Presentation is loading. Please wait.

Presentation is loading. Please wait.

Private Information Retrieval. What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Private Information Retrieval. What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions."— Presentation transcript:

1 Private Information Retrieval

2 What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions (Achieving the Barrier) Construction (Breaking the Barrier) Contents

3 Private Information Retrieval (PIR) Query a public database, without revealing the queried record. Example: A broker needs to query NASDAQ database about a stock, but doesn’t want anyone to know he is interested.

4 PIR The Single Server Case Chor et all have shown in their 1995 paper that for a single server the it is necessary to send the whole content of the database.

5 PIR A k server PIR scheme of one round, for database length n consists of:

6 PIR – definition These functions should satisfy:

7 Simple Construction of PIR 2 servers, one round Each server holds bits x 1,…, x n. To request bit i, choose uniformly A subset of [n] Send A to the first server. Send the second server A+{i} (add i to A if it is not there, remove if it is there) Servers return the xor of the bits in the indices of the requests. Xor the answers.

8 Smoothly Decodable Code C:{0,1} n  m is a (q,c,  ) smoothly decodable code if there exists a prob. algorithm, A, such that:  x  {0,1} n and  i  {1,..,n}, Pr[ A(C(x),i)=x i ] > ½ +  A reads at most q indices of y (of its choice) The Probability is over the coin tosses of A Queries are not allowed to be adaptive A has access to a non corrupted codeword  i  {1,..,n} and  j  {1,..,m}, Pr[ A(·,i) reads j ] ≤ c/m

9 LDC is Smooth Claim: Every (q,δ,ε) LDC is a (q,q/ δ, ε) smooth code. Intuition – If the code is resilient against linear number of errors, then no bit of the output can be queried too often (or else adversary will choose it)

10 Smooth Code is LDC A bit can be reconstructed using q uniformly distributed queries, with ε advantage, when no errors With probability (1-qδ) all the queries are to non-corrupted indices. Remember: Adversary does not know decoding procedure’s random coins

11 Reduction from PIR to SDC [Gol,Ka,Sch,Tr 02] A codeword is a Concatenation of all possible answers from the servers A query procedure is made of k queries to the codeword corresponding to the answers of k servers on the requested bit (for queries generated as in the PIR) From the PIR properties it follows that the distribution of queries to the indices of the codeword are independent of the requested bit

12 Reduction from PIR to SDC Let a be the length of an answer from a server, k the number of servers and q the length of a query Let l= be the length of a codeword Let Pj be the probability of querying bit j. Note that Set. And duplicate bit j Nj times. When querying for bit j choose at random one of the Nj bits

13 Reduction from PIR to SDC The probability of accessing each bit is now less than 1/l The new length of the encoding is less than (k+1)l We have a (ka,k+1,1/2) LDC

14 Ingredients: X – the database string E : P x (Z 1,…,Z m ) – A polynomial in m=  (n^d) variables of degree d s.t. P x (E(i))=x i s.t. Achieving the Barrier

15 The user generates the Yj and sends all Y q q!=j to server j We can view Px as a polynomial in the km variables Y jl where the Y jl sum to Z j Each server knows the value of (k-1)m variables Let d=k-1, hence each monomial of Px has at most k-1 different variables Achieving the Barrier

16 Each variable is known to k-1 servers, hence there exists a server who knows the values of all the variables in the monomial. Assign each monomial to one of the servers who know all its variables. Achieving the Barrier

17 Each server calculates the xor of the monomials assigned to it and sends to the user The user calculates the xor of all the answers. Achieving the Barrier

18 Security - each server received k-1 vectors which are random independent strings of length m Communication Complexity – each server received k-1 vectors, each of length m=O(n^(1/d)) = O(n^(1/(k-1)) by choice of m and d. Achieving the Barrier

19 Now take d=1/(2k-1) Each monomial has a server who misses at most 1 variable, assign the monomial to that server Each server sends the 1-bit coefficients of the polynomial which is the sum of all monomials assigned to it The user evaluates the polynomial on the variables Y Achieving the Barrier

20 The query complexity is the same O(n^(1/d)) The answer complexity is (k^2)m=O(n^1/d) Total complexity : O(n^1/d)= O(n^(2k-1)) by choice of d Achieving the Barrier

21 The first idea that comes to mind is to try and increase the degree d even further. Unfortunately this does not work due to the increasing size of the polynomials the servers return. The novelty of the paper is how to go around this difficulty. Breaking the Barrier

22 Assume that each polynomial is known not to one server but to a group of servers. Now we do not need to receive the polynomials themselves but can use the PIR scheme (on those servers) to evaluate them on the required input. Breaking the Barrier

23 Suppose that we could write Px as a sum of Pv where v ranges over all subsets of the servers. The problem of evaluating Px reduces to evaluating each Pv which (we hope) is of lower degree. On the other hand, also the number of servers is smaller which is a disadvantage. The paper comes to find such Pv with good properties Breaking the Barrier

24 Define k’ to be a lower bound on the size of the sets V and the maximum number of variables a server misses in Pv. All together V misses at most |V| variables in Pv. Breaking the Barrier

25 We will choose an encoding E such that the hamming weight of E(i) (and therefore the number of monomials) will be bounded by d (the number of monomials is bounded by 2^d). If we had Pv as specified then we could apply the PIR recursively on all sets of size more than k’ with communication complexity: Breaking the Barrier

26 Let E be an encoding to all strings of length m and weight d. We can encode different values thus is sufficient to encode n values. Define it holds that Define V(M) to be all servers who miss at most variables in M Breaking the Barrier

27 Lemma: for,k’ =k’ Proof: Counting argument Breaking the Barrier

28 Claim: Let k,,k’ be as before then there are polynomials Pv,Pj for every V  [k] s.t. |V|>=k’ and j  [k] s.t. –Pv is of degree |V| and can be computed from Px and {Yj}j  V –Pj is of degree 1 and can be computed from Px and {Yj}j  i – Breaking the Barrier

29 Proof: It is sufficient to prove for P consisting of a single monomial, then we can sum over all monomials. Denote Define  (M) to be the number of variables in M for which Breaking the Barrier

30 WLOG take Define a polynomial in mk variables. Q has k^d monomials each of the form Breaking the Barrier

31 1.Set Q’=Q, for all V Pv=0 2.Find V=V(M) for some monomial M in Q’ s.t. V is of maximal size, if |V|<k’ stop. 3.While there is M’ s.t. V(M’)=V: Pick M’ from Q’ which maximizes  (M’) Pv=Pv+T(M’), Q’=Q’-T(M’) 4.Goto 2 Breaking the Barrier

32 If the algorithm halts then the Pv are of the desired degree and their sum is equal to P-Q’ for Q’ at the end of the execution. Likewise, for each M in Q’ there exists a server j who misses at most one variable, add M to Pj Breaking the Barrier

33 Define M  M’ if V(M)=V(M’) and for all q<=d either or If M’ is a monomial in T(M) then 1.V(M’)  V(M) 2.  (M’)<=  (M) 3.Equality in 1,2 implies M  M’ 4.M 1  M 2 implies either both are in T(M) of both aren’t Breaking the Barrier

34 Each time step 3 is applied we either add to Q’ monomials M’ with smaller V(M’) or  (M’) which will be dealt with later. Or M’  M so it already exists in Q’ and is removed. Breaking the Barrier

35 Lemma: For all i>0 and k>(i-1)! there exists a PIR protocol Pi with communication complexity O (n^2/ik) Corollary : there exists a PIR protocol with communication complexity Breaking the Barrier

36 For every PIR scheme we have a related smooth code Upper bound for PIR is raised to Likewise the upper bound for smooth codes is raised to Summary

37 T-collusion PIR, the protocol must maintain security against collusions of T servers. General results appear in “ Information- Theoretic Private Information Retrieval: A Unified Construction” [Beimel, Ishai] CPIR – Computational PIR in which the security definition is relaxed to a computational one. There exist polylog single server CPIR protocols [ Cachin, Micali, Stadler] Related Topics

Download ppt "Private Information Retrieval. What is Private Information retrieval (PIR) ? Reduction from Private Information Retrieval (PIR) to Smooth Codes Constructions."

Similar presentations

Optimal Lower Bounds for 2-Query Locally Decodable Linear Codes Kenji Obata.

Optimal Lower Bounds for 2-Query Locally Decodable Linear Codes Kenji Obata.
Estimating Distinct Elements, Optimally

Estimating Distinct Elements, Optimally
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Optimal Space Lower Bounds for all Frequency Moments David Woodruff Based on SODA 04 paper.

Optimal Space Lower Bounds for all Frequency Moments David Woodruff Based on SODA 04 paper.
The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.

The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Incremental Linear Programming Linear programming involves finding a solution to the constraints, one that maximizes the given linear function of variables.

Incremental Linear Programming Linear programming involves finding a solution to the constraints, one that maximizes the given linear function of variables.
The Communication Complexity of Approximate Set Packing and Covering

The Communication Complexity of Approximate Set Packing and Covering
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.

An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.
Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.

Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.
Approximation Algorithms Chapter 14: Rounding Applied to Set Cover.

Approximation Algorithms Chapter 14: Rounding Applied to Set Cover.
Lecture 22: April 18 Probabilistic Method. Why Randomness? Probabilistic method: Proving the existence of an object satisfying certain properties without.

Lecture 22: April 18 Probabilistic Method. Why Randomness? Probabilistic method: Proving the existence of an object satisfying certain properties without.
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Similar presentations

Ads by Google