Public Key Encryption That Allows PIR Queries

Dan Boneh, Eyal Kushilevitz, Rafail Ostrovsky,

William E. Skeith IIIPresenter: 紀汶承

Outline

Introduction Tools Definition Main Construction

Introduction Tools Definition Main Construction

PIR(Private Information Retrieval)

允許 user 從擁有 database 的 server 中取回資料 (item) ，但不洩漏取回的是什麼資料。

PIR solutions 藉由 address ，從 database 中，取回一

個 ( 明文 或 加密過 ) 的 record 。 靠關鍵字搜尋一個未加密的資料 (data)

Introduction Tools Definition Main Construction

Bloom filter

觀念 : Hash function: suppose A array: such that

and such that Note that ,then

kiih 1}{ ][}1,0{: * mhi

*1 }1,0{}{

liiaS

miitT 1}{ ][1 kjt i

][' lj iah jj )( '

Sa ][,1)( kit ahi

Bloom filter(cont.)Input a to hi, i: 1~k

0

1

1

1

0

h1 h2 hk T

H1(a)

H2(a)

Hk(a)

If

then

][,1)( kit ahi

Sa

驗證 :

Bloom filter(cont.)

儲存什麼 ? 不只是單單儲存 element ，改儲存 : 表示與 elements 的關係 ( 表達 element

所存放的位址 ) 現今儲存 (a,v), , where

v 被加入 for all If a S,∈

Vv

*}1,0{a mjjB 1}{ VB j

)(ahiB ][ki

)(][ ahki iBv

Bloom filter(cont.)

v1

v1

v1

v1,v2

v1

v2,v3

v1,v2,v3

v3

Insert: (a1,v1) Insert: (a2,v2)

H1(a1)

H2(a1)

Hk(a1)

B1

B2

B3

B4

Bm

)1(][ ahki iBv

{v1,v2}

{v1}

{v1,v2,v3}

∩

∩

∩

={v1}

Modifying Encrypted Data in a Communication Efficient Way

Based on group homomorphic encryption with communication O(√n).

Technique : : database (not encrypted) (i*,j*): the position of particular element α: the value we want to add. v , w: two vector of length √n where

Here δkl = 1 when k=l and 0 otherwise Then

njiijx 1,}{

*iivi *jjjw

otherwise

jjiiifwv ji

0

)( **

Modifying Encrypted Data in a Communication Efficient Way (cont.)

Parameters: (K, , D): a CPA-secure public-key encry

ption : an array of ciphertexts which i

s held by a party S. Define F(X, Y, Z)=X+YZ. By our assumpti

on, there exists some such that

nlll xc 1)}({

F~

),,()))(),(),((~

( zyxFzyxFD

Modifying Encrypted Data in a Communication Efficient Way (cont.)

Protocol: ModifyU,S(l, α) where l and α are private input to U.1. U compute i*, j* as the coordinates of l (i.e., i* and

j* are quotient and remainder of l/n, respectively)

2. U sends to S where all values are encrypted under Apublic.

3. S computes for all , and replaces each cij with the corresponding resulting ciphertext.

nii iiv 1

* )}({ nij jjw 1

* )}({

),,(~

jiij wvcF ][, nji

每一次修改都對所有的 Cij 作修改，因此，可以簡易看出保有私密性

Introduction Tools Definition Main Construction

Definition

參數 : X: message sending parties. Y: message receiving party. S: server/storage provider

定義 : KeyGen(1S): 產生公密鑰對 SendX,S(M, K, Apublic) RetrieveY,S(w, Aprivate)

Introduction Tools Definition Main Construction

Main Construction

S maintains in its storage space encryptions of the buffers, denote these encryptions

For , we defined KeyGen(k) :Run K(1s), generate Apublic

and Aprivate.

mjjB 1}{

*}1,0{w ]}[|)({ kiwhH iw

SendX,S(M, K, Apublic)

Sender Server/Storage

Bloom filter buffer

ε(M)

ρ

γcopies of the address ρ

ρ

ρε(M) M + K

mjjB 1}{

ρ

Message buffer

ρ

ρρ

wKw Hj

RetrieveY,S(w, Aprivate)

Receiver

mjjB 1}{

Bloom filter buffer

Message buffer

Server/Storage

PIR query

wHjjB }ˆ{

PIR query, L

ε(M)

wHjjB }ˆ{解密

jHj BLw m

jjB 1}{

))(()( MDM privateA 解密

wHjjB }{