Private Information Retrieval

Amos Beimel – Ben-Gurion University

http://www.cs.bgu.ac.il/~beimel

Tel-Hai, June 4, 2003

This talk is based on talks by:

Yuval Ishai, Eyal Kushilevitz, Tal Malkin

Private Information Retrieval (PIR) [CGKS95]

• Goal: allow user to query database while hiding the identity of the data-items she is after.

• Note: hides identity of data-items; not existence of interaction with the user.

• Motivation: patent databases; stock quotes; web access; many more....

• Paradox(?): imagine buying in a store without the seller knowing what you buy.

(Encrypting requests is useful against third parties; not against owner of data.)

Modeling

• Server: holds n-bit string x n should be thought of as very large

• User: wishes– to retrieve xi and– to keep i private

• Remark: most basic version; building block for involved retrieval.

Private Information Retrieval (PIR)

x=x1,x2 , . . ., xn {0,1}n

SERVER

i {1,…n}

xi

USER

i j

?

7

43

n

NO privacy!!!

Communication: log n

SERVER USER

x =x1,x2 , . . ., xn

xi

Non-Private Protocol

i

i {1,…n}

Server sends entire database x to User.

Information theoretic privacy.

Communication: n

SERVER

xi

USER

x =x1,x2 , . . ., xn

x1,x2 , . . ., xn

Trivial Private Protocol

Is this optimal?

Obstacle

Theorem [CGKS]:

In any 1-server PIR with information

theoretic privacy the communication is at

least n.

More “solutions”• User asks for additional random indices.Drawback: reveals a lot of information • Employ general crypto protocols to

compute xi privately.Drawback: highly inefficient (polynomial in

n).• Anonymity (e.g., via Anonymizers).Note: different concern: hides identity of user;

not the fact that xi is retrieved.

Two Approaches

Information-Theoretic PIR [CGKS95,Amb97,...] Replicate database among k servers.

Unconditional privacy against t servers.

Default: t=1

Computational PIR [CG97,KO97,CMS99,...] Computational privacy, based on cryptographic assumptions.

Known Comm. Upper Bounds

Multiple servers, information-theoretic PIR:• 2 servers, comm. n1/3 [CGKS95]

• k servers, comm. n1/(k) [CGKS95, Amb96,…,BIKR02]

• log n servers, comm. Poly( log(n) ) [BF90, CGKS95]

Single server, computational PIR:

Comm. Poly( log(n) ) Under appropriate computational assumptions [KO97,CMS99]

Approach I: k-Server PIR

Correctness: User obtains xi

Privacy: No single server gets information about i

U

S1

x {0,1}n

S2x {0,1}n

i

x {0,1}n Sk

Information-Theoretic 2-Server PIR

• Best Known Protocol: comm. n1/3 [CGKS95]• Open Question: Is this optimal?• This Talk: comm. n1/2

Two Stages:

1. Protocol I: n bit queries, 1 bit answers

2. Protocol II: n1/2 bit queries, n1/2 bit answers

Protocol I: 2-server PIR

S2

i

U

i

n

Q1{1,…,n}

S1

Q2=Q1 i

0 0 1 1 0 011 10 00

Protocol I: 2-server PIR

S2

i

U

i

n

Q1{1,…,m}

S1

11

Qa x

Q2=Q1 i

0 1 0 0 1 1 0 1 0 0 010

Protocol I: 2-server PIR

S2

i

U

i

n

Q1{1,…,n}

S1

a1a2=xi

11

Qa x

2

2Q

a x

Q2=Q1 i

0 1 0 0 1 0 1 0 0 01 110

PIR with O(n1/2) Communication

S2

j,i

U

i

X

m=n1/2

m=n1/2

Q1{1,…,m}

S1

1,1 1,2 1,, ,..., ma a a

Q2=Q1 i

j

2,1 2,2 2,, ,..., ma a a

1, ja

1,2a1,1a

a1,ja2,j=xj,i

Computational PIR with O(n1/2) Comm.

Tool: (randomized) homomorphic encryption

b b’ b b’=

Example Quadratic Residue:

E(0) QRN

E(1) NQRN

QR QR = QR

NQR QR = NQR

Computational PIR with O(n1/2) Comm.

0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1

n1/2

n1/2

i• User sends n1/2 encryptions

c1 =E(0), c2 =E(0), c3=E(1), c4 = E(0)

• For each row Server sends a “bit”c2c3

c1 c2c3

c1c2

c4

• User recovers ith column of x

j

PIR – Related Work

• Extensions:– Symmetric PIR [GIKM,NP]– t-privacy [CGKS,IK,BI]– Robust PIR [BS]

• More settings [OS,GGM,DIO,BIM,...]

• PIR as a building-block [NN,FIMNSW,...]

Current (& Future) Research

Focus so far: communication complexity

Obstacle: time complexity • All existing protocols require high computation by the

servers (linear computation per query).

Theorem [BIM]:

Expected computation of the servers is (n)

Major research goal:

Improving time complexity via

preprocessing / amortization / off-line computation( Preliminary results in [BIM,IKOS])