Prior entanglement exponentially improves one-server quantum private information retrieval for quantum messages

Abstract

Quantum private information retrieval (QPIR) for quantum messages is a quantum communication task, in which a user retrieves one of the multiple quantum states from the server without revealing which state is retrieved. In the one-server setting, we find an exponential gap in the communication complexities between the presence and absence of prior entanglement in this problem with the one-server setting. To achieve this aim, as the first step, we prove that the trivial solution of downloading all messages is optimal under QPIR for quantum messages, which is a similar result to that of classical PIR but different from QPIR for classical messages. As the second step, we propose an efficient one-server one-round QPIR protocol with prior entanglement by constructing a reduction from a QPIR protocol for classical messages to a QPIR protocol for quantum messages in the presence of prior entanglement.

1 Introduction

1.1 Private information retrieval (PIR)

Entanglement is a valuable resource for quantum information processing, enabling various tasks including quantum teleportation [1] and dense coding, also known as entanglement-assisted communication [2]. Although entanglement-assisted communication enhances the speed not only for conventional communication but also for secret communication, their improvements are limited to constant times [3, 4]. In addition, it is often assumed in theoretical investigations of distributed quantum protocols that prior entanglement is available as a free resource because prior entanglement can be seen as a quantum counterpart of prior shared randomness [5, 6]. That is, one of great advantages of quantum system is to use prior entanglement instead of prior randomness. For further development of entanglement-assisted communication, we need to find significant improvement by entanglement-assisted communication.

For this aim, we focus on private information retrieval (PIR) as Fig. 1, a task in which a user retrieves a message from a server without revealing which message has been retrieved, when the server possesses multiple messages. Hence, PIR is a key technology for keeping the privacy because it enables a person to hide his/her demand even with making his/her request. Therefore, it is a crucial issue for quantum information whether the use of entanglement enhances the performance of PIR.

Figure 1

One-server QPIR protocol with quantum messages. At round i, the user uploads a query \(Q^{(i)}\) and downloads an answer \(A^{(i)}\)

Many papers [7–21] studied Quantum PIR (QPIR), i.e., PIR using quantum states, when the intended messages are given as the classical messages. This problem setting is simplified to C-QPIR. On the other hand, since various types of quantum information processings require the transmission of quantum states, i.e., the quantum messages [22–26], it is needed to develop QPIR for quantum messages, which is simplified to Q-QPIR, while no preceding paper studied this topic. In addition, in the multi-party quantum computing [27, 28], we often need to transmit quantum messages, i.e., quantum input states, instead of classical messages since it requires the protection of the coherence during the process of quantum computation. Therefore, for further development of quantum computer science, it is important to study various communication with quantum messages in addition to classical messages.

In this paper, to enhance quantum information technology, we study private information retrieval for quantum messages with one server, and present an exponential speedup through the use of prior entanglement as a significant improvement. Although there have been mainly two approaches: PIR with computational assumptions [29, 30] and PIR with multiple servers [31–33], recent attention has focused on information-theoretic aspects of PIR [34–48]. In this paper, we solely consider one-server QPIR without computational assumptions.

1.2 QPIR for classical messages

PIR has also been studied when quantum communication is allowed between the user and the server [7–21]. These papers consider the case when the total number of bits in the messages is \(\mathsf{m}\). For the secrecy in C-QPIR, we often focus on the potential information leakage in all rounds, which is called the all-round criterion in this paper and has been studied under several security models. One is the honest-server model, in which, we discuss the user’s secrecy only when the server is honest, i.e., the server does not deviate from the protocol. The other is the specious-server model, in which, we discuss the user’s secrecy even when the server deviates from the protocol as far as its dishonest operations are not revealed to the user, which is called specious adversary. The secrecy under the specious-server model has a stronger requirement than the secrecy under the honest-server model. Interestingly, under the honest-server model, Le Gall [11] proposed a C-QPIR protocol with communication complexity \(O(\sqrt{\mathsf{m}})\) in the all-round criterion, and Kerenidis et al. [12] improved this result to \(O(\mathrm{poly}\log \mathsf{m})\) in another criterion, where the communication complexity in the quantum case is the total number of communicated qubits. Baumeler and Broadbent [10] considered the case when the specious-server model is adopted and the possible input states are extended to arbitrary superposition states. Then, they proved that the communication complexity is at least \(\Theta (\mathsf{m})\), i.e., the trivial solution of downloading all messages is optimal also for this case. While indeed less realistic than the fully dishonest server model, investigating the honest model and the specious model is very often a fundamental (and necessary) step in cryptographic applications. Such investigations receive significant attention from the quantum cryptography community. For instance, the key paper [13] also focused on QPIR in the honest server model and the specious server model. These facts show that this problem setting has sufficient impact in the area of quantum computer science. In this paper, when arbitrary superposition states are allowed as input states, we consider the following; The user is required to recover the correct classical information only when the input state is a classical state. In other words, when the input state is a superposition state, any output is considered as a correct outcome.

Even when prior entanglement is allowed between the user and the server, the communication complexity is also lower bounded by \(\Theta (\mathsf{m})\) under the specious-server model with the above extended possible input states [13]. Therefore, the advantage of prior entanglement is limited under the specious-server model with the above extended possible input states. In contrast, prior entanglement might potentially have polynomial improvement under the honest-server model, but it is still unclear how much prior entanglement improves communication complexity under the honest-server model.

When the server truly follows the protocol, the information obtained by the server is limited to the server’s final state. Hence, the information leakage in the server’s final state can be considered as another criterion, which is called the final-state criterion. While the final-state criterion under the honest-server model is a too weak setting, it is reasonable to consider the final-state criterion under the specious-server model, which is essentially equivalent to the cheat-sensitive setting studied in [49].

1.3 Our contributions

In this paper, for Q-QPIR protocols and the total number \(\mathsf{m}\) of qubits, we show that the communication complexity is at least \(\Theta (\mathsf{m})\), i.e., the trivial solution of downloading all messages is optimal for one-server Q-QPIR even in the final-state criterion and even with the honest-server model if prior entanglement is not allowed between the server and the user. This fact shows that prior entanglement between the server and the user is necessary for further improvement under the one-server model even for Q-QPIR under the honest-server model, the weakest secrecy requirement. To overcome this problem, we propose a one-server Q-QPIR protocol with prior entanglement between the server and the user, which achieves the communication complexity \(O(\log \mathsf{m})\). That is, prior entanglement has exponential improvement for Q-QPIR under the honest-server model.

1.4 Organization of this paper

The remainder of the paper is organized as follows. Section 2 gives the definitions of several concepts and the outline of our results including the comparison with existing results. Section 3 is the technical preliminaries of the paper. Section 4 presents our results for C-QPIR protocol with communication complexity \(O( \log \mathsf{m})\). Section 5 derives the lower bound of the communication complexity for Q-QPIR in the final-state criterion under the honest-server model when prior entanglement is not shared. Section 6 proposes an efficient Q-QPIR protocol with prior entanglement under various settings. Section 7 is the conclusion of the paper.

2 Definitions and outline of our results

2.1 Definitions of various concepts

To briefly explain our results, we prepare the definitions of various concepts to cover C-QPIR protocols and Q-QPIR protocols in a common framework.

2.1.1 Correctness, complexity, and unitary-type

To discuss the properties of our QPIR protocols, we prepare several concepts. First, we define the set \(\mathcal{S}\) of possible quantum states as a subset of the set \({\mathcal{S}}({\mathcal{H}}_{d})\) of states on \(\mathbb{C}^{d} \). A QPIR protocol is called a QPIR protocol with \(\mathbb{C}^{d} \) over the set \(\mathcal{S}\) when it works when the set \(\mathcal{S}\) is the set of possible quantum states. For example, when \(\mathcal{S}\) is the set \({\mathcal{C}}\) of orthogonal pure states \(\{ |j\rangle \}_{j=0}^{d-1}\), a QPIR protocol is a C-QPIR protocol discussed in [10]. In contrast, when \(\mathcal{S}\) is the set \({\mathcal{Q}}\) of all pure states on the system \(\mathbb{C}^{d} \), a QPIR protocol is a Q-QPIR protocol. When we do not identify the set \(\mathcal{S}\), we consider that it is given as the above case. We denote the number of messages by \(\mathsf{f}\). A QPIR protocol Φ has two types of inputs. The first input is composed of \(\mathsf{f}\) messages, whose systems are written as \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\). Their state is written as \(\mathsf{f}\) states \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \mathcal{S}^{\mathsf{f}}\). The second input is the choice of the label of the message intended by the user, which is written as the random variable K. The quantum system to describe the variable K is denoted by \({\mathcal{K}}\). We denote the remaining initial user’s and server’s systems by \({\mathcal{R}}_{u}\) and \({\mathcal{R}}_{s}\), respectively. The output of the protocol is a state \(\rho _{out}\) on \({\mathcal{H}}_{d}\).

A QPIR protocol Φ has bilateral communication. The communication from the user to the servers is the upload communication, and the communication from the servers to the users is the download communication. The communication complexity is composed of the upload complexity and the download complexity. The upload complexity is the sum of the communication sizes of all upload communications, and the download complexity is the sum of the communication sizes of all download communications. The sum of the upload and download complexity is called the communication complexity. We adopt the communication complexity as the optimality criterion under various security conditions.

A QPIR protocol Φ is called a deterministic protocol when the following two conditions hold. The upload complexity and the download complexity are determined only by the protocol Φ. When the user and the servers are honest, the output is determined only by \((\rho _{1}, \ldots , \rho _{\mathsf{f}})\) and K. When Φ is a deterministic protocol, we denote the output state by \(\Phi _{out}(\rho _{1}, \ldots , \rho _{\mathsf{f}},K)= \rho _{out}\). The upload complexity, the download complexity, and the communication complexity are denoted by \(UC(\Phi )\), \(DC(\Phi )\), and \(CC(\Phi )\), respectively. Hence, the communication complexity \(CC(\Phi )\) is calculated as \(UC(\Phi )+DC(\Phi )\). A protocol Φ is called correct when the protocol is a deterministic protocol and the relation \(\Phi _{out}(\rho _{1}, \ldots , \rho _{\mathsf{f}},k)=\rho _{k}\) holds for any elements \(k \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \mathcal{S}^{\mathsf{f}}\).

Another important class of QPIR protocols is unitary-type protocols. When a QPIR protocol Φ satisfies the following conditions, it is called unitary-type.

• The initial states \(\rho _{{\mathcal{R}}_{s}}\) on \({\mathcal{R}}_{s}\) and \(\rho _{{\mathcal{R}}_{u}}\) on \({\mathcal{R}}_{u}\) are pure.

• At each round, both the user and the server apply only unitary operations to the systems under their control.

• A measurement is done only when the user reads out the message as the outcome of the protocol.

The reference [13] refers to the above property as measurement-free due to the third condition while it assumes the first and second conditions implicitly. Since the first and second conditions are more essential, we call it unitary-type.

2.1.2 Secrecy

In this paper, we address only the secrecy of the user’s choice. There are two security criteria. One is the final-state criterion, in which, it is required that the server’s final state does not depend on the user’s choice K. The other is the all-round criterion, in which, it is required that the server’s state in any round does not depend on the user’s choice K. When we consider the secrecy, we may extend the set of possible inputs to \(\tilde{\mathcal{S}}\) that includes the set \({\mathcal{S}}\). For example, in the case of C-QPIR, the set \({\mathcal{S}}\) is given as the set \({\mathcal{C}}\). Then, we can choose \(\tilde{\mathcal{S}}\) as the set \({\mathcal{C}}\) or \({\mathcal{Q}}\). The case with \(\tilde{\mathcal{S}}={\mathcal{C}}\) is called the classical input case, and the case with \(\tilde{\mathcal{S}}={\mathcal{Q}}\) is called the superposition input case. Instead, in the case of Q-QPIR, the set \({\mathcal{S}}\) is given as the set \({\mathcal{Q}}\). Hence, the set \(\tilde{\mathcal{S}}\) is chosen as the same set \({\mathcal{Q}}\).

Even when we fix the security criterion and the sets \({\mathcal{S}}\) and \(\tilde{\mathcal{S}}\), there still exist three models for the secrecy for a QPIR protocol Φ. The first one is the honest-server model, which assumes that the servers are honest. We say that a QPIR protocol Φ satisfies the secrecy in the final-state criterion under the honest-server model with input states \(\tilde{\mathcal{S}}\) when the following condition holds. When the user and the servers are honest, the server has no information for K in the final state, i.e., the relation

$$\begin{aligned} \rho _{S,F}(\rho _{1}, \ldots , \rho _{\mathsf{f}},k)=\rho _{S,F}( \rho _{1}, \ldots , \rho _{\mathsf{f}},k') \end{aligned}$$

(1)

holds for any \(k,k' \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{S,F} (\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) is the final state on the server dependent of the variable K. In the condition (1), the states \(\rho _{k}\) is chosen from \(\tilde{\mathcal{S}}\), not from \({\mathcal{S}}\). We say that a QPIR protocol Φ satisfies the secrecy in the all-round criterion under the honest-server model with input states \(\tilde{\mathcal{S}}\) when the following condition holds, the server has no information for K in all rounds, i.e., the relation

$$\begin{aligned} \rho _{S,j}(\rho _{1}, \ldots , \rho _{\mathsf{f}},k)=\rho _{S,j}( \rho _{1}, \ldots , \rho _{\mathsf{f}},k') \end{aligned}$$

(2)

holds for any \(k,k' \in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{S,j} (\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) is the state on the server dependent of the variable K when the server receives the query in the j-th round. The following is the meaning of the secrecy in the all-round criterion under the honest-server model. Assume that the user and the server are honest. Even when the server stops the protocol at the j-th round for any j, the server cannot obtain any information for K.

The second model is called the specious-server model introduced in [50]. When the server applies other operations that deviate from the original protocol, such an operation is called an attack. An attack of the server is called a specious attack when the attack satisfies the following conditions. The server sends the answer at the time specified by the protocol, but the contents of the answer do not follow the protocol. Also, the server does not access the information under the control of the user. In addition, the attack is not revealed to the user under the condition that the user is honest, i.e., there exists the server’s operation \({\mathcal{F}}_{S,j}\) such that the relation

$$\begin{aligned} ({\mathcal{F}}_{S,j}\otimes \iota ) \tilde{\rho}_{j}(\rho _{1}, \ldots , \rho _{\mathsf{f}},k)= \rho _{j}(\rho _{1}, \ldots , \rho _{ \mathsf{f}},k) \end{aligned}$$

(3)

holds for any \(k\in [\mathsf{f}]\) and \((\rho _{1}, \ldots , \rho _{\mathsf{f}}) \in \tilde{\mathcal{S}}^{ \mathsf{f}}\), where \(\rho _{j}(\rho _{1}, \ldots , \rho _{\mathsf{f}},K)\) (\(\tilde{\rho}_{j}( \rho _{1}, \ldots , \rho _{\mathsf{f}},K)\)) is the state on the whole system dependently of the variable K when the user receives the answer in the j-th round under the assumption that the user is honest and the server is honest (the server makes the attack). Notice that the definition of a specious attack depends on the choice of the set \(\tilde{\mathcal{S}}\). The meaning of (3) is the following. When the user decides to stop the protocol to check whether the server follows the protocol after the user receives the answer in the j-th round, the user asks the server to submit the evidence that the server follows the protocol. Then, the server sends his system after applying the operation \({\mathcal{F}}_{S,j}\). When \(\tilde{\mathcal{S}} \) is chosen to be the set \({\mathcal{Q}}\) of pure states, a specious attack coincides with a so-called 0-specious adversary, which is introduced in [13, Definition 2.4] because it is sufficient to check the case with even t in [13, Definition 2.4]. Also, when \(\tilde{\mathcal{S}} \) is chosen to be the set \({\mathcal{C}}\), the secrecy in the all-round criterion under the specious server model coincides with the anchored 0-privacy under 0-specious servers [13].

We say that a QPIR protocol Φ satisfies the secrecy in the final-state criterion (the all-round criterion) under the specious-server model with input states \(\tilde{\mathcal{S}}\) when the following condition holds. When a server performs a specious attack and the user is honest, the server obtains no information about the user’s request K in all rounds, i.e., the condition (1) (the condition (2)) holds. In fact, the secrecy condition in the final-state criterion is weaker than the secrecy condition in the all-round criterion even under the specious-server model. The secrecy condition in the final-state criterion under the specious-server model is essentially equivalent to the cheat-sensitive secrecy condition considered in [49].

The third model is called the dishonest-server model. We say that a QPIR protocol Φ satisfies the secrecy under the dishonest-server model when the following condition holds. When the server applies an attack and the user is honest, the server obtains no information of the user’s request K, i.e., the condition (1) holds. In the dishonest-server model, the server is allowed to make any attack under the following conditions. The server sends the answer at the time specified by the protocol, but the contents of the answer do not follow the protocol. Also, the server does not access the information under the control of the user. Thus, the server can send any information on each round under this condition. Hence, the ability of the attack does not depend on the set \(\tilde{\mathcal{S}}\). Also, the server can store the state received in any round. Hence, the server can obtain the same information in the final state as the information in the j-th round.

Further, when the protocol has only one round and we adopt the all-round criterion, there is no difference among the honest-server model, the specious-server model, and the dishonest-server model because all information obtained by the server is reduced to the state on the server when the server received the query in the first round. As a result, the information obtained by the server does not depend on the server’s operation, i.e., the server’s attack model.

Remark 1

In the papers [10, 13], the security against specious adversaries means the secrecy in the all-round criterion under the specious-server model with input states \({\mathcal{Q}}\) for C-QPIR in our definition. Instead, in the paper [13], the anchored specious security means the secrecy in the all-round criterion under the specious-server model with input states \({\mathcal{C}}\) for C-QPIR in our definition. The papers [10, 13] did not consider the final-state criterion.

2.2 Outline of results and comparison

2.2.1 Optimality of trivial solution for one-server Q-QPIR

First, we discuss our result for one-server Q-QPIR for the honest-server model without prior entanglement, and its relation to existing results. The result by the reference [10] is summarized as follows. The C-QPIR protocol discussed in [10] is considered as a QPIR protocol over the set \({\mathcal{C}}\). The reference [10] showed that the trivial protocol over the set \({\mathcal{C}}\) is optimal in the all-round criterion under the specious-server model with input states \({\mathcal{Q}}\), i.e., when the secrecy in the all-round criterion is imposed under the specious-server model with input states \({\mathcal{Q}}\). Since the set \({\mathcal{C}}=\{ |j\rangle \}_{j=0}^{d-1}\) is included in the set \({\mathcal{Q}}\), a Q-QPIR protocol over the set \(\mathcal{Q}\) works a QPIR protocol over the set \({\mathcal{C}}\). Hence, the result by [10] implies the optimality of the trivial protocol over the set \({\mathcal{Q}}\) in the all-round criterion under the specious-server model. In addition, such an impossibility result was extended to the case with prior entanglement by the paper [13].

However, the secrecy in the all-round criterion under the specious-server model is a stronger condition than the secrecy in the final-state criterion under the honest-server model because the secrecy in the all-round criterion is a stronger condition the secrecy in the final-state criterion and the specious-server model allows the server to have a larger choice than the honest-server model.

To seek further possibility for C-QPIR protocols, in Sects. 4.1 and 4.2, inspired by the idea presented in [49], we propose more efficient one-round C-QPIR protocols in the final-state criterion under the honest-server and specious-server models with input states \({\mathcal{C}}\) or \({\mathcal{Q}}\) whose communication complexities are at most \(4\log \mathsf{m}\). In addition, the reference [11] proposed a C-QPIR protocol in the all-round criterion under the honest one-server model that has communication complexity \(O(\sqrt{\mathsf{m}})\). The reference [12] also proposed a C-QPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) without prior entanglement and a C-QPIR protocol with communication complexity \(O( \log \mathsf{m})\) with prior entanglement. In Sect. 4.3, we show that these two protocols satisfy the secrecy in the all-round criterion under the honest-server model with input states \({\mathcal{C}}\). In addition, using a conversion result [13], we show that these two protocols satisfy the secrecy in the all-round criterion under the specious-server model with input states \({\mathcal{C}}\).

Hence, we cannot exclude the possibility of more efficient one-server Q-QPIR protocols than the trivial solution in the final-state criterion or under the honest one-server model. Furthermore, while the trivial solution is optimal under the honest-server model of classical PIR [51], its optimality proof uses the communication transcript between the server and the user, which is based on classical communication. Unfortunately, we cannot apply the same technique under the honest one-server model of Q-QPIR because quantum states cannot be copied because of the no-cloning theorem. Therefore, we have a question of whether there exists a Q-QPIR protocol over pure states that satisfies the secrecy in the final-state criterion under the honest-server model, and improves the communication complexity over the trivial protocol.

As its solution, we show that the trivial solution is optimal for one-server Q-QPIR in the final-state criterion for the honest-server model. In Tables 1 and 2, we summarize the comparison of our results with previous results for the one-server case. In our proof, the entropic inequalities are the key instruments for the proof. Since the pair of the final-state criterion and the honest-server model is the weakest attack model, this result implies that the trivial solution is also optimal for any attack model.

Table 1 Optimal communication complexity of one-server C-QPIR

Table 2 Optimal communication complexity of one-server Q-QPIR

2.2.2 One-server Q-QPIR protocol with prior entanglement

However, the above discussion assumes that there is no prior entanglement shared between the sender and the user. Hence, secondly, with prior entanglement between the user and the server, we prove that there exists an efficient Q-QPIR protocol on the honest-server model or on the final-state criterion. To be precise, we propose a method to construct a Q-QPIR protocol of communication complexity \(O(f(\mathsf{m}))\) with prior entanglement from a C-QPIR protocol of communication complexity \(O(f(\mathsf{m}))\) with prior entanglement. This method is based on the combination of C-QPIR and quantum teleportation [1]. The proposed Q-QPIR protocol inherits the security of the C-QPIR protocol. With this property, we show three types of Q-QPIR protocols of communication complexity \(O(\log \mathsf{m})\) with prior entanglement. One is the secrecy in the final-state criterion under the honest-server model. The second is the secrecy in the final-state criterion under the specious-server model. The third is the secrecy in the all-round criterion under the honest-server model. Combining this result with the above result, we find that prior entanglement realizes an exponential speedup for one-server Q-QPIR in the final-state criterion or under the honest-server model. Therefore, the obtained results are summarized as Table 1 in terms of the communication complexity \(\mathsf{m}\).

3 Preliminaries

We define \([a:b] = \{a,a+1, \ldots , b\}\) and \([a] = \{1,\ldots , a\}\). The dimension of a quantum system X is denoted by \(|X|\). The von Neumann entropy is defined as \(H(X) = H(\rho _{X}) = \operatorname{Tr}\rho _{X}\log \rho _{X}\), where \(\rho _{X}\) is the state on the quantum system X.

Proposition 1

The von Neumann entropy satisfies the following properties.

\((a)\) \(H(X) = H(Y)\) if the state on \(X\otimes Y\) is a pure state.

\((b)\) The inequality \(H(XY) \le H(X) + H(Y)\) holds, and the equality holds for product states on \(X\otimes Y\).

\((c)\) Entropy does not change by unitary operations.

\((d)\) \(H(XY) + H(X) \geq H(Y)\).

\((e)\) \(H(\sum _{s} p_{s} \rho _{s}) = \sum _{s} p_{s} (H( \rho _{s}) - \log p_{s})\) if \(\operatorname{Tr}\rho _{s} \rho _{t} = 0\) for any \(s\neq t\).

The property \((d)\) is proved as follows. Since other properties can be easily shown, we omit their proofs. For example, see the book [52, Sects. 3.1 and 8.1]. Let Z be the reference system in which the state on \(XYZ\) is pure. Then, \(H(XY)+H(X)=H(Z)+H(X)\ge H(XZ)=H(Y)\). Throughout the paper, we use the symbols \((a)\), \((b)\), \((c)\), \((d)\), \((e)\) to denote which property is used, e.g., \(\stackrel{{(\mathrm{a})}}{=}\) means that the equality holds from the property \((a)\).

Next, for a TP-CP map from the system \({\mathcal{H}}_{X}\) to the system \({\mathcal{H}}_{Y}\) and a state ρ on \({\mathcal{H}}_{X}\), we define the transmission information \(I (\rho ,\Gamma )\). We choose a purification \(|\psi \rangle \) of ρ with the environment \({\mathcal{H}}_{Z}\). Then, the transmission information \(I (\rho ,\Gamma )\) is defined as

$$\begin{aligned} I (\rho ,\Gamma ):= H(\rho )+ H(\Gamma (\rho ))-H( (\iota _{Z} \otimes \Gamma )(|\psi \rangle \langle \psi |) ), \end{aligned}$$

(4)

where \(\iota _{Z}\) is the identity operation on \({\mathcal{H}}_{Z}\). When Γ is the identity operator,

$$\begin{aligned} I (\rho ,\Gamma )=2H(\rho ). \end{aligned}$$

(5)

Throughout this paper, \(\mathbb{C}^{d}\) expresses the d-dimensional Hilbert space spanned by the orthogonal basis \(\{|s\rangle \}_{s=0}^{d-1}\). For a \(d_{1}\times d_{2}\) matrix

$$\begin{aligned} \mathsf{M}= \sum _{s=0}^{d_{1}-1} \sum _{t=0}^{d_{2}-1} m_{st} |s \rangle \langle t| \in \mathbb{C}^{d_{1}\times d_{2}}, \end{aligned}$$

(6)

we define

$$|\mathsf{M}》=\frac{1}{\sqrt{d}}\sum _{s=0}^{d_1-1}\sum _{t=0}^{d_2-1}{m}_{st}|s〉|t〉\in {\mathbb{C}}^{d_1}\otimes {\mathbb{C}}^{d_2}.$$

(7)

For \(\mathsf{A}\in \mathbb{C}^{d_{1}\times d_{2}}\), \(\mathsf{B}\in \mathbb{C}^{d_{1} \times d_{1}}\), and \(\mathsf{C}\in \mathbb{C}^{d_{2} \times d_{2}}\), we have the relation

$$(\mathsf{B}\otimes {\mathsf{C}}^{\mathrm{\top }})|\mathsf{A}》=|\mathsf{B}\mathsf{A}\mathsf{C}》.$$

(8)

We call a d-dimensional system \(\mathbb{C}^{d}\) a qudit. Define generalized Pauli matrices and the maximally entangled state on qudits as

$$\begin{aligned} \mathsf{X}_{d} &= \sum _{s=0}^{d-1} |s+1\rangle \langle s|, \end{aligned}$$

(9)

$$\begin{aligned} \mathsf{Z}_{d} &= \sum _{s=0}^{d-1} \omega ^{s} |s\rangle \langle s|, \end{aligned}$$

(10)

$$|{\mathsf{I}}_d》=\frac{1}{\sqrt{d}}\sum _{s=0}^{d-1}|s,s〉,$$

(11)

where \(\omega = \exp (2\pi \iota / d)\) and \(\iota = \sqrt{-1}\). We define the generalized Bell measurements

$${\mathbf{M}}_{\mathsf{X}\mathsf{Z},d}=\{|{\mathsf{X}}^a{\mathsf{Z}}^b》\mid a,b\in [0:d-1]\}.$$

(12)

If there is no confusion, we denote \(\mathsf{X}_{d}\), \(\mathsf{Z}_{d}\), \(\mathsf{I}_{d}\), \(\mathbf{M}_{ \mathsf{X}\mathsf{Z},d}\) by \(\mathsf{X}\), \(\mathsf{Z}\), \(\mathsf{I}\), \(\mathbf{M}_{\mathsf{X}\mathsf{Z}}\). Let A, \(A'\), B, \(B'\) be qudits. If the state on \(A\otimes A' \otimes B \otimes B'\) is $|\mathsf{A}》\otimes |\mathsf{B}》$ and the measurement \(\mathbf{M}_{\mathsf{X}\mathsf{Z}}\) is performed on \(A' \otimes B'\) with outcome \((a,b) \in [0:d-1]^{2}\), the resultant state is

$$|\mathsf{A}{\mathsf{X}}^a{\mathsf{Z}}^{-b}{\mathsf{B}}^{\mathrm{\top }}》\in A\otimes B.$$

(13)

We also define the dual basis

$$\begin{aligned} |u_{j}\rangle :=\sum _{k=0}^{d-1}\frac{1}{\sqrt{d}}e^{ \frac{2\pi kj i}{d}}|k\rangle . \end{aligned}$$

(14)

4 Protocols for C-QPIR

4.1 One-round C-QPIR of the final-state criterion under honest-server model

This section presents a protocol that satisfies the secrecy in the final-state criterion under the honest-server model with the input states \({\mathcal{C}}\). We assume that the ℓ-th message \(X_{\ell}\) is an element of \(\mathbb{Z}_{d_{\ell}}\) for \(\ell \in [\mathsf{f}]\). We define d as the maximum \(\max _{\ell \in [\mathsf{f}]}d_{\ell}\).

Protocol 1

The following protocol is denoted by \(\Phi _{\mathsf{f},d}\).

1. 0)

   Preparation: The server prepares \(\mathsf{f}+1\) quantum systems \({\mathcal{H}}_{0},{\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\), where \({\mathcal{H}}_{0}\) is spanned by \(\{|j\rangle \}_{j=0}^{d-1} \), and \({\mathcal{H}}_{\ell}\) is spanned by \(\{|j\rangle \}_{j=0}^{d_{\ell}-1} \). When the ℓ-th message is \(X_{\ell}\), the state on the quantum system \({\mathcal{H}}_{\ell}\) is set to be \(|X_{\ell}\rangle \). Also, the state on the quantum system \({\mathcal{H}}_{0}\) is set to be \(|0 \rangle \). The user prepares the system \({\mathcal{K}}\) spanned by \(\{ |\ell \rangle \}_{\ell =1}^{\mathsf{f}}\).

2. 1)

   Query (upload): The user sets the state on the system \({\mathcal{K}}\) to be \(|K\rangle \). The user sends the system \({\mathcal{K}}\) to the server.

3. 2)

   Answer (download): The server applies the measurement based on the computation basis \(\{ |j\rangle \}\) on the systems \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) with the projective state reduction. The server applies the controlled unitary \(U:= \sum _{\ell =1}^{\mathsf{f}} |\ell \rangle \langle \ell | \otimes U_{\ell}\) on \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), where \(U_{\ell}\) acts only on \({\mathcal{H}}_{0}\otimes {\mathcal{H}}_{\ell}\) and is defined as

   $$\begin{aligned} U_{\ell}:=\sum _{j'=0}^{d-1}\sum _{j=0}^{d_{\ell}-1} |j+j'\rangle \langle j'|\otimes |j\rangle \langle j|. \end{aligned}$$

   (15)

   The server sends the system \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\) to the user.

4. 3)

   Reconstruction: The user measures \({\mathcal{H}}_{0}\), and obtains the message \(X_{K}\).

Lemma 1

Protocol 1is correct and satisfies the secrecy in the final-state criterion under the honest-server model with the input states \({\mathcal{C}}\).

Its upload and download complexities are \(UC(\Phi _{\mathsf{f},d})=\log \mathsf{f}\) and \(DC(\Phi _{\mathsf{f},d})=\log \mathsf{f}+ \log d\). The communication complexity is \(CC(\Phi _{\mathsf{f},d})=2 \log \mathsf{f}+ \log d\). When d is fixed, \(CC(\Phi _{\mathsf{f},d})=2\log \mathsf{m}+o(\mathsf{m})\).

Proof

The correctness of Protocol 1 can be checked as follows. Since \(U_{\ell }|0\rangle \otimes |X_{\ell}\rangle =|X_{\ell}\rangle \otimes |X_{\ell}\rangle \), we have

$$\begin{aligned} U|K\rangle |0\rangle |X_{1}\rangle \cdots |X_{\mathsf{f}}\rangle =|K \rangle |X_{K}\rangle |X_{1}\rangle \cdots |X_{\mathsf{f}}\rangle . \end{aligned}$$

(16)

Hence, the user gets the state \(|K\rangle |X_{K}\rangle \), which contains the correct information \(X_{K}\).

As shown in the following; Protocol 1 satisfies the secrecy in the final-state criterion under the honest-server model with the input states \({\mathcal{C}}\). We assume that the server and the user are honest. Since the server follows the protocol, the server has only the \(\mathsf{f}\) systems \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\). The final state on the composite system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is \(|X_{1}\rangle \cdots |X_{\mathsf{f}}\rangle \), which does not depend on the user’s choice K. Hence, the above secrecy holds. □

Lemma 1 can be strengthened as follows.

Lemma 2

When we add the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) in Protocol 1before the unitary U is applied, the protocol is correct and satisfies the secrecy in the final-state criterion under the honest-server model even with the input states \({\mathcal{Q}}\).

Proof

Even when the initial states in \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) prepared as quantum states, due to the measurement, the initial states in \({\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{\mathsf{f}}\) are convex mixtures of states \(\{|j\rangle \langle j|\}\). Hence, the final state on the composite system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is the same as the state after the measurement, which does not depend on user’s choice K. Hence, the above secrecy holds. □

The following lemma shows the importance of measurement in Lemma 2.

Lemma 3

Protocol 1does not satisfy the secrecy in the final-state criterion under the honest-server model even with the input states \({\mathcal{Q}}\).

Proof

Assume that the server set initial state in \({\mathcal{H}}_{\ell} \) to be \(\sum _{j=1}^{d_{\ell}}\frac{1}{\sqrt{d_{\ell}}}|j\rangle \). Also, we assume that the server and the user follow Steps 1), 2), 3). Then, the final state on \({\mathcal{H}}_{K} \otimes {\mathcal{H}}_{0}\) is \(\sum _{j=1}^{d_{\ell}}\frac{1}{\sqrt{d_{\ell}}}|j\rangle |j\rangle \). That is, the final state on \({\mathcal{H}}_{K}\) is the completely mixed state. In contrast, the final state on \({\mathcal{H}}_{\ell}\) is the same as the initial state for \(\ell \neq K\). Hence, the secrecy condition (1) does not hold. □

Also, we have the following lemma. That is, we need to modify Protocol 1 for the specious-server model.

Lemma 4

Protocol 1does not satisfy the secrecy in the final-state criterion under the specious-server model even with the input states \({\mathcal{Q}}\).

Proof

A specious server is allowed to make a measurement if the measurement does not destroy the quantum state. Since the state on the composite system \({\mathcal{K}}\otimes {\mathcal{H}}_{0}\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is one of the computation basis, it is not destroyed by the measurement of the computation basis. Hence, the server can obtain the user’s choice K without state demolition. This fact shows that the specious-server model is needed in order to forbid such an insecure protocol. However, as shown in Sect. 5, even under the honest-server model, a protocol similar to Protocol 1 does not work when the messages are given as quantum states. □

4.2 One-round C-QPIR of the final-state criterion under specious-server model

Protocol 1 presented in the previous subsection does not work under the specious-server model. To resolve this problem, this section presents a protocol that satisfies the secrecy in the final-state criterion under the specious-server model with the input states \({\mathcal{C}}\). We assume that each message \(X_{\ell}\) is an element of \(\mathbb{Z}_{d_{\ell}}\). We define d as the maximum \(\max _{\ell}d_{\ell}\).

Protocol 2

The following protocol is denoted by \(\Phi _{\mathsf{f},d}\).

1. 0)

   Preparation: The server prepares \(\mathsf{f}+2\) quantum systems \({\mathcal{H}}_{0}',{\mathcal{H}}_{1}',{\mathcal{H}}_{1}, \ldots , {\mathcal{H}}_{ \mathsf{f}}\), where \({\mathcal{H}}_{0}'\), \({\mathcal{H}}_{1}'\) is spanned by \(\{|j\rangle \}_{j=0}^{d-1} \), and \({\mathcal{H}}_{\ell}\) is spanned by \(\{|j\rangle \}_{j=0}^{d_{\ell}-1} \). When the ℓ-th message is \(X_{\ell}\), the state on the quantum system \({\mathcal{H}}_{\ell}\) is set to be \(|X_{\ell}\rangle \). Also, the state on the quantum system \({\mathcal{H}}_{0}'\), \({\mathcal{H}}_{1}'\) is set to be \(|0 \rangle \). The user prepares the systems \({\mathcal{K}}_{0}\),\({\mathcal{K}}_{1}\) spanned by \(\{ |\ell \rangle \}_{\ell =1}^{\mathsf{f}}\).

2. 1)

   Query (upload): The user generates the binary random variable A and the variable \(B \in [\mathsf{f}]\) subject to the uniform distribution. The user sets the state on the system \({\mathcal{K}}_{A}\) to be \(|K\rangle \), and the state on the system \({\mathcal{K}}_{A\oplus 1}\) to be \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{ \mathsf{f}}^{B} |\ell \rangle \). The user sends the systems \({\mathcal{K}}_{0}\), \({\mathcal{K}}_{1}\) to the server.

3. 2)

   Answer (download): The server applies the controlled unitary \(U:= \sum _{\ell =1}^{\mathsf{f}} |\ell \rangle \langle \ell | \otimes U_{\ell}\) on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}'\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), where \(U_{\ell}\) acts only on \({\mathcal{H}}_{0}'\otimes {\mathcal{H}}_{\ell}(={\mathcal{H}}_{1}'\otimes {\mathcal{H}}_{ \ell}) \) and is defined as

   $$\begin{aligned} U_{\ell}:=\sum _{j'=0}^{d-1}\sum _{j=0}^{d_{\ell}-1} |j+j'\rangle \langle j'|\otimes |j\rangle \langle j|. \end{aligned}$$

   (17)

   Then, the server applies the controlled unitary U on \({\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\). The server sends the systems \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}'\), \({\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) to the user.

4. 3)

   Reconstruction: The user measures \({\mathcal{H}}_{A}'\), and obtains the message \(X_{K}\).

Lemma 5

Protocol 2is correct and satisfies the secrecy in the final-state criterion under the specious-server model with the input states \({\mathcal{C}}\).

Its upload and download complexities are \(UC(\Phi _{\mathsf{f},d})=2 \log \mathsf{f}\) and \(DC(\Phi _{\mathsf{f},d})=2\log \mathsf{f}+ 2 \log d\). The communication complexity is \(CC(\Phi _{\mathsf{f},d})=4 \log \mathsf{f}+ 2 \log d\). When d is fixed, \(CC(\Phi _{\mathsf{f},d})=4\log \mathsf{m}+o(\mathsf{m})\).

Proof

The correctness of Protocol 2 can be checked as follows. Due to the relation (16), when \(A=0\), the state on the whole system \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}' \otimes {\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) before the server sends back the system is \(|K\rangle |X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle |X_{1} \rangle \cdots |X_{\mathsf{f}}\rangle \). Hence, the user receives the state \(|K\rangle |X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle \), which contains the correct information \(X_{K}\). Similarly, when \(A=1\), the user receives a state containing the correct information \(X_{K}\).

Next, we show that Protocol 2 satisfies the secrecy in the final-state criterion under the specious-server model with the input states \({\mathcal{C}}\). Assume that the server and the user follow the protocol. Then, the resultant state in the server’s system \({\mathcal{H}}_{1}\otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) is the product state \(|X_{1}\rangle \ldots |X_{\mathsf{f}}\rangle \). The resultant state in \({\mathcal{K}}_{A}\otimes {\mathcal{H}}_{A}'\) is \(|K\rangle |X_{K}\rangle \). The resultant state in \({\mathcal{K}}_{A\oplus 1}\otimes {\mathcal{H}}_{A\oplus 1}'\) is \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle \).

Hence, when \(A=0\), the specious server needs to generate the state \(|K\rangle |X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{ \mathsf{f}}\mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle \) from the state \(|K\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle \). Also, when \(A=1\), the specious server needs to generate the state \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle |K\rangle |X_{K} \rangle \) from the state \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}|\ell \rangle |K\rangle \).

Since the resultant states \(|K\rangle |X_{K}\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{ \mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle |X_{\ell} \rangle \) and \(\frac{1}{\sqrt{\mathsf{f}}} \sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}|\ell \rangle |X_{\ell}\rangle |K\rangle |X_{K} \rangle \) are unitarily equivalent to the states \(|K\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{B}|\ell \rangle \) and \(\frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{B}|\ell \rangle |K\rangle \), it is sufficient to discuss whether the server can get certain information from the state family \({\mathcal{F}}:= \{ |k\rangle \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{ \mathsf{f}} \mathsf{Z}_{\mathsf{f}}^{b}|\ell \rangle , \frac{1}{\sqrt{\mathsf{f}}}\sum _{\ell =1}^{\mathsf{f}}\mathsf{Z}_{ \mathsf{f}}^{b}|\ell \rangle |k\rangle \}_{k,b=1}^{\mathsf{f}}\) without disturbance.

However, due to Koashi-Imoto [53, 54] theory (Proposition 3 in the Appendix), any measurement obtains no information for K. When the states need to be recovered because the state family \({\mathcal{F}}\) satisfies the condition (A) in the Appendix. Therefore, when the server keeps the condition for the specious server, the server cannot obtain any information for K. □

Unfortunately, adding the measurement in Step 2) cannot guarantee that the protocol satisfies the secrecy in the final-state criterion under the specious-server model with the input states \({\mathcal{Q}}\). That is, we have the following lemma.

Lemma 6

Even when we add the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) before the unitary U is applied, the protocol does not satisfy the secrecy in the final-state criterion under the specious-server model with the input states \({\mathcal{Q}}\).

Proof

Assume that the server sets a general initial pure state on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\), which is potentially a superposition state. When the server applies the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) after the unitary U is applied, the state on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) is not changed. Further, even when the order of the above measurement and the unitary U is exchanged, the state on \({\mathcal{K}}_{0}\otimes {\mathcal{H}}_{0}' \otimes {\mathcal{K}}_{1}\otimes {\mathcal{H}}_{1}'\) is not changed. Therefore, even when the server does not make the measurement with the computational basis on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) in Step 2) before the unitary U is applied, the state sent to the user is not changed.

Now, we assume that the server sets the initial state in \({\mathcal{H}}_{\ell} \) to be \(|\Psi _{\ell}\rangle := \sum _{j=1}^{d_{\ell}} \frac{1}{\sqrt{d_{\ell}}}|j\rangle \). When \(U_{\ell}\) is applied, the resultant state on \({\mathcal{H}}_{\ell} \) is the completely mixed state \(\rho _{mix,\ell}\). Otherwise, it is \(|\Psi _{\ell}\rangle \). The resultant state on \({\mathcal{H}}_{1} \otimes \cdots \otimes {\mathcal{H}}_{\mathsf{f}}\) does not depend on whether the measurement on the computational basis on \({\mathcal{K}}_{0}\otimes {\mathcal{K}}_{1}\) is done before the unitary U. Hence, we can consider the following. When \(K=\ell \), \(U_{\ell}\) is applied with probability 1. Otherwise, \(U_{\ell}\) is applied with probability \(\frac{1}{\mathsf{f}}\). Therefore, when \(K=\ell \), the resultant state on \({\mathcal{H}}_{\ell}\) is the completely mixed state \(\rho _{mix,\ell}\). Otherwise, the resultant state on \({\mathcal{H}}_{\ell}\) is \(\frac{1}{\mathsf{f}}\rho _{mix,\ell}+(1-\frac{1}{\mathsf{f}}) |\Psi _{ \ell}\rangle \langle \Psi _{\ell}|\). Hence, the server obtains a certain information for the value K in the final state. □

4.3 C-QPIR in all-round criterion

In this section, we discuss the secrecy in the all-round criterion of the C-QPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) under the fixed message size \(d=2\) from [12, Sect. 5], which does not use any prior entanglement, and the C-QPIR protocol with communication \(O( \log \mathsf{m})\) under the fixed message size \(d=2\) from [12, Sect. 6], which uses \(\Theta (\mathsf{m})\) ebits of prior entanglement. Although these protocols fix the message size d to be 2, they can be generalized to protocols whose message sizes are fixed to an arbitrary d by treating \(\lceil \log _{2} d \rceil \) messages as one message.

4.3.1 Secrecy of the protocol from [12, Sect. 5] under the honest server model

The protocol from [12, Sect. 5] works for the case \(d=2\). The server’s input is thus \((a_{1},\ldots ,a_{\mathsf{f}})\) for \(a_{1},\ldots ,a_{\mathsf{f}}\in \{0,1\}\). The user’s input is an index \(K\in \{1,\ldots ,\mathsf{f}\}\).

The main idea is to simulate a classical multi-server PIR protocol with \(s=O(\log \mathsf{m})\) servers that has total communication complexity \(O(\mathrm{poly} \log \mathsf{m})\). Such protocols are known to exist (see, e.g., [51]) and can be described generically as follows. The user picks a uniform random variable G from \(\{1,\ldots ,\mathsf{g}\}\), computes an s-tuple of queries \(\{q_{1}(G,K),\ldots ,q_{s}(G,K)\}\) from \((G,K)\) by using a function \(q_{t}\), and asks query \(q_{t}(G,K)\) to the t-th server. Here, for each \(t\in \{1,\ldots , s\}\), the function \(q_{t}\) satisfies the condition that the distribution of query \(q_{t}(G,K)\) is independent of K. Each server t then sends its answer \(\mathsf{ans}_{t}(q_{t}(G,K))\) to the user, who recovers \(a_{K}\) from \(\{\mathsf{ans}_{1}(q_{1}(G,K)),\ldots ,\mathsf{ans}_{s}(q_{s}(G,K)) \}\).

The protocol from [12, Sect. 5] simulates this protocol using only one server. The protocol uses \(2s+1\) quantum registers denoted \(Q,Q_{1},\ldots , Q_{s}, \mathop{Ans}_{1},\ldots , \mathop{Ans}_{s}\). For each \(t\in \{1,\ldots , s\}\), let us define the following quantum state:

Note that we have in particular

The protocol from [12, Sect. 5] consists of the following interaction between the user and the server (some details of the manipulations of the states are omitted since they are irrelevant to the secrecy proof):

1. 1.

   The user prepares the state .

2. 2.

   The user and the server iterate the following for \(t=1\) to s:

   1. 2.1

      The user sends Registers \(Q_{t}\), \(\mathop{Ans}_{t}\) to the server;

   2. 2.2

      The server applies a controlled unitary, where the controlling system is \(Q_{t}\) and the controlled system is \(\mathop{Ans}_{t}\). Then, the server sends back Registers \(Q_{t}\), \(\mathop{Ans}_{t}\) to the user.

3. 3.

   The user measures the joint system composed of Registers \(Q,Q_{1},\ldots , Q_{s}, \mathop{Ans}_{1},\ldots , \mathop{Ans}_{s}\) to obtain the outcome \(a_{K}\) after certain unitary operations.

We now show the secrecy of this protocol under the honest server model.

Lemma 7

The protocol from [12, Sect. 5] is unitary-type and satisfies the secrecy in the all-round criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).

Proof

The protocol is clearly unitary-type. The remaining task is then to show the secrecy of this protocol in the all-round criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({ \mathcal{C}}\). Observe that at each iteration there is only a message sent to the server, at Step 2.1. We thus only need to show that for each t, this message does not reveal any information about K. The state of the whole system at the end of Step 2.1 of the t-th iteration is . The state of the server, obtained by tracing out all registers except \(Q_{t}\), \(\mathop{Ans}_{t}\) of is

(18)

Since the distribution of query \(q_{t}(G,K)\) is independent of K, we conclude that the whole state of the server at the end of Step 2.1 is independent of K, for each t. □

4.3.2 Secrecy of the protocol from [12, Sect. 6] under the honest server model

The protocol from [12, Sect. 6] works for the case \(d=2\) and \(\mathsf{f}=2^{\mathsf{h}}\), for \(\mathsf{h}\ge 1\). The server’s input is thus \((a_{1},\ldots ,a_{\mathsf{f}})\) for \(a_{1},\ldots ,a_{\mathsf{f}}\in \{0,1\}\). The user’s input is an index \(K\in \{1,\ldots ,\mathsf{f}\}\).

The protocol uses \(2\mathsf{h}+2\) quantum registers denoted \(R_{1},\ldots , R_{\mathsf{h}}, \mathsf{R'}_{1},\ldots , \mathsf{R'}_{ \mathsf{h}}, Q_{0},Q_{1}\). For each \(p\in \{1,\ldots , \mathsf{h}\}\), let us define the following quantum state over the two registers \(R_{t}\), \(R'_{p}\):

For any binary string \(z\in \{0,1\}^{s}\) with s even, we denote \(z[0]\) the first half of z, and \(z[1]\) the second half of z. For any binary strings \(z, z'\in \{0,1\}^{s}\), we write \(z\oplus z'\in \{0,1\}^{s}\) the string obtained by taking the bitwise parity of z and \(z'\).

The protocol from [12, Sect. 6] assumes that the server and the user initially share the state

where \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) are owned by the server and \(R'_{1},\ldots , R'_{\mathsf{h}}\) are owned by the user. The protocol consists of the following interaction between the user and the server (some details of the manipulations of the states are omitted since they are irrelevant to the secrecy proof):

1. 1.

   For p from 1 to \(\mathsf{h}\) the server and the user do the following:

   1. 1.1

      The server applies a unitary \(V_{p}\) (defined in [12, Eq. (27)]) on Registers \(R_{p-1}\), \(R_{p}\), \(Q_{0}\), \(Q_{1}\) and then sends Registers \(Q_{0}\), \(Q_{1}\) to the user;

   2. 1.2

      If the p-th bit of its input K is 0, the user applies the Pauli gate Z on Register \(Q_{0}\). If the p-th bit of K is 1, the user applies Z on Register \(Q_{1}\). The user then sends back Registers \(Q_{0}\), \(Q_{1}\) to the server.

   3. 1.3

      The server applies again the unitary \(V_{p}\) on Registers \(R_{p-1}\), \(R_{p}\), \(Q_{0}\), \(Q_{1}\), and then applies a Hadamard transform on each qubit in Register \(R_{p}\).

   4. 1.4

      The user applies a Hadamard transform on each qubit in Register \(R'_{p}\).

2. 2.

   The server sends Register \(R_{\mathsf{h}}\) to the user. The user measures the joint system composed of Registers \(R'_{1},\ldots , \mathsf{R'}_{\mathsf{h}}\) and Register \(R_{\mathsf{h}}\), and performs some classical post-processing on the outcome to obtain \(a_{K}\)

The following lemma from [12] will be useful for our secrecy proof: Lemma 2 in [12] shows that the state of the whole system at the end of Step 1.3 is

with

where the sum is over all strings \(y^{1}\in \{0,1\}^{2^{\mathsf{h}-1}},\ldots ,y^{p}\in \{0,1\}^{2^{ \mathsf{h}-p}}\) and we use the convention that \(y^{0}\) is the server’s input \((a_{1},\ldots ,a_{\mathsf{f}})\).¹ Here the server owns Registers \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) while the user owns Registers \(R'_{1},\ldots , R'_{\mathsf{h}}\).

We now show the secrecy of this protocol under the honest server model (see also Appendix B in [13]).

Lemma 8

The protocol from [12, Sect. 6] is unitary-type and satisfies the secrecy in the all-round criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).

Proof

The protocol is clearly unitary-type. The remaining task is then to show the secrecy of this protocol in the all-round criterion under the honest server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({ \mathcal{C}}\). Since the initial state does not depend on K, it is sufficient to show that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.2 of the p-th round is independent of K.

Observing that tracing out Registers \(R'_{1},\ldots ,R'_{j}\) from gives the state

which is independent of K, we find that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.3 of the p-th round is independent of K, for each p. Since the unitaries applied in Step 1.3 by the server are independent of K, we conclude that the whole state on Register \(R_{1},\ldots , R_{\mathsf{h}},Q_{0}, Q_{1}\) at the end of Step 1.2 of the p-th round is independent of K. □

4.3.3 Secrecy under the specious server model

Finally, we discuss the secrecy under the specious server model. We will rely on the following theorem from [13] for unitary-type QPIR protocols.

Proposition 2

(Theorem 3.2 in [13])

When a unitary-type QPIR protocol satisfies the secrecy in the all-round criterion under the honest server model with the set \(\tilde{\mathcal{S}}=\mathcal{C}\), it satisfies the secrecy in the all-round criterion under the specious server model with the same set \(\tilde{\mathcal{S}}=\mathcal{C}\).

We thus obtain the following corollary of Lemmas 7 and 8.

Corollary 1

The protocols from [12, Sect. 5] and [12, Sect. 6] satisfy the secrecy in the all-round criterion under the specious server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).

Therefore, when the message size d is fixed to a constant, there exists a C-QPIR protocol with communication complexity \(O(\mathrm{poly} \log \mathsf{m})\) (\(O( \log \mathsf{m})\)) and without any prior entanglement (with prior entanglement) that satisfies the secrecy in the all-round criterion under the specious server model when the set \(\tilde{\mathcal{S}}\) of possible inputs is \({\mathcal{C}}\).

5 Optimality of trivial protocol in final-state criterion for Q-QPIR under honest server model

In this section, we prove that the trivial solution of downloading all messages is optimal for Q-QPIR. In particular, this section, unlike the references [10, 13], we show the optimality in the final-state criterion under the honest-server model. Since our setting is discussed under the honest-server model, the secrecy in the final-state criterion is required only when the server follows the determined state preparation process and determined quantum operations. In the formal description of our protocols, we consider that the user and the server apply CPTP maps but we describe the CPTP maps by the equivalent representation with the unitary maps and the local quantum memories.

To be precise, we define the \(\mathsf{r}\)-round Q-QPIR protocol as follows. A 2-round protocol is depicted in Fig. 2, and the symbols are summarized as Table 3. The message states are given as arbitrary \(\mathsf{f}\) states \(\rho _{[\mathsf{f}]}:=\rho _{1}\otimes \cdots \otimes \rho _{ \mathsf{f}}\) on \(S^{(0)} = X_{1}\otimes \cdots \otimes X_{\mathsf{f}}\), where each of \(\rho _{\ell}\) is purified in \(X_{\ell}\otimes R_{\ell}\). We use the notation \(R_{[\mathsf{f}]}:=R_{1}\otimes \cdots \otimes R_{\mathsf{f}}\). The server contains the system \(S^{(0)}\). The user chooses the index of the targeted message \(K\in [\mathsf{f}]\), i.e., \(\rho _{k}\) is the targeted quantum state when \(K=k\). When \(K=k\), the user prepares the initial state as \(|k\rangle \otimes |0\rangle \in A^{(0)} \otimes T^{(0)}\). Although we consider the model in which the user and the server apply CPTP maps, we describe it by the equivalent representation with the unitary maps and the local quantum memories. A Q-QPIR protocol Φ is described by unitary maps \(\mathcal{D}^{(0)},\ldots ,\mathcal{D}^{(\mathsf{r})}, \mathcal{E}^{(1)}, \ldots ,\mathcal{E}^{(\mathsf{r})}\) in the following steps.

Figure 2

2-round QPIR protocol. The user sends the systems \(Q^{(1)}\) and \(Q^{(2)}\) to the server. The server sends the systems \(A^{(1)}\) and \(A^{(2)}\) to the user. The initial state \(\rho _{[\mathsf{f}]}\) on \(S^{(0)}\) is arbitrary chosen. \(R_{[\mathsf{f}]}\) is the reference of the system \(S^{(0)}\)

Table 3 Definition of symbols

1. 1.

   Query (upload): For all \(i \in [\mathsf{r}]\), the user applies a unitary map \(\mathcal{D}^{(i-1)}\) from \(A^{(i-1)}\otimes T^{(i-1)}\) to \(Q^{(i)} \otimes T^{(i)}\), and sends \(Q^{(i)}\) to the sender. Here, \(T^{(i)}\) are the user’s local quantum systems for describing the CPTP maps applied by the user.

2. 2.

   Answer (download): For all \(i \in [\mathsf{r}]\), the server applies a unitary map \(\mathcal{E}^{(i)}\) from \(Q^{(i)} \otimes S^{(i-1)}\) to \(A^{(i)}\otimes S^{(i)} \) and sends \(A^{(i)}\) to the user. Here, \(S^{(i)}\) are the server’s local quantum systems for describing the CPTP maps applied by the server.

3. 3.

   Reconstruction: The user applies \(\mathcal{D}^{(\mathsf{r})}\) from \(A^{(\mathsf{r})}\otimes T^{(\mathsf{r})}\) to \(Y \otimes E\), and outputs the state on Y as the protocol output.

The input-output relation \(\Lambda _{\Phi}\) of the protocol Φ is written with a CPTP \(\Gamma _{\Phi ,k}\) from \(S^{(0)}\) to Y as

$$\begin{aligned} &\Lambda _{\Phi} (k,\rho _{1},\ldots ,\rho _{\mathsf{f}}) = \Gamma _{ \Phi ,k} (\rho _{[\mathsf{f}]}) = \operatorname{Tr}_{S^{(\mathsf{r})},E} \mathcal{D}\ast \mathcal{E}( \rho _{[ \mathsf{f}]} \otimes \mathcal{D}^{(0)} (|k\rangle \langle k| \otimes |0 \rangle \langle 0|) ), \end{aligned}$$

where \(\mathcal{D}\ast \mathcal{E}= ( \mathcal{D}^{(\mathsf{r})} \circ \mathcal{E}^{(\mathsf{r})} )\circ \cdots \circ ( \mathcal{D}^{(1)} \circ \mathcal{E}^{(1)} ) \). The QPIR protocol Φ should satisfy the following conditions.

• Correctness: When \(|\psi _{k}\rangle \langle \psi _{k} |\) denotes a purification of \(\rho _{k}\) with the reference system \(R_{k}\), the correctness is

  $$\begin{aligned} \Gamma _{\Phi ,k}\otimes \operatorname{id}_{R_{k}}(\rho _{[\mathsf{f}]\setminus \{k \}} \otimes |\psi _{k}\rangle \langle \psi _{k} |) = |\psi _{k} \rangle \langle \psi _{k} | \end{aligned}$$

  (19)

  for any \(K=k\) and any state \(\rho _{[\mathsf{f}]}\).

• Secrecy: When the final state on \(S^{(\mathsf{r})} \otimes R_{[\mathsf{f}]}\) with the target index \(K=k\) is denoted by \(\rho _{S^{(\mathsf{r})} R_{[\mathsf{f}]}}^{k}\), the secrecy is

  $$\begin{aligned} \rho _{S^{(\mathsf{r})} R_{[\mathsf{f}]}}^{k} &= \rho _{S^{( \mathsf{r})} R_{[\mathsf{f}]}}^{k'} \end{aligned}$$

  (20)

  for any k, \(k'\).

The communication complexity of the one-server multi-round Q-QPIR is written as \(\mathrm{CC}(\Phi )= \sum _{i=1}^{\mathsf{r}} \log |Q^{(i)}| + \log |A^{(i)}|\).

Theorem 1

For any multi-round Q-QPIR protocol Φ, the communication complexity \(\mathrm{CC}(\Phi )\) is lower bounded by \(\sum _{\ell =1}^{\mathsf{f}} \log |X_{\ell}|\), where \(X_{\ell}\) is the system of the ℓ-th message \(\rho _{\ell}\).

For the proof of Theorem 1, we prepare the following lemmas.

Lemma 9

\(H(A^{(i)}) + H(Q^{(i+1)}) \geq H(T^{(i+1)} ) - H(T^{(i)})\).

Proof

Lemma 9 is shown by the relation

$$\begin{aligned} &H(A^{(i)}) + H(T^{(i)}) + H(Q^{(i+1)}) \\ &\stackrel{{(\mathrm{b})}}{\geq} H(A^{(i)} T^{(i)} ) + H(Q^{(i+1)}) \\ &\stackrel{{(\mathrm{c})}}{=} H(Q^{(i+1)} T^{(i+1)} ) + H(Q^{(i+1)}) \\ &\stackrel{{(\mathrm{d})}}{\ge} H(T^{(i+1)} ). \end{aligned}$$

Here, \((b)\), \((c)\), and \((d)\) express the respective properties presented in Proposition 1. □

Lemma 10

The relation \(H( R_{[\mathsf{f}]} S^{(\mathsf{r})}) \ge \sum _{\ell =1}^{ \mathsf{f}}H( R_{\ell})\) holds.

Proof

Given the user’s input k, Correctness (19) guarantees that the final state on \(R_{k}\otimes Y\) is a pure state, and therefore, \(R_{k}\) is independent of any system except for Y. Thus, \(R_{k}\) is independent of \(R_{[\mathsf{f}]\setminus \{k\} } S^{(\mathsf{r})}\). The secrecy condition (20) guarantees that the final state on \(R_{[\mathsf{f}]} \otimes S^{(\mathsf{r})}\) does not depend on k. Hence, \(R_{1}, \ldots , R_{\mathsf{f}}\), and \(S^{(\mathsf{r})}\) are independent of each other. Therefore, we have

$$ H( R_{[\mathsf{f}]} S^{(\mathsf{r})} ) = H(S^{(\mathsf{r})})+ \sum _{ \ell =1}^{\mathsf{f}}H( R_{\ell}) \ge \sum _{\ell =1}^{\mathsf{f}}H( R_{ \ell}). $$

(21)

 □

Proof of Theorem 1

We choose the initial state on \(R_{\ell}\otimes X_{\ell}\) to be the maximally entangled state for \(\ell =1, \ldots , \mathsf{f}\). From Lemmas 9 and 10, we derive the following inequalities:

$$\begin{aligned} &\mathrm{CC}(\Phi )\geq \sum _{i=1}^{\mathsf{r}} \big(H(A^{(i)}) + H(Q^{(i)}) \big) \\ &= H(A^{(\mathsf{r})}) + H(Q^{(1)}) + \sum _{i=1}^{\mathsf{r}-1} \big(H(A^{(i)}) + H(Q^{(i+1)}) \big) \\ &\geq H(A^{(\mathsf{r})}) + H(Q^{(1)}) + H(T^{(\mathsf{r})}) - H(T^{(1)}) \end{aligned}$$

(22)

$$\begin{aligned} &= H(A^{(\mathsf{r})}) + H(T^{(\mathsf{r})}) \end{aligned}$$

(23)

$$\begin{aligned} &\stackrel{{(\mathrm{b})}}{\geq} H(A^{(\mathsf{r})} T^{(\mathsf{r})}) \stackrel{{(\mathrm{a})}}{=} H(R_{[\mathsf{f}]} S^{(\mathsf{r})}) \\ &\geq \sum _{\ell =1}^{\mathsf{f}}H( R_{\ell})=\sum _{\ell =1}^{ \mathsf{f}} \log |X_{\ell}| , \end{aligned}$$

(24)

where (a) and (b) express the respective properties presented in Proposition 1. In addition, (22) is obtained by applying Lemma 9 for all \(i=1,\ldots , \mathsf{r}-1\). The step (23) follows from \(H(Q^{(1)}) = H(T^{(1)})\) which holds due to the property (a) in Proposition 1, because the state on \(Q^{(1)} T^{(1)}\) is the pure state as the state on \(Q^{(0)} T^{(0)}\) is the pure state. The step (24) follows from Lemma 10. □

6 Q-QPIR protocol with prior entanglement under honest-server model

In the previous section, we proved that the trivial solution is optimal even in the final-state criterion under the honest one-server model of Q-QPIR. In this section, we construct a Q-QPIR protocol with lower communication complexity under various secrecy models than the trivial solution when we allow shared entanglement between the user and the server.

Let \(\mathsf{m}= \sum _{\ell =1}^{\mathsf{f}} \log |X_{\ell}|\) be the size of all messages. To measure the amount of the prior entanglement, we count sharing one copy of $|{\mathsf{I}}_2》=(1/\sqrt{2})(|00〉+|11〉)$ as an ebit. Accordingly, we count sharing the state $|{\mathsf{I}}_d》\in {\mathbb{C}}^d\otimes {\mathbb{C}}^d$ as logd ebits.

Theorem 2

Suppose there exists a C-QPIR protocol under a certain secrecy model with communication complexity \(f(d_{1}, \ldots , d_{\mathsf{f}})\) when \(g(d_{1}, \ldots , d_{\mathsf{f}})\)-ebit prior entanglement is shared between the user and the server. Then, there exists a Q-QPIR protocol under the same secrecy model with communication complexity \(f(d_{1}^{2}, \ldots , d_{\mathsf{f}}^{2})\) when \(\mathsf{m}+g(d_{1}, \ldots , d_{\mathsf{f}})\)-ebit prior entanglement is shared between the user and the server.

The protocol satisfying Theorem 2 is a simple combination of quantum teleportation [1] and any C-QPIR protocol. For the description of the protocol, we use the generalized Pauli operators and maximally entangled state for d-dimensional systems defined in (11). Hence, the type of guaranteed secrecy in the original C-QPIR protocol is inherited to the converted QPIR protocol. We construct the Q-QPIR protocol satisfying Theorem 2 as follows.

Protocol 3

Let \(\Phi _{\mathrm{cl}}\) be a C-QPIR protocol and \(d_{1},\ldots , d_{\mathsf{f}}\) be the size of the \(\mathsf{f}\) classical messages. From this protocol, we construct a Q-QPIR protocol as follows.

Let \(X_{1},\ldots , X_{\mathsf{f}}\) be the quantum systems with dimensions \(d_{1},\ldots , d_{\mathsf{f}}\), respectively, and \(\rho _{1},\ldots , \rho _{\mathsf{f}}\) be the quantum message states on systems \(X_{1},\ldots , X_{\mathsf{f}}\). The user and the server share the maximally entangled states $|{\mathsf{I}}_{d_{\ell }}》$, defined in (11), on \({Y_{\ell}\otimes Y_{\ell}'}\) for all \(\ell \in [\mathsf{f}]\), where \(Y_{[\mathsf{f}]}\) and \(Y_{[\mathsf{f}]}'\) are possessed by the user and the server, respectively.

The user and the server perform the following steps.

1. 1)

   Preparation: For all \(\ell \in [\mathsf{f}]\), the server performs the generalized Bell measurement \(\mathbf{M}_{\mathsf{X}\mathsf{Z},d_{\ell}}\), defined in (12), on \(X_{\ell}\otimes Y_{\ell}'\), where the measurement outcome is written as \(m_{\ell }= (a_{\ell}, b_{\ell})\in [0: d_{\ell}-1]^{2}\).

2. 2)

   Use of C-QPIR protocol: The user and the server perform the C-QPIR protocol \(\Phi _{\mathrm{cl}}\) to retrieve \(m_{k} = (a_{k},b_{k})\).

3. 3)

   Reconstruction: The user recovers the k-th message \(\rho _{k}\) by applying \(\mathsf{X}_{d_{k}}^{-a_{k}}\mathsf{Z}_{d_{k}}^{b_{k}} \) on \(Y_{k}\).

The correctness of the protocol is guaranteed by the correctness of the teleportation protocol and the C-QPIR protocol \(\Phi _{\mathrm{cl}}\). When the ℓ-th message state is prepared as \(\rho _{\ell}\) and its purification \(|\phi _{\ell}\rangle \) is denoted with the reference system \(R_{\ell}\), after Step 1, the states on \(R_{\ell}\otimes Y_{\ell}\) is

$$\begin{aligned} ( \mathsf{I}\otimes \mathsf{X}_{d_{\ell}}^{a_{\ell}} \mathsf{Z}_{d_{ \ell}}^{-b_{\ell}}) |\phi _{\ell}\rangle \end{aligned}$$

(25)

for all \(\ell \in [\mathsf{f}]\). Thus after Step 3, the targeted state \(|{\phi _{k}}\rangle \) is recovered in \(R_{k}\otimes Y_{k}\).

To analyze the secrecy of Protocol 3, note that only Step 2 has the communication between the user and the server. Thus the secrecy of Protocol 3 is guaranteed by the secrecy of the underlying protocol \(\Phi _{\mathrm{cl}}\).

Protocol 1 (Protocol 2) is a one-round C-QPIR protocol in the final-state criterion under the honest-server model (the specious-server model) with input states \({\mathcal{C}}\) with communication complexity \(2 \log \mathsf{f}+\log d\) (\(4 \log \mathsf{f}+2 \log d\)). Therefore, the combination of Protocols 1 and 3 and the combination of Protocols 2 and 3 yield the following corollary.

Corollary 2

There exists a Q-QPIR protocol with communication complexity \(2 \log \mathsf{f}+\log d^{2}=2\log \mathsf{f}d \) (\(4 \log \mathsf{f}+2 \log d^{2}=4\log \mathsf{f}d \)) and prior entanglement \(\mathsf{m}\) that satisfies the secrecy in the final-state criterion under the honest-server model (the specious-server model). When d is a constant, the communication complexity is \(2 \log \mathsf{m}+o(\mathsf{m})\) (\(4 \log \mathsf{m}+o( \mathsf{m})\)).

Proof

The case under the honest-server model is trivial. Hence, we show the desired statement under the specious-server model.

Assume that the server makes a specious attack. The user’s state at the end of Step 2) of Protocol 3 is the pair of entanglement halves \(\sigma _{1}\) and the state transmitted at Step 2) of Protocol 2\(\sigma _{2}\). Due to the specious condition, the state \(\sigma _{1}\) needs to be one of the states \(\{\mathsf{X}^{a}\mathsf{Z}^{b} \rho _{K}(\mathsf{X}^{a}\mathsf{Z}^{b})^{ \dagger}\}_{(a,b) \in [0:d-1]^{2}}\) with equal probability. That is, using the random variable \((a,b) \in [0:d-1]^{2}\) under the uniform distribution, the state \(\sigma _{1}\) is written as \(\mathsf{X}^{a}\mathsf{Z}^{b} \rho _{K}(\mathsf{X}^{a}\mathsf{Z}^{b})^{ \dagger}\). Hence, the state \(\sigma _{2}\) needs to be decided according to the random variable \((a,b)\) in the same way as the honest case. That is, the state \(\sigma _{2}\) satisfies the condition for the state transmitted by a specious server of Protocol 2 at Step 2). Since Protocol 2 satisfies the secrecy under the final-state criterion under the specious-server model with input states \({\mathcal{C}}\), the specious server obtains no information in the final state. That is, the combined Q-QPIR protocol with prior entanglement satisfies the secrecy under the final-state criterion under the specious-server model. □

Combining Theorem 2 and Corollary 1, we obtain the following corollary.

Corollary 3

There exists a Q-QPIR protocol with communication complexity \(O( \log \mathsf{m})\) and prior entanglement of \(\Theta (\mathsf{m})\) ebits that satisfies the secrecy in the all-round criterion under the honest-server model when the message size d is fixed to a constant.

One property of Protocol 3 is that all other states in the server are destroyed at Step 1. This is a disadvantage for the server but an advantage for the user since the user can retrieve other states \(\rho _{\ell}\) if the user could retrieve classical information \(m_{\ell }\in [0:d_{\ell}-1]^{2}\) corresponding to the state \(\rho _{\ell}\).

7 Conclusion

We have shown an exponential gap for the communication complexity of one-server Q-QPIR in the final-state criterion or under the honest-server model between the existence and the non-existence of prior entanglement. For this aim, as the first step, we have proposed an efficient one-server one-round C-QPIR protocol in the final-state criterion. Also, we have shown that the protocols proposed in [12] satisfies the secrecy in the all-round criterion under the honest server model. Then, as the second step, we have proved that the trivial solution of downloading all messages is optimal even in the final-state criterion for honest one-server Q-QPIR, which is a similar result to that of classical PIR but different from C-QPIR. As the third step, we have developed a conversion from any C-QPIR protocol to a Q-QPIR protocol, which yields an efficient Q-QPIR protocol with prior entanglement from a C-QPIR protocol. The proposed protocols exhibit an exponential improvement over the Q-QPIR’s trivial solution.

In fact, Protocols 1 and 2 work as one-server one-round C-QPIR protocol in the final-state criterion under the honest-server model or the specious-server model. However, Theorem 1 shows that no analogy of Protocol 1 nor 2 works for Q-QPIR protocol under similar settings without prior entanglement. This impossibility is caused by the non-cloning property of the quantum system, i.e., the property that the noiseless channel has no information leakage to the third party, because the proof of Theorem 1 relies on the fact that noiseless quantum communication ensures that the entropy of the final state on the third party is equal to the entropy of the final state on the composite system comprising the output system and the reference system. This impossibility is one of the reasons for our obtained exponential gap.

The above exponential gap has been established under three problem settings. The first and the second are the final-state criterion under the honest-server model and under the specious-server model. The third is the all-round criterion under the honest-server model. In other words, other problem settings do not have such an exponential improvement by using prior entanglement. This exponential improvement is much larger than the improvement achieved through the use of dense coding [2]. This exponential improvement can be considered as a useful application of prior entanglement. It is an interesting open problem to find similar exponential improvement by using prior entanglement.

Appendix:  Koashi-Imoto theory

Here, we discuss Koashi-Imoto theory [53] under the following assumption. We assume a state family \({\mathcal{S}}=\{ \rho _{x}\}_{x \in {\mathcal{X}}}\) on \({\mathcal{H}}\) satisfies the following condition.

(A):

When a subspace \({\mathcal{K}} \subset {\mathcal{H}}\) satisfies the condition \(P_{\mathcal{K}} \rho _{x} = \rho _{x} P_{\mathcal{K}}\) for any element \(x \in {\mathcal{X}}\), the \({\mathcal{K}}\) is \(\{0\}\) or \({\mathcal{H}}\), where \(P_{\mathcal{K}}\) is the projection to \({\mathcal{K}}\),

Under the above assumption, we have the following proposition.

Proposition 3

Assume the assumption (A). We consider a POVM \(\{M_{y}\}_{y\in {\mathcal{Y}}}\) on \({\mathcal{H}}\). When there exists a TP-CP map \(\Gamma _{y}\) for any element \(y\in {\mathcal{Y}}\) such that the relation \(\sum _{y}\Gamma _{y} (\sqrt{M}_{y} \rho _{x} \sqrt{M}_{y})=\rho _{x}\) holds for any element \(x \in {\mathcal{X}}\), then \(M_{y}\) is a constant times of the identity operator.

To prove Proposition 3, we rewrite Theorem 9 of [54] under the assumption (A).

Proposition 4

([54, Theorem 9], [53])

Assume the assumption (A). When a TP-CP map Γ satisfies the relation \(\Gamma (\rho _{x} )=\rho _{x}\) holds for any element \(x \in {\mathcal{X}}\), then Γ is the identity operator.

Proof

We choose the TP-CP map \(\Gamma (\rho ):=\sum _{y}\Gamma _{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y})\). The TP-CP map Γ satisfies the condition for Proposition 4. We choose Steinspring representation of \(\Gamma _{y}\) as an ancilla system \({\mathcal{R}}\), an initial pure state \(\rho _{0}\) on \({\mathcal{R}}\), and a unitary \(U_{y}\) on \({\mathcal{H}}\otimes {\mathcal{R}}\) such that \(\Gamma _{y}(\rho )= \operatorname{Tr}_{R} U_{y} (\rho \otimes \rho _{0})U_{y}^{ \dagger}\), where we can choose \({\mathcal{R}}\) and \(\rho _{0}\) commonly for \(\Gamma _{y}\). Here, we assume that \({\mathcal{R}}\) is spanned by \(\{|1\rangle _{R}, \ldots , |d_{R}\rangle _{R}\}\) and \(\rho _{0}\) is .

Therefore, we have \(\sum _{y} \operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{\dagger}= \rho \). Since the above relation holds for any pure state ρ, \(\operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{ \dagger}\) is a constant times of ρ for any x. Further, since \(\operatorname{Tr}_{R} U_{y} (\sqrt{M}_{y} \rho \sqrt{M}_{y}\otimes \rho _{0})U_{y}^{ \dagger}\) is a pure state for any pure state ρ, \(~_{R}\langle j| U_{y}| 1\rangle _{R}\) is a constant times of \(~_{R}\langle 1| U_{y}| 1\rangle _{R}\) for \(j=2, \ldots , d_{R}\). Since \(U_{y}\) is a unitary, \(~_{R}\langle j| U_{y}| 1\rangle _{R}\) is also a unitary. Thus, \(~_{R}\langle j| U_{y}| 1\rangle _{R} \sqrt{M}_{y} \rho \sqrt{M}_{y} (~_{R} \langle j| U_{y}| 1\rangle _{R})^{\dagger}\) is a constant times of ρ. Thus, \(\sqrt{M}_{y}\) is a constant times of a unitary. That is, \(\sqrt{M}_{y}\) is a constant times of the identity operator. □