Using low-degree Homomorphism for Private Conjunction Queries

Uploaded On 2019-06-30


Presentation Transcript

Slide1

Using low-degree Homomorphism for Private Conjunction Queries

Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, David Wu

December 3, 2012

Slide2

Private Conjunction Queries

- Client has an SQL query of the type SELECT ⋆ FROM db WHERE a_1=v_1 AND … AND a_t=v_t
- Want to hide the values v_i from the server
  - maybe also the attributes a_i themselves
- Our protocols return the indexes of the matching records
  - The client can use PIR or ORAM to fetch the records themselves


Slide3

The Basic Approach

- Encode database as a polynomial
  - A set S is encoded as a polynomial P(X) s.t. P(s)=0 for all s ∈ S
- Use Kissner-Song trick
  - If P1(X), P2(X) represent S1, S2, then a random linear combination represents the intersection of S1, S2, whp.
  - If and then A(X) does not leak any information beyond the intersection


Slide4

Two-Party Settings

- Server has database
- Client has secret-key for SWHE scheme
- Server encodes database as bivariate polynomial D(x,y)
  - D(r,a)=v if record r has attribute a=value v
  - Size of D ~ size of database


Slide5

Conjunction Queries

- “attr_1=val_1 AND … AND attr_t=val_t”
- Client interpolates Q(y) s.t. Q(attr_i)=val_i
- Send the encrypted Q to server
  - For simplicity send also attr_1,…,attr_t in the clear
- Server computes
  - Additive homomorphism suffices
  - A(r,attr_i)=0 iff D(r,attr_i)=val_i
- Server defines A_i(X) = A(X,attr_i)
  - Roots of A_i(X) are records that have attr_i=val_i


Slide6

Conjunction Queries (cont.)

- Server uses Kissner-Song trick, set for random ’s
  - Whp roots of B are the records in the intersection of the ’s
  - Still additive homomorphism is enough
  - Need more if attr_i’s are not sent in the clear
- Server sends encrypted to client
- Client decrypts, finds roots, uses PIR/ORAM to get actual records
- To hide also the attributes we need higher-degree homomorphism


Slide7

Three parties: Client-Proxy-Server

- Proxy has encrypted inverted index
  - For every attr=val in DB, keeps a pair (t, Enc(P))
  - Tag t = Hash(“attr=val”)
  - P is polynomial s.t. P(r)=0 if record #r contains this “attr=val” pair
- Client sends tags t_i for attr_i=value_i in query
- Proxy chooses randomizers R_i, sets
  - Q has roots in the intersection
- Server obliviously decrypts for Client
- Client factors Q, finds roots, uses PIR/ORAM to get actual records
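The three-party flow above, with the Kissner-Song combination from "The Basic Approach", as an added example that is not from the slides or the authors' implementation. It assumes Q = sum of R_i·P_i with random polynomials R_i (the slide's own formula did not survive extraction), uses a toy Paillier with fixed small primes, decrypts directly where the server would decrypt obliviously, and tests candidate record ids instead of factoring Q; all names and the sample records are constructed.

```python
import hashlib, secrets

# Toy Paillier over fixed Mersenne primes: demo-sized, NOT secure parameters.
N = (2**31 - 1) * (2**61 - 1)
N2, PHI = N * N, (2**31 - 2) * (2**61 - 2)

def enc(m):
    return (1 + m % N * N) * pow(secrets.randbelow(N - 1) + 1, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def tag(attr, val):
    return hashlib.sha256(f"{attr}={val}".encode()).hexdigest()

def build_index(records):
    """Proxy's index: tag -> Enc of coefficients (low to high) of prod (X - r)."""
    index = {}
    for rid, rec in records.items():
        for attr, val in rec.items():
            t = tag(attr, val)
            p = index.get(t, [1])  # multiply the tag's polynomial by (X - rid)
            index[t] = [(a - rid * b) % N for a, b in zip([0] + p, p + [0])]
    return {t: [enc(c) for c in p] for t, p in index.items()}

def proxy_combine(index, tags):
    """Enc(Q), Q = sum_i R_i * P_i, from ciphertext products and scalar powers only."""
    deg = max(len(index[t]) for t in tags) - 1
    out = [enc(0) for _ in range(2 * deg + 1)]
    for t in tags:
        rand = [secrets.randbelow(N) for _ in range(deg + 1)]  # random R_i
        for i, c in enumerate(index[t]):
            for j, s in enumerate(rand):
                out[i + j] = out[i + j] * pow(c, s, N2) % N2   # adds s * P_i[i]
    return out

def query(index, conjunction, n_records):
    enc_q = proxy_combine(index, [tag(a, v) for a, v in conjunction])
    q = [dec(c) for c in enc_q]   # stands in for the server's oblivious decryption
    # Client: roots of Q among the record ids (evaluation instead of factoring)
    return [r for r in range(1, n_records + 1)
            if sum(c * pow(r, k, N) for k, c in enumerate(q)) % N == 0]

# Constructed sample database: record id -> attributes
RECORDS = {1: {"dept": "ops", "city": "Oslo"}, 2: {"dept": "ops", "city": "Rome"},
           3: {"dept": "dev", "city": "Oslo"}, 4: {"dept": "ops", "city": "Oslo"},
           5: {"dept": "dev", "city": "Rome"}}
INDEX = build_index(RECORDS)
```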

 


Slide8

Conserving Bandwidth

- is a wasteful representation
  - Degree ~ 2 max(deg(P_i))
  - High degree needed for Q to not leak information on the P_i’s
- Reducing to max(deg(P_i))+min(deg(P_i)) easy:
  - Say P1 has smallest degree, then set
  - The s_i’s are random scalars, deg(R)=deg(Q’), deg(R’)=deg(P1)
- Can we reduce it further?
  - We show how to get min(deg(P_i))


Slide9

Polynomial GCD

- P1, P2 are (monic) polynomials for the sets S1,S2
- The smallest polynomial defining is
- G does not leak information on P1,P2 beyond the intersection
- Computing Enc(G) from {Enc(P_b)}_b takes high homomorphic capacity


Slide10

Reducing The Degree

- Instead of , use
  - It has degree
  - If Q is a random multiple of G, so is Q’
  - Computing Enc(Q mod P1) is easier
- Basic Solution:
  - Store also
  - Given the encrypted coefficients of Q ()
  - Compute
  - Only takes quadratic homomorphism
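The effect of reducing Q mod P1, shown on plaintext polynomials over a prime field as an added example (not the authors' code, and with no encryption): the remainder keeps the common roots while its degree drops below deg(P1). The modulus, the form Q = sum of R_i·P_i, the function names and the sample sets are assumptions of this sketch.

```python
import secrets

P = 2**61 - 1  # prime plaintext modulus (an assumption of this sketch)

def from_roots(roots):
    poly = [1]
    for r in roots:  # multiply by (X - r); coefficients are low to high
        poly = [(a - r * b) % P for a, b in zip([0] + poly, poly + [0])]
    return poly

def mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out

def poly_mod(f, m):
    """Remainder of f modulo the monic polynomial m (schoolbook division)."""
    f, dm = f[:], len(m) - 1
    for k in range(len(f) - len(m), -1, -1):
        lead = f[k + dm]
        for j, c in enumerate(m):
            f[k + j] = (f[k + j] - lead * c) % P
    return f[:dm]

def roots_in(f, candidates):
    return [r for r in candidates
            if sum(c * pow(r, k, P) for k, c in enumerate(f)) % P == 0]

def combine_and_reduce(sets):
    """Return (Q, Q mod P1) with Q = sum_i R_i * P_i and P1 of smallest degree."""
    polys = sorted((from_roots(s) for s in sets), key=len)
    dmax = len(polys[-1]) - 1
    q = [0] * (2 * dmax + 1)
    for p in polys:
        r_i = [secrets.randbelow(P) for _ in range(dmax + 1)]  # random R_i
        for k, c in enumerate(mul(r_i, p)):
            q[k] = (q[k] + c) % P
    # If the smallest set lies inside every other set, P1 divides Q and the
    # remainder is the zero polynomial.
    return q, poly_mod(q, polys[0])

# Constructed record-id sets for three attr=val tags
SETS = [[3, 8, 21, 30], [3, 5, 8, 13, 21, 34], [1, 3, 8, 9, 21, 40, 41]]
```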

 


Slide11

Reducing The Degree (cont.)

- Storage/homomorphism tradeoff
  - Can store fewer encryptions of by using higher homomorphic capacity
  - E.g., Store ,
  - When deg(Q)=d+m, it takes log m steps to reduce Q mod P1
  - Using


[Figure labels: deg < 2 t; deg < d]

Slide12

Speedup Using Batching

- Recall: an HE ciphertext encrypts an array of L values
  - L is at least a few hundred, maybe more
- Can use it to get significant speedup:
  - Break the database into L small db’s
  - Each record is placed at random in one of the small db’s
  - Run the same query against all the small db’s at once
  - The i’th database in the i’th entry of all the ciphertexts
- So we get L lists of indexes instead of one
  - i’th list has the indexes of the records in the i’th database that match the query
  - Lists are much shorter, so polynomials have much smaller degree


Slide13

Implementing 3-party protocol

- Two implementations:
  - Only the basic scheme using additive cryptosystem (Paillier)
  - The full scheme using the [Bra’12] HE
- Only the 2nd implementation scales to large databases
  - Batching is key
- With and without the bandwidth-reduction GCD trick
  - Without it we need lower homomorphism, smaller parameters
- All tests run against a 1-million record database, executing a 5-attribute conjunction ()
  - Balanced tests: each matches roughly same # of records
  - Unbalanced: matches only ~5% as many as


Slide14

Balanced Queries


[Plots: Time (minutes) and Bandwidth (MB). Annotation: ~2000 matches per tag, 8 minutes, 1MB]

Slide15

Unbalanced Queries – Time (min)


[Chart; labels: (2.5K,2.5K,5K,10K,50K), (10K,20K,25K,50K,200K), (2.5K,2.5K,5K,5K,350K)]

Slide16

Unbalanced Queries – Bandwidth (MB)


[Chart; labels: (2.5K,2.5K,5K,10K,50K), (10K,20K,25K,50K,200K), (2.5K,2.5K,5K,5K,350K)]