Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate
Jens Groth, University College London; Aggelos Kiayias, University of Athens; Helger Lipmaa, Cybernetica AS and Tallinn University
Information retrieval
Client Server
i x1,...,xn
xi
Privacy
Client Server
i
Index i ?
Example of a trivial PIR protocol
i x1,...,xn
xi
x1,...,xn
Perfectly private: Client reveals nothing
Communication: nℓ bits with ℓ-bit records
Communication (bits) by protocol:
nℓ: Trivial protocol
O(nk1/-1ℓ): Kushilevitz-Ostrovsky 97
O(kℓ): Cachin-Micali-Stadler 99
O(k log² n + ℓ log n): Lipmaa 05
O(k+ℓ): Gentry-Ramzan 05
Database size: n records
Record size: ℓ bits
Security parameter: k bits (size of RSA modulus)
Multi-query information retrieval
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Privacy
Client Server
i1,...,im
i1,...,im?
Our contribution
Lower bound (information theoretic): (mℓ+m log(n/m)) bits
Upper bound (CPIR protocol): O(mℓ+m log(n/m)+k) bits
Lower bound (mℓ+m log(n/m)) bits
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Client and server have unlimited computational power
We do not require protocol to be private
We assume perfect correctness
We assume worst case indices and records
Lower bound for 2-move CPIR
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Query: possible indices (m log(n/m))
Response: m records (mℓ)
Lower bound for many-move CPIR
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Proof overview:
At loss of factor 2 assume 1-bit messages exchanged
View function as tree with client at leaf choosing an output
We will prove the tree has at least (leaf, output) pairs
C(i1,...,im)
S(x1,...,xn,0) S(x1,...,xn,1)
C(i1,...,im,0,0) C(i1,...,im,0,1) C(i1,...,im,1,0) C(i1,...,im,1,1)
0 1 0 1
0 1
xi1,...,xim
Input to the tree-function: I=(i1,...,im) and X=(x1,...,xn)
Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output
Define F = { (I,X)=(i1,...,im,x1,...,xn) | xi=1^ℓ if i I and else xi=0^ℓ }
If (I,X) F and (I´,X´) F then (I,X´) F
This means each (I,X) F leads to different (leaf,output) pair
For each (I,X) F the output is 1^ℓ,...,1^ℓ
There are pairs in F, so the tree must have leaves
This means the height is at least log ≥ m log(n/m)
So the client and server risk sending ½m log(n/m) bits
For the general case we then get a lower bound of max(mℓ, ½m log(n/m)) = (mℓ+m log(n/m)) bits
Four cases
Cases 1, 2, 3, 4 (regions bounded by ℓ=log(n/m), m=n/9, m=k^(2/3))
Trivial PIR (nℓ bits)
Tool: Restricted CPIR protocol
Perfect correctness
Constant >0 (e.g. =1/25) so CPIR with k bits of communication for parameters satisfying
m = poly(k), n = poly(k), ℓ = poly(k)
mℓ+m log n k
Example: Gentry-Ramzan CPIR
Primes: p1,…,pn |pi| = O(log n)
Prime powers: 1,…,n |i| > ℓ
Query: select N, g such that i1…im | ord(g)
Response: c = g^x mod N where x = xi mod i for i=1,…,n
Extract: c^(ord(g)/i1…im) = (g^(ord(g)/i1…im))^x
compute x mod i1…im
extract xi1,…,xim
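The Gentry-Ramzan steps above (query, response, extract) as an added toy run in Python; this is not code from the slides or the paper. The parameters are constructed and far too small for any privacy, `POWERS[j]` stands for the j-th prime power, the requested indices are assumed distinct, and the client recovers each requested record separately with a brute-force discrete log in a subgroup of prime-power order.

```python
# Toy run of the scheme sketched above. Constructed parameters, no security.
from math import gcd, prod

ELL = 4                                   # record size in bits (toy value)
PRIMES = [3, 5, 7, 11, 13, 17]            # p_1..p_n, one small prime per record
POWERS = [next(p**e for e in range(1, 9) if p**e > 2**ELL) for p in PRIMES]

def is_prime(q):
    return q > 1 and all(q % d for d in range(2, int(q**0.5) + 1))

def prime_with(h):
    """Smallest prime Q such that h divides Q - 1."""
    return next(q for t in range(1, 10**5) if is_prime(q := 2 * t * h + 1))

def encode(db):
    """Server: CRT-encode the records, x = db[j] mod POWERS[j] for every j."""
    x, mod = 0, 1
    for rec, pw in zip(db, POWERS):
        x += mod * ((rec - x) * pow(mod, -1, pw) % pw)
        mod *= pw
    return x

def query(indices):
    """Client: N and g with ord(g) = pi, the product of the selected prime powers."""
    halves = [prod(POWERS[i] for i in indices[b::2]) for b in (0, 1)]
    q1, q2 = prime_with(halves[0]), prime_with(halves[1])
    n_mod, pi = q1 * q2, halves[0] * halves[1]
    lam = (q1 - 1) * (q2 - 1) // gcd(q1 - 1, q2 - 1)   # exponent of Z_N^*
    for a in range(2, n_mod):
        g = pow(a, lam // pi, n_mod)
        if pow(g, pi, n_mod) == 1 and all(pow(g, pi // PRIMES[i], n_mod) != 1 for i in indices):
            return n_mod, g, pi           # (N, g) go to the server; pi stays secret

def respond(n_mod, g, db):
    """Server: a single group element, c = g^x mod N."""
    return pow(g, encode(db), n_mod)

def extract(c, n_mod, g, pi, indices):
    """Client: c^(ord(g)/POWERS[i]) = (g^(ord(g)/POWERS[i]))^x fixes x mod POWERS[i] = x_i."""
    out = []
    for i in indices:
        e = pi // POWERS[i]
        hi, ci = pow(g, e, n_mod), pow(c, e, n_mod)   # hi has order POWERS[i]
        out.append(next(r for r in range(POWERS[i]) if pow(hi, r, n_mod) == ci))
    return out
```

The server's reply is one element of Z_N regardless of how many records the client asked for, which is the property the restricted CPIR relies on.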
Three remaining cases
Cases 2, 3, 4 (regions bounded by ℓ=log(n/m), m=n/9, m=k^(2/3))
Restricted CPIR mℓ+m log n k θ(ℓm/k) m-n CPIR with record size θ(k/m) in parallel
Two remaining cases
Cases 3, 4 (regions bounded by ℓ=log(n/m), m=n/9, m=k^(2/3))
mℓ’-out-of-nℓ’ CPIR with record size log(n/m)
ℓ’ = ℓ/log(n/m)
One remaining case
Case 3 (region bounded by ℓ=log(n/m), m=n/9, m=k^(2/3))
Restricted CPIR mℓ+m log n k
Block-wise extraction
Res-CPIR Res-CPIR Res-CPIR Res-CPIR
The problem
Uniform distribution of queries?
Solvable through database permutation based on client seed.
If ℓ = (log n) we could use block-wise repetition of the restricted CPIR on size w blocks of the database for mℓ+m log n kw resulting in total communication kw which is optimal.
But if ℓ is small (and m is large), we may lose a multiplicative factor (mℓ+m log n)/(mℓ+m log(n/m)) = 1+log m/(ℓ+log(n/m)) by block-wise repetition of the restricted CPIR
Solution
x1,x2,x3 x4,x5,x6 x7,x8,x9
Restricted CPIR mℓ+m log n k
(x1,x2)(x1,x3)(x2,x3)
(x4,x5)(x4,x6)(x5,x6)
(x7,x8)(x7,x9)(x8,x9)
aℓ-bit records
ℓ’=aℓ, m’=m/a, n’= n/a
Summary
Lower bound: (mℓ+m log(n/m)) bits
CPIR protocol: O(mℓ+m log(n/m)+k) bits
Client Server
i1,...,im x1,...,xn
xi1,...,xim