Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin
Outline Introduction Common approaches Information-theoretical Computational Summary
Private Information Retrieval (PIR):assumptions Semi-honest assumption on servers Server is trustable in terms of honestly following the protocol Server knows every bit of the data Server may record client’s requests/queries Malicious servers Drop messages Change messages Collude with other parties
Private Information Retrieval (PIR): intro Goal: allow user to query database while hiding the identity of the data-items she is after. Note: hides identity of data-items; not the existence of interaction with the user. Motivation: patent databases; stock quotes; web access; many more.... Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against the owner of data.)
Modeling Server: holds n-bit string x n should be thought of as very large User: wishes to retrieve x i and to keep i private Remark: it is the most basic version; the building block for involved retrieval.
Server sends entire database x to User. Information theoretic privacy. Communication: n SERVER xixi USER x =x 1,x 2,..., x n x 1,x 2,..., x n Trivial Private Protocol Is this optimal?
Obstacle Theorem [CGKS]: In any 1-server PIR with information theoretic privacy the communication is at least n. Information theoretic privacy/security: The ciphertext gives no information about the plaintext
More “solutions” User asks for additional random indices. Pick a few random indices to hide the real one Drawback: can be estimated Employ general crypto protocols to compute x i privately. 1-out-N Oblivious Transfer Drawback: highly inefficient (polynomial in n ). Anonymity (e.g., via Anonymizers). Note: address different problems: hides identity of user; not the fact that x i is retrieved.
Two Approaches Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. servers do collude. Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions – NP hard to break the approach
Known Communication Upper Bounds Multiple servers, information-theoretic PIR: 2 servers, comm. n 1/3 [CGKS95] k servers, comm. n 1/(k) [CGKS95, Amb96,…,BIKR02] log n servers, comm. Poly( log(n) ) [BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ), n is the # of items Under appropriate computational assumptions [KO97,CMS99]
Approach I: k-Server PIR Correctness: User obtains x i Privacy: No single server gets information about i U S1S1 x {0,1} n S2S2 i SkSk
Information-Theoretic 2-Server PIR Best Known Protocol: comm. n 1/3 Let’s look at an example with comm. cost n 1/2 Two protocols: Protocol I: n bit queries, 1 bit answers Protocol II: n 1/2 bit queries, n 1/2 bit answers
Protocol I: 2-server O(n) PIR S2S2 i U i n Q 1 {1,…,n} S1S1 Q 2 =Q 1 i *User sent O(n) bits = = = 1 Meaning of Q 2 =Q 1 i Q 1 is a random subset
Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,…,n} S1S1 Q 2 =Q 1 i *Server replies 1 bit
Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,…,n} S1S1 a1a2=xia1a2=xi Q 2 =Q 1 i
Protocol II: PIR with O(n 1/2 ) Communication S2S2 j,i U i X m=n 1/2 Q 1 {1,…,m} S1S1 Q 2 =Q 1 i j a 1,j a 2,j =x j,i Make the n-bit vector as a n 1/2 * n 1/2 matrix Apply ex-or sum to each row
Computational PIR with O(n 1/2 ) Comm. Based on encryption Quadratic Residue (QR) N = p*q, p,q are primes. Q(y, N) = 0 iff exists w such that w^2 = y (mod N) 1 otherwise Security: if p, q is unknown, it is computationally impossible to determine Q(y,N). If p,q is known, Q(y,N) can be determined in O(|N|^3) Understanding modulo: w^2 = y+k*N, k can be any integer Example: 2^2 = 4 (mod 10), 4^2 = 6 (mod 10)
Example Quadratic Residue: E(0) QR N E(1) NQR N Properties: QR QR = QR NQR QR = NQR For any y, y^2 is QR.
Computational PIR with O(n 1/2 ) Comm n 1/2 b Goal: user wants to know entry M(a,b) 1.User picks N=pq and sends N to server 2.User picks uniformly at random s= n 1/2 numbers, from the set Z={x|1<=x<=N, gcd(N, x)=1}, such that y b is NQR and y j (j!=b) is QR, and sends them to server 3. For each row r, server calculate W(r,j) = y j 2 if M(r,j) =0, y j if M(r,j)=1 a 5. Zr is a QR iff M(r,b) =0 4. Server sends Z1,…,Zs To User, and User checks with Za is QR
Related work Can be a building block for high-level security protocols Has connection with “Locally Decodable Codes” (LDC) It was proved that the three problems: PIR, LDC, and Circuit- based SMC are equivalent.
Summary Focus so far: communication complexity Obstacle: time complexity All existing protocols require high computation by the servers (linear computation per query). Are there methods to reduce server cost?