An Ω(n^{1/3}) Lower Bound for Bilinear Group Based Private Information Retrieval
Alexander Razborov, Sergey Yekhanin
Private Information Retrieval [CGKS]
D is a binary string of length n. k non-communicating servers hold the same database D. The user holds an index i, 1 ≤ i ≤ n, and wants to retrieve D_i. Each individual server should get no information about i. Goal: minimize communication complexity!
PIR: progress

  k   Lower bound            Upper bound
  1   Θ(n) [CGKS] (tight)
  2   5 log n [WdW]          O(n^{1/3}) [CGKS, BI+IK, WY]
  3                          O(n^{1/3}) [CGKS]
                             O(n^{1/5}) [A]
                             O(n^{1/5.25}) [BIKR]
                             O(n^{1/32,582,658}) [Y]
                             n^{O(1/log log n)} [Y]
2-server case: restricted lower bounds
[Itoh]: Ω(n^{1/4}), when servers return affine functions of the queries.
[GKST], [WdW]: Ω(n^{1/(s+1)}), when the user reads at most s bits from the servers' responses.
This work: Ω(n^{1/3}), for bilinear group based PIR schemes.
The models are incomparable. Each model captures all known PIR schemes.
Plan of the talk
– An example PIR scheme [WY]
– Statement of our lower bound
– Our technique
Example PIR: algebraization
The user holds i, 1 ≤ i ≤ n, and wants D_i. The database D ∈ {0,1}^n is represented by a cubic multivariate polynomial F(x_1, …, x_m) over a finite field F_q. The polynomial is in m = n^{1/3} variables. For every i there is a point P_i such that D_i = F(P_i).
Example PIR: privacy, O(n^{1/3}) communication, correctness
The scheme requires at least 4 servers. Note: the communication is unbalanced.
Example PIR: correctness
The user reconstructs the values of derivatives from the values of partial derivatives. User learns: … Reconstructs: …
Key properties of the example PIR
Servers represent the database D by a function on a group, and the user can retrieve the function value at any group element (including elements that do not correspond to database bits). The user computes the dot product of the servers' responses to obtain D_i. These properties are common to all known PIR schemes.
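The following is an added illustration of the algebraization slides and of the "retrieve the function value at any point" property; it is not the authors' [WY] scheme. It uses the plain polynomial-interpolation approach (4 servers for a cubic, user interpolates along a random line through P_i) rather than the derivative-based reconstruction the slides refer to. The field size Q = 7, the server evaluation points LAMBDAS, and the encoding of bit i as the monomial of the i-th 3-subset of the m variables are all constructed choices for this example.

```python
from itertools import combinations, product
import random

Q = 7                    # constructed choice: a small prime, arithmetic is in F_7
LAMBDAS = [1, 2, 3, 4]   # one distinct nonzero field element per server (4 servers)


def encode_database(D):
    """Represent the n-bit database D by the cubic polynomial
    F(x) = sum_i D_i * x_a x_b x_c over F_Q, where (a, b, c) is the i-th
    3-subset of the m variables.  C(m, 3) >= n, so m = O(n^(1/3)).
    Returns the variable count m, the monomial list and the points P_i."""
    n = len(D)
    m = 3
    while len(list(combinations(range(m), 3))) < n:
        m += 1
    triples = list(combinations(range(m), 3))[:n]
    points = []
    for a, b, c in triples:
        P = [0] * m
        P[a] = P[b] = P[c] = 1          # P_i = e_a + e_b + e_c
        points.append(P)
    return m, triples, points


def evaluate(D, triples, x):
    """Server-side computation: F(x) mod Q.  At x = P_i only the monomial
    of index i is nonzero (every other triple leaves the support), so F(P_i) = D_i."""
    return sum(D[i] * x[a] * x[b] * x[c] for i, (a, b, c) in enumerate(triples)) % Q


def queries_for(point, V):
    """The user's messages: server s receives point + LAMBDAS[s] * V
    (m field elements, i.e. O(n^(1/3)) communication per server)."""
    return [[(p + lam * v) % Q for p, v in zip(point, V)] for lam in LAMBDAS]


def interpolate_at_zero(ys):
    """Lagrange interpolation of the degree-3 univariate polynomial
    f(lam) = F(point + lam * V) from its values at LAMBDAS, evaluated at lam = 0."""
    total = 0
    for s, (lam_s, y_s) in enumerate(zip(LAMBDAS, ys)):
        coeff = 1
        for t, lam_t in enumerate(LAMBDAS):
            if t != s:
                # prod_{t != s} (0 - lam_t) / (lam_s - lam_t) = prod_{t != s} lam_t / (lam_t - lam_s)
                coeff = coeff * lam_t * pow((lam_t - lam_s) % Q, Q - 2, Q) % Q
        total = (total + y_s * coeff) % Q
    return total


def retrieve_point(D, point, seed):
    """Privately learn F(point) for ANY point of F_Q^m, not only the P_i."""
    m, triples, _ = encode_database(D)
    rng = random.Random(seed)
    V = [rng.randrange(Q) for _ in range(m)]     # the user's random direction
    answers = [evaluate(D, triples, q) for q in queries_for(point, V)]
    return interpolate_at_zero(answers)


def retrieve(D, i, seed=0):
    """PIR for bit i: query F at P_i, where F(P_i) = D_i."""
    return retrieve_point(D, encode_database(D)[2][i], seed)


def server_view_is_uniform(D, i, s):
    """Privacy check: over all choices of V, server s sees every vector of
    F_Q^m exactly once, so its view is independent of i."""
    m, _, points = encode_database(D)
    seen = sorted(tuple(queries_for(points[i], list(V))[s])
                  for V in product(range(Q), repeat=m))
    return seen == sorted(product(range(Q), repeat=m))


if __name__ == "__main__":
    D = [1, 0, 1, 1]                       # constructed 4-bit database
    print([retrieve(D, i, seed=i) for i in range(4)], "==", D)
    print("server 0 view uniform:", server_view_is_uniform(D, 0, 0))
```

The privacy argument is visible in `queries_for`: because each server's LAMBDAS entry is nonzero, the map V ↦ P_i + λ·V is a bijection of F_Q^m, so the message to any single server is uniform whatever i is. The query cost grows with m, the answer is a single field element, which is the unbalanced communication the slides mention.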
Our result
Theorem: Every bilinear group based PIR protocol requires Ω(n^{1/3}) communication.
– Bilinear: the user outputs the dot product of the servers' responses.
– Group based: the servers represent the database by a function on a finite group G, and the user can retrieve function values at arbitrary group elements using the natural secret sharing based on G.
Our technique
– Combinatorial view of PIR
– Specialization to bilinear PIR
– Specialization to bilinear group based PIR
– Algebraic problem
Combinatorial view of PIR
Notion – Generalized Latin Square S[n, T]: a square of size T by T over n variables, in which every variable appears exactly once in every row and every column.
(figure: a generalized Latin square over the variables x1, x2, x3)
Combinatorial view of PIR
Notion – Embedding of matrices: let S ∈ {0,1}^{T×T} and A ∈ {0,1}^{L×L}. S embeds into A if there exist two embedding maps r, c : [T] → [L] such that for all j, k ∈ [T]: S_{jk} = A_{r(j) c(k)}.
Combinatorial view of PIR
Theorem: PIR schemes with t-bit queries and r-bit answers are equivalent* to pairs of matrices S, A such that:
– S is a Generalized Latin Square [n, 2^t];
– A is a binary square matrix of size 2^r;
– for every {0,1} assignment to the variables x_i, S can be completed to a {0,1} matrix that embeds into A.
Combinatorial view of PIR: proof
Given S, A we construct a PIR protocol. The servers obtain the embedding maps r, c : [T] → [L].
U: randomly picks j, k ∈ [T] such that S_{jk} = i.
U → S_1: j.   U → S_2: k.
S_1 → U: r(j).   S_2 → U: c(k).
U: outputs A_{r(j) c(k)}.
Communication complexity, correctness and privacy follow from the three properties of S and A.
Combinatorial view of bilinear PIR
Theorem: Bilinear PIR schemes with t-bit queries and r-bit answers are equivalent* to 2^t by 2^t matrices S that:
– are Generalized Latin Squares [n, 2^t];
– for every {0,1} assignment to the variables x_i can be completed to a matrix of F_2-rank ≤ r.
Bilinear PIR schemes S, A have A = H_r.
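An added example (not from the paper) that instantiates the proof of the combinatorial view and the bilinear specialization with the simplest possible pair S, A: the cyclic generalized Latin square S_{jk} = x_{(j+k) mod n} with T = n (so t = log n), and A taken to be the 2^n × 2^n inner-product matrix H_n, A[u][v] = <u, v> mod 2, indexed by n-bit vectors (so r = n). The embedding maps r(j) = "row j of the completed S" and c(k) = e_k are this example's own construction; the protocol below is the one on the proof slide, and the helper `f2_rank` checks the rank condition of the bilinear theorem on the completions.

```python
import random


def latin_square(n):
    """Generalized Latin square S[n, T] with T = n: entry (j, k) holds the
    variable index (j + k) mod n.  Every variable appears exactly once in
    each row and each column; the square respects the structure of Z_n."""
    return [[(j + k) % n for k in range(n)] for j in range(n)]


def complete(S, D):
    """Substitute the database bits for the variables: the {0,1} completion of S."""
    return [[D[v] for v in row] for row in S]


def inner_product_mod2(u, v):
    return sum(a & b for a, b in zip(u, v)) % 2


# Embedding maps into A = H_n, the 2^n x 2^n matrix A[u][v] = <u, v> mod 2
# indexed by n-bit vectors.  A is never materialised: the user just takes the
# inner product of the two answers, which is exactly the bilinear output.
def r_map(completed, j):
    return tuple(completed[j])                                   # row j of the completion


def c_map(n, k):
    return tuple(1 if idx == k else 0 for idx in range(n))      # unit vector e_k


def user_choice(n, i, j):
    """Given the user's random coin j, the unique k with S[j][k] = x_i."""
    return j, (i - j) % n


def pir_run(D, i, seed=0):
    """The protocol of the proof slide: t = log n query bits, r = n answer
    bits, and the user outputs A[r(j)][c(k)] = (completed S)[j][k] = D_i."""
    n = len(D)
    completed = complete(latin_square(n), D)      # both servers hold D
    j, k = user_choice(n, i, random.Random(seed).randrange(n))
    answer1 = r_map(completed, j)                 # server 1 received j
    answer2 = c_map(n, k)                         # server 2 received k
    return inner_product_mod2(answer1, answer2)


def run_all(D, seed=0):
    return [pir_run(D, i, seed + i) for i in range(len(D))]


def server_views(n, i):
    """What server 1 (resp. server 2) can see for index i, over all of the
    user's coins: both lists are all of [n] regardless of i, hence privacy."""
    pairs = [user_choice(n, i, j) for j in range(n)]
    return sorted(j for j, _ in pairs), sorted(k for _, k in pairs)


def f2_rank(M):
    """Rank over F_2 by Gaussian elimination on rows packed as integers."""
    rows = [int("".join(map(str, row)), 2) for row in M]
    rank = 0
    for bit in reversed(range(len(M[0]))):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank


def respects_cyclic_group(M):
    """M respects the structure of Z_n: M[j][k] depends only on (j + k) mod n
    (a circulant matrix, as on the G = Z_5 slide)."""
    n = len(M)
    return all(M[j][k] == M[0][(j + k) % n] for j in range(n) for k in range(n))


if __name__ == "__main__":
    D = [1, 0, 1, 1, 0, 0, 1, 0]                 # constructed 8-bit database
    print(run_all(D), "==", D)
    C = complete(latin_square(8), D)
    print("circulant:", respects_cyclic_group(C), "F_2 rank:", f2_rank(C))
```

This is the trivial scheme (server 1 sends a whole row, i.e. n bits), so the rank bound r = n is met with room to spare; the point of the example is the correspondence itself: the Latin-square property gives privacy (`server_views`), the embedding gives correctness (`pir_run`), and the completions of S are circulant, which is what "respects the structure of G" means for G = Z_n.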
Specialization to group based PIR
Notion – a matrix S respects the structure of a finite group G. Example: G = Z_5 (circulant matrices).
Specialization to group based PIR
The 2^n different databases yield 2^n different low-rank completions of a GLS S[n, 2^t]. In group based PIR schemes over a group G, all such completions respect the structure of G. We use representation theory to count the total number A(G, r) of rank ≤ r matrices respecting the group structure.
(figure: the {0,1} completions of the generalized Latin square over x1, x2, x3)
Algebraic problem
A(G, r) can be defined in algebraic terms. The upper bound proof requires modular (i.e. non-semisimple) representation theory and yields A(G, r) ≤ 2^{(log |G|)·r^2}; combined with 2^n ≤ A(G, r) this gives n ≤ (log |G|)·r^2.
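Added derivation of how the counting bound yields the theorem (not on the slides); it assumes that |G| = 2^t because the GLS S[n, 2^t] is indexed by the elements of G:

$$
2^n \;\le\; A(G, r) \;\le\; 2^{(\log |G|)\, r^2} \;=\; 2^{t\, r^2}
\quad\Longrightarrow\quad n \le t\, r^2
\quad\Longrightarrow\quad \max(t, r) \ge n^{1/3},
$$

so the total communication t + r of any bilinear group based scheme is Ω(n^{1/3}).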
Open problems
– Can our technique be extended to a lower bound for bilinear PIR?
– Can our technique be used to establish a connection to matrix rigidity?