Constant-Round Private Database Queries


Nenad Dedic and Payman Mohassel

Boston University

UC Davis

- Introduction
- Element rank protocol
- Other protocols
- Equivalence to one-round PIR
- Open problems

[Figure: one-round protocol between Client (input x) and Server (input y): q = Q(x), a = A(q,y), Dec(a) = f(x,y)]

- Computing f(x,y)
- One round of interaction

- Communication Complexity
- |q| +|a| = O(poly(log(|x|), log(|y|), |f(x,y)|, s))
- Or linear in |f(x,y)|

- Computational setting
- Client side
- For any x, x’, Q(x) and Q(x’) are indistinguishable

- Server side
- Simulator S, simulates A(x,y) given x and f(x,y)

- Semi-honest adversaries

- Server’s input is a database
- Client’s input is a query
- Private information retrieval (PIR)
- $f(i, (x_1,x_2,\dots,x_n)) = x_i$

- Private Keyword search (PKS)
- $f(w, \{(x_1,v_1),\dots,(x_n,v_n)\}) = v_a$ if there is $x_a = w$, and $\perp$ otherwise

- PIR / SPIR
- [KO97], [Lipmaa05], …
- One-round, sublinear communication

- PKS
- [FIPR05]
- One-round, polylog(n) communication
- PIR and homomorphic encryption
How about more general queries?

- General MPC
- Not efficient

- Circuits with look-up tables [NN01]
- Communication efficient
- High round complexity

- One-round secure computation [CCKM00]
- Round efficient
- High comm.

- Computing BP on encrypted data [IP07]
- Independent work
- Round and communication efficient
- Strong assumption

- Interval Labeling
- $f(b, (x_1,x_2,\dots,x_n,v_1,\dots,v_n)) = v_i$ such that $b \in (x_i, x_{i+1}]$

- Element Rank
- Add $x_0 = -\infty$ and $x_{n+1} = +\infty$
- $v_i = i$

- Applications
- Ranking in auctions
- Online testing services
- Use to design other protocols

- $b, x_1, x_2, \dots, x_n \in \{0,1\}^k$
- Run a PKS for every prefix of b
- jth query = j-bit prefix of b

- Create and use a database D

[Figure: binary tree with edges labeled 0 and 1, nodes labeled v0, v1, v2, v3, v4, and points x1, x2, x3, x4]

D = {(000,v0),(001,v1),(0100,v1) , (0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)}

b = 1000, with prefixes b1 = 1, b2 = 10, b3 = 100, b4 = 1000

- w’ is w with last bit flipped
- Database D, where |D| ≤ 2kn
- For every 1 ≤ j ≤ k, let w be j-bit prefix of $x_i$:
- Add $(w, v_i)$ to D if: $[w\|0^{k-j},\, w\|1^{k-j}]$ $[x_i, x_{i+1}]$, but not true for w’
- Add $(w', v_i)$ to D if: $[w'\|0^{k-j},\, w'\|1^{k-j}]$ $[x_t, x_{t+1}]$, but not true for w
- Prefixes of $x_i$’s and/or their siblings

- $r_i = \mathrm{PKS}_A(b_i, D)$ for $1 \le i \le k$
- Randomly permute $(r_1, r_2, \dots, r_k)$ and send
- Decode; retrieve the only $r_i \ne \perp$ in the list
- One round, polylog(n) communication
- Reduced to PKS
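
The database construction and prefix lookup above, as an added example that is not from the original slides. Assumptions: PKS is replaced by a plain dictionary lookup (so nothing here is private), the four sample points are constructed so that the output matches the D shown on the slide, and the "keep only maximal subtrees" test is one reading of the slide's condition on w and w’.

```python
import random
from bisect import bisect_left

def rank(xs, b):
    """Index i such that b lies in (x_i, x_{i+1}], with x_0 = -inf."""
    return bisect_left(xs, b)

def span(w, k):
    """Smallest and largest k-bit values that have bit-string w as a prefix."""
    pad = k - len(w)
    return int(w + "0" * pad, 2), int(w + "1" * pad, 2)

def single_rank(xs, w, k):
    """Rank shared by every value below w, or None if w straddles some x_i."""
    lo, hi = span(w, k)
    r = rank(xs, lo)
    return r if r == rank(xs, hi) else None

def build_db(points, k):
    """Map prefixes of the x_i (and their siblings) to ranks v_i = i."""
    xs = sorted(int(p, 2) for p in points)
    db = {}
    for p in points:
        for j in range(1, k + 1):
            w = p[:j]
            sibling = w[:-1] + ("1" if w[-1] == "0" else "0")
            for node in (w, sibling):
                r = single_rank(xs, node, k)
                # Keep only maximal subtrees: the parent must straddle an x_i
                # (1-bit nodes are always kept; no query sends an empty prefix).
                parent_mixed = j == 1 or single_rank(xs, node[:-1], k) is None
                if r is not None and parent_mixed:
                    db[node] = r
    return db

def query_rank(db, b):
    """One keyword lookup per prefix of b; dict.get stands in for PKS (None = ⊥)."""
    answers = [db.get(b[:j]) for j in range(1, len(b) + 1)]
    random.shuffle(answers)  # server permutes the k answers before sending
    hits = [a for a in answers if a is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one non-empty answer")
    return hits[0]

# Constructed sample points (k = 4), chosen to reproduce the D on the slide.
POINTS = ["0001", "0100", "1001", "1011"]
DB = build_db(POINTS, 4)
```

Because the stored prefixes are prefix-free and cover every k-bit string, each query b matches exactly one entry, which is why the client can pick out the single non-⊥ answer after the permutation.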

- Private Rectangle Labeling
- Which rectangle is query point in?
- Extension to higher dimensions
- One round

- Private Range Queries
- Retrieve all the points in the range
- On a line or in a plane
- Constant round
- Comm. proportional to number of retrieved points

- mth ranked element
- Alice holds database A
- Bob holds database B
- Find mth ranked element in (A U B)
- [AMP04], O(log(m)) rounds, and sublinear comm.
- We use our rank protocol as subprotocol
- O(log(log(m))) rounds
- Still sublinear comm.

$f(w, \{(x_1,v_1),\dots,(x_n,v_n)\}) = v_a$ if there is $x_a = w$, and $\perp$ otherwise

- [FIPR05]
- Database
- Hash function h : {0,1}n {0,1}n/log(n)
- Hash keywords ($x_i$’s) to n/log(n) bins
- Create degree log(n) polynomials for each bin

- Client
- Compute h(w)
- Send $E(h(w)), E(h(w)^2), \dots, E(h(w)^{\log(n)})$

- Database evaluates all polynomials at h(w)
- Client gets one result via PIR

- Assumption: One-round PIR
- Replace polynomials with Yao’s garbled circuit
- Circuit of size O(polylog(n))

- Yao’s protocol
- Pseudorandom function, OT
- Can be reduced to one-round PIR
- [CMO00], [BIKM99]

- One-round PKS one-round PIR
- One-round Rank one-round PKS

- Succinct Computation of
- Branching programs (not length-bounded)
- General circuits

- Reduction to one-round PIR
- Any special functionality
- Decision trees
- Branching programs

Thank you!