International Symposium on Information Theory and its Applications, ISITA2008, Auckland, New Zealand, 7-10 December 2008

A Note on the Error of Optimized LFC Private Information Retrieval Scheme

Jin Tamura†, Kazukuni Kobara‡, Ryo Nojima†, Hideki Imai‡ and Helger Lipmaa††

† National Institute of Information and Communications Technology, Japan. E-mail: [email protected], [email protected]
‡ National Institute of Advanced Industrial Science and Technology, Japan. E-mail: [email protected], [email protected]
†† Information Security Research Division of Cybernetica AS, Estonia. E-mail: [email protected]

Abstract

A number of low communication-cost Private Information Retrieval (PIR) schemes have been proposed in recent years. In JWIS2006, Kwon et al. proposed a new scheme (optimized LFCPIR, or OLFCPIR), which aimed at reducing the communication cost of Lipmaa's $O(\log^2 n)$ PIR (LFCPIR) to $O(\log n)$. However, in this paper we demonstrate that OLFCPIR contains a fatal overflow error, and show that it does not function as a PIR scheme.

1. Introduction

Nowadays, a large amount of data is computerized and processing efficiency has also improved. However, such computerization carries with it a huge risk of leakage of personal or private information (for example, leakage of information related to patents). A private information retrieval (PIR) protocol allows a chooser to retrieve an item from a server holding a database without revealing the identity of that item. The first single-database computational PIR (CPIR) scheme to achieve communication complexity less than $n$ was developed in 1997 by Kushilevitz and Ostrovsky [8]; it achieved communication complexity $O(n^{1/2})$, where $n$ is the number of bits in the database. In 2004, Lipmaa [9] (Length-Flexible CPIR, in short LFCPIR) achieved log-squared communication complexity.
The security of LFCPIR is based on the semantic security of the Damgård-Jurik cryptosystem, which is a length-flexible additively homomorphic cryptosystem. In 2006, Kwon et al. proposed a new scheme (optimized LFCPIR, or OLFCPIR), which aimed at reducing the communication cost of Lipmaa's $O(\log^2 n)$ LFCPIR to $O(\log n)$ [7]. In LFCPIR, a chooser has to expand his query, which consists of encryptions of 0 and 1, and this depends on the dimension of the database; in OLFCPIR, on the other hand, the chooser does not have to expand the query (ciphertext). Instead, the database expands the ciphertext offline by means of their original mapping. However, we must mention that OLFCPIR suffers from an overflow when their original map (the "ι map", see section 3) is used; in this paper we show that, as a consequence, it does not function as a PIR. The history of PIR research and the position of our note can be seen in figure 1.

Figure 1: The history of Private Information Retrieval (R: protocol rounds, DB: databases)
- [4] CGKS95: information-theoretic PIR (IPIR), 2 DB, $O(n^{1/3})$; with 1 DB, IPIR needs communication $\ge n$
- [1] Amb96: $k$ DB, $O(n^{1/(2k-1)})$
- [3] CG97: $k$ DB, the first computational PIR (CPIR)
- [8] KO97: 1R 1DB CPIR, $O(n^{1/2})$
- [5] CMS99: 1R 1DB CPIR, $O(\mathrm{poly}(\log n))$
- [10] Pai99: Paillier public-key cryptosystem (homomorphic)
- [2] BIKR02: $k$ DB, $O(n^{\log\log k/(k\log k)})$
- [6] DJ03: length-flexible public-key cryptosystem (homomorphic)
- [9] Lip05: LFCPIR over a hyperrectangle database (1R 1DB, $O(\log^2 n)$)
- [7] KL06: optimized LFCPIR (1R 1DB, $O(\log n)$)
- This paper: we show the fatal error of OLFCPIR

This paper is divided into the following sections: in section 2, we describe the details of LFCPIR [9]; in section 3, we describe the details of OLFCPIR [7] and point out its drawback. Finally, we present the conclusions in section 4.

This research was partially supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Young Scientists, 19860094, 2008.
2. LFCPIR

2.1. DJ Cryptosystem

In order to describe Lipmaa's CPIR protocol LFCPIR, we review Damgård-Jurik public key encryption with some fixed parameters (for simplicity) [6]. Let a $k$-bit integer $m = pq$ be a public key for odd primes $p$ and $q$. For a positive integer $s$, the encryption is defined as follows:

$E^s_m : \mathbb{Z}_{m^s} \times \mathbb{Z}^*_{m^{s+1}} \to \mathbb{Z}^*_{m^{s+1}}$, $(M, r) \mapsto (1+m)^M r^{m^s} \bmod m^{s+1}$,

where $M$ is a plaintext and $r$ is a random element. Thus the encryption algorithm probabilistically maps $sk$-bit plaintexts to $(s+1)k$-bit ciphertexts, where $k = \log m$. For simplicity, we sometimes omit the random parameter $r$ and write $E^s_m(M, r) = E^s_m(M)$. The Damgård-Jurik encryption has the following properties:

1. $E^s_m(M_1)\, E^s_m(M_2) = E^s_m(M_1 + M_2)$
2. $E^{s+1}_m(M_1)^{E^s_m(M_2)} = E^{s+1}_m(M_1 \cdot E^s_m(M_2))$

Database and Hyperrectangle

Another way to build LFCPIR is by using a different arrangement of the database. For a fixed $\alpha$, the database $DB = (u[1], \dots, u[n])$ is arranged as an $\alpha$-dimensional $\lambda_1 \times \dots \times \lambda_\alpha$ hyperrectangle, where $\lambda_j$, $j = 1, \dots, \alpha$, are positive integers such that $n = \prod_{j=1}^{\alpha} \lambda_j$. We index every element $u[i]$ of the database by its coordinates $(i_1, \dots, i_\alpha) \in \prod_{j=1}^{\alpha} \mathbb{Z}_{\lambda_j}$ in this hyperrectangle. Thus we denote

$u(i_1, \dots, i_\alpha) := u[\, i_1 \prod_{j=2}^{\alpha} \lambda_j + i_2 \prod_{j=3}^{\alpha} \lambda_j + \dots + i_{\alpha-1} \lambda_\alpha + i_\alpha + 1 \,]$ for $(i_1, \dots, i_\alpha) \in \prod_{j=1}^{\alpha} \mathbb{Z}_{\lambda_j}$.

2.2. LFCPIR Protocol

Now we give a general description of LFCPIR for $s = \lceil l/k \rceil$, where $k$ is the security parameter.

【Step 0: Parameters' Setup】
・Public parameters: database size $n$, dimension $\alpha$; Chooser's public key $m = pq$
・Private input parameters: Chooser: secret key $\Lambda = \mathrm{LCM}(p-1, q-1)$ and the requested data coordinate $u = (u_1, \dots, u_\alpha)$; Sender: database data $X$
・Private output parameter: Chooser's retrieved data $x(u_1, \dots, u_\alpha) \in X$
・Functions: DJ encrypt function $E(x)$, DJ decrypt function $D(x)$

begin
【Step 1: Chooser Query $Q(u)$】
For $j = 1$ to $\alpha$ do:
  For $t = 1$ to $\lambda_j$ do:
    Generate a random $r_{jt}$
    If $u_j = t$ then set $b_{jt} \leftarrow 1$ else set $b_{jt} \leftarrow 0$
    Set $\beta_{jt} \leftarrow E^{s+j-1}_m(b_{jt}, r_{jt})$
Send $Q(u) = (\beta_{jt})_{j \in [\alpha],\, t \in \mathbb{Z}_{\lambda_j}}$

【Step 2: Sender Answer $A(x_u)$】
For $j = 1$ to $\alpha$ do:
  For $i_{j+1} \leftarrow 0$ to $\lambda_{j+1}-1$, $i_{j+2} \leftarrow 0$ to $\lambda_{j+2}-1$, $\dots$, $i_\alpha \leftarrow 0$ to $\lambda_\alpha - 1$ do:
    Set $x_j(i_{j+1}, \dots, i_\alpha) \leftarrow \prod_{t \in \mathbb{Z}_{\lambda_j}} \beta_{jt}^{\,x_{j-1}(t-1,\, i_{j+1}, \dots, i_\alpha)}$
    (with $x_0(i_1, \dots, i_\alpha) = x(i_1, \dots, i_\alpha)$, the database entry)
Send $A(x_u) = x_\alpha$

【Step 3: Chooser Retrieval $x(u_1, \dots, u_\alpha)$】
For $j \leftarrow \alpha$ down to 1 do:
  Set $x'_{j-1} \leftarrow D^{s+j-1}_{(p,q)}(x'_j)$ (with $x'_\alpha = x_\alpha$)
Output $x(u_1, \dots, u_\alpha) = x'_0$
end

We illustrate the generic idea of the protocol by an example using $\alpha = 2$, $\lambda_1 = \lambda_2 = 4$. Here the database is a $4 \times 4$ rectangle and we denote its $(i, j)$-th element, of $sk$ bits, by $x(i, j)$. Assume that a chooser wants to know $u = x(2, 3)$ privately. Then the protocol proceeds as follows:

【Step 1】 Chooser computes
$\beta_{11} = E^s_m(0)$, $\beta_{12} = E^s_m(0)$, $\beta_{13} = E^s_m(1)$, $\beta_{14} = E^s_m(0)$,
$\beta_{21} = E^{s+1}_m(0)$, $\beta_{22} = E^{s+1}_m(1)$, $\beta_{23} = E^{s+1}_m(0)$, $\beta_{24} = E^{s+1}_m(0)$,
and sends them to Sender.

【Step 2】 Sender computes
$\omega_{1j} = \prod_{i=1}^{4} \beta_{1i}^{\,x(j,i)} = E^s_m(x(j, 3))$ for each $j = 1, \dots, 4$, and
$\omega_2 = \prod_{j=1}^{4} \beta_{2j}^{\,\omega_{1j}} = E^{s+1}_m(E^s_m(x(2, 3)))$,
and then sends $\omega_2$ to Chooser.

【Step 3】 Chooser recovers $x(2, 3)$ by decrypting $\omega_2$ twice.

3. OLFCPIR

3.1. ι Map

In the LFCPIR protocol, $\beta_{jt}$ is given by $E^{s+j-1}_m(b_{jt}, r_{jt})$, where the ciphertext is $(s+j)k$ bits in size and $b_{jt}$ is either 0 or 1. Kwon et al. introduced the following map to replace the encryptions of various sizes by encryptions of a constant, smaller size:

$\iota^{s+t}_s : \mathbb{Z}^*_{m^{s+1}} \to \mathbb{Z}^*_{m^{s+t+1}}$, $x \bmod m^{s+1} \mapsto x^{m^t} \bmod m^{s+t+1}$.

The ι map is well defined, and
$\iota^{s+t}_s(E^s_m(0, r)) = E^{s+t}_m(0, r')$,
$\iota^{s+t}_s(E^s_m(1, r)) = E^{s+t}_m(m^t, r')$
for any $r' \in \mathbb{Z}^*_{m^{s+t+1}}$ such that $r = r' \bmod m^{s+1}$.

3.2. OLFCPIR Protocol

The general OLFCPIR is described as follows:

【Step 0: Parameters' Setup】
・Public parameters: database size $n$, dimension $\alpha$; Chooser's public key $m = pq$
・Private input parameters: Chooser: secret key $\Lambda = \mathrm{LCM}(p-1, q-1)$ and the requested data coordinate $u = (u_1, \dots, u_\alpha)$; Sender: database data $X$
・Private output parameter: Chooser's retrieved data $x(u_1, \dots, u_\alpha) \in X$
・Functions: DJ encrypt function $E(x)$, DJ decrypt function $D(x)$

begin
【Step 1: Chooser Query $Q(u)$】
For $j = 1$ to $\alpha$ do:
  For $t = 1$ to $\lambda_j$ do:
    Generate a random $r_{jt}$
    If $u_j = t$ then set $b_{jt} \leftarrow 1$ else set $b_{jt} \leftarrow 0$
    Set $\beta_{jt} \leftarrow E^s_m(b_{jt}, r_{jt})$
Send $Q(u) = (\beta_{jt})_{j \in [\alpha],\, t \in \mathbb{Z}_{\lambda_j}}$

【Step 2: Sender Answer $A(x_u)$】
For $j = 1$ to $\alpha$ do:
  For $i_{j+1} \leftarrow 0$ to $\lambda_{j+1}-1$, $i_{j+2} \leftarrow 0$ to $\lambda_{j+2}-1$, $\dots$, $i_\alpha \leftarrow 0$ to $\lambda_\alpha - 1$ do:
    Set $x_j(i_{j+1}, \dots, i_\alpha) \leftarrow \prod_{t \in \mathbb{Z}_{\lambda_j}} \big(\iota^{s+j-1}_s(\beta_{jt})\big)^{x_{j-1}(t-1,\, i_{j+1}, \dots, i_\alpha)} \bmod m^{s+j}$
Send $A(x_u) = x_\alpha$

【Step 3: Chooser Retrieval $x(u_1, \dots, u_\alpha)$】
Set $x'_{\alpha-1} \leftarrow D^{s+\alpha-1}_{(p,q)}(x_\alpha)$
For $j \leftarrow \alpha - 1$ down to 1 do:
  Set $x'_{j-1} \leftarrow D^{s+j-1}_{(p,q)}(x'_j / m^j)$
Output $x(u_1, \dots, u_\alpha) = x'_0$
end

3.3. The Error

When we multiply out the answer $A(x_u) = x_\alpha$, which is generated by the repeated ι mappings in Step 2, we get

$x_\alpha = E^{s+\alpha-1}_m\big(m^{\alpha-1} \cdot E^{s+\alpha-2}_m(\cdots m^2 \cdot E^{s+1}_m(m \cdot E^s_m(x(u_1, \dots, u_\alpha))) \cdots)\big).$

That is, it consists of nested encryptions of the form $E^{s+j-1}_m(m^{j-1} \cdot E^{s+j-2}_m(C))$. Note that the plaintext domain of $E^{s+j-1}_m$ and the ciphertext codomain of $E^{s+j-2}_m$ are both taken mod $m^{s+j-1}$.
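The following is an added, stand-alone example written for this note; it is not the code of Lipmaa or of Kwon et al. It implements a toy Damgård-Jurik cryptosystem, the two-dimensional LFCPIR run of section 2.2, and the same run under OLFCPIR with the ι map of section 3.1, so that the overflow described above can be observed directly. It assumes toy primes $p = 11$, $q = 13$ (so $m = 143$), $s = 2$, a constructed $4 \times 4$ database with $x(i, j) = 1000\,i + j$, and follows the index order of the $4 \times 4$ example (the first query level selects the column, the second the row). Decryption recovers the discrete logarithm of $(1+m)$ one base-$m$ digit at a time instead of using the recursive formula of [6]; both yield the same plaintext.

```python
"""Toy Damgaard-Jurik (DJ) cryptosystem plus the two-dimensional LFCPIR and
OLFCPIR runs of the paper's 4 x 4 example (alpha = 2, chooser wants x(2, 3)).
Added example, not the authors' code.  Assumptions: toy primes p = 11, q = 13
(m = 143), s = 2, and a constructed database x(i, j) = 1000*i + j.  A real
deployment needs a 1024-bit-plus m; the arithmetic is otherwise identical."""
import random
from math import gcd

P, Q = 11, 13                                   # toy primes (assumption)
M = P * Q                                       # DJ public key m = pq
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)    # secret key Lambda = lcm(p-1, q-1)

def dj_encrypt(msg, s, rng):
    """E^s_m(msg, r) = (1+m)^msg * r^(m^s) mod m^(s+1), with msg in Z_{m^s}."""
    n = M ** (s + 1)
    assert 0 <= msg < M ** s, "plaintext must fit in s base-m digits"
    r = rng.randrange(1, n)
    while gcd(r, M) != 1:
        r = rng.randrange(1, n)
    return pow(1 + M, msg, n) * pow(r, M ** s, n) % n

def dlog_1_plus_m(a, s):
    """Return x in Z_{m^s} with (1+m)^x = a mod m^(s+1), one base-m digit at a
    time, using (1+m)^(m^k) = 1 + m^(k+1) (mod m^(k+2)) for odd m."""
    n, x = M ** (s + 1), 0
    for k in range(s):
        a_k = a * pow(1 + M, -x, n) % n          # = (1+m)^(m^k * z), z = digits left
        x += ((a_k % M ** (k + 2) - 1) // M ** (k + 1) % M) * M ** k
    return x

def dj_decrypt(c, s):
    """c^Lambda = (1+m)^(msg*Lambda) mod m^(s+1), since r^(m^s * Lambda) = 1."""
    n = M ** (s + 1)
    x = dlog_1_plus_m(pow(c, LAM, n), s)         # msg * Lambda mod m^s
    return x * pow(LAM, -1, M ** s) % M ** s

def iota(c, s, t):
    """Kwon-Lee map iota_s^{s+t}: c mod m^(s+1) -> c^(m^t) mod m^(s+t+1).
    It sends E^s(0) to E^{s+t}(0) and E^s(1) to E^{s+t}(m^t)."""
    return pow(c, M ** t, M ** (s + t + 1))

def dj_roundtrip(msg, s, seed=0):
    return dj_decrypt(dj_encrypt(msg, s, random.Random(seed)), s)

def iota_plaintext(s, t, seed=0):
    """Plaintext of iota_s^{s+t}(E^s(1)) when decrypted at level s+t."""
    return dj_decrypt(iota(dj_encrypt(1, s, random.Random(seed)), s, t), s + t)

# Constructed 4 x 4 database, x(i, j) = 1000*i + j, so x(2, 3) = 2003 (s = 2).
DB = [[1000 * i + j for j in range(1, 5)] for i in range(1, 5)]

def chooser_query(u_row, u_col, s, rng, optimized):
    """Step 1: beta_1i selects column u_col, beta_2j selects row u_row.
    LFCPIR encrypts the second level at s+1; OLFCPIR keeps every beta at level s."""
    beta1 = [dj_encrypt(int(i == u_col), s, rng) for i in range(1, 5)]
    lvl2 = s if optimized else s + 1
    beta2 = [dj_encrypt(int(j == u_row), lvl2, rng) for j in range(1, 5)]
    return beta1, beta2

def sender_answer(db, beta1, beta2, s, optimized):
    """Step 2: omega_1j = prod_i beta_1i^x(j,i) = E^s(x(j, u_col)) mod m^(s+1);
    omega_2 = prod_j B_j^omega_1j mod m^(s+2), where B_j is beta_2j (LFCPIR)
    or iota_s^{s+1}(beta_2j) (OLFCPIR)."""
    n1, n2 = M ** (s + 1), M ** (s + 2)
    omega1 = []
    for row in db:
        w = 1
        for b, x in zip(beta1, row):
            w = w * pow(b, x, n1) % n1
        omega1.append(w)
    omega2 = 1
    for b, w in zip(beta2, omega1):
        omega2 = omega2 * pow(iota(b, s, 1) if optimized else b, w, n2) % n2
    return omega2

def chooser_retrieve(omega2, s, optimized):
    """Step 3: decrypt at level s+1, for OLFCPIR divide out the iota factor m
    (the paper's x'_0 = D^s(x'_1 / m)), then decrypt at level s."""
    inner = dj_decrypt(omega2, s + 1)
    if optimized:
        # inner = m * E^s(x) mod m^(s+1): the top digit of E^s(x) is already gone
        inner //= M
    return dj_decrypt(inner, s)

def run(db, u_row, u_col, s, seed, optimized):
    rng = random.Random(seed)
    beta1, beta2 = chooser_query(u_row, u_col, s, rng, optimized)
    answer = sender_answer(db, beta1, beta2, s, optimized)
    return chooser_retrieve(answer, s, optimized)

def olfcpir_failures(trials):
    """How many OLFCPIR runs (fresh randomness each) fail to return x(2, 3).
    A run succeeds only when the top digit of E^s(x(2, 3)) happens to be 0."""
    return sum(run(DB, 2, 3, 2, seed, True) != DB[1][2] for seed in range(trials))

if __name__ == "__main__":
    print("LFCPIR  retrieves", run(DB, 2, 3, 2, 0, False))
    print("OLFCPIR failures in 20 runs:", olfcpir_failures(20))
```

Running the file prints the LFCPIR result (2003) and the number of OLFCPIR runs out of 20 that return something else. An OLFCPIR run succeeds only when the top base-$m$ digit of $E^s_m(x(2,3))$ happens to be 0, which is exactly the $j-1 = 1$ digit that the reduction mod $m^{s+1}$ discards; with $m = 143$ that is about one run in $m$, and with a realistic 1024-bit $m$ it is essentially never.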
We now write $E^{s+j-2}_m(C)$ as the base-$m$ number $a_{s+j-2} a_{s+j-3} \cdots a_1 a_0$:

$E^{s+j-2}_m(C) \equiv a_{s+j-2} m^{s+j-2} + a_{s+j-3} m^{s+j-3} + \cdots + a_1 m + a_0 \pmod{m^{s+j-1}}.$

If we multiply both sides by $m^{j-1}$, the factor introduced by the ι map, we get

$m^{j-1} \cdot E^{s+j-2}_m(C) \equiv a_{s+j-2} m^{s+2j-3} + \cdots + a_{s-1} m^{s+j-2} + \cdots + a_1 m^j + a_0 m^{j-1}$
$\equiv a_{s-1} m^{s+j-2} + a_{s-2} m^{s+j-3} + \cdots + a_1 m^j + a_0 m^{j-1} \pmod{m^{s+j-1}},$

which, written again as a base-$m$ number, is $a_{s-1} \cdots a_1 a_0$ followed by $j-1$ zeros. Thus, as a result of the overflow, the lower $j-1$ digits of the plaintext of $E^{s+j-1}_m$ become 0, and the upper $j-1$ digits $a_{s+j-2}, \dots, a_s$ of $E^{s+j-2}_m(C)$ disappear. Consequently, the chooser cannot retrieve $x(u_1, \dots, u_\alpha)$ correctly even after decrypting the answer $A(x_u) = x_\alpha$. Therefore, the OLFCPIR protocol does not function as a PIR.

Here we illustrate the OLFCPIR protocol with an example in the same setting as in section 2.2 (i.e. $\alpha = 2$, $\lambda_1 = \lambda_2 = 4$, a $4 \times 4$ rectangle database, and the chooser wants to know $u = x(2, 3)$):

【Step 1】 Chooser computes
$\beta_{11} = E^s_m(0)$, $\beta_{12} = E^s_m(0)$, $\beta_{13} = E^s_m(1)$, $\beta_{14} = E^s_m(0)$,
$\beta_{21} = E^s_m(0)$, $\beta_{22} = E^s_m(1)$, $\beta_{23} = E^s_m(0)$, $\beta_{24} = E^s_m(0)$,
and sends them to Sender.

【Step 2】 Sender computes
$\omega_{1j} = \prod_{i=1}^{4} \beta_{1i}^{\,x(j,i)} = E^s_m(x(j, 3))$ for each $j = 1, \dots, 4$, and
$\omega_2 = \prod_{j=1}^{4} \big(\iota^{s+1}_s(\beta_{2j})\big)^{\omega_{1j}} = E^{s+1}_m(m \cdot E^s_m(x(2, 3))) \pmod{m^{s+2}}$,
and then sends $\omega_2$ to Chooser.

【Step 3】 Although the chooser decrypts $\omega_2$, he/she cannot obtain $m \cdot E^s_m(x(2, 3)) \bmod m^{s+2}$, but only $m \cdot E^s_m(x(2, 3)) \bmod m^{s+1}$; the top base-$m$ digit of $E^s_m(x(2, 3))$ is lost. Therefore the chooser fails to decrypt $(m \cdot E^s_m(x(2, 3)) \bmod m^{s+1}) / m$ and cannot recover $x(2, 3)$.

4. Conclusion

In this paper, we described the details of OLFCPIR, which aims to reduce the communication cost of Lipmaa's $O(\log^2 n)$ PIR (LFCPIR) to $O(\log n)$. We pointed out OLFCPIR's fatal overflow error, and showed that OLFCPIR does not function as a PIR scheme.

References

[1] A. Ambainis: Upper Bound on the Communication Complexity of Private Information Retrieval, Automata, Languages and Programming (ICALP), Vol. 1256 of LNCS, pp. 401–407, 1997.
[2] A. Beimel, Y. Ishai, E. Kushilevitz and J. Raymond: Breaking the O(n^{1/(2k−1)}) Barrier for Information-Theoretic Private Information Retrieval, 43rd IEEE Symposium on Foundations of Computer Science, 2002.
[3] B. Chor and N. Gilboa: Computationally Private Information Retrieval, ACM Symposium on Theory of Computing, pp. 303–313, 1997.
[4] B. Chor, O. Goldreich, E. Kushilevitz and M. Sudan: Private Information Retrieval, IEEE Symposium on Foundations of Computer Science, pp. 41–50, 1995.
[5] C. Cachin, S. Micali and M. Stadler: Computationally Private Information Retrieval with Polylogarithmic Communication, EUROCRYPT '99, pp. 402–414, 1999.
[6] I. Damgård and M. Jurik: A Length-Flexible Threshold Cryptosystem with Applications, The 8th Australasian Conference on Information Security and Privacy (ACISP), Vol. 2727 of LNCS, pp. 350–364, Wollongong, Australia, July 9-11, 2003.
[7] D. Kwon and J. Lee: An Efficient Computationally PIR Protocol with Log Communication, The 1st Joint Workshop on Information Security (JWIS), pp. 491–499, Seoul, Korea, September 20-21, 2006.
[8] E. Kushilevitz and R. Ostrovsky: Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval, 38th IEEE Symposium on Foundations of Computer Science, pp. 364–373, 1997.
[9] H. Lipmaa: An Oblivious Transfer Protocol with Log-Squared Communication, The 8th Information Security Conference (ISC), Vol. 3650 of LNCS, pp. 314–328, Singapore, September 20-23, 2005.
[10] P. Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Advances in Cryptology, EUROCRYPT '99, Vol. 1592 of LNCS, pp. 223–238, Prague, Czech Republic, May 2-6, 1999.