Private Information Retrieval Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last slide for acknowledgements!
AOL search data scandal (2006) # : clothes for age single men best retirement city jarrett arnold jack t. arnold jaylene and jarrett arnold gwinnett county yellow pages rescue of older dogs movies for dogs sinus infection Thelma Arnold 62-year-old widow Lilburn, Georgia
Observation The owners of the database know a lot about the users! This poses a risk to users’ privacy. E.g. consider database with stock prices… Can we do something about it? Yes, we can: trust them that they will protect our secrecy, or use cryptography! Really?
How can crypto help? Note: this problem has nothing to do with side-channels, website fingerprinting, etc. user U database D
Threat Model user U database D A new primitive: Private Information Retrieval (PIR) secure link
Private Information Retrieval (PIR) [CGKS95] Goal: allow user to query database while hiding the identity of the data-items she is after. Note: hides identity of data-items; not existence of interaction with the user. Motivation: patient databases; stock quotes; web access; many more.... Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against owner of data.)
Model Server: holds n-bit string x n should be thought of as very large User: wishes – to retrieve x i and – to keep i private
Private Information Retrieval (PIR) x=x 1,x 2,..., x n {0,1} n SERVER i {1,…n} xixi USER ij ? n
NO privacy!!! Communication: 1 SERVER USER x =x 1,x 2,..., x n xixi Non-Private Protocol i i {1,…n}
Server sends entire database x to User. Information theoretic privacy. Communication: n SERVER xixi USER x =x 1,x 2,..., x n x 1,x 2,..., x n Trivial Private Protocol Not optimal !
Other solutions? User asks for additional random indices. Drawback: leaks information, reduces communication efficiency Employ general crypto protocols to compute x i privately. Drawback: highly inefficient (polynomial in n). Anonymity (e.g., via Anonymizers). Note: different concern: hides identity of user; not the fact that x i is retrieved.
Two Approaches for PIR Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. User queries all the servers Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions.
Known Comm. Upper Bounds Multiple servers, information-theoretic PIR: 2 servers, comm. n 1/3 [CGKS95] k servers, comm. n 1/ (k) [CGKS95, Amb96,…,BIKR02] log n servers, comm. Poly( log(n) ) [BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99] Sub-linear with n
Approach I: k-Server PIR Correctness: User obtains x i Privacy: No single server gets information about i U S1S1 x {0,1} n S2S2 i SkSk
A 2-server Information Theoretical PIR S2S2 i U i n S1S
S2S2 i U i n Q 1 subset {1,…,n} S1S
Protocol I: 2-server PIR S2S2 i U i n Q 1 subset {1,…,n} S1S
Protocol I: 2-server PIR S2S2 i U i n Q 1 subset {1,…,n} S1S1 Q 2 =Q 1 + {i}
Protocol I: 2-server PIR S2S2 i U i n Q 1 subset {1,…,n} S1S1 Q 2 =Q 1 + {i} Weakness: Servers should not collude!
Protocol I: 2-server PIR S2S2 i U i n Q 1 subset {1,…,n} S1S1 Q 2 =Q 1 + {i} Weakness: Servers should not collude!
Computation PIR Only one server, no need to trust Based on cryptographic assumptions Downside: Server has to run over the whole database, otherwise leaks information – High computation load on the server CS660 - Advanced Information Assurance - UMassAmherst 21
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi Olumofin (U Waterloo) Carmela Troncoso (KU Leuven) Nikita Borisov (U Illinois) Ian Goldberg (U Waterloo) 22 Original slides from the authors USENIX Security 2011
Tor Background List of servers? 23 Trusted Directory Authority Guards Exit Middle 1. Load balancing 2. Exit policy Directory Servers Signed Server list (relay descriptors)
Performance Problem in Tor’s Architecture: Global View Global view – Not scalable Need solutions without global system view 24 List of servers? Directory Servers Torsk – CCS09
Current Solution: Peer-to-peer Paradigm Morphmix [WPES 04] – Broken [PETS 06] Salsa [CCS 06] – Broken [CCS 08, WPES 09] NISAN [CCS 09] – Broken [CCS 10] Torsk [CCS 09] – Broken [CCS 10] ShadowWalker [CCS 09] – Broken and fixed(??) [WPES 10] Very hard to argue security of a distributed, dynamic and complex P2P system. 25
Design Goals A scalable client-server architecture with easy to analyze security properties. – Avoid increasing the attack surface Equivalent security to Tor – Preserve Tor’s constraints Guard/middle/exit relays, Load balancing – Minimal changes Only relay selection algorithm 26
Key Observation Need only 18 random middle/exit relays in 3 hours – So don’t download all 2000! Naïve approach: download a few random relays from directory servers – Problem: malicious servers – Route fingerprinting attacks Download selected relay descriptors without letting directory servers know the information we asked for. Private Information Retrieval (PIR) Inference: User likely to be Bob Directory Server Relay # 10, 25 10: IP address, key 25: IP address, key Bob
Private Information Retrieval (PIR) Information theoretic PIR – Multi-server protocol – Threshold number of servers don’t collude Computational PIR – Single server protocol – Computational assumption on server Only ITPIR-Tor in this talk – See paper for CPIR-Tor 28 R C A B A Database C R B R A RARA
MiddleExit Guards Exit relay compromised: ITPIR-Tor: Database Locations Tor places significant trust in guard relays – 3 compromised guard relays suffice to undermine user anonymity in Tor. Choose client’s guard relays to be directory servers 29 MiddleExit Guards Exit relay honest End-to-end Timing Analysis Deny Service MiddleExit Guards At least one guard relay is honest ITPIR guarantees user privacy MiddleExit Guards All guard relays compromised ITPIR does not provide privacy But in this case, Tor anonymity broken Equivalent security to the current Tor network
ITPIR-Tor Database Organization and Formatting Middles, exits – Separate databases Exit policies – Standardized exit policies – Relays grouped by exit policies Load balancing – Relays sorted by bandwidth Relay Descriptors Exit Policy 1 Exit Policy 2 Non- standard Exit policies MiddlesExits e4 e3 e5 e6 e2 e1 e7 e8 m4 m3 m5 m6 m2 m1 m7 m8 Sort by Bandwidth 30
ITPIR-Tor Architecture 31 Trusted Directory Authority Guard relays/ PIR Directory servers 5.18 PIR Queries(1 middle/exit) 2. Initial connect 3. Signed meta-information 6. PIR Response 1. Download PIR database 4. Load balanced index selection middle,18 PIR Query(exit) MiddlesExits e4 e3 e5 e6 e2 e1 e7 e8 m4 m3 m5 m6 m2 m1 m7 m8
Performance Evaluation Percy [Goldberg, Oakland 2007] – Multi-server ITPIR scheme 2.5 GHz, Ubuntu Descriptor size 2100 bytes – Max size in the current database Exit database size – Half of middle database Methodology: Vary number of relays – Total communication – Server computation 32
Performance Evaluation: Communication Overhead 33 Current Tor network: 5x--100x improvement Advantage of PIR-Tor becomes larger due to its sublinear scaling: 100x--1000x improvement 1.1 MB 216 KB 12 KB
Performance Evaluation: Server Computational Overhead 34 Current Tor network: less than 0.5 sec 100,000 relays: about 10 seconds (does not impact user latency)
Performance Evaluation: Scaling Scenarios 35 Scenario Tor Communication (per client) ITPIR Communication (per client) ITPIR Core Utilization ExplanationRelayClients Current Tor 2,000250, MB0.2 MB0.425 % 10x relay/client 20,0002.5M11 MB0.5 MB4.25 % Clients turn relays 250, MB1.7 MB0.425 %
Conclusion PIR can be used to replace descriptor download in Tor. – Improves scalability 10x current network size: very feasible 100x current network size : plausible – Easy to understand security properties Side conclusion: Yes, PIR can have practical uses! Questions? 36
Acknowledgement Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below: Stefan Dziembowski, Private Information RetrievalPrivate Information Retrieval Amos Beimel, Private Information RetrievalPrivate Information Retrieval Prateek Mittal, PIR-TorPIR-Tor 37 CS660 - Advanced Information Assurance - UMassAmherst