TreePIR: Sublinear-Time and Polylog-Bandwidth Private Information Retrieval from DDH

Abstract

In Private Information Retrieval (PIR), a client wishes to retrieve the value of an index i from a public database of N values without leaking any information about i. In their recent seminal work, Corrigan-Gibbs and Kogan (EUROCRYPT 2020) introduced the first two-server PIR protocol with sublinear amortized server time and sublinear \(O(\sqrt{N} \log N)\) bandwidth. In a followup work, Shi et al. (CRYPTO 2021) reduced the bandwidth to polylogarithmic by proposing a construction based on privately puncturable pseudorandom functions, a primitive whose only construction known to date is based on heavy cryptographic primitives such as LWE. Partly because of this, their PIR protocol does not achieve concrete efficiency. In this paper we propose TreePIR, a two-server PIR protocol with sublinear amortized server time and polylogarithmic bandwidth whose security can be based on just the DDH assumption. TreePIR can be partitioned in two phases that are both sublinear: The first phase is remarkably simple and only requires pseudorandom generators. The second phase is a single-server PIR protocol on only \(\sqrt{N}\) indices, for which we can use the protocol by Döttling et al. (CRYPTO 2019) based on DDH, or, for practical purposes, the most concretely efficient single-server PIR protocol. Not only does TreePIR achieve better asymptotics than previous approaches while resting on weaker cryptographic assumptions, it also outperforms existing two-server PIR protocols in practice. The crux of our protocol is a new cryptographic primitive that we call weak privately puncturable pseudorandom functions, which we believe can have further applications.

Further Optimizations

We discuss here some further optimizations to TreePIR.

1.1 Deterministic Client Time

Our protocol in Fig. 6 has probabilistic client time due to Step 1 of the Online Query algorithm, which is:

1. 1.

   Sample \(k' \leftarrow F.\textsf {Gen}(1^\lambda )\) until \(F.\textsf {Eval}(k',x^\ell ) = x^r\).

In practice, sampling several keys until finding one can be time consuming, and as N increases, the worst case run-time can be very expensive. To achieve both faster and more consistent run-times, it is desirable to have a fully deterministic PIR algorithm. This is achievable by introducing an additional parameter to each of our ‘sets’, a shift. The shift will permute every element in the set by a fixed offset (this technique was used before in [15]). We modify the TreePIR by include a shift \(s \in \left[ \sqrt{N}\right] \) to be a part of every pseudorandom set (which is now defined as a tuple of a wpPRF key and a shift).

Offline, the client now generates tuples \((k_i,s_i)\) for \(i = 1,\ldots ,M-1\); where \(k_i \leftarrow F.\textsf {Gen}(1^\lambda )\) as before, and \(s_i\) is sampled uniformly from \(\left[ \sqrt{N}\right] \). Then, for all \(i = 0,\ldots ,M-1\), \({\textbf {server}}_{0}\) computes the appropriate parities \(p_i\) as before, except we now define our set \(S_i\) as:

$$ S_i = \left\{ v || \left( F.\textsf {Eval}(k_i,v) \oplus s_i \right) : v \in \left[ \sqrt{N} \right] \right\} . $$

The membership check also is changed accordingly. Finally, the reason for this change is that we can now run Step 1 of the online query as:

1. 1.

   Sample \(k' \leftarrow F.\textsf {Gen}(1^\lambda )\). Let \(s' = x^r \oplus F.\textsf {Eval}(k',x^\ell )\).

Note that this guarantees that we generate a set with x sampling only a single \(k'\) instead of an expected \(\sqrt{N}\) (and potentially many more) different keys. We sketch the privacy proof here and include refer to the full version of the paper [34] for a complete proof. For sets generated offline, the shifts are sampled uniformly at random, and therefore do not affect privacy or correctness for the initially generated sets, they only shift all elements of the initial sets by a fixed offset. However, in Step 1 of the Online Query, \(s'\) is dependent on x, our query index.

Then, we must now show that upon sending such tuple to \({\textbf {server}}_{0}\) does not reveal any additional information. We must show that the tuple \((q_0,s')\) can be simulated without knowledge of x. This follows from the fact that we can replace our \(q_0\) by some freshly sampled key punctured at a uniformly sampled point in the functions domain. We denote u to be a point sampled uniformly from the range of the PRF. Then, since \(F.\textsf {Eval}(k',x^\ell )\) for a freshly sampled key is computationally indistinguishable from u given only \(q_0\) (follows from Definition 2.6), and completely independent from x (since we are using a fresh sample key), from the server’s view, \(s' = x^r \oplus u\). Since the xor operation is randomness preserving, we can replace the whole \(s'\) by a uniformly sampled point in \(\left[ \sqrt{N}\right] \). Then, if we do this for the Sim algorithm, we have shown that our query is computationally indistinguishable from a query generated without knowledge of x. The rest of the proof follows as in Sect. 4.

1.2 Generalizing TreePIR to More Flexible Database Sizes

In Sect. 4 we assume that N is a perfect square and a power of two for simplicity and exposition. This allows us to use concatenations and splitting to go between our index x and the building blocks \(x^\ell \) and \(x^r\). With some extra steps, TreePIR can be generalized to work with any N that is a perfect square by replacing the concatenation operation by a multiplication by \(\sqrt{N}\) and addition by the function evaluation value. Our sets \(S_i\) are therefore now defined as:

$$ S_i = \left\{ v * \sqrt{N} + F.\textsf {Eval}(k_i,v): v \in \left[ \sqrt{N}\right] \right\} . $$

Here, \(*\) and \(+\) are plain addition and multiplication over the natural numbers. Checking membership is done in the corresponding fashion. For an index \(x \in \left[ N\right] \), let \(x^\ell = \left\lfloor x /\sqrt{N} \right\rfloor \) (where \(\lfloor \cdot \rfloor \) denotes the floor function, rounding down to the nearest integer). We can check if x is in \(S_i\) by checking whether \(x - x^\ell * \sqrt{N} =F.\textsf {Eval}(k_i,x^\ell )\)

If a database size N is not a perfect square, one can simply use the domain and range of F to be \(\left\lceil \sqrt{N} \right\rceil \) with little to no overhead at the client or server and treat elements larger than N as 0-strings (when necessary for calculating parities). We use \(\lceil \cdot \rceil \) to denote the ceil function, rounding up to the nearest integer.