On Robust Combiners for Private Information Retrieval and Other Primitives

  • Remo Meier
  • Bartosz Przydatek
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


Let \(\mathcal A\) and \(\mathcal B\) denote cryptographic primitives. A \((k,m)\)-robust \(\mathcal A\)-to-\(\mathcal B\) combiner is a construction which takes \(m\) implementations of primitive \(\mathcal A\) as input, and yields an implementation of primitive \(\mathcal B\), which is guaranteed to be secure as long as at least \(k\) input implementations are secure. The main motivation for such constructions is the tolerance against wrong assumptions on which the security of implementations is based. For example, a (1,2)-robust \(\mathcal A\)-to-\(\mathcal B\) combiner yields a secure implementation of \(\mathcal B\) even if an assumption underlying one of the input implementations of \(\mathcal A\) turns out to be wrong.

In this work we study robust combiners for private information retrieval (PIR), oblivious transfer (OT), and bit commitment (BC). We propose a (1,2)-robust PIR-to-PIR combiner, and describe various optimizations based on properties of existing PIR protocols. The existence of simple PIR-to-PIR combiners is somewhat surprising, since OT, a very closely related primitive, seems difficult to combine (Harnik et al., Eurocrypt’05). Furthermore, we present (1,2)-robust PIR-to-OT and PIR-to-BC combiners. To the best of our knowledge these are the first constructions of \(\mathcal A\)-to-\(\mathcal B\) combiners with \(\mathcal A \neq \mathcal B\). Such combiners, in addition to being interesting in their own right, offer insights into relationships between cryptographic primitives. In particular, our PIR-to-OT combiner together with the impossibility result for OT-combiners of Harnik et al. rule out certain types of reductions of PIR to OT. Finally, we suggest a more fine-grained approach to construction of robust combiners, which may lead to more efficient and practical combiners in many scenarios.


robust combiners, cryptographic primitives, reductions, private information retrieval, oblivious transfer, bit commitment


  1. [AB81]
    Asmuth, C.A., Blakely, G.R.: An efficient algorithm for constructing a cryptosystem which is harder to break than two other cryptosystems. Computers and Mathematics with Applications 7, 447–450 (1981)
  2. [BIKM99]
    Beimel, A., Ishai, Y., Kushilevitz, E., Malkin, T.: One-way functions are essential for single-server private information retrieval. In: Proc. ACM STOC, pp. 89–98 (1999)
  3. [BKY03]
    Bleichenbacher, D., Kiayias, A., Yung, M.: Decoding of interleaved Reed-Solomon codes over noisy data. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) ICALP 2003. LNCS, vol. 2719, pp. 97–108. Springer, Heidelberg (2003)
  4. [Cha04]
    Chang, Y.-C.: Single database private information retrieval with logarithmic communication. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 50–61. Springer, Heidelberg (2004)
  5. [CK88]
    Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions (extended abstract). In: Proc. IEEE FOCS 1988, pp. 42–52 (1988)
  6. [CKGS98]
    Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)
  7. [CMS99]
    Cachin, C., Micali, S., Stadler, M.A.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999)
  8. [Cré87]
    Crépeau, C.: Equivalence between two flavours of oblivious transfers. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 350–354. Springer, Heidelberg (1988)
  9. [DIO01]
    Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Universal service-providers for private information retrieval. Journal of Cryptology 14(1), 37–74 (2001)
  10. [DK05]
    Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 188–209. Springer, Heidelberg (2005)
  11. [DMO00]
    Di Crescenzo, G., Malkin, T.G., Ostrovsky, R.: Single database private information retrieval implies oblivious transfer. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 122–138. Springer, Heidelberg (2000)
  12. [EG85]
    Even, S., Goldreich, O.: On the power of cascade ciphers. ACM Trans. Comput. Syst. 3(2), 108–116 (1985)
  13. [EGL85]
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Communications of the ACM 28(6), 637–647 (1985)
  14. [Fis02]
    Fischlin, M.: On the impossibility of constructing non-interactive statistically-secret protocols from any trapdoor one-way function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 79–95. Springer, Heidelberg (2006)
  15. [Gas04]
    Gasarch, W.I.: A survey on private information retrieval (column: Computational complexity). Bulletin of the EATCS 82, 72–107 (2004)
  16. [Gol04]
    Goldreich, O.: The Foundations of Cryptography. Basic Applications, vol. II. Cambridge University Press, Cambridge (2004)
  17. [Hai04]
    Haitner, I.: Implementing oblivious transfer using collection of dense trapdoor permutations. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 394–409. Springer, Heidelberg (2004)
  18. [Her05]
    Herzberg, A.: On tolerant cryptographic constructions. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 172–190. Springer, Heidelberg (2005); Full version on Cryptology ePrint Archive,
  19. [HKN+05]
    Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005)
  20. [HL05]
    Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005)
  21. [IR89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proc. ACM STOC, pp. 44–61 (1989)
  22. [KO97]
    Kushilevitz, E., Ostrovsky, R.: Replication is not needed: Single database, computationally-private information retrieval. In: Proc. IEEE FOCS 2000, pp. 364–373 (1997)
  23. [KO00]
    Kushilevitz, E., Ostrovsky, R.: One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 104–121. Springer, Heidelberg (2000)
  24. [KY01]
    Kiayias, A., Yung, M.: Secure games with polynomial expressions. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 939–950. Springer, Heidelberg (2001)
  25. [Lip05]
    Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005)
  26. [Nao91]
    Naor, M.: Bit commitment using pseudorandomness. J. Cryptology 4(2), 151–158 (1991)
  27. [Rab81]
    Rabin, M.O.: How to exchange secrets by oblivious transfer, Tech. Memo TR-81, Aiken Computation Laboratory (1981), available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Remo Meier (1)
  • Bartosz Przydatek (1)
  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland
