Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0.

Published byIlene Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0."— Presentation transcript:

1 Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0

2 Plan 1.Motivation and definition 2.Information-theoretic impossibility 3.A construction of Kushilevitz and Ostrovsky 4.Overview of some other related results

3 AOL search data scandal (2006) #4417749: clothes for age 60 60 single men best retirement city jarrett arnold jack t. arnold jaylene and jarrett arnold gwinnett county yellow pages rescue of older dogs movies for dogs sinus infection Thelma Arnold 62-year-old widow Lilburn, Georgia

4 Observation The owners of databases know a lot about the users! This poses a risk to users’ privacy. E.g. consider database with stock prices… Can we do something about it? We can: trust them that they will protect our secrecy, or use cryptography! problematic problematic!

5 How can crypto help? Note: this problem has nothing to do with secure communication! user U database D

6 Our settings user U database D A new primitive: Private Information Retrieval (PIR)

7 Plan 1.Definition of PIR 2.An ideal PIR doesn’t exist 3.Construction of a computational PIR 4.Open problems Literature: B. Chor, E. Kushilevitz, O. Goldreich and M. Sudan, Private Information Retrieval, Journal of ACM, 1998 E. Kushilevitz and R. Ostrovsky Replication Is NOT Needed: SINGLE Database, Computationally-Private Information Retrieval, FOCS 1997

8 Question How to protect privacy of queries? user U database D wants to retrieve some data from D shouldn’t learn what U retrieved

9 Let’s make things simple! B1B1 B2B2 …BwBw index i = 1,…,w the user should learn B i BiBi ? each B i є {0,1} database B: (he may also learn other B i ’s)

10 Trivial solution B1B1 B2B2 …BwBw The database simply sends everything to the user!

11 Non-triviality The previous solution has a drawback: the communication complexity is huge! Therefore we introduce the following requirement: “Non-triviality”: the number of bits communicated between U and D has to be smaller than w.

12 input: Private Information Retrieval (PIR) B1B1 B2B2 …BwBw input: index i = 1,…,w at the end the user learns B i the database does not learn i the total communication is < w Note: secrecy of the database is not required correctness secrecy (of the user) non-triviality This property needs to be defined more formally polynomial time randomized interactive algorithms

13 How to define secrecy of the user [1/2]? iB Def. T(i,B) – transcript of the conversation. query Q(i)reply A(Q(i),B) For fixed i and B T(i,B) is a random variable (since the parties are randomized) For fixed i and B T(i,B) is a random variable (since the parties are randomized)

14 multi-round case: it is impossible to distinguish between T(i,B) and T(j,B) even if the adversary is malicious multi-round case: it is impossible to distinguish between T(i,B) and T(j,B) even if the adversary is malicious How to define secrecy of the user [2/2]? Secrecy of the user: for every i,j є {0,1} single-round case: it is impossible to distinguish between Q(i) and Q(j) single-round case: it is impossible to distinguish between Q(i) and Q(j) ? For simplicity say that for any i and j the distributions of T(i,B) and T(j,B) have to be identical For simplicity say that for any i and j the distributions of T(i,B) and T(j,B) have to be identical

15 Plan 1.Motivation and definition 2.Information-theoretic impossibility 3.A construction of Kushilevitz and Ostrovsky 4.Overview of some other related results

16 PIR doesn’t exists [1/4] We now show that correctness, non-triviality and secrecy cannot be satisfied simultaneously. Def: A transcript T is possible for (i,B) if P(T(i,B) = T) > 0 Take some T’, and look where it is possible: T’ indices i databases B

17 PIR doesn’t exists [2/4] Observation: secrecy → if T’ is possible for some B and i then it is possible for B and all the other i’s T’ indices i databases B T’

18 PIR doesn’t exists [3/4] non-triviality → length(transcript) < length(database) ↓ # transcripts < #databases ↓ there has to exist T’ that is possible for two databases B 0 and B 1 T’ databases B ← B 0 ← B1 ← B1 indices i

19 PIR doesn’t exists [4/4] B 0 and B 1 differ on at least one index i’ So, if i’ is the input of the user then correctness → contradiction T’ databases B ← B 0 ← B1 ← B1 i’ ↓ indices i

20 So PIR doesn’t exist! How to bypass the impossibility result? Two ideas: – limit the computing power of a cheating database – use a larger number of “independent” databases we show this

21 Plan 1.Motivation and definition 2.Information-theoretic impossibility 3.A construction of Kushilevitz and Ostrovsky 4.Overview of some other related results

22 Computationally-secure PIR secrecy: For every i,j є {0,1} it is impossible to distinguish efficiently between T(i,B) and T(j,B) ? computational-secrecy: Formally: for every polynomial-time probabilistic algorithm A the value: | P(A(T(i,B)) = 0) – P(A(T(j,B))=0) | should be negligible.

23 Hardness assumptions? Kushilevitz and R. Ostrovsky Replication Is NOT Needed: SINGLE Database, Computationally-Private Information Retrieval, FOCS 1997 construct PIR based on the Quadratic Residuosity Assumption Kushilevitz and R. Ostrovsky Replication Is NOT Needed: SINGLE Database, Computationally-Private Information Retrieval, FOCS 1997 construct PIR based on the Quadratic Residuosity Assumption

24 Quadratic Residuosity Assumption (QRA) QR(p) QR(q) ZN+:ZN+: Quadratic Residuosity Assumption (QRA): For a random a є Z N + it is computationally hard to determine if a є QR(N). Formally: for every polynomial-time probabilistic algorithm G the value: |P(G(a) = Q(a)) – 0.5| (where a is random) is negligible. QNR(q) QNR(p) ? a є Z N + ↓ QR(N) N=pq

25 Homomorphism of QR(pq) Q(N,a) := Homomorphism: for all a,b є Z N + Q(N,ab) = Q(N,a) xor Q(N,b) 1 if a є QR(N) 0 otherwise

26 We are ready to construct PIR! Our PIR will work in the group Z N +, where N=pq. What’s so good about this group?: testing membership in Z N + is easy, testing membership in QR(N) is hard for random elements on Z N +, unless one knows p and q. homomorphism of Q!

27 First (wrong) idea i QR X 1 QR X 2... QR X i-1 NQR X i QR X i+1... QR X w-1 QR X w B1B1 B2B2...B i-1 BiBi B i+1...B w-1 BwBw for every j = 1,...,w the database sets Y j = X j 2 if B j = 0 X j otherwise { QR Y 1 QR Y 2... QR Y i-1 YiYi QR Y i+1... QR Y w-1 QR Y w i↓i↓ Y i is a QR iff B i =0 Set M = Y 1 · Y 2 ·... · Y w M M is a QR iff B i =0 the user checks if M is a QR

28 Problems! PIR from the previous slide: correctness √ security? To learn i the database would need to distinguish NQR from QR. √ QR X 1 QR X 2... QR X i-1 NQR X i QR X i+1... QR X w-1 QR X w non-triviality? doesn’t hold! communication: user → database: |B| · |Z* n | database → user: |Z* n | Call it: (|B|, 1) - PIR Call it: (|B|, 1) - PIR

29 How to fix it? Idea: Given: construct Suppose that |B| = v 2 and present B as a v×v-matrix: B13B14B15B16 B9B10B11B12B5B6B7B8 B1B2B3B4 consider each row as a separate database consider each row as a separate database

30 An improved idea B13B14B15B16 B9B10B11B12 B5B6B7B8 B1B2B3B4 v v Let j be the column where B i is. In every “row” the user asks for the jth element So, instead of sending v queries the user can send one! Observe: in this way the user learns all the elements in the jth column! BiBi j↓j↓ execute v (v,1) - PIRs in parallel execute v (v,1) - PIRs in parallel Looks even worse: communication: user → database: v 2 · |Z* n | database → user: v · |Z* n | The method

31 Putting things together B1B1...B j-1 BjBj B j+1...BvBv BiBi B vv i QR X 1... QR X j-1 NQR X j QR X j+1... QR X v X1X1...X j-1 XjXj X j+1...XvXv X1X1 X j-1 XjXj X j+1...XvXv Y1Y1 Y j-1 YjYj Y j+1...YvYv Y vv M1M1... MvMv multiply elements in each row kth row M1M1 MkMk MvMv B j =0 iff M k is QR for every j = 1,...,v set Y j = for every j = 1,...,v set Y j = X j 2 if B j = 0 X j otherwise { jth column here the same row is copied v times: only this counts

32 So we are done! PIR from the previous slide: correctness √ non-triviality: communication complexity = 2√|B| · |Z n | √ security? The to learn i the database would need to distinguish NQR from QR. Formally: from any adversary that breaks our scheme we can construct an algorithm that breaks QRA

33 Improvements user U database D (X 1,…,X v ) (M 1,…,M v ) the user is interested just in one M i. the user is interested just in one M i. Idea: apply PIR recursively!

34 Plan 1.Motivation and definition 2.Information-theoretic impossibility 3.A construction of Kushilevitz and Ostrovsky 4.Overview of some other related results

35 Complexity of PIRs – overview of the results Communication: “recursive” PIR of [KO97]: for every c: O(|B| c ) [Cachin, Micali, Stadler, 1999]: poly-logarithmic in |B| [Lipmaa, 2005]: O(log 2 |B|) For practical analysis see: [Sion, Carbunar] On the Computational Practicality of Private Information Retrieval. their conclusion: It is the time-complexity that matters. In real-life: it is still more practical to transmit the entire database.

36 Extensions Symmetric PIR (also protect privacy of the database). [Gertner, Ishai, Kushilevitz, Malkin. 1998] Searching by key-words [Chor, Gilboa, Naor, 1997] Public-key encryption with key-word search [Boneh, Di Crescenzo, Ostrovsky, Persiano]

37 © 2013 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Download ppt "Lecture 15 Private Information Retrieval Stefan Dziembowski www.dziembowski.net MIM UW 25.01.13ver 1.0."

Similar presentations

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Lecture 8 Public-Key Encryption I Stefan Dziembowski www.dziembowski.net MIM UW 23.11.12ver 1.0.

Lecture 8 Public-Key Encryption I Stefan Dziembowski MIM UW ver 1.0.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Machine Learning Week 2 Lecture 2.

Machine Learning Week 2 Lecture 2.
1 Lecture 14 Language class LFSA –Study limits of what can be done with FSA’s –Closure Properties –Comparing to other language classes.

1 Lecture 14 Language class LFSA –Study limits of what can be done with FSA’s –Closure Properties –Comparing to other language classes.
Private Information Retrieval Benny Chor, Oded Goldreich, Eyal Kushilevitz and Madhu Sudan Journal of ACM Vol.45 No6. 1998 Reporter : Chen, Chun-Hua Date.

Private Information Retrieval Benny Chor, Oded Goldreich, Eyal Kushilevitz and Madhu Sudan Journal of ACM Vol.45 No Reporter : Chen, Chun-Hua Date.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.

Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2.
1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.

1 Lecture 7 Halting Problem –Fundamental program behavior problem –A specific unsolvable problem –Diagonalization technique revisited Proof more complex.
Private Information Retrieval. What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions.

Private Information Retrieval. What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions.

Similar presentations

Ads by Google