Henry Corrigan-Gibbs (EPFL & MIT), Dmitry Kogan (Stanford). Eurocrypt 2020. PowerPoint presentation transcript: PIR schemes with a linear-time offline phase, sublinear-time online lookups, and no additional storage on the server.


  1. Henry Corrigan-Gibbs (EPFL & MIT), Dmitry Kogan (Stanford). Eurocrypt 2020.

  2. Results preview. PIR schemes with
     • a linear-time offline phase,
     • sublinear-time online lookups,
     • no additional storage on the server.
     Two servers: √n communication & online time from any PRG.
     Single server: n^{2/3} communication & online time from DCR.

  3. Outline: Background · The offline/online model · Our results · 2-server scheme · From two servers to one · Conclusion & open problems

  4. Goal [CGKS95]: read a record from a DB without the DB learning which record you read.
     • Database x ∈ {0,1}^n; index i ∈ [n] = {1, …, n}; the client learns x_i ∈ {0,1}.
     • Extensions: larger records, key-value DBs [CGN98].
     • Applications: medical encyclopedia, stocks, private messaging, search, DNS.

  5. Correctness: the client learns its bit of interest (with overwhelming probability).
     Security: a (malicious) server “learns nothing” about the client’s desired bit. For all databases x ∈ {0,1}^n and all i, j ∈ [n]:
     (view of the server when the client reads bit i) ≈_c (view of the server when the client reads bit j).

  6. Correctness: the client learns its bit of interest (with overwhelming probability).
     Security: a (malicious) server “learns nothing” about the client’s desired bit.
     Efficiency: minimize communication.

  7. Multi-server PIR [CGKS95]
     • Replicate the DB on non-colluding servers.
     • State of the art (following [Amb97, CG97, BIO, BIKR02, Yek08, Efr12, …]):
       • Information-theoretic security: n^{o(1)} communication [DG16]
       • Computational security: O(log n) communication [GI14, BGI15]
     Single-server PIR [KO97]
     • Requires cryptographic assumptions.
     • State of the art: polylog(n) communication [CMS99, Lip05, …]

  8. The server linearly scans the entire DB to respond to a query ⇒ a barrier to deployment.
     The server must do Ω(n) work to respond to a query [BIM04].
     • Intuition: if the server doesn’t touch bit i, the client isn’t reading bit i.
     • Holds even if you have many non-colluding servers.
     • Holds irrespective of cryptographic assumptions.

  9. Ways around the linear-work barrier
     • Encode the DB: PIR with preprocessing [BIM04]
       • Advantage: significant decrease in server time
       • Disadvantage: significant increase in server storage
       • 1-server: DEPIR [BIPW17, CHR17], PANDA [HOWW18]
     • Amortize cost: batch PIR [IKOS04, IKOS06, LG15, Hen16, ACLS18]
     • Reduce an individual server’s work: PIR with a sharded DB [DHS14]
     • Relax the privacy guarantee: PIR with differential privacy [TDG16]
     • Move public-key operations to an offline phase: Private Stateful Information Retrieval [PPY18]

  10. Outline (section: The offline/online model)

  11. The offline/online model. Two servers, LEFT and RIGHT, each hold x ∈ {0,1}^n. The LEFT server spends O(n) time and sends the client a hint (≈ √n bits).
     • The left server runs in linear time.
     • But the work happens before the client decides which bit to read.

  12. The client stores the hint.

  13. Online phase [DIO01, BIM04, BLW17, PPY18]: the client, holding the hint and an index i ∈ [n], queries the RIGHT server (which holds x ∈ {0,1}^n) and learns x_i ∈ {0,1}. The RIGHT server runs in o(n) time: sublinear online time.

  14. Our results (up to poly(λ, log n) factors, for a length-n DB and security parameter λ)
     Two-server scheme
     • √n communication and online time (from any PRG)
     • Can reuse a single offline interaction for many online queries
     Single-server scheme
     • n^{2/3} communication and online time (from DDH, DCR, …)
     • √n from FHE
     Our schemes achieve
     • No public-key operations in the online phase
     • Optimal communication – online time tradeoff
     Lower bound
     • For offline/online schemes that store the DB in its original form
     • Communication C and online time T must satisfy C ⋅ T ≥ n

  15. Outline (section: 2-server scheme)

  16. Two-server scheme, offline phase. Both LEFT and RIGHT hold x ∈ {0,1}^n.
     • The client picks random subsets S_1, …, S_m ⊂ [n], each of size |S_j| = √n, and sends them to the LEFT server.
     • The LEFT server computes h_1, …, h_m ∈ {0,1}, where h_j = Σ_{ℓ∈S_j} x_ℓ mod 2.
     • Use pseudorandomness to compress each set description to O_λ(1).
     • The client stores the hint (S_1, h_1, …, S_m, h_m).

  17. Two-server scheme, online phase. The client holds index i ∈ [n] and the hint (S_1, h_1, …, S_j, h_j, …, S_m, h_m).
     • If i ∉ S_1 ∪ ⋯ ∪ S_m, output “fail”.
     • Else, i ∈ S_j. With probability (√n − 1)/n, send a random set T′ containing i to the RIGHT server and output “fail”.
     • Else, send the “punctured set” T′ = S_j ∖ {i}. The RIGHT server returns a = Σ_{ℓ∈T′} x_ℓ mod 2, and the client outputs x_i = h_j + a mod 2, since Σ_{ℓ∈S_j} x_ℓ − Σ_{ℓ∈S_j∖{i}} x_ℓ = x_i.

  18. Analysis. Choose m ≈ √n ⋅ log n. Then:
     • Pr[Fail 1] ≤ negl(n) (n log² n balls into n bins), where Fail 1 is the event i ∉ S_1 ∪ ⋯ ∪ S_m.
     • Pr[Fail 2] ≤ 1/√n, where Fail 2 is the event that, with probability (√n − 1)/n, the client sends a random set T′ containing i and outputs “fail”.
     • Otherwise the client sends T′ = S_j ∖ {i}, receives a = Σ_{ℓ∈T′} x_ℓ mod 2, and outputs x_i = h_j + a mod 2.
     • Repeat everything λ times to drive down the failure probability.

  19. (Figure: LEFT and RIGHT servers, each holding x ∈ {0,1}^n.)

  20. Why the RIGHT server learns nothing. The client sends
     • with probability p = (√n − 1)/n: a random set T′ containing i (and outputs “fail”);
     • with probability 1 − p: the punctured set T′ = S_j ∖ {i}, a random set without i.
     Either way, the set the RIGHT server sees is a uniformly random size-(√n − 1) subset of [n], independent of i.
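The two-server scheme of slides 16 to 20, as an added toy simulation (this is not the authors' code). Function names, the parameters n = 64 and m = ceil(√n · log n), and the randomly constructed database are assumptions of this example; Python's `random` module stands in for the PRG-compressed set descriptions. Besides checking that every successful read returns x_i, it runs the privacy check from slide 20: across fresh protocol runs, the set the RIGHT server sees contains the target index i no more often than an unrelated index k, namely (√n − 1)/n of the time for both.

```python
# Added example, not the authors' code: a toy simulation of the two-server
# offline/online PIR scheme. Names, n = 64, m = ceil(sqrt(n) * log n) and the
# random database are assumptions of this example.
import math
import random


def server_parity(db, T):
    """Work done by a server on a set query: parity of the requested bits."""
    return sum(db[l] for l in T) % 2


def offline_phase(db, rng):
    """Offline phase (slide 16): the client picks m random subsets of [n],
    each of size sqrt(n); the LEFT server returns the parity h_j of each.
    Returns the hint as a list of (S_j, h_j) pairs."""
    n = len(db)
    s = math.isqrt(n)                  # set size sqrt(n); n is a perfect square here
    m = math.ceil(s * math.log(n))     # slide 18: m ~ sqrt(n) * log n
    hint = []
    for _ in range(m):
        S = frozenset(rng.sample(range(n), s))
        hint.append((S, server_parity(db, S)))   # LEFT server: linear work overall
    return hint


def client_query(hint, i, n, rng):
    """Client side of slide 17. Returns (T, h_j): T is the set sent to the
    RIGHT server (None means Fail 1) and h_j the hint parity to combine with
    the answer (None means Fail 2: a decoy set containing i was sent)."""
    s = math.isqrt(n)
    hits = [(S, h) for (S, h) in hint if i in S]
    if not hits:
        return None, None                       # Fail 1: no hint set covers i
    S_j, h_j = hits[0]
    if rng.random() < (s - 1) / n:              # Fail 2, with prob (sqrt(n)-1)/n
        others = rng.sample([l for l in range(n) if l != i], s - 2)
        return frozenset(others) | {i}, None    # random size-(sqrt(n)-1) set containing i
    return S_j - {i}, h_j                       # punctured set S_j \ {i}


def online_phase(db, hint, i, rng):
    """Online phase: returns (x_i, "ok"), or (None, reason) on a failure event."""
    T, h_j = client_query(hint, i, len(db), rng)
    if T is None:
        return None, "fail-1"
    a = server_parity(db, T)                    # RIGHT server: sqrt(n)-1 work
    if h_j is None:
        return None, "fail-2"
    return (h_j + a) % 2, "ok"                  # x_i = h_j + a mod 2


def containment_frequency(db, i, k, trials, rng):
    """Privacy check (slide 20): over fresh protocol runs, how often the set
    the RIGHT server sees contains the target i, and how often it contains an
    unrelated index k. Both should be about (sqrt(n)-1)/n."""
    n = len(db)
    has_i = has_k = sent = 0
    for _ in range(trials):
        T, _ = client_query(offline_phase(db, rng), i, n, rng)
        if T is None:
            continue
        sent += 1
        has_i += i in T
        has_k += k in T
    return has_i / sent, has_k / sent


def run_demo(n=64, seed=2020, trials=2000):
    """One offline phase, one read of every bit, and the privacy check.
    Returns a summary dict for inspection."""
    rng = random.Random(seed)
    db = [rng.randrange(2) for _ in range(n)]   # constructed random database
    hint = offline_phase(db, rng)
    counts = {"ok": 0, "fail-1": 0, "fail-2": 0}
    wrong = 0
    for i in range(n):
        value, why = online_phase(db, hint, i, rng)
        counts[why] += 1
        if why == "ok" and value != db[i]:
            wrong += 1
    f_i, f_k = containment_frequency(db, 5, 17, trials, rng)
    return {"hint_size": len(hint), "counts": counts, "wrong": wrong,
            "freq_target": f_i, "freq_other": f_k,
            "expected_freq": (math.isqrt(n) - 1) / n}


if __name__ == "__main__":
    print(run_demo())
```

With n = 64 the hint holds 34 sets of 8 indices, a read costs the RIGHT server 7 lookups instead of 64, and both containment frequencies come out near 7/64. The privacy check regenerates the hint on every trial on purpose: with a fixed hint the punctured set for a given i is always the same, and the uniformity claim of slide 20 is over the randomness of the whole protocol, not of a single online query.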

  21. Costs. LEFT server: Õ(n) time (offline). RIGHT server: Õ(√n) time (online). The query T′ is Õ(√n) bits, the answer a is one bit, and the hint is Õ(√n) bits.

  22. Goal: amortize the cost of the offline phase.
     • Problem: cannot reuse S_j. Given the punctured sets S_j^(1) = S_j ∖ {i_1} and S_j^(2) = S_j ∖ {i_2}, the RIGHT server learns i_1 = S_j^(2) ∖ S_j^(1).
     • Idea: sample a replacement set S_new and fetch its parity h_new from the LEFT server, so the hint (S_1, h_1, …, S_j, h_j, …, S_m, h_m) becomes (S_1, h_1, …, S_new, h_new, …, S_m, h_m). Runs in √n time (vs. n time to redo the offline phase, which is linear).
     • Preserving the joint distribution of {S_j} and privacy from the LEFT server requires care (see paper).

  23. Two-server scheme summary
     • √n communication, online time, and amortized total time per query
     • Client uses √n time and storage
     • Only needs PRGs
     Extensions (see paper)
     • Trade off communication for online time
     • Statistical-security variant: n^{2/3} communication and client time
     • Reducing online communication to log n
       • Using a short description of “puncturable sets”
       • Client storage and time increase to n^{5/6}

  24. Outline (section: From two servers to one)

  25. From two servers to one. Security only holds if a server does not see both the offline and the online queries, so we cannot simply run the linear-time offline phase and the sublinear-time online phase with the same server. Instead, the single server homomorphically evaluates the offline query.
     • Option 1: fully homomorphic encryption: √n communication and online time
     • Option 2: additively homomorphic encryption: n^{2/3} communication and online time

  26. Conclusion: PIR with sublinear online time and no additional server storage.
     2-server:
     • Offline: Õ_λ(√n) communication, linear time
     • Online: O(λ log n) communication, Õ_λ(√n) server time, Õ_λ(n^{5/6}) client time
     1-server: Õ_λ(n^{2/3}) communication & online time (Õ_λ(√n) with FHE)
     Matching communication – online time lower bound (see paper)
     • Reduction from Yao’s box problem
     Open problems
     • Amortize between clients
     • Reduce client work
     dkogan@cs.stanford.edu, henrycg@csail.mit.edu, eprint 2019/1075
