Keywords

1 Introduction

Secure Multi-Party Computation (MPC), allows two parties to jointly evaluate a function f while leaking nothing about their input to the other party beyond the output of f. A central goal of modern cryptography is to construct efficient MPC protocols. This goal is important not only from a theoretical but also from a practical viewpoint. The computational efficiency of all MPC protocols is typically bottlenecked by public-key operations (e.g., group operations, oblivious transfers (OT)). OT extension is a technique toward reducing public-key operations [3, 29], allowing one to get the results of many OTs at the cost of performing only a few OTs and some symmetric-key operations. This technique has revolutionized the practical development of MPC, leading to protocols which employ a small number of public-key operations for sophisticated tasks.

A significant limitation of existing OT extension techniques are their high communication cost: for performing \(\ell \) 1-out-of-2 bit OTs, the sender communicates at least \(2 \ell \) bits. This severely limits the use of OT extension in MPC settings where a low amount of communication is required ‘by design’ (e.g., Private-Information Retrieval (PIR)). The overarching goal of our paper is to understand communication-computation tradeoffs in such MPC settings. We show that in many such situations, performing many public-key operations is provably unavoidable. To put our results in context, let us illustrate how communication efficient OT would impact private information retrieval.

Private-Information Retrieval (PIR). Private information retrieval [15, 33] is a fundamental cryptographic primitive that allows a user to fetch a database entry without revealing to the server which database entry it learns. PIR becomes non-trivial if the server-to-user communication is strictly less than the database size (and ideally growing sub-linearly or even polylogarithmically in the database size). In some applications, one may need extra properties, such as an overall (as opposed to server-to-user) sub-linear communication or server privacy. Throughout the paper, we require neither of these unless otherwise stated. Since we prove lower bounds, this makes our results stronger. A truly efficient PIR protocol has significant real-world applications such as private certificate retrieval or private DNS lookups. By now, we know how to build PIR with communication complexity polylogarithmic in n from a wide range of assumptions [10, 12, 19, 27, 30]. While the amount of communication is attractively low, the computation overhead leaves much to be desired. [19] demonstrates that a communication efficient OT would imply PIR.

Computational Complexity of PIR. In (single-server) PIR protocols, the running time of the server cannot be sub-linear in n, the database size, without preprocessing [4]. If it was sub-linear the server could not read all the entries, leaking information about the user’s index i. Faced with this lower-bound, and the fact that PIR requires public-key assumptions [18], one may wish to settle for the next best thing: making the number of public-key operations independent of n. Somehow curiously, in all existing PIR protocols based on Diffie-Hellman or OT related assumptions [12, 19], not only the server’s running time, but the number of public-key operations performed by the server grows at least linearly with n. There is no evidence, however, if this is inherent, and in fact, it has remained an open problem whether one can build a PIR protocol where the number of public-key operations is sub-linear in n.

Is it possible construct PIR with a sub-linear amount of public-key operations and an arbitrarily large number of symmetric-key operations?

OT Extension. A major tool used for minimizing computation is OT extension. Existing OT extension techniques induce at least a linear amount of communication for the sender, making them unsuitable for PIR applications. Specifically, under existing constructions, an extended OT sender needs to communicate at least as many bits as its total input length. Beaver’s seminal construction [3] works by encoding all the sender messages into a garbled circuit, which the receiver can evaluate only on the labels that correspond to her choice bits; the IKNP protocol [29] establishes correlated randomness between the sender and the receiver, allowing the sender to XOR his messages with the corresponding masks such that the receiver can only de-mask the correct messages. In both these protocols, the sender’s outgoing protocol messages information-theoretically determine the entire sender’s input, causing the communication overhead. This state of affairs raises the following natural question.

Is it possible construct OT extension where the sender communication is close to optimal?

In the above question, by ‘optimal sender communication’ we mean the best information-theoretically achievable communication: which is \(\ell \) bits for the sender for performing \(\ell \) 1-out-2 single-bit OTs. Since OT extension is crucially used in many MPC protocols, understanding its communication complexity is of both practical and theoretical value.

Having optimal sender communication for OT extension is reminiscent of rate-1 string OT: building 1-out-of-2 string OTs for a pair of \(\ell \)-bit strings, where (roughly speaking) the sender communication grows as \(\ell + \lambda \) (as opposed to \(2 \ell + \lambda \)), where \(\lambda \) is the security parameter. Two-round rate-1 OT has found a number of applications, notably in the construction of PIR protocols with polylogarithmic communication [1, 8, 12, 19, 21, 30]. We know how to build rate-1 OT from a wide variety of assumptions [1, 12, 19, 21, 30], but all these constructions make at least a linear number of public-key operations. In particular, computational efficiency (e.g., sub-linear number of public-key operations) and communication efficiency (e.g., sub-linear communication) seem to have largely been in conflict with each other — for reasons we have not been to justify so far. The goal of our paper is to elucidate this conflicting situation.

1.1 Our Results

We answer both of the above questions, and several other related ones, negatively. In particular, we give a lower-bound on the number of public-key operations that need to be performed by servers in PIR protocols, and use this lower-bound to derive similar results for related primitives. Our core idea is based on a compilation technique that allows one to remove public-key operation queries from a PIR protocol at the cost of proportionally increasing the communication complexity in the public-key operation free protocol. As applications of our main theorem, we obtain results that settle several open problems in MPC.

In the statement below, by an \(\textsf{SO}\) oracle we mean a simulatable oracle: roughly speaking, one that can be simulated via lazy sampling. Examples of such oracles include generic-group oracles, public-key encryption oracles, etc. See Sect. 2 for more details. Also, we use the term a “party’s \(\textsf{SO}\) bit complexity” to indicate the total bit size of all \(\textsf{SO}\) queries made by the party.

Theorem 1

(Informal Main Theorem). If there exists a PIR for n-bit databases with oracle access to simulatable oracle \(\textsf{SO}\), arbitrary oracle \(\textsf{O}\), server communication of \(\eta <cn\) for \(c<1\), \(r\in o(n)\) rounds of interaction with the user, and \(q\in o(n)\) bits of communication with the \(\textsf{SO}\) oracle, then there exists a PIR with oracle access to \(\textsf{O}\), server communication \(\overline{\eta } \le \overline{c}n\) for \(\overline{c}<1\), and no calls to \(\textsf{SO}\).

We derive the following corollary.

Corollary 1

There exists no n-bit PIR protocol built solelyFootnote 1 from a simulatable oracle \(\textsf{SO}\) and a random oracle \(\textsf{O}\) with o(n) round complexity, with o(n) server’s \(\textsf{SO}\) bit complexity and with \(\eta \le cn\) server’s communication for \(c < 1\).

For example, letting \(\textsf{SO}\) be a generic group oracle (GGM), we rule out all n-bit PIR protocols that have o(n) rounds and where the server’s communication and the server’s total number of GGM queries are, respectively, cn and o(n) for \(c < 1\). This holds irrespective of the number of RO queries the protocol is allowed to make. This closely matches the known upper-bounds, as [19, 35] give n-bit PIR protocols based on the DDH assumption with server communication of \(O(\lambda )\) and with the sever making O(n) group operations.

The strength of the main theorem lies in its flexibility in instantiating the oracle \(\textsf{SO}\): for example, one may let \(\textsf{SO}\) be an FHE oracle, and obtain similar results as long as the amount of server’s communication with the FHE oracle respects the bounds. The work of [35] shows how to obtain PIR generically from (additively) homomorphic encryption, where the sever performs O(n) homomorphic additions. Our work shows that this is close to optimal.

We will show that our computational lower-bounds for PIRs give rise to communication lower-bounds for OT extension.

Corollary 2

(OT Extension: Communication Lower-Bounds). There exists no \(\ell \)-batch k-bit OT extension protocol with round complexity \(r\in o(k\ell )\) and with server communication \(\eta <c2k\ell \) for \(c<1\).

In the above corollary, by \(\ell \)-batch k-bit OT we mean performing \(\ell \) OTs for pairs of k-bit strings. The IKNP protocol [29] in the \(\ell \) single-bit OT case achieves sender communication of \(>2 \ell \). Our result shows that the IKNP’s sender communication complexity is close to optimal.

Finally, we relate PIR to other MPC protocols such as rate-1 OT to arrive at the following corollary. For brevity, we describe the statements when \(\textsf{O}\) is the GGM oracle, and only for rate-1 OT. In fact, we can show that achieving any rate strictly greater than 1/2 (measured as the information-theoretically optimal sender communication size divided by the sender’s communication size in the actual protocol) requires making an almost linear number of group operations.

Corollary 3

(String OT Corollary). There exists no \(\ell \)-bit string OT protocol in the GGM+RO model with sender communication of \(\eta \le c2\ell \) and \(o(\ell )\) calls to the generic group for \(c<1\).

Similar results can be proven about unbalanced PSI, see Sect. 5.2 for details.

2 Technical Overview

First, we will give a quick example of how to simulate a generic group efficiently to illustrate a simulatable oracle. Then, we sketch the proof of the main theorem. We proceed by showing why the main theorem is useful by demonstrating a few MPC protocols which imply non-trivial PIR, allowing us to apply our lower-bounds to them.

2.1 Generic Group Model

A generic group of order p is the group \(\mathbb {Z}_p\) together with the random injective encoding function \(\sigma :\mathbb {Z}_p \rightarrow S\), where \(S = \{0, \dots , p-1 \}\). The algorithms can access this group via the oracle \(\textsf{Add}\) which decodes two encoded elements, computes a linear combination of them and gives back the encoded result. More formally, \(\textsf{Add}: \mathbb {Z}_p^2 \times S^2 \rightarrow S\), \(( a_1, a_2 , \ell _1, \ell _2)\mapsto \sigma (a_1 v_1 + a_2 v_2)\), where \(v_i = \sigma ^{-1}(\ell _i)\) for \(i \in \{1,2\}\).Footnote 2 This way the algorithms interacting with the oracle can only access encodings instead of the real group.

To simulate a GGM oracle efficiently, the simulator dynamically generates the encoding function \(\sigma \). More specifically, it maintains a partial set L of \(\mathbb {Z}_p\)-label pairs sampled by the simulator so far. (It is initially empty.) Whenever a query \(( a_1, a_2 , \ell _1, \ell _2)\) is made, the simulator checks if \((*, \ell _1) \in L\) (meaning that if for some \(v_1\), \((v_1, \ell _1) \in L\)); if not, the simulator samples a random \(v_1\) from \(\mathbb {Z}_p\) subject to \((v_1, *) \notin L\), and adds \((v_1, \ell _1)\) to L. The simulator does the same thing for \(\ell _2\). Now assuming \((v_1, \ell _1) \in L\) and \((v_2 , \ell _2) \in L\), letting \(a_3 = a_1 v_1 + a_2 v_2\) if \((a_3, \ell _3) \in L\) for some \(\ell _3\), the simulator responds to the query with \(\ell _3\); else, the simulator samples a random \(\ell _3\) subject to \((*, \ell _3) \notin L\), adds \((a_3 , \ell _3)\) to L, and responds to the query with \(\ell _3\).

Other simulatable oracles that are useful in our main theorem are black-box oblivious transfer [26], black-box public-key encryption [26], and ideal obfuscation [31].

2.2 Proof Sketch of Main Theorem

The observation that leads to the main theorem is that in PIR protocols the server does not need to be secure. This means the protocol would still be secure if the user learned all of the servers oracle queries. Also, the user knows all of its own oracle queries. Therefore, the user can just simulate the oracle for both of the parties. For this the server just has to send all of its queries to the user. This modification increases the server communication roughly by the amount that the server would have communicated to the oracle. We will prove that this transformation preserves user security. Since we require the oracle communication to be in o(n) and the server communication to be \(<cn\) for some \(c<1\), the modified protocol will have no oracle queries and the server communication will be \(<\overline{c}n\) for \(\overline{c}<1\). Moreover, in the actual compiled protocol, to enable the compiled user to distinguish query messages from normal protocol messages, we append a flag bit to the end of each server’s protocol messages — causing a dependency on r, the number of rounds, in Theorem 1.

2.3 PIR Related Protocols

Now we exhibit a few protocols which imply non-trivial PIR, allowing us to apply our impossibility results for PIR to these protocols.

Low Sender-Communication OT. We show that an \(\ell \)-batch k-bit OT protocol with sender communication \(<c2k\ell \) for \(c<1\) implies a PIR. The transformation works as follows: suppose w.l.o.g the database size is \(2k\ell \). The server runs the OT protocol and encodes the first half of the database into the messages \((m^{(0)}_i)_{i\in [\ell ]}\) and the second half into \((m^{(1)}_i)_{i\in [\ell ]}\). Now, if a user wants to look up the j-th element of the database, it acquires \((m^{(0)}_i)_{i\in [\ell ]}\) if \(j\le k\ell \) and \((m^{(1)}_i)_{i\in [\ell ]}\) otherwise. The database entry that the client wants to learn is contained in the OT output. The server communication is \(<c2k\ell \) and the user’s input j is hidden from the server by the OT’s receiver security.

Low Total Communication OT. We next attempt to prove lower-bounds for the case where the OT protocol has low total communication (as opposed to low sender communication). For convenience we focus on \(\ell \)-batch single-bit OT. By low total communication we mean an amount that is close the information-theoretically optimal communication, which is \(2 \ell \) bits. The techniques for low sender-communication as above do not apply outright because the sender might cause the bulk of communication itself, an amount close to \(2 \ell \) bits. We get around this issue via the following intuitive idea: When an OT protocol has low total communication it must have either low sender communication, from which we already showed how to obtain a non-trivial PIR, or it must have low receiver communication. In the latter case, we swap the roles of the two different parties with a role-flipping trick implicitly in [29] and explicitly in [39]. This role flipping trick turns the low receiver communication into low sender communication, which we can then turn into a non-trivial PIR. Figure 1 depicts the construction for \(\ell =1\). In essence, we show how to turn a communication-efficient OT into a sender-communication-efficient OT by introducing an additioal round.

Fig. 1.
figure 1

Similar to [39] a visual representation of how to build an oblivious transfer \(\textsf{OT}\) from an oblivious transfer \(\textsf{TO}\) that goes in the opposite direction.

Full size image

OT Extension. The above results immediately imply communication lower bounds for OT extension: showing that performing OT extension for \(\ell \)-batch k-bit OTs with \(c 2 k \ell \) bits of sender communication for \(c<1\), and with an \(O(\lambda )\) (and even \(o(k \ell )\)) number of public-key operations is impossible.

Unbalanced PSI. Private set intersection (PSI) is an MPC protocol between two parties each holding a set and the party called the receiver learns the intersection of the two sets. No other information should be revealed to is to any of the parties. In Unbalanced PSI, a special case of PSI, the receiver set is much smaller than the sender set and the communication should only scale with the receiver set. To build a non-trivial PIR from such a protocol, for a client index i, the client sets \(x := i\) (padding it out if necessary), and for a database \(\textsf{DB}\), the server forms the set \(\{ i \mid \textsf{DB}[i]=1 \}\). An answer to \(x \in ^? S\) reveals \(\textsf{DB}[i]\). This observation allows us to prove that in unbalanced PSI with sub-linear communication, the receiver should perform close to linear public-key operations. This shows that the large number of public-key operations used in unbalanced PSI protocols of [12, 19, 21] is inherent.

Non-Trivial PIR implies Oblivious Transfer. We know that non-trivial PIR implies oblivious transfer [18], and this is used to get our final impossibility results. The transformation utilizes the user security of the PIR protocol and deploys a compression argument to argue information loss. The entropy garnered from the information loss is then fed into a randomness extractor, the output of which can be used to guarantee sender security in the resulting oblivious transfer protocol.

2.4 Oracles

Notice that all these transformations only make black-box use of the protocols they transform. This means that if the starting protocol uses some oracle other than the one we want to remove, say the random oracle [6], then the resulting protocol will also use the random oracle even if we remove other oracle queries.

3 Related Work

Technique. Our ‘compilation-out’ techniques bear some similarities to ideas used by Gennaro and Trevisan [25] for giving lower-bounds on the query complexity of PRGs from OWPs. Essentially, they showed that if the number of queries is ‘small’, they can be encoded as part of the input, hence getting rid of OWP calls in the construction of a PRG. Gennaro et al. [24] built on that idea to give lower-bounds on the efficiency of various cryptographic primitives. These works mostly deal with non-interactive primitives. Our techniques are used in a different way in that we leverage the lack of security requirements for a party to get rid of oracle calls of an interactive protocol.

Private-Information Retrieval. In all but this section of the paper we talk about non-trivial single-server private information retrieval, which is why we will sometimes leave out the descriptor “single-server”. Traditionally, PIR [15, 33] is a protocol between one user and possibly multiple servers. Just like in the non-trivial single-server case the user with an index \(i \in [n]\) learns the i-th element of a database \(\textsf{DB}\in \{0,1\}^n\) held by all the servers without disclosing i to the servers. In other words, if the caveat of non-triviality is not made, then not only the server communication needs to be sub-linear in n, but also the total communication. Thus, a non-trivial PIR is a weaker primitive than PIR. Multi-server PIR protocols assume some kind of non-collusion between the servers, which allows them to achieve statistical security as opposed to computational security in the single-server case.

By now PIR is a well studied primitive; here we focus on the single server setting. We know how to build PIR with communication complexity polylogarithmic in n from a wide range of assumptions [10, 12, 19, 30]. In the last few years, we have also made progress towards practically efficient PIR [16, 17, 28, 32, 37, 42, 43] and asymptotically efficient PIR [7, 11, 34] when the server and the client (or sometimes only the server) are allowed to preprocess the database. We even know some lower bounds for different preprocessing settings [5, 16, 17, 36, 40]. Preprocessing, however, only makes sense if one expects to use the PIR multiple times. We focus on a single query PIR and uniquely distinguish between public-key and symmetric key operations.

OT Extension. The intuition behind OT extension is that it only uses very few calls to an OT functionality to implement many more OTs. An equivalent description is that an OT extension protocol is an OT protocol that can make calls to an OT functionality. The protocol becomes valuable if the number of OT calls in the protocol is much less than the ‘size’ of the OT being implemented. OT calls are typically modelled as oracle calls to an OT functionality or the OT hybrid model.

Beaver [3] constructed the first OT extension protocol, which makes non-black-box use of pseudorandom generators and which has two rounds. Ishai et al. [29] give the first OT extension protocol only making black-box use of symmetric-key cryptography while increasing the rounds to three. Garg et al. [22] show that three rounds are necessary in the OT hybrid model when only making black-box use of symmetric-key cryptography.

Rate-1 String OT. The notion of rate-1 OT has applications beyond the construction of PIR with polylog communication. In particular, a generalization of this notion, called trapdoor hash, has been used as a building block to build non-interactive zero knowledge for NP [9]. This has made the notion of rate-1 OT appealing from both a theoretical and practical points of view.

Unbalanced Private-Set Intersection (PSI). Private keyword search allows a receiver, with a single element x, to learn whether x is a member of a large set S held by a sender, or sometimes called PIR for keywords [14]. This is an instance of the so-called unbalanced PSI problem, defined earlier. A desirable feature of such unbalanced PSI protocols is sub-linear communication: the total amount of communication must be sub-linear the larger set size. We have protocols, from a wide variety of cryptographic assumptions, for unbalanced PSI whose communication complexity grows only polylogarithmically with the larger set size [12, 19, 21, 30].

Again, the Diffie-Hellman-based protocols come with a high sender computation cost: the number of group operations grows at least linearly in the bigger set size. As in PIR, one can prove that the strict running time of the sender in unbalanced PSI cannot be sub-linear in \(|S_1|\), but that does not mean the number of public-key operations must also grow with n — especially, if the sender is allowed to make an arbitrarily-large number of symmetric-key operations. In fact, while the protocols in [12, 19, 21] induce little communication, the large number of public-key operations involved is a major bottleneck.

In the absence of the sub-linear communication requirement, one may use oblivious-transfer (OT) extension techniques [3, 29] to design unbalanced PSI protocols with a number of public-key operations independent of \(|S_1|\). These protocols can be made concretely efficient as well (e.g., [13]). However, all these OT-extension-based protocols fail to achieve sub-linear communication.

4 Preliminaries

We denote the security parameter by \(\lambda \). We say a function \(\textsf{negl}\) is negligible if for any polynomial \(\textsf{poly}\) we have \(\textsf{negl}(\lambda )\in o(\frac{1}{\textsf{poly}(\lambda )})\). For two integers i and \(i'\), we define \([i, i'] := \{ i, i+1, \dots , i'\}\). We let \([n] := \{ 1, \dots , n \}\).

For \(i \in \{r, s\}\), denoting receiver (r) and sender (s), we let \(\textsf{view}_i^\varPi (1^\lambda , x,y)\) denote the view of Party i in an honest execution of the protocol \(\varPi \) on \(1^\lambda \) and on the parties’ respective inputs, where the view contains the private input and the random coins of the respective party, the protocol’s transcript, and the transcript of oracle queries and their responses. We may omit the security parameter \(1^\lambda \) whenever it is clear from the context.

4.1 Oblivious Transfer

Definition 1

(Oblivious Transfer (OT)). An \(\ell \)-batch k-bit string OT protocol \(\textsf{OT}\) is a protocol between two interactive PPT programs \((\textsf{OTR}, \textsf{OTS})\), where \(\textsf{OTR}\) and \(\textsf{OTS}\) denote, respectively, the receiver and the sender.

  • \(\textsf{OTR}(1^\lambda ,1^\ell , 1^k , s):\) An interactive algorithm that takes in a security parameter \(1^\lambda \), batching parameter \(1^\ell \), message parameter \(1^k\), and choice vector \(s\in \{0,1\}^\ell \), and outputs \(m \in \{0,1\}^\ell \).

  • \(\textsf{OTS}(1^\lambda ,1^\ell , 1^k , m^{(0)},m^{(1)}):\) An interactive algorithm that takes in a security parameter \(1^\lambda \), batching parameter \(1^\ell \), message parameter \(1^k\) and two message vectors \(m^{(0)},m^{(1)}\in \textsf{M}^\ell \), for \(\textsf{M} = \{0,1\}^k\), and outputs \(\bot \)

We require the following.

Correctness. \(\textsf{OT}\) is \(\alpha (\cdot )\)-correct if for any \(\lambda \), \(s\in \{0,1\}^\ell \), \((m_i^{(0)},m_i^{(1)})_{i \in [\ell ]} \in (\textsf{M} \times \textsf{M})^\ell \), the probability over an honest interaction between \(\textsf{OTR}(1^\lambda ,1^k,1^\ell ,s)\) and \(\textsf{OTS}(1^\lambda ,1^k,1^\ell ,m^{(0)},m^{(1)})\) that \(\textsf{OTR}\) outputs \((m^{(s_1)}_1\dots m^{(s_\ell )}_\ell )\) is \(\ge \alpha (\lambda )\). The protocol is perfectly correct if \(\alpha = 1\). By default we require prefect correctness.

Semi-Honest Receiver Security. For any strings \(s_0, s_1 \in \{0,1\}^\ell \), \(m^{(0)},m^{(1)}\in \textsf{M}^\ell \) we have that \(\textsf{view}_s^{\textsf{OT}}(s_0 , (m^{(0)},m^{(1)}))\) and \(\textsf{view}_s^{\textsf{OT}}(s_1 , (m^{(0)},m^{(1)}))\) are computationally indistinguishable.

Semi-Honest Sender Security. For any \(s \in \{0,1\}^\ell \) and \(m^{(0)},m^{(1)}, z^{(0)},z^{(1)} \in \textsf{M}^\ell \) such that \(\{(m_i^{s_i}) \} = \{(z_i^{s_i}) \}\), we have that the two views \(\textsf{view}_r^{\textsf{OT}}(s , (m^{(0)},m^{(1)}))\) and \(\textsf{view}_r^{\textsf{OT}}(s , (z^{(0)},z^{(1)}))\) are computationally indistinguishable.

OT Terminologies. We may sometimes refer to an \(\ell \)-batch single-bit OT as an \(\ell \)-batch OT. Also, whenever we say a k-bit string OT we mean \(\ell =1\).

We define notions of rate as asymptotic ratios between the actual communication under a given protocol and the best achievable communication under a (possibly) insecure protocol; i.e., for \(\ell \)-batch single-bit OT the sender must communicate at least \(\ell \) bits to the receiver, if perfect correctness is required. Therefore, the optimal download communication is \(\ell \). Similarly, the optimal total communication is \(2 \ell \).

Expected Download Rate. An \(\ell \)-batch single-bit OT protocol has expected download rate c if for all \(\lambda \), s, \(m^{(0)}\), \(m^{(1)}\), and all but finitely many \(\ell \)

$$\begin{aligned} \frac{\ell }{d(\lambda , \ell )} \ge c, \end{aligned}$$

where \(d(\lambda , \ell )\) is expected communication from \(\textsf{OTS}(1^\lambda ,1^\ell ,m^{(0)},m^{(1)})\) to \(\textsf{OTR}(1^\lambda ,1^\ell ,s)\).

Expected (Overall) Rate. An \(\ell \)-batch single-bit OT protocol has expected (overall) rate c if for all \(\lambda \), s, \(m^{(0)}\), \(m^{(1)}\), and all but finitely many \(\ell \)

$$\begin{aligned} \frac{2 \ell }{t(\lambda , \ell )} \ge c, \end{aligned}$$

where \(t(\lambda ,\ell )\) is the expected total communication.

We now define the notion of OT extension in the black-box OT model, which is stronger than the OT-hybrid model.

Definition 2

(Black-Box OT Extension). A black-box OT extension \(\textsf{OTExt}^\textsf{OT}\) \(=\) \((\textsf{OTRExt}^\textsf{OT}\), \(\textsf{OTSExt}^\textsf{OT})\) is an \(\ell \)-batch k-bit OT protocol that for a fixed polynomial \(\textsf{poly}\), independent of \(\ell \), makes at most \(\textsf{poly}(\lambda )\) calls to the base single-bit OT oracle \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\).

4.2 Private-Information Retrieval (PIR)

Definition 3

(Non-Trivial PIR). A non-trivial (single-server) private information retrieval \(\textsf{ntPIR}\) is an interactive protocol between two interactive PPT programs \((\textsf{PIRU}, \textsf{PIRS})\), where \(\textsf{PIRU}\) and \(\textsf{PIRS}\) denote, respectively, the client (user) and the server.

  • \(\textsf{PIRU}(1^\lambda , 1^n , i)\): An interactive algorithm that takes in a security parameter \(1^\lambda \), the database size n, and a choice index \(i\in [n]\), and at the end of the interaction outputs \(y \in \{0,1\}\).

  • \(\textsf{PIRS}(1^\lambda , 1^n , \textsf{DB})\): An interactive algorithm that takes in a security parameter \(1^\lambda \), database size n and a database \(\textsf{DB}\in \{0,1\}^n\), and outputs \(\bot \).

We require the following properties.

Correctness. The PIR protocol is \(\alpha (\cdot )\)-correct if for any \(\lambda \), n, \(i \in [n]\) and \(\textsf{DB}\in \{0,1\}^n\), the probability over an honest interaction between \(\textsf{PIRU}(1^\lambda , 1^n , i)\) and \(\textsf{PIRS}(1^\lambda , 1^n , \textsf{DB})\) that \(\textsf{PIRU}\) outputs \(\textsf{DB}_i\) is \(\ge \alpha (\lambda )\). The protocol is perfectly correct if \(\alpha = 1\). By default we require perfect correctness.

Semi-Honest Client Security. For any n, \(i, i'\in [n]\), \(\textsf{DB}\in \{0,1\}^n\), \(\textsf{view}_s^{\textsf{ntPIR}}(i,\textsf{DB})\) and \(\textsf{view}_s^{\textsf{ntPIR}}(i',\textsf{DB})\) are computationally indistinguishable.

Non-Trivial Expected Download Communication. There exists a polynomial \(\mathsf {\textsf{poly}}\) such that for all sufficiently large \(\lambda \), for all \(n \ge \textsf{poly}(\lambda )\), for all \(i \in [n]\), and \(\textsf{DB}\in \{0,1\}^n\), the expected communication from \(\textsf{PIRS}(1^\lambda , 1^n , i)\) to \(\textsf{PIRU}(1^\lambda , 1^n , \textsf{DB})\) is \(d(\lambda , n)< n\).

The following result shows that non-trivial PIR implies public-key cryptography in a black-box way. We use this theorem for our lower-bound results.

Theorem 2

([18]). There exists a black-box construction of OT from a non-trivial PIR protocol.

5 Protocols that Imply Non-Trivial PIR

We substantiate the relevence of non-trivial PIR by showing that communication-efficient versions of some popular MPC protocols can be transformed into non-trivial PIR in a black-box manner. These transformations later let us transfer the lower-bounds regarding PIR to these protocols.

In the following, we focus on different variants of oblivious transfer and unbalanced private set intersection to demonstrate the concept. The same ideas apply to many other protocols such as vector oblivious linear evaluation and oblivious polynomial evaluation.

5.1 Oblivious Transfer

We show how to transform a protocol for k-bit string oblivious transfer \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\) that makes calls to an oracle \(\mathcal {O}\) into a PIR protocol \((\textsf{PIRU},\textsf{PIRS})\) with database size \(n=2k\) that makes calls to the same oracle \(\mathcal {O}\) in a black-box manner. The construction is folklore and works by splitting the database in half, using each half as one of the two strings, and choosing the OT choice bit based on the PIR client’s index accordingly.

  • \(\textsf{PIRU}^\mathcal {O}(1^\lambda , 1^{n} , i)\): For \(n = 2k\), set the choice bit \(b\leftarrow \lfloor (i-1)/k\rfloor \). Run the OT receiver \(m_b\leftarrow \textsf{OTR}^\mathcal {O}(1^\lambda ,b)\) to get the chosen string \(m_b\). Return \(m_b[i-k b]\)

  • \(\textsf{PIRS}^\mathcal {O}(1^\lambda , 1^n , \textsf{DB})\): Let strings \(m_0\leftarrow \textsf{DB}[1,\dots ,k]\) and \(m_1\leftarrow \textsf{DB}[k+1,\dots ,2k]\). Run the OT sender \(\textsf{OTS}^\mathcal {O}(1^\lambda ,m_0,m_1)\).

Lemma 1

(Folklore). The PIR protocol \((\textsf{PIRU},\textsf{PIRS})\) has the same correctness error, the same sender/receiver query complexity, and the same sender/receiver communication as those of the OT protocol \(\textsf{OT}\).

That means if the expected sender communication in \(\textsf{OT}\) is less than \(n=2k\), then \((\textsf{PIRU},\textsf{PIRS})\) is a non-trivial PIR protocol.

Proof of Correctness. Correctness follows from the correctness of the OT protocol and for \(b=\lfloor (i-1)/k\rfloor \) we have \(m_b[i-k b]=\textsf{DB}[k b+1,\dots ,k b+k][i-k b]=\textsf{DB}[i]\).    \(\square \)

Proof of Client Security. Suppose there exists \(i,i'\in [N]\), \(\textsf{DB}\in \{0,1\}^N\) such that an adversary \(\mathcal {A}\) can distinguish \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) from \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) with non-negligible probability. Then \(\lfloor (i-1)/k\rfloor \ne \lfloor (i'-1)/k\rfloor \) else \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) and \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) follow the exact same distribution. The same adversary \(\mathcal {A}\) distinguishes between \(\textsf{view}_s^{\textsf{OT}}(\lfloor (i-1)/k\rfloor ,(\textsf{DB}[1,\dots ,k],\textsf{DB}[k+1,\dots ,2k]))\) and \(\textsf{view}_s^{\textsf{OT}}(\lfloor (i'-1)/k\rfloor ,(\textsf{DB}[1,\dots ,k],\textsf{DB}[k+1,\dots ,2k]))\) with the same non-negligible probability since the views are exactly the same as \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) and \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) respectively.    \(\square \)

Remark 1

One can transform any \(\ell \)-batch k-bit OT protocol into a \(k\ell \)-bit string OT protocol by reusing the same choice bit across all the \(\ell \) batches. This works without any issues because we only talk about semi-honest security.

OT With Low Total Communications. Using the symmetric nature of OT we transform an OT protocol with low communication (not just low sender communication) into a low sender communication OT protocol in a black-box manner. This allows us to apply our PIR lower-bounds to OT with low expected communication. Our transformation works by noting that every communication efficient OT protocol has either low sender or low receiver communication; if the receiver communication is low, our transformation will swap the roles of the sender and receiver, to obtain an OT protocol with low sender communication, as desired.

The following transformation was implicitly used in [29] and explicitly in [39]. The transformation works as follows: Let \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\) be an \(\ell \)-batch single-bit OT with expected total communication \(t(\lambda ,\ell )\), expected download communication \(d(\lambda ,\ell )\), expected upload communication \(u(\lambda ,\ell )\), and oracle accesses to \(\mathcal {O}\). We define a \(\textsf{OT}'=(\textsf{OTR}',\textsf{OTS}')\) as follows

  • \(\textsf{OTR}'^\mathcal {O}(1^\lambda ,1^\ell ,s)\):

    1. 1.

      If the expected download communication of \(\textsf{OT}\) is \(d(\lambda ,\ell )<u(\lambda ,\ell )+\ell \):

      1. (a)

        Run \((m'_1,\dots ,m'_\ell )\leftarrow \textsf{OTR}^\mathcal {O}(1^\lambda ,1^\ell ,s)\), the \(\ell \)-batch OT receiver on the choice string s.

      2. (b)

        Return \((m'_1,\dots ,m'_\ell )\)

    2. 2.

      Else:

      1. (a)

        Sample \(r\xleftarrow {\$}\{0,1\}^\ell \) uniformly at random.

      2. (b)

        Run \(\textsf{OTS}^\mathcal {O}(1^\lambda ,1^\ell ,r,s\oplus r)\), the \(\ell \)-batch OT sender on messages \(m_0=r\) and \(m_1=r\oplus s\).

      3. (c)

        Receive v in the round after \(\textsf{OTS}\) is done.

      4. (d)

        Return \(v\oplus r\)

  • \(\textsf{OTS}'^\mathcal {O}(1^\lambda ,1^\ell ,m^{(0)},m^{(1)})\) :

    1. 1.

      If the expected download communication of \(\textsf{OT}\) is \(d(\lambda ,\ell )<u(\lambda ,\ell )+\ell \):

      1. (a)

        Run \(\textsf{OTS}^\mathcal {O}(1^\lambda ,1^\ell ,m^{(0)},m^{(1)})\), the \(\ell \)-batch OT sender on messages \(m_0=m^{(0)}\) and \(m_1=m^{(1)}\).

      2. (b)

        Return

    2. 2.

      Else:

      1. (a)

        Run \(z\leftarrow \textsf{OTR}^\mathcal {O}(1^\lambda ,1^\ell ,m^{(1)}\oplus m^{(0)})\), the \(\ell \)-batch OT receiver on the choice string \(m^{(1)}\oplus m^{(0)}\) to receive the string z.

      2. (b)

        Send \(z\oplus m^{(0)}\) in the round after \(\textsf{OTR}\) is done

      3. (c)

        Return

Lemma 2

The constructed OT protocol \(\textsf{OT}'=(\textsf{OTR}',\textsf{OTS}')\) has the same correctness as the base OT \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\). Moreover, \(\textsf{OT}'=(\textsf{OTR}',\textsf{OTS}')\) is secure if \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\) is secure.

Assuming \(\textsf{OT}=(\textsf{OTR},\textsf{OTS})\) has expected overall rate \(r > 2/3\), the constructed OT has expected download rate \(w > 1/2\).

Correctness. If \(d(\lambda ,\ell )<u(\lambda ,\ell )+\ell \) then both parties behave exactly like \(\textsf{OT}\) and therefore correctness is inherited.

If \(d(\lambda ,\ell )\ge u(\lambda ,\ell )+\ell \) the sender \(\textsf{OTS}'\) learns

$$\begin{aligned} \left( r_1\oplus s_1\cdot (m^{(1)}_1\oplus m^{(0)}_1),\dots , r_\ell \oplus s_\ell \cdot (m^{(1)}_\ell \oplus m^{(0)}_\ell )\right) \end{aligned}$$

it then sends back

$$\begin{aligned} \left( r_1\oplus s_1\cdot (m^{(1)}_1\oplus m^{(0)}_1)\oplus m^{(0)}_1,\dots , r_\ell \oplus s_\ell \cdot (m^{(1)}_\ell \oplus m^{(0)}_\ell )\oplus m^{(0)}_\ell \right) \end{aligned}$$

then the receiver \(\textsf{OTR}'\) computes

$$\begin{aligned} & \left( s_1\cdot (m^{(1)}_1\oplus m^{(0)}_1)\oplus m^{(0)}_1,\dots , s_\ell \cdot (m^{(1)}_\ell \oplus m^{(0)}_\ell )\oplus m^{(0)}_\ell \right) \\ = & \left( m^{(s_1)}_1,\dots ,m^{(s_\ell )}_\ell \right) \end{aligned}$$

   \(\square \)

Security. The security in the case that \(d(\lambda ,\ell )<u(\lambda ,\ell )+\ell \) directly follows from the security of \(\textsf{OT}\).

In the other case it follows from the security of \(\textsf{OT}\) and the work of [39] which proves that this exact construction is secure. For receiver security we have that the sender (according to sender security of \(\textsf{OT}\)) only learns z. Each bit \(z_i\) is either \(r_i\) or \(s_i\oplus r_i\), in both cases it is uniformly random because r is uniformly random. Sender security of \(\textsf{OT}'\) follows because the execution of \(\textsf{OT}\) leaks nothing to the receiver (according to the receiver security of \(\textsf{OT}\)). That means all the receiver learns is \(z\oplus m^{(0)}\). By correctness of \(\textsf{OT}'\) this is exactly \((m_1^{(s_1)}\oplus r_1,\dots ,m_\ell ^{(s_\ell )}\oplus r_\ell )\) and therefore contains no information about \((m_1^{(1-s_1)},\dots ,m_\ell ^{(1-s_\ell )})\).    \(\square \)

Expected Download Communication. Let r be the rate, \(t(\lambda ,n)\) be the expected total communication which is the sum of the expected receiver-to-sender communication \(u(\lambda ,\ell )\) and the expected sender-to-receiver communication \(d(\lambda ,\ell )\). Then for all but finitely many \(\ell \) we have \(t(\lambda ,\ell )<\frac{2\ell }{r}\). In the following, the expected sender-to-receiver communication of \(\textsf{OT}'\) will be called \(d'(\lambda ,\ell )\).

If \(d(\lambda ,\ell )<u(\lambda ,\ell )+\ell \) then

figure a

Else the new expected sender-to-receiver communication is

figure b

Either way, \(d'(\lambda ,\ell )\le \frac{t(\lambda ,\ell )+\ell }{2}\) which means that for all but finitely many \(\ell \) we have \(d'(\lambda ,\ell )< (\frac{1}{r}+\frac{1}{2})\ell \). Therefore, the expected download rate is \(\frac{2}{(\frac{1}{r}+\frac{1}{2})}\) which is \(>1/2\) for \(r>2/3\).    \(\square \)

5.2 Unbalanced Private-Set Intersection

In unbalanced private set intersection we have a set A of n \(\lambda \)-bit messages, held by a sender \(\textsf{PSIS}(1^\lambda , 1^n , A)\), and a singleton set B, held by a receiver \(\textsf{PSIR}(1^\lambda , 1^n, B)\). The goal is for the receiver to learn \(A\cap B\) while the sender should learn nothing. Semi-honest receiver security can be defined along the lines of receiver (client) security of PIR (Definition 3).

We show how to transform a protocol for unbalanced private-set intersection \(\textsf{PSI}=(\textsf{PSIS},\textsf{PSIR})\) that makes calls to oracle \(\mathcal {O}\) into a PIR protocol \((\textsf{PIRU},\textsf{PIRS})\) that makes calls to the same oracle \(\mathcal {O}\) in a black-box manner. We do this by simply encoding the PIR-database and the PIR-query as sets.

  • \(\textsf{PIRU}^\mathcal {O}(1^\lambda , 1^n , i)\): Set \(A := \{i\}\). Run the PSI receiver \(I\leftarrow \textsf{PSIR}^OO(1^\lambda ,A)\) to get the intersection I. Return 1 if \(\{i\}=I\) and 0 otherwise.

  • \(\textsf{PIRS}^\mathcal {O}(1^\lambda , 1^n , \textsf{DB})\): Form the set \(B := \{x \mid \textsf{DB}[x]=1\}\). Run the PSI sender \(\textsf{PSIS}^\mathcal {O}(1^\lambda ,B)\).

Lemma 3

(Folklore). The PIR protocol \((\textsf{PIRU},\textsf{PIRS})\) has the same correctness error, sender and receiver communication and sender and receiver query complexity as those of \(\textsf{PSI}\). Moreover, the resulting PIR protocol has client security if \(\textsf{PSI}\) provides receiver security.

That means if the sender communication in \(\textsf{PSI}\) is less than n, then \((\textsf{PIRU},\textsf{PIRS})\) is a non-trivial PIR protocol.

Proof of Correctness. Correctness follows from the correctness of the PSI protocol and the intersection of \(\{i\}\) and B being \(\{i\}\) if \(i\in B\Leftrightarrow \textsf{DB}[i]=1\) and \(\emptyset \) otherwise.

Proof of Client Security. Suppose there exists \(i,i'\in [n]\), \(\textsf{DB}\in \{0,1\}^n\) such that an adversary \(\mathcal {A}\) can distinguish \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) from \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) with non-negligible probability. The same adversary \(\mathcal {A}\) distinguishes between \(\textsf{view}_s^{\textsf{PSI}}(\{i\},B)\) and \(\textsf{view}_s^{\textsf{PSI}}(\{i'\},B)\) with the same non-negligible probability since the views are exactly the same.    \(\square \)

6 Lower-Bounds on the Number Oracle Queries in PIR

In this section, we show how to transform a private information retrieval (PIR) protocol with access to some simulatable oracle \(\textsf{SO}\) into one that does not query that oracle. To have something concrete in mind one may imagine \(\textsf{SO}\) being the generic group model, though the technique is much more general. We will later go into common instantiations of the oracle. This transformation allows us to transfer lower-bounds from PIR without oracle access to PIR with oracle access.

Simulatable Oracles. A simulatable oracle is an oracle \(\textsf{SO}\) which can efficiently be simulated by a stateful simulator \(\textsf{Sim}\). More formally, a computationally unbounded adversary \(\mathcal {A}\) cannot win the following game with a non-negligible advantage in polynomially many rounds r, where \(\textsf{Sim}\) is a PPT algorithm:

  1. 1.

    Sample random bit \(b\xleftarrow {\$}\{0,1\}\).

  2. 2.

    Initialize the state of the oracle as \(\textsf{st}\leftarrow \bot \).

  3. 3.

    Initialize the state of the adversary \(\textsf{ast}\leftarrow \bot \).

  4. 4.

    The adversary produces a first query \(\textsf{qu}\).

  5. 5.

    For \(i \in [r]\):

    1. (a)

      If \(b=0\):

      • Let the response be \(\textsf{resp}\leftarrow \textsf{SO}(\textsf{qu})\)

    2. (b)

      Else:

      • Let response and new oracle state be \((\textsf{resp},\textsf{st})\leftarrow \textsf{Sim}(\textsf{qu},\textsf{st})\)

    3. (c)

      Let new query and adversary state be \((\textsf{qu},\textsf{ast})\leftarrow \mathcal {A}(\textsf{ast},\textsf{resp})\)

  6. 6.

    Let the adversary output its guess \(b'\leftarrow \mathcal {A}(\textsf{ast})\).

  7. 7.

    The adversary wins if \(b=b'\).

Typical examples of simulatable oracles include the random oracle and the generic group oracle.

Construction 1

Let \(\textsf{PIR}:= (\textsf{PIRU}^{\textsf{SO},\textsf{O}}, \textsf{PIRS}^{\textsf{SO},\textsf{O}})\) be a bit PIR protocol that uses a simulatable oracle \(\textsf{SO}\) and another oracle \(\textsf{O}\). We show how to compile out the \(\textsf{SO}\)-calls of \((\textsf{PIRU}^{\textsf{SO},\textsf{O}} , \textsf{PIRS}^{\textsf{SO},\textsf{O}})\), obtaining an \(\textsf{SO}\)-free PIR protocol \(\overline{\textsf{PIR}}:= (\overline{\textsf{PIRU}}^{\textsf{O}} , \overline{\textsf{PIRS}}^{\textsf{O}})\).

For notational convenience, in the following whenever calling \(\textsf{PIRU}\) or \(\textsf{PIRS}\), we omit the private-state part of the input.

The protocol messages sent from \(\overline{\textsf{PIRU}}\) to \(\overline{\textsf{PIRS}}\) are tagged with either ‘protocol’ (or bit zero) signifying a normal protocol message, or with ‘query’ (or bit 1) signifying a query message.

  • \(\overline{\textsf{PIRU}}^{\textsf{O}}(1^\lambda , 1^n , i)\):

    • Initialize the state of the simulatable oracle \(\textsf{st}\leftarrow \bot \).

    • Run the interactive PPT \(\textsf{PIRU}^{\textsf{SO},\textsf{O}}\) with the following interactions:

      1. 1.

        When \(\textsf{PIRU}^{\textsf{SO},\textsf{O}}\) calls \(\textsf{O}\) on a query \(\textsf{qu}\) forward the query to \(\textsf{O}\) and respond with the received response.

      2. 2.

        When \(\textsf{PIRU}^{\textsf{SO},\textsf{O}}\) calls \(\textsf{SO}\) on a query \(\textsf{qu}\), simulate the response and update the oracle simulators state \((\textsf{resp},\textsf{st})\leftarrow \textsf{Sim}(\textsf{qu},\textsf{st})\).

      3. 3.

        Upon \(\overline{\textsf{PIRU}}\) receiving a message of the form \((`query',\textsf{msgs})\), interpret \(\textsf{msgs}\) as a query \(\textsf{qu}\), simulate the oracle response and update the oracle simulators state as \((\textsf{resp},\textsf{st})\leftarrow \textsf{Sim}(\textsf{qu},\textsf{st})\) and return \(\textsf{resp}\) to the sender \(\overline{\textsf{PIRS}}\). If the message has the form \((`protocol',\textsf{msgs})\), run \(\textsf{PIRU}^{\textsf{SO},\textsf{O}}\) on the protocol message \(\textsf{msgs}\) until it produces the next message \(\textsf{msgr}\) and send that to \(\overline{\textsf{PIRS}}\). The oracle queries are handled as described above.

  • \(\overline{\textsf{PIRS}}^{\textsf{O}}(1^\lambda , 1^n, \textsf{DB})\):

    • Run the interactive PPT \(\textsf{PIRS}^{\textsf{SO},\textsf{O}}\) with the following interactions:

      1. 1.

        When \(\textsf{PIRS}^{\textsf{SO},\textsf{O}}\) calls \(\textsf{O}\) on a query \(\textsf{qu}\), forward the query to \(\textsf{O}\) and respond with the received response.

      2. 2.

        When \(\textsf{PIRS}^{\textsf{SO},\textsf{O}}\) calls \(\textsf{SO}\) on a query \(\textsf{qu}\), send a tagged query pair \((`query',\textsf{qu})\) to \(\overline{\textsf{PIRU}}\) and use the response \(\textsf{msgr}\) as a query response for \(\textsf{qu}\) to \(\textsf{PIRS}\).

      3. 3.

        Else, run \(\textsf{PIRS}^{\textsf{SO},\textsf{O}}\) until it produces a message \(\textsf{msgs}\) and send the tagged message \((`protocol',\textsf{msgs})\) to \(\overline{\textsf{PIRU}}\), then wait for the response \(\textsf{msgr}\) and continue.

Theorem 3

If \(\textsf{PIR}\) is a non-trivial private information retrieval with server communication of \(\eta <cn\) for \(c<1\), \(r\in o(n)\) rounds of interaction with the user, and \(q\in o(n)\) bits of communication with the \(\textsf{SO}\) oracle then \(\overline{\textsf{PIR}}\) is a non-trivial private information retrieval with server communication \(\overline{\eta } \le \overline{c}n\) for \(\overline{c}<1\) and no calls to \(\textsf{SO}\).

Server Communication. The server’s additional communication overhead includes 1 bit per round as well as a total of O(q) bits. Since the number rounds is o(n), the total server communication complexity becomes \(c n +o(n) \), which is less than \(\overline{c}n\) for some \(\overline{c}<1\).    \(\square \)

Correctness. Notice that the above protocol will have different output from an execution of \(\textsf{PIR}\) either

  1. 1.

    if a with \(\textsf{Sim}\) simulated oracle behave differently from the real oracle behaviour or

  2. 2.

    if a message in the execution of \(\textsf{PIR}\) happens to start with t.

Both of these events happen with negligible probability. Therefore, if \(\textsf{PIR}\) has statistical correctness then so does \(\overline{\textsf{PIR}}\).   \(\square \)

Client Security. Suppose there exists \(i,i'\in [n]\), \(\textsf{DB}\in \{0,1\}^n\) such that an adversary \(\overline{\mathcal {A}}\) can distinguish \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i,\textsf{DB})\) from \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i',\textsf{DB})\) with non-negligible probability. We construct a new adversary \(\mathcal {A}\) to distinguish between \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) and \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\). The new adversary \(\mathcal {A}\) gets as input a view v either from \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) or \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) and does the following:

  1. 1.

    Generate an empty view \(\overline{v}\).

  2. 2.

    Copy all \(\textsf{O}\)-oracle calls from v to \(\overline{v}\).

  3. 3.

    Run \(\textsf{PIRS}\) on the randomness and \(\textsf{DB}\) as defined in the view v and simulate its interaction as follows:

    1. (a)

      For \(\textsf{PIRS}\)’s calls to the \(\textsf{SO}\) oracle with query \(\textsf{qu}\) and gets response \(\textsf{resp}\) enter \(('query',\textsf{qu})\) as a server message into \(\overline{v}\) and \(\textsf{resp}\) as a user message.

    2. (b)

      For \(\textsf{PIRS}\)’s messages \(\textsf{msgs}\) enter \(('protocol,\textsf{msgs})\) in the transcript \(\overline{v}\) as a server message and enter the users response \(\textsf{msgr}\) as a users message.

  4. 4.

    Run \(b\leftarrow \overline{\mathcal {A}}(\overline{v})\), on the view \(\overline{v}\) produced by \(\overline{\textsf{PIRS}}\)

  5. 5.

    Return b

\(\mathcal {A}\) will distinguish \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) and \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\) with negligibly close to the probability as \(\overline{\mathcal {A}}\) can distinguish \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i,\textsf{DB})\) from \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i',\textsf{DB})\). This is because \(\overline{v}\) follows the same distribution as \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i,\textsf{DB})\) (except that the \(\textsf{SO}\) queries are produced by the real oracle, not the simulator) if v was from \(\textsf{view}_s^{\textsf{PIR}}(i,\textsf{DB})\) and \(\overline{v}\) follows the same distribution as \(\textsf{view}_s^{\overline{\textsf{PIR}}}(i',\textsf{DB})\) (same caveat here) if v was from \(\textsf{view}_s^{\textsf{PIR}}(i',\textsf{DB})\). If the adversary could notice the simulation of \(\textsf{SO}\) then it would break its simulatability.    \(\square \)

Remark 2

Theorem 3 is applicable to any two-PC protocol with one-sided receiver security. Of course, in the absence of further restrictions, such protocols are trivial to realize (e.g., by the sender sending its input in the clear to the receiver). One restriction that makes the problem non-trivial is to require the sender-to-receiver communication to be sub-linear in the sender’s input size, as in PIR.

The utility of Theorem 3, beyond PIR itself, becomes apparent when one considers other protocols that imply non-trivial PIR while instantiating their underlying oracles via ideal forms of powerful primitives. We first discuss the implications of the theorem in terms of particular instantiations of the oracle, and in the next section we consider protocols that imply PIR.

Theorem 3 allows us to also rule out powerful non-black-box techniques for building PIR. We demonstrate this by letting \(\textsf{SO}\) include an OT oracle and an ideal obfuscation oracle that can obfuscate circuits with generic OT gates and random oracle gates. (See [2, 20] for capturing similar non-black-box techniques via oracle-aided circuits.)

Corollary 4

For any constants \(c < 1\), there exists no n-bit PIR protocol with server communication \(\eta \le c n\), round complexity \(r\in o(n)\), and with oracle access to a PSPACE-complete oracle, a random oracle, a generic OT oracle, and an obfuscation oracle for circuits with OT and random oracle gates, and where the server only communicates \(q \in o(n)\) bits to the ideal obfuscation and OT oracles.

Proof

In Lemma 1 we show an OT protocol with the above mentioned characteristics implies a non-trivial PIR. Let \(\textsf{SO}\) consist of an OT oracle [26] and an ideal obfuscation oracle [2, 31] for obfuscating circuits with OT/RO gates. (Such an \(\textsf{SO}\) oracle is simulatable.) By invoking Theorem 3 one gets a non-trivial PIR with oracle access to the random oracle and an PSPACE-complete oracle. This in turn can be transformed into an OT protocol (while retaining the \(\textsf{O}\) oracles) via [18]. The existence of such an object however was ruled out by [26].    \(\square \)

Back to the black-box setting, other illustrative examples include the use of GGMs for building non-trivial PIR.

Corollary 5

For any constants \(c < 1\), a non-trivial n-bit PIR protocol with server communication of cn, round complexity \(r\in o(n)\) and where the server makes sublinear in n many generic group queries requires MPC-hard assumptions, beyond the generic group.

Proof

In Theorem 3, if one instantiates \(\textsf{SO}\) by a generic group [38] and let the \(\textsf{O}\) oracle be empty, then one gets a non-trivial PIR without any oracle calls. This in turn can be transformed into an OT protocol without any oracles via [18]. OT is an MPC-complete protocol.    \(\square \)

The above corollary is almost tight as there exists GGM-based PIR protocols with a linear number of GGM queries.

Lemma 4

([19]). Based on the DDH assumption, there exists a non-trivial n-bit PIR protocol with server communication of \(O(\lambda )\) and with the sever making O(n) group operations.

Finally, we may derive a statement for FHE oracles.

Corollary 6

For any constants \(c < 1\), a non-trivial n-bit PIR protocol with server communication of cn, round complexity \(r\in o(n)\) where the server makes \(q\in o(n)\) black-box use of fully homomorphic encryptionFootnote 3 requires MPC-hard assumptions, even beyond the fully homomorphic encryption.

Proof

Let \(\textsf{SO}\) be an FHE oracle [23] (defined similarly to a generic PKE oracle of [26]). Let the O oracle be empty. Invoking Theorem 3 one gets a non-trivial PIR without any oracle calls. This in turn can be transformed into an OT protocol without oracles via [18]. OT is an MPC-complete protocol.    \(\square \)

7 Communication Lower-Bounds for OT Extension

Theorem 3 provides lower-bounds on the computational complexity of PIR protocols. In this section, we show that these computational lower-bounds give rise to communication lower-bounds for OT extension (i.e., the number of bits that an extended OT sender needs to communicate). The result of this section implies that the communication complexity of the sender in the IKNP OT extension protocol [29] is close to optimal.

Corollary 7

(OT Extension: Sender Communication Lower-Bound). For any constants \(c < 1\), there exist no \(\ell \)-batch k-bit OT extension protocol with sender communication \(\eta <c2k \ell \), round complexity \(r\in o(k \ell )\), and with the sender making \(q\in o(k \ell )\) OT calls.

Proof

OT extension is just an OT protocol that makes use of only a black-box OT and a random oracle. An \(\ell \)-batch k-bit OT naturally gives rise to a \(k \ell \)-bit string OT. In Lemma 1 we show that such an OT protocol implies a non-trivial PIR for databases of \(2 \ell k\) bits. Under the resulting PIR protocol, the server communication is \(\eta < c2k\ell \), round complexity \(r\in o(k\ell )\), and the server communicates a total of \( o(k\ell )\) bits with the OT oracle. Invoking Theorem 3, by instantiating \(\textsf{SO}\) with a generic OT oracle [26] and \(\textsf{O}\) with the random oracle [6] and by also including a PSPACE-complete oracle, we get a non-trivial PIR with oracle access to the random oracle and a PSPACE-complete oracle. This in turn can be transformed into an OT protocol (while retaining the \(\textsf{O}\) oracles) via [18]. The existence of such an object however was ruled out by [26].    \(\square \)

Corollary 8

(OT Extension: Total Communication Lower-Bound ). For any constants \(c < 1\), there exist no \(\ell \)-batch k-bit OT extension protocol with total communication \(\eta < \frac{3}{2} c (\ell +k \ell )\), round complexity \(r\in o(k \ell )\), and with the sender making \(q\in o(k \ell )\) OT calls.

Proof

Follows from Lemma 2 and Corollary 7.    \(\square \)