![Page 1: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/1.jpg)
Distributed Point Functions and their Applications
Niv Gilboa (BGU)Yuval Ishai (Technion)
![Page 2: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/2.jpg)
The concept
• Consider point functions – Pxy; x{0,1}n, y{0,1}m
• Point function– Pxy(x’)=0 if x’x and Pxy(x)=y.
• Our goal is additively share a secret point function using a succinctrepresentation – The shares are F0 and F1 s.t Pxy=F0F1.
![Page 3: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/3.jpg)
Model
• More formally, a Distributed Point Function (DPF) is two PPT algorithms– Gen(x,y)=(k0,k1)– Eval(k,x’)
• Such that– Correctness - Pxy(x’)=Eval(k0,x’)Eval(k1,x’)– Secrecy – k0 (or separately k1) can be
simulated given only |x| and |y|.
![Page 4: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/4.jpg)
Motivation• Why be interested in this question?• Interesting applications!• Two server Private Information Retrieval
(PIR) [CGKS95]. • Two server Private retrieval by Keywords
[CGN97, FIPR05, OS07].• Private Information Storage [OS97].• Worst-case to average case reductions
[BF90, BFNW91].
![Page 5: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/5.jpg)
Using DPF for keywords
Server0
Server1
Userw1 … wn
w1 … wn
w
Run Gen(w,1)=(k0,k1)
k0
k1
Compute r0=j Eval(k0,wj)
Compute r1=j Eval(k1,wj)
r0
r1
Compute r0r1
![Page 6: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/6.jpg)
Using DPF for keywords
Server0
Server1
Userw1, d1 … wn, dn
w1, d1 … wn. dn
w
Run Gen(w,1)=(k0,k1)
k0
k1
Compute r0=j dj·Eval(k0,wj)
Compute r1=j dj·Eval(k1,wj)
r0
r1
Compute r0r1
![Page 7: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/7.jpg)
Results
• Main theorem: OWF DPF.• Key size is short
– For security parameter k (e.g. length of AES key) it is ~8k·|x|log 3+|y| bits.
• Converse: DPF OWF
![Page 8: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/8.jpg)
Exact numbersKey size (in
bytes)|X|
300 bytes20
~630 bytes40
~2.25 Kbytes80
~8 Kbytes160
![Page 9: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/9.jpg)
Results - applications• PIR scheme –
– First poly-logarithmic, constant server PIR scheme based on OWF.
– First poly-logarithmic, binary, two server scheme (improving on [CG97]).
• PIR writing (storage) – similar to PIR results.• Keyword search – first 2-server solution with
1-bit answers.• Efficient worst-case to average-case
2-query reductions for PSPACE and EXPTIME complete languages.
![Page 10: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/10.jpg)
Trivial Solution (2|x|)Target Function Px,y
00
…y
…0
X
Gen(x,y)
a0
a1
…
…a2|x|
K0
a0
a1
…
…a2|x|
K1
a0R{0,1}|y|
,R{0,1}|y|
=y
Eval(k0,x’)=k0[x’]
Eval(k1,x’)=k1[x’]
=Px,y(x’)
![Page 11: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/11.jpg)
Improvement-Preliminaries• Regard Px,y as two-dimensional.• Instead of Px,y:{0,1}|x|{0,1}|y| think of
P(i,j),y:{0,1}|x|/2{0,1}|x|/2{0,1}|y|
• Let G be a pseudo-random generator.
![Page 12: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/12.jpg)
Preliminaries (cont.)• What if Gen(x,y) produces
– k0=(s1,…,si0,…,s2|x|/2)– k1=(s1,…,si1,…,s2|x|/2)
• For x’ represented by (i’,j’), let Eval(k0,x’)=G(si’)[j’].
• Then
Eval(k0,x’)Eval(k1,x’)=
Pxy(x’) if i’=i
Junk if i’i
![Page 13: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/13.jpg)
0 0
Target Function Px,y
y
0…
… 0
2|x|/2
2|x|/2
i
j
2|x|/2 solution
![Page 14: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/14.jpg)
2|x|/2 solutionGen(x,y)
s0
s1
…1is
…s2|x|/2
K1
Identical seeds
K0
s0
s1
…0is
…s2|x|/2
Independent seeds
CW0
CW1
CW0
CW1
2|x|/2
Iy|2|x|/2
CW0CW1G(si0) G(si1)=y·ej
t0
t1
…
it
…
t2m
t0
t1
…
it
…
t2m
Identical bits
Opposite bits
![Page 15: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/15.jpg)
2|x|/2 solution
Eval(k0,x’)=(G(si’)CWti’)[j’]
s0
s1
…si’
…s2|x|/2
CW0
CW1
t0
t1
…
ti’
…
t2m
K0 x’=(i’,j’)
Eval(k0,x’) Eval(k1 ,x’)=
0 (i’,j’)(i,j)
y (i’,j’)=(i,j)
Eval(k0,x)
![Page 16: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/16.jpg)
Secrecy
s0
s1
…si’
…s2|x|/2
CW0
CW1
t0
t1
…
ti’
…
t2m
K0
Independent seeds
CW0CW1G(si0) G(si1)=y·ej
![Page 17: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/17.jpg)
Is this good or bad?
• We have a solution for a distributed point function.
• Oh! That’s good!• But the key length and running times
are exponential in |x| (2|x|/2|y| to be exact).
• Oh! That’s bad!• Can we improve the length and time?
![Page 18: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/18.jpg)
Recursion - Gen
• Let’s look at the Gen algorithm again.• The keys k0, k1 are made up of
– 2|x|/2 seeds – all identical except one– 2|x|/2 bits (ti) – all identical except one– Two identical correction words CW0, CW1
• Call Gen(i, seed) recursively on domain of size 2|x|/2 seeds (plus bits).
![Page 19: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/19.jpg)
Recursion - Gen (cont.)• What about the two correction words?• Recall: CW0CW1=G(si0) G(si1)y·ej
– Exchange y·ej by a call to Gen(j,y)• Result – each step of recursion returns
a key of length 3(previous length)1/2.• Stop recursion at shortest key
length.
![Page 20: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/20.jpg)
Recursion - Eval
• On a call Eval(k0,x’) for x’=(i’,j’)– Parse k0 as , CW0, CW1, where is the
result of Gen on the seeds.– Run Eval recursively on to derive si’, ti’
– Compute v=G(si’)CWti’
– Run Eval recursively on (v,j’) to obtain output.
![Page 21: Distributed Point Functions and their Applicationsec14.compute.dtu.dk/talks/37.pdf · xy; x {0,1}n, y {0,1}m • Point function –P xy(x’)=0 if x’ xand P xy(x)=y. • Our goal](https://reader034.vdocuments.net/reader034/viewer/2022052000/6011fdf9a496616ac470835d/html5/thumbnails/21.jpg)
Thank You!!!