Multi-Query Computationally-PrivateInformation Retrieval with ConstantCommunication Rate

Jens Groth, University College LondonAggelos Kiayias, University of AthensHelger Lipmaa, Cybernetica AS and Tallinn University

Information retrieval

Client Server

i x1,...,xn

xi

Privacy

Client Server

i

Index i ?

Example of a trivial PIR protocol

i x1,...,xn

xi

x1,...,xn

Perfectly private:Client reveals nothing

Communication: nℓ bits with ℓ-bit records

Communicationbits nℓ Trivial protocolO(nk1/-1ℓ) Kushilevitz-Ostrovsky 97O(kℓ) Cachin-Micali-Stadler 99O(k log2n+ℓlog n) Lipmaa 05O(k+ℓ) Gentry-Ramzan 05

Database size: n records Record size: ℓ bitsSecurity parameter: k bits (size of RSA modulus)

Multi-query information retrieval

Client Server

i1,...,im x1,...,xn

xi1,...,xim

Privacy

Client Server

i1,...,im

i1,...,im?

Our contributionLower bound (information theoretic):

(mℓ+m log(n/m)) bitsUpper bound (CPIR protocol):

O(mℓ+m log(n/m)+k) bits

Lower bound (mℓ+m log(n/m)) bitsClient Server

i1,...,im x1,...,xn

xi1,...,xim

Client and server have unlimited computational power We do not require protocol to be private

We assume perfect correctnessWe assume worst case indices and records

Lower bound for 2-move CPIR

Client Server

i1,...,im x1,...,xn

xi1,...,xim

Query: possible indices (m log(n/m))Response: m records (mℓ)

Lower bound for many-move CPIR

Client Server

i1,...,im x1,...,xn

xi1,...,xim

Proof overview:At loss of factor 2 assume 1-bit messages exhangedView function as tree with client at leaf choosing an outputWe will prove the tree has at least (leaf, output) pairs

C(i1,...,im)

S(x1,...,xn,0) S(x1,...,xn,1)

C(i1,...,im,0,0) C(i1,...,im,0,1) C(i1,...,im,1,0) C(i1,...,im,1,1)

0 1 0 1

0 1

xi1,...,xim

Input to the tree-function: I=(i1,...,im) and X=(x1,...,xn)

Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output

Define F = { (I,X)=(i1,...,im,x1,...,xn) | xi=1ℓ if i I and else xi=0ℓ}If (I,X) F and (I´,X´) F then (I,X´) F

This means each (I,X) F leads to different (leaf,output) pair

For each (I,X) F the output is 1ℓ,...,1ℓThere are pairs in F, so the tree must have leaves

This means the height is at least log ≥ m log(n/m)

So the client and server risk sending ½m log(n/m) bits

For the general case we then get a lower bound of max(mℓ, ½m log(n/m)) = (mℓ+m log(n/m)) bits

Four cases

23

41ℓ=log(n/m)

m=n/9m=k2/3

Trivial PIR (nℓ bits)

Tool: Restricted CPIR protocol

Perfect correctnessConstant >0 (e.g. =1/25) so CPIR with k bits of communication for parameters satisfying

m = poly(k), n = poly(k), ℓ = poly(k)

mℓ+m log n k

Example: Gentry-Ramzan CPIR

Primes: p1,…,pn |pi| = O(log n)

Prime powers: 1,…,n |i| > ℓQuery: select N, g such that i1

…im | ord(g)

Response: c = gx mod N where x = xi mod i for i=1,…,n

Extract: (cord(g)/i1…im) = (gord(g)/i1…im)x

compute x mod i1…im

extract xi1,…,xim

Three remaining cases

23

4ℓ=log(n/m)

m=n/9m=k2/3

Restricted CPIR mℓ+m log n k θ(ℓm/k) m-n CPIR with record size θ(k/m) in parallel

Two remaining cases

3

4ℓ=log(n/m)

m=n/9m=k2/3

mℓ’-out of-nℓ’ CPIR with record sizelog(n/m)ℓ’ = ℓ/log(n/m)

One remaining case

3ℓ=log(n/m)

m=n/9m=k2/3

Restricted CPIR mℓ+m log n k

Block-wise extraction

Res-CPIR Res-CPIR Res-CPIR Res-CPIR

The problemUniform distribution of queries?

solvable through database permutation based on client seed.

If ℓ = (log n) we could use block-wise repetition of the restricted CPIR on size w blocks of the database for mℓ+m log n kw resulting in total communication kw which is optimal.But if ℓ is small (& m is large), we may loose a multiplicative factor (mℓ+m log n)/(mℓ+m log(n/m)) = 1+log m/(ℓ+log(n/m)) by block-wise repetition of the restricted CPIR

Solution

x1,x2,x3 x4,x5,x6 x7,x8,x9

Restricted CPIR mℓ+m log n k

(x1,x2)(x1,x3)(x2,x3)

(x4,x5)(x4,x6)(x5,x6)

(x7,x8)(x7,x9)(x8,x9)

aℓ-bit records

ℓ’=aℓ, m’=m/a, n’= n/a

Summary

Lower bound: (mℓ+m log(n/m)) bitsCPIR protocol: O(mℓ+m log(n/m)+k) bits

Client Server

i1,...,im x1,...,xn

xi1,...,xim

Multi-Query Computationally-PrivateInformation Retrieval with ConstantCommunication Rate

Jens Groth, University College LondonAggelos Kiayias, University of AthensHelger Lipmaa, Cybernetica AS and Tallinn University