An Oblivious Transfer Protocol with Log-Squared Communication

(1)

An Oblivious Transfer Protocol with Log-Squared

Communication

Helger Lipmaa

1 _{Cybernetica AS, Lai 6, 51005 Tartu, Estonia} 2

Institute of Computer Science, University of Tartu, J. Liivi 2, 50409 Tartu, Estonia

Abstract. We propose a one-round1-out-of-ncomputationally-private informa-tion retrieval protocol for`-bit strings with low-degree polylogarithmic receiver-computation, linear sender-computation and communicationΘ(k·_log2_n₊_`·

logn), wherek is a possibly non-constant security parameter. The new proto-col is receiver-private if the underlying length-flexible additively homomorphic public-key cryptosystem is IND-CPA secure. It can be transformed to a one-round computationally receiver-private and information-theoretically sender-private 1-out-of-noblivious-transfer protocol for`-bit strings, that has the same asymptotic communication and is private in the standard complexity-theoretic model. Keywords. Computationally-private information retrieval, length-flexible addi-tively homomorphic public-key cryptosystem, oblivious transfer.

1 Introduction

During a 1-out-of-n computationally-private information retrieval protocol for ` -bit strings, CPIRn`, Receiver retrieves an entry from Sender’s database S =

(S[1], . . . , S[n]),S[j] ∈ {0,1}`, so that a computationally bounded Sender will not obtain any information on which element was retrieved. The first and up to now the only CPIRn` protocol, CMSn`, with polylogarithmic in n communication was proposed in [CMS99]. Alternatively, based on an earlier work by Kushilevitz and Ostrovsky [KO97], Julien P. Stern [Ste98] proposed another family—that we call

HomCPIRn_`(α)—ofCPIRn` protocols, based on an arbitrary IND-CPA secure addi-tively homomorphic public-key cryptosystem. If sayn < 240_{, then Stern’s protocol} is quite communication-efficient. In particular, for all realistic values ofnand`, it is vastly more communication-efficient thanCMSn_`.

However, the communication ofHomCPIRn_`(α)is not polylogarithmic, and may be even more importantly, it has superpolylogarithmic Receiver’s computation and su-perlinear Sender’s computation in n. In particular, Sender’s superlinear computation makes Stern’s protocol inapplicable for sayn >215_{. This can be compared with} essen-tially constant-time Receiver’s computation and linear-time Sender’s computation in the linear-communicationCPIRn` protocols of [NP01,AIR01]. Construction of an efficient-in-practice (this involves both communication-efficiency and computation-efficiency) and yet polylogarithmicCPIRn` protocol has been a major open problem.

(2)

such that given a public and private key pair of the receiver and a random value be-longing to ans-independent set, the encryption algorithm mapssk-bit plaintexts, for anysand for a security parameterk, to(s+ξ)k-bit ciphertexts for some small integer ξ≥1;ξ= 1in the case of the cryptosystem from [DJ01]. This can be compared to the conventional additively homomorphic public-key cryptosystems [Pai99] that mapk-bit plaintexts toηk-bit ciphertexts for someη≥2.

Now, assume thats=d`/ke. Assume the existence of an LFAH public-key cryp-tosystem with the mentioned properties. We show that for anyα∈[logn], there exists a

CPIRn` protocolLFCPIR n

`(α)with communication(α·(s+ ξ

2(α+ 1))(n

1/α_{−1) +}_s₊

αξ)·kbits. In particular, in the asymptotically optimal caseα= logn, the communica-tion ofLFCPIRn`(logn)is(ξ2·log

2_n_{+ (}_s₊3ξ

2)·logn+s)·k=Θ(k·log

2_n₊_`_·_log_n₎

bits. Moreover, if`≥k·logn, thenLFCPIRn`(logn)has communicationΘ(`·logn) bits with the constant in theΘ-expression being arbitrary close to1; this is very close to the communication of non-private information retrieval,dlogne+`. An important property of our protocols is that they are simple to understand and to implement.

Additionally, we describe some variants of our basic protocol that are especially efficient for particular values of ` andn, and that enable to balance communication and computation. For example, we describe anCPIRn` protocol with communication

(1 +ξ)((n−1)k+`); this results in close-to-optimal communication in the case of small databases but long documents.

If one uses a fast exponentiation algorithm, Sender’s work in a slight variant of

LFCPIRn_`(logn)is equivalent toΘ(n`)·k2+o(1) _{bit-operations; this is optimal in} _n up to a multiplicative constant. Receiver’s work is low-degree polylogarithmic in n, Θ((k·logn+`)2+o(1)₎_{bit-operations, and therefore also close to optimal.}

Our results indicate that in the case of CPIRn` protocols, one should not over-emphasise complexity-theoretic notions like polylogarithmicity, but instead study the communication of a protocol in a very concrete framework. This is best illustrated by the fact that forn ≤ 240_{, the only previous polylogarithmic}_CPIRn

` protocol by Cachin, Micali and Stadler requires more communication then just transferring the whole database. On the other hand, we do not deny that having polylogarithmic com-munication is important in theoretic frameworks. The new protocols, proposed in this paper, are both polylogarithmic (“good in theory”) and require less communication than any of the previousCPIRn` protocols for practically any values ofnand`(“good in practice”).

(3)

We briefly discuss the potentially stronger setting where one needs security against adversaries that work in time poly(n`). Since the Decisional Composite Residuos-ity Problem moduloM can be solved in timeexp(O(1) log1/3M ·(log logM)2/3₎ by using general number field sieve, one must have k = Ω(log3−o(1)(n`)). Thus, if security against such adversaries is required,LFCPIRn_`(logn)has communication Ω(log3−o(1)(n`)·log2n+`·logn). If one comes up with a suitable cryptosystem that has better security guarantees, then the exponent3−o(1)can be improved to2−o(1)or even to1. Additionally, we show thatLFCPIRn`(logn), if based on the cryptosystems from [DJ01,DJ03], has communicationΘ(κ3−o(1) _·_log2_n₊_`_·_log_n₎_{, where}_κ_{is a} security parameter that corresponds to the exponential security level.

Finally, we show that one can transformLFCPIRn_`(α)to a computationally receiver-private and information-theoretically sender-receiver-private one-roundOTn` protocol, with log-squared communication, that is secure in the standard complexity-theoretic model.

An early version of this paper (that in particular had the description ofLFCPIRn_`(α)) was posted on the IACR eprint server [Lip04] in Spring 2004. The conference version has been shortened due to the lack of space. The full version is available from [Lip04].

2 Preliminaries

For at ∈ Z+, let[t]denote the set {1, . . . , t}. All logarithms in this paper will be on base 2, unless explicitly mentioned. Let e be the base of the natural logarithm, that is, lne = 1. For a distribution (random variable)X, letx ← X denote the as-signment ofx according toX. We often identify sets with the uniform distributions on them, and algorithms with their output distributions, assuming that the algorithm that outputs this distribution is clear from the context or just straightforward to con-struct. Letkandκbe two security parameters, wherekcorresponds to the superpoly-nomial security (breaking some primitive is hard in timepoly(k)) andκcorresponds to the exponential security (breaking some primitive is hard in time 2o(κ)_{). Denote} LM[a, b] := exp(a(lnM)b·(ln lnM)1−b). Throughout this paper, we denote Sender’s database size byn, assume that database elements belong to{0,1}` = Z2` for some

fixed positive integer`, and denotes:=d`/ke. We denotesqrtlog(a, b) :=plogab. Assume thatM = p1p2 is a product of two large primes. A numberz is said to be an M-th residue modulo M2 _{if there exists a number}_y _∈ _ZM₂ _{such that} _z ₌ yM _mod_M2_{. The decisional composite residuosity problem [Pai99] (DCRP) is to} distinguishM-th residues from M-th non-residues. The fastest known way to break DCRP is to factor the modulus M, which can be done in time O(LM[(64/9)1/3+ o(1),1/3])by using general number field sieve.

A length-flexible additively homomorphic (LFAH) public-key cryptosystem is a tuple Π = (Gen,Enc,Dec), where (a)Genis a key generation algorithm, that on input1k_, returns(sk,pk), whereskis a secret key andpkis a public key, (b)Encis an encryption algorithm, that on input (pk, s, m, r), wherepk is a public key,s ∈ Z+ is a length parameter,mis a plaintext andris a random coin, returns a ciphertextEncspk(m;r), and (c) Dec is an decryption algorithm that on input (sk, s, c), where skis a secret key,sis a length parameter andcis a ciphertext, returns a plaintextDecs_sk(c). For any

(sk,pk)←Gen(1k₎_{and for any}_s_∈ _Z+_,_Encs

(4)

Ms, whereCsis the ciphertext space andMsis the plaintext space corresponding tos, andRis thes-independent randomness space. We require that for some positive integer a,Cs⊆ Ms+afor everys; we assume thatξis the minimal among sucha’s. Length-flexible cryptosystems not satisfying the latter requirement exist but are not interesting in the context of our application. An LFAH public-key cryptosystemΠ is additively homomorphic if for any key pair(sk,pk), any length parameters, anym, m0_{∈ M}

s= Z]Msand anyr, r

0_{∈ R}_,_Encs

pk(m;r)·Enc s

pk(m0;r0) =Enc s

pk(m+m0;r◦r0), where

·is a multiplicative group operation inCs,+is addition inZ]Ms, and◦is a groupoid

operation inR. We assume thatk= log]M1is the security parameter. For the sake of simplicity, in our computations we will assume that]Ms= (]M1)swithlog]Ms= sk, and that]Cs=]Ms+ξ.

LetΠ = (Gen,Enc,Dec)be a LFAH public-key cryptosystem. We define the ad-vantage of a randomised algorithm A in breaking its IND-CPA security as follows:

Advindcpa_Π,k (A) := 2·Pr[(sk,pk)←Gen(1k₎_,₍_m

0, m1, s)←A(pk), b← {0,1}, r ←

R:A(pk, m0, m1, s,Encpks (mb;r)) =b]−1₂

. Here, the probability is taken over the random coin tosses ofGen,A,Encs_pkand over the choice ofbandr. We say thatΠ is

(ε, τ)-secure in the sense of IND-CPA ifAdvindcpa_Π,k (A) ≤εfor any randomised algo-rithmAthat works in timeτ. Ifτ(k)is polynomial inkandε(k)is negligible ink, then we sometimes just say thatΠis secure in the sense of IND-CPA.

The Damg˚ard-Jurik cryptosystemDJ01from PKC 2001 [DJ01] was the first pub-lished IND-CPA secure LFAH public-key cryptosystem. Assume that M = p1p2 is an RSA modulus. Here, for a fixed length parameter s, Ms = ZMs, R = Z∗_M

and Cs = Z∗_Ms+1, thus log]Cs/log]Ms ≈ 1 + 1/s and ξ = 1. Encryption is defined by Encs_pk(m;r) := (1 +M)m _·_rMs

modMs+1_{, where}_r _← _ZM_{. The}

DJ01cryptosystem is additively homomorphic sinceEncs_pk(m1;r1)·Encspk(m2;r2) =

Encs_pk(m1 +m2;r1r2). The DJ01 LFAH public-key cryptosystem is secure in the sense of IND-CPA, assuming that the DCRP is hard [DJ01]. The Damg˚ard-Jurik cryp-tosystem DJ03 from ACISP 2003 [DJ03] is slightly less efficient than DJ01, with

log]Cs/log]Ms≈1 + 2/s, that is, withξ= 2.

IND-CPA secure LFAH public-key cryptosystems have been used before, in partic-ular, to implement multi-candidate electronic voting [DJ01,DJ03] and large-scale elec-tronic auctions [LAN02] over large plaintext spaces. We use LFAH cryptosystems in a more complicated setup that requires the transfer of encryptions of related plaintexts modulo different length parameters during the same protocol instance.

During a (single-server)1-out-of-ncomputationally-private information retrieval (CPIRn`) protocol for `-bit strings, Receiver fetches S[q] from the database S =

(S[1], . . . , S[n]),S[j] ∈ {0,1}`, so that a computationally bounded Sender does not know which entry Receiver is learning. We do not require Sender to commit to or even “know” a database to which Client’s search is effectively applied. Such a relaxation is standard in the case of protocols like oblivious transfer, computationally-private in-formation retrieval and oblivious keyword search; our security definitions correspond closely to the formalisation given in [NP01,AIR01].

Formally, a one-round CPIRn` protocol Γ is a triple of algorithms,

(5)

context of this paper, deterministic. LetRQ andRT be two distributions, associated withΓ, and letkbe the security parameter. As usually, we assume that the database size nis known to Receiver. The first message,msgq←Query(1k_{, q, n}_;_r

Q), of a protocol run is by ReceiverRec, whereqis his input (index to the database),nis the database size andrQ ← RQis a new random value. The second message is bySen, who replies withmsgt ← Transfer(1k_{, S,}_msgq_;_r

T), where S is her input (the database),msgq is the first message of the protocol, andrT ← RT is a new random value. After the second message, Receiver returns his private output Recover(1k_{, q,}_msgq_,_msgt₎_{. In} general, the communication ofΓ is equal to|msgq|+|msgt|. However, we make a convention that transferring Receiver’s public key—that is a part of several well-known

CPIRn` protocols—does not increase the communication ofΓ. We can do this because the usually very short public key can often be transferred before the actual data itself becomes available; the key can also be shared between many protocol runs. However, we will not prove security in this setting. Note that the communication complexity of information retrieval, without any privacy requirements and with no additional information on the structure of the data that would enable to compress it, isdlogne+`. We say that aCPIRn` protocolΓ = (Query,Transfer,Recover)is correct if for anyn,S ∈ {0,1}n`,q∈[n],Recover(1k_{, q,}_msgq_,_msgt_{) =}_S_[_q_]_{, given that}_msgq_←

Query(1k_{, q, n}_;_r

Q) for some rQ ∈ RQ andmsgt ← Transfer(1k, S,msgq;rT)for somerT ∈ RT. For a randomised algorithmA executing Sender’s part in aCPIRn` protocolΓ and for a positive integern, define

Advcpir_Γ,n,k(A) := 2·max

q0,q1

Pr

"

b← {0,1}, rQ← RQ:

A(1k, q0, q1, n,Query(1k, qb, n;rQ)) =b

#

−1 2

to be the scaled advantage over random coin-tossing thatAhas in guessing, which of the two possible choicesq0andq1was used by the receiver, after observing a single query from Receiver. Here,q0andq1are supposed to be valid inputs toQuery(·,·, n;·). The probability is taken over the coin tosses ofAandQuery, and over the choices ofband rQ. We callΓ a(τ, ε)-receiver-privateCPIRn` protocol, ifAdv

cpir

Rec,n,k(A)≤ε(k, n, `) for any probabilistic algorithmAthat works in timeτ(k, n, `). In Sect. 4, we study an alternative definition whereτis an unspecified value withτ >poly(n`).

The firstCPIRn1protocol with sublinear communication,O(2sqrtlog(2,n)·sqrtlog(2,k)), was proposed by Kushilevitz and Ostrovsky in [KO97]. The first CPIRn1 protocol

(6)

LFCPIRHRn`(0.371·logn) CMSn` HomCPIRn`(sqrtlog(η, n)) AIRn`

log(n)

log(communication

in

bits)

45 40 35 30 25 20 15 10 5

60 55 50 45 40 35 30 25 20 15 10

Fig. 1. Logarithm of communication of some of the previously known CPIR’s on the logarithmic scale inn, assuming thatk= 1024andη= 2. (Except for theCMSn

`protocol that has a security

parameterκ= max(80,log2n).) Here,`= 1024

One can transformCMSn₁ to aCPIRn` protocol by running it`times in parallel (with the same Receiver’s query); thusCMSn_` has communicationΩ(`·log2fn+ log8n). Even if polylogarithmic, the communication of theCMSn_` protocol is larger than just sending the database to Receiver for all relevant database sizes. (See Fig. 1.) In the

CMSn_` protocol, Receiver’s computation is polylogarithmic inn.

The Kushilevitz-OstrovskyCPIRn` was generalised by Julien P. Stern [Ste98]; Stern’s protocol was later rediscovered by Chang [Cha04]. Stern’s CPIRn` is based on an arbitrary IND-CPA secure additively homomorphic cryptosystem Π. Simi-larly to our previous convention, Mis Π’s plaintext space and C is Π’s ciphertext space. Let η := dlog]C/log]Me be the ciphertext expansion ratio of Π; η = 2

for the Paillier cryptosystem [Pai99] and for the Damg˚ard-Jurik cryptosystem from PKC 2001 [DJ01] and η ∈ {2,3}for another cryptosystem by Damg˚ard and Ju-rik [DJ03]. W.l.o.g., assume that Sender’s database S = (S[1], . . . , S[n]) contains n=λα_{entries from}_{0_,_1}`

for some positive integerλand forα∈[logηn]. As always, lets :=d`/ke. As shown in [Ste98], there exists anCPIRn` protocolHomCPIRn`(α) with the communication(ηαn1/α₊_sηα₎_·_k_{bits. In particular, for}_δ_:=_sqrtlog₍_{η, n}₎_,

(7)

byΘ(sn2δ₎_(resp.,_Θ₍_snδ₂δ₎₎_k_{-bit exponentiations. This means that Stern’s CPIR is} computationally less efficient than the Cachin-Micali-Stadler CPIR.

A CPIRn` protocol (Query,Transfer,Recover) is an (computationally receiver-private and information-theoretically sender-receiver-private)1-out-of-noblivious transfer pro-tocol for`-bit strings (anOTn` protocol) if also Sender’s privacy is guaranteed. For the formal definition, we make a comparison to the ideal implementation, using a trusted third party that receives S from Sender, receivesq from Receiver, and sendsS[q] to Receiver. We assume that Receiver receives garbage (that is, a random value from some S-independent setT) ifq 6∈ [n]. We do not need an explicit security definition of a secure oblivious transfer protocol in this paper. (See, for example, [NP01].)

3 New

CPIR

n_`

_{with Log-Squared Communication}

In this section, we use a LFAH public-key cryptosystem Π = (Gen,Enc,Dec) to improve over the concrete and the asymptotic communication (and computation) of

HomCPIRn_`(α), by presenting a familyLFCPIR_`n(α)ofCPIRn` protocols. As always, we defines:=d`/ke.

The basic idea of Protocol 1 is relatively simple. Fixα ∈ [logn]. Assume that the databaseS = (S[1], . . . , S[n]) is arranged as anα-dimensionalλ1 × · · · ×λα hyperrectangle, for some positive integersλj that will be defined later. W.l.o.g., we assume that n = Qα_j=1λj. In the simplest case, α = logn andλj = 2, then the database is just arranged on a2× · · · ×2hypercube. We index every elementS[i]in the database by its coordinates(i1, . . . , iα)on this hyperrectangle, whereij ∈Zλj. I.e.,

S(i1, . . . , iα) :=S[i1· α

Y

j=2

λj+i2· α

Y

j=3

λj+· · ·+iα−1·λα+iα+ 1]

forij∈Zλj. Analogously, Receiver’s query isq= (q1, . . . , qα)withqj∈Zλj.

We use homomorphic properties ofΠto create a new databaseS1that hasα−1 di-mensions, such thatS1(i2, . . . , iα)is equal to an encryption ofS0(q1, i2, . . . , iα), where S0 =S. We use this procedure repeatedly forj ∈[α], to create(α−j)-dimensional databases Sj, where the (s+jξ)k-bit element Sj(ij, . . . , iα) encrypts j times the valueS(q1, . . . , qj−1, ij, . . . , iα). At the end of theαth iteration, Sender has a single

(s+αξ)k-bit elementSαthat is anα-times encryption ofS(q1, . . . , qα) =S[q]. There-fore, it suffices for Sender to just transfer one valueSα, with length|Sα|= (s+αξ)k, to Receiver. After that, Receiver recoversS[q] by decryptingSα αtimes. Thus, the basic idea of the new protocol is similar to that ofHomCPIRn_`(α). SinceΠ is length-flexible, instead of dividing every intermediate ciphertext intoηchunks as in the case ofHomCPIRn`(α), we additively increase the length of the plaintexts. Our underlying observation is thatEncs+ξ_pk (m2;r2)Enc

s

pk(m1;r1) ₌ _Encs+ξ

pk (m2·Encspk(m1;r1);r3) ∈

Ms+2ξ for anym1 ∈ Ms,m2 ∈ Ms+ξ andr1, r2 ∈ R, and for somer3 ∈ R. In particular, it is equal to an encryption of zero if m2 = 0and to a double-encryption ofm1 ifm2 = 1. Protocol 1 depicts the newLFCPIRn`(α)protocol with parameters, optimised for large values of`. Note that hereRQ=R

P

j∈[α]λj _and_R

(8)

Private Input : Receiver hasnandq= (q1, . . . , qα), Sender hasS.

Private Output : Receiver obtainsS(q1, . . . , qα).

Receiver,Query(1k

, q, n;R_Q_):

Generate a key pair(sk,pk)←Gen(1k_).

Forj←₁_to_α_{do, for}_t←₀_to_λ_j−₁_do:

Generaterjt← R.

Ifqj =tthen setbjt←1else setbjt←0.

Setβjt←Enc s+(j−1)ξ

pk (bjt;rjt).

Send(pk,(βjt)j∈[α],t∈Z_λj)to Sender.

Sender,Transfer(1k

, S0,msgq;RT):

Forj←₁_toαdo

Forij+1←0toλj+1−1, . . . ,iα←0toλα−1do:

SetSj(ij+1, . . . , iα)←Q_t∈Z_λjβ

S_j−1(t,ij+1,...,iα)

jt .

SendSαto Receiver.

ReceiverRecover(1k_{, q,}_msgq_{, S}0 α):

Forj←_α_downto₁_{do: Set}_S0

j−1 ←Dec

s+(j−1)ξ sk (S

0 j).

OutputS0

0.

Protocol 1: ProtocolLFCPIRn_`(α)(non-optimised version), for fixedΠ and fixeds. Here,βjt, Sj(ij+1, . . . , iα)∈ Cs+(j−1)ξ

We make the next simple observation that Sender can computeβj,λj−1 by

him-self, by settingβj,λj−1 ← Enc

s+(j−1)ξ pk (1; 0)/

Qλj−2

t=0 βjt; this optimisation is valid sinceQλj−1

t=1 βjtis always an encryption of1. Therefore, in Protocol 1, Receiver does not have to sendβj,λj−1 to Sender. In the most practical case, whereλj = 2, this

optimisation reduces communication by a factor of2. In this case, this optimisation also substantially simplifies some of the oblivious transfer protocols, mentioned later in Sect. 4. In the following, when we talk about theLFCPIRn_`(α)protocol, we always assume that one applies this optimisation. Moreover, recall that the communication of aCPIRn` protocol does not includepk.

Theorem 1. LetΠ = (Gen,Enc,Dec)be an LFAH public-key cryptosystem. Assume thatMs+1 < 2` ≤ Msfor some fixeds ≥1, that Receiver has private inputqand Sender has private inputS= (S[1], . . . , S[n]). Assume thatλj=n1/αfor allj∈[α].

1. For everyα∈[logn], there exists a correctCPIR`nprotocolLFCPIRn`(α)with the receiver-side and the sender-side communicationα(s+ (α+ 1)₂ξ)(n1/α₋₁₎_·_k and(αξ+s)·kbits.

2. LFCPIRn`(logn)has receiver-side communication(ξ2·log

2_n₊₍_s₊ξ

2)·logn)·k= Θ(k·log2n+`·logn) and sender-side communication(ξ ·logn+s)·k =

(9)

Proof. Correctness: clear, since Sj(ij+1, . . . , iα) is an j-times encryption of S(q1, . . . , qj, ij+1, . . . , iα)and thusSα0−1=Sα−1(qα),Sα0−2=Sα−2(qα−1, qα), . . . , S0

i−1=Si−1(qi, . . . , qα), . . . , andS00 =S(q1, . . . , qα).

Communication:The receiver-side communication|msgq|is

α

X

j=1 λ_Xj−1

t=1

(s+jξ)k=

α

X

j=1

(s+jξ)·(n1/α−1)·k=α·(s+ (α+ 1)ξ/2)(n1/α−1)·k

bits. This is asymptotically optimal ins·lognifα= logn.

Computation (in the case (2)):Sender’s work is dominated by 2logn−j exponen-tiations modulo Ms+jξ _{for every} _j _∈ _[2_{, α}_]_{. Assume that a} _k_{-bit exponentiation} can be done in time Θ(ka₎ _{for some} _a_{. Then, Sender’s workload is dominated by} n·Plog_j=2n2−j_·_Θ₍₍_s₊_jξ₎a_ka₎_{bit-operations. Asymptotically in}_n_{, this is equal to} Θ(n)·(sk)a_{; fast exponentiation algorithms result in Sender’s time}_Θ₍_n₎_·₍_sk₎2+o(1)_. Receiver must doλj−1encryptionsEnc_pks+(j−1)ξfor anyj∈[n]. Thus, Receiver’s work isPlog_j=1nΘ((s+ (j−1)ξ)a_ka_{) =}Plogn

j=1 Θ((sa+ (jξ)a)ka) = Θ((s2+o(1)logn+ ξslog2+o(1)n+ξ2+o(1) _·_log3+o(1)_n₎_k2+o(1) _{bit-operations, if using asymptotically}

fast exponentiation algorithms. ut

It is surprising that such a seemingly simple modification ofHomCPIRn`(α)results in the important asymptotic improvement, stated by Thm. 1: namely, using an LFAH public-key cryptosystem where (s+jξ)k-bit plaintexts are encrypted to (s+ (j + 1)ξ)k-bit ciphertexts, we achieve communicationΘ(k·log2n+`·logn), while using an additively homomorphic public-key cryptosystem where(s+j)k-bit plaintexts are encrypted to η(s+j)k-bit ciphertexts, enabled [Ste98] to get communication Θ(`·

sqrtlog(η, n)·2sqrtlog(η,n)₊_k_·_sqrtlog₍_{η, n}_)·2sqrtlog(η,n)₎_{. Additionally,}_LFCPIRn `(n)is also more computation-efficient. These substantial improvements are possible because a LFAH public-key cryptosystem is essentially a new primitive and not just another off-the-shelf homomorphic cryptosystem.

We will prove the receiver-privacy of this protocol later in Section 4. In the rest of this section, we propose some quite important optimisations.

Optimisation for long documents and in Sender’s computation. For long documents,

LFCPIRn`(α)gains even more on the competitors than for short documents. For` = Ω(k·logn), the asymptotic communication ofLFCPIRn`(α)isΘ(`·logn)that is asymp-totically optimal. Note that the constant inside theΘexpression gets arbitrary close to

1. If` > k, then one can executes =d`/keinstances ofLFCPIRn₂k(α)’s in parallel,

with the same Receiver’s message, with the receiver-side and the sender-side communi-cation of respectivelyPα_j=1Pλj−1

t=1 (1 +jξ)k =

Pα

j=1(1 +jξ)·(n1/α−1)·k = α·(1 + (α+ 1)ξ/2)(n1/α₋₁₎ _·_k _and _s₍_αξ _{+ 1)}_· _k _{bits. We call this version}

(10)

is the same as HomCPIRn`(1). A variant like LFCPIRBIGn`(sqrtlog(2, n)) seems to perform reasonably well in the practice, with typically less communication than

HomCPIRn`(sqrtlog(2, n)).

Optimisation for short documents. For short documents, we can apply a different optimisation strategy. As always, let s := d`/ke. Let W be Lambert’s W func-tion, that is, W satisfies the functional identityW(x)eW(x) ₌ _x_{. First, we can use}

LFCPIRn_`(α0·logn)withα0 = ln 2/(W(−2e−2) + 2) ≈ 0.435; this results in the minimal communication≈(0.371·ξ·log2n+ 1.706·s·logn+ 1.288·ξ·logn+s)·k for small values of the length parameters. Second, we can redefine the values ofλj

as λj ← ((s+α)!/s!)1/α·(s+j)−1·n1/α. This choice ofλj results in the mini-mal value of Pα_j=1(λj −1)(s+j) = Pαj=1λj(s+j)−α(s+ (α+ 1)/2) under the constraint thatQα_j=1λj =n. (In practice, we must roundλi-s to the nearest inte-gers. For the simplicity of exposition, we will not explicitly mention such issues any-more.) Call the resulting instantiation of the protocolLFCPIRHRn`(α).LFCPIRHRn`(α) has receiver-side and sender-side communication of respectively((s+α)!/s!)1/α·α· (n1/α₋₁₎_·_k_and₍_s₊_α₎_·_k_{bits. In particular,}_LFCPIRHRn

`(α0·logn)has com-munication≈ (0.273·logn+ (0.627·s+ 0.314)·log logn+O(1))k ·logn =

Θ(k·log2n+`·logn·log logn). Fors= 1,LFCPIRHRn_`(α)is asymptotically ap-proximately1.348times more communication-efficient thanLFCPIRn_`(α).

Ifz:=bsk/`c>1, then one can use the next optimisation. ExecuteLFCPIRn_`(¯α)

with the queryq¯:=bq/zcand the databaseS¯= ( ¯S[1], . . . ,S¯[bn/zc]), whereS¯[j]is the concatenation ofzdifferent consequent elementsS[dj/ze], . . . , S[dj/ze+z−1]

from the database S. Fixingα¯ = log(n/z), one can construct a CPIRn_` with total communication≈(0.273·log2(n`/(sk))+0.435·s·log(n`/(sk))·log log(n`/(sk))+

O(1))·k. This optimisation can be quite important in practice. In the extreme case when n = k = 1024and` = 1, the optimised version is100times more communication-efficient than the unoptimised version.

4 On Security of LFCPIR And Transformation to OT

In allCPIRn` protocols, proposed in Sect. 3, we have the next novel adversarial sit-uation. Given a LFAH public-key cryptosystemΠ = (Gen,Enc,Dec), the adversary obtains encryptions of interrelated plaintexts by using potentially different values of the length parameters, wheresis possibly chosen by herself. It must be the case that the ad-versary obtains no new knowledge about the encrypted values. Clearly, security in this adversarial situation is a generally desirable feature of LFAH public-key cryptosystems whenever it might be the case that the adversary obtains different-length encryptions of related plaintexts. This may happen almost always, except when all participants are explicitly prohibited to encrypt related messages by using different values ofs. There-fore, we will introduce the corresponding security requirement formally and prove that some of the previously introduced LFAH public-key cryptosystems have tight security also in such an adversarial situation.

(11)

fol-lows:

Advlf_Π,k-indcpa(A, α) := 2·

Pr        

(sk,pk)←Gen(1k),

(m0, m1, s1, . . . , sα)←A(pk), b← {0,1}, c1←Encs_pk1(mb mod]Ms1;R), . . . , cα←Encs_pkα(mb mod]Msα;R) :

A(pk, m0, m1, s1, . . . , sα, c1, . . . , cα) =b

        −1 2 .

(To prove the security of LFCPIRn_`(α), we could use a slightly weaker assumption where s1, . . . , sα are not chosen by A; it is sufficient to consider the case sj = s+ (j−1)ξ. We omit discussion because of the lack of space.) Here, probability is taken over random coin tosses ofGen,Encsj

pk,Aand over the choice ofband of ran-dom elements fromR. We say thatΠ is(ε, τ)-secure in the sense ofα-IND-LFCPA if

Advlf_Π,k-indcpa(A, α) ≤εfor any probabilistic algorithmAthat works in timeτ. Ifτ(k)

is polynomial inkandε(k)is negligible ink, then we just say thatΠ is secure in the sense ofα-IND-LFCPA. We omitαifαmay be any polynomial ink.

By a standard hybrid argument,(αε, τ −O(α))-security in the sense ofα -IND-LFCPA follows from the(ε, τ)-security in the sense of CPA. However, since IND-LFCPA security is such a basic notion for LFAH public-key cryptosystems, it makes sense to prove the IND-LFCPA security directly, without the intermediateα-times se-curity degradation. Next, we will show that for both well-known LFAH public-key cryptosystems (DJ01andDJ03), IND-LFCPA security follows from IND-CPA secu-rity under a tight reduction. First, we prove the following lemma that is motivated by the observation that IND-LFCPA is a potentially stronger security notion than IND-CPA only in situations where the adversary cannot herself compute, givenEncs_pk(m;R), en-cryptions of related plaintexts with different values of the length parameters.

Lemma 1. Assume Π = (Gen,Enc,Dec) is a LFAH cryptosystem that is (ε, τ) -secure in the sense of IND-CPA. Assume there exists an algorithm Shorten, such that for all (sk,pk) ← Gen(1k₎_{, any} _s

1 < s2, anym ∈ Ms1 and any r ∈ R, Shorten(pk, s1, s2,Encs_pk2(m;r)) = Encs_pk1(m;R). AssumeShortencan be computed in time tShorten(k, s2). ThenΠ is(ε, τ −α·tShorten(k, smax)−O(α))-secure in the sense ofα-IND-LFCPA wheresmaxis the largestsi that an admissible adversary can choose.

Proof. Really, assumeA is an adversary who breaks the α-IND-LFCPA security in timeτ0_{and with probability}_ε_{. Construct the next adversary}_MA_{that breaks the} IND-CPA security of Π: Obtain a new random public key pk, send this to A. M asks A to produce(m0, m1, s1, . . . , sα). Assume that s1 ≤ s2 ≤ · · · ≤ sα ≤ smax. Give (m0, m1, sα) to the black box, who returns cα ← Encs_pkα(mb;R). Compute ci←Shorten(pk, si, sα,Encs_pk2(mb;R))fori∈[α−1]. Send(c1, . . . , cα)toA, obtain her guessb0_{. Return}_b0_{. Clearly, if}_A_{has guessed correctly then}_b0 ₌_b_. _u_t

For bothDJ01andDJ03it is straightforward to construct the required functionShorten. In the case of the DJ01, Encs1

pk(m;R) = (Enc s2

(12)

modM)Ms

modMs+1₎_{. Therefore, given}_Encs2

pk(m;r) = (a, b), one can compute

Encs1

pk(m;R) = (a, b modMs1)·Enc s1

pk(0;R). We would get a similar security re-sult, if there existed an efficient functionExpand, such that fors2 < s1, and for any m∈ Ms2,Expand(pk, s1, s2,Enc

s2

pk(m;R)) =Enc s1

pk(m;R). As we show in the full version, the existence of such a function would additionally result in aCPIRn` protocol with logarithmic communication. Now, we can prove the next result.

Theorem 2. Fixnandα∈ [logn]. LetΠ = (Gen,Enc,Dec)be a LFAH public-key cryptosystem that is(ε, τ)-secure in the sense ofα-IND-LFCPA, whereτ τSen. Fixs. ThenLFCPIRn_`(α)is(ε, τ0₎_{-receiver-private. Here,}_τ0₌_τ₋_τRec₋_O₍_α_·₍_sk₎1+o(1)₎_, whereτRecis the time to execute the honest Receiver.

Proof. Assume that some adversaryAthat works in timeτ breaks the receiver-privacy ofLFCPIRn`(α)with probabilityε. More precisely,Agenerates a key pair(sk,pk)←

Gen(1k₎_{. Given}_pk_{and an arbitrary}₍_q

0, q1),AgeneratesS and sendsnto Receiver. Receiver picks a random bit bb and sends the first message Query(1k_{, q}

b

b, n;rQ) =

(pk,(βjt)jt) of the LFCPIRn`(α)protocol, where rQ is randomly chosen fromRQ, toA.Aoutputs a guessbb0_{, such that}₂_{· |}_Pr[_b_b ₌_b_b0_]₋ 1

2| ≥ ε. Next, we construct a machineM that usesAas an oracle to break theα-IND-LFCPA security ofΠ with probabilityAdvindcpa_Π,k (MA_{) =} _ε_{. That is, given a random key pair}₍_sk_,_pk₎_,_M _comes up with a message pair(m0, m1)and length parameters(s1, . . . , sα), such that after seeingEncsi

pk(mb;R)for a randomb← {0,1}and fori∈[α],Moutputs a bitb

0_{, such}

that2· |Pr[b=b0_]₋1 2| ≥ε.

M does the next: Let Receiver to generate (pk,sk), obtain pk and forward it to A. Obtain (q0, q1) where qi = (qi1, . . . , qiα). Assume that q0 and q1 differ in the coordinate set J. M sets m0 ← 0, m1 ← 1 and asks for a challenge on

(m0, m1,(s+ (j−1)ξ)j∈J). For a randomb← {0,1},Mobtains the challenge tuple (cj ←Encs+(j

−1)ξ

pk (mb;R))j∈J.Mconstructs the query(βjt)j,texactly as in Proto-col 1, except that whenj∈ J, he setsβj,q0j ←cjandβj,q1j ←Enc

s+(j−1)ξ pk (1; 0)·c

−1 j . Therefore,(pk,(βjt)j,t) =Query(1k, qb, n;RQ).Msends(pk,(βjt)j,t)toAand ob-tains her guessbb0_._M_returns_b0 ₌b_b0_{. Clearly,}_b₌_b0_if_A_{guessed correctly. Therefore,}

Mhas success probabilityε.M’s time is equal toτ+τRec+O(α·(sk)1+o(1)₎_. _u_t

This result means in particular thatLFCPIRn`(α)is receiver-private (a) under loose re-duction withα-times security degradation, in the caseΠ is an arbitrary IND-CPA se-cure LFAH public-key cryptosystem; (b) under tight reduction to the underlying cryp-tographic problems, in the caseΠisDJ01orDJ03.

On Concrete Versus Polynomial Security. It is necessary to use concrete security

(13)

by requiring that τ τSen. Alternatively, one can require that no adversary is able to breakCPIRn` in time, polynomial in n`, with a non-negligible probability in n`. Assume also that the underlying hard problem, with inputsM of size k, can be bro-ken in time LM[a, b]. In the case of LFCPIRn`(α), when based on theDJ01 or the

DJ03cryptosystem,b = 1/3. Then, it is necessary thatLM[a, b] = ω((n`)c)for ev-ery constantc, or thatkb_log1−b_k ₌_ω_(log(_n`₎₎_{. Omitting the logarithmic factor, we} get thatk =Ω(log1/b(n`)). Therefore, if we want security against adversaries, work-ing in timepoly(n`), when basingLFCPIRn_`(α)on the DCRP, we must assume that k = Ω(log3−o(1)(n`))and thus the communication of theLFCPIRn`(logn)becomes Θ(log3−o(1)(n`)·log2n+`·logn). While such an analysis is usually not necessary in stand-alone applications of computationally-private information retrieval, there are theoretical settings where polynomial security is desired (e.g., when a CPIR protocol is a subprotocol of a higher level application).

Alternatively, one can define another security parameter,κ, corresponding to the desideratum that breaking the CPIRn` protocol should be hard in time 2o(κ), and then expressing the communication in the terms of κ. Based on the hypothesis that the best attack against the DCRP is the general number field sieve, it means that k· (lnk)2 ₌ _Ω₍9(ln 2)2_κ3

64 ) = Ω(κ3) and thusLFCPIR n

`(α), based on any LFAH public-key cryptosystem that relies on the DCRP being hard, has communication Θ(κ3−o(1) _·_log2

n+`·logn). In particular, this captures reasonably well the natu-ral requirement that the adversary should be able to spend at least as much time as Sender: in practice, given large enoughκ(say,κ= 80), we may assume that a honest Sender always spends considerably less time than2κ units. This also means thatnis restricted to be considerably smaller than2κ_{, but we do not see now problems with that} in practice; it is hard to imagine anybody executing aCPIRn` protocol withnlarger than240_{! Additionally, this gives us another argument why small sender-side} computa-tion is important for aCPIRn` protocol. As mentioned before,LFCPIRn`(·)does better thanHomCPIRn`(·)also in this sense.

Oblivious Transfer with Log-Squared Communication. We can use one of several

existing techniques to transform theLFCPIRn_`(α) protocol into an oblivious transfer protocol. For these techniques to apply, one must first modify Protocol 1 so that it would be sender-private if the receiver is semi-honest. IfRis a quasigroup (that is, if

∀a, b∈ Rthere exist uniquex, y∈ Rsuch thatax=bandya=b, then alsoxR=R

(14)

sender-privacy, and to the transformation based on zero-knowledge proofs since the latter either takes four rounds or works in a non-standard model (that is, either in the random oracle model or in the common reference string model).

LetMbe a plaintext space andC a ciphertext space, corresponding to some pa-rameter choice of ElGamal public-key cryptosystem. In [AIR01], the authors proposed the next generic transformation of aCPIRnlog]C protocol to anOT

n

log]Mprotocol:

Re-ceiver sends an ElGamal encryptioncof the queryq, together with the first message of

CPIRnlog]C, to Sender. Sender applies the computations, corresponding to the second

step of theAIRn_]Mprotocol, with inputc, to her database, and then the second step of the CPIRnlog]C, to the resulting database of ciphertexts. When applied toLFCPIRn`(logn), the resultingOTn` protocol has communicationlog]C+(ξ2·log

2_n₊₍_s0₊3ξ

2 logn+s

0₎_k

instead of(ξ₂·log2n+(s+3ξ₂) logn+s)kin theLFCPIRn_]M(logn)protocol. Here,sand s0_{are the smallest integers, such that}_sk_≥_log_]_M_and_s0_k_≥_log_]_C_{; usually}_s0_{= 2}_s_.

Therefore, this transformation increases communication bylog]C+ (s·logn+s)k bits. The resulting

oblivious transfer protocol is information-theoretically sender-private (not like the protocol based on the Naor-Pinkas transform) if ElGamal is IND-CPA secure andΠ is IND-LFCPA secure, that is, in the standard complexity-theoretic model (not like the protocol based on non-interactive honest-verifier zero-knowledge proofs). However, it still makes the additional assumption that ElGamal is IND-CPA secure.

5 Comparisons

Fix k = 1024 and s = 1. The difference between the communications of the linear Aiello-Ishai-Reingold CPIR AIRn_` [AIR01] (with communication2(n+ 1)k), the polylogarithmic CPIR CMSn_` [CMS99] (with possibly overly optimistic setting κ = min(80,log2n) and f = 4; whether the CMSn_` CPIR is actually secure in this setting is unknown), the superpolylogarithmic HomCPIRn_`(sqrtlog(2, n)), and

LFCPIRn_`(logn)is depicted by Fig. 1. For small values of `, the best solution is to use theLFCPIRn_`( ln 2

W(−2e−2₎₊₂·logn)protocol. For large values of`, one might to use LFCPIRBIGn_`(α)with a suitably tunedα, sayα=sqrtlog(2, n).

Computation-efficiency is an important property of theLFCPIRn`(α)protocol since otherwise in some applications one would prefer a protocol with a smaller computa-tional complexity but with linear communication. Moreover, in practice, Sender’s huge computation is mostly likely going to be the first obstacle in applyingCPIRn` pro-tocols on large databases. InLFCPIRn_`(logn), Sender’s computation is Θ(n`) k-bit exponentiations, which is asymptotically optimal inn. This compares favourable with Θ(`·n2sqrtlog(η,n)₎ _k_{-bit exponentiations in}_HomCPIRn

`(sqrtlog(η, n)). In particular, Sender’s computation cost inLFCPIRn_`(logn)is comparable to that of the1-out-of-n oblivious transfer protocols from [NP01,AIR01] that have linear communication.

Acknowledgements. We would like to thank Yan-Cheng Chang, Sven Laur and

(15)

References

[AIR01] William Aiello, Yuval Ishai, and Omer Reingold. Priced Oblivious Transfer: How to Sell Digital Goods. In Birgit Pfitzmann, editor, Advances in Cryptology — EURO-CRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 119–135, Innsbruck, Austria, May 6–10, 2001. Springer-Verlag.

[Cha04] Yan-Cheng Chang. Single Database Private Information Retrieval with Logarithmic Communication. In Josef Pieprzyk and Huaxiong Wang, editors, The 9th Australasian Conference on Information Security and Privacy (ACISP 2004), volume 3108 of Lec-ture Notes in Computer Science, pages 50–61, Sydney, Australia, July 13–15, 2004. Springer-Verlag.

[CMS99] Christian Cachin, Silvio Micali, and Markus Stadler. Computational Private Informa-tion Retrieval with Polylogarithmic CommunicaInforma-tion. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Sci-ence, pages 402–414, Prague, Czech Republic, May 2–6, 1999. Springer-Verlag. [DJ01] Ivan Damg˚ard and Mads Jurik. A Generalisation, a Simplification and Some

Appli-cations of Paillier’s Probabilistic Public-Key System. In Kwangjo Kim, editor, Public Key Cryptography 2001, volume 1992 of Lecture Notes in Computer Science, pages 119–136, Cheju Island, Korea, February 13–15, 2001. Springer-Verlag.

[DJ03] Ivan Damg˚ard and Mads Jurik. A Length-Flexible Threshold Cryptosystem with Ap-plications. In Rei Safavi-Naini, editor, The 8th Australasian Conference on Information Security and Privacy, volume 2727 of Lecture Notes in Computer Science, pages 350– 364, Wollongong, Australia, July 9-11, 2003. Springer-Verlag.

[KO97] Eyal Kushilevitz and Rafail Ostrovsky. Replication is Not Needed: Single Database, Computationally-Private Information Retrieval. In 38th Annual Symposium on Foun-dations of Computer Science, pages 364–373, Miami Beach, Florida, October 20–22, 1997. IEEE Computer Society.

[LAN02] Helger Lipmaa, N. Asokan, and Valtteri Niemi. Secure Vickrey Auctions without Threshold Trust. In Matt Blaze, editor, Financial Cryptography — Sixth International Conference, volume 2357 of Lecture Notes in Computer Science, pages 87–101, South-hampton Beach, Bermuda, March 11–14, 2002. Springer-Verlag.

[Lip04] Helger Lipmaa. An Oblivious Transfer Protocol with Log-Squared Total Communica-tion. Technical Report 2004/063, International Association for Cryptologic Research, February 25, 2004.

[NP99] Moni Naor and Benny Pinkas. Oblivious Transfer and Polynomial Evaluation. In Proceedings of the Thirty-First Annual ACM Symposium on the Theory of Computing, pages 245–254, Atlanta, Georgia, USA, May 1–4, 1999. ACM Press.

[NP01] Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms, pages 448–457, Washington, DC, USA, January 7–9, 2001. ACM Press.

[Pai99] Pascal Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Jacques Stern, editor, Advances in Cryptology — EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages 223–238, Prague, Czech Republic, May 2–6, 1999. Springer-Verlag.