A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Jonathan Hoch

Iftach Haitner

Gil Segev

Weizmann Institute of Science, Israel

Private Information Retrieval

[Figure: Server holds x = x1 ... xn; Receiver holds i ∈ {1,...,n} and obtains xi. Receiver with i ∈ {1,...,n} ≈ Receiver with j ∈ {1,...,n}.]

  • Functionality: Receiver retrieves xi
  • Privacy: Server does not learn i
The Trivial Solution

Not information theoretically [CGKS]

Can we do better than trivial?

x1 xn

Server

Receiver

Receiver

x = x1 xn

i 2 {1,...,n}

i 2 {1,...,n}

  • Inefficient -- x may be very large
Two Approaches
  • Multiple-server PIR
    • Information theoretic privacy
    • Many exciting results, but not the focus of this talk

[CGKS95,...,Yek07,...]

  • Single-server PIR
    • Computational privacy
    • Implies Oblivious Transfer
    • 2-message PIR implies collision-resistant hash functions and public-key encryption
    • Many applications...

[CG97, KO97, CMS99, ...]

Current Status
  • Specific number-theoretic assumptions
    • Communication polylog(n)

[KO97, CMS99, ...]

  • General assumptions
    • Communication n - o(n)
    • Black-box construction based on TDPs

[KO00]

Question:

Can we base single-server PIR with sublinear communication on general assumptions?

Main Result

In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.

  • Two restrictions
    • Fully black-box
    • Tight security reduction: permutations over (n) bits

[KO ‘00]: (n²) bits

  • Previous results
    • [Fis02]: Similar result for 2-message protocols (less restrictions)
    • [HHRS07]: (n/logn) lower bound (same restrictions)

(n²) lower bound for “not so tight” reductions

Fully Black-Box Reductions

A fully black-box reduction from B to A:

Black-box construction

  • Any implementation of A implies an implementation of B
  • Only care about the functionality of A

Black-box proof of security

  • Any adversary for B implies an adversary for A
  • Only care about functionality of the adversary for B

[Figure: B built on top of A; Adversary for A built on top of Adversary for B and A.]

Our Approach
  • Fully black-box reductions relativize
  • We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}^n

  • A random function is hard to invert even with access to O

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits

  • There exists an efficient server that uses O to break any such protocol
The Oracle [HHRS ‘07]
  • O= (Sam, )
  •  is a random collection of TDPs over {0,1}^n
  • Sam is an interactive collision-finding oracle
    • Samples random collisions
    • Extends the non-interactive oracle of [Simon ‘98]

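[Figure: interaction between A and Sam. Sam returns v0 ← {0,1}^n; A sends C1 and Sam returns v1 with C1(v1) = C1(v0); A sends C2 and Sam returns v2 with C2(v2) = C2(v1).]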


Theorem:

A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)

  • The proof requires additional restrictions (C_{i+1} refines C_i, commit to C_{i+1} at depth i, ...)
  • ...but this suffices for the purpose of this talk

[Figure: interaction between A and Sam (C1, v1, C2, v2, ...) of depth n/log(n).]


Breaking 2-Message PIR

[Figure: Receiver with i ∈ {1,...,n} sends a(i); Server with x = x1 ... xn replies b(a,x).]


Breaking 2-Message PIR

[Figure: Receiver with i ∈ {1,...,n} sends a; b(a,x0) = b(a,x1).]

1. Receive x0 from Sam

2. Send the circuit b(a,·) to Sam

x0i =x1i and x0x1

3. Receive x1 from Sam

4. Output a random index j for which x0j=x1j

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)
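
The four steps above, simulated end to end as an added example (not code from the talk or the paper). Assumptions: Sam is replaced by brute-force enumeration over all n-bit strings, the answer circuit is a constructed toy with an m-bit output (m < n) whose first bit is x_i, and all function names are hypothetical. Here x0 and x1 are the two colliding databases, not bits of x.

```python
import itertools
import random

def make_answer_circuit(n, i, m, rng):
    """Constructed toy b(a, .): an m-bit answer (m < n) whose first bit is x_i."""
    masks = [[rng.randrange(2) for _ in range(n)] for _ in range(m - 1)]
    def b(x):
        return (x[i],) + tuple(sum(r_j & x_j for r_j, x_j in zip(r, x)) % 2 for r in masks)
    return b

def sam(circuit, v_prev, n, rng):
    """Brute-force stand-in for Sam: a uniform v with circuit(v) == circuit(v_prev)."""
    target = circuit(v_prev)
    preimages = [v for v in itertools.product((0, 1), repeat=n) if circuit(v) == target]
    return rng.choice(preimages)

def malicious_server(b, n, rng):
    """Steps 1-4 of the slide; uses b only as a black box and is never given i."""
    x0 = tuple(rng.randrange(2) for _ in range(n))   # step 1: uniform x0
    x1 = x0
    for _ in range(64):                              # steps 2-3: ask until x1 differs from x0
        x1 = sam(b, x0, n, rng)
        if x1 != x0:
            break
    agree = [j for j in range(n) if x0[j] == x1[j]]  # step 4: indices where x0 and x1 agree
    return rng.choice(agree), agree

def run_trial(n, m, rng):
    i = rng.randrange(n)                             # receiver's secret index
    guess, agree = malicious_server(make_answer_circuit(n, i, m, rng), n, rng)
    return i, guess, agree

def success_rate(n=8, m=3, trials=400, seed=1):
    """Fraction of trials in which the server's guess equals the receiver's index."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        i, guess, _ = run_trial(n, m, rng)
        hits += (guess == i)
    return hits / trials

if __name__ == "__main__":
    print("empirical success:", success_rate(), " bound 1/(n-1):", 1 / 7)
```

Because the answer determines x_i, the colliding databases always agree at position i, and because they differ somewhere, at most n-1 candidate positions remain.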


Breaking Any Sublinear PIR

[Figure: Receiver with i ∈ {1,...,n} and Server exchange messages a1, b1, ..., ao(n), bo(n).]

Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round


Breaking Any Sublinear PIR

[Figure: Receiver with i ∈ {1,...,n} and Server exchange messages a1, b1, ..., alog(n), blog(n), ..., ao(n), bo(n).]

Key observation: The malicious server can invoke Sam every log(n) rounds


Breaking Any Sublinear PIR

[Figure: Receiver with i ∈ {1,...,n} and Server exchange messages a1, b1, ..., alog(n), blog(n).]

1. Receive x0 from Sam

2. Simulate the honest server for log(n) rounds

3. Send b1(a1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)


Summary

  • Communication lower bound for single-server PIR
    • Fully black-box constructions from (enhanced) TDPs
    • The trivial solution is optimal up to constant factors

Matches the upper bound of [NOVY]

  • In the paper:
    • Communication lower bound for statistically-hiding bit-commitment
    • The sender must send (n) bits
    • Communication preserving reduction to single-server PIR
  • Open problem:
    • A linear lower bound for “not so tight” reductions?
    • [KO ‘00]: TDPs over (n²) bits

Thank you!
