Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Post on 28-Mar-2015
214 Views
Preview:
Transcript
Multi-Query Computationally-PrivateInformation Retrieval with ConstantCommunication Rate
Jens Groth, University College London
Aggelos Kiayias, University of Athens
Helger Lipmaa, Cybernetica AS and Tallinn University
Information retrieval
Client Server
i x1,...,xn
xi
Privacy
Client Server
i
Index i ?
Example of a trivial PIR protocol
i x1,...,xn
xi
x1,...,xn
Perfectly private:Client reveals nothing
Communication: nℓ bits with ℓ-bit records
Communication
bits nℓ Trivial protocolO(nk1/-1ℓ) Kushilevitz-Ostrovsky 97O(kℓ) Cachin-Micali-Stadler 99O(k log2n+ℓlog n) Lipmaa 05O(k+ℓ) Gentry-Ramzan 05
Database size: n records Record size: ℓ bitsSecurity parameter: k bits (size of RSA modulus)
Multi-query information retrieval
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Privacy
Client Server
i1,...,im
i1,...,im?
Our contribution
• Lower bound (information theoretic):
(mℓ+m log(n/m)) bits• Upper bound (CPIR protocol):
O(mℓ+m log(n/m)+k) bits
Lower bound (mℓ+m log(n/m)) bitsClient Server
i1,...,im x1,...,xn
xi1,...,xim
Client and server have unlimited computational power We do not require protocol to be private
We assume perfect correctnessWe assume worst case indices and records
Lower bound for 2-move CPIR
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Query: possible indices (m log(n/m))Response: m records (mℓ)
Lower bound for many-move CPIR
Client Server
i1,...,im x1,...,xn
xi1,...,xim
Proof overview:At loss of factor 2 assume 1-bit messages exhangedView function as tree with client at leaf choosing an outputWe will prove the tree has at least (leaf, output) pairs
C(i1,...,im)
S(x1,...,xn,0) S(x1,...,xn,1)
C(i1,...,im,0,0) C(i1,...,im,0,1) C(i1,...,im,1,0) C(i1,...,im,1,1)
0 1 0 1
0 1
xi1,...,xim
Input to the tree-function: I=(i1,...,im) and X=(x1,...,xn)
Observation: If (I,X) and (I´,X´) lead to same leaf and output, then also (I,X´) lead to this leaf and output
Define F = { (I,X)=(i1,...,im,x1,...,xn) | xi=1ℓ if i I and else xi=0ℓ}If (I,X) F and (I´,X´) F then (I,X´) F
This means each (I,X) F leads to different (leaf,output) pair
For each (I,X) F the output is 1ℓ,...,1ℓThere are pairs in F, so the tree must have leaves
This means the height is at least log ≥ m log(n/m)
So the client and server risk sending ½m log(n/m) bits
For the general case we then get a lower bound of max(mℓ, ½m log(n/m)) = (mℓ+m log(n/m)) bits
Four cases
2
3
4
1ℓ=log(n/m)
m=n/9m=k2/3
Trivial PIR (nℓ bits)
Tool: Restricted CPIR protocol
• Perfect correctness• Constant >0 (e.g. =1/25) so CPIR with k bits of
communication for parameters satisfying
• m = poly(k), n = poly(k), ℓ = poly(k)
mℓ+m log n k
Example: Gentry-Ramzan CPIR
Primes: p1,…,pn |pi| = O(log n)
Prime powers: 1,…,n |i| > ℓ• Query: N, g i1
…im | ord(g)
• Response: c = gx mod N x = xi mod i
• Extract: (cord(g)/i1…im) = (gord(g)/i1…im)x
compute x mod i1…im
extract xi1,…,xim
Three remaining cases
2
3
4ℓ=log(n/m)
m=n/9m=k2/3
Restricted CPIR mℓ+m log n k ℓm/k CPIRs with record size k/m in parallel
Two remaining cases
3
4ℓ=log(n/m)
m=n/9m=k2/3
mℓ/log(n/m)-out of-n CPIR with record sizelog(n/m)
One remaining case
3
ℓ=log(n/m)
m=n/9m=k2/3
Restricted CPIR mℓ+m log n k
Parallel extraction
Res-CPIR Res-CPIR Res-CPIR Res-CPIR
The problem
• If ℓ = (log n) we could use parallel repetition of the restricted CPIR for mℓ+m log n k on blocks of the database to get a constant rate
• But if ℓ is small and m is large, we may loose a multiplicative factor (mℓ+m log n)/(mℓ+m log(n/m)) = 1+log m/(ℓ+log(n/m)) by parallel repetition of the restricted CPIR
Solution
x1,x2,x3 x4,x5,x6 x7,x8,x9
Restricted CPIR mℓ+m log n k
(x1,x2)(x1,x3)(x2,x3)
(x4,x5)(x4,x6)(x5,x6)
(x7,x8)(x7,x9)(x8,x9)
aℓ-bit records
ℓ’=aℓ, m’=m/a, n’= n/a
Summary
• Lower bound: (mℓ+m log(n/m)) bits• CPIR protocol: O(mℓ+m log(n/m)+k) bits
Client Server
i1,...,im x1,...,xn
xi1,...,xim
top related