Title: A Linear Lower Bound on the Communication Complexity of Single-Server PIR
Slide 1: A Linear Lower Bound on the Communication Complexity of Single-Server PIR
Iftach Haitner
Jonathan Hoch
Gil Segev
Weizmann Institute of Science, Israel
Slide 2: Private Information Retrieval
[Figure: the Receiver holds an index i ∈ {1,...,n}; the Server holds a database x = x1 ... xn; after the exchange the Receiver outputs xi, and the Server's guess of the index is labelled j ∈ {1,...,n}.]
- Functionality: Receiver retrieves xi
- Privacy: Server does not learn i
Slide 3: The Trivial Solution
[Figure: the Server sends the entire database x = x1 ... xn to the Receiver, who holds i ∈ {1,...,n} and reads xi locally.]
- Inefficient -- x may be very large
Can we do better than the trivial solution? Not information-theoretically [CGKS]
Slide 4: Two Approaches
- Multiple-server PIR
  - Information-theoretic privacy
  - Many exciting results, but not the focus of this talk [CGKS95, ..., Yek07, ...]
- Single-server PIR
  - Computational privacy
  - Implies Oblivious Transfer
  - 2-message PIR implies collision-resistant hash functions and public-key encryption
  - Many applications... [CG97, KO97, CMS99, ...]
Slide 5: Current Status
- Specific number-theoretic assumptions
  - Communication polylog(n) [KO97, CMS99, ...]
- General assumptions
  - Communication n - o(n)
  - Black-box construction based on TDPs [KO00]
Question: Can we base single-server PIR with sublinear communication on general assumptions?
Slide 6: Main Result
In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over ?(n) bits, the server sends Ω(n) bits.
- Two restrictions
  - Fully black-box
  - Tight security reduction: permutations over ?(n) bits ([KO00]: ?(n²) bits)
- Previous results
  - [Fis02]: similar result for 2-message protocols (fewer restrictions)
  - [HHRS07]: Ω(n/log n) lower bound (same restrictions); ?(n²) lower bound for not so tight reductions
Slide 7: Fully Black-Box Reductions
A fully black-box reduction from B to A:
- Black-box proof of security
  - Any adversary for B implies an adversary for A
  - Only care about the functionality of the adversary for B
- Black-box construction
  - Any implementation of A implies an implementation of B
  - Only care about the functionality of A
[Figure: the adversary for A wraps the adversary for B together with the construction of B, and A is accessed only as a black box.]
Slide 8: Our Approach
- Fully black-box reductions relativize
- We present an oracle O relative to which:
  1. There exists a collection of TDPs over {0,1}^n
     - A random function is hard to invert even with access to O
  2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
     - There exists an efficient server that uses O to break any such protocol
Slide 9: The Oracle [HHRS07]
- O consists of two parts: Sam and a random collection of TDPs over {0,1}^n
  - Sam is an interactive collision-finding oracle
    - Samples random collisions
    - Extends the non-interactive oracle of [Simon98]
[Figure: interaction between A and Sam, both with access to the TDPs. Sam samples v0 ← {0,1}^n and sends it to A; A sends a circuit C1; Sam returns v1 with C1(v1) = C1(v0); A sends C2; Sam returns v2 with C2(v2) = C2(v1); and so on.]
Slide 10: The Oracle [HHRS07] (continued)
Theorem: A random TDP is one-way as long as Sam answers queries of depth n/log(n).
[Figure: the same interaction as on the previous slide, with the depth of the chain C1, C2, ... bounded by n/log(n).]
- The proof requires additional restrictions (C_{i+1} refines C_i, commit to C_{i+1} at depth i, ...)
- ...but this suffices for the purpose of this talk
Slide 11: Breaking 2-Message PIR
[Figure: the Receiver, holding i ∈ {1,...,n}, sends a(i); the Server, holding x = x1 ... xn, replies with b(a,x).]
Slide 12: Breaking 2-Message PIR
[Figure: the Receiver, holding i ∈ {1,...,n}, sends a; the malicious Server computes b(a,x0) and b(a,x1) for two databases x0, x1 with x0_i = x1_i and x0 ≠ x1.]
1. Receive x0 from Sam
2. Send the circuit b(a,·) to Sam
3. Receive x1 from Sam
4. Output a random index j for which x0_j = x1_j
Claim: The malicious server guesses i w.p. 1/(n-1)
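The four-step strategy above, as an added illustration that is not part of the talk or the paper: a constructed toy 2-message PIR over N = 6 bits (the names honest_query, honest_answer, sam_collision, malicious_server are assumptions of this example), with Sam replaced by an exhaustive collision search over all 2^N databases. Because b(a,x0) = b(a,x1) forces x0_i = x1_i (the receiver reconstructs x_i from b alone) while x0 ≠ x1 rules out at least one index, the candidate set always contains i and has at most N-1 elements, so the server's guess lands on i with probability at least 1/(N-1).

```python
import random
from itertools import product

N = 6  # constructed toy parameter: database length in bits; Sam is brute-forced over all 2^N databases

def honest_query(i, rng, k=3):
    """Toy 2-message PIR query a(i): a random k-subset of {0..N-1} containing i.
    Constructed for illustration only; it is correct but obviously not private."""
    others = [j for j in range(N) if j != i]
    return tuple(sorted(set(rng.sample(others, k - 1)) | {i}))

def honest_answer(a, x):
    """Toy server response b(a, x): the database bits at the queried positions."""
    return tuple(x[j] for j in a)

def sam_collision(answer, a, x0, rng):
    """Stand-in for Sam restricted to the circuit b(a, .): a uniformly random
    x1 != x0 with b(a, x1) == b(a, x0), found by exhaustive search."""
    target = answer(a, x0)
    candidates = [x for x in product((0, 1), repeat=N)
                  if x != x0 and answer(a, x) == target]
    return rng.choice(candidates)  # non-empty: b(a, .) maps N bits to k < N bits

def malicious_server(answer, a, rng):
    """Steps 1-4 of the slide. Returns the indices on which x0 and x1 agree;
    the server's actual guess is a uniform element of that set."""
    x0 = tuple(rng.randint(0, 1) for _ in range(N))  # 1. x0 (uniform, as from Sam)
    x1 = sam_collision(answer, a, x0, rng)           # 2.-3. collision under b(a, .)
    return [j for j in range(N) if x0[j] == x1[j]]   # 4. candidate indices for i

def guess_probability(i, rng):
    """Exact probability that one run of the malicious server outputs i.
    i is always a candidate (b(a,x0) == b(a,x1) forces x0_i == x1_i) and
    x0 != x1 caps the candidate set at N-1, so the value is >= 1/(N-1) > 1/N."""
    a = honest_query(i, rng)
    agree = malicious_server(honest_answer, a, rng)
    if i not in agree:
        raise AssertionError("protocol correctness violated")
    return 1.0 / len(agree)

def run_trials(seed, trials=25):
    """Per-run success probabilities for every index i, from a seeded generator."""
    rng = random.Random(seed)
    return [guess_probability(i, rng) for i in range(N) for _ in range(trials)]

if __name__ == "__main__":
    for i, p in enumerate(run_trials(1, trials=1)):
        print("i =", i, "guess succeeds w.p.", p)
```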
Slide 13: Breaking Any Sublinear PIR
[Figure: a multi-round protocol with messages a1, b1, ..., a_{o(n)}, b_{o(n)}; the Receiver holds i ∈ {1,...,n}.]
Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round
Slide 14: Breaking Any Sublinear PIR
[Figure: the same protocol with its rounds grouped into blocks of log(n): a1, b1, ..., a_{log(n)}, b_{log(n)}, ..., a_{o(n)}, b_{o(n)}; the Receiver holds i ∈ {1,...,n}.]
Key observation: The malicious server can invoke Sam every log(n) rounds
Slide 15: Breaking Any Sublinear PIR
[Figure: the first block of log(n) rounds, a1, b1, ..., a_{log(n)}, b_{log(n)}; the Receiver holds i ∈ {1,...,n}.]
1. Receive x0 from Sam
2. Simulate the honest server for log(n) rounds
3. Send b1(a1,·) to Sam until receiving x_{log(n)} which is consistent with all log(n) rounds (rewind Sam if inconsistent)
Claim: The malicious server guesses i w.p. 1/(n-1)
Slide 16: Summary
- Communication lower bound for single-server PIR
  - Fully black-box constructions from (enhanced) TDPs
  - The trivial solution is optimal up to constant factors
Matches the upper bound of [NOVY]
- In the paper
  - Communication lower bound for statistically-hiding bit-commitment: the sender must send Ω(n) bits
  - Communication-preserving reduction to single-server PIR
- Open problem
  - A linear lower bound for not so tight reductions? ([KO00]: TDPs over ?(n²) bits)
Thank you!