Quantum Private Information Retrieval

Klaas Ruben Brokkelkamp

June 11, 2013

Bachelor’s thesisMathematics and Computer Science

Supervisor: Prof. Ronald de Wolf

Faculteit der Natuurwetenschappen, Wiskunde en Informatica

Universiteit van Amsterdam

ii

Abstract

Locally Decodable Codes are error-correcting codes which make it possible torecover entries from the original string by only looking at a certain number ofentries from the codeword.

In Private Information Retrieval a user wants to get data from a database with-out giving any information about the data she is interested in. The goal is tominimise the amount of communication which takes place between the user andthe database. For a database on a single server the trivial protocol of sending thewhole database is optimal [8], but when the database is replicated over a numberof non-communicating servers much better schemes exist.

There is a connection between Locally Decodable Codes and Private InformationRetrieval in the sense that they can be converted into each other. The best knownPrivate Information Retrieval Schemes are derived from Locally Decodable Codes.

Allowing quantum bits as communication yields better Private Information Re-trieval Schemes.

Title: Quantum Private Information RetrievalAuthor: Klaas Ruben Brokkelkamp, rubenbrokkelkamp@gmail.com, 6282628Supervisor: Prof. Ronald de WolfDate: June 11, 2013

The cover image is taken from Bianca Kramer, Information retrieval and lit-erature searching in today’s information landscape, http://journals.sfu.ca/

hypot/index.php/main/article/view/182.

Universiteit van AmsterdamScience Park 904, 1098 XH Amsterdam

iii

iv

Acknowledgements

I am very grateful to my supervisor Ronald de Wolf, for suggesting the subject andhis numerous comments and helpful remarks. Also, his course Quantum Computingwas informative and inspiring.

v

vi

Contents

1 Introduction 11.1 Locally Decodable Codes . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Private Information Retrieval . . . . . . . . . . . . . . . . . . . . . 21.3 Quantum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.4 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Locally Decodable Codes 52.1 Definition and First Example . . . . . . . . . . . . . . . . . . . . . 52.2 Smooth Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.3 Efremenko’s Locally Decodable Codes . . . . . . . . . . . . . . . . . 8

2.3.1 Matching Sets of Vectors and S-decoding Polynomials . . . . 92.3.2 The Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.3.3 Binary Case . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.4 Matching Vector Codes . . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Classical Private Information Retrieval 193.1 Definition and First Example . . . . . . . . . . . . . . . . . . . . . 193.2 Better Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203.3 Connection between Smooth Codes and PIR . . . . . . . . . . . . . 24

4 Quantum Private Information Retrieval 264.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.1.1 Qubits and Quantum States . . . . . . . . . . . . . . . . . . 264.1.2 Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . 274.1.3 Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284.1.4 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2 Locally Decodable Quantum Codes and Quantum Private Informa-tion Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.3 Classical to Quantum . . . . . . . . . . . . . . . . . . . . . . . . . . 304.4 Multiple Bit Answers . . . . . . . . . . . . . . . . . . . . . . . . . . 344.5 Quantum Private Information Retrieval Schemes . . . . . . . . . . . 37

5 Populaire Samenvatting 38

vii

1 Introduction

An error-correcting code encodes an n-bit string x into some N -bit codeword C(x)such that the original string x can be recovered from C(x) even though part ofC(x) is corrupted or maybe destroyed. This can be very useful when sendinginformation over a channel with a lot of noise. Typically, when the codeword islonger, more redundancy is possible and therefore a larger part of the codewordmay be corrupted before it is impossible to retrieve the original string. The trickis to find a good tradeoff between the amount of redundancy and the length of thecodeword. What counts as a good tradeoff depends on the applications that it isgoing to be used for.

Error-correcting codes are closely related to the field of information theory, whichis concerned with the quantification of information and how efficiently it can betransmitted. Already in the late 1940s Shannon, the father of information theory,gave a maximum on the number of symbols that can be sent through a channelwith random noise [25]. In the early 1950s Hamming presented important error-correcting codes [16] which are now known as Hamming codes. Since those twohighly influential publications the field of error-correcting code has grown into abroad field of research [22] and numerous codes have been designed. There arefor example the Reed–Solomon codes [24]. A variation on these codes is widelyused for encoding information on CDs, DVDs and Blu-ray Discs to protect themagainst noise. Without error-correcting codes the concept of compact discs wouldhave been completely useless due to unavoidable noise from small scratches andthe decoding process.

1.1 Locally Decodable Codes

Traditional error-correcting codes require the decoding procedure to read the entirecodeword C(x) even when one is only interested in a small part of the originalstring x. You could for example think of a hard disk which is encoded to improvethe resistance against noise. If the hard disk is encoded into one codeword andwe only need a single file, it is not very efficient to decode the entire hard diskand then look for the file we desire. A possibility is to divide the hard disk intoparts and encode each part separately. A disadvantage of this procedure is thatif the part of the hard disk where the codeword from the file we need is stored, iscorrupted or destroyed, we are not able to retrieve the file and it is gone forever.

1

We would like an error-correcting code which protects the data against worst-case noise and is able to efficiently recover parts of the original string. A class oferror-correcting codes which enables us to efficiently recover parts of the originalstring while protecting us against worst-case noise is the class of Locally DecodableCodes. They encode a string x into a codeword C(x) and allow us to retrieve anentry from the original string by only reading a few of entries from the codeword.Locally Decodable Codes were already used in literature about ProbabilisticallyCheckable Proofs in the 1990s [2]. The first formal definition was given by Katzand Trevisan [18] in 2000. Since then, Locally Decodable Codes has grown into arather broad field of research.

1.2 Private Information Retrieval

In [8] Chor et al. proposed the idea of Private Information Retrieval. In PrivateInformation Retrieval a user wants some information from a database, but shedoes not want to give any information at all about the thing she is interested in.A situation where this is useful, is, for example, the stock market. Suppose somelarge trader is interested in buying a stock and she wants to know the price. Ifsomeone found out the large trader is interested in some stock, he would buy thestock, which could drive up the price. Thus the large trader likes to keep to herselfwhich information she is interested in. Another situation is when someone likes toaccess her medical records. For some persons it is not desirable if someone foundout they are not completely healthy.

The scarce resource in this setting is communication, where computing poweris assumed to be unlimited, although there are variants which also consider theamount of computing power [27]. If the database is stored on a single server youcannot do better than using the trivial protocol of requesting the whole database[8]. In their article Chor et al. considered the situation where the database is storedover k non-communicating servers. They presented a scheme for k servers withcommunication complexity O(n

1k ) for n being the number of bits in the database.

For 2 servers they presented a protocol with communication complexity O(n13 )

which still has not been improved. There have been a number of improvementsfor k ≥ 3 servers starting with Ambainis [1] who presented a scheme with com-

munication complexity O(n

12k−1

). Beimel et al. [3] improved this to nO( log log k

k log k )

and the currently best known upper bounds of nO(r√

( log lognlogn

)r−1)

for k = 2r servers

and nO(√

log lognlogn

)for 3 servers are achieved by Efremenko [11]. We will present his

construction in this thesis.There are many variations on Private Information Retrieval. In [20] computa-

tional Private Information Retrieval is introduced. In traditional Private Informa-tion Retrieval, we consider information theoretic privacy whereas computational

2

Private Information Retrieval only guarantees computationally bounded privacy.The scheme from [20] gives a 1-server scheme with communication complexityO(nc) for every c > 0, assuming the hardness of deciding quadratic residuosity.This was improved in [7] where a scheme with communication complexity polylog-arithmic in n was presented.

Traditional Private Information Retrieval requires there is no communication atall between the different servers. The setting where this assumption is droppedand coalitions up to t > 1 servers are allowed was already addressed in [8] and thecurrently best known schemes are presented in [29].

Another variation is that of Symmetric Private Information Retrieval, whichgives the extra restriction that the user may only learn the bit in which she isinterested in and nothing else. This notion was introduced by Gertner et al. [13]and in their article they showed it is impossible in the traditional model of PrivateInformation Retrieval. To overcome this problem they presented schemes in whichthe user and database share a random string.

Locally Decodable Codes and Private Information Retrieval are closely related.Intuitively one can think of each query to a codeword as a query to a differentserver which acts as if the database is encoded using the Locally Decodable Code.The currently best known Private Information Retrieval schemes from Efremenko[11] are based on Locally Decodable Codes.

1.3 Quantum

Another variant of Private Information Retrieval is one where we allow quantumbits as communication. The computers found in every household nowadays arebased on classical physics. For a bit this implies it is either 0 or 1. From quantumphysics we know that if we look at particles at microscopic scales they behavedifferently than described in classical physics. A quantum bit (or in short qubit)can be in a superposition of 0 and 1. Intuitively one can think the qubit is both0 and 1 at the same time. In the classical world we have two states, but inthe quantum world we have uncountably many states at our disposal. A minormisfortune is that when we “look” (measure) at such a state it collapses to one oftwo basis states and all the information which was contained in the superpositionis gone. It has not been proven that quantum computers are faster than classicalcomputers. Still for some problems the best known quantum algorithms are muchfaster than the best known classical algorithms. The most famous example is primefactorisation. Using Shor’s algorithm [26] this can be done in polynomial time ona quantum computer while the best known algorithm for a classical computerneeds exponential time. In the setting of Private Information Retrieval we will seethat in some cases using quantum bits will result in a much lower communicationcomplexity.

3

1.4 Notation

In this thesis we will use the following notation without further reference.

• [n] = {1, 2, . . . , n}.

• 〈x, y〉 =∑n

i=1 xiyi, with x, y vectors of length n. In Sections 2.3 and 2.4 theinner products will be calculated modulo m.

• x · y =∑n

i=1 xiyi modulo 2, for bitstrings x, y ∈ {0, 1}n.

• x⊕ y = (x+ y) mod 2 for x, y ∈ {0, 1}, i.e., XOR of x and y. If x and y arebitstrings, the XOR is taken entry-wise.

• d(x, y) is the Hamming distance between x and y, i.e., the number of entrieswhere they differ.

• For a bitstring a ∈ {0, 1}n, |a| is the Hamming weight, i.e., the number ofentries that are 1.

• δij is the Kronecker delta, i.e., δij =

{1 if i = j

0 if i 6= j.

• Fq is the finite field consisting of q elements.

• Zm is the cyclic group consisting of m elements.

• ei is the zero string or zero vector, depending on the context, with a one atposition i.

• 0t or 1t is used to indicate the string of t 0s or 1s.

• For a subset Q ⊆ S = [|S|], the indicator string is a string q ∈ {0, 1}|S| suchthat qi = 1 ⇐⇒ i ∈ Q.

• exp(x) = 2x.

• Logarithms are taken base 2.

4

2 Locally Decodable Codes

2.1 Definition and First Example

Informally, a (q, δ, ε)-Locally Decodable Code is an error-correcting code such thatan entry from the original string (often referred to as message) can be recoveredwith probability at least 1

2+ε by looking at q entries from the codeword even though

at most a δ-fraction of the codeword is corrupted. Here, an entry is corrupted whenit has a different value then the corresponding entry in the correct codeword. Thecorrupted fraction can be anywhere in the codeword, in our model we want toprotect ourselves against the worst-case. More formally:

Definition 1 (Locally Decodable Code (LDC)). A (q, δ, ε)-Locally Decodable Codeis a map C : Γn → ΣN together with a classical randomised decoding algorithm Asuch that

• A makes at most q non-adaptive queries to a string y ∈ ΣN .

• For all x ∈ Γn, y ∈ ΣN with Hamming distance d(C(x), y) ≤ δN it holds that

P[Ay(i) = xi] ≥1

2+ ε for all i ∈ [n],

where the probability is taken over the randomness of A.

The decoding algorithm A is called a (q, δ, ε)-decoding algorithm.

We use the notation Ay(i) to denote the difference between input i and y. Forinput i we got full access, while for y we only have query access.

In our definition we only consider non-adaptive queries. This means that everyquery is based solely on i. They are all generated in advance and can be executed inparallel. If we consider adaptive queries, the second query may also depend on theanswer to the first query and the third query may depend on the answers to the firstand the second query and so on. In [18] it is shown that one can convert an adaptive

(q, δ, ε)-local decoding algorithm into a non-adaptive ( |Σ|q−1

|Σ|−1, δ, ε)-local decoding

algorithm and also to a non-adaptive (q, δ, ε|Σ|q−1 )-local decoding algorithm. For a

small number of queries and/or a small alphabet, on which we mainly focus, the

5

loss in the parameters is not very significant and therefore we will focus only onnon-adaptive queries.

The sets Γ and Σ are usually finite fields and we are most interested in thebinary case, i.e., Γ = Σ = F2. Then we can identify F2 with {0, 1} and think inthe setting of bits. In this chapter we describe the Locally Decodable Codes fromEfremenko, which are first defined for finite fields and later converted into binaryLDCs. But we will also see codes where Σ = {0, 1}a for some positive integer a, inwhich case the “answers” to the queries consist not only of one bit, but of blocksof a bits.

It depends on the setting which of the parameters are more important thanothers. For example in data storage and transmission, one would like to have alarge δ and small length of the codeword whereas the number of queries is lessimportant, as long as it is still much smaller than the size of the encoded string.Also the value of ε does not need to be extremely close to 1

2, since we can just

run the procedure several times, to get a larger successrate. In cryptography(for example Private Information Retrieval) a small number of queries and smallcodewords is more desirable.

The simplest example of an LDC is the Hadamard code.

Example 2 (Hadamard Code). For q = 2 the first example is the Hadamard code.Given some x ∈ {0, 1}n the codeword of length 2n consists of the concatenation ofbits x · z mod 2, for every z ∈ {0, 1}n. The decoding procedure for bit xi consistsof picking a random z and querying the values x · z mod 2 and x · z ⊕ ei mod 2. Ifneither one of the bits is corrupted we will find the desired bit

C(x)z ⊕ C(x)z⊕ei = (x · z)⊕ (x · (z ⊕ ei)) = x · ei = xi.

The subscript z is used here as an index where C(x)z points to the entry x · z mod2. If at most a δ-fraction of the codeword is corrupted, by the union bound, theprobability that we get a wrong answer is at most

P[C(x)z or C(x)z⊕ei is corrupted] ≤ P[C(x)z is corrupted] + P[C(x)z⊕ei is corrupted]

≤ δ + δ

= 2δ.

Thus the Hadamard code is a (2, δ, 12− 2δ)-Locally Decodable Code C : {0, 1}n →

{0, 1}2n for δ ∈ [0, 14].

If we use the Hadamard code and 10 percent of the codeword is corrupted, theprobability of recovering a bit is 0.8. One can think that this is not very good,since if we do not use any encoding and 10 percent of the entries are corrupted, wehave a probability of 0.9 of reading the correct bit. The subtle difference here is

6

that in the latter case querying a corrupted index will always give the wrong value,while using the Hadamard code, every bit can be recovered with probability 0.8,no matter which 10 percent of the codeword is corrupted. As mentioned before,we protect ourselves against the worst-case.

2.2 Smooth Codes

There is a close relation between Locally Decodable Codes and so-called SmoothCodes. Smooth Codes are codes where no entry is queried more often than acertain threshold. Later we will establish a connection between Smooth Codesand Private Information Retrieval.

Definition 3 (Smooth Code). A (q, c, ε)-Smooth Code is a map C : Γn → ΣN

together with a probabilistic algorithm A such that for any x ∈ Γn:

• A makes at most q queries to the codeword C(x).

• For all j ∈ [N ], C(x)j is queried with probability at most cN

.

• For all i ∈ [n], P[AC(x)(i) = xi] ≥ 12

+ ε,

where the probability is taken over the randomness of A.The decoding algorithm is called a (q, c, ε)-smooth decoder. If c = q we call the

decoder perfectly smooth and for ε = 12

we have perfect recovery.

Note that the decoding algorithm does not need to work for corrupted code-words.

To convert a Locally Decodable Code into a Smooth Code we have the followingtheorem due to [18].

Theorem 4. Let C : Γn → ΣN be a (q, δ, ε)-Locally Decodable Code. Then C isalso a (q, q

δ, ε)-Smooth Code.

Proof. Let L be the (q, δ, ε)-local decoding algorithm for C and let x ∈ Γn. Fori ∈ [n] let Qi be the set of j ∈ [N ] such that P[LC(x)(i) queries j] > q

δN. Note

that |Qi| < δN , because L queries no more than q indices. Now, we are going todefine the smooth decoder S. The smooth decoder S will be the same as L exceptif an index from Qi is queried we simply return 0. We define the string y ∈ ΣN asfollows

yk =

{0 if k ∈ Qi

C(x)k if k /∈ Qi

.

7

Because |Qi| < δN the string y has Hamming distance d(C(x), y) < δN . So weget

P[SC(x)(i) = xi] = P[Ly(i) = xi] ≥1

2+ ε

Since the indices which are queried with probability greater than qδN

are ignored,we can conclude that using the smooth decoding algorithm S the code C is also a(q, q

δ, ε)-Smooth Code.

=)

We can also convert a Smooth Code into a Locally Decodable Code.

Theorem 5. Let C : Γn → ΣN be a (q, c, ε)-Smooth Code. Then C is also a(q, δ, ε− cδ)-Locally Decodable Code for any δ.

Proof. Let S be the smooth decoding algorithm. The probability that an indexis queried is at most c

N. So, by the union bound, the probability that there

is a corrupted index among the queried indices, if at most δN of the indices iscorrupted, is

P[S queries a corrupted index] ≤ (δN)c

N= cδ.

Thus, if y is a codeword of x which is corrupted up to δN places, the probabilityof recovering xi is

P[Sy(i) = xi] ≥ P[SC(x)(i) = xi]− cδ

≥ 1

2+ ε− cδ

=)

2.3 Efremenko’s Locally Decodable Codes

In this section we describe the currently best known construction for Locally De-codable Codes. They are constructed by Efremenko in [11] and are inpired bythe work done by Yekhanin in [30]. In his work Yekhanin showed, using the as-sumption that there are infinitely many Mersenne prime numbers1, the existence

of 3-query LDCs with subexponential codeword length exp(

exp(O(

lognlog logn

))).

The assumption of infinitely many prime numbers is not needed in the constructionfrom Efremenko. The length of the codeword he achieves for 3 queries is

exp(

exp(O(√

log n log log n)))

,

1A Mersenne prime number is a prime which can be written as 2t − 1 for some integer t.

8

and for 2r queries a shorter codeword length is achieved, namely

exp(

exp(O( r√

log n(log log n)r−1)))

.

In this section we will present the LDCs in the same way Efremenko presentedthem in [11].

2.3.1 Matching Sets of Vectors and S-decodingPolynomials

All the inner products in the following two sections are done modulo m. Toconstruct the LDCs we need a family of vectors with some special properties.

Definition 6. For any S ⊂ Zm a family of vectors {u[i]}ni=1 ⊆ (Zm)h is said to beS-matching if

• 〈u[i], u[i]〉 = 0 for every i ∈ [n],

• 〈u[i], u[j]〉 ∈ S for every i, j ∈ [n] such that i 6= j.

We fill first assume the existence of such families and present the code. Whenthe code is clear, a result from Grolmusz in [15] is given to show the existence ofsuch families. But first some more facts and definitions.

Fact 7. For every odd m, there exists a finite field F2t, with t ≤ m, and an elementγ ∈ F2t which is a generator of the multiplicative group of size m, i.e., γm = 1 andγi 6= 1 for i ∈ {1, 2, . . . ,m− 1}.

Proof. First, note that 2 ∈ Z∗m, since m is odd. Thus there is some t < m suchthat 2t ≡ 1 mod m. So m divides 2t − 1. For F2t we see |F∗2t | = 2t − 1. If g is the

generator of F∗2t we can take γ = g2t−1m .

=)

Fix m odd. From the previous fact there exist t, F = F2t and γ ∈ F, such thatγ is the generator of the multiplicative subgroup of F of order m.

Definition 8. A polynomial P ∈ F[x] is called an S-decoding polynomial if

• P (γs) = 0, ∀s ∈ S,

• P (γ0) = P (1) = 1.

An easy way to find such a polynomial is presented in the following claim.

Claim 9. For any S such that 0 /∈ S there exists an S-decoding polynomial P withat most |S|+ 1 monomials

Proof. Define P (x) =∏

s∈S(x − γs). Then P (x) = P (x)/P (1) is an S-decodingpolynomial. Since the degree of P is |S|, this polynomial consists of at most |S|+1monomials.

=)

9

2.3.2 The Code

Suppose we have some odd m and fix t and γ as above. Suppose we have some setS with S-matching vectors {u[i]}ni=1, u[i] ∈ (Zm)h and an S-decoding polynomialP with q monomials.

Encoding: We can define the encoding C : Fn → Fmh by defining C(ei) fori ∈ [n] and use the linearity of C to extend it to Fn, i.e., for a message x =(x1, x2, . . . , xn), C(

∑ni=1 xiei) =

∑ni=1 xiC(ei). The encoding of ei is given by

C(ei) = (γ〈u[i],y〉)y∈(Zm)h

(Concatenation of γ〈u[i],y〉 for all possible values of y into one vector). For afixed x one can think of the codeword as a homomorphism from (Zm)h to F∗ (fora possibly corrupted codeword w of x the notation w(y) is used to indicate theentry of w at the same position as

∑ni=1 xiγ

〈u[i],y〉 in the correct codeword). Thusthe encoding is given by

C(x) =

(n∑i=1

xiγ〈u[i],y〉

)y∈(Zm)h

.

The decoder: First, write P (x) = a0 + a1xb1 + a2x

b2 + . . .+ aq−1xbq−1 . Suppose

w ∈ Fmh is a corrupted version of the codeword of x ∈ Fn which is corrupted upto a δ-fraction. If we want to recover entry i we use the following procedure D.

• Pick ν ∈ (Zm)h at random.

• Query w(ν), w(ν + b1u[i]), . . . , w(ν + bq−1u[i]).

• Output xi = γ−〈u[i],ν〉(a0w(ν) + a1w(ν + b1u[i]) + . . .+ aq−1w(ν + bq−1u[i])).

Lemma 10. The decoding procedure D is a perfectly smooth decoder for C withperfect recovery.

Proof. Since ν is chosen uniformly at random, each query ν, ν + b1u[i], . . . , ν +bq−1u[i] is distributed uniformly.

To show that D is a perfectly smooth decoder we only have to show that itdecodes correctly, i.e., DC(x)(i) = xi. Because the code is linear it is enough toprove that DC(ei)(j) = δij.

First DC(ei)(i), then

DC(ei)(i) = γ−〈u[i],ν〉(a0γ〈u[i],ν〉 + a1γ

〈u[i],ν+b1u[i]〉 + . . .+ aq−1γ〈u[i],ν+bq−1u[i]〉).

10

By definition of the matching vectors 〈u[i], ν + cu[i]〉 = 〈u[i], ν〉 + c〈u[i], u[i]〉 =〈u[i], ν〉. And so

DC(ei)(i) = γ−〈u[i],ν〉(a0γ〈u[i],ν〉 + a1γ

〈u[i],ν〉 + . . .+ aq−1γ〈u[i],ν〉)

= a0 + a1 + . . .+ aq−1

= P (1)

= 1.

Now the case where DC(ei)(j), with i 6= j, then

DC(ei)(j) = γ−〈u[i],ν〉(a0γ〈u[i],ν〉 + a1γ

〈u[i],ν+b1u[j]〉 + . . .+ aq−1γ〈u[i],ν+bq−1u[j]〉)

= a0 + a1γb1〈u[i],u[j]〉 + . . .+ aq−1γ

bq−1〈u[i],u[j]〉

= P (γ〈u[i],u[j]〉)

= 0

=)

Combining Lemma 10 and Theorem 5 gives the following corollary.

Corollary 11. For any S-matching vectors {u[i]}ni=1 ⊆ (Zm)h and S-decodingpolynomial with q monomials there exists a (q, δ, 1

2− qδ)-Locally Decodable Code

C : Fn → Fmh.

Until now, we have assumed there is some set S with S-matching vectors. Butif these do not exist the whole construction is useless. Fortunately there is thefollowing result from Grolmusz [15].

Lemma 12. Let m = p1p2 · · · pr be a product of r distinct primes. Then thereexists c = c(m) > 0, such that for every integer h > 0, there exists an explicitlyconstructible set-system H over the universe of h elements (i.e., H is a set ofsubsets of [h]) and there is a set S ⊂ Zm \ {0} such that:

1. |H| ≥ exp(c (log h)r

(log log h)r−1

).

2. The size of every set H in set-system H is divisible by m, i.e., |H| ≡ 0 modm.

3. Let G,H be any two different sets in set-system H. Then the size of inter-section of G,H modulo m is restricted to be in S, i.e., ∀G,H ∈ H such thatG 6= H it holds that |G ∩H| ∈ S mod m.

4. S is a set of size 2r − 1.

11

5. ∀s ∈ S it holds that s (mod pi) is 0 or 1 for all i ∈ [r].

This result has the following useful corollary.

Corollary 13. For every integer h, r and integer m = p1p2 · · · pr, which is aproduct of distinct primes, there exists a set S of size 2r − 1 and a family of

S-matching vectors {u[i]}ni=1 ⊆ (Zm)h such that n ≥ exp(c (log h)r

(log log h)r−1

).

Proof. Take the set system H as in the previous lemma. For H ∈ H defineuH ∈ (Zm)h to be the indicator vector of H ∈ H. Then for every G,H ∈ H itholds that 〈uH , uH〉 = |H| ≡ 0 mod m and 〈uH , uG〉 = |H ∩G| ∈ S mod m.

=)

Corollary 13 enables us to prove the existence of LDCs with 2r queries.

Theorem 14. For any positive integer r there exists a (q, δ, 12−qδ)-Locally Decod-

able Code C : Fn → FN , with codeword length N = exp(exp(O( r√

log n(log log n)r−1)))and q ≤ 2r.

Proof. Fix m = p1p2 · · · pr with pi prime for i ∈ [r] and pi 6= pj for i 6= j. And fix

some h = exp(O( r√

log n(log log n)r−1))

. From the previous corollary we know

that there exists a set S of size 2r − 1 and n = exp(c (log h)r

(log log h)r−1

)S-matching

vectors. Claim 9 gives us an S-decoding polynomial with at most 2r monomials.Now we know from Theorem 11 that there exists a (2r, δ, 2rδ)-Locally DecodableCode with codeword length mh. For m constant we have mh = exp(O(h)). So,

mh = exp(O(h)) = exp(

exp(O(

r√

log n(log log n)r−1)))

concludes the proof.

=)

For a code with 3 queries we need an S-decoding polynomial consisting of 3monomials, instead of the 2r which are given by Claim 9. Efremenko was able tofind an S-decoding polynomial with 3 monomials by exhaustive search.

Example 15. Let m = 511 = 7 · 73 and let S = {1, 365, 147}. By Corollary 13

there exist S-matching vectors {u[i]}ni=1, u[i] ∈ (Zm)h, where n ≥ exp(c (log h)2

log log h). Set

F = F29∼= F2[X]/(X9 +X4 + 1).

Let γ be the generator of F∗. Then it can be verified that the polynomial P (x) =γ423 ·X65 + γ257 ·X12 + γ342 is an S-decoding polynomial with 3 monomials.

This example together with Corollary 11 proves the main result from [11].

Theorem 16. There exists a (3, δ, 12− 3δ)-Locally Decodable Code C : Fn2t → FN2t

of length N = exp(exp(O(√

log n log log n))) for some t.

12

2.3.3 Binary Case

The construction in the previous section only allows binary codes with at most2 queries (This means t = 1, but then m = 1 and also r = 1). In this sectionwe present a binary code for any number of queries, for which there exists an S-decoding polynomial with the same number of monomials. The previous sectiongave S-decoding polynomials with 3 and 2r monomials for any positive integer r.

Let x = (x1, x2, . . . , xn) ∈ Fn2 be the message. We can also view it as amessage in Fn2t . Let C be the encoding as obtained in the previous section, so

w = C(x) ∈ (F2t)mh . Let P (x) = a0 + a1x

b1 + a2xb2 + · · · + aq−1x

bq−1 be theS-decoding polynomial. Set the codeword to be

w = w0 ◦ w1 ◦ · · · ◦ wq−1 = a0w ◦ a1w ◦ · · · ◦ aq−1w,

the concatenation of aiw for i ∈ {0, 1, . . . , q−1} where aiw is the coordinate-wisescalar multiplication. Here we implicitly define wi to be aiw for i ∈ {0, 1, . . . , q−1}.Note that the codeword length is increased by a factor q, but this is negligible inour parameters.

This codeword is still in F2t and we need one in F2. The previous section showedus we can recover xi using

xiγ〈u[i],ν〉 = w0(ν) + w1(ν + b1u[i]) + · · ·+ wq−1(ν + bq−1u[i]).

We can apply some linear functional L : F2t → F2 on every coordinate of thecodeword. Then we still see

L(xiγ〈u[i],ν〉) = L(w0(ν)) + L(w1(ν + b1u[i])) + · · ·+ L(wq−1(ν + bq−1u[i])).

Of course we want L(xiγ〈u[i],ν〉) = xi and for xi = 0 this holds, because then

L(xiγ〈u[i],ν〉) = L(0) = 0. For xi = 1 it is possible that L

(xiγ〈u[i],ν〉) = L

(γ〈u[i],ν〉) =

0. We need to find a ν such that L(γ〈u[i],ν〉) = 1. A restriction on ν affects the

smoothness of the decoder, since we cannot pick ν uniformly at random anymore.To restrain this, we choose L such that P[L(γ〈u[i],ν〉) = 1] ≥ 1

2for all i ∈ [n].

Lemma 17. There exists a linear functional L : F2t → F2 such that

∀i ∈ [n] Pν∈(Zm)h [L(γ〈u[i],ν〉) = 1] ≥ 1

2

Proof. Note that for a random ν, 〈u[i], ν〉 is a random number in Zm, since u[i] 6= 0∀i ∈ [n]. Therefore it is sufficient to find an L such that

Pj∈Zm [L(γj) = 1] ≥ 1

2.

13

For fixed j and random L, P[L(γj) = 1] = 12, so

EL[Pj∈Zm [L(γj) = 1]] =1

2

But then there exists an L such that

Pj∈Zm [L(γj) = 1] ≥ 1

2

=)

We can now give step by step instructions for the code.

The Code: Choose a linear functional L : F2t → F2, such that Pj∈Zm [L(γj) =1] ≥ 1

2.

1. Let x = (x1, x2, . . . , xn) ∈ Fn2 be the message.

2. Let C be the code obtained from working in F2t .

3. Define C(x) = w0 ◦w1 ◦ · · · ◦wq−1 = L(a0C(x)◦a1C(x)◦ · · · ◦aq−1C(x)). Weapply L to every coordinate of a0C(x) ◦ a1C(x) ◦ · · · ◦ aq−1C(x).

The Decoder D:

1. Pick ν ∈ (Zm)h at random conditioned on L(γ〈u[i],ν〉) = 1.

2. Query w0(ν), w1(ν + b1u[i]), . . . , wq−1(ν + bq−1u[i]).

3. Output xi = w0(ν)⊕ w1(ν + b1u[i])⊕ · · · ⊕ wq−1(ν + bq−1u[i]).

Theorem 18. The binary code C defined above is a (q, δ, 12−2qδ)-Locally Decodable

Code.

Proof. First, we will show the decoder decodes correctly. As before, by linearity,we only have to show DC(ei)(j) = δij.

We start with the case DC(ei)(i),

DC(ei)(i) = L(a0γ〈u[i],ν〉)⊕ L(a1γ

〈u[i],ν+b1u[i]〉)⊕ · · · ⊕ L(aq−1γ〈u[i],ν+bq−1u[i]〉)

By definition of the matching vectors 〈u[i], ν + cu[i]〉 = 〈u[i], ν〉 + c〈u[i], u[i]〉 =〈u[i], ν〉. And so

DC(ei)(i) = L(a0γ〈u[i],ν〉)⊕ L(a1γ

〈u[i],ν〉)⊕ · · · ⊕ L(aq−1γ〈u[i],ν〉)

= L(a0γ〈u[i],ν〉 ⊕ a1γ

〈u[i],ν〉 ⊕ · · · ⊕ aq−1γ〈u[i],ν〉)

= L(P (1)γ〈u[i],ν〉)

= L(γ〈u[i],ν〉)

= 1.

14

For DC(ei)(j) with i 6= j we see

DC(ei)(i) = L(a0γ〈u[j],ν〉)⊕ L(a1γ

〈u[j],ν+b1u[i]〉)⊕ · · · ⊕ L(aq−1γ〈u[j],ν+bq−1u[i]〉)

= L(γ〈u[j],ν〉 (a0 ⊕ a1γ

b1〈u[j],u[i]〉 ⊕ · · · ⊕ aq−1γbq−1〈u[j],u[i]〉))

= L(γ〈u[i],ν〉P (γ〈u[j],u[i]〉))

= L(0)

= 0.

Secondly, we prove that if at most a δ-fraction of a corrupted codeword

w = w0 ◦ w1 ◦ · · · ◦ wq−1

is corrupted, the probability of querying a corrupted index is at most 2qδ. Let δjbe the fraction of corrupted bits in wj, then 1

q

∑q−1j=0 δj = δ. Because L was chosen

such that ν could be picked uniformly from at least half of all possible values, theprobability that query j will be corrupted is at most 2δj. The probability that oneof the queries is corrupted is at most

∑q−1j=0 2δj = 2qδ.

For w = C(x) we have perfect recovery. Hence, for w a corrupted codewordwhich is corrupted up to a δ-fraction, it holds that

P[Dw(i) = xi] ≥ 1− 2qδ.

=)

2.4 Matching Vector Codes

One could say there are three families of Locally Decodable Codes, separated bythe technical ideas that underlie them. The first family of codes is based on Reed–Muller codes [23].

The second family of Locally Decodable Codes are based on Private InformationRetrieval Schemes. As already mentioned there is a close connection betweenPrivate Information Retrieval and Locally Decodable Codes. It is possible toconvert one into the other and vice versa. More details about the conversion canbe found in Section 3.3.

The third and youngest family of Locally Decodable Codes is the family ofMatching Vector Codes. The framework was initiated by Yekhanin in [30]. Thecode consists of evaluating a certain polynomial in Fq[x1, . . . , xn] in all points ofFnq for some finite field Fq. The decoding procedure is based on shooting a linein a certain direction and decoding along it. The polynomials used depend onthe chosen matching family of vectors. The LDCs of Efremenko [11] as described

15

in the previous section can also be viewed in the Matching Vectors framework.Since the introduction there have been some improvements in the decoder, suchthat it can tolerate larger fractions of errors [4, 10]. The currently used matchingfamilies of vectors are based on a result by Grolmusz [15] which is given in theprevious section, but if matching families of vectors with better parameters arediscovered, they can easily be plugged in the Matching Vectors framework to yieldbetter Locally Decodable Codes. Unfortunately, there is a very recent result fromBohwmick et al. [5] which gives an upper bound on the size of matching families.This upper bound is fairly close to the size of the currently used matching familiesand implies that Matching Vector Codes cannot be improved very much.

In this section we will only briefly touch the basic encoding and decoding proce-dures for Matching Vector Codes. For more details, improved decoding proceduresand the construction of matching families, we refer to [31].

In the rest of this section we will follow the beginning of Chapter 3 in [31]. Asmentioned before, the code evolves around matching families of vectors.

Definition 19. Let S ⊆ Zm \ {0}. Two families U = {u[i]}ni=1 and V = {v[i]}ni=1

of vectors in (Zm)h form an S-matching family if

• 〈u[i], v[i]〉 = 0 ∀i ∈ [n],

• 〈u[i], v[j]〉 ∈ S ∀i, j ∈ [n], such that i 6= j.

If we have a set S and two S-matching families U and V in (Zm)h we are ableto construct a Locally Decodable Code. To do this we first need some notation.

• Let q be a prime power such that m divides q − 1. Denote the subgroup ofF∗q of order m by Cm.

• Let γ be a generator of Cm.

• For w ∈ (Zm)h and γ ∈ Zm define γw by (γw1 , γw2 , . . . , γwh).

• For w, v ∈ (Zm)h define the multiplicative line Mw,v by

Mw,v = {γw+λv | λ ∈ Zm}.

• For u ∈ (Zm)h define the monomial monu ∈ Fq[z1, z2, . . . , zh] by

monu(z1, z2, . . . , zh) =∏i∈[h]

zuii .

16

Note that for u, v, w ∈ (Zm)h and λ ∈ Zm it holds that

monu(γw+λv) =

∏i∈[h]

γ(wi+λvi)ui

=∏i∈[h]

γwiuiγλviui

= γ〈w,u〉(γλ)〈v,u〉

.

So evaluating monu in Mw,v is the same as evaluating

γ〈w,u〉z〈v,u〉 (2.1)

for z = γλ ∈ Cm. We can use this observation to our advantage as will becomeclear in the decoding algorithms.

Theorem 20. Let the families U = {u[i]}ni=1V = {v[i]}ni=1 be an S-matchingfamily in (Zm)h, where |S| = s. Then there exists an (s+ 1, δ, 1

2− (s+ 1)δ)-Locally

Decodable Code C : Fnq → Fmhq .

Proof. First we show how the encoding works.Encoding: Let x ∈ Fnq be a message. We encode x by

C(x) =

(n∑j=1

xj ·monu[j](y)

)y∈(Cm)h

(Concatenation of∑n

j=1 xj ·monu[j](y) for all possible values of y into one vector).Just like in the LDC of Efremenko, we can view the codeword for a fixed x as ahomomorphism which maps y to

∑nj=1 xj ·monu[j](y).

Now let w be a corrupted version of the codeword C(x) which is corrupted upto a δ-fraction. Suppose we want to recover xi.

Basic Decoding:

• Pick a random ν ∈ (Zm)h.

• Query w(γν+λv[i]) for all λ ∈ {0, 1, . . . , s}.

• Recover the sparse univariate polynomial p(z) ∈ Fq[z] such that supp(p)2

⊆ S ∪ {0} and p(γλ) = w(γν+λv[i]) for λ ∈ {0, 1, . . . , s}.

• Return xi = p(0)

γ〈u[i],ν〉.

2For p ∈ Fq[z], supp(p) is the set of powers of the monomials in p with non-zero coefficients,i.e., for a monomial 6ze in p, e ∈ supp(p).

17

To show that this decoding procedure works, we first assume w is the non-corrupted codeword C(x) of x. Then by (2.1),

w(γν+λv[i]) =n∑j=1

xj ·monuj(γν+λv[i])

=n∑j=1

xj · γ〈u[j],ν〉z〈u[j],v[i]〉

for z = γλ ∈ Cm. We can use the properties of the S-matching family to see that

n∑j=1

xj · γ〈u[j],ν〉z〈u[j],v[i]〉 = xi · γ〈u[i],ν〉 +∑

j∈[n]\{i}

xj · γ〈u[j],ν〉z〈u[j],v[i]〉

= xi · γ〈u[i],ν〉 +∑s∈S

∑j∈[n]:〈u[j],v[i]〉=s

xj · γ〈u[j],ν〉

zs.

(2.2)

Denote the function from 2.2 by f(z), then it is clear that supp(f) ⊆ S ∪ {0}.Since p the sparse univariate polynomial that is chosen such that for every λ ∈{0, 1, . . . , s}, p(γλ) = w(γν+λv[i]) = f(γλ) and supp(p) ⊆ S ∪ {0}, we see that

p(0) = f(0) = xi · γ〈u[i],ν〉.

Note that p is unique due to standard properties of Vandermonde matrices [21].The decoding procedure returns the correct xi when the codeword is not corrupted.

Suppose a δ-fraction of the codeword is corrupted. Since ν is picked uniformlyat random, each query goes to a random location. The probability that one querypicks a corrupted entry is δ. Applying the union bound yields the desired result.

=)

The decoding procedure above is essentially the same as the one used in the LDCfrom Efremenko [11]. What happens in the proof above is that we interpolate thepolynomial p(y) to obtain the free coefficient. For m and S with special properties,it is sometimes possible to recover the free coefficient with a smaller number ofqueries. This is what Efremenko did to obtain better parameters for 3 queries.

The decoding procedure can be improved in terms of tolerating a larger fractionof errors. The procedure above can tolerate up to a 1

2s-fraction of errors for s

the number of queries. In [10], using the assumption that the elements of S arebounded for some positive real, a decoding procedure is given which can tolerateup to a 1

4-fraction of errors, independent from the number of queries.

For more details, better decoding procedures and information about the con-struction of matching families we refer to [31].

18

3 Classical Private InformationRetrieval

3.1 Definition and First Example

We start this chapter by giving the formal definition of a Private InformationRetrieval scheme.

Definition 21 (Private Information Retrieval scheme). A one-round (1−δ)-securek-server Private Information Retrieval scheme with recovery probability 1

2+ε, query

size t, answer size a for an n-bit database x, consists of a randomized algorithm(the user), and k deterministic algorithms S1, S2, . . . , Sk (the servers), such that

• For some input i ∈ [n], the user generates k t-bit strings q1, q2, . . . , qk (called“queries”) and sends these to the respective servers S1, S2, . . . Sk. Everyserver Sj sends back an answer aj = Sj(x, qj).

• The user outputs a guess b for xi based on a1, a2, . . . , ak and i. The probabilitythat b = xi is at least 1

2+ ε for all x, i.

• For all x and j, the distributions on qj are δ-close (in total variation dis-tance1) for different i.

In this thesis we only consider schemes with δ = 0 (The servers get no informa-tion at all about i, informally one could say the odds of guessing i correctly afterexecuting the scheme are the same as before) and ε = 1

2(perfect recovery).

We will illustrate a PIR scheme with O(√n) communication complexity for 2

servers.

Example 22. First we arrange the n-bit database in a√n ×√n square (if n is

not a square just add 0s until it is). Each bit xi from the database is uniquelydetermined by coordinates (i1, i2). The user generates some random string q1 ∈{0, 1}

√n. She sends q1 to server 1 and q2 = q1⊕ ei1 to server 2. Let C` be the `-th

column of the database. Server s answers with the string qs· C1, qs· C2, . . . , qs· C√n.

1For two probability distributions p, q the total variation distance is given by 12

∑x |p(x)−q(x)|,

where x runs over all possible inputs.

19

The user selects q1 · Ci2 and q2 · Ci2 and calculates

(q1 · Ci2)⊕ (q2 · Ci2) = (q1 · Ci2)⊕ ((q1 ⊕ ei1) · Ci2) = ei1 · Ci2 = xi.

3.2 Better Schemes

Already when Chor et al. introduced PIR in [8] they presented schemes with

lower communication complexity. For the 2-server case they achieved O(n13 ) bits

of communication and for the general case of k servers O(n1k ) bits were used.

The scheme with O(n13 ) bits of communication is nowadays still the best known

and we will present it here. To do this we will first give the following scheme whichserves as a basis for the best known 2-server scheme.

Example 23 (Private Information Retrieval scheme with communication com-

plexity O(n1d ) for k = 2d servers.). The n-bit database x is replicated over k = 2d

non-communicating servers S1, S2, . . . , S2d. First, we assume without loss of gen-erality that n = `d. We embed x in the d-dimensional (hyper)cube such that everyindex j is associated with a d-tuple (j1, j2, . . . , jd) and so xi is uniquely determinedby a d-tuple (i1, i2, . . . , id). The scheme consists of three steps.

1. The user selects d random subsets Q01, Q

02, . . . , Q

0d ⊆ [`]. We write q0

1, q02, . . . q

0d ∈

{0, 1}` for the corresponding indicator strings.

She defines q11 = q0

1 ⊕ ei1, q12 = q0

2 ⊕ ei2, . . ., q1d = q0

d ⊕ eid. From theseindicator strings we can construct sets Q1

1, Q12, . . . , Q

1d.

We can convert every number of a server into binary such that every serveris identified by a string σ1σ2 . . . σd ∈ {0, 1}d. The user sends the stringsqσ11 , q

σ22 , . . . , q

σdd to server Sσ1σ2...σd.

2. Server Sσ1σ2...σd receives qσ11 , qσ22 , . . . , q

σdd and then also knows the correspond-

ing sets Qσ11 , Q

σ22 , . . . , Q

σdd . The server replies with the bit

Aσ1σ2...σd =⊕

j1∈Qσ11 ,j2∈Q

σ22 ,...,jd∈Q

σdd

xj1,j2,...,jd

3. The user calculates the exclusive-or from the k bits she has received.

xi =⊕

σ1σ2...σd∈{0,1}dAσ1σ2...σd

20

The scheme works since the bit xi1,i2,...,id is only added to the exclusive-or onceand all other entries are added an even number of times, which can be seen asfollows. The bit xi1,i2,...,id is added only by server S0d, while if we consider anotherbit xj1,j2,...,jd which differs from xi1,i2,...,id by at least coordinate jt 6= it we see

(j1, j2, . . . , jd) ∈ Qσ11 × · · · ×Q

σt−1

t−1 ×Q0t ×Q

σt+1

t+1 × · · · ×Qσdd

if and only if

(j1, j2, . . . , jd) ∈ Qσ11 × · · · ×Q

σt−1

t−1 ×Q1t ×Q

σt+1

t+1 × · · · ×Qσdd .

So, if we calculate the exclusive-or, the entries which are added an even number oftimes cancel and the only value that remains is xi1,i2,...,id.

The privacy is guaranteed since from the point of the server it gets d randomstrings and it receives either S0

j or S1j for j ∈ [n] but never both. So no information

about the index i is leaked.As far as the communication is concerning, the user sends d strings of ` bits to

each server and each server replies with one bit resulting in a total communicationof k · (d · `+ 1) = 2d · (d · n 1

d + 1) = O(n1d ).

To improve the scheme we make use of so-called covering codes.

Definition 24 (Covering Codes). Consider the set {0, 1}d. A Covering Code Cdwith radius r is a collection Cd = {c1, c2, . . . , ck} ⊆ {0, 1}d such that the balls ofradius r, where the distance is given by the Hamming distance, around the elementsin the set Cd cover the whole set {0, 1}d i.e.,

{0, 1}d ⊆ ∪cj∈CdB(cj, r)

where B(cj, r) is the set of all strings {0, 1}d which differ in at most r positionsfrom cj.

An easy example is the following.

Example 25. Consider the set C1 = {000, 111}. Then

B(000, 1) = {000, 001, 010, 100},B(111, 1) = {111, 110, 101, 011},

and so B(000, 1) ∪B(111, 1) = {0, 1}3.

We can use this example to give the 2-server PIR scheme with communicationcomplexity O(n

13 ).

21

Example 26. Consider the scheme from Example 23 for 8 = 23 servers.Server S000 gets the queries q0

1, q02, q

03. Server S001 also gets q0

1 and q02, but the

third query will be of the form q03 ⊕ ej for j ∈ [ 3

√n]. We let S000 emulate S001 by

sending the 3√n bits corresponding to the 3

√n replies which could have been sent by

S001. In the same way it also emulates S010 and S100.Server S111 emulates S110, S101 and S011 in the same fashion and so we get a

2-server scheme with a total communication of 2 · (3 · 3√n + 1) = O(n

13 ) bits of

communication.

It is an open question if there exist 2-server PIR schemes with lower communi-cation complexity. The best known lower bound for 2-server PIR is (5−o(1)) log n[28]. So there is a huge gap between this lower bound and the best known upper

bound of O(n13 ).

The cover codes trick does not only work for the 2-server scheme, but for coveringcodes with radius 1 in general.

Theorem 27. Let d and k be integers such that there exists a k-word CoveringCode of radius 1 for {0, 1}d. Then there exists a Private Information Retrievalscheme for k servers holding an n-bit database with communication complexityO(k + (2d + (d− 1) · k) · n 1

d ).

Proof. We embed the n-bit database into the d-dimensional (hyper)cube. Supposethe user is interested in xi which corresponds to position (i1, i2, . . . , id). Just like

in the scheme in Example 23 she randomly selects Q01, Q

02, . . . , Q

0d ⊆ [n

1d ] with

corresponding indicator strings q01, q

02, . . . q

0d ∈ {0, 1}l. She sets q1

1 = q01 ⊕ ei1 , . . .,

q1d = q0

d ⊕ eid and to the servers Sc with σ1 . . . σd = c ∈ Cd she sends the stringsqσ11 , . . . , q

σdd . These servers send their own 1-bit answer (see Example 23) and the

n1d possible answers (n

1d -bits) from the servers corresponding to the words covered

by the codeword c. The user receives the information she needs to retrieve xi andthe privacy is guaranteed, since the servers get the same information as in example23, only their answer functions are different. The users send d ·n 1

d bits to k servers,for these k servers only 1-bit answers are needed and for the other 2d − k servers(note that it suffices to emulate a a server only once2) n

1d bits are sent as reply.

This sums up to k + (2d + (d− 1) · k) · n 1d bits.

=)

Another case where this result is interesting is the case of {0, 1}4 where we havethe covering code C4 = {0000, 1111, 1000, 0111}. Applying the theorem above

results in a PIR scheme for 4 servers with communication complexity O(n14 ). For

{0, 1}d with d ≥ 5 there do not exist Cover Codes which improve previously knownresults.

2Formally, we consider an exact cover of {0, 1}d by sets Scj ⊆ B(cj , 1) for j ∈ [k].

22

The scheme from Chor et al. with O(n1k ) communication complexity was first

improved by Ambainis [1].

Theorem 28. There exists a k server Private Information Retrieval scheme with

communication complexity O(n1

2k−1 ).

For more than 5 years this was the best know construction, but in 2002 it wasimproved to the best known PIR scheme which does not use LDCs and is due toBeimel et al. [3]. In their article they presented a scheme which gave the followingtheorem.

Theorem 29. There exists a Private Information Retrieval scheme for k ≥ 3

server with communication complexity nO( log log kk log k

)

Finally, we present a way to balance the number of bits sent by the user and thenumber of bits send by the server. Often schemes are unbalanced in the sense thatthe user sends more bits to the server than the server to the user or vice versa.The following example illustrates a way to use this to our advantage and lower thecommunication complexity of such schemes.

Example 30. Suppose we have a Private Information Retrieval scheme for ann-bit database, then we can derive a scheme for an m · n-bit database as follows.

1. The user views the m · n-bit database as an m× n matrix.

2. To retrieve the bit at position (i1, i2), the user sends the same query it wouldhave sent to retrieve the i2th bit from an n bit database.

3. The servers send m answers each. Each answer is the answer it would havegiven if it was executing the scheme for an n-bit database with one of the mrows (from the matrix) as database.

4. From the answers to the i1th row, the user can compute the desired bit.

An application of this method is the scheme from Example 22. It is constructedfrom the following basic 2-server scheme.

Example 31.

1. The user selects an n-bit string q1 at random.

2. Define q2 = q1 ⊕ ei and send q1 to server 1 and q2 to server 2.

3. The servers reply with the inner product modulo 2 between the query qj,j ∈ {1, 2} and the n-bit database.

4. The user exclusive-ors the 2 bits she receives.

23

3.3 Connection between Smooth Codes and PIR

We already saw a link between Smooth Codes and Locally Decodable Codes. Thissection will give a connection between Smooth Codes and PIR. There has been atime where the best known constructions of LDCs came from PIR schemes. Thisis due to the following theorem from [17] which is a generalisation of the 1-securecase of Lemma 7.1 in [14].

Theorem 32. Assume we have a one-round, 1-secure, k-server Private Infor-mation Retrieval scheme with recovery probability 1

2+ ε, query size t and answer

size a for an n-bit database x. Then there exists a (k, k + 1, ε)-Smooth CodeC : {0, 1}n → ({0, 1}a)N , with N ≤ (k2 + k)2t.

Proof. We enumerate all possible answers from each server. The PIR system can

be viewed as an encoding of the database x ∈ {0, 1}n as PIR(x) ∈ ({0, 1}a)k2t .The user can reconstruct xi using k queries (the ones which are generated duringthe PIR scheme). These queries all correspond to an a-bit block of PIR(x), namelythe answer the corresponding server would give. This is already a correct decoder,except it is not smooth yet.

Let PIR(x)j denote the j-th block of a bits from PIR(x) and let pj denotethe probability that PIR(x)j is queries while decoding some bit xi. This pj isindependent of i since we have a 1-secure PIR scheme. Note that

∑j pj − k.

The smooth code C encodes x as PIR(x) where each entry PIR(x)j is copieddpjk2te times.

The decoding algorithm first selects k queries q1, . . . , qk in the same way thedecoding algorithm for PIR(x) selects the queries. The queries q1, . . . , qk all cor-respond to an entry of PIR(x). Additionally one of the dpjk2te copies is selecteduniformly at random. Thus every entry is queried with probability

pj ·1

dpjk2te≤ pjpjk2t

≤ 1

k2t.

The code consists of the following number of a-bit blocks

N =k2t∑j=1

dpjk2te ≤k2t∑j=1

1 + pjk2t = k2t +k2t∑j=1

pjk2t = (k + 1)k2t.

The probability that an entry is queried is at most k+1N

.

=)

Nowadays the best PIR schemes come from LDCs. The following theorem isnot really needed for this conversion, since the best known LDCs already possessa perfectly smooth decoder with perfect recovery. But suppose we have an LDCwhich had to be converted into a Smooth Code using Theorem 4, then we can usethe following theorem from [6] to make it perfectly smooth.

24

Theorem 33. Let C : {0, 1}n → {0, 1}N be a (q, c, ε)-Smooth Code, then C is alsoa (q, q, ε

2

2c)-Smooth Code.

Each query is distributed uniformly, which gives us the tools to create a PIRscheme.

Theorem 34. Let C : {0, 1}n → ({0, 1}a)N be a (q, q, ε)-Smooth Code. Thenwe can construct a one-round, 1-secure, q-server Private Information Retrievalscheme with recovery probability 1

2+ ε, query size log(N) and answer size a.

Proof. Both the user and the servers act like the database x is encoded in C(x).Suppose the user wants to retrieve xi. The user generates queries using the smoothdecoder. These are all indices from C(x). The user sends each query to a differentserver. Each server responds with the bit corresponding to the received index.From these answers the user can retrieve the desired bit using the smooth decoder.

The privacy is guaranteed since every index is queried with probability qm

.

=)

The following corollary is immediate from the previous theorem and the LocallyDecodable Codes from Efremenko.

Corollary 35. For every positive integer r there exists a one-round, 1-secure, 2r-server Private Information Retrieval scheme with recovery probability 1, query size

nO(r

√( log logn

logn )r−1

)and answer size 1.

Proof. From Theorems 14 and 18 we obtain a binary (2r, 0, 12)-Locally Decodable

Code of length

exp(

exp(O(

r√

log n(log log n)r−1)))

= exp

nO(r

√( log logn

logn )r−1

) .

Due to Lemma 10 the code is perfectly smooth with perfect recovery. UsingTheorem 34 yields the desired PIR scheme.

=)

Theorem 16 gives us a (3, 0, 12)-Locally Decodable Code with codeword length

exp

(nO(√

log lognlogn

)). Converting this into a PIR scheme using Theorem 34 yields

the currently best-known PIR scheme for 3 servers.

Corollary 36. There exists a one-round, 1-secure, 3-server Private Information

Retrieval scheme with recovery probability 1, query size nO(√

log lognlogn

)and answer

size 1.

25

4 Quantum Private InformationRetrieval

4.1 Preliminaries

4.1.1 Qubits and Quantum States

Consider the vector space C2. We can choose an orthonormal basis |0〉 and |1〉 and

identify these with the vectors

(10

)and

(01

). This is called Dirac (or Bra–Ket)

notation. The conjugate transpose |φ〉∗ of vector |φ〉 is written as 〈φ|. The innerproduct of two vectors |φ〉 and |ψ〉 is given by 〈φ| |ψ〉 or 〈φ |ψ〉 and the Euclideannorm of a vector |φ〉 is ‖ |φ〉 ‖ =

√〈φ |φ〉.

A qubit is a unit-length vector in this space, and we can write it as a linearcombination of the basis states

α0 |0〉+ α1 |1〉 =

(α0

α1

),

where |α0|2 + |α1|2 = 1. The complex numbers α0 and α1 are called amplitudes.One can think of the qubit as being in both basis states at the same time, thequbit is in a superposition of basis states |0〉 and |1〉.

One qubit “lives” in the vector space C2, but an n-qubit system “lives” in the2n-dimensional tensor space V = C2 ⊗ · · · ⊗ C2. For example, a 2-qubit systemhas 4 basis states: |0〉 ⊗ |0〉 , |0〉 ⊗ |1〉 , |1〉 ⊗ |0〉 and |1〉 ⊗ |1〉. If the system is instate |1〉 ⊗ |0〉, the first qubit is in state |1〉 and the second qubit is in state |0〉.This is often abbreviated as |1〉 |0〉, |1, 0〉 or even |10〉.

An n-qubit quantum register can be in any state of the form∑i∈{0,1}n

αi |i〉 where∑

i∈{0,1}n|αi|2 = 1.

Note that i is a bitstring which is also used as an index. We will often viewbitstrings as decimal numbers. This can also happen with basis states. A basisstate is of the form |b1b2 . . . bn〉 with bi ∈ {0, 1}. We can also write the basis states

26

as |0〉 , |1〉 , |2〉 , . . . , |2n − 1〉. The sum above is therefore the same as

2n−1∑i=0

αi |i〉 .

A mixed state {pi, |φi〉} is a classical probability distribution over pure quan-tum states. The system is in state |φi〉 with probability pi. We can represent amixed quantum state with a density matrix ρ =

∑i pi |φi〉 〈φi|. This ρ is a posi-

tive semidefinite operator with trace 1 (the sum of the diagonal entries is 1). Inparticular the density matrix of a pure state |φ〉 is ρ = |φ〉 〈φ|.

Sometimes we have a state where Alice has some of the qubits and Bob holdsthe rest. For this total state we can write down the density matrix, but we wouldalso like to write down the density matrix to describe Alice’s local state. We cando this by tracing out Bob’s part. For a matrix A⊗B, TrB(A⊗B) = A · Tr(B).This can be extended linearly to all matrices that are not of product form. Now,for a bipartite state ρAB Alice’s local density matrix is given by ρA = TrB(ρAB).

4.1.2 Measurements

One thing we can do with a quantum state is measuring it. Consider an n-qubitsystem. The most basic form of measurement we can do is measuring in thestandard basis. For a quantum state

2n−1∑i=0

αi |i〉

this means that if we observe the state we will “see” a basis states |i〉 with proba-bility |αi|2. If we measure a state the superposition will collapse to some observedstate |j〉. All the information that was contained in the state is gone and only |j〉is left.

A little more general type of measurement is a projective measurement. Wejust measured in the standard basis, but we can measure in any orthogonal basis.A projective measurement is described by projectors P1, . . . , Pm(m ≤ 2n) with∑m

j=1 Pj = I and PiPj = 0 for i 6= j. Every projector Pj projects on some subspaceVj of our total space V . These spaces are pairwise orthogonal and every state |φ〉can be decomposed in a unique way as sum of orthogonal states |φ〉 =

∑mj=1 |φj〉

where |φj〉 = P |φ〉 ∈ Vj. When we apply this measurement to the state |φ〉 we willmeasure Pj |φ〉 with probability ‖Pj |φ〉 ‖2 = tr(Pj |φ〉 〈φ|). The state will then also

collapse toPj |φ〉‖Pj |φ〉‖ (the normalisation is needed to make sure we end up with a unit-

length vector). Note that the measurement in the standard basis is a projectivemeasurement consisting of the 2n matrices Pj = |j〉 〈j|.

27

The most general type of measurement we can do, is instead of using pairwiseorthogonal projectors, using positive semidefinite matrices which sum up to theidentity matrix. For a mixed quantum state given by the density matrix ρ andpositive semidefinite operators Ei = M∗

iMi (i ≤ n) subject to∑

iEi = I thismeans that the probability of observing the ith outcome is given by pi = tr(Eiρ) =

tr(MiρM∗i ). If the measurement yields outcome i the state collapses to

MiρM∗i

tr(MiρM∗i ).

An important property of qubits or quantum mechanics in general is entangle-ment. This refers to correlations between different qubits. Multiple qubits areentangled if their state cannot be written as a tensor product of seperate qubits.There is, for example, the EPR-pair1

1√2

(|00〉+ |11〉) .

Suppose we measure the first qubit in the standard basis and we end up with a |0〉the whole state collapses to |00〉. We have also collapsed the second qubit withoutobserving it.

4.1.3 Evolution

Besides measuring a quantum state we can also apply some operation to it.

|φ〉 = α0 |0〉+α1 |1〉+. . .+α2n−1 |2n − 1〉 7→ β0 |0〉+β1 |1〉+. . .+β2n−1 |2n − 1〉 = |ψ〉

In quantum mechanics we are only able to apply linear operations. This implies

that if we view a state |φ〉 as a 2n-dimensional vector(α1 α2 . . . αn

)Tan op-

eration corresponds to some 2n × 2n-dimensional matrix U .

U

α0...

α2n−1

=

β0...

β2n−1

.

Note that |ψ〉 = U |φ〉 = U(∑2n−1

i=0 αi |i〉) =∑2n−1

i=0 αiU |i〉 by linearity.After applying the operation we need to end up with a unit vector. This means

the operation U must preserve the norm of vectors and therefore is a unitary trans-formation. Since every unitary is invertible (the inverse is the conjugate transpose)every operation has an “undo” operation. This as opposed to a measurement whichis non-reversible.

1Named after Einstein, Podolsky and Rosen who where the first to examine this phenomenonand the paradoxical properties [12].

28

An example of such an operation on one qubit is the Hadamard transform, givenby the matrix

1√2

(1 11 −1

).

On the basis states this results in

H |0〉 =1√2|0〉+

1√2|1〉

H |1〉 =1√2|0〉 − 1√

2|1〉 .

Something worth mentioning here is that if we apply the Hadamard transform onthe state 1√

2|0〉+ 1√

2|1〉 we get

H

(1√2|0〉+

1√2|1〉)

=1√2H |0〉+

1√2H |1〉

=1

2|0〉+

1

2|1〉+

1

2|0〉 − 1

2|1〉

= |0〉 .

The positive and negative amplitude of |1〉 cancel each other out. This phenomenonis called interference.

4.1.4 Queries

A query to an m-bit string y is the following unitary transformation, where j ∈ [m]and b ∈ {0, 1} is the target bit:

|j〉 |b〉 7→ |j〉 |b⊕ yj〉 .

By setting the target bit to 1√2(|0〉+ |1〉) we get a so-called phase query

|j〉 7→ (−1)yj |j〉 .

It is also possible to add an extra control bit c, which controls whether the phaseis added or not.

|c〉 |j〉 7→ (−1)c·yj |j〉 .

4.2 Locally Decodable Quantum Codes and

Quantum Private Information Retrieval

The definitions of Locally Decodable Quantum Codes (LDQCs) and QuantumPrivate Information Retrieval (QPIR) are basically the same as in the classicalsetting. The only difference is that now, qubits are allowed as communication.

29

Definition 37 (Locally Decodable Quantum Code (LDQC)). A (q, δ, ε)-LocallyDecodable Code is a map C : Γn → ΣN together with a randomised quantumdecoding algorithm A such that

• A makes at most q queries to a string y ∈ ΣN .

• For all x ∈ Γn with Hamming distance d(C(x), y) ≤ δN it holds that

P[Ay(i) = xi] ≥1

2+ ε for all i ∈ [n],

where the probability is taken over the randomness of A, including the ran-domness generated by its measurements.

Definition 38 (Quantum Private Information Retrieval scheme). A one-round1-secure k-server Quantum Private Information Retrieval scheme with recoveryprobability 1

2+ ε, query size t, answer size a, for an n-bit database x, consists

of a randomized quantum algorithm (the user), and k deterministic algorithmsS1, S2, . . . , Sk (the servers), such that

• For some input i ∈ [n], the user generates k t-qubit strings q1, q2, . . . , qk(called “queries”) and sends these to the respective servers S1, S2, . . . Sk. Ev-ery server Sj sends back an answer aj = Sj(x, qj).

• The user outputs a guess b for xi based on a1, a2, . . . , ak and i. The probabilitythat b = xi is at least 1

2+ ε for all x, i.

• The local density matrix of the state received by each server is independentof i.

4.3 Classical to Quantum

In this section we present a way to convert classical LDCs and PIRs into LDQCsand QPIRs. Especially in the PIR setting this results in a great improvement overthe classical case.

For the conversion we need the following lemma due to Kerenidis and de Wolf[19].

Lemma 39. Let f : {0, 1}2 → {0, 1} and suppose we can make queries to the bitsof the input a = a0a1. Then there exists a quantum algorithm that makes only onequery (independent from f) and outputs f(a) with probability exactly 11

14.

30

Proof. Suppose we could construct the state

|ψa〉 =1

2((−1)a0+a1 |00〉+ |01〉+ (−1)a0 |10〉+ (−1)a1 |11〉)

with one quantum query. Then we would be able to determine a with certaintysince the states φb with b ∈ {0, 1}2 form an orthonormal basis. Since this is notpossible with one query, we will approximate the state by

|φ〉 =1√3

(|01〉+ (−1)a0 |10〉+ (−1)a1 |11〉).

This is done by querying a using

1√3

(|01〉+ |10〉+ |11〉)

where the first bit is the control bit, and the phase (−1)aj is put in front of thesecond register |j〉 if the control bit is 1.

We can measure the resulting state in the basis consisting of the four states|φb〉. The probability that we measure |ψa〉 is | 〈φ |ψa〉 |2 = 3

4and the other three

outcomes all have probability 112

.Based on f and b ∈ {0, 1}2, which we have obtained from our measurement |ψb〉,

the algorithm gives some output. There are four cases for f :

1. |f(a)−1| = 1 i.e., the number of inputs which are mapped to 1 by f is 1.If f(b) = 1 the algorithm outputs 1 with probability 1. If f(b) = 0 thealgorithm outputs 0 with probability 6

7and 1 with probability 1

7.

Now, if f(a) = 1 the probability that the algorithm also outputs 1 is

P[f(b) = 1] · 1 + P[f(b) = 0] · 1

7=

3

4+

1

4· 1

7=

11

14

and if f(a) = 0 the probability that the algorithm outputs 0 is

P[f(b) = 0] · 6

7=

11

12· 6

7=

11

14

2. The case |f(1)−1| = 3 is analogous to the case |f(1)−1| = 1 except 0 and 1are reversed

3. |f(1)−1| = 2. Then P[f(a) = f(b)] = 34

+ 112

= 56. If we let the algorithm

output f(b) with probability 1314

and output 1−f(b) with probability 114

thenthe probability of outputting f(a) is 11

14.

31

4. f is constant. In this case the algorithm outputs that value with probability1114

.

Using this algorithm the probability of outputting f(a) is always equal to 1114

.

=)

We can use this lemma if we know nothing about the function f . In case weknow f is de XOR-function we get a better result.

Lemma 40. Let f : {0, 1}2 → {0, 1} be the function which outputs the XOR of itsinput a = a0a1 i.e., f(a0a1) = a0 ⊕ a1. Suppose we have query access to the inputa, then we can determine f(a) with certainty making only 1 query to the inputa = a0a1.

Proof. We use the query1√2

(|0〉+ |1〉) ,

which results in1√2

((−1)a0 |0〉+ (−1)a1 |1〉) .

Applying a Hadamard transform gives

1

2(((−1)a0 + (−1)a1) |0〉+ ((−1)a0 − (−1)a1) |1〉).

If we measure in the standard basis, we measure |0〉 if a0 = a1 and |1〉 if a0 6= a1.

=)

Note that this is the Deutsch-Jozsa algorithm [9] for the case n = 2.We can use Lemma 39 to the prove the following theorem [19].

Theorem 41. A (2, δ, ε)-Locally Decodable Code C : {0, 1}n → {0, 1}N is also a(1, δ, 4

7ε)-Locally Decodable Quantum Code.

Proof. Consider some x, y such that the Hamming distance d(C(x), y) ≤ δN andfix some i ∈ [n]. From the classical decoder we obtain 2 indices j, k ∈ [N ] andsome f : {0, 1}2 → {0, 1} such that

P[f(yj, yk) = xi] = p ≥ 1

2+ ε.

Here we take the probability over the randomness of the decoder. By Lemma 39we have a 1-query quantum decoder that outputs some bit b such that

P[b = f(yj, yk)] =11

14.

32

The probability that our decoder outputs the correct bit is2

P[b = xi] = P[b = f(yj, yk)] · P[f(yj, yk) = xi]+

P[b 6= f(yj, yk)] · P[f(yj, yk) 6= xi]

=11

14p+

3

14(1− p)

=3

14+

4

7p

≥ 1

2+

4

7ε.

=)

In case the decoder of a (2, δ, ε)-LDC outputs the XOR of its two queried bitswe can give a better reduction using Lemma 40.

Theorem 42. A (2, δ, ε)-Locally Decodable Code where the decoder outputs theXOR of the 2 queried bits is also a (1, δ, ε)-Locally Decodable Quantum Code.

For classical PIR schemes where the answers of the servers consist of 1 bit wecan use the following theorem [19] to reduce the amount of servers needed.

Theorem 43. If there exists a classical one-round 1-secure 2-server PIR schemewith t-bit queries, 1-bit answers and recovery probability 1

2+ ε, then there exists

a quantum one-round 1-secure 1-server PIR scheme with (t + 2)-qubit queries,(t+ 2)-qubit answers, and recovery probability 1

2+ 4

7ε.

Proof. Since the two answers a0 and a1 are 1 bit, the user computes f(a0, a1) forsome function f to retrieve the desired bit. Let q0 and q1 be the queries sent bythe user. The user sets up the (4 + t)-qubit state

1√3

(|01〉∣∣00, 0t

⟩+ |10〉 |10, q0〉+ |11〉 |11, q1〉).

The users keeps the first 2 bits and sends the rest to the server. Since |10, q0〉 doesnot contain any information about i and the same holds for |11, q2〉 the privacy isguaranteed.

2Note that it is important that the algorithm from Lemma 39 computes f(a) with probability‘exactly’ 11

14 . Suppose the classical decoder outputs AND(y1, y2) = xi with probability 35

and XOR(y3, y4) = 1 − xi with probability 25 . Then it outputs xi with probability 3

5 . Butif the quantum algorithm computes AND(y1, y2) with probability 11

14 and XOR(y3, y4) withprobability 1, then its recovery probability is 3

5 ·1114 < 1

2 .

33

Next, the server puts the phase (−1)aj in front of |1j, qj〉, j ∈ {0, 1} and leaves|00, 0t〉 alone. The server can use the first bit as control bit and from the secondbit it knows as which classical server it has to act.

Finally the server sends everything back to the user, who can remove the lastt+ 2 qubits and compute f(a0, a1) with probability 11

14from

1√3

(|01〉+ (−1)a0 |10〉+ (−1)a1 |11〉)

just like in Theorem 41, which gives us an overall recovery probability of 12+ 4

7ε.

=)

Again if the desired bit is the XOR of the 2 queried bits, we can use Theorem42 to obtain a PIR scheme with better recovery.

Theorem 44. If there exists a classical one-round 1-secure 2-server PIR schemewith t-bit queries, 1-bit answers and recovery probability 1

2+ ε where the desired bit

is the XOR of the 2 queried bits, then there exists a quantum one-round 1-secure1-server PIR scheme with (t+ 1)-qubit queries, (t+ 1)-qubit answers, and recoveryprobability 1

2+ ε.

4.4 Multiple Bit Answers

Theorems 43 and 44 only give conversions for classical PIR schemes where theanswers consist of 1 bit. If we consider PIR schemes where the answers consist ofa bits, we cannot use a trivial conversion. Wehner and de Wolf [28] show in theirarticle that given a state 1√

2(|0, a0〉+ |1, a1〉), with a0 and a1 a-bit strings, we can

compute any boolean function f(a0, a1) with success probability 12

+ 12a+1 and that

this is optimal for the XOR function.To show that we can compute f(a0, a1) with probability 1

2+ 1

2a+1 for any Booleanfunction Wehner and de Wolf [28] first prove the following lemma.

Lemma 45. For every f : {0, 1}2a → {0, 1} there exist non-normalized states |φb〉for all b ∈ {0, 1}a such that U : |b〉 |0〉 → 1

2a

∑w∈{0,1}a(−1)f(w,b) |w〉 |0〉+ |φb〉 |1〉 is

unitary.

Theorem 46. Let f : {0, 1}2a → {0, 1} be a Boolean function. Then there existsa quantum algorithm to compute f(a0, a1) with success probability exactly 1

2+ 1

2a+1

from |Ψa0a1〉 = 1√2(|0, a0〉+ |1, a1〉), for a0, a1 ∈ {0, 1}a.

Proof. First we add an extra |0〉 to |Ψa0a1〉 to obtain

1√2

(|0〉 |a0〉 |0〉+ |1〉 |a1〉 |0〉).

34

Let U be as in the previous lemma. We can apply the transform |0〉 〈0| ⊗ I⊗a+1 +|1〉 〈1| ⊗ U , which yields

1√2

|0〉 |a0〉 |0〉+ |1〉

1

2a

∑w∈{0,1}a

(−1)f(w,a1) |w〉 |0〉+ |φa1 |1〉〉

. (4.1)

Define the states |Γ〉 = |a0〉 |0〉 and |Λ〉 = 12a

∑w∈{0,1}a(−1)f(w,a1) |w〉 |0〉+ |φa1〉 |1〉.

We can rewrite the state from 4.1 as 1√2(|0〉 |Γ〉 + |1〉 |Λ〉). Applying a Hadamard

transform to the first qubit results in 12(|0〉 (|Γ〉+ |Λ〉) + |1〉 (|Γ〉 − |Λ〉)). From

〈Γ |Λ〉 =1

2a

∑w∈{0,1}a

(−1)f(w,a1) 〈0| 〈a0| |w〉 |0〉+ 〈0| 〈a0| |φa1〉 |1〉

=1

2a

∑w∈{0,1}a

(−1)f(w,a1) 〈a0| |w〉 〈0| |0〉+ 〈a0| |φa1〉 〈0| |1〉

=1

2a(−1)f(a0,a1),

we see that the probability that the first qubit is a 0 is

1

4〈Γ + Λ |Γ + Λ〉 =

1

2+

1

2〈Γ |Λ〉 =

1

2+

(−1)f(a0,a1)

2a+1.

Thus the probability that we measure f(a0, a1) is always 12

+ 12a+1 .

=)

We will now show that this probability is optimal for the XOR function. Forthis proof the following lemma is needed [28]. For a square matrix A, let ‖A‖trdenote the trace norm of the matrix A, i.e., the sum of its singular values. Thetrace norm of a matrix is invariant under unitary transforms.

Lemma 47. Two density matrices ρ0 and ρ1 cannot be distinguished with proba-bility better than 1

2+ ‖ρ0−ρ1‖tr

4.

Theorem 48. Let f : {0, 1}2a → {0, 1} be the XOR function on 2a bits. Then anyquantum algorithm for computing f from one copy of |Ψa0a1〉 = 1√

2(|0, a0〉+ |1, a1〉)

has success probability at most 12

+ 12a+1 .

Proof. Let ρi = 122a−1

∑a0a1∈f−1(i) |Ψa0a1〉 〈Ψa0a1| for i ∈ {0, 1}. If a quantum

algorithm can compute the XOR of a0a1 with probability 12

+ ε then it can also beused to distinguish between ρ0 and ρ1. From the previous lemma we know thatε ≤ ‖ρ1−ρ0‖tr

4.

35

Let A = ρ0 − ρ1. Then

A =1

22b

∑a0a1∈f−1(0)

|0, a0〉 〈0, a0|+ |1, a1〉 〈0, a0|+ |0, a0〉 〈1, a1|+ |1, a1〉 〈1, a1| −

1

22b

∑a0a1∈f−1(1)

|0, a0〉 〈0, a0|+ |1, a1〉 〈0, a0|+ |0, a0〉 〈1, a1|+ |1, a1〉 〈1, a1|

Every |0, a0〉 〈0, a0|-entry is the same for ρ0 and ρ1, because for some a0 exactlyhalf of the possibilities of a1 will result in f(a0a1) = 0 and the other half resultsin f(a0a1) = 1. The same arguments holds for the entries |1, a1〉 〈1, a1|. Thusthe diagonal of A consists of 0s. For every off-diagonal entry |0, a0〉 〈1, a1| or|0, a0〉 〈1, a1| we see that if the XOR of a0a1 is 0, the entry has value 1

22ain ρ0 and

0 in ρ1. If the XOR of a0a1 is 1, the entry has value 0 in ρ0 and value 122a

in ρ1.

Thus in A the entry has a value of (−1)|a0|+|a1|

22a.

Let |φ〉 = 1√2a

∑w∈{0,1}a(−1)|w| |w〉 then

|φ〉 〈φ| = 1

2a

∑a0,a1∈{0,1}a

(−1)|a0|+|a1| |a0〉 〈a1|

and so we can write

A =1

2a(|0〉 |φ〉 〈1| 〈φ|+ |1〉 |φ〉 〈0| 〈φ|).

Define the unitary transform U and V by

U |0〉 |φ〉 = |0〉 |0a〉 , U |1〉 |φ〉 = |1〉 |0a〉 ,V |0〉 |φ〉 = |1〉 |0a〉 , V |1〉 |φ〉 = |0〉 |0a〉 .

We see

UAV ∗ =1

2a(U |0〉 |φ〉 〈1| 〈φ|V ∗ + U |1〉 |φ〉 〈0| 〈φ|V ∗)

=1

2a(|0〉 |0a〉 〈0| 〈0a|+ |1〉 |0a〉 〈1| 〈0a|).

So,

‖ρ0 − ρ1‖tr = ‖A‖tr = ‖UAV ∗‖tr =2

2a,

which implies

ε ≤ ‖ρ0 − ρ1‖tr4

=1

2a+1.

=)

36

4.5 Quantum Private Information Retrieval

Schemes

The Private Information Retrieval schemes we have obtained from the LocallyDecodable Codes from Efremenko have answer size 1 and the desired bit is obtainedby computing the XOR of the received bits. When allowing quantum bits, Theorem44 enables us to use only half the number of servers needed in the classical case.

Corollary 49. For any positive integer r there exists a one-round 1-secure 2r−1-server Quantum Private Information Retrieval scheme with query size

nO(r

√( log logn

logn )r−1

), answer size n

O(r

√( log logn

logn )r−1

)and recovery probability 1.

Proof. Corollary 35 gives us a 2r-server classical PIR scheme with recovery prob-

ability 1, query size nO(r

√( log logn

logn )r−1

), answer size 1. We make pairs of 2 servers,

each pair can be converted into 1 quantum server which gives the XOR of the2 bits which should have been sent by the 2 classical servers, using Theorem 44.

Each server receives a query of size nO(r

√( log logn

logn )r−1

)and sends back an answer

of size nO(r

√( log logn

logn )r−1

). Computing the XOR of the 2r−1 received bits, yields

the desired bit. Since we only have to calculate the XOR, we can make sure therecovery probability of 1 is maintained.

=)

In Section 3.2 we saw the best known classical 2-server Private Information Re-trieval scheme which has communication complexity of O(n

13 ). There are a lot

of schemes which achieve the same communication complexity, but none of themimprove the scheme. The case r = 2 from the previous corollary does achievea much lower communication complexity for a quantum Private Information Re-trieval scheme. This result gives a large separation between the case where weallow classical bits and the case where we allow quantum bits as communication.

Corollary 50. There exists a one-round 1-secure 2-server Quantum Private In-

formation Retrieval scheme with query size nO(√

log lognlogn

), answer size n

O(√

log lognlogn

)and recovery probability 1.

37

5 Populaire Samenvatting

In de informatica heb je op allerlei momenten te maken met ruis en fouten. Omje hier tegen te wapenen kun je de informatie die overgebracht moet worden,verpakken in een codewoord, zodat als het codewoord een beetje verstoord wordt,je de informatie toch nog kunt terughalen. Soms ben je geınteresseerd in slechtseen deel van de informatie. Bij de standaard coderingstechnieken zal het helecodewoord moeten worden gelezen om de informatie terug te halen en vervolgensmoet je nog gaan zoeken naar het deel wat je nodig hebt. Een oplossing zou zijnom de informatie op te delen en ieder deel apart de coderen. Een nadeel hiervan isdat als precies het codewoord, waar het deel van de informatie die jij wilt weten instaat, verstoord is, je de informatie niet meer kunt terughalen. Je kunt dan LocallyDecodable Codes gebruiken. Ze staan je toe om alle informatie als een codewoordop te slaan en delen van de informatie terug te halen door slechts naar een paarplekken van het codewoord te bekijken.

In Private Information Retrieval wil een gebruiker iets uit een database weten.Ze wil er alleen voor zorgen dat de database niets te weten komt over wat zij wilweten. Het doel is om dit te doen met zo min mogelijk communicatie. In hetgeval dat de database op een server staat, is de enige mogelijkheid om de geheledatabase op te vragen en vervolgens te zoeken daar het ding wat je wil weten.Als de database nu wordt gerepliceerd over meerdere servers die verder niet metelkaar communiceren zijn er protocollen waardoor je het met een stuk mindercommunicatie kan doen.

Locally Decodable Codes en Private Information Retrieval zijn nauw met elkaarverwant. Dit komt door het feit dat je een Locally Decodable Code kan omzettenin een Private Information Retrieval protocol en vice versa. Als je een LocallyDecodable Code hebt, kan de server net doen alsof de database gecodeerd is.Simpel gezegd komt het er nu op neer dat je iedere plek, die je volgens de LocallyDecodable Code nodig hebt om jouw stukje informatie op te halen, kunt opvragenbij een andere server. Hierbij zijn dan nog wat restricties nodig om de privacy tegaranderen.

We kunnen niet alleen kijken naar het geval waar we klassieke computers ge-bruiken, maar we kunnen ook kijken wat er gebeurt als we quantum computerstoestaan. Een klassieke computer maakt gebruikt van bits, deze zijn 0 of 1, aan ofuit. Een quantum computer maakt gebruik van quantum bits of qubits, deze kun-nen in een superpositie van 0 en 1 zijn, waar je over kunt nadenken als een beetje

38

0 maar ook een beetje 1. Dit geeft veel meer mogelijkheden qua berekeningen diewe kunnen doen. Een nadeel van quantum rekenen is dat we zo’n superpositie nietkunnen “zien”. Op het moment dat we de qubit observeren zal de qubit vervallenin een 0 of een 1. Het is niet bewezen dat quantum computers sneller zijn danklassieke computers. Toch zijn er toepassingen waar de best bekende quantumalgoritmes een stuk efficienter zijn dan de best bekende klassieke algoritmes. Inhet geval van Private Information Retrieval zullen we zien dat als we qubits toes-taan als communicatie dit er in sommige gevallen voor zorgt dat we met mindercommunicatie toe kunnen.

39

Bibliography

[1] A. Ambainis. Upper bound on communication complexity of private infor-mation retrieval. In Proceedings of the 24th ICALP, volume 1256 of LectureNotes in Computer Science, pages 401–407, 1997.

[2] S. Arora and S. Safra. Probabilistic checking of proofs: A new characterizationof np. In Journal of the ACM, pages 2–13, 1992.

[3] A. Beimel, Y. Ishai, E. Kushilevitz, and J. Raymond. Breaking theO(n1/(2k−1)) barrier for information-theoretic Private Information Retrieval.In Proceedings of 43rd IEEE FOCS, pages 261–270, 2002.

[4] A. Ben-Aroya, K. Efremenko, and A. Ta-Shma. Local list decoding with aconstant number of queries. In FOCS, pages 715–722, 2010.

[5] A. Bhowmick, Z. Dvir, and S. Lovett. New bounds for matching vector fam-ilies. In Proceedings of 45th ACM STOC, 2013. To appear.

[6] J. Briet and R. de Wolf. Locally decodable quantum codes. In Proceed-ings of 26th Annual Symposium on Theoretical Aspects of Computer Science(STACS’09), pages 219–230, 2009. quant-ph/0806.2101.

[7] C. Cachin, S. Micali, and M. Stadler. Computationally private informationretrieval with polylogarithmic communication. In Proceedings of Eurocrypt’99,volume 1592 of Lecture Notes in Computer Science, pages 402–414. Springer,1999.

[8] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private information re-trieval. Journal of the ACM, 45(6):965–981, 1998. Earlier version in FOCS’95.

[9] D. Deutsch and R. Jozsa. Rapid solution of problems by quantum compu-tation. In Proceedings of the Royal Society of London, volume A439, pages553–558, 1992.

[10] Z. Dvir, P. Gopalan, and S. Yekhanin. Matching vector codes. SIAM J.Comput., 40(4):1154–1178, 2011.

40

[11] K. Efremenko. 3-query locally decodable codes of subexponential length. InProceedings of 41st ACM STOC, pages 39–44, 2009.

[12] A. Einstein, B. Podolsky, and N. Rosen. Can quantum-mechanical descriptionof physical reality be considered complete? Physical Review, 47:777–780,1935.

[13] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. Protecting data privacyin private information retrieval schemes. Journal of Computer and SystemSciences, 60(3):592–629, 2000. Earlier version in STOC 98.

[14] O. Goldreich, H. Karloff, L. Schulman, and L. Trevisan. Lower bounds for lin-ear locally decodable codes and private information retrieval. ComputationalComplexity, 15(3):263–296, 2006. Earlier version in Complexity’02. Also onECCC.

[15] V. Grolmusz. Superpolynomial size set-systems with restricted intersectionsmod 6 and explicit ramsey graphs. Combinatorica, 20:71–86, 2000.

[16] R. W. Hamming. Error Detecting and Error Correcting Codes. Bell SystemTechnical Journal, 26(2):147–160, 1950.

[17] E. M. Hielscher. A survey of locally decodable codes and private informationretrieval schemes. 2007.

[18] J. Katz and L. Trevisan. On the efficiency of local decoding procedures forerror-correcting codes. In Proceedings of 32nd ACM STOC, pages 80–86,2000.

[19] I. Kerenidis and R. de Wolf. Exponential lower bound for 2-query locally de-codable codes via a quantum argument. Journal of Computer and System Sci-ences, 69(3):395–420, 2004. Earlier version in STOC’03. quant-ph/0208062.

[20] E. Kushilevitz and R. Ostrovsky. Single-database computationally privateinformation retrieval. In Proceedings of 38th IEEE FOCS, pages 364–373,1997.

[21] R. Lidl and H. Niederreiter. Finite fields. Cambridge University Press, 1983.

[22] J. Lint. Introduction to Coding Theory. Springer, third edition, 1998.

[23] F. MacWilliams and N. Sloane. The Theory of Error-Correcting Codes. North-Holland, 1977.

41

[24] I. S. Reed and G. Solomon. Polynomial Codes Over Certain Finite Fields.Journal of the Society for Industrial and Applied Mathematics, 8(2):300–304,1960.

[25] C. E. Shannon. A mathematical theory of communication. Bell System Tech-nical Journal, 27:379–423, 623–656, 1948.

[26] P. W. Shor. Polynomial-time algorithms for prime factorization and dis-crete logarithms on a quantum computer. SIAM Journal on Computing,26(5):1484–1509, 1997. Earlier version in FOCS’94. quant-ph/9508027.

[27] R. Sion and B. Carbunar. On the computational practicality of private in-formation retrieval. In Proceedings of the Network and Distributed SystemsSecurity Symposium, pages 2006–06, 2007.

[28] S. Wehner and R. de Wolf. Improved lower bounds for locally decodable codesand private information retrieval. In Proceedings of 32nd ICALP, volume3580 of Lecture Notes in Computer Science, pages 1424–1436, 2005. quant-ph/0403140.

[29] D. Woodruff and S. Yekhanin. A geometric approach to information-theoreticprivate information retrieval. SIAM J. Comput., 37(4):1046–1056, Oct. 2007.

[30] S. Yekhanin. Towards 3-query locally decodable codes of subexponentiallength. Journal of the ACM, 55(1), 2008. Earlier version in STOC’07.

[31] S. Yekhanin. Locally decodable codes. Foundations and Trends in TheoreticalComputer Science, 2011.

42