Transcript scws2 6708

An Ω(n1/3) Lower Bound for
Bilinear Group Based
Private Information Retrieval
Alexander Razborov
Sergey Yekhanin
Private Information Retrieval [CGKS]
D
1≤i≤n
:
:
D
• D is a binary string of length n.
• k non-communicating servers hold the same database D.
• User holds index i and wants to retrieve Di.
• Each individual server should get no information about i.
• Goal: Minimize communication complexity!
PIR: progress
k
Lower bound
Θ(n) [CGKS]
1
2
3
Upper bound
5 log n [WdW]
O(n1/3) [CGKS,BI+IK,WY]
• O(n1/3) [CGKS]
• O(n1/5) [A]
• O(n1/5.25) [BIKR]
• O(n1/32,582,658) [Y]
• nO(1/log log n) [Y]
2 server case: restricted lower bounds
[Itoh]
Ω(n1/4)
[GKST] Ω(n1/(s+1))
[WdW]
This
work
Ω(n1/3)
Servers return affine
functions of the queries
User reads at most s bits
from servers’ responses
Bilinear group based PIR
schemes
• Models are incomparable
• Each model captures all known PIR schemes
Plan of the talk
• An example PIR scheme [WY]
• Statement of our lower bound
• Our technique
Example PIR: algebraization
1 ≤ i ≤ n, wants Di.
P  Fqm , wants F P 
D= 1 0 1 … 0 1 1
F ( x1 ,..., xm )  Fq [ x1 ,..., xm ]
• Database D[n] is represented by a cubic multivariate
polynomial F(x1,…, xm) over a finite field Fq
• Polynomial is in m=n1/3 variables
• For every i there is a point Pi such that Di=F(Pi)
Example PIR
P
P  1V
P  4V
L  {P  V |   Fq }
User : Picks V uniformly at random.
U  S h : P  hV
U  S h : F ( P  hV )
• Privacy, O(n1/3) communication, correctness
• The scheme requires at least 4 servers
• Note: the communication is unbalanced
Example PIR
P  1V
P  2V
P
L  {P  V |   Fq }
User : Picks V uniformly at random.
U  S h : P  hV
F
U  S h : F ( P  hV ),
x1
F
,...,
xm
P  V
h
Privacy, O(n1/3) communication, correctness …
P  hV
Example PIR
Correctness:
F ( P  V )  f ( )
from the values of partial derivatives of F ( x1 ,..., xm )
User reconstructs values of derivatives of
f

h
m
F ( P  V )
F



i 1 xi
h
User learns:
Reconstructs:
Vi .
P  hV
f (1 ), f (2 ), f ' (2 ), f ' (2 ).
f (0)  F ( P )
Key properties of example PIR
Servers represent database D by a function on a group,
and user can retrieve the function value at any group
element (including elements that do not correspond to
database bits).
User computes the dot product of servers’ responses to
obtain Di.
These properties are common to all known PIR
schemes.
Our result
Theorem: Every bilinear group based PIR
protocol requires Ω(n1/3) communication
– Bilinear: user outputs dot product of servers’
responses
– Servers represent database by a function on a finite
group G and user can retrieve function values at
arbitrary group elements using the natural secret
sharing based on G.
Our technique
•
•
•
•
Combinatorial view of PIR
Specialization to bilinear PIR
Specialization to bilinear group based PIR
Algebraic problem
Combinatorial view of PIR
Notion – Generalized Latin Square S[n, T]:
• Square of size T by T
• n variables
• Every variable appears
x1
x1
x2
x2
once in every row/column
x2
x3
x3
x3
x3
x3
x1
x1
x1
x2
x2
Combinatorial view of PIR
Notion – Embedding of matrices:
Let S∈{0,1}T T A∈{0,1}L L. S embeds into A if there exist two
embedding maps r,c :[T]→[L] such that for all j,k∈[T]:
Sjk=Ar(j)c(k)
╳
1 0
1 1
╳
0
0
0
0 0 0 1
0 1 1 1
0 1 0 1
1
1
1
1
0 1
1 1
0
1
Combinatorial view of PIR
Theorem: PIR schemes with t long
queries and r long answers are
equivalent* to pairs of matrices SA
such that:
– S is Generalized Latin Square [n, 2t]
– A is a binary square matrix of size 2r
– For every {0,1} assignment to variables
xi S can be completed to a {0,1} matrix
that embeds into A.
x1
x2
x1 x2
x3
x2
x3
x3
x3
x3
x1
x1
x2
x1
x2
0 1 0 0 1
1 1 0 0 1
1 0 0 0 1
0
0
1
0 1 0 1 0
1 0 0 0 1
1 0 1 1 0
0
1
0
Combinatorial view of PIR: Proof
Given SA we construct a PIR protocol:
Servers obtain the embedding maps r,c:[T]→[L]
• U : Randomly picks j,k∈[T] such that Sjk=i
• U→S1 : j
• U→S2 : k
• S1→U : r(j)
• S1→U : c(k)
• U: Outputs Ar(j)c(k)
Communication complexity, correctness, privacy
Combinatorial view of bilinear PIR
Bilinear PIR schemes SA have A=Hr
Theorem: Bilinear PIR schemes with t
long queries and r long answers are
equivalent* to 2t by 2t matrices S
that are:
– Generalized Latin Squares [n, 2t]
– For every {0,1} assignment to
variables xi can be completed to F2
rank ≤ r.
x1 x2
x3
x1 x2
x3
x2
x3
x1
x3
x1 x2
x3
x1 x2
Specialization to group based PIR
Notion - Matrix S respects the structure of a finite group G
Example: G=Z5 (circulant matrices)
0
1
2
3
4
0
0
1
0
0
1
1
1
0
0
1
0
2
0
0
1
0
1
3
0
1
0
1
0
4
1
0
1
0
0
0
1
2
3
4
0
1
0
0
1
1
1
0
0
1
1
1
2
0
1
1
1
0
3
1
1
1
0
0
4
1
1
0
0
1
Specialization to group based PIR
2n different databases yield 2n different low
rank completions of a GLS S[n, 2t].
In group based PIR over a group G schemes
all such completions respect the structure
of G
We use representation theory to count the
total number A(G,r) of rank ≤ r matrices
respecting the group structure
0
x1
x2
1
x3
x1
x2
1
x3
0
x2
1
x3
0
x1
1
x3
0
x1
x2
x3
0
x1
x2
1
Algebraic problem
A(G,r) can be defined in algebraic terms:
A(G, r )  {  F2 [G] | dim(  )  r}
The upper bound proof requires modular (i.e. nonsemisimlpe) representation theory and yields:
A(G,r) ≤ 2(log G)*r
2
n ≤ (log G) * r2
Open problems
• Can our technique be extended to a lower
bound for bilinear PIR?
• Can our technique be used to establish a
connection to matrix rigidity?