Efficient transformation capabilities of single database private block retrieval

Private information retrieval (PIR) is one of the promising techniques to preserve user privacy in the presence of trusted-but-curious servers. Information-theoretically private query construction assures the highest user privacy against curious servers with unbounded computation. The need for information-theoretic private retrieval has therefore been addressed by various schemes in a variety of PIR settings. However, there is no efficient encryption switching scheme that supports switching between information-theoretic and computationally bounded PIR. We propose a combination of new bit connection methods, called rail-shape and signal-shape, and a new family of trapdoor functions based on the quadratic residuosity assumption for generic single database private block retrieval (PBR). The main goal of this work is to show that mapping from computationally bounded privacy to information-theoretic privacy, or vice versa, is possible in a single database setting using the newly constructed combinations of bit connections and trapdoor functions. Notably, the proposed schemes are single round, memoryless and plain database schemes (in their basic constructions).


Introduction
The goal of any privacy-critical application is to preserve the underlying privacy (such as user privacy, server privacy or data privacy) with a guaranteed confidentiality primitive (i.e., information theoretic).
Among user privacy-preserving techniques, Private Information Retrieval (PIR), introduced by Chor et al. [12,13], is one of the prominent techniques for preserving both user privacy and data privacy. Private information retrieval, also called a special case of 1-out-of-n oblivious transfer, involves two communicating parties, user and server, in which the user privately reads a sin-information-theoretic schemes [3,4,8,17,19,28,32] and some PBR extensions [2,5,13,14,16,21,30,31,37] have concentrated on providing information-theoretic privacy using database replications.
-Computationally bounded PIR (cPIR): If the PIR protocol involves computationally bounded (or computationally intractable) database server entities, then the scheme is considered a computationally bounded PIR (cPIR), in which privacy is preserved based on well-defined cryptographic intractability assumption(s).
The existing single database PBR schemes (including both itPBR and cPBR) have the following major problems.
-Lack of sufficient itPIR approaches: More research has focused on the construction of efficient cPBR instead of itPBR in the single database setting. This leads to the lack of an information-theoretic privacy guarantee to the user in the single database setting.
-Lack of independence between user and data privacy: Most of the existing cPBR schemes use a single intractability assumption (such as Quadratic residuosity, Phi-hiding, Lattices, Composite residuosity etc.) to preserve both user privacy and data privacy. If the curious party breaks the underlying intractability assumption, then both privacy concerns are compromised without extra effort. For instance, the single database PIR protocol constructed by Kushilevitz and Ostrovsky [25] relies on the well-known Quadratic Residuosity Assumption (QRA) to achieve both user privacy (through computationally intractable query inputs with quadratic residuosity properties) and data privacy (through quadratic residuosity ciphertexts). Note that compromising the QRA naturally reveals both privacy concerns (without extra effort). Therefore, there is a strong need for a generic scheme with an efficient mapping from cPBR to itPBR such that the underlying primitive of user privacy also maps from an intractability assumption to information-theoretic privacy. Note that the Kushilevitz and Ostrovsky scheme does not support an efficient mapping of cPBR to/from itPBR.
-Lack of generic framework that fulfills the above needs: Due to the lack of a generic PBR framework (which can be used as a generic framework for several privacy critical applications such as PBR, oblivious transfer, asymmetric encryption etc.), there is a strong need for a generic PBR scheme that can efficiently transform between several PBR extensions such as information-theoretic PBR, computationally bounded PBR, oblivious transfer, asymmetric encryption etc.
With this thorough investigation, the natural question that arises is as follows.

Related work
Many PIR schemes have also been extended to provide database security. Naor and Pinkas [34] first proposed the transformation of cPIR to OT with a small computation overhead. Gertner et al. [18] proposed a way of transforming cPIR to cOT with a small communication overhead. To achieve this, the system must add one more auxiliary database to store some random strings. been slightly relaxed from the standard notion. Chang [10] proposed the first balanced computationally bounded OT scheme in the single database setting. But no method has been proposed to convert cOT to cPIR. Laur and Lipmaa [27] proposed a disclose-if-equal (DIE) protocol which in turn supports cPIR to OT transformation. Because the proposed protocol involves compulsory client encryption operations, it is not best suited for large database PIR operations. Kiayias et al. [24] proposed a rate-optimal cPIR-to-OT transformation. But the transformed OT scheme is computationally secure on the server side. Therefore, the authors left the information-theoretically server-private optimal-rate OT protocol as an interesting open problem. But no substantial efforts are visible to date in the transformation of cPIR to itPIR. It is generally hard to achieve sublinear communication in single database itPIR. But it is essential to go with the single database setting, as the multi-database setting provides a weaker privacy guarantee. This basic reason motivated the design of the proposed transformation scheme.

Preliminaries and notations
Let $[1, u]$ denote taking all values from 1 to $u$ and $[u]$ $\{1, 2, \ldots, u\}$ denote taking any one value in the range from 1 to $u$. Let $k$ denote the security parameter, $N \leftarrow \{0, 1\}^k = PQ$ be the RSA composite modulus where $P \equiv 3 \pmod 4$, $Q \equiv 3 \pmod 4$, and $Z_N^{+1}$ denote the set of all elements with Jacobi Symbol (JS) 1. Let $Q_R$ and $\overline{Q_R}$ denote the quadratic residue and quadratic non-residue sets with JS = 1 respectively. Let $a, b$ be a set consisting of two components in which $a \in Z_N^{+1}$, and $b = \{i : i \in \{0, 1\}\}$.
Correctness: In any given instance, user must be able to retrieve the correct desired bit.
User privacy: In any given instance, user interest (may be in terms of database index) should not be revealed to the server.
Information theoretic privacy: Even after receiving the user query and having unbounded computation power, server should not gain any (even partial) information about the database index.

Fig. 1 A single database private block retrieval framework with itPBR to/from cPBR transformations (panel labels: Map(cPBR)→itPBR, Map(itPBR)→cPBR, single database PBR)
respective inverse function is . We use the alternative square root syntax as

Combination of new bit connection methods and trapdoor functions
We introduce novel combinations of the quadratic residuosity based trapdoor functions of Sect. 4.1 and the database bit connection methods of Sect. 4.2 that can be used as a generic framework for itPBR to/from cPBR transformations, as shown in Fig. 1. These combinations can assure many privacy concerns such as user privacy, data privacy and server privacy.

A new quadratic residuosity based trapdoor functions
consists of the following functions.
-Sampling an input ($I$): The algorithm $I$ receives the input $1^k$ and produces the large RSA composite $N = PQ$ where $P$ and $Q$ are large distinct primes with $P \equiv Q \equiv 3 \pmod 4$ or $1 \pmod 4$. It then chooses an "identically distributed" random $x \in Z_N^{+1}$. The input domain of the random input $x$ is $Z_N^{+1}$.
-Sampling a lossless injective function ($G_0$): On receiving the composite $N$, the algorithm $G_0$ chooses random $K_1, K_2 \in Z_N^{+1}$ such that the quadratic residuosity predicates of $K_1$ and $K_2$ are different (i.e., $\mathrm{QRP}(K_1) \neq \mathrm{QRP}(K_2)$). The function parameters are $\sigma = (N, K_1, K_2)$ and the trapdoor/private key is $\tau = (P, Q)$. The injective function is thus defined over the domain $Z_N^{+1}$.
-Sampling a lossy trapdoor function ($G_1$): On receiving the composite $N$, the algorithm $G_1$ chooses random $K_1, K_2 \in Z_N^{+1}$ such that the quadratic residuosity predicates of $K_1$ and $K_2$ are equal (i.e., $\mathrm{QRP}(K_1) = \mathrm{QRP}(K_2)$).
Int. j. inf. tecnol. (May 2022) 14(3):1415-1423
-Evaluation of trapdoor function of [15] ($g$): The algorithm $g$ receives the input $x$ and produces the "h" value of $x$ (as described in the quadratic residuosity based lossy trapdoor function [15]) as the trapdoor bit as follows.
-Inversion of trapdoor function of [15] ($g^{-1}$): Given the modular square $x^2$ and the "h" value of $x$, the algorithm $g^{-1}$ obtains the input $x$ as follows.
-Evaluation of lossless injective function ($f$): The algorithm $f$ chooses a bit $b \in \{0, 1\}$. It then receives the function parameters and $g(x)$, and evaluates the following.
-Inversion of lossless injective function ($f^{-1}$): Given the function parameters, trapdoor $\tau$, trapdoor bit $h$ and ciphertext $y$, the algorithm $f^{-1}$ obtains both $x$ and $b$ as follows. where
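A sketch of the $g$ / $g^{-1}$ pair described in the list above, added here as an illustration and not taken from the paper. It assumes the "h" bit is the indicator $x > N/2$ (the page only cites [15] for its definition), uses toy primes $P = 7$, $Q = 11$, and all helper names are hypothetical.

```python
from math import gcd

# Toy Blum primes (both 3 mod 4), constructed for this example; real keys are far larger.
P, Q = 7, 11
N = P * Q

def legendre(a, p):
    """Euler's criterion: +1 if a is a quadratic residue mod the prime p, else -1."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def in_z1(x):
    """True if x is a unit mod N with Jacobi symbol +1 (computed here via P and Q)."""
    return gcd(x, N) == 1 and legendre(x, P) * legendre(x, Q) == 1

def h_bit(x):
    """ASSUMPTION: the trapdoor bit h(x) is 1 when x > N/2 and 0 otherwise."""
    return int(x > N // 2)

def g(x):
    """Evaluation, no trapdoor needed: the modular square of x and its h bit."""
    return (x * x) % N, h_bit(x)

def square_roots(c):
    """All four square roots of c mod N, using the trapdoor (P, Q) and the CRT."""
    rp = pow(c, (P + 1) // 4, P)      # a root mod P, valid because P = 3 mod 4
    rq = pow(c, (Q + 1) // 4, Q)      # a root mod Q, valid because Q = 3 mod 4
    p_inv = pow(P, -1, Q)             # P^{-1} mod Q (Python 3.8+)
    return {a + P * (((b - a) * p_inv) % Q)
            for a in (rp, P - rp) for b in (rq, Q - rq)}

def candidates(c):
    """Roots of c that lie in Z_N^{+1}: always the pair {x, N - x}."""
    return {r for r in square_roots(c) if in_z1(r)}

def g_inv(c, h):
    """Inversion with the trapdoor: the root in Z_N^{+1} whose h bit matches."""
    for r in candidates(c):
        if h_bit(r) == h:
            return r
    raise ValueError("c is not the square of an element of Z_N^{+1}")

if __name__ == "__main__":
    for x in (4, 73):                 # 73 = N - 4: same square, different h bit
        c, h = g(x)
        print(x, "->", (c, h), "roots in Z_N^{+1}:", sorted(candidates(c)),
              "-> g_inv:", g_inv(c, h))
```

Without the h bit, the square alone leaves two candidates in $Z_N^{+1}$, which is why $g^{-1}$ takes both inputs.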

A new bit connection methods (BCMs)
We introduce new methods of interconnecting the database bits during PBR response creation on the server side, as shown in Fig. 1. Based on the interconnectivity of the database bits, we classify the newly introduced bit connection methods as rail-shape and signal-shape, as shown in Fig. 2. Let the database be Note that if the absolute difference between any two database indices of the underlying set is 1, then such a set is used for rail-shape connection, and if the absolute difference between any two database indices of the underlying set is 2, then such a set is used for signal-shape connection. Therefore, it is now intuitive that the set $DB$ is used for rail-shape connection and $S_1$/$S_2$ are used for signal-shape connections. The main advantage of using these BCMs in a single database PBR setting is as follows.
-Most of the existing PBR schemes provide the whole database as input to their underlying trapdoor functions, as shown in Fig. 3a. Consequently, this method of providing a database to the underlying trapdoor function in PBR results in one of the following types of PBR: either itPBR or cPBR. Also, there should always be a chance of transforming from each itPBR scheme to its cPBR version (i.e., Map(itPBR)→cPBR). But there is no chance of transforming from each cPBR scheme to its itPBR version (i.e., Map(cPBR) itPBR

A new single database information-theoretic private block retrieval schemes (SitPBR)
In this section, we introduce a new information-theoretic private block retrieval technique. In the abstract view, the proposed scheme is a 3-tuple $(QG, RC, RR)$ involving two communicating parties, user and server, in which the user generates an information-theoretically private query from the input domain $Z_N^{+1}$ using the QG algorithm and sends this query to the server. The server, using the query and the database $DB$, generates the response using the RC algorithm and sends it back to the user. Finally, the user retrieves the intended block privately using the RR algorithm. The detailed description of the proposed scheme is given as follows.
Let the $n = u \times v$ bit 2-dimensional matrix database with $u$ rows and $v$ columns be $DB = \{D_1, D_2, \ldots, D_u\}$ where ) is further viewed as two subsets $S_2$ and $S_1$ where The idea here is to use new bit connections using the subsets $S_2$, $S_1$ and apply the recursive execution of the proposed trapdoor function of Sect. 4.1. The detailed description of the proposed algorithms is given as follows.
-Query generation (QG): (user generates) Generate a (public key, private key) pair from the query input domain $Z_N^{+1}$ as follows. Generate the public key $\sigma = (N, \{K_{z,1}, K_{z,2} : z \in [1, u]\})$ and the private key $\tau = (P, Q)$ as described in the algorithm $G_0$. Also, generate an "identically distributed" random $x \in Z_N^{+1}$ as described in the algorithm $I$. Then, generate an information-theoretically private query $Q = (N, \{K_{z,1}, K_{z,2} : z \in [1, u]\}, x)$ where $Q_z$ represents the $z$-th block query with public key components $(K_{z,1}, K_{z,2})$.
-Response creation (RC): (server generates) Using the information-theoretic query $Q$ and the database $DB$, generate the response by executing the following. For every database block $D_z$, $z \in [1, u]$, using the respective public key components $K_{z,1}, K_{z,2}$, execute the following recursive function $f(g(\cdot), \cdot)$ as described in the algorithm $f$ and obtain the intermediate ciphertext bits from each $g(\cdot)$ (as described in the algorithm $g$) and two final ciphertexts as follows.
where $i \in [v, 4]$, $j \in [v-1, 3]$ and each $f(g(\cdot), \cdot)$ is an injective function described in the algorithm $f$. Finally, the database response would be N , s, t ∈ {0, 1}}. The pictorial representation of the block response creation process is given in Fig. 4.
-Response retrieval (RR): (user generates) Using the response $R$ and the trapdoor $\tau$, retrieve the required block $w \in [u]$ (generally a single block) as follows. where is the inverse of the injective function described in Eq. (7). The pictorial representation of the response retrieval process is given in Fig. 4.

A new single database computationally bounded private block retrieval schemes (ScPBR)
In this section, we introduce a new computationally bounded block retrieval technique using computationally intractable queries. The response creation and response retrieval algorithms are the same as in the SitPBR scheme. The detailed description of the query generation algorithm is given as follows.
Generate a (public key, private key) pair from the query input domain $Z_N^{+1}$ as follows. Let the user is interested in ). Note that these two sets of public key components are computationally intractable under the quadratic residuosity assumption. The public key is , and the private key is $\tau = (P, Q)$. Also, generate a random $x \in Z_N^{+1}$. Then, generate a computationally intractable query N , $Q_i$ represents the $i$-th block query with public key components $(K_{i,1}, K_{i,2})$.

Transformation (or mapping) of SitPBR to/from ScPBR without affecting the basic setup
Most of the existing single database PBR schemes concentrate on constructing a single type of PBR, either itPBR or cPBR. But what if somebody wants to convert from one type to another without changing the basic setup? Essentially, there should be a framework of techniques that provides both types and the transformation mechanism between them.
In order to provide the above-mentioned generic framework, we have proposed single database itPBR schemes in Sect. 5 and single database cPBR in Sect. 6. Now, we describe the transformation of one type to another without changing the basic setup as follows.
The transformation of the proposed SitPBR to/from ScPBR depends upon the appropriate quadratic residuosity properties of the public key components. How, then, should public key components with the appropriate property be chosen in the proposed PBR? The following descriptions answer this.
-Sampling function parameters for SitPBR ($L_0$): The algorithm $L_0$ chooses the identically distributed public key components $K_1, K_2$ from $Z_N^{+1}$ such that $\mathrm{QRP}(K_1) \neq \mathrm{QRP}(K_2)$ (as described in the algorithm $G_0$) during QG algorithm execution without altering the remaining algorithms.
-Sampling function parameters for ScPBR ($L_1$): The algorithm $L_1$ chooses both kinds of public key components, from the $G_0$ and $G_1$ algorithms, during QG algorithm execution such that both kinds of components are computationally indistinguishable. Note that choosing these public key components with the appropriate property affects neither the remaining PBR algorithms nor the basic PBR setup.
-Sampling function parameters for Map(SitPBR)→ScPBR ($M_0$): In order to map from the proposed SitPBR to ScPBR, just choose the appropriate public key components from $L_1$ during QG algorithm execution and continue to execute the remaining PBR algorithms. Note that this mapping process is computationally indistinguishable.
-Sampling function parameters for Map(ScPBR)→SitPBR ($M_1$): In order to map from the proposed ScPBR to SitPBR, just choose the appropriate public key components from $L_0$ during QG algorithm execution and continue to execute the remaining PBR algorithms (as usual). Note that this mapping process is also computationally indistinguishable.
Table 1 An illustrative example of the proposed scheme with two database blocks (columns: Step, Response Creation (RC), Step, Response Retrieval (RR))
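The sampling rules $L_0$ and $L_1$ from this section, sketched as an added example (not code from the paper). It uses toy primes; the helper names and the caller-chosen set `g0_blocks` (which blocks receive a $G_0$ pair under $L_1$) are assumptions, since the page does not spell out that assignment.

```python
import secrets

# Toy primes, both 3 mod 4, constructed for this example; real moduli are far larger.
P, Q = 1019, 1031
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n; computable by anyone, no factorisation needed."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def qrp(k):
    """Quadratic residuosity predicate via Euler's criterion; needs the trapdoor (P, Q)."""
    return int(pow(k, (P - 1) // 2, P) == 1 and pow(k, (Q - 1) // 2, Q) == 1)

def sample_z1():
    """Uniform element of Z_N^{+1} by rejection sampling on the Jacobi symbol."""
    while True:
        x = 1 + secrets.randbelow(N - 1)
        if jacobi(x, N) == 1:
            return x

def sample_pair(injective):
    """G_0 (injective=True): QRP(K1) != QRP(K2). G_1 (injective=False): QRP equal."""
    while True:
        k1, k2 = sample_z1(), sample_z1()
        if (qrp(k1) != qrp(k2)) == injective:
            return k1, k2

def l0_keys(u):
    """L_0 (SitPBR): every block gets a G_0 pair."""
    return [sample_pair(True) for _ in range(u)]

def l1_keys(u, g0_blocks):
    """L_1 (ScPBR): blocks in g0_blocks (hypothetical parameter) get G_0, the rest G_1."""
    return [sample_pair(z in g0_blocks) for z in range(1, u + 1)]

def server_view(keys):
    """What can be computed without (P, Q): the Jacobi symbol of each component."""
    return [(jacobi(k1, N), jacobi(k2, N)) for k1, k2 in keys]

def user_view(keys):
    """What the trapdoor holder sees: True where the pair is of the G_0 kind."""
    return [qrp(k1) != qrp(k2) for k1, k2 in keys]

if __name__ == "__main__":
    it_keys, c_keys = l0_keys(4), l1_keys(4, {3})   # constructed: u = 4, block 3
    print("server view equal:", server_view(it_keys) == server_view(c_keys))
    print("user view SitPBR :", user_view(it_keys))
    print("user view ScPBR  :", user_view(c_keys))
```

Switching between the two modes changes only the call that produces the key pairs; telling the two kinds of pair apart without $(P, Q)$ is exactly the quadratic residuosity problem the section relies on.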

Performance evaluation
Privacy: The proposed scheme of Sect. 5 always preserves user privacy against the curious server through the generation of information-theoretically private queries. If ) are any two randomly generated queries in the QG algorithm, then the selection of public key components from the identically distributed domain for all database blocks always guarantees perfect user privacy, i.e., the query components are randomly chosen from an identically distributed domain in such a way that the mutual information between any two queries is always zero, which assures perfect privacy to the user. The proposed scheme of Sect. 6 always preserves user privacy against the curious server through the generation of computationally bounded queries. If $Q_1 = (N, K_1, K_2, x_1)$, $Q_2 = (N, K_3, K_4, x_2)$ are any two randomly generated queries in the QG algorithm, then the computationally indistinguishable selection of public key components for all database blocks always guarantees computationally bounded user privacy. In other words, the quadratic residuosity properties of the public-key components of $Q_1$ and $Q_2$ are computationally hidden from the curious server.
Both the proposed schemes of Sects. 5 and 6 use the quadratic residuosity assumption to preserve data privacy against an intermediate adversary.
Communication and Computation: In the proposed schemes of Sects. 5 and 6, the user sends $O((2u + 2) \cdot \log N)$ query bits to the server. The server sends $O(u(v - 2) + 2u \log N)$ response bits to the user, where $u$ is the row size of the database, $v$ is the column size of the database and $N$ is the composite modulus. Both the proposed schemes are single round PBR protocols that use only one request-response cycle, where the user requests a database block and the server responds through the response.
Fig. 5 Proposed privacy preserving big data access control models (panels a, b)
The execution of the RC algorithms of Sects. 5 and 6 involves $uv$ lossless trapdoor functions $f(\cdot)$ and $u(v - 2)$ lossy trapdoor functions $g(\cdot)$. Since each trapdoor function (either lossy or lossless) involves a single modular multiplication, the RC algorithm involves a total of $u(2v - 2)$ modular multiplications. On the other hand, the RR algorithms of Sects. 5 and 6 involve only $(2v - 2)$ modular multiplications plus $(v - 2)$ quadratic square roots to retrieve the required block.

Privacy preserving big data access control
We will extend our work to introduce a novel privacy preserving access control model in the Big Data information processing environment. The core idea is to store only the CCA secure ciphertext components of the proposed PBR schemes of Sect. 5 or Sect. 6 on the Big Data and download the stored information using one of the proposed PBR techniques in 2-party and 3-party scenarios, as shown in Fig. 5a, b. This idea covers many privacy critical applications such as Healthcare, Patent and Stock search, Email, Social media and Private chat, which cannot be handled by the traditional Big Data information processing model alone.
In the 2-party scenario, the proposed model consists of two communicating parties, Alice and Cloud, in which Alice encrypts his/her data $DB$ under his/her own public key $\sigma$ using the RC algorithm, stores one of the ciphertext components $C_1 = \{(s_{z,1}, s_{z,2}, \ldots, s_{z,\frac{v}{2}-1}), (t_{z,1}, t_{z,2}, \ldots, t_{z,\frac{v}{2}-1})\}, \forall z \in [1, u]$ on Cloud (which maintains Big Data storage and processing) and keeps the other ciphertext components $C_2 = (y_{z,1}, y_{z,2}), \forall z \in [1, u]$ with him/her. Whenever required, Alice directly downloads the partial ciphertext component $C_1$ from Cloud, or downloads it using the proposed schemes of Sects. 5, 6, and decrypts his/her data $DB$ with his/her own private key $\tau$ using the RR algorithm.
In the 3-party scenario, the proposed model consists of three communicating parties, Alice, Bob and Cloud, in which Alice encrypts his/her data under Bob's public key $\sigma$ using the RC algorithm, stores one of the ciphertext components $C_1 = \{(s_{z,1}, s_{z,2}, \ldots, s_{z,\frac{v}{2}-1}), (t_{z,1}, t_{z,2}, \ldots, t_{z,\frac{v}{2}-1})\}, \forall z \in [1, u]$ on Cloud (which maintains Big Data storage and processing) and sends the other ciphertext component $C_2 = (y_{z,1}, y_{z,2}), \forall z \in [1, u]$ to Bob. Whenever required, Bob downloads a part of the ciphertext components $C_2$ from Alice, downloads the other ciphertext component $C_1$ from Cloud and decrypts Alice's data with his/her private key $\tau$ using the RR algorithm.

Conclusion and future work
We have presented a new combination of trapdoor functions and bit connection methods to achieve a novel mapping between single database information-theoretic and computationally bounded private block retrieval schemes and their transformations. Although the proposed schemes show reasonable performance with respect to the current state-of-the-art work, focusing on other dimensions, such as a scalable and fault-tolerant multi-server PBR scheme for practical privacy-preserving Big Data access control applications, is the future direction.

Fig. 2 A new bit connection methods used to interconnect the proposed trapdoor functions
).
-Introducing the unique bit connection methods (other than using the whole plaintext) is helpful to achieve Map(itPBR)→cPBR? Yes. It is possible to achieve both Map(itPBR)→cPBR and Map(cPBR)→itPBR using the combination of BCMs and newly constructed trapdoor