 through the magic of wireless technology. I'm going to stand here. So I'm going to talk about quantum advantage in single server information theoretic peer, and this is joined to work with Dorita Aronov, Kaiming Chang, Ayal Green, Ching Hilei, and Orsetat. So we're going to talk about single server private information retrieval. So let's sort of recall the setup even though I believe that most of you have seen this before. So what we have is a server that holds a database, and this database is big. It contains capital and entries, and we have a client that has some index, and the client wants to recover the jth element from this from this database. And what we want is a protocol that will allow the client to recover the jth element in the database in a private way. So in such a way that the server does not learn any information about J. At least this is sort of the intuitive notion of private information retrieval. This is the notion of privacy. So we want to get such a protocol, and so we have correctness and privacy requirements, and in this talk I'm just going to talk about perfect correctness and perfect privacy. This can of course be relaxed, but it adds like orders of magnitudes of complexity. So we're talking about perfect security, so no information about Js being leaked, and perfect correctness, so the correct value is always being learned. And the question is, how much communication do you need in order to perform this task? So of course, one trivial strategy is for the server to send the entire database, like capital N bits of or elements of information, and the question is whether it's possible to do it with less communication. Optimally, you would want something like log in bits of communication because, well, just information theoretically specifying the index J takes something like log n bits, or takes log n bits exactly. So this would be sort of the optimal goal, and the question is one question, the first question that you would ask is whether this is possible to achieve information theoretically. So in our case, even perfectly, with perfect privacy and perfect correctness, and once you think about it for a second, you realize that this should be impossible, at least sort of in the more well-studied model of classical communication. And the reason is because the transcript does not reveal any information about the index J, then this means that we can essentially sample J after the fact. So the client does not actually commit to the value J. So after executing with a server, you can decide, well, actually, the value J that I want is, well, J equals one, J equals two, J equals three, and because of the correctness, he's actually going to be able to recover the entire database without any additional communication, just based on executing the protocol once. So this is not possible with classical communication, so the next question that you would ask, well, at least in this session, is whether it's possible to use quantum communication to help. So what do I mean by a quantum communication protocol? Well, now, instead of just exchanging classical bits, the client and the server can also exchange Q bits or quantum information, and they're also allowed quantum communication, quantum computation, sorry. I should say that even though we're talking about an information theoretic setting, whenever I will talk about algorithms, I will present efficient algorithms, and whenever I will talk about impossibility results, the impossibility results will also hold against unbounded entities. So the fact that we're talking about information theoretic setting does not actually sort of take away anything. So why would you hope, even, that quantum communication can help in this setting? So when you think about quantum information or Q bits, then you realize that unlike classical information, quantum information in general cannot be copied, so this means that this sort of notion of I'm going to keep this transcript on the side and use it many times, well, you need to think a little bit about how to actually sort of generalize this argument. In addition, the process of measurement actually allows you to destroy information in the quantum setting. So this is, again, something that could be useful when you talk about privacy, the ability to sort of destroy information in a way that is not recoverable information theoretically. So you would think that perhaps quantum communication can help in this setting, but sort of when you think about a little more, you actually realize that for a reasonable model, this should not be doable, and this is a long sequence of works actually starting with low in 97, and we'll talk a little bit more about it. So you can actually think about this generalization of the classical argument that I described before, but the way that I will present it is actually sort of in a slightly different way that will be more useful for our purposes. But let's not give up just yet. So there are some restricted models where you can actually show some quantum advantage. So for example, you can assume some structure on the database, but this is not the setting that we're going to talk about today. What I do want to mention is at least two works by Legale and Byker and Nidesedal that do give some protocol that has non-trivial communication complexity, but the privacy model is actually not very clear in these works, and the tension between these two things sort of made us sort of try to think whether it is possible to define a meaningful model where these positive results actually do make sense and do imply some notion of privacy, or whether you can just sort of put it in the trash. I think sort of the way that Legale at least presents his work is he shows this protocol and analyzes this protocol and then says, well, here's the reason why this protocol is useless. So we're saying, you know, let's wait a second and think for a bit more before like putting these things away. So let me talk a little bit about the attack, the superposition attack. And as I said, this method was used in many variants to sort of show impossibility for many cryptographic applications in the information theoretic setting. So starting with commitments, I think the first work that considered, to some extent, private information retrieval is by Nyak, the same work that where he showed impossibility of random access codes. And the last work that I know of is by Baumeler and Broadbent in 2015. So let's consider a quantum protocol. And our protocol, I'm going to talk about peer specifically, it has classical functionality. So we can think about a classical database as input and classical index as the input for the client. And the functionality is that for any classical database, we're guaranteed that the client should learn the jth element of the database. So what is the attack? So rather than executing the protocol on a classical database, you're actually executing it on a superposition of databases. And the first thing is that you might think that this might not be well defined. However, because the original protocol is well defined for classical inputs, then you can actually sort of extend it. You can think about it as sort of a classically controlled quantum circuit and extend it to a unitary that actually applies also to a superposition. So this is a minor technicality. This can be done. And what you get when you apply it, when you apply the protocol and superposition is sort of superposition of executions of the protocol. How does this help? Well, or how does this help in showing something bad? So one thing that you can say is that in this execution over superposition, in the end, we're required that the client actually learns some value. It learns the jth entry of the database. And this actually means that the jth entry of the superposition will actually collapse to a classical value, because the client actually learns some value, and this value needs to be consistent with the database array that the server holds. So we know that jth entry is going to collapse. On the other hand, since the communication complexity is low, then in a sense, we know that the superposition of databases behaves like a superposition that doesn't collapse much. And through the magic of quantum Fourier transform, you can actually sort of translate these two statements into the following things. So the fact that most entries do not collapse means that after you perform Fourier transform, almost the entire array is going to be zero. And the fact that the jth entry did collapse means that actually, in the jth entry, you're going to get a random value. So putting these two together, it means that the server can actually learn the value j, and the parameter sort of depends on what you assume on the communication complexity and correctness and security. So this is the superposition attack, and it shows sort of a pretty strong privacy, pretty strong privacy violation. So we know that this is not this. So this is why we think that, why people think that quantum communication has no advantage in this setting. But let's try to sort of, try to think about the model of privacy that we, a reasonable model of privacy or the weakest possible model of privacy that we can think of that actually makes sense and see what happens when we try to apply this attack. So let's talk about sort of, I guess, honesty and curiosity in the quantum, in the quantum setting. So as I said, we do know of these non-trivial protocols. So Legal presented a protocol with square root of n communication complexity between the client and the server. And Karenini said, they showed a protocol with actually like almost perfect communication complexity up to a constant, so only O of log n. But they did not do it in the sort of standard model that I described here. They require some setup. So they require that the server and client pre-share some quantum correlation or entanglement between them. And in particular, this entanglement needs to be pretty big. So you need capital N of these so called EPR pairs in order to execute their protocol. However, these EPR pairs, of course, do not depend on the input. And actually, as we show in our paper, they can also be reused. So after you're done executing the protocol, you can actually recover the setup, at least if the server and client cooperate, and re-run the protocol. So this is a slightly stronger model to require a setup, but you get a much stronger result in terms of communication complexity. So what can you show about these protocols? So what was shown, at least in Legal's paper, so the data is used there. It talks about quantum information cost and the privacy is only a tool that is used there. They're talking about mutual information. So I think this specific analysis does not appear there, but it can be done. And what at least Legal shows is that for any database and any index J, after any message, after any sort of message that is exchanged in this protocol, the local state of the server is independent of the value J. Or if you want to be fancy, the density matrix of the sort of marginal state of the server is independent of the value J that the client holds. And this is true for any database, for any classical database and any classical index J. So this is one notion of security that you can think of, but it's actually kind of weak because, well, it allows, at least it gives rise to some notion that I'll call the honest model. So normally, in cryptography, we try to talk about honest but curious, but let's try to think about a purely honest model in this context. And in the purely honest model, we just assume that the server plays by the rules completely. And we want to argue that even in this case, the information that is learned about J is zero. So you don't get any information. You don't get any information about J. And let me emphasize that it's actually important to require that this holds after any message that's exchanged in the protocol because, well, as I said, quantum information can be destroyed. So you can say, like, even trivially, the client could just send J to the server. The server is going to send back the value of the database in J, and then afterwards, measure in the Hadamard basis, which essentially means that you eliminate all the information about J. So in the end of the execution, the server does not have any information about J, but still, we don't view this as sort of even, this is not even honest privacy, I would say. So we want to require that, at any point in time, the server does not have information about J. So this is what I call honest privacy. And actually, you can think about a slightly stronger version because I told you that the server can destroy information in the end of the protocol, but perhaps it's also not fair to ask of it to destroy information during the protocol. So you can think about a purified honest model where we just assume that the server cannot perform any measurement. So this is sort of the honest model. However, the standard model that people normally consider for quantum protocols is called specious privacy, and this is a somewhat stronger model. There, you sort of assume that the server is allowed to have, in our case, this is defined for general protocols, but I'm going to talk about peer, the server is allowed to have a secret drawer where he can sort of hide information. And what we're going to say, we're going to require that the server is allowed to have a secret drawer, but at any point in time, we can sort of call up the server and say we're coming to do an inspection, and then the server can sort of tidy up the lab and put whatever he wants in the drawer, but then we come to the server's lab and take the server state and also take the client state, take the joint state together and compare it to what was supposed to have happened in the honest protocol. And at any point, the server is allowed to have a secret drawer, so this is the specious model, and again, this is sort of quantified over all possible inputs. So this is clearly a stronger model, and for example, if you want to talk about the superposition attack that we described before, well, again, you could say, well, when we come to the server's lab, we're going to check whether the state of the database register is in superposition or not. However, if you think about what's a purifying register, so you can think about generating a state, and this is actually what happens if you just think about an EPR pair. So if you think about an EPR pair, if you look at the marginal distribution of each bit, then it looks completely uniform. So if I take an EPR pair and put one of the bits in the drawer and just show you one of them, then you will think that I just generate the classical random bit. However, the superposition attack can actually be executed in the specious model, and this is sort of why in this sort of reasonable model you cannot get any quantum advantage for private information retrieval. I should say that sometimes people refer to specious privacy as the quantum analog of honest by curious or semi-honest. Maybe it's the closest analog that exists, but actually specious privacy is defined specious privacy also in the classical setting, and there is a very simple example that's in this Dupuay Dal paper that shows that specious privacy even in the classical setting is stronger than semi-honest. So this is just sort of pedagogical remark. So let's try to think in the context of these definitions that we discussed, what can we say, how can we sort of relate the notion that we get, the privacy notion that we get from these non-trivial protocols to these notions that we just discussed, and one thing that we can see is that here I said that in the non-trivial protocols I said that this condition holds for any database and for any value J, and by that I mean every classical database and every value J, whereas both in the honest case and definitely in the specious case, the honest case, I don't think it's defined in literature, but definitely in the specious case you are allowing the input to be in superposition and you allow auxiliary input which effectively allows the input to be in superposition. So there is some gap here which sort of leads to our attempt to define a model that is both as close as possible to this specious model and also captures non-trivial non-trivial properties of the quantum setting. So the first result that we show is this new weak privacy model and we call this anchored privacy and the point in this model is just to not allow the input of the server to be in superposition. So this is essentially the definition of the model. I'm going to talk about it a bit more in the next slide. And what we show is that the previous protocols you can show that they're anchored honest and proof. So this anchored thing just essentially means that the input of the server must be classical. So you can sort of adapt it to the honest setting and also to the specious setting and hopefully in the future for more settings. And what you can see is that well just by observing the analysis that was done before or redoing the analysis for the second algorithm you can show that if the if the protocol keeps the server pure so if the server does not perform any measurements in the protocol which is indeed the case in those protocols that I discussed then you can sort of prove that it's going to be secure in this anchored honest model. We then show that if you have a protocol that is secure in this model so this anchored honest model is actually does actually imply privacy also in the anchored specious model. So actually if you're preventing the superposition attack so the only thing you're not allowing to put your input in superposition then in fact the honest model actually converges with the specious model. So maybe this sort of the anchored honest seems kind of weak but anchored specious well hopefully it seems slightly less weak. So this actually means that in a sense the superposition attack is the only thing that stops you from getting protocols with perfect communication complexity because we know that we have there exist protocols in this model with logarithmic communication complexity although with this little star that you need the pre-shared entanglement. The last thing we show is a lower bound for one-sided communication which essentially helps us to show that this pre-shared entanglement actually doesn't help much in the reason why we are able to get stronger results is not because the pre-shared entanglement. So let me talk a little bit more about anchored specious privacy. So we put an anchor on the database entry we force the database to be a classical value not in superposition and in terms of making it a formal definition it's actually not very hard to take the definition of specious and add an additional requirement that the state of the register that holds the database has to be some classical value specific classical value and again what we showed is that if the server is pure so it does not perform any measurements then anchored honest privacy also implies anchored specious privacy so just having this hidden drawer is not actually going to help you and let me briefly explain why but before I do that let me say that as I said before this could be some indication that the superposition attack is very strong but it's perhaps the only strong tool that prevents us from getting so whenever this attack does not apply you can hope to get very good communication complexity for pure so the proof idea uses at least I like to think about is a variant of this notion of monogamy of entanglement so what we're saying is that if the server is pure we can does not perform or does not perform any measurement and the client and the client is also can also always be made pure because we don't have any privacy requirement from the client then the joint client server state is also going to always be a pure state and we know that if you have a pure state then even if you have an additional register in the drawer then these two registers have to be tens of products of each other so the additional information that you have in the drawer is not actually going to be correlated at all with the information that you need to show for the inspection so you might as well not put anything in the drawer or the convergence of the notions of species and honest privacy in this case so this is the definition and this is what we can do with it but let's take a step back and ask well does it even make sense to make this definition I don't have super strong argument but let me try to convince you anyway so first of all at least it's not trivial to write down I mean you can write it and stare at it and it doesn't immediately seem trivial but moreover I don't think it's completely contrived so does it make sense with foreseeable quantum technology I don't know what is foreseeable quantum technology I'm sure other people are more qualified to answer than me but one could imagine a state of affairs where you are forced to store the servers forced to store their database on some media that cannot be easily placed in superposition I don't know think about taking your database and just writing it on a piece of paper it's going to be pretty hard for an adversary to put a piece of paper in superposition between all possible values so you could maybe think that in some settings this is actually something that you can enforce also as a sort of just for in terms of scientific inquiry right we want to understand the state of the art this was the motivation for this for this entire study we want to understand this tension between the strong negative results and these weird positive results and this is one formal way of making it sort of formalizing this connection and hopefully this is going to be a stepping stone for a stronger notion I'm going to talk about it in my last slide about open problems so I'm skipping the slide about the lower bound on one side of the communication complexity you can see that in the paper so we think about this just again just as a first step you can think of trying to find out that we have a model of security can you come up with better quantum peer in this model in the honest model and the anchored model so can you get log in communication without entanglement again in this weak model and these protocols actually require multiple rounds of communication whereas sort of the protocols that we like are just two rounds message from the client to the server and then a message back can you get the single round protocol with non-trivial properties I should say that the Karenidis et al paper actually has a protocol that we don't analyze that gives polylog communication complexity without entanglement but again they work in a different model and one should check whether it holds in this anchored species model as well I would guess that yes but this is just a guess extending this anchored notion to the malicious setting so we have some ideas but we don't have any results in these models and perhaps once you have this notion you can think about other applications other than peer for example fully home like information theoretic fully homomorphic encryption is something that comes to mind can you come up with a weak yet meaningful model where this is possible thank you we have time for one question hi admittedly I haven't read your paper so I should check the details first but the model kind of reminds me a little bit of quantum oblivious rams if you have ever heard of it so where logarithmic communication complexity is also possible so I was wondering if you can tell us something about the difference or if you have looked at it so I don't know about quantum oblivious RAM so there you want to say that the access pattern so I guess the my answer is that the connection should be the same as the connection of classical private information retrieval and and ORAM so one thing is that in ORAM the all the all the server sees the physical access pattern and you want to hide the logical access pattern I hear the server also sees the the internals of the database this is sort of what comes to mind but these models are different and I imagine they are different in the quantum setting as well so I would need to think of the definition for a second before I can say sure thank you let's thank the speaker again