Presentation is loading. Please wait.

Presentation is loading. Please wait.

Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin.

Published byLester Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin."— Presentation transcript:

1 Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin

2 Outline  Introduction  Common approaches Information-theoretical Computational  Summary

3 Private Information Retrieval (PIR):assumptions  Semi-honest assumption on servers Server is trustable in terms of honestly following the protocol Server knows every bit of the data Server may record client’s requests/queries  Malicious servers Drop messages Change messages Collude with other parties

4 Private Information Retrieval (PIR): intro  Goal: allow user to query database while hiding the identity of the data-items she is after.  Note: hides identity of data-items; not the existence of interaction with the user.  Motivation: patent databases; stock quotes; web access; many more....  Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against the owner of data.)

5 Modeling  Server: holds n-bit string x n should be thought of as very large  User: wishes to retrieve x i and to keep i private  Remark: it is the most basic version; the building block for involved retrieval.

6 Server sends entire database x to User. Information theoretic privacy. Communication: n SERVER xixi USER x =x 1,x 2,..., x n x 1,x 2,..., x n Trivial Private Protocol Is this optimal?

7 Obstacle Theorem [CGKS]: In any 1-server PIR with information theoretic privacy the communication is at least n. Information theoretic privacy/security: The ciphertext gives no information about the plaintext

8 More “solutions”  User asks for additional random indices. Pick a few random indices to hide the real one Drawback: can be estimated  Employ general crypto protocols to compute x i privately. 1-out-N Oblivious Transfer Drawback: highly inefficient (polynomial in n ).  Anonymity (e.g., via Anonymizers). Note: address different problems: hides identity of user; not the fact that x i is retrieved.

9 Two Approaches Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. servers do collude. Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions – NP hard to break the approach

10 Known Communication Upper Bounds Multiple servers, information-theoretic PIR:  2 servers, comm. n 1/3 [CGKS95]  k servers, comm. n 1/(k) [CGKS95, Amb96,…,BIKR02]  log n servers, comm. Poly( log(n) ) [BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ), n is the # of items Under appropriate computational assumptions [KO97,CMS99]

11 Approach I: k-Server PIR Correctness: User obtains x i Privacy: No single server gets information about i U S1S1 x {0,1} n S2S2 i SkSk

12 Information-Theoretic 2-Server PIR  Best Known Protocol: comm. n 1/3  Let’s look at an example with comm. cost n 1/2 Two protocols: Protocol I: n bit queries, 1 bit answers Protocol II: n 1/2 bit queries, n 1/2 bit answers

13 Protocol I: 2-server O(n) PIR S2S2 i U i n Q 1  {1,…,n} S1S1 Q 2 =Q 1  i 001100111000 *User sent O(n) bits 1 + 1 = 0 0 + 0 = 0 1 + 0 = 1 Meaning of Q 2 =Q 1  i Q 1 is a random subset

14 Protocol I: 2-server PIR S2S2 i U i n Q 1  {1,…,n} S1S1 Q 2 =Q 1  i 0 1 0 0 11 01 0 0 010 *Server replies 1 bit

15 Protocol I: 2-server PIR S2S2 i U i n Q 1  {1,…,n} S1S1 a1a2=xia1a2=xi Q 2 =Q 1  i 0 1 0 0 1 01 0 0 011 1 0

16 Protocol II: PIR with O(n 1/2 ) Communication S2S2 j,i U i X m=n 1/2 Q 1  {1,…,m} S1S1 Q 2 =Q 1  i j a 1,j  a 2,j =x j,i Make the n-bit vector as a n 1/2 * n 1/2 matrix Apply ex-or sum to each row

17 Computational PIR with O(n 1/2 ) Comm.  Based on encryption Quadratic Residue (QR) N = p*q, p,q are primes. Q(y, N) = 0 iff exists w such that w^2 = y (mod N) 1 otherwise Security: if p, q is unknown, it is computationally impossible to determine Q(y,N). If p,q is known, Q(y,N) can be determined in O(|N|^3) Understanding modulo: w^2 = y+k*N, k can be any integer Example: 2^2 = 4 (mod 10), 4^2 = 6 (mod 10)

18 Example Quadratic Residue: E(0)  QR N E(1)  NQR N Properties: QR QR = QR NQR QR = NQR For any y, y^2 is QR.

19 Computational PIR with O(n 1/2 ) Comm. 0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1 n 1/2 b Goal: user wants to know entry M(a,b) 1.User picks N=pq and sends N to server 2.User picks uniformly at random s= n 1/2 numbers, from the set Z={x|1<=x<=N, gcd(N, x)=1}, such that y b is NQR and y j (j!=b) is QR, and sends them to server 3. For each row r, server calculate W(r,j) = y j 2 if M(r,j) =0, y j if M(r,j)=1 a 5.  Zr is a QR iff M(r,b) =0 4. Server sends Z1,…,Zs To User, and User checks with Za is QR

20 Related work  Can be a building block for high-level security protocols  Has connection with “Locally Decodable Codes” (LDC)  It was proved that the three problems: PIR, LDC, and Circuit- based SMC are equivalent.

21 Summary Focus so far: communication complexity Obstacle: time complexity All existing protocols require high computation by the servers (linear computation per query). Are there methods to reduce server cost?

Download ppt "Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.

An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0.

Lecture 15 Private Information Retrieval Stefan Dziembowski MIM UW ver 1.0.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
7. Asymmetric encryption-

7. Asymmetric encryption-
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

Similar presentations

Ads by Google