Download presentation

Presentation is loading. Please wait.

Published byAngel Power Modified over 3 years ago

1
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University of Athens Helger Lipmaa, Cybernetica AS and Tallinn University TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

2
Information retrieval ClientServer ix 1,...,x n xixi

3
Privacy ClientServer i Index i ?

4
Example of a trivial PIR protocol ix 1,...,x n xixi x 1,...,x n Perfectly private: Client reveals nothing Communication: n bits with -bit records

5
Communication bits n Trivial protocol O(n k 1/ -1 ) Kushilevitz-Ostrovsky 97 O(k) Cachin-Micali-Stadler 99 O(k log 2 n+log n) Lipmaa 05 O(k+) Gentry-Ramzan 05 Database size: n records Record size: bits Security parameter: k bits (size of RSA modulus)

6
Multi-query information retrieval ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m

7
Privacy ClientServer i 1,...,i m i 1,...,i m ?

8
Our contribution Lower bound (information theoretic): ( m+m log(n/m) ) bits Upper bound (CPIR protocol): O ( m+m log(n/m)+k ) bits

9
Lower bound ( m+m log(n/m) ) bits ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Client and server have unlimited computational power We do not require protocol to be private We assume perfect correctness We assume worst case indices and records

10
Lower bound for 2-move CPIR ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Query: possible indices ( m log(n/m)) Response:m records ( m)

11
Lower bound for many-move CPIR ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Proof overview: At loss of factor 2 assume 1-bit messages exhanged View function as tree with client at leaf choosing an output We will prove the tree has at least (leaf, output) pairs

12
C(i 1,...,i m ) S(x 1,...,x n,0) S(x 1,...,x n,1) C(i 1,...,i m,0,0) C(i 1,...,i m,0,1) C(i 1,...,i m,1,0) C(i 1,...,i m,1,1) 0 1 0 1 0 1 x i 1,...,x i m Input to the tree-function: I=(i 1,...,i m ) and X=(x 1,...,x n ) Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output

13
Define F = { (I,X)=(i 1,...,i m,x 1,...,x n ) | x i =1 if i I and else x i =0 } If (I,X) F and (I´,X´) F then (I,X´) F This means each (I,X) F leads to different (leaf,output) pair For each (I,X) F the output is 1,...,1 There are pairs in F, so the tree must have leaves This means the height is at least log m log(n/m) So the client and server risk sending ½ m log(n/m) bits For the general case we then get a lower bound of m ax( m, ½ m log(n/m) ) = ( m+m log(n/m) ) bits

14
Four cases 2 3 4 1 =log(n/m) m=n/9m=k 2/3 Trivial PIR (n bits)

15
Tool: Restricted CPIR protocol Perfect correctness Constant >0 (e.g. =1/25) so CPIR with k bits of communication for parameters satisfying m = poly(k), n = poly(k), = poly(k) m+m log n k

16
Example: Gentry-Ramzan CPIR Primes:p 1,…,p n |p i | = O(log n) Prime powers: 1,…, n | i | > Query: N, g i 1 … i m | ord(g) Response:c = g x mod Nx = x i mod i Extract:(c ord(g)/ i1 … im ) = (g ord(g)/ i1 … im ) x compute x mod i 1 … i m extract x i 1,…,x i m

17
Three remaining cases 2 3 4 =log(n/m) m=n/9m=k 2/3 Restricted CPIR m+m log n k m/ k CPIRs with record size k/m in parallel

18
Two remaining cases 3 4 =log(n/m) m=n/9m=k 2/3 m/log(n/m)- out of -n CPIR with record size log(n/m)

19
One remaining case 3 =log(n/m) m=n/9m=k 2/3 Restricted CPIR m+m log n k

20
Parallel extraction Res-CPIRRes-CPIR Res-CPIR Res-CPIR

21
The problem If = (log n) we could use parallel repetition of the restricted CPIR for m+m log n k on blocks of the database to get a constant rate But if is small and m is large, we may loose a multiplicative factor (m+m log n)/(m+m log(n/m)) = 1+log m/(+log(n/m)) by parallel repetition of the restricted CPIR

22
Solution x 1,x 2,x 3 x 4,x 5,x 6 x 7,x 8,x 9 Restricted CPIR m+m log n k (x 1,x 2 ) (x 1,x 3 ) (x 2,x 3 ) (x 4,x 5 ) (x 4,x 6 ) (x 5,x 6 ) (x 7,x 8 ) (x 7,x 9 ) (x 8,x 9 ) a -bit records =a, m=m/a, n= n/a

23
Summary Lower bound: ( m+m log(n/m) ) bits CPIR protocol: O ( m+m log(n/m)+k ) bits ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google