
An $\Omega(n^{1/3})$ Lower Bound for Bilinear Group Based Private Information Retrieval

Alexander Razborov, Sergey Yekhanin


Presentation Transcript


  1. An $\Omega(n^{1/3})$ Lower Bound for Bilinear Group Based Private Information Retrieval. Alexander Razborov, Sergey Yekhanin

  2. Private Information Retrieval [CGKS]
     • $D$ is a binary string of length $n$.
     • $k$ non-communicating servers hold the same database $D$.
     • User holds index $i$, $1 \le i \le n$, and wants to retrieve $D_i$.
     • Each individual server should get no information about $i$.
     • Goal: Minimize communication complexity!

  3. PIR: progress

  4. 2 server case: restricted lower bounds
     • Models are incomparable
     • Each model captures all known PIR schemes

  5. Plan of the talk
     • An example PIR scheme [WY]
     • Statement of our lower bound
     • Our technique

  6. Example PIR: algebraization
     $1 \le i \le n$, wants $D_i$.
     • Database $D[n]$ is represented by a cubic multivariate polynomial $F(x_1, \ldots, x_m)$ over a finite field $\mathbb{F}_q$
     • Polynomial is in $m = n^{1/3}$ variables
     • For every $i$ there is a point $P_i$ such that $D_i = F(P_i)$

  7. Example PIR
     • Privacy, $O(n^{1/3})$ communication, correctness
     • The scheme requires at least 4 servers
     • Note: the communication is unbalanced

  8. Example PIR
     Privacy, $O(n^{1/3})$ communication, correctness …

  9. Example PIR Correctness: User reconstructs values of derivatives of from the values of partial derivatives of User learns: Reconstructs:

  10. Key properties of example PIR
     • Servers represent database $D$ by a function on a group, and user can retrieve the function value at any group element (including elements that do not correspond to database bits).
     • User computes the dot product of servers' responses to obtain $D_i$.
     These properties are common to all known PIR schemes.

  11. Our result
     Theorem: Every bilinear group based PIR protocol requires $\Omega(n^{1/3})$ communication.
     • Bilinear: user outputs dot product of servers' responses
     • Servers represent database by a function on a finite group $G$ and user can retrieve function values at arbitrary group elements using the natural secret sharing based on $G$.

  12. Our technique
     • Combinatorial view of PIR
     • Specialization to bilinear PIR
     • Specialization to bilinear group based PIR
     • Algebraic problem

  13. Combinatorial view of PIR
     Notion – Generalized Latin Square $S[n, T]$:
     • Square of size $T$ by $T$
     • $n$ variables
     • Every variable appears once in every row/column

  14. Combinatorial view of PIR
     Notion – Embedding of matrices: Let $S \in \{0,1\}^{T \times T}$, $A \in \{0,1\}^{L \times L}$. $S$ embeds into $A$ if there exist two embedding maps $r, c : [T] \to [L]$ such that for all $j, k \in [T]$: $S_{jk} = A_{r(j)\,c(k)}$

  15. Combinatorial view of PIR
     Theorem: PIR schemes with $t$ long queries and $r$ long answers are equivalent* to pairs of matrices SA such that:
     • $S$ is Generalized Latin Square $[n, 2^t]$
     • $A$ is a binary square matrix of size $2^r$
     • For every $\{0,1\}$ assignment to variables $x_i$, $S$ can be completed to a $\{0,1\}$ matrix that embeds into $A$.

  16. Combinatorial view of PIR: Proof
     Given SA we construct a PIR protocol. Servers obtain the embedding maps $r, c : [T] \to [L]$.
     • U: Randomly picks $j, k \in [T]$ such that $S_{jk} = i$
     • U→S1: $j$
     • U→S2: $k$
     • S1→U: $r(j)$
     • S2→U: $c(k)$
     • U: Outputs $A_{r(j)\,c(k)}$
     Communication complexity, correctness, privacy

  17. Combinatorial view of bilinear PIR
     Bilinear PIR schemes SA have $A = H_r$.
     Theorem: Bilinear PIR schemes with $t$ long queries and $r$ long answers are equivalent* to $2^t$ by $2^t$ matrices $S$ that are:
     • Generalized Latin Squares $[n, 2^t]$
     • For every $\{0,1\}$ assignment to variables $x_i$ can be completed to $\mathbb{F}_2$ rank $\le r$.
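
An added worked example (not from the talk) of the protocol on slides 16 and 17 in the bilinear case. It assumes the circulant square $S_{jk} = x_{(j+k) \bmod n}$ over $\mathbb{Z}_n$ with $T = n$, reads $H_r$ as the $\mathbb{F}_2$ inner-product matrix, and uses hypothetical function names; the servers' answers are $r$ bits, where $r$ is the $\mathbb{F}_2$ rank of the completed square.

```python
import random

def completed_square(db):
    # Constructed GLS: S[j][k] = x_{(j+k) mod n} over Z_n (T = n, no free cells),
    # completed with the database bits.
    n = len(db)
    return [[db[(j + k) % n] for k in range(n)] for j in range(n)]

def f2_factor(M):
    """Return (U, B): row j of M is the XOR of basis rows B[t] for bits t set in U[j]."""
    rows = [sum(bit << k for k, bit in enumerate(r)) for r in M]
    reduced, B, U = [], [], []      # reduced: (echelon vector, its combination over B)
    for v in rows:
        cur, combo = v, 0
        for vec, vec_combo in reduced:
            if (cur >> (vec.bit_length() - 1)) & 1:   # clear this pivot bit
                cur ^= vec
                combo ^= vec_combo
        if cur:                     # v is independent: it becomes basis row B[idx]
            idx = len(B)
            reduced.append((cur, combo | (1 << idx)))
            B.append(v)
            combo = 1 << idx
        U.append(combo)
    return U, B

def user_query(i, n, rng):
    j = rng.randrange(n)            # uniform and independent of i
    return j, (i - j) % n           # chosen so that S[j][k] = x_i

def server1_answer(U, j):           # r(j): an r-bit vector
    return U[j]

def server2_answer(B, k):           # c(k): column k of the basis, r bits
    return sum(((b >> k) & 1) << t for t, b in enumerate(B))

def user_output(a1, a2):            # dot product of the two answers over F_2
    return bin(a1 & a2).count("1") % 2

def retrieve(db, i, rng=random):
    U, B = f2_factor(completed_square(db))
    j, k = user_query(i, len(db), rng)
    return user_output(server1_answer(U, j), server2_answer(B, k))

def answer_bits(db):                # r = F_2 rank of the completed square
    return len(f2_factor(completed_square(db))[1])
```

Each server sees one uniformly distributed index, and the answer length tracks the rank of the completion, which is the quantity the lower bound argument counts.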

  18. Specialization to group based PIR
     Notion - Matrix $S$ respects the structure of a finite group $G$.
     Example: $G = \mathbb{Z}_5$ (circulant matrices)

  19. Specialization to group based PIR
     • $2^n$ different databases yield $2^n$ different low rank completions of a GLS $S[n, 2^t]$.
     • In group based PIR schemes over a group $G$, all such completions respect the structure of $G$.
     • We use representation theory to count the total number $A(G,r)$ of rank $\le r$ matrices respecting the group structure.

  20. Algebraic problem
     $A(G,r)$ can be defined in algebraic terms:
     The upper bound proof requires modular (i.e. non-semisimple) representation theory and yields:
     $A(G,r) \le 2^{(\log G)\, r^2}$
     $n \le (\log G)\, r^2$

  21. Open problems
     • Can our technique be extended to a lower bound for bilinear PIR?
     • Can our technique be used to establish a connection to matrix rigidity?
