1 / 20

Private Information Retrieval

Private Information Retrieval. Amos Beimel – Ben-Gurion University http://www.cs.bgu.ac.il/~beimel Tel-Hai, June 4, 2003 This talk is based on talks by: Yuval Ishai, Eyal Kushilevitz, Tal Malkin. Private Information Retrieval (PIR) [CGKS95].

bazyli
Télécharger la présentation

Private Information Retrieval

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Private Information Retrieval Amos Beimel – Ben-Gurion University http://www.cs.bgu.ac.il/~beimel Tel-Hai, June 4, 2003 This talk is based on talks by: Yuval Ishai,Eyal Kushilevitz, Tal Malkin

  2. Private Information Retrieval (PIR) [CGKS95] • Goal: allow user to query database while hiding the identity of the data-items she is after. • Note: hides identity of data-items; not existence of interaction with the user. • Motivation: patent databases; stock quotes; web access; many more.... • Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against owner of data.)

  3. Modeling • Server: holds n-bit string x n should be thought of as very large • User: wishes • to retrieve xi and • to keepi private • Remark: most basic version; building block for involved retrieval.

  4. Private Information Retrieval (PIR) n ? 4 3 7 i j i{1,…n} xi x=x1,x2 , . . ., xn {0,1}n USER SERVER

  5. Non-Private Protocol i{1,…n} xi NO privacy!!! Communication: log n i x =x1,x2 , . . ., xn SERVER USER

  6. Trivial Private Protocol x1,x2 , . . ., xn Server sends entire database x to User. Information theoretic privacy. Communication:n x =x1,x2 , . . ., xn xi SERVER USER Is this optimal?

  7. Obstacle Theorem [CGKS]: In any 1-server PIRwith information theoretic privacy the communication is at least n.

  8. More “solutions” • User asks for additional random indices. Drawback: reveals a lot of information • Employ general crypto protocols to compute xi privately. Drawback: highly inefficient (polynomial in n). • Anonymity (e.g., via Anonymizers). Note: different concern: hides identity of user; not the fact that xi is retrieved.

  9. Two Approaches Information-Theoretic PIR[CGKS95,Amb97,...] Replicate database among k servers. Unconditional privacy against tservers. Default: t=1 Computational PIR[CG97,KO97,CMS99,...] Computational privacy,based oncryptographic assumptions.

  10. Multiple servers, information-theoretic PIR: 2 servers, comm. n1/3[CGKS95] k servers, comm. n1/(k)[CGKS95, Amb96,…,BIKR02] log nservers, comm.Poly( log(n) )[BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99] Known Comm. Upper Bounds

  11. U ApproachI: k-Server PIR x {0,1}n S1 i Correctness: User obtains xi Privacy: No single server gets information about i x{0,1}n S2 x{0,1}n Sk

  12. Information-Theoretic 2-Server PIR • Best Known Protocol: comm. n1/3 [CGKS95] • Open Question: Is this optimal? • This Talk: comm. n1/2 Two Stages: • Protocol I: n bit queries, 1 bit answers • Protocol II: n1/2bit queries, n1/2 bit answers

  13. Protocol I: 2-server PIR n 0 1 0 0 1 1 0 1 0 0 1 0 S1 S2 i Q2=Q1  i Q1{1,…,n} i U

  14. Protocol I: 2-server PIR n 0 0 1 0 0 1 1 0 1 0 0 1 0 S1 S2 i Q2=Q1  i Q1{1,…,m} i U

  15. a1a2=xi Protocol I: 2-server PIR n 0 0 1 0 0 1 1 0 1 0 0 1 0 1 S1 S2 i Q2=Q1  i Q1{1,…,n} i U

  16. j,i i U PIR with O(n1/2) Communication m=n1/2 m=n1/2 X S1 S2 j Q2=Q1  i Q1{1,…,m} a1,ja2,j=xj,i

  17. b b’ b  b’  = Example Quadratic Residue: E(0)  QRN E(1)  NQRN QR QR = QR NQR QR = NQR Computational PIR with O(n1/2) Comm. Tool: (randomized) homomorphic encryption

  18. Computational PIR with O(n1/2) Comm. n1/2 0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1 n1/2 j i • User sends n1/2 encryptions c1 =E(0), c2 =E(0), c3=E(1), c4 =E(0) • For each row Server sends a “bit” c2c3 c1 c2c3 c1c2 c4 • User recovers ith column of x

  19. PIR – Related Work • Extensions: • Symmetric PIR [GIKM,NP] • t-privacy [CGKS,IK,BI] • Robust PIR [BS] • More settings [OS,GGM,DIO,BIM,...] • PIR as a building-block [NN,FIMNSW,...]

  20. Current (& Future) Research Focus so far: communication complexity Obstacle:time complexity • All existing protocols require high computation by the servers(linear computation per query). Theorem [BIM]: Expected computation of the servers is (n) Major research goal: Improving time complexity via preprocessing / amortization / off-line computation ( Preliminary results in [BIM,IKOS])

More Related