250 likes | 515 Views
Private Information Retrieval. Amos Beimel – Ben-Gurion University http://www.cs.bgu.ac.il/~beimel Tel-Hai, June 4, 2003 This talk is based on talks by: Yuval Ishai, Eyal Kushilevitz, Tal Malkin. Private Information Retrieval (PIR) [CGKS95].
E N D
Private Information Retrieval Amos Beimel – Ben-Gurion University http://www.cs.bgu.ac.il/~beimel Tel-Hai, June 4, 2003 This talk is based on talks by: Yuval Ishai,Eyal Kushilevitz, Tal Malkin
Private Information Retrieval (PIR) [CGKS95] • Goal: allow user to query database while hiding the identity of the data-items she is after. • Note: hides identity of data-items; not existence of interaction with the user. • Motivation: patent databases; stock quotes; web access; many more.... • Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against owner of data.)
Modeling • Server: holds n-bit string x n should be thought of as very large • User: wishes • to retrieve xi and • to keepi private • Remark: most basic version; building block for involved retrieval.
Private Information Retrieval (PIR) n ? 4 3 7 i j i{1,…n} xi x=x1,x2 , . . ., xn {0,1}n USER SERVER
Non-Private Protocol i{1,…n} xi NO privacy!!! Communication: log n i x =x1,x2 , . . ., xn SERVER USER
Trivial Private Protocol x1,x2 , . . ., xn Server sends entire database x to User. Information theoretic privacy. Communication:n x =x1,x2 , . . ., xn xi SERVER USER Is this optimal?
Obstacle Theorem [CGKS]: In any 1-server PIRwith information theoretic privacy the communication is at least n.
More “solutions” • User asks for additional random indices. Drawback: reveals a lot of information • Employ general crypto protocols to compute xi privately. Drawback: highly inefficient (polynomial in n). • Anonymity (e.g., via Anonymizers). Note: different concern: hides identity of user; not the fact that xi is retrieved.
Two Approaches Information-Theoretic PIR[CGKS95,Amb97,...] Replicate database among k servers. Unconditional privacy against tservers. Default: t=1 Computational PIR[CG97,KO97,CMS99,...] Computational privacy,based oncryptographic assumptions.
Multiple servers, information-theoretic PIR: 2 servers, comm. n1/3[CGKS95] k servers, comm. n1/(k)[CGKS95, Amb96,…,BIKR02] log nservers, comm.Poly( log(n) )[BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99] Known Comm. Upper Bounds
U ApproachI: k-Server PIR x {0,1}n S1 i Correctness: User obtains xi Privacy: No single server gets information about i x{0,1}n S2 x{0,1}n Sk
Information-Theoretic 2-Server PIR • Best Known Protocol: comm. n1/3 [CGKS95] • Open Question: Is this optimal? • This Talk: comm. n1/2 Two Stages: • Protocol I: n bit queries, 1 bit answers • Protocol II: n1/2bit queries, n1/2 bit answers
Protocol I: 2-server PIR n 0 1 0 0 1 1 0 1 0 0 1 0 S1 S2 i Q2=Q1 i Q1{1,…,n} i U
Protocol I: 2-server PIR n 0 0 1 0 0 1 1 0 1 0 0 1 0 S1 S2 i Q2=Q1 i Q1{1,…,m} i U
a1a2=xi Protocol I: 2-server PIR n 0 0 1 0 0 1 1 0 1 0 0 1 0 1 S1 S2 i Q2=Q1 i Q1{1,…,n} i U
j,i i U PIR with O(n1/2) Communication m=n1/2 m=n1/2 X S1 S2 j Q2=Q1 i Q1{1,…,m} a1,ja2,j=xj,i
b b’ b b’ = Example Quadratic Residue: E(0) QRN E(1) NQRN QR QR = QR NQR QR = NQR Computational PIR with O(n1/2) Comm. Tool: (randomized) homomorphic encryption
Computational PIR with O(n1/2) Comm. n1/2 0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1 n1/2 j i • User sends n1/2 encryptions c1 =E(0), c2 =E(0), c3=E(1), c4 =E(0) • For each row Server sends a “bit” c2c3 c1 c2c3 c1c2 c4 • User recovers ith column of x
PIR – Related Work • Extensions: • Symmetric PIR [GIKM,NP] • t-privacy [CGKS,IK,BI] • Robust PIR [BS] • More settings [OS,GGM,DIO,BIM,...] • PIR as a building-block [NN,FIMNSW,...]
Current (& Future) Research Focus so far: communication complexity Obstacle:time complexity • All existing protocols require high computation by the servers(linear computation per query). Theorem [BIM]: Expected computation of the servers is (n) Major research goal: Improving time complexity via preprocessing / amortization / off-line computation ( Preliminary results in [BIM,IKOS])