Public Key Encryption that Allows PIR Queries Dan Boneh 、 Eyal Kushilevitz 、 Rafail Ostrovsky and William E. Skeith Crypto 2007

Private Information Retrieval (PIR) x=x 1,x 2,..., x n {0,1} n SERVER i {1,…n} xixi USER ij ? n

PIR allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving. existing PIR solutions –retrieving a (plain or encrypted) record of the database by address –search by keyword in a non-encrypted data

Query Answer

Outline Introduction Tools: –Bloom Filter –Modifying Encrypted Data in a Communication Efficient Way Definition Main Construction

Introduction Interesting in: –communication-efficient –complete privacy. Technique: –Receiver: creates a public key. –Sender: message M is accompanied by an “encoded” list of keywords.

Bloom Filters Basic idea: h 1 (a) h 2 (a) h 3 (a) h k (a) T … … … … … 23456m … 011 Suppose

Bloom Filters (cont.) What to store : –certain element is in a set – value which are associated to the element in the set. Definition. As same to above. But together with a collection of sets,,where. Then to insert a pair (a, v) into this structure, v is added to for all. The set of values associated with is simply.

h 1 (a 1 ) h 2 (a 2 ) h k (a k ) Insert (a 1, v 1 ) then (a 2, v 2 ) … check V1V1 V1 B1B1 B2B2 B3B3 BmBm ……. V 1, V 2 V1V1 V2V2 V3V3 V 2, V 3 V 1, V 3 h 1 (a 1 ) h 2 (a 2 ) h k (a k ) ……. {V 1, V 2 } {V 1 } {V 1, V 3 } ∩ ∩ || V1V1

Modifying Encrypted Data in a Communication Efficient Way Based on group homomorphic encryption with communication O(√n). Technique : – : database (not encrypted) –(i*,j*): the position of particular element –α: the value we want to add. –v, w: two vector of length √n where –Here δ kl = 1 when k=l and 0 otherwise –Then

Modifying Encrypted Data in a Communication Efficient Way (cont.) Parameters: –(K, E, D): a CPA-secure public-key encryption – : an array of ciphertexts which is held by a party S. –Define F(X, Y, Z)=X+YZ. By our assumption, there exists some such that

Modifying Encrypted Data in a Communication Efficient Way (cont.) Protocol: Modify U,S (l, α) where l and α are private input to U. 1.U compute i *, j * as the coordinates of l (i.e., i * and j * are quotient and remainder of l/n, respectively) 2.U sends to S where all values are encrypted under A public. 3.S computes for all, and replaces each c ij with the corresponding resulting ciphertext.

Definition Parameters: –X: message sending parties. –Y: message receiving party. –S: server/storage provider. Definition 1:probabilistic polynomial time algorithms and protocols: –KeyGen(1 S ) –Send X,S (M, K, A public ) –Retrieve Y,S (w, A private )

Main Construction S maintains in its storage space encryptions of the buffers, denote these encryptions For, we defined KeyGen(k) :Run K(1 s ), generate A public and A private.

Send X,S (M, K, A public ) Storage ProviderSender Message Buffer Bloom Filter Buffer ρ ρ γ copies of the address ρ ρ ρ ρ ρ Modify X,S (x, α)

Retrieve Y,S (w, A private ) ReceiverStorage Provider PIR Query Message Buffer Bloom Filter Buffer PIR Query Modify y,S (x, α)