Puncturable Pseudorandom Sets and Private Information Retrieval with Near-Optimal Online Bandwidth and Time

Imagine one or more non-colluding servers each holding a large public database, e.g., the repository of DNS entries. Clients would like to access entries in this database without disclosing their queries to the servers. Classical private information retrieval (PIR) schemes achieve polylogarithmic bandwidth per query, but require the server to perform linear computation per query, which is a significant barrier towards deployment. Several recent works showed, however, that by introducing a one-time, per-client, off-line preprocessing phase, an unbounded number of client queries can be subsequently served with sublinear online computation time per query (and the cost of the preprocessing can be amortized over the unboundedly many queries). Existing preprocessing PIR schemes (supporting unbounded queries), unfortunately, make undesirable tradeoffs to achieve sublinear online computation: they are either significantly non-optimal in online time or bandwidth, or require the servers to store a linear amount of state per client or even per query, or require polylogarithmically many non-colluding servers. We propose a novel 2-server preprocessing PIR scheme that achieves Õ(√n) online computation per query and Õ(√n) client storage, while preserving the polylogarithmic online bandwidth of classical PIR schemes. Both the online bandwidth and computation are optimal up to a polylogarithmic factor. In our construction, each server stores only the original database and nothing extra, and each online query is served within a single round trip. Our construction relies on the standard LWE assumption. As an important stepping stone, we propose new, more generalized definitions for a cryptographic object called a Privately Puncturable Pseudorandom Set, and give novel constructions that depart significantly from prior approaches.
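The offline/online paradigm the abstract refers to, as an added toy example in Python (this is not the paper's construction and not code from its authors; it follows the hint-based two-server scheme of Corrigan-Gibbs and Kogan, 2020). Two non-colluding servers hold the same database; in the one-time offline phase the client gets one parity bit ("hint") per pseudorandom set, and in the online phase it punctures a set containing the wanted index and asks the second server for the parity of the punctured set, so that server reads only s-1 = O(√n) entries. Assumptions made here: the pseudorandom set is derived from a hash and is punctured by listing its members explicitly, so online bandwidth is O(√n) integers rather than the polylogarithmic key a privately puncturable pseudorandom set would give; hints are single-use and the hint refresh that makes unbounded queries safe is omitted; n=256, s=16 and the set count are illustrative; the database is constructed from a seeded RNG.

```python
"""Toy two-server preprocessing PIR with per-client hints (illustration only).

  offline server : holds DB, once per client computes one parity bit per set
  online server  : holds DB, answers each query by reading s-1 entries
  client         : stores one bit per set (num_sets bits) plus a PRF key
The privately puncturable pseudorandom sets of the paper would replace the
explicit member list sent below with a short key; this toy does not do that.
"""
import hashlib
import math
import random


def prf_set(key: bytes, j: int, n: int, s: int) -> frozenset:
    """Toy pseudorandom set: a size-s subset of [0, n) derived from (key, j).
    Deterministic, so the offline server can regenerate it from the key alone."""
    seed = hashlib.sha256(key + j.to_bytes(4, "big")).digest()
    return frozenset(random.Random(seed).sample(range(n), s))


def server_parity(db: list, indices) -> int:
    """What either server computes: XOR of the database bits at `indices`."""
    p = 0
    for i in indices:
        p ^= db[i]
    return p


def offline_phase(db: list, key: bytes, n: int, s: int, num_sets: int) -> list:
    """Offline server: regenerate every set from the client's key, return hints."""
    return [server_parity(db, prf_set(key, j, n, s)) for j in range(num_sets)]


def puncture(full_set: frozenset, i: int, n: int, rng: random.Random):
    """Remove one element so the sent set is a uniform (s-1)-subset of [0, n)
    independent of i. Always removing i would never send a set containing i,
    which leaks; so with probability (s-1)/n remove a random other element
    instead (a dummy query whose answer the client discards)."""
    s = len(full_set)
    if rng.random() < (s - 1) / n:
        victim = rng.choice(sorted(full_set - {i}))
        return full_set - {victim}, False
    return full_set - {i}, True


def online_query(db, hints, key, n, s, i, rng):
    """Client side of the online phase. Returns (bit, attempts) or None when
    no unused hint set contains i. Each set is consumed after one use."""
    attempts = 0
    for j, h in enumerate(hints):
        if h is None:
            continue
        full_set = prf_set(key, j, n, s)
        if i not in full_set:
            continue
        attempts += 1
        hints[j] = None  # never puncture the same set twice
        sent, real = puncture(full_set, i, n, rng)
        answer = server_parity(db, sent)  # online server: s-1 reads
        if real:
            return h ^ answer, attempts  # XOR over S minus XOR over S\{i} = DB[i]
    return None


def retrieve(db: list, i: int, rng: random.Random, s: int = None, num_sets: int = None):
    """Full run for one index: offline phase, then online query (re-running the
    offline phase with a fresh key in the rare case no set contains i)."""
    n = len(db)
    s = s or math.isqrt(n)
    num_sets = num_sets or s * n.bit_length()
    for _ in range(8):
        key = rng.randbytes(16)
        hints = offline_phase(db, key, n, s, num_sets)
        result = online_query(db, hints, key, n, s, i, rng)
        if result is not None:
            return result
    raise RuntimeError("no hint set contained the target after 8 offline phases")


def puncture_check(trials: int = 2000, seed: int = 0, n: int = 256, s: int = 16):
    """Sanity check of the blinding step: every sent set has size s-1, a real
    query never contains the target, a dummy always does. Returns (ok, dummy_rate);
    the rate should be close to (s-1)/n."""
    rng = random.Random(seed)
    ok, dummies = True, 0
    for _ in range(trials):
        full = frozenset(rng.sample(range(n), s))
        i = rng.choice(sorted(full))
        sent, real = puncture(full, i, n, rng)
        ok = ok and len(sent) == s - 1 and (i not in sent) == real
        dummies += 0 if real else 1
    return ok, dummies / trials


def demo(seed: int = 1, n: int = 256, queries: int = 20):
    """Constructed database of n random bits; retrieve `queries` random positions.
    Returns (all_correct, total_online_attempts)."""
    rng = random.Random(seed)
    db = [rng.getrandbits(1) for _ in range(n)]
    correct, attempts = True, 0
    for _ in range(queries):
        i = rng.randrange(n)
        bit, a = retrieve(db, i, rng)
        attempts += a
        correct = correct and bit == db[i]
    return correct, attempts
```

The `puncture` step is the part to get right: the online server must see a set whose distribution does not depend on the queried index, which is why a fraction (s-1)/n of queries are dummies that cost a retry. What the paper adds on top of this skeleton is a privately puncturable pseudorandom set, so that the punctured set is sent as a short key that hides the punctured point, bringing online bandwidth down from O(√n) to polylogarithmic.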
