Public Key Encryption that Allows PIR Queries
Dan Boneh, Eyal Kushilevitz, Rafail Ostrovsky and William E. Skeith
Crypto 2007
Private Information Retrieval (PIR)
[Figure: the SERVER holds a database $x = x_1, x_2, \ldots, x_n \in \{0,1\}^n$; the USER holds an index $i \in \{1, \ldots, n\}$, sends a Query and receives an Answer from which she obtains $x_i$.]
PIR
• Allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving.
• Existing PIR solutions:
– retrieving a (plain or encrypted) record of the database by address
– search by keyword in non-encrypted data
Outline
• Introduction
• Tools:
– Bloom Filter
– Modifying Encrypted Data in a Communication Efficient Way
• Definition
• Main Construction
Introduction
• Interested in:
– communication efficiency
– complete privacy
• Technique:
– Receiver: creates a public key.
– Sender: message M is accompanied by an “encoded” list of keywords.
Bloom Filters
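• Basic idea: hash functions $h_i : \{0,1\}^* \to [m]$ and an array T of m bits.
[Figure: suppose $a \in S$; the positions $h_1(a), h_2(a), h_3(a), \ldots, h_k(a)$ of the array T (indexed 1, 2, ..., m) are set to 1.]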
Bloom Filters (cont.)
• What to store:
– whether a certain element is in a set
– values $v \in V$ which are associated with the elements of the set
• Definition. Same as above, but together with a collection of sets $\{B_j\}_{j=1}^{m}$, where $B_j \subseteq V$. To insert a pair (a, v) into this structure, v is added to $B_{h_i(a)}$ for all $i \in [k]$. The set of values associated with $a \in S$ is simply $\bigcap_{i \in [k]} B_{h_i(a)}$.
[Figure: insert (a1, v1), then (a2, v2), ..., then check. The hash positions h1(a1), h2(a2), ..., hk(ak) select buffers among B1, B2, B3, ..., Bm, which accumulate the values V1, V2, V3. A lookup intersects the selected buffers: {V1, V2} ∩ {V1} ∩ {V1, V3} = V1.]
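The Bloom filter with storage defined above, as an added example that is not from the slides or the paper's authors. The names `BloomStore`, `sha_hashes` and `table_hashes`, the SHA-256-derived hash family and the constructed position table are assumptions for illustration; the demo reproduces the slide's intersection and shows a false positive for a key that was never inserted.

```python
import hashlib

def sha_hashes(k, m):
    """Assumed hash family: h_i(a) = SHA-256(i || a) mod m, for i in [k]."""
    def make(i):
        return lambda a: int.from_bytes(
            hashlib.sha256(i.to_bytes(4, "big") + a).digest(), "big") % m
    return [make(i) for i in range(k)]

def table_hashes(table, k):
    """Constructed toy family for the demo: h_i(a) = table[a][i]."""
    return [lambda a, i=i: table[a][i] for i in range(k)]

class BloomStore:
    """Bloom filter with storage: m buffers B_j, each a set of values."""
    def __init__(self, m, hashes):
        self.buffers = [set() for _ in range(m)]
        self.hashes = hashes

    def positions(self, a):
        # H_a = { h_i(a) : i in [k] }
        return {h(a) for h in self.hashes}

    def insert(self, a, v):
        # v is added to B_{h_i(a)} for all i in [k]
        for j in self.positions(a):
            self.buffers[j].add(v)

    def lookup(self, a):
        # Values associated with a: intersection of B_{h_i(a)} over i in [k]
        return set.intersection(*(self.buffers[j] for j in self.positions(a)))

def slide_demo():
    # Constructed 0-based positions chosen so that the buffers hit by a1
    # become {v1, v2}, {v1}, {v1, v3}; a4 is never inserted.
    table = {b"a1": (0, 1, 2), b"a2": (0, 3, 4),
             b"a3": (2, 4, 5), b"a4": (0, 0, 2)}
    store = BloomStore(6, table_hashes(table, 3))
    for a, v in ((b"a1", "v1"), (b"a2", "v2"), (b"a3", "v3")):
        store.insert(a, v)
    return store

if __name__ == "__main__":
    s = slide_demo()
    print(s.lookup(b"a1"))  # intersection from the slide
    print(s.lookup(b"a4"))  # false positive: a4 was never inserted
```

Inserted keys are never missed, but a lookup can return extra values when every position of a key is covered by other insertions, which is why m and k must be sized for the expected number of keywords.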
Modifying Encrypted Data in a Communication Efficient Way
• Based on group homomorphic encryption with communication O(√n).
• Technique:
– $\{x_{ij}\}_{i,j=1}^{\sqrt{n}}$: database (not encrypted)
– (i*, j*): the position of a particular element
– α: the value we want to add
– v, w: two vectors of length √n where $v_i = \alpha\,\delta_{ii^*}$ and $w_j = \delta_{jj^*}$
– Here $\delta_{kl} = 1$ when k = l and 0 otherwise
– Then $v_i w_j = \alpha$ if $(i = i^* \wedge j = j^*)$, and $v_i w_j = 0$ otherwise
Modifying Encrypted Data in a Communication Efficient Way (cont.)
• Parameters:
– (K, E, D): a CPA-secure public-key encryption
– $\{c_l = E(x_l)\}_{l=1}^{u}$: an array of ciphertexts which is held by a party S.
– Define F(X, Y, Z) = X + YZ. By our assumption, there exists some $\tilde{F}$ such that $D(\tilde{F}(E(x), E(y), E(z))) = F(x, y, z)$
Modifying Encrypted Data in a Communication Efficient Way (cont.)
• Protocol: Modify_{U,S}(l, α), where l and α are private inputs to U.
1. U computes i*, j* as the coordinates of l (i.e., i* and j* are the quotient and remainder of l/n, respectively).
2. U sends $\{v_i = E(\alpha\,\delta_{ii^*})\}_{i=1}^{n}$, $\{w_j = E(\delta_{jj^*})\}_{j=1}^{n}$ to S, where all values are encrypted under A_public.
3. S computes $\tilde{F}(c_{ij}, v_i, w_j)$ for all $i, j \in [n]$, and replaces each $c_{ij}$ with the corresponding resulting ciphertext.
Definition
• Parameters:
– X: message sending parties.
– Y: message receiving party.
– S: server/storage provider.
• Definition 1: probabilistic polynomial time algorithms and protocols:
– KeyGen(1^s)
– Send_{X,S}(M, K, A_public)
– Retrieve_{Y,S}(w, A_private)
Main Construction
• S maintains in its storage space encryptions of the buffers; denote these encryptions $\{B_j\}_{j=1}^{m}$
• For $w \in \{0,1\}^*$, we define $H_w = \{h_i(w) \mid i \in [k]\}$
• KeyGen(k): Run K(1^s), generate A_public and A_private.
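Send_{X,S}(M, K, A_public)
[Figure: Send protocol between the Sender and the Storage Provider. Labels: $E_{A_{public}}(M)$, M, K; Message Buffer holding E(M) at address ρ; Bloom Filter Buffer $\{B_j\}_{j \in H_w}$ receiving γ copies of the address ρ; Modify_{X,S}(x, α).]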
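Retrieve_{Y,S}(w, A_private)
[Figure: Retrieve protocol between the Receiver and the Storage Provider. Labels: PIR Query on the Bloom Filter Buffer for $\{B_j\}_{j \in H_w}$; Dec of the retrieved buffers; compute $L = \bigcap_{j \in H_w} B_j$; PIR Query on the Message Buffer for E(M) at each pointer in L; $M = D_{A_{private}}(E(M))$; Modify_{Y,S}(x, α).]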