ConstantRound Private Database Queries

1
Constant-Round Private Database Queries

• Nenad Dedic and Payman Mohassel

Boston University
UC Davis
2
Outline

• Introduction
• Element rank protocol
• Other protocols
• Equivalence to one-round PIR
• Open problems

3
Succinct Computation

• Computing f(x,y)
• One round of interaction

• Communication Complexity
• q a O(poly(log(x), log(y), f(x,y),
  s))
• Or linear in f(x,y)

4
Privacy

• Computational setting
• Client side
• For any x, x, Q(x) and Q(x) are
  indistinguishable
• Server side
• Simulator S, simulates A(x,y) given x and f(x,y)
• Semi-honest adversaries

5
Private Database Queries

• Servers input is a database
• Clients input is a query
• Private information retrieval (PIR)
• f(i, (x1,x2,,xn)) xi
• Private Keyword search (PKS)
• f(w, (x1,v1),,(xn,vn))

va if there is xa w
otherwise
-
6
Existing Solutions

• PIR / SPIR
• KO97, Lipmaa05,
• One-round, sublinear communication
• PKS
• FIPR05
• One-round, polylog(n) communication
• PIR and homomorphic encryption
• How about more general queries?

7
More General Queries

• General MPC
• Not efficient
• Circuits with look-up tables NN01
• Communication efficient
• High round complexity
• One-round secure computation CCKM00
• Round efficient
• High comm.
• Computing BP on encrypted data IP07
• Independent work
• Round and communication efficient
• Strong assumption

8
Private Element Rank

• Interval Labeling
• f(b, (x1,x2,,xn,v1,,vn))
• vi such that b ? (xi, xi1
• Element Rank
• Add x0 -8 and xn18
• vi i
• Applications
• Ranking in auctions
• Online testing services
• Use to design other protocols

9
Interval Labeling Protocol

• b, x1,x2,,xn ? 0,1k
• Run a PKS for every prefix of b
• jth query j-bit prefix of b
• Create and use a database D

10
Interval Labeling Protocol
D (000,v0),(001,v1),(0100,v1) ,
(0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)
11
Interval Labeling Protocol
b 1000
b1 1
b2 10
b3 100
b4 1000
D (000,v0),(001,v1),(0100,v1) ,
(0101,v2),(011,v2),(100,v2),(101,v3),(11,v4)
12
Interval Labeling Protocol

• w is w with last bit flipped
• Database D, where D 2kn
• For every 1 j k, let w be j-bit prefix of xi
• Add (w,vi) to D if
• w0k-j, w1k-j xi,xi1 , but
  not true for w
• Add (w,vi) to D if
• w0k-j, w1k-j xt ,xt1 , but not
  true for w
• Prefixes of xis and/or their siblings

13
Interval Labeling

• ri PKSA(bi ,D) for 1 i k
• Randomly permute (r1, r2, ,rk) and send
• Decode retrieve the only ri ? - in the list
• One round, polylog(n) communication
• Reduced to PKS

14
Other Protocols

• Private Rectangle Labeling
• Which rectangle is query point in?
• Extension to higher dimensions
• One round
• Private Range Queries
• Retrieve all the points in the range
• On a line or in a plane
• Constant round
• Comm. proportional to number of retrieved points

15
Other Protocols

• mth ranked element
• Alice holds database A
• Bob holds database B
• Find mth ranked element in (A U B)
• AMP04, O(log(m)) rounds, and sublinear comm.
• We use our rank protocol as subprotocol
• O(log(log(m))) rounds
• Still sublinear comm.

16
PKS to PIR

• FIPR05
• Database
• Hash function h 0,1n 0,1n/log(n)
• Hash keywords (xis) to n/log(n) bins
• Create degree log(n) polynomials for each bin
• Client
• Compute h(w)
• Send E(h(w)) , E(h(w)2), , E(h(w)log(n))
• Database evaluates all polynomials at h(w)
• Client gets one result via PIR

f(w, (x1 ,v1),,(xn ,vn ))
17
PKS to PIR

• Assumption One-round PIR
• Replace polynomials with Yaos garbled circuit
• Circuit of size O(polylog(n)) size
• Yaos protocol
• Pseudorandom function, OT
• Can be reduced to one-round PIR
• CMO00, BIKM99
• One-round PKS one-round PIR
• One-round Rank one-round PKS

18
Open Problems

• Succinct Computation of
• Branching programs (not length-bounded)
• General circuits
• Reduction to one-round PIR
• Any special functionality
• Decision trees
• Branching programs

19
Thank you!