A Linear Lower Bound on the Communication Complexity of Single-Server PIR
Jonathan Hoch, Iftach Haitner, Gil Segev
Weizmann Institute of Science, Israel

Private Information Retrieval
[Diagram: Server holding x = x1 ... xn; Receiver holding i ∈ {1,...,n} and obtaining xi; i ∈ {1,...,n} ≈ j ∈ {1,...,n}]
• Functionality: Receiver retrieves xi
• Privacy: Server does not learn i

The Trivial Solution
[Diagram: Server holding x = x1 ... xn sends x1 ... xn to the Receiver holding i ∈ {1,...,n}]
• Inefficient -- x may be very large
Can we do better than trivial? Not information theoretically [CGKS]

Two Approaches
• Multiple-server PIR
  • Information theoretic privacy
  • Many exciting results, but not the focus of this talk [CGKS95,...,Yek07,...]
• Single-server PIR
  • Computational privacy
  • Implies Oblivious Transfer
  • 2-message PIR implies collision-resistant hash functions and public-key encryption
  • Many applications... [CG97, KO97, CMS99, ...]

Current Status
• Specific number-theoretic assumptions
  • Communication polylog(n) [KO97, CMS99, ...]
• General assumptions
  • Communication n - o(n)
  • Black-box construction based on TDPs [KO00]
Question: Can we base single-server PIR with sublinear communication on general assumptions?

Main Result
In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.
• Two restrictions
  • Fully black-box
  • Tight security reduction: permutations over (n) bits
  • [KO ‘00]: (n²) bits
• Previous results
  • [Fis02]: Similar result for 2-message protocols (less restrictions)
  • [HHRS07]: (n/log n) lower bound (same restrictions)
  • (n²) lower bound for “not so tight” reductions

Fully Black-Box Reductions
A fully black-box reduction from B to A:
• Black-box construction
  • Any implementation of A implies an implementation of B
  • Only care about the functionality of A
• Black-box proof of security
  • Any adversary for B implies an adversary for A
  • Only care about functionality of the adversary for B
[Diagram: B constructed from A; adversary for A constructed from an adversary for B]

Our Approach
• Fully black-box reductions relativize
• We present an oracle O relative to which:
  1. There exists a collection of TDPs over {0,1}^n
     • A random function is hard to invert even with access to O
  2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
     • There exists an efficient server that uses O to break any such protocol

The Oracle [HHRS ‘07]
• O = (Sam, )
• is a random collection of TDPs over {0,1}^n
• Sam is an interactive collision-finding oracle
  • Samples random collisions
  • Extends the non-interactive oracle of [Simon ‘98]
[Diagram: A interacts with Sam. Sam samples v0 ← {0,1}^n; A sends C1 and receives v1 with C1(v1) = C1(v0); A sends C2 and receives v2 with C2(v2) = C2(v1)]

The Oracle [HHRS ‘07] (continued)
Theorem: A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)
• The proof requires additional restrictions (Ci+1 refines Ci, commit to Ci+1 at depth i, ...)
• ...but this suffices for the purpose of this talk
[Diagram: the interaction between A and Sam (v0, C1, v1, C2, v2), with depth n/log(n)]

Breaking 2-Message PIR
[Diagram: Receiver holding i ∈ {1,...,n} sends a(i); Server holding x = x1 ... xn replies with b(a,x)]

Breaking 2-Message PIR
[Diagram: Receiver holding i ∈ {1,...,n} sends a; b(a,x0) = b(a,x1); x0_i = x1_i and x0x1]
1. Receive x0 from Sam
2. Send the circuit b(a,·) to Sam
3. Receive x1 from Sam
4. Output a random index j for which x0_j = x1_j
Claim: The malicious server guesses i w.p. ≥ 1/(n-1)

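The four steps above, run as a toy simulation (an added example, not code from the talk or the paper). Assumptions: the one-bit protocol in `make_query`/`server_answer` is a constructed stand-in and not a secure PIR, `sam` is simulated by exhaustive search over a tiny database, all function names are hypothetical, and indices are 0-based.

```python
import itertools
import random

N = 8  # database length in bits (constructed toy size so Sam can brute-force)

def make_query(i, rng):
    # Stand-in for the receiver's message a(i). Assumption: a real PIR query
    # hides i computationally; here the malicious server simply never parses
    # the query and only uses b(a, .) as a black box.
    key = rng.randrange(N)
    return (key, (i + key) % N)

def server_answer(a, x):
    # Honest server's message b(a, x): one bit, far fewer than n bits.
    key, masked = a
    return x[(masked - key) % N]

def sam(circuit, v0, rng):
    # Collision-finding oracle: uniform v1 with circuit(v1) == circuit(v0).
    # Simulated by enumeration, feasible only because N is tiny.
    target = circuit(v0)
    preimages = [v for v in itertools.product((0, 1), repeat=N)
                 if circuit(v) == target]
    return rng.choice(preimages)

def malicious_server_guess(a, rng):
    # Step 1: receive x0 from Sam (a random database).
    x0 = tuple(rng.randrange(2) for _ in range(N))
    # Steps 2-3: send the circuit b(a, .) to Sam, receive a colliding x1.
    x1 = sam(lambda x: server_answer(a, x), x0, rng)
    # Step 4: output a random index j on which x0 and x1 agree.
    agree = [j for j in range(N) if x0[j] == x1[j]]
    return rng.choice(agree), agree

def success_rate(trials=2000, seed=1):
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        i = rng.randrange(N)
        guess, agree = malicious_server_guess(make_query(i, rng), rng)
        assert i in agree  # correctness of the protocol forces x0_i == x1_i
        hits += (guess == i)
    return hits / trials

if __name__ == "__main__":
    print(f"guessed i in {success_rate():.3f} of runs; blind guess: {1/N:.3f}")
```

Because the answer is shorter than the database, the collision agrees with x0 on position i and on only some of the other positions, which is what lifts the guess above 1/n.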
Breaking Any Sublinear PIR
[Diagram: Receiver holding i ∈ {1,...,n} and Server exchange messages a1, b1, ..., ao(n), bo(n)]
Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round

Breaking Any Sublinear PIR
[Diagram: Receiver holding i ∈ {1,...,n} and Server exchange messages a1, b1, ..., alog(n), blog(n), ..., ao(n), bo(n)]
Key observation: The malicious server can invoke Sam every log(n) rounds

Breaking Any Sublinear PIR
[Diagram: Receiver holding i ∈ {1,...,n} and Server exchange messages a1, b1, ..., alog(n), blog(n)]
1. Receive x0 from Sam
2. Simulate the honest server for log(n) rounds
3. Send b1(a1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)
Claim: The malicious server guesses i w.p. ≥ 1/(n-1)

Summary
• Communication lower bound for single-server PIR
  • Fully black-box constructions from (enhanced) TDPs
  • The trivial solution is optimal up to constant factors
Matches the upper bound of [NOVY]
• In the paper:
  • Communication lower bound for statistically-hiding bit-commitment
    • The sender must send (n) bits
  • Communication preserving reduction to single-server PIR
• Open problem:
  • A linear lower bound for “not so tight” reductions?
  • [KO ‘00]: TDPs over (n²) bits
Thank you!