
A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Jonathan Hoch

Iftach Haitner

Gil Segev

Weizmann Institute of Science, Israel


Private Information Retrieval

[Figure: Server holds x = x1 ... xn; Receiver holds i ∈ {1,...,n} and obtains xi. The Server's view for index i ≈ its view for any index j ∈ {1,...,n}]

  • Functionality: Receiver retrieves xi

  • Privacy: Server does not learn i


The Trivial Solution

[Figure: the Server sends the whole database x1 ... xn to the Receiver; Server input x = x1 ... xn, Receiver input i ∈ {1,...,n}]

  • Inefficient -- x may be very large

Can we do better than trivial?

Not information theoretically [CGKS]


Two Approaches

  • Multiple-server PIR

    • Information theoretic privacy

    • Many exciting results, but not the focus of this talk

[CGKS95,...,Yek07,...]

  • Single-server PIR

    • Computational privacy

    • Implies Oblivious Transfer

    • 2-message PIR implies collision-resistant hash functions and public-key encryption

    • Many applications...

[CG97, KO97, CMS99, ...]


Current Status

  • Specific number-theoretic assumptions

    • Communication polylog(n)

[KO97, CMS99, ...]

  • General assumptions

    • Communication n - o(n)

    • Black-box construction based on TDPs

[KO00]

Question:

Can we base single-server PIR with sublinear communication on general assumptions?


Main Result

In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.

  • Two restrictions

    • Fully black-box

    • Tight security reduction: permutations over (n) bits

[KO ‘00]: (n²) bits

  • Previous results

    • [Fis02]: Similar result for 2-message protocols (less restrictions)

    • [HHRS07]: (n/logn) lower bound (same restrictions)

      (n²) lower bound for “not so tight” reductions


Fully Black-Box Reductions

A fully black-box reduction from B to A:

Black-box construction

  • Any implementation of A implies an implementation of B

  • Only care about the functionality of A

Black-box proof of security

  • Any adversary for B implies an adversary for A

  • Only care about functionality of the adversary for B

[Figure: B is built from A; the Adversary for A is built from the Adversary for B and A]


Our Approach

  • Fully black-box reductions relativize

  • We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}ⁿ

  • A random function is hard to invert even with access to O

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits

  • There exists an efficient server that uses O to break any such protocol


The Oracle [HHRS ‘07]

  • O= (Sam, )

  •  is a random collection of TDPs over {0,1}ⁿ

  • Sam is an interactive collision-finding oracle

    • Samples random collisions

    • Extends the non-interactive oracle of [Simon ‘98]

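[Figure: interaction between A and Sam. Sam samples v0 ← {0,1}ⁿ and returns v0; A sends C1 and Sam returns v1 with C1(v1) = C1(v0); A sends C2 and Sam returns v2 with C2(v2) = C2(v1)]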



Theorem:

A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)

  • The proof requires additional restrictions (Ci+1 refines Ci, commit to Ci+1 at depth i, ...)

  • ...but this suffices for the purpose of this talk

[Figure: the interaction between A and Sam (v0, C1, v1, C2, v2, ...) continues to depth n/log(n)]



Breaking 2-Message PIR

[Figure: Receiver with i ∈ {1,...,n} sends a(i); Server with x = x1 ... xn replies b(a,x)]



[Figure: Receiver with i ∈ {1,...,n} sends a; b(a,x0) = b(a,x1)]

1. Receive x0 from Sam

2. Send the circuit b(a,·) to Sam

x0i =x1i and x0x1

3. Receive x1 from Sam

4. Output a random index j for which x0j=x1j

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)
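
The four steps above, run against a toy 2-message PIR, as an added example that is not from the talk. The PIR is a one-row quadratic-residuosity scheme with tiny insecure parameters (an assumption chosen for illustration), and `sam` is a brute-force stand-in for the oracle that is assumed to return x1 different from x0; all function names are hypothetical.

```python
import random
from itertools import product

P, Q = 3, 7            # toy primes: insecure, chosen so brute force is instant
N = P * Q              # assumes n >= 4, so a collision always exists

def is_qr(v, p):
    """Euler's criterion: is the unit v a quadratic residue mod prime p?"""
    return pow(v, (p - 1) // 2, p) == 1

def query(i, n, rng):
    """Receiver's a: residues everywhere except a non-residue (mod P and Q) at i."""
    units = [u for u in range(2, N) if u % P and u % Q]
    qnr = [u for u in units if not is_qr(u, P) and not is_qr(u, Q)]
    return [rng.choice(qnr) if j == i else pow(rng.choice(units), 2, N)
            for j in range(n)]

def answer(a, x):
    """Honest server's b(a, x): one element of Z_N, shorter than the n-bit x."""
    z = 1
    for y, bit in zip(a, x):
        z = z * (y if bit else y * y) % N
    return z

def decode(z):
    """Receiver: x_i = 1 iff the answer is a non-residue mod P."""
    return 0 if is_qr(z, P) else 1

def sam(circuit, n, rng, prev=None):
    """Toy Sam: uniform x0 on the first call, then a uniform x1 != prev with
    circuit(x1) == circuit(prev). Brute force stands in for the oracle."""
    space = list(product((0, 1), repeat=n))
    if prev is None:
        return rng.choice(space)
    target = circuit(prev)
    return rng.choice([x for x in space if x != prev and circuit(x) == target])

def malicious_server(a, n, rng):
    x0 = sam(None, n, rng)                            # 1. receive x0
    x1 = sam(lambda x: answer(a, x), n, rng, x0)      # 2-3. send b(a,.), get x1
    agree = [j for j in range(n) if x0[j] == x1[j]]   # correctness forces i here
    return x0, x1, rng.choice(agree)                  # 4. random agreeing index

if __name__ == "__main__":
    rng, n, i = random.Random(1), 8, 5
    a = query(i, n, rng)
    x0, x1, guess = malicious_server(a, n, rng)
    print("collision:", x0, x1, "guess:", guess, "true i:", i)
```

Because the receiver can decode xi from the answer alone, any two databases with the same answer must agree at position i, which is why the true index always lies in the set the server guesses from.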



Breaking Any Sublinear PIR

[Figure: Receiver with i ∈ {1,...,n} and Server exchange a1, b1, ..., ao(n), bo(n)]

Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round



[Figure: Receiver with i ∈ {1,...,n} and Server exchange a1, b1, ..., alog(n), blog(n), ..., ao(n), bo(n)]

Key observation: The malicious server can invoke Sam every log(n) rounds



[Figure: Receiver with i ∈ {1,...,n} and Server exchange a1, b1, ..., alog(n), blog(n)]

1. Receive x0 from Sam

2. Simulate the honest server for log(n) rounds

3. Send b1(a1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)



Summary

  • Communication lower bound for single-server PIR

    • Fully black-box constructions from (enhanced) TDPs

    • The trivial solution is optimal up to constant factors

Matches the upper bound of [NOVY]

  • In the paper:

    • Communication lower bound for statistically-hiding bit-commitment

    • The sender must send (n) bits

    • Communication preserving reduction to single-server PIR

  • Open problem:

    • A linear lower bound for “not so tight” reductions?

    • [KO ‘00]: TDPs over (n²) bits

Thank you!