Hintless Single-Server Private Information Retrieval

  • Conference paper
  • Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)

Abstract

We present two new constructions for private information retrieval (PIR) in the classical setting where the clients do not need to do any preprocessing or store any database-dependent information, and the server does not need to store any client-dependent information.

Our first construction (\({\textsf{Hintless}\textsf{PIR}}\)) eliminates the client preprocessing step from the recent LWE-based SimplePIR (Henzinger et al., USENIX Security 2023) by outsourcing the “hint”-related computation to the server, leveraging a new concept of homomorphic encryption with composable preprocessing. We realize this concept with RLWE encryption schemes, and by leveraging the composability of this technique we are able to preprocess almost all the expensive parts of the homomorphic computation and reuse them across multiple protocol executions. As a concrete application, we propose a highly efficient matrix-vector multiplication protocol that allows us to build \({\textsf{Hintless}\textsf{PIR}}\). For a database of size 8 GB, \({\textsf{Hintless}\textsf{PIR}}\) achieves throughput of about 6.37 GB/s without requiring transmission of any client or server state. We additionally formalize the matrix-vector multiplication protocol as a novel primitive that we call \(\textsf{LinPIR}\), which may be of independent interest.

In our second construction (\(\textsf{Tensor}\textsf{PIR}\)) we reduce the communication of \({\textsf{Hintless}\textsf{PIR}}\) from square root to cubic root in the database size. We show how to use RLWE encryption with preprocessing to outsource LWE decryption for ciphertexts generated by homomorphic multiplications. This allows the server to do more complex processing using a more compact query under LWE.

We implement and benchmark \({\textsf{Hintless}\textsf{PIR}}\) which achieves better concrete costs than \(\textsf{Tensor}\textsf{PIR}\) for a large set of databases of interest. We show that it improves the communication of recent preprocessing constructions when clients do not have large numbers of queries or the database updates frequently. The computation cost for removing the hint is small and decreases as the database becomes larger, and it is always more efficient than other constructions with client hints such as Spiral PIR (Menon and Wu, S&P 2022). In the setting of anonymous queries we also improve on Spiral’s communication.

M. Schultz-Wu—Work performed at Google.

Notes

  1. Without preprocessing.

  2. While in principle one can dynamically update the hint, this has many practical difficulties. We direct readers to the application of SimplePIR to Certificate Transparency Auditing [33, Section 7.2], where the SimplePIR authors preferred to have clients cache “stale” queries and periodically redownload the entire hint, rather than leverage their dynamic hint update mechanisms [33, Appendices C.3 and E.3].

  3. In particular, we are able to get considerable (though non-asymptotic) speedups in server processing time, which was our primary goal in this work. \({\textsf{NTTless}\textsf{PIR}}\) used in isolation significantly improves the server preprocessing of SimplePIR (and schemes that build on it) from \(O(mN)\) to \(O(m\log n)\), and is likely of independent interest in applications where minimizing this quantity is of primary importance.

  4. Our optimization is even compatible with a SimplePIR-type “hint” to reduce our per-query bandwidth. As it has a smaller impact (\(2\times \) reduction) in our setting than that of SimplePIR (\(2^{10}\times \) reduction), we instead omit it to achieve our goal of no database-dependent state on our clients.

  5. This is the idea at the basis of the “amortized LWE” cryptosystem of [43], as well as the property SimplePIR leverages to securely allow all clients to use the same hint.

  6. Of larger impact is that clients have to resample any encrypted key material they use. We minimize the use of such key material in our protocol to reduce this cost.

  7. There has been another recent practically fast single-server PIR scheme, namely Piano [52]. This scheme requires that the entire database be streamed to a memory-constrained client in a preprocessing step. As we are not modelling memory constraints on clients, in our setting this protocol is essentially equivalent to the trivial PIR scheme that transmits the whole database to the client in a preprocessing step, so we will not formally compare our work to theirs.

  8. In our current implementation, this constant factor is somewhat large—\(\approx 33\times \) larger. We discuss several optimizations that would reduce this to \(\approx 9\times \) larger in the full version, though they are not currently implemented.

  9. Its server preprocessing is identical to SimplePIR, so the gap between its cost and \({\textsf{Hintless}\textsf{PIR}}\)’s costs similarly vanishes as \(m\rightarrow \infty \).

  10. For this database size, Tiptoe PIR’s bandwidth is \(3\times \) larger than the trivial PIR scheme of transmitting the entire database. Our bandwidth is \(\approx 1/16\) of the cost of this trivial protocol.

  11. In general \(p\) can be a prime power, but in our application we only use the case where \(p\) is a prime number.

  12. For simplicity, we assume the number of rows of \(H\) is equal to the RLWE ring degree \(n\).

  13. We reassure the reader that this restriction on \(n_{\textsf{cols}}\) will be unimportant to our main application of this scheme, namely removing the hint from \({\textsf{LWE}\textsf{PIR}}\) in Sect. 5.

  14. https://github.com/google/hintless_pir.

  15. We set \(N\) higher than the value proposed in [33], according to the latest lattice attack estimates.

  16. https://www.speedtest.net/global-index/united-states.

  17. For Spiral, we could not find parameters that natively support this database in the public Spiral implementation, so we sharded the database into smaller ones and estimated Spiral’s performance when running sequentially on the sub-databases.

References

  1. Ahmad, I., Yang, Y., Agrawal, D., Abbadi, A.E., Gupta, T.: Addra: metadata-private voice communication over fully untrusted infrastructure. In: Brown, A.D., Lorch, J.R. (eds.) 15th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2021, 14–16 July 2021 (2021)

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015). http://www.degruyter.com/view/j/jmc.2015.9.issue-3/jmc-2015-0016/jmc-2015-0016.xml

  3. Ali, A., et al.: Communication-computation trade-offs in PIR. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021: 30th USENIX Security Symposium, pp. 1811–1828. USENIX Association, 11–13 August 2021

  4. Angel, S., Chen, H., Laine, K., Setty, S.: PIR with compressed queries and amortized query processing. In: 2018 IEEE Symposium on Security and Privacy (SP) (2018)

  5. Angel, S., Setty, S.: Unobservable communication over fully untrusted infrastructure. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2016) (2016)

  6. Apple: iCloud Private Relay overview (2021). https://www.apple.com/icloud/docs/iCloud_Private_Relay_Overview_Dec2021.pdf

  7. Artioli, S.: How practical is single-server private information retrieval? (2023). https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/Howpracticalissingleserverprivateinformationretrievalcorrected.pdf

  8. Backes, M., Kate, A., Maffei, M., Pecina, K.: ObliviAd: provably secure and practical online behavioral advertising. In: 2012 IEEE Symposium on Security and Privacy (2012)

  9. Beimel, A., Ishai, Y., Malkin, T.: Reducing the servers computation in private information retrieval: PIR with preprocessing. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 55–73. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_4

  10. blyss SDK for accessing data privately using homomorphic encryption (2023). https://github.com/blyssprivacy/sdk

  11. Borisov, N., Danezis, G., Goldberg, I.: DP5: a private presence service. Proc. Priv. Enhancing Technol. (2015)

  12. Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing: improvements and extensions. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016 (2016)

  13. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_28

  14. Chen, H., Chillotti, I., Ren, L.: Onion ring ORAM: efficient constant bandwidth oblivious RAM from (leveled) TFHE. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019: 26th Conference on Computer and Communications Security, London, UK, 11–15 November 2019, pp. 345–360. ACM Press (2019). https://doi.org/10.1145/3319535.3354226

  15. Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th Annual Symposium on Foundations of Computer Science, Milwaukee, Wisconsin, USA, 23–25 October 1995 (1995)

  16. Corrigan-Gibbs, H., Henzinger, A., Kogan, D.: Single-server private information retrieval with sublinear amortized time. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 3–33. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_1

  17. Corrigan-Gibbs, H., Kogan, D.: Private information retrieval with sublinear online time. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 44–75. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45721-1_3

  18. Davidson, A., Pestana, G., Celi, S.: FrodoPIR: simple, scalable, single-server private information retrieval. Proc. Priv. Enhanc. Technol. 2023(1), 365–383 (2023). https://doi.org/10.56553/popets-2023-0022

  19. Davidson, A., Pestana, G., Celi, S.: FrodoPIR: simple, scalable, single-server private information retrieval. Cryptology ePrint Archive, Paper 2022/981 (2022). https://eprint.iacr.org/2022/981

  20. Devet, C., Goldberg, I., Heninger, N.: Optimally robust private information retrieval. In: Kohno, T. (ed.) Proceedings of the 21st USENIX Security Symposium, Bellevue, WA, USA, 8–10 August 2012. USENIX Association (2012)

  21. Dvir, Z., Gopi, S.: 2-server PIR with subpolynomial communication. J. ACM (JACM) 63(4), 1–15 (2016)

  22. Genise, N., Micciancio, D., Polyakov, Y.: Building an efficient lattice gadget toolkit: subgaussian sampling and more. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 655–684. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17656-3_23

  23. Gentry, C., Halevi, S.: Compressible FHE with applications to PIR. In: Theory of Cryptography: 17th International Conference, TCC 2019 (2019)

  24. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

  25. Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Proceedings of the 32nd International Conference on Automata, Languages and Programming, ICALP 2005, pp. 803–815 (2005)

  26. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  27. Google: VPN by Google One. https://one.google.com/about/vpn

  28. Google: Privacy sandbox IP protection proposal (2023). https://developer.chrome.com/en/docs/privacy-sandbox/ip-protection/

  29. Green, M., Ladd, W., Miers, I.: A protocol for privately reporting ad impressions at scale. In: CCS 2016 (2016)

  30. Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_31

  31. Henry, R.: Polynomial batch codes for efficient IT-PIR. Proc. Priv. Enhancing Technol. 2016(4), 202–218 (2016)

  32. Henzinger, A., Dauterman, E., Corrigan-Gibbs, H., Zeldovich, N.: Private web search with Tiptoe. In: Proceedings of the 29th ACM Symposium on Operating Systems Principles (2023)

  33. Henzinger, A., Hong, M.M., Corrigan-Gibbs, H., Meiklejohn, S., Vaikuntanathan, V.: One server for the price of two: simple and fast single-server private information retrieval. In: Calandrino, J.A., Troncoso, C. (eds.) 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, 9–11 August 2023 (2023)

  34. Kogan, D., Corrigan-Gibbs, H.: Private blocklist lookups with checklist. In: 30th USENIX Security Symposium (USENIX Security 2021) (2021)

  35. Kushilevitz, E., Ostrovsky, R.: Replication is NOT needed: SINGLE database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, Florida, USA, 19–22 October 1997 (1997)

  36. Lazzaretti, A., Papamanthou, C.: TreePIR: sublinear-time and polylog-bandwidth private information retrieval from DDH. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023, Part II. LNCS, vol. 14082, pp. 284–314. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_10

  37. Lin, W., Mook, E., Wichs, D.: Doubly efficient private information retrieval and fully homomorphic RAM computation from ring LWE. In: Saha, B., Servedio, R.A. (eds.) Proceedings of the 55th Annual ACM Symposium on Theory of Computing, STOC 2023, Orlando, FL, USA, 20–23 June 2023

  38. Melchor, C.A., Barrier, J., Fousse, L., Killijian, M.: XPIR: private information retrieval for everyone. Proc. Priv. Enhanc. Technol. (2016)

  39. Menon, S.J., Wu, D.J.: SPIRAL: fast, high-rate single-server PIR via FHE composition. In: 2022 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 22–26 May 2022, pp. 930–947. IEEE Computer Society Press (2022). https://doi.org/10.1109/SP46214.2022.9833700

  40. Mittal, P., Olumofin, F., Troncoso, C., Borisov, N., Goldberg, I.: PIR-Tor: scalable anonymous communication using private information retrieval. In: 20th USENIX Security Symposium (USENIX Security 2011) (2011)

  41. Mughees, M.H., Chen, H., Ren, L.: OnionPIR: response efficient single-server PIR. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021 (2021)

  42. Patel, S., Persiano, G., Yeo, K.: Private stateful information retrieval. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018 (2018)

  43. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31

  44. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008, pp. 187–196. ACM Press (2008). https://doi.org/10.1145/1374376.1374406

  45. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603

  46. The reference implementation of SimplePIR and DoublePIR (2023). https://github.com/ahenzinger/simplepir

  47. Thomas, K., et al.: Protecting accounts from credential stuffing with password breach alerting. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, 14–16 August 2019 (2019)

  48. Tiptoe’s linearly homomorphic encryption scheme (2023). https://github.com/ahenzinger/underhood

  49. Tor: The tor project. https://www.torproject.org/

  50. Vershynin, R.: High-Dimensional Probability: An Introduction with Applications in Data Science, vol. 47. Cambridge University Press, Cambridge (2018)

  51. Yeo, K.: Lower bounds for (batch) PIR with private preprocessing. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part I. LNCS, vol. 14004, pp. 518–550. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30545-0_18

  52. Zhou, M., Park, A., Zheng, W., Shi, E.: Piano: extremely simple, single-server PIR with sublinear server computation. In: 2024 IEEE Symposium on Security and Privacy (SP), Los Alamitos, CA, USA, p. 55. IEEE Computer Society, May 2024. https://doi.org/10.1109/SP54263.2024.00055

Author information

Corresponding author: Baiyu Li.

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Li, B., Micciancio, D., Raykova, M., Schultz-Wu, M. (2024). Hintless Single-Server Private Information Retrieval. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14928. Springer, Cham. https://doi.org/10.1007/978-3-031-68400-5_6

  • DOI: https://doi.org/10.1007/978-3-031-68400-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-68399-2

  • Online ISBN: 978-3-031-68400-5

  • eBook Packages: Computer Science (R0)