Presentation is loading. Please wait.

Presentation is loading. Please wait.

Private Information Retrieval Yuval Ishai Computer Science Department Technion.

Published byMeagan Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Private Information Retrieval Yuval Ishai Computer Science Department Technion."— Presentation transcript:

1 Private Information Retrieval Yuval Ishai Computer Science Department Technion

2 Talk Overview Intro to PIR –Motivation and problem definition –Toy examples –State of the art Relation with other primitives –Locally Decodable Codes –(Oblivious Transfer, CRHF) Constructions Open problems

3 Private Information Retrieval (PIR) [CGKS95] Goal: allow a user to access a database while hiding what she is after. Motivation: patent databases, web searches, etc. Paradox(?): imagine buying in a store without the seller knowing what you buy. Note: Encrypting requests is useful against third parties; not against server holding the data.

4 Modeling Database: n-bit string x User: wishes to –retrieve x i and –keep i private

5 Server User xixi ?? ? Modeling

6 Some “solutions” 1.User downloads entire database. Drawback: n communication bits (vs. logn+1 w/o privacy). Main research goal: minimize communication complexity. 2. User masks i with additional random indices. Drawback: gives a lot of information about i. 3. Enable anonymous access to database. Addresses a different concern: hides identity of user, not the fact that x i is retrieved. Fact: PIR as described so far requires  (n) communication bits.

7 Two Approaches Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. Unconditional privacy against t servers. Default: t=1 Computational PIR [KO97,CMS99,...] Computational privacy, based on cryptographic assumptions.

8 Model for I.T. PIR S1S1 User X i S2S2 X SkSk xixi ?? ? X 

9 Information-Theoretic PIR for Dummies S2S2 i U i X n 1/2 q2 q2 q1 q1 a 2 =X·q 2 a 1 =X·q 1 S1S1 q 1 + q 2 = e i  2-server PIR with O(n 1/2 ) communication a 1 +a 2 =X·e i

10 0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1 Computational PIR for Dummies Tool: homomorphic encryption Protocol: a b a+b =  n 1/2 i X= User sends E(e i ) E(0) E(0) E(1) E(0) (=c 1 c 2 c 3 c 4 ) Server replies with E(X·e i ) c2c3c2c3 c1 c2c3c1 c2c3 c1c2c1c2 c4c4 User recovers ith column of X  PIR with ~ O(n 1/2 ) communication

11 Bounds for Computational PIR serverscomm. assumption [CG97] 2 O(n  ) one-way function [KO97] 1 O(n  ) QRA / [CMS99] 1 polylog(n)  -hiding … DCRA [Lipmaa] [KO00] 1 n-o(n) trapdoor permutation homomorphic encryption

12 Bounds for I.T. PIR Upper bounds: –O(log n / loglog n) servers, polylog(n) [BF90,BFKR91,CGKS95] –2 servers, O(n 1/3 ); k servers, O(n 1/k ) [CGKS95] –k servers, O(n 1/(2k-1) ) [Amb97,Ito99, IK99, BI01,WY05] t-private, O(n t /(2k-1) ) [BI01,WY05] –k servers, O(n cloglogk /(klogk) ) [BIKR02]. Lower bounds: –log n +1 (no privacy) –2 servers, ~5log n ; k servers, c k log n [Man98,WdW04] –Better for restricted 2-server protocols [CGKS95, GKST02, BFG02, KdW03, WdW04] CGKS AMB IK BI BIKR efficient “ clean ” “ dirty ” inefficient WY

13 Why Information-Theoretic PIR? Cons: Requires multiple servers Privacy against limited collusions Worse asymptotic complexity (with const. k): O(n c ) vs. polylog(n) Pros: Neat question Unconditional privacy Better “real-life” efficiency Allows very short queries or very short answers (+apps [DIO98,BIM99] ) Closely related to a natural coding problem [KT00]

14 Locally Decodable Codes [KT00] Requirements: High fault-tolerance Local decoding xy i Question: how large should m(n) be in a k-query LDC?   k=2: 2  (n) k=3: 2 O(n^ 0.5)  (n 2 ) Recover from  m faults … … with ½ +  probability

15 From I.T. PIR to LDC k-server PIR with  -bit queries and  -bit answers k-query LDC of length 2  over  ={0,1}  Converse relation also holds. Binary LDC  PIR with one answer bit per server Best known LDC are obtained from PIR protocols. –const. q: m=exp(n c loglogq / qlogq ) y[q]=Answer(x,q)

16 A Question about MPC Beaver, Micali, Rogaway, 1990 B., Feigenbaum, Kilian, R., 1990 Can k computationally unbounded players compute an arbitrary f with communication = poly(input-length)? Open question: … or with work = poly(formula-size) and constant rounds [BB89,…] Can this be done using a constant number of rounds? Ben-Or, Goldwasser, Wigderson, 1988 Chaum, Crépeau, Damgård, 1988 k  3 players can compute any function f of their inputs with total work = poly(circuit-size) Information-theoretic MPC is feasible!

17 Question Reformulated Is the communication complexity of MPC strongly correlated with the computational complexity of the function being computed? efficiently computable functions All functions = communication-efficient MPC = no communication-efficient MPC

18 Connecting MPC and LDC [KT00] 1990 1995 2000 The three problems are “essentially equivalent” –up to considerable deterioration of parameters [IK04]

19 cPIR and the Crypto World cPIR CRHF*OTSecure Computation NI UH Commitment KA Homomorphic Encryption Trapdoor Permutation*

20 From PIR to OT [DMO00] Rabin’s OT –Sender holds a secret b. –Following interaction with Receiver: w/prob ½, Receiver outputs b w/prob ½, Receiver outputs ? and cannot learn b Sender cannot tell which is the case –Enough to consider “honest-but-curious” parties [GMW87] PIR SenderReceiver b x i xixi i bxibxi b SenderReceiver b PIR x i xixi i’i’ bxi’bxi’ ?

21 From PIR to OT [DMO00] PIR SenderReceiver b x i xixi i bxibxi b SenderReceiver b PIR x i xixi i’i’ bxi’bxi’ ? Analysis –Privacy of PIR  Sender can’t distinguish between two cases –Sublinear comm.  in Case 2, Receiver cannot learn b Privacy amplified using XOR lemma (cf. [Haitner]) Interesting corollary: –Homomorphic symmetric encryption  PKE

22 From PIR to CRHF [IKO05] Def. {h q } is a CRHF if: –h q shrinks its input –Given q  Gen(1 n ), hard to find distinct x,x’ s.t. h q (x)=h q (x’) CRHF from 1-round PIR: –i  [n]; q  Query(i) –h q (x)=Answer(x,q) Analysis: –Sublinear communication  shrinks input –Collision resistance: h q (x)=h q (x’)  x i =x’ i  i  diff(x,x’) Gives noticeable advantage in guessing i from q Interesting corollary: –HE  CRHF

23 PIR as a Building Block Private storage [OS98] Sublinear-communication secure computation –1-out-of-n Oblivious Transfer (SPIR) [GIKM98,NP99,…] –Keyword search [CGN99,FIPR05] –Statistical queries [CIKRRW01] –Approximate distance [FIMNSW01, IW04] –Communication-preserving secure function evaluation [NN01]

24 Time Complexity of PIR Focus so far: communication complexity Obstacle: time complexity Server/s must spend at least linear time. Workarounds: Preprocessing [BIM00] Amortization [BIM00, IKOS04] Single user Multiple users AdaptiveNon-adaptive ?? ?

25 Protocols

26 High level structure of all known protocols –User maps i into a point z  F m –User secret-shares z between servers using some t-threshold LSSS over F –Server j responds with a linear function of x determined by its share of z. Two types of protocols: –Polynomial-based [BF90,BFKR91,CGKS95,…,WY05] LSSS = Shamir Scale well with k,t –Replication-based [IK99,BI01,BIKR02] LSSS = CNF Do not scale well with k,t - involve (k choose t) replication overhead However, dominate over polynomial-based up to (k choose t) factor [CDI05] Best known protocols for constant k

27 Polynomial-Based Protocols Step 1: Arithmetization –Fix a degree parameter d (will be determined by k) Goal: Communication = O(n 1/d ) –User maps i  [n] into a weight-d vector z of length m=O(n 1/d ). 1  11100….0 2  11010…0 n  00…0111 –Servers view x as a degree-d m-variate polynomial P(Z 1,…,Z m )= x 1 Z 1 Z 2 Z 3 + x 2 Z 1 Z 2 Z 4 + … + x n Z m-2 Z m-1 Z m –Privately retrieving i-th bit of x  privately evaluating P on z.

28 Basic Protocol: t=1 Goal: user learns P(z) without revealing z. Step 2: Secret Sharing of z FmFm z+  z+2  z+3  z+4  z t =1 t=1: Pick random “ direction ”  F m z j = z+j  goes to S j Step 3: S j responds with P(z j ) –User can extrapolate P(z) from P(z 1 ),…,p(z k ) if k>d. Define deg-d univariate poly Q(W)=P( z+W  ) Q(0)=P(z) can be extrapolated from d+1 distinct values Q(j)=P(z j )  Query length m=O(n 1/d ), answer length 1  Using k servers, O(n 1/k-1 ) communication

29 Basic Protocol: General t Goal: user learns P(z) without revealing z. Step 2: Secret Sharing of z Step 3: S j responds with P(z j ) –User can extrapolate P(z) from P(z 1 ),…,P(z k ) if k>dt. Define deg-dt univariate poly Q(W)=P( z+W  1 +W 2  2 + … +W t  t ) P(z)=Q(0) can be extrapolated from dt+1 distinct values q(j)  O(n 1/d ) communication using k=dt+1 servers. General t: z j = z+j  1 +j 2  2 + … +j t  t FmFm z

30 Improved Variant [WY05] Goal: user learns P(z) without revealing z. Step 2: Secret Sharing of z Step 3: S j responds with P(z j ) along with all m partial derivatives of P evaluated at z j –User can extrapolate P(z) if k>dt/2. Define deg-dt univariate poly Q(W)=P( z+W  1 +W 2  2 + … +W t  t ) P(z)=Q(0) can be extrapolated from 2k>dt distinct values Q(j),Q’(j) Complexity: O(m) communication both ways  Same communication using half as many servers! General t: z j = z+j  1 +j 2  2 + … +j t  t

31 Breaking the O(n 1/(2k-1) ) Barrier [BIKR02] k = 2 k = 3 k = 4 k = 5 k = 6

32 Arithmetization As before, except that now F=GF(2) –Fix a degree parameter d (will be determined by k) Goal: Communication = O(n 1/d ) –User maps i  [n] into a weight-d vector z of length m=O(n 1/d ). 1  11100….0 2  11010…0 n  00…0111 –Servers view x as a degree-d m-variate polynomial P(Z 1,…,Z m )= x 1 Z 1 Z 2 Z 3 + x 2 Z 1 Z 2 Z 4 + … + x n Z m-2 Z m-1 Z m –Privately retrieving i-th bit of x  privately evaluating P on z.

33 Effect of Degree Reduction degree d, m variables size n degree d/c, m variables size O(n 1/c )

34 Degree Reduction Using Partial Information [BKL95,BI01] Each entry of y is known to all but one server. S1S1 UserQ y S2S2 SkSk Q  Q(y)Q(y) S1S1 P z S2S2 SkSk P  P(z)P(z) z is hidden from servers

35 Q = + + S 1 S 2 S 3 + + k=3,d=6 S1S1 S3S3 S1S1 S2S2 S3S3 Q(y)=Q 1 (y)+Q 2 (y)+Q 3 (y) degQ j  d/k = 2 Q1Q1 Q3Q3 Q2Q2

36 Back to PIR Each entry of y is known to all but one server. O(n 1/k ) comm. bits S1S1 User Q y S2S2 SkSk Q  Q(y)Q(y) S1S1 User P z S2S2 SkSk P  P(z)P(z) z is hidden from servers n comm. bits Let z=y 1 + … + y k, where the y j are otherwise random Q(Y 1,…,Y k )= P(Y 1 +… +Y k )

37 Initial Protocol User picks random y 1,…, y k s.t. y 1 +…+ y k = z, and sends to S j all y’s except y j. Servers define an mk-variate degree-d polynomial Q(Y 1,…,Y k )= P(Y 1 +… +Y k ). Each S j computes degree-(d/k) poly. Q j, such that Q(y)= Q 1 (y)+…+Q k (y). S j sends a description of Q j to User. User computes  Q j (y)=x i. O(m) = O(n 1/d ) O(n 1/k )

38  M  S j missing at most d/k variables. A Closer Look Useful parameters: d=k-1  query length O(n 1/(k-1) )  d/k  =0  answer length 1 d=2k-1  query length O(n 1/(2k-1) )  d/k  =1  answer length O(n 1/(2k-1) ) Best previous binary PIR Best previous PIR  deg Q j  d/k  

39 Boosting the Integer Truncation Effect Idea: apply multiple “ partial ” degree reduction steps. Generalized degree reduction: Assign each monomial to the k ’ servers V which jointly miss the least number of variables. Q = + + S 1 S 2 S 3 + + k=3,d=6, k ’ =2    '|| )()( kV V QQyy S1S2S1S2 S2S3S2S3 S1S2S1S2 S1S2S1S2 S1S3S1S3

40 replication degree size k d n k ’ d ’ n ’ =O(n d ’ /d ) k ” d ” n ” =O(n ’ d ” /d ’ ) … … … reduction 1  d/k  n  d/k  /d k d n k d ’ n The missing operator: #vars m m ’ =O(m d/d ’ ) conversion Additional cost: re-distribute new point y ’

41 QueriesAnswers  O(n 4/21 ) communication replication degree #vars size 3 7 O(n 1/7 ) n Example: k=3 reduction 2 4 O(n 1/7 ) O(n 4/7 ) conversion 2 3 O(n 4/21 ) O(n 4/7 ) reduction 1 1 O(n 4/21 ) O(n 4/21 )

42 In Search of the Missing Operator Must have m ’ =  (m d/d ’ ). Question: For which d ’ <d can get m ’ =O(m d/d ’ )? Possible when d ’ |d. Open otherwise. Positive result  Better PIR Simplest open case: d=3, d ’ =2, m ’ =O(m 3/2 ) d, m d ’, m ’ P(y)=P ’ (y ’ ) PP’P’ yy’y’

43 A Workaround Can ’ t solve the polynomial conversion problem in general. … but easy to solve given the promise weight(y)=const. Stronger degree reduction: Main technical lemma: good parameters for strong degree reduction.

44 An Abstract Framework L = linear space of polynomials in Y j,h, j  [k], h  [d], spanned by the k d monomials Let Z h =  j Y j,h. Block = poly in L expressible as a product of Y ’ s and Z ’ s. Y 1,1 Y 1,2 Y 1,3 Y 1,4 Y 1,5 Y 2,1 Y 2,2 Y 2,3 Y 2,4 Y 2,5 Y 3,1 Y 3,2 Y 3,3 Y 3,4 Y 3,5 Y 1,1 Y 1,2 Y 1,3 Y 1,4 Y 1,5 Y 2,1 Y 2,2 Y 2,3 Y 2,4 Y 2,5 Y 3,1 Y 3,2 Y 3,3 Y 3,4 Y 3,5 Y 3,1 Y 3,2 Y 1,3 Y 2,4 Y 1,5  (3,3,1,2,1) Z 1 Z 2 Y 3,1 Z 4 Y 5,1  (*,*,1,*,1)

45 For each block b, define: V(b) = set of servers j  [k] not occurring in b  (b) = # of *’s in b. Ex. k=3, b = Z 1 Z 2 Y 3,1 Z 4 Y 5,1  (*,*,1,*,1) V(b) = {2,3}  (b) = 3 Want: V(b) large,  (b) small. Cost Measures for Blocks

46 A block set B is said to be spanning if it spans Z 1 Z 2 …Z d. For any spanning B, can write: where Q b is a deg-  (b) polynomial known to all servers in V(b). Retrieve each Q b (z) from servers in V(b) using 2 d PIRs  For every k, d=d(k) and spanning set B=B(k), Back to PIR

47 Necessary condition for spanning: Blocks in B cover all k d monomials in Z 1 Z 2 …Z d. Observation: The following conditions are sufficient. (I) Above covering condition (II) Closure under intersection: Any nonempty intersection of b 1,b 2  B is in B.  In fact, (II) may be relaxed to: (II’) Any intersection of b 1,b 2  B is spanned by B. Spanning vs. Covering

48 Naive strategy: C = “optimal” covering block set (e. g., all b with |V(b)|  k’,  (b)  d’), B = closure of C under intersections. Problem: Intersection can make things worse. (1,1,1,1,2,*,*,*,*) (1,1,1,1,*,3,*,*,*) (1,1,1,1,2,3,*,*,*) Finding Good Spanning Sets

49 B = intersections of blocks b such that |V(b)|=2,  (b)=4, e.g., (1,1,1,*,*,*,*). Case 1:(1,1,1,*,*,*,*) Case 2:(1,1,1,*,*,*,*) (*,*,1,1,1,*,*) (*,*,*,2,2,2,*) (1,1,1,1,1,*,*) (1,1,1,2,2,2,*) Example: k =3, d =7

50 Let,k’<k be parameters and d  ( +1)k-( -1)k’+( -2). Then the following B is spanning: –All b such that  (b)  1 and |V(b)|>0 –All b such that: (1) |V(b)|  k’ (2) Each server index in b occurs there more than times (3)  (b)  |V(b)| The General Case

51 Open Problems Better upper bounds –Known: O(n cloglogk /(klogk) ) –What is the true limit of our technique? Generalize best upper bound to t>1 Tight bounds for polynomial conversion Lower bounds –Known: clogn –Simplest cases: k=2 k=3, single answer bit per server

Download ppt "Private Information Retrieval Yuval Ishai Computer Science Department Technion."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
The Complexity of Information-Theoretic Secure Computation Yuval Ishai Technion 2014 European School of Information Theory.

The Complexity of Information-Theoretic Secure Computation Yuval Ishai Technion 2014 European School of Information Theory.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.

An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Locally Decodable Codes

Locally Decodable Codes
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.

Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems Omer Barkol Yuval Ishai Technion.

Similar presentations

Ads by Google