
A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Jonathan Hoch

Iftach Haitner

Gil Segev

Weizmann Institute of Science, Israel


Private Information Retrieval

[Figure: the Receiver holds an index i ∈ {1,...,n}, the Server holds x = x1 ... xn, and the Receiver obtains xi. A Receiver with index i ≈ a Receiver with index j ∈ {1,...,n}.]

  • Functionality: Receiver retrieves xi

  • Privacy: Server does not learn i


The Trivial Solution

Not information theoretically [CGKS]

Can we do better than trivial?

x1 xn

Server

Receiver

Receiver

x = x1 xn

i 2 {1,...,n}

i 2 {1,...,n}

  • Inefficient -- x may be very large


Two Approaches

  • Multiple-server PIR

    • Information theoretic privacy

    • Many exciting results, but not the focus of this talk

[CGKS95,...,Yek07,...]

  • Single-server PIR

    • Computational privacy

    • Implies Oblivious Transfer

    • 2-message PIR implies collision-resistant hash functions and public-key encryption

    • Many applications...

[CG97, KO97, CMS99, ...]


Current Status

  • Specific number-theoretic assumptions

    • Communication polylog(n)

[KO97, CMS99, ...]

  • General assumptions

    • Communication n - o(n)

    • Black-box construction based on TDPs

[KO00]

Question:

Can we base single-server PIR with sublinear communication on general assumptions?


Main Result

In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.

  • Two restrictions

    • Fully black-box

    • Tight security reduction: permutations over (n) bits

[KO ‘00]: (n²) bits

  • Previous results

    • [Fis02]: Similar result for 2-message protocols (less restrictions)

    • [HHRS07]: (n/logn) lower bound (same restrictions)

      (n²) lower bound for “not so tight” reductions


Fully Black-Box Reductions

A fully black-box reduction from B to A:

Black-box construction

  • Any implementation of A implies an implementation of B

  • Only care about the functionality of A

Black-box proof of security

  • Any adversary for B implies an adversary for A

  • Only care about functionality of the adversary for B

[Figure: B is built from A; an adversary for A is built from an adversary for B.]


Our Approach

  • Fully black-box reductions relativize

  • We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}^n

  • A random function is hard to invert even with access to O

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits

  • There exists an efficient server that uses O to break any such protocol


The Oracle [HHRS ‘07]

  • O= (Sam, )

  •  is a random collection of TDPs over {0,1}^n

  • Sam is an interactive collision-finding oracle

    • Samples random collisions

    • Extends the non-interactive oracle of [Simon ‘98]

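[Figure: interaction between A and Sam. Sam samples v0 ← {0,1}^n and returns v0; A sends a circuit C1 and receives v1 with C1(v1) = C1(v0); A sends a circuit C2 and receives v2 with C2(v2) = C2(v1).]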



Theorem: A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)

  • The proof requires additional restrictions (Ci+1 refines Ci, commit to Ci+1 at depth i, ...)

  • ...but this suffices for the purpose of this talk


Breaking 2-Message PIR

[Figure: the Receiver, holding i ∈ {1,...,n}, sends the query a(i); the Server, holding x = x1 ... xn, replies with b(a,x).]


Breaking 2-Message PIR

[Figure: the Receiver, holding i ∈ {1,...,n}, sends the query a; the malicious Server obtains x0 and x1 with b(a,x0) = b(a,x1).]

1. Receive x0 from Sam

2. Send the circuit b(a,·) to Sam

3. Receive x1 from Sam

x0i = x1i and x0x1

4. Output a random index j for which x0j = x1j

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)
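
The four steps above as a runnable illustration, added here and not taken from the slides: a constructed toy answer circuit with a 1-bit answer stands in for b(a,·), and Sam is modelled by brute force over {0,1}^n, so n must stay small. All function names are hypothetical, and re-querying Sam when x1 equals x0 is an assumption of this example.

```python
import random
from itertools import product

def toy_answer_circuit(i, rng):
    """Constructed toy stand-in for b(a, .): a 1-bit answer that depends on x only
    through x[i]. The attack code treats it as a black box and never reads i."""
    mask = rng.randrange(2)  # receiver-side secret; plays the role of the trapdoor
    return lambda x: x[i] ^ mask

def sam_first(n, rng):
    """Sam's first answer: a uniformly random x0 in {0,1}^n."""
    return tuple(rng.randrange(2) for _ in range(n))

def sam_collision(circuit, x0, n, rng):
    """Sam's next answer: a uniform x1 with circuit(x1) == circuit(x0).
    Brute force over {0,1}^n models the unbounded oracle; small n only."""
    target = circuit(x0)
    return rng.choice([x for x in product((0, 1), repeat=n) if circuit(x) == target])

def malicious_server(circuit, n, rng):
    """Steps 1-4 from the slide; returns (guess, indices where x0 and x1 agree).
    Requires n >= 2 so that a collision other than x0 itself exists."""
    x0 = sam_first(n, rng)                       # step 1
    x1 = x0
    while x1 == x0:                              # assumption: re-query on the trivial collision
        x1 = sam_collision(circuit, x0, n, rng)  # steps 2-3
    agree = [j for j in range(n) if x0[j] == x1[j]]
    return rng.choice(agree), agree              # step 4

def run_experiment(n=8, trials=2000, seed=1):
    """Returns (fraction of runs where the guess equals i, whether i always agreed)."""
    rng = random.Random(seed)
    hits, i_always_agrees = 0, True
    for _ in range(trials):
        i = rng.randrange(n)                     # the receiver's secret index
        guess, agree = malicious_server(toy_answer_circuit(i, rng), n, rng)
        i_always_agrees &= i in agree            # equal answers force x0[i] == x1[i]
        hits += guess == i
    return hits / trials, i_always_agrees

if __name__ == "__main__":
    rate, ok = run_experiment()
    print(f"guessed i in {rate:.3f} of runs; blind guess 1/n = {1/8:.3f}; "
          f"i always in agreement set: {ok}")
```

Because x0 and x1 differ in at least one position, the agreement set has at most n-1 indices and always contains i, which is where the 1/(n-1) in the claim comes from.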


Breaking Any Sublinear PIR

[Figure: the Receiver, holding i ∈ {1,...,n}, and the Server exchange messages a1, b1, ..., ao(n), bo(n).]

Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round


Breaking Any Sublinear PIR

[Figure: the Receiver, holding i ∈ {1,...,n}, and the Server exchange messages a1, b1, ..., alog(n), blog(n), ..., ao(n), bo(n).]

Key observation: The malicious server can invoke Sam every log(n) rounds


Breaking Any Sublinear PIR

[Figure: the Receiver, holding i ∈ {1,...,n}, and the malicious Server exchange messages a1, b1, ..., alog(n), blog(n).]

1. Receive x0 from Sam

2. Simulate the honest server for log(n) rounds

3. Send b1(a1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)


Summary

  • Communication lower bound for single-server PIR

    • Fully black-box constructions from (enhanced) TDPs

    • The trivial solution is optimal up to constant factors

Matches the upper bound of [NOVY]

  • In the paper:

    • Communication lower bound for statistically-hiding bit-commitment

    • The sender must send (n) bits

    • Communication preserving reduction to single-server PIR

  • Open problem:

    • A linear lower bound for “not so tight” reductions?

    • [KO ‘00]: TDPs over (n²) bits

Thank you!

