Научная статья на тему 'Сomputationally efficient private information retrieval protocol'

Сomputationally efficient private information retrieval protocol Текст научной статьи по специальности «Компьютерные и информационные науки»

CC BY
118
29
i Надоели баннеры? Вы всегда можете отключить рекламу.
Ключевые слова
ПРОТОКОЛ КОНФИДЕНЦИАЛЬНОГО ИЗВЛЕЧЕНИЯ ИНФОРМАЦИИ / PRIVATE INFORMATION RETRIEVAL PROTOCOL / ИНТЕРПОЛЯЦИЯ ПОЛИНОМОВ / POLYNOMIAL INTERPOLATION / ЛАГРАНЖ / LAGRANGE / ОРБИТЫ ДЕЙСТВИЯ ГРУПП ГАЛУА КОНЕЧНЫХ РАСШИРЕНИЙ ПОЛЯ / GALOIS GROUP COSETS OVER THE FINITE FIELDS / ЛОКАЛЬНО-ДЕКОДИРУЕМЫЕ КОДЫ / LOCALLY DECODABLE CODES

Аннотация научной статьи по компьютерным и информационным наукам, автор научной работы — Afanasyeva A.V., Bezzateev S.V.

This paper describes a new computationally efficient private information retrieval protocol for one q-ary symbol retrieving. The main advantage of the proposed solution lies in a low computational complexity of information extraction procedure, as well as the constructive simplicity and flexibility in choosing the system parameters. Such results are based on cosets properties. The proposed protocol has communication complexity slightly worse than the best schemes at the moment, which is based on locally decodable codes, but it can be easily built for any parameters of the system, as opposed to codes. In comparison with similar solutions based on polynomials, the proposed method gains in computational complexity, which is important especially for servers which must service multiple requests from multiple users.

i Надоели баннеры? Вы всегда можете отключить рекламу.
iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.
i Надоели баннеры? Вы всегда можете отключить рекламу.

Текст научной работы на тему «Сomputationally efficient private information retrieval protocol»

НАУЧНО-ТЕХНИЧЕСКИМ ВЕСТНИК ИНФОРМАЦИОННЫХ ТЕХНОЛОГИИ, МЕХАНИКИ И ОПТИКИ март-апрель 2016 Том 16 № 2 ISSN 2226-1494 http://ntv.i1mo.ru/

SCIENTIFIC AND TECHNICAL JOURNAL OF INFORMATION TECHNOLOGIES, MECHANICS AND OPTICS March-April 2016 Vol. 16 No 2 ISSN 2226-1494 http://ntv.i1mo.ru/en

COMPUTATIONALLY EFFICIENT PRIVATE INFORMATION RETRIEVAL

PROTOa COL a

A.V. Afanasyevaa, S.V. Bezzateeva

a Saint Petersburg State University of Aerospace Instrumentation, Saint Petersburg, 190000, Russian Federation Corresponding author: [email protected]

Article info

Received 23.11.15, accepted 26.01.16 doi: 10.17586/2226-1494-2016-16-2-290-294 Article in English

For citation: Afanasyeva A.V., Bezzateev S.V. Computationally efficient private information retrieval protocol. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2016, vol. 16, no. 2, pp. 290-294, doi:10.17586/2226-1494-2016-16-2-290-294

Abstract

This paper describes a new computationally efficient private information retrieval protocol for one q-ary symbol retrieving. The main advantage of the proposed solution lies in a low computational complexity of information extraction procedure, as well as the constructive simplicity and flexibility in choosing the system parameters. Such results are based on cosets properties. The proposed protocol has communication complexity slightly worse than the best schemes at the moment, which is based on locally decodable codes, but it can be easily built for any parameters of the system, as opposed to codes. In comparison with similar solutions based on polynomials, the proposed method gains in computational complexity, which is important especially for servers which must service multiple requests from multiple users. Keywords

private information retrieval protocol, polynomial interpolation, Galois group cosets over the finite fields, Lagrange, locally decodable codes

УДК 004.056.5

ВЫЧИСЛИТЕЛЬНО-ЭФФЕКТИВНЫЙ ПРОТОКОЛ КОНФИДЕНЦИАЛЬНОГО

ИЗВЛЕЧЕНИЯ ИНФОРМАЦИИ А.В. Афанасьева11, С.В. Беззатеев11

a Санкт-Петербургский государственный университет аэрокосмического приборостроения, Санкт-Петербург, 190000, Российская Федерация

Адрес для переписки: [email protected] [email protected]

Информация о статье

Поступила в редакцию 23.11.15, принята к печати 26.01.16

doi:10.17586/2226-1494-2016-16-2-

Язык статьи - английский

Ссылка для цитирования: Афанасьева А.В., Беззатеев С.В. Вычислительно-эффективный протокол конфиденциального извлечения информации // Научно-технический вестник информационных технологий, механики и оптики. 2016. Т. 16. № 2. С. 290-294. doi:10.17586/2226-1494-2016-16-2-290-294

Аннотация

Предложен новый вычислительно-эффективный протокол конфиденциального извлечения информации из удаленной базы данных. Основное достоинство предлагаемого решения состоит в низкой вычислительной сложности процедуры извлечения информации, а также в конструктивной простоте и гибкости выбора параметров системы. Результаты получены благодаря использованию свойств орбит действия групп Галуа конечных расширений поля GF(q). Наилучшим существующим на данный момент кодовым решениям схема уступает по коммуникационной сложности незначительно, но при этом имеет конструктивную процедуру построения для любых допустимых параметров. По сравнению с существующими решениями, основанными на свойствах полиномов, предложенный протокол имеет меньшую вычислительную сложность, что, безусловно, является важным фактором для серверной части, которая должна обслуживать множественные заявки. Ключевые слова

протокол конфиденциального извлечения информации, интерполяция полиномов, Лагранж, орбиты действия групп Галуа конечных расширений поля, локально-декодируемые коды

Introduction

The private information retrieval (PIR) concept was proposed by Chor, Goldreich, Kushilevitz and Sudan [1]. Authors were the first who has considered the problem of anonymity between data owner and data consumer, from the point of view of the user's security. They formalize the following problem: user would like receive some data from database without revealing its interest to database owner. More formal the problem could be presented in a following way: server holds N-bit string X, a user wishes to retrieve xt and keeps i private, without requesting all N-bits.

Complexity of PIR schemes includes two components: computation complexity is presented by a server's costs for calculating answer on the user's query by whole database; and communication complexity is presented by network overhead including lengths of queries and answers. Existing Schemes

All known PIR protocols realization can be divided into two classes: single-server protocols (see [2-10]) and multi-servers ones (see [11-14]).

Single-server solutions have two main advantages: they do not require replication of the original database, and among them there are solutions with the lowest known communication complexity at the moment. However, they also have several disadvantages: for all these systems, security is based on the assumptions of the computational hardness of some problems; in addition, communicatively effective solutions have high computational complexity of both server and client side, which greatly reduces their practical applicability, as they either require the use of expensive hardware or time-consuming.

The multi-server systems can be divided into two classes: the first is based on the arithmetic of polynomials, and the second - on locally decodable codes. Multi-servers PIRs have the following advantages: they can be proved as information-theoretic secure, they have low computational complexity (both on the client and on the server side), that is essential for practical implementation. Minimum known communication complexity provides an approach based on locally decodable codes (LDC), but at the moment there is no constructive algorithm for generating such codes with arbitrary parameters.

By estimating asymptotic behavior of communication complexities it could be concluded that PIRs from matching vectors codes are the most efficient construction, but there is no constructive procedure generating code for any parameters. There are only some examples of codes, and proof of existence, but the only known approach of code's construction is the exhaustive search. The main goal of proposed solution is to minimize calculation complexity without significant lost in communication complexity. The main advantage of proposed approach is constructive procedure for scheme with any parameters. There is description of this procedure in next section by the Initialization Stage.

Description of new private information retrieving protocol

The proposed PIR is described according to standard scheme stages. Stage 1. Initialization

An element Uj is associated with every y'-th position j £ {1,2, ...,n} of data vector X = {xux2,,xn} that is Uy treated as a vector of Hamming weight w and length I:

j ^ Uj = (u^0),uj(1).....uj(l~1)), uj0 £ {0,1} c GF(q),wt(Uj) = w, (¡J > n.

Set r = w + 1, where r is the number of servers from which we can obtain responds.

(0) (1) (l-l) u • u • u •

As in previous works [11, 12] each vector u, is mapped to monomial m.j = zQJ z±' .

Now the database can be described in the following way:

X ^ F(z0, Zl.....zl_1) = xjmj = E"=i Xj nd V . (1)

The last selected characteristic on this stage is field extension GF(qm). The value of variable m depends on r and should satisfy the inequality:

(w + 1)m < |{a £ GF(qm)IGF(q)(a) = GF(qm)}\.

For each server 5j the element a . £ GF(qm) should be choosen in such a way that provide its own coset Oi = {a flk = 0,...,m-1}.

Pre-calculate Lagrange coefficients |X01, X01,..., X0( for interpolation of polynomial

F( j ): deg(F( j )) < wm in a point x = 0 by standrd Lagrange formulas.

Stage 2. Query generation

A random matrix C of the size m x I over Zq is generated to retrieve y'-th q-ary block Xj (1). This matrix is common for all servers. The query for each server 5j is formed by using this matrix C. The following steps should be done:

1. To generate basis Bt for server 5j by using element at:

B,. =[a,., a,2, a3,..., am ].

2. To construct matrix Uj for binary vector u7- = ('uj0\uj1\...,u<jl~x)), which is the mapping of requested position j.

Uj = [u f a0, u f a0,..., u j ^ a0 ].

If an element a0 e GF(qm) of Galois field GF(qm) is presented as a column of size m from GF(q). And if

we use the basis of GF(qm) over GF(q) with first element 1. We receive the following matrix:

Uj =

u f> u f ... uj 0 0 ... 0

0 0 ... 0

3. Now we can calculate the request matrix by the formula:

R, =UJ+B,C.

The resulting request matrix R, can be expressed as a vector of the length I over GF(qm) in a following

way:

m m m

R, = uf a0 +X c„af, uf a0 + £ ^ af, ... , u™ a0 c„a

_ k=1 k=1 k=1

where ckj is an element of k-th row and y'-th column of matrix C .

Query is sent to corresponding server. Stage 3. Computation of server response

Each server S£ calculates the value of the function Fx(z0,.,zi_1) at the point R, = (ril,.,ra) and returns to a user the result as an element of GF(qm). Stage 4. Bit retrieving

The responding results that are received from the servers are the values of polynomial F(y) points (a1( a2,, aw+i) are used for the reconstruction of the polynomial F(y): deg(F(y)) < wm , and unknown values of the polynomial required for the Lagrange interpolation procedure are calculated considering the polynomial properties in GF(2m) field with the equation F(x2) = (F(x))2.Thus, for each received value F(Rh) additional m-1 values are calculated at different additional points that are the elements of corresponding coset Ch and the requested bit xt = F(0) is calculated by the Lagrange interpolation procedure using precalculated Lagrange coefficients {Xo1( X02,, Xo(wm+1)}.

User receives w + 1 values of function F(Ri), i = 1, ...,w + 1 in different points from w + 1 Servers. As all elements of request vector R, are functions of a,. then user can consider received values not as values of function F(z0, z1,..., zl_i) of I variables, but as values of function F(x) of one variable over the field GF(q) in a point x = a,..

The user can calculate additional values of the function F(x) in (m - 1)(w + 1) different points by using cosets Oi,i = 1, ...,w + 1 properties. User calculates the points by the following formulas:

F( a 1) = (F( a .))«,£( a f) = (F( a ,))«2.....F( a f"1) = (F( a ,))^m~1.

As a total resulting m(w + 1) values of the polynomial F(x) at different points could be received.

The value F(0) could be interpolated by Lagrange polynomial using this values. The value F(0) is equal to retrieving block Xj.

Competitive analysis

For competitive comparison of proposed scheme with existing solution all significant parameters are presented in the table. All results for competitive solutions are taken from original papers. The parameters for our scheme can be easily evaluated from the description.

It is possible to conclude from this table, that proposed solution has better computation complexity then Woodruff-Jekhanin scheme and congruent quantity of communication complexity.

The best communication complexity has Matching vectors based scheme. To compare both schemes lets estimate

Nr

2 e10^)1/2 (logiogw) i-1/2

for the case r = 3. This limit equals to +œ that shows that in asymptotic the nominator grows faster then denominator. So, the comparison of both schemes shows that in asymptotic communication complexity of our solution grows faster then one of Matching vectors. But non asymptotic comparison of communication overhead shows that LDC based approach is better from DB sizes starting from 2S0 bits.

Parameters Woodruff-Jekhanin Scheme [12] Matching vectors approach [11] r = 3- r2t~2 Our solution

Communication complexity 0(r2log2rN1/(2r~1)) 2 (logN) 1/c(loglogW) 1~1/t O(Nr)

Storage complexity N 22(iogw)1/t(iogiogN)1-1/t N

Computation complexity: - server side Q(r2N2r/(2r-l)) 0(1) O(rN)

- client side 0(r2Nl/(2r-l)) 0(r3) 0(r2)

Table. Comparison of proposed scheme with existing solution

Security analysis

Since the matrix C is randomly chosen from a uniform distribution over F™xl and B, is a basis of GF(qm), the matrix Rh of each server is distributed uniformaly over F™xl. By analogy with Shamir secret sharing scheme [15] we can show that each server after receiving Rh can calculate unique valid C for all possible Uj. So, even computationally unrestricted adversary can't obtain any information even having knowledge about it.

Conclusion

In this paper the authors proposed the new approach to private information retrieving protocol construction. A new PIR scheme is described with usage of proposed approach. All significant parameters of proposed scheme have been analyzed and compared with existing solutions. As the result of comparison the following conclusions can be done.

- Proposed solution has better or equal storage complexity then all concurrent solution.

- New scheme has better client side computation complexity.

- Proposed PIR algorithm just insignificantly loses in communication complexity.

- New approach allows reaching balance between algorithm parameters.

References

1. Chor B., Kushilevitz E., Goldreich O., Sudan M. Private information retrieval // Proc. 36th Annual IEEE Symp. Foundation of Computer Science. Milwaukee, USA, 1995. P. 41-50.

2. Chor B., Gilboa N. Computationally private information retrieval // Proc. 29th Annual ACM Symposium on Theory of Computing. El Paso, USA, 1997. P. 304-313.

3. Kushilevitz E., Ostrovsky R. Replication is not needed: single database, computationally-private information retrieval // Proc. 38th IEEE Annual Symposium on Foundations of Computer Science. Miami Beach, USA, 1997. P. 364-373.

4. Cachin C., Micaliy S., Stadlerz M. Computationally private information retrieval with polylogarithmic communication // Lecture Notes in Computer Science. 1999. V. 1592. P. 402-414. doi: 10.1007/3-540-48910-X_28

5. Chang Y.-C. Single database private information retrieval with logarithmic communication // Lecture Notes in Computer Science. 2004. V. 3108. P. 50-61. doi: 10.1007/978-3-540-27800-9_5

iНе можете найти то, что вам нужно? Попробуйте сервис подбора литературы.

6. Gentry C., Ramzan Z. Single-database private information retrieval with constant communication rate // Proc. 32th International Colloquium on Automata, Languages and Programming. Lisbon, Portugal, 2005. P. 803-815.

7. Melchor C., Gaborit P. A lattice-based computationally-efficient private information retrieval protocol // IACR Cryptology ePrint Archive. 2007.

8. Smith S.W., Safford D. Practical server privacy with secure coprocessors // IBM Systems Journal. 2001. V. 40. N 3. P. 683-695.

9. Asonov D., Freytag J.C. Almost optimal private information retrieval // Proc. 2nd Workshop on Privacy Enhancing Technologies. 2002. V. 2482. P. 209-223.

10. Ambainis A. Upper bound on the communication complexity of private information retrieval // Lecture Notes in Computer Science. 1997. V. 1256. P. 401-407.

11. Yekhanin S. Locally decodable codes // Lecture Notes in Computer Science. 2011. V. 6651. P. 289-290.

12. Woodruff D., Yekhanin S. A geometric approach to information-theoretic private information retrieval // SIAM Journal of Computing. 2007. V. 37. N 4. P. 1046-1056. doi: 10.1137/06065773X

13. Beimel A., Ishai Y., Kushilevitz E. General constructions for information-theoretic private information retrieval // Journal of Computer and System Sciences. 2005. V. 71. N 2. P. 213-247. doi: 10.1016/j.jcss.2005.03.002

14. Beimel A., Ishai Y., Kushilevitz E., Raymond J.F. Breaking the O(n1/(2k-1)) barrier for information-theoretic private information retrieval // Proc. 43rd Annual IEEE Symposium on Foundations of Computer Science. Vancouver, Canada, 2002. P. 261-270.

15. Shamir A. How to share a secret // Communications of the ACM. 1979. V. 22. N 11. P. 612-613. doi: 10.1145/359168.359176

Alexandra V. Afanasyeva

Sergey V. Bezzateev

Афанасьева Александра Валентиновна

Беззатеев Сергей Валентинович

senior lecturer, Saint Petersburg State University of Aerospace Instrumentation, Saint Petersburg, 190000, Russian Federation, [email protected]

D.Sc., Associate professor, Head of Chair, Saint Petersburg State University of Aerospace Instrumentation, Saint Petersburg, 190000, Russian Federation, [email protected]

старший преподаватель, Санкт-Петербургский государственный университет аэрокосмического приборостроения, Санкт-Петербург, 190000, Российская Федерация, [email protected] доктор технических наук, доцент, заведующий кафедрой, Санкт-Петербургский государственный университет аэрокосмического приборостроения, Санкт-Петербург, 190000, Российская Федерация, [email protected]

i Надоели баннеры? Вы всегда можете отключить рекламу.