟩ in the MED measurement (see equations (12) and (13)), Bob cannot always output the correct result after making the MED measurement on it. His attack would be discovered afterwards when he offers a false entry to Alice. This indicates that our protocol is also cheat-sensitive.
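The d = 2 case above, evaluated numerically as an added Python example that is not code from the paper: it builds ρ_1 and ρ_2 from a, computes the Helstrom (MED) error probability P_E = (1 − ||ρ_1 − ρ_2||_1 / 2) / 2 from the eigenvalues of ρ_1 − ρ_2, and returns the eigenvectors |ξ_1⟩, |ξ_2⟩ that define Π_1 and Π_2. The last function is my own addition and assumes a cheating Bob who produces his raw-key value by re-measuring the disturbed qubit in B_1.

```python
import math

def rho_b1(a):
    """rho_1 = a|0><0| + (1-a)|1><1|, the B_1 carriers, as a real 2x2 matrix."""
    return [[a, 0.0], [0.0, 1.0 - a]]

def rho_b2(a):
    """rho_2 = (1-a)|+><+| + a|-><-| with |+-> = (|0> +- |1>)/sqrt(2)."""
    off = 0.5 * (1.0 - a) - 0.5 * a        # <0|rho_2|1>
    return [[0.5, off], [off, 0.5]]

def eig_sym2(m):
    """Eigenpairs of a real symmetric 2x2 matrix [[p, q], [q, r]] as
    [(eigenvalue, unit eigenvector), ...]; assumes q != 0, which holds for
    rho_1 - rho_2 whenever 0 < a < 1/2 (the range used in the paper)."""
    p, q, r = m[0][0], m[0][1], m[1][1]
    mean, radius = (p + r) / 2.0, math.hypot((p - r) / 2.0, q)
    pairs = []
    for lam in (mean + radius, mean - radius):
        v = [q, lam - p]                    # solves (p - lam) x + q y = 0
        norm = math.hypot(v[0], v[1])
        pairs.append((lam, [v[0] / norm, v[1] / norm]))
    return pairs

def difference(a):
    r1, r2 = rho_b1(a), rho_b2(a)
    return [[r1[i][j] - r2[i][j] for j in range(2)] for i in range(2)]

def helstrom_error(a):
    """Minimal error probability for equally likely rho_1, rho_2:
    P_E = (1 - ||rho_1 - rho_2||_1 / 2) / 2, trace norm = sum of |eigenvalues|."""
    trace_norm = sum(abs(lam) for lam, _ in eig_sym2(difference(a)))
    return 0.5 * (1.0 - trace_norm / 2.0)

def med_basis(a):
    """|xi_1>, |xi_2>: the eigenvectors of rho_1 - rho_2 (real amplitudes in B_1),
    whose projectors are the MED operators Pi_1, Pi_2."""
    return [vec for _, vec in eig_sym2(difference(a))]

def wrong_output_probability(a):
    """Assumed cheating model (not from the paper): Bob applies the MED
    measurement to a carrier |0>, then re-measures the collapsed qubit in B_1
    to obtain his raw-key value. Returns the probability that he outputs 1,
    the error Alice can later catch when she receives a false entry."""
    prob = 0.0
    for xi in med_basis(a):
        prob += (xi[0] ** 2) * (xi[1] ** 2)   # |<xi|0>|^2 * |<1|xi>|^2
    return prob

if __name__ == "__main__":
    for a in (0.01, 0.1, 0.25, 0.4):
        print(f"a={a:.2f}  P_E={helstrom_error(a):.4f}  "
              f"P(wrong raw-key output)={wrong_output_probability(a):.4f}")
```

For a close to 0 the bound reproduces the 14.64% quoted above and grows with a, while under the assumed model Bob's wrong-output probability is 25% regardless of a.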

Discussion
Compared to QPQ of a single bit, QPQ of blocks is not only a more realistic model for application but also a nontrivial idea in security. In this paper, based on a variant of the high-dimension BB84 scheme, we propose a protocol to realize QPQ of blocks. Our protocol is cheat-sensitive and loss-tolerant. Besides, the security of our protocol is well protected and the advantages of both sides are strictly limited by a. Furthermore, the parameter a can be changed to balance the advantage between user privacy and database security to satisfy different application requirements. Concretely, in a scenario where user privacy is emphasized, a should be given a larger value; if database security is of more concern, a should be assigned a smaller one. Moreover, in a situation where "fairness to both sides" is pursued, by making a trade-off between user privacy and database security, we can roughly estimate a proper value for a (see Supplementary information). From an experimental viewpoint, the d-dimension carrier state in our protocol can be prepared with current technology, e.g., a single photon distributed over d orthogonal modes as considered in Refs. 27, 28. Recently, a high-dimension BB84-like quantum key distribution protocol has been demonstrated 29, which also provides fundamental assurance for the application of our protocol.

Methods
Table 3). Similar to the BB84 protocol, the key bit in the US-BB84 protocol is encoded on the state rather than the basis of the qubit. Obviously, the US-BB84 protocol can be generalized to its high-dimension version in the same way as BB84 is 19,20,21. Now, we show that it can also be used to distribute an oblivious key as follows:
(S1) Alice sends Bob a long sequence of qubits, in which both |0⟩ and |−⟩ are prepared with probability a/2, while both |1⟩ and |+⟩ are prepared with probability
Caption fragment: Here, P_E is the minimal error probability of Bob's minimal error discrimination on each qudit.
oblivious key K_r, which is composed of Bob's measurement outputs and hence is entirely known to Bob. Obviously, Alice would know half of the bits in K_r by checking the measurement bases announced by Bob.