A Linear Lower Bound on the Communication Complexity of Single-Server PIR


Transcript of A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Page 1: A Linear Lower Bound on the Communication Complexity of Single-Server PIR

A Linear Lower Bound on the Communication Complexity of Single-Server PIR

Iftach Haitner, Jonathan Hoch, Gil Segev
Weizmann Institute of Science, Israel

Page 2

Private Information Retrieval

Functionality: Receiver retrieves x_i
Privacy: Server does not learn i

[Figure: the Server holds x = x_1 ... x_n and the Receiver holds i ∈ {1,...,n}; at the end the Receiver outputs x_i. The Server's view when the Receiver holds i is indistinguishable (≈) from its view when the Receiver holds j ∈ {1,...,n}.]

Page 3

The Trivial Solution

[Figure: the Server holds x = x_1 ... x_n and the Receiver holds i ∈ {1,...,n}; the Server simply sends x_1 ... x_n.]

Inefficient: x may be very large.

Can we do better than trivial? Not information theoretically [CGKS].

Page 4

Two Approaches

Multiple-server PIR
- Information theoretic privacy
- Many exciting results, but not the focus of this talk [CGKS95, ..., Yek07, ...]

Single-server PIR
- Computational privacy
- Implies Oblivious Transfer
- 2-message PIR implies collision-resistant hash functions and public-key encryption
- Many applications... [CG97, KO97, CMS99, ...]

Page 5

Current Status

Specific number-theoretic assumptions
- Communication polylog(n) [KO97, CMS99, ...]

General assumptions
- Communication n - o(n)
- Black-box construction based on TDPs [KO00]

Question: Can we base single-server PIR with sublinear communication on general assumptions?

Page 6

Main Result

In any fully black-box construction of single-server PIR for an n-bit database from trapdoor permutations over (n) bits, the server sends (n) bits.

Two restrictions
- Fully black-box
- Tight security reduction: permutations over (n) bits ([KO '00]: (n²) bits)

Previous results
- [Fis02]: Similar result for 2-message protocols (less restrictions)
- [HHRS07]: (n/log n) lower bound (same restrictions)
- (n²) lower bound for "not so tight" reductions

Page 7

Fully Black-Box Reductions

A fully black-box reduction from B to A:

Black-box construction
- Any implementation of A implies an implementation of B
- Only care about the functionality of A

Black-box proof of security
- Any adversary for B implies an adversary for A
- Only care about the functionality of the adversary for B

[Figure: the construction of B wraps an implementation of A; the reduction turns an adversary for B into an adversary for A.]

Page 8

Our Approach

We present an oracle O relative to which:

1. There exists a collection of TDPs over {0,1}^n
   (a random function is hard to invert even with access to O)

2. There is no single-server PIR protocol for an n-bit database in which the server sends o(n) bits
   (there exists an efficient server that uses O to break any such protocol)

Fully black-box reductions relativize.

Page 9

The Oracle [HHRS '07]

O = (Sam, ) is a random collection of TDPs over {0,1}^n

Sam is an interactive collision-finding oracle
- Samples random collisions
- Extends the non-interactive oracle of [Simon '98]

[Figure: A sends Sam a random v_0 ← {0,1}^n; A sends a circuit C_1 and Sam returns v_1 with C_1(v_1) = C_1(v_0); A sends a circuit C_2 and Sam returns v_2 with C_2(v_2) = C_2(v_1).]

Page 10

The Oracle [HHRS '07]

[Figure: as on the previous slide, A queries Sam with v_0 and then with circuits C_1, C_2, receiving the collisions v_1, v_2.]

Theorem: A random TDP is one-way as long as Sam answers queries of depth ≤ n/log(n)

The proof requires additional restrictions (C_{i+1} refines C_i, commit to C_{i+1} at depth i, ...)
...but this suffices for the purpose of this talk

Page 11

Breaking 2-Message PIR

[Figure: the Server holds x = x_1 ... x_n and the Receiver holds i ∈ {1,...,n}; the Receiver sends a(i) and the Server replies with b(a,x).]

Page 12

Breaking 2-Message PIR

[Figure: the Receiver holds i ∈ {1,...,n} and sends a; the malicious Server replies with b(a,x^0), where b(a,x^0) = b(a,x^1).]

The malicious server:
1. Receive x^0 from Sam
2. Send the circuit b(a,·) to Sam
3. Receive x^1 from Sam
4. Output a random index j for which x^0_j = x^1_j

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)
(since b(a,x^0) = b(a,x^1), we have x^0_i = x^1_i and x^0 ≠ x^1)
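As an added illustration that is not part of the slides or the paper, the following Python simulates the four-step attack above against a constructed toy 2-message protocol whose answer compresses the database; Sam is replaced by a brute-force collision sampler over all 2^n databases, which is only feasible for tiny n. The toy protocol, all function names and the parameters n = 6, k = 3 are constructed for this example.

```python
import itertools
import random

# Constructed toy 2-message "PIR" (not secure, only compressing): the receiver's
# query a is a k-subset of positions that contains i, and the server's answer
# b(a, x) is x restricted to those k < n positions.
def toy_query(i, n, k, rng):
    others = rng.sample([j for j in range(n) if j != i], k - 1)
    return tuple(sorted(others + [i]))                    # a(i)

def toy_answer(a, x):
    return tuple(x[j] for j in a)                         # b(a, x)

def sam_collision(circuit, x0, n, rng):
    """Brute-force stand-in for Sam: a uniformly random x1 with
    circuit(x1) == circuit(x0). Enumerates all 2^n databases, so it is
    only usable for tiny n (the real oracle is not efficiently realizable)."""
    target = circuit(x0)
    preimages = [x for x in itertools.product((0, 1), repeat=n)
                 if circuit(x) == target]
    return rng.choice(preimages)

def malicious_server(a, answer, n, rng):
    """Steps 1-4 of slide 12; the answer function is used only as a black box."""
    x0 = tuple(rng.randrange(2) for _ in range(n))        # 1. x0 from Sam (uniform)
    circuit = lambda x: answer(a, x)                      # 2. the circuit b(a, .)
    x1 = sam_collision(circuit, x0, n, rng)               # 3. x1 with b(a,x1) = b(a,x0)
    agree = [j for j in range(n) if x0[j] == x1[j]]       # 4. i must be among these
    return rng.choice(agree), agree, x0, x1

def run_trials(n=6, k=3, trials=100, seed=3):
    """Honest receiver with random i vs. the malicious server; returns one record
    (i, a, guess, agree, x0, x1) per trial. Correctness forces x0_i == x1_i, so i
    is always in agree; whenever x0 != x1, len(agree) <= n-1 and the guess hits i
    w.p. >= 1/(n-1). If Sam returns x1 == x0 the server is left guessing blindly."""
    rng = random.Random(seed)
    records = []
    for _ in range(trials):
        i = rng.randrange(n)
        a = toy_query(i, n, k, rng)
        guess, agree, x0, x1 = malicious_server(a, toy_answer, n, rng)
        records.append((i, a, guess, agree, x0, x1))
    return records

if __name__ == "__main__":
    n = 6
    recs = run_trials(n=n)
    avg = sum(1 / len(agree) for _, _, _, agree, _, _ in recs) / len(recs)
    print(f"n={n}: average Pr[guess = i] = {avg:.3f} (blind guess: {1/n:.3f})")
```

Running the same sampler against the trivial protocol (b(a,x) = x) returns only x0 itself, which is why the trivial solution is untouched by this attack.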

Page 13

Breaking Any Sublinear PIR

[Figure: the Receiver holds i ∈ {1,...,n}; the parties exchange rounds a_1, b_1, ..., a_{o(n)}, b_{o(n)}.]

Communication vs. Rounds: Server sends o(n) bits ⇒ o(n) rounds, server sends one bit each round

Page 14

Breaking Any Sublinear PIR

[Figure: the Receiver holds i ∈ {1,...,n}; rounds a_1, b_1, ..., a_{log(n)}, b_{log(n)}, ..., a_{o(n)}, b_{o(n)}, with the first log(n) rounds marked.]

Key observation: The malicious server can invoke Sam every log(n) rounds

Page 15

Breaking Any Sublinear PIR

[Figure: the Receiver holds i ∈ {1,...,n}; rounds a_1, b_1, ..., a_{log(n)}, b_{log(n)}, ...]

The malicious server:
1. Receive x^0 from Sam
2. Simulate the honest server for log(n) rounds
3. Send b_1(a_1,·) to Sam until receiving x^{log(n)} which is consistent with all log(n) rounds (rewind Sam if inconsistent)

Claim: The malicious server guesses i w.p. ≥ 1/(n-1)

Page 16

Summary

Communication lower bound for single-server PIR
- Fully black-box constructions from (enhanced) TDPs
- The trivial solution is optimal up to constant factors

In the paper: Communication lower bound for statistically-hiding bit-commitment
- The sender must send (n) bits
- Communication preserving reduction to single-server PIR
- Matches the upper bound of [NOVY]

Open problem: A linear lower bound for "not so tight" reductions? [KO '00]: TDPs over (n²) bits

Thank you!