
On Basing Private Information Retrieval on NP-Hardness

Tianren Liu¹, Vinod Vaikuntanathan¹

¹MIT

liutr@mit.edu, vinodv@csail.mit.edu

Thirteenth IACR Theory of Cryptography Conference

Tianren, Vinod (MIT) Basing PIR on NP-Hardness TCC 2016-A 1 / 14


Assumptions and Primitives in Cryptography

[Diagram: assumptions and primitives in cryptography: NP ⊈ BPP, Avg-NP ⊈ BPP, OWF, CRHF, Pub-key Enc, OWP, Trapdoor Permutation, PIR, Add-Homomorphic Enc]

Can we prove the security of a cryptographic primitive from the minimal assumption NP ⊈ BPP? (Brassard 1979)


(Black-box) Security Proofs

To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction $R$ s.t. for any oracle $A$ that “breaks the security of X”, $R^A$ solves SAT:

$$R^A(x) \begin{cases} \text{accepts w.p. } \ge 2/3, & \text{if } x \in \mathrm{SAT} \\ \text{accepts w.p. } \le 1/3, & \text{if } x \notin \mathrm{SAT} \end{cases}$$

Note: the security proof is black-box, but the construction may be arbitrary.


Impossibility Results

[Diagram: assumptions and primitives]

No known cryptographic scheme based on NP ⊈ BPP. Several negative results* (Brassard 1979, ...)


One-way Permutations (Brassard 1979)


Impossibility Results (restricting the primitives)

[Diagram: assumptions and primitives]

Homomorphic Encryption∗ (Bogdanov-Lee 2013)

One-way Functions∗ (Akavia-Goldreich-Goldwasser-Moshkovitz 2006, Bogdanov-Brzuska 2014)


Impossibility Results (restricting the reductions)

[Diagram: assumptions and primitives]

Public-key Encryption Scheme, via “smart” reduction (Goldreich-Goldwasser 1998)

Collision-resistant Hash Functions, via constant-adaptive reduction (Haitner-Mahmoody-Xiao 2009)

Average-case NP, via non-adaptive reduction (Bogdanov-Trevisan 2006)


Our Result: Private Information Retrieval [CGKS95, KO97]

[Diagram: assumptions and primitives]

Theorem (Informal). Let Π be a single-server one-round PIR scheme. Security of Π cannot be based on NP-hardness unless the polynomial hierarchy collapses.

Rule out approximately correct PIR.

Rule out PIR with communication complexity n − o(n).


Proof Overview

Lemma 1: (Single-server one-round) PIR can be broken with an SZK oracle.

Lemma 2: Language $L \in \mathsf{BPP}^{\mathsf{SZK}} \implies L \in \mathsf{AM} \cap \mathsf{coAM}$ (Mahmoody & Xiao, 2010).

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM.

Lemma 3: NP ⊈ coAM unless polynomial hierarchy collapses (Boppana, Håstad & Zachos, 1987).

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.


Single-server One-round Private Information Retrieval


Client: index $i \in \{1, \dots, n\}$

One server: data $x \in \{0,1\}^n$

Client → Server: the client sends a query $q$

Server → Client: the server answers $a$

Correctness: The client learns $x_i$ (w.p. $1 - \varepsilon$).

Privacy: The server learns nothing about $i$.

An Oracle Breaking Single-server One-round PIR

Given a query $q$, guess the index with probability $> 1/n + 1/\mathrm{poly}$.


Break PIR with SZK oracle (Lemma 1)

Client: index $i \in \{1, \dots, n\}$

Server: random $x \in \{0,1\}^n$

Client → Server: generate a query $q$

Server → Client: server answers $a$

Claim 1: $I(x_i; a) = 1$ assuming perfect correctness.∗ Proof: Correctness.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$. Proof: As $x_1, \dots, x_n$ are independent.

Corollary: $\sum_{j=1}^{n} I(x_j; a)$ is small.

∗ The randomness is from $x$ and from the procedure generating the answer.


Idea: Reduce Breaking PIR to Estimating Entropy

Given a query $q$, guess the index:

Emulate how the server answers $q$ when $x \in \{0,1\}^n$ is random.

Estimate $I(x_j; a)$ for each $j \in \{1, \dots, n\}$ using an SZK oracle (on next slide).

Output a random $i'$ w.p. $\dfrac{I(x_{i'}; a)}{\sum_{j=1}^{n} I(x_j; a)}$.

With perfect correctness: guess correctly w.p. $\ge \dfrac{1}{|a|}$.

Claim 1: $I(x_i; a) = 1$ assuming perfect correctness.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$.

With correctness w.h.p.: guess correctly w.p. $\ge \dfrac{1 - h(\varepsilon)}{|a|}$.

Claim 1: $\mathbb{E}_q[I(x_i; a)] \ge 1 - h(\varepsilon)$ assuming correctness w.h.p.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$.


Mutual Information and SZK

Mutual information: $I(x_i; a) = H(x_i) + H(a) - H(x_i, a) = H(x_i) - H(x_i \mid a)$

Entropy Approximation is in SZK: given a circuit generating a distribution $D$, and $h$, distinguish between $H(D) \ge h + \frac{1}{\mathrm{poly}}$ and $H(D) \le h - \frac{1}{\mathrm{poly}}$.

Can estimate entropy given an SZK oracle.

[Diagram: Client ($i$, index); Server (data $x$, random tape); messages $q$ (fixed) and $a$]
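The guessing strategy from the preceding slides, as an added example that is not part of the original talk. The toy scheme (block query, XOR re-encoded answer, n = 8, |a| = 2) is constructed for illustration and offers no privacy by itself; exact enumeration over x stands in for the SZK entropy oracle.

```python
import itertools
import math
from collections import Counter

N = 8        # database size n (constructed toy parameter)
BLOCK = 2    # answer length |a| in bits (constructed toy parameter)


def make_query(i):
    """Toy client (hypothetical scheme): the query names the block holding index i."""
    return i // BLOCK


def server_answer(q, x):
    """Toy server: return block q of x, re-encoded with an XOR so the
    answer bits are not literal database bits. |a| = BLOCK bits."""
    lo, hi = x[BLOCK * q], x[BLOCK * q + 1]
    return (lo ^ hi, hi)


def entropy(counts, total):
    """Shannon entropy in bits of the empirical distribution in `counts`."""
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def mutual_information(q):
    """Exact I(x_j; a) for every j when x is uniform over {0,1}^N.
    Enumerating all x replaces the SZK entropy-approximation oracle."""
    xs = list(itertools.product((0, 1), repeat=N))
    answers = [server_answer(q, x) for x in xs]
    h_a = entropy(Counter(answers), len(xs))
    mi = []
    for j in range(N):
        h_xj = entropy(Counter(x[j] for x in xs), len(xs))
        h_joint = entropy(Counter((x[j], a) for x, a in zip(xs, answers)), len(xs))
        mi.append(h_xj + h_a - h_joint)  # I = H(x_j) + H(a) - H(x_j, a)
    return mi


def guess_distribution(q):
    """Pr[output i'] = I(x_i'; a) / sum_j I(x_j; a), as on the slide."""
    mi = mutual_information(q)
    total = sum(mi)
    if total == 0:  # answer independent of x: fall back to a uniform guess
        return [1 / N] * N
    return [m / total for m in mi]


def success_probability():
    """Pr[guess = i], averaged over a uniformly random client index i."""
    return sum(guess_distribution(make_query(i))[i] for i in range(N)) / N


if __name__ == "__main__":
    q = make_query(5)
    print("I(x_j; a) per j:", mutual_information(q))
    print("guess succeeds w.p.", success_probability(), "vs 1/n =", 1 / N)
```

In this toy scheme the guess succeeds with probability 1/|a| = 1/2, against 1/n = 1/8 for a blind guess, matching the bound on the slide.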


Open problem: Multiple-round

Multiple-round PIR: Could we rule out multiple-round PIR?

[Diagram: Client ($i$, index; random tape) and Server ($x$, data; random tape) exchange $m_1, a_1, m_2, a_2, m_3, a_3$]

One-round PIR: Given the view of server, it’s easy to generate another view.

[Diagram: Client ($i$, index; random tape) and Server ($x$, data; random tape) exchange $q$ and $a$]


Open problem: CRHF

[Diagram: assumptions and primitives]

PIR (This work)

One-way Permutations (Brassard 1979)

Could we rule out reduction from SAT to finding collisions? (TCC 2017?)


Thank you!
