Random-index PIR with Applications to Large-Scale Secure MPC

Private information retrieval (PIR) lets a client retrieve an entry from a database held by a server, without the server learning which entry was retrieved. Here we study a weaker variant that we call random-index PIR (RPIR). It differs from standard PIR in that the retrieved index is an output rather than an input of the protocol, and it is chosen at random. Our motivation for studying RPIR comes from a recent work of Benhamouda et al. (TCC'20) on maintaining secret values on public blockchains. Their solution involves choosing a small anonymous committee from among a large universe, and here we show that RPIR can be used for that purpose. For this use case the RPIR client must be implemented via secure MPC, which stresses the need to make it as efficient as possible. Combined with recent techniques for secure MPC with stateless parties, our results yield a new secrets-on-blockchain construction (and, more generally, large-scale MPC). Our solution tolerates any fraction f < 1/2 of corrupted parties, solving an open problem left from the work of Benhamouda et al. Considering RPIR as a primitive, we show that it is in fact equivalent to PIR when there are no restrictions on the number of communication rounds. On the other hand, RPIR can be implemented in a "noninteractive" setting, which is clearly impossible for PIR. We also study batch RPIR, where multiple indexes are retrieved at once. Specifically, we consider a weaker security guarantee than full RPIR, which is still good enough for our motivating application. We show that this weaker variant can be realized more efficiently than standard PIR or RPIR, and we discuss one protocol in particular that may be attractive for practical implementations.

[1] Yuval Ishai et al. Protecting data privacy in private information retrieval schemes. STOC '98, 1998.

[2] Chen-Da Liu Zhang et al. Asynchronous Byzantine Agreement with Subquadratic Communication. IACR Cryptol. ePrint Arch., 2020.

[3] Konstantinos Panagiotou et al. On the Insertion Time of Cuckoo Hashing. SIAM J. Comput., 2010.

[4] Arka Rai Choudhuri et al. Fluid MPC: Secure Multiparty Computation with Dynamic Participants. IACR Cryptol. ePrint Arch., 2020.

[5] Rafail Ostrovsky et al. One-Way Trapdoor Permutations Are Sufficient for Non-trivial Single-Server Private Information Retrieval. EUROCRYPT, 2000.

[6] Elaine Shi et al. Path ORAM: an extremely simple oblivious RAM protocol. CCS, 2012.

[7] Rasmus Pagh et al. Cuckoo Hashing. Encyclopedia of Algorithms, 2001.

[8] Rafail Ostrovsky et al. Replication is not needed: single database, computationally-private information retrieval. Proceedings 38th Annual Symposium on Foundations of Computer Science, 1997.

[9] Leonid A. Levin et al. A hard-core predicate for all one-way functions. STOC '89, 1989.

[10] Craig Gentry et al. Can a Public Blockchain Keep a Secret? TCC, 2020.

[11] Rafail Ostrovsky et al. Batch codes and their applications. STOC '04, 2004.

[12] Eyal Kushilevitz et al. Private information retrieval. JACM, 1998.

[13] Moni Naor et al. Universal one-way hash functions and their cryptographic applications. STOC '89, 1989.

[14] David Chaum et al. Untraceable electronic mail, return addresses, and digital pseudonyms. CACM, 1981.