Loading in 2 Seconds...

A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Loading in 2 Seconds...

- By
**kamin** - Follow User

- 90 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' A Linear Lower Bound on the Communication Complexity of Single-Server PIR' - kamin

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Jonathan Hoch

Iftach Haitner

Gil Segev

Weizmann Institute of ScienceIsrael

Private Information Retrieval

xi

Server

Receiver

Receiver

x = x1 xn

i 2 {1,...,n}

i 2 {1,...,n}

¼

j 2 {1,...,n}

- Functionality: Receiver retrieves xi

- Privacy: Server does not learn i

The Trivial Solution

Not information theoretically [CGKS]

Can we do better than trivial?

x1 xn

Server

Receiver

Receiver

x = x1 xn

i 2 {1,...,n}

i 2 {1,...,n}

- Inefficient -- x may be very large

Two Approaches

- Multiple-server PIR
- Information theoretic privacy
- Many exciting results, but not the focus of this talk

[CGKS95,...,Yek07,...]

- Single-server PIR
- Computational privacy
- Implies Oblivious Transfer
- 2-message PIR implies collision-resistant hash functions and public-key encryption
- Many applications...

[CG97, KO97, CMS99, ...]

Current Status

- Specific number-theoretic assumptions
- Communication polylog(n)

[KO97, CMS99, ...]

- General assumptions
- Communication n - o(n)
- Black-box construction based on TDPs

[KO00]

Question:

Can we base single-server PIR with sublinear communication on general assumptions?

Main Result

In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.

- Two restrictions
- Fully black-box
- Tight security reduction: permutations over (n) bits

[KO ‘00]: (n²) bits

- Previous results
- [Fis02]: Similar result for 2-message protocols (less restrictions)
- [HHRS07]: (n/logn) lower bound (same restrictions)

(n²) lower bound for “not so tight” reductions

Fully Black-Box Reductions

A fully black-box reduction from B to A:

Black-box construction

- Any implementation of A implies an implementation of B
- Only care about the functionality of A

Black-box proof of security

- Any adversary for B implies an adversary for A
- Only care about functionality of the adversary for B

Adversary for A

B

Adversary for B

A

A

Our Approach

- Fully black-box reductions relativize

- We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}n

- A random function is hard to invert even with access to O

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits

- There exists an efficient server that uses O to break any such protocol

The Oracle [HHRS ‘07]

- O= (Sam, )
- is a random collection of TDPs over {0,1}n
- Sam is an interactive collision-finding oracle
- Samples random collisions
- Extends the non-interactive oracle of [Simon ‘98]

A

Sam

v0

v0Ã {0,1}n

C1

C1(v1) = C1(v0)

v1

C2(v2) = C2(v1)

C2

v2

The Oracle [HHRS ‘07]

- O= (Sam, )
- is a random collection of TDPs over {0,1}n
- Sam is an interactive collision-finding oracle
- Samples random collisions
- Extends the non-interactive oracle of [Simon ‘98]

A

Sam

v0

Theorem:

A random TDPis one-way as long as Sam answers queries of depth · n/log(n)

C1

v1

n/log(n)

- The proof requires additional restrictions(Ci+1 refines Ci, commit to Ci+1 at depth i, ...)
- ...but this suffices for the purpose of this talk

C2

v2

a

b(a,x0)

=

b(a,x1)

i 2 {1,...,n}

1. Receive x0 from Sam

2. Send the circuit b(a,¢) to Sam

x0i =x1i and x0x1

3. Receive x1 from Sam

4. Output a random index j for which x0j=x1j

Claim: The malicious server guesses i w.p. ¸1/(n-1)

a1

b1

...

ao(n)

bo(n)

i 2 {1,...,n}

Communication vs. Rounds:Server sends o(n) bits )o(n) rounds, server sends one bit each round

a1

b1

..

alog(n)

blog(n)

..

i 2 {1,...,n}

ao(n)

bo(n)

Key observation: The malicious server can invoke Sam every log(n) rounds

a1

b1

..

alog(n)

blog(n)

i 2 {1,...,n}

1. Receive x0 from Sam

2. Simulate the honest server for log(n) rounds

3. Send b1(a1,¢) to Sam until receiving xlog(n)which is consistent with all log(n) rounds (rewind Sam if inconsistent)

Claim: The malicious server guesses i w.p. ¸1/(n-1)

- Communication lower bound for single-server PIR
- Fully black-box constructions from (enhanced) TDPs
- The trivial solution is optimal up to constant factors

Matches the upper bound of [NOVY]

- In the paper:
- Communication lower bound for statistically-hiding bit-commitment
- The sender must send (n) bits
- Communication preserving reduction to single-server PIR

- Open problem:
- A linear lower bound for “not so tight” reductions?
- [KO ‘00]: TDPs over (n²) bits

Thank you!

Download Presentation

Connecting to Server..