# Constant-Round Private Database Queries

Constant-Round Private Database Queries. Nenad Dedic and Payman Mohassel. Boston University. UC Davis. Outline. Introduction Element rank protocol Other protocols Equivalence to one-round PIR Open problems. q = Q(x). y. x. Server. Client. Dec(a) = f(x,y). a = A(q,y).


### Constant-Round Private Database Queries

Boston University

UC Davis

• Introduction

• Element rank protocol

• Other protocols

• Equivalence to one-round PIR

• Open problems

[Diagram: the Client holds x and sends q = Q(x); the Server holds y and returns a = A(q,y); the Client computes Dec(a) = f(x,y).]

Succinct Computation

• Computing f(x,y)

• One round of interaction

• Communication Complexity

• |q| +|a| = O(poly(log(|x|), log(|y|), |f(x,y)|, s))

• Or linear in |f(x,y)|

• Computational setting

• Client side

• For any x, x’, Q(x) and Q(x’) are indistinguishable

• Server side

• Simulator S, simulates A(x,y) given x and f(x,y)

• Server’s input is a database

• Client’s input is a query

• Private information retrieval (PIR)

• f(i, (x1,x2,…,xn)) = xi

• Private Keyword search (PKS)

f(w, {(x1,v1),…,(xn,vn)}) = va if there is an xa = w, and ⊥ otherwise

• PIR / SPIR

• [KO97], [Lipmaa05], …

• One-round, sublinear communication

• PKS

• [FIPR05]

• One-round, polylog(n) communication

• PIR and homomorphic encryption

• General MPC

• Not efficient

• Circuits with look-up tables [NN01]

• Communication efficient

• High round complexity

• One-round secure computation [CCKM00]

• Round efficient

• High comm.

• Computing BP on encrypted data [IP07]

• Independent work

• Round and communication efficient

• Strong assumption

• Interval Labeling

• f(b, (x1,x2,…,xn,v1,…,vn)) = vi such that b ∈ (xi, xi+1]

• Element Rank

• Add x0 = -∞ and xn+1=+∞

• vi = i

• Applications

• Ranking in auctions

• Online testing services

• Use to design other protocols

• b, x1, x2, …, xn ∈ {0,1}^k

• Run a PKS for every prefix of b

• jth query = j-bit prefix of b

• Create and use a database D

[Figure: binary prefix tree with 0/1 edge labels, leaves x1 to x4 and subtree labels v0 to v4.]

Interval Labeling Protocol

D = {(000,v0),(001,v1),(0100,v1) , (0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)}


b = 1000

Queries: b1 = 1, b2 = 10, b3 = 100, b4 = 1000

• Database D, where |D| ≤ 2kn

• Prefixes of xi’s and/or their siblings

• For every 1 ≤ j ≤ k, let w be the j-bit prefix of xi, and let w’ be w with its last bit flipped:

• Add (w, vi) to D if [w||0^(k-j), w||1^(k-j)] ⊆ [xi, xi+1], but not true for w’

• Add (w’, vi) to D if [w’||0^(k-j), w’||1^(k-j)] ⊆ [xt, xt+1], but not true for w

• ri = PKS_A(bi, D) for 1 ≤ i ≤ k

• Randomly permute (r1, r2, …, rk) and send

• Decode; retrieve the only ri ≠ ⊥ in the list

• One round, polylog(n) communication

• Reduced to PKS
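The construction and query steps above, as an added example that is not from the original slides. It builds D as the set of maximal prefixes covering each interval (xi, xi+1] (an assumed reading of the slide's rule), uses a plain dictionary lookup as a stand-in for PKS (so it shows the reduction's logic, not its privacy), and uses constructed boundary points chosen so that D matches the slide's database.

```python
import random

def prefix_cover(lo, hi, k):
    """Maximal bit-prefixes whose k-bit completions all lie in [lo, hi]."""
    out = []
    while lo <= hi:
        size = 1  # number of k-bit strings under the current prefix
        while size * 2 < (1 << k) and lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        j = k - (size.bit_length() - 1)  # prefix length in bits, always >= 1
        out.append(format(lo >> (k - j), f"0{j}b"))
        lo += size
    return out

def build_database(xs, labels, k):
    """Map each covering prefix of (x_i, x_{i+1}] to v_i, with x_0 = -inf and x_{n+1} = +inf."""
    bounds = [-1] + sorted(xs) + [(1 << k) - 1]
    return {p: v for i, v in enumerate(labels)
            for p in prefix_cover(bounds[i] + 1, bounds[i + 1], k)}

def pks(db, w):
    """Stand-in for one private keyword search (assumption: NOT private); None plays the role of ⊥."""
    return db.get(w)

def interval_label(db, b, k, rng=None):
    bits = format(b, f"0{k}b")
    replies = [pks(db, bits[:j]) for j in range(1, k + 1)]  # j-th query = j-bit prefix of b
    (rng or random.Random(0)).shuffle(replies)              # permuted before sending, as on the slide
    hits = [r for r in replies if r is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one non-⊥ reply")
    return hits[0]

# Constructed inputs: k = 4 and boundary points chosen so that D equals the slide's database.
K = 4
XS = [0b0001, 0b0100, 0b1001, 0b1011]
LABELS = ["v0", "v1", "v2", "v3", "v4"]
SLIDE_D = {"000": "v0", "001": "v1", "0100": "v1", "0101": "v2",
           "011": "v2", "100": "v2", "101": "v3", "11": "v4"}

if __name__ == "__main__":
    D = build_database(XS, LABELS, K)
    print(D == SLIDE_D, interval_label(D, 0b1000, K))
```

Passing labels 0, 1, …, n instead of v0, …, vn turns the same code into the element rank function.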

• Private Rectangle Labeling

• Which rectangle is query point in?

• Extension to higher dimensions

• One round

• Private Range Queries

• Retrieve all the points in the range

• On a line or in a plane

• Constant round

• Comm. proportional to number of retrieved points

• mth ranked element

• Alice holds database A

• Bob holds database B

• Find mth ranked element in (A ∪ B)

• [AMP04], O(log(m)) rounds, and sublinear comm.

• We use our rank protocol as subprotocol

• O(log(log(m))) rounds

• Still sublinear comm.

PKS to PIR

f(w, {(x1,v1),…,(xn,vn)}) = va if there is an xa = w, and ⊥ otherwise

• [FIPR05]

• Database

• Hash function h : {0,1}n → {0,1}n/log(n)

• Hash keywords (xi’s) to n/log(n) bins

• Create degree log(n) polynomials for each bin

• Client

• Compute h(w)

• Send E(h(w)), E(h(w)^2), …, E(h(w)^log(n))

• Database evaluates all polynomials at h(w)

• Client gets one result via PIR

• Assumption: One-round PIR

• Replace polynomials with Yao’s garbled circuit

• Circuit of size O(polylog(n))

• Yao’s protocol

• Pseudorandom function, OT

• Can be reduced to one-round PIR

• [CMO00], [BIKM99]

• One-round PKS one-round PIR

• One-round Rank one-round PKS

• Succinct Computation of

• Branching programs (not length-bounded)

• General circuits

• Reduction to one-round PIR

• Any special functionality

• Decision trees

• Branching programs