On Basing Private Information Retrieval on NP-Hardness Tianren Liu1

Vinod Vaikuntanathan1

1 MIT [email protected], [email protected]

Thirteenth IACR Theory of Cryptography Conference

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

1 / 14

Assumptions and Primitives in Cryptography Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

OWP

OWF Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

2 / 14

Assumptions and Primitives in Cryptography Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

OWP

OWF Avg-NP ⊈ BPP NP ⊈ BPP Can we prove the security of a cryptographic primitive from the minimal assumption NP ⊈ BPP? (Brassard 1979) . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

2 / 14

(Black-box) Security Proofs To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction R s.t. for any oracle A that “breaks the security of X”, RA solves SAT

R

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

3 / 14

(Black-box) Security Proofs To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction R s.t. for any oracle A that “breaks the security of X”, RA solves SAT

A

R

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

3 / 14

(Black-box) Security Proofs To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction R s.t. for any oracle A that “breaks the security of X”, RA solves SAT

A

{ ( ) accepts w.p. ≥ 2/3, x accepts w.p. ≤ 1/3,

if x ∈ SAT if x ∈ / SAT

R

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

3 / 14

(Black-box) Security Proofs To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction R s.t. for any oracle A that “breaks the security of X”, RA solves SAT

A

{ ( ) accepts w.p. ≥ 2/3, x accepts w.p. ≤ 1/3,

if x ∈ SAT if x ∈ / SAT

R Note: Black-box security proof but allow arbitrary construction.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

3 / 14

Impossibility Results Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

No known cryptographic scheme based on NP ⊈ BPP. Several negative results* (Brassard

OWP

1979, . . . )

OWF Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

4 / 14

Impossibility Results Add-Homomorphic Enc

One-way Permutations (Brassard 1979)

Trapdoor Permutation

PIR

Pub-key Enc

CRHF

OWP

OWF Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

4 / 14

Impossibility Results (restricting the primitives) Add-Homomorphic Enc

Homomorphic Encryption∗ (Bogdanov-Lee 2013)

Trapdoor Permutation

PIR

Pub-key Enc

CRHF

One-way Functions∗ OWP

(Akavia-Goldreich-GoldwasserMoshkovitz 2006, Bogdanov-Brzuska 2014)

OWF Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

4 / 14

Impossibility Results (restricting the reductions) Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

Public-key Encryption Scheme, via “smart” reduction (Goldreich-Goldwasser 1998)

OWP

Collision-resistant Hash Functions, via constant-adaptive reduction (Haitner-Mahmoody-Xiao 2009)

OWF Avg-NP ⊈ BPP

Average-case NP, via non-adaptive reduction (Bogdanov-Trevisan 2006)

NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

4 / 14

Our Result: Private Information Retrieval

[CGKS95, KO97]

Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

Theorem (Informal) OWP

OWF Avg-NP ⊈ BPP

Let Π be a single-server one-round PIR scheme. Security of Π can not be based on NP-hardness unless polynomial hierarchy collapses.

NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

5 / 14

Our Result: Private Information Retrieval

[CGKS95, KO97]

Add-Homomorphic Enc Trapdoor Permutation

PIR

Pub-key Enc

CRHF

Theorem (Informal) OWP

OWF Avg-NP ⊈ BPP NP ⊈ BPP

Let Π be a single-server one-round PIR scheme. Security of Π can not be based on NP-hardness unless polynomial hierarchy collapses. Rule out approximately correct PIR. Rule out PIR with communication complexity n − o(n). . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

5 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

6 / 14

Single-server One-round Private Information Retrieval Client Index i ∈ {1, . . . , n}

One Server Data x ∈ {0, 1}n

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answer

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answer Correctness: The client learns xi

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answer Correctness: The client learns xi (W.p. 1 − ε.)

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answer Correctness: The client learns xi (W.p. 1 − ε.)

Privacy: The server learn nothing about i

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Single-server One-round Private Information Retrieval Client

One Server

Index i ∈ {1, . . . , n} Client send a query

Data x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answer Correctness: The client learns xi (W.p. 1 − ε.)

Privacy: The server learn nothing about i

An Oracle Breaking Single-server One-round PIR Given a query q, guess the index with probability > 1/n + 1/ poly.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

7 / 14

Break PIR with SZK oracle (Lemma 1) Client Index i ∈ {1, . . . , n} Generate a query

q

−−−−−−−−→

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) is big∗ .

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) is big∗ . Proof: Correctness.

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) = 1 assuming perfect correctness Proof: Correctness.

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) = 1 assuming perfect correctness Proof: Correctness. ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) = 1 assuming perfect correctness Proof: Correctness. ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|. Proof: As x1 , . . . , xn are independent.

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Break PIR with SZK oracle (Lemma 1) Client

Server

Index i ∈ {1, . . . , n} Generate a query

Random x ∈ {0, 1}n q

−−−−−−−−→ a

←−−−−−−−− Server answers Claim 1: I(xi ; a) = 1 assuming perfect correctness Proof: Correctness. ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|. Proof: As x1 , . . . , xn are independent. ∑ Corollary: nj=1 I(xj ; a) is small.

∗

The randomness is from x and from the proceduce generating the answer. . . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

8 / 14

Idea: Reduce Breaking PIR to Estimating Entropy Given a query q, guess the index

Claim 1: I(xi ; a) = 1 assuming perfect correctness ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

9 / 14

Idea: Reduce Breaking PIR to Estimating Entropy Given a query q, guess the index Emulate how the server answer q when x ∈ {0, 1}n is random Estimate I(xj ; a) for each j ∈ {1, . . . , n} using SZK oracle (on next slide)

Claim 1: I(xi ; a) = 1 assuming perfect correctness ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

9 / 14

Idea: Reduce Breaking PIR to Estimating Entropy Given a query q, guess the index Emulate how the server answer q when x ∈ {0, 1}n is random Estimate I(xj ; a) for each j ∈ {1, . . . , n} using SZK oracle (on next slide) I(xi′ ; a) Output a random i′ w.p. ∑n j=1 I(xj ; a)

Claim 1: I(xi ; a) = 1 assuming perfect correctness ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

9 / 14

Idea: Reduce Breaking PIR to Estimating Entropy Given a query q, guess the index Emulate how the server answer q when x ∈ {0, 1}n is random Estimate I(xj ; a) for each j ∈ {1, . . . , n} using SZK oracle (on next slide) I(xi′ ; a) Output a random i′ w.p. ∑n j=1 I(xj ; a) Guess correctly w.p. ≥

1 |a|

Claim 1: I(xi ; a) = 1 assuming perfect correctness ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

9 / 14

Idea: Reduce Breaking PIR to Estimating Entropy Given a query q, guess the index Emulate how the server answer q when x ∈ {0, 1}n is random Estimate I(xj ; a) for each j ∈ {1, . . . , n} using SZK oracle (on next slide) I(xi′ ; a) Output a random i′ w.p. ∑n j=1 I(xj ; a) Guess correctly w.p. ≥

1 − h(ε) |a|

Claim 1: Eq [I(xi ; a)] ≥ 1 − h(ε) assuming correctness w.h.p. ∑ Claim 2: nj=1 I(xj ; a) ≤ H(a) ≤ |a|.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

9 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

Server data x, random tape

Client i, index q a

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

Server data x, random tape

Client i, index q a

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Mutual Information and SZK Mutual information I(xi ; a) = H(xi ) + H(a) − H(xi , a) = H(xi ) − H(xi |a) Entropy Approximation is in SZK: Given a circuit generating a distribution D, and h 1 To distinguish between H(D) ≥ h + poly and H(D) ≤ h −

1 poly

Can estimate entropy given an SZK oracle

Server data x, random tape

Client i, index q, fixed a

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

10 / 14

Recall Proof Overview Lemma 1 (Single-server one-round) PIR can be broken with an SZK oracle Lemma 2 Language L ∈ BPPSZK =⇒ L ∈ AM ∩ coAM (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM. Lemma 3 NP ̸⊆ coAM unless polynomial hierarchy collapses (Boppana, H˚ astad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

11 / 14

Open problem: Multiple-round Multiple-round PIR

One-round PIR

Could we rule out multiple-round PIR?

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

12 / 14

Open problem: Multiple-round Multiple-round PIR

One-round PIR

Could we rule out multiple-round PIR? Server x, data

Client i, index random tape

random tape

q a

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

12 / 14

Open problem: Multiple-round Multiple-round PIR Could we rule out multiple-round PIR?

One-round PIR Given the view of server, it’s easy to generate another view. Server x, data

Client i, index random tape

random tape

q a

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

12 / 14

Open problem: Multiple-round Multiple-round PIR

One-round PIR

Could we rule out multiple-round PIR?

Given the view of server, it’s easy to generate another view.

Server x, data

Client i, index random tape

random tape

m1 m2 m3

random tape

random tape

q a1

a

a2 a3

. . .

Tianren, Vinod (MIT)

Server x, data

Client i, index

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

12 / 14

Open problem: CRHF Add-Homomorphic Enc

(This work)

Trapdoor Permutation Pub-key Enc

PIR

PIR CRHF

One-way Permutations OWP

(Brassard 1979)

OWF Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

13 / 14

Open problem: CRHF Add-Homomorphic Enc

(This work)

Trapdoor Permutation Pub-key Enc

PIR

PIR CRHF

One-way Permutations OWP

OWF

(Brassard 1979)

Could we rule out reduction from SAT to finding collisions? (TCC 2017?)

Avg-NP ⊈ BPP NP ⊈ BPP

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

13 / 14

Thank you!

. . .

Tianren, Vinod (MIT)

Basing PIR on NP-Hardness

. . . . . . . . . . . . . . . . . . . . . . . . . . . .

TCC 2016-A

. .

.

. . . . . .

14 / 14