Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk and Qiang Tang Estonian Theory Days, Oct 2, 2015

I am boooored I want to watch a movie Bob sells them!

Yo, send me “Teletubbies” 0x ABCDEF… Accompanied with a payment But Bob thinks I am a cool guy, I don’t want him to know I watch “Teletubbies”

Encrypt pk (index) Encrypt pk (movie[index]) Generates pk, sk Uses sk to decrypt, obtains movie[index] n movies, each ℓ bits

Encrypt pk (index) Encrypt pk (movie[index]) Correctness: Alice obtains movie[index] Bob’s privacy: Alice obtains only movie[index] Alice’s privacy: Bob obtains no information about index Efficiency: It should be communication-wise and computation-wise efficient

= log 2 n + ℓ bits

 Achieve optimal rate 1 – o (1)  As close to 1 as possible  So we get a good rate for practically relevant values of ℓ  Some loss due to added privacy

Focus was on minimizing communication as a function of n Rate [Lipmaa, 2005]1 / (log 2 n + 1) – o (1) [Gentry, Ramzan 2005]1 / 4 – o (1) [Lipmaa, 2009]1 / 2 – o (1)

Rate [Lipmaa, 2005]1 / (log 2 n + 1) – o (1) [Gentry, Ramzan 2005]1 / 4 – o (1) [Lipmaa, 2009]1 / 2 – o (1) This work1 – o (1) Focus was on minimizing communication as a function of n Focus on minimizing communication as a function of ℓ

 We use (w, ℓ )CPIR from [Lipmaa 2005]  For any ℓ  Alice transfers w – 1 ciphertexts, (w – 1) ( ℓ + k) bits  Bob transfers one ciphertext, ℓ + k bits  Rate (approx.): ℓ / (w ℓ ) – o (1) = 1 / w – o (1)  Best rate (w = 2): 1 / 2 – o (1)  Recursive construction relies on Bob’s message being short k – security parameter (key length) Requires rate-optimal additively homomorphic PKC (Damgård-Jurik)

x2x2 x3x3 x2x2 x1x1 x1x1 x1x1 x1x1 ……

x2x2 x3x3 x2x2 x1x1 x1x1 x1x1 x1x1 2CPIR(x 1,)( ) D0D0 D1D1 D2D2 D3D3 D4D4 D5D5 Dx1Dx1 D 2+x 1 D 4+x 1 D 6+x 1 2CPIR(x 2, ) ) ( D x 1 +2x 2 D 4+x 1 +2x 2 2CPIR(x 3, ) D x 1 +2x 2 +4x 3 Generalization: use w-ary tree instead of binary

 Communication of [Lip05]: rec5 (w, n, ℓ, k) = ( ℓ + (log w n + 1)k/2) (w – 1) log w n sen5 (w, n, ℓ, k) = ( ℓ / k + log w n) k = ℓ + k log w n  Rate of [Lip05]:  ( ℓ + log 2 n) / (rec5 + sen5) = 1 / ((w – 1) log w n + 1) – o (1)  Optimal when w = 2: 1 / (log 2 n + 1) – o (1) Alice Bob

 For some t, execute in parallel t copies of (w, ℓ /t)CPIR rec9 (w, n, ℓ, k) = rec5 (w, n, ℓ / t, k) = ( ℓ / t + (log w n + 1) k / 2) (w – 1) log w n sen9 (w, n, ℓ, k) = t sen5 (w, n, ℓ / t, k) = ℓ + kt log w n  Rate: ( ℓ + log 2 n) / (rec + sen) = t / ((w – 1) log w n + t) – o (1)  t must be independent of ℓ  [Lip09] recommendation: if w = 2, t = log 2 n, then rate = 1 / 2 – o (1) Alice Bob

x2x2 x3x3 x2x2 x1x1 x1x1 x1x1 x1x1 …… D0D0 D1D1 D2D2 D3D3 D4D4 D5D5 ℓ =s 1 k bits t 1 pieces, Each s 1 k / t 1 bits t 1 pieces, each (s 1 +1)k/t 1 bits t 2 pieces, each s 2 k/t 2 bits (s 1 +1)k bits t 2 pieces, each (s 2 +1)k/t 2 bits t 3 pieces, each s 3 k/t 3 bits …. (s 1 +1)k bits

 Communication for m = log w n: com (w, m, s, k, ℓ ) =(w - 1) k (∑ i=1…m s i + m) + ℓ ∏ i=1...m (1 + 1/s i )  Using multivariate optimization:  Optimal choice s 1 = … = s m =: s com (w, m, s, k, ℓ ) = (w - 1) k (s + 1) m + ℓ (1 + 1/s) m  Optimal s:  When ∂com / ∂s = (w – 1) mk – m (s + 1) m-1 / s m+1 ℓ = 0

 Alternatively: f m (s, σ ) = 0 where  f m (x, y) := yx m+1 – (x + 1) m-1  σ = (w – 1) k / ℓ  Optimal s: root of a degree-(m+1) polynomial  Abel-Ruffini: cannot find roots for m > 3  In practice m < 15 but still… Abel-Ruffini: cannot solve degree-(m+1) polynomials in general. We use Galois theory to show that we cannot even do it for f 4 (x, 1)

σ = (w – 1) k / ℓ

m = log w n Quinary decision trees?!

 In practice:  Suffices to find an integer approximation of s  We show σ -1/2 < s < σ -1/2 + (m – 1) / 2  We find optimal integer s by using Boolean search  ≈ log 2 m ≈ log 2 log 2 n steps  … in practice up to 3 steps

ℓ Integer srate 200 k = KB k = MB k = MB * 10 4 k = 142.3MB k = MB k = GB k = GB k = 2048 w = 5 n= 5 7 =78125

 Getting an asymptotically good rate is important  Getting o in 1 – o (1) as small as possible is more important  Rate > 0.9 for realistic movie sizes!  Nice math is also important

(w, ℓ )CPIR with rate-optimal output Rate-optimal (w m, ℓ )CPIR Rate-optimal additively homomorphic PKC Rate-optimal homomorphic PKC for poly-size decision diagrams Decision tree Decision diagram