Private Access to Distributed Information. Eran Mann



Private Access to Distributed Information

Research Thesis

Submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Science

Eran Mann

Submitted to the Senate of the Technion, Israel Institute of Technology

Tamuz 5758, Haifa, July 1998

This research was carried out in the Faculty of Computer Science under the supervision of Prof. Eyal Kushilevitz. I would like to thank Prof. Eyal Kushilevitz for his instructive guidance, and the (formal and informal) members of room 429 for fruitful discussions on relevant subjects. The generous financial help of the Technion is gratefully acknowledged.

Contents

Abstract 1
1 Introduction
  1.1 Related Work
    PIR and Its Generalizations
    Related Problems
  1.2 Our Results
    Impossibility Result
    Single Server cpir Scheme From Generalized Assumptions
  1.3 Organization of the Work 8
2 Definitions of PIR Schemes 9
3 A Gap Between PIR and Non-Private Retrieval
  3.1 The 2-server Case
  The Case of k > 2 Servers 17
4 Single-Server PIR schemes from generalized assumptions
  Examples of Trapdoor Predicates
    Quadratic Residuosity
    A Predicate Based On The Decisional Diffie-Hellman Assumption
  Definitions of Trapdoor Predicates and Homomorphic Trapdoor Predicates
  Any Homomorphic Trapdoor Predicate Implies Single Server Computational PIR
    A Simplified Scheme
    A Recursive Scheme
  Homomorphic Trapdoor Predicates Constructions
    A Trapdoor Predicate Based On the Decisional Diffie-Hellman Assumption
    A Trapdoor Predicate Based on The Hardness of Approximating Lattice Reductions 36
5 Discussion 38

List of Figures

3.1 The queries matrix 15

Abstract

Consider the following setting: a user wishes to retrieve information from a database residing in a remote server (e.g. stock quotes for a specific company) over a network. However, the user is reluctant to expose her interest in that information (e.g. because it would expose her future intentions with respect to that company). The question is whether we could devise a scheme in which the user would receive the desired information without exposing her interests to the database's operator. A trivial solution to the problem would be for the user to receive a complete copy of the database. Unless the database's size is very small, such a solution would have a prohibitively large overhead in communication.

Formally, the Private Information Retrieval (or PIR) problem is stated as follows: the database is modeled by a string $x$ held by some server(s), and the user wants to retrieve the bit $x_i$ for some $i$, without disclosing any information about $i$ to the server. A simple proof shows that if we want information-theoretic privacy (i.e. privacy against servers that are computationally unbounded) and have only a single server, the trivial solution is the best we can hope for. A way to obtain smaller (i.e. sub-linear) communication complexity is to replicate the database in several servers. Denote $|x|$ by $n$. If we do not demand privacy, $\log n + 1$ bits of communication are necessary and sufficient to retrieve a bit. Previous work showed how to achieve communication complexity $O(n^{1/(2k-1)})$ when using $k$ servers (each holding $x$). If one settles for computational privacy (i.e., privacy against computationally-bounded servers), it was shown that the problem could be solved using 2 servers with communication complexity O(n ) for every > 0, assuming one-way functions exist, and using only a single server, under the Quadratic Residuosity Assumption (with the same communication complexity).

We extend these results in two respects: We show that no PIR scheme for 2 servers that achieves information-theoretic privacy could have communication complexity of at most (4 − ) log n. For a larger number of servers we give smaller lower bounds. We generalize the assumptions upon which a single-server computational PIR scheme could be based: we show that such a scheme could be based on any trapdoor predicate that exhibits certain homomorphism properties.

Notations and Abbreviations

PTA: Polynomial time algorithm
PPTA: Probabilistic polynomial time algorithm
$u \in_R U$: $u$ is an element chosen at random with the uniform distribution over $U$.
$\langle u, v \rangle$: Inner product of the vectors $u$ and $v$: $\sum_{i=1}^{n} u_i v_i$ (where addition and multiplication depend on the specific field)
$\binom{2}{1}$-OT: 1 out of 2 oblivious transfer
$\binom{n}{1}$-OT: 1 out of n oblivious transfer
$\|u\|$: The Euclidean norm of the vector $u$: $\sqrt{\sum_{i=1}^{n} u_i^2}$
$\|u\|_\infty$: The infinity norm of the vector $u$: $\max\{|u_i|\}$
$Z_N^*$: The multiplicative group modulo $N$
$QR_N(\cdot)$: The Quadratic Residuosity predicate in $Z_N^*$
$DDH_{p,g,g^a}(\cdot)$: A trapdoor predicate based on the Decisional Diffie-Hellman assumption in $Z_p^*$ with generator $g$ and trapdoor $a$
$AD_u(\cdot)$: The Ajtai-Dwork predicate with trapdoor vector $u$

Chapter 1
Introduction

In today's networked computing environments (Internet, intranets), there are many servers that distribute information to the public (whether it is the general public on the Internet, or the company's employees on an intranet). A lot of effort has been devoted to finding methods that protect the servers from non-legitimate users (e.g. by authentication of the users), as well as to protecting the information from eavesdroppers (by encryption). An issue that was not studied as intensively in the past is the question of protecting the privacy of the user against the server operators. Consider a user who wishes to retrieve some information from a remote database (e.g. stock quotes for a specific company) but is reluctant to expose her interest in that information (e.g. because it would expose her future intentions with respect to that company). The question is whether we could devise a scheme in which the user would receive the desired information without exposing her interests to the database's operators.

Formally, the Private Information Retrieval (or PIR) problem, which was introduced in [CGKS95], is stated as follows: the database is modeled by a string $x$ held by some server(s), and the user wants to retrieve the bit $x_i$ for some $i$, without disclosing any information about $i$ to the server(s). We denote $|x|$ by $n$. [CGKS95] shows that if we want information-theoretic privacy (i.e. privacy against servers that are computationally unbounded) and have only a single server holding the data, the only solution to the PIR problem is the trivial one: to send the whole database (i.e. the string $x$) from the server to the user, resulting in $n$ bits of communication. In realistic settings the size of the database ($n$) is very large, so sending all of the database's contents over the communication channel seems impractical.

Note that if we do not require privacy, $x_i$ could be retrieved using $\log n + 1$ bits of communication: the user simply sends $i$ to the server, and the server sends back $x_i$. A possible way to overcome the above-mentioned impossibility result is by replication of the database, i.e. having $k > 1$ servers, each holding the database $x$. [CGKS95] shows how to achieve communication complexity $O(n^{1/3})$ with 2 servers, and how to use even less communication when using more servers. Later on, in [CG97, OS97] the notion of computational privacy (i.e., privacy

against computationally-bounded servers) is introduced, resulting in Computationally Private Information Retrieval, or cpir, schemes. These works show that if we settle for computational privacy, the problem could be solved using 2 servers with much smaller communication complexity (e.g. O(n ) for every > 0 in [CG97]), based on certain intractability assumptions. In [KO97] it was shown that in the setting of cpir, replication of the data is not necessary. That work shows how to construct a cpir scheme using only a single server, and O(n ) communication (for every > 0), based on the quadratic residuosity assumption.

In this work we show two new results:

We consider the question of lower bounds for information-theoretic PIR. Prior to this work, no lower bound on the communication complexity of PIR schemes was known, other than the trivial $\log n + 1$ lower bound (which applies to any retrieval scheme, with or without privacy). The trivial $\log n + 1$ non-private retrieval scheme implies that any lower bound better than $\log n + 1$ must rely on the privacy requirement. We show that no information-theoretic PIR scheme could have communication complexity which is close (up to a certain constant factor) to the $\log n + 1$ bits necessary and sufficient for non-private retrieval. More precisely, we show a tradeoff between the amount of communication sent from the user to the servers and the amount of communication sent from the servers to the user. This tradeoff implies that no scheme for 2 servers could have communication complexity of (4 − ) log n for any > 0. Similarly, we show that for every $k$ there is a constant $c_k > 1$ such that for any > 0 no scheme for $k$ servers could have communication complexity (c_k − ) log n.

The previously known construction of a single-server cpir scheme was based on the Quadratic Residuosity assumption. We show that a similar scheme could be based on any trapdoor predicate that exhibits certain homomorphism properties.
1.1 Related Work

PIR and Its Generalizations

As mentioned above, the problem of Private Information Retrieval was introduced by Chor, Goldreich, Kushilevitz and Sudan in [CGKS95]. They show that (in the information-theoretic privacy setting) the problem could not be solved with a single server with sub-linear communication complexity, but that with 2 servers it could be solved with communication complexity $O(n^{1/3})$. They also give a scheme for $k$ servers with communication complexity $O(n^{1/k})$ and a scheme for $\frac{1}{3}\log n$ servers with communication complexity $O(\log^2 n \log\log n)$. Ambainis [Amb97] generalized the 2-server scheme to obtain a $k$-server scheme with communication complexity $O(n^{1/(2k-1)})$. [CGKS95] also defines several extensions of the PIR problem:

Private Retrieval of Blocks: The database consists of $n$ blocks of $\ell$ bits each. The user wants to retrieve the $i$-th block of the database. A trivial solution would be to use a PIR scheme $\ell$ times to retrieve a single bit from the block we are interested in. [CGKS95] shows that if we have a PIR scheme (for retrieval of single bits) in which the user sends to the servers queries of (n) bits, and the servers send replies of (n) bits (for a total of k((n) + (n)) bits), then we can construct from it a scheme for retrieval of blocks of size $\ell$ with query complexity (n) bits and reply complexity ℓ(n), resulting in a total of k((n) + ℓ(n)) bits (compared to the ℓ · k((n) + (n)) bits of the trivial solution). For instance, one could have a 2-server PIR scheme for retrieval of blocks of size $\ell$ from a database of $n$ blocks with communication complexity $O(\ell \cdot n^{1/3})$.

t-private Information Retrieval: In this problem we are interested in protecting the privacy of the query not only against each of the servers, but against coalitions of up to $t$ servers. [CGKS95] shows a construction which achieves communication complexity $O(t \cdot n^{1/d})$ with $t \cdot d$ servers. [CGKS95] also shows that if there exists a $t$-private scheme for $t \cdot d$ servers with some communication complexity, then we can construct from it a scheme for $d$ servers with the same communication complexity. This implies that any $t$-private scheme for $t \cdot d$ servers with communication complexity better than $O(n^{1/(2d-1)})$ would enable us to construct PIR schemes that are more efficient than those we already know.

The schemes of [CGKS95] and [Amb97] share some desirable properties: The database is stored in each server in plain form, so the servers can serve PIR users and users who do not require privacy at the same time, and non-private queries will be served with minimal communication costs.
The schemes consist of a single query-reply round, freeing the servers from storing any state information with respect to the queries between rounds of communication. We will call schemes with these properties Plaintext One-round PIR schemes, or, more briefly, POP schemes.

In [CG97, OS97] Chor and Gilboa, and Ostrovsky and Shoup, present the notion of Computationally Private Information Retrieval, i.e. PIR schemes in which the privacy of the user is guaranteed only against computationally-bounded servers. These schemes achieve much better communication complexity than the known perfect-privacy schemes, but of course have to rely on certain intractability assumptions. [CG97] presents a 2-server POP scheme that achieves communication complexity O(n ) for every > 0, based on the assumption that one-way functions exist. [OS97] presents the notion of private information storage, i.e. enabling the users to both write and read any desired bit of the database; however, their schemes are not POP schemes: they have to keep the database in some sort of "encrypted" form (otherwise the server would be able to observe changes made by the user), and they use a logarithmic (in $n$) number of rounds. [OS97] shows private information storage schemes with computational privacy and polylogarithmic communication complexity, based on the

existence of pseudo-random functions. [OS97] also presents a generic reduction from information-theoretic PIR schemes to information-theoretically private storage schemes with polylogarithmic overhead in communication complexity and a logarithmic number of rounds. The schemes of [OS97] are based on the work on Oblivious RAM by Goldreich and Ostrovsky ([Gol87, Ost90, GO96]).

In [KO97] Kushilevitz and Ostrovsky show how to construct a single-server computational PIR scheme based on the Quadratic Residuosity Assumption. This scheme is also a POP scheme, and achieves communication complexity O(n ) for every > 0.

In [GI+98] Gertner, Kushilevitz, Ishai and Malkin present the problem of Symmetric PIR (SPIR), which is a PIR scheme that also maintains data privacy. That is, in such a scheme, for any query the user sends to the servers, any information the user may get follows from a single physical bit of the database. This means that if (for instance) the user "paid" for a single bit of the database, she will not be able to obtain more information than what she paid for, no matter what query she sends. However, if she sends legal queries her privacy will remain intact. The paper presents generic reductions from any PIR scheme to an SPIR scheme, and more efficient reductions (in terms of shared randomness and the number of servers) for the known PIR and cpir schemes. Note that transforming the single-database cpir scheme into an SPIR scheme results in a communication-efficient implementation of (computational) $\binom{n}{1}$-OT (see below).

Related Problems

Instance Hiding: The instance hiding problem is defined as follows: Let $f : \{0,1\}^* \to \{0,1\}$ be some function, and assume we have $k$ oracles for $f$. A computationally-bounded user wishes to compute $f(i)$ for some string $i \in \{0,1\}^*$ using the oracles, without exposing $i$ (or any information about it except $|i|$) to the oracles. This problem was introduced and studied in [AFK89, BF90, BFKR97, BFOS93, RAD78].
Any (information-theoretic) PIR scheme could be used as an instance hiding scheme: the oracles simply use all the values of $f$ on strings of length $|i|$ as the database $x$, where the bit $x_i$ would be $f(i)$. The PIR scheme would enable the user to retrieve $x_i$ while hiding the value of $i$ from the oracles. The main difference between this problem and the PIR problem is that in the instance hiding setting the user is limited to computations that require time polynomial in $|i|$, while in the PIR setting computations which are polynomial in $n$ (and super-polynomial in $|i|$) are allowed. A more subtle difference is that in the instance hiding setting the user knows the function $f$ and could use its structure to improve the scheme's efficiency, while in the PIR setting the user has no a priori knowledge of the database's contents. Though this difference seems to make instance hiding somewhat easier than PIR, no known instance hiding scheme takes advantage of this a priori knowledge.

The low-degree polynomial interpolation PIR scheme from [CGKS95], which yields communication complexity $O(\log^2 n \log\log n)$, could be considered an adaptation of the polynomial interpolation scheme presented in [BF90].

Oblivious Transfer: The problem of 1 out of $n$ Oblivious Transfer, abbreviated $\binom{n}{1}$-OT, was presented in [BCR86, BCS96] (this problem is also known as ANDOS - All or Nothing Disclosure Of Secrets). This problem, which is a natural extension of the well-known 1 out of 2 Oblivious Transfer ($\binom{2}{1}$-OT) problem [Rab81, EGL85], consists of two players: one holding $n$ secrets, and the other wanting to retrieve one of these secrets. In the information-theoretic setting, the SPIR model is actually a distributed version of the $\binom{n}{1}$-OT problem (when used for retrieval of blocks instead of single bits). In the computational setting, the SPIR counterpart of the single-server cpir scheme of [KO97] is actually a communication-efficient implementation of computational $\binom{n}{1}$-OT. Impagliazzo and Rudich [IR89] show that it is "very hard" (almost as hard as separating P from NP) to prove that $\binom{2}{1}$-OT can be implemented based on general one-way permutations (i.e. without a trapdoor) as a black box. This result limits our attempts at generalizing the assumptions on which single-server cpir could be based to assumptions that are stronger than the existence of one-way functions (assuming any such scheme could be turned into an SPIR scheme).

1.2 Our Results

Impossibility Result

So far most of the works concerning perfect-privacy PIR schemes dealt with upper bounds. The only known impossibility results are the proof of [CGKS95] that any single-server scheme has to use linear communication, and another proof of [CGKS95] that any linear summation scheme with single-bit answers also requires linear communication.
The only lower bound we know for PIR schemes, even for the simplest case of single-round, two-server, perfect-privacy schemes, is the $\log n + 1$ lower bound that applies to any retrieval scheme (private or non-private). In Chapter 3 we give the first proof that there is a difference between the communication complexity of non-private retrieval schemes and the communication complexity that could be achieved in single-round information-theoretic PIR schemes. More particularly, we show a tradeoff between the amount of communication sent from the user to the servers and the amount of communication sent from the servers to the user. Let $C$ be the communication complexity of the scheme, and let min be the minimum among all servers of the size of the queries sent from the user to that server (or, alternatively, the number of random bits used by the user). We show that $C \cdot \sqrt{2^{\,\mathrm{min}}} = (n)$.

Using this tradeoff we show that no single-round PIR scheme for 2 servers can use only (4 − ) log n bits of communication (for any > 0), compared with the $\log n + 1$ bits necessary and sufficient for non-private retrieval. This tradeoff also implies that if the user sends to the servers only (4 − ) log n bits, the servers would have to send (n 0 ) bits. Our proof could be modified to show that for every $k$ there is a constant $c_k > 1$ such that no scheme for $k$ servers uses only (c_k − ) log n bits of communication (for any > 0).

Single Server cpir Scheme From Generalized Assumptions

As mentioned above, in [KO97] Kushilevitz and Ostrovsky present a single-server cpir scheme based on the Quadratic Residuosity Assumption, and raise the question of whether a cpir scheme could be based on more general assumptions. In Chapter 4 we show that a construction similar to the one in [KO97] could be based on any trapdoor predicate that exhibits certain, relatively weak, homomorphism properties. We go on to present a few examples of such predicates based on different assumptions. We note that any homomorphic public-key encryption function (such as the functions used for "blinding" encryption [Cha83]) that also exhibits message indistinguishability (or, equivalently, semantic security) could be "downgraded" to a trapdoor predicate that is homomorphic in our definitions, and thus could be used to construct a single-database cpir scheme. Changing the basis of the construction from the Quadratic Residuosity predicate to another predicate does not prevent the scheme from being used as the core of more complicated constructions, such as the SPIR scheme presented in [GI+98] and the commodity-based PIR presented in [DIO98].

1.3 Organization of the Work

This work is organized as follows: In Chapter 2 we formally define PIR schemes. In Chapter 3 we show our impossibility result. In Chapter 4 we show how to construct a single-server cpir scheme from any homomorphic trapdoor predicate.
Chapter 5 contains some concluding remarks and open problems.

Chapter 2
Definitions of PIR Schemes

In this chapter we give a few definitions of PIR schemes. Generally speaking, a PIR scheme has to meet two main requirements:

Correctness: In every invocation of the scheme the user retrieves the bit she is interested in.

Privacy: In every invocation of the scheme the server does not gain any information about the index of the bit that the user retrieves.

The privacy condition could be defined in two ways:

Information Theoretic Privacy: The distribution of the queries the user sends to any server is independent of the index the user tries to retrieve. This condition implies that the server cannot gain any information about the user's interest regardless of the server's computational power. This kind of privacy is usually called perfect privacy.

Computational Privacy: The distribution of the queries the user sends to the server when she tries to retrieve $x_i$ and the distribution of the queries she sends when she tries to retrieve $x_{i'}$ are computationally indistinguishable. This means that the server cannot gain any information about the user's interests provided that the server is computationally bounded (e.g. a polynomial-size circuit).

Remarks:

1. In all the definitions in this section we are concerned only with single-round schemes, i.e. schemes in which the communication consists only of queries from the user to the servers, and a reply from each server to the query it received. Note that this property of a scheme already assures that the privacy of the user does not depend on the behavior of the servers.

2. There are two natural variations on the definition of PIR that we will not define here. One is the possibility of weakening the correctness demand

to enable some small probability of error. The other is the possibility of ensuring only statistical privacy to the user (as in statistical zero-knowledge proofs, for example), which is a stronger demand than computational privacy, but weaker than perfect privacy. To the best of our knowledge, no work has taken advantage of these variations in the context of PIR.

Definition 1: (Information Theoretic) PIR Scheme

Let $P$ be some polynomial. A $k$-server (information theoretic) PIR scheme is a triplet of algorithms:

$A_1$ - the query algorithm - is a polynomial-time algorithm (run by the user) that, given $(1^n, i, r)$, where $i \in \{1, \dots, n\}$ and $r \in_R \{0,1\}^{P(n)}$ is a random string, outputs a $k$-tuple of queries $(q_1, \dots, q_k)$ (where $q_j$ is intended for server $j$).

$A_2$ - the reply algorithm - is a polynomial-time algorithm (run by the servers) that, given $(x, q_j)$, where $x \in \{0,1\}^n$ and $q_j$ is a query sent by the user, outputs a reply $R_j$.¹

$A_3$ - the reconstruction algorithm - is a polynomial-time algorithm (run by the user) that, given $(1^n, i, r, R_1, \dots, R_k)$, outputs a bit $b$ (which is supposedly $x_i$),

meeting the following two conditions:

Correctness: Let $A_1^j(1^n, i, r)$ be the $j$-th element of $A_1(1^n, i, r)$. For every $n$, for every $x \in \{0,1\}^n$, $i \in \{1, \dots, n\}$ and $r \in \{0,1\}^{P(n)}$:

$A_3\big(1^n, i, r, A_2(x, A_1^1(1^n, i, r)), \dots, A_2(x, A_1^k(1^n, i, r))\big) = x_i.$

Privacy: Let $D_i^j$ be the distribution of the queries from the user to server $j$ when the user is interested in the $i$-th bit of the database (that is, $D_i^j$ is the distribution of $A_1^j(1^n, i, r)$ where $r \in_R \{0,1\}^{P(n)}$). For every $i, i' \in \{1, \dots, n\}$ it holds that $D_i^j = D_{i'}^j$.

Definition 2: Computational PIR Scheme

Let $P$ be some polynomial.
A $k$-server computational PIR scheme is a triplet of algorithms $A_1, A_2, A_3$ as in the definition of information theoretic PIR schemes, meeting the same correctness condition and the following privacy condition: For every family of polynomial-size circuits $\{C_n\}$ and for every polynomial $Q$, there exists $n_0$ such that for every $n > n_0$ and for every $i_1, i_2 \in \{1, \dots, n\}$:

$\big|\Pr[C_n(A_1(1^n, i_1, r_1)) = 1] - \Pr[C_n(A_1(1^n, i_2, r_2)) = 1]\big| < \frac{1}{Q(n)}$

¹ We could assume that every server has a different algorithm; however, we can easily observe that assuming all the servers have the same algorithm would only cost us an additive factor of $\log k$ bits of communication to each server.

where $r_1, r_2 \in_R \{0,1\}^{P(n)}$ and the probability is taken over the choice of $r_1, r_2$ and the internal coin-tosses of $C_n$.²

Remark: In the definition of cpir schemes we used a somewhat simplified definition of security that is concerned only with security against polynomial adversaries. Adapting the definitions to account for any security assumption (e.g. assuming some one-way function cannot be inverted even by circuits of size $O(2^{\log^c n})$ for some $c > 1$) requires a slightly more complicated definition (see for instance [DIO98]); however, our results would still hold in the latter case.

Definition 3: The Communication Complexity of a PIR Scheme

Intuitively, the communication complexity of a scheme is the maximum (over all possible invocations) of the sum of the lengths of the queries and the lengths of the replies. Formally, let $S = (A_1, A_2, A_3)$ be a (computational or information theoretic) PIR scheme for $k$ servers, as defined above. The communication complexity of the scheme, $C_S(n)$, is defined as:

$C_S(n) = \max_{x \in \{0,1\}^n,\; i \in \{1, \dots, n\},\; r \in \{0,1\}^{P(n)}} \left( |A_1(1^n, i, r)| + \sum_{j=1}^{k} \left| A_2\big(x, A_1^j(1^n, i, r)\big) \right| \right).$

² In this definition and the following ones we use non-uniform adversaries. Similar results could be obtained if we consider uniform adversaries instead.
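To make Definitions 1 and 3 concrete, the following is an added example (not from the thesis): the simplest 2-server information-theoretic scheme, the well-known linear-summation scheme with $n$-bit queries and 1-bit replies, written as the triplet $(A_1, A_2, A_3)$ and checked exhaustively for small $n$ against the correctness condition, the perfect-privacy condition $D_i^j = D_{i'}^j$, and the communication complexity $C_S(n)$, next to the $\log n + 1$ bits of the non-private scheme. The choices of 0-based indices and $P(n) = n$ are this example's, not the thesis's.

```python
"""Added example (not from the thesis): the simplest 2-server information-theoretic
PIR scheme, written as the triplet (A1, A2, A3) of Definition 1, with exhaustive
checks of its correctness and perfect-privacy conditions and of its communication
complexity C_S(n) as in Definition 3.

The scheme is the classic "linear summation" scheme (the kind Chapter 1.2 notes
needs linear communication): the user picks a uniformly random subset S of the
indices, encoded as the random string r in {0,1}^n, sends S to server 1 and
S xor {i} to server 2; each server answers the XOR of the database bits selected
by its query (one bit); the user XORs the two answers to recover x_i.
Indices are 0-based here and the random string length P(n) is n (both are this
example's choices).
"""
from collections import Counter
from itertools import product
from math import ceil, log2
from typing import List, Tuple

Bits = Tuple[int, ...]
K = 2  # number of servers


def a1_query(n: int, i: int, r: Bits) -> Tuple[Bits, Bits]:
    """A1: on (1^n, i, r) output (q1, q2): q1 = r, q2 = r with bit i flipped."""
    assert len(r) == n and 0 <= i < n
    q1 = tuple(r)
    q2 = tuple(b ^ (1 if j == i else 0) for j, b in enumerate(r))
    return q1, q2


def a2_reply(x: Bits, q: Bits) -> int:
    """A2: the server returns the XOR (sum mod 2) of the bits of x selected by q."""
    acc = 0
    for xb, qb in zip(x, q):
        acc ^= xb & qb
    return acc


def a3_reconstruct(n: int, i: int, r: Bits, replies: List[int]) -> int:
    """A3: XOR the two replies; every bit of S appears in both sums and cancels,
    leaving exactly x_i.  (n, i, r are accepted to match Definition 1's interface.)"""
    return replies[0] ^ replies[1]


def run_pir(x: Bits, i: int, r: Bits) -> int:
    """One single-round invocation of the scheme on database x, index i, randomness r."""
    n = len(x)
    queries = a1_query(n, i, r)
    replies = [a2_reply(x, q) for q in queries]
    return a3_reconstruct(n, i, r, replies)


def check_correctness(n: int) -> bool:
    """Definition 1, correctness: A3(...) == x_i for every x, i and r (exhaustive)."""
    for x in product((0, 1), repeat=n):
        for i in range(n):
            for r in product((0, 1), repeat=n):
                if run_pir(x, i, r) != x[i]:
                    return False
    return True


def query_distribution(n: int, i: int, j: int) -> Counter:
    """D_i^j: the distribution of server j's query when r is uniform over {0,1}^n."""
    return Counter(a1_query(n, i, r)[j] for r in product((0, 1), repeat=n))


def check_perfect_privacy(n: int) -> bool:
    """Definition 1, privacy: D_i^j == D_{i'}^j for every server j and every i, i'."""
    for j in range(K):
        reference = query_distribution(n, 0, j)
        if any(query_distribution(n, i, j) != reference for i in range(1, n)):
            return False
    return True


def communication_complexity(n: int) -> int:
    """Definition 3: the maximum over all invocations of the total query length plus
    the total reply length.  Here every invocation costs 2n + 2 bits."""
    worst = 0
    for i in range(n):
        for r in product((0, 1), repeat=n):
            queries = a1_query(n, i, r)
            total = sum(len(q) for q in queries) + len(queries)  # one reply bit per server
            worst = max(worst, total)
    return worst


def non_private_complexity(n: int) -> int:
    """The trivial non-private scheme: send i (log n bits), receive x_i (1 bit)."""
    return ceil(log2(n)) + 1


if __name__ == "__main__":
    for n in (4, 8):
        print(f"n={n}: correct={check_correctness(n)}, private={check_perfect_privacy(n)}, "
              f"C_S(n)={communication_complexity(n)}, non-private={non_private_complexity(n)}")
```

The privacy check passes because each server sees a uniformly random $n$-bit string whatever $i$ is; the cost is that $C_S(n) = 2n + 2$ exceeds even the trivial $n$-bit single-server solution, which is why the sub-linear schemes cited above need a different structure.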

Chapter 3
A Gap Between PIR and Non-Private Retrieval

In this chapter we show that no PIR scheme can have a communication complexity which is close (up to a certain constant factor) to the communication complexity of non-private retrieval. The non-private retrieval problem has a trivial solution: the user sends the index $i$ of the bit she is interested in to the server, and the server sends the desired bit $x_i$ in return. The communication complexity of this scheme is $\log n + 1$ bits (and it is easy to show that $\log n$ bits are necessary). We show that any PIR scheme for two servers has communication complexity larger than (4 − ) log n for any > 0. We prove this by showing a tradeoff between the communication sent from the user to the servers and the communication sent from the servers to the user. More precisely, we show that if the user sends to the servers only (4 − ) log n bits, then the servers would have to send (n 0 ) bits to the user, for some constant 0 (depending only on ). The proof is stated in terms of single-round PIR schemes (as defined in Chapter 2); however, similar results may be obtained in the interactive case. See the remarks in this respect at the end of the chapter.

To prove our claim, we need the following lemma about the communication complexity of restricted retrieval schemes, in which only the servers send information to the user.

Lemma 1: Every retrieval scheme with error probability 0 < 1, in which only the servers send information to the user, and the user is deterministic, has ((1 − ) n) communication complexity.

Proof: First, note that any such restricted scheme could be performed by a single server. The intuition behind the proof is that if there is only a probability that the user would make an error, then there has to be a single message the server may send to the user that contains information about a 1 − fraction of the database (for any content of the database). This message has to contain a number of bits which is linear in (1 − ) n.
Next we formalize this intuition.

Denote by $R$ the set of all possible values of the random string used by the server, and denote by $B(x, r)$ the string the server would send to the user when the random string it got is $r \in R$ and the content of the database is $x \in \{0,1\}^n$. Let $p_{x,i,r}$ be a random variable that is equal to 1 if the user would calculate $x_i$ correctly given $B(x, r)$ (assuming she is interested in the $i$-th bit of the database), and 0 otherwise. Assume that the random input of the server is distributed uniformly in $R$ (if in the original scheme the server uses a non-uniform distribution of random inputs, then it could instead use a certain polynomial amount of random bits to approximate the desired distribution [DA76]). Assume that the probability of an error in our scheme is , then:

$\forall x \in \{0,1\}^n\ \forall i \in \{1, \dots, n\}:\ \sum_{r \in R} p_{x,i,r} \ge (1 - \ )\,|R|$

$\Rightarrow\ \forall x \in \{0,1\}^n:\ \sum_{i \in \{1, \dots, n\}} \sum_{r \in R} p_{x,i,r} \ge (1 - \ )\, n\, |R|$

$\Rightarrow\ \forall x \in \{0,1\}^n:\ \sum_{r \in R} \sum_{i \in \{1, \dots, n\}} p_{x,i,r} \ge (1 - \ )\, n\, |R|$

$\Rightarrow\ \forall x \in \{0,1\}^n\ \exists r_x \in R \text{ s.t. } \sum_{i \in \{1, \dots, n\}} p_{x,i,r_x} \ge (1 - \ )\, n$

So for every content $x$ of the database there is a random input $r_x$ for the server such that $B(x, r_x)$ would enable the user to calculate correctly the value of (1 − ) n bits of the database, and therefore $B(x, r_x)$ must contain at least (1 − ) n bits.

3.1 The 2-server Case

Now we will make a reduction from any 2-server PIR scheme to a restricted scheme that meets the conditions of Lemma 1. This reduction will imply the tradeoff we are looking for. Generally speaking, in the restricted scheme that we construct, the server randomly draws some $t$ queries that the user may send to each server in the PIR scheme (where $t$ is large enough), and sends these queries and the corresponding replies (of the servers in the PIR scheme) to the user. The user looks for a pair of queries that could have been sent by her in a normal invocation of the original PIR scheme on input $i$. If such a pair exists she could calculate $x_i$ from it; otherwise, she assumes $x_i = 0$.
We need to have a large enough $t$ such that the probability that the user will not find a good query is bounded by a constant. We use a "Birthday Paradox"-like argument to show that a $t$ which is roughly the square root of the possible number of queries would be enough to get a constant error probability.

An obstacle in this approach is that if we use it naively, we would only get a bound for the possible number of queries for each server. Since the user may send radically different numbers of bits to each server in a specific invocation of the scheme, the fact that there have to be some $t^2$ different queries to each server does not imply that the user has to send to the servers $2 \log(t^2)$ bits in some invocation; in principle, it is possible that whenever the user sends $\log(t^2)$ bits to one server, she sends a much shorter query to the other server. To overcome this obstacle we need to prove a tradeoff of the form "if in every invocation the user sends to some server a small amount of bits, then

19 the servers would have to send a large amount of bits to the user". To this end we present the following denitions. Given a single-round PIR scheme S for 2 servers, we dene the following notations: D j - The distribution of messages from the user to server j (note that by the denition of privacy, this distribution is independent of the index i the user is interested in). j - The maximal number of bits that the user may send to server j in any invocation of the scheme. j - The maximal number of bits that server j may send to the user in any invocation of the scheme. = = Given a pair of queries q 1 ; q 2 for servers 1 and 2 respectively, we say that (q 1 ; q 2 ) is a good pair given i, if there is a random input for the user that would cause her to send q j to server j when she wants to retrieve x i. We will abbreviate the statement that (q 1 ; q 2 ) is a good pair given i by (q 1 ; q 2 ) 2 good i. For each query q 2 for server 2 let good i (q 2 ) = fq 1 j(q 1 ; q 2 ) 2 good i g. Order all the possible queries for the two servers in lexicographic order. Let (q) be the index of the query q in that order. Note that jqj log (q). Let max = max f (q)g. Dene i 0 = max (q1;q2)2good min( (q 1 ); (q 2 )). i Intuitively, if we consider the max max zero-one matrix whose columns and rows are indexed by the ordered set of queries, and the (q 1 ; q 2 ) th entry of it contains 1 i (q 1 ; q 2 ) 2 good i, then each q such that i 0 = (q) denes an ( max? (q)) ( max? (q)) sub-matrix, that contains only zeros (see gure). Dene 0 = max i2f1;:::;ng i 0. t = p 2 0 Lemma 2: For every single-round PIR scheme for 2 servers it holds that: ( + ) t = (n) 1 Note that the amount of communication that the user sends to the servers in the scheme is not necessarily, because it is possible (for instance) that when the user sends the longest query (of length 1) to server 1, she sends a very short query to server 2 (i.e. of length much shorter than 2). 
Note however the dierence is bounded by a factor of 2 (the number of servers). 14

[Figure 3.1: The queries matrix. The $\sigma_{\max} \times \sigma_{\max}$ zero-one matrix is indexed by the ordered queries; the entries of $good_i$ lie within the first $\sigma_0^i$ rows or columns, and the bottom-right $(\sigma_{\max} - \sigma_0^i) \times (\sigma_{\max} - \sigma_0^i)$ block is an empty sub-matrix.]

Proof: Given a PIR scheme $S$ for 2 servers, we construct from $S$ a new scheme with constant error probability, in which only the server sends information to the user, and the user is deterministic. The communication complexity of the new scheme will be $(\alpha + \beta) \cdot t$. From Lemma 1 this expression has to be $\Omega(n)$, as needed.

The Scheme:

1. The server draws at random $b \in_R \{1, 2\}$.

2. The server draws $t$ queries independently according to $D_b$: $q^b_1, \ldots, q^b_t$, and sends them to the user.

3. The server selects the $t$ queries with the highest probability according to $D_{3-b}$ (the distribution of the other server): $q^{3-b}_1, \ldots, q^{3-b}_t$, such that $\sigma(q^{3-b}_m) \le \sigma_0$ for every $1 \le m \le t$.

4. The server computes the values of the $t$ corresponding replies $r^j_1, \ldots, r^j_t$ for each sequence of $t$ queries, and sends them to the user.

5. The user checks if there exist $\ell$ and $m$ such that $(q^1_\ell, q^2_m)$ is a good pair given $i$. If so she calculates from $(q^1_\ell, r^1_\ell)$ and $(q^2_m, r^2_m)$ (and the random string that would cause her to send this pair of queries) the value of $x_i$.

6. If there are no such $\ell, m$, the user assumes $x_i = 0$.

Communication Complexity: The server sends to the user $t$ (query, reply) pairs for each server $j$, each of which contains at most $(\alpha_j + \beta_j)$ bits. Therefore the communication from the server to the user is $(\alpha + \beta) \cdot t$.

Correctness: From the description of the protocol it is clear that the errors the user may make are only one-sided, i.e. she may assume that $x_i = 0$ when actually $x_i = 1$, but not the opposite. We will show that the probability that the user would err is bounded by a constant.

The probability that the user would err is bounded by the probability that none of the pairs $(q^1_\ell, q^2_m)$ is good given $i$. From the definition of $\sigma_0$, for every pair of queries $(q_1, q_2)$ in $good_i$ it holds that either $\sigma(q_1) \le \sigma_0$ or $\sigma(q_2) \le \sigma_0$. So:
$$good_i \subseteq \{(q_1, q_2) \mid \sigma(q_1) \le \sigma_0\} \cup \{(q_1, q_2) \mid \sigma(q_2) \le \sigma_0\}.$$
So either with probability at least $1/2$, when the user tries to retrieve $x_i$, she sends pairs of queries from the set $\{(q_1, q_2) \mid \sigma(q_1) \le \sigma_0\}$, or with probability at least $1/2$ she sends pairs from the set $\{(q_1, q_2) \mid \sigma(q_2) \le \sigma_0\}$. Assume wlog that with probability at least $1/2$ the user sends queries from $\{(q_1, q_2) \mid \sigma(q_2) \le \sigma_0\}$. With probability $1/2$ the server in the restricted scheme draws $b = 1$ in the first step. In this case all the possible pairs of queries it draws come from the set $\{(q_1, q_2) \mid \sigma(q_2) \le \sigma_0\}$. We will assume that this is the case in the rest of the analysis.

In step 3, the server selects the $t$ most probable queries according to $D_2$ that satisfy $\sigma(q^2_m) \le \sigma_0$. We know that with probability at least $1/2$ the user sends to server 2 a query that satisfies this condition in a normal invocation of $S$. Because $q^2_1, \ldots, q^2_t$ are the most probable queries that satisfy this condition, the probability that the user sends one of $q^2_1, \ldots, q^2_t$ in a normal invocation of $S$ is at least
$$\frac{1}{2} \cdot \frac{t}{\sigma_0} = \frac{1}{\sqrt{2}\,\sqrt{\sigma_0}} = \frac{1}{\sqrt{2\sigma_0}} = \frac{1}{t}.$$
In other words, $\Pr_{D_2}[q^2_1, \ldots, q^2_t] \ge 1/t$.

In any invocation of $S$, when the user wants to retrieve $x_i$, the pair of queries she sends is from $good_i$; therefore for every query $q_2$, the probability that the user sends a query from $good_i(q_2)$ to server 1 is at least the probability that the user sends $q_2$ to server 2. Since the probability that the user sends some query to server 1 has to be independent of $i$ (from the privacy condition), we conclude:
$$\Pr_{D_1}\left[\bigcup_{m=1}^{t} good_i(q^2_m)\right] \ge \frac{1}{t}.$$
So the probability of any of the $t$ choices of the server in step 2 to form a good pair given $i$ with one of $\{q^2_1, \ldots, q^2_t\}$ is at least $1/t$, and since all the choices in this step are independent, the probability that none of them is successful is bounded by $(1 - 1/t)^t \le 1/e$.

Recall that we made our analysis under the assumption that the server made the "right choice" of $b$ in the first step, and this event happens with probability $1/2$; therefore the success probability of the scheme is at least
$$\frac{1}{2} \cdot \left(1 - \frac{1}{e}\right).$$
We have shown that the restricted scheme has a constant success probability and therefore conclude that its communication complexity has to be $\Omega(n)$.

Corollary 3: In every single-round PIR scheme for 2 servers, if the user sends only $(4 - \varepsilon)\log n$ bits to the servers, then the servers send at least $\Omega(n^{\varepsilon/4})$ bits to the user.

Proof: Assume that for some PIR scheme the user sends only $(4 - \varepsilon)\log n$ bits to the servers (in any invocation). From the definition of $\sigma_0$, there is an invocation of the scheme in which the user sends a pair of queries $(q_1, q_2)$ where either $\sigma(q_1) = \sigma_0$ and $\sigma(q_2) \ge \sigma_0$, or $\sigma(q_2) = \sigma_0$ and $\sigma(q_1) \ge \sigma_0$. Recall that for every query $q$ it holds that $|q| \ge \log \sigma(q)$; therefore the user sends to the servers at least $2 \log \sigma_0$ bits, and because we assume the user sends to the servers only $(4 - \varepsilon)\log n$ bits, we get:
$$\log \sigma_0 \le \frac{(4 - \varepsilon)\log n}{2} = \left(2 - \frac{\varepsilon}{2}\right)\log n.$$
From Lemma 2 it holds that
$$(\alpha + \beta)\sqrt{2\sigma_0} = \Omega(n).$$
Therefore
$$\beta = \Omega\!\left(\frac{n}{\sqrt{2\sigma_0}}\right) - \alpha = \Omega\!\left(\frac{n}{\sqrt{2} \cdot 2^{(1 - \varepsilon/4)\log n}}\right) - \alpha.$$
But
$$2^{(1 - \varepsilon/4)\log n} = n^{1 - \varepsilon/4},$$
and since the user sends only $(4 - \varepsilon)\log n$ bits to the servers,
$$\alpha \le (8 - 2\varepsilon)\log n = O(\log n).$$
Therefore:
$$\beta = \Omega(n^{\varepsilon/4}) - O(\log n) = \Omega(n^{\varepsilon/4}).$$

Corollary 4: For every $\varepsilon > 0$ there is no single-round PIR scheme for 2 servers with communication complexity bounded by $(4 - \varepsilon)\log n$.

Proof: Assume towards a contradiction that such a scheme exists; then $\alpha \le (4 - \varepsilon)\log n$. From Corollary 3, $\beta = \Omega(n^{\varepsilon/4})$, in contradiction to the assumption that the communication complexity of the scheme is bounded by $(4 - \varepsilon)\log n$.

3.2 The Case of $k > 2$ Servers

We want to prove a tradeoff similar to the one in Lemma 2 for $k > 2$ servers. We will proceed in a similar manner to the previous section, and reduce any $k$-server scheme to a restricted scheme that meets the conditions of Lemma 1. However, we will have to be a little more careful in our probability analysis, and the reduction will incur a larger communication overhead.

For simplicity, assume that the user sends the same amount of communication to each server, and that all the queries that the user may send to some server are equally probable. These two assumptions will simplify our analysis considerably. Of these two assumptions, the assumption that all queries are equally probable is only technical: avoiding it would only make the proof a little more complex (see Footnote 2 below). The assumption that all servers receive the same amount of communication not only simplifies the proof but actually adds a factor of $k$ to the lower bound we get (using this assumption we can prove a claim of the form "each server receives at least a certain number of bits" instead of "there is some server that receives at least that many bits"). Note that all known "natural" schemes meet these assumptions (although one can construct schemes that violate them).

Like in the previous section, we denote by $\alpha$ the total amount of communication from the user to the servers, and by $\beta$ the total amount of communication from the servers to the user. We denote by $D_j$ the distribution of queries sent by the user to server $j$. Let $\ell = 2^{\alpha/k}$. Note that $\ell$ bounds the number of possible queries each server may get. Let $t = \ell^{(k-1)/k}$. We will prove the following tradeoff:

Lemma 5: For every $k$-server PIR scheme as above it holds that
$$(\alpha + \beta) \cdot t = \Omega(n).$$

Proof: Given a $k$-server PIR scheme $S$ as above, we construct from $S$ a new scheme with constant error probability, in which only the servers send information to the user, and the user is deterministic. The communication complexity of the new scheme will be $(\alpha + \beta) \cdot t$. By Lemma 1 this expression has to be $\Omega(n)$, as needed.

The Scheme:

Server $j$ draws $t$ queries according to $D_j$: $q^j_1, \ldots, q^j_t$. Server 1 makes sure all the queries it chose are different.

Server $j$ computes the values of the $t$ corresponding replies $r^j_1, \ldots, r^j_t$, and sends them to the user.

The user checks if there exists a $k$-tuple of queries drawn by the servers that may be sent by her to the servers when she is interested in the $i$-th bit of the database. If such a tuple exists she uses it and the corresponding replies to compute the value of $x_i$.

If no such $k$-tuple exists, the user outputs $x_i = 0$.

Communication Complexity: Each server $j$ sends to the user $t$ (query, reply) pairs, each of which contains at most $(\alpha_j + \beta_j)$ bits. So the total communication from the servers to the user is $(\alpha + \beta) \cdot t$.

Correctness: Again we need to prove that with constant probability a good tuple exists. We prove that by showing, by induction on $j$ (where $1 \le j \le k$), that with some constant probability $c_j$ there are $\ell^{(k-j)/k} / 8^{j-1}$ different $j$-tuples among the choices of the first $j$ servers which are "good given $i$" (i.e. the user may send any of these $j$-tuples to those $j$ servers in a normal invocation of $S$ when she wants to retrieve $x_i$).

Induction basis: For $j = 1$ there is probability 1 that the choices of server 1 are $t = \ell^{(k-1)/k}$ legitimate queries.

Induction step: Assume that with probability $c_j$ there are $\ell^{(k-j)/k} / 8^{j-1}$ different good (given $i$) $j$-tuples. We will now bound the probability that there are "enough" (as required in the claim) good $(j+1)$-tuples, given that there are "enough" good $j$-tuples. For each good $j$-tuple the probability that a random query chosen by server $j+1$ could be added to that tuple to make a good $(j+1)$-tuple is at least $\ell^{-1}$ (because there are $\ell$ possible queries for server $j+1$ and at least one of them is good for that $j$-tuple). So the probability of a randomly chosen query to form a good tuple with one of the $j$-tuples is at least
$$\frac{\ell^{(k-j)/k}}{8^{j-1}} \cdot \ell^{-1} = \frac{\ell^{-j/k}}{8^{j-1}}.$$
Server $j+1$ makes $\ell^{(k-1)/k}$ such choices, so the expected number of queries chosen by server $j+1$ which form good $(j+1)$-tuples is
$$\ell^{(k-1)/k} \cdot \frac{\ell^{-j/k}}{8^{j-1}} = \frac{\ell^{(k-j-1)/k}}{8^{j-1}}.$$
By the Chernoff bound, if we make $t$ independent choices and the success probability of each of them is $p$, then the probability that we would make less than $tp/2$ good choices is bounded by $2e^{-tp/(8(1-p))}$. Since in our case $(1-p)$ is very close to 1, the above is very close to
$$2e^{-tp/8} = 2e^{-\ell^{(k-j-1)/k} / 8^{j}},$$
which is $o(1)$ [2].

We found that, given that there are $\ell^{(k-j)/k} / 8^{j-1}$ different good $j$-tuples, we will have with high probability $\ell^{(k-j-1)/k} / (2 \cdot 8^{j-1})$ queries chosen by server $j+1$ that form good $(j+1)$-tuples. This still does not guarantee that the good $(j+1)$-tuples we got are indeed different, as needed. Let $m \ge \ell^{(k-j-1)/k} / (2 \cdot 8^{j-1})$ be the number of "good" queries (i.e. choices of server $j+1$ that form good $(j+1)$-tuples). We want to show that with high probability the $m$ good choices made by server $j+1$ contain at least $m/4$ different queries (and therefore correspond to at least $m/4$ different good $(j+1)$-tuples). Let $q_1, \ldots, q_m$ be the $m$ good queries. Let $z_1, \ldots, z_m$ be random variables such that:
$$z_j = \begin{cases} 1 & \text{if } \exists j' < j \text{ s.t. } q_j = q_{j'} \\ 0 & \text{otherwise} \end{cases}$$
Clearly the number of different "good" queries is $m - \sum_{j=1}^{m} z_j$. From the definition, $\Pr\{z_j = 1\} \le j / m_0$. Therefore
$$E\left[\sum_{j=1}^{m} z_j\right] \le \frac{m(m+1)}{2 m_0} \le \frac{m+1}{2}.$$
By Markov's inequality:
$$\Pr\left\{m - \sum_{j=1}^{m} z_j < \frac{m}{4}\right\} \le \Pr\left\{\sum_{j=1}^{m} z_j \ge \frac{3(m+1)}{4}\right\} \le \frac{(m+1)/2}{3(m+1)/4} = \frac{2}{3}.$$

[2] If we avoid the assumption that all queries are equally probable, then the claim we prove by induction cannot be about the number of good $j$-tuples, and should be about the "probabilistic weight" of the good tuples, i.e. the probability of observing any of them in an invocation of the original scheme. To prove that the probabilistic weight remains large enough after each step, we would have to use Hoeffding's inequality instead of the Chernoff bound.

So the probability that there are $\ell^{(k-j-1)/k} / 8^{j}$ different good $(j+1)$-tuples, given that there are $\ell^{(k-j)/k} / 8^{j-1}$ different good $j$-tuples, is very close to $1/3$, and therefore we have proven our claim. We conclude that there is a constant probability that there are $\ell^{1/k} / 8^{k-1}$ good $k$-tuples among the queries, and therefore our scheme would succeed with at least that probability.

Corollary 6: In every single-round $k$-server PIR scheme in which the user sends an equal number of bits to every server, if the user sends only $\left(\frac{k^2}{k-1} - \varepsilon\right)\log n$ bits to the servers, then the servers send at least $\Omega\left(n^{\varepsilon(k-1)/k^2}\right)$ bits to the user.

Proof: Assume that for some PIR scheme $\alpha \le \left(\frac{k^2}{k-1} - \varepsilon\right)\log n$. Then from Lemma 5 it holds that:
$$(\alpha + \beta) \cdot 2^{\alpha(k-1)/k^2} = \Omega(n).$$
Therefore, since $\alpha(k-1)/k^2 \le \left(1 - \varepsilon(k-1)/k^2\right)\log n$,
$$\beta = \Omega\!\left(\frac{n}{2^{(1 - \varepsilon(k-1)/k^2)\log n}}\right) - \alpha.$$
But
$$2^{(1 - \varepsilon(k-1)/k^2)\log n} = n^{1 - \varepsilon(k-1)/k^2},$$
and therefore:
$$\beta = \Omega\left(n^{\varepsilon(k-1)/k^2} - \log n\right) = \Omega\left(n^{\varepsilon(k-1)/k^2}\right).$$

Corollary 7: For every $\varepsilon > 0$ there is no single-round PIR scheme for $k$ servers, in which every server receives the same amount of communication, with communication complexity bounded by $\left(\frac{k^2}{k-1} - \varepsilon\right)\log n$.

Proof: Assume towards a contradiction that such a scheme exists; then $\alpha \le \left(\frac{k^2}{k-1} - \varepsilon\right)\log n$. From Corollary 6, $\beta = \Omega\left(n^{\varepsilon(k-1)/k^2}\right)$, in contradiction to the assumption that the communication complexity of the scheme is bounded by $\left(\frac{k^2}{k-1} - \varepsilon\right)\log n$.

Remark: As mentioned earlier, the impossibility results in this chapter hold also in the interactive case (i.e., for schemes with more than one round of communication). To obtain these results, we need to quantify each statement by the contents of the database ($x$), since the queries the user sends depend on the replies she received from the servers in previous rounds, which in turn depend on $x$. This quantification should be applied to both the statements and the proofs of Lemma 2 and Lemma 5. In particular, the following changes should be made in the definitions and the proofs: The definition of $D_j$ should be "the distribution of queries sent from the user to server $j$, given that the database contents is $x$" (note that, by the privacy requirement, this distribution is still independent of $i$). The definition of $\sigma_0$ should be maximized over all possible values of $x$.

The definition of $good_i$ should be "all the tuples of queries that the user may send to the servers for some value of $x$, given that she is interested in the $i$-th bit". The choices of queries by the server in the restricted schemes are done according to the distributions ($D_j$) implied by $x$ (which is known to the server, of course). In particular, when required to choose the $t$ most probable queries according to $D_j$ (for some $j$), the server would select the $t$ most probable queries given the value of $x$. The user in the restricted scheme should look for a tuple of queries which is in $good_i$ and is also consistent with the corresponding replies sent by the server. Note that the user in the restricted retrieval schemes may check whether a tuple belongs to $good_i$, since she is not restricted to polynomial-time computations (in particular she may check all possible values of $x$): the lower bound in Lemma 1 follows from information-theoretic considerations and does not assume any limitation on the computational power of the parties.
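The restricted scheme from the proof of Lemma 2, run on a concrete instance. This is an added illustration and not code from the thesis: it uses as the scheme $S$ the textbook 2-server XOR scheme (the user sends a uniformly random subset of the $n$ positions to server 1 and the same subset with position $i$ toggled to server 2; each server answers with the parity of the database bits in its subset), so every query is equally probable, $\sigma(q)$ is the integer value of the subset's bit-mask, $\sigma_0 = 2^n$, and a good pair is one whose two masks differ exactly in position $i$. The function names, the database size and the random seed are my choices; the tally returned by `experiment` exhibits the one-sided error of step 6 (a wrong answer is always 0, never 1) and a success rate that is at least the $\frac{1}{2}(1 - \frac{1}{e})$ of the proof.

```python
"""Toy run of the Lemma 2 reduction: the 2-server XOR PIR scheme turned
into a one-way, deterministic-user retrieval scheme with one-sided error.
Added example; the underlying XOR scheme is the textbook construction and
the restricted scheme follows the six steps of the proof of Lemma 2."""
import math
import random


def parity(x_bits, mask):
    """Server reply in the XOR scheme: XOR of the database bits selected by mask."""
    acc = 0
    for pos, bit in enumerate(x_bits):
        if (mask >> pos) & 1:
            acc ^= bit
    return acc


def is_good_pair(q1, q2, i):
    """(q1, q2) is in good_i iff the two subsets differ exactly in position i."""
    return q1 ^ q2 == (1 << i)


def restricted_retrieval(x_bits, i, rng):
    """One run of the restricted scheme; returns (answer, found_good_pair)."""
    n = len(x_bits)
    num_queries = 1 << n                    # sigma_0 = sigma_max for this scheme
    t = math.isqrt(2 * num_queries) + 1     # t = ceil(sqrt(2 * sigma_0))
    b = rng.choice((1, 2))                  # step 1
    drawn = [rng.randrange(num_queries) for _ in range(t)]   # step 2: t draws from D_b
    # step 3: the t most probable queries of the other server with sigma(q) <= sigma_0;
    # all queries are equally likely, so take the t lexicographically first masks.
    top = list(range(min(t, num_queries)))
    q1s, q2s = (drawn, top) if b == 1 else (top, drawn)
    r1s = [parity(x_bits, q) for q in q1s]  # step 4: replies for every listed query
    r2s = [parity(x_bits, q) for q in q2s]
    for q1, r1 in zip(q1s, r1s):            # step 5: look for a good pair
        for q2, r2 in zip(q2s, r2s):
            if is_good_pair(q1, q2, i):
                return r1 ^ r2, True        # reconstruct x_i exactly as in S
    return 0, False                         # step 6: no good pair, assume x_i = 0


def experiment(n=8, trials=300, seed=1):
    """Run many trials on constructed random databases and tally the outcomes."""
    rng = random.Random(seed)               # constructed, seeded sample data
    stats = {"trials": trials, "found": 0, "correct": 0,
             "false_one": 0, "found_wrong": 0}
    for _ in range(trials):
        x_bits = [rng.randrange(2) for _ in range(n)]
        i = rng.randrange(n)
        ans, found = restricted_retrieval(x_bits, i, rng)
        stats["found"] += int(found)
        stats["correct"] += int(ans == x_bits[i])
        stats["false_one"] += int(ans == 1 and x_bits[i] == 0)   # one-sided error: stays 0
        stats["found_wrong"] += int(found and ans != x_bits[i])  # good pair => correct
    return stats


if __name__ == "__main__":
    print(experiment())
```

With $n = 8$ the server ships $t = 23$ queries per side, i.e. $2 \cdot 23 \cdot (8 + 1)$ bits, against a database of 8 bits; the bound $(\alpha + \beta) \cdot t = \Omega(n)$ is loose here, but the structure of the argument (a constant fraction of drawn queries pairs up with the fixed top-$t$ list) is visible in the `found` count.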

Chapter 4

Single-Server PIR schemes from generalized assumptions

In this chapter we show that a construction similar to the one in [KO97] can be used to devise a PIR scheme based on more general assumptions than the one the original construction was based upon. While the original construction was based on the Quadratic Residuosity Assumption, we show that any trapdoor predicate that exhibits a certain homomorphism property can be used for that construction. In Section 4.2 we present the definitions required for the proof of the above claim, in Section 4.3 we prove that claim, and in Section 4.4 we show several examples of trapdoor-predicate constructions, based on different security assumptions, that exhibit the desired homomorphism properties. First, let us give a few examples of trapdoor predicates that will serve to exemplify the definitions.

4.1 Examples of Trapdoor Predicates

In this section we define informally a few examples of trapdoor predicates. In Section 4.4 we will give these predicates a more thorough treatment and present more examples. Informally, a trapdoor predicate is a predicate on strings that is hard to compute without additional information, but that is easy to compute given a special trapdoor information associated with it.

4.1.1 Quadratic Residuosity

The quadratic residuosity predicate was presented in [GM84] and is perhaps the "canonical" example of a trapdoor predicate. A number $x$ is a quadratic residue modulo $N$ if there exists a number $y$ such that $y^2 = x \pmod N$. Formally, the predicate $QR_N(x)$ is defined as follows:
$$QR_N(x) = \begin{cases} 0 & \text{if } \exists y \in Z_N^* \text{ s.t. } y^2 = x \pmod N \\ 1 & \text{otherwise} \end{cases}$$
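The predicate above, computed with and without its trapdoor. This is an added example, not code from the thesis: for $N = pq$ the trapdoor is the factorisation, and with it $QR_N(x)$ is decided from the Legendre symbols of $x$ modulo $p$ and $q$ (Euler's criterion). Without it, the Jacobi symbol $(x/N)$ is still computable in polynomial time, but it does not separate residues from non-residues, which is exactly the gap the Quadratic Residuosity Assumption lives in; `jacobi_one_split` counts the two classes that look identical to a party who only knows $N$. The function names and the small primes are my choices (tiny $N$ so the brute-force cross-check runs); the predicate keeps the thesis convention of 0 for a residue and 1 otherwise.

```python
"""Quadratic residuosity predicate QR_N(x) with and without the trapdoor (p, q).
Added example, not from the thesis; primes are deliberately tiny so that an
exhaustive reference check is feasible."""
import math


def legendre(a, p):
    """Euler's criterion: 1 if a is a QR mod the odd prime p, -1 if not, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorisation of n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                 # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def qr_predicate_with_trapdoor(x, p, q):
    """QR_N(x) for N = p*q, thesis convention: 0 if x is a QR mod N, 1 otherwise.
    x is a residue mod pq iff it is a residue mod both p and q (CRT)."""
    is_residue = legendre(x, p) == 1 and legendre(x, q) == 1
    return 0 if is_residue else 1


def qr_predicate_brute_force(x, N):
    """Reference decision by searching for a square root; only feasible for tiny N."""
    for y in range(1, N):
        if math.gcd(y, N) == 1 and (y * y) % N == x % N:
            return 0
    return 1


def trapdoor_matches_brute_force(p, q):
    """Cross-check the trapdoor decision against exhaustive search on all of Z_N^*."""
    N = p * q
    return all(qr_predicate_with_trapdoor(x, p, q) == qr_predicate_brute_force(x, N)
               for x in range(1, N) if math.gcd(x, N) == 1)


def jacobi_one_split(p, q):
    """Among x in Z_N^* with Jacobi symbol +1, count residues and non-residues.
    A party without (p, q) sees only the Jacobi symbol, so these two equally
    large classes are what the QR assumption says cannot be told apart."""
    N = p * q
    residues = non_residues = 0
    for x in range(1, N):
        if math.gcd(x, N) != 1 or jacobi(x, N) != 1:
            continue
        if qr_predicate_with_trapdoor(x, p, q) == 0:
            residues += 1
        else:
            non_residues += 1
    return residues, non_residues


if __name__ == "__main__":
    print(jacobi_one_split(7, 11))        # 15 residues, 15 non-residues with (x/77) = +1
```

For $N = 7 \cdot 11$ the group $Z_{77}^*$ has 60 elements; 30 have Jacobi symbol $+1$, and exactly half of those are residues, so the Jacobi symbol carries no information about $QR_N$ on that subgroup. Elements with Jacobi symbol $-1$ are always non-residues, which is why constructions based on this predicate draw their inputs from the $+1$ class.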


More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. 106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2

More information

COS Cryptography - Final Take Home Exam

COS Cryptography - Final Take Home Exam COS 433 - Cryptography - Final Take Home Exam Boaz Barak May 12, 2010 Read these instructions carefully before starting to work on the exam. If any of them are not clear, please email me before you start

More information

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab On the Implementation of Huge Random Objects Oded Goldreich y Sha Goldwasser yz Asaf Nussboim y December 15, 2007 Abstract We initiate a general study of the feasibility of implementing (huge) random objects,

More information

Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments

Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments Finding Collisions in Interactive Protocols Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments Iftach Haitner Jonathan J. Hoch Omer Reingold Gil Segev December

More information

Private Information Retrieval from Coded Databases

Private Information Retrieval from Coded Databases Private Information Retrieval from Coded Databases arim Banawan Sennur Ulukus Department of Electrical and Computer Engineering University of Maryland, College Park, MD 20742 kbanawan@umdedu ulukus@umdedu

More information

CS Communication Complexity: Applications and New Directions

CS Communication Complexity: Applications and New Directions CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. Fragments of a chapter on Signature Schemes (revised, second posted version) Extracts from a working draft for Volume 2 of Foundations of Cryptography Oded Goldreich Department of Computer Science and

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : On the Implementation of Huge Random Objects (Preliminary Version) Oded Goldreich y Sha Goldwasser yz Asaf Nussboim June 8, 2003 Abstract We initiate a general study of pseudo-random implementations of

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Notes on Complexity Theory Last updated: November, Lecture 10

Notes on Complexity Theory Last updated: November, Lecture 10 Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp

More information

Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups

Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups Jonathan Trostle and Andy Parrish Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Rd. Laurel,

More information

Keyword Search and Oblivious Pseudo-Random Functions

Keyword Search and Oblivious Pseudo-Random Functions Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:

More information

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science

Interactive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Notes on Property-Preserving Encryption

Notes on Property-Preserving Encryption Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Zero-Knowledge Proofs and Protocols

Zero-Knowledge Proofs and Protocols Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is

More information

5 Pseudorandom Generators

5 Pseudorandom Generators 5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic

More information

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Bootstrapping Obfuscators via Fast Pseudorandom Functions Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator

More information

The Computational Complexity Column

The Computational Complexity Column The Computational Complexity Column by Lance Fortnow Department of Computer Science, University of Chicago 1100 East 58th St., Chicago, IL 60637 USA fortnow@cs.uchicago.edu http://www.cs.uchicago.edu/~fortnow/beatcs

More information

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version. From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between

More information

On Everlasting Security in the Hybrid Bounded Storage Model

On Everlasting Security in the Hybrid Bounded Storage Model On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor Abstract The bounded storage model (BSM) bounds the storage space of an adversary rather than its running time. It utilizes

More information

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract How to Construct Constant-Round Zero-Knowledge Proof Systems for NP Oded Goldreich y Ariel Kahan z March 1995 Abstract Constant-round zero-knowledge proof systems for every language in N P are presented,

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

Efficient Private Information Retrieval

Efficient Private Information Retrieval IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 PAPER Special Section on Cryptography and Information Security Efficient Private Information Retrieval Toshiya ITOH, Member SUMMARY Informally, private

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

On Expected Constant-Round Protocols for Byzantine Agreement

On Expected Constant-Round Protocols for Byzantine Agreement On Expected Constant-Round Protocols for Byzantine Agreement Jonathan Katz Chiu-Yuen Koo Abstract In a seminal paper, Feldman and Micali show an n-party Byzantine agreement protocol in the plain model

More information

1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography" cannot be based on NPhard problems. However, what Brassard ha

1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography cannot be based on NPhard problems. However, what Brassard ha On the possibility of basing Cryptography on the assumption that P 6= N P Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Sha Goldwasser

More information

Computer Science Dept.

Computer Science Dept. A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

Distinguisher-Dependent Simulation in Two Rounds and its Applications

Distinguisher-Dependent Simulation in Two Rounds and its Applications Distinguisher-Dependent Simulation in Two Rounds and its Applications Abhishek Jain Yael Tauman Kalai Dakshita Khurana Ron Rothblum Abstract We devise a novel simulation technique that makes black-box

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007 G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret

More information

Pseudorandom Generators

Pseudorandom Generators Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators

More information

Lecture 11: Key Agreement

Lecture 11: Key Agreement Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Communication vs. Computation

Communication vs. Computation Communication vs. Computation Prahladh Harsha Yuval Ishai Joe Kilian Kobbi Nissim S. Venkatesh October 18, 2005 Abstract We initiate a study of tradeoffs between communication and computation in well-known

More information

Bounds on Secret Key Exchange Using. a Random Deal of Cards. Michael J. Fischer

Bounds on Secret Key Exchange Using. a Random Deal of Cards. Michael J. Fischer Bounds on Secret Key Exchange Using a Random Deal of Cards Michael J. Fischer Computer Science Department, Yale University, New Haven, CT 06520{8285 Rebecca N. Wright AT&T Bell Laboratories, 600 Mountain

More information

Oblivious Keyword Search

Oblivious Keyword Search Oblivious Keyword Search Wakaha Ogata 1 Kaoru Kurosawa 2 1 Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan wakaha@ss.titech.ac.jp 2 Ibaraki University, 4-12-1 Nakanarusawa,

More information

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments Lectures 11 12 - One Way Permutations, Goldreich Levin Theorem, Commitments Boaz Barak March 10, 2010 From time immemorial, humanity has gotten frequent, often cruel, reminders that many things are easier

More information

Linear Multi-Prover Interactive Proofs

Linear Multi-Prover Interactive Proofs Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject

More information

Lecture 38: Secure Multi-party Computation MPC

Lecture 38: Secure Multi-party Computation MPC Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party

More information

Improved Non-Committing Encryption Schemes based on a General Complexity Assumption

Improved Non-Committing Encryption Schemes based on a General Complexity Assumption Improved Non-Committing Encryption Schemes based on a General Complexity Assumption Ivan Damgård and Jesper Buus Nielsen BRICS Department of Computer Science University of Aarhus Ny Munkegade DK-8000 Arhus

More information

On Worst-Case to Average-Case Reductions for NP Problems

On Worst-Case to Average-Case Reductions for NP Problems On Worst-Case to Average-Case Reductions for NP Problems Andrej Bogdanov Luca Trevisan January 24, 2006 Abstract We show that if an NP-complete problem has a non-adaptive self-corrector with respect to

More information

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004 CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,

More information