SLIDE 1
PIR schemes with
- linear-time offline phase,
- sublinear-time online lookups,
- no additional storage on the server.
2
Henry Corrigan-Gibbs Dmitry Kogan EPFL & MIT Stanford - - PowerPoint PPT Presentation
Henry Corrigan-Gibbs Dmitry Kogan EPFL & MIT Stanford - - PowerPoint PPT Presentation
Henry Corrigan-Gibbs Dmitry Kogan EPFL & MIT Stanford Eurocrypt 2020 PIR schemes with linear-time offline phase, sublinear-time online lookups, no additional storage on the server. Results preview communication &
SLIDE 2
SLIDE 3
Background The offline/online model Our results 2-server scheme From two servers to one Conclusion & open problems
3
SLIDE 4
[CGKS95]
Goal Read a record from a DB without DB learning which record you read. Extensions larger records, key-value DBs [CGN98] Applications medical encyclopedia, stocks private messaging, search, DNS
4
Index π β [π] Database π¦ β 0,1 π π¦π β {0,1}
π = {1, β¦ , π}
SLIDE 5
Correctness Client learns its bit of interest (with overwhelming prob.) Security (Malicious) server βlearns nothingβ about clientβs desired bit For all databases π¦ β 0,1 π, for all π, π β [π],
View of server when client reads bit π βπ View of server when client reads bit π
5
SLIDE 6
Correctness Client learns its bit of interest (with overwhelming prob.) Security (Malicious) server βlearns nothingβ about clientβs desired bit Minimize communication
6
SLIDE 7
Multi-server PIR [CGKS95]
- Replicate DB on non-colluding servers
- State of the art (following [Amb97,CG97,BIO,BIKR02,Yek08,Efr12,β¦]):
- Information-theoretic security: ππ(1) communication [DG16]
- Computational security: π(log π) communication [GI14, BGI15]
Single-server PIR [KO97]
- Requires cryptographic assumptions
- State of the art:
- polylog π communication [CMS99, Lip05,β¦]
7
SLIDE 8
Server linearly scans the entire DB to respond to a query βa barrier to deployment Server must do π(π) work to respond to a query [BIM04]
- Intuition: If server doesnβt touch bit π, client isnβt reading bit π
- Holds even if you have many non-colluding servers
- Holds irrespective of cryptographic assumptions
8
SLIDE 9
- Encode the DB: PIR with preprocessing [BIM04]
- Advantage: significant decrease in server time
- Disadvantage: significant increase in server storage
- 1-server: DEPIR [BIPW17, CHR17], PANDA [HOWW18]
- Amortize cost: Batch PIR [IKOS04, IKOS06, LG15, Hen16, ACLS18]
- Reduce individual serverβs work: PIR with sharded DB [DHS14]
- Relax the privacy guarantee: PIR with differential privacy [TDG16]
- Move public-key operations to an offline phase:
Private Stateful Information Retrieval [PPY18]
9
SLIDE 10
Background The offline/online model Our results 2-server scheme From two servers to one Conclusion & open problems
10
SLIDE 11
11
π(π) time
Hint
π¦ β 0,1 π π¦ β 0,1 π
LEFT RIGHT
- The left server runs in linear time.
- But work happens before client
decides which bit to read.
β π bits
SLIDE 12
12
Hint Client stores hint
π¦ β 0,1 π π¦ β 0,1 π
LEFT RIGHT
SLIDE 13
13
π(π) time
Index π β [π] π¦π β {0,1} Sublinear online time
π¦ β 0,1 π π¦ β 0,1 π
LEFT RIGHT
Hint
π¦π
[DIO01, BIM04, BLW17, PPY18]
SLIDE 14
Two-server scheme
- π communication and online time (from any PRG)
- Can reuse a single offline interaction for many online queries
Single-server scheme
- π2/3 communication and online time (from DDH, DCR,β¦)
- π from FHE
- No public-key operations in the online phase
Lower bound
- For offline/online schemes that store DB in its original form
- Communication π· and online time π must be π· β π β₯ π
up to poly π, log π factors for length-π DB and sec. parameter π Our π schemes achieve
- ptimal commβonline time
tradeoff
14
SLIDE 15
15
Background The offline/online model Our results 2-server scheme From two servers to one Conclusion & open problems
SLIDE 16
16
π¦ β 0,1 π Random subsets π1, β¦ , ππ β [π] each of size π
π =
π
Use pseudorandomness to compress to ππ 1
Computes β1, β¦ , βπ β {0,1} βπ = ΰ·
ββππ
π¦β mod 2 S1, β1, β¦ , ππ, βπ
LEFT
π¦ β 0,1 π
RIGHT
SLIDE 17
LEFT
17
Index π β [π] π¦π = βπ + π mod 2 S1, β1, β¦ , π
π, βπ, β¦ , ππ, βπ
π = ΰ·
ββπ»β²π¦β mod 2
π¦ β 0,1 π
RIGHT
If π β π»π βͺ β― βͺ π»π , output βfailβ Else, π β π»π,
- With prob
πβ1 π
, send a random set π»β² containing π and output βfailβ
- Else, send βpunctured setβ π»β² = π»π β {π}
Ξ£ββπππ¦β Ξ£ββππβ{π}π¦β
π¦π
SLIDE 18
LEFT
18
Index π β [π] π¦π = βπ + π mod 2 S1, β1, β¦ , π
π, βπ, β¦ , ππ, βπ
π = ΰ·
ββπ»β²π¦β mod 2
π¦ β 0,1 π
RIGHT
If π β π»π βͺ β― βͺ π»π , output βfailβ Else, π β π»π,
- With prob
πβ1 π
, send a random set π»β² containing π and output βfailβ
- Else, send π»β² = π»π β {π}
Choose π β π β log π Then:
- Pr Fail1 β€ negl π
(π log2 π balls into π bins)
- Pr Fail2 β€ 1/ π
Repeat all π times to drive down failure prob.
SLIDE 19
19
RIGHT π¦ β 0,1 π
π¦ β 0,1 π
LEFT
SLIDE 20
20
LEFT RIGHT
π¦ β 0,1 π
- With prob
πβ1 π
, send a random set π»β² containing π, output βfailβ
- Else, send set π»β² = π»π β {π}
uniformly random size- π β 1 subset of [π]
w.p. π =
πβ1 π
w.p. 1 β π
random set containing π random set without π
SLIDE 21
21
LEFT RIGHT LEFT
π
π»β² ΰ·¨ π( π) bits ΰ·¨ π( π) bits ΰ·¨ π(π) time ΰ·¨ π( π) time
SLIDE 22
22
Problem: cannot reuse π
π
Given π
π 1and π π 2, server knows π1 = π π 2 β π π 1
RIGHT
S1, β1, β¦ , ππ , βπ, β¦ , ππ, βπ S1, β1, β¦ , ππ , βπ, β¦ , ππ, βπ S1, β1, β¦ , ππππ₯, , β¦ , ππ, βπ S1, β1, β¦ , ππππ₯, βπππ₯, β¦ , ππ, βπ
LEFT
Idea: sample replacement set ππππ₯ fetch its parity βπππ₯ from left server Preserving joint distribution of {π
π} and
privacy from left server requires care
(see paper)
Goal: amortize cost of offline phase
Linear time
Runs in π time (vs. π to redo offline phase)
π time
SLIDE 23
Two-server scheme summary
- π communication, online time, amortized total time per-query
- Client uses π time and storage
- Only need PRGs
Extensions (see paper)
- Trade-off communication for online time
- Statistical-security variant: π2/3 communication and client time
- Reducing online communication to π¦π©π‘ π
- Using short description of βPuncturable setsβ
- Client storage and time increase to π5/6
23
SLIDE 24
24
Background The offline/online model Our results 2-server scheme From two servers to one Conclusion & open problems
SLIDE 25
26
Linear-time
- ffline phase
Sublinear-time
- nline phase
Run both offline and online phases with the same server Single server homomorphically evaluates offline query
- Option 1: Fully HE
- π communication and online time
- Option 2: Additively HE
- π2/3 communication and online time
Security only holds if server does not see both offline and online queries
SLIDE 26
PIR with sublinear online time and no additional server storage 2-server:
- Offline: ΰ·¨
ππ( π) communication, linear time
- Online: Oπ log π communication, ΰ·¨
ππ( π) server time, ΰ·¨ ππ π5/6 client time
1-server: ΰ·¨
ππ(π2/3) communication & online time ( ΰ·¨ ππ( π) with FHE)
Matching communication-online time lower bound (see paper)
- Reduction from Yaoβs box problem
Open problems
dkogan@cs.stanford.edu henrycg@csail.mit.edu eprint 2019/1075
Open problem: reduce client work Open problem: amortize between clients
30