A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Iftach Haitner, Jonathan Hoch, Gil Segev (Weizmann Institute of Science, Israel)

1
A Linear Lower Bound on the Communication
Complexity of Single-Server PIR
Iftach Haitner
Jonathan Hoch
Gil Segev
Weizmann Institute of Science, Israel
2
Private Information Retrieval
[Diagram: the Receiver holds an index i ∈ {1,...,n} and the Server holds x = x1 ... xn; the Receiver obtains xi; i ∈ {1,...,n} ≈ j ∈ {1,...,n}]
  • Functionality: Receiver retrieves xi
  • Privacy: Server does not learn i

3
The Trivial Solution
[Diagram: the Server, holding x = x1 ... xn, sends x1 ... xn to the Receiver, who holds i ∈ {1,...,n}]
  • Inefficient -- x may be very large
Can we do better than trivial?
Not information theoretically [CGKS]

4
Two Approaches
  • Multiple-server PIR
      • Information theoretic privacy
      • Many exciting results, but not the focus of this talk

[CGKS95, ..., Yek07, ...]
  • Single-server PIR
      • Computational privacy
      • Implies Oblivious Transfer
      • 2-message PIR implies collision-resistant hash functions and public-key encryption
      • Many applications...

[CG97, KO97, CMS99, ...]
5
Current Status
  • Specific number-theoretic assumptions
      • Communication: polylog(n)

[KO97, CMS99, ...]
  • General assumptions
      • Communication: n - o(n)
      • Black-box construction based on TDPs

[KO00]
Question: Can we base single-server PIR with sublinear communication on general assumptions?
6
Main Result
In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over ?(n) bits, the server sends ?(n) bits.
  • Two restrictions
      • Fully black-box
      • Tight security reduction: permutations over ?(n) bits

[KO00]: ?(n²) bits
  • Previous results
      • [Fis02]: Similar result for 2-message protocols (fewer restrictions)
      • [HHRS07]: ?(n/log n) lower bound (same restrictions)
      • ?(n²) lower bound for not so tight reductions
7
Fully Black-Box Reductions
A fully black-box reduction from B to A:
  • Black-box proof of security
      • Any adversary for B implies an adversary for A
      • Only care about functionality of the adversary for B
  • Black-box construction
      • Any implementation of A implies an implementation of B
      • Only care about the functionality of A

[Diagram labels: Adversary for A, Adversary for B; B, A]
8
Our Approach
  • Fully black-box reductions relativize
  • We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}^n
  • A random function is hard to invert even with access to O

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
  • There exists an efficient server that uses O to break any such protocol

9
The Oracle [HHRS07]
  • O = (Sam, ?)
      • ? is a random collection of TDPs over {0,1}^n
      • Sam is an interactive collision-finding oracle
          • Samples random collisions
          • Extends the non-interactive oracle of [Simon 98]

[Diagram (A?, Sam?): Sam samples v0 ← {0,1}^n and returns v0; A sends C1 and receives v1 with C1(v1) = C1(v0); A sends C2 and receives v2 with C2(v2) = C2(v1)]
10
The Oracle [HHRS07]
  • O = (Sam, ?)
      • ? is a random collection of TDPs over {0,1}^n
      • Sam is an interactive collision-finding oracle
          • Samples random collisions
          • Extends the non-interactive oracle of [Simon 98]

[Diagram (A?, Sam?): A sends C1, C2, ... and receives v0, v1, v2, ...; depth n/log(n)]
Theorem: A random TDP is one-way as long as Sam answers queries of depth n/log(n)
  • The proof requires additional restrictions (Ci+1 refines Ci, commit to Ci+1 at depth i, ...)
  • ...but this suffices for the purpose of this talk
11
Breaking 2-Message PIR
[Diagram: the Receiver, holding i ∈ {1,...,n}, sends a(i); the Server, holding x = x1 ... xn, replies with b(a,x)]
12
Breaking 2-Message PIR
[Diagram: the Receiver, holding i ∈ {1,...,n}, sends a; Server answers b(a,x0) and b(a,x1)]
1. Receive x0 from Sam
2. Send the circuit b(a,·) to Sam
3. Receive x1 from Sam (x0_i = x1_i and x0 ≠ x1)
4. Output a random index j for which x0_j = x1_j
Claim: The malicious server guesses i w.p. 1/(n-1)
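The four steps on this slide can be simulated on a toy 2-message protocol; this is an added example, not part of the talk. Assumptions: Sam is replaced by brute force over an 8-bit database, `make_query` and its 1-bit answer circuit are hypothetical stand-ins for b(a,·), and indices run 0..N-1 rather than 1..n.

```python
import random

N = 8  # toy database size in bits (assumption: small enough to brute-force Sam)

def make_query(i):
    """Receiver side: return the circuit b(a, .) that the server evaluates.
    Toy stand-in: the closure hides i only by convention; the attack below
    never inspects it and uses the circuit purely as a black box."""
    return lambda x: (x >> i) & 1          # 1-bit answer, far below N bits

def sam_first(rng):
    """Sam, first call: hand out a uniformly random input x0."""
    return rng.randrange(2 ** N)

def sam_collide(circuit, x0, rng):
    """Sam, second call: uniformly random x1 with circuit(x1) == circuit(x0).
    Brute force over all 2^N inputs replaces the idealised oracle."""
    target = circuit(x0)
    return rng.choice([x for x in range(2 ** N) if circuit(x) == target])

def candidates(x0, x1):
    """Indices j with x0_j = x1_j; correctness forces i to be among them."""
    return [j for j in range(N) if not ((x0 ^ x1) >> j) & 1]

def malicious_server(circuit, rng):
    x0 = sam_first(rng)                    # step 1
    x1 = sam_collide(circuit, x0, rng)     # steps 2-3
    return rng.choice(candidates(x0, x1))  # step 4 (all N indices if x1 == x0)

def success_rate(trials=2000, seed=1):
    """Fraction of runs in which the server's guess equals the receiver's i."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        i = rng.randrange(N)
        hits += malicious_server(make_query(i), rng) == i
    return hits / trials

if __name__ == "__main__":
    print(f"guess rate {success_rate():.3f} vs. blind guess {1 / N:.3f}")
```

With N = 8 the guess rate comes out near 0.25, against 0.125 for a blind guess, because the collision rules out every index on which x0 and x1 differ.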
13
Breaking Any Sublinear PIR
[Diagram: the Receiver, holding i ∈ {1,...,n}, and the Server exchange messages a1, b1, ..., ao(n), bo(n)]
Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round
14
Breaking Any Sublinear PIR
[Diagram: the Receiver, holding i ∈ {1,...,n}, and the Server exchange messages a1, b1, ..., alog(n), blog(n), ..., ao(n), bo(n)]
Key observation: The malicious server can invoke Sam every log(n) rounds
15
Breaking Any Sublinear PIR
[Diagram: the Receiver, holding i ∈ {1,...,n}, and the Server exchange messages a1, b1, ..., alog(n), blog(n)]
1. Receive x0 from Sam
2. Simulate the honest server for log(n) rounds
3. Send b1(a1,·) to Sam until receiving xlog(n) which is consistent with all log(n) rounds (rewind Sam if inconsistent)
Claim: The malicious server guesses i w.p. 1/(n-1)
16
Summary
  • Communication lower bound for single-server PIR
      • Fully black-box constructions from (enhanced) TDPs
      • The trivial solution is optimal up to constant factors

Matches the upper bound of [NOVY]
  • In the paper
      • Communication lower bound for statistically-hiding bit-commitment
      • The sender must send ?(n) bits
      • Communication preserving reduction to single-server PIR
  • Open problem
      • A linear lower bound for not so tight reductions?
      • [KO00]: TDPs over ?(n²) bits

Thank you!