Report on Private Information Retrieval over Unsynchronized Databases

Transcription

1 Report o Private Iformatio Retrieval over Usychroized Databases Lembit Valgma Supervised by Vitaly Skachek May 25, Problem Statemet There are may challeges cocerig olie privacy. Private iformatio retrieval (PIR) tries to fid solutio to followig problem. Server has a database of records ad cliet wats to retrieve w-th record without revealig w to the server. PIR schemes ca be described for sigle-server ad multi-server case (where each server holds idetical copy of database). Curret report reviews a multi-server scheme proposed by Fati ad Ramchadra [1]. They adapt a previously described scheme [2] by addig ability to hadle some umber of usychroized records. Scheme also allows some servers to collaborate without discoverig w. 1.1 Formal Problem Descriptio We have d servers, each holdig a copy of database with records. Let f i represet the value of i-th database record, the etire database ca be described by f = [ f 1,..., f ] T. Cliet wats to retrieve f w without revealig w to server(s). Up to s records ca be usychroized. We assume that all of the records belog to fiite field GF(2 l ) (have l bits). Up to k < d servers ca collaborate with each other. All servers follow protocol, but will try to lear as much iformatio as possible (hoest-but-curious model). 1.2 Basic PIR Scheme Here we describe a simple PIR scheme with oly two servers which both hold idetical copy of f. For simplicity, let all records be sigle bit ( or 1). Cliet s iterest could be represeted by idicator vector e w {,1} which cosists of s except o w-th idex which is 1. To disguise e w, cliet chooses a radom vector a {,1} ad costructs two queries (oe for each server) q(1) = a, q(2) = a e w. Servers compute ier product betwee received query vector ad database records ad both retur aswer (oe bit) to cliet r(1) = a T f, r(2) = (a e w ) T f = a T f e T wf = a T f f w Cliet sums the aswers ad obtais f w (sice a T f cacel out) r(1) r(2) = a T f (a T f f w ) = (a T f a T f) f w = f w. 1

2 Sice a ad a e w appear radom bit-strigs ad servers caot commuicate with each other, the servers have o way of figurig out which record the cliet was iterested i. The scheme ca be easily exteded for records loger tha oe bit. Figure 1: Basic two-server PIR scheme [1] for database size = 3. Cliet is iterested i f 1 ad sets (e w ) 1 = 1. Whe summig the aswers, f 2 ad f 3 cacel out ad cliet obtais f Requiremets ad Proposed Solutio Described scheme was ice ad simple, but it assumes that 1. Both servers have idetical database (o record usychroized). 2. Servers do ot exchage iformatio. Neither of these assumptios is very realistic. Authors i [1] describe a scheme that deals with both of these issues. They take pragmatic two-step approach 1. Locate idices of usychroized records. 2. Costruct PIR query that avoids those records ad allows up to k servers to collude 1. As log as the umber of usychroized records is small ad at least some servers do ot collude, the scheme ca hide the idex of the record that cliet is iterested i. 2 Phase 1: Locatig Usychroized Records We have d servers (S 1,...,S d ) ad cliet wats to fid out the locatios of records that are ot idetical over all servers. There are at most s such records. Sice at this poit, cliet is ot iterested i the cotet of the records, we ca use hashes istead of full records to reduce the commuicatio ad computatioal complexity. Still we assume that hashes belog to GF(2 l ). Let f j represet the database of S j ad H(f j ) its elemetwise hashed vector. We kow that with very high probability, if the records are ot equal the hashes of that record are ot equal. 1 By collusio of k servers, we mea that after the protocol has fiished, ay collectio of up to k servers ca combie their iformatio ad based o that collective iformatio figure out which record, w, cliet was iterested i. Iformatio from all other servers is ukow. 2

3 2.1 Basic Method Give two servers, S 1 ad S 2, we defie vector r() = H(f 1 ) H(f 2 ). (1) If records are the same i both servers, r() is zero. Otherwise, it has o-zero etries where records are ot equal. Sice most of the database is assumed to be sychroized, r() cosists mostly of zeros ad has up to s o-zero elemets. Sice we are iterested oly i o-zero etries, we ca compress r() by left-multiplyig it with parity check matrix A (m ) to obtai vector of parity symbols y y = A r(). (2) Figure 2: Basic compressio setup [1] with parity check matrix A. Sparse r() ca be recovered from y which is of legth m <. If A is well costructed, r() ca be recostructed from y. I particular, authors i [1] use Reed- Solomo (RS) codes [4]. I systematic RS codes, the codeword cosists of origial vector ad 2s parity symbols that allow to fix s errors i the origial vector. Thus, for our case the RS codeword for r() would be [r() T,g 1,g 2,...,g 2s ], which would allow to fix up to s errors i r(). Sice there are up to s o-zero etries, we ca assume first elemets of codeword to be zero ad still ca recover origial r(). Thus oly 2s values eed to be set ad y = [g 1,g 2,...,g 2s ]. Sice r() is ot actually kow to ay server (sice it s the differece of database records), both servers have to separately apply A to its hash-vector ad sed the 2s values to cliet. Sice by liearity A r() = A ( H(f 1 ) H(f 2 ) ) = ( A H(f 1 ) ) ( A H(f 2 ) ) = r(1) r(2) = y, (3) cliet ca combie the replies to recostruct r(). That way cliet ca get compressed replies from all servers ad do pairwise recostructio to fid usychroized records betwee (S 1,S 2 ),(S 2,S 3 ),...(S d 1,S d ). Takig uio would give all usychroized records. Problem with this approach is that cliet eeds to do d recostructios which is computatioally expesive. Therefore authors describe a scheme for doig oly oe recostructio. 3

4 2.2 More Efficiet Method At first we describe the ucompressed method Defie a degree d 1 polyomial q(x) = X d 1 + X d X 2 + X. (4) Cliet calculates for each server S j the polyomial value q( j) ad seds each server its value. Server multiplies the each database hash with the received value ad seds the vector to cliet r( j) = q( j)h(f j ) (5) Cliet iterpolates where V is d d matrix ˆr() T = [,...,1] V 1 R, (6) }{{} 1 d V = 2 d 1 2 d , or V i, j = i d j (7) d d 1 d d 2... d ad R is d matrix r(1) T R =.... (8) r(d) T Authors [1] show that for such ˆr(), if f i is sychroized the ˆr() i = ad if f i is ot sychroized the with very high probability ˆr() i. Authors also show that ˆr() ca be similarly compressed usig RS codes. Each server multiplies its respose with A to get A r( j) ad seds oly 2s symbols, ˆr( j). Usig values ˆr( j) cliet ca costruct vector y y = [ˆr(1),..., ˆr(d)](V 1 ) T 1 = ART (V 1 ) T = A(V 1 R) T... = A([,...,,1]V 1 R) = Aˆr(). 1 Give y ad A, cliet ca recostruct ˆr() usig the RS decodig procedure, same way as i Basic method. As see, cliet oly had to do oe RS decodig procedure, sigificatly reducig computatioal complexity. To icrease efficiecy, values q( j), r( j) ca be precomputed by server ad cliet simply seds j ad s. 1 (9) 4

5 Figure 3: Idetifyig usychroized records without compressio [1], 3 records ad 3 servers. f 2 is differet i S 2 ad therefore the recovered ˆr() has o-zero etry o that locatio. 3 Phase 2: Retrievig the Wated Record At the ed of Phase 2, cliet kows the idices of usychroized records. Sice those records are ureliable, we wat to avoid usig their values i our scheme. Now we deal with database records directly, ot hashes aymore. Cosider the simple scheme preseted i 1.2. If we kow that f i is usychroized, we simply set a i =. The i the reply calculatios, elemet f i is multiplied with ad it does t have ay effect o the replies. We follow similar logic i the collusio resistat scheme. 3.1 Collusio Resistat Scheme We have d servers ad allow k of them to collude. The followig scheme preserves secrecy of w. Authors use polyomials. Namely, we show how to desig degree k polyomial r(x) such that r() = f w. The cliet seds istructios to each server how to evaluate the polyomial at differet poits (server S j evaluates r( j)) ad fially cliet ca iterpolate r(). Sice correct iterpolatio of degree k polyomial requires k + 1 values, up to k servers ca combie ifo ad still ot fid out f w. To achieve that, first cliet geerates for each record degree k polyomial q(x) i with radom coefficiets, however costat terms are for all polyomials except for q(x) w, where it is 1. The we have k q(x) i = a i, j X k j+1 + (e w ) i, i = 1,..., (1) j=1 where a i, j are radomly draw from GF(2 l ). Now cliet evaluates all polyomials at d distict poits to obtai d vectors of legth q( j) = [q( j) 1,q( j) 2,...,q( j) ], j = 1,...,d. (11) 5

6 Cliet seds to server S j vector q( j). Sice selectio of polyomial coefficiets was radom, q( j) also seems radom. Server calculates the ier product betwee q( j) ad f ad seds reply to cliet. That ier product represets our polyomial r(x) sice r(x) = q(x) T f = = = ( f i k j=1 ( ) k a i, j X k j+1 + (e w ) i j=1 a i, j X k j+1 ) + k f i a i, j )X j=1( k j+1 + f w. f i (e w ) i = ( ) k f i a i, j X k j+1 + f i (e w ) i j=1 ( ) k f i a i, j X k j+1 + f w j=1 We ca see that r(x) is degree k polyomial with coefficiets f ia i, j ad that r() = f w. For iterpolatio we ca use the matrix V defied i Equatio 7. The f i = [ ]... A T r = V e T f = V w... r() (12), (13) from where f w = r() = [,...,,1]V 1 r. (14) 3.2 Obfuscatig Usychroized Idices The method described i previous sectio assumed that there were o usychroized records. If cliet kows that some record f k is ot sychroized, he ca simply set the query vector elemet to zero, q( j) k = for all servers. To maitai the distributio of polyomials, it makes sese to first check if there exist ay zero polyomials for some record that is sychroized ad assig the origial k-th polyomial to that record. If there are eough zero polyomials, the this procedure would maitai the umber of zero polyomials ad simply permute the order of polyomials - sice they are radom ayway this would t affect the distributio. Assigig s to usyced records would still allow colludig servers to discover the usyced records (ad thus reducig somewhat the possible rage for w) if they see that some query idices are s for may servers. Thus, cliet ca pick a radom umber for each server, p(i) which to add to each query elemet ˆq( j) = q( j) + p( j). (15) Server reply would be ˆr( j) = ˆq( j) T f = (q( j) + p( j)) T f = q( j) T f + p( j) f i. (16) If server seds ˆr( j) ad f i, the cliet ca calculate p( j) f i ad subtract this from ˆr( j) to get origial r( j). 6

7 Figure 4: Example of Phase 2 of the PIR algorithm [1]. Agai 3 records, 3 servers. Cliet wats to obtai f 1 ad kows that f 2 i usychroized. He fids zero polyomial from sychroized records ad swaps it with secod polyomial. The evaluates polyomials at j ad adds radom umber p( j). Servers fid ier products ad also the sum of its records T j = f j i. Cliet subtracts p( j)t j from replies ad iterpolates to obtai f 1. 4 Efficiecy ad privacy I case of smaller database size ad there ot beig eough zero polyomials to swap (to usyced locatios), the cliet is forced to simply set zero polyomials to those locatios. As metioed, this ca leak iformatio for colludig servers ad reduce rage for w. Authors show that if umber of usychroized records grows subliearly i the database size, the leaked ifo is asymptotically egligible. 4.1 Efficiecy The described RS code based scheme has commuicatio complexity of dl(log 2 d + 2sclog l L + log 2 ζ + + ζ L) where = database size, d = umber of servers, L = record size, ζ = umber of records requested, 2 l = field size. Olie server computatio complexity of ad olie cliet computatioal complexity of L(ζ + 2s) O(d 3 ) + O(ζ 3 d 2 L). Largest computatioal overhead appears i the RS codig decode phase, which is cubic i database size. To solve that, authors also propose probabilistic compressio scheme PULSE [3]. It trades small error probability ad somewhat larger commuicatio vector for much better decodig speed (O(ds) istead of O(d 3 )). 7

8 Refereces [1] Giulia Fati ad Kaa Ramchadra. Efficiet private iformatio retrieval over usychroized databases. IEEE Joural of Selected Topics i Sigal Processig, 9(7): , , 2, 3, 4, 5, 7, 9 [2] Ia Goldberg. Improvig the robustess of private iformatio retrieval. I Security ad Privacy, 27. SP 7. IEEE Symposium o, pages IEEE, [3] Sameer Aadrao Pawar. Pulse: Peelig-based ultra-low complexity algorithms for sparse sigal estimatio. PhD thesis, Uiversity of Califoria, Berkeley, [4] Ro Roth. Itroductio to codig theory. Cambridge Uiversity Press,

9 5 Appedix A - Algorithms Figure 5: Detailed algorithms [1] for locatig usychroized records ad recoverig desired records. Additioally, Algorithm 2 here is parameter ζ that allows to recover several records with oe query. This allows to reduce the commuicatio overhead somewhat. 9