A Linear Lower Bound on the Communication Complexity of Single-Server PIR. Iftach Haitner, Jonathan Hoch, Gil Segev. Weizmann Institute of Science, Israel.

Slide 2: Private Information Retrieval
Setting: the server holds an n-bit database x = x_1 ... x_n; the receiver holds an index i ∈ {1,...,n}.
Functionality: the receiver retrieves x_i.
Privacy: the server does not learn i. Formally, the server's view when the receiver holds i is indistinguishable from its view when the receiver holds any other j ∈ {1,...,n} (view(i) ≈ view(j)).

Slide 3: The Trivial Solution
The server sends the whole database x_1 ... x_n and the receiver reads x_i. The receiver sends nothing, so the server learns nothing about i.
Inefficient: x may be very large.
Can we do better than trivial? Not information-theoretically [CGKS]: with a single server and information-theoretic privacy, the server must send n bits.

Slide 4: Two Approaches
Multiple-server PIR: information-theoretic privacy. Many exciting results, but not the focus of this talk [CGKS95, ..., Yek07, ...].
Single-server PIR: computational privacy. Implies oblivious transfer; 2-message PIR implies collision-resistant hash functions and public-key encryption. Many applications [CG97, KO97, CMS99, ...].

Slide 5: Current Status
Specific number-theoretic assumptions: communication polylog(n) [KO97, CMS99, ...].
General assumptions: communication n - o(n), via a black-box construction from trapdoor permutations (TDPs) [KO00].
Question: can single-server PIR with sublinear communication be based on general assumptions?

Slide 6: Main Result
Theorem: in any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over Θ(n) bits, the server sends Ω(n) bits.
Previous results:
[Fis02]: a similar result for 2-message protocols (with fewer restrictions).
[HHRS07]: an Ω(n/log n) lower bound under the same restrictions, and an Ω(n^ε) lower bound for "not so tight" reductions.
Two restrictions: (1) the construction is fully black-box; (2) the security reduction is tight, i.e. the permutations are over Θ(n) bits (for comparison, [KO00] uses TDPs over Θ(n^ε) bits).

Slide 7: Fully Black-Box Reductions
A fully black-box reduction from B to A consists of two parts.
Black-box construction: any implementation of A implies an implementation of B. The construction only uses the functionality of A (it calls A as an oracle).
Black-box proof of security: any adversary for B implies an adversary for A. The proof only uses the functionality of the adversary for B (it calls that adversary as an oracle).

Slide 8: Our Approach
We present an oracle O relative to which:
1. there exists a collection of TDPs over {0,1}^n, and
2. there is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits.
For (1): a random function is hard to invert even with access to O. For (2): there exists an efficient (malicious) server that uses O to break any such protocol.
Since fully black-box reductions relativize, the two facts together rule out every fully black-box construction.

Slide 9: The Oracle [HHRS07]
O = (Sam, π), where π is a random collection of TDPs over {0,1}^n and Sam is an interactive collision-finding oracle: Sam samples random collisions, extending the non-interactive oracle of [Simon98].
Interaction with Sam (the figure on the slide): Sam first hands the adversary A a uniformly random v_0 ← {0,1}^n. A sends a circuit C_1 and receives a uniformly random v_1 with C_1(v_1) = C_1(v_0); A then sends C_2 and receives v_2 with C_2(v_2) = C_2(v_1); and so on. The number of such rounds is the depth of the query.

Slide 10: The Oracle [HHRS07] (cont.)
Theorem: a random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n).
The proof requires additional restrictions (C_{i+1} refines C_i, the adversary commits to C_{i+1} at depth i, ...), but the statement above suffices for the purpose of this talk.

Slide 11: Breaking 2-Message PIR
Database x = x_1 ... x_n, index i ∈ {1,...,n}. The receiver sends a = a(i); the server replies with b = b(a, x).

Slide 12: Breaking 2-Message PIR (cont.)
The malicious server, after receiving a:
1. Receive x^0 from Sam.
2. Send the circuit b(a, ·) to Sam.
3. Receive x^1 from Sam, with b(a, x^1) = b(a, x^0).
4. Output a random index j for which x^0_j = x^1_j.
Claim: the malicious server guesses i with probability ≥ 1/(n-1).
Why: the transcript (a, b) is the same for x^0 and x^1, so by correctness the receiver outputs the same bit in both cases, hence x^0_i = x^1_i and i is among the agreeing indices. Since b(a, ·) compresses the n-bit database, Sam returns x^1 ≠ x^0 with high probability, and then the agreeing indices number at most n-1.
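As an added worked example (not code from the paper or the talk), the following Python simulates the attack of slide 12 against a constructed toy 2-message protocol: the receiver's query names the block containing i and the server returns that block. The protocol is correct but its reply is shorter than the database, which is all the attack needs. The collision-finding oracle Sam is brute-forced over all 2^N databases (feasible only because N = 8 here); the function names (receiver_query, server_reply, sam, malicious_server, ...) and the parameters are this example's own, not the paper's.

```python
import random
from itertools import product

# Toy parameters (constructed): an N-bit database split into two blocks.
# The server's reply is N/2 bits, standing in for the o(n)-bit message.
N = 8
BLOCK = N // 2


def receiver_query(i):
    """Receiver's message a(i): the index of the block containing i."""
    return i // BLOCK


def server_reply(a, x):
    """Server's message b(a, x): the a-th block of the database x."""
    return tuple(x[a * BLOCK:(a + 1) * BLOCK])


def receiver_output(i, a, b):
    """Receiver recovers x_i from the transcript (a, b)."""
    return b[i - a * BLOCK]


def sam(circuit, v0, rng):
    """Collision-finding oracle Sam, brute-forced over all 2^N databases:
    returns a uniformly random v1 with circuit(v1) == circuit(v0).
    The real oracle is unbounded; enumeration only works for toy N."""
    target = circuit(v0)
    preimages = [v for v in product((0, 1), repeat=N) if circuit(v) == target]
    return rng.choice(preimages)


def malicious_server(a, rng):
    """Steps 1-4 of slide 12. Returns x^0, x^1 and the agreement set."""
    x0 = tuple(rng.randrange(2) for _ in range(N))      # 1. x^0 from Sam (uniform)
    x1 = sam(lambda x: server_reply(a, x), x0, rng)      # 2-3. x^1 with b(a,x^1) = b(a,x^0)
    agree = [j for j in range(N) if x0[j] == x1[j]]      # 4. indices on which they agree
    return x0, x1, agree


def run_attack(i, rng):
    """One run: honest receiver with index i, malicious server guessing i.
    Returns (hit, size of agreement set, whether i lies in it)."""
    a = receiver_query(i)
    x0, x1, agree = malicious_server(a, rng)
    # Correctness on the shared transcript forces x^0_i == x^1_i.
    assert receiver_output(i, a, server_reply(a, x0)) == x0[i]
    assert receiver_output(i, a, server_reply(a, x1)) == x1[i]
    guess = rng.choice(agree)
    return guess == i, len(agree), i in agree


def check_all_indices(seed=0):
    """i is always in the agreement set, which never exceeds N indices."""
    rng = random.Random(seed)
    for i in range(N):
        for _ in range(20):
            _, size, contains = run_attack(i, rng)
            if not contains or size > N:
                return False
    return True


def success_rate(trials=2000, seed=1):
    """Empirical probability that the malicious server's guess equals i."""
    rng = random.Random(seed)
    hits = sum(run_attack(rng.randrange(N), rng)[0] for _ in range(trials))
    return hits / trials


def beats_trivial(trials=2000, seed=1):
    """The attack guesses i noticeably better than the 1/N a blind guess gets."""
    return success_rate(trials, seed) > 1.0 / N


if __name__ == "__main__":
    print("i always in agreement set:", check_all_indices())
    print("guess rate %.3f vs blind 1/N = %.3f" % (success_rate(), 1.0 / N))
```

The attack never inspects b(a, ·) beyond handing it to Sam as a circuit, which is why the same steps apply to any 2-message protocol whose server message is shorter than the database. Here the agreement set always contains the queried block, so the guess rate is well above 1/N; for a generic protocol the slide's bound 1/(n-1) is what the counting argument guarantees. The multi-round variant of slides 13-15 is not modelled.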

Slide 13: Breaking Any Sublinear PIR
Multi-round protocol: the receiver sends a_1, the server sends b_1, ..., the receiver sends a_{o(n)}, the server sends b_{o(n)}.
Communication vs. rounds: if the server sends o(n) bits in total, we may assume without loss of generality that it sends one bit per round, so the protocol has o(n) rounds.

Slide 14: Breaking Any Sublinear PIR (cont.)
Key observation: the malicious server can invoke Sam every log(n) rounds. Over o(n) rounds this is o(n)/log(n) invocations, which stays within Sam's depth bound of n/log(n).

Slide 15: Breaking Any Sublinear PIR (cont.)
The malicious server:
1. Receive x^0 from Sam.
2. Simulate the honest server with x^0 for log(n) rounds.
3. Send b_1(a_1, ·) to Sam until receiving x^{log(n)} that is consistent with all log(n) rounds (rewind Sam if the answer is inconsistent), and proceed in the same way for the remaining blocks of log(n) rounds.
Claim: the malicious server guesses i with probability ≥ 1/(n-1).

Slide 16: Summary
Communication lower bound for single-server PIR: for fully black-box constructions from (enhanced) TDPs, the trivial solution is optimal up to constant factors.
In the paper: a communication lower bound for statistically-hiding bit-commitment, via a communication-preserving reduction to single-server PIR. The sender must send Ω(n) bits, which matches the upper bound of [NOVY].
Open problem: a linear lower bound for "not so tight" reductions? ([KO00] uses TDPs over Θ(n^ε) bits.)
Thank you!