Measurement-device-independent quantum private queries by rotation-invariant twisted photons

Quantum private query is an important cryptographic protocol that aims to protect both the user's and the database's privacy. However, to execute even the simplest quantum private queries, one must establish and maintain a shared reference frame. Here we propose rotation-invariant measurement-device-independent quantum private queries with a hybrid encoding approach that combines polarization and transverse spatial modes to overcome the polarization misalignment associated with random rotations in long-distance transmission. The initial encoding and final decoding of information in our protocol can be conveniently performed in the polarization space. Furthermore, our hybrid encoding approach only needs to insert four q-plates in a practical experiment to overcome the polarization misalignment problem.


Introduction
A symmetrically private information retrieval (SPIR) protocol [1] allows a user, say Alice, to retrieve an element of a database held by a database provider, Bob, without Bob learning anything about the item Alice is interested in. Meanwhile, Alice cannot get items other than the one she wanted. A SPIR problem is essentially a 1-out-of-N oblivious transfer (OT) [2] protocol.
Classical solutions to the SPIR problem are generally based on some computational complexity theoretic assumption, which might be susceptible to the strong ability of quantum computation. The SPIR problem also has solutions in the quantum scenario, namely quantum symmetrically private information retrieval (QSPIR), also called quantum private queries (QPQ) [3]. Unfortunately, Lo has proven that quantum mechanics alone cannot provide unconditionally secure perfect quantum oblivious transfer [4], which implies the impossibility of perfect quantum SPIR. It can be concluded from Lo's proof that if a quantum SPIR has perfect user privacy, then Alice can perform an attack to access the entire database without being detected.
A feasible workaround is to require that Alice can elicit only sufficiently little content of the database, or at least cannot get the whole database in any way, while Bob would be detected with nonzero probability if he tries to learn Alice's retrieval address.
Giovannetti et al. proposed a novel cheat-sensitive QPQ protocol (GLM-protocol) [6], where the database is represented by a unitary operation that is performed on the two incoming query states. The GLM-protocol can guarantee perfect database security because Alice can obtain at most two elements even if she performs dishonest queries. Compared with previous schemes, the GLM-protocol shows an exponential reduction in both communication and computational complexity. Furthermore, the security analysis and proof-of-principle experimental realization of the GLM-protocol were done in refs. [7][8].
Though the GLM-protocol exhibits significant advantages in theory, it is difficult to implement because, when a large database is concerned, the dimension of the oracle operation will be very high. To solve this problem, Jakobi et al. proposed an interesting strategy (J-protocol) [9] based on the SARG04 protocol [10]. Using the SARG04 protocol, an asymmetric key can be distributed between Alice and Bob, which is used to encrypt the whole database. Alice only knows a few bits of the key, which ensures the database privacy. The J-protocol can be easily generalized to a large database.
Though the security of QKD has been rigorously proven based on the laws of quantum mechanics, owing to the imperfections in real-life implementations, a large number of quantum hacking strategies, such as detector side-channel attacks [11], have been proposed. The QKD-based QPQ also suffers from this attack.
Recently, measurement-device-independent quantum key distribution (MDI-QKD), which removes all detector side-channel attacks, has been proposed by Lo et al. [12]. In the protocol, Alice and Bob send signal pulses to a third party, who is supposed to perform a local Bell state measurement and announce the results publicly, so that Alice and Bob can distill secret keys according to the measurement results by operating on their bits. Zhao et al. proposed measurement-device-independent QPQ, which removes all the known and unknown detector side channels [13].
Practical QKD protocols have in common the need for a shared reference frame between Alice and Bob, which requires the transmission of an infinite amount of information. A possible solution is encoding logical qubits in multi-qubit states with appropriate symmetry properties, so that the states are rotationally invariant [14]. However, the detection and production of multi-photon states is a technological challenge. A more efficient way to circumvent misalignments is provided by exploiting multiple degrees of freedom of single photons.
In this paper, we show that it is possible to encode logical qubits into single photons using polarization and transverse spatial modes. Just as the circular polarization states are eigenstates of the spin angular momentum (SAM), the helical-wavefront Laguerre-Gaussian modes are eigenmodes of the orbital angular momentum (OAM). Because the SAM and first-order OAM are defined with respect to the same reference frame, they suffer exactly the same transformation under coordinate rotation. Therefore, they constitute an ideal pair to carry rotationally invariant hybrid qubits. Inspired by the work of Zhao et al. [13], we propose a rotation-invariant MDI-QPQ protocol, which does not need a shared reference frame and overcomes a serious obstacle in the particular situations where the users are very far apart from each other. In particular, our method only needs to insert q-plates in the transmission procedure. This in turn means that the encoding and decoding procedures in our protocol can be conveniently performed in the polarization space, while the transmission is done in the rotation-invariant hybrid space.

Rotation-invariant MDI-QPQ
In this section, we focus on the rotation-invariant MDI-QPQ system and primarily analyze the logical qubit encoding technique. The schematic of our protocol is shown in Fig. 1.

Logical qubit encoding
Just as circular polarization states are eigenstates of the spin angular momentum (SAM), the helical-wavefront Laguerre-Gaussian modes are eigenmodes of the orbital angular momentum (OAM). The SAM and first-order OAM eigenstates suffer exactly the same transformation under coordinate rotation. Therefore, our logical qubit basis is defined by hybrid polarization-OAM single-photon states.
Here the subscript  denotes the polarization Hilbert space and the subscript o denotes the OAM bidimensional subspace. Under arbitrary rotations around the propagation direction by any angle  , circular polarization states and OAM eigenmodes acquire equivalent phase factors
As our logical qubits are combinations with opposite handedness, the phase terms cancel each other and the composite states remain intact. So our scheme is immune to all possible reference frame misalignments.

State encoder/decoder
After determining the logical qubits, the next question is how to prepare them. A natural choice is the q-plate [11], which maps polarization qubits into qubits encoded in hybrid polarization-OAM states of the same photon. When a circularly polarized light beam traverses the q-plate, an 2q  amount of OAM is transferred into the beam ( ) (3)
| L   and | R   are eigenstates of SAM with eigenvalues and − . Since the subspace spanned by our logical qubit has zero total angular momentum along the propagation axis, the amount of OAM per photon should equal to and q = 0.5 ; therefore a light beam traversing the q-plate gives rise to the following transformations
| o l and | o r are eigenstates of OAM with eigenvalues and − . Before a partial BSM is performed on the received pulses, a second q-plate transforms the rotation-invariant hybrid states back into the original polarization states. The superposition state transforms ( (6)
(7) Now, a raw key string of length kN  is shared between Bob and Alice, where Bob knows every bit value and Alice knows it only partially. Then the raw key is cut into k substrings of length N , and these substrings are added bitwise, giving the final key K of length N .
(8) Bob encrypts his database, and Alice obtains the item she wanted with one of her known bits in K . In particular, suppose Alice knows the j-th bit K_j and wants the i-th bit of the database, X_i . She declares the number s = j − i ; then Bob shifts K by s and uses the obtained key K' to encrypt his database in the manner of a one-time pad. Thus X_i is encrypted by K_j and consequently can be correctly obtained by Alice when she gets the encrypted database.
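The key dilution and shifted one-time-pad retrieval described in the two steps above, worked through as an added Python example (not code from the paper). The sample bits are constructed, the function names are hypothetical, and the shift of K by s is assumed to be cyclic.

```python
# Added example: classical post-processing of a QKD-based private query.
# Constructed data; "Bob shifts K by s" is assumed to be a cyclic shift.

def dilute(raw_bits, known, k, n):
    """Add k substrings of length n bitwise (XOR) to form the final key K.
    Alice knows a final bit only if she knows all k raw bits feeding it."""
    key, key_known = [0] * n, [True] * n
    for m in range(k):
        for t in range(n):
            key[t] ^= raw_bits[m * n + t]
            key_known[t] = key_known[t] and known[m * n + t]
    return key, key_known

def encrypt_database(database, key, s):
    """Bob's side: shift K by s, then one-time-pad the database with K'."""
    n = len(key)
    shifted = [key[(t + s) % n] for t in range(n)]   # K'[t] = K[t + s]
    return [x ^ kb for x, kb in zip(database, shifted)]

def private_query(database, raw_bits, known, k, i):
    """Simulate one query for database bit i.
    Returns (s, X_i), or None when Alice knows no bit of the final key."""
    n = len(database)
    if len(raw_bits) != k * n or len(known) != k * n:
        raise ValueError("raw key must have length k*N")
    key, key_known = dilute(raw_bits, known, k, n)
    known_positions = [t for t, flag in enumerate(key_known) if flag]
    if not known_positions:
        return None              # no known key bit: nothing can be retrieved
    j = known_positions[0]
    s = j - i                    # the only value Alice announces to Bob
    ciphertext = encrypt_database(database, key, s)   # computed by Bob
    # Alice holds only K_j; key[j] stands for that single known bit here.
    return s, ciphertext[i] ^ key[j]

if __name__ == "__main__":
    # Constructed sample: N = 4 database bits, k = 2 substrings.
    X = [1, 1, 0, 1]
    raw = [1, 0, 1, 1, 0, 0, 1, 0]
    conclusive = [True, False, True, True, False, True, True, False]
    print(dilute(raw, conclusive, 2, 4))
    print(private_query(X, raw, conclusive, 2, 0))
```

With k = 2, Alice's five conclusive raw bits shrink to a single known bit of K, which is the effect that limits how many database items she can decrypt.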

Discussion
To make the protocol work correctly, it can be seen from As Alice selects the four states randomly, in the absence of noise, the probability that BSM yields the above conclusive raw key is , which implies that the correctness of our protocol is the same as in refs. [4] in the noiseless channel. We can choose a suitable k for different database sizes to keep both n and P_0 at a suitable level.

Security analysis
Now we consider the security of our protocol. To realize a secure QPQ protocol, two security requirements should be satisfied, that is, the database privacy and the user privacy.

Database security
If Alice is dishonest and wants to obtain more items in Bob's database, she has to try to obtain more key bits in the raw key. To attain this aim, Alice can store the received photons in quantum memory and perform the USD measurements after step (3) to distinguish which state Bob really sent. The success probability of this USD measurement is bounded by  . So the more substrings are added to generate the final key, the harder it is for her to guess the bit value. To sum up, when 4 b    and a large k is chosen in our protocol, it exhibits a better performance in terms of the database security.

User security
In the following we briefly discuss the probability with which Bob can obtain the conclusiveness of any of Alice's bits in the raw key. Similar to the analysis in Ref. [10], instead of transmitting the honest states to Alice in step ( 1   Bob can increase or decrease the conclusiveness of Alice's raw key in the middle-state attack. Once Bob tries to gather more information on Alice's query item than in the honest protocol, he loses information on the raw key bit value; Bob's final key is then not exactly the same as Alice's corresponding query key, which means that he may provide wrong answers. This can be detected by Alice at a later time with some probability.

Conclusions
We present a practical QKD-based QPQ system with hybrid qubits. A hybrid encoding approach combining a polarization qubit with an orbital angular momentum qubit is adopted to overcome the polarization misalignment associated with random rotations in long-distance quantum private queries. The initial encoding and final decoding of information in our MDI-QPQ protocol can be conveniently performed in the polarization space, while the transmission is done in the rotation-invariant hybrid space. Furthermore, our hybrid encoding approach only needs to insert four q-plates in a practical experiment.

Fig. 1. Schematic diagram of rotation-invariant MDI-QPQ for the honest parties. BS represents a 50:50 beam splitter, and PBS stands for polarization beam splitter.

The protocol
(1) Bob prepares one of the four polarized states | L , | R and | can be adjusted to make the protocol have different degrees of security. The basis firstly pass through a q-plate, then sends to Alice. The basis | 0 , |1 XX bb  corresponds to the raw key bit, and the basis | , | LR  encodes the raw key bit 0.

After adding the substrings in step (5), Alice will on average know () p_USD are shown in Fig. 1; it can be seen that Bob will obtain better database privacy when

Fig. 2. The probabilities of Alice acquiring a conclusive raw key in the honest protocol and in the USD attack for different b  .

Dishonest Alice can also perform a joint measurement on the k qubits which contribute to an element of the final key. By this means she wants to obtain the bit value of the final key directly without distinguishing the individual bit values of the raw key. An example of this is the minimal error-probability measurement, i.e., the measurement that distinguishes two quantum states with the highest information gain. To distinguish two equally likely quantum states 0  and 1  , the probability to guess the state correctly is bounded by 01 0.5 0.5 ( , )

),Bob can get the conclusiveness of Alice's one bit with the optimal probability by sending the middle state | for the middle states and Alice's honest states being projected into Bell state | − are shown in Table 2. Take the example that Bob sends state | 0' X b  and announces bit 1. From wants Alice to obtain an inconclusive raw key, he sends state | 0' X b  (

Table 1.
Repeat steps (1) and (2) until kN  successful BSMs are made, where k is a natural number determined by the security analysis and N is the number of bits in the database. L according to Table 1, both the conclusive and inconclusive raw key are retained.

b  , after Alice records the measurement result, Bob announced bit 0, according to Table 1, Alice can identify Bob's state is |0 X b  , only if she has prepared state | L , and thus the raw key 0 Table 2 and 1, it can be seen that Alice will obtain a conclusive raw key if she prepares states |1 X a  or | R .Because Alice prepares the states randomly, as shown in Table 2, the probability of obtaining a conclusive raw key in both cases is

Table 2. Theoretical probability of obtaining | − with Bob's middle-state attack