dvir.pptx

(1)

2-Server PIR with

sub-polynomial

communication

Zeev Dvir

Princeton University

Joint work with Sivakanth

(2)

Private Information Retrieval [CKGS98]

User

𝒂

_𝒕

=

?

Server

User wants to retrieve without revealing to

(3)

User

𝒂

_𝒕

=

?

Server

Formally: The distribution of

messages sent by the user do not depend on

(4)

Two broad types of protocols:

Single Server + Cryptographic assumptions

(5)

Focus of this talk: 2-Server PIR

(hardest)

𝒂

𝒕

=

?

Server 1

Server 2

Distribution of messages sent

to each server is independent

(6)

(hardest)

𝒂

𝒕

=

?

Server 1

Server 2

Simplest: One round most protocols)

* User sends one message to each server

(7)

(hardest)

𝒂

𝒕

=

?

Server 1

Server 2

Perfect correctness : User always

(8)

Upper bounds:

# Servers Cost Ref method

) [CGKS95 ,BI01, WY05]

Low degree polynomials +Composition ) [CGKS95]

) [Amb97] [BIKR02]

[Yek08, Efr09] Matching-Vector Families

[This work] MV codes viewed as polynomials [DGY10]

(9)

Lower bounds

[WdW05] for 2-Server PIR [RY05] lower bound for 2-server bilinear group-based

schemes.

• _{Captures all previous}

constructions

• _{Our protocol can be made}

bilinear but is not group based*

(10)

Talk Outline

•

Overview of existing

constructions

•

The new protocol

•

PIR and LDCs

(11)

A 6-Server scheme

[Yek08,Efr09,

_{First ingredient: Matching Vector}

DGY10

]

Family

mod 6 iff

[Gro99] Exists with Second Ingredient:

Field , with of order (e.g.

(12)

A 6-Server scheme [Yek08,Efr09,DGY10]

,

mod 6 iff of order

Database User wants

¿ 𝜸 ¿𝒌 ≈ 𝒁_𝟔𝒌

User picks random

𝒛

𝒗_𝒕

Restrict of to the `line' :

𝝓 (𝒔 )=𝑷 _𝒂(𝜸 𝒛+𝒔 𝒗𝒕) ,𝒔

=𝟎,𝟏,𝟐, … ,𝟓

Claim: is a degree 5

polynomial in whose value at zero gives

Each server stores values of over

(13)

A 6-Server scheme [Yek08,Efr09,DGY10]

,

𝝓 (𝒔)=𝑷 _𝒂 (𝜸 𝒛+𝒔 𝒗𝒕)

=∑_𝐢𝒏₌_𝟏 𝒂_𝐢(𝜸 _¿¿ 𝒛 + 𝒔 𝒗_𝒕)𝐮𝐢

¿

∑

𝒏_𝐢₌_𝟏

𝒂

_𝐢

𝜸

¿

¿ ∑𝒏_𝐢₌_𝟏 𝒂_𝐢 𝜸 ¿ 𝒛 , 𝒖𝒊>¿ 𝜸

¿

𝒂

_𝒕

𝜸

¿ 𝒛 , 𝒖_𝒕> ¿+

∑

𝟏≤𝒓 ≤ 𝟓

𝒄_𝒓 (𝜸 𝒔)𝒓 ¿

= Degree 5 polynomial such that determines

mod 6

(14)

A 6-Server scheme [Yek08,Efr09,DGY10]

,

Each server stores values of

over ¿ 𝜸 ¿

𝒏 _≈ _𝒁

𝟔

𝒏

𝒛

𝒗_𝒕

𝝓 (𝒔 )=𝑷 _𝒂 (𝜸 𝒛+𝒔 𝒗𝒕)

=𝒈(𝜸𝒔)

Ask Server for

Interpolate the polynomial from

(15)

A 6-Server scheme [Yek08,Efr09,DGY10]

,

Each server stores values of

over ¿ 𝜸 ¿

𝒏 _≈ _𝒁

𝟔

𝒏

𝒛

𝒗_𝒕

𝝓 (𝒔 )=𝑷 _𝒂 (𝜸 𝒛+𝒔 𝒗𝒕)

=𝒈(𝜸𝒔)

Ask Server for

Cost: User sends bits

(16)

Talk Outline

•

constructions

•

The new protocol

•

PIR and LDCs

(17)

High level idea

•

Instead of obtaining values

of at six different points,

try to evaluate at only two

points

•

Inspired by existing

2-server protocol of

[WY05]

(18)

Case study: Restriction

to `real’ lines

𝑷

(

𝒙

_𝟏

,… ,

𝒙

_𝒌

)

∈

𝑭

_𝒒

[

𝒙

_𝟏

, … ,

𝒙

_𝒌

]

with

a

𝒃

𝛁 𝐏

(

𝐱

_𝟏

, … ,

𝒙

_𝒌

)

=

(

𝝏 𝑷

𝝏 𝒙

_𝟏

(

𝒙

)

, … ,

𝝏 𝑷

𝝏 𝒙

_𝒌

(

𝒙

)

𝒉

′

(

𝒕

)

=

¿

𝛁 𝐏

(

𝐚

+

𝐭𝐛

)

,

𝐛

>

¿

Given user can calculate

(19)

`Nicer’ derivatives

(20)

𝑷

(

𝒙

_𝟏

,… ,

𝒙

_𝒌

)

=

𝒙

𝒖

=

𝒙

_𝟏𝒖𝟏

𝒙

𝟐

𝒖_𝟐

⋯

𝒙

𝒌 𝒖_𝒌

𝝏 𝑷

𝝏 𝒙

_𝒊

(

𝒙

)

=

𝒖

𝒊

𝒙

𝟏 𝒖_𝟏

𝒙

_𝟐𝒖𝟐

⋯

𝒙

𝒌 𝒖_𝒌

𝛁 𝐏

(

𝐱

)

=

𝐮

𝒙

_𝟏𝒖𝟏

𝒙

𝟐

𝒖_𝟐

⋯

𝒙

_𝒌𝒖𝒌

=

𝐮

𝒙

𝐮

¿

𝛁 𝐏

(

𝐱

)

,

𝐯

>

¿

<

𝐮

,

𝐯

>

𝐱

𝐮

Inner product

over

Not mod 6 !!

But let’s pretend for

a second that it

is

mod 6…

(21)

𝝓 (𝒔 )=𝑷 _𝒂 (𝜸 𝒛+𝒔 𝒗𝒕)

=∑_𝐢𝒏₌_𝟏 𝒂_𝐢(𝜸 _¿¿ 𝒛 + 𝒔 𝒗_𝒕)𝐮𝐢

¿

𝒂

_𝒕

𝜸

¿ 𝒛 , 𝒖_𝒕> ¿+

∑

𝟏≤ 𝒓 ≤ 𝟓

𝒄_𝒓 (𝜸 𝒔)𝒓 ¿

𝒈 (𝑺)=𝒄_𝟎+ 𝒄_𝟏 𝑺 +𝒄_𝟐 𝑺𝟐+ … 𝒄_𝟓 𝑺𝟓 𝑺₌𝜸 𝒔

𝒛

𝒗

_𝒕

¿ 𝛁 𝐏_𝐚

(

𝜸𝐳+𝐬 𝐯𝐭

)

, 𝐯

𝐭> ¿ ∑𝐢=𝟏

𝒏 _𝒂

𝐢 ¿ 𝒗 𝒕 ,𝒖𝒊>(𝜸 ¿¿ 𝒛 + 𝒔 𝒗 𝒕)

𝐮_𝐢

¿

“Pretend” mod 6

¿

…

¿

¿ 𝒈′

(

𝜸𝒔

)

=𝒄_𝟏𝜸 +𝟐 𝒄_𝟐𝜸 𝟐+…+𝟓 𝒄_𝟓𝜸 𝟓

(22)

Removing the `pretend mod 6’ :

Matching Vector family over with prime

power ??

Does not exist with

Replace with ?? No of order 6

Solution: Construct a

ring

with

characteristic 6

containing an element

(23)

The ring

𝑹= 𝒁 𝟔

[

𝜸

]

𝜸𝟔−𝟏

Polynomial in with coefficient in modulo the equation

𝒒

(

𝜸

)

=

𝒒

_𝟎

+

𝒒

_𝟏

𝜸

+

…

+

𝒒

_𝟓

𝜸

𝟓

Group ring : Linear

combinations of elements of a (multiplicative) group with coefficients in a ring

𝑹

=

𝒁

_𝟔

[

𝑪

_𝟔

]

(24)

Question: can we check if

given, say:

with

(zero iff is)

(25)

Matrix notation

(

𝒈𝒈′((𝟏𝟏))

𝒈′ ′(𝟏)

𝒈(𝜸)

𝒈′ (𝜸 )

𝒈′ ′ (𝜸 )

)

=

(

𝟏 𝟏𝟎 𝟏 𝟏𝟐 𝟏𝟑 𝟏𝟒 𝟏𝟓 𝟎 𝟏 𝟒 𝟗 𝟏𝟔 𝟐𝟓 𝟏 𝜸 𝜸𝟐 𝜸𝟑 𝜸𝟒 𝜸𝟓

𝟎 𝜸 𝟐𝜸𝟐 𝟑𝜸𝟑 𝟒 𝜸𝟒 𝟓𝜸𝟓

𝟎 𝜸 𝟒𝜸𝟐 𝟗𝜸𝟑 𝟏𝟔𝜸𝟒 𝟐𝟓𝜸𝟓

)

⋅

(26)

Matrix notation

(

𝒈𝒈′((𝟏𝟏))

𝒈 ′ ′(𝟏)

𝒈 (𝜸)

𝒈′ (𝜸 )

𝒈 ′ ′ (𝜸 )

)

=

(

𝟏 𝟏𝟎 𝟏 𝟏𝟐 𝟏𝟑 𝟏𝟒 𝟏𝟓 𝟎 𝟏 𝟒 𝟑 𝟒 𝟏 𝟏 𝜸 𝜸𝟐 𝜸𝟑 𝜸𝟒 𝜸𝟓

𝟎 𝜸 𝟐 𝜸𝟐 𝟑 𝜸𝟑 𝟒 𝜸 𝟒 𝟓𝜸𝟓

𝟎 𝜸 𝟒 𝜸𝟐 𝟑 𝜸𝟑 𝟒 𝜸 𝟒 𝟏𝜸𝟓

)

⋅

(

𝒄𝒄𝟎_𝟏 𝒄_𝟐 𝒄_𝟑 𝒄_𝟒 𝒄_𝟓

)

𝑴

(27)

Over any ring: There always exists a matrix (adjugate) s.t

(

𝒈𝒈′((𝟏𝟏))

𝒈′ ′(𝟏)

𝒈(𝜸)

𝒈′(𝜸 )

𝒈′ ′ (𝜸 )

)

=

(

𝟏𝟎 𝟏𝟏 𝟏𝟐 𝟏𝟑 𝟏𝟒 𝟏𝟓 𝟎 𝟏 𝟒 𝟑 𝟒 𝟏 𝟏 𝜸 𝜸𝟐 𝜸𝟑 𝜸𝟒 𝜸𝟓

𝟎 𝜸 𝟐𝜸𝟐 𝟑𝜸𝟑 𝟒𝜸 𝟒 𝟓𝜸𝟓

𝟎 𝜸 𝟒𝜸𝟐 𝟑𝜸𝟑 𝟒𝜸 𝟒 𝟏𝜸𝟓

)

⋅

(

𝒄𝒄𝟎_𝟏 𝒄_𝟐 𝒄_𝟑 𝒄_𝟒 𝒄_𝟓

)

=𝑴

(

𝒄𝒄𝟎_𝟏 𝒄_𝟐 𝒄_𝟑 𝒄_𝟒 𝒄_𝟓

)

𝑴¿

(

𝒈𝒈′((𝟏𝟏))

𝒈′ ′(𝟏)

𝒈(𝜸 )

𝒈′ (𝜸 )

𝒈′ ′ (𝜸 )

)

=𝑴¿ 𝑴

(

𝒄𝒄𝟎_𝟏 𝒄_𝟐 𝒄_𝟑 𝒄_𝟒 𝒄_𝟓

)

=𝒅𝒆𝒕( 𝑴)

(

𝒄𝒄𝟎_𝟏 𝒄_𝟐 𝒄_𝟑 𝒄_𝟒

𝒄_𝟓

)

?

(28)

A 2-Server scheme

,

mod 6 iff 𝑹=

𝒁 _𝟔 [ 𝜸 ]

𝜸 𝟔−𝟏

Database User wants

Each server stores values of over

¿ 𝜸 ¿𝒌 ≈ 𝒁_𝟔𝒌

User restricts to for random Sends to server

Server sends for all

(29)

Variations:

•

Can use only first order

derivatives

•

Can encode more than

one bit in each coefficient

of

•

Can replace the ring with

•

In general can reduce

(30)

Talk Outline

•

constructions

•

The new protocol

•

PIR and LDCs

(31)

Locally Decodable Codes

[KT00]

Message Encode as

Given corrupted encoding (small)

Can recover a particular bit using only queries to

Challenge: for small, say constant, , find the best

dependence

(𝟎𝟏𝟏𝟎𝟏𝟎𝟏𝟎𝟎𝟏𝟎)

(𝟎𝟏𝟐𝟏𝟎𝟏𝟎𝟐𝟏𝟎𝟎𝟏𝟎𝟎𝟏𝟐𝟏)

(𝟎𝟏𝟏𝟏𝟐𝟏𝟎𝟎𝟏𝟎𝟎𝟏𝟏𝟎𝟏𝟐𝟏)

+

𝒘

𝒂_𝒕=?

Decod er

(w.h.p)

(32)

Locally Decodable Codes

(𝟎𝟏𝟏𝟎𝟏𝟎𝟏𝟎𝟎𝟏𝟎)

(𝟎𝟏𝟐𝟏𝟎𝟏𝟎𝟐𝟏𝟎𝟎𝟏𝟎𝟎𝟏𝟐𝟏)

(𝟎𝟏𝟏𝟏𝟐𝟏𝟎𝟎𝟏𝟎𝟎𝟏𝟏𝟎𝟏𝟐𝟏)

+

𝒘

𝒂_𝒕=?

Decod er

(w.h.p)

𝒔

[Fact] -server PIR scheme

with communication

gives an -query LDC with and alphabet size

(Proof: encode the

message as a list of all possible answers by a server)

[Cor] There exists a

2-query LDC with and

[GKST02,KdW03] for

(33)

Talk Outline

•

constructions

•

The new protocol

•

PIR and LDCs

(34)

Future work (?)

Can we reduce the

communication further by taking more derivatives?_[_Gro99_{] If then there is an MV family}

over of size

(communication cost )

The polynomial has degree . Can ask each server for derivatives of order

Problem: The determinant of is zero!

(35)

Future work (?)

Can we construct larger MV families over ?

We really don't know:

• _{Current upper bounds are*}

*Assuming Polynomial Freiman Ruzsa conjecture in [BDL12]

• _{If tight would give cost PIR}

(36)

(37)