Random-Index PIR and Applications

Craig Gentry*, Shai Halevi, Bernardo Magri, Jesper Buus Nielsen, Sophia Yakoubov

*Corresponding author for this work

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

Abstract

Private information retrieval (PIR) lets a client retrieve an entry from a database without the server learning which entry was retrieved. Here we study a weaker variant that we call random-index PIR (RPIR), where the retrieved index is an output rather than an input of the protocol, and is chosen at random. RPIR is clearly weaker than PIR, but it suffices for some interesting applications and may be realized more efficiently than full-blown PIR. We report here on two lines of work, both tied to RPIR but otherwise largely unrelated. The first line of work studies RPIR as a primitive on its own. Perhaps surprisingly, we show that RPIR is in fact equivalent to PIR when there are no restrictions on the number of communication rounds. On the other hand, RPIR can be implemented in a “noninteractive” setting (with pre-processing), which is clearly impossible for PIR. For two-server RPIR we even show a truly noninteractive solution, offering information-theoretic security without any pre-processing. The other line of work, which was the original motivation for our work, uses RPIR to improve on the recent work of Benhamouda et al. (TCC’20) for maintaining secret values on public blockchains. Their solution depends on a method for selecting many random public keys from a PKI while hiding most of the selected keys from an adversary. However, the method they proposed is vulnerable to a double-dipping attack, limiting its resilience. Here we observe that a RPIR protocol, where the client is implemented via secure MPC, can eliminate that vulnerability. We thus get a secrets-on-blockchain protocol (and more generally large-scale MPC) which is resilient to any fraction f< 1 / 2 of corrupted parties, resolving the main open problem left from the work of Benhamouda et al. As the client in this solution is implemented via secure MPC, it really brings home the need to make it as efficient as possible. We thus strive to explore whatever efficiency gains we can get by using RPIR rather than PIR. We achieve more gains by using batch RPIR where multiple indexes are retrieved at once. Lastly, we observe that this application can make do with a weaker security guarantee than full RPIR, and show that this weaker variant can be realized even more efficiently. We discuss one protocol in particular that may be attractive for practical implementations.

Original languageEnglish
Title of host publicationTheory of Cryptography : 19th International Conference, TCC 2021, Proceedings
EditorsKobbi Nissim, Brent Waters
Number of pages30
PublisherSpringer
Publication date2021
Pages32-61
ISBN (Print)9783030904555
DOIs
Publication statusPublished - 2021
Event19th International Conference on Theory of Cryptography, TCC 2021 - Raleigh, United States
Duration: 8 Nov 202111 Nov 2021

Conference

Conference19th International Conference on Theory of Cryptography, TCC 2021
Country/TerritoryUnited States
CityRaleigh
Period08/11/202111/11/2021
SeriesLecture Notes in Computer Science
Volume13044
ISSN0302-9743

Keywords

  • Batch PIR
  • Large-scale MPC
  • Private information retrieval
  • Random ORAM
  • Random PIR
  • Secrets on blockchain

Fingerprint

Dive into the research topics of 'Random-Index PIR and Applications'. Together they form a unique fingerprint.

Cite this