A Linear Lower Bound on the Communication Complexity of Single-Server PIR Weizmann Institute of Science Israel Iftach HaitnerJonathan HochGil Segev
2 Private Information Retrieval Functionality : Receiver retrieves x i Privacy : Server does not learn i x = x 1 x n i 2 {1,...,n} ReceiverServer i 2 {1,...,n} Receiver j 2 {1,...,n} ¼ xixi
3 The Trivial Solution x = x 1 x n i 2 {1,...,n} ReceiverServer i 2 {1,...,n} Receiver x1 xnx1 xn Inefficient -- x may be very large Can we do better than trivial? Not information theoretically [CGKS]
4 Two Approaches Multiple-server PIR Information theoretic privacy Many exciting results, but not the focus of this talk [CGKS95,...,Yek07,...] Single-server PIR Computational privacy Implies Oblivious Transfer 2-message PIR implies collision-resistant hash functions and public-key encryption Many applications... [CG97, KO97, CMS99,...]
5 Current Status Specific number-theoretic assumptions Communication polylog(n) [KO97, CMS99,...] General assumptions Communication n - o(n) Black-box construction based on TDPs [KO00] Question: Can we base single-server PIR with sublinear communication on general assumptions?
6 Main Result In any fully black-box construction of single-server PIR for an n -bit database from trapdoor permutations over (n) bits, the server sends (n) bits. Previous results [Fis02]: Similar result for 2-message protocols (less restrictions) [HHRS07]: (n/logn) lower bound (same restrictions) (n ² ) lower bound for “not so tight” reductions Two restrictions Fully black-box Tight security reduction: permutations over (n) bits [KO ‘00]: (n ² ) bits
7 Fully Black-Box Reductions Black-box proof of security Any adversary for B implies an adversary for A Only care about functionality of the adversary for B A fully black-box reduction from B to A : Black-box construction Any implementation of A implies an implementation of B Only care about the functionality of A Adversary for A Adversary for B A B A
8 Our Approach We present an oracle O relative to which: 1. There exists a collection of TDPs over {0,1} n 2. There is no single-server PIR protocol for an n -bit database in which the server sends o(n) bits A random function is hard to invert even with access to O There exists an efficient server that uses O to break any such protocol Fully black-box reductions relativize
9 The Oracle [HHRS ‘07] O = (Sam, ) is a random collection of TDPs over {0,1} n Sam is an interactive collision-finding oracle Sam ples random collisions Extends the non-interactive oracle of [Simon ‘98] C 1 (v 1 ) = C 1 (v 0 ) v 0 Ã {0,1} n C 2 (v 2 ) = C 2 (v 1 ) AA Sam v0v0 C1C1 v1v1 C2C2 v2v2
10 The Oracle [HHRS ‘07] AA Sam v0v0 C1C1 v1v1 C2C2 v2v2 Theorem: A random TDP is one-way as long as Sam answers queries of depth · n/log(n) The proof requires additional restrictions ( C i+1 refines C i, commit to C i+1 at depth i,...)...but this suffices for the purpose of this talk O = (Sam, ) is a random collection of TDPs over {0,1} n Sam is an interactive collision-finding oracle Sam ples random collisions Extends the non-interactive oracle of [Simon ‘98] n/log(n)
11 Breaking 2-Message PIR x = x 1 x n i 2 {1,...,n} a(i) b(a,x)
12 Breaking 2-Message PIR i 2 {1,...,n} a b(a,x 0 ) 1. Receive x 0 from Sam 2. Send the circuit b(a, ¢ ) to Sam 3. Receive x 1 from Sam 4. Output a random index j for which x 0 j x 1 j Claim : The malicious server guesses i w.p. ¸ 1/(n-1) x 0 i x 1 i and x 0 x 1 b(a,x 1 ) =
13 Breaking Any Sublinear PIR i 2 {1,...,n} a1a1 b1b1 a o(n) b o(n)... Communication vs. Rounds: Server sends o(n) bits ) o(n) rounds, server sends one bit each round
14 Breaking Any Sublinear PIR i 2 {1,...,n} a1a1 b1b1 a log(n) b log(n) a o(n) b o(n).. Key observation : The malicious server can invoke Sam every log(n) rounds
15 Breaking Any Sublinear PIR i 2 {1,...,n} a1a1 b1b1 a log(n) b log(n).. 1. Receive x 0 from Sam 2. Simulate the honest server for log(n) rounds 3. Send b 1 (a 1, ¢ ) to Sam until receiving x log(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent) Claim : The malicious server guesses i w.p. ¸ 1/(n-1)
16 Summary Communication lower bound for single-server PIR Fully black-box constructions from (enhanced) TDPs The trivial solution is optimal up to constant factors In the paper: Communication lower bound for statistically-hiding bit-commitment The sender must send (n) bits Communication preserving reduction to single-server PIR Open problem: A linear lower bound for “not so tight” reductions? [KO ‘00]: TDPs over (n ² ) bits Thank you! Matches the upper bound of [NOVY]