Slide 1: Using low-degree Homomorphism for Private Conjunction Queries
Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, David Wu
December 3, 2012
Slide 2: Private Conjunction Queries
- Client has an SQL query of the type SELECT * FROM db WHERE a_1=v_1 AND … AND a_t=v_t
- Want to hide the values v_i from the server
  - maybe also the attributes a_i themselves
- Our protocols return the indexes of the matching records
  - The client can use PIR or ORAM to fetch the records themselves
Slide 3: The Basic Approach
- Encode database as a polynomial
  - A set S is encoded as a polynomial P(X) s.t. P(s)=0 for all s ∈ S
- Use Kissner-Song trick
  - If P_1(X), P_2(X) represent S_1, S_2, then a random linear combination represents the intersection of S_1, S_2, whp.
  - If and then A(X) does not leak any information beyond the intersection
Slide 4: Two-Party Settings
- Server has database
- Client has secret-key for SWHE scheme
- Server encodes database as bivariate polynomial D(x,y)
  - D(r,a)=v if record r has attribute a=value v
  - Size of D ~ size of database
Slide 5: Conjunction Queries
- “attr_1=val_1 AND … AND attr_t=val_t”
- Client interpolates Q(y) s.t. Q(attr_i)=val_i
  - Send the encrypted Q to server
  - For simplicity send also attr_1,…,attr_t in the clear
- Server computes
  - Additive homomorphism suffices
  - A(r,attr_i)=0 iff D(r,attr_i)=val_i
- Server defines A_i(X) = A(X,attr_i)
  - Roots of A_i(X) are records that have attr_i=val_i
Slide 6: Conjunction Queries (cont.)
- Server uses Kissner-Song trick, set for random ’s
  - Whp roots of B are the records in the intersection of the ’s
  - Still additive homomorphism is enough
  - Need more if attr_i’s are not sent in the clear
- Server sends encrypted to client
- Client decrypts, finds roots, uses PIR/ORAM to get actual records
- To hide also the attributes we need higher-degree homomorphism
Slide 7: Three parties: Client-Proxy-Server
- Proxy has encrypted inverted index
  - For every attr=val in DB, keeps a pair (t, Enc(P))
  - Tag t = Hash(“attr=val”)
  - P is polynomial s.t. P(r)=0 if record #r contains this “attr=val” pair
- Client sends tags t_i for attr_i=value_i in query
- Proxy chooses randomizers R_i sets
  - Q has roots in the intersection
- Server obliviously decrypts for Client
- Client factors Q, finds roots, uses PIR/ORAM to get actual records
Slide 8: Conserving Bandwidth
- is a wasteful representation
  - Degree ~ 2 max(deg(P_i))
  - High degree needed for Q to not leak information on the P_i’s
- Reducing to max(deg(P_i))+min(deg(P_i)) easy:
  - Say P_1 has smallest degree, then set
  - The s_i’s are random scalars, deg(R)=deg(Q’), deg(R’)=deg(P_1)
- Can we reduce it further?
  - We show how to get min(deg(P_i))
Slide 9: Polynomial GCD
- P_1, P_2 are (monic) polynomials for the sets S_1, S_2
- The smallest polynomial defining is
- G does not leak information on P_1, P_2 beyond the intersection
- Computing Enc(G) from {Enc(P_b)}_b takes high homomorphic capacity
Slide 10: Reducing The Degree
- Instead of , use
  - It has degree
  - If Q is a random multiple of G, so is Q’
- Computing Enc(Q mod P_1) is easier
- Basic Solution:
  - Store also
  - Given the encrypted coefficients of Q ()
  - Compute
  - Only takes quadratic homomorphism
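The algebra behind the inverted-index lookup on the three-party slide and the Q mod P1 reduction above, as an added Python sketch that is not code from the presentation. It keeps every polynomial in plaintext where the protocol holds Enc(P), so it shows correctness only, not privacy; the field modulus, SHA-256 as the tag hash, the sample records and all function names are assumptions.

```python
import hashlib
import secrets
P = 2**31 - 1  # prime field modulus (constructed parameter, not from the slides)

def mul(a, b):  # product of two coefficient lists (low degree first)
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def mod_monic(q, m):  # remainder of q modulo the monic polynomial m
    q, d = q[:], len(m) - 1
    for k in range(len(q) - 1, d - 1, -1):
        c = q[k]
        for j in range(d + 1):
            q[k - d + j] = (q[k - d + j] - c * m[j]) % P
    return q[:d]

def build_index(records):  # tag -> P; plaintext here, Enc(P) in the protocol
    index = {}
    for r, rec in records.items():
        for attr, val in rec.items():
            t = hashlib.sha256(f"{attr}={val}".encode()).hexdigest()
            index[t] = mul(index.get(t, [1]), [-r % P, 1])  # multiply in (X - r)
    return index

def proxy_query(index, tags):  # Q = sum R_i*P_i, then Q mod P1
    polys = sorted((index[t] for t in tags), key=len)  # polys[0]: smallest degree
    q = [0] * (2 * len(polys[-1]) - 1)
    for p_i in polys:
        r_i = [secrets.randbelow(P) for _ in polys[-1]]  # deg R_i <= max deg P_i
        for k, c in enumerate(mul(r_i, p_i)):
            q[k] = (q[k] + c) % P
    return mod_monic(q, polys[0])

def client_roots(q, n_records):  # record indexes 1..n_records where q vanishes
    if not any(q):  # S1 inside every other set: remainder is 0, roots unreadable
        raise ValueError("Q mod P1 is the zero polynomial")
    return [r for r in range(1, n_records + 1)
            if sum(c * pow(r, k, P) for k, c in enumerate(q)) % P == 0]

# Constructed sample database: record index -> attributes.
ROWS = ["Paris admin", "Paris user", "Rome admin", "Paris admin", "Oslo user", "Paris user"]
RECORDS = {i: dict(zip(("city", "role"), row.split())) for i, row in enumerate(ROWS, 1)}

def run_query(pairs):  # client: hash each "attr=val", query proxy, find roots
    tags = [hashlib.sha256(p.encode()).hexdigest() for p in pairs]
    return client_roots(proxy_query(build_index(RECORDS), tags), len(RECORDS))
```

`run_query(["city=Paris", "role=admin"])` returns `[1, 4]`. A query whose smallest set is contained in all the others reduces to the zero polynomial and raises `ValueError`.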
Slide 11: Reducing The Degree (cont.)
- Storage/homomorphism tradeoff
  - Can store fewer encryptions of by using higher homomorphic capacity
  - E.g., Store ,
  - When deg(Q)=d+m, it takes log m steps to reduce Q mod P_1
  - Using
[Slide annotations: deg < 2^t; deg < d]
Slide 12: Speedup Using Batching
- Recall: a HE ciphertext encrypts an array of L values
  - L is at least a few hundred, maybe more
- Can use it to get significant speedup:
  - Break the database into L small db’s
    - Each record is placed at random in one of the small db’s
  - Run the same query against all the small db’s at once
    - The i’th database in the i’th entry of all the ciphertexts
- So we get L lists of indexes instead of one
  - i’th list has the indexes of the records in the i’th database that match the query
  - Lists are much shorter, so polynomials have much smaller degree
Slide 13: Implementing 3-party protocol
- Two implementations:
  - Only the basic scheme using additive cryptosystem (Paillier)
  - The full scheme using the [Bra’12] HE
- Only the 2nd implementation scales to large databases
  - Batching is key
- With and without the bandwidth-reduction GCD trick
  - Without it we need lower homomorphism, smaller parameters
- All tests run against a 1-million record database, executing a 5-attribute conjunction ()
  - Balanced tests: each matches roughly same # of records
  - Unbalanced: matches only ~5% as many as
Slide 14: Balanced Queries
[Figure: Time (minutes) and Bandwidth (MB). Annotation: ~2000 matches per tag, 8 minutes, 1MB]
Slide 15: Unbalanced Queries – Time (min)
[Figure. Series labels: (2.5K,2.5K,5K,10K,50K); (10K,20K,25K,50K,200K); (2.5K,2.5K,5K,5K,350K)]
Slide 16: Unbalanced Queries – Bandwidth (MB)
[Figure. Series labels: (2.5K,2.5K,5K,10K,50K); (10K,20K,25K,50K,200K); (2.5K,2.5K,5K,5K,350K)]