Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin.

Post on 18-Jan-2018



Transcript

Outline
- Introduction
- Common approaches
  - Information-theoretical
  - Computational
- Summary

Private Information Retrieval (PIR): assumptions
- Semi-honest assumption on servers
  - Server is trusted to follow the protocol honestly
  - Server knows every bit of the data
  - Server may record client's requests/queries
- Malicious servers
  - Drop messages
  - Change messages
  - Collude with other parties

Private Information Retrieval (PIR): intro
- Goal: allow user to query database while hiding the identity of the data-items she is after.
- Note: hides identity of data-items; not the existence of interaction with the user.
- Motivation: patent databases; stock quotes; web access; many more...
- Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against the owner of data.)

Modeling
- Server: holds n-bit string x (n should be thought of as very large)
- User: wishes to retrieve x_i and to keep i private
- Remark: it is the most basic version; the building block for involved retrieval.

Trivial Private Protocol
- Server sends entire database x to User.
- Information theoretic privacy.
- Communication: n
- [Figure: SERVER holds x = x_1, x_2, ..., x_n and sends x_1, x_2, ..., x_n to USER, who reads x_i]
- Is this optimal?

Obstacle
- Theorem [CGKS]: In any 1-server PIR with information theoretic privacy the communication is at least n.
- Information theoretic privacy/security: The ciphertext gives no information about the plaintext

More solutions
- User asks for additional random indices.
  - Pick a few random indices to hide the real one
  - Drawback: can be estimated
- Employ general crypto protocols to compute x_i privately.
  - 1-out-N Oblivious Transfer
  - Drawback: highly inefficient (polynomial in n).
- Anonymity (e.g., via Anonymizers).
  - Note: addresses a different problem: hides identity of user; not the fact that x_i is retrieved.

Two Approaches
- Information-Theoretic PIR [CGKS95, Amb97, ...]
  - Replicate database among k servers.
  - Servers do collude.
- Computational PIR [CG97, KO97, CMS99, ...]
  - Computational privacy, based on cryptographic assumptions
  - NP hard to break the approach

Known Communication Upper Bounds
- Multiple servers, information-theoretic PIR:
  - 2 servers, comm. n^(1/3) [CGKS95]
  - k servers, comm. n^(1/Ω(k)) [CGKS95, Amb96, ..., BIKR02]
  - log n servers, comm. Poly(log(n)) [BF90, CGKS95]
- Single server, computational PIR:
  - Comm. Poly(log(n)), n is the # of items
  - Under appropriate computational assumptions [KO97, CMS99]

Approach I: k-Server PIR
- [Figure: user U holding index i; servers S1, S2, ..., Sk each holding x ∈ {0,1}^n]
- Correctness: User obtains x_i
- Privacy: No single server gets information about i

Information-Theoretic 2-Server PIR
- Best Known Protocol: comm. n^(1/3)
- Let's look at an example with comm. cost n^(1/2)
- Two protocols:
  - Protocol I: n bit queries, 1 bit answers
  - Protocol II: n^(1/2) bit queries, n^(1/2) bit answers

Protocol I: 2-server O(n) PIR
- [Figure: user U with index i; servers S1 and S2 each holding the n-bit database; queries Q1 ⊆ {1,...,n} and Q2 = Q1 ⊕ i]
- *User sent O(n) bits

Meaning of Q2 = Q1 ⊕ i
- Q1 is a random subset

Protocol I: 2-server PIR
- *Server replies 1 bit
- a1 ⊕ a2 = x_i

Protocol II: PIR with O(n^(1/2)) Communication
- [Figure: user U with index (j,i); servers S1 and S2 each holding X as an m x m matrix, m = n^(1/2); queries Q1 ⊆ {1,...,m} and Q2 = Q1 ⊕ i]
- a_{1,j} ⊕ a_{2,j} = x_{j,i}
- Arrange the n-bit vector as an n^(1/2) * n^(1/2) matrix
- Apply ex-or sum to each row

Computational PIR with O(n^(1/2)) Comm.
- Based on encryption
- Quadratic Residue (QR)
  - N = p*q, p, q are primes.
  - Q(y, N) = 0 if there exists w such that w^2 = y (mod N); 1 otherwise
- Security: if p, q are unknown, it is computationally impossible to determine Q(y,N). If p, q are known, Q(y,N) can be determined in O(|N|^3)
- Understanding modulo: w^2 = y + k*N, k can be any integer
  - Example: 2^2 = 4 (mod 10), 4^2 = 6 (mod 10)

Example: Quadratic Residue
- E(0) ∈ QR_N
- E(1) ∈ NQR_N
- Properties:
  - QR * QR = QR
  - NQR * QR = NQR
  - For any y, y^2 is QR.

Computational PIR with O(n^(1/2)) Comm.
- [Figure: matrix M with n^(1/2) columns, column b marked]
- Goal: user wants to know entry M(a,b)
1. User picks N = pq and sends N to server
2. User picks uniformly at random s = n^(1/2) numbers, from the set Z={x|1
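
The information-theoretic Protocol II exchange from the transcript (n^(1/2)-bit queries, n^(1/2)-bit answers), written out as an added Python example; it is not code from the original slides. The function names, 0-based indexing and sample database are constructed for illustration, and the operator missing from the extracted "Q 2 =Q 1 i" is assumed to be XOR of the subset Q1 with {i}, following the slide's "ex-or sum".

```python
import math
import secrets

def to_matrix(x):
    """Arrange the n-bit database (n >= 1) as an m x m matrix, m = ceil(sqrt(n)), zero-padded."""
    m = math.isqrt(len(x) - 1) + 1
    padded = list(x) + [0] * (m * m - len(x))
    return [padded[r * m:(r + 1) * m] for r in range(m)], m

def make_queries(col, m):
    """User side: Q1 is a uniformly random subset of the m columns, as a bit mask.
    Q2 is Q1 with column `col` flipped, so Q2 on its own is also uniformly random."""
    q1 = [secrets.randbelow(2) for _ in range(m)]
    q2 = list(q1)
    q2[col] ^= 1
    return q1, q2

def server_answer(matrix, q):
    """Server side: for each row j, XOR the bits in the queried columns (m answer bits)."""
    answers = []
    for row in matrix:
        bit = 0
        for x_bit, selected in zip(row, q):
            bit ^= x_bit & selected
        answers.append(bit)
    return answers

def retrieve(x, index):
    """Run one retrieval of x[index]; returns the bit and the four messages exchanged."""
    matrix, m = to_matrix(x)           # S1 and S2 hold identical replicas
    j, i = divmod(index, m)            # row j, column i, as in x_{j,i}
    q1, q2 = make_queries(i, m)
    a1 = server_answer(matrix, q1)     # S1 sees only q1
    a2 = server_answer(matrix, q2)     # S2 sees only q2
    # Columns present in both masks cancel under XOR, leaving column i of row j.
    return a1[j] ^ a2[j], (q1, q2, a1, a2)

if __name__ == "__main__":
    db = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0]   # constructed 11-bit sample database
    bit, (q1, q2, a1, a2) = retrieve(db, 6)
    print("to S1:", q1, "reply:", a1)
    print("to S2:", q2, "reply:", a2)
    print("x[6] =", bit)
```

Each mask alone is uniformly distributed, which matches the transcript's privacy requirement that no single server gets information about i; the two masks together differ in exactly column i.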
