Public Key Encryption that Allows PIR Queries

Public Key Encryption that Allows PIR Queries

Dan Boneh 、 Eyal Kushilevitz 、Rafail Ostrovsky and William E. Skeith

Crypto 2007

Private Information Retrieval (PIR)

x=x1,x2 , . . ., xn {0,1}n

SERVER

i {1,…n}

xi

USER

i j

?

7

43

n

PIR

• allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving.

• existing PIR solutions– retrieving a (plain or encrypted) record of

the database by address– search by keyword in a non-encrypted data

Query

Answer

Outline

• Introduction

• Tools: – Bloom Filter– Modifying Encrypted Data in a

Communication Efficient Way

• Definition

• Main Construction

Introduction

• Interesting in:– communication-efficient– complete privacy.

• Technique:– Receiver: creates a public key .– Sender: message M is accompanied by an

“encoded” list of keywords .

Bloom Filters

• Basic idea:

Sa

mhi *1,0:

h1(a)

h2(a)

h3(a)

hk(a)

T 0111

1

…

…

…

…

…

2 3 4 5 6 m…

0 1 1

Suppose Sa

Bloom Filters (cont.)

• What to store :– certain element is in a set– value which are associated to the element

in the set.

• Definition. As same to above. But together with a collection of sets, ,where . Then to insert a pair (a, v) into this structure, v is added to for all . The set of values associated with is simply .

Vv

mijB

1 VB j

][ki

Sa)(ahi

B

ki ahiB

)(

h1(a1)

h2(a2)

hk(ak)

Insert (a1, v1) then (a2, v2) … check

V1

V1

V1

B1

B2

B3

Bm

…….

…….

V1 ,V2

V1

V2

V3

V2 ,V3

V1 ,V3

h1(a1)

h2(a2)

hk(ak)

…….

{V1 ,V2}

{V1}

{V1 ,V3}

∩

∩

||

V1

Modifying Encrypted Data in a Communication Efficient Way• Based on group homomorphic encryption with

communication O(√n).• Technique :

– : database (not encrypted)– (i*,j*): the position of particular element – α: the value we want to add.– v , w: two vector of length √n where

– Here δkl = 1 when k=l and 0 otherwise– Then

n

jiijx 1,

*iiiv *jjjw

otherwise

jjiiifwv ji

0

)( **

Modifying Encrypted Data in a Communication Efficient Way (cont.)• Parameters:

– (K, E, D): a CPA-secure public-key encryption

– : an array of ciphertexts which is held by a party S.

– Define F(X, Y, Z)=X+YZ. By our assumption, there exists some such that

ulll xEc 1)(

F~

),,()))(),(),((~

( zyxFzEyExEFD

Modifying Encrypted Data in a Communication Efficient Way (cont.)• Protocol: ModifyU,S(l, α) where l and α are p

rivate input to U.1. U compute i*, j* as the coordinates of l (i.e., i* and

j* are quotient and remainder of l/n, respectively)

2. U sends to S where all values are encrypted under Apublic.

3. S computes for all , and replaces each cij with the corresponding resulting ciphertext.

n

jjjj

n

iiii EwEv11

)(,)( **

),,(~

jiij wvcF nji ,

Definition

• Parameters:– X: message sending parties.

– Y: message receiving party.

– S: server/storage provider.

• Definition 1:probabilistic polynomial time algorithms and protocols:– KeyGen(1S)

– SendX,S(M, K, Apublic)

– RetrieveY,S(w, Aprivate)

Main Construction

• S maintains in its storage space encryptions of the buffers, denote these encryptions

• For , we defined

• KeyGen(k) :Run K(1s), generate Apublic and Aprivate.

mjjB

1

*1,0w kiwhH iw )(

SendX,S(M, K, Apublic)

KMME publicA )(

)(MEStorage ProviderSender

MessageBuffer

wHjjB

Bloom FilterBuffer

ρ

ρ

)(ME

γ copies of the address ρ

ρ

ρ

ρ

ρ

ModifyX,S(x, α)

RetrieveY,S(w, Aprivate)

wHjjB

ww

HjjDec

Hjj BB

Receiver

Storage Provider

PIR Query

ww Hjj

compute

Hj j BBL

wHjjB

MessageBuffer

Bloom FilterBuffer

PIR Query

LMEpo

int)(

)(ME

))(( MEDM privateA

Modifyy,S(x, α)