Efficient Private Information Retrieval
|
|
- Vernon Hancock
- 6 years ago
- Views:
Transcription
1 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 PAPER Special Section on Cryptography and Information Security Efficient Private Information Retrieval Toshiya ITOH, Member SUMMARY Informally, private information retrieval for k > databases (k-pir) is an interactive scheme that enables a user to make access to (separated) k replicated copies of a database and privately retrieve any single bit out of the n bits of data stored in the database In this model, privacy implies that the user retrieves the bit he is interested in but releases to each database nothing about which bit he really tries to get Chor et al proposed -PIR with communication complexity n /3 + that is based on the covering codes Then Ambainis recursively extended the scheme by Chor et al and showed that for each k >, there exists k-pir with communication complexity at most c k n /(k ) some constant c k > 0 In this paper, we relax the condition for the covering codes and present time-efficient -PIR with communication complexity n /3 In addition, we generally formulate the recursive scheme by Ambainis and show that for each k > 4, there exists k-pir with communication complexity at most c k n/(k ) for some constant c k c k key words: information retrieval, privacy, communication complexity, time complexity, covering codes Introduction Background Private information retrieval for k > databases (k- PIR) is initiated by Chor et al [4] as a useful way for a user to privately get information through networks It would be quite natural to ask for the privacy of the user For example, an investor (or a speculator) that makes access to the stock-market database to get the value of a certain stock may wish to keep private which stock he is interested in Informally, k-pir is a scheme that enables a user to make access to (separated) k replicated copies of a database and privately retrieve a single bit of data stored in the database In this framework, private implies that the user is able to retrieve his desired bit but releases to each database nothing about which bit he tries to get in the information-theoretic sense In the practical point of view, the communication complexity between the user and the databases (and the time complexity of the user and the databases) seems to be one of the most important resources for constructing efficient and practical k-pir When the user makes access to only a single database, he may ask for a copy of the whole database Manuscript received March 8, 998 Manuscript revised July, 998 The author is with Interdisciplinary Graduate School of Science and Engineering, Tokyo Institute of Technology, Yokohama-shi, Japan to privately retrieve the bit that he is interested in Obviously, this requires O(n) communication complexity but is proved to be essentially the best he can do Indeed, Chor et al [4] showed that any -PIR requires Ω(n) communication complexity To reduce communication complexity of k-pir, Chor et al [4] applied the covering codes [0] and proposed -PIR with communication complexity n /3 + and k-pir with communication complexity O(n /k ), where n is the length of total data stored in the database It is conjectured by Chor et al [4] that O(n /3 ) might be the lower bound for the communication complexity of any -PIR Then Ambainis [] recursively extended the scheme by Chor et al [4] to construct k-pir with less communication complexity and showed that for each k >, there exists k-pir with communication complexity O(n /(k ) ) By applying cryptographic (secure) primitives, Chor and Gilboa [3] extended k-pir in a natural way to define computationally private information retrieval for k > databases (k-cpir) This is a scheme that is similar to the original k-pir but the user releases (in the computational sense) to each database nothing about which bit he tries to retrieve In this framework, Chor and Gilboa [3] showed that for any ε>0, there exists -CPIR with communication complexity O(n ε ) under the general assumption that pseudo-random generators exist [6], [7] Intuitively, -CPIR with communication complexity o(n) would be impossible, however, Kushilevitz and Ostrovsky [8] recently showed that for any ε>0, there exists -CPIR with communication complexity O(n ε ) under the (stronger but reasonable) assumption that quadratic residuosity [5] is hard Motivation As for the communication complexity, the -CPIR [3] and the -CPIR [8] achieve much better than k-pir for any reasonable k >, however, there exist trade-offs between the communication complexity and the time complexity To achieve O(n ε ) communication complexity for any ε>0, the -CPIR [3] and the -CPIR [8] are recursively constructed and in each recursive step, each database (in the -CPIR [3] and the -CPIR [8]) needs to execute large amount of computations This may eventually lead to a large delay until the user receives the response from the database In addition to this, the privacy of the user in k-cpir is asymptotically guaran-
2 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 teed with respect to n (the length of total data stored in the database), ie, the privacy of the user in k-cpir is protected for sufficiently large n In general, this implies that the privacy of the user in k-cpir are not necessarily guaranteed for reasonable size of data stored in the database Thus k-pir is more advantageous than k-cpir from the practical-oriented privacy point of view, because k-pir protects the privacy of the user for any size of data stored in the database The goal of this paper is to design time-efficient (or communication-efficient) k-pir 3 Main Results In this paper, we relax the condition for the covering codes to design time-efficient -PIR and present -PIR PIR BD with communication complexity n /3 In addition, we generally formulate the recursive k-pir by Ambainis [] and show that for each k > 4, there exist k-pir PIR k BREC of which communication complexity is much less than that of k-pir by Ambainis [] Preliminaries In this paper, x x x x n {0, } n denotes the contents of the database and let n x For m>0, let [m] {,,,m} and d(a, b) be the Hamming distance of a and b The Model A model for k-pir is similar to that of multi-prover interactive proofs [] We use U to denote a user that is a probabilistic polynomial time interactive Turing machine and DB, DB,, DB k denote deterministic polynomial time interactive Turing machines that are allowed to communicate with U but are not allowed to communicate with each other We also use qj l to denote the lth question made by U to DB j and a l j to denote the lth answer returned by DB j to U For each j [k], let Q l j (q j,q j,,ql j ) and Al j (a j,a j,,al j ) Definition [4]: We say that (U DB, DB,, DB k ) is m-round information retrieval for k > databases (k-ir) if for any n>0, any x {0, } n, and any i [n], it satisfies the following: Let x i {0, } be the bit that U wishes to retrieve from x For each round l [m] and each j [k], U sends qj l(i) U(i, j, n A l,a l,,a l k )todb j as the lth question and DB j responds U with a l j DB j (x, Q l j (i)) as the lth answer At the end of round m, U can always retrieve the bit x i from A m,am,,am k, ie, x i U(i, n A m,a m,,a m k ) random variable, because it is the bit position that U wishes to retrieve Definition (Privacy [4]): We say that (U DB, DB,, DB k )ism-round private information retrieval for k > databases (k-pir) ifitisk-ir and satisfies the following: For each j [k], Q m j (i ) and Q m j (i ) are identically distributed for every i,i [n] Definition 3 (Communication Complexity [4]): Let Π(U DB, DB,, DB k )bek-pir Then communication complexity of Π is the sum of the total amount of bits exchanged between U and each DB j ( < j < k), i,e, j [k] { Qm j (i) + Am j } Definition 4 (Time Complexity): Let Π (U DB, DB,, DB k )bek-pir Then time complexity of Π is the sum of the running time of U and the maximum running time of DB j Obviously, communication complexity corresponds to the network cost and time complexity to the delay to retrieve information For k-pir Π, we use COM Π (n) to denote communication complexity of PIR Π, and TIME Π (n) to denote time complexity of PIR Π Useful Properties For any S [m], S (s,s,,s m ) {0, } m is defined to be s i ifi S and s i 0ifi S For any S [m] and i [m], define S i to be S \{i} if i S and S {i} if i S, and for a (a,a,,a m ) {0, } m and b (b,b,,b m ) {0, } m, let (a, b) denote the inner product of a and b modulo, ie, (a, b) i [m] a ib i (mod ) i [m] a ib i Proposition 5 [4, 3]: For any S [n] and i [n], let S S and S S i and also let A (x, S ) i S x i and A (x, S ) i S x i Then A A x i For each d >, we assume without loss of generality that n l d, ie, l n /d If it is not the case, we expand x by padding appropriate number of zeros to satisfy the condition We embed x in a d-dimensional cube by associating each position i [n] with a d-tuple (i,i,,i d ) in a natural manner The following is essential to design communication-efficient k-pir Proposition 6 [4, 3]: For each t [n], let (t, t,,t d ) be the associated d-tuple of t [n] For each j [d], we also let Sj [l] and S j Sj t j, and for each σ σ σ σ d {, } d, we define A σσ σ d i S σ i S σ i d S σ d x i,i d,,i d Then x t,t,,t d σ σ σ d {0,} A d σ σ σ d Q m j Since U is a probabilistic polynomial time machine, (i) is a random variable Note that i [n] is not a For any integer s >, let m n/s and X (X,X,,X m )x {0, } n, where X i {0, } s for
3 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL each block i [m], and we also assume without loss of generality that m l d, ie, l m /d In a way similar to the above, we embed X in a d-dimensional cube by associating each block i [m] with a d-tuple (i,i,,i d ) in a natural manner Note that Proposition 6 holds for the case that s but can be generalized to the case that s > inan obvious way The lemma below will play a central role in Sect 3 to design time-efficient (and communicationefficient) k-pir by an appropriate choice of s> Lemma 7: For each t [m], let (t,t,,t d ) be the associated d-tuple of t For each j [d], let Sj [l] and Sj S j t j, and for each σ σ σ d {, } d, define i S σ i d S σ d d A σσ σ d i S σ Then X t,t,,t d σ σ σ d {0,} A d σσ σ d 3 Time-Efficient -PIR X i,i,,i d To analyze time complexity, we will make the following (practical) assumption: Let r 3 or r 64 and U and DB i are equipped with an r-bit CPU Since we are interested in information-theoretic (not complexitytheoretic) private information retrieval, U is allowed to make access to truly random bit sequence ρ and requires a single step to read a random bit from ρ Let r l For any S [l], pointing index i S requires (lg l)/r steps Note that (lg l)/r for r 3ifl < 0 9 and (lg l)/r for r 64ifl < The Covering Codes Scheme To be self-contained, we show the -PIR (PIR CC )by Chor et al [4] that is based on the covering codes [0] Let d 3 and l n /3 and assume that U wishes to retrieve x t for some t [n] Then (t,t,t 3 ) [l] 3 is the associated 3-tuple of t in the 3-dimensional cube The Covering Codes Scheme: PIR CC U-: U chooses Sj [l] uniformly and independently for each < j < 3 U-: U computes Sj S j t j for each < j < 3 U DB : S,S,S 3 [l] U DB : S,S,S 3 [l] DB-: DB computes b 000 x i,i,i 3 DB-: DB computes b h 00 b h 00 i S i 3 S3 h i S i 3 S3 i S h i 3 S3 x i,i,i 3 x i,i,i 3 b h 00 i S for each h [l], and defines i 3 S 3 h x i,i,i 3, B 00 (b 00,b 00,,bl 00 ) B 00 (b 00,b 00,,b l 00) B 00 (b 00,b 00,,b l 00) DB U: b 000 {0, }, B 00,B 00,B 00 {0, } l DB-: DB computes c DB-: DB computes c h 0 c h 0 c h 0 i S i 3 S3 h i S i 3 S3 x i,i,i 3 i S h i 3 S3 i S for each h [l], and defines x i,i,i 3 x i,i,i 3 i 3 S 3 h x i,i,i 3, C 0 (c 0,c 0,,cl 0 ) C 0 (c 0,c 0,,c l 0) C 0 (c 0,c 0,,c l 0) DB U: c {0, }, C 0,C 0,C 0 {0, } l U-3: U computes b 000 b t 00 bt 00 bt3 00 c c t 0 ct 0 ct3 0 ( x t) Obviously, (S,S,S 3) [l] 3 and (S,S,S 3) [l] 3 are uniformly distributed over [l] 3 for any t [n] Thus it follows from Proposition 6 that PIR CC is -PIR Lemma 3 [4]: COM CC (n) n /3 + Lemma 3: TIME wc CC (n) 3n +6n/3 + 9 and TIME av CC (n) (/4) n +6n/3 + 9 Proof: In the practical point of view, we assume that n < 0 0 and also that pointing i S [l] [n /3 ] requires a single step From the description of PIR CC, we immediately have the following: In both the worst and average cases, 3l steps for random generation in U-, 3 steps for index pointing and 3 steps for XOR in U-, and 6 steps for index pointing and 7 steps for XOR in U-3 are required To compute b 000 in DB-, DB requires 3l 3 steps for index pointing and l 3 steps for XOR in the worst case and 3(l/) 3 steps for index pointing and (l/) 3 steps for XOR in the average case To compute B 00 in DB-, DB requires (l +)l steps for index pointing and l 3 steps for XOR in the 3
4 4 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 worst case and {(l/) +}l steps for index pointing and (l/) l steps for XOR in the average case by evaluating b h 00 b 000 ( i S i 3 S x 3 h,i,i 3 ) for each h [l] The analysis similar to this can be applied to B 00,B 00 Since the number of steps made by DB is the same with that made by DB and l n /3, we have that TIME wc CC (n) 3n +6n/3 + 9 and TIME av CC (n) (/4) n +6n/ The Block Division Scheme In this subsection, we show new -PIR (PIR BD ) that is based on Lemma 7 Let m n/s for some s > (s will be fixed later), and X (X,X,,X m )x {0, } n, where X i {0, } s for each block i [m] Let d and l m / and we embed X in a -dimensional cube by associating each block i [m] with a -tuple (i,i ) in a natural manner Here we assume that U wishes to retrieve x t for some t [n] and that x t is located at the τth bit of X β, where τ [s] and β [m] Let (β,β ) [l] be the associated -tuple of β, and for any A (A,A,,A l ) {0, } l and α [l], let pick α (A) A α The Block Division Scheme: PIR BD U-: U chooses S,S [l] and T [s] uniformly and independently U-: U computes S S β, S S β, and T T τ U DB : S,S [l], T [s] U DB : S,S [l], T [s] DB-: DB computes B 00 X i,i i S DB-: For each h [l], DB computes b h 0 (X i,i, T ) b h 0 h i S i S i S h (X i,i, T ), and defines B 0 (b 0,b 0,,bl 0 ), B 0 (b 0,b 0,,b l 0) DB U: B 00 {0, } s, B 0,B 0 {0, } l DB-: DB computes C i S X i,i DB-: For each h [l], DB computes c h 0 (X i,i, T ) c h 0 h i S i S i S h (X i,i, T ), and defines C 0 (c 0,c 0,,c l 0), C 0 (c 0,c 0,,cl 0 ) DB U: C {0, } s, C 0,C {0, } l U-3: U computes pick τ (B 00 )pick τ (C )(b β c β 0 ) (bβ 0 cβ 0 )(x t) 0 The intuition behind PIR BD is as follows: For each h [l], let Y0 h i h S X i,i and Y0 h i S h X i,i instead of b h 0 and b h 0 respectively, and let Z0 h h i S X i,i and Z0 h i S h X i,i instead of c h 0 and ch 0 respectively Recall that U wishes to retrieve x t for some t [n] and x t is located at the τth bit of X β,β Then it follows from Lemma 7 that X β,β B 00 Y β 0 Y β 0 C, but this blows up communication complexity Since U is interested in the τ th bit of X β,β and Y β 0 Z β β 0 and Y0 Z β 0 hold from Proposition 5 and the definitions of T and T, (Y β 0, T ) (Z β 0, T )b β 0 cβ 0 provides the τth bit of Y β β 0 and (Y0, T ) (Z β 0, T )b β 0 cβ 0 provides the τth bit of Y β 0 These are sufficient for U to retrieve x t and reduce communication complexity Theorem 33: The block division scheme PIR BD is private information retrieval for databases Proof: For d, it follows from Lemma 7 that X β,β A 00 A 0 A 0 A, where A 00 X i,i i S A 0 A 0 A X i,i i S β i S X i,i β i S i S X i,i X i,i X i,i β i S β i S X i,i, for any S [l] and any S [l] Since x t is located at the τth bit of X β,β, we have that x t pick τ (X β,β )
5 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 5 pick τ (A 00 )pick τ (A 0 )pick τ (A 0 )pick τ (A ) From the definitions of A 00,A and B 00,C, it is immediate that A 00 B 00 and A C, and thus we have that pick τ (B 00 ) pick τ (C ) pick τ (A 00 ) pick τ (A ) () On the other hand, from the definitions of B 0,C 0 and A 0, it is obvious that b β 0 (X i,i, T ) β i S c β 0 i S X i,i, T (X i,i, T ) i S β X i,i, T i S ( A 0, T ) ( A 0, T ) Then from the fact that T T τ and Proposition 5, it follows that b β 0 cβ 0 pick τ(a 0 ) and b β 0 cβ 0 pick τ (A 0 ) Thus we have that b β 0 cβ 0 pick β (B 0 ) pick β (C 0 ) pick τ (A 0 ) () b β 0 cβ 0 pick β (B 0 ) pick β (C 0 ) pick τ (A 0 ) (3) Then from Eqs (), (), and (3), it turns out that x t pick τ (X β,β ) pick τ (A 00 ) pick τ (A 0 ) pick τ (A 0 ) pick τ (A ) pick τ (B 00 ) pick τ (C ) (b β 0 cβ 0 ) (bβ 0 cβ 0 ) It is obvious that for any t [n], (S,S,T ) [l] [s] and (S,S,T ) [l] [s] are uniformly distributed over [l] [s] Thus PIR BD is -PIR Theorem 34: COM BD (n) n /3 Proof: From the description of PIR BD, it is immediate that COM BD (n) 8l +4s 8 (n/s) / +4s Then we have that COM BD (n) n /3 by setting s n /3 Theorem 35: TIME wc BD (n) 5n +4n/3 +9n /3 +7 and TIME av BD (n) (5/4) n +(3/) n/3 +8n /3 + 7 Proof: In a way similar to the proof of Lemma 3, we assume that pointing i S [l] [n /3 ] requires a single step From the description of PIR BD, we immediately have the following: In both the worst and average cases, l + s steps for random generation in U-, 3 steps for index pointing and 3 steps for XOR in U-, and 6 steps for index pointing and 5 steps for XOR in U-3 are required To compute B 00 in DB-, DB requires l steps for index pointing and l s steps for XOR in the worst case and (l/) steps for index pointing and (l/) s steps for XOR in the average case To compute B 0 in DB-, DB first evaluate b (B 00, T ) for which DB requires s steps for AND and s steps for XOR in the worst case and s/ steps for AND and s/ steps for XOR in the average case Then DB evaluates b h 0 b { i S (X h,i, T )} for each h [l] This requires (l +)l steps for index pointing, l s steps for AND, and (ls+)l steps for XOR in the worst case and {(l/) + }l steps for index pointing, (l/) (s/) steps for AND and {(l/)(s/) + }l steps for XOR in the average case The analysis similar to this can be applied to B 0 Since the number of steps made by DB is the same with that made by DB and s l n /3, we have that TIME wc BD (n) 5n+4n/3 +9n /3 +7 and TIME av BD (n) (5/4) n +(3/) n/3 +8n / Communication-Efficient k-pir Let k > Here wee assume without loss of generality that n l k, ie, l n /(k ), and we embed x {0, } n in a (k )-dimensional cube by associating each position i [n] with a (k )-dimensional tuple (i,i,,i k ) [l] k in a natural manner We also assume that U wishes to retrieve x t for some t [n] and let (t,t,,t k ) [l] k be the associated (k )-tuple of t 4 General Frameworks We first show general recursive schemes for k- PIR (k-pir GREC ) with communication complexity O(n /(k ) ) that includes the scheme by Ambainis [] as a special case For any d, r > and any c {0, } d, let B d (c,r) be the set of all d- bit long strings that differ from c in at most r positions, ie, B d (c,r) {v {0, } d : d(c,v) < r} For any S (S,S,,S k ) [l] k, let S ( S, S,, S k ) {0, } l(k ) Then for each δ [k ], we define C k (S, δ) T (T,T,,T k ) [l] k : T B l(k ) ( S,δ) & k j [ Tj B l ( S j, )] ie, T (T,T,,T k ) C k (S, δ) if () for each j [k ], T j S j i j for some i j [l] ort j S j and () T j S j happens at most δ times Let A be
6 6 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 the number of elements in a finite set A We number each element of C k (S, δ) in a natural order Obviously, M(k, δ) C k (S, δ) δ ( ) k l i i i0 Recall that t [n] is the bit position U wishes to retrieve and (t,t,t k ) [l] k is the associated (k )-tuple of t For any S (S,S,,S k ) [l] k, define { H k (S, t, δ) T (T,T,,T k ) [l] k : T C k (S, δ) & j [k ] [ T j S j T j S j t j ] }, ie, T H k (S, t, δ) ift C k (S, δ) and T j differs from S j only on t j [l] for j [k ] From the definition of H k (S, t, δ), it is obvious that N(k, δ) H k (S, t, δ) δ ( ) k i i0 Since H k (S, t, δ) C k (S, δ), each element of H k (S, t, δ) has the unique number assigned by the numbering for all elements of C k (S, δ) Here we define P k (S, t, δ) (p,p,,p N(k,δ) ) to be the set of the numbers that are assigned to all elements of H k (S, T, δ) Let k,k [k], where k + k k We present -PIR, (k,k )-BASIS, for U and DB, DB that will be a building block for constructing general recursive k-pir (k-pir GREC ) As noticed above, k-pir GREC includes the recursive scheme by Ambainis [] as a special case The Building Block: (k,k )-BASIS U-: U chooses Sj [l] uniformly and independently for each j [k ] U-: U computes Sj Sj t j for each j [k ] U DB : Q (S,S,,S k ) [l] k U DB : Q (S,S,,Sk ) [l] k DB-: DB enumerates L h (L h,,lh k ) C k (Q, k ) and computes a h x i,,i k, i L h i k L h k for each h [M(k, k )] DB U : A (a,a,,a M(k,k ) ) DB-: DB enumerates R h (R h,,r h k ) C k (Q, k ) and computes a h i R h i k R h k for each h [M(k, k )] DB U : A (a,a,,a M(k,k ) ) x i,,i k, U-3: U obtains { i P k (Q,t,k ) pick i (A )} { i P k (Q,t,k ) pick i (A )} ( x t ) The intuition behind (k,k )-BASIS is as follows: From Proposition 6 and the definition of C k (S, δ), it follows that A and A include enough information to retrieve x t After receiving A and A, U retrieves x t by picking appropriate bits from A and A Lemma 4: The building block (k,k )-BASIS is private information retrieval for databases Proof: For each σ (σ,σ,,σ k ) {, } k, let w (σ) be the number of j [k ] such that σ j and w (σ) the number of j [k ] such that σ j We define Σ k {σ {, } k : w (σ) < k } and Σ k {σ {, } k : w (σ) < k } For any σ, if w (σ) < k, then w (σ) k w (σ) > k (k ) (k k )k, because w (σ)+w (σ) k and k + k k Thus we have that Σ k {σ {, } k : w (σ) > k }, and this implies that Σ k, Σ k is a bipartition of {, } k Let Q k {S σ (S σ,sσ,,sσ k k ) [l]k : σ (σ,σ,,σ k ) {, } k } be the set of questions for which Proposition 5 holds, and define Q k {S σ Q k : σ Σ k } Q k {S σ Q k : σ Σ k } Then Q k, Q k is a bipartition of Q k, because Σ k, Σ k is a bipartition of {, } k From the definition of H k (S, t, δ), Q k, and Q k, it is obvious that Q k H k (Q,t,k ) and Q k H k (Q,t,k ) Note that P k (Q,t,k ) and P k (Q,t,k ) respectively characterize the position for each element of H k (Q,t,k ) and H k (Q,t,k ) Then it follows from Proposition 5 that x t pick i (A ) i P k (Q,t,k ) pick i (A ) i P k (Q,t,k ) Obviously, Q (S,S,,S k ) [l] k and Q (S,S,,S k ) [l] k are uniformly distributed over [l] k for any t [n] Thus the building block (k,k )-BASIS is -PIR Now we are ready to show general recursive k-pir,
7 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 7 k-pir GREC, for U, DB(k ) (DB,, DB k ), and DB(k )(DB,, DB k ) Recall that k,k [k] such that k + k k The General Recursive Scheme: k-pir GREC U-: U simulates U of (k,k )-BASIS to generate Q,Q [l] k U DB(k ): Q [l] k U DB(k ): Q [l] k DB(k )-: DB(k ) simulates DB of (k,k )-BASIS on Q to generate A {0, } M(k,k ) DB(k )-: DB(k ) simulates DB of (k,k )-BASIS on Q to generate A {0, } M(k,k ) U DB(k ): For each h P k (Q,t,k ), U and DB(k ) run k -PIR GREC on A to get a h U DB(k ): For each h P k (Q,t,k ), U and DB(k ) run k -PIR GREC on A to get a h U-: U computes { h P k (Q,t,k ) a h } { h P k (Q,t,k ) a h } ( x t) The intuition behind k-pir GREC is as follows: We have already known -PIR (eg, PIR CC and PIR BD in Sect 3) with communication complexity O(n /3 ), and for each k > 3, k-pir GREC is inductively constructed from k -PIR GREC with communication complexity O(n /(k ) ) and k -PIR GREC with communication complexity O(n /(k ) ) Here we recall that A and A include enough information for U to retrieve x t (as we have noticed above) Since A O(n (k )/(k ) ) and A O(n (k )/(k ) ), we can achieve O(n /(k ) ) communication complexity by picking appropriate bits from A and A Theorem 4: For each k >, the general recursive scheme k-pir GREC is k-pir with communication complexity O(n /(k ) ) Proof: We prove the theorem by induction on k For convenience, -PIR GREC for U and DB is assumed to be a scheme that U asks nothing and DB responds U with the whole stored data Base Stage: Assume that k Since k,k [k] and k +k k, we have that k k This implies that DB(k )DB and DB(k )DB Note that (, )-BASIS is exactly the same with PIR CC in Sect 3 and that DB and DB respond U with A and A, respectively Then it turns out that -PIR GREC is exactly the same with PIR CC Thus it follows from Lemma 3 that -PIR GREC is -PIR with communication complexity n /3 +O(n /( ) ) Induction Stage: Let k > 3 and assume that for any < k <k, k -PIR GREC is k -PIR with communication complexity O(n /(k ) ) To complete the proof, we show in the following that k-pir GREC is k-pir with communication complexity O(n /(k ) ) From the induction hypothesis, it follows that k - PIR GREC is k -PIR with communication complexity O(n /(k ) ) and k -PIR GREC is k -PIR with communication complexity O(n /(k ) ) For each j [k ], let Q j {Q,qj (),q j (),,q j (N(k,k ))} be the set of questions made by U to DB j and for each j [k ], let Q j {Q,qj (),q j (),,q j (N(k,k ))} be the set of questions made by U to DB j Since k -PIR GREC is k -PIR, qj (h) isidentically (and independently) distributed for each h P k (Q,t,k ) Note that Q is uniformly distributed for any t [n] and is independently distributed of qj (h) for each h P k(q,t,k ) Then it follows that for any t [n], Q j is identically distributed for each j [k ] In a way similar to this, we can show that for any t [n], Q j is identically distributed for each j [k ] Thus k-pir GREC is k-pir for each k > Finally, we analyze communication complexity of k-pir GREC We use COM k GREC (n) to denote communication complexity of k-pir GREC Note that Q Q (k ) l (k ) n /(k ) The definition of M(k, δ) guarantees that there exist c k,c k > 0 such that A M(k, k ) k ( ) k l i < i c k n k i0 A M(k, k ) k ( ) k l i < i c k n k i0 k k Since COM k GREC (n) ) ) for each k <k O(n/(k (induction hypothesis), there exist d k,d k > 0 such that COM k GREC (n) < d k n /(k ) COM k GREC (n) < d k n /(k ), respectively Then we have that COM k GREC (n) k Q + k Q + N(k, k ) COM k GREC ( A ) + N(k, k ) COM k GREC ( A ) < k(k ) n/(k ) + N(k, k ) d k A /(k ) + N(k, k ) d k A /(k ) <c k n /(k ), for some c k > 0 Thus for each k >, COM k GREC (n) O(n /(k ) ) for any n>0 Note that in Theorem 4, COM k GREC (n) is measured independently of the choices of k,k [k] To
8 8 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 analyze the inherent behavior of COM k GREC (n) more precisely for each k >, we define D k GREC lim COM k GREC (n) n /(k ) It is obvious that D k GREC is the coefficient for the dominant factor of COM k GREC (n) 4 The Unbalanced Recursive Scheme For each k >, we assume that k k and k Then k-pir GREC coincides with the recursive k-pir by Ambainis [] and we refer to the unbalanced recursive scheme as k-pir UREC Let COM k UREC (n) denote communication complexity of k-pir UREC for each k > Theorem 43: For each k > 4, D k UREC > (k ) k(k ) Proof: Since k k and k ink-pir UREC, U sends DB j Q [l] k for each j [k ][k ], and U sends DB j Q [l]k for j [k ] [] Then U and DB, DB,, DB k run (k )-PIR UREC N(k, k 3) times to retrieve a h for each h P k(q,t,k 3), however, U asks nothing more and DB responds U with A in -PIR UREC Here we note that N(k, k 3) k (k ) k k and A M(k, ) +(k ) n /(k ) Then COM k UREC (n) (k + k )(k ) n /(k ) + COM UREC (M(k, )) + N(k, k 3) COM k UREC (M(k, k 3)) ( k k) COM k UREC (M(k, k 3)) +(k )(k +) n /(k ) + (4) From the definitions of D k GREC and M(k, δ), we have that COM k lim UREC (M(k, k 3)) lim n /(k ) [ {M(k, k 3)} /(k 3) n /(k ) ] COMk UREC (M(k, k 3)) {M(k, k 3)} /(k 3) ( ) /(k 3) k D k k 3 UREC (5) Note that k k > k for each k > ( and that n ) k > (n/k) k [9, Proposition B] Then from Eqs (4) and (5), it follows that for each k > 4, D k UREC lim COM k UREC (n) n /(k ) D k UREC > lim { (k )(k +)+ n /(k ) +( k k) } COMk UREC (M(k, k 3)) n /(k ) ( ) /(k 3) k ( k k) D k k 3 UREC +(k )(k + ) (6) ( ) /(k 3) k > (k k) D k k 3 UREC ( ) /(k 3) k > k D k k 3 UREC > k k k 3 Dk UREC (7) Since -PIR UREC is exactly the same with PIR CC, we have that COM UREC (n) n/3 +, and thus D UREC Then it follows from Eq (7) that { k i ( i ) } i + D i UREC k (k+)(k ) 3 Hence D k UREC > (k ) k(k ) for each k > 4 43 The Balanced Recursive Scheme In this subsection, we present new k-pir with (much) less communication complexity than k-pir UREC by taking k k/ and k k k/ The way of taking k,k [k] is more balanced than that of k-pir UREC We refer to the balanced recursive scheme as k-pir BREC and use COM k BREC (n) to denote communication complexity of k-pir BREC for each k > In k-pir UREC, we take k k and k, and this causes k-pir UREC to recursively call k -PIR UREC (for k <k) k times On the other hand, k-pir BREC needs to recursively call k -PIR BREC (for k <k) only lg k times because of its balanced way of taking k,k [k] Intuitively, the difference between k-pir UREC and k-pir BREC provides a huge gap between D k UREC and D k BREC Theorem 44: For each k > 4, D k BREC <k 5k Proof: We first note that -PIR BREC is the same with PIR CC and 3-PIR BREC is the same with 3-PIR UREC Then from Lemma 3, it follows that D BREC < and from Eq (6), it follows that D 3 BREC 69 < For each k > 4, let k k/ and k k k/ For each j [k ], U sends Q [l] k to DB j and for
9 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 9 each j [k ], U sends Q [l] k to DB j Then U and DB(k ) run k -PIR UREC N(k, k ) times to get a h for each h P k(q,t,k ), and U and DB(k ) run k -PIR UREC N(k, k ) times to get a h for each h P k (Q,t,k ) Thus it follows that COM k BREC (n) k(k ) n /(k ) + N(k, k ) COM k BREC (M(k, k )) + N(k, k ) COM k BREC (M(k, k )) (8) From the definition of D k GREC and M(k, δ), we have that COM k lim BREC (M(k, k )) lim n /(k ) [ {M(k, k )} /(k ) n /(k ) COMk BREC (M(k, k ] )) {M(k, k )} /(k ) ( ) /(k ) k k COM k lim BREC (M(k, k )) lim n /(k ) [ {M(k, k )} /(k ) n /(k ) COMk BREC (M(k, k ] )) {M(k, k )} /(k ) ( ) /(k ) k k D k BREC (9) D k BREC (0) Thus from the definition of D k GREC and Eqs (8) to (0), it follows that D k BREC lim COM k BREC (n) n /(k ) k(k ) + N(k, k ) { COM k lim BREC (M(k, k } )) n /(k ) + N(k, k ) { COM k lim k(k ) + N(k, k ) ( k k + N(k, k ) BREC (M(k, k )) n /(k ) ) /(k ) D k BREC } ( ) /(k ) k D k k BREC, () for each k > 4 In the following, we show the theorem by induction on k > 4 Base Stage: Let k 4 and we have that k k From the definition of N(k, δ), it immediate to see that N(4, 3) 64 Thus it follows from Eq () that D 4 BREC 505 < Induction Stage: Let k > 5 and assume that D k BREC < k 5k for each < k < k Note that k < {k (k/)} k < (k )/ Then we have that for each k > 5, N(k, k ) N(k, k ) k i0 k i0 ( ) k < 3 i 4 k () ( ) k < k i (3) We also note that k > k (k )/ and k > {k (k/) (/)} k > (k )/3 for each k > 5 Then we have that for each k > 5, lim lim {M(k, k )} /(k ) ( k k n ) /(k ) /(k ) < k k < 4 (4) {M(k, k )} /(k ) ( k k n /(k ) ) /(k ) < k k < 8 (5) Thus from Eq () and Eqs () to (5), it immediately follows that D k BREC <k(k ) k+ D k BREC + k+ D k BREC From the assumption that D k BREC <k 5k < k <k, it turns out that D k BREC <k(k ) k+ k 5k for each + k+ k 5k { k 5k k 5k k k 5k+ 3k } + k k 5k+ 3k < k 5k, because < k < k <kfor k > 5 Thus we have that D k BREC <k 5k for each k > 4
10 0 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 Theorem 45: For each k > 4, D k BREC < Dk UREC References Proof: Recall that D UREC D BREC (Lemma 3) From Eqs (6) and (), it is immediate that D 4 BREC 505 < 574 D4 UREC D 5 BREC 7049 < D5 UREC For each k > 6, it follows from Theorems 43 and 44 that D k BREC <k 5k < (k ) k(k ) < D k UREC Thus we have that D k BREC < Dk UREC for each k > 4 5 Concluding Remarks In this paper, we have presented -PIR (PIR BD ) with communication complexity n /3 that is more time-efficient than -PIR (PIR CC []) Then for each k >, we have generally formulated (unbalanced) recursive scheme k-pir (k-pir UREC ) given by Ambainis [] and have presented (balanced) recursive scheme k-pir (k-pir BREC ) with communication complexity O(n /(k ) ) that is more communication-efficient than k-pir UREC Recall that k-pir BREC (and k-pir UREC ) is constructed from PIR CC for each k > Then it seems natural to expect that we could reduce communication complexity of k-pir BREC (and/or k-pir UREC )ifwe would have more communication-efficient -PIR Actually, we can show that if there exists -PIR with communication complexity O(n /(3+e) ) for some integer e >, then for each k >, there exists k-pir with communication complexity O(n /(k +e) ) Then we have () For some ε>0, find -PIR with communication complexity O(n /(3+ε) ) () For some ε>0, find k-pir with communication complexity O(n /(k +ε) ) for each k > 3 (3) Show a (nontrivial) lower bound on communication complexity of -PIR (4) Show a (nontrivial) lower bound on communication complexity of k-pir for each k > 3 Presumably, time complexity of k-pir BREC is much less than that of k-pir UREC, but we have not analyzed them due to their recursive structures Then we finally have (5) Analyze the time complexity of k-pir BREC and k-pir BREC for each k > 3 [] A Ambainis, Upper bound on the communication complexity of private information retrieval, Proc ICALP, Lecture Notes in Computer Science, vol56, pp40 409, 997 [] M Ben-Or, S Goldwasser, J Kilian, and A Wigderson, Multi-prover interactive proofs: How to remove intractability assumptions, Proc 0th ACM Symposium on Theory of Computing, pp3 3, 988 [3] B Chor and N Gilboa, Computationally information retrieval, Proc 9th ACM Symposium on Theory of Computing, pp304 33, 997 [4] B Chor, O Goldreich, E Kushilevitz, and M Sudan, Private information retrieval, Proc 36th IEEE Symposium on Foundations of Computer Science, pp4 50, 995 [5] S Goldwasser and S Micali, Probabilistic encryption, Journal of Computer and System Sciences, vol8, pp70 99, 984 [6] J Håstad, Pseudo-random generators with uniform assumptions, Proc nd ACM Symposium on Theory of Computing, pp , 990 [7] R Impagliazzo, LA Levin, and M Luby, Pseudo-random generation from one-way functions, Proc 30th IEEE Symposium on Foundations of Computer Science, pp 4, 989 [8] E Kushilevitz and R Ostrovsky, Replication is not needed: Single database, computationally-private information retrieval, Proc 38th IEEE Symposium on Foundations of Computer Science, pp , 997 [9] R Motwani and P Raghavan, Randomized Algorithms, Cambridge University Press, 995 [0] FJ MacWilliams and NJA Sloane, The Theory of Error- Correcting Codes, 9th edition, North-Holland, 996 Toshiya Itoh was born in Urawa, Japan, in 959 He received the B Eng, the MS Eng, and the Dr Eng degree in electronic engineering in 98, 984, and 988, respectively from Tokyo Institute of Technology, Tokyo, Japan From 985 to 990, he was an Assistant Professor in the Department of Electrical and Electronic Engineering at Tokyo Institute of Technology, and from 990 to 99, he was a Lecturer in the Department of Information Processing at Tokyo Institute of Technology Since 99, he has been an Associate Professor in the Department of Information Processing at Tokyo Institute of Technology His current interests are modern cryptographies, finite field arithmetics, and complexity theory Dr Itoh is a member of the Information Processing Society of Japan, the International Association for Cryptologic Research, the Association for Computing Machinery, and LA Acknowledgments The author thanks anonymous referees for their several valuable comments, especially for the comments on the analysis for time complexity of -PIR
Computationally Private Information Retrieval With Polylogarithmic Communication
Computationally Private Information Retrieval With Polylogarithmic Communication Christian Cachin Silvio Micali Markus Stadler August 9, 1999 Abstract We present a single-database computationally private
More informationReport on PIR with Low Storage Overhead
Report on PIR with Low Storage Overhead Ehsan Ebrahimi Targhi University of Tartu December 15, 2015 Abstract Private information retrieval (PIR) protocol, introduced in 1995 by Chor, Goldreich, Kushilevitz
More informationQuantum Symmetrically-Private Information Retrieval
Quantum Symmetrically-Private Information Retrieval Iordanis Kerenidis UC Berkeley jkeren@cs.berkeley.edu Ronald de Wolf CWI Amsterdam rdewolf@cwi.nl arxiv:quant-ph/0307076v 0 Jul 003 Abstract Private
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationA Study of Computational Private Information Retrieval Schemes and Oblivious Transfer
MASTER ALGANT University of Padova and University of Bordeaux 1 Master Thesis in Mathematics A Study of Computational Private Information Retrieval Schemes and Oblivious Transfer Valentina Settimi Supervisor:
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationNondeterminism LECTURE Nondeterminism as a proof system. University of California, Los Angeles CS 289A Communication Complexity
University of California, Los Angeles CS 289A Communication Complexity Instructor: Alexander Sherstov Scribe: Matt Brown Date: January 25, 2012 LECTURE 5 Nondeterminism In this lecture, we introduce nondeterministic
More informationComputer Science Dept.
A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationBreaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval
Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Amos Beimel Yuval Ishai Eyal Kushilevitz Jean-François Raymond April 24, 2006 Abstract Private Information Retrieval
More informationPseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 andomness is one of the fundamental computational resources and appears everywhere. In computer science,
More informationDistributed Point Functions and their Applications
Distributed Point Functions and their Applications Niv Gilboa 1 and Yuval Ishai 2 1 Dept. of Communication Systems Eng., Ben-Gurion University, Beer-Sheva, Israel gilboan@bgu.ac.il 2 Dept. of Computer
More informationPrivate Information Retrieval Based on the Subgroup Membership Problem
Private Information Retrieval Based on the Subgroup Membership Problem Akihiro Yamamura 1 and Taiichi Saito 2 1 Communications Research Laboratory, 4-2-1, Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
More informationPrivate Access to Distributed. Information. Eran Mann
Private Access to Distributed Information Eran Mann 1 Private Access to Distributed Information Research Thesis Submitted in partial fulllment of the requirements for the degree of Master of Science in
More informationPrivate Information Retrieval from MDS Coded Data in Distributed Storage Systems
Private Information Retrieval from MDS Coded Data in Distributed Storage Systems Joint work with Razane Tajeddine Salim El Rouayheb ECE Department Illinois Institute of Technology Motivation 1 Secure Multiparty
More informationSingle Database Private Information Retrieval with Logarithmic Communication
Single Database Private Information Retrieval with Logarithmic Communication Yan-Cheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of
More informationOn the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited Moni Naor Omer Reingold Abstract Luby and Rackoff [26] showed a method for constructing a pseudo-random permutation from a pseudo-random
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationOn Pseudorandomness w.r.t Deterministic Observers
On Pseudorandomness w.r.t Deterministic Observers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Avi Wigderson The Hebrew University,
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationAbstract. Often the core diculty in designing zero-knowledge protocols arises from having to
Interactive Hashing Simplies Zero-Knowledge Protocol Design Rafail Ostrovsky Ramarathnam Venkatesan y Moti Yung z (Extended abstract) Abstract Often the core diculty in designing zero-knowledge protocols
More informationPrivate Information Retrieval from Coded Databases
Private Information Retrieval from Coded Databases arim Banawan Sennur Ulukus Department of Electrical and Computer Engineering University of Maryland, College Park, MD 20742 kbanawan@umdedu ulukus@umdedu
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationTutorial on Coded Private Information Retrieval
Tutorial on Coded Private Information Retrieval Camilla Hollanti Aalto University, Finland 5th ICMCTA, Vihula, August 2017 Based on joint work with Salim El Rouayheb, Ragnar Freij-Hollanti, Oliver Gnilke,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 21 November 15, 2017 CPSC 467, Lecture 21 1/31 Secure Random Sequence Generators Pseudorandom sequence generators Looking random
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationA Geometric Approach to Information-Theoretic Private Information Retrieval
A Geometric Approach to Information-Theoretic Private Information Retrieval David Woodruff MIT dpwood@mit.edu Sergey Yekhanin MIT yekhanin@mit.edu Abstract A t-private private information retrieval PIR
More informationKey words: Batch codes, error-correcting codes, computationally-private information retrieval, load balancing, distributed storage.
Linear Batch Codes Helger Lipmaa and Vitaly Skachek Abstract In an application, where a client wants to obtain many symbols from a large database, it is often desirable to balance the load. Batch codes
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationBreaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval
Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Amos Beimel Yuval Ishai Eyal Kushilevitz Jean-François Raymond Abstract Private Information Retrieval (PIR) protocols
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationOn Lower Bounds for the Communication Complexity of Private Information Retrieval
IEICE TRANS FUNDAMENTALS, VOLE84 A, NO JANUARY 200 57 PAPER Special Sectio o Cryptography ad Iformatio Security O Lower Bouds for the Commuicatio Complexity of Private Iformatio Retrieval Toshiya ITOH,
More information1 Randomized Computation
CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at
More informationA Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem
A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationError-Tolerant Combiners for Oblivious Primitives
Error-Tolerant Combiners for Oblivious Primitives Bartosz Przydatek 1 and Jürg Wullschleger 2 1 Google Switzerland, (Zurich, Switzerland) przydatek@google.com 2 University of Bristol (Bristol, United Kingdom)
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationImproved Lower Bounds for Locally Decodable Codes and Private Information Retrieval
Improved Lower Bounds for Locally Decodable Codes and Private Information Retrieval Stephanie Wehner and Ronald de Wolf CWI, Kruislaan 43, 098 SJ, Amsterdam, the Netherlands. {wehner, rdewolf}@cwi.nl Abstract.
More informationNotes for Lecture 14 v0.9
U.C. Berkeley CS27: Computational Complexity Handout N14 v0.9 Professor Luca Trevisan 10/25/2002 Notes for Lecture 14 v0.9 These notes are in a draft version. Please give me any comments you may have,
More informationGeneralized Lowness and Highness and Probabilistic Complexity Classes
Generalized Lowness and Highness and Probabilistic Complexity Classes Andrew Klapper University of Manitoba Abstract We introduce generalized notions of low and high complexity classes and study their
More informationCorrecting Codes in Cryptography
EWSCS 06 Palmse, Estonia 5-10 March 2006 Lecture 2: Orthogonal Arrays and Error- Correcting Codes in Cryptography James L. Massey Prof.-em. ETH Zürich, Adjunct Prof., Lund Univ., Sweden, and Tech. Univ.
More informationGeneration of Shared RSA Keys by Two Parties
Generation of Shared RSA Keys by Two Parties Guillaume Poupard and Jacques Stern École Normale Supérieure, Laboratoire d informatique 45 rue d Ulm, F-75230 Paris Cedex 05, France email: {Guillaume.Poupard,Jacques.Stern}@ens.fr
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationState Recovery Attacks on Pseudorandom Generators
Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationFrom Non-Adaptive to Adaptive Pseudorandom Functions
From Non-Adaptive to Adaptive Pseudorandom Functions Itay Berman Iftach Haitner January, 202 Abstract Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to
More informationWell known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne
Design of SAC/PC(l) of order k Boolean functions and three other cryptographic criteria Kaoru Kurosawa 1 and Takashi Satoh?2 1 Dept. of Comper Science, Graduate School of Information Science and Engineering,
More informationConstructing Verifiable Random Number in Finite Field
Jun Ye 1, Xiaofeng Chen 2, and Jianfeng Ma 2 1 School of Science, Sichuan University of Science and Engineering Zigong, Sichuan, China yejun@suseeducn 2 School of Telecommunication Engineering, Xidian
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationWhere do pseudo-random generators come from?
Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationTwo Comments on Targeted Canonical Derandomizers
Two Comments on Targeted Canonical Derandomizers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded.goldreich@weizmann.ac.il April 8, 2011 Abstract We revisit
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture 2. 1 More N P-Compete Languages. Notes on Complexity Theory: Fall 2005 Last updated: September, Jonathan Katz
Notes on Complexity Theory: Fall 2005 Last updated: September, 2005 Jonathan Katz Lecture 2 1 More N P-Compete Languages It will be nice to find more natural N P-complete languages. To that end, we ine
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationarxiv: v1 [cs.it] 23 Jan 2019
Single-Server Single-Message Online Private Information Retrieval with Side Information Fatemeh azemi, Esmaeil arimi, Anoosheh Heidarzadeh, and Alex Sprintson arxiv:90.07748v [cs.it] 3 Jan 09 Abstract
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationElectronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP
Electronic Colloquium on Computational Complexity, Report No. 31 (2007) Interactive PCP Yael Tauman Kalai Weizmann Institute of Science yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il
More informationA Combinatorial Bound on the List Size
1 A Combinatorial Bound on the List Size Yuval Cassuto and Jehoshua Bruck California Institute of Technology Electrical Engineering Department MC 136-93 Pasadena, CA 9115, U.S.A. E-mail: {ycassuto,bruck}@paradise.caltech.edu
More informationInteractive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science
Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationGeneric Case Complexity and One-Way Functions
Groups-Complexity-Cryptology Volume 1 2009), No. 1, 13 31 Generic Case Complexity and One-Way Functions Alex D. Myasnikov Department of Mathematical Sciences, Stevens Institute of Technology, Hoboken,
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationCOS598D Lecture 3 Pseudorandom generators from one-way functions
COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway
More informationPseudo-Random Generators and Structure of Complete Degrees
Pseudo-Random Generators and Structure of Complete Degrees Manindra Agrawal Dept of CSE, IIT Kanpur 208016, India email: manindra@iitk.ac.in Abstract It is shown that if there exist sets in E that require
More informationarxiv: v3 [quant-ph] 30 Mar 2016
On the Composition of Two-Prover Commitments, and Applications to Multi-Round Relativistic Commitments Serge Fehr and Max Fillinger Centrum Wiskunde & Informatica (CWI), Amsterdam, The Netherlands {serge.fehr,
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationLecture 10 + additional notes
CSE533: Information Theorn Computer Science November 1, 2010 Lecturer: Anup Rao Lecture 10 + additional notes Scribe: Mohammad Moharrami 1 Constraint satisfaction problems We start by defining bivariate
More informationLecture 7 Limits on inapproximability
Tel Aviv University, Fall 004 Lattices in Computer Science Lecture 7 Limits on inapproximability Lecturer: Oded Regev Scribe: Michael Khanevsky Let us recall the promise problem GapCVP γ. DEFINITION 1
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationRON M. ROTH * GADIEL SEROUSSI **
ENCODING AND DECODING OF BCH CODES USING LIGHT AND SHORT CODEWORDS RON M. ROTH * AND GADIEL SEROUSSI ** ABSTRACT It is shown that every q-ary primitive BCH code of designed distance δ and sufficiently
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More information1 Distributional problems
CSCI 5170: Computational Complexity Lecture 6 The Chinese University of Hong Kong, Spring 2016 23 February 2016 The theory of NP-completeness has been applied to explain why brute-force search is essentially
More informationOn-line Scheduling to Minimize Max Flow Time: An Optimal Preemptive Algorithm
On-line Scheduling to Minimize Max Flow Time: An Optimal Preemptive Algorithm Christoph Ambühl and Monaldo Mastrolilli IDSIA Galleria 2, CH-6928 Manno, Switzerland October 22, 2004 Abstract We investigate
More informationSome results on the existence of t-all-or-nothing transforms over arbitrary alphabets
Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets Navid Nasr Esfahani, Ian Goldberg and Douglas R. Stinson David R. Cheriton School of Computer Science University of
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationBeing Taught can be Faster than Asking Questions
Being Taught can be Faster than Asking Questions Ronald L. Rivest Yiqun Lisa Yin Abstract We explore the power of teaching by studying two on-line learning models: teacher-directed learning and self-directed
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationLecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science,
More informationLecture 12: Interactive Proofs
princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization
More informationCS Communication Complexity: Applications and New Directions
CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the
More informationBinary construction of quantum codes of minimum distances five and six
Discrete Mathematics 308 2008) 1603 1611 www.elsevier.com/locate/disc Binary construction of quantum codes of minimum distances five and six Ruihu Li a, ueliang Li b a Department of Applied Mathematics
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More information