Optimal Rate Private Information Retrieval from Homomorphic - PowerPoint Presentation

Slide1

Optimal Rate Private Information Retrieval from Homomorphic Encryption

Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk and Qiang Tang

Estonian Theory Days, Oct 2, 2015Slide2

motivation

I am

boooored

I want to watch a movie

Bob sells them!Slide3

motivation

Yo

, send me “

Teletubbies

”

0x123456789ABCDEF…

Accompanied with a payment

But Bob thinks I am a cool guy, I don’t want him to know I watch “

Teletubbies

”Slide4

Computationally private information retrieval

Encrypt

pk

(index)

Encrypt

pk

(movie[index])

Generates

pk

,

sk

Uses

sk

to decrypt, obtains movie[index]

n

movies, each

ℓ

bitsSlide5

Requirements

Encrypt

pk

(index)

Encrypt

pk

(movie[index])

Correctness:

Alice obtains movie[index]

Bob’s privacy:

Alice obtains

only

movie[index]

Alice’s privacy:

Bob obtains no information about index

Efficiency:

It should be communication-wise and computation-wise efficientSlide6

Rate

Rate:

Useful information:

index + movie

Important in this context since

ℓ

= |movie|

is huge

Gigabytes in the case of HD movies

Rate

1 / 2

means transferring (say) 8 GB instead of 4 GB

= log

2

n

+

ℓ

bitsSlide7

Goal of this work

Achieve optimal rate 1 – o (1)As close to 1 as possibleSo we get a good rate for practically relevant values of

ℓ

S

ome loss due to added privacySlide8

Previous work: Rate of

(N, ℓ)CPIR

Focus was on minimizing communication as a function of

n

Rate

[Lipmaa, 2005]

1 / (log

2

n + 1)

– o (1)

[Gentry, Ramzan 2005]1 / 4 –

o (1)[Lipmaa, 2009]

1 / 2 – o (1)Slide9

Previous work: Rate of (

N, ℓ)CPIR

Rate

[Lipmaa, 2005]

1 / (log

2

n

+ 1)

– o (1)[Gentry,

Ramzan 2005]

1 / 4 – o (1)

[Lipmaa, 2009]

1 / 2 – o (1)This work

1 – o (1)

Focus was on minimizing communication as a function of

n

Focus on minimizing communication as a function of

ℓ

Slide10

Efficient (

w, ℓ)CPIRWe use (w,

ℓ

)

CPIR from [Lipmaa 2005]

F

or any

ℓAlice transfers w – 1

ciphertexts, (w

– 1) (ℓ +

k)

bitsBob transfers one ciphertext, ℓ

+ k bitsRate (approx.):

ℓ / (wℓ) – o (1) = 1 /

w – o (1)Best rate (w

= 2

):

1 / 2 –

o

(1)

Recursive construction relies on Bob’s message being short

k

– security parameter (key length)

Requires rate-optimal additively homomorphic PKC (

Damgård-Jurik

)Slide11

(oblivious) decision tree

x2

x

3

x

2

x

1

x

1

x

1

x

1

……Slide12

private decision tree

x2

x

3

x

2

x

1

x

1

x

1

x

1

……

2CPIR(

x

1

,

)

( )

( )

D

0

D

1

D

2

D

3

D

4

D

5

D

x

1

D

2+x

1

D

4

+x

1

D

6

+x

1

2CPIR(

x

2

,

)

)

(

D

x

1

+2x

2

D

4+x

1

+2x

2

2CPIR(

x

3

,

)

D

x

1

+2x

2

+4x

3

Generalization:

use

w-

ary

tree instead of binarySlide13

Communication

Communication of [Lip05]:rec5 (w, n, ℓ

,

k

)

= (

ℓ

+ (log

w n + 1)k

/2) (w – 1)

logw

n sen5 (w

, n, ℓ,

k) = (ℓ / k + logw

n) k = ℓ + k

log

w

n

Rate of [Lip05]:

(

ℓ

+

log

2

n

) / (rec5 + sen5)

= 1 / ((

w

–

1)

log

w

n

+ 1)

–

o

(1)

Optimal when

w

= 2

:

1 / (log

2

n

+ 1) –

o

(1)

Alice

BobSlide14

Known optimization: Piece-wise cpir

For some t, execute in parallel t copies of (

w

,

ℓ

/

t

)CPIR

rec9 (w,

n, ℓ,

k) = rec5

(w, n

, ℓ / t

, k) = (ℓ

/ t + (log

w

n

+ 1)

k

/

2)

(

w

– 1)

log

w

n

sen9

(w

,

n

,

ℓ

,

k

) =

t

sen5

(

w

,

n

,

ℓ

/

t

,

k

) =

ℓ

+

kt

log

w

n

Rate:

(

ℓ

+

log

2

n

) / (rec +

sen

) =

t

/ ((

w

– 1)

log

w

n + t

) –

o

(1)

t

must be independent of

ℓ

[Lip09] recommendation: if

w

=

2,

t = log

2

n

, then

rate = 1 / 2 –

o

(1)

Alice

BobSlide15

Our approach

x2

x

3

x

2

x

1

x

1

x

1

x

1

……

D

0

D

1

D

2

D

3

D

4

D

5

ℓ

=s

1

k

bits

t

1

pieces,

Each

s

1

k

/

t

1

bits

t

1

pieces, each

(

s

1

+1)

k

/

t

1

bits

t

2

pieces, each

s

2

k

/

t

2

bits

(s

1

+1

)

k

bits

t

2

pieces, each

(

s

2

+1)

k

/

t

2

bits

t

3

pieces, each

s

3

k

/

t

3

bits

….

(s

1

+1

)

k

bitsSlide16

Communication + optimizing

Communication for m = logw n:

com

(

w

,

m

, s

, k, ℓ)

=(w

- 1) k

(∑i=1…m s

i + m

) + ℓ ∏i=1...m

(1 + 1/si)Using multivariate optimization:Optimal choice

s

1

= … =

s

m

=:

s

com (

w

,

m

,

s

,

k

,

ℓ

) = (

w

- 1)

k

(

s + 1)

m

+

ℓ

(

1 +

1/

s

)

m

Optimal

s

:

When

∂

com / ∂

s = (

w

– 1)

mk

–

m

(

s

+ 1)

m

-1

/ s

m+1

ℓ

= 0Slide17

Communication + optimizing

Alternatively: fm (s, σ

) = 0

where

f

m

(x

, y) := yx

m+1 – (

x + 1)m

-1σ = (

w – 1) k / ℓ

Optimal s: root of a degree-(m+1) polynomial

Abel-Ruffini: cannot find roots for m > 3 In practice m

< 15

but still…

Abel-

Ruffini

: cannot solve degree-(

m

+1) polynomials in general. We use Galois theory to show that we cannot even do it for

f

4

(

x

, 1)Slide18

Rest of the paper

Use the Newton-Puiseux algorithm to find series for optimal ss = ∑

i

=0,…

c

i

σ(

i - 1)/2 =

σ

-1/2 + (

m – 1) / 2 – (m

2 – 1) σ1/2

/ 8 + O (σ)

σ

= (

w

– 1)

k

/

ℓSlide19

Rest of the paper

Communication with this s:

Rate with this

s

:

Optimal

w

= 5

, rate:

σ

= (

w

– 1)

k

/

ℓ

m

=

log

w

n

Quinary

decision trees?!Slide20

Uh…?!

In practice:Suffices to find an integer approximation of sWe show σ -

1/2

<

s

<

σ

-1/2 + (

m – 1) / 2We find optimal integer

s

by using Boolean search≈ log2

m ≈ log2

log2 n steps… in practice up to 3 stepsSlide21

Numerical examples

ℓInteger

s

rate

200

k

= 409.6 KB

10

0.27013

1200 k = 2.4576 MB20

0.511077

104 k = 20.48 MB

530.7653466.95 * 10

4 k = 142.3MB1350.901275

105 k = 204.8 MB

162

0.915617

10

6

k =

2.048 GB

503

0.971661

10

7

k =

20.48 GB

1585

0.991067

k

= 2048

w

= 5

n

= 5

7

=78125Slide22

PRACTICE => Theory => Practice

Getting an asymptotically good rate is importantGetting o in 1 – o (1) as small as possible is more important

Rate

> 0.9

for realistic movie sizes!

Nice math is also important

Slide23

Generalization: rate-optimal hom

. Enc.

(

w

,

ℓ

)

CPIR

with rate-optimal output

Rate-optimal

(

w

m

,

ℓ)CPIR

Rate-optimal additively

homomorphic PKC

Rate-optimal homomorphic PKC for

p

oly-size decision diagrams

Decision tree

Decision diagramSlide24

Thank you!