160 likes | 307 Vues
Public Key Encryption that Allows PIR Queries. Dan Boneh 、 Eyal Kushilevitz 、 Rafail Ostrovsky and William E. Skeith Crypto 2007. Private Information Retrieval (PIR). n. ?. 4. 3. 7. i. j. i {1,… n }. x i. x = x 1 , x 2 , . . ., x n { 0,1} n. USER. SERVER. PIR.
E N D
Public Key Encryption that Allows PIR Queries Dan Boneh、Eyal Kushilevitz、 Rafail Ostrovsky and William E. Skeith Crypto 2007
Private Information Retrieval (PIR) n ? 4 3 7 i j i{1,…n} xi x=x1,x2 , . . ., xn {0,1}n USER SERVER
PIR • allows a user to retrieve an item from a server in possession of a database without revealing which item she is retrieving. • existing PIR solutions • retrieving a (plain or encrypted) record of the database by address • search by keyword in a non-encrypted data
Query Answer
Outline • Introduction • Tools: • Bloom Filter • Modifying Encrypted Data in a Communication Efficient Way • Definition • Main Construction
Introduction • Interesting in: • communication-efficient • complete privacy. • Technique: • Receiver: creates a public key . • Sender: message M is accompanied by an “encoded” list of keywords .
Bloom Filters • Basic idea: Suppose … 1 2 3 4 5 6 m … h1(a) … h2(a) … h3(a) … hk(a) … 1 1 T 0 1 1 0 1
Bloom Filters (cont.) • What to store : • certain element is in a set • value which are associated to the element in the set. • Definition. As same to above. But together with a collection of sets, ,where . Then to insert a pair (a, v) into this structure, v is added to for all . The set of values associated with is simply .
Insert (a1, v1) then (a2, v2) … check h1(a1) V1 B1 V1 ,V2 h1(a1) {V1 ,V2} B2 ∩ V3 h2(a2) h2(a2) {V1} V2 B3 ∩ ……. ……. V1 V1 {V1 ,V3} ……. V2 ,V3 || hk(ak) hk(ak) V1 V1 Bm V1 ,V3
Modifying Encrypted Data in a Communication Efficient Way • Based on group homomorphic encryption with communication O(√n). • Technique : • : database (not encrypted) • (i*,j*): the position of particular element • α: the value we want to add. • v , w: two vector of length √n where • Here δkl = 1 when k=l and 0 otherwise • Then
Modifying Encrypted Data in a Communication Efficient Way (cont.) • Parameters: • (K, E, D): a CPA-secure public-key encryption • : an array of ciphertexts which is held by a party S. • Define F(X, Y, Z)=X+YZ. By ourassumption, there exists some such that
Modifying Encrypted Data in a Communication Efficient Way (cont.) • Protocol: ModifyU,S(l, α) where l and α are private input to U. • U compute i*, j* as the coordinates of l (i.e., i* and j* are quotient and remainder of l/n, respectively) • U sends to S where all values are encrypted under Apublic. • S computes for all , and replaces each cij with the corresponding resulting ciphertext.
Definition • Parameters: • X: message sending parties. • Y: message receiving party. • S: server/storage provider. • Definition 1:probabilistic polynomial time algorithms and protocols: • KeyGen(1S) • SendX,S(M, K, Apublic) • RetrieveY,S(w, Aprivate)
Main Construction • S maintains in its storage space encryptions of the buffers, denote these encryptions • For , we defined • KeyGen(k) :Run K(1s), generate Apublic and Aprivate.
SendX,S(M, K, Apublic) Sender Storage Provider ρ γ copies of the address ρ ρ ρ ρ ρ ρ ModifyX,S(x, α) Message Buffer Bloom Filter Buffer
RetrieveY,S(w, Aprivate) Receiver Storage Provider PIR Query PIR Query Message Buffer Bloom Filter Buffer Modifyy,S(x, α)