
Constant-Round Private Database Queries

Nenad Dedic and Payman Mohassel. Boston University. UC Davis.



  1. Constant-Round Private Database Queries
     Nenad Dedic and Payman Mohassel
     Boston University, UC Davis

  2. Outline
     • Introduction
     • Element rank protocol
     • Other protocols
     • Equivalence to one-round PIR
     • Open problems

  3. Succinct Computation
     [Diagram: Client (input x) and Server (input y); q = Q(x); a = A(q,y); Dec(a) = f(x,y)]
     • Computing f(x,y)
     • One round of interaction
     • Communication Complexity
         • |q| + |a| = O(poly(log(|x|), log(|y|), |f(x,y)|, s))
         • Or linear in |f(x,y)|

  4. Privacy
     • Computational setting
     • Client side
         • For any x, x', Q(x) and Q(x') are indistinguishable
     • Server side
         • Simulator S, simulates A(x,y) given x and f(x,y)
     • Semi-honest adversaries

  5. Private Database Queries
     • Server's input is a database
     • Client's input is a query
     • Private information retrieval (PIR)
         • f(i, (x_1, x_2, …, x_n)) = x_i
     • Private Keyword search (PKS)
         • f(w, {(x_1,v_1), …, (x_n,v_n)}) = v_a if there is x_a = w, otherwise ⊥

  6. Existing Solutions
     • PIR / SPIR
         • [KO97], [Lipmaa05], …
         • One-round, sublinear communication
     • PKS
         • [FIPR05]
         • One-round, polylog(n) communication
         • PIR and homomorphic encryption
     How about more general queries?

  7. More General Queries
     • General MPC
         • Not efficient
     • Circuits with look-up tables [NN01]
         • Communication efficient
         • High round complexity
     • One-round secure computation [CCKM00]
         • Round efficient
         • High comm.
     • Computing BP on encrypted data [IP07]
         • Independent work
         • Round and communication efficient
         • Strong assumption

  8. Private Element Rank
     • Interval Labeling
         • f(b, (x_1, x_2, …, x_n, v_1, …, v_n)) = v_i such that b ∈ (x_i, x_{i+1}]
     • Element Rank
         • Add x_0 = -∞ and x_{n+1} = +∞
         • v_i = i
     • Applications
         • Ranking in auctions
         • Online testing services
         • Use to design other protocols

  9. Interval Labeling Protocol
     • b, x_1, x_2, …, x_n ∈ {0,1}^k
     • Run a PKS for every prefix of b
         • jth query = j-bit prefix of b
     • Create and use a database D

  10. Interval Labeling Protocol
     [Figure: binary prefix tree with 0/1 edge labels, node labels v0 to v4 and boundary points x1, x2, x3, x4]
     D = {(000,v0), (001,v1), (0100,v1), (0101,v2), (011,v2), (100,v2), (101,v3), (11,v4)}

  11. Interval Labeling Protocol
     [Figure: binary prefix tree with 0/1 edge labels, node labels v0 to v4 and boundary points x1, x2, x3, x4]
     b = 1000
     b_1 = 1, b_2 = 10, b_3 = 100, b_4 = 1000
     D = {(000,v0), (001,v1), (0100,v1), (0101,v2), (011,v2), (100,v2), (101,v3), (11,v4)}

  12. Interval Labeling Protocol
     • w' is w with last bit flipped
     • Database D, where |D| ≤ 2kn
     • For every 1 ≤ j ≤ k, let w be j-bit prefix of x_i:
         • Add (w, v_i) to D if: [w||0^{k-j}, w||1^{k-j}] [x_i, x_{i+1}], but not true for w'
         • Add (w', v_i) to D if: [w'||0^{k-j}, w'||1^{k-j}] [x_t, x_{t+1}], but not true for w
     • Prefixes of x_i's and/or their siblings

  13. Interval Labeling
     • r_i = PKS_A(b_i, D) for 1 ≤ i ≤ k
     • Randomly permute (r_1, r_2, …, r_k) and send
     • Decode; retrieve the only r_i ≠ ⊥ in the list
     • One round, polylog(n) communication
     • Reduced to PKS
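
The construction of D and the per-prefix lookups from slides 9 to 13, as an added example that is not part of the presentation. It assumes the slide-12 condition means "the subtree under the prefix lies inside the interval (x_i, x_{i+1}]"; the PKS sub-protocol is replaced by plain dictionary lookups, so only the data structure and decoding are shown, not the privacy mechanism. The function names are hypothetical, and x1..x4 = 0001, 0100, 1001, 1011 are values inferred from the slide-10 database.

```python
import secrets

def cover(lo, hi, k):
    """Bit-prefixes whose subtrees exactly tile the integer range [lo, hi] in {0,1}^k."""
    out = []
    while lo <= hi:
        # Largest aligned power-of-two block starting at lo (capped at half the
        # space so every prefix has at least one bit) that still fits in [lo, hi].
        size = lo & -lo if lo else 1 << (k - 1)
        while size > hi - lo + 1:
            size >>= 1
        j = k - size.bit_length() + 1            # prefix length for a block of this size
        out.append(format(lo >> (k - j), f"0{j}b"))
        lo += size
    return out

def build_db(xs, labels, k):
    """D maps prefixes to labels; labels[i] is returned for b in (x_i, x_{i+1}]."""
    bounds = [-1] + sorted(xs) + [(1 << k) - 1]  # x_0 = -inf, x_{n+1} = +inf
    return {p: v for i, v in enumerate(labels)
            for p in cover(bounds[i] + 1, bounds[i + 1], k)}

def server_answer(prefixes, db):
    """Stand-in for the k PKS answers: plain lookups (None plays ⊥), then permuted."""
    replies = [db.get(p) for p in prefixes]
    secrets.SystemRandom().shuffle(replies)      # hides which prefix length matched
    return replies

def label_of(b, db, k):
    """Client side: query every prefix of b, keep the single non-empty reply."""
    bits = format(b, f"0{k}b")
    replies = server_answer([bits[:j] for j in range(1, k + 1)], db)
    hits = [r for r in replies if r is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one non-empty reply")
    return hits[0]

# Constructed input: x1..x4 inferred from the slide-10 database, k = 4.
XS, K = [0b0001, 0b0100, 0b1001, 0b1011], 4
SLIDE_D = {"000": "v0", "001": "v1", "0100": "v1", "0101": "v2",
           "011": "v2", "100": "v2", "101": "v3", "11": "v4"}

if __name__ == "__main__":
    db = build_db(XS, ["v0", "v1", "v2", "v3", "v4"], K)
    print(db == SLIDE_D, label_of(0b1000, db, K))
```

Because the prefixes in D tile {0,1}^k without overlap, every query b matches exactly one of its k prefixes, which is why decoding finds a single non-⊥ reply.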

  14. Other Protocols
     • Private Rectangle Labeling
         • Which rectangle is query point in?
         • Extension to higher dimensions
         • One round
     • Private Range Queries
         • Retrieve all the points in the range
         • On a line or in a plane
         • Constant round
         • Comm. proportional to number of retrieved points

  15. Other Protocols
     • mth ranked element
         • Alice holds database A
         • Bob holds database B
         • Find mth ranked element in (A ∪ B)
     • [AMP04], O(log(m)) rounds, and sublinear comm.
     • We use our rank protocol as subprotocol
         • O(log(log(m))) rounds
         • Still sublinear comm.

  16. PKS to PIR
     f(w, {(x_1,v_1), …, (x_n,v_n)}) = v_a if there is x_a = w, otherwise ⊥
     • [FIPR05]
     • Database
         • Hash function h : {0,1}n {0,1}n/log(n)
         • Hash keywords (x_i's) to n/log(n) bins
         • Create degree log(n) polynomials for each bin
     • Client
         • Compute h(w)
         • Send E(h(w)), E(h(w)^2), …, E(h(w)^{log(n)})
     • Database evaluates all polynomials at h(w)
     • Client gets one result via PIR

  17. PKS to PIR
     • Assumption: One-round PIR
     • Replace polynomials with Yao's garbled circuit
         • Circuit of size O(polylog(n))
     • Yao's protocol
         • Pseudorandom function, OT
         • Can be reduced to one-round PIR
         • [CMO00], [BIKM99]
     • One-round PKS one-round PIR
     • One-round Rank one-round PKS

  18. Open Problems
     • Succinct Computation of
         • Branching programs (not length-bounded)
         • General circuits
     • Reduction to one-round PIR
         • Any special functionality
         • Decision trees
         • Branching programs

  19. Thank you!
