Constant round private database queries
This presentation is the property of its rightful owner.
Sponsored Links
1 / 19

Constant-Round Private Database Queries PowerPoint PPT Presentation


  • 53 Views
  • Uploaded on
  • Presentation posted in: General

Constant-Round Private Database Queries. Nenad Dedic and Payman Mohassel. Boston University. UC Davis. Outline. Introduction Element rank protocol Other protocols Equivalence to one-round PIR Open problems. q = Q(x). y. x. Server. Client. Dec(a) = f(x,y). a = A(q,y).

Download Presentation

Constant-Round Private Database Queries

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Constant round private database queries

Constant-Round Private Database Queries

Nenad Dedic and Payman Mohassel

Boston University

UC Davis


Outline

Outline

  • Introduction

  • Element rank protocol

  • Other protocols

  • Equivalence to one-round PIR

  • Open problems


Succinct computation

q = Q(x)

y

x

Server

Client

Dec(a) = f(x,y)

a = A(q,y)

Succinct Computation

  • Computing f(x,y)

  • One round of interaction

  • Communication Complexity

    • |q| +|a| = O(poly(log(|x|), log(|y|), |f(x,y)|, s))

    • Or linear in |f(x,y)|


Privacy

Privacy

  • Computational setting

  • Client side

    • For any x, x’, Q(x) and Q(x’) are indistinguishable

  • Server side

    • Simulator S, simulates A(x,y) given x and f(x,y)

  • Semi-honest adversaries


Private database queries

Private Database Queries

  • Server’s input is a database

  • Client’s input is a query

  • Private information retrieval (PIR)

    • f(i, (x1,x2,…,xn)) = xi

  • Private Keyword search (PKS)

    f(w, {(x1,v1),…,(xn,vn)}) =

va if there is xa= w

otherwise


Existing solutions

Existing Solutions

  • PIR / SPIR

    • [KO97], [Lipmaa05], …

    • One-round, sublinear communication

  • PKS

    • [FIPR05]

    • One-round, polylog(n) communication

    • PIR and homomorphic encryption

      How about more general queries?


More general queries

More General Queries

  • General MPC

    • Not efficient

  • Circuits with look-up tables [NN01]

    • Communication efficient

    • High round complexity

  • One-round secure computation [CCKM00]

    • Round efficient

    • High comm.

  • Computing BP on encrypted data [IP07]

    • Independent work

    • Round and communication efficient

    • Strong assumption


Private element rank

Private Element Rank

  • Interval Labeling

    • f(b, (x1,x2,…,xn,v1,…,vn)) =

      vi such that b є (xi, xi+1]

  • Element Rank

    • Add x0 = -∞ and xn+1=+∞

    • vi = i

  • Applications

    • Ranking in auctions

    • Online testing services

    • Use to design other protocols


Interval labeling protocol

Interval Labeling Protocol

  • b, x1,x2,…,xnє {0,1}k

  • Run a PKS for every prefix of b

    • jth query = j-bit prefix of b

  • Create and use a database D


Interval labeling protocol1

0

1

0

1

1

0

v4

0

0

1

0

1

0

1

1

v0

v1

v2

v2

v3

v1

v2

x1

x2

x3

x4

Interval Labeling Protocol

D = {(000,v0),(001,v1),(0100,v1) , (0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)}


Interval labeling protocol2

0

1

0

1

1

0

v4

0

0

1

0

1

0

1

1

v0

v1

v2

v2

v3

v1

v2

x1

x2

x3

x4

Interval Labeling Protocol

b = 1000

b1 = 1

b2 =10

b3 =100

b4 =1000

D = {(000,v0),(001,v1),(0100,v1) , (0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)}


Interval labeling protocol3

Interval Labeling Protocol

  • w’ is w with last bit flipped

  • Database D, where |D| ≤ 2kn

    • For every 1≤ j ≤ k, let w be j-bit prefix of xi:

      • Add (w,vi) to D if:

        [w||0k-j, w||1k-j] [xi,xi+1] , but not true for w’

      • Add (w’,vi) to D if:

        [w’||0k-j, w’||1k-j] [xt ,xt+1] , but not true for w

  • Prefixes of xi’sand/or their siblings


Interval labeling

Interval Labeling

  • ri = PKSA(bi ,D) for 1 ≤ i ≤ k

  • Randomly permute (r1, r2, … ,rk) and send

  • Decode; retrieve the only ri ≠ ┴ in the list

  • One round, polylog(n) communication

  • Reduced to PKS


Other protocols

Other Protocols

  • Private Rectangle Labeling

    • Which rectangle is query point in?

    • Extension to higher dimensions

    • One round

  • Private Range Queries

    • Retrieve all the points in the range

    • On a line or in a plane

    • Constant round

    • Comm. proportional to number of retrieved points


Other protocols1

Other Protocols

  • mth ranked element

  • Alice holds database A

  • Bob holds database B

  • Find mth ranked element in (A U B)

    • [AMP04], O(log(m)) rounds, and sublinear comm.

    • We use our rank protocol as subprotocol

      • O(log(log(m))) rounds

      • Still sublinear comm.


Pks to pir

va if there is xa= w

otherwise

PKS to PIR

  • [FIPR05]

    • Database

      • Hash function h : {0,1}n {0,1}n/log(n)

      • Hash keywords (xi’s) to n/log(n) bins

      • Create degree log(n) polynomials for each bin

    • Client

      • Compute h(w)

      • Send E(h(w)) , E(h(w)2), …, E(h(w)log(n))

    • Database evaluates all polynomials at h(w)

    • Client gets one result via PIR

f(w, {(x1 ,v1),…,(xn ,vn )}) =


Pks to pir1

PKS to PIR

  • Assumption: One-round PIR

  • Replace polynomials with Yao’s garbled circuit

    • Circuit of size O(polylog(n)) size

  • Yao’s protocol

    • Pseudorandom function, OT

    • Can be reduced to one-round PIR

      • [CMO00], [BIKM99]

  • One-round PKS one-round PIR

  • One-round Rank one-round PKS


Open problems

Open Problems

  • Succinct Computation of

    • Branching programs (not length-bounded)

    • General circuits

  • Reduction to one-round PIR

    • Any special functionality

    • Decision trees

    • Branching programs


Constant round private database queries

Thank you!


  • Login