Efficient Private Information Retrieval protocols based on transversal designs
Julien Lavauzelle
Team GRACE LIX & INRIA Saclay, Université Paris-Saclay
Workshop Code-Based Cryptography 2017, Tenerife, Spain 02/06/2017
Outline
1. Definitions
2.
First construction: affine transversal designs
Second construction: with orthogonal arrays
Workshop CBC 2017
Given a file F,
Examples:
◮ confidential medical data,
◮ stock exchange prices...
Let F be a file stored on a DSS with ℓ servers $S_1, \dots, S_\ell$. Private Information Retrieval (PIR) protocol: a user U wants to recover $F_i$ privately.
1. U computes a query vector $q = Q(i)$ and sends $q_j$ to $S_j$.
2. Each server $S_j$ computes $a_j = A(q_j, F)$ and sends it back to U.
3. U recovers $F_i = R(q, a, i)$.
[Figure: servers $S_1, S_2, \dots, S_\ell$; U sends $Q(i) = (q_1, \dots, q_\ell)$ and receives the answers $\{a_j = A(q_j, F)\}$.]
Design goals:
◮ Low communication complexity (exchanged bits).
◮ Low computation complexity for A (server) and R (user).
◮ Low storage overhead (for the servers).
Existing solutions:
◮ Download the whole file F... inefficient, but it's the best solution with only one server [Chor Goldreich Kushilevitz Sudan '95].
◮ Use smooth locally decodable codes with locality ℓ:
  ◮ ℓ servers, each storing a copy of F (heavy storage overhead)
  ◮ use the ℓ-query local decoding algorithm to recover $F_i$ (complexity?)
  ◮ smoothness ensures security
Workshop CBC 2017
Storage: split an encoded version of the file over the servers (instead of replicating).
Security: the code must have a "smooth" set of parity-check equations for recovering any symbol $F_i$.
Let $\mathbb{F}_q^m = \{P_1, \dots, P_{q^m}\}$. A q-ary Reed-Muller code is:
$\mathrm{RM}_q(m, r) =$
For $r \le q - 2$, every $c \in \mathrm{RM}_q(m, r)$ satisfies:
$\sum_{P \in L} c_P = 0, \quad \forall \text{ line } L \subset \mathbb{F}_q^m.$
Let $\mathcal{G} = \{G_1, \dots, G_q\}$ be a partition of $\mathbb{F}_q^m$ into q hyperplanes.
1) Encode F into c with $\mathrm{RM}_q(m, r)$. Give $c_{|G_j}$ to server $S_j$.
2) To recover $F_i = c_i$ for some $i \in \mathbb{F}_q^m$:
◮ Pick a line L through i
◮ Ask server $S_j$ for $c_{P_j}$ where $\{P_j\} = L \cap G_j$, except if $P_j = i$.
◮ Reconstruct $c_i = -\sum_{P_j \ne i} c_{P_j}$
Security: there is a line between i and any other point of $\mathbb{F}_q^m$.
But $\mathrm{RM}_q(m, r)$ with $r < q$ has rate $\le \frac{1}{m!}$.
A transversal design $T = \mathrm{TD}(\ell, s)$ is a 3-tuple $(X, \mathcal{B}, \mathcal{G})$ of sets:
◮ X is the set of points, $|X| = n = s\ell$,
◮ the groups $\mathcal{G} = \{G_j\}_{1 \le j \le \ell}$ satisfy $X = \bigsqcup_{j=1}^{\ell} G_j$ and $|G_j| = s$,
◮ the blocks $B \in \mathcal{B}$ satisfy:
  – $B \subset X$ and $|B| = \ell$;
  – $\{i, j\} \subset X$ lie in the same group, or $\exists!\, B \in \mathcal{B}$ such that $\{i, j\} \subset B$.
[Figure: the groups $G_1, \dots, G_{\ell-1}, G_\ell$ drawn as columns; two points i, j in distinct groups lie on a unique block.]
Incidence matrix: $M_{i,j} = 1$ if $x_j \in B_i$, and $0$ otherwise.
The code C based on T over $\mathbb{F}_q$ is the $\mathbb{F}_q$-linear code having M as parity-check matrix.
Let $C \subseteq \mathbb{F}_q^n$ be a code based on a $\mathrm{TD}(\ell, s)$. Encode F into $c \in C$ and give $c_{|G_j}$ to server $S_j$, $j = 1, \dots, \ell$.
To recover $F_i = c_i$: pick a block B through i and set
$q_j = Q(i)_j = B \cap G_j$ if $i \notin G_j$, and a random point in $G_j$ otherwise;
$c_i = -\sum_{j \,:\, i \notin G_j} c_{q_j}.$
Theorem.– If the servers do not collude, then our PIR protocol is information-theoretically secure.
Proof:
– the only server which holds $F_i$ received a random query;
– for each other server $S_j$, there is a constant (=1) number of blocks passing through i and each $q_j \in G_j$ ⇒ no information leaks on i.
◮ communication complexity: $\ell(\log s + \log q)$ bits
◮ computational complexity: $O(1)$ for A (instead of $\Omega(k \log q)$); $O(\ell)$ $\mathbb{F}_q$-operations for R
◮ storage overhead: $(n - k)\log q$ bits (instead of $(\ell - 1)k\log q$)
Let $T_A$ be the classical affine TD:
◮ $X = \mathbb{F}_q^m$, $m \ge 2$,
◮ $\mathcal{G}$ a set of q disjoint hyperplanes partitioning X,
◮ $\mathcal{B} = \{$affine lines L secant to each group of $\mathcal{G}\}$.
The associated $\mathbb{F}_q$-linear code has
◮ length $n = q^m$
◮ block size $\ell = q$
◮ dimension?
  – its parity-check matrix has $q^m$ columns and $q^{2m-2}$ rows...
  – ... but it contains $\mathrm{RM}(m, q - 2)$ which has rate $\simeq 1/m!$,
  – and sometimes it is even larger:
[Plot: rate $R = k/n$ (from 0.1 to 1) against the length $n = 2^{em}$ (from $2^{10}$ to $2^{45}$), one curve per $m = 2, 3, 4, 5$.]
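The protocol of slides 7, 10 and 12 carried out in code, as an added example that is not from the talk: the affine design with m = 2 over a prime field F_p (p = 7 here), where server j stores the column x = j and a block is a non-vertical line. The file is encoded as a word of RM_p(2, p − 2) (a polynomial of total degree ≤ p − 2 evaluated on F_p^2), which the talk notes is contained in the TD-based code; the function names and the random file are this example's own choices.

```python
import random

# Added example, not the talk's code: the affine TD of slide 12 with m = 2 over
# a prime field F_p. Server j stores the group G_j = {(j, y)} (the hyperplane
# x = j) and the blocks are the non-vertical lines y = a*x + b of F_p^2.
p = 7
# A codeword of RM_p(2, p-2) sums to 0 along every non-vertical line, so it is
# a word of the TD-based code C: encode the file as such a polynomial.
MONOMIALS = [(a, b) for a in range(p) for b in range(p) if a + b <= p - 2]
k = len(MONOMIALS)  # dimension of RM_p(2, p-2), 21 for p = 7

def encode(file_symbols):
    """Evaluate the polynomial with the file symbols as coefficients on F_p^2."""
    assert len(file_symbols) == k
    return {(x, y): sum(f * pow(x, a, p) * pow(y, b, p)
                        for f, (a, b) in zip(file_symbols, MONOMIALS)) % p
            for x in range(p) for y in range(p)}

def distribute(c):
    """Server S_j receives only the restriction c|G_j (the column x = j)."""
    return [{(j, y): c[(j, y)] for y in range(p)} for j in range(p)]

def line_points(i, a):
    """The block through i with slope a, as the point it meets in each G_j."""
    x0, y0 = i
    b = (y0 - a * x0) % p
    return [(j, (a * j + b) % p) for j in range(p)]

def query(i):
    """Q(i): a random line through i; the server holding i gets a random point."""
    x0, _ = i
    q = line_points(i, random.randrange(p))
    q[x0] = (x0, random.randrange(p))
    return q

def reconstruct(i, answers):
    """R(q, a, i): c_i = -(sum of the other symbols on the line) mod p."""
    x0, _ = i
    return (-sum(a_j for j, a_j in enumerate(answers) if j != x0)) % p

def pir_retrieve(servers, i):
    q = query(i)
    # A(q_j, F) is a single lookup: the server returns the one symbol asked for.
    return reconstruct(i, [servers[j][q[j]] for j in range(p)])

def demo(seed=1):
    random.seed(seed)
    c = encode([random.randrange(p) for _ in range(k)])  # constructed file
    servers = distribute(c)
    return all(pir_retrieve(servers, i) == c[i] for i in c)
```

Enumerating the slope in line_points makes the security argument concrete: for a fixed i, the point that a server j ≠ x0 is asked for runs over all of G_j, so its query is uniform on its group and independent of i.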
For $m = 2$, $q = p^e$, using Hamada's formula [Ham68] we obtain:
$n = p^{2e}, \quad k \ge p^{2e} - \binom{p+1}{2}^e, \quad \ell = \sqrt{n},$
that is
$R = k/n = 1 - \Theta(n^{c_p}), \quad \ell = \Theta(n^{1/2}), \quad \text{where } c_p = \tfrac{1}{2}\left(\log_p\left(\tfrac{p+1}{2}\right) - 1\right) < 0.$
We have $c_p$ increasing in p, with $c_2 = -0.208$ and $c_\infty = 0$.
Questions:
◮ is this construction optimal?
◮ bounds on ℓ and R?
An orthogonal array $\mathrm{OA}(t, \ell, s)$ of strength t may be seen as a code over S, with:
– $|S| = s$,
– length ℓ,
– cardinality $N = s^t$,
– and dual distance $d^\perp = t + 1$.
Construction OA → TD:
◮ $X = S \times [1, \ell]$
◮ $\mathcal{G} = \{S \times \{i\},\ i \in [1, \ell]\}$
◮ $\mathcal{B} = \{\{(c_i, i),\ 1 \le i \le \ell\},\ c \in \mathrm{OA}\}$
Example: the array
OA(2, 3, 2) =
  a b b
  b b a
  b a b
  a a a
gives the points (a, 1), (a, 2), (a, 3), (b, 1), (b, 2), (b, 3), one group per column.
What about $\mathrm{OA}(t, \ell, s)$ with $t > 2$? For each t-tuple of points lying in t different groups, there is a block which contains them all.
⇒ Our PIR protocol resists $t - 1$ collusive servers.
But in practice, the PIR storage overhead increases with t (see later).
Definition.– We call $C_0$-coded-queries code (denoted $\mathrm{Code}_q(C_0)$) the $\mathbb{F}_q$-linear code C coming from the successive constructions:
$C_0 = \mathrm{OA}(t, \ell, s) \;\to\; \text{generalized } \mathrm{TD}(\ell, s; t) \;\to\; C = \mathrm{Code}_q(C_0)$
We derive PIR parameters from those of $C_0$:
◮ $d^\perp - 2$ is the number of collusive servers the protocol resists
◮ the larger $C_0$, the larger the PIR storage overhead
⇒ let's use MDS codes
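An added example (not the speaker's code) of the OA → TD construction of slide 15 and the covering property behind slides 16 and 17: it builds the groups and blocks from an orthogonal array given as rows, checks that every t-tuple of points from t distinct groups lies in exactly one block, and constructs OA(t + 1, p, p) = RS(F_p, t + 1) for a prime p. The OA(2, 3, 2) of slide 15 is included as constructed input; the function names are this example's own.

```python
from itertools import combinations, product

# Added example, not the talk's code: the OA -> TD construction of slide 15 and
# the t-wise covering property of slide 16. An orthogonal array is a list of
# rows over a symbol set S; points are (symbol, column), groups are the
# columns S x {i}, and each row c becomes the block {(c_i, i), 1 <= i <= l}.
def oa_to_td(oa):
    ell = len(oa[0])
    symbols = sorted({s for row in oa for s in row})
    groups = [[(s, i) for s in symbols] for i in range(1, ell + 1)]
    blocks = [frozenset((c, i + 1) for i, c in enumerate(row)) for row in oa]
    return groups, blocks

def covering_number(blocks, pts):
    """Number of blocks containing every point of pts."""
    return sum(1 for B in blocks if all(pt in B for pt in pts))

def is_generalized_td(oa, t):
    """True when every t-tuple of points taken from t distinct groups lies in
    exactly one block: strength t of the OA, which is what lets the protocol
    tolerate t - 1 colluding servers."""
    groups, blocks = oa_to_td(oa)
    return all(covering_number(blocks, pts) == 1
               for gs in combinations(groups, t) for pts in product(*gs))

def reed_solomon_oa(p, t):
    """OA(t + 1, p, p) = RS(F_p, t + 1): evaluations on F_p of every polynomial
    of degree <= t over F_p (p prime, so arithmetic is plain mod p)."""
    return [tuple(sum(a * pow(x, e, p) for e, a in enumerate(coeffs)) % p
                  for x in range(p))
            for coeffs in product(range(p), repeat=t + 1)]

# The OA(2, 3, 2) written on slide 15, one row of the array per tuple.
OA_2_3_2 = [("a", "b", "b"), ("b", "b", "a"), ("b", "a", "b"), ("a", "a", "a")]
```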
Example: for $\mathrm{OA}(t + 1, \ell = q, s = q) = \mathrm{RS}(\mathbb{F}_q, t + 1)$:
[Plot: rate (from 0.1 to 1) of the resulting code, one curve per $t = 1, 2, 4, \log(q), q^{1/2}, q/8, q/2, q - 1$.]
Summary: (server-)efficient PIR protocols can be built upon codes from transversal designs.
Current issues:
◮ transversal designs with low-rank parity-check matrices?
◮ bounds, optimal constructions?
◮ (divisible projective codes $C_0$ over large alphabets?)
Questions?
Proposition.– For all codes $C_0$ of length ℓ over $\mathbb{F}_s$, $\mathrm{Code}_q(C_0)$ is an $[n, k]_q$ code with:
◮ $n = s\ell$,
◮ $\ell - 1 \le k \le n - \sqrt{n}$.
Proposition.– Let H be the parity-check matrix of $\mathrm{Code}_q(C_0)$. Then
$HH^T = \ell J - D(C_0),$
where J is the all-1 matrix and $D(C_0)_{c,c'} = d(c, c')$, $\forall c, c' \in C_0$.
A p-divisible code is a code whose codewords' weights are divisible by p.
Corollary.– If $C_0$ is p-divisible for $p = \mathrm{char}(\mathbb{F}_q)$, then:
$k = \dim \mathrm{Code}_q(C_0) \ge \frac{n - 1}{2}.$
Furthermore, if $p \mid \ell$, then $HH^T = 0 \Rightarrow C^\perp \subseteq C$.
Theorem.– If there exists a p-divisible code $C_0$ of length ℓ and dual distance $t + 2$, then there exists a PIR protocol resisting t colluding servers, with rate 1/2.
Question.– Do there exist projective ($d^\perp \ge 3$) p-divisible codes of length ℓ over $\mathbb{F}_q$, with $q \gg \ell$?