170 likes | 317 Views
Revisiting the Computational Practicality of Private Information Retrieval⋆. Femi Olumofin and Ian Goldberg Cheriton School of Computer Science University of Waterloo (2011). Presented by Santiago Vera . Roadmap. Results from the Previous Paper The Goal Introduction & Preliminaries
E N D
Revisiting the Computational Practicality of Private Information Retrieval⋆ Femi Olumofin and Ian Goldberg Cheriton School of Computer Science University of Waterloo (2011) Presented by Santiago Vera
Roadmap • Results from the Previous Paper • The Goal • Introduction & Preliminaries • Related Work • Efficient Single-server PIR (LPIR-A) |Aguilar-Melchor| • Multi-server PIR -First Scheme (MPIR-C) |Chor et al| -Second Scheme (MPIR-G) |Goldberg| -Response Time Measurement Experiment • Comparing the Trivial and Non-Trivial PIR Schemes • Conclusions
Results from the Previous Paper • Explore S-S PIR for client access privacy. • S-S PIR protocol is slower than the trivial transfer of the dB to the client. (Past, Present, Future) • Explore scenarios where S-S PIR protocol my become useful. (high limited bandwidth)
The Goal: • Extendand clarifythe results in the previous paper “On the Computational Practicality of Private Information Retrieval” by Sion, R. & Carbunar, B. since for M-S & new S-S schemes , their results not heavily rely on number theory. • Performance analysis S-S lattice-based scheme [1,2] and 2 M-S Info-Theory PIR schemes [7], [16].
Introduction 1. Data Indices, Search Keywords, orStructured Queries 2. Requirement for user-centric/privacy-preserving systems 3. PIR Provides a mean of retrieval that guarantees access privacy, by preventing the database admin from being able to learn any info about which particular item was retrieved. 4. OR and Mix Networks anonymity of users only PIR content of the queries
Introduction • According to [7], trivial PIR scheme has optimal comm complexity with S-S. • However, a solution of multi-server PIR schemes with sub-linear comm complexity, non- colluding multiple servers hold copies of the dB Scheme bits n=size of the DB, is the # of servers
Is not clear whether the conclusions of Sion and Carbunar also apply to multi-server PIR schemes • M-S PIR schemes will continue to guarantee security and privacy without requiring key size changes (hardware&networks)
How to achieve the Goal? Analytical and experimental techniques: 1. Performance analysis S-S lattice-based scheme [1,2] by using cheaper operations than modular multiplication. (linear algebra (lattices)) 2. 2 M-S Info-Theory PIR schemes [7], [16], no requirement of costly modular arithmetic. Derive upper-bound for query round-trip response times. (2 to 3 orders of magnitude smaller that the trivial PIR)
Preliminaries • Hardware= 2 quad-core/less than $8,000 • Network=Table 1 • Modular Mult= Multi-core CPUs. Measure the time directly by using the Key size from NIST[22]. (1536 bits) • Projections = Moore’s Law : 60% vs. 50% of Nielsen’s Law. Computing capabilities favor Multi-server PIR Schemes rather than S-S PIR schemes
Related Work In PIR schemes: • Comm complexity between the User and Server (s) is the most expensive resource. • Barriers: computational requirement. • Compare Bandwidth cost of trivial PIR to the computation and bandwidth cost of a S-S computational PIR scheme. (Sion&Carbonar) “more efficient”
Efficient S-S PIR (LPIR-A) • By Aguilar-Melchor, most efficient S-S PIR scheme Every PIR scheme consist 3 basic algorithms: Query generation (C) Response encoding (S) Response decoding (C)
Multi-server PIR • Performance analyses of 2 Multi-server PIR scheme [Chor et al.,7], [Goldberg ,16] • Overview of 2 and then compare with S-S schemes and trivial PIR scheme. • [Chor et al.] simplicity & first PIR protocol invented and [Goldberg,16] easy to understand and source availability (Percy++) • User’s privacy=no collusion of servers - DNS -TOR & Anonymous remailers.
Second Scheme (MPIR-G) • Similar to the First Scheme (XOR) • Shamir Secret sharing (Ei L ) (2)
Comparing the Trivial and Non-Trivial PIR Schemes Non-trivial PIR schemes: • The data is tiny vs. size of the dB Comparison with Trivial PIR scheme: LPIR –A is over 10 times faster MPIR-G is 4 times faster MPIR-C is over 10 times faster M-S PIR schemes will become faster than trivial scheme.
Conclusions • Reexamine the computational practicality of PIR • LPIR – A an order of magnitude more efficient than trivial PIR. • 2 M-S PIR schemes to be a further 1 to 2 orders of magnitude more efficient. • This work can help to decide to use PIR or trivial schemes in real world situations, based on computing and network limitations.