While QKD allows one to secure the communication between two trustfull parties, many more cryptographic tasks can be considered. Here we consider a situation in which Alice wants to learn about an element of a database held by Bob, without letting Bob know which element she’s interested in.
This task is also known as 1 out of N oblivious transfer (for a database of N ele-ments) [75]. The security of the database querries consists of two parts:
• Database security: Bob wants to bound the information that Alice can access on his database. Ideally he would like this information to be restricted to 1 bit per querry.
• User privacy: Alice wants to bound the probability that Bob can learn which item of his database she is interested in. Ideally, he should get no information about it.
Even though it was proved that both aspects of the security cannot be fully satisfied at the same time [76, 77], Giovannetti, Lloyd and Maccone [78] recently proposed a quantum protocol that could provide a reasonable level of security for both the user and the database provider.
However, in lossy situations the security of their protocol is compromised: since it requires Alice to send her question to Bob before knowing whether her system will come back with an answer or not, Bob can take advantage of the losses by requiring Alice to send her question several times, and thus learning what her question is with high probability.
Here we propose a protocol for private database queries based on the SARG QKD protocol [79], which is fundamentally noise-resistant. After presenting the main ideas of our protocol, we argue about the partial security it provides to both the database provider, and the user.
4.2.1 Sketch of the protocol
The protocol for private database queries presented here is based on the SARG04 QKD protocol [79], and only differs in the classical processing. We summarize here the main steps of the protocol.
Distribution : Bob uniformly chooses one of the four qubit-states | ↑i, | →i, | ↓i,
| ←i and sends it to Alice. Alice measures the quantum system she received from Bob either in theσx or in theσz basis and records the measured state.
Sifting : If Alice didn’t receive some systems from Bob, due to losses, she tells so to Bob which discards these runs. This allows the protocol to be loss resistant since at this stage, no information about the database, or about Alice’s question has been exchanged. For the systems that Alice received, Bob announces a pair of states within the following ones which contains the state he prepared: {| ↑i,| →i},{| →i,| ↓i},{| ↓i,| ←i}, {| ←i,| ↑i}.
Transcoding : Bob translates the state | ↑i and | ↓i to bits 0, and | ←i and | →i to bits 1. On her side, knowing her measurement results as well as the sifting sets, Alice
4.2 Private database queries
tries to guess the bit that Bob computed. This can be summarized in the following table if her measurement result is| ↑i:
Alice’s measurement result sifting set guess of Bob’s state guess of Bob’s bit
| ↑i {| ↑i,| →i} ? ?
| ↑i {| →i,| ↓i} | →i 1
| ↑i {| ↓i,| ←i} | ←i 1
| ↑i {| ←i,| ↑i} ? ?
Information reduction : The bit string of lengthk×N is divided intoksubstrings of lengthN. These substrings are added bitwise, yielding a string of lengthN. The bitwise addition is commutative and acts as +⊕+ =−⊕−= +, +⊕−=−, +⊕? =−⊕? =? (c.f.
Figure 4.3). If Alice is left with a string of question marks ?, the protocol is restarted.
If this happens too often, Bob aborts the protocol to avoid that Alice keeps only cases where she has few question marks.
Figure 4.3: Alice’s information on the key is reduced by xor-ing several keys together.
Database access : Alice announces the number s=j−iwhere j is the item of the database that she’s interested in and i is an item of the xor-ed key Kf that she knows.
Bob announces the N bits Ci = Xi⊕Ki+sf where Xn are the elements of his database.
Alice deduces the element she’s interested inXi =Ci⊕Kjf. 4.2.2 Discussion
As mention above, a private database query protocol must provide two kinds of security.
First, the database holder needs some guarantees that little information about his full database is revealed during the protocol. To see why this is the case here, we realize that the only way for Alice to know elements of Bob’s database is by guessing bits in the key Kf. But the states that Alice needs to discriminate for this, even after having learned the sifting sets, are not orthogonal to each other. An individual attack thus never allows her to learn Bob’s bit with certainty. There is thus a bound on how much information on the database Alice has access to in this case. In paper [H] we discuss in more details how the reduction step ensures that the key hold by Alice contains many question marks, so that she cannot learn many elements of Bob’s database.
Second, the user needs to make sure that the database holder has little chance of guessing the element of the database that she is interested in. In order to learn the item of the database that Alice is interested in, Bob needs to guessj, the item of Alice’s final key that is different from a question mark. He thus needs to learn about the conclusiveness of Alice’s transcoding. But the choice of Alice’s measurement bases is unknown to Bob, he can thus never be sure whether she translated her result to a question mark or not.
This remains partly true even in the case that Bob sends different states than the ones prescribed by the protocol (c.f. paper [H] for more details).
Quantum information put into practice
The above protocol for database queries thus provides some level of security for both the user and the database provider, while being resistant to losses. The exact amount of security provided is however not very clear yet. In particular, we only considered here specific individual attacks. It would thus be interesting on one side to study more general attacks, and on the other side to develop security proofs for given classes of attacks.
Chapter 5
Finite-speed hidden influences
The violation of a Bell inequality with space-like separated measurements precludes the explaination of nonlocal correlations in terms of causal influences propagating slower than light. Yet, these correlations can still be explained in a causal manner if one gives up Bell’s locality condition. Indeed, this is the explanation followed when one says something like
“A measurement on the singlet state |ψ−i = √1
2(|01i − |10i) yielding result ‘0’ in the computational basis of Alice prepares the state |1i for Bob”. With a slightly different taste, Bohmian mechanics also provides a causal explanation for quantum correlations, which does not rely on quantum steering or collapse of the wavefunction. However, both of these explanations are much more nonlocal than a simple violation of Bell’s local causality condition implies: not only do they involve faster-than-light influences at a distance, but these influences also have immediate effects on distant particles no matter how far away they are. Here we question whether such a strong violation of the notion of locality is necessary or not.
5.1 Finite-speed propagation and v -causal theories
One way of violating Bell’s local causality condition while still keeping a notion of “locality”
is to allow causal influences to propagate faster than light, but only up to some finite speed v < ∞. In this way, instantaneous influence at a distance is avoided, and causal influences can still be understood as propagating in spacetime, i.e. acting locally, “de proche en proche”.
Since the advent of special relativity, it might seem uncalled-for to consider faster-than-light propagations in space-time1. Indeed, it is well-known that faster-than-light in-formation transmission in a Lorentz-invariant theory can generate temporal paradoxes [9].
However, this needs not be the case if the theory describing the interaction with supra-luminal transmissions is not Lorentz-invariant. For instance, if the speed of every faster-than-light communication is defined in a unique reference frame, then a temporal order is restored.
Considering thus a preferred reference frame for definiteness, we can formalize the idea of finite-speed causal influences as follows: to every event K, a past and a future v-cone can be associated in the preferred frame (c.f. Figure 5.1a). What happens at K can only influence other events lying in the future v-cone of K, andK can only depend on what is contained within its pastv-cone. We denote byA < Bconfigurations in which
1As a matter of fact, the same remark applies to instantaneous influences of the kind we just mentioned, which is rarely mentioned.
Finite-speed hidden influences
time future
past
a) b) c)
K A A
B
B
space Figure 5.1: Space-time diagram in the preferred reference frame a) The past and future v-cones (hatched areas) define the sets of events that can influence, or that can be influenced by K within a v-causal theory. b) A < B: finite-speed influences can propagate from A toB. c) A ∼ B: no influence can be directly exchanged between two events which are not in each other’sv-cones.
Alies in the pastv-cone ofB, andA∼B those in whichAand B lie outside each-other’s v-cones (c.f. Figure 5.1b-c). Any theory satisfying these constraints is referred to as being v-causal. Note that Bell’s condition of local causality is recovered forv=c.
5.1.1 v-causal models and experimental limitations
Clearly, v-causal theories, just like locally causal ones, are fundamentally incompatible with quantum physics. Indeed, they don’t allow two parties to violate a Bell inequal-ity if their measurements are performed simultaneously in the preferred frame, whereas quantum physics predicts that such inequalities can be violated independently of the space-time location of the measurements. Provided that correlations in nature agree with the quantum predictions, one could thus expect to be able to rule out v-causal models experimentally.
However this is not directly possible. Indeed, due to the finite accuracy inherent to every experimental manipulation, a v-causal model with sufficiently large speed v can always explain the experimental violation of a Bell inequality. Moreover, since quantum correlations are no-signalling, they can always be reproduced with the aid of the one-way communication available tov-causal models. Thus, quite on the contrary, if all correlations that can be observed in Bell-like experiments agree with the quantum predictions, then they can also be explained by av-causal theory.
Experiments performed so far have thus only been able to put a lower bound on the speedvthat is needed for the viability of v-causality. For instance, Salart et al. [91] and Cocciaro et al. [92] have shown that, if the speed of the earth in the preferred frame is less than 10−3c, then v-causal theories must have a speedv larger than 10000 times the speed of lightc.
Given that experimental results cannot rule outv-causal models directly, we examine below in more details the potential physical consequences of these theories.
In the following we distinguish between several kinds of correlations. First, correla-tions are referred to aseasily accessible in an experiment if they don’t require very good synchronization between any measurements. All correlations that av-causal model can freely choose because influence was able to propagate through all parties are of this kind.
Second,hardly accessible correlations are those which require nearly perfect synchroniza-tion, the degree of synchronization required depending on the speedvof the model. Since some measurements are too simultaneous to allow influences to propagate between them in this case,v-causal models cannot produce all possible correlations of this kind. Finally,