A Linear Lower Bound on the Communication Complexity of Single-Server PIR
Iftach Haitner, Jonathan Hoch, Gil Segev
Weizmann Institute of Science, Israel
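
Private Information Retrieval
[Diagram: Server holds $x = x_1 \cdots x_n$; Receiver holds $i \in \{1,\dots,n\}$ and obtains $x_i$]
Functionality: Receiver retrieves $x_i$
Privacy: Server does not learn $i$
[Diagram: Receiver with $i \in \{1,\dots,n\}$ $\approx$ Receiver with $j \in \{1,\dots,n\}$]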

The Trivial Solution
[Diagram: Server holds $x = x_1 \cdots x_n$; Receiver holds $i \in \{1,\dots,n\}$; the server sends $x_1 \cdots x_n$]
Inefficient -- x may be very large
Can we do better than trivial?
Not information theoretically [CGKS]

Two Approaches
Multiple-server PIR [CGKS95,...,Yek07,...]
  Information theoretic privacy
  Many exciting results, but not the focus of this talk
Single-server PIR [CG97, KO97, CMS99, ...]
  Computational privacy
  Implies Oblivious Transfer
  2-message PIR implies collision-resistant hash functions and public-key encryption
  Many applications...

Current Status
Specific number-theoretic assumptions [KO97, CMS99, ...]
  Communication polylog(n)
General assumptions [KO00]
  Communication n - o(n)
  Black-box construction based on TDPs
Question: Can we base single-server PIR with sublinear communication on general assumptions?

Main Result
In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.
Previous results
  [Fis02]: Similar result for 2-message protocols (less restrictions)
  [HHRS07]: (n/logn) lower bound (same restrictions)
    (n²) lower bound for “not so tight” reductions
Two restrictions
  Fully black-box
  Tight security reduction: permutations over (n) bits
    [KO ‘00]: (n²) bits

Fully Black-Box Reductions
A fully black-box reduction from B to A:
  Black-box construction
    Any implementation of A implies an implementation of B
    Only care about the functionality of A
  Black-box proof of security
    Any adversary for B implies an adversary for A
    Only care about functionality of the adversary for B
[Diagram: A, B, adversary for A, adversary for B]

Our Approach
We present an oracle O relative to which:
1. There exists a collection of TDPs over $\{0,1\}^n$
   A random function is hard to invert even with access to O
2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
   There exists an efficient server that uses O to break any such protocol
Fully black-box reductions relativize
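
The Oracle [HHRS ‘07]
O = (Sam, ) is a random collection of TDPs over $\{0,1\}^n$
Sam is an interactive collision-finding oracle
  Samples random collisions
  Extends the non-interactive oracle of [Simon ‘98]
[Diagram: A interacting with Sam. Sam sends $v_0 \leftarrow \{0,1\}^n$; A sends $C_1$ and receives $v_1$ with $C_1(v_1) = C_1(v_0)$; A sends $C_2$ and receives $v_2$ with $C_2(v_2) = C_2(v_1)$]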
Theorem: A random TDP is one-way as long as Sam answers queries of depth $\le n/\log(n)$
  The proof requires additional restrictions ($C_{i+1}$ refines $C_i$, commit to $C_{i+1}$ at depth $i$, ...)
  ...but this suffices for the purpose of this talk

Breaking 2-Message PIR
[Diagram: Server holds $x = x_1 \cdots x_n$; Receiver holds $i \in \{1,\dots,n\}$ and sends $a(i)$; the server replies $b(a,x)$]
1. Receive $x^0$ from Sam
2. Send the circuit $b(a,\cdot)$ to Sam
3. Receive $x^1$ from Sam
4. Output a random index $j$ for which $x^0_j$ $x^1_j$
Claim: The malicious server guesses $i$ w.p. $\ge 1/(n-1)$
$x^0_i$ $x^1_i$ and $x^0$ $x^1$
$b(a,x^0) = b(a,x^1)$
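The four steps above, run against a constructed toy protocol, as an added example that is not from the talk: the receiver sends two masks whose XOR is the unit vector for i, and the server answers with two parity bits for an n-bit database. The toy protocol, the brute-force `Sam` class and every name here are assumptions made for illustration, and step 4 is read as choosing an index where the two databases differ, which is also an assumption.

```python
import itertools
import random

N = 8  # toy database length; the brute-force Sam below costs 2**N per query

def query(i, rng):
    """Receiver's message a(i): two masks whose XOR is the unit vector e_i."""
    r = [rng.randrange(2) for _ in range(N)]
    s = list(r)
    s[i] ^= 1
    return tuple(r), tuple(s)

def answer(a, x):
    """Server's message b(a, x): one parity bit per mask, 2 bits in total."""
    return tuple(sum(m & bit for m, bit in zip(mask, x)) % 2 for mask in a)

def decode(ans):
    """Receiver recovers x_i as the XOR of the two parity bits."""
    return ans[0] ^ ans[1]

class Sam:
    """Toy collision finder: uniform x0, then a uniform x1 with C(x1) == C(x0)."""
    def __init__(self, rng):
        self.rng = rng
        self.x0 = tuple(rng.randrange(2) for _ in range(N))
    def collide(self, circuit):
        target = circuit(self.x0)
        same = [x for x in itertools.product((0, 1), repeat=N)
                if circuit(x) == target]
        return self.rng.choice(same)

def malicious_server(a, rng):
    """Steps 1-4; uses b(a, .) only as a black box, never reads the masks."""
    sam = Sam(rng)
    x0 = sam.x0                                # 1. receive x0 from Sam
    x1 = sam.collide(lambda x: answer(a, x))   # 2-3. send b(a, .), receive x1
    diff = [j for j in range(N) if x0[j] != x1[j]]
    return (rng.choice(diff) if diff else None), x0, x1  # 4. None if x0 == x1

def run_trials(trials=200, seed=1):
    """Returns (outputs produced, outputs equal to the receiver's index i)."""
    rng = random.Random(seed)
    produced = hits = 0
    for _ in range(trials):
        i = rng.randrange(N)
        j, _, _ = malicious_server(query(i, rng), rng)
        produced += j is not None
        hits += j == i
    return produced, hits
```

In this toy the output index never equals the receiver's index: two databases with the same pair of parity answers must agree at position i, so the server rules out one index using only collisions on its own answer function.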

Breaking Any Sublinear PIR
[Diagram: Receiver holds $i \in \{1,\dots,n\}$; messages $a_1, b_1, \dots, a_{o(n)}, b_{o(n)}$]
Communication vs. Rounds: Server sends o(n) bits $\Rightarrow$ o(n) rounds, server sends one bit each round
Key observation: The malicious server can invoke Sam every log(n) rounds
[Diagram: messages $a_1, b_1, \dots, a_{\log(n)}, b_{\log(n)}, \dots, a_{o(n)}, b_{o(n)}$]
1. Receive $x^0$ from Sam
2. Simulate the honest server for log(n) rounds
3. Send $b_1(a_1,\cdot)$ to Sam until receiving $x^{\log(n)}$ which is consistent with all log(n) rounds (rewind Sam if inconsistent)
Claim: The malicious server guesses $i$ w.p. $\ge 1/(n-1)$

Summary
Communication lower bound for single-server PIR
  Fully black-box constructions from (enhanced) TDPs
  The trivial solution is optimal up to constant factors
In the paper: Communication lower bound for statistically-hiding bit-commitment
  The sender must send (n) bits
    Matches the upper bound of [NOVY]
  Communication preserving reduction to single-server PIR
Open problem: A linear lower bound for “not so tight” reductions?
  [KO ‘00]: TDPs over (n²) bits
Thank you!