
1 A Linear Lower Bound on the Communication Complexity of Single-Server PIR. Iftach Haitner, Jonathan Hoch, Gil Segev (Weizmann Institute of Science, Israel)

2 Private Information Retrieval. Functionality: Receiver retrieves x_i. Privacy: Server does not learn i. [Diagram: Server holds x = x_1  x_n; Receiver with i ∈ {1,...,n} ≈ Receiver with j ∈ {1,...,n}; Receiver obtains x_i]

3 The Trivial Solution. Inefficient: x may be very large. Can we do better than trivial? Not information theoretically [CGKS]. [Diagram: Server holding x = x_1  x_n sends x_1  x_n to Receiver holding i ∈ {1,...,n}]

4 Two Approaches. Multiple-server PIR: information theoretic privacy; many exciting results, but not the focus of this talk [CGKS95,...,Yek07,...]. Single-server PIR: computational privacy; implies Oblivious Transfer; 2-message PIR implies collision-resistant hash functions and public-key encryption; many applications... [CG97, KO97, CMS99,...]

5 Current Status. Specific number-theoretic assumptions: communication polylog(n) [KO97, CMS99,...]. General assumptions: communication n - o(n); black-box construction based on TDPs [KO00]. Question: Can we base single-server PIR with sublinear communication on general assumptions?

6 Main Result. In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over  (n) bits, the server sends  (n) bits. Previous results: [Fis02]: similar result for 2-message protocols (less restrictions); [HHRS07]:  (n/log n) lower bound (same restrictions),  (n²) lower bound for “not so tight” reductions. Two restrictions: fully black-box; tight security reduction: permutations over  (n) bits. [KO ‘00]:  (n²) bits

7 Fully Black-Box Reductions. A fully black-box reduction from B to A: Black-box construction: any implementation of A implies an implementation of B; only care about the functionality of A. Black-box proof of security: any adversary for B implies an adversary for A; only care about functionality of the adversary for B. [Diagram: A, B, adversary for A, adversary for B]

8 Our Approach. We present an oracle O relative to which: 1. There exists a collection of TDPs over {0,1}^n. 2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits. A random function is hard to invert even with access to O. There exists an efficient server that uses O to break any such protocol. Fully black-box reductions relativize.

9 The Oracle [HHRS ‘07]. O = (Sam,  ).   is a random collection of TDPs over {0,1}^n. Sam is an interactive collision-finding oracle: samples random collisions; extends the non-interactive oracle of [Simon ‘98]. [Diagram: A and Sam exchange v_0, C_1, v_1, C_2, v_2, where v_0 ← {0,1}^n, C_1(v_1) = C_1(v_0) and C_2(v_2) = C_2(v_1)]

10 The Oracle [HHRS ‘07]. Theorem: A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n). The proof requires additional restrictions (C_{i+1} refines C_i, commit to C_{i+1} at depth i, ...)... but this suffices for the purpose of this talk. O = (Sam,  ).   is a random collection of TDPs over {0,1}^n. Sam is an interactive collision-finding oracle: samples random collisions; extends the non-interactive oracle of [Simon ‘98]. [Diagram: A and Sam exchange v_0, C_1, v_1, C_2, v_2, with depth labelled n/log(n)]

11 Breaking 2-Message PIR. [Diagram: Server holds x = x_1  x_n; Receiver holds i ∈ {1,...,n}; Receiver sends a(i), Server replies b(a,x)]

12 Breaking 2-Message PIR. 1. Receive x^0 from Sam. 2. Send the circuit b(a,·) to Sam. 3. Receive x^1 from Sam. 4. Output a random index j for which x^0_j  x^1_j. Claim: The malicious server guesses i w.p. ≥ 1/(n-1). x^0_i  x^1_i and x^0  x^1. [Diagram: Receiver holds i ∈ {1,...,n} and sends a; the reply is labelled b(a,x^1) = b(a,x^0)]
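
Added example, not from the slides: a toy simulation of the slide-12 server. Sam is replaced by rejection sampling, the two-bit protocol (`toy_query`, `toy_answer`) is constructed for illustration, and step 4 is read as guessing among the positions where x^0 and x^1 agree, which is an assumption chosen to be consistent with the stated 1/(n-1) bound.

```python
import random

def sam(n, rng, consistent=None):
    # Toy stand-in for Sam: rejection-sample a uniform n-bit database that
    # satisfies `consistent` (no condition on the first, depth-0 query).
    while True:
        x = tuple(rng.getrandbits(1) for _ in range(n))
        if consistent is None or consistent(x):
            return x

def toy_query(i):
    # Constructed toy protocol: the query is just the index. The attack
    # below never inspects it and only evaluates b(a, .) as a black box.
    return i

def toy_answer(a, x):
    # Two-bit answer for an n-bit database: x_a plus the parity of x.
    return (x[a], sum(x) % 2)

def malicious_server(a, n, rng):
    x0 = sam(n, rng)                              # step 1
    b = lambda x: toy_answer(a, x)                # step 2: circuit b(a, .)
    reply = b(x0)                                 # what the receiver is sent
    x1 = sam(n, rng, lambda x: b(x) == reply)     # step 3: random collision
    # Step 4 (assumed reading): guess among positions where x0 and x1 agree.
    agree = [j for j in range(n) if x0[j] == x1[j]]
    return rng.choice(agree), agree

def experiment(n=12, trials=2000, seed=1):
    # Returns (fraction of trials where the guess equals i,
    #          whether i was in the agreeing set in every trial).
    rng = random.Random(seed)
    hits, i_always_agrees = 0, True
    for _ in range(trials):
        i = rng.randrange(n)
        guess, agree = malicious_server(toy_query(i), n, rng)
        i_always_agrees &= i in agree
        hits += guess == i
    return hits / trials, i_always_agrees

if __name__ == "__main__":
    rate, ok = experiment()
    print(f"guess rate {rate:.3f}, blind guess {1/12:.3f}, i always agrees: {ok}")
```

Correctness of the protocol forces any colliding database to agree with x^0 at position i, so i is never excluded, while the short answer leaves many other positions free to differ.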

13 Breaking Any Sublinear PIR. Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round. [Diagram: Receiver holds i ∈ {1,...,n}; messages a_1, b_1, ..., a_{o(n)}, b_{o(n)}]

14 Breaking Any Sublinear PIR. Key observation: The malicious server can invoke Sam every log(n) rounds. [Diagram: Receiver holds i ∈ {1,...,n}; messages a_1, b_1, ..., a_{log(n)}, b_{log(n)}, ..., a_{o(n)}, b_{o(n)}]

15 Breaking Any Sublinear PIR. 1. Receive x^0 from Sam. 2. Simulate the honest server for log(n) rounds. 3. Send b_1(a_1,·) to Sam until receiving x^{log(n)} which is consistent with all log(n) rounds (rewind Sam if inconsistent). Claim: The malicious server guesses i w.p. ≥ 1/(n-1). [Diagram: Receiver holds i ∈ {1,...,n}; messages a_1, b_1, ..., a_{log(n)}, b_{log(n)}]

16 Summary. Communication lower bound for single-server PIR: fully black-box constructions from (enhanced) TDPs; the trivial solution is optimal up to constant factors. In the paper: communication lower bound for statistically-hiding bit-commitment; the sender must send  (n) bits; communication preserving reduction to single-server PIR. Open problem: A linear lower bound for “not so tight” reductions? [KO ‘00]: TDPs over  (n²) bits. Thank you! Matches the upper bound of [NOVY].

