Xun Yi,M. G. Kaosar,R. Paulet,E. Bertino,Mohammed Golam Kaosar,Russell Paulet,Elisa Bertino

DOI: https://doi.org/10.1109/tkde.2012.90

IF: 9.235

2013-05-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Private Information Retrieval (PIR) allows a user to retrieve the ith bit of an n-bit database without revealing to the database server the value of i. In this paper, we present a PIR protocol with the communication complexity of O(γ logn) bits, where -y is the ciphertext size. Furthermore, we extend the PIR protocol to a private block retrieval (PBR) protocol, a natural and more practical extension of PIR in which the user retrieves a block of bits, instead of retrieving single bit. Our protocols are built on the state-of-the-art fully homomorphic encryption (FHE) techniques and provide privacy for the user if the underlying FHE scheme is semantically secure. The total communication complexity of our PBR is O(γ logm + γn/m) bits, where m is the number of blocks. The total computation complexity of our PBR is O(m logm) modular multiplications plus O(n=2) modular additions. In terms of total protocol execution time, our PBR protocol is more efficient than existing PBR protocols which usually require to compute O(n=2) modular multiplications when the size of a block in the database is large and a high-speed network is available.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-16342-5_12

2010-01-01

Abstract:In a selective private function evaluation (SPFE) protocol, the client privately computes some predefined function on his own input and on m out of server's n database elements. We propose two new generalized SPFE protocols that are based on the new cryptocomputing protocol by Ishai and Paskin and an efficient CPIR. The first protocol works only for constant values of m,, but has 2 messages, and is most efficient when m = 1. The second SPFE protocol works for any m, has 4 messages, and is efficient for a large class of functionalities. We then propose an efficient protocol for private similarity test, where one can compute how similar client's input is to a specific element in server's database, without revealing any information to the server. The latter protocol has applications in biometric authentication.

Hsuan-Yin Lin,Siddhartha Kumar,Eirik Rosnes,Alexandre Graell i Amat,Eitan Yaakobi

DOI: https://doi.org/10.48550/arXiv.2007.10174

2021-11-02

Abstract:Private information retrieval (PIR) protocols ensure that a user can download a file from a database without revealing any information on the identity of the requested file to the servers storing the database. While existing protocols strictly impose that no information is leaked on the file's identity, this work initiates the study of the tradeoffs that can be achieved by relaxing the perfect privacy requirement. We refer to such protocols as weakly-private information retrieval (WPIR) protocols. In particular, for the case of multiple noncolluding replicated servers, we study how the download rate, the upload cost, and the access complexity can be improved when relaxing the full privacy constraint. To quantify the information leakage on the requested file's identity we consider mutual information (MI), worst-case information leakage, and maximal leakage (MaxL). We present two WPIR schemes, denoted by Scheme A and Scheme B, based on two recent PIR protocols and show that the download rate of the former can be optimized by solving a convex optimization problem. We also show that Scheme A achieves an improved download rate compared to the recently proposed scheme by Samy et al. under the so-called $\epsilon$-privacy metric. Additionally, a family of schemes based on partitioning is presented. Moreover, we provide an information-theoretic converse bound for the maximum possible download rate for the MI and MaxL privacy metrics under a practical restriction on the alphabet size of queries and answers. For two servers and two files, the bound is tight under the MaxL metric, which settles the WPIR capacity in this particular case. Finally, we compare the performance of the proposed schemes and their gap to the converse bound.

Information Theory

Arman Fazeli,Alexander Vardy,Eitan Yaakobi

DOI: https://doi.org/10.48550/arXiv.1505.06241

2015-05-23

Abstract:Private information retrieval (PIR) protocols allow a user to retrieve a data item from a database without revealing any information about the identity of the item being retrieved. Specifically, in information-theoretic $k$-server PIR, the database is replicated among $k$ non-communicating servers, and each server learns nothing about the item retrieved by the user. The cost of PIR protocols is usually measured in terms of their communication complexity, which is the total number of bits exchanged between the user and the servers, and storage overhead, which is the ratio between the total number of bits stored on all the servers and the number of bits in the database. Since single-server information-theoretic PIR is impossible, the storage overhead of all existing PIR protocols is at least $2$. In this work, we show that information-theoretic PIR can be achieved with storage overhead arbitrarily close to the optimal value of $1$, without sacrificing the communication complexity. Specifically, we prove that all known $k$-server PIR protocols can be efficiently emulated, while preserving both privacy and communication complexity but significantly reducing the storage overhead. To this end, we distribute the $n$ bits of the database among $s+r$ servers, each storing $n/s$ coded bits (rather than replicas). For every fixed $k$, the resulting storage overhead $(s+r)/s$ approaches $1$ as $s$ grows; explicitly we have $r\le k\sqrt{s}(1+o(1))$. Moreover, in the special case $k = 2$, the storage overhead is only $1 + \frac{1}{s}$. In order to achieve these results, we introduce and study a new kind of binary linear codes, called here $k$-server PIR codes. We then show how such codes can be constructed, and we establish several bounds on the parameters of $k$-server PIR codes. Finally, we briefly discuss extensions of our results to nonbinary alphabets, to robust PIR, and to $t$-private PIR.

Information Theory

QI Kun,HUANG Liu-sheng,LUO Yong-long,JING Wei-wei

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.07.007

2007-01-01

Abstract:The Private Information Retrieval protocol(PIR) is an important secure multi-party computation protocol.In PIR,a user can perform a query from a database without revealing his private information;meanwhile the privacy of the database will be protected,too.This paper proposes a new scheme in which we apply cryptographic technology on the auxiliary random servers protocol to solve the problem of PIR.This scheme is efficient in computational complexity and doesn't increase the cost of communication.It is very practical and can retrieve a block of bits.Detailed analysis of security,computational complexity and communicational complexity to the scheme is also given in this paper.

Jian Liu,Jingyu Li,Di Wu,Kui Ren

DOI: https://doi.org/10.1109/sp54263.2024.00039

2024-01-01

Abstract:Private information retrieval (PIR) is a cryptographic protocol that enables a wide range of privacy-preserving applications. Despite being extensively studied for decades, it is still not efficient enough to be used in practice. In this paper, we propose a novel PIR protocol named PIRANA, based on the recent advances in constant-weight codes. It is up to 188.6× faster than the original constant-weight PIR (presented in Usenix SEC ’22). Most importantly, PIRANA naturally supports multi-query. It allows a client to retrieve a batch of elements from the server with a very small extra-cost compared to retrieving a single element, which results in up to an 14.4× speedup over the state-of-the-art multi-query PIR (presented in Oakland ’23). We also discuss a way to extend PIRANA to labeled private set intersection (LPSI). Compared with existing LPSI protocols, PIRANA is more friendly to the scenarios where the database updates frequently.

Stanislav Kruglik,Son Hoang Dau,Han Mao Kiah,Huaxiong Wang,Liang Feng Zhang

DOI: https://doi.org/10.1109/tifs.2024.3453550

IF: 7.231

2024-09-20

IEEE Transactions on Information Forensics and Security

Abstract:Private Information Retrieval (PIR) protocols allow a client to retrieve any file of interest while keeping the files identity hidden from the database servers. While many existing PIR protocols assume servers to be honest but curious, we investigate the scenario of dishonest servers that provide incorrect answers to mislead clients into obtaining wrong results. We propose a unified framework for polynomial PIR protocols encompassing various existing protocols that optimize the download rate or total communication cost. We introduce a way to transform a polynomial PIR to a verifiable one without increasing the number of involved servers by doubling the queries. The security guarantees can be information-theoretic or computational, and the verification keys can be public or private. Moreover, in one of our protocols, the ratio between the additional download overhead associated with verification and the normal download cost approaches zero as the file size goes to infinity.

computer science, theory & methods,engineering, electrical & electronic

Yiwei Zhang,Eitan Yaakobi,Tuvi Etzion,Moshe Schwartz

DOI: https://doi.org/10.48550/arXiv.1804.02692

2019-01-24

Abstract:Private information retrieval has been reformulated in an information-theoretic perspective in recent years. The two most important parameters considered for a PIR scheme in a distributed storage system are the storage overhead and PIR rate. The complexity of the computations done by the servers for the various tasks of the distributed storage system is an important parameter in such systems which didn't get enough attention in PIR schemes. As a consequence, we take into consideration a third parameter, the access complexity of a PIR scheme, which characterizes the total amount of data to be accessed by the servers for responding to the queries throughout a PIR scheme. We use a general covering codes approach as the main tool for improving the access complexity. With a given amount of storage overhead, the ultimate objective is to characterize the tradeoff between the rate and access complexity of a PIR scheme. This covering codes approach raises a new interesting coding problem of generalized coverings similarly to the well-known generalized Hamming weights.

Information Theory

Zengpeng Li,Chunguang Ma,Ding Wang,Gang Du

DOI: https://doi.org/10.1016/j.jisa.2016.11.003

IF: 4.96

2017-01-01

Journal of Information Security and Applications

Abstract:At FOCS2011 Brakerski and Vaikuntanathan proposed a single-server LWE-based private information retrieval (abbreviated as PIR) protocol with a security reduction to hard standard lattice problems and nearly optimal communication complexity. However, Brakerski just described a generic PIR protocol that utilized a somewhat homomorphic encryption and an arbitrary symmetric encryption as building blocks, he did not instantiate the generic construction. In this work, we first modify Brakerski's construction without the evaluating key and construct a new PIR model. Moreover, we instantiate our new model via matrix FHE first proposed by Ryo et al. at PKC2015 and vector symmetric encryption scheme proposed in this work as building block. Then we optimize the Response operations and several other aspects of the scheme.

Yiwei Zhang,Xin Wang,Hengjia Wei,Gennian Ge

DOI: https://doi.org/10.48550/arXiv.1609.09167

2016-09-29

Abstract:Given a database, the private information retrieval (PIR) protocol allows a user to make queries to several servers and retrieve a certain item of the database via the feedbacks, without revealing the privacy of the specific item to any single server. Classical models of PIR protocols require that each server stores a whole copy of the database. Recently new PIR models are proposed with coding techniques arising from distributed storage system. In these new models each server only stores a fraction $1/s$ of the whole database, where $s>1$ is a given rational number. PIR array codes are recently proposed by Fazeli, Vardy and Yaakobi to characterize the new models. Consider a PIR array code with $m$ servers and the $k$-PIR property (which indicates that these $m$ servers may emulate any efficient $k$-PIR protocol). The central problem is to design PIR array codes with optimal rate $k/m$. Our contribution to this problem is three-fold. First, for the case $1<s\le 2$, although PIR array codes with optimal rate have been constructed recently by Blackburn and Etzion, the number of servers in their construction is impractically large. We determine the minimum number of servers admitting the existence of a PIR array code with optimal rate for a certain range of parameters. Second, for the case $s>2$, we derive a new upper bound on the rate of a PIR array code. Finally, for the case $s>2$, we analyze a new construction by Blackburn and Etzion and show that its rate is better than all the other existing constructions.

Information Theory

Simon R. Blackburn,Tuvi Etzion

DOI: https://doi.org/10.48550/arXiv.1609.07070

2016-12-18

Abstract:There has been much recent interest in Private information Retrieval (PIR) in models where a database is stored across several servers using coding techniques from distributed storage, rather than being simply replicated. In particular, a recent breakthrough result of Fazelli, Vardy and Yaakobi introduces the notion of a PIR code and a PIR array code, and uses this notion to produce efficient protocols. In this paper we are interested in designing PIR array codes. We consider the case when we have $m$ servers, with each server storing a fraction $(1/\omegaR)$ of the bits of the database; here $\omegaR$ is a fixed rational number with $\omegaR > 1$. We study the maximum PIR rate of a PIR array code with the $k$-PIR property (which enables a $k$-server PIR protocol to be emulated on the $m$ servers), where the PIR rate is defined to be $k/m$. We present upper bounds on the achievable rate, some constructions, and ideas how to obtain PIR array codes with the highest possible PIR rate. In particular, we present constructions that asymptotically meet our upper bounds, and the exact largest PIR rate is obtained when $1 < \omegaR \leq 2$.

Information Theory

Sven Laur,Jan Willemson,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24861-0_18

2011-01-01

Abstract:Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle essential tools in privacy-preserving data analysis. As the first contribution, we present a 1-out-of-n oblivious transfer protocol with 0(log log n) rounds, which achieves optimal communication and time complexity and works over any ring Z(N). Secondly, we show how to construct round-efficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations.

Hsuan-Yin Lin,Siddhartha Kumar,Eirik Rosnes,Alexandre Graell i Amat

DOI: https://doi.org/10.48550/arXiv.1806.01342

2018-09-18

Abstract:We consider private information retrieval (PIR) for distributed storage systems (DSSs) with noncolluding nodes where data is stored using a non maximum distance separable (MDS) linear code. It was recently shown that if data is stored using a particular class of non-MDS linear codes, the MDS-PIR capacity, i.e., the maximum possible PIR rate for MDS-coded DSSs, can be achieved. For this class of codes, we prove that the PIR capacity is indeed equal to the MDS-PIR capacity, giving the first family of non-MDS codes for which the PIR capacity is known. For other codes, we provide asymmetric PIR protocols that achieve a strictly larger PIR rate compared to existing symmetric PIR protocols.

Information Theory

Jean-Guillaume Dumas,Aude Maignan,Clément Pernet,Daniel S. Roche

DOI: https://doi.org/10.48550/arXiv.2110.02022

2023-03-13

Abstract:Proofs of Retrievability are protocols which allow a Client to store data remotely and to efficiently ensure, via audits, that the entirety of that data is still intact. Dynamic Proofs of Retrievability (DPoR) also support efficient retrieval and update of any small portion of the <a class="link-external link-http" href="http://data.We" rel="external noopener nofollow">this http URL</a> propose a novel protocol for arbitrary outsourced data storage that achieves both low remote storage size and audit complexity.A key ingredient, that can be also of intrinsic interest, reduces to efficiently evaluating a secret polynomial at given public points, when the (encrypted) polynomial is stored on an untrusted <a class="link-external link-http" href="http://Server.The" rel="external noopener nofollow">this http URL</a> Server performs the evaluations and also returns associated certificates. A Client can check that the evaluations are correct using the certificates and some pre-computed keys, more efficiently than re-evaluating the <a class="link-external link-http" href="http://polynomial.Our" rel="external noopener nofollow">this http URL</a> protocols support two important features: the polynomial itself can be encrypted on the Server, and it can be dynamically updated by changing individual coefficients cheaply without redoing the entire <a class="link-external link-http" href="http://setup.Our" rel="external noopener nofollow">this http URL</a> methods rely on linearly homomorphic encryption and pairings, and our implementation shows good performance for polynomial evaluations with millions of coefficients, and efficient DPoR with terabytes of <a class="link-external link-http" href="http://data.For" rel="external noopener nofollow">this http URL</a> instance, for a 1TB database, compared to the state of art, we can reduce the Client storage by 5000x, communication size by 20x, and client-side audit time by 2x, at the cost of one order of magnitude increase in server-side audit time.

Cryptography and Security,Symbolic Computation

Quang Cao,Hong Yen Tran,Son Hoang Dau,Xun Yi,Emanuele Viterbo,Chen Feng,Yu-Chih Huang,Jingge Zhu,Stanislav Kruglik,Han Mao Kiah

2023-09-25

Abstract:A private information retrieval (PIR) scheme allows a client to retrieve a data item $x_i$ among $n$ items $x_1,x_2,\ldots,x_n$ from $k$ servers, without revealing what $i$ is even when $t < k$ servers collude and try to learn $i$. Such a PIR scheme is said to be $t$-private. A PIR scheme is $v$-verifiable if the client can verify the correctness of the retrieved $x_i$ even when $v \leq k$ servers collude and try to fool the client by sending manipulated data. Most of the previous works in the literature on PIR assumed that $v < k$, leaving the case of all-colluding servers open. We propose a generic construction that combines a linear map commitment (LMC) and an arbitrary linear PIR scheme to produce a $k$-verifiable PIR scheme, termed a committed PIR scheme. Such a scheme guarantees that even in the worst scenario, when all servers are under the control of an attacker, although the privacy is unavoidably lost, the client won't be fooled into accepting an incorrect $x_i$. We demonstrate the practicality of our proposal by implementing the committed PIR schemes based on the Lai-Malavolta LMC and three well-known PIR schemes using the GMP library and blst, the current fastest C library for elliptic curve pairings.

Cryptography and Security,Databases,Information Retrieval

Huanyu Ma,Shuai Han,Hao Lei

DOI: https://doi.org/10.1145/3485832.3485842

2021-01-01

Abstract:In this paper, we propose a new optimization for the Paillier's additively homomorphic encryption scheme (Eurocrypt'99). At the heart of our optimization is a well-chosen subgroup of the underlying Z(N)*, which is used as the randomness space for masking messages during encryption. The size of the subgroup is significantly smaller than that of Z(N)*, leading to faster encryption and decryption algorithms of our optimization. We establish the one-wayness and semantic security of our optimized Paillier scheme upon those of an optimization (i.e., "Scheme 3") made by Paillier in Eurocrypt'99. Thus, our optimized scheme is one-way under the partial discrete logarithm (PDL) assumption, and is semantically secure under the decisional PDL (DPDL) assumption. On the other hand, we present a detailed analysis on the concrete security of our optimized scheme under several known methods. To provide 112-bit security, our analysis suggests that a 2048-bit modulus N and a well-chosen subgroup of size 448-bit would suffice. We compare our optimization with existing optimized Paillier schemes, including the Jurik's optimization proposed by Jurik in his Ph.D. thesis and the Paillier's optimization in Eurocrypt'99. Our experiments show that, - the encryption of our optimization is about 2.7 times faster than that of the Jurik's optimization and is about 7.5 times faster than that of the Paillier's optimization; - the decryption of our optimization is about 4.1 times faster than that of the Jurik's optimization and has a similar performance with that of the Paillier's optimization.

Jie Li,Okko Makkonen,Camilla Hollanti,Oliver W. Gnilke

DOI: https://doi.org/10.1109/jsac.2022.3142366

IF: 16.4

2022-03-01

IEEE Journal on Selected Areas in Communications

Abstract:This work considers the problem of privately outsourcing the computation of a matrix product over a finite field ${\mathbb {F}}_{q}$ to $N$ helper servers. These servers are considered to be honest but curious, i.e., they behave according to the protocol but will try to deduce information about the user’s data. Furthermore, any set of up to $X$ servers is allowed to share their data. Previous works considered this collusion a hindrance and the download cost of the schemes increases with growing $X$ . We propose to utilize such linkage between servers to the user’s advantage by allowing servers to cooperate in the computational task. This leads to a significant gain in the download cost for the proposed schemes. The gain naturally comes at the cost of increased communication load between the servers. Hence, the proposed cooperative schemes can be understood as outsourcing both computational cost and communication cost. Both information–theoretically secure and computationally secure schemes are considered, showing that allowing information leakage that is computationally hard to utilize will lead to further gains. The proposed server cooperation is then exemplified for specific secure distributed matrix multiplication (SDMM) schemes and linear private information retrieval (PIR). Similar ideas naturally apply to many other use cases as well, but not necessarily always with lowered costs.

telecommunications,engineering, electrical & electronic

Craig Gentry,Shai Halevi,Bernardo Magri,Jesper Buus Nielsen,Sophia Yakoubov

DOI: https://doi.org/10.1007/978-3-030-90456-2_2

2021-01-01

Abstract:Private information retrieval (PIR) lets a client retrieve an entry from a database without the server learning which entry was retrieved. Here we study a weaker variant that we call random-index PIR (RPIR), where the retrieved index is an output rather than an input of the protocol, and is chosen at random. RPIR is clearly weaker than PIR, but it suffices for some interesting applications and may be realized more efficiently than full-blown PIR.We report here on two lines of work, both tied to RPIR but otherwise largely unrelated. The first line of work studies RPIR as a primitive on its own. Perhaps surprisingly, we show that RPIR is in fact equivalent to PIR when there are no restrictions on the number of communication rounds. On the other hand, RPIR can be implemented in a “noninteractive” setting (with pre-processing), which is clearly impossible for PIR. For two-server RPIR we even show a truly noninteractive solution, offering information-theoretic security without any pre-processing.The other line of work, which was the original motivation for our work, uses RPIR to improve on the recent work of Benhamouda et al. (TCC’20) for maintaining secret values on public blockchains. Their solution depends on a method for selecting many random public keys from a PKI while hiding most of the selected keys from an adversary. However, the method they proposed is vulnerable to a double-dipping attack, limiting its resilience. Here we observe that a RPIR protocol, where the client is implemented via secure MPC, can eliminate that vulnerability. We thus get a secrets-on-blockchain protocol (and more generally large-scale MPC) which is resilient to any fraction f&lt;1/2$$f &lt; 1/2$$ of corrupted parties, resolving the main open problem left from the work of Benhamouda et al.As the client in this solution is implemented via secure MPC, it really brings home the need to make it as efficient as possible. We thus strive to explore whatever efficiency gains we can get by using RPIR rather than PIR. We achieve more gains by using batch RPIR where multiple indexes are retrieved at once. Lastly, we observe that this application can make do with a weaker security guarantee than full RPIR, and show that this weaker variant can be realized even more efficiently. We discuss one protocol in particular that may be attractive for practical implementations.

Liang Zhao,Xingfeng Wang,Xinyi Huang

DOI: https://doi.org/10.1016/j.ins.2020.08.071

IF: 8.1

2021-02-01

Information Sciences

Abstract:<p>Private Information Retrieval (PIR) allows a client to privately retrieve some data from a public database. There exist two types of PIR: (computational) Single-server PIR (SPIR) and (information-theoretic) multi-server PIR. In this paper, we focus on exploring SPIR. We first propose a simple and efficient additively-homomorphic encryption scheme of which privacy is based on the learning with binary errors assumption that is known as an interesting candidate for practical lattice-based cryptography. Then, according to our proposed homomorphic encryption scheme, we give a Verifiable (single/multi-bit) SPIR (VSPIR) scheme for the single-query case under the malicious server model. To the best of our knowledge, our proposal is the first practical non-interactive VSPIR scheme employing an efficient probabilistic proof that can discover the forged result with overwhelming probability. The corresponding communication complexity and computational complexity are comparable with those of some typical SPIR schemes. Moreover, we extend our single-query VSPIR scheme to construct a non-interactive multi-query solution. In particular, the corresponding communication complexity and computational complexity are the same as those of the single-query scheme. Finally, we provide detailed implementation results to confirm efficiency of our proposals.</p>

computer science, information systems

Cheng Huang 0001,Anjia Yang,Dongxiao Liu,Rongxing Lu,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/iccc57788.2023.10233605

2023-01-01

Abstract:In this paper, we propose a high-throughput, logarithmic-bandwidth private information retrieval (PIR) scheme, which enables a client to securely retrieve any record from a database replicated on two remote servers without revealing the record index. Specifically, based on the puncturable pseudorandom function (PPRF), a client first leverages randomized mapping to locate a logarithmic-size punctured PRF key capable of replacing a randomized set of arbitrary size while concealing a chosen element within the set. With the key, the client then generates corresponding PIR queries for two servers, achieving logarithmic communication complexity. Upon receiving the queries, the servers independently perform level-I PPRF evaluations on partitioned databases, i.e., buckets, to obtain intermediate results, and cooperatively perform level-II PPRF evaluations on these results to provide fast PIR responses. The two-level recursive approach can significantly reduce the servers’ computational complexity from linear to sublinear, ensuring high throughput. Finally, we conduct a comprehensive security analysis and develop a proof-of-concept prototype to demonstrate the efficiency and security of the proposed PIR scheme.