Chapter 15

Algebraic Approaches to a Network-Type Private Information Retrieval

Vladimir B. Balakirsky and Anahit R. Ghazaryan,    State University of Aerospace Instrumentation, St-Petersburg, Russia

We propose a network-type scheme of private information retrieval, presented as a modification of the conventional setup, where the user is replaced with two users, the user-sender and the user-receiver. As a result of communication, the user-receiver becomes informed about the bit located at a certain position of the database, owned by the servers. Each server receives a query from the user-sender that contains information about the position in a hidden form and the server cannot disclose this position. On the basis of the query and the database, each server forms the replica, which is then transmitted to the user-receiver. By combining replicas, the user-receiver decodes the retrieved bit. We present a simple algebraic scheme where the communication complexity and the computational complexity are expressed as functions of the logarithm of the database size. The approaches allow extensions to the one-server scheme, the multi-scheme with noisy replicas of a fixed number of servers, and the authentication of a certain fragment of the database.

Keywords

privacy; cryptography; networking; encoding; decoding

Information in this chapter

• Information retrieval

• Privacy

• How to form the query

• How to encode the database

• How to decode replicas

Introduction

Private information retrieval schemes are cryptographic protocols designed to safeguard the privacy of database users. They allow clients to retrieve records from public databases while completely hiding the identity of the retrieved records from database owners [1]. One of the earliest references for problems of this sort belongs to Rivest et al. [2]. Formalization of the private retrieval problem, which was studied by many authors, belongs to Chor et al. [3] and a number of surveys are available on the Internet. If the database is owned by one server and information-theoretic privacy is required, then there is no better solution than the trivial one when the server transmits the whole database to the user. However, if constraints on the privacy of the retrieval are relaxed, there are algorithms based on the use of computationally hard problems that have to be solved by the server to discover the data and the use of the so-called one-way hash functions. An implementation of these algorithms is usually time-consuming for the database user. Solutions to the multi-server private information retrieval problem are based on the encoding of the content of the database, as shown by Chor et al. [3]. In particular, Woodruff-Yekhanin [4] proposed solutions that are based on algebraic encoding.

We use the ideas of the Woodruff-Yekhanin scheme and present a simple algebraic solution to a variant of the multi-server private information retrieval problem. Moreover, the database user in our scheme can be split between the user-sender, who sends the query to the servers, and the user-receiver, who decodes the retrieved bit. This network-type organization of information retrieval brings additional possibilities. As the server, which makes the decision associated with the corresponding bits, does not emit energy, its location cannot be discovered. Furthermore, the query is randomized by the user-sender, but parameters of the randomization should not be delivered to the user-receiver, which decodes the retrieved bit without knowledge of the query.

The chapter is organized as follows: In the first section we describe the data processing scheme and discuss its constraints and complexities. In the second section we present algorithmic aspects of the approach, while we discuss their algebraic background in the third sections. Possible extensions of the setup are briefly discussed in the concluding section.

The data processing scheme and statement of the problem

Description of the data processing scheme

We will consider the data processing scheme containing the user-sender, the user-receiver, and image servers. Each server has a binary vector, image, which is interpreted as content of the database. The user-sender chooses an index, image. The user-receiver wants to know the bit image, while servers have to be ignorant about the index image

We fix an integer image and assume that image where image is the function specified later, which is determined by the structure of the image-ary extension of the Galois field image, and design a scheme parameterized by the integers image chosen in such a way that image image and image The user-sender sends a query image formed as a list of image binary image matrices, where the matrix image is constructed by application of a deterministic function of image and a randomly chosen binary matrix image that is, image for all image The image-th server computes the replica, expressed as a binary column vector image of length image by application of a deterministic function of the query and the vector image that is, image for all image The scheme is constructed in such a way that the value of image and the binary vector of length image, obtained by the concatenation of replicas image allows the user-receiver to decode bit image

Constraints on parameters and complexities of the data processing scheme

The communication complexity of the scheme is defined as the total number of bits transmitted over the channels user-sender → servers → user-receiver. As image and image are lengths of the query and the replicas, the communication complexity can be expressed as Comp image We are also interested in the quantity image since image is the number of bits needed to specify the index image when no constraints on privacy of the retrieval are included. The computational complexity is understood as the total number of arithmetic operations performed by the user-sender, the servers, and the user-receiver. As it will follow from the description of the scheme, all operations are reduced to multiplications of binary matrices and their number is linear in image

The approximation image and the approximation to the function image given above, bring image and image Therefore, Comp image where image The numerical illustration of the line

image

where we do not use the approximations, is as follows:

4→(3,4)→0.8→17

6→(9,16)→4.1→63

8→(30,58)→16.5→63

10→(99,196)→57.8→1011

Algorithmic description of the solution

The (n, w)-Encoding of indices and polynomial representation of the database

We assume that image and introduce image as the set of column-vectors whose components, denoted by image belong to the set image and image for all image Let us construct a one-to-one mapping image which will be referred to as the image-encoding. This can be done by the following lexicographic algorithm: (1) Set image for all image output the vector image having components image and the set image (2). For all image find the minimum index image such that image where image, and set image equal to image if image respectively. Output the vector image having components image and the set image

Let image be the image-ary extension of the Galois field image constructed using a primitive polynomial image of degree image and let image be the primitive element defined as the root of the polynomial image that is, image As each element image can be uniquely expressed by a linear combination of the elements image components image of the column-vector image which specifies the binary representation of the element image are determined by the equality

image

Moreover, image implies image and vice versa for all image and image

For any vector image let

image

where image.

Encoding the algorithm

Let the encoding algorithm be organized on the basis of image binary matrices image We also introduce the image binary matrix image, where the vector image is constructed in such a way that the 0-th component is equal to 1 or 0, if image or image respectively. All other components of the vector image are 0s. Let the encoding be defined as image dependent transformations

image

for all image

Constructing the image-th replica to the query

Let the image-th server run the following algorithm: (1) Represent the matrix image by the vector imageimage (2) Compute image and transmit the binary column-vector image to the user-receiver.

Decoding of the bit image by the user-receiver

The user-receiver uses the received replicas and the binary matrix image, determined by the primitive polynomial image, and runs the following algorithm: (1) Construct the binary column-vector image of length image by concatenating column-vectors image (2) Compute the binary column-vector image and output the decision image if image is the all-zero vector and image otherwise.

Implementing the data processing algorithms

The testing program contains the subroutines:

Construct_query: image

Form_replica: image

Decode_bit: image

and it should be organized according to a certain scenario of generating the index image the matrix image and the vector image The subroutines above use the matrices image and image determined by the primitive polynomial image

In the following numerical illustration, we assume that image and use the hex-decimal notation for binary vectors.

Suppose that image is the primitive polynomial, which is used to construct image Then the elements of image are determined by the vector

image

We set image and consider the retrieval of a bit in the binary vector image of length image. If the (4,2)-encoding is organized according to the lexicographic algorithm, then

image

In particular, if image then image and image(0,8,8,0). The columns of the image matrices image are defined as binary representations of four powers of the elements image that is,

image

Suppose that image Then

image

and

image

The 4×4 matrices image are transmitted to the first server, the second server, and the third server, respectively. Having received the matrix image the image-th server forms the vector image image Thus,

image

Let image10001. As image we write image Therefore,

image

The image-th server sends the vector image to the user-receiver, who concatenates the received vectors image and constructs the column-vector image The product of the matrix

image

by the vector image is equal to the all-zero column-vector of length 4. Therefore, the user-receiver decides that image Rules for constructing the decoding matrix image will be specified in the next section.

Algebraic description of the solution

Cyclotomic classes of GF(2m) having the maximum size m

Let image be the vector of the maximum length image whose components image belong to the set image and satisfy the condition image where image Under additional constraint that image is the minimum element of the set image the vector image is uniquely determined, and it is known as the vector specifying leaders of cyclotomic classes or chords of size image We also denote image and image for all image Notice that all coefficients of the polynomial image belong to image For example, if image then image and image

Assigning the encoding matrices

For all image let us introduce the matrix image and let imagebin image for all image For example, if image and image then

image

For a binary column-vector image having components image let

image

where image if image and image if image One can easily see that imagebinimage image are binary representations of the values of the polynomial image at image We also denote image

Representing the algorithm for constructing the bit xi as finding the solution to the two-hypotheses testing problem

Notice that image if image and imageimage if image where

imageimage is the polynomial of degree at most image having the 0-th coefficient equal to 0. The 0-th coefficient of the polynomial image is equal to 1. We force the user-receiver to solve the problem of constructing the bit image on the basis of the values image which is formulated as finding the solution to the two-hypotheses testing problem: imageimage The scheme should be designed in such a way that this problem has a unique solution in the following sense. Suppose that the system consisting of image equations image uniquely specifies the 0-th coefficient of the polynomial image of degree at most image The user-receiver outputs this coefficient as bit image

Let us extend the notation of the previous subsection and denote

image

image

We also introduce image as the vector of length image whose components are different and belong to the set image As image the possible vector is image Let image and binimage be the matrices constructed by the row concatenation of the matrices image and image respectively.

Consider the system of linear equations image or, equivalently, the system

image

where image is a binary column-vector of length image. These systems have a unique solution for image or, equivalently, the image matrix binimage has rank image because there does not exist a polynomial of image having the degree at most image and the 0-th coefficient equal to 0, which is divisible by the product image Let us denote the solution by image and let image Construct the vector binimage and notice that

image

image

Therefore, if image then the matrix image which is used by the user-receiver, can be constructed by the concatenation of the binary identity image matrix and the product of the matrix bin(image) by the inverse matrix for the matrix binimage.

Conclusion

Implementation of the proposed simple data processing scheme, where all operations are reduced to matrix multiplications, can meet practical difficulties, as we require many servers to have the identical database, and all servers should simultaneously carry out any update of the database. However, our algorithms are prepared for extensions and used in the situation when the setup with the user-sender, image servers, and the user-receiver is modified. Here we mention a few extensions:

1. There is a one-server scheme and the server, having received the query, forms the replicas from which he knows the bit transmitted to the user-receiver (actually, the decoding can be assigned to the server in this case). In other words, there is some information leakage in the retrieval. However, if the database contains approximately equal numbers of 0s and 1s, then the knowledge that the index image belongs to the subset of cardinality image image does not seem to be essential. The problem is to find the encoding algorithm, which does not allow further reduction of the ambiguity about the index image by analyzing the query. Algebraic approaches, described for the image-server scheme, can be used to attack this problem.

2. Some of replicas in the scheme with image servers can be incorrect. The case appears when some servers do not update the content of the database. This situation leads to the problem of decoding bit image when at least image replicas are generated by servers having identical databases.

3. The user-receiver wants to know whether a certain fragment of the database coincides with the fixed vector or not. In particular, the user-receiver can be interested in the solution to the problem when the fixed vector is the all-zero vector. A more efficient solution than asking the server(s) about all bits of the fragment can be found in this case.

We believe that the investigations in the directions above should start with the understanding of the approaches for the setup that is presented in this chapter.

Summary

In this chapter, we present simple algebraic solutions to some multi-server private information retrieval problems. Approaches are general, and they are useful for the development of other private information retrieval schemes.

References

1. Yekhanin S. A locally decodable codes and private information retrieval schemes. Foundations and Trends in Theoretical Computer Science. 2011;7(1):1–117.

2. Rivest R, Adelman L, Dertouzos M. On database and privacy homomorphism. Foundations of Secure Computation 1978;168–177.

3. Chor B, Goldreich O, Kushilevitz E, Sudan M. Private information retrieval. Proceedings of the thirty sixth Annual Foundations of Computer Science; 1995. p. 41–50. Also in Journal of the ACM 1998;45: 965–81.

4. Woodruff D, Yekhanin S. A geometric approach to information-theoretic private retrieval. Proceedings of the twentieth IEEE Computational Complexity Conference 2005;275–284.

Deceased

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.189.31.26