Private Information Retrieval from MDS Coded Data in Distributed Storage Systems

Transcription

1 Private Information Retrieval from MDS Coded Data in Distributed Storage Systems Joint work with Razane Tajeddine Salim El Rouayheb ECE Department Illinois Institute of Technology

2 Motivation 1

3 Secure Multiparty Computation Differential privacy Anonymity Privacy Cryptography Private Information Retrieval (PIR) 2

4 Private Information Retrieval (PIR) User wants to retrieve a file from a database without revealing the identity of this file. This problem was first introduced by Chor et. al in [Chor, Goldreich, Kuchilevitz and Sudan 95].... User wants to watch a video on North Korean Revolution Server 3

5 Toy Example Database replicated on two non colluding servers. KX + K =X K + E 5 KX + E 5 X User wants file X 5 E 5 = [Chor et al. 1995] 4

6 Computational vs. Info Theoretic Privacy Relaxation: Computational PIR Can achieve privacy on one server without downloading whole database. [Kushilevitz and Ostrovsky, 97], [Chor and Gilboa, 97], [Cachin, Micali, and Stadler, 99], High computational complexity. [Sion and Carbunar, 07] 5

7 PIR Computational Information Theoretic This Talk Replication Coded 6

8 Model A distributed storage system with n nodes storing files X 1,, X m (n,k) MDS code is given and not design parameter. b passive spy nodes Goal: Design PIR scheme with min download cost Perfect privacy: H(f queries to b servers) = H(f), (n,k) MDS code n nodes, b spies User wants X f chosen uniformly at random 7

9 Related work: Replicated Data PIR scheme on replicated non-colluding nodes with total, upload and download, communication cost of O((n 2 log n)m 1/n ) and O(m 1/3 ) for the case when n=2 [Chor, Goldreich, Kuchilevitz and Sudan 95] PIR scheme on replicated non-colluding nodes with communication cost O(m 1/(2n 1) c log log n ) [Ambainis, 97] and O(m [Beimel et al, 02] n log n ) PIR protocols with total communication cost that is subpolynomial in the size of the database [Yekhanin 08], [Efremenko 12] and [Dvir and Gopi 15] Fundamental limits and achievable schemes on download cost for replication. [Sun and Jafar 16]

10 Related Work on Coded PIR Batch codes [Ishai et al. 04] One extra bit of download is sufficient to achieve PIR. [Shah, Rashmi, and Ramchandran, ISIT 14] Methods for transforming a replication-based PIR scheme into a coded-based PIR scheme with the same communication cost [Fazeli, Vardy, and Yaakobi, ISIT 15] Bounds on the the tradeoff between storage and download communication cost. [Chan, Ho, and Yamamoto, ISIT 15] PIR array codes [Blackburn & Etzion 16] 9

11 Our Results: Single Spy Theorem 1: Consider a DSS using an MDS code over, with b =1spy node. Then, there is an explicit linear PIR scheme for any number of files m over with download communication cost (price of privacy): Achieves the information theoretic optimum given in [Chan et al, ISIT 15] for linear PIR scheme. Achieve the bound given in [Sun et. al, ISIT 16] when applying replication.* (0.5, 2) (0.8, 5) The PIR scheme is universal, i.e. does not depend on the MDS code. 10

12 Our Results: Multiple Spies Theorem 2: Consider a DSS using an MDS code over, with spy nodes. Then, there is an explicit linear PIR scheme over with download communication cost, Impossible 11

13 Example on Theorem 1 Consider a (5,2) MDS code with b =1spy node. Goal is to achieve PoP = n. n k = 5 3 File1 File2 File m a 1 a... 2 a m Server 1 b 1 b 2... b m Server 2 a 1 + b 1 a 2 + b 2... a m + b m Server 3 a 1 +2b 1 a 2 +2b 2 a m +2b m... Server 4 a 1 +3b 1 a 2 +3b 2... a m +3b m Server 5 12

14 First Attempt Generate an iid random vector U = u 1 u 2... u m. a 1 a 2 a m A T... b 1 b 2 b m B T... User wants file 1 E 1 = a 1 + b 1 a 2 + b 2... a 1 +2b 1 a 2 +2b 2 a 1 +3b 1 a 2 +3b a m + b m a m +2b m a m +3b m P op =2 P op = This achieves instead of.

15 Subdivision Divide each part into 3, a 11 a 12 1 a 13 2 subqueries. 2 random vectors U and V apple u1 +1 u Q 1 = 2 u 3... v 1 v 2 v 3... apple u1 u Q 2 = 2 u 3... v 1 +1 v 2 v 3... apple u1 u Q 3 = Q 4 = 2 +1 u 3... v 1 v 2 v apple u1 u Q 5 = 2 u 3... v 1 v 2 v 3... Q 1 U.A + a 11 Q 2 U.B Q 3 U.A + U.B + a 12 + b 12 Q 4 U.A +2U.B + a 12 +2b 12 U.A +3U.B Q 5... File 1 a 11 a 12 a 13 b 11 b 12 b a 11 + b 11 a 12 + b 12 a 13 + b a 11 +2b 11 a 12 +2b 12 a 13 +2b a 11 +3b 11 a 12 +3b 12 a 13 +3b

16 Proof of Theorem 1 Scheme: We divide each file into n k stripes. k sub-queries are made to each node (dimension of code is d). We write n k = k + r. Conditions: Decode n k parts in each sub-query. Parts not on same node. Different parts in each sub-query Retrieval pattern 15

17 Retrieval pattern for (15,4) MDS

18 Querying U + E 1 U + E 2 U + E r U E i Where the s are matrices with 1s at the positions we want to decode. U + E r+1 U + E r+ k U kequations to decode interference. r equations from systematic nodes to decode parts of the first r stripes. k equations from parity nodes to decode k complete stripes. In total, k + r parts decoded. 17

19 Querying 18

20 Response and Decoding 19

21 Decoding 20

22 Part 3 Privacy Privacy: Since b = 1, the only way a node l can learn information about f is from its own query matrix Q i. By, construction Q i is statistically independent of f and this scheme achieves perfect privacy. cpop: Every node responds with d = k symbols. Therefore, the total number of symbols downloaded by the user is kn. Therefore, cp op = kn k(n k) = 1 1 R

23 Example on Theorem 2 Assume a (5,3) MDS code. Consider b = 2 colluding nodes. W.L.O.G. user wants file 1. File 1 File 2 File m a 1 a 2 a... m b 1 b 2... b m c 1 c 2 c m... a 1 + b 1 + c 1 a 2 + b 2 + c 2... a m + b m + c m a 1 +2b 1 +3c 1 a 2 +2b 2 +3c 2... a m +2b m +3c m 22

24 Example on Theorem 2 User generates 2 random vectors Uand V. UA+ VA+ a 1 U + V + E 1 UB +2VB U +2V UC +3VC U +3V UA+ UB + UC a 1 a 2... a m b 1 b 2... b m c 1 c 2 c... m A T B T C T User wants X 1 VA+2VB+3VC V U a 1 + b 1 + c 1 a 2 + b 2 + c 2... a m + b m + c m 5 equations, 7 unknowns: UA, VA, UB, VB, UC, VC, a 1 a 1 +2b 1 +3c 1 a 2 +2b 2 +3c 2... a m +2b m +3c m 23

25 Proof of Theorem 2 Theorem 2: Consider a DSS using an MDS code over, with spy nodes. Then, there is an explicit linear PIR scheme over with download communication cost, Consider an (n,k) MDS code with the following generator matrix: 24

26 Decodability 1 n U 1,...,U b : b random vectors 25

27 Open Problems Fundamental information theoretical bounds of the communication cost (cpop). Is joint design of MDS code and PIR scheme necessary to achieve fundamental bounds? Partial retrieval of parts of the file. Beyond MDS codes, general linear codes, regenerating codes, Locally Recoverable codes, etc. General collusion patterns Malicious nodes etc 26

28 27