private information retrieval amos beimel – ben-gurion university beimel tel-hai, june 4, 2003...
Post on 21-Dec-2015
216 views
TRANSCRIPT
Private Information Retrieval
Amos Beimel – Ben-Gurion University
http://www.cs.bgu.ac.il/~beimel
Tel-Hai, June 4, 2003
This talk is based on talks by:
Yuval Ishai, Eyal Kushilevitz, Tal Malkin
Private Information Retrieval (PIR) [CGKS95]
• Goal: allow user to query database while hiding the identity of the data-items she is after.
• Note: hides identity of data-items; not existence of interaction with the user.
• Motivation: patent databases; stock quotes; web access; many more....
• Paradox(?): imagine buying in a store without the seller knowing what you buy.
(Encrypting requests is useful against third parties; not against owner of data.)
Modeling
• Server: holds n-bit string x n should be thought of as very large
• User: wishes– to retrieve xi and– to keep i private
• Remark: most basic version; building block for involved retrieval.
NO privacy!!!
Communication: log n
SERVER USER
x =x1,x2 , . . ., xn
xi
Non-Private Protocol
i
i {1,…n}
Server sends entire database x to User.
Information theoretic privacy.
Communication: n
SERVER
xi
USER
x =x1,x2 , . . ., xn
x1,x2 , . . ., xn
Trivial Private Protocol
Is this optimal?
Obstacle
Theorem [CGKS]:
In any 1-server PIR with information
theoretic privacy the communication is at
least n.
More “solutions”• User asks for additional random indices.Drawback: reveals a lot of information • Employ general crypto protocols to
compute xi privately.Drawback: highly inefficient (polynomial in
n).• Anonymity (e.g., via Anonymizers).Note: different concern: hides identity of user;
not the fact that xi is retrieved.
Two Approaches
Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers.
Unconditional privacy against t servers.
Default: t=1
Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions.
Known Comm. Upper Bounds
Multiple servers, information-theoretic PIR:• 2 servers, comm. n1/3 [CGKS95]
• k servers, comm. n1/(k) [CGKS95, Amb96,…,BIKR02]
• log n servers, comm. Poly( log(n) ) [BF90, CGKS95]
Single server, computational PIR:
Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99]
Approach I: k-Server PIR
Correctness: User obtains xi
Privacy: No single server gets information about i
U
S1
x {0,1}n
S2x {0,1}n
i
x {0,1}n Sk
Information-Theoretic 2-Server PIR
• Best Known Protocol: comm. n1/3 [CGKS95]• Open Question: Is this optimal?• This Talk: comm. n1/2
Two Stages:
1. Protocol I: n bit queries, 1 bit answers
2. Protocol II: n1/2 bit queries, n1/2 bit answers
Protocol I: 2-server PIR
S2
i
U
i
n
Q1{1,…,n}
S1
a1a2=xi
11
Qa x
2
2Q
a x
Q2=Q1 i
0 1 0 0 1 0 1 0 0 01 110
PIR with O(n1/2) Communication
S2
j,i
U
i
X
m=n1/2
m=n1/2
Q1{1,…,m}
S1
1,1 1,2 1,, ,..., ma a a
Q2=Q1 i
j
2,1 2,2 2,, ,..., ma a a
1, ja
1,2a1,1a
a1,ja2,j=xj,i
Computational PIR with O(n1/2) Comm.
Tool: (randomized) homomorphic encryption
b b’ b b’=
Example Quadratic Residue:
E(0) QRN
E(1) NQRN
QR QR = QR
NQR QR = NQR
Computational PIR with O(n1/2) Comm.
0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1
n1/2
n1/2
i• User sends n1/2 encryptions
c1 =E(0), c2 =E(0), c3=E(1), c4 = E(0)
• For each row Server sends a “bit”c2c3
c1 c2c3
c1c2
c4
• User recovers ith column of x
j
PIR – Related Work
• Extensions:– Symmetric PIR [GIKM,NP]– t-privacy [CGKS,IK,BI]– Robust PIR [BS]
• More settings [OS,GGM,DIO,BIM,...]
• PIR as a building-block [NN,FIMNSW,...]
Current (& Future) Research
Focus so far: communication complexity
Obstacle: time complexity • All existing protocols require high computation by the
servers (linear computation per query).
Theorem [BIM]:
Expected computation of the servers is (n)
Major research goal:
Improving time complexity via
preprocessing / amortization / off-line computation( Preliminary results in [BIM,IKOS])