Private Information Retrieval


Based on the talk by
Yuval Ishai, Eyal Kushilevitz, Tal Malkin
Outline
 Introduction
 Common approaches
  Information-theoretical
  Computational
 Summary
Private Information Retrieval (PIR): assumptions
 Semi-honest assumption on servers
   Server is trustable in terms of honestly following the protocol
   Server knows every bit of the data
   Server may record the client’s requests/queries


 Malicious servers
   Drop messages
   Change messages
   Collude with other parties
 Private Information Retrieval (PIR): intro

 Goal: allow a user to query a database while hiding the identity of the data items she is after.
 Note: hides the identity of data items, not the existence of an interaction with the user.
 Motivation: patent databases; stock quotes; web access; many more....
 Paradox(?): imagine buying in a store without the seller knowing what you buy.
 (Encrypting requests is useful against third parties, not against the owner of the data.)
Modeling
 Server: holds an n-bit string x
  n should be thought of as very large

 User: wishes
   to retrieve x_i
  and
   to keep i private

 Remark: this is the most basic version; the building block for more involved retrieval.
Trivial Private Protocol

[Figure: SERVER holding x = x1, x2, ..., xn sends the whole string to USER, who reads off xi.]

Server sends entire database x to User.
  Information theoretic privacy.
  Communication: n

                Is this optimal?
Obstacle

Theorem [CGKS]:
In any 1-server PIR with information-theoretic privacy the communication is at least n.

Information theoretic privacy/security:
The ciphertext gives no information about the plaintext.
More “solutions”
 User asks for additional random indices.
      Pick a few random indices to hide the real one.
      Drawback: the real index can still be estimated.

 Employ general crypto protocols to compute x_i privately.
      1-out-of-N Oblivious Transfer
      Drawback: highly inefficient (polynomial in n).

 Anonymity (e.g., via Anonymizers).
      Note: a different concern: hides the identity of the user, not the fact that x_i is retrieved.
Two Approaches
Information-Theoretic PIR      [CGKS95, Amb97, ...]

  Replicate the database among k servers.
  Assume the servers do not collude.

Computational PIR     [CG97, KO97, CMS99, ...]

  Computational privacy, based on cryptographic assumptions (breaking the scheme is assumed to be computationally hard).
 Known Comm. Upper Bounds
Multiple servers, information-theoretic PIR:
 2 servers, comm. n^{1/3} [CGKS95]
 k servers, comm. n^{1/(k)} [CGKS95, Amb96, …, BIKR02]
 log n servers, comm. Poly(log(n)) [BF90, CGKS95]

Single server, computational PIR:
   Comm. Poly(log(n)), n is the # of items
   Under appropriate computational assumptions [KO97, CMS99]
Approach I: k-Server PIR

[Figure: servers S1, S2, …, Sk each hold a copy of x ∈ {0,1}^n; User U holds the index i and queries every server.]

 Correctness: User obtains x_i
 Privacy: No single server gets information about i
Information-Theoretic 2-Server PIR
 Best Known Protocol: comm. n^{1/3}
 Let’s look at an example with comm. cost n^{1/2}

Two Stages:
1. Protocol I: n-bit queries, 1-bit answers
2. Protocol II: n^{1/2}-bit queries, n^{1/2}-bit answers
Protocol I: 2-server O(n) PIR

[Figure: the n-bit database 0 1 0 0 1 1 0 1 0 0 1 0 is replicated at S1 and S2; User U holds i.]

 User picks a uniformly random subset Q1 ⊆ {1,…,n} and sends it to S1 (as an n-bit vector).
 User sends Q2 = Q1 ⊕ i to S2, i.e. Q1 with i added if it was absent and removed if it was present.
 Addition is XOR: 1+1=0, 0+0=0, 1+0=1.
 *User sent O(n) bits.

 S1 replies a1 = ⊕_{j ∈ Q1} x_j; S2 replies a2 = ⊕_{j ∈ Q2} x_j.
 *Each server replies 1 bit.

 User computes a1 ⊕ a2 = x_i: every x_j with j ≠ i is in both sums or in neither and cancels; x_i is in exactly one of them.
Protocol II: PIR with O(n^{1/2}) Communication

Make the n-bit vector into an n^{1/2} × n^{1/2} matrix X, m = n^{1/2}; User wants entry x_{j,i} (row j, column i).

[Figure: X held by S1 and S2; User U holds (j, i).]

 User picks a random subset Q1 ⊆ {1,…,m} of the columns and sends it to S1; sends Q2 = Q1 ⊕ i to S2.
 Each server applies the ex-or sum to each row:
   S1 returns a_{1,1}, a_{1,2}, …, a_{1,m}, where a_{1,r} = ⊕_{c ∈ Q1} x_{r,c};
   S2 returns a_{2,1}, a_{2,2}, …, a_{2,m}, computed the same way over Q2.
 User computes a_{1,j} ⊕ a_{2,j} = x_{j,i}.
 Queries are m bits and answers are m bits, so the total communication is O(n^{1/2}).
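Both stages of the 2-server information-theoretic protocol above, written out as an added example (this is my code, not code from the talk or the slides). Protocol I sends n-bit queries and gets 1-bit answers; Protocol II views the database as an m × m matrix (m = n^{1/2}) and sends m-bit queries to get m-bit answers. The 12-bit database is the one drawn on the Protocol I slide; zero-padding it to a 4 × 4 square for Protocol II, the flat-index-to-(row, column) mapping, and all function names are my own choices.

```python
import math
import secrets

# The 12-bit database drawn on the Protocol I slide (constructed sample input).
SAMPLE_DB = [0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0]


def xor_over_subset(bits, query):
    """One server's one-bit answer: XOR of bits[j] over every j with query[j] == 1."""
    acc = 0
    for b, q in zip(bits, query):
        acc ^= b & q
    return acc


def protocol_i_queries(n, i, rng=secrets.randbelow):
    """User side of Protocol I: Q1 is a uniformly random subset of {0..n-1},
    Q2 = Q1 XOR {i}. Each query on its own is a uniformly random subset, so a
    single server learns nothing about i."""
    q1 = [rng(2) for _ in range(n)]
    q2 = q1[:]
    q2[i] ^= 1
    return q1, q2


def protocol_i(x, i):
    """Protocol I: n-bit queries, 1-bit answers. Returns (x_i, bits communicated)."""
    n = len(x)
    q1, q2 = protocol_i_queries(n, i)
    a1 = xor_over_subset(x, q1)  # server 1's reply
    a2 = xor_over_subset(x, q2)  # server 2's reply
    # Every x_j with j != i is in both sums or in neither, so it cancels.
    return a1 ^ a2, 2 * n + 2


def as_square_matrix(x):
    """View x as an m x m matrix, m = ceil(sqrt(n)), zero-padded, row-major."""
    m = math.isqrt(len(x))
    if m * m < len(x):
        m += 1
    padded = list(x) + [0] * (m * m - len(x))
    return [padded[r * m:(r + 1) * m] for r in range(m)], m


def protocol_ii(x, i):
    """Protocol II: sqrt(n)-bit queries and sqrt(n)-bit answers.
    The slide's target x_{j,i} is row j = i // m, column i % m here."""
    matrix, m = as_square_matrix(x)
    row, col = divmod(i, m)
    q1, q2 = protocol_i_queries(m, col)              # random subsets of the columns
    a1 = [xor_over_subset(r, q1) for r in matrix]    # server 1: one bit per row
    a2 = [xor_over_subset(r, q2) for r in matrix]    # server 2: one bit per row
    return a1[row] ^ a2[row], 4 * m


def server_view_is_uniform(n, i):
    """Privacy check for tiny n: as Q1 ranges over all 2^n subsets, Q2 = Q1 XOR {i}
    also hits every subset exactly once, so server 2's view is independent of i."""
    seen = set()
    for mask in range(1 << n):
        q1 = [(mask >> j) & 1 for j in range(n)]
        q2 = q1[:]
        q2[i] ^= 1
        seen.add(tuple(q2))
    return len(seen) == 1 << n


if __name__ == "__main__":
    for i, bit in enumerate(SAMPLE_DB):
        assert protocol_i(SAMPLE_DB, i)[0] == bit
        assert protocol_ii(SAMPLE_DB, i)[0] == bit
    print("Protocol I comm. bits:", protocol_i(SAMPLE_DB, 0)[1])    # 26
    print("Protocol II comm. bits:", protocol_ii(SAMPLE_DB, 0)[1])  # 16
```

On the 12-bit sample Protocol I moves 2n + 2 = 26 bits while Protocol II moves 4m = 16, and the gap grows as n does; `server_view_is_uniform` is the exhaustive version of the privacy argument, feasible only for toy n.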
Computational PIR with O(n^{1/2}) Comm.
 Based on encryption
   Quadratic Residue (QR)
    N = p*q, p, q are primes.
    Q(y, N) = 0 iff there exists w such that w^2 = y (mod N); 1 otherwise.

   Understanding modulo: w^2 = y + k*N, where k can be any integer.

   Example: 2^2 = 4 (mod 10), 4^2 = 6 (mod 10)

  Security:
  If p, q are unknown, it is assumed to be computationally infeasible to determine Q(y,N).
  If p, q are known, Q(y,N) can be determined in O(|N|^3).
Example Quadratic Residue:
E(0) ∈ QR_N
E(1) ∈ NQR_N
Properties:
QR × QR = QR
NQR × QR = NQR

For any y, y^2 is QR.
Computational PIR with O(n^{1/2}) Comm.

Goal: user wants to know entry M(a,b) of the n^{1/2} × n^{1/2} bit matrix M.

[Figure: matrix with rows 0110, 1110, 1100, 0001; row a and column b are marked.]

• User picks N = pq and sends N to server.
• User picks uniformly at random s = n^{1/2} numbers y_1, …, y_s from the set Z = {x | 1 <= x <= N, gcd(N, x) = 1}, such that y_b is QNR and y_j for j != b is QR, and sends them to server.
• For each row r, server calculates
     W(r,j) = y_j^2 if M(r,j) = 0,
              y_j   if M(r,j) = 1
     Z_r = ∏_{j=1}^{t} W(r,j)
  Z_r is a QR iff M(r,b) = 0.
• Server sends Z_1, …, Z_s to User, and User checks whether Z_a is QR.
Related work
 Can be a building block for high-level security protocols
 Has connection with “Locally Decodable Codes” (LDC)
 It was proved that the three problems PIR, LDC, and circuit-based SMC are equivalent.
Summary
Focus so far: communication complexity
Obstacle: time complexity
All existing protocols require high computation by the servers (linear computation per query).

Are there methods to reduce server cost?
Next class
 Secure database outsourcing to
  untrusted server
   Issues with storing data in untrusted servers
     Data confidentiality
     Access privacy
     Query correctness

				
Posted: 9/12/2011; 22 pages.