Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016.

Presentation transcript:


- Goal: construct an optimal-rate cryptographic protocol to privately retrieve a database element
- Construction: recursive, starting from a "semi-good" construction
- We use complicated techniques from algebra / analysis: Galois theory, the Newton-Puiseux algorithm
- Not really much crypto…
- Getting a good rate is important in other areas of (T)CS, but our techniques seem to be unique

I am boooored. I want to watch a movie. Bob sells them!

Yo, send me "Teletubbies" (0x ABCDEF…), accompanied with a payment. But Bob thinks I am a cool guy; I don't want him to know I watch "Teletubbies".

Setting: Bob has n movies, each ℓ bits; Alice holds index.
- Alice generates (pk, sk) and sends Encrypt_pk(index)
- Bob replies with Encrypt_pk(movie[index])
- Alice uses sk to decrypt and obtains movie[index]

index ∈ {1, …, n}; database movie[1] … movie[n]; Alice sends Encrypt_pk(index), Bob answers Encrypt_pk(movie[index]).
- Correctness: Alice obtains movie[index]
- Bob's privacy: Alice obtains only movie[index]
- Alice's privacy: Bob obtains no information about index
- Efficiency: it should be communication-wise and computation-wise efficient

Non-private baseline (the index plus one movie) = log_2 n + ℓ bits

- Achieve optimal rate 1 − o(1): as close to 1 as possible
- So we get a good rate for practically relevant values of ℓ
- Some communication overhead is inherent due to privacy

Rate of prior CPIR protocols versus this work:

  [Lipmaa, 2005]         1 / (log_2 n + 1) − o(1)
  [Gentry, Ramzan 2005]  1 / 4 − o(1)
  [Lipmaa, 2009]         1 / 2 − o(1)
  This work              1 − o(1)

Prior work focused on minimizing communication as a function of n; this work focuses on minimizing communication as a function of ℓ.

- Cryptosystem: encrypts messages…
- Additively homomorphic: Enc_s(m_1) · Enc_s(m_2) = Enc_s(m_1 + m_2)
- Optimal rate: for any m, |Enc_s(m)| = |m| + k, where s = ℓ / k
- k = log N: security parameter (key length), needed for privacy
- Example (DJ01): Enc_s(m mod N^s; r) = (1+N)^m · r^{N^s} mod N^{s+1}

- The only known optimal-rate additively homomorphic cryptosystems are DJ01 and DJ03
- Optimal-rate non-homomorphic, or homomorphic but non-optimal-rate: many candidates
- IND-CPA security: Enc_s(m_0) and Enc_s(m_1) are computationally indistinguishable
- DJ01 is IND-CPA secure under the DCRA assumption (a tautological but well-known assumption)
- DJ01: Enc_s(m mod N^s; r) = (1+N)^m · r^{N^s} mod N^{s+1}
- DJ03: Enc_s(m mod N^s; r) = (g^r mod N, (1+N)^m · (h^r mod N)^{N^s} mod N^{s+1})

(w, ℓ)CPIR from an additively homomorphic cryptosystem:
- Alice transfers C_i = Enc_s([index = i]) for i = 1 … w − 1
- Bob computes C_w = Enc_s(1) / Π_{i<w} C_i = Enc_s([index = w])
- Bob returns D = Π_i C_i^{movie[i]} = Enc_s(Σ_i [index = i] · movie[i]) = Enc_s(movie[index])
- Computationally private: index is hidden iff Enc is secure
- |C_i| = |D| = ℓ + k

- Alice transfers w − 1 ciphertexts: (w − 1)(ℓ + k) bits
- Bob transfers one ciphertext: ℓ + k bits
- "Semi-good" rate: 1 / w − O(ℓ^{-1})
- Best rate (w = 2): 1 / 2 − O(ℓ^{-1})
- We need a good (1 − o(1)) rate CPIR for large w
- Recursive construction: relies on Bob's message being short
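The basic (w, ℓ)CPIR of the two slides above, instantiated with the DJ01 encryption Enc_s(m; r) = (1+N)^m r^{N^s} mod N^{s+1}, as an added Python example (not code from the talk or its authors). Function names are chosen here, DJ01 decryption follows Damgård and Jurik's exponent-recovery loop, and any primes used with it are constructed toy values far too small to be secure.

```python
import secrets
from math import gcd, factorial, prod

def keygen(p, q, s):
    # pk = (N, s): plaintexts in Z_{N^s}, ciphertexts in Z_{N^(s+1)}; sk adds lambda = lcm(p-1, q-1)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (p * q, s), (p * q, s, lam)

def encrypt(pk, m):
    # Enc_s(m; r) = (1+N)^m * r^(N^s) mod N^(s+1): s*k plaintext bits, (s+1)*k ciphertext bits
    n, s = pk
    ns, ns1 = n ** s, n ** (s + 1)
    r = 0
    while gcd(r, n) != 1:  # random r in Z_N^*
        r = secrets.randbelow(n)
    return pow(1 + n, m % ns, ns1) * pow(r, ns, ns1) % ns1

def _dlog(a, n, s):
    # Recover i from a = (1+N)^i mod N^(s+1), one power of N at a time (DJ01 algorithm)
    i = 0
    for j in range(1, s + 1):
        nj = n ** j
        t1, t2 = (a % n ** (j + 1) - 1) // n, i
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % nj
            t1 = (t1 - t2 * n ** (k - 1) * pow(factorial(k), -1, nj)) % nj
        i = t1
    return i

def decrypt(sk, c):
    # c^lambda = (1+N)^(m*lambda) mod N^(s+1); divide the recovered exponent by lambda
    n, s, lam = sk
    ns = n ** s
    return _dlog(pow(c, lam, n ** (s + 1)), n, s) * pow(lam, -1, ns) % ns

def cpir_query(pk, index, w):
    # Alice: C_i = Enc_s([index = i]) for i = 1 .. w-1 (1-based index as on the slides)
    return [encrypt(pk, int(index == i)) for i in range(1, w)]

def cpir_answer(pk, cs, movies):
    # Bob: C_w = Enc_s(1) / prod_{i<w} C_i, then D = prod_i C_i^movie[i] = Enc_s(movie[index])
    n, s = pk
    ns1 = n ** (s + 1)
    cs = cs + [encrypt(pk, 1) * pow(prod(cs) % ns1, -1, ns1) % ns1]
    d = 1
    for c, movie in zip(cs, movies):
        d = d * pow(c, movie, ns1) % ns1
    return d
```

Each movie is an integer below N^s; Bob never learns which C_i encrypts 1, and Alice decrypts D to movie[index] with one ciphertext of ℓ + k bits coming back.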

[Figure: binary decision tree over the index bits, levels labelled x_1, x_2, x_3, …]

[Figure: recursive 2CPIR over the binary tree. Level 1: 2CPIR(x_1, ·) over the pairs (D_0, D_1), (D_2, D_3), (D_4, D_5), … yields D_{x_1}, D_{2+x_1}, D_{4+x_1}, D_{6+x_1}; level 2: 2CPIR(x_2, ·) yields D_{x_1+2x_2}, D_{4+x_1+2x_2}; level 3: 2CPIR(x_3, ·) yields D_{x_1+2x_2+4x_3}.]
Generalization: use a w-ary tree instead of a binary one.

- Let m = log_w n (tree depth)
- Alice sends Enc_{s+m}([x_i = j]) for i = 1 … m, j = 0 … w − 1: approx. (w − 1) m (ℓ + mk) bits; small optimizations possible
- Bob sends Enc_{s+m}(… (Enc_{s+1}(Enc_s(movie[index])))): m nested encryptions, approx. ℓ + mk bits

Communication of the [Lip05] (n, ℓ)CPIR:
- Alice: rec5(w, n, ℓ, k) = (ℓ + (log_w n + 1) k / 2) (w − 1) log_w n
- Bob: sen5(w, n, ℓ, k) = (ℓ / k + log_w n) k = ℓ + k log_w n
- Rate of [Lip05]: (ℓ + log_2 n) / (rec5 + sen5) = 1 / ((w − 1) log_w n + 1) − O(ℓ^{-1})
- Optimal when w = 2: 1 / (log_2 n + 1) − O(ℓ^{-1})

[Lip09]: for some t, execute t copies of (w, ℓ/t)CPIR in parallel
- Alice: rec9(w, n, ℓ, k) = rec5(w, n, ℓ / t, k) = (ℓ / t + (log_w n + 1) k / 2) (w − 1) log_w n
- Bob: sen9(w, n, ℓ, k) = t · sen5(w, n, ℓ / t, k) = ℓ + k t log_w n
- Rate: (ℓ + log_2 n) / (rec9 + sen9) = t / ((w − 1) log_w n + t) − O(ℓ^{-1})
- t must be independent of ℓ
- [Lip09] recommendation: if w = 2 and t = log_2 n, then rate = 1 / 2 − O(ℓ^{-1})

[Figure: the binary tree of the recursive construction with message sizes per level. Input: ℓ = s_1 k bits, split into t_1 pieces of s_1 k / t_1 bits; after level 1: t_1 pieces of (s_1 + 1) k / t_1 bits, i.e. (s_1 + 1) k = s_2 k bits, split into t_2 pieces of s_2 k / t_2 bits; after level 2: t_2 pieces of (s_2 + 1) k / t_2 bits, i.e. (s_2 + 1) k bits, split into t_3 pieces of s_3 k / t_3 bits; ….]

- Communication for m = log_w n: com(w, m, s, k, ℓ) = (w − 1) k (Σ_{i=1…m} s_i + m) + ℓ Π_{i=1…m} (1 + 1/s_i)
- Using multivariate optimization, ∂com / ∂s_i = 0 gives the optimal choice s_1 = … = s_m =: s, so com(w, m, s, k, ℓ) = (w − 1) k (s + 1) m + ℓ (1 + 1/s)^m
- Optimal s: when ∂com / ∂s = (w − 1) m k − m (s + 1)^{m−1} ℓ / s^{m+1} = 0

- Alternatively: f_m(s, σ) = 0, where f_m(x, y) := y x^{m+1} − (x + 1)^{m−1} and σ = (w − 1) k / ℓ
- Optimal s: root of a degree-(m+1) polynomial
- Abel-Ruffini: cannot solve degree-(m+1) polynomials in general, i.e. cannot find the roots for m > 3
- In practice m < 15, but still…
- We use Galois theory to show that we cannot even do it for f_4(x, 1)

- Analysis to the rescue!
- Newton-Puiseux series: Σ_{i ≥ k} c_i X^{i/n} for integer n
- Newton-Puiseux theorem: the solution in x, viewed as a function of y, of any polynomial equation f(x, y) = 0 can be expanded as Puiseux series that converge in some neighborhood of the origin
- Newton-Puiseux algorithm: given a polynomial f(x, y), finds such series; first finds c_k, then c_{k+1}, …

σ = (w – 1) k / ℓ

m = log_w n. Quinary decision trees?!

In practice:
- It suffices to find an integer approximation of s
- Recall s = σ^{-1/2} + (m − 1) / 2 + …
- We show σ^{-1/2} < s < σ^{-1/2} + (m − 1) / 2
- We find the optimal integer s by binary search: ≈ log_2 m ≈ log_2 log_2 n steps, in practice up to 3 steps
- σ = (w − 1) k / ℓ

[Table: optimal integer s and resulting rate for ℓ ranging from 200 KB to several GB (e.g. 142.3 MB), with k = 2048, w = 5, n = 5^7 = 78125.]
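The rate computation of the preceding slides, carried through in code as an added Python example (not from the talk or its authors): com(w, m, s, k, ℓ) with the optimal integer s found by binary search in the interval (σ^{-1/2}, σ^{-1/2} + (m − 1)/2), plus the [Lip05] and [Lip09] rates from the earlier slides for comparison; the parameters in the usage are the table's w = 5, n = 5^7, k = 2048, and function names are chosen here.

```python
import math

def com(w, m, s, k, ell):
    # Total communication (bits) of the m-level recursion with s_1 = ... = s_m = s
    return (w - 1) * k * (s + 1) * m + ell * (1 + 1 / s) ** m

def optimal_s(w, m, k, ell):
    # Integer s minimising com(); sigma = (w-1)k/ell and the slides bound the
    # real optimum by sigma^-1/2 < s < sigma^-1/2 + (m-1)/2, so binary-search there
    sigma = (w - 1) * k / ell
    lo = max(1, math.floor(sigma ** -0.5))
    hi = math.ceil(sigma ** -0.5 + (m - 1) / 2)
    while lo < hi:  # com is convex in s: find the first s with com(s+1) >= com(s)
        mid = (lo + hi) // 2
        if com(w, m, mid + 1, k, ell) >= com(w, m, mid, k, ell):
            hi = mid
        else:
            lo = mid + 1
    return lo

def rate(w, n, k, ell):
    # Rate = useful bits (ell + log2 n) over total communication, with m = log_w n
    m = round(math.log(n, w))
    s = optimal_s(w, m, k, ell)
    return s, (ell + math.log2(n)) / com(w, m, s, k, ell)

def rate_lip05(w, n, k, ell):
    # [Lip05] for comparison: rec5 (Alice) + sen5 (Bob) as on the slides
    m = math.log(n, w)
    rec5 = (ell + (m + 1) * k / 2) * (w - 1) * m
    sen5 = ell + k * m
    return (ell + math.log2(n)) / (rec5 + sen5)

def rate_lip09(w, n, k, ell, t):
    # [Lip09]: t parallel copies of (w, ell/t)CPIR sharing Alice's query
    m = math.log(n, w)
    rec9 = (ell / t + (m + 1) * k / 2) * (w - 1) * m
    sen9 = ell + k * t * m
    return (ell + math.log2(n)) / (rec9 + sen9)

if __name__ == "__main__":
    for mb in (0.2, 142.3, 1000):  # constructed sample movie sizes in MB (10^6 bytes)
        s, r = rate(5, 5 ** 7, 2048, int(mb * 8e6))
        print(f"{mb:>7} MB: s = {s}, rate = {r:.3f}")
```

For a 1 GB movie the search lands at s close to 990 and the rate is about 0.986, whereas at 200 KB the overhead term still costs more than half of the communication.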

- Getting an asymptotically good rate is important
- Getting the o(1) in 1 − o(1) as small as possible is more important
- Rate > 0.9 for realistic movie sizes!
- Nice math is also important

- (w, ℓ)CPIR with rate-optimal output ⟹ rate-optimal (w^m, ℓ)CPIR
- Rate-optimal additively homomorphic PKC ⟹ rate-optimal homomorphic PKC for poly-size decision diagrams
- Decision tree ⟹ decision diagram

- Horrible-rate general functionalities (FHE)
- Rate-1 linear functionalities
- New: rate-1 poly-size decision diagram functionalities

Open questions:
- Simpler analysis?
- Even smaller o(1)?
- Computation?
- Yet another million-dollar question in cryptography: construct a computationally efficient optimal-rate (additively) homomorphic cryptosystem, for at least the same complexity class