Private information retrieval
2016-06-20 17:52
In cryptography, a private information retrieval (PIR) protocol is a protocol that allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved. PIR is a weaker version of 1-out-of-n oblivious transfer, where it is also required that the user should not get information about other database items.
One trivial, but very inefficient way to achieve PIR is for the server to send an entire copy of the database to the user. In fact, this is the only possible protocol (in the classical or the quantum setting[1]) that gives the user information theoretic privacy for their query in a single-server setting.[2] There are two ways to address this problem: one is to make the server computationally bounded and the other is to assume that there are multiple non-cooperating servers, each having a copy of the database.
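The second approach, several non-cooperating servers, can be illustrated concretely. The following Python is an added example written for this page (not code from the original article or from any of the cited papers). It contains the basic two-server scheme of Chor, Goldreich, Kushilevitz and Sudan, in which each server receives a uniformly random subset of indices and returns the XOR of the selected bits, and a t-private scheme over a prime field in which the client Shamir-shares the unit vector e_i, so that any t colluding servers see only uniformly random shares while any t+1 answers reconstruct x_i (so non-responsive servers are tolerated). The field prime, the database contents and the servers' evaluation points are assumptions made for the demonstration. Neither scheme beats the linear communication of the trivial solution; the point is that the query is split so that no single server, or no subset of t servers, learns which item was asked for.

```python
"""Multi-server information-theoretic PIR (added example, not from the article)."""
import secrets

P = 2**61 - 1  # prime field GF(P); an assumption, database entries must be < P


# --- two-server scheme over GF(2): each server sees a uniformly random subset ---

def xor_server(db_bits, selector):
    """Server side: XOR of the bits whose selector entry is 1."""
    acc = 0
    for bit, sel in zip(db_bits, selector):
        if sel:
            acc ^= bit
    return acc


def xor_pir(db_bits, i):
    """Client side; returns db_bits[i]. S and S xor {i} are each uniformly random,
    so neither server alone learns i (they must not collude)."""
    s1 = [secrets.randbits(1) for _ in db_bits]   # random subset S as indicator vector
    s2 = s1[:]
    s2[i] ^= 1                                    # S xor {i}
    return xor_server(db_bits, s1) ^ xor_server(db_bits, s2)


# --- t-private, k-out-of-l scheme over GF(P) using Shamir sharing of e_i ---

def eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coeffs[0] the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_query(i, n, t, points):
    """Client: for each coordinate j, a random degree-t polynomial f_j with
    f_j(0) = e_i[j]; server at point x gets (f_0(x), ..., f_{n-1}(x))."""
    shares = {x: [] for x in points}
    for j in range(n):
        coeffs = [1 if j == i else 0] + [secrets.randbelow(P) for _ in range(t)]
        for x in points:
            shares[x].append(eval_poly(coeffs, x))
    return shares


def shamir_server(db, share_vec):
    """Server: inner product of its share vector with the database.
    This equals F(x) for F(X) = sum_j f_j(X) db[j], a degree-t polynomial with F(0) = db[i]."""
    return sum(s * d for s, d in zip(share_vec, db)) % P


def interpolate_zero(pts):
    """Lagrange interpolation at X = 0 over GF(P) from t+1 points."""
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def shamir_pir(db, i, t, points, responders=None):
    """Client: query the servers at `points` (nonzero, distinct), decode db[i]
    from any t+1 of the `responders` (default: all servers answered)."""
    q = share_query(i, len(db), t, points)
    answers = {x: shamir_server(db, q[x]) for x in points}
    responders = list(points) if responders is None else list(responders)
    if len(responders) < t + 1:
        raise ValueError("need at least t+1 responding servers")
    return interpolate_zero([(x, answers[x]) for x in responders[:t + 1]])


if __name__ == "__main__":
    db = list(b"PRIVATE INFORMATION RETRIEVAL")  # constructed sample database
    # 5 servers, 2-private, server 1 and 3 do not respond: still decodes
    print(chr(shamir_pir(db, 8, 2, [1, 2, 3, 4, 5], responders=[2, 4, 5])))
```

With t = 2 and five servers the query to each server is a vector of n field elements, so as in the two-server scheme the communication is linear in n; the sublinear schemes cited in the following sections start from this structure and reduce the query size.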
The problem was introduced in 1995 by Chor, Goldreich, Kushilevitz and Sudan[2] in the information-theoretic setting and in 1997 by Kushilevitz and Ostrovsky in the computational setting.[3] Since then, very efficient solutions have been discovered. Single-database (computationally private) PIR can be achieved with constant (amortized) communication and $k$-database (information-theoretic) PIR can be done with $n^{O\left(\frac{\log\log k}{k\log k}\right)}$ communication.
Advances in computational PIR
The first single-database computational PIR scheme to achieve communication complexity less than $n$ was created in 1997 by Kushilevitz and Ostrovsky[3] and achieved communication complexity of $n^{\epsilon}$ for any $\epsilon > 0$, where $n$ is the number of bits in the database. The security of their scheme was based on the well-studied quadratic residuosity problem. In 1999, Christian Cachin, Silvio Micali and Markus Stadler[4] achieved poly-logarithmic communication complexity. The security of their system is based on the Phi-hiding assumption. In 2004, Helger Lipmaa[5] achieved log-squared communication complexity $O(\ell \log n + k \log^2 n)$, where $\ell$ is the length of the strings and $k$ is the security parameter. The security of his system reduces to the semantic security of a length-flexible additively homomorphic cryptosystem like the Damgård–Jurik cryptosystem. In 2005, Craig Gentry and Zulfikar Ramzan[6] achieved log-squared communication complexity which retrieves log-square (consecutive) bits of the database. The security of their scheme is also based on a variant of the Phi-hiding assumption. All previous sublinear-communication computational PIR protocols required linear computational complexity of $\Omega(n)$ public-key operations. In 2009, Helger Lipmaa[7] designed a computational PIR protocol with communication complexity $O(\ell \log n + k \log^2 n)$ and worst-case computation of $O(n / \log n)$ public-key operations. Amortization techniques that retrieve non-consecutive bits have been considered by Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky and Amit Sahai.[8]
As shown by Ostrovsky and Skeith,[9] the schemes by Kushilevitz and Ostrovsky[3] and Lipmaa[5] use similar ideas based on homomorphic encryption. The Kushilevitz and Ostrovsky protocol is based on the Goldwasser–Micali cryptosystem while the protocol by Lipmaa is based on the Damgård–Jurik cryptosystem.
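The homomorphic-encryption idea behind these single-database schemes can be seen in a basic square-root scheme. The following Python is an added example written for this page; it is neither the Kushilevitz–Ostrovsky protocol (which uses Goldwasser–Micali) nor Lipmaa's (which uses Damgård–Jurik), but a toy Paillier cryptosystem (additively homomorphic; Damgård–Jurik with s = 1) with 256-bit primes, a size chosen for speed and far too small for real use. The database of N entries is laid out as a √N × √N grid; the client sends √N encryptions of the unit vector selecting the wanted column, the server returns one ciphertext per row computed as the product of the query ciphertexts raised to the row's entries (which, by the additive homomorphism, encrypts x[r][col]) without learning the column (semantic security) or the row (it is never sent), and the client decrypts the row it wants. Communication is 2√N ciphertexts instead of N entries, while the server still performs O(N) public-key operations, the linear computation cost mentioned above.

```python
"""Square-root single-server computational PIR on toy Paillier (added example)."""
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def paillier_keygen(bits=256):
    """Toy Paillier keys with g = n + 1 (key size is an assumption, far too small for real use).
    Returns ((n, n^2), (lambda, mu))."""
    p = gen_prime(bits)
    q = gen_prime(bits)
    while q == p:
        q = gen_prime(bits)
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)
    return (n, n * n), (lam, mu)


def enc(pub, m):
    """Enc(m) = (1 + m n) r^n mod n^2 with fresh random r; Enc(a) * Enc(b) = Enc(a + b)."""
    n, n2 = pub
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2


def dec(pub, priv, c):
    """Dec(c) = L(c^lambda mod n^2) * mu mod n with L(u) = (u - 1) / n."""
    n, n2 = pub
    lam, mu = priv
    u = pow(c, lam, n2)
    return ((u - 1) // n) * mu % n


def grid_layout(db):
    """Pad the database to a side x side grid, side = ceil(sqrt(N))."""
    side = math.isqrt(len(db) - 1) + 1
    padded = list(db) + [0] * (side * side - len(db))
    return [padded[r * side:(r + 1) * side] for r in range(side)], side


def client_query(pub, col, side):
    """Client: encryptions of the unit vector selecting column `col` (side ciphertexts)."""
    return [enc(pub, 1 if c == col else 0) for c in range(side)]


def server_answer(pub, grid, query):
    """Server: per row r, prod_c E_c^{x[r][c]} = Enc(sum_c q_c x[r][c]) = Enc(x[r][col]).
    The column is hidden by semantic security; the row is never sent."""
    _, n2 = pub
    answers = []
    for row in grid:
        acc = 1
        for e_c, x in zip(query, row):
            acc = acc * pow(e_c, x, n2) % n2
        answers.append(acc)
    return answers


def pir_retrieve(pub, priv, db, i):
    """Client driver: returns db[i] at a cost of 2 * side ciphertexts of communication."""
    grid, side = grid_layout(db)
    row, col = divmod(i, side)
    answers = server_answer(pub, grid, client_query(pub, col, side))
    return dec(pub, priv, answers[row])


if __name__ == "__main__":
    pub, priv = paillier_keygen(256)
    db = list(b"constructed sample database for the PIR demo")  # constructed sample input
    print(pir_retrieve(pub, priv, db, 12) == db[12])
```

Entries are bytes here only so that they fit below the Paillier modulus; larger records need several ciphertexts per cell. The server-side loop is exactly where the Ω(n) public-key operations of the earlier schemes come from: every grid cell costs one modular exponentiation.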
Advances in information theoretic PIR
Achieving information-theoretic security requires the assumption that there are multiple non-cooperating servers, each having a copy of the database. Without this assumption, any information-theoretically secure PIR protocol requires an amount of communication that is at least the size of the database n. Multi-server PIR protocols tolerant of non-responsive or malicious/colluding servers are called robust or Byzantine-robust respectively. These issues were first considered by Beimel and Stahl (2002). An ℓ-server system that can operate where only k of the servers respond, ν of the servers respond incorrectly, and which can withstand up to t colluding servers without revealing the client's query is called "t-private ν-Byzantine-robust k-out-of-ℓ PIR" [DGH 2012]. In 2012, C. Devet, I. Goldberg and N. Heninger (DGH 2012) proposed an optimally robust scheme that is Byzantine-robust to ν < k − t − 1.
Relation to other cryptographic primitives
One-way functions are necessary, but not known to be sufficient, for nontrivial (i.e., with sublinear communication) single-database computationally private information retrieval. In fact, such a protocol was proved by Giovanni Di Crescenzo, Tal Malkin and Rafail Ostrovsky to imply oblivious transfer (see below).[11]
Oblivious transfer, also called symmetric PIR, is PIR with the additional restriction that the user may not learn any item other than the one she requested. It is termed symmetric because both the user and the database have a privacy requirement.
Collision-resistant cryptographic hash functions are implied by any one-round computational PIR scheme, as shown by Ishai, Kushilevitz and Ostrovsky.[12]
PIR variations
The basic motivation for Private Information Retrieval is a family of two-party protocols in which one of the parties (the sender) owns a database, and the other party (the receiver) wants to query it with certain privacy restrictions and warranties. So, as a result of the protocol, if the receiver wants the i-th value in the database he must learn the i-th entry, but the sender must learn nothing about i. In a general PIR protocol, a computationally unbounded sender can learn nothing about i, so privacy is information-theoretically preserved. Since the PIR problem was posed, different approaches to its solution have been pursued and some variations were proposed.
A CPIR (Computationally Private Information Retrieval) protocol is similar to a PIR protocol: the receiver retrieves an element chosen by him from the sender's database, so that the sender obtains no knowledge about which element was transferred.[7] The only difference is that privacy is safeguarded against a polynomially bounded sender.[13]