Download presentation

Presentation is loading. Please wait.

Published byLucas Padilla Modified over 3 years ago

1
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis

2
Outline Introduction Element rank protocol Other protocols Equivalence to one-round PIR Open problems

3
Succinct Computation y Client Server x q = Q(x) a = A(q,y) Dec(a) = f(x,y) Computing f(x,y) One round of interaction Communication Complexity |q| +|a| = O(poly(log(|x|), log(|y|), |f(x,y)|, s)) Or linear in |f(x,y)|

4
Privacy Computational setting Client side For any x, x, Q(x) and Q(x) are indistinguishable Server side Simulator S, simulates A(x,y) given x and f(x,y) Semi-honest adversaries

5
Private Database Queries Servers input is a database Clients input is a query Private information retrieval (PIR) f(i, (x 1,x 2,…,x n )) = x i Private Keyword search (PKS) f(w, {(x 1,v 1 ),…,(x n,v n )}) = v a if there is x a = w otherwise

6
Existing Solutions PIR / SPIR [KO97], [Lipmaa05], … One-round, sublinear communication PKS [FIPR05] One-round, polylog(n) communication PIR and homomorphic encryption How about more general queries?

7
More General Queries General MPC Not efficient Circuits with look-up tables [NN01] Communication efficient High round complexity One-round secure computation [CCKM00] Round efficient High comm. Computing BP on encrypted data [IP07] Independent work Round and communication efficient Strong assumption

8
Private Element Rank Interval Labeling f(b, (x 1,x 2,…,x n,v 1,…,v n )) = v i such that b є (x i, x i+1 ] Element Rank Add x 0 = - and x n+1 =+ v i = i Applications Ranking in auctions Online testing services Use to design other protocols

9
Interval Labeling Protocol b, x 1,x 2,…,x n є {0,1} k Run a PKS for every prefix of b j th query = j-bit prefix of b Create and use a database D

10
Interval Labeling Protocol v1v1 v2v2 v4v4 v0v0 v1v1 v2v2 v2v2 v3v3 x2x2 x1x1 x3x3 x4x4 01 0 1 01 01010 1 0 1 D = {(000,v 0 ),(001,v 1 ),(0100,v 1 ), (0101,v 2 ),(011,v 2 ),(100,v 2 ),(101,v 3 ),(11,v 4 )}

11
Interval Labeling Protocol v1v1 v2v2 v4v4 v0v0 v1v1 v2v2 v2v2 v3v3 x2x2 x1x1 x3x3 x4x4 01 0 1 01 01010 1 0 1 D = {(000,v 0 ),(001,v 1 ),(0100,v 1 ), (0101,v 2 ),(011,v 2 ),(100,v 2 ),(101,v 3 ),(11,v 4 )} b = 1000 b 1 = 1 b 2 =10 b 3 =100 b 4 =1000

12
Interval Labeling Protocol w is w with last bit flipped Database D, where |D| 2kn For every 1 j k, let w be j-bit prefix of x i : 1. Add (w,v i ) to D if: [w||0 k-j, w||1 k-j ] [x i,x i+1 ], but not true for w 2. Add (w,v i ) to D if: [w||0 k-j, w||1 k-j ] [x t,x t+1 ], but not true for w Prefixes of x i s and/or their siblings

13
Interval Labeling r i = PKS A (b i,D) for 1 i k Randomly permute (r 1, r 2, …,r k ) and send Decode; retrieve the only r i in the list One round, polylog(n) communication Reduced to PKS

14
Other Protocols Private Rectangle Labeling Which rectangle is query point in? Extension to higher dimensions One round Private Range Queries Retrieve all the points in the range On a line or in a plane Constant round Comm. proportional to number of retrieved points

15
Other Protocols m th ranked element Alice holds database A Bob holds database B Find m th ranked element in (A U B) [AMP04], O(log(m)) rounds, and sublinear comm. We use our rank protocol as subprotocol O(log(log(m))) rounds Still sublinear comm.

16
PKS to PIR [FIPR05] Database Hash function h : {0,1} n {0,1} n/log(n) Hash keywords (x i s) to n/log(n) bins Create degree log(n) polynomials for each bin Client Compute h(w) Send E(h(w)), E(h(w) 2 ), …, E(h(w) log(n) ) Database evaluates all polynomials at h(w) Client gets one result via PIR v a if there is x a = w otherwise f(w, {(x 1,v 1 ),…,(x n,v n )}) =

17
PKS to PIR Assumption: One-round PIR Replace polynomials with Yaos garbled circuit Circuit of size O(polylog(n)) size Yaos protocol Pseudorandom function, OT Can be reduced to one-round PIR [CMO00], [BIKM99] One-round PKS one-round PIR One-round Rank one-round PKS

18
Open Problems Succinct Computation of Branching programs (not length-bounded) General circuits Reduction to one-round PIR Any special functionality Decision trees Branching programs

19
Thank you!

Similar presentations

OK

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google