Efficient Private Information Retrieval

Transcription

1 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 PAPER Special Section on Cryptography and Information Security Efficient Private Information Retrieval Toshiya ITOH, Member SUMMARY Informally, private information retrieval for k > databases (k-pir) is an interactive scheme that enables a user to make access to (separated) k replicated copies of a database and privately retrieve any single bit out of the n bits of data stored in the database In this model, privacy implies that the user retrieves the bit he is interested in but releases to each database nothing about which bit he really tries to get Chor et al proposed -PIR with communication complexity n /3 + that is based on the covering codes Then Ambainis recursively extended the scheme by Chor et al and showed that for each k >, there exists k-pir with communication complexity at most c k n /(k ) some constant c k > 0 In this paper, we relax the condition for the covering codes and present time-efficient -PIR with communication complexity n /3 In addition, we generally formulate the recursive scheme by Ambainis and show that for each k > 4, there exists k-pir with communication complexity at most c k n/(k ) for some constant c k c k key words: information retrieval, privacy, communication complexity, time complexity, covering codes Introduction Background Private information retrieval for k > databases (k- PIR) is initiated by Chor et al [4] as a useful way for a user to privately get information through networks It would be quite natural to ask for the privacy of the user For example, an investor (or a speculator) that makes access to the stock-market database to get the value of a certain stock may wish to keep private which stock he is interested in Informally, k-pir is a scheme that enables a user to make access to (separated) k replicated copies of a database and privately retrieve a single bit of data stored in the database In this framework, private implies that the user is able to retrieve his desired bit but releases to each database nothing about which bit he tries to get in the information-theoretic sense In the practical point of view, the communication complexity between the user and the databases (and the time complexity of the user and the databases) seems to be one of the most important resources for constructing efficient and practical k-pir When the user makes access to only a single database, he may ask for a copy of the whole database Manuscript received March 8, 998 Manuscript revised July, 998 The author is with Interdisciplinary Graduate School of Science and Engineering, Tokyo Institute of Technology, Yokohama-shi, Japan to privately retrieve the bit that he is interested in Obviously, this requires O(n) communication complexity but is proved to be essentially the best he can do Indeed, Chor et al [4] showed that any -PIR requires Ω(n) communication complexity To reduce communication complexity of k-pir, Chor et al [4] applied the covering codes [0] and proposed -PIR with communication complexity n /3 + and k-pir with communication complexity O(n /k ), where n is the length of total data stored in the database It is conjectured by Chor et al [4] that O(n /3 ) might be the lower bound for the communication complexity of any -PIR Then Ambainis [] recursively extended the scheme by Chor et al [4] to construct k-pir with less communication complexity and showed that for each k >, there exists k-pir with communication complexity O(n /(k ) ) By applying cryptographic (secure) primitives, Chor and Gilboa [3] extended k-pir in a natural way to define computationally private information retrieval for k > databases (k-cpir) This is a scheme that is similar to the original k-pir but the user releases (in the computational sense) to each database nothing about which bit he tries to retrieve In this framework, Chor and Gilboa [3] showed that for any ε>0, there exists -CPIR with communication complexity O(n ε ) under the general assumption that pseudo-random generators exist [6], [7] Intuitively, -CPIR with communication complexity o(n) would be impossible, however, Kushilevitz and Ostrovsky [8] recently showed that for any ε>0, there exists -CPIR with communication complexity O(n ε ) under the (stronger but reasonable) assumption that quadratic residuosity [5] is hard Motivation As for the communication complexity, the -CPIR [3] and the -CPIR [8] achieve much better than k-pir for any reasonable k >, however, there exist trade-offs between the communication complexity and the time complexity To achieve O(n ε ) communication complexity for any ε>0, the -CPIR [3] and the -CPIR [8] are recursively constructed and in each recursive step, each database (in the -CPIR [3] and the -CPIR [8]) needs to execute large amount of computations This may eventually lead to a large delay until the user receives the response from the database In addition to this, the privacy of the user in k-cpir is asymptotically guaran-

2 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 teed with respect to n (the length of total data stored in the database), ie, the privacy of the user in k-cpir is protected for sufficiently large n In general, this implies that the privacy of the user in k-cpir are not necessarily guaranteed for reasonable size of data stored in the database Thus k-pir is more advantageous than k-cpir from the practical-oriented privacy point of view, because k-pir protects the privacy of the user for any size of data stored in the database The goal of this paper is to design time-efficient (or communication-efficient) k-pir 3 Main Results In this paper, we relax the condition for the covering codes to design time-efficient -PIR and present -PIR PIR BD with communication complexity n /3 In addition, we generally formulate the recursive k-pir by Ambainis [] and show that for each k > 4, there exist k-pir PIR k BREC of which communication complexity is much less than that of k-pir by Ambainis [] Preliminaries In this paper, x x x x n {0, } n denotes the contents of the database and let n x For m>0, let [m] {,,,m} and d(a, b) be the Hamming distance of a and b The Model A model for k-pir is similar to that of multi-prover interactive proofs [] We use U to denote a user that is a probabilistic polynomial time interactive Turing machine and DB, DB,, DB k denote deterministic polynomial time interactive Turing machines that are allowed to communicate with U but are not allowed to communicate with each other We also use qj l to denote the lth question made by U to DB j and a l j to denote the lth answer returned by DB j to U For each j [k], let Q l j (q j,q j,,ql j ) and Al j (a j,a j,,al j ) Definition [4]: We say that (U DB, DB,, DB k ) is m-round information retrieval for k > databases (k-ir) if for any n>0, any x {0, } n, and any i [n], it satisfies the following: Let x i {0, } be the bit that U wishes to retrieve from x For each round l [m] and each j [k], U sends qj l(i) U(i, j, n A l,a l,,a l k )todb j as the lth question and DB j responds U with a l j DB j (x, Q l j (i)) as the lth answer At the end of round m, U can always retrieve the bit x i from A m,am,,am k, ie, x i U(i, n A m,a m,,a m k ) random variable, because it is the bit position that U wishes to retrieve Definition (Privacy [4]): We say that (U DB, DB,, DB k )ism-round private information retrieval for k > databases (k-pir) ifitisk-ir and satisfies the following: For each j [k], Q m j (i ) and Q m j (i ) are identically distributed for every i,i [n] Definition 3 (Communication Complexity [4]): Let Π(U DB, DB,, DB k )bek-pir Then communication complexity of Π is the sum of the total amount of bits exchanged between U and each DB j ( < j < k), i,e, j [k] { Qm j (i) + Am j } Definition 4 (Time Complexity): Let Π (U DB, DB,, DB k )bek-pir Then time complexity of Π is the sum of the running time of U and the maximum running time of DB j Obviously, communication complexity corresponds to the network cost and time complexity to the delay to retrieve information For k-pir Π, we use COM Π (n) to denote communication complexity of PIR Π, and TIME Π (n) to denote time complexity of PIR Π Useful Properties For any S [m], S (s,s,,s m ) {0, } m is defined to be s i ifi S and s i 0ifi S For any S [m] and i [m], define S i to be S \{i} if i S and S {i} if i S, and for a (a,a,,a m ) {0, } m and b (b,b,,b m ) {0, } m, let (a, b) denote the inner product of a and b modulo, ie, (a, b) i [m] a ib i (mod ) i [m] a ib i Proposition 5 [4, 3]: For any S [n] and i [n], let S S and S S i and also let A (x, S ) i S x i and A (x, S ) i S x i Then A A x i For each d >, we assume without loss of generality that n l d, ie, l n /d If it is not the case, we expand x by padding appropriate number of zeros to satisfy the condition We embed x in a d-dimensional cube by associating each position i [n] with a d-tuple (i,i,,i d ) in a natural manner The following is essential to design communication-efficient k-pir Proposition 6 [4, 3]: For each t [n], let (t, t,,t d ) be the associated d-tuple of t [n] For each j [d], we also let Sj [l] and S j Sj t j, and for each σ σ σ σ d {, } d, we define A σσ σ d i S σ i S σ i d S σ d x i,i d,,i d Then x t,t,,t d σ σ σ d {0,} A d σ σ σ d Q m j Since U is a probabilistic polynomial time machine, (i) is a random variable Note that i [n] is not a For any integer s >, let m n/s and X (X,X,,X m )x {0, } n, where X i {0, } s for

3 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL each block i [m], and we also assume without loss of generality that m l d, ie, l m /d In a way similar to the above, we embed X in a d-dimensional cube by associating each block i [m] with a d-tuple (i,i,,i d ) in a natural manner Note that Proposition 6 holds for the case that s but can be generalized to the case that s > inan obvious way The lemma below will play a central role in Sect 3 to design time-efficient (and communicationefficient) k-pir by an appropriate choice of s> Lemma 7: For each t [m], let (t,t,,t d ) be the associated d-tuple of t For each j [d], let Sj [l] and Sj S j t j, and for each σ σ σ d {, } d, define i S σ i d S σ d d A σσ σ d i S σ Then X t,t,,t d σ σ σ d {0,} A d σσ σ d 3 Time-Efficient -PIR X i,i,,i d To analyze time complexity, we will make the following (practical) assumption: Let r 3 or r 64 and U and DB i are equipped with an r-bit CPU Since we are interested in information-theoretic (not complexitytheoretic) private information retrieval, U is allowed to make access to truly random bit sequence ρ and requires a single step to read a random bit from ρ Let r l For any S [l], pointing index i S requires (lg l)/r steps Note that (lg l)/r for r 3ifl < 0 9 and (lg l)/r for r 64ifl < The Covering Codes Scheme To be self-contained, we show the -PIR (PIR CC )by Chor et al [4] that is based on the covering codes [0] Let d 3 and l n /3 and assume that U wishes to retrieve x t for some t [n] Then (t,t,t 3 ) [l] 3 is the associated 3-tuple of t in the 3-dimensional cube The Covering Codes Scheme: PIR CC U-: U chooses Sj [l] uniformly and independently for each < j < 3 U-: U computes Sj S j t j for each < j < 3 U DB : S,S,S 3 [l] U DB : S,S,S 3 [l] DB-: DB computes b 000 x i,i,i 3 DB-: DB computes b h 00 b h 00 i S i 3 S3 h i S i 3 S3 i S h i 3 S3 x i,i,i 3 x i,i,i 3 b h 00 i S for each h [l], and defines i 3 S 3 h x i,i,i 3, B 00 (b 00,b 00,,bl 00 ) B 00 (b 00,b 00,,b l 00) B 00 (b 00,b 00,,b l 00) DB U: b 000 {0, }, B 00,B 00,B 00 {0, } l DB-: DB computes c DB-: DB computes c h 0 c h 0 c h 0 i S i 3 S3 h i S i 3 S3 x i,i,i 3 i S h i 3 S3 i S for each h [l], and defines x i,i,i 3 x i,i,i 3 i 3 S 3 h x i,i,i 3, C 0 (c 0,c 0,,cl 0 ) C 0 (c 0,c 0,,c l 0) C 0 (c 0,c 0,,c l 0) DB U: c {0, }, C 0,C 0,C 0 {0, } l U-3: U computes b 000 b t 00 bt 00 bt3 00 c c t 0 ct 0 ct3 0 ( x t) Obviously, (S,S,S 3) [l] 3 and (S,S,S 3) [l] 3 are uniformly distributed over [l] 3 for any t [n] Thus it follows from Proposition 6 that PIR CC is -PIR Lemma 3 [4]: COM CC (n) n /3 + Lemma 3: TIME wc CC (n) 3n +6n/3 + 9 and TIME av CC (n) (/4) n +6n/3 + 9 Proof: In the practical point of view, we assume that n < 0 0 and also that pointing i S [l] [n /3 ] requires a single step From the description of PIR CC, we immediately have the following: In both the worst and average cases, 3l steps for random generation in U-, 3 steps for index pointing and 3 steps for XOR in U-, and 6 steps for index pointing and 7 steps for XOR in U-3 are required To compute b 000 in DB-, DB requires 3l 3 steps for index pointing and l 3 steps for XOR in the worst case and 3(l/) 3 steps for index pointing and (l/) 3 steps for XOR in the average case To compute B 00 in DB-, DB requires (l +)l steps for index pointing and l 3 steps for XOR in the 3

4 4 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 worst case and {(l/) +}l steps for index pointing and (l/) l steps for XOR in the average case by evaluating b h 00 b 000 ( i S i 3 S x 3 h,i,i 3 ) for each h [l] The analysis similar to this can be applied to B 00,B 00 Since the number of steps made by DB is the same with that made by DB and l n /3, we have that TIME wc CC (n) 3n +6n/3 + 9 and TIME av CC (n) (/4) n +6n/ The Block Division Scheme In this subsection, we show new -PIR (PIR BD ) that is based on Lemma 7 Let m n/s for some s > (s will be fixed later), and X (X,X,,X m )x {0, } n, where X i {0, } s for each block i [m] Let d and l m / and we embed X in a -dimensional cube by associating each block i [m] with a -tuple (i,i ) in a natural manner Here we assume that U wishes to retrieve x t for some t [n] and that x t is located at the τth bit of X β, where τ [s] and β [m] Let (β,β ) [l] be the associated -tuple of β, and for any A (A,A,,A l ) {0, } l and α [l], let pick α (A) A α The Block Division Scheme: PIR BD U-: U chooses S,S [l] and T [s] uniformly and independently U-: U computes S S β, S S β, and T T τ U DB : S,S [l], T [s] U DB : S,S [l], T [s] DB-: DB computes B 00 X i,i i S DB-: For each h [l], DB computes b h 0 (X i,i, T ) b h 0 h i S i S i S h (X i,i, T ), and defines B 0 (b 0,b 0,,bl 0 ), B 0 (b 0,b 0,,b l 0) DB U: B 00 {0, } s, B 0,B 0 {0, } l DB-: DB computes C i S X i,i DB-: For each h [l], DB computes c h 0 (X i,i, T ) c h 0 h i S i S i S h (X i,i, T ), and defines C 0 (c 0,c 0,,c l 0), C 0 (c 0,c 0,,cl 0 ) DB U: C {0, } s, C 0,C {0, } l U-3: U computes pick τ (B 00 )pick τ (C )(b β c β 0 ) (bβ 0 cβ 0 )(x t) 0 The intuition behind PIR BD is as follows: For each h [l], let Y0 h i h S X i,i and Y0 h i S h X i,i instead of b h 0 and b h 0 respectively, and let Z0 h h i S X i,i and Z0 h i S h X i,i instead of c h 0 and ch 0 respectively Recall that U wishes to retrieve x t for some t [n] and x t is located at the τth bit of X β,β Then it follows from Lemma 7 that X β,β B 00 Y β 0 Y β 0 C, but this blows up communication complexity Since U is interested in the τ th bit of X β,β and Y β 0 Z β β 0 and Y0 Z β 0 hold from Proposition 5 and the definitions of T and T, (Y β 0, T ) (Z β 0, T )b β 0 cβ 0 provides the τth bit of Y β β 0 and (Y0, T ) (Z β 0, T )b β 0 cβ 0 provides the τth bit of Y β 0 These are sufficient for U to retrieve x t and reduce communication complexity Theorem 33: The block division scheme PIR BD is private information retrieval for databases Proof: For d, it follows from Lemma 7 that X β,β A 00 A 0 A 0 A, where A 00 X i,i i S A 0 A 0 A X i,i i S β i S X i,i β i S i S X i,i X i,i X i,i β i S β i S X i,i, for any S [l] and any S [l] Since x t is located at the τth bit of X β,β, we have that x t pick τ (X β,β )

5 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 5 pick τ (A 00 )pick τ (A 0 )pick τ (A 0 )pick τ (A ) From the definitions of A 00,A and B 00,C, it is immediate that A 00 B 00 and A C, and thus we have that pick τ (B 00 ) pick τ (C ) pick τ (A 00 ) pick τ (A ) () On the other hand, from the definitions of B 0,C 0 and A 0, it is obvious that b β 0 (X i,i, T ) β i S c β 0 i S X i,i, T (X i,i, T ) i S β X i,i, T i S ( A 0, T ) ( A 0, T ) Then from the fact that T T τ and Proposition 5, it follows that b β 0 cβ 0 pick τ(a 0 ) and b β 0 cβ 0 pick τ (A 0 ) Thus we have that b β 0 cβ 0 pick β (B 0 ) pick β (C 0 ) pick τ (A 0 ) () b β 0 cβ 0 pick β (B 0 ) pick β (C 0 ) pick τ (A 0 ) (3) Then from Eqs (), (), and (3), it turns out that x t pick τ (X β,β ) pick τ (A 00 ) pick τ (A 0 ) pick τ (A 0 ) pick τ (A ) pick τ (B 00 ) pick τ (C ) (b β 0 cβ 0 ) (bβ 0 cβ 0 ) It is obvious that for any t [n], (S,S,T ) [l] [s] and (S,S,T ) [l] [s] are uniformly distributed over [l] [s] Thus PIR BD is -PIR Theorem 34: COM BD (n) n /3 Proof: From the description of PIR BD, it is immediate that COM BD (n) 8l +4s 8 (n/s) / +4s Then we have that COM BD (n) n /3 by setting s n /3 Theorem 35: TIME wc BD (n) 5n +4n/3 +9n /3 +7 and TIME av BD (n) (5/4) n +(3/) n/3 +8n /3 + 7 Proof: In a way similar to the proof of Lemma 3, we assume that pointing i S [l] [n /3 ] requires a single step From the description of PIR BD, we immediately have the following: In both the worst and average cases, l + s steps for random generation in U-, 3 steps for index pointing and 3 steps for XOR in U-, and 6 steps for index pointing and 5 steps for XOR in U-3 are required To compute B 00 in DB-, DB requires l steps for index pointing and l s steps for XOR in the worst case and (l/) steps for index pointing and (l/) s steps for XOR in the average case To compute B 0 in DB-, DB first evaluate b (B 00, T ) for which DB requires s steps for AND and s steps for XOR in the worst case and s/ steps for AND and s/ steps for XOR in the average case Then DB evaluates b h 0 b { i S (X h,i, T )} for each h [l] This requires (l +)l steps for index pointing, l s steps for AND, and (ls+)l steps for XOR in the worst case and {(l/) + }l steps for index pointing, (l/) (s/) steps for AND and {(l/)(s/) + }l steps for XOR in the average case The analysis similar to this can be applied to B 0 Since the number of steps made by DB is the same with that made by DB and s l n /3, we have that TIME wc BD (n) 5n+4n/3 +9n /3 +7 and TIME av BD (n) (5/4) n +(3/) n/3 +8n / Communication-Efficient k-pir Let k > Here wee assume without loss of generality that n l k, ie, l n /(k ), and we embed x {0, } n in a (k )-dimensional cube by associating each position i [n] with a (k )-dimensional tuple (i,i,,i k ) [l] k in a natural manner We also assume that U wishes to retrieve x t for some t [n] and let (t,t,,t k ) [l] k be the associated (k )-tuple of t 4 General Frameworks We first show general recursive schemes for k- PIR (k-pir GREC ) with communication complexity O(n /(k ) ) that includes the scheme by Ambainis [] as a special case For any d, r > and any c {0, } d, let B d (c,r) be the set of all d- bit long strings that differ from c in at most r positions, ie, B d (c,r) {v {0, } d : d(c,v) < r} For any S (S,S,,S k ) [l] k, let S ( S, S,, S k ) {0, } l(k ) Then for each δ [k ], we define C k (S, δ) T (T,T,,T k ) [l] k : T B l(k ) ( S,δ) & k j [ Tj B l ( S j, )] ie, T (T,T,,T k ) C k (S, δ) if () for each j [k ], T j S j i j for some i j [l] ort j S j and () T j S j happens at most δ times Let A be

6 6 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 the number of elements in a finite set A We number each element of C k (S, δ) in a natural order Obviously, M(k, δ) C k (S, δ) δ ( ) k l i i i0 Recall that t [n] is the bit position U wishes to retrieve and (t,t,t k ) [l] k is the associated (k )-tuple of t For any S (S,S,,S k ) [l] k, define { H k (S, t, δ) T (T,T,,T k ) [l] k : T C k (S, δ) & j [k ] [ T j S j T j S j t j ] }, ie, T H k (S, t, δ) ift C k (S, δ) and T j differs from S j only on t j [l] for j [k ] From the definition of H k (S, t, δ), it is obvious that N(k, δ) H k (S, t, δ) δ ( ) k i i0 Since H k (S, t, δ) C k (S, δ), each element of H k (S, t, δ) has the unique number assigned by the numbering for all elements of C k (S, δ) Here we define P k (S, t, δ) (p,p,,p N(k,δ) ) to be the set of the numbers that are assigned to all elements of H k (S, T, δ) Let k,k [k], where k + k k We present -PIR, (k,k )-BASIS, for U and DB, DB that will be a building block for constructing general recursive k-pir (k-pir GREC ) As noticed above, k-pir GREC includes the recursive scheme by Ambainis [] as a special case The Building Block: (k,k )-BASIS U-: U chooses Sj [l] uniformly and independently for each j [k ] U-: U computes Sj Sj t j for each j [k ] U DB : Q (S,S,,S k ) [l] k U DB : Q (S,S,,Sk ) [l] k DB-: DB enumerates L h (L h,,lh k ) C k (Q, k ) and computes a h x i,,i k, i L h i k L h k for each h [M(k, k )] DB U : A (a,a,,a M(k,k ) ) DB-: DB enumerates R h (R h,,r h k ) C k (Q, k ) and computes a h i R h i k R h k for each h [M(k, k )] DB U : A (a,a,,a M(k,k ) ) x i,,i k, U-3: U obtains { i P k (Q,t,k ) pick i (A )} { i P k (Q,t,k ) pick i (A )} ( x t ) The intuition behind (k,k )-BASIS is as follows: From Proposition 6 and the definition of C k (S, δ), it follows that A and A include enough information to retrieve x t After receiving A and A, U retrieves x t by picking appropriate bits from A and A Lemma 4: The building block (k,k )-BASIS is private information retrieval for databases Proof: For each σ (σ,σ,,σ k ) {, } k, let w (σ) be the number of j [k ] such that σ j and w (σ) the number of j [k ] such that σ j We define Σ k {σ {, } k : w (σ) < k } and Σ k {σ {, } k : w (σ) < k } For any σ, if w (σ) < k, then w (σ) k w (σ) > k (k ) (k k )k, because w (σ)+w (σ) k and k + k k Thus we have that Σ k {σ {, } k : w (σ) > k }, and this implies that Σ k, Σ k is a bipartition of {, } k Let Q k {S σ (S σ,sσ,,sσ k k ) [l]k : σ (σ,σ,,σ k ) {, } k } be the set of questions for which Proposition 5 holds, and define Q k {S σ Q k : σ Σ k } Q k {S σ Q k : σ Σ k } Then Q k, Q k is a bipartition of Q k, because Σ k, Σ k is a bipartition of {, } k From the definition of H k (S, t, δ), Q k, and Q k, it is obvious that Q k H k (Q,t,k ) and Q k H k (Q,t,k ) Note that P k (Q,t,k ) and P k (Q,t,k ) respectively characterize the position for each element of H k (Q,t,k ) and H k (Q,t,k ) Then it follows from Proposition 5 that x t pick i (A ) i P k (Q,t,k ) pick i (A ) i P k (Q,t,k ) Obviously, Q (S,S,,S k ) [l] k and Q (S,S,,S k ) [l] k are uniformly distributed over [l] k for any t [n] Thus the building block (k,k )-BASIS is -PIR Now we are ready to show general recursive k-pir,

7 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 7 k-pir GREC, for U, DB(k ) (DB,, DB k ), and DB(k )(DB,, DB k ) Recall that k,k [k] such that k + k k The General Recursive Scheme: k-pir GREC U-: U simulates U of (k,k )-BASIS to generate Q,Q [l] k U DB(k ): Q [l] k U DB(k ): Q [l] k DB(k )-: DB(k ) simulates DB of (k,k )-BASIS on Q to generate A {0, } M(k,k ) DB(k )-: DB(k ) simulates DB of (k,k )-BASIS on Q to generate A {0, } M(k,k ) U DB(k ): For each h P k (Q,t,k ), U and DB(k ) run k -PIR GREC on A to get a h U DB(k ): For each h P k (Q,t,k ), U and DB(k ) run k -PIR GREC on A to get a h U-: U computes { h P k (Q,t,k ) a h } { h P k (Q,t,k ) a h } ( x t) The intuition behind k-pir GREC is as follows: We have already known -PIR (eg, PIR CC and PIR BD in Sect 3) with communication complexity O(n /3 ), and for each k > 3, k-pir GREC is inductively constructed from k -PIR GREC with communication complexity O(n /(k ) ) and k -PIR GREC with communication complexity O(n /(k ) ) Here we recall that A and A include enough information for U to retrieve x t (as we have noticed above) Since A O(n (k )/(k ) ) and A O(n (k )/(k ) ), we can achieve O(n /(k ) ) communication complexity by picking appropriate bits from A and A Theorem 4: For each k >, the general recursive scheme k-pir GREC is k-pir with communication complexity O(n /(k ) ) Proof: We prove the theorem by induction on k For convenience, -PIR GREC for U and DB is assumed to be a scheme that U asks nothing and DB responds U with the whole stored data Base Stage: Assume that k Since k,k [k] and k +k k, we have that k k This implies that DB(k )DB and DB(k )DB Note that (, )-BASIS is exactly the same with PIR CC in Sect 3 and that DB and DB respond U with A and A, respectively Then it turns out that -PIR GREC is exactly the same with PIR CC Thus it follows from Lemma 3 that -PIR GREC is -PIR with communication complexity n /3 +O(n /( ) ) Induction Stage: Let k > 3 and assume that for any < k <k, k -PIR GREC is k -PIR with communication complexity O(n /(k ) ) To complete the proof, we show in the following that k-pir GREC is k-pir with communication complexity O(n /(k ) ) From the induction hypothesis, it follows that k - PIR GREC is k -PIR with communication complexity O(n /(k ) ) and k -PIR GREC is k -PIR with communication complexity O(n /(k ) ) For each j [k ], let Q j {Q,qj (),q j (),,q j (N(k,k ))} be the set of questions made by U to DB j and for each j [k ], let Q j {Q,qj (),q j (),,q j (N(k,k ))} be the set of questions made by U to DB j Since k -PIR GREC is k -PIR, qj (h) isidentically (and independently) distributed for each h P k (Q,t,k ) Note that Q is uniformly distributed for any t [n] and is independently distributed of qj (h) for each h P k(q,t,k ) Then it follows that for any t [n], Q j is identically distributed for each j [k ] In a way similar to this, we can show that for any t [n], Q j is identically distributed for each j [k ] Thus k-pir GREC is k-pir for each k > Finally, we analyze communication complexity of k-pir GREC We use COM k GREC (n) to denote communication complexity of k-pir GREC Note that Q Q (k ) l (k ) n /(k ) The definition of M(k, δ) guarantees that there exist c k,c k > 0 such that A M(k, k ) k ( ) k l i < i c k n k i0 A M(k, k ) k ( ) k l i < i c k n k i0 k k Since COM k GREC (n) ) ) for each k <k O(n/(k (induction hypothesis), there exist d k,d k > 0 such that COM k GREC (n) < d k n /(k ) COM k GREC (n) < d k n /(k ), respectively Then we have that COM k GREC (n) k Q + k Q + N(k, k ) COM k GREC ( A ) + N(k, k ) COM k GREC ( A ) < k(k ) n/(k ) + N(k, k ) d k A /(k ) + N(k, k ) d k A /(k ) <c k n /(k ), for some c k > 0 Thus for each k >, COM k GREC (n) O(n /(k ) ) for any n>0 Note that in Theorem 4, COM k GREC (n) is measured independently of the choices of k,k [k] To

8 8 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 analyze the inherent behavior of COM k GREC (n) more precisely for each k >, we define D k GREC lim COM k GREC (n) n /(k ) It is obvious that D k GREC is the coefficient for the dominant factor of COM k GREC (n) 4 The Unbalanced Recursive Scheme For each k >, we assume that k k and k Then k-pir GREC coincides with the recursive k-pir by Ambainis [] and we refer to the unbalanced recursive scheme as k-pir UREC Let COM k UREC (n) denote communication complexity of k-pir UREC for each k > Theorem 43: For each k > 4, D k UREC > (k ) k(k ) Proof: Since k k and k ink-pir UREC, U sends DB j Q [l] k for each j [k ][k ], and U sends DB j Q [l]k for j [k ] [] Then U and DB, DB,, DB k run (k )-PIR UREC N(k, k 3) times to retrieve a h for each h P k(q,t,k 3), however, U asks nothing more and DB responds U with A in -PIR UREC Here we note that N(k, k 3) k (k ) k k and A M(k, ) +(k ) n /(k ) Then COM k UREC (n) (k + k )(k ) n /(k ) + COM UREC (M(k, )) + N(k, k 3) COM k UREC (M(k, k 3)) ( k k) COM k UREC (M(k, k 3)) +(k )(k +) n /(k ) + (4) From the definitions of D k GREC and M(k, δ), we have that COM k lim UREC (M(k, k 3)) lim n /(k ) [ {M(k, k 3)} /(k 3) n /(k ) ] COMk UREC (M(k, k 3)) {M(k, k 3)} /(k 3) ( ) /(k 3) k D k k 3 UREC (5) Note that k k > k for each k > ( and that n ) k > (n/k) k [9, Proposition B] Then from Eqs (4) and (5), it follows that for each k > 4, D k UREC lim COM k UREC (n) n /(k ) D k UREC > lim { (k )(k +)+ n /(k ) +( k k) } COMk UREC (M(k, k 3)) n /(k ) ( ) /(k 3) k ( k k) D k k 3 UREC +(k )(k + ) (6) ( ) /(k 3) k > (k k) D k k 3 UREC ( ) /(k 3) k > k D k k 3 UREC > k k k 3 Dk UREC (7) Since -PIR UREC is exactly the same with PIR CC, we have that COM UREC (n) n/3 +, and thus D UREC Then it follows from Eq (7) that { k i ( i ) } i + D i UREC k (k+)(k ) 3 Hence D k UREC > (k ) k(k ) for each k > 4 43 The Balanced Recursive Scheme In this subsection, we present new k-pir with (much) less communication complexity than k-pir UREC by taking k k/ and k k k/ The way of taking k,k [k] is more balanced than that of k-pir UREC We refer to the balanced recursive scheme as k-pir BREC and use COM k BREC (n) to denote communication complexity of k-pir BREC for each k > In k-pir UREC, we take k k and k, and this causes k-pir UREC to recursively call k -PIR UREC (for k <k) k times On the other hand, k-pir BREC needs to recursively call k -PIR BREC (for k <k) only lg k times because of its balanced way of taking k,k [k] Intuitively, the difference between k-pir UREC and k-pir BREC provides a huge gap between D k UREC and D k BREC Theorem 44: For each k > 4, D k BREC <k 5k Proof: We first note that -PIR BREC is the same with PIR CC and 3-PIR BREC is the same with 3-PIR UREC Then from Lemma 3, it follows that D BREC < and from Eq (6), it follows that D 3 BREC 69 < For each k > 4, let k k/ and k k k/ For each j [k ], U sends Q [l] k to DB j and for

9 ITOH: EFFICIENT PRIVATE INFORMATION RETRIEVAL 9 each j [k ], U sends Q [l] k to DB j Then U and DB(k ) run k -PIR UREC N(k, k ) times to get a h for each h P k(q,t,k ), and U and DB(k ) run k -PIR UREC N(k, k ) times to get a h for each h P k (Q,t,k ) Thus it follows that COM k BREC (n) k(k ) n /(k ) + N(k, k ) COM k BREC (M(k, k )) + N(k, k ) COM k BREC (M(k, k )) (8) From the definition of D k GREC and M(k, δ), we have that COM k lim BREC (M(k, k )) lim n /(k ) [ {M(k, k )} /(k ) n /(k ) COMk BREC (M(k, k ] )) {M(k, k )} /(k ) ( ) /(k ) k k COM k lim BREC (M(k, k )) lim n /(k ) [ {M(k, k )} /(k ) n /(k ) COMk BREC (M(k, k ] )) {M(k, k )} /(k ) ( ) /(k ) k k D k BREC (9) D k BREC (0) Thus from the definition of D k GREC and Eqs (8) to (0), it follows that D k BREC lim COM k BREC (n) n /(k ) k(k ) + N(k, k ) { COM k lim BREC (M(k, k } )) n /(k ) + N(k, k ) { COM k lim k(k ) + N(k, k ) ( k k + N(k, k ) BREC (M(k, k )) n /(k ) ) /(k ) D k BREC } ( ) /(k ) k D k k BREC, () for each k > 4 In the following, we show the theorem by induction on k > 4 Base Stage: Let k 4 and we have that k k From the definition of N(k, δ), it immediate to see that N(4, 3) 64 Thus it follows from Eq () that D 4 BREC 505 < Induction Stage: Let k > 5 and assume that D k BREC < k 5k for each < k < k Note that k < {k (k/)} k < (k )/ Then we have that for each k > 5, N(k, k ) N(k, k ) k i0 k i0 ( ) k < 3 i 4 k () ( ) k < k i (3) We also note that k > k (k )/ and k > {k (k/) (/)} k > (k )/3 for each k > 5 Then we have that for each k > 5, lim lim {M(k, k )} /(k ) ( k k n ) /(k ) /(k ) < k k < 4 (4) {M(k, k )} /(k ) ( k k n /(k ) ) /(k ) < k k < 8 (5) Thus from Eq () and Eqs () to (5), it immediately follows that D k BREC <k(k ) k+ D k BREC + k+ D k BREC From the assumption that D k BREC <k 5k < k <k, it turns out that D k BREC <k(k ) k+ k 5k for each + k+ k 5k { k 5k k 5k k k 5k+ 3k } + k k 5k+ 3k < k 5k, because < k < k <kfor k > 5 Thus we have that D k BREC <k 5k for each k > 4

10 0 IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 Theorem 45: For each k > 4, D k BREC < Dk UREC References Proof: Recall that D UREC D BREC (Lemma 3) From Eqs (6) and (), it is immediate that D 4 BREC 505 < 574 D4 UREC D 5 BREC 7049 < D5 UREC For each k > 6, it follows from Theorems 43 and 44 that D k BREC <k 5k < (k ) k(k ) < D k UREC Thus we have that D k BREC < Dk UREC for each k > 4 5 Concluding Remarks In this paper, we have presented -PIR (PIR BD ) with communication complexity n /3 that is more time-efficient than -PIR (PIR CC []) Then for each k >, we have generally formulated (unbalanced) recursive scheme k-pir (k-pir UREC ) given by Ambainis [] and have presented (balanced) recursive scheme k-pir (k-pir BREC ) with communication complexity O(n /(k ) ) that is more communication-efficient than k-pir UREC Recall that k-pir BREC (and k-pir UREC ) is constructed from PIR CC for each k > Then it seems natural to expect that we could reduce communication complexity of k-pir BREC (and/or k-pir UREC )ifwe would have more communication-efficient -PIR Actually, we can show that if there exists -PIR with communication complexity O(n /(3+e) ) for some integer e >, then for each k >, there exists k-pir with communication complexity O(n /(k +e) ) Then we have () For some ε>0, find -PIR with communication complexity O(n /(3+ε) ) () For some ε>0, find k-pir with communication complexity O(n /(k +ε) ) for each k > 3 (3) Show a (nontrivial) lower bound on communication complexity of -PIR (4) Show a (nontrivial) lower bound on communication complexity of k-pir for each k > 3 Presumably, time complexity of k-pir BREC is much less than that of k-pir UREC, but we have not analyzed them due to their recursive structures Then we finally have (5) Analyze the time complexity of k-pir BREC and k-pir BREC for each k > 3 [] A Ambainis, Upper bound on the communication complexity of private information retrieval, Proc ICALP, Lecture Notes in Computer Science, vol56, pp40 409, 997 [] M Ben-Or, S Goldwasser, J Kilian, and A Wigderson, Multi-prover interactive proofs: How to remove intractability assumptions, Proc 0th ACM Symposium on Theory of Computing, pp3 3, 988 [3] B Chor and N Gilboa, Computationally information retrieval, Proc 9th ACM Symposium on Theory of Computing, pp304 33, 997 [4] B Chor, O Goldreich, E Kushilevitz, and M Sudan, Private information retrieval, Proc 36th IEEE Symposium on Foundations of Computer Science, pp4 50, 995 [5] S Goldwasser and S Micali, Probabilistic encryption, Journal of Computer and System Sciences, vol8, pp70 99, 984 [6] J Håstad, Pseudo-random generators with uniform assumptions, Proc nd ACM Symposium on Theory of Computing, pp , 990 [7] R Impagliazzo, LA Levin, and M Luby, Pseudo-random generation from one-way functions, Proc 30th IEEE Symposium on Foundations of Computer Science, pp 4, 989 [8] E Kushilevitz and R Ostrovsky, Replication is not needed: Single database, computationally-private information retrieval, Proc 38th IEEE Symposium on Foundations of Computer Science, pp , 997 [9] R Motwani and P Raghavan, Randomized Algorithms, Cambridge University Press, 995 [0] FJ MacWilliams and NJA Sloane, The Theory of Error- Correcting Codes, 9th edition, North-Holland, 996 Toshiya Itoh was born in Urawa, Japan, in 959 He received the B Eng, the MS Eng, and the Dr Eng degree in electronic engineering in 98, 984, and 988, respectively from Tokyo Institute of Technology, Tokyo, Japan From 985 to 990, he was an Assistant Professor in the Department of Electrical and Electronic Engineering at Tokyo Institute of Technology, and from 990 to 99, he was a Lecturer in the Department of Information Processing at Tokyo Institute of Technology Since 99, he has been an Associate Professor in the Department of Information Processing at Tokyo Institute of Technology His current interests are modern cryptographies, finite field arithmetics, and complexity theory Dr Itoh is a member of the Information Processing Society of Japan, the International Association for Cryptologic Research, the Association for Computing Machinery, and LA Acknowledgments The author thanks anonymous referees for their several valuable comments, especially for the comments on the analysis for time complexity of -PIR