an Ω(n 1/3 ) lower bound for bilinear group based private information retrieval alexander razborov...
TRANSCRIPT
An An ΩΩ(n(n1/31/3) Lower Bound for ) Lower Bound for Bilinear Group Based Bilinear Group Based
Private Information RetrievalPrivate Information Retrieval
Alexander Razborov Sergey YekhaninAlexander Razborov Sergey Yekhanin
Private Information Retrieval [CGKS]Private Information Retrieval [CGKS]
1 ≤ i ≤ n
• D is a binary string of length n.• k non-communicating servers hold the same database D.• User holds index i and wants to retrieve Di.• Each individual server should get no information about i.• Goal: Minimize communication complexity!
D
D::
PIR: progressPIR: progress
kk Lower boundLower bound Upper boundUpper bound
11 ΘΘ(n) [CGKS](n) [CGKS]
22 5 log n [WdW]5 log n [WdW] O(nO(n1/31/3) [CGKS,BI+IK,WY]) [CGKS,BI+IK,WY]
33 • O(nO(n1/31/3) [CGKS]) [CGKS]
• O(nO(n1/51/5) [A]) [A]
• O(nO(n1/5.251/5.25) [BIKR]) [BIKR]
• O(nO(n1/32,582,6581/32,582,658) [Y]) [Y]
• nnO(1/log log n)O(1/log log n) [Y] [Y]
2 server case: restricted lower bounds2 server case: restricted lower bounds
[Itoh][Itoh] ΩΩ(n(n1/41/4)) Servers return affine Servers return affine functions of the queriesfunctions of the queries
[GKST][GKST][WdW][WdW]
ΩΩ((nn1/(s+1)1/(s+1))) User reads at most s bits User reads at most s bits from servers’ responsesfrom servers’ responses
This This workwork
ΩΩ(n(n1/31/3)) Bilinear group based PIR Bilinear group based PIR schemesschemes
• Models are incomparable• Each model captures all known PIR schemes
Plan of the talkPlan of the talk
• An example PIR scheme [WY]An example PIR scheme [WY]
• Statement of our lower boundStatement of our lower bound
• Our techniqueOur technique
Example PIR: algebraizationExample PIR: algebraization
11 00 11 …… 00 11 11
PFwantsFP mq ,
1 ≤ i ≤ n, wants Di. D=
• Database D[n] is represented by a cubic multivariate polynomial F(x1,…, xm) over a finite field Fq
• Polynomial is in m=n1/3 variables
• For every i there is a point Pi such that Di=F(Pi)
],...,[),...,( 11 mqm xxFxxF
Example PIRExample PIR
PVP 1
VP 4
}|{ qFVPL
.: randomatuniformlyVPicksUser
VPSU hh :
)(: VPFSU hh
• Privacy, O(n1/3) communication, correctness
• The scheme requires at least 4 servers
• Note: the communication is unbalanced
Example PIRExample PIR
VPmVP
hh
hhx
F
x
FVPFSU
,...,),(:1
PVP 1
VP 2
}|{ qFVPL
.: randomatuniformlyVPicksUser
VPSU hh :
Privacy, O(n1/3) communication, correctness …
Example PIRExample PIR
)()0( PFf
).(),(),(),( 2'
2'
21 ffff
Correctness:
User reconstructs values of derivatives of
from the values of partial derivatives of
User learns: Reconstructs:
)()( fVPF
),...,( 1 mxxF
m
ii
VPi
Vx
FVPFf
hhh 1
.)(
Key properties of example PIRKey properties of example PIR
Servers represent database D by a Servers represent database D by a function on a groupfunction on a group, , and user can retrieve the function value at any group and user can retrieve the function value at any group element (including elements that do not correspond to element (including elements that do not correspond to database bits).database bits).
User computes the User computes the dot product of servers’ responsesdot product of servers’ responses to to obtain Dobtain Dii..
These properties are common to all known PIR These properties are common to all known PIR schemes.schemes.
Our resultOur result
Theorem: Every bilinear group based PIR Theorem: Every bilinear group based PIR protocol requires protocol requires ΩΩ(n(n1/31/3) communication) communication
– Bilinear: user outputs dot product of servers’ Bilinear: user outputs dot product of servers’ responsesresponses
– Servers represent database by a function on a finite Servers represent database by a function on a finite group G and user can retrieve function values at group G and user can retrieve function values at arbitrary group elements using the natural secret arbitrary group elements using the natural secret sharing based on G.sharing based on G.
Our techniqueOur technique
• Combinatorial view of PIRCombinatorial view of PIR
• Specialization to bilinear PIRSpecialization to bilinear PIR
• Specialization to bilinear group based PIRSpecialization to bilinear group based PIR
• Algebraic problemAlgebraic problem
Combinatorial view of PIRCombinatorial view of PIR
Notion – Generalized Latin Square S[n, T]:Notion – Generalized Latin Square S[n, T]:
xx11 xx22 xx33
xx11 xx22 xx33
xx22 xx33 xx11
xx33 xx11 xx22
xx33 xx11 xx22
• Square of size T by TSquare of size T by T
• n variablesn variables
• Every variable appears Every variable appears once in every row/columnonce in every row/column
Combinatorial view of PIRCombinatorial view of PIR
Notion – Embedding of matrices:Notion – Embedding of matrices:
Let SLet S∈∈{0,1}{0,1}T T ╳╳ TT A∈ A∈{0,1}{0,1}L L ╳ ╳ LL. S embeds into A if there exist two . S embeds into A if there exist two embedding mapsembedding maps r,c :[T]→[L] such that for all j,k [T]: ∈ r,c :[T]→[L] such that for all j,k [T]: ∈SSjkjk=A=Ar(j)c(k)r(j)c(k)
11 00
11 11
00 00 00 00 11
00 00 11 11 11
00 00 11 00 11
11 11 00 11 00
11 11 11 11 11
Combinatorial view of PIRCombinatorial view of PIR
Theorem: PIR schemes with Theorem: PIR schemes with tt long long queries and queries and rr long answers are long answers are equivalentequivalent** to pairs of matrices to pairs of matrices SSAA such that:such that:– SS is Generalized Latin Square [ is Generalized Latin Square [nn, , 22tt]]
– AA is a binary square matrix of size is a binary square matrix of size 22rr
– For every {0,1} assignment to variables For every {0,1} assignment to variables xxii SS can be completed to a {0,1} matrix can be completed to a {0,1} matrix
that embeds intothat embeds into A A..
xx11 xx22 xx33
xx11 xx22 xx33
xx22 xx33 xx11
xx33 xx11 xx22
xx33 xx11 xx22
00 11 00 00 11 00
11 11 00 00 11 00
11 00 00 00 11 11
00 11 00 11 00 00
11 00 00 00 11 11
11 00 11 11 00 00
Combinatorial view of PIR: Proof Combinatorial view of PIR: Proof
Given SGiven SA we construct a PIR protocol: A we construct a PIR protocol:
Servers obtain the embedding maps r,c:Servers obtain the embedding maps r,c:[T]→[L] [T]→[L] • U : Randomly picks j,kU : Randomly picks j,k [T] such that S∈[T] such that S∈ jkjk=i =i • U→SU→S1 1 : j: j• U→SU→S2 2 : k: k• SS11→U : r(j)→U : r(j)• SS11→U : c(k)→U : c(k)• U: Outputs AU: Outputs Ar(j)c(k)r(j)c(k)
Communication complexity, correctness, privacyCommunication complexity, correctness, privacy
Combinatorial view of bilinear PIRCombinatorial view of bilinear PIR
Theorem: Bilinear PIR schemes with Theorem: Bilinear PIR schemes with tt long queries and long queries and rr long answers are long answers are equivalentequivalent** to to 22tt by by 22tt matrices S matrices S that are:that are:– Generalized Latin Squares [Generalized Latin Squares [nn, , 22tt]]
– For every {0,1} assignment to For every {0,1} assignment to variables xvariables xii can be completed to F can be completed to F22
rank ≤ rank ≤ rr..
xx11 xx22 xx33
xx11 xx22 xx33
xx22 xx33 xx11
xx33 xx11 xx22
xx33 xx11 xx22
Bilinear PIR schemes SSAA have A=Hr
Specialization to group based PIRSpecialization to group based PIR
Notion - Matrix S respects the structure of a finite group GNotion - Matrix S respects the structure of a finite group G
Example: G=ZExample: G=Z5 5 (circulant matrices)(circulant matrices)
00 11 22 33 44
00 00 11 00 00 11
11 11 00 00 11 00
22 00 00 11 00 11
33 00 11 00 11 00
44 11 00 11 00 00
00 11 22 33 44
00 11 00 00 11 11
11 00 00 11 11 11
22 00 11 11 11 00
33 11 11 11 00 00
44 11 11 00 00 11
Specialization to group based PIRSpecialization to group based PIR
22nn different databases yield 2 different databases yield 2nn different low different low rank completions of a GLS S[n, 2rank completions of a GLS S[n, 2tt].].
In group based PIR over a group G schemes In group based PIR over a group G schemes all such completions respect the structure all such completions respect the structure of Gof G
We use representation theory to count the We use representation theory to count the total number A(G,r) of rank total number A(G,r) of rank ≤ ≤ r matrices r matrices respecting the group structurerespecting the group structure
00 xx11 xx22 11 xx33
xx11 xx22 11 xx33 00
xx22 11 xx33 00 xx11
11 xx33 00 xx11 xx22
xx33 00 xx11 xx22 11
Algebraic problemAlgebraic problem
A(G,r) can be defined in algebraic terms:A(G,r) can be defined in algebraic terms:
The upper bound proof requires modular (i.e. non-The upper bound proof requires modular (i.e. non-semisimlpe) representation theory and yields:semisimlpe) representation theory and yields:
A(G,r) ≤ 2A(G,r) ≤ 2(log G)*r(log G)*r22
n ≤ (log G) * rn ≤ (log G) * r22
})dim(|][{),( 2 rGFrGA
Open problemsOpen problems
• Can our technique be extended to a lower Can our technique be extended to a lower bound for bilinear PIR?bound for bilinear PIR?
• Can our technique be used to establish a Can our technique be used to establish a connection to matrix rigidity?connection to matrix rigidity?