Private Information Retrieval Based on the talk by Yuval Ishai, Eyal Kushilevitz, Tal Malkin Outline Introduction Common approaches Information-theoretical Computational Summary Private Information Retrieval (PIR):assumptions Semi-honest assumption on servers Server is trustable in terms of honestly following the protocol Server knows every bit of the data Server may record clients requests/queries Malicious servers Drop messages Change messages Collude with other parties Private Information Retrieval (PIR): intro Goal: allow user to query database while hiding the identity of the data-items she is after. Note: hides identity of data-items; not the existence of interaction with the user. Motivation: patent databases; stock quotes; web access; many more.... Paradox(?): imagine buying in a store without the seller knowing what you buy. (Encrypting requests is useful against third parties; not against the owner of data.) Modeling Server: holds n-bit string x n should be thought of as very large User: wishes to retrieve x i and to keep i private Remark: it is the most basic version; the building block for involved retrieval. Server sends entire database x to User. Information theoretic privacy. Communication: n SERVER xixi USER x =x 1,x 2,..., x n x 1,x 2,..., x n Trivial Private Protocol Is this optimal? Obstacle Theorem [CGKS]: In any 1-server PIR with information theoretic privacy the communication is at least n. Information theoretic privacy/security: The ciphertext gives no information about the plaintext More solutions User asks for additional random indices. Pick a few random indices to hide the real one Drawback: can be estimated Employ general crypto protocols to compute x i privately. 1-out-N Oblivious Transfer Drawback: highly inefficient (polynomial in n ). Anonymity (e.g., via Anonymizers). Note: address different problems: hides identity of user; not the fact that x i is retrieved. Two Approaches Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers. servers do collude. Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions NP hard to break the approach Known Communication Upper Bounds Multiple servers, information-theoretic PIR: 2 servers, comm. n 1/3 [CGKS95] k servers, comm. n 1/(k) [CGKS95, Amb96,,BIKR02] log n servers, comm. Poly( log(n) ) [BF90, CGKS95] Single server, computational PIR: Comm. Poly( log(n) ), n is the # of items Under appropriate computational assumptions [KO97,CMS99] Approach I: k-Server PIR Correctness: User obtains x i Privacy: No single server gets information about i U S1S1 x {0,1} n S2S2 i SkSk Information-Theoretic 2-Server PIR Best Known Protocol: comm. n 1/3 Lets look at an example with comm. cost n 1/2 Two protocols: Protocol I: n bit queries, 1 bit answers Protocol II: n 1/2 bit queries, n 1/2 bit answers Protocol I: 2-server O(n) PIR S2S2 i U i n Q 1 {1,,n} S1S1 Q 2 =Q 1 i *User sent O(n) bits = = = 1 Meaning of Q 2 =Q 1 i Q 1 is a random subset Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,,n} S1S1 Q 2 =Q 1 i *Server replies 1 bit Protocol I: 2-server PIR S2S2 i U i n Q 1 {1,,n} S1S1 a1a2=xia1a2=xi Q 2 =Q 1 i Protocol II: PIR with O(n 1/2 ) Communication S2S2 j,i U i X m=n 1/2 Q 1 {1,,m} S1S1 Q 2 =Q 1 i j a 1,j a 2,j =x j,i Make the n-bit vector as a n 1/2 * n 1/2 matrix Apply ex-or sum to each row Computational PIR with O(n 1/2 ) Comm. Based on encryption Quadratic Residue (QR) N = p*q, p,q are primes. Q(y, N) = 0 iff exists w such that w^2 = y (mod N) 1 otherwise Security: if p, q is unknown, it is computationally impossible to determine Q(y,N). If p,q is known, Q(y,N) can be determined in O(|N|^3) Understanding modulo: w^2 = y+k*N, k can be any integer Example: 2^2 = 4 (mod 10), 4^2 = 6 (mod 10) Example Quadratic Residue: E(0) QR N E(1) NQR N Properties: QR QR = QR NQR QR = NQR For any y, y^2 is QR. Computational PIR with O(n 1/2 ) Comm n 1/2 b Goal: user wants to know entry M(a,b) 1.User picks N=pq and sends N to server 2.User picks uniformly at random s= n 1/2 numbers, from the set Z={x|1