Abstract
In Private Information Retrieval (PIR), a client wishes to retrieve the value at an index i from a public database of N values without leaking any information about i. In their recent seminal work, Corrigan-Gibbs and Kogan (EUROCRYPT 2020) introduced the first two-server PIR protocol with sublinear amortized server time and sublinear \(O(\sqrt{N} \log N)\) bandwidth. In a follow-up work, Shi et al. (CRYPTO 2021) reduced the bandwidth to polylogarithmic by proposing a construction based on privately puncturable pseudorandom functions, a primitive whose only construction known to date is based on heavy cryptographic primitives such as LWE. Partly because of this, their PIR protocol does not achieve concrete efficiency. In this paper we propose TreePIR, a two-server PIR protocol with sublinear amortized server time and polylogarithmic bandwidth whose security can be based on just the DDH assumption. TreePIR can be partitioned into two phases that are both sublinear: the first phase is remarkably simple and only requires pseudorandom generators; the second phase is a single-server PIR protocol on only \(\sqrt{N}\) indices, for which we can use the protocol by Döttling et al. (CRYPTO 2019) based on DDH or, for practical purposes, the most concretely efficient single-server PIR protocol. Not only does TreePIR achieve better asymptotics than previous approaches while resting on weaker cryptographic assumptions, it also outperforms existing two-server PIR protocols in practice. The crux of our protocol is a new cryptographic primitive that we call weak privately puncturable pseudorandom functions, which we believe can have further applications.
Notes
1. A non-exhaustive list; we provide more background on related work in Sect. 1.3.
2. We note that this construction is only secure for a fixed input length. Also, we can support any output length, either by truncating an output to length less than \(\lambda \) or by reapplying G sequentially on the final leaf node to increase the output size.
3.
4. This is equivalent to a depth-first ordering up to some deterministic shifting; however, this ordering will be more intuitive for our approach moving forward.
5. These sets are related, and there are only \(N \log N\) unique elements across all sets. We can exploit this by defining the first set in full and the following ones as set differences.
6. Client time is probabilistic because sampling a set that contains x takes \(O(\sqrt{N})\) time in expectation when naively sampling keys and testing until we find one that contains x. We discuss an optimization to this naive approach in Appendix A.
7. This is amortized per client.
References
Source code for TreePIR. https://github.com/alazzaretti/treePIR
Aguilar-Melchor, C., Barrier, J., Fousse, L., Killijian, M.O.: XPIR: private information retrieval for everyone. Proc. Privacy Enhancing Technol. 2016(2), 155–174 (2016). https://doi.org/10.1515/popets-2016-0010. https://petsymposium.org/popets/2016/popets-2016-0010.php
Angel, S., Setty, S.: Unobservable communication over fully untrusted infrastructure. In: Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI 2016, pp. 551–569. USENIX Association, USA, November 2016
Backes, M., Kate, A., Maffei, M., Pecina, K.: ObliviAd: provably secure and practical online behavioral advertising. In: 2012 IEEE Symposium on Security and Privacy, pp. 257–271, May 2012. https://doi.org/10.1109/SP.2012.25. ISSN: 2375-1207
Beimel, A., Ishai, Y.: Information-theoretic private information retrieval: a unified construction. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 912–926. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-48224-5_74
Beimel, A., Ishai, Y., Malkin, T.: Reducing the servers computation in private information retrieval: PIR with preprocessing. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 55–73. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_4
Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_15
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17
Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_12
Boyle, E., Ishai, Y., Pass, R., Wootters, M.: Can We Access a Database Both Locally and Privately? pp. 662–693, November 2017. https://doi.org/10.1007/978-3-319-70503-3_22
Brakerski, Z., Tsabary, R., Vaikuntanathan, V., Wee, H.: Private constrained PRFs (and More) from LWE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 264–302. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_10
Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_28
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC\(^1\) from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_16
Chor, B., Gilboa, N., Naor, M.: Private information retrieval by keywords. Cryptology ePrint Archive, Report 1998/003 (1998). https://eprint.iacr.org/1998/003
Corrigan-Gibbs, H., Kogan, D.: Private information retrieval with sublinear online time. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 44–75. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_3
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638
Dong, C., Chen, L.: A fast single server private information retrieval protocol with low communication cost. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 380–399. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_22
Döttling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_1
Dvir, Z., Gopi, S.: 2-Server PIR with Subpolynomial Communication. J. ACM 63(4), 1–15 (2016). https://doi.org/10.1145/2968443
Efremenko, K.: 3-query locally decodable codes of subexponential length. SIAM J. Comput. 41(6), 1694–1703 (2012). https://doi.org/10.1137/090772721. http://epubs.siam.org/doi/10.1137/090772721
Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_65
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS (1984). https://doi.org/10.1109/SFCS.1984.715949
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996). https://doi.org/10.1145/233551.233553
Gupta, T., Crooks, N., Mulhern, W., Setty, S., Alvisi, L., Walfish, M.: Scalable and private media consumption with Popcorn. In: Proceedings of the 13th Usenix Conference on Networked Systems Design and Implementation, NSDI 2016, pp. 91–107. USENIX Association, USA, March 2016
Hafiz, S.M., Henry, R.: A Bit More Than a Bit Is More Than a Bit Better: Faster (essentially) optimal-rate many-server PIR. Proceedings on Privacy Enhancing Technologies 2019(4), 112–131 (2019). https://doi.org/10.2478/popets-2019-0061. https://petsymposium.org/popets/2019/popets-2019-0061.php
Henzinger, A., Hong, M.M., Corrigan-Gibbs, H., Meiklejohn, S., Vaikuntanathan, V.: One Server for the Price of Two: Simple and Fast Single-Server Private Information Retrieval, p. 27 (2022)
Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 79–102. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_4
Holmgren, J., Canetti, R., Richelson, S.: Towards doubly efficient private information retrieval. Cryptology ePrint Archive, Report 2017/568 (2017). https://eprint.iacr.org/2017/568
Kales, D., Omolola, O., Ramacher, S.: Revisiting user privacy for certificate transparency. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 432–447. IEEE, Stockholm, Sweden, June 2019. https://doi.org/10.1109/EuroSP.2019.00039. https://ieeexplore.ieee.org/document/8806754/
Kiayias, A., Leonardos, N., Lipmaa, H., Pavlyk, K., Tang, Q.: Optimal Rate Private Information Retrieval from Homomorphic Encryption. Proceedings on Privacy Enhancing Technologies 2015(2), 222–243 (2015). https://doi.org/10.1515/popets-2015-0016. https://www.sciendo.com/article/10.1515/popets-2015-0016
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, CCS 2013, pp. 669–684. Association for Computing Machinery, New York, NY, USA, November 2013. https://doi.org/10.1145/2508859.2516668
Kogan, D., Corrigan-Gibbs, H.: Private blocklist lookups with checklist. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 875–892. USENIX Association (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/kogan
Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: Proceedings 38th Annual Symposium on Foundations of Computer Science. pp. 364–373. IEEE Comput. Soc, Miami Beach, FL, USA (1997). https://doi.org/10.1109/SFCS.1997.646125. http://ieeexplore.ieee.org/document/646125/
Lazzaretti, A., Papamanthou, C.: TreePIR: sublinear-time and polylog-bandwidth private information retrieval from DDH. Cryptology ePrint Archive, Report 2023/204 (2023). https://eprint.iacr.org/2023/204
Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Proceedings of the 8th international conference on Information Security, ISC 2005, pp. 314–328. Springer, Heidelberg (Sep 2005). https://doi.org/10.1007/11556992_23
Lipmaa, H., Pavlyk, K.: A Simpler Rate-Optimal CPIR Protocol. In: Financial Cryptography and Data Security, 2017 (2017). http://eprint.iacr.org/2017/722
Menon, S.J., Wu, D.J.: Spiral: fast, high-rate single-server PIR via FHE composition. In: IEEE Symposium on Security and Privacy, 2022 (2022). http://eprint.iacr.org/2022/368
Mughees, M.H., Chen, H., Ren, L.: OnionPIR: response efficient single-server PIR. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, pp. 2292–2306. Association for Computing Machinery, New York, November 2021. https://doi.org/10.1145/3460120.3485381
Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_7
Peikert, C., Shiehian, S.: Constraining and watermarking PRFs from milder assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 431–461. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_15
Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs (2014)
Ma, Y., Zhong, K., Rabin, T., Angel, S.: Incremental offline/online PIR (extended version). In: USENIX Security 2022 (2022). http://eprint.iacr.org/2021/1438
Shi, E., Aqeel, W., Chandrasekaran, B., Maggs, B.: Puncturable pseudorandom sets and private information retrieval with near-optimal online bandwidth and time. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 641–669. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_22
Singanamalla, S., et al.: Oblivious DNS over HTTPS (ODoH): a practical privacy enhancement to DNS. Proc. Privacy Enhancing Technol. 2021(4), 575–592 (2021). https://doi.org/10.2478/popets-2021-0085. https://www.sciendo.com/article/10.2478/popets-2021-0085
Stefanov, E., Papamanthou, C., Shi, E.: Practical Dynamic Searchable Encryption with Small Leakage, January 2014. https://doi.org/10.14722/ndss.2014.23298
Stefanov, E., Shi, E.: FastPRP: fast pseudo-random permutations for small domains. Cryptology ePrint Archive, Report 2012/254 (2012)
Yekhanin, S.: Towards 3-query locally decodable codes of subexponential length. J. ACM 55(1), 1–16 (2008). https://doi.org/10.1145/1326554.1326555
Acknowledgements
This research was supported by the National Science Foundation, the Algorand Foundation and Protocol Labs. We thank Samir Menon for a helpful exchange regarding SPIRAL and the reviewers for helping improve our work.
Further Optimizations
We discuss here some further optimizations to TreePIR.
1.1 Deterministic Client Time
Our protocol in Fig. 6 has probabilistic client time due to Step 1 of the Online Query algorithm, which is:
1. Sample \(k' \leftarrow F.\textsf {Gen}(1^\lambda )\) until \(F.\textsf {Eval}(k',x^\ell ) = x^r\).
In practice, sampling several keys until finding a suitable one can be time consuming, and as N increases the worst-case run-time can be very expensive. To achieve both faster and more consistent run-times, it is desirable to have a fully deterministic PIR algorithm. This is achievable by introducing an additional parameter to each of our ‘sets’: a shift. The shift permutes every element in the set by a fixed offset (this technique was used before in [15]). We modify TreePIR by including a shift \(s \in \left[ \sqrt{N}\right] \) as part of every pseudorandom set (which is now defined as a tuple of a wpPRF key and a shift).
Offline, the client now generates tuples \((k_i,s_i)\) for \(i = 1,\ldots ,M-1\), where \(k_i \leftarrow F.\textsf {Gen}(1^\lambda )\) as before and \(s_i\) is sampled uniformly from \(\left[ \sqrt{N}\right] \). Then, for all \(i = 0,\ldots ,M-1\), \({\textbf {server}}_{0}\) computes the appropriate parities \(p_i\) as before, except that we now define our set \(S_i\) as:
The membership check is changed accordingly. The reason for this change is that we can now run Step 1 of the online query as:
1. Sample \(k' \leftarrow F.\textsf {Gen}(1^\lambda )\). Let \(s' = x^r \oplus F.\textsf {Eval}(k',x^\ell )\).
Note that this guarantees that we generate a set containing x by sampling only a single key \(k'\) instead of an expected \(\sqrt{N}\) (and potentially many more) different keys. We sketch the privacy proof here and refer to the full version of the paper [34] for a complete proof. For sets generated offline, the shifts are sampled uniformly at random and therefore do not affect privacy or correctness of the initially generated sets; they only shift all elements of the initial sets by a fixed offset. However, in Step 1 of the Online Query, \(s'\) depends on x, our query index.
We must therefore show that sending such a tuple to \({\textbf {server}}_{0}\) does not reveal any additional information, i.e., that the tuple \((q_0,s')\) can be simulated without knowledge of x. This follows from the fact that we can replace our \(q_0\) by a freshly sampled key punctured at a uniformly sampled point in the function's domain. Let u denote a point sampled uniformly from the range of the PRF. Since \(F.\textsf {Eval}(k',x^\ell )\) for a freshly sampled key is computationally indistinguishable from u given only \(q_0\) (this follows from Definition 2.6), and is completely independent of x (since we are using a freshly sampled key), from the server’s view \(s' = x^r \oplus u\). Since the xor operation is randomness preserving, we can replace the whole of \(s'\) by a uniformly sampled point in \(\left[ \sqrt{N}\right] \). If the Sim algorithm does exactly this, we have shown that our query is computationally indistinguishable from a query generated without knowledge of x. The rest of the proof follows as in Sect. 4.
1.2 Generalizing TreePIR to More Flexible Database Sizes
In Sect. 4 we assume that N is a perfect square and a power of two for simplicity of exposition. This allows us to use concatenation and splitting to go between our index x and its building blocks \(x^\ell \) and \(x^r\). With some extra steps, TreePIR can be generalized to work with any N that is a perfect square, by replacing the concatenation operation with a multiplication by \(\sqrt{N}\) followed by addition of the function evaluation value. Our sets \(S_i\) are therefore now defined as:
Here, \(*\) and \(+\) are plain multiplication and addition over the natural numbers. Checking membership is done in the corresponding fashion. For an index \(x \in \left[ N\right] \), let \(x^\ell = \left\lfloor x /\sqrt{N} \right\rfloor \) (where \(\lfloor \cdot \rfloor \) denotes the floor function, rounding down to the nearest integer). We can check whether x is in \(S_i\) by checking whether \(x - x^\ell * \sqrt{N} =F.\textsf {Eval}(k_i,x^\ell )\).
If a database size N is not a perfect square, one can simply take the domain and range of F to be \(\left\lceil \sqrt{N} \right\rceil \), with little to no overhead at the client or server, and treat elements larger than N as 0-strings (when necessary for calculating parities). We use \(\lceil \cdot \rceil \) to denote the ceiling function, rounding up to the nearest integer.
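As an added example covering both Sect. 1.1 and Sect. 1.2 (written for this page; it is not the paper's or the TreePIR repository's code): shifted pseudorandom sets with an O(1) membership check, the deterministic single-key Step 1 beside the naive resampling loop it replaces, and the floor/ceiling index arithmetic for an N that is neither a power of two nor a perfect square. It assumes an HMAC-SHA256 stand-in for \(F.\textsf{Eval}\) (not a wpPRF, so only the set bookkeeping is modelled, not puncturing or privacy) and applies the shift as addition modulo \(\sqrt{N}\) instead of \(\oplus\) so that elements stay in range for any \(\sqrt{N}\).

```python
# Added example, not the TreePIR paper's or repository's code. F.Eval is modelled by
# HMAC-SHA256 reduced mod sqrt(N): the right shape ([sqrt N] -> [sqrt N]) but NOT a wpPRF.
import hashlib, hmac, math, secrets

def prf_gen() -> bytes:
    """Models F.Gen(1^lambda) with lambda = 128 (assumption)."""
    return secrets.token_bytes(16)

def prf_eval(key: bytes, x_left: int, sqrt_n: int) -> int:
    mac = hmac.new(key, x_left.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % sqrt_n

def ceil_sqrt(n: int) -> int:
    """ceil(sqrt N) for N >= 1: size of F's domain and range when N is not a perfect square."""
    return math.isqrt(n - 1) + 1

def split_index(x: int, sqrt_n: int) -> tuple:
    """x^l = floor(x / sqrt N) and x^r = x - x^l * sqrt N (Sect. 1.2); no power of two needed."""
    x_left = x // sqrt_n
    return x_left, x - x_left * sqrt_n

def set_members(key: bytes, s: int, sqrt_n: int) -> list:
    """Pseudorandom set (key, s): one element per x^l, shifted by s. Assumption: the shift is
    added mod sqrt N (the appendix XORs, with sqrt N a power of two) so it stays in range."""
    return [x_left * sqrt_n + (prf_eval(key, x_left, sqrt_n) + s) % sqrt_n
            for x_left in range(sqrt_n)]

def contains(key: bytes, s: int, sqrt_n: int, x: int) -> bool:
    """O(1) membership: x - x^l * sqrt N == (F.Eval(k, x^l) + s) mod sqrt N."""
    x_left, x_right = split_index(x, sqrt_n)
    return x_right == (prf_eval(key, x_left, sqrt_n) + s) % sqrt_n

def naive_sample_containing(x: int, sqrt_n: int) -> tuple:
    """Original Step 1: resample keys until F.Eval(k', x^l) == x^r (expected sqrt N trials)."""
    x_left, x_right = split_index(x, sqrt_n)
    trials = 0
    while True:
        trials += 1
        key = prf_gen()
        if prf_eval(key, x_left, sqrt_n) == x_right:
            return key, trials          # this set has shift 0

def deterministic_sample_containing(x: int, sqrt_n: int) -> tuple:
    """Sect. 1.1 Step 1: sample one key, then solve for the shift s' that puts x in the set."""
    x_left, x_right = split_index(x, sqrt_n)
    key = prf_gen()
    return key, (x_right - prf_eval(key, x_left, sqrt_n)) % sqrt_n

def parity(db: list, members: list) -> int:
    """Server-side parity of a set; indices >= N (ceil(sqrt N) padding) count as 0-strings."""
    acc = 0
    for idx in members:
        if idx < len(db):
            acc ^= db[idx]
    return acc
```

With a constructed database of N = 20 entries, `ceil_sqrt(20)` gives 5, `deterministic_sample_containing(13, 5)` yields a set containing index 13 after a single key sample, and `parity` skips the padded indices 20 through 24.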
© 2023 International Association for Cryptologic Research
Cite this paper
Lazzaretti, A., Papamanthou, C. (2023). TreePIR: Sublinear-Time and Polylog-Bandwidth Private Information Retrieval from DDH. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_10
DOI: https://doi.org/10.1007/978-3-031-38545-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38544-5
Online ISBN: 978-3-031-38545-2