Send Heterogenous Time with airSlate SignNow

Send heterogenous time

hi I'm Deema a fourth-year PhD student at Stanford working with Dan Bonilla and today I will be talking about private information retrieval with sublinear online time this is joint work with Henry Corrigan Gibbs thank you for watching this virtual presentation and I hope you enjoy it in this work we present a new method for making PIR faster specifically our in UPI our schemes push the bulk of the work to a preliminary offline phase during which the client fetches a short string from the server in a subsequent online phase the client can privately query the database and the server can respond to the query very quickly in time sublinear in the database size moreover our schemes do not require any additional storage on the servers first let me give you a little bit of background about PIR private information retrieval introduced by Shaw Godhra Kushi Levitt and Sudan is a cryptographic protocol between a database and a client that allows the client to read any records in the database without the database server learning which record the client is reading and throughout this talk we will model our database as an n-bit array meaning each record is only a single bit however using standard techniques PIR can be applied to databases with larger records as well as to key value databases rather than plain arrays PIR is useful in scenarios where the users query contains some sensitive information for instance a query to a database of medical conditions might reveal some information about the user's disease and a query to a database of stock prices may contain information about the user's financial interests and in both cases the user would ideally want to keep his query private Pierre is also useful as a building block in larger privacy preserving systems for applications such as private messaging search or DNS more formally a PIR protocol has to satisfy the following properties first correctness meaning that an honest client interacting with an honest server should learn the correct value of its bit of interest and second security meaning that the server should learn nothing about which bit the client is reading and as always learns nothing means that the view of the server when the client is reading beat I should be in English Bible from the view of the server when the client is reading BJ and actually there is a trivial protocol that meets both of these requirements the client can simply download the entire database and perform its query locally however downloading the entire database is impractical in most settings so we would want the protocol to be efficient meaning that the total communication between the server and the client should be minimized and indeed these requirements can be met the same work that introduced PIR also presented a protocol that achieves sub linear communication by replicating the database on two or more non colluding servers and ever since there has been a long line of work improving the communication complexity of multi server PIR and today the best PIR protocols have communication complexity and to the little of one and they provide information theoretic security moreover if we settle on computational security recent protocols achieve logarithmic communication just from one-way functions in addition soon after the original multi server PIR paper crucial evidence trotsky showed that one can build PIR with only a single server but here computational assumptions are necessary today we know how to build PIR with poly logarithmic communication complexity in the single server setting from a wide range of public key assumptions so it seems that in terms of communication our situation is actually very good however the situation is not as good if we look at computation in fact in the protocols on the last slide a server needs to scan the entire database to respond to a query and in practice doing linear work on every query is very expensive it turns out this is in some sense inherent since the expected server work in any PIR protocol must be linear in the database size the intuition is that a server must touch every bit of the database since if it doesn't touch one of the bits while it is responding to a query it can guess that this ant touch bit is not the bit the client is attempting to read and although it is not at all trivial it also holds in the multi server setting there have been several approaches to reduce the server work in PIR may somehow circumventing this lower bound a very promising approach is called PIR with pre-processing where the basic idea is that the servers store the database in encoded form and using this encoding they can respond to user queries much faster than in linear time the catch is that now this encoding of the database which the servers need to store is much much larger than the original database so for instance to get query time and to the point 6 using this approach the servers need to store code words that have length larger than n cubed and this is not very practical for databases that are a gigabyte in size there have also been other approaches that reduce the server's work in PIR by batching queries charting the database relaxing the privacy guarantees or moving the more expensive part of the work to an offline phase however the overall amount of online work in all of these approaches is still linear in the database size so the plan for the rest of this talk is first I will define the offline online model then I will present our results in more detail then in the main technical part I will explain the main ideas behind our two server PIR construction in the end I will talk a little bit about the single server setting and then I will conclude but let's start by defining the model for simplicity we will be working in the two server setting and we will refer to our two servers as the left server and the right server and crucially we assume that the two servers are non colluding meaning that the adversary controls at most one of the two servers our scheme start with an offline phase in the offline phase the client interacts with the left server who provides it with a hint which is a string that depends on the database itself the length of the hint has to be sub linear in the database size as otherwise the hint could just be the entire database and to give you a preview in our constructions the hint will be about square root and bits in length to produce this hint the server does need to perform a linear amount of work but the key point is that this phase can take place before the client has decided on which bit it wants to read from the database so the server has much more flexibility to perhaps run this phase overnight and without any strict latency requirements so after completing the offline phase the client stores this hint and waits for the online phase to begin and note that unlike in da ER with pre processing approach the server's don't use any extra storage and in fact they just store the database in its original form and then the second phase is the online phase here the client decides and the actual input index I the index of the element from the database it wants to read and it uses the locally stored hint to generate the query to the other server the right server and the response to this query together with the hint allow the client to recover the bit of interest X sub I and crucially the server's work in this phase as well as the communication between the client and the server has to be sub linear in the database size I should mention that an offline online model has been considered in the past yet previous schemes in this model either have linear online time or require additional storage on the server so now we can state our results in a bit more detail our first result is a two server offline online PIR scheme with square root communication and square root online time and for simplicity throughout this talk I will avoid explicitly writing factors that are polynomial in the security parameter lambda and poly logarithmic in the database size n so when we talk about square root of what we really mean is Oh tilde of square root of n times some polynomial in lambda and this construction uses only basic symmetric key primitives so it is concretely efficient the construction also has the extra property of allowing to execute multiple online queries without having to redo the offline phase from scratch each time and this means that the linear cost of the offline phase can be further amortized across multiple queries our second result is a single server of an online PR scheme which uses n to the 2/3 communication and into the 2/3 online time in terms of assumptions what we need here is black box use of any single server PIR scheme with low communication and additively homomorphic encryption and both of these can be built from a variety of public key assumptions if we are willing to use heavier tools namely fhe then we can recover back the square root of n running time and an extra property of our single server scheme is that it doesn't require any public key operations in the online phase which makes the online phase even faster a drawback that our single server scheme has is that unlike the two server scheme it requires a separate execution of an offline phase before each query and finally we give a lower bound for offline online PIR schemes in this model where the server's need to store the database in its original form specifically we show that the product of the communication C and the online time T must be at least linear in the database size and this matches our two server scheme and the fhe based single server scheme and I should say that this lower bound holds even in the computational setting so now we proceed to the main technical part of the talk and we'll see how the two server scheme works so let's start with the offline phase here the client chooses M random subsets for a parameter M that we will set later so these are these are M subsets where each subset contains square root n independent random elements from the universe of 1 through n and then what the client does it sends those sets to the left server and the easily sending this amount of information would take too much communication so we could either generate those sets using some shared randomness between the left server and the right server or we can just use a pseudo-random generator and then the client only needs to send a seed to the left server so yeah when the server receives this M set for each of the sets it computes the parity of the database bits that are indexed by the set so overall it computes M such parity bits one for each set and sends them back to the client and what the client does it stores the collection of the set and their parities as the hint so the heat hint contains a collection of sets and their parity bits and that's the entire offline phase notice that there is no index I in the picture so everything here is completely independent of any particular particular database index and this can happen offline now we move on to the online phase here the client decides which index I it wants to read from the database and the first thing it does is to look for a set in its local collection that contains the index of interest I if none of the sets contain index I then the client fails and we will later see how to deal with all these failures if such a good set SJ does exist then the basic idea is that the client removes element I from set and send the set as prime which we call the punctured set to the right server except that with some small probability of roughly 1 over square root of n the client actually does something different it sends to the right server a random set s Prime that does contain index I and this is also considered a failure which we will account for later in any event the right server receives from the client the set S prime which has size square root n minus 1 and just like the left server did before it computes the parity of the database bits indexed by this set and sends back the parity bit back to the client and now the client has two bits it has the parity bit H J from the hint and it has the answer with a from the right server so the client just outputs there some mod - and note that HJ is the sum of all the database bits in the set s J and the bit a is the parity of all those same bits except big X I since the client removed index I from the set as J therefore the sum of those two bits is exactly the bit of interest X I and that's the construction ok so now let's go back and look at those two failure events so the first failure event is when the collection of sets doesn't cover all indices and here's where we choose the number of sets little m to be roughly square root n times log n and then by a standard coupon collector argument the failure probability of this first event would be something negligible in N and then the second failure probability it comes directly from our construction which is the event that we send this random set as prime that contains I and consider it is a failure and this happens with probability roughly 1 over square root of n which is also the overall failure probability so what we do next is we actually want to drive down the failure probability even further we want to be negligible in the security parameter lambda so we repeat our entire construction lambda times in parallel and this is not the most tight analysis but in any event now that we have lambda instances the probability that all those instances fail happens with a probability that is negligible in the security parameter lambda and one point that I want to emphasize is that those repetitions they include both the offline phase and the online phase so in fact the client generates lambda independent hints in the offline phase and it repeats this online phase lambda times in parallel completely obliviously of any successes or failures it has in some of those iterations to avoid leaking anything from those failures to the server okay so that's overall we end up with a negligible failure probability and this is the correctness that we want okay so now we turn to doing the sketch of the security proof so first of all the security from the left server is actually pretty immediate the assets that the client sends to the left server they do not depend on the index I in any way so they can't possibly leak anything about index I the security against the right server is trickier since the set SJ clearly depends on index I and here is where the non collusion assumption and this weird-lookin sampling coming to play since they guarantee that the resulting set s Prime is a uniformly random subset of size square root n minus 1 independent of I and therefore hides I from the right server and to see this we can identify the distribution of the set S Prime with the following way to sample a uniformly random set so fix any index I and then a uniformly random set of size square root n minus 1 should contain this fixed I with probability square root n minus 1 over N which corresponds to the first case above and with the remaining probability the set should contain elements which are all distinct from I and this is what happens in the second case where we explicitly remove AI from the set s J so overall the set s prime is independent of I which shows security from the right server and just one more thing if we generate all the sets using a PRG rather than using true randomness then we simply lose some negligible distinguishing advantage but the argument is basically the same let's now look at the efficiency of our protocol the communication in the offline phase consists of the client sending square root and random sets which we assume we can shrink using either a PRG or shared randomness and the server sends back square root and parity bits so the total communication in the offline phase is square root of n in the online phase the client just needs to send a single punctured set to the right server and get back one parity bit so the total communication is also square root of n in terms of computation the offline phase is linear since the server needs to process all the sets and the online phase runs in time square root of n since the server just needs to process a single set next I want to discuss a main feature of our two server scheme which is that it amortizes the linear cost of the offline phase by running multiple successive online queries without having to redo the offline phase each time the problem in naively running multiple queries as is is that the client must be careful not to reuse the same set SJ for two different reads if the client would accidentally do that then from the symmetric difference between the two appearances of the same set the server would be able to learn the clients indices so instead the idea is that we refresh the hint by sampling a replacement set as new and then fetch the parity of this new set from the left server and we need to be careful to sample the new set in a way that preserves the joint distribution of the sets in the collection to provide correctness guarantees for future queries and also everything needs to be done in a way that hides index I from the left server this refreshing procedure can be done any polynomial number of times and the bottom line is that now preparing for the next query only takes square root n time rather than linear time which is what redoing the offline phase from scratch each time would have cost us so to sum up the two server results we show the scheme with square root n communication online time and even amortize total time per query the client storage and running time in our scheme is square root n and the scheme requires either pseudo-random generators or shared randomness between the client and the Left server we also have extensions to our scheme such as trading off communication for online time and vice versa and there's also a statistical security variant that works even when there is no shared randomness finally using punctual pseudo-random functions we can have the client send only a short description of a punctured set which shrinks the communication in the online phase to only log in the resulting scheme is highly efficient in terms of communication so the clients running time is not as good as before the last thing I want to talk about before I conclude is to give you an idea of how our single server scheme works the general idea is that we want to transform our two server of an online scheme into a single server scheme by running both phases on the same server however this breaks security which crucially relies on no single server seeing both the offline and online queries to work around this the client encrypts the offline query using homomorphic encryption and the server evaluates the offline phase without seeing the clients query in the clear the online phase remains the same as before and here we have two options we could either use fully homomorphic encryption which preserves the asymptotic running time of square root of n or we can use an additive glioma morphic encryption scheme but then having to express the scheme as a linear transformation forces us to use a less efficient representation of the sets which results in a worse asymptotic running time of n to the 2/3 the advantage is that the second scheme is concretely more efficient so to summarize we have seen the new type of PIR schemes that get sampling your online time and requiring no additional storage on the server in the paper we also have a lower bound for this model which we prove using a reduction from a classic problem by au and finally I want to mention two open problems first it would be great to get schemes with better running time on the clients end in our scheme with log and online communication the clients running time is n to the 5 over 6 it would be great to make the client more efficient and second one limitation of the offline online model is that the offline phase is separate for each client it would be very interesting to be able somehow amortize the offline cost across multiple mutual distrusting clients and with this I'll conclude