On Basing Private Information Retrieval on NP-Hardness

Tianren Liu, Vinod Vaikuntanathan (MIT)

Thirteenth IACR Theory of Cryptography Conference (TCC 2016-A)

Assumptions and Primitives in Cryptography

[Diagram of primitives and assumptions: Add-Homomorphic Enc, Trapdoor Permutation, PIR, Pub-key Enc, CRHF, OWP, OWF, Avg-NP ⊈ BPP, NP ⊈ BPP]

Can we prove the security of a cryptographic primitive from the minimal assumption NP ⊈ BPP? (Brassard 1979)

(Black-box) Security Proofs

To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction $R$ s.t. for any oracle $A$ that “breaks the security of X”, $R^A$ solves SAT:

$$R^A(x) \begin{cases} \text{accepts w.p. } \ge 2/3, & \text{if } x \in \mathrm{SAT} \\ \text{accepts w.p. } \le 1/3, & \text{if } x \notin \mathrm{SAT} \end{cases}$$

Note: the security proof is black-box, but the construction is allowed to be arbitrary.

Impossibility Results

No known cryptographic scheme based on NP ⊈ BPP. Several negative results* (Brassard 1979, . . . )

[Diagram of primitives and assumptions, annotated with the results below]

One-way Permutations (Brassard 1979)

Impossibility Results (restricting the primitives)
Homomorphic Encryption* (Bogdanov-Lee 2013)
One-way Functions* (Akavia-Goldreich-Goldwasser-Moshkovitz 2006, Bogdanov-Brzuska 2014)

Impossibility Results (restricting the reductions)
Public-key Encryption Scheme, via “smart” reduction (Goldreich-Goldwasser 1998)
Collision-resistant Hash Functions, via constant-adaptive reduction (Haitner-Mahmoody-Xiao 2009)
Average-case NP, via non-adaptive reduction (Bogdanov-Trevisan 2006)

Our Result: Private Information Retrieval [CGKS95, KO97]

[Diagram of primitives and assumptions, with PIR highlighted]

Theorem (Informal)
Let Π be a single-server one-round PIR scheme. Security of Π cannot be based on NP-hardness unless the polynomial hierarchy collapses.

The result also rules out approximately correct PIR.
The result also rules out PIR with communication complexity $n - o(n)$.

Proof Overview

Lemma 1: (Single-server one-round) PIR can be broken with an SZK oracle.

Lemma 2: Language $L \in \mathrm{BPP}^{\mathrm{SZK}} \implies L \in \mathrm{AM} \cap \mathrm{coAM}$ (Mahmoody & Xiao, 2010).

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM.

Lemma 3: NP ⊈ coAM unless polynomial hierarchy collapses (Boppana, Håstad & Zachos, 1987).

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

Single-server One-round Private Information Retrieval

Client: index $i \in \{1, \dots, n\}$
One server: data $x \in \{0,1\}^n$

Client → Server: the client sends a query $q$
Server → Client: the server answers $a$

Correctness: The client learns $x_i$ (w.p. $1 - \varepsilon$).
Privacy: The server learns nothing about $i$.

An Oracle Breaking Single-server One-round PIR
Given a query $q$, guess the index with probability $> 1/n + 1/\mathrm{poly}$.

Break PIR with SZK oracle (Lemma 1)

Client: index $i \in \{1, \dots, n\}$, generates a query $q$
Server: random $x \in \{0,1\}^n$

Client → Server: query $q$
Server → Client: the server answers $a$

Claim 1: $I(x_i; a)$ is big*. $I(x_i; a) = 1$ assuming perfect correctness.
Proof: Correctness.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$.
Proof: As $x_1, \dots, x_n$ are independent.

Corollary: $\sum_{j=1}^{n} I(x_j; a)$ is small.

* The randomness is from $x$ and from the procedure generating the answer.

Idea: Reduce Breaking PIR to Estimating Entropy

Given a query $q$, guess the index:
Emulate how the server answers $q$ when $x \in \{0,1\}^n$ is random.
Estimate $I(x_j; a)$ for each $j \in \{1, \dots, n\}$ using the SZK oracle (on next slide).
Output a random $i'$ w.p. $\dfrac{I(x_{i'}; a)}{\sum_{j=1}^{n} I(x_j; a)}$.
Guess correctly w.p. $\ge \dfrac{1}{|a|}$ assuming perfect correctness, and w.p. $\ge \dfrac{1 - h(\varepsilon)}{|a|}$ assuming correctness w.h.p.

Claim 1: $I(x_i; a) = 1$ assuming perfect correctness; $\mathbb{E}_q[I(x_i; a)] \ge 1 - h(\varepsilon)$ assuming correctness w.h.p.
Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$.

Mutual Information and SZK

Mutual information: $I(x_i; a) = H(x_i) + H(a) - H(x_i, a) = H(x_i) - H(x_i \mid a)$

Entropy Approximation is in SZK: given a circuit generating a distribution $D$, and $h$, distinguish between $H(D) \ge h + \frac{1}{\mathrm{poly}}$ and $H(D) \le h - \frac{1}{\mathrm{poly}}$.

Can estimate entropy given an SZK oracle.

[Diagram: server (data x, random tape); client (index i); query q, fixed; answer a]

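The index-guessing procedure from the two slides above, worked through on a toy scheme; this is an added example, not code from the talk or the paper. It assumes a constructed linear scheme (the server returns parities of x, and the client's rows XOR to the unit vector for index i) and replaces the SZK oracle with exact enumeration over all x, which is only feasible because n is tiny. The names `Q_PLAIN`, `Q_DECOY` and `SECRET_ROWS` are hypothetical.

```python
import math
from collections import Counter

N = 6            # database length n; indices are 0-based here (slides use 1..n)
TRUE_INDEX = 2   # the client's secret index i (constructed)

# Constructed queries for a toy linear scheme (an assumption, not from the talk):
# each row is a bitmask over x, and the rows XOR together to the unit vector e_i.
Q_PLAIN = [0b110101, 0b010011, 0b100010]   # row space contains only e_2
Q_DECOY = [0b000101, 0b100100, 0b100101]   # row space contains e_0, e_2, e_5
SECRET_ROWS = (0, 1, 2)                    # rows the client XORs; kept private

def answer(query, x):
    """Server: one parity bit of x per query row, so |a| = len(query) < n."""
    return tuple(bin(row & x).count("1") & 1 for row in query)

def decode(secret_rows, a):
    """Client: XOR of the answer bits whose rows sum to e_i gives x_i."""
    return sum(a[r] for r in secret_rows) & 1

def is_correct(query, secret_rows, i, n=N):
    """Perfect correctness: the client recovers x_i for every database x."""
    return all(decode(secret_rows, answer(query, x)) == (x >> i) & 1
               for x in range(2 ** n))

def entropy(counts, total):
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def mutual_information(query, j, n=N):
    """I(x_j; a) = H(x_j) + H(a) - H(x_j, a) for uniform x, by enumeration.
    The enumeration stands in for the SZK entropy-approximation oracle."""
    bit, ans, joint = Counter(), Counter(), Counter()
    for x in range(2 ** n):
        a, b = answer(query, x), (x >> j) & 1
        bit[b] += 1
        ans[a] += 1
        joint[(b, a)] += 1
    total = 2 ** n
    return entropy(bit, total) + entropy(ans, total) - entropy(joint, total)

def guess_distribution(query, n=N):
    """Probability of outputting each index i', proportional to I(x_i'; a),
    together with the sum of I(x_j; a) that Claim 2 bounds by |a|."""
    info = [max(0.0, mutual_information(query, j, n)) for j in range(n)]
    total = sum(info)
    if total == 0:
        raise ValueError("answer carries no information about any bit")
    return [v / total for v in info], total

if __name__ == "__main__":
    for name, q in (("plain", Q_PLAIN), ("decoy", Q_DECOY)):
        dist, total = guess_distribution(q)
        print(name, "correct:", is_correct(q, SECRET_ROWS, TRUE_INDEX),
              "sum I =", round(total, 3), "<= |a| =", len(q),
              "Pr[guess = i] =", round(dist[TRUE_INDEX], 3))
```

With decoys the client hides i among |a| candidates, so the guess succeeds with probability exactly 1/|a|, matching the bound on the slide; without decoys the query pins down i outright.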
Recall Proof Overview

Lemma 1: (Single-server one-round) PIR can be broken with an SZK oracle.

Lemma 2: Language $L \in \mathrm{BPP}^{\mathrm{SZK}} \implies L \in \mathrm{AM} \cap \mathrm{coAM}$ (Mahmoody & Xiao, 2010).

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM.

Lemma 3: NP ⊈ coAM unless polynomial hierarchy collapses (Boppana, Håstad & Zachos, 1987).

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

Open problem: Multiple-round

Could we rule out multiple-round PIR?

One-round PIR: Given the view of server, it’s easy to generate another view.
[Diagram, one-round PIR: server (data x, random tape) and client (index i, random tape); query q, answer a]

Multiple-round PIR
[Diagram, multiple-round PIR: server (data x, random tape) and client (index i, random tape); messages m1, m2, m3 and answers a1, a2, a3]

Open problem: CRHF

[Diagram of primitives and assumptions, annotated: PIR (This work); One-way Permutations (Brassard 1979)]

Could we rule out reduction from SAT to finding collisions? (TCC 2017?)

Thank you!