Private Information Retrieval Amos Beimel – Ben-Gurion University Tel-Hai, June 4, 2003 This talk is based on talks by: Yuval Ishai, Eyal Kushilevitz, Tal Malkin
Private Information Retrieval (PIR) [CGKS95] Goal: allow user to query database while hiding the identity of the data-items she is after. Note: hides identity of data-items; not existence of interaction with the user. Motivation: patent databases; stock quotes; web access; many more.... Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against owner of data.)
Modeling Server: holds n-bit string x n should be thought of as very large User: wishes –to retrieve x i and –to keep i private Remark: most basic version; building block for involved retrieval.
Private Information Retrieval (PIR) x=x 1,x 2,..., x n {0,1} n SERVER i {1,…n} xixi USER ij ? n
NO privacy!!! Communication: log n SERVER USER x =x 1,x 2,..., x n xixi Non-Private Protocol i i {1,…n}
Server sends entire database x to User. Information theoretic privacy. Communication: n SERVER xixi USER x =x 1,x 2,..., x n x 1,x 2,..., x n Trivial Private Protocol Is this optimal?
Obstacle Theorem [CGKS]: In any 1-server PIR with information theoretic privacy the communication is at least n.
More “solutions” User asks for additional random indices. Drawback: reveals a lot of information Employ general crypto protocols to compute x i privately. Drawback: highly inefficient (polynomial in n ). Anonymity (e.g., via Anonymizers). Note: different concern: hides identity of user; not the fact that x i is retrieved.
Two Approaches Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. Unconditional privacy against t servers. Default: t=1 Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions.
Known Comm. Upper Bounds Multiple servers, information-theoretic PIR: 2 servers, comm. n 1/3 [CGKS95] k servers, comm. n 1/ (k) [CGKS95, Amb96,…,BIKR02] log n servers, comm. Poly( log(n) ) [BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99]
Approach I: k-Server PIR Correctness: User obtains x i Privacy: No single server gets information about i U S1S1 x {0,1} n S2S2 i SkSk
Information-Theoretic 2-Server PIR Best Known Protocol: comm. n 1/3 [CGKS95] Open Question: Is this optimal? This Talk: comm. n 1/2 Two Stages: 1.Protocol I: n bit queries, 1 bit answers 2.Protocol II: n 1/2 bit queries, n 1/2 bit answers
Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,…,n} S1S1 Q 2 =Q 1 i
Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,…,m} S1S1 Q 2 =Q 1 i
Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,…,n} S1S1 a1a2=xia1a2=xi Q 2 =Q 1 i
PIR with O(n 1/2 ) Communication S2S2 j,i U i X m=n 1/2 Q 1 {1,…,m} S1S1 Q 2 =Q 1 i j a 1,j a 2,j =x j,i
Computational PIR with O(n 1/2 ) Comm. Tool: (randomized) homomorphic encryption b b’b’ b b’ = Example Quadratic Residue: E(0) QR N E(1) NQR N QR QR = QR NQR QR = NQR
Computational PIR with O(n 1/2 ) Comm n 1/2 i User sends n 1/2 encryptions c 1 =E(0), c 2 =E(0), c 3 =E(1), c 4 = E(0) For each row Server sends a “bit” c2c3c2c3 c1 c2c3c1 c2c3 c1c2c1c2 c4c4 User recovers ith column of x j
PIR – Related Work Extensions: –Symmetric PIR [GIKM,NP] –t-privacy [CGKS,IK,BI] –Robust PIR [BS] More settings [OS,GGM,DIO,BIM,...] PIR as a building-block [NN,FIMNSW,...]
Current (& Future) Research Focus so far: communication complexity Obstacle: time complexity All existing protocols require high computation by the servers (linear computation per query). Theorem [BIM]: Expected computation of the servers is (n) Major research goal: Improving time complexity via preprocessing / amortization / off-line computation ( Preliminary results in [BIM,IKOS])