Computational Code-Based Single-Server Private Information Retrieval - PowerPoint PPT Presentation



SLIDE 1

Computational Code-Based Single-Server Private Information Retrieval

Lukas Holzbaur, Camilla Hollanti, Antonia Wachter-Zeh
Technical University of Munich, Institute for Communications Engineering



SLIDE 4

Private Information Retrieval

  • Goal: Retrieve a file from a database without revealing its index to the server(s)
  • Perfect (information-theoretic) privacy with a single server is only possible with the trivial "download everything" solution [1]
  • Different approaches:
    ◮ Multiple, non-colluding servers [2]
    ◮ Private side information [3]
    ◮ Computational privacy [4]

[1] Chor, Benny, et al. "Private information retrieval." Proceedings of IEEE 36th Annual Foundations of Computer Science. IEEE, 1995.
[2] Sun, Hua, and Syed Ali Jafar. "The capacity of private information retrieval." IEEE Transactions on Information Theory 63.7 (2017): 4075-4088.
[3] Kadhe, Swanand, et al. "Private information retrieval with side information." IEEE Transactions on Information Theory (2019).
[4] Kushilevitz, Eyal, and Rafail Ostrovsky. "Replication is not needed: Single database, computationally-private information retrieval." Proceedings 38th Annual Symposium on Foundations of Computer Science. IEEE, 1997.

Lukas Holzbaur (TUM) 2

SLIDE 5

System Setup

  • System storing $m$ files, $X = [\,X^1 \; X^2 \; X^3 \cdots X^m\,]$, where each file $X^l$ is a block of $L$ rows and $(s-v)(n-k)$ columns (the block dimensions annotated in the slide's figure); writing $\delta = (s-v)(n-k)$, this gives $X \in \mathbb{F}_q^{L \times m\delta}$
  • User wants file $X^i$ and wants to keep the index $i$ private


SLIDE 9

Query Generation

User chooses:

  • A random $[n, k]_{q^s}$ code $C$
  • A matrix $D \in \mathbb{F}_{q^s}^{m\delta \times n}$ where each row $D_{l,:}$ is chosen uniformly at random from $C$
  • A random information set $I \subset [n]$ of $C$
  • A random basis $\Gamma = \{\gamma_1, \gamma_2, \dots, \gamma_s\}$ of $\mathbb{F}_{q^s}$ over $\mathbb{F}_q$
    → Let $V = \langle \gamma_1, \dots, \gamma_v \rangle_q$
  • A matrix $\hat{E} \in V^{m\delta \times (n-k)}$ with i.i.d. uniformly random entries
  • A full-rank matrix $\hat{\Delta} \in (\mathbb{F}_{q^s}/V)^{(s-v)(n-k) \times (n-k)}$

Query (the figure on the slide): $Q_i = D + E + \Delta \otimes e^m_i \in \mathbb{F}_{q^s}^{m\delta \times n}$, with $m\delta = m(s-v)(n-k)$ rows and $n$ columns. Here $E$ and $\Delta$ are $\hat{E}$ and $\hat{\Delta}$ placed in the $n-k$ columns $[n] \setminus I$ and zero in the columns $I$, and $e^m_i$ is the $i$-th unit vector of length $m$, so that $\Delta \otimes e^m_i$ adds $\Delta$ only to the $\delta$ rows belonging to file $i$.

SLIDE 10

Server Reply

$X = [\,X^1 \; X^2 \; X^3 \cdots X^m\,] \in \mathbb{F}_q^{L \times m\delta}$ and $Q_i = D + E + \Delta \otimes e^m_i \in \mathbb{F}_{q^s}^{m\delta \times n}$ as on the previous slides.

Server replies with: $A_i = X \cdot Q_i \in \mathbb{F}_{q^s}^{L \times n}$

For simplicity, let $L = 1$.


SLIDE 13

Decoding

User receives:

$$A_i = X \cdot Q_i = \sum_{l=1}^{m} X^l \cdot \big( D_{(l-1)\delta+1:l\delta,:} + E_{(l-1)\delta+1:l\delta,:} \big) + X^i \cdot \Delta$$

$$= \underbrace{\sum_{l=1}^{m} X^l \cdot D_{(l-1)\delta+1:l\delta,:}}_{\in\, C} + \underbrace{\sum_{l=1}^{m} X^l \cdot E_{(l-1)\delta+1:l\delta,:} + X^i \cdot \Delta}_{\text{zero in positions } I}$$

(The slide repeats the figure $Q_i = D + E + \Delta \otimes e^m_i$ with $m(s-v)(n-k)$ rows and $n$ columns.)

The set $I$ is an information set, so the codeword $\sum_l X^l \cdot D_{(l-1)\delta+1:l\delta,:}$ is determined by the entries of $A_i$ in the positions $I$, where the remaining terms vanish; subtracting it, the user retrieves

$$\sum_{l=1}^{m} X^l \cdot E_{(l-1)\delta+1:l\delta,:} + X^i \cdot \Delta .$$


SLIDE 17

Decoding

$$\sum_{l=1}^{m} X^l \cdot E_{(l-1)\delta+1:l\delta,:} + X^i \cdot \Delta$$

  • Entries of the data matrix $X$: $\mathbb{F}_q$
  • Entries of the matrix $E$: $V$
  • Entries of the matrix $\Delta$: $\mathbb{F}_{q^s}/V$

⇒ Taking the component in $\mathbb{F}_{q^s}/V$ (the coordinates with respect to $\gamma_{v+1}, \dots, \gamma_s$) gives $X^i \cdot \Delta$: the $E$-sum has all its entries in $V$, and $\mathbb{F}_q$-linear combinations of elements of $V$ stay in $V$
⇒ $\Delta$ is full-rank by definition
⇒ User obtains $X^i$
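The complete round trip of the scheme (query generation, server reply $A_i = X \cdot Q_i$, and the decoding steps above) as an added, runnable example; this is not the authors' code. It fixes a toy instance $q = 2$, $s = 4$, $v = 2$ over $\mathbb{F}_{16}$, chosen here for illustration, and the helper names (gf16_mul, gen_query, decode, run_demo, pir_rate) are this example's own. The random code is drawn with a generator matrix that is systematic on the chosen information set, which is one way to make sure $I$ really is an information set; the user then re-encodes from the positions $I$, subtracts the codeword, reads the $\gamma_3, \gamma_4$ coordinates, and inverts $\hat{\Delta}$ over $\mathbb{F}_2$. The rate formula of the Performance slide is included as pir_rate.

```python
"""Toy instance of the code-based single-server computational PIR scheme from the
slides, with q = 2, s = 4, v = 2 (F_{q^s} = F_16 = F_2[x]/(x^4+x+1); elements are ints
0..15, addition is XOR).  Added example, not the authors' code: helper names and the
fixed (q, s, v) are this example's own; n, k, m, delta, Gamma, V, D, E, Delta follow the slides."""
import random

S, V_DIM, MOD = 4, 2, 0b10011   # s = extension degree over F_2, v = dim V, x^4 + x + 1

def gf16_mul(a, b):
    """Product in F_16: carry-less multiply, reduced mod x^4 + x + 1."""
    r = 0
    for _ in range(S):
        r ^= a * (b & 1)                      # add a when the current bit of b is set
        a = (a << 1) ^ (MOD if a & 8 else 0)  # multiply a by x and reduce
        b >>= 1
    return r

def vec_mat(u, G):
    """Row vector u times matrix G over F_16 (also gives X * Q_i for X over F_2)."""
    out = [0] * len(G[0])
    for t, ut in enumerate(u):
        for j, g in enumerate(G[t]):
            out[j] ^= gf16_mul(ut, g)
    return out

def combine(gens, bits):
    """F_2-linear combination of gens selected by the bits of the integer bits."""
    a = 0
    for j, g in enumerate(gens):
        a ^= g if bits >> j & 1 else 0
    return a

def gf2_solve(A, b):
    """Solve A x = b over F_2 (A square, rows as 0/1 lists); None if A is singular."""
    n = len(A)
    M = [row[:] + [b[r]] for r, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [x ^ y for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def gen_query(i, m, n, k, rng):
    """User side (slide 'Query Generation') for file index i in 1..m.  Returns Q_i
    and the secrets (G, I, coords, Delta over F_2) that only the user keeps."""
    delta = (S - V_DIM) * (n - k)                        # rows per file block
    while True:                                          # random F_2-basis Gamma of F_16
        gamma = [rng.randrange(1, 16) for _ in range(S)]
        coords = {combine(gamma, b): [b >> j & 1 for j in range(S)] for b in range(1 << S)}
        if len(coords) == 1 << S:                        # 16 distinct sums <=> basis
            break
    V_gens, W_gens = gamma[:V_DIM], gamma[V_DIM:]        # V and a complement of V
    rnd = lambda gens: combine(gens, rng.randrange(1 << len(gens)))   # uniform in span
    I = sorted(rng.sample(range(n), k))                  # information set
    Ibar = [j for j in range(n) if j not in I]
    # random [n,k] code C: generator G systematic on I, uniformly random elsewhere
    G = [[int(j == I[t]) if j in I else rng.randrange(16) for j in range(n)] for t in range(k)]
    D = [vec_mat([rng.randrange(16) for _ in range(k)], G) for _ in range(m * delta)]
    E = [[rnd(V_gens) for _ in Ibar] for _ in range(m * delta)]       # i.i.d. in V
    while True:                                          # Delta-hat: full rank over F_2
        Delta = [[rnd(W_gens) for _ in Ibar] for _ in range(delta)]
        MT = [[coords[Delta[t][c]][V_DIM + a] for t in range(delta)]   # MT x = quotient
              for c in range(n - k) for a in range(S - V_DIM)]        # coords of x*Delta
        if gf2_solve(MT, [0] * delta) is not None:
            break
    Qi = [row[:] for row in D]                           # Q_i = D + [0 | E + Delta (x) e_i]
    for r in range(m * delta):
        for c, j in enumerate(Ibar):
            Qi[r][j] ^= E[r][c]
            if (i - 1) * delta <= r < i * delta:
                Qi[r][j] ^= Delta[r - (i - 1) * delta][c]
    return Qi, dict(G=G, I=I, Ibar=Ibar, coords=coords, MT=MT)

def decode(Ai, sec):
    """User side (slides 'Decoding'): re-encode the codeword from positions I, subtract it,
    keep the quotient coordinates (where the E-sum vanishes), invert Delta over F_2."""
    c = vec_mat([Ai[j] for j in sec['I']], sec['G'])
    resid = [Ai[j] ^ c[j] for j in sec['Ibar']]
    y = [sec['coords'][r][V_DIM + a] for r in resid for a in range(S - V_DIM)]
    return gf2_solve(sec['MT'], y)

def pir_rate(L, m, n, k):
    """Rate of the 'Performance' theorem: file bits / (upload + download bits)."""
    delta = (S - V_DIM) * (n - k)
    return L / (m * delta + L) * (1 - (k + V_DIM / S * (n - k)) / n)

def run_demo(seed=1, m=3, n=6, k=3):
    """One round trip (L = 1) on constructed random data; True iff X^i is recovered."""
    rng = random.Random(seed)
    delta = (S - V_DIM) * (n - k)
    X = [rng.randrange(2) for _ in range(m * delta)]     # m files of delta bits each
    i = rng.randrange(1, m + 1)
    Qi, sec = gen_query(i, m, n, k, rng)
    Ai = vec_mat(X, Qi)                                  # server reply A_i = X * Q_i
    return decode(Ai, sec) == X[(i - 1) * delta: i * delta]
```

run_demo() draws random files and a random index, builds one query, lets the server multiply, and checks that the decoded block equals $X^i$; the seed only fixes the random draws. With the default parameters the query has $m\delta = 18$ rows over $\mathbb{F}_{16}$ for files of $\delta = 6$ bits, which is why pir_rate(1, 3, 6, 3) is small and pir_rate grows towards $(s-v)(n-k)/(sn) = 1/4$ as $L$ grows.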

SLIDE 18

Performance

Theorem: PIR rate

The rate of the scheme is

$$R_{\mathrm{PIR}} = \frac{L}{m\delta + L} \left( 1 - \frac{k + \frac{v}{s}(n-k)}{n} \right).$$

For large files, i.e., $L \to \infty$, the rate becomes

$$R_{\mathrm{PIR}} = 1 - \frac{k + \frac{v}{s}(n-k)}{n}.$$
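Where the theorem's expression comes from, as an added derivation that is not on the slide; it only counts symbols of $\mathbb{F}_q$ in the objects defined earlier in the deck. The query $Q_i \in \mathbb{F}_{q^s}^{m\delta \times n}$ is the upload, the answer $A_i \in \mathbb{F}_{q^s}^{L \times n}$ the download, and the retrieved file is $X^i \in \mathbb{F}_q^{L \times \delta}$ with $\delta = (s-v)(n-k)$; each symbol of $\mathbb{F}_{q^s}$ counts as $s$ symbols of $\mathbb{F}_q$. Reading the rate as file size over total communication (upload plus download), which is where the factor $L/(m\delta + L)$ comes from:

$$R_{\mathrm{PIR}} = \frac{L\,\delta}{(m\delta + L)\, n\, s} = \frac{L}{m\delta + L} \cdot \frac{(s-v)(n-k)}{s\,n} = \frac{L}{m\delta + L} \left( 1 - \frac{k}{n} - \frac{v\,(n-k)}{s\,n} \right) = \frac{L}{m\delta + L} \left( 1 - \frac{k + \frac{v}{s}(n-k)}{n} \right),$$

and the first factor tends to $1$ as $L \to \infty$, which gives the large-file rate $(s-v)(n-k)/(sn)$ of the theorem.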


SLIDE 22

Attacks

Problem: Error Subspace Search Problem
Given a set of words in $\mathbb{F}_{q^s}^n$ which are each the sum of a codeword of a random code $C$ and an error vector, find a $v$-dimensional subspace that contains the largest possible number of these error vectors.

  • Consider the query as the basis of a code, $Q^T = \big[\, D \cdot A,\ \hat{E} + \hat{\Delta} \otimes e^m_i \,\big]^T$ ($D \cdot A$ is the part of the codewords in $D$ on the redundancy positions $[n] \setminus I$, with $A$ read as the redundancy part of a systematic generator matrix of $C$; the slide does not define $A$)
  • The elements of $\hat{E}$ are from the space $V$
  • Puncturing the positions corresponding to $i$ (the rows of the query that carry $\hat{\Delta}$) gives a large subspace subcode for $V$

⇒ Make it difficult to guess the subspace $V$


SLIDE 25

Attacks

Problem: Quotient Error Search Problem
Given a set of words in $\mathbb{F}_{q^s}^n$ which are each the sum of a codeword of a random code $C$ and an error vector from the subspace $\mathbb{F}_{q^v}^n$, except for one, to which an additional error vector from the quotient space $\mathbb{F}_{q^s}^n / \mathbb{F}_{q^v}^n$ is added, find the word with the additional error vector from the quotient space.

  • One probabilistic method for solving this is checking the rank of submatrices
  • Submatrices containing the $i$-th row (the word with the quotient-space error) are more likely to have linearly independent rows

⇒ Ensure that every square submatrix is of full rank w.h.p.

SLIDE 26

Attacks

  • Recently, a new attack [1] has been published that efficiently solves the Quotient Error Search Problem in the considered setting
  • It relies on finding a submatrix of $Q$ with low $\mathbb{F}_q$ column rank
  • It breaks the scheme for all relevant parameters

[1] Bordage, Sarah, and Julien Lavauzelle. "On the privacy of a code-based single-server computational PIR scheme." arXiv preprint arXiv:2004.00509 (2020).


SLIDE 28

Conclusion and Future Work

Conclusion

  • A single-server PIR scheme related to coding-theoretic problems has been proposed
  • Two attacks have been presented
  • Recently, the scheme has been broken

Future Work

  • Fix the vulnerability exploited by the critical attack [2]

[2] Bordage, Sarah, and Julien Lavauzelle. "On the privacy of a code-based single-server computational PIR scheme." arXiv preprint arXiv:2004.00509 (2020).