Single-Database Private Information Retrieval

Similar documents
Single Database Private Information Retrieval with Logarithmic Communication

Lecture 7: ElGamal and Discrete Logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Introduction to Cryptography. Lecture 8

CPSC 467b: Cryptography and Computer Security

An Overview of Homomorphic Encryption

Notes for Lecture 17

Lecture Notes, Week 6

Introduction to Modern Cryptography. Benny Chor

Elliptic Curve Cryptography

The security of RSA (part 1) The security of RSA (part 1)

An Oblivious Transfer Protocol with Log-Squared Communication

Public-Key Encryption: ElGamal, RSA, Rabin

Chapter 8 Public-key Cryptography and Digital Signatures

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

CRYPTOGRAPHY AND NUMBER THEORY

A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol

Mathematics of Public Key Cryptography

Public-Key Cryptosystems CHAPTER 4

Lecture 1: Introduction to Public key cryptography

Cryptography IV: Asymmetric Ciphers

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Carmen s Core Concepts (Math 135)

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Mathematics of Cryptography

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

CPSC 467: Cryptography and Computer Security

Threshold Cryptography

10 Public Key Cryptography : RSA

Breaking Plain ElGamal and Plain RSA Encryption

An Introduction to Probabilistic Encryption

Bandwidth Efficient PIR from NTRU

Recent Advances in Identity-based Encryption Pairing-free Constructions

MATH3302 Cryptography Problem Set 2

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

ASYMMETRIC ENCRYPTION

Topics in Cryptography. Lecture 5: Basic Number Theory

Short Exponent Diffie-Hellman Problems

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Public-key Cryptography and elliptic curves

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Discrete Logarithm Problem

Introduction to Modern Cryptography. Benny Chor

Homomorphic Encryption. Liam Morris

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

Cryptography and Security Final Exam

Other Public-Key Cryptosystems

arxiv: v3 [cs.cr] 15 Jun 2017

Public Key Cryptography

Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups

4-3 A Survey on Oblivious Transfer Protocols

Discrete logarithm and related schemes

Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

1 Number Theory Basics

The Theory and Applications of Homomorphic Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Quantum Symmetrically-Private Information Retrieval

Computationally Private Information Retrieval With Polylogarithmic Communication

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Introduction to Cybersecurity Cryptography (Part 4)

5.4 ElGamal - definition

Introduction to Elliptic Curve Cryptography. Anupam Datta

Discrete Mathematics GCD, LCM, RSA Algorithm

RSA. Ramki Thurimella

Efficient encryption and decryption. ECE646 Lecture 10. RSA Implementation: Efficient Encryption & Decryption. Required Reading

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Number Theory & Modern Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Advanced Topics in Cryptography

A new security notion for asymmetric encryption Draft #8

5199/IOC5063 Theory of Cryptology, 2014 Fall

NAVAL POSTGRADUATE SCHOOL THESIS

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Advanced Cryptography 03/06/2007. Lecture 8

Evaluating 2-DNF Formulas on Ciphertexts

MATH 158 FINAL EXAM 20 DECEMBER 2016

Math/Mthe 418/818. Review Questions

Practical Fully Homomorphic Encryption without Noise Reduction

CPSC 467: Cryptography and Computer Security

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Chapter 4 Asymmetric Cryptography

Question: Total Points: Score:

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Asymmetric Cryptography

Public-key Cryptography and elliptic curves

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

10 Modular Arithmetic and Cryptography

Exercise Sheet Cryptography 1, 2011

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Secure Outsourcing of DNA Searching via Finite Automata

Transcription:

MTAT.07.006 Research Seminar in Cryptography 07.11.2005 Tartu University a g@ut.ee 1

Overview of the Lecture CMS - first single database private information retrieval scheme Gentry-Ramzan PBR Lipmaa Oblivious Transfer Protocol with Log-Squared Communication 2

PIR, PBR PIR - allows a user to retrieve the i th bit of an n-bit database, without revealing the value of index i to the database. PBR - natural and more practical extension of PIR in which, instead of retrieving only a single bit, the user retrieves a i th block with d bits in it. 3

CMS - first single-database PIR Proposed by Cachin, Micali and Stadler in 1999 Based on Φ - hiding assumption (that it is hard to distinguish which of two primes divide φ(m) for composite modulus m). Communication complexity is about O(log 8 n) per bit. 4

CMS - first single-database PIR, slide 2 Each index j [1, n] is mapped to a distinct prime p j. Query for bit b i : hard-to-factor modulus m so that p i φ(m) and a generator x Z m. Server response: r = x P mod m, where P = j p b j j Response retrieval: y : y p i r (mod m) b i = 1 5

Gentry-Ramzan private block retrieval scheme Published in 2005 Uses the fact that discrete logarithm computation is feasible in hidden subgroups of smooth order, while this task is still hard in general groups. (A number is called smooth if it has only small prime factors) 6

Gentry-Ramzan private block retrieval scheme, slide 2 The server partitions the n-bit database B into t blocks B = C 1 C 2... C t of size at most l bits. S = {p 1,..., p t } is a set of small distinct prime numbers. Each block C i is associated to a prime power π i (π i = p c i i, where c i is the smallest integer so that p c i i 2 l ) All parameters above are public. 7

Gentry-Ramzan private block retrieval scheme, slide 3 Server precomputes an integer e that satisfies e C i (mod π i ) using Chinese Remainder Theorem. To retrieve C i it suffices to retrieve e mod π i. 8

Gentry-Ramzan private block retrieval scheme, slide 4 To query for block C i, the user generates an appropriate cyclic group G = g with order G = qπ i for some suitable integer q and sends (G, g) to server, keeping q private. Example: an Z m group, where m is constructed to Φ - hide π i. m = Q 0 Q 1, where Q 0, Q 1 are safe primes: Q 0 = 2q 0 π i + 1, Q 1 = 2q 1 d + 1; q 0, q 1 are primes. Notice that G contains a subgroup H of smooth order π i, and that h = g q is a generator of H. 9

Gentry-Ramzan private block retrieval scheme, slide 5 Server responds with g e = g e G The user obtains e mod π i by setting h e = ge q H and performing a (tractable) discrete logarithm computation log h h e, which occurs entirely in the subgroup H of order p c i i and can be quite efficient if p i is small. To prove that log h h e = C i, let s rewrite e e πi (mod π i ) as e = e πi + π i E, for some E Z. Now: h e = g q e = g g /π i e = g e g /π i = g e π i g /π i g E g = g e π i g /π i = h e π i. 10

Gentry-Ramzan private block retrieval scheme, slide 6 Pohlig-Hellman algorithm let s write C i = log h h e in base p i (remember that C i is a number modulo p c i i ): C i = x 0 + x 1 p +... x c 1 p c 1, 0 x i < p 11

Gentry-Ramzan private block retrieval scheme, slide 7 Computational complexity Querier side: no more than 4 nl group operations. Server side: Θ(n) group operations. Communication complexity Suppose that the group G and any element of G can be described in l G bits. Then the total complexity is 3l G bits. 12

Lipmaa PIR protocol with log-squared communication first published in 2004 Takes advantage of the concept of length-flexible additively homomorphic (LFAH) public-key cryptosystems. Length-flexible public-key cryptosystem has an additional length parameter s Z +. The encryption algorithm maps sk-bit plaintexts, for any s and for security parameter k, to (s+ξ)k -bit ciphertexts for some small integer ξ q. 13

Lipmaa PIR protocol with log-squared communication Communication complexity Θ(k log 2 n + l log n) k = Ω(log 3 o(1) n); Computational complexity Sender s work is equivalent to Θ(nl) k 2+o(1) bit operations; Receiver s work is Θ((k log n + l) 2+o(1) ) 14

Lipmaa PIR protocol with log-squared communication Communication complexity The ratio of amount of bits transferred to the communication complexity is 1/(log n) to achieve a good rate in practice, n and l must be quite large (on the order of gigabits and megabits, respectively), before they begin to offset the large one-time cost represented by the k log 2 n term. Computational complexity Sender s work is equivalent to Θ(nl) k 2+o(1) bit operations; Receiver s work is Θ((k log n + l) 2+o(1) ) 15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback