Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University of Athens Helger Lipmaa, Cybernetica AS and Tallinn University TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

Information retrieval ClientServer ix 1,...,x n xixi

Privacy ClientServer i Index i ?

Example of a trivial PIR protocol ix 1,...,x n xixi x 1,...,x n Perfectly private: Client reveals nothing Communication: n bits with -bit records

Communication bits n Trivial protocol O(n k 1/ -1 ) Kushilevitz-Ostrovsky 97 O(k) Cachin-Micali-Stadler 99 O(k log 2 n+log n) Lipmaa 05 O(k+) Gentry-Ramzan 05 Database size: n records Record size: bits Security parameter: k bits (size of RSA modulus)

Multi-query information retrieval ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m

Privacy ClientServer i 1,...,i m i 1,...,i m ?

Our contribution Lower bound (information theoretic): ( m+m log(n/m) ) bits Upper bound (CPIR protocol): O ( m+m log(n/m)+k ) bits

Lower bound ( m+m log(n/m) ) bits ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Client and server have unlimited computational power We do not require protocol to be private We assume perfect correctness We assume worst case indices and records

Lower bound for 2-move CPIR ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Query: possible indices ( m log(n/m)) Response:m records ( m)

Lower bound for many-move CPIR ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m Proof overview: At loss of factor 2 assume 1-bit messages exhanged View function as tree with client at leaf choosing an output We will prove the tree has at least (leaf, output) pairs

C(i 1,...,i m ) S(x 1,...,x n,0) S(x 1,...,x n,1) C(i 1,...,i m,0,0) C(i 1,...,i m,0,1) C(i 1,...,i m,1,0) C(i 1,...,i m,1,1) x i 1,...,x i m Input to the tree-function: I=(i 1,...,i m ) and X=(x 1,...,x n ) Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output

Define F = { (I,X)=(i 1,...,i m,x 1,...,x n ) | x i =1 if i I and else x i =0 } If (I,X) F and (I´,X´) F then (I,X´) F This means each (I,X) F leads to different (leaf,output) pair For each (I,X) F the output is 1,...,1 There are pairs in F, so the tree must have leaves This means the height is at least log m log(n/m) So the client and server risk sending ½ m log(n/m) bits For the general case we then get a lower bound of m ax( m, ½ m log(n/m) ) = ( m+m log(n/m) ) bits

Four cases =log(n/m) m=n/9m=k 2/3 Trivial PIR (n bits)

Tool: Restricted CPIR protocol Perfect correctness Constant >0 (e.g. =1/25) so CPIR with k bits of communication for parameters satisfying m = poly(k), n = poly(k), = poly(k) m+m log n k

Example: Gentry-Ramzan CPIR Primes:p 1,…,p n |p i | = O(log n) Prime powers: 1,…, n | i | > Query: N, g i 1 … i m | ord(g) Response:c = g x mod Nx = x i mod i Extract:(c ord(g)/ i1 … im ) = (g ord(g)/ i1 … im ) x compute x mod i 1 … i m extract x i 1,…,x i m

Three remaining cases =log(n/m) m=n/9m=k 2/3 Restricted CPIR m+m log n k m/ k CPIRs with record size k/m in parallel

Two remaining cases 3 4 =log(n/m) m=n/9m=k 2/3 m/log(n/m)- out of -n CPIR with record size log(n/m)

One remaining case 3 =log(n/m) m=n/9m=k 2/3 Restricted CPIR m+m log n k

Parallel extraction Res-CPIRRes-CPIR Res-CPIR Res-CPIR

The problem If = (log n) we could use parallel repetition of the restricted CPIR for m+m log n k on blocks of the database to get a constant rate But if is small and m is large, we may loose a multiplicative factor (m+m log n)/(m+m log(n/m)) = 1+log m/(+log(n/m)) by parallel repetition of the restricted CPIR

Solution x 1,x 2,x 3 x 4,x 5,x 6 x 7,x 8,x 9 Restricted CPIR m+m log n k (x 1,x 2 ) (x 1,x 3 ) (x 2,x 3 ) (x 4,x 5 ) (x 4,x 6 ) (x 5,x 6 ) (x 7,x 8 ) (x 7,x 9 ) (x 8,x 9 ) a -bit records =a, m=m/a, n= n/a

Summary Lower bound: ( m+m log(n/m) ) bits CPIR protocol: O ( m+m log(n/m)+k ) bits ClientServer i 1,...,i m x 1,...,x n x i 1,...,x i m