1. Introduction
The advent of quantum technology has brought about a paradigm shift in the way that we approach cryptography and secure communication. As quantum computers threaten the security of the widely used classical encryption schemes, new cryptographic protocols including ones utilizing quantum technology are emerging that promise to maintain privacy even against quantum adversaries. Among these, the quantum private query (QPQ) stands out for its potential to protect both user privacy and database security in database queries.
The need for private query protocols is well-recognized in the field of computer science, as they enable users to retrieve information from a database without revealing their queries or any sensitive information about the database itself. Traditional private query protocols, such as those based on oblivious transfer and homomorphic encryption, provide computational security against classical attackers [1–4]. However, with the advent of quantum computing [5–7], there is a need for secure private query protocols that can provide information-theoretic security against quantum adversaries.
The QPQ addresses this need by leveraging the principles of quantum mechanics, such as superposition and entanglement, to ensure that the user can retrieve information from the database while revealing virtually no information about the query or the database itself. The protocol has gained significant attention due to its potential applications in secure data retrieval, anonymous authentication, and privacy-preserving data mining [8–10].
Several studies have explored the theoretical foundations and practical implementations of QPQ. For instance, Gao et al [11] demonstrated the security against a malicious quantum database; Francesco et al [12] proposed an efficient implementation of using linear optics. Additionally, many new QPQ protocols [13–15] were proposed. These works have laid the groundwork for understanding and developing secure private query protocols, which are expected to play a vital role in the future of privacy-preserving information retrieval.
In order to solve the problem of lacking support for a large database, the first QPQ protocol based on Quantum Key Distribution (QKD) was proposed by Jakobi et al [16]. From then on, more and more research focuses on QKD-based QPQ and many new protocols are proposed [17–24]. In 2018, Zhou et al proposed such a protocol [25], denoted as the ZBLSY protocol, where Alice prepares and sends quantum states to improve the user privacy. Additionally, it also employs the specific two-way communication approach where Bob returns the measured photons by Ctrl or Shift mode instead of declaring two non-orthogonal qubits, which may leak half of the correct qubits. Therefore, the database security is also strengthened. However, we found the advantages that the dishonest user can gain are significantly greater than which was initially analyzed in the ZBLSY protocol.
The rest of this paper is organized as follows. The ZBLSY protocol is briefly reviewed in section 2 . In section 3 , we describe the attack against the ZBLSY protocol. Section 4 presents the improvements of the ZBLSY protocol and the security is analyzed in section 5 . Finally, we make a conclusion according to our analysis in section 6 .
2. Brief review of the ZBLSY protocol
In this section, we briefly review the ZBLSY protocol.
Step 1 Alice prepares a lengthy series of photons in one of the four states, $\left|0\right\rangle $, $\left|1\right\rangle $, $\left|+\right\rangle $ or $\left|-\right\rangle $, and transmits them to Bob.
Step 2 Bob generates a random string $a\in {\left\{0,1\right\}}^{n}$ as the key Kr. In the cases where Bob has successfully received the photons, he measures the i-th photon in Z basis $\left|0\right\rangle $, $\left|1\right\rangle $ if ai = 0 or X basis $\left|+\right\rangle $, $\left|-\right\rangle $ if ai = 1. Then, Bob randomly selects one of the following modes to apply to his photons.
In Ctrl mode, Bob returns the measured photon directly to Alice.
In Shift mode, Bob makes the measured photon pass the X gate if the measurement result is $\left|0\right\rangle $ or $\left|1\right\rangle $, and the Z gate if the measurement result is $\left|+\right\rangle $ or $\left|-\right\rangle $. Therefore, after the operation, $\left|0\right\rangle $ is converted into $\left|1\right\rangle $, while $\left|1\right\rangle $ is converted into $\left|0\right\rangle $; $\left|+\right\rangle $ is altered to $\left|-\right\rangle $ while $\left|-\right\rangle $ is altered to $\left|+\right\rangle $. Then, Bob sends back the converted photon to Alice.
Step 3 Alice announces which instances she has successfully detected. For each photon, Bob announces the mode he has selected.
Suppose Bob selects Ctrl mode. Alice measures the detected photon in Z basis if the sent state is $\left|0\right\rangle $ or $\left|1\right\rangle $, and in X basis if the sent state is $\left|+\right\rangle $ or $\left|-\right\rangle $. If the measurement result is different from the state of the sent photon, this indicates that the measurement basis used by Alice is different from the one used by Bob. If the measurement result is the same as the state of the sent photon, Alice cannot infer the measurement basis which Bob uses. Therefore, Alice can get the value of ${K}_{i}^{r}$ only when the measurement result is different from the state of the sent photon.
For example, suppose that the state of the photon which Alice sends to Bob is $\left|1\right\rangle $ in Step 1. Then, Bob uses Z basis or X basis to measures it in Step 2. If Bob uses Z basis, the measurement result must be $\left|1\right\rangle $; if Bob uses X basis, the measurement result is $\left|+\right\rangle $ or $\left|-\right\rangle $ randomly. When Alice receives the returned photon from Bob, she uses Z basis to measure it. If the measurement result is $\left|0\right\rangle $, Alice can infer that Bob uses X basis while Alice cannot obtain any information if the measurement result is $\left|1\right\rangle $. Therefore, Alice can get Bob's encoded bit only when the measurement result is $\left|0\right\rangle $ with the probability 1/4. That is, Alice can obtain a quarter of Kr.
When Bob selects Shift mode, the approach is similar to Ctrl mode.
Step 4 Alice randomly selects half of Kr and requires Bob to announce his corresponding measurement results in Step 2. Then, Alice can detect the honesty of Bob based on the outcome states of Bob, her initial states and outcome states. If Alice finds Bob cheating her, she would abort the protocol; otherwise, they will continue to Step 5.
Step 5 At this point, Alice and Bob obtain half of Kr, denoted as KM. Then, Bob and Alice carry out the classical post-processing step which is similar to Yang's protocol [26]. They transform KM into
$\begin{eqnarray}{\boldsymbol{S}}=\left[\begin{array}{cccc}{q}_{1} & {q}_{2} & \ldots \, & {q}_{N}\\ {q}_{N+1} & {q}_{N+2} & \ldots \, & {q}_{2N}\\ \vdots & \vdots & \vdots & \vdots \\ {q}_{N(k-1)+1} & {q}_{N(k-1)+2} & \ldots \, & {q}_{kN}\\ \end{array}\right].\end{eqnarray}$
Here, qi is ${K}_{i}^{M}$ and k is a security parameter.T is a row vector selected randomly by Bob,
$\begin{eqnarray}{\boldsymbol{T}}=\left[\begin{array}{cccc}{t}_{1} & {t}_{2} & \ldots \, & {t}_{k}\end{array}\right].\end{eqnarray}$
Here, tj is a positive integer, j = 1, 2, …, k.Bob and Alice multiply T by S, and obtain the matrix Q,
$\begin{eqnarray}\begin{array}{rcl}{\boldsymbol{Q}} & = & {\boldsymbol{T}}{\boldsymbol{S}}=\left[\begin{array}{cccc}{t}_{1} & {t}_{2} & \ldots \, & {t}_{k}\end{array}\right]\\ & & \times \,\left[\begin{array}{cccc}{q}_{1} & {q}_{2} & \ldots \, & {q}_{N}\\ {q}_{N+1} & {q}_{N+2} & \ldots \, & {q}_{2N}\\ \vdots & \vdots & \vdots & \vdots \\ {q}_{N(k-1)+1} & {q}_{N(k-1)+2} & \ldots \, & {q}_{kN}\\ \end{array}\right]\\ & = & \left[\begin{array}{cccc}{Q}_{1} & {Q}_{2} & \ldots \, & {Q}_{N}\end{array}\right],\end{array}\end{eqnarray}$
where ${Q}_{j}={\sum }_{i=1}^{k}{t}_{i}{q}_{N(i-1)+j}$.Then, they perform a piecewise function to obtain the N-bit final key O,
$\begin{eqnarray}{O}_{j}=\left\{\begin{array}{ccc}0, & & {Q}_{j}\leqslant t,\\ 1, & & {Q}_{j}\gt t,\end{array}\right.\end{eqnarray}$
where the threshold should be set to $t=\left[{\sum }_{i=1}^{k}{t}_{i}/2\right]$. In the function, the value k and t should be set appropriately so that Alice can obtain about one bit of the final key O.Step 6 Suppose Alice knows the j-th key bit Oj and tries to retrieve the i-th item Xi. She declares the number s = j − i. Then, Bob shifts O by s and encrypts his database with using the new key O'. Thus, Alice can decrypt Xi correctly with the key bit Oj.
In the ZBLSY protocol, after Alice prepares the initial state, the threat of Bob's spoofing is greatly reduced because Bob could not get the information of initial state accurately.
3. An unambiguous state discrimination attack to the ZBLSY protocol
Although the ZBLSY protocol has the advantage of strong user privacy, unfortunately, we found that the advantages to the user are significantly greater than which is initially analyzed in the ZBLSY protocol. In this section, we present an attack method aimed at the ZBLSY protocol. This method enables Alice to increase the probability of obtaining every key bit beyond the stated probability in the ZBLSY protocol. The detailed analysis is described as follows.
We assume that Alice is dishonest. She prepares a fake entangled state $\left(\left|00\right\rangle +\left|11\right\rangle \right)/\sqrt{2}$, and sends one photon of the entangled state to Bob. Then, Bob uses Z basis $\left|0\right\rangle $, $\left|1\right\rangle $ or X basis $\left|+\right\rangle $, $\left|-\right\rangle $ to measure it.
Here, the transformation formulas for Bell states are given, which is necessary preparation for the following discussion,
$\begin{eqnarray}\frac{\left|00\right\rangle +\left|11\right\rangle }{\sqrt{2}}=\frac{\left|++\right\rangle +\left|--\right\rangle }{\sqrt{2}},\end{eqnarray}$
$\begin{eqnarray}\frac{\left|00\right\rangle -\left|11\right\rangle }{\sqrt{2}}=\frac{\left|+-\right\rangle +\left|-+\right\rangle }{\sqrt{2}},\end{eqnarray}$
$\begin{eqnarray}\frac{\left|01\right\rangle +\left|10\right\rangle }{\sqrt{2}}=\frac{\left|++\right\rangle -\left|--\right\rangle }{\sqrt{2}},\end{eqnarray}$
$\begin{eqnarray}\frac{\left|01\right\rangle -\left|10\right\rangle }{\sqrt{2}}=\frac{\left|+-\right\rangle -\left|-+\right\rangle }{\sqrt{2}}.\end{eqnarray}$
Next, we will discuss the basis that Bob uses in different scenarios.
Scenario 1 Assume that Bob uses the Z basis. After the measurement, the system state retained by Alice will collapse to $\left|0\right\rangle $ if the result of the measurement is $\left|0\right\rangle $ and $\left|1\right\rangle $ if the result of the measurement is $\left|1\right\rangle $. As the probabilities that the result is $\left|0\right\rangle $ or $\left|1\right\rangle $ are both 1/2 and Bob will send back the state corresponding to the measurement result to Alice in the subsequent steps, the system state retained by Alice will become either $\left|00\right\rangle $ or $\left|11\right\rangle $ randomly. Thus, the density operator becomes ${\rho }_{0}=\left(\left|00\right\rangle \left\langle 00\right|+\left|11\right\rangle \left\langle 11\right|\right)/2$.
Alice chooses Bell bases to measure ρ0. The result of the measurement is
$\begin{eqnarray}\begin{array}{l}P\left(\,\rm{result}\,\,=\,\displaystyle \frac{\left|00\right\rangle +\left|11\right\rangle }{\sqrt{2}}\right)\\ =\,P\,\left(\,\rm{result}\,\,=\,\displaystyle \frac{\left|00\right\rangle -\left|11\right\rangle }{\sqrt{2}}\right)=\displaystyle \frac{1}{2}.\end{array}\end{eqnarray}$
Scenario 2 Assume that Bob uses the X basis. After the measurement, the system state retained by Alice will collapse to $\left|+\right\rangle $ if the result of the measurement is $\left|+\right\rangle $ and $\left|-\right\rangle $ if the result of the measurement is $\left|-\right\rangle $. As the probabilities that the result is $\left|+\right\rangle $ or $\left|-\right\rangle $ are both 1/2 and Bob will send back the state corresponding to the measurement result to Alice in the subsequent steps, the system state retained by Alice will become either $\left|++\right\rangle $ or $\left|--\right\rangle $ randomly. Thus, the density operator is ${\rho }_{1}=\left(\left|++\right\rangle \left\langle ++\right|+\left|--\right\rangle \left\langle --\right|\right)/2$.
Alice chooses transformed Bell bases to measure the state ρ1. The result of the measurement is
$\begin{eqnarray}\begin{array}{l}P\left(\,\rm{result}\,=\displaystyle \frac{\left|++\right\rangle +\left|\,--\,\right\rangle }{\sqrt{2}}\right)\\ =P\left(\,\rm{result}\,=\displaystyle \frac{\left|++\right\rangle -\left|\,--\,\right\rangle }{\sqrt{2}}\right)=\displaystyle \frac{1}{2}.\end{array}\end{eqnarray}$
According to equation (5 ), by comparing formula 9 and formula 10, we can draw the following conclusions. If the final result is $\left(\left|00\right\rangle -\left|11\right\rangle \right)/\sqrt{2}$, we can infer that Bob uses the Z basis; if the final is $\left(\left|++\right\rangle -\left|--\right\rangle \right)/\sqrt{2}$, we can infer that Bob uses the X basis. During our calculations, we designate the following events: event A occurs when the final outcome is $\left(\left|00\right\rangle -\left|11\right\rangle \right)/\sqrt{2}$; event B happens when the end result is $\left(\left|++\right\rangle -\left|--\right\rangle \right)/\sqrt{2}$; event C transpires when Bob employs the Z basis; and event D takes place when Bob opts for the X basis. Thus, the probability that Alice gets the key bit is
$\begin{eqnarray}\begin{array}{rcl}P\left(A\cup B\right) & = & P\left(A\right)+P\left(B\right)-P\left(AB\right)\\ & = & P\left(AC\right)+P\left(BD\right)-P\left(AB\right)\\ & = & P\left(A\left|\right.C\right)\times P\left(C\right)+P\left(B\left|\right.D\right)\times P\left(D\right)-P\left(AB\right)\\ & = & \displaystyle \frac{P\left(C\right)+P\left(D\right)}{2}-0\\ & = & \displaystyle \frac{1}{2}.\end{array}\end{eqnarray}$
The simulation comparison of attack and non-attack scenarios can be seen in table 1.
Table 1. The simulation comparison of attack and non-attack scenarios. |
| Attack? | The photon sent by Alice | The measure basis chosen by Bob | The measurement result of Alice | The probability |
|---|---|---|---|---|
| No | $\left|0\right\rangle $ | Z | $\left|1\right\rangle $ | $\frac{1}{4}$ |
| X | $\left|0\right\rangle $ or $\left|1\right\rangle $ | |||
| Yes | one photon of $\frac{\left|00\right\rangle +\left|11\right\rangle }{\sqrt{2}}$ | Z | $\frac{\left|00\right\rangle +\left|11\right\rangle }{\sqrt{2}}$ or $\frac{\left|00\right\rangle -\left|11\right\rangle }{\sqrt{2}}$ | $\frac{1}{2}$ |
| X | $\frac{\left|++\right\rangle +\left|--\right\rangle }{\sqrt{2}}$ or $\frac{\left|++\right\rangle -\left|--\right\rangle }{\sqrt{2}}$ |
Obviously, 1/2 in the attacked circumstance is greater than 1/4 in the normal circumstance. Therefore, the dishonest user can get more information by an unambiguous state discrimination attack. Additionally, the analysis results here are different from the results in 3.1.2 EPR Attacks in Zhou's paper [25] because of overlooking the application of unambiguous state discrimination. Table 2 demonstrates the expected number of keys ${\overline{n}}_{1}$ and ${\overline{n}}_{2}$ that Alice can infer with different data size N and different K in normal and attacked circumstances.
Table 2. The expected number of keys ${\overline{n}}_{1}$ and ${\overline{n}}_{2}$ with different data size N and different K in normal and attacked circumstances. |
| N | 103 | 5 × 103 | 104 | 5 × 104 | 105 | 106 |
|---|---|---|---|---|---|---|
| K | 4 | 5 | 6 | 7 | 7 | 9 |
| ${\overline{n}}_{1}$ | 3.91 | 4.88 | 2.44 | 3.05 | 6.10 | 3.81 |
| ${\overline{n}}_{2}$ | 62.50 | 156.25 | 156.25 | 390.63 | 781.25 | 1953.12 |
By analysis, the user can obtain 2K times the amount of database information than which is normally allowed by launching our attack. Therefore, the attack we propose here poses a significant threat to database security.
For the ZBLSY protocol, there may be other attack methods, but the attack method we are using here is quite effective. Therefore, in this paper, we will only analyze the unambiguous state discrimination attack.
4. Improvement to the ZBLSY protocol
As analyzed in the previous section, the security of the database in the ZBLSY protocol is severely threatened. The main reason is that when a dishonest user employs an entanglement attack, the state of the system returned by the database and the state of the system retained by the user can be distinguished with a higher probability by unambiguous state discrimination. The key to improving this is to prevent the user from using similar methods to distinguish between the states. Three improvement methods are given below. The primary enhancements focus on the second and third steps. In addition, the fourth step has been removed in all the improvements below to prevent a recently proposed attack in [27].
4.1. The first improved version of ZBLSY protocol
Step 2 Bob generates a random string $a\in {\left\{0,1\right\}}^{n}$ as the key Kr. In the cases where Bob has successfully received the photons, he measures the i-th photon in Z basis $\left|0\right\rangle $, $\left|1\right\rangle $ if ai = 0 or X basis $\left|+\right\rangle $, $\left|-\right\rangle $ if ai = 1.
Step 3 If the measurement result is $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$, Bob announces bit 0; if the measurement result is $\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}$, he announces bit 1.
Suppose Alice sends $\left|0\right\rangle $ to Bob in Step 1. Then, Bob will choose the X basis or Z basis to measure the photon in Step 2. If Bob uses the Z basis, the measurement result is definitely $\left|0\right\rangle $ and Bob definitely announces bit 0. If Bob uses the X basis, the measurement result is $\left|+\right\rangle $ or $\left|-\right\rangle $ randomly, and Bob will announce bit 0 or 1 with the probability 1/2 respectively. In summary, Bob will announce bit 0 with the probability 3/4, and bit 1 with the probability 1/4. Alice can get Bob's encoded bit only when the announced bit is 1. That is, the probability of Alice getting the key bit is 1/4.
In fact, the main process of this improved version is similar to the protocol in [28]. Nevertheless, the step for the user checking the honesty of the database is omitted in the improved version, which makes the proposed improvement provide better protection for the security of the database.
4.2. The second improved version of the ZBLSY protocol
Step 2 Bob generates a random string $a\in {\left\{0,1\right\}}^{n}$ as the key Kr. In the cases where Bob has successfully received the photons, he measures the i-th photon in the Z basis $\left|0\right\rangle $, $\left|1\right\rangle $ if ai = 0 or X basis $\left|+\right\rangle $, $\left|-\right\rangle $ if ai = 1.
Step 3 For each photon that Bob successfully measures, he announces a pair of two states. One is the measurement result and the other is a random state from the other basis. For example, if the measurement result is $\left|0\right\rangle $, Bob would announce $\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$ or $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$. Alice could infer the basis Bob has used based on his announcement. The probability of success is 1/4.
Suppose Alice sends $\left|0\right\rangle $ to Bob in Step 1. Then, Bob will choose the X basis or Z basis to measure the photon in Step 2. If Bob uses the Z basis, the measurement result is definitely $\left|0\right\rangle $ and Bob announces $\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$ or $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$ with the probability 1/2 respectively. If Bob uses the X basis, the measurement result is $\left|+\right\rangle $ or $\left|-\right\rangle $ randomly, and Bob will announce $\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$, $\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}$, $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$ or $\left\{\left|1\right\rangle ,\left|-\right\rangle \right\}$ with the probability 1/4 respectively. In summary, Bob will announce $\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$ with the probability 3/8, $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$ with the probability 3/8, $\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}$ with the probability 1/8 and $\left\{\left|1\right\rangle ,\left|-\right\rangle \right\}$ with the probability 1/8. Alice can get Bob's encoded bit only when the announcement is $\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}$ or $\left\{\left|1\right\rangle ,\left|-\right\rangle \right\}$. Therefore, the probability that Alice can get the key bit is 1/4.
The improved version is roughly the inverse process of the J protocol [16]. In this improved version, Alice infers which basis Bob used by sending photons and receiving Bob's announcements, thereby obtaining the key bits. While in the J protocol [16], Alice measures the photons sent by Bob and receives Bob's announcements to infer which photon Bob sent, thus obtaining the key bits.
4.3. The third improved version of the ZBLSY protocol
Step 2 Bob generates a random string $a\in {\left\{0,1\right\}}^{n}$ as the key Kr. For the instances that Bob has successfully received, he measures the i-th photon in Z basis $\left|0\right\rangle $, $\left|1\right\rangle $ if ai = 0 or X basis $\left|+\right\rangle $, $\left|-\right\rangle $ if ai = 1. If the measurement result is $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}\left(\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}\right)$, he sends back $\left|0\right\rangle \left(\left|+\right\rangle \right)$.
Step 3 Alice measures the photon Bob returns in the Z basis if she sends $\left|0\right\rangle $ or $\left|-\right\rangle $ and in the X basis if she sends $\left|1\right\rangle $ or $\left|+\right\rangle $. Alice could infer which basis Bob uses in Step 2 with success probability 1/8.
Suppose Alice sends $\left|1\right\rangle $ to Bob in Step 1. Then Bob will choose the X basis or Z basis to measure the photon in Step 2. If Bob uses the Z basis, the measurement result is definitely $\left|1\right\rangle $ and Bob will send back $\left|+\right\rangle $. If Bob uses the X basis, the measurement result is $\left|+\right\rangle $ or $\left|-\right\rangle $ randomly, and Bob will send back $\left|+\right\rangle $ or $\left|0\right\rangle $ with the probability 1/2 respectively. Thus, Bob will send back $\left|+\right\rangle $ with the probability 3/4, and $\left|0\right\rangle $ with the probability 1/4. After Alice receives the photon, she will measure it in the X basis. Alice can get Bob's encoded bit only when the measurement result is $\left|-\right\rangle $ with the probability 1/8.
5. Security analysis to the improved versions
After analysis, we found that the third improved version can enhance the security of the database compared to the original protocol, but it is not as effective as the other improved versions. Therefore, next we will mainly analyze and demonstrate the security of the first and second improved versions. Due to the vulnerability in the original protocol being related to the database security, we focused on analyzing the performance of the improved protocols in terms of the database security.
5.1. Security analysis to the first improved version
As mentioned before, the main process of the first improved version is similar to the protocol in [28]. In fact, the security analysis in [28] only focuses on some specific attacks. And here we will make generalized assumptions about the attack patterns, and prove the security of the improved protocol based on these assumptions. Since Bob performs a single-qubit measurement, the state Alice initially prepared can be represented as
$\begin{eqnarray}\left|\psi \right\rangle ={\left|{\phi }_{0}\right\rangle }_{a}{\left|0\right\rangle }_{b}+{\left|{\phi }_{1}\right\rangle }_{a}{\left|1\right\rangle }_{b},\end{eqnarray}$
where the system a is reserved by Alice and the system b is sent to Bob. Here $\left|{\phi }_{0}\right\rangle $ and $\left|{\phi }_{1}\right\rangle $ are non-normalized and satisfy $\begin{eqnarray}\left\langle {\phi }_{0}| {\phi }_{0}\right\rangle +\left\langle {\phi }_{1}| {\phi }_{1}\right\rangle =1.\end{eqnarray}$
We assume that $\left\langle {\phi }_{0}| {\phi }_{0}\right\rangle ={k}_{0}$, $\left\langle {\phi }_{1}| {\phi }_{1}\right\rangle ={k}_{1}$, $\left\langle {\phi }_{0}| {\phi }_{1}\right\rangle =\lambda $ and $\left\langle {\phi }_{1}| {\phi }_{0}\right\rangle ={\lambda }^{* }$.When Bob receives the system b, he measures it with the Z basis or X basis. When Bob chooses the Z basis, the state of system a will become $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ if the result of measurement is $\left|0\right\rangle $ and the state of system a will become $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ if the result of measurement is $\left|1\right\rangle $. Due to
$\begin{eqnarray}\left|\psi \right\rangle =\frac{\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle }{\sqrt{2}}\left|+\right\rangle +\frac{\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle }{\sqrt{2}}\left|-\right\rangle ,\end{eqnarray}$
when Bob chooses the X basis, the state of system a will become $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$ if the result of measurement is $\left|+\right\rangle $ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$ if the result of statement is $\left|-\right\rangle $. The probabilities of various results are as below $\begin{eqnarray}P\left(\left|0\right\rangle \right)=\frac{{k}_{0}}{2},\end{eqnarray}$
$\begin{eqnarray}P\left(\left|1\right\rangle \right)=\frac{{k}_{1}}{2},\end{eqnarray}$
$\begin{eqnarray}P\left(\left|+\right\rangle \right)=\frac{1+\lambda +{\lambda }^{* }}{4},\end{eqnarray}$
$\begin{eqnarray}P\left(\left|-\right\rangle \right)=\frac{1-\lambda -{\lambda }^{* }}{4}.\end{eqnarray}$
Then, if Bob announces 0, this indicates that Bob's measurement result is either $\left|0\right\rangle $ or $\left|-\right\rangle $, then the state of system a is $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ or $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$. Therefore, Alice can get Bob's encoded bit by distinguishing between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$. If Bob announces 1, Alice needs to distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$.
When Bob announces 0, the prior probability of $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ is ${P}_{1}=2{k}_{0}/\left(2{k}_{0}+1-\lambda -{\lambda }^{* }\right)$ and the prior probability of $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$ is ${P}_{2}=\left(1-\lambda -{\lambda }^{* }\right)/\left(2{k}_{0}+1-\lambda -{\lambda }^{* }\right)$. Thus, the process of Alice determining Bob's encoded bit is transformed into a problem of distinguishing between two states with prior probabilities. The highest probability that Alice can distinguish between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$ is
$\begin{eqnarray}\begin{array}{rcl}{P}_{3} & = & 1-2\sqrt{{P}_{1}{P}_{2}}\left|\displaystyle \frac{\left\langle {\phi }_{0}\right|}{\sqrt{{k}_{0}}}\displaystyle \frac{\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle }{\sqrt{1-\lambda -{\lambda }^{* }}}\right|\\ & = & 1-\displaystyle \frac{2\sqrt{2}}{2{k}_{0}+1-\lambda -{\lambda }^{* }}\left|\,\left\langle {\phi }_{0}| {\phi }_{0}\right\rangle -\left\langle {\phi }_{1}| {\phi }_{1}\right\rangle \right|\\ & = & 1-\displaystyle \frac{2\sqrt{2}}{2{k}_{0}+1-\lambda -{\lambda }^{* }}\left|{k}_{0}-\lambda \right|.\end{array}\end{eqnarray}$
By the same token, when Bob announces 1, the highest probability that Alice can distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$ is
$\begin{eqnarray}{P}_{4}=1-\displaystyle \frac{2\sqrt{2}}{2{k}_{1}+1+\lambda +{\lambda }^{* }}\left|{k}_{1}+{\lambda }^{* }\right|.\end{eqnarray}$
Thus, combining the probabilities of the two cases mentioned above, we can infer that the probability that Alice can infer one of the correct bits of the key is
$\begin{eqnarray}\begin{array}{rcl}{P}_{5} & = & \left(P\left(\left|0\right\rangle \right)+P\left(\left|-\right\rangle \right)\right)\\ & & \times {P}_{3}+\left(P\left(\left|1\right\rangle \right)+P\left(\left|+\right\rangle \right)\right)\times {P}_{4}\\ & = & \left(\displaystyle \frac{{k}_{0}}{2}+\displaystyle \frac{1-\lambda -{\lambda }^{* }}{4}\right)\times \left(1-\displaystyle \frac{2\sqrt{2}}{2{k}_{0}+1-\lambda -{\lambda }^{* }}\left|{k}_{0}-\lambda \right|\right)\\ & & +\left(\displaystyle \frac{{k}_{1}}{2}+\displaystyle \frac{1+\lambda +{\lambda }^{* }}{4}\right)\times \left(1-\displaystyle \frac{2\sqrt{2}}{2{k}_{1}+1+\lambda +{\lambda }^{* }}\left|{k}_{1}+{\lambda }^{* }\right|\right)\\ & = & 1-\displaystyle \frac{1}{\sqrt{2}}\left(\left|{k}_{0}-\lambda \right|+\left|{k}_{1}+{\lambda }^{* }\right|\right)\\ & \leqslant & 1-\displaystyle \frac{1}{\sqrt{2}}\left|{k}_{0}-\lambda +{k}_{1}+{\lambda }^{* }\right|\\ & = & 1-\displaystyle \frac{1}{\sqrt{2}}\approx 0.29.\end{array}\end{eqnarray}$
That is, Alice can infer one of the bits of the key with a probability of less than 0.29, which is similar to that in the J protocol [16]. Obviously, the improved protocol has a higher database security than the original protocol. The probabilities of Alice inferring one of the correct bits of the key under various circumstances are depicted in figure 1.
Figure 1. The probabilities that Alice can infer one of the correct bits of the key under different circumstances. |
Circumstance 1 represents the normal operating condition in the original protocol; circumstance 2 depicts the scenario under attack in the original protocol; circumstance 3 represents the normal operating condition in the improved protocol; and circumstance 4 depicts the scenario under attack in the improved protocol.
The analysis of user privacy is the same as the original protocol, so it will not be repeated here.
5.2. Security analysis to the second improved version
The preliminary preparations and the probabilities of Bob's different measurement results are the same as in the security analysis to the first improved version, so they will not be repeated here.
If Bob announces$\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$, this indicates that Bob's measurement result is either $\left|0\right\rangle $ or $\left|+\right\rangle $, then the state of system a is $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ or $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$. Therefore, Alice can get Bob's encoded bit by distinguishing between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$. If Bob announces $\left\{\left|0\right\rangle ,\left|-\right\rangle \right\}$, Alice needs to distinguish between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$. If Bob announces $\left\{\left|1\right\rangle ,\left|+\right\rangle \right\}$, Alice needs to distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$. If Bob announces $\left\{\left|1\right\rangle ,\left|-\right\rangle \right\}$, Alice needs to distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$.
Based on the security analysis above, we can know that the highest probability that Alice can distinguish between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$ is P3 and the highest probability that Alice can distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$ is P4.
When Bob announces $\left\{\left|0\right\rangle ,\left|+\right\rangle \right\}$, the prior probability of $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ is
$\begin{eqnarray}{P}_{6}=\displaystyle \frac{2{k}_{0}}{\left(2{k}_{0}+1+\lambda +{\lambda }^{* }\right)},\end{eqnarray}$
and the prior probability of $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$ is $\begin{eqnarray}{P}_{7}=\displaystyle \frac{\left(1+\lambda +{\lambda }^{* }\right)}{\left(2{k}_{0}+1+\lambda +{\lambda }^{* }\right)}.\end{eqnarray}$
Therefore, the highest probability that Alice can distinguish between $\left|{\phi }_{0}\right\rangle /\sqrt{{k}_{0}}$ and $\left(\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle \right)/\sqrt{1+\lambda +{\lambda }^{* }}$ is
$\begin{eqnarray}\begin{array}{rcl}{P}_{8} & = & 1-2\sqrt{{P}_{6}{P}_{7}}\left|\displaystyle \frac{\left\langle {\phi }_{0}\right|}{\sqrt{{k}_{0}}}\displaystyle \frac{\left|{\phi }_{0}\right\rangle +\left|{\phi }_{1}\right\rangle }{\sqrt{1+\lambda +{\lambda }^{* }}}\right|\\ & = & 1-\displaystyle \frac{2\sqrt{2}}{2{k}_{0}+1+\lambda +{\lambda }^{* }}\left|\,,\left\langle {\phi }_{0}| {\phi }_{0}\right\rangle +\left\langle {\phi }_{1}| {\phi }_{1}\right\rangle \right|\\ & = & 1-\displaystyle \frac{2\sqrt{2}}{2{k}_{0}+1+\lambda +{\lambda }^{* }}\left|{k}_{0}+\lambda \right|.\end{array}\end{eqnarray}$
By the same token, when Bob announces $\left\{\left|1\right\rangle ,\left|-\right\rangle \right\}$, the highest probability that Alice can distinguish between $\left|{\phi }_{1}\right\rangle /\sqrt{{k}_{1}}$ and $\left(\left|{\phi }_{0}\right\rangle -\left|{\phi }_{1}\right\rangle \right)/\sqrt{1-\lambda -{\lambda }^{* }}$ is
$\begin{eqnarray}{P}_{9}=1-\displaystyle \frac{2\sqrt{2}}{2{k}_{1}+1-\lambda -{\lambda }^{* }}\left|{k}_{1}-{\lambda }^{* }\right|.\end{eqnarray}$
Thus, combining the probabilities of the four cases mentioned above, we can infer that the probability that Alice can infer one of the correct bits of the key is
$\begin{eqnarray}\begin{array}{rcl}{P}_{10} & = & \frac{1}{2}[(P(| 0\rangle )+P(| -\rangle ))\\ & & \times \,{P}_{3}+(P(| 1\rangle )+P(| +\rangle ))\times {P}_{4}\\ & & +(P(| 0\rangle )+P(| +\rangle ))\\ & & \times \,{P}_{8}+(P(| 1\rangle )+P(| -\rangle ))\times {P}_{9}]\\ & & =\frac{1}{2}\left[\left(\frac{{k}_{0}}{2}+\frac{1-\lambda -{\lambda }^{* }}{4}\right)\times \left(1-\frac{2\sqrt{2}}{2{k}_{0}+1-\lambda -{\lambda }^{* }}\left|{k}_{0}-\lambda \right|\right)\right.\\ & & +\left(\frac{{k}_{1}}{2}+\frac{1+\lambda +{\lambda }^{* }}{4}\right)\times \left(1-\frac{2\sqrt{2}}{2{k}_{1}+1+\lambda +{\lambda }^{* }}\left|{k}_{1}+{\lambda }^{* }\right|\right)\\ & & +\left(\frac{{k}_{0}}{2}+\frac{1+\lambda +{\lambda }^{* }}{4}\right)\times \left(1-\frac{2\sqrt{2}}{2{k}_{1}+1+\lambda +{\lambda }^{* }}\left|{k}_{0}+\lambda \right|\right)\\ & & +\left.\left(\frac{{k}_{1}}{2}+\frac{1-\lambda -{\lambda }^{* }}{4}\right)\times \left(1-\frac{2\sqrt{2}}{2{k}_{1}+1-\lambda -{\lambda }^{* }}\left|{k}_{1}-{\lambda }^{* }\right|\right)\right]\\ & & =1-\frac{1}{2\sqrt{2}}\left(\left|{k}_{0}-\lambda \right|+\left|{k}_{1}+{\lambda }^{* }\right|+\left|{k}_{0}+\lambda \right|+\left|{k}_{1}-{\lambda }^{* }\right|\right)\\ & & \leqslant 1-\frac{1}{2\sqrt{2}}\left|{k}_{0}-\lambda +{k}_{1}+{\lambda }^{* }+{k}_{0}+\lambda +{k}_{1}-{\lambda }^{* }\right|\\ & & =1-\frac{1}{\sqrt{2}}\approx 0.29\,,\end{array}\end{eqnarray}$
which is the same as P5.Thus, the second improved version has the same level of the database security as the first improved version.
6. Conclusion
In this paper, we presented an unambiguous state discrimination attack method to the ZBLSY protocol, utilizing which Alice could infer one of the correct bits of the key with successful probability 1/2 in the ZBLSY protocol. It suggests that the advantage of the user is greater in the ZBLSY protocol. To solve this problem, we proposed three improved protocols. Based on our analysis, the probability that the dishonest user could obtain the key bit decreased to approximately 0.29 in the first and second improved versions. This results in stronger database security, making the protocol more robust against potential attacks.
The improved protocols' resistance to internal attacks from the database and its ability to ensure user privacy even in the presence of entanglement attacks demonstrate its practicality and potential for real-world applications. It offers a promising solution for secure data retrieval and privacy-preserving information access, particularly in scenarios where classical encryption schemes are susceptible to quantum attacks.