Sublinear Scaling for Multi-Client Private Information Retrieval

Abstract

Private information retrieval (PIR) allows clients to retrieve records from online database servers without revealing to the servers any information about what records are being retrieved. To achieve this, the servers must typically do a computation involving the entire database for each query. Previous work by Ishai et al. has suggested using batch codes to allow a single client (or collaborating clients) to retrieve multiple records simultaneously while allowing the server computation to scale sublinearly with the number of records fetched.

In this work, we observe a useful mathematical relationship between batch codes and efficient matrix multiplication algorithms, and use this to design a PIR server algorithm that achieves sublinear scaling in the number of records fetched, even when they are requested by distinct, non-collaborating clients; indeed, the clients can be completely unaware that the servers are implementing our optimization. Our multi-client server algorithm is several times faster, when enough records are fetched, than existing optimized PIR severs.

As an application of our work, we show how retrieving proofs of inclusion of certificates in a Certificate Transparency log server can be made privacy friendly using multi-client PIR.

A Strassen’s Algorithm

Strassen’s algorithm is best explained by looking at matrix multiplication from a block-matrix perspective. For simplicity, assume that all matrices have size \(n \times n\) where n is even. If

$$\begin{aligned} \mathbf {Q}= \left( \begin{array}{cc} \mathbf {Q}_{11} &{} \mathbf {Q}_{12} \\ \mathbf {Q}_{21} &{} \mathbf {Q}_{22} \\ \end{array} \right) \quad \text {and} \quad \mathbf {D}= \left( \begin{array}{cc} \mathbf {D}_{11} &{} \mathbf {D}_{12} \\ \mathbf {D}_{21} &{} \mathbf {D}_{22} \\ \end{array} \right) , \end{aligned}$$

then the matrix product \(\mathbf {R}= \mathbf {Q}\cdot \mathbf {D}\) is given by

$$\begin{aligned} \mathbf {R}= \left( \begin{array}{cc} \mathbf {R}_{11} &{} \mathbf {R}_{12} \\ \mathbf {R}_{21} &{} \mathbf {R}_{22} \\ \end{array} \right) , \end{aligned}$$

where

$$\begin{aligned} \mathbf {R}_{11}&= \mathbf {Q}_{11}\cdot \mathbf {D}_{11} + \mathbf {Q}_{12}\cdot \mathbf {D}_{21} \\ \mathbf {R}_{12}&= \mathbf {Q}_{11}\cdot \mathbf {D}_{12} + \mathbf {Q}_{12}\cdot \mathbf {D}_{22} \\ \mathbf {R}_{21}&= \mathbf {Q}_{21}\cdot \mathbf {D}_{11} + \mathbf {Q}_{22}\cdot \mathbf {D}_{21} \\ \mathbf {R}_{22}&= \mathbf {Q}_{21}\cdot \mathbf {D}_{12} + \mathbf {Q}_{22}\cdot \mathbf {D}_{22}. \\ \end{aligned}$$

It thus reduces to 8 matrix multiplications of size n / 2. In Strassen’s algorithm the following 7 matrix products are calculated first (note that in fields of characteristic 2, the \(+\) and \(-\) operations are of course the same):

$$\begin{aligned} \mathbf {M}_1&= (\mathbf {Q}_{11}+\mathbf {Q}_{22}) \cdot (\mathbf {D}_{11}+\mathbf {D}_{22}) \\ \mathbf {M}_2&= (\mathbf {Q}_{21}+\mathbf {Q}_{22}) \cdot \mathbf {D}_{11} \\ \mathbf {M}_3&= \mathbf {Q}_{11} \cdot (\mathbf {D}_{12}-\mathbf {D}_{22}) \\ \mathbf {M}_4&= \mathbf {Q}_{22} \cdot (\mathbf {D}_{21}-\mathbf {D}_{11}) \\ \mathbf {M}_5&= (\mathbf {Q}_{11}+\mathbf {Q}_{12}) \cdot \mathbf {D}_{22} \\ \mathbf {M}_6&= (\mathbf {Q}_{21}-\mathbf {Q}_{11}) \cdot (\mathbf {D}_{11}+\mathbf {D}_{12}) \\ \mathbf {M}_7&= (\mathbf {Q}_{12}-\mathbf {Q}_{22}) \cdot (\mathbf {D}_{21}+\mathbf {D}_{22}). \\ \end{aligned}$$

The matrix product is then given by:

$$\begin{aligned} \mathbf {R}_{11}&= \mathbf {M}_1 + \mathbf {M}_4 - \mathbf {M}_5 + \mathbf {M}_7 \\ \mathbf {R}_{12}&= \mathbf {M}_3 + \mathbf {M}_5 \\ \mathbf {R}_{21}&= \mathbf {M}_2 + \mathbf {M}_4 \\ \mathbf {R}_{22}&= \mathbf {M}_1 - \mathbf {M}_2 + \mathbf {M}_3 + \mathbf {M}_6. \\ \end{aligned}$$

Using this algorithm, only 7 matrix multiplications of size n / 2 are necessary. Applying this trick recursively gives a complexity of \(O(n^{\lg 7})\).