6.2 Private Information Retrieval
6.2.1 PIR Based on the Phi-Hiding Problem
The Phi-Hiding PIR scheme consists of three algorithms. These are a query generator, a database algorithm, and a response retriever. The query generator encrypts the query $i$ in such a way that bit $b_i$ can be privately retrieved from $B$. Of course, $i$ is not encrypted in the usual sense, but it is nonetheless concealed from the database administrator. The outputs of this algorithm are a query $q$ that hides $i$ as well as a secret $s$ that can be used to recover bit $b_i$. The database algorithm takes the database $B$ as input as well as $q$ and applies the query to each entry in the database. The end result of this computation is a response $r$. The value $r$ is returned in response to the query. Finally, the value $r$ and the secret $s$ are supplied to a response-retrieving algorithm. This algorithm outputs bit $b_i$. This PIR is a two-round scheme since $q$ is given to the database administrator in round one and $r$ is returned in round two.
The intuition behind the scheme is as follows. A schema is given that allows a sufficiently large prime number $p_j$ to be constructed deterministically for each database entry $j$. Hence, the database entries $1, 2, \ldots, n$ will correspond to primes $p_1, p_2, \ldots, p_n$. With overwhelming probability these primes will be distinct. The user wants to obtain the bit in entry $i$ of the database without revealing $i$. The prime that is used to obtain this bit is $p_i$. A composite $m$ is then constructed that is tailored after this prime. It is crafted in such a way that $p_i$ divides $\phi(m)$ evenly, yet $m$ is difficult to factor even when $p_i$ is known. A value $x$ is then chosen uniformly at random from $\mathbb{Z}_m^*$. With overwhelming probability $x$ will not have $p_i^{\mathrm{th}}$ roots modulo $m$. A value in $\mathbb{Z}_m^*$ that does not have $p_i^{\mathrm{th}}$ roots modulo $m$ is construed as a binary zero. Hence, with overwhelming probability $x$ will be a binary zero. The database administrator is given the schema to compute the primes as well as $x$. The administrator uses the schema to compute $p_1, p_2, \ldots, p_n$ and sets $x_0 = x$. To retrieve the entry, the administrator computes $x_j = x_{j-1}^{p_j^{b_j}} \bmod m$ and returns $x_n$ to the user. With overwhelming probability the transformations on $x$ will leave $x_n$ as a binary zero unless $b_i = 1$, in which case $x_n$ will have a $p_i^{\mathrm{th}}$ root, thereby making $x_n$ a binary one. So, there is a forced correlation between bit $b_i$ and whether or not $x_n$ has $p_i^{\mathrm{th}}$ roots.
The scheme utilizes a security parameter $k$. This value must be chosen such that $k > (\log n)^2$. It is not uncommon in a formal cryptographic algorithm to provide $1^k$ as input. Recall that this is the binary string that consists of $k$ binary 1's. The reason for this is to provide a suitable setting for measuring the running time of the algorithm. When $1^k$ is provided as input, it becomes meaningful to say that the algorithm runs in time that is polynomial in the length of its input, no matter how tiny the usual inputs to the algorithm are. So, this custom is utilized in the descriptions of these algorithms.
The algorithm for the query generator is given below. It utilizes the subroutines PrimeGenerator and PhiHide that are subsequently described. Also, the parameter $f$ is covered in Appendix B.3.6.
QueryGenerator($n, i, 1^k$):
input: integer $n$ (number of bits in the database $B$)
       integer $i$ satisfying $1 \le i \le n$
output: a query $q = (m, x, Y)$ where:
            $m$ is a composite that is $k^f$ bits in length
            $x$ contained in $\mathbb{Z}_m^*$
            $Y$ which consists of $k^3$ $k$-bit strings
        secret $s$ which is the factorization of $m$
1. generate random $k$-bit strings $y_0, y_1, \ldots, y_{k^3-1}$
2. set $Y = (y_0, y_1, \ldots, y_{k^3-1})$
3. compute $p_i$ = PrimeGenerator($n, i, Y, 1^k$)
4. compute $(Q_1, Q_2)$ = PhiHide($f, p_i, 1^k$)
5. compute $m = Q_1 Q_2$
6. choose $x$ randomly from $\mathbb{Z}_m^*$
7. output $q = (m, x, Y)$ and $s$ and halt
Algorithm PrimeGenerator generates a prime in a deterministic fashion based on the values $a$ and $Y$. It utilizes a deterministic primality testing algorithm [5].
PrimeGenerator($n, a, Y, 1^k$):
input: integer $n$ (number of bits in the database $B$)
       integer $a$ satisfying $1 \le a \le n$
       $Y$ which consists of $k^3$ $k$-bit strings
output: a $k$-bit prime $p_a$
1. for $j = 0$ to $2^{k - \log n}$ do:
2.     set $A$ to be the $(\log n)$-bit representation of $a$
3.     set $J$ to be the $(k - \log n)$-bit representation of $j$
4.     set $\sigma_{aj} = A \| J$
5.     compute $z_j = \sum_{\ell=0}^{k^3-1} y_\ell \, \sigma_{aj\ell} \bmod 2^k$
6.     if $z_j$ is prime then output $p_a = z_j$ and halt
7. output $p_a = z_j$ and halt
A composite integer $m$ is said to φ-hide a prime $p_a$ if $p_a$ divides $\phi(m)$ evenly. It is implicitly assumed that $m$ is difficult to factor completely. Algorithm PhiHide is used to φ-hide $p_a$ within the composite $m$.
PhiHide($f, p_a, 1^k$):
input: integer $f$
       $k$-bit prime $p_a$
output: the factorization $s = (Q_1, Q_2)$ of a composite $m = Q_1 Q_2$ where $m$ is $k^f$ bits in length
1. repeatedly choose a random $(k^f - k)$-bit integer $q_1$ until $Q_1 = p_a q_1 + 1$ is prime
2. choose a random $k^f$-bit prime $Q_2$
3. output $s = (Q_1, Q_2)$ and halt
The tractability of PhiHide holds under the Phi-Sampling assumption (see Appendix B.3.7). Under the Extended Riemann Hypothesis, algorithm PhiHide runs in expected polynomial time in $k^f$. The database administrator runs DatabaseAlgorithm that takes the database $B$ and query $q$ as input.
DatabaseAlgorithm($B, q, 1^k$):
input: database $B = b_1 b_2 \cdots b_n$ consisting of $n$ bits
       query $q = (m, x, Y)$
output: a response $r$ contained in $\mathbb{Z}_m^*$
1. set $n = |B|$
2. set $x_0 = x$
3. for $j = 1$ to $n$ do:
4.     compute $p_j$ = PrimeGenerator($n, j, Y, 1^k$)
5.     compute $e_j = p_j^{b_j}$
6.     compute $x_j = x_{j-1}^{e_j} \bmod m$
7. output $r = x_n$ and halt
The value $r$ is then sent back to the entity that submitted the query $q$. Once obtained, the entity runs algorithm ResponseRetriever on $r$ and the secret $s$.
ResponseRetriever($n, i, (q, s), r, 1^k$):
input: integer $n$ (number of bits in the database $B$)
       integer $i$ satisfying $1 \le i \le n$
       query $q = (m, x, Y)$
       secret factorization $s = (Q_1, Q_2)$
       response $r \in \mathbb{Z}_m^*$ obtained from database administrator
output: a bit $b$ such that $b = b_i$ with overwhelming probability
1. compute $p_i$ = PrimeGenerator($n, i, Y, 1^k$)
2. compute $t = \frac{(Q_1 - 1)(Q_2 - 1)}{p_i}$
3. compute $w = r^t \bmod m$
4. set $b = 0$
5. if $w = 1$ then set $b = 1$
6. output $b$ and halt
The probability that a random element in $\mathbb{Z}_m^*$ has a $p_i^{\mathrm{th}}$ root modulo $m$ is exponentially small in $k$. Observe that ResponseRetriever returns $b = 1$ if and only if $r$ has $p_i^{\mathrm{th}}$ roots modulo $m$.
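The two-round exchange above, run end to end at toy sizes, as an added example that is not code from the book. Assumptions: 32-bit primes and 64-bit factors stand in for $k$ and $k^f$ (far too small to resist factoring), a SHA-256 derivation from a random seed Y replaces PrimeGenerator's sum over Y, and all function names and the sample database are constructed for this illustration.

```python
import hashlib, math, secrets
K, BITS = 32, 64  # toy sizes (assumed): K-bit primes p_j, BITS-bit Q1 and Q2
SAMPLE_DB = (1, 0, 1, 1, 0, 0, 1, 0)  # constructed 8-bit database B

def is_prime(n):  # Miller-Rabin; these 12 bases are deterministic for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    def witness(a):  # True when base a proves n composite
        x = pow(a, (n - 1) >> s, n)
        return x not in (1, n - 1) and all(pow(x, 2**r, n) != n - 1 for r in range(1, s))
    return not any(witness(a) for a in bases)

def prime_generator(a, Y):  # deterministic K-bit prime p_a; SHA-256 replaces the page's sum
    for j in range(1 << 20):
        h = hashlib.sha256(Y + a.to_bytes(4, "big") + j.to_bytes(4, "big")).digest()
        z = int.from_bytes(h[:K // 8], "big") | (1 << (K - 1)) | 1
        if is_prime(z):
            return z

def phi_hide(p):  # s = (Q1, Q2) with Q1 = p*q1 + 1 prime, so p divides phi(Q1*Q2)
    Q1 = Q2 = 0
    while not is_prime(Q1):
        Q1 = p * (secrets.randbits(BITS - K) | (1 << (BITS - K - 1))) + 1
    while not is_prime(Q2) or Q2 == Q1:
        Q2 = secrets.randbits(BITS) | (1 << (BITS - 1)) | 1
    return Q1, Q2

def query_generator(i):  # returns query q = (m, x, Y) and secret s = (Q1, Q2)
    Y = secrets.token_bytes(32)
    Q1, Q2 = phi_hide(prime_generator(i, Y))
    m, x = Q1 * Q2, 0
    while math.gcd(x, m) != 1:
        x = secrets.randbelow(m)
    return (m, x, Y), (Q1, Q2)

def database_algorithm(B, q):  # x_j = x_{j-1}^(p_j^b_j) mod m; response r = x_n
    m, x, Y = q
    for j, b in enumerate(B, start=1):
        x = pow(x, prime_generator(j, Y) ** b, m)
    return x

def response_retriever(i, q, s, r):  # b = 1 iff r^(phi(m)/p_i) = 1 mod m
    t = (s[0] - 1) * (s[1] - 1) // prime_generator(i, q[2])
    return int(pow(r, t, q[0]) == 1)

def retrieve(B, i):  # one full two-round exchange for index i
    q, s = query_generator(i)
    return response_retriever(i, q, s, database_algorithm(B, q))
```

The database side touches every entry and sees only (m, x, Y), so the work it does is the same for every index; only the holder of (Q1, Q2) can compute the exponent t.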