High-Rate Quantum Private Information Retrieval with Weakly Self-Dual Star Product Codes
Matteo Allaix, Lukas Holzbaur, Tefjol Pllaha, Camilla Hollanti
Matteo Allaix∗, Lukas Holzbaur†, Tefjol Pllaha∗, Camilla Hollanti∗
∗ Aalto University, Finland. E-mails: {matteo.allaix, tefjol.pllaha, camilla.hollanti}@aalto.fi
† Technical University of Munich, Germany. E-mail: [email protected]
Abstract—In the classical private information retrieval (PIR) setup, a user wants to retrieve a file from a database or a distributed storage system (DSS) without revealing the file identity to the servers holding the data. In the quantum PIR (QPIR) setting, a user privately retrieves a classical file by receiving quantum information from the servers. The QPIR problem has been treated by Song et al. in the case of replicated servers, both with and without collusion. QPIR over [n, k] maximum distance separable (MDS) coded servers was recently considered by Allaix et al., but the collusion was essentially restricted to t = n − k servers. In this paper, the QPIR setting is extended to account for more flexible collusion of servers satisfying t < n − k + 1. Similarly to the previous cases, the rates achieved are better than those known or conjectured in the classical counterparts, as well as those of the previously proposed coded and colluding QPIR schemes. This is enabled by considering the stabilizer formalism and weakly self-dual generalized Reed–Solomon (GRS) star product codes.

I. INTRODUCTION
Private information retrieval (PIR) [1] enables a user to download a data item from a database without revealing the identity of the retrieved item to the database owner (user privacy). If additionally the user is supposed to obtain no information about any file other than the requested file (server privacy), the problem is referred to as symmetric PIR (SPIR).

In recent years, PIR has gained renewed interest in the setting of distributed storage systems (DSSs), where the servers are storing possibly large files and may collude, i.e., exchange their obtained queries. To protect from data loss in the case of the failure of some number of servers, such systems commonly employ erasure-correcting codes, e.g., maximum distance separable (MDS) codes [2].

The capacity of PIR is known in a variety of settings [3], [4], [5], [6], [7], but is still open in its full generality for coded and colluding servers [8], [9]. Progress towards the general coded colluded PIR capacity was recently made in [10], [11].

The problem of PIR has also been considered in the quantum communication setting [18], [19], [20], where the problem is referred to as quantum PIR (QPIR). More recently, Song et al. [13], [15], [16] introduced a scheme for a replicated storage system with classical files, where the servers respond to user’s (classical) queries by sending quantum systems. The user is then able to privately retrieve the file by measuring the quantum systems. The servers are assumed to share some entangled states, while the user and the servers are not entangled. The non-colluding case was considered in [13], and was shown to have capacity equal to one. This is in stark contrast to the classical replicated (asymptotic) PIR capacity of − n for n servers. The case of QPIR for all but one servers colluding, i.e., t = n − , was considered in [15], again achieving higher capacity than the classical counterpart. In this case, the QPIR capacity is n , while classically (and asymptotically) it is n . This work was extended to [n, k] MDS-coded data for collusion of up to t = n − k servers in [17], and an analogous rate improvement was achieved. In [16], the authors extend their work [13], [15] by considering symmetric QPIR that can resist any t servers colluding. They prove that the t-private QPIR capacity is for ≤ t ≤ n/ and n − t ) /n for n/ < t < n and they use the stabilizer formalism [21] to construct a capacity-achieving protocol. For the reader’s convenience, we report some known results on the capacity in Table I.

Footnote: L. Holzbaur was supported by TU Munich – Institute for Advanced Study, funded by the German Excellence Initiative and EU 7th Framework Programme under Grant Agreement No. 291763 and the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. WA / − . C. Hollanti and M. Allaix were supported by the Academy of Finland, under Grants No. 318937 and 336005.

Contributions.
We consider a Generalized Reed–Solomon (GRS) coded storage system with (classical) files, where the servers respond to user’s (classical) queries by sending quantum systems. The user is then able to privately retrieve the file by measuring the quantum systems. The servers are assumed to share some entangled state, while the user and the servers share no entanglement. We generalize the QPIR protocol for replicated storage systems protecting against collusion [16] to the case of [n, k]-GRS coded servers and arbitrary t-collusion by applying the star product scheme [8]. Hence, the protocol of [16] is the special case of k = 1 in our protocol. This can be seen as trading off collusion protection for reduced storage overhead. The achieved rate ∼ min n , n − k − t +1) n o (cf. Theorem 1) is higher than the conjectured asymptotic rate − k + t − n in the classical coded and colluding PIR [8].

II. BASICS ON PIR AND QUANTUM COMPUTATION
Notation. We denote by [n] the set { , , . . . , n}, n ∈ N, and by F_q the finite field of q elements. For a linear code of length n and dimension k over F_q we write [n, k]. For a matrix A we write A⊤ for its transpose and A† for its conjugate transpose. We will frequently deal with mβ × n matrices, where sub-blocks of β rows and the pair of columns s and n + s semantically belong together. We therefore index such a matrix Y by two pairs of indices (i, b), i ∈ [m], b ∈ [β] and (p, s), p ∈ [2], s ∈ [n], where Y i,bp,s denotes the symbol in row ( i − β + b and column ( p − n + s, i.e., the symbol in the b-th row of the i-th sub-block of rows and the s-th column of the p-th sub-block of columns. Omitting an index implies that we take all positions, i.e., Y i denotes the i-th subblock of β columns, Y i,b the row ( i − β + b, Y p the p-th subblock of n columns, and Y p,s the column ( p − n + s. For the reader’s convenience, we sometimes imply the separation of the subblocks of columns by a horizontal bar in the following.

We denote by e λγ the standard basis column vector of length λ in F λq with a 1 in position γ ∈ [λ]. Given a ∈ [α], b ∈ [β], it will help our notation to call coordinate (a, b) the position β(a − 1) + b in a vector of length αβ. For instance, e · , = e = (0 , , , , , . The function δ i,j is the Kronecker delta and I ν is the ν × ν identity matrix. For a µ × ν zero matrix µ × ν and matrices M , M ∈ F µ × νq

diag( M , M ) = ( M µ × ν µ × ν M ) ∈ F µ × νq .

For two vectors c, d ∈ F n we define the (Hadamard-) star-product as c ⋆ d = ( c d , c d , . . . , c n d n ). For two codes C, D ⊆ F n we denote C ⋆ D = ⟨{ c ⋆ d | c ∈ C, d ∈ D }⟩. Observe that, as the star-product is an element-wise operation, we have

(C × C) ⋆ (D × D) = (C ⋆ D) × (C ⋆ D). (1)

Footnote: The quantum PIR schemes in [13], [15], [16] and in this work are symmetric.

Footnote: For the comparison of our rates to the classical setting we will focus on the asymptotic non-symmetric rates for the latter, which also coincide with the SPIR rates, cf. Table I.

Table I. Known capacity results with n servers. For the classical PIR capacities, we report the asymptotic results with respect to the number of files. The result in red is a conjectured result, but a protocol achieving that rate was proposed in [8]. The QPIR results in blue were proved for n = 2, n = t + 1, and n = k + t servers, respectively, with 2-dimensional quantum systems. The other two QPIR results were proved with q-dimensional quantum systems. The result in green is proved in this paper.

CAPACITIES | PIR | ref. | SPIR | ref. | QPIR | ref.
Replicated storage, no collusion | − n | [12] | − n | [4] | 1 | [13]
Replicated storage, t-collusion | − tn | [3] | − tn | [14] | ≥ t +2 | [15]
 | | | | | min n , n − t ) n o | [16]
[n, k]-MDS coded storage, t-collusion | − k + t − n | [8] | − k + t − n | [6] | ≥ k + t +1 | [17]
 | | | | | ≥ min n , n − k − t +1) n o | –

Linear codes and Distributed Data Storage.
We consider a distributed storage system employing error/erasure correcting codes to protect against data loss (for an illustration see Figure 1). To this end, let X be an mβ × k matrix containing m files X i , i ∈ [m], each consisting of βk symbols of F_q. This matrix is encoded with a linear code C of length n and dimension k, which is the Cartesian product of an [n, k] code over F_q with itself, i.e., C = C′ × C′. It therefore has a generator matrix G C = diag( G C′ , G C′ ), where G C′ is a generator matrix of C′. The mβ × n matrix of encoded files is given by Y = X · G C . Server s ∈ [n] stores columns s and n + s of Y, i.e., it stores Y ,s and Y ,s .

Footnote: We choose this description of the storage code because this structure is required for the quantum PIR scheme. However, note that the system can equivalently be viewed as being encoded with an [n, k] over F q , where each of the servers stores one column of the resulting codeword matrix.

In this work we consider systems encoded with (the Cartesian product of) generalized Reed-Solomon (GRS) codes (cf. [2, Ch. 10]), a popular class of MDS codes. Among coded storage systems, these have proven to be particularly well-suited for PIR and general schemes exist for a wide range of parameters [22], [8], [23]. The key idea is to design the queries such that the retrieved symbols are the sum of a codeword of another GRS code (of higher dimension), which we refer to as the star-product code, plus a vector depending only on the desired file. To obtain the desired file, the codeword part is projected to zero, leaving only the desired part of the responses. In the QPIR system we consider in the following, this projection is part of the quantum measurement. This imposes a constraint on this star-product code, namely, that the code is (weakly) self-dual. In the following, we collect/establish the required theoretical results on GRS codes and their star-products.

Definition 1 (Weakly self-dual code).
We say that an [n, k] code C is weakly self-dual if C⊥ ⊆ C and self-dual if C⊥ = C.

It is easy to see that any such code with parity-check matrix H has a generator matrix of the form G = ( H⊤ F⊤ )⊤ for some (2k − n) × n matrix F.

Lemma 1 (Follows from [24, Theorem 3]). For q = 2^m there exist self-dual GRS [2k, k] codes over F_q for any k ∈ [2 m − ] and code locators L.

Lemma 2. Let q and n be even. Then there exists a weakly self-dual [n, k] GRS code C for any k ≥ n and code locators L.

Proof. Let C [ n,n/ be an [ n, n/ self-dual GRS code with code locators L, as shown to exist in [24, Theorem 3] (see Lemma 1). It is easy to see that this code is a subcode of the [n, k] GRS code C [n,k] with the same column multipliers. The property C⊥ [n,k] ⊂ C [n,k] follows directly from observing that C⊥ [n,k] ⊂ C⊥ [ n,n/ = C [ n,n/ ⊂ C [n,k] .

Lemma 3. For any [n, k] GRS code C there exists an [n, t] GRS code D such that their star-product S = C ⋆ D is an [ n, k + t − weakly self-dual GRS code.

Proof. By [25] the star product between an [n, k] GRS code C with column multipliers V C and an [n, t] GRS code D with column multipliers V D , both with the same locators L, is the [ n, k + t − GRS code with column multipliers V C ⋆ V D and code locators L. Denote by V S the column multipliers of a weakly self-dual [ n, k + t − GRS code with code locators L, which exists due to Lemma 1. Then, the lemma statement follows from setting V D = ( V C ) − ⋆ V S , where we denote by ( V C ) − the element-wise inverse of V C .

Quantum Computation.
In this section we collect some notions from non-binary stabilizer formalism [26], [27]. For general notions in quantum computation we refer the reader to [28].

Let q = p^k be a prime power and fix n ∈ N. A quantum system is a q-dimensional Hilbert space H along with a computational basis, that is, a prespecified orthonormal basis B = {| ⟩, | ⟩, . . . , |q − ⟩}. One typically takes H = C^q. We will identify the field F_q with F_p^k in the usual way. Denote tr : F_q → F_p , x P k − i =0 x q i the corresponding trace function. Let ω = exp(2πi/p) be a p-th primitive root of unity. For a, b ∈ F_q, the maps X(a)|x⟩ = |x + a⟩ and Z(b)|x⟩ = ω^tr(bx) |x⟩ are unitary operations on the Hilbert space H. For c = ( c , . . . , c n ) ∈ F nq , we extend these maps to unitary transformations of C q n ≅ ( C q ) ⊗ n = H ⊗ n as X(c) = X( c ) ⊗ · · · ⊗ X( c n ) and Z(c) = Z( c ) ⊗ · · · ⊗ Z( c n ). A Weyl operator is then defined as W(a, b) = X(a)Z(b), and the Heisenberg-Weyl group HW q n is the subgroup of the unitary group U( q n ) generated by these operators. A stabilizer group is an abelian subgroup S ≤ HW q n such that −I q n ∉ S. There is a well-known one-to-one correspondence between stabilizer groups and weakly self-dual subspaces of F nq with respect to the symplectic inner product

⟨(a, b) | (c, d)⟩ J := tr( (a, b) J (c, d)⊤ ), (2)

where J = ( n × n − I n I n n × n ) ∈ F n × nq , a, b, c, d ∈ F nq . We will denote the dual with respect to (2) of a subspace V ≤ F nq by V ⊥ J . Based on the above mentioned correspondence, we will identify a stabilizer group S as S(V) for some unique V ≤ F nq with V ⊆ V ⊥ J .

Given a stabilizer group S = S(V), we have that ω^tr(v · w) is an eigenvalue of E(v) ∈ S, for any w ∈ V, and all its eigenvalues are of this form. Let H w be the common eigenspace of the operators E(v) corresponding to the eigenvalue associated to w, and let P w : C q n → H w be the corresponding projector. It is shown in [16, Sec. III.A] that B V = { P v | v ∈ V } is a PVM, which we will measure with. We point out here the isomorphisms V ≅ Hom(V, F_q) ≅ F nq / V ⊥ J and for us it will be beneficial to index the projections with cosets w ∈ F nq / V ⊥ J .

Figure 1. Illustration of a DSS storing m files, each consisting of βk symbols. The matrix G C is a generator matrix of a [2 n, k ] code C.

Private Information Retrieval.
Consider a storage system storing m files X i , i ∈ [m], as described above.

In a PIR protocol a user desiring the K-th file X K chooses a query Q K = { Q K , . . . , Q Kn } from a query space Q and transmits Q Ks to the s-th server. In the non-quantum PIR setting the response A Ks from the s-th server is a deterministic function of the received query Q Ks and the shares of the (encoded) files it stores. We denote by A K = { A K , . . . , A Kn } the set of responses from all servers. In this work, we consider an extended setting where the user and the servers are also allowed to communicate quantum systems. Briefly, in this QPIR setting, we have n servers each possessing a q-dimensional quantum system. Their composite quantum system is initialized in a specific entangled state. Each server applies some standard quantum operations to its quantum systems (e.g., applying a Weyl operator on a quantum system) depending on (a function of) the received query and the shares of the (encoded) files it stores, and responds by sending the remaining quantum systems to the user. The total number of quantum systems that the servers prepare at the beginning of the protocol is denoted by q in , while the total number of quantum systems that are transmitted from the servers to the user is denoted by q out . In this work, we have q in = q out .

Definition 2 (Correctness). A QPIR protocol is said to be correct if the user can retrieve the desired file X K , K ∈ [m] from the responses of the servers.

As usual, we assume honest-but-curious servers who follow the assigned protocol, but might try to determine the index K of the file desired by the user.

Definition 3 (Privacy with t-Collusion).
User privacy: Any set of at most t colluding servers learns no information about the index K of the desired file.
Server privacy: The user does not learn any information about the files other than the requested one.
Symmetric scheme: A scheme with both user and server privacy is called symmetric.

Formally, the QPIR rate in this setting is defined in the following. As customary, we assume that the size of the query vectors is negligible compared to the size of the files. This is well justified if the files are assumed to be large, as the upload cost is independent of the size of the files. For simplicity, we only consider files of sizes βk log ( q ) in the following. However, note that repeatedly applying the scheme with the same queries allows for the download of files that are any multiple of βk log ( q ) in size at the same rate and without additional upload cost.

Definition 4 (QPIR Rate). For a QPIR scheme, i.e., a PIR scheme with classical files, classical queries from user to servers and quantum responses from servers to user, the rate is the number of retrieved information bits of the requested file over the binary logarithm of the dimension of the composite quantum system, i.e., R QPIR = log (dim ( H ⊗ n )) .

For comparison, we also informally define the PIR rate in the non-quantum setting as the number of retrieved information bits of the requested file per downloaded response bit, i.e., R PIR = . The PIR capacity is the supremum of PIR rates of all possible PIR schemes, for a fixed parameter setting.
Remark 1. In this setting we assume that the user does not share any entanglement with the servers. Hence, the maximal number of information bits obtained when receiving a quantum system, i.e., the number of bits that can be communicated by transmitting a quantum system from a server to the user without privacy considerations, is the binary logarithm of the dimension of the corresponding Hilbert space [29].

We would also like to point out that higher-dimensional quantum systems are mainly of theoretical interest. If we restrict to two-dimensional systems while still wishing to protect against collusion, the MDS property should be relaxed in order to allow for binary storage codes. This will likely lower the achievable QPIR rate but make the scheme otherwise more practical.

III. [n, k]-CODED STORAGE WITH t-COLLUSION
Storage. We consider a storage system as described in Section II (see Figure 1). The code C′ is chosen to be an [n, k] GRS code and for a given integer c, which will be defined in the next paragraph, the parameter β is fixed to β = lcm(c, k)/k.

Codes. Let t be the collusion parameter with n ≤ k + t − < n. By Lemma 3 there exists an [n, t] GRS code D′ such that S′ = C′ ⋆ D′ is an [ n, k + t − weakly self-dual GRS code. We define the query code as the Cartesian product D = D′ × D′. Thus, for a generator matrix G D′ of D′, the matrix G D = diag( G D′ , G D′ ) ∈ F t × nq is a generator matrix of D.

Define S = C ⋆ D and S′ = C′ ⋆ D′. By (1) we have S = C ⋆ D = S′ × S′, so S is the Cartesian product of two star product codes. Define c = d S′ − , where d S′ = n − k − t + 2 is the minimum distance of S′.

Let H S′ ∈ F ( n − k − t +1) × nq be a parity-check matrix of S′. By Definition 1, the code S′ has a generator matrix of the form G S′ = ( H⊤S′ F⊤S′ )⊤ for some F S′ ∈ F k + t − − n ) × nq . Hence, S has a generator matrix of form

G S = ( diag( H S′ , H S′ ) diag( F S′ , F S′ ) ) ∈ F k + t − × nq . (3)

Lemma 4. Let G S be the matrix defined in Eq. (3) and let H S be the submatrix of G S containing its first n − k − t + 1) rows. Let w , . . . , w n be the column vectors of G S . Then, they satisfy conditions (a) and (b) of [16, Lemma 2], i.e.,
(a) w π (1) , . . . , w π ( k + t − , w π (1)+ n , . . . , w π ( k + t − n are linearly independent for any permutation π ∈ S n .
(b) H S J⊤ G⊤S = 0.

Proof. It is well-known that any subset of k + t − columns of the generator matrix of an [ n, k + t − MDS code are linearly independent. Hence, the columns w π (1) , . . . , w π ( k + t − are linearly independent, as the first n columns of G S generate S. The same holds for w π (1)+ n , . . . , w π ( k + t − n . Trivially, any non-zero columns of a diagonal matrix are linearly independent and property (a) follows.

Property (b) follows directly from observing that, by definition, HG⊤ = 0 for any linear code with generator matrix G and parity-check matrix H.

Targeting servers. Suppose the desired file is X K . We define the indexing such that the file can be obtained in ρ = lcm(c, k)/c rounds. During each of these rounds, the user can download c/β = 2 k/ρ symbols from each of the β rows of Y K , where the factor 2 is achieved by utilizing the properties of superdense coding [28] in quantum computation.

Fix J = { , . . . , max{c, k}} to be the set of server indices from which the user obtains the symbols of Y K . We define J br ⊆ J with |J br | = c/β as in [8, Eq. (22)], where r ∈ [ρ] and b ∈ [β], and denote J r = J r ∪ . . . ∪ J βr . This definition ensures that during the r-th iteration the user obtains the symbols ( Y K,b ,a , Y K,b ,a ) for every a ∈ J br and b ∈ [β].

We define

N ( r ) = ( e na )⊤ a ∈ J r ∈ F c × nq . (4)

Then, the matrix ( G⊤S ( M ( r ) )⊤ )⊤, with M ( r ) = diag( N ( r ) , N ( r ) ) ∈ F c × nq , is a basis for F nq . To see that this is in fact a basis observe that the row span of N ( r ) , by definition, contains vectors of weight at most c. The span of G S′ contains vectors of weight at least d S′ = c + 1. It follows that the spans of N ( r ) and G S′ intersect trivially, which implies that their ranks add up.

A. A coded QPIR scheme
Let V be the space spanned by the first n − k − t +1) rows of G S and F nq / V ⊥ J = { w = w + V ⊥ J : w ∈ ⟨ M ( r ) ⟩ row }, where ⟨ M ( r ) ⟩ row is the space spanned by the rows of M ( r ) . By Lemma 4, the rows of G S span the space V ⊥ J .

We now describe the five steps of our QPIR scheme. The first four steps are repeated in each round r ∈ [ρ].

Distribution of entangled state. Let H , . . . , H n be q-dimensional quantum systems and σ mix = q n − k + t − · I q k + t − − n . By [16, Eq. (18)] the composite quantum system H = H ⊗ · · · ⊗ H n is decomposed as H = W ⊗ C q k + t − − n , where W = span{ | w ⟩ | w ∈ F nq / V ⊥ J }. The state of H is initialized as | ⟩⟨ | ⊗ σ mix and distributed such that server s ∈ [n] obtains H s .

Query. The user chooses a matrix Z ( r ) ∈ F mβ × tq uniformly at random. We define E ( K ) ∈ F mβ × cq with E ( K ) ,p,a = e mβ ( K,a ) , p ∈ [2], a ∈ [c]. Notice that the row in coordinate (i, b) of the product E ( K ) · M ( r ) is P p =1 P a ∈J br δ i,K ( e n ( p,a ) )⊤. We denote by Q ( r ) ∈ F mβ × nq the matrix of all the queries, which are computed as

Q ( r ) = ( Z ( r ) E K ) · ( G D M ( r ) ) = Z ( r ) · G D + E K · M ( r ) . (5)

Each server s ∈ [n] receives two vectors Q ( r )1 ,s , Q ( r )2 ,s ∈ F mβq .

Response. The servers compute the dot product of each column of their stored symbols and the respective column of the queries received, i.e., they compute the response A ( r ) p,s = Y⊤ p,s · Q ( r ) p,s , s ∈ [n], p ∈ [2]. Each A ( r ) p,s is a symbol in F_q. Server s applies X( A ( r )1 ,s ) and Z( A ( r )2 ,s ) to its quantum system and sends it to the user.

Measurement. The user applies the PVM B V = { P w | w ∈ F nq / V ⊥ J } on H and obtains the output o ( r ) ∈ F cq .

Retrieval. Finally, after ρ rounds the user has retrieved ρc = 2 βk symbols of F_q from which he can recover the desired file X K .

B. Properties of the coded QPIR scheme
Lemma 5. The scheme of Section III-A is correct, i.e., fulfills Definition 2.

Proof. Let us fix r ∈ [ρ]. By [16, Lemma 1] the state after the servers’ encoding is

W( A ( r ) ) ( | ⟩⟨ | ⊗ σ mix ) W( A ( r ) )† = | A ( r ) ⟩⟨ A ( r ) | ⊗ σ mix .

We observe that V ⊥ J = S since both spaces are spanned by the rows of G S . By definition of the star product scheme, the response vector is

A ( r ) = ( A ( r )1 A ( r )2 ) = Σ_{i=1}^{m} Σ_{b=1}^{β} Y i,b ⋆ Q ( r ) ,i,b
= Σ_{i=1}^{m} Σ_{b=1}^{β} ( X i,b · G C ) ⋆ ( Z ( r ) ,i,b · G D ) + Σ_{i=1}^{m} Σ_{b=1}^{β} Y i,b ⋆ ( Σ_{a ∈ J br} δ i,K ( e n (1 ,a ) + e n (2 ,a ) )⊤ )
∈ S + Σ_{b=1}^{β} Σ_{a ∈ J br} ( Y K,b ,a e n (1 ,a ) + Y K,b ,a e n (2 ,a ) )⊤
= V ⊥ J + ( Y K,b ,a Y K,b ,a ) a ∈J br ,b ∈ [ β ] · M ( r ) . (6)

The random part is encoded into a vector in V ⊥ J while the vector ( Y K,b ,a | Y K,b ,a ) a ∈J br ,b ∈ [ β ] ∈ F cq is encoded with M ( r ) and hence independent of the representative of o ( r ) . Therefore, the user obtains the latter without error after measuring the quantum systems with the PVM B V . After ρ rounds the user retrieved the symbols ( Y K,b ,κ | Y K,b ,κ ) κ ∈ [ k ] ∈ F kq for each b ∈ [β] and can recover the desired file X K by solving a system of linear equations.

Lemma 6. The scheme of Section III-A is symmetric and protects against t-collusion in the sense of Definition 3.

Proof. Privacy in the quantum part of the protocol follows directly from the privacy of the protocol with all but one servers colluding. For details, we refer the reader to [16]. User privacy is achieved since, for each subset of t servers, the corresponding joint distribution of queries is the uniform distribution over F mβ × tq . For each r ∈ [ρ], server secrecy is achieved because in every round the received state of the user is independent of Y i with i = K.

Unlike in the classical setting, the servers in the quantum setting do not need access to a source of shared randomness that is hidden from the user to achieve server secrecy. However, this should not be viewed as an inherent advantage since the servers instead share entanglement.

Theorem 1. The QPIR rate of the scheme in Section III-A is

R QPIR = 2(n − k − t + 1)/n.

Proof. The user downloads ρn quantum systems while retrieving kβ log ( q ) bits of information, thus the rate is given by

R QPIR = 2kβ log(q) / log(q^{ρn}) = 2ρc log(q) / (ρn log(q)) = 2(n − k − t + 1)/n.

Remark 2. If the collusion parameter t is such that ≤ k + t − < n/ , the presented scheme for t = n/ − k + 1 for even n has rate 1. Since the rate cannot be greater than 1, it is capacity achieving. If n is odd, we just consider n − servers and t = ( n + 1) / − k in order to achieve rate 1.

IV. [6 , -CODED STORAGE EXAMPLE WITH -COLLUSION
Let us choose q = 7, n = 6 and k = 3. We consider a [6 , primitive Reed-Solomon (PRS) code [2, Ch. 10.2] C′ with generator matrix G C′ = . We have 6 servers containing m files stored according to the Cartesian product C = C′ × C′ with generator matrix G C = diag( G C′ , G C′ ) ∈ F × . Let t = 2 and let D′ be a [6 , PRS code D′ with generator matrix G D′ = ( ) . The query code is the Cartesian product D = D′ × D′ with generator matrix G D = diag( G D′ , G D′ ) ∈ F × .

The star product code S = C ⋆ D has distance d S = 3. Thus, from each server the user can download at most c = 2 blocks of information per round. By Eq. (1), since both C and D are Cartesian products of PRS codes, also S is the Cartesian product of two PRS codes generated by S′ = C′ ⋆ D′. Let G S′ = = ( H S′ F S′ ) ∈ F × be the generator matrix of the star product code S′, where H S′ ∈ F × is the standard parity-check matrix of S′ and F S′ ∈ F × . One can check that S′ is indeed a weakly self-dual PRS code. Then the generator matrix of S is given by G S = ( diag( H S′ , H S′ ) diag( F S′ , F S′ ) ) ∈ F × .

Each file is divided into pairs of k = 3 pieces and β = 2 blocks. The user will need a total of ρ = 3 rounds in order to download the necessary information and reconstruct the desired file. Each server contains a matrix of symbols in F m × . For example, server 2 stores Y i,bp, = X i,bp, + 3 X i,bp, + 2 X i,bp, for i ∈ [m], b ∈ [2], p ∈ [2].

We fix J = [3], so J = [2] and J = { }, J = { }. Thus, according to Eq. (4), we set N (1) = ( I × ). Hence, M (1) = diag( N (1) , N (1) ) ∈ F × is such that the row vectors of the matrix ( G⊤S ( M (1) )⊤ )⊤ form a basis for F .

First, the quantum systems are prepared and distributed to the servers according to the first step of the scheme.

The user samples uniformly at random Z (1) ∈ F m × . Let E ( K ) = ( e m ( K, e m ( K, e m ( K, e m ( K, ) ∈ F m × .
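The code parameters of this example and the classical linear algebra of Eqs. (5) and (6) can be checked numerically with the following Python sketch, which is an added example and not code from the paper. It verifies that S′ = C′ ⋆ D′ has dimension 4 and is weakly self-dual, that any t = 2 servers see uniformly distributed queries, and that one round for a single column block p returns the targeted symbols of servers 1 and 2, with the decomposition in the basis (G S′ ; N) standing in for the PVM measurement. It assumes that C′ and D′ are generated by the rows x^0, ..., x^(dim−1) evaluated at the powers of the primitive element 3 of F_7 with all column multipliers equal to 1, which matches the coefficients 1, 3, 2 stored by server 2; the file contents are constructed sample data.

```python
import itertools
import random

P = 7                     # field size q = 7 from the example
N, K_DIM, T = 6, 3, 2     # n servers, storage code dimension k, collusion t
ALPHA = 3                 # assumed primitive element (server 2 stores 1, 3, 2)
LOC = [pow(ALPHA, s, P) for s in range(N)]   # assumed locators 1, 3, 2, 6, 4, 5

def rref(rows):
    """Gauss-Jordan over F_P; returns (nonzero reduced rows, pivot columns)."""
    m = [[x % P for x in r] for r in rows]
    piv, r = [], 0
    for c in range(len(m[0])):
        if r == len(m):
            break
        p = next((i for i in range(r, len(m)) if m[i][c]), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        s = pow(m[r][c], P - 2, P)            # inverse of the pivot entry
        m[r] = [x * s % P for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(x - f * y) % P for x, y in zip(m[i], m[r])]
        piv.append(c)
        r += 1
    return m[:r], piv

def rank(rows):
    return len(rref(rows)[1])

def nullspace(rows):
    """Basis of {v : G v^T = 0}, i.e. generator rows of the dual code."""
    red, piv = rref(rows)
    basis = []
    for f in (c for c in range(len(rows[0])) if c not in piv):
        v = [0] * len(rows[0])
        v[f] = 1
        for row, pc in zip(red, piv):
            v[pc] = -row[f] % P
        basis.append(v)
    return basis

def prs_generator(dim):
    """Rows x^0, ..., x^(dim-1) evaluated at the locators (assumed PRS form)."""
    return [[pow(x, i, P) for x in LOC] for i in range(dim)]

def vec_mat(v, g):
    return [sum(a * row[j] for a, row in zip(v, g)) % P for j in range(len(g[0]))]

def star_code(gc, gd):
    """Basis of C * D: span of all coordinate-wise products of generator rows."""
    prods = [[a * b % P for a, b in zip(c, d)] for c in gc for d in gd]
    return rref(prods)[0]

def weakly_self_dual(g):
    """Definition 1: the dual code is contained in the code."""
    return rank(g + nullspace(g)) == rank(g)

def t_private(gd, t):
    """Any t columns of G_D' are independent, so any t servers see uniform queries."""
    return all(rank([[row[s] for s in cols] for row in gd]) == t
               for cols in itertools.combinations(range(N), t))

def run_round(x, K, targets, rng):
    """One round for one column block p. x[i][b] is row b of file i (k symbols);
    targets[b] is the 0-based server whose symbol of row b is retrieved."""
    gc, gd = prs_generator(K_DIM), prs_generator(T)
    gs = star_code(gc, gd)
    y = [[vec_mat(row, gc) for row in f] for f in x]      # stored codewords
    resp = [0] * N
    for i, f in enumerate(y):
        for b, yrow in enumerate(f):
            q = vec_mat([rng.randrange(P) for _ in range(T)], gd)   # Z * G_D'
            if i == K:
                q[targets[b]] = (q[targets[b]] + 1) % P             # + E * N, Eq. (5)
            resp = [(a + ys * qs) % P for a, ys, qs in zip(resp, yrow, q)]
    # Decompose the response in the basis (G_S' ; N): the S' part carries the
    # randomness, the N coordinates are the wanted symbols, as in Eq. (6).
    basis = gs + [[int(s == a) for s in range(N)] for a in targets]
    aug = [[basis[r][c] for r in range(N)] + [resp[c]] for c in range(N)]
    coeffs = [row[-1] for row in rref(aug)[0]]
    return coeffs[len(gs):], [y[K][b][a] for b, a in enumerate(targets)]

def demo():
    rng = random.Random(0)                    # constructed sample files
    x = [[[rng.randrange(P) for _ in range(K_DIM)] for _ in range(2)] for _ in range(4)]
    return run_round(x, K=2, targets=[0, 1], rng=rng)

if __name__ == "__main__":
    gs = star_code(prs_generator(K_DIM), prs_generator(T))
    print(len(gs), weakly_self_dual(gs), t_private(prs_generator(T), T), demo())
```

The decomposition succeeds because the span of N contains only vectors of weight at most c = 2 while every nonzero codeword of S′ has weight at least 3, so the two spans intersect trivially.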
Notice that the row in coordinate (i, b) of the product E ( K ) · M (1) is δ i,K ( δ b, ( e , + e , ) + δ b, ( e , + e , ) )⊤. Then, with this choice, the user will retrieve the first block (with δ b, ) of the symbols stored in server 1 (with e p, ) and the second block (with δ b, ) of the symbols stored in server 2 (with e p, ) with the desired position K (with δ i,K ). The user generates the queries according to Eq. (5) and sends them to the servers. For example, the query to server 2 has symbols Q (1) ,i,bp, = Z (1) ,i,bp, + 3 Z (1) ,i,bp, + δ i,K δ b, for i ∈ [m], b ∈ [2], p ∈ [2].

The servers compute the responses A (1) p,s = Y⊤ p,s · Q (1) p,s ∈ F , p ∈ [2], s ∈ [6]. Server s applies X( A (1)1 ,s ) and Z( A (1)2 ,s ) to its quantum system and sends it to the user.

By Eq. (6), the response vector is A (1) ∈ V ⊥ J + ( Y K, , Y K, , Y K, , Y K, , ) · M (1) . Then, the user obtains ( Y K, , , Y K, , , Y K, , , Y K, , ) ∈ F as output without error.

The other two rounds are analogous by choosing J = { }, J = { } and J = { }, J = { }.

Finally, after 3 rounds the user recovers the symbols ( Y K,b ,κ | Y K,b ,κ ) ∈ F for each b ∈ [2], κ ∈ [3]. From these symbols the user can easily recover the desired file X K by solving a system of linear equations. The user downloaded a total of 18 -dimensional quantum systems and gathered 12 symbols of F , thus the rate is given by R QPIR = = .

ACKNOWLEDGMENTS
The authors would like to thank Prof. M. Hayashi and S. Song for helpful discussions.

REFERENCES
[1] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private information retrieval,” in Proceedings of IEEE 36th Annual Foundations of Computer Science. IEEE, 1995, pp. 41–50.
[2] F. J. MacWilliams and N. J. A. Sloane, The theory of error-correcting codes, ser. North-Holland Mathematical Library. Elsevier, 1977, vol. 16.
[3] H. Sun and S. A. Jafar, “The capacity of robust private information retrieval with colluding databases,” IEEE Transactions on Information Theory, vol. 64, no. 4, pp. 2361–2370, 2017.
[4] ——, “The capacity of symmetric private information retrieval,” IEEE Transactions on Information Theory, vol. 65, no. 1, pp. 322–329, 2018.
[5] K. Banawan and S. Ulukus, “The capacity of private information retrieval from coded databases,” IEEE Transactions on Information Theory, vol. 64, no. 3, pp. 1945–1956, 2018.
[6] Q. Wang and M. Skoglund, “Symmetric private information retrieval from MDS coded distributed storage with non-colluding and colluding servers,” IEEE Transactions on Information Theory, vol. 65, no. 8, pp. 5160–5175, 2019.
[7] K. Banawan and S. Ulukus, “The capacity of private information retrieval from Byzantine and colluding databases,” IEEE Transactions on Information Theory, vol. 65, no. 2, pp. 1206–1219, Feb 2019.
[8] R. Freij-Hollanti, O. W. Gnilke, C. Hollanti, and D. A. Karpuk, “Private information retrieval from coded databases with colluding servers,” SIAM Journal on Applied Algebra and Geometry, vol. 1, no. 1, pp. 647–664, 2017.
[9] H. Sun and S. A. Jafar, “Private information retrieval from MDS coded data with colluding servers: Settling a conjecture by Freij-Hollanti et al.” IEEE Transactions on Information Theory, vol. 64, no. 2, pp. 1000–1022, Feb 2018.
[10] L. Holzbaur, R. Freij-Hollanti, and C. Hollanti, “On the capacity of private information retrieval from coded, colluding, and adversarial servers,” in . IEEE, 2019, pp. 1–5.
[11] L. Holzbaur, R. Freij-Hollanti, J. Li, and C. Hollanti, “Towards the capacity of private information retrieval from coded and colluding servers,” arXiv preprint arXiv:1903.12552v6, 2021.
[12] H. Sun and S. A. Jafar, “The capacity of private information retrieval,” IEEE Transactions on Information Theory, vol. 63, no. 7, pp. 4075–4088, 2017.
[13] S. Song and M. Hayashi, “Capacity of quantum private information retrieval with multiple servers,” IEEE Transactions on Information Theory, vol. 67, no. 1, pp. 452–463, 2020.
[14] Q. Wang and M. Skoglund, “Secure symmetric private information retrieval from colluding databases with adversaries,” in , 2017, pp. 1083–1090.
[15] S. Song and M. Hayashi, “Capacity of quantum private information retrieval with collusion of all but one of servers,” in . IEEE, 2019, pp. 1–5.
[16] ——, “Capacity of quantum private information retrieval with colluding servers,” in . IEEE, 2020, pp. 1077–1082.
[17] M. Allaix, L. Holzbaur, T. Pllaha, and C. Hollanti, “Quantum private information retrieval from coded and colluding servers,” IEEE Journal on Selected Areas in Information Theory, vol. 1, no. 2, pp. 599–610, 2020.
[18] I. Kerenidis and R. De Wolf, “Quantum symmetrically-private information retrieval,” Information Processing Letters, vol. 90, no. 3, pp. 109–114, 2004.
[19] F. Le Gall, “Quantum private information retrieval with sublinear communication complexity,” Theory of Computing, vol. 8, no. 16, pp. 369–374, 2012.
[20] V. Giovannetti, S. Lloyd, and L. Maccone, “Quantum private queries,” Physical review letters, vol. 100, no. 23, p. 230502, 2008.
[21] D. Gottesman, “Stabilizer codes and quantum error correction,” 1997, PhD thesis, California Institute of Technology.
[22] R. Tajeddine, O. W. Gnilke, and S. El Rouayheb, “Private information retrieval from MDS coded data in distributed storage systems,” IEEE Transactions on Information Theory, vol. 64, no. 11, pp. 7081–7093, 2018.
[23] R. Tajeddine, O. W. Gnilke, D. Karpuk, R. Freij-Hollanti, and C. Hollanti, “Private information retrieval from coded storage systems with colluding, Byzantine, and unresponsive servers,” IEEE Transactions on Information Theory, vol. 65, no. 6, pp. 3898–3906, 2019.
[24] M. Grass and T. A. Gulliver, “On self-dual MDS codes,” in . IEEE, 2008, pp. 1954–1957.
[25] D. Mirandola and G. Zémor, “Critical pairs for the product Singleton bound,” IEEE Transactions on Information Theory, vol. 61, no. 9, pp. 4928–4937, 2015.
[26] A. Ashikhmin and E. Knill, “Nonbinary quantum stabilizer codes,” IEEE Transactions on Information Theory, vol. 47, no. 7, pp. 3065–3072, 2001.
[27] A. Ketkar, A. Klappenecker, S. Kumar, and P. K. Sarvepalli, “Nonbinary stabilizer codes over finite fields,” IEEE Transactions on Information Theory, vol. 52, no. 11, pp. 4892–4914, 2006.
[28] M. A. Nielsen and I. L. Chuang, Quantum computation and quantum information. Cambridge University Press, Cambridge, 2000.
[29] A. S. Holevo, “Bounds for the quantity of information transmitted by a quantum communication channel,”