Private Information Retrieval

1
Private Information Retrieval

• Amos Beimel Ben-Gurion University
• http//www.cs.bgu.ac.il/beimel
• Tel-Hai, June 4, 2003
• This talk is based on talks by
• Yuval Ishai, Eyal Kushilevitz, Tal Malkin

2
Private Information Retrieval (PIR) CGKS95

• Goal allow user to query database while hiding
  the identity of the data-items she is after.
• Note hides identity of data-items not existence
  of interaction with the user.
• Motivation patent databases stock quotes web
  access many more....
• Paradox(?) imagine buying in a store without the
  seller knowing what you buy.
• (Encrypting requests is useful against third
  parties not against owner of data.)

3
Modeling

• Server holds n-bit string x
• n should be thought of as very large
• User wishes
• to retrieve xi
• and
• to keep i private
• Remark most basic version
• building block for involved
  retrieval.

4
Private Information Retrieval (PIR)
n
?
4
3
7
i
j
i 1,n
xi
xx1,x2 , . . ., xn 0,1n
USER
SERVER
5
Non-Private Protocol
i 1,n
xi
i
x x1,x2 , . . ., xn
SERVER
USER

• NO privacy!!!
• Communication log n

6
Trivial Private Protocol
x1,x2 , . . ., xn
xi
x x1,x2 , . . ., xn
SERVER
USER

• Server sends entire database x to User.
• Information theoretic privacy.
• Communication n

Is this optimal?
7
Obstacle

• Theorem CGKS
• In any 1-server PIR with information
• theoretic privacy the communication is at
• least n.

8
More solutions

• User asks for additional random indices.
• Drawback reveals a lot of information
• Employ general crypto protocols to compute xi
  privately.
• Drawback highly inefficient (polynomial in n).
• Anonymity (e.g., via Anonymizers).
• Note different concern hides identity of user
  not the fact that xi is retrieved.

9
Two Approaches

• Information-Theoretic PIR CGKS95,Amb97,...
• Replicate database among k servers.
• Unconditional privacy against t servers.
• Default t1
• Computational PIR CG97,KO97,CMS99,...
• Computational privacy, based on cryptographic
  assumptions.

10
Known Comm. Upper Bounds

• Multiple servers, information-theoretic PIR
• 2 servers, comm. n1/3 CGKS95
• k servers, comm. n1/?(k) CGKS95,
  Amb96,,BIKR02
• log n servers, comm. Poly( log(n) ) BF90,
  CGKS95
• Single server, computational PIR
• Comm. Poly( log(n) )
• Under appropriate computational assumptions
  KO97,CMS99

11
Approach I k-Server PIR
x 0,1n
S1
i
x 0,1n
S2

• Correctness User obtains xi
• Privacy No single server gets information about i

x 0,1n
Sk
12
Information-Theoretic 2-Server PIR

• Best Known Protocol comm. n1/3 CGKS95
• Open Question Is this optimal?
• This Talk comm. n1/2
• Two Stages
• Protocol I n bit queries, 1 bit answers
• Protocol II n1/2 bit queries, n1/2 bit answers

13
Protocol I 2-server PIR
n
0
0
1
1
0
0
1
1
1
0
0
0
S2
S1
i
Q2Q1 ? i
Q1?1,,n
i
U
14
Protocol I 2-server PIR
n
0
1
0
0
1
1
0
1
0
0
0
1
0
S2
S1
i
Q2Q1 ? i
Q1?1,,m
i
U
15
Protocol I 2-server PIR
n
0
1
0
0
1
0
1
0
0
0
1
1
1
0
S2
S1
i
Q2Q1 ? i
Q1?1,,n
i
U
16
PIR with O(n1/2) Communication
mn1/2
mn1/2
X
S2
S1
j
Q2Q1 ? i
Q1?1,,m
a1,j?a2,jxj,i
17
Computational PIR with O(n1/2) Comm.

• Tool (randomized) homomorphic encryption

18
Computational PIR with O(n1/2) Comm.
n1/2
0 1 1 0 1 1 1 0 1 1 0 0 0 0 0 1
n1/2
j
i

• User sends n1/2 encryptions
• c1 E(0), c2 E(0), c3E(1), c4 E(0)
• For each row Server sends a bit
• c2?c3
• c1? c2?c3
• c1?c2
• c4
• User recovers ith column of x

19
PIR Related Work

• Extensions
• Symmetric PIR GIKM,NP
• t-privacy CGKS,IK,BI
• Robust PIR BS
• More settings OS,GGM,DIO,BIM,...
• PIR as a building-block NN,FIMNSW,...

20
Current ( Future) Research

• Focus so far communication complexity
• Obstacle time complexity
• All existing protocols require high computation
  by the servers (linear computation per query).
• Theorem BIM
• Expected computation of the servers is ?(n)
  
• Major research goal
• Improving time complexity via
• preprocessing / amortization / off-line
  computation
• ( Preliminary results in BIM,IKOS)