1 / 23

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate. Jens Groth, University College London Aggelos Kiayias, University of Athens Helger Lipmaa, Cybernetica AS and Tallinn University. TexPoint fonts used in EMF.

june
Download Presentation

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multi-Query Computationally-PrivateInformation Retrieval with ConstantCommunication Rate Jens Groth, University College London Aggelos Kiayias, University of Athens Helger Lipmaa, Cybernetica AS and Tallinn University TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

  2. Information retrieval Client Server xi i x1,...,xn

  3. Privacy Index i ? Client Server i

  4. Example of a trivial PIR protocol Perfectly private:Client reveals nothing x1,...,xn xi i x1,...,xn Communication: nℓ bits with ℓ-bit records

  5. Communication bits nℓ Trivial protocol O(nk1/-1ℓ) Kushilevitz-Ostrovsky 97 O(kℓ) Cachin-Micali-Stadler 99 O(k log2n+ℓlog n) Lipmaa 05 O(k+ℓ) Gentry-Ramzan 05 Database size: nrecords Record size: ℓ bitsSecurity parameter: k bits (size of RSA modulus)

  6. Multi-query information retrieval Client Server xi1,...,xim i1,...,im x1,...,xn

  7. Privacy i1,...,im? Client Server i1,...,im

  8. Our contribution • Lower bound (information theoretic):(mℓ+m log(n/m)) bits • Upper bound (CPIR protocol): O(mℓ+m log(n/m)+k) bits

  9. Lower bound (mℓ+m log(n/m)) bits Client Server xi1,...,xim i1,...,im x1,...,xn Client and server have unlimited computational power We do not require protocol to be private We assume perfect correctnessWe assume worst case indices and records

  10. Lower bound for 2-move CPIR Client Server xi1,...,xim i1,...,im x1,...,xn Query: possible indices (m log(n/m)) Response: m records (mℓ)

  11. Lower bound for many-move CPIR Client Server xi1,...,xim i1,...,im x1,...,xn Proof overview:At loss of factor 2 assume 1-bit messages exhangedView function as tree with client at leaf choosing an outputWe will prove the tree has at least (leaf, output) pairs

  12. Input to the tree-function: I=(i1,...,im) and X=(x1,...,xn) C(i1,...,im) 0 1 S(x1,...,xn,0) S(x1,...,xn,1) 0 1 0 1 C(i1,...,im,0,0) C(i1,...,im,0,1)C(i1,...,im,1,0) C(i1,...,im,1,1) xi1,...,xim Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output

  13. Define F = { (I,X)=(i1,...,im,x1,...,xn) | xi=1ℓ if iI and else xi=0ℓ} If (I,X) F and (I´,X´)  F then (I,X´)  F This means each (I,X) F leads to different (leaf,output) pair For each (I,X) F the output is 1ℓ,...,1ℓ There are pairs in F, so the tree must have leaves This means the height is at least log ≥ m log(n/m) So the client and server risk sending ½m log(n/m) bits For the general case we then get a lower bound of max(mℓ, ½m log(n/m)) = (mℓ+m log(n/m)) bits

  14. Four cases Trivial PIR (nℓ bits) 2 4 1 ℓ=log(n/m) 3 m=k2/3 m=n/9

  15. Tool: Restricted CPIR protocol • Perfect correctness • Constant >0 (e.g. =1/25) so CPIR with k bits of communication for parameters satisfying • m = poly(k), n = poly(k), ℓ = poly(k) mℓ+m log n  k

  16. Example: Gentry-Ramzan CPIR Primes: p1,…,pn |pi| = O(log n) Prime powers: 1,…,n |i| > ℓ • Query: N, g i1…im | ord(g) • Response: c = gx mod N x = xi mod i • Extract: (cord(g)/i1…im) = (gord(g)/i1…im)x compute x mod i1…im extract xi1,…,xim

  17. Three remaining cases Restricted CPIR mℓ+m log n  k ℓm/k CPIRs with record size k/m in parallel 2 4 ℓ=log(n/m) 3 m=k2/3 m=n/9

  18. Two remaining cases mℓ/log(n/m)-out of-n CPIR with record sizelog(n/m) 4 ℓ=log(n/m) 3 m=k2/3 m=n/9

  19. One remaining case Restricted CPIR mℓ+m log n  k ℓ=log(n/m) 3 m=k2/3 m=n/9

  20. Parallel extraction Res-CPIR Res-CPIR Res-CPIR Res-CPIR

  21. The problem • If ℓ = (log n) we could use parallel repetition of the restricted CPIR for mℓ+m log n  k on blocks of the database to get a constant rate • But if ℓ is small and m is large, we may loose a multiplicative factor (mℓ+m log n)/(mℓ+m log(n/m)) = 1+log m/(ℓ+log(n/m)) by parallel repetition of the restricted CPIR

  22. Solution aℓ-bit records x1,x2,x3 (x1,x2)(x1,x3)(x2,x3) x4,x5,x6 (x4,x5)(x4,x6)(x5,x6) x7,x8,x9 (x7,x8)(x7,x9)(x8,x9) ℓ’=aℓ, m’=m/a, n’= n/a Restricted CPIR mℓ+m log n  k

  23. Summary Client Server • Lower bound: (mℓ+m log(n/m)) bits • CPIR protocol: O(mℓ+m log(n/m)+k) bits xi1,...,xim i1,...,im x1,...,xn

More Related