
A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Jonathan Hoch, Iftach Haitner, Gil Segev. Weizmann Institute of Science, Israel.



  1. A Linear Lower Bound on the Communication Complexity of Single-Server PIR. Jonathan Hoch, Iftach Haitner, Gil Segev. Weizmann Institute of Science, Israel.

  2. Private Information Retrieval
     [Diagram: Server with x = x_1 ... x_n; Receiver with i ∈ {1,...,n} obtains x_i; i ∈ {1,...,n} ≈ j ∈ {1,...,n}]
     • Functionality: Receiver retrieves x_i
     • Privacy: Server does not learn i

  3. The Trivial Solution
     [Diagram: Server with x = x_1 ... x_n sends x_1 ... x_n to Receiver with i ∈ {1,...,n}]
     • Inefficient -- x may be very large
     Can we do better than trivial? Not information theoretically [CGKS]

  4. Two Approaches
     • Multiple-server PIR
       • Information theoretic privacy
       • Many exciting results, but not the focus of this talk [CGKS95,...,Yek07,...]
     • Single-server PIR
       • Computational privacy
       • Implies Oblivious Transfer
       • 2-message PIR implies collision-resistant hash functions and public-key encryption
       • Many applications... [CG97, KO97, CMS99, ...]

  5. Current Status
     • Specific number-theoretic assumptions
       • Communication polylog(n) [KO97, CMS99, ...]
     • General assumptions
       • Communication n - o(n)
       • Black-box construction based on TDPs [KO00]
     Question: Can we base single-server PIR with sublinear communication on general assumptions?

  6. Main Result
     In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.
     • Two restrictions
       • Fully black-box
       • Tight security reduction: permutations over (n) bits
         [KO ‘00]: (n²) bits
     • Previous results
       • [Fis02]: Similar result for 2-message protocols (fewer restrictions)
       • [HHRS07]: (n/log n) lower bound (same restrictions)
         (n²) lower bound for “not so tight” reductions

  7. Fully Black-Box Reductions
     A fully black-box reduction from B to A:
     Black-box construction
     • Any implementation of A implies an implementation of B
     • Only care about the functionality of A
     Black-box proof of security
     • Any adversary for B implies an adversary for A
     • Only care about functionality of the adversary for B
     [Diagram labels: Adversary for A, B, Adversary for B, A]

  8. Our Approach
     • Fully black-box reductions relativize
     • We present an oracle O relative to which:
       1. There exists a collection of TDPs over {0,1}^n
          • A random function is hard to invert even with access to O
       2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
          • There exists an efficient server that uses O to break any such protocol

  9. The Oracle [HHRS ‘07]
     • O = (Sam, )
       •  is a random collection of TDPs over {0,1}^n
       • Sam is an interactive collision-finding oracle
         • Samples random collisions
         • Extends the non-interactive oracle of [Simon ‘98]
     [Diagram: A interacts with Sam. Sam returns v_0 ← {0,1}^n; A sends C_1, Sam returns v_1 with C_1(v_1) = C_1(v_0); A sends C_2, Sam returns v_2 with C_2(v_2) = C_2(v_1)]

  10. The Oracle [HHRS ‘07]
      • O = (Sam, )
        •  is a random collection of TDPs over {0,1}^n
        • Sam is an interactive collision-finding oracle
          • Samples random collisions
          • Extends the non-interactive oracle of [Simon ‘98]
      Theorem: A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)
      • The proof requires additional restrictions (C_(i+1) refines C_i, commit to C_(i+1) at depth i, ...)
      • ...but this suffices for the purpose of this talk
      [Diagram: A interacts with Sam (v_0, C_1, v_1, C_2, v_2) up to depth n/log(n)]

  11. Breaking 2-Message PIR
      [Diagram: Receiver with i ∈ {1,...,n} sends a(i); Server with x = x_1 ... x_n replies b(a,x)]

  12. Breaking 2-Message PIR
      [Diagram: Receiver with i ∈ {1,...,n} sends a; b(a,x0) = b(a,x1)]
      1. Receive x0 from Sam
      2. Send the circuit b(a,·) to Sam
      3. Receive x1 from Sam
      4. Output a random index j for which x0_j = x1_j
      x0_i = x1_i and x0x1
      Claim: The malicious server guesses i w.p. ≥ 1/(n-1)

  13. Breaking Any Sublinear PIR
      [Diagram: messages a_1, b_1, ..., a_o(n), b_o(n); Receiver with i ∈ {1,...,n}]
      Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round

  14. Breaking Any Sublinear PIR
      [Diagram: messages a_1, b_1, ..., a_log(n), b_log(n), ..., a_o(n), b_o(n); Receiver with i ∈ {1,...,n}]
      Key observation: The malicious server can invoke Sam every log(n) rounds

  15. Breaking Any Sublinear PIR
      [Diagram: messages a_1, b_1, ..., a_log(n), b_log(n); Receiver with i ∈ {1,...,n}]
      1. Receive x0 from Sam
      2. Simulate the honest server for log(n) rounds
      3. Send b_1(a_1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)
      Claim: The malicious server guesses i w.p. ≥ 1/(n-1)

  16. Summary
      • Communication lower bound for single-server PIR
        • Fully black-box constructions from (enhanced) TDPs
        • The trivial solution is optimal up to constant factors
        Matches the upper bound of [NOVY]
      • In the paper:
        • Communication lower bound for statistically-hiding bit-commitment
          • The sender must send (n) bits
        • Communication preserving reduction to single-server PIR
      • Open problem:
        • A linear lower bound for “not so tight” reductions?
        • [KO ‘00]: TDPs over (n²) bits
      Thank you!
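
The four steps of slide 12 ("Breaking 2-Message PIR"), run as a small simulation. This is an added example, not code from the talk or the paper. It assumes a toy one-bit protocol with no real hiding (make_query and answer are hypothetical names), a brute-force stand-in for Sam that only works for small n, and 0-based indices.

```python
import itertools
import random

def make_query(i):
    # Receiver's message a(i). Toy encoding with no real hiding; the attack
    # below never inspects it and only evaluates b(a, .) as a black box.
    return ("opaque-query", i)

def answer(a, x):
    # Honest server's reply b(a, x): a single bit, i.e. far fewer than n bits.
    return x[a[1]]

def sam(circuit, x0, n, rng):
    # Stand-in for Sam: uniform x1 with circuit(x1) == circuit(x0), found by
    # brute force over all n-bit databases (only feasible for small n).
    target = circuit(x0)
    collisions = [x for x in itertools.product((0, 1), repeat=n)
                  if circuit(x) == target]
    return rng.choice(collisions)

def malicious_server(a, n, rng):
    circuit = lambda x: answer(a, x)                 # the circuit b(a, .)
    x0 = tuple(rng.randrange(2) for _ in range(n))   # step 1: x0 from Sam
    x1 = x0
    while x1 == x0:                                  # assumption: re-ask until x0 != x1
        x1 = sam(circuit, x0, n, rng)                # steps 2-3
    agree = [j for j in range(n) if x0[j] == x1[j]]
    return rng.choice(agree), agree                  # step 4

def success_rate(n=8, trials=2000, seed=1):
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        i = rng.randrange(n)                         # 0-based index, slides use 1..n
        guess, agree = malicious_server(make_query(i), n, rng)
        # Correctness forces x0_i == x1_i, so i is among at most n-1 candidates.
        assert i in agree and len(agree) <= n - 1
        hits += guess == i
    return hits / trials

if __name__ == "__main__":
    n = 8
    print(f"guessed i in {success_rate(n):.3f} of runs; 1/(n-1) = {1/(n-1):.3f}")
```

The shorter the server's answer, the more positions a random collision leaves free to differ, which is why the candidate set shrinks and the guess beats 1/n.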
