On Basing Private Information Retrieval on NP-Hardness

Tianren Liu, Vinod Vaikuntanathan

MIT

Thirteenth IACR Theory of Cryptography Conference


Tianren, Vinod (MIT)

Basing PIR on NP-Hardness


TCC 2016-A


Assumptions and Primitives in Cryptography

[Diagram of assumptions and primitives: Add-Homomorphic Enc, Trapdoor Permutation, PIR, Pub-key Enc, CRHF, OWP, OWF, Avg-NP ⊈ BPP, NP ⊈ BPP]

Can we prove the security of a cryptographic primitive from the minimal assumption NP ⊈ BPP? (Brassard 1979)

(Black-box) Security Proofs

To prove the security of X based on NP ⊈ BPP, find a (p.p.t.) reduction R s.t. for any oracle A that “breaks the security of X”, $R^A$ solves SAT:

$$R^A(x) \begin{cases} \text{accepts w.p. } \ge 2/3, & \text{if } x \in \mathrm{SAT} \\ \text{accepts w.p. } \le 1/3, & \text{if } x \notin \mathrm{SAT} \end{cases}$$

Note: Black-box security proof but allow arbitrary construction.

Impossibility Results

No known cryptographic scheme based on NP ⊈ BPP. Several negative results* (Brassard 1979, . . . )

[Diagram of assumptions and primitives]

Impossibility Results

One-way Permutations (Brassard 1979)

[Diagram of assumptions and primitives]

Impossibility Results (restricting the primitives)

Homomorphic Encryption∗ (Bogdanov-Lee 2013)

One-way Functions∗ (Akavia-Goldreich-Goldwasser-Moshkovitz 2006, Bogdanov-Brzuska 2014)

[Diagram of assumptions and primitives]

Impossibility Results (restricting the reductions)

Public-key Encryption Scheme, via “smart” reduction (Goldreich-Goldwasser 1998)

Collision-resistant Hash Functions, via constant-adaptive reduction (Haitner-Mahmoody-Xiao 2009)

Average-case NP, via non-adaptive reduction (Bogdanov-Trevisan 2006)

[Diagram of assumptions and primitives]

Our Result: Private Information Retrieval [CGKS95, KO97]

Theorem (Informal): Let Π be a single-server one-round PIR scheme. Security of Π cannot be based on NP-hardness unless the polynomial hierarchy collapses.

Rule out approximately correct PIR.

Rule out PIR with communication complexity n − o(n).

[Diagram of assumptions and primitives]

Proof Overview

Lemma 1: (Single-server one-round) PIR can be broken with an SZK oracle.

Lemma 2: Language $L \in \mathrm{BPP}^{\mathrm{SZK}} \implies L \in \mathrm{AM} \cap \mathrm{coAM}$ (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM.

Lemma 3: NP ⊈ coAM unless polynomial hierarchy collapses (Boppana, Håstad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

Single-server One-round Private Information Retrieval

Client: index $i \in \{1, \dots, n\}$

One server: data $x \in \{0,1\}^n$

Client → Server: the client sends a query $q$

Server → Client: the server answers $a$

Correctness: The client learns $x_i$ (w.p. $1 - \varepsilon$).

Privacy: The server learns nothing about $i$.

An Oracle Breaking Single-server One-round PIR: Given a query $q$, guess the index with probability > 1/n + 1/poly.

Break PIR with SZK oracle (Lemma 1)

Client: index $i \in \{1, \dots, n\}$; generates a query $q$

Server: random $x \in \{0,1\}^n$; answers $a$

Claim 1: $I(x_i; a) = 1$ assuming perfect correctness. Proof: Correctness.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$. Proof: As $x_1, \dots, x_n$ are independent.

Corollary: $\sum_{j=1}^{n} I(x_j; a)$ is small.

The randomness is from $x$ and from the procedure generating the answer.

Idea: Reduce Breaking PIR to Estimating Entropy

Given a query $q$, guess the index:

Emulate how the server answers $q$ when $x \in \{0,1\}^n$ is random.

Estimate $I(x_j; a)$ for each $j \in \{1, \dots, n\}$ using SZK oracle (on next slide).

Output a random $i'$ w.p. $\dfrac{I(x_{i'}; a)}{\sum_{j=1}^{n} I(x_j; a)}$.

Guess correctly w.p. $\ge \dfrac{1}{|a|}$ assuming perfect correctness, and w.p. $\ge \dfrac{1 - h(\varepsilon)}{|a|}$ assuming correctness w.h.p.

Claim 1: $I(x_i; a) = 1$ assuming perfect correctness; $\mathbb{E}_q[I(x_i; a)] \ge 1 - h(\varepsilon)$ assuming correctness w.h.p.

Claim 2: $\sum_{j=1}^{n} I(x_j; a) \le H(a) \le |a|$.

Mutual Information and SZK

Mutual information: $I(x_i; a) = H(x_i) + H(a) - H(x_i, a) = H(x_i) - H(x_i \mid a)$

Entropy Approximation is in SZK: Given a circuit generating a distribution $D$, and $h$, to distinguish between $H(D) \ge h + \frac{1}{\mathrm{poly}}$ and $H(D) \le h - \frac{1}{\mathrm{poly}}$.

Can estimate entropy given an SZK oracle.

[Diagram: server (data x, random tape), client (index i), query q (fixed), answer a]
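
The index-guessing procedure from the "Reduce Breaking PIR to Estimating Entropy" slide and the mutual-information formula above, carried through on a tiny scheme. This is an added example, not code from the talk: the matrix-layout toy scheme and all function names are assumptions made for illustration, and exhaustive enumeration of x stands in for the SZK entropy oracle.

```python
import itertools
import math
import random
from collections import Counter

# Constructed toy scheme (not from the talk): the database is a ROWS x COLS bit
# matrix, the query names a column, and the answer is that column, so |a| = ROWS.
ROWS, COLS = 3, 4
N = ROWS * COLS


def client_query(i):
    """Query for 0-based index i. A real scheme would hide this computationally."""
    return i % COLS


def server_answer(q, x):
    """Deterministic one-round server: the ROWS bits of column q."""
    return tuple(x[r * COLS + q] for r in range(ROWS))


def client_decode(i, a):
    """Perfect correctness: the client reads x_i out of the answer."""
    return a[i // COLS]


def entropy(counts, total):
    """Shannon entropy in bits of the distribution counts/total."""
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def mutual_informations(q):
    """Return ([I(x_j; a) for each j], H(a)) for uniform x and fixed q.

    Only black-box calls to server_answer are used; q is never parsed.
    Exhaustive enumeration of x plays the role of the SZK entropy oracle.
    """
    answers = Counter()
    joint = [Counter() for _ in range(N)]
    for x in itertools.product((0, 1), repeat=N):
        a = server_answer(q, x)
        answers[a] += 1
        for j in range(N):
            joint[j][(x[j], a)] += 1
    total = 2 ** N
    h_a = entropy(answers, total)
    # I(x_j; a) = H(x_j) + H(a) - H(x_j, a), and H(x_j) = 1 for a uniform bit.
    mi = [max(0.0, 1.0 + h_a - entropy(joint[j], total)) for j in range(N)]
    return mi, h_a


def guess_distribution(q):
    """Probability of outputting each i': I(x_i'; a) / sum_j I(x_j; a)."""
    mi, _ = mutual_informations(q)
    s = sum(mi)
    return [m / s for m in mi]


def guess_index(q, rng=random):
    """Sample the guess i' from guess_distribution(q)."""
    return rng.choices(range(N), weights=guess_distribution(q))[0]


def success_probability(i):
    """Chance that the guess equals the client's real index i."""
    return guess_distribution(client_query(i))[i]


if __name__ == "__main__":
    mi, h_a = mutual_informations(client_query(6))
    print("I(x_j; a):", [round(m, 3) for m in mi], "H(a) =", h_a)
    print("success:", success_probability(6), "vs blind guess", 1 / N)
```

With n = 12 and |a| = 3, the guess succeeds with probability 1/|a| = 1/3 against a blind-guess baseline of 1/n = 1/12, which is the gap the lemma exploits whenever the answer is shorter than the database.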

Recall Proof Overview

Lemma 1: (Single-server one-round) PIR can be broken with an SZK oracle.

Lemma 2: Language $L \in \mathrm{BPP}^{\mathrm{SZK}} \implies L \in \mathrm{AM} \cap \mathrm{coAM}$ (Mahmoody & Xiao, 2010)

Thus: if there is a reduction from SAT to breaking PIR, then SAT ∈ AM ∩ coAM.

Lemma 3: NP ⊈ coAM unless polynomial hierarchy collapses (Boppana, Håstad & Zachos, 1987)

Thus: if there is a reduction from SAT to breaking PIR, then polynomial hierarchy collapses.

Open problem: Multiple-round

Could we rule out multiple-round PIR?

Given the view of server, it’s easy to generate another view.

[Diagram, One-round PIR: server (data x, random tape), client (index i, random tape), messages q, a]

[Diagram, Multiple-round PIR: server (data x, random tape), client (index i, random tape), messages m1, m2, m3, a1, a2, a3]

Open problem: CRHF

PIR (This work)

One-way Permutations (Brassard 1979)

Could we rule out reduction from SAT to finding collisions? (TCC 2017?)

[Diagram of assumptions and primitives]

Thank you!
