On the Computational Practicality of Private Information Retrieval

Post on 22-Mar-2016


On the Computational Practicality of Private Information Retrieval. Bogdan Carbunar, Pervasive Platforms and Architectures, Motorola Labs. By Nafia Malik. Radu Sion, Network Security and Applied Cryptography Lab, Computer Sciences, Stony Brook University.


Radu Sion, Bogdan Carbunar

Presented by Sultan Moukli


Agenda

- Introduction
- Private information retrieval
- Building Blocks
- Fast modular arithmetic
- Quadratic Residuosity PIR
- cPIR
- Key size
- Final equation
- Result
- Other protocols
- Conclusion

Introduction

The normal case

The user sends a query to the database to get some information:

SELECT fieldList FROM objectType [WHERE conditionExpression]

[Figure: User U, who needs Xi, asks Database DB (holding X1, X2, X3, ..., Xn) over a secure channel: "Please give me i". DB returns Xi. The database knows what U is looking for.]

What is the problem?

The database server knows private information about the user

The history of user U's queries

- Men's clothes, size XXX

- Part for car model XXX

Solution

- Send entire DB
- PIR
  - Multi server
  - Single server

The objective of this paper

Investigate PIR computation times and compare against the alternative of transferring the entire database to the client.

The experimental discussion covers:

- general lower bounds on server-side per-data-bit computation

- communication complexity

Private Information Retrieval (PIR) schemes allow a user to retrieve information from a database while maintaining the privacy of the queries from the database.

Private information retrieval (PIR) provides a cryptographic means for retrieving data from a database without the database or database administrator learning any information about which particular item was retrieved.

Private information retrieval

- Information-Theoretic PIR (k servers, k ≥ 2)

- Computational PIR (single server)


Building Blocks

- Hardware

- CPU ALU (arithmetic and logic units)

- Parallelism

- MIPS (millions of instructions per second)

- Fast Modular Arithmetic Algorithms

- Quadratic Residuosity PIR

- Key Sizes

Fast Modular Arithmetic Algorithms

m is the number of digits in the operands

Quadratic Residuosity PIR

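x is a quadratic residue modulo n if there exists $a \in \mathbb{Z}_n^*$ such that

$x = a^2 \bmod n$

For example, in $\mathbb{Z}_{10}$:

| $a$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| $a^2 \bmod 10$ | 1 | 4 | 9 | 6 | 5 | 6 | 9 | 4 | 1 |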

cPIR

The client:

• Chooses two prime numbers p and q of similar bit length, computes their product $N = p \cdot q$, and sends it to the server.

• Generates $\sqrt{n}$ numbers $s_1, s_2, \ldots, s_{\sqrt{n}}$ such that $s_x$ is a quadratic non-residue (QNR) and the rest are quadratic residues (QR) in $\mathbb{Z}_N^*$.

• Sends $s_1, s_2, \ldots, s_{\sqrt{n}}$ to the server.

The server:

• For each "column" $j \in (1, \sqrt{n})$ in the $\sqrt{n} \times \sqrt{n}$ matrix $M$, sets $q_{ij} = s_i^2$ if $M(i, j) = 1$ and $q_{ij} = s_i$ if $M(i, j) = 0$.

• Computes the product $r_j = \prod_{0<i<\sqrt{n}} q_{ij}$, then sends $r_1, \ldots, r_{\sqrt{n}}$ to the client.
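The protocol above as an added Python example (not code from the paper or the presentation). It assumes toy-sized constructed primes and a constructed 4 × 4 database, adds the client's final step (testing whether r_y is a quadratic residue, which the slide does not list), and picks the QNR with Jacobi symbol +1 as in the standard quadratic-residuosity scheme; all function names are hypothetical.

```python
import math
import secrets

# Constructed toy parameters; a real modulus N needs 1024+ bits.
P, Q = 1019, 1031
N = P * Q
# Constructed 4 x 4 bit database (n = 16, sqrt(n) = 4), held by the server.
M = [[1, 0, 1, 1], [0, 0, 1, 0],
     [1, 1, 0, 0], [0, 1, 0, 1]]

def is_square_mod(v, prime):
    """Euler's criterion: True iff v is a nonzero square modulo an odd prime."""
    return pow(v, (prime - 1) // 2, prime) == 1

def is_qr(v):
    """Residuosity test modulo N; it needs the factors, so only the client can run it."""
    return is_square_mod(v, P) and is_square_mod(v, Q)

def random_unit():
    """Uniform element of Z*_N drawn from a CSPRNG."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if math.gcd(s, N) == 1:
            return s

def client_query(x, rows):
    """Build s_1..s_rows: a QNR at row x, QRs in every other row."""
    query = []
    for i in range(rows):
        s = random_unit()
        if i == x:
            # Non-residue modulo both P and Q: Jacobi symbol +1, like every QR.
            while is_square_mod(s, P) or is_square_mod(s, Q):
                s = random_unit()
        else:
            s = s * s % N
        query.append(s)
    return query

def server_answer(db, query):
    """r_j = prod_i q_ij mod N, with q_ij = s_i^2 if db[i][j] == 1 else s_i."""
    return [math.prod(s * s if row[j] else s for row, s in zip(db, query)) % N
            for j in range(len(db[0]))]

def retrieve(x, y):
    """Client recovers M(x, y): r_y is a QR exactly when the bit is 1."""
    answer = server_answer(M, client_query(x, len(M)))
    return 1 if is_qr(answer[y]) else 0
```

The server touches every bit of the database, doing one modular multiplication per bit, and returns √n values of |N| bits each so that the client can read a single bit.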


Key Size

The single-server computational PIR setting of choice relies on the quadratic residuosity assumption. The authors consider here the (equivalent) assumed hardness of factoring as a metric for achieved privacy, to establish the values of |N| for different points in time.


Final equation

$t_t = 1/B$: the time required to transmit one bit between the server and the client

$t_{qrv}(b)$: the time required to verify the quadratic residuosity of one b-bit number

Result 1995-2006


Result 2006


Result 2010-2035

Moore’s Law impact in computing performance

Nielsen’s Law of network bandwidth

Other protocols

- Cachin proposed the Φ-Hiding Assumption to perform PIR with poly-logarithmic communication complexity. The authors note that the protocol requires the server to perform n exponentiations modulo m.

- Symmetric Private Information Retrieval

- Computation-Amortized PIR


Conclusion

The authors showed that single-server PIR protocols, running on modern high-end non-specialized hardware and networks, are mostly orders of magnitude slower than the trivial transfer of the entire database to the client.

They believe it is important to explore protocols for single-server PIR in the presence of server-side trusted hardware [15, 69]. This should allow the delegation of client-logic in closer proximity to the data and might yield significant benefits.
