Usable PIR. Network Security and Applied. Cryptography Laboratory.

Transcription

1 Network Security and Applied Cryptography Laboratory Usable PIR NDSS '08, San Diego, CA Peter Williams Radu Sion ver. 2.1 (02/11/2008) All Rights Reserved.

2 Overview: PIR 2

3 Types of PIR Trivial - Download entire database Pretty good PIR Information Theoretic PIR Multiple non-colluding servers Single Server Computational PIR Secure hardware 3

4 Past: cpir is impractical Sion & NDSS

5 Future: cpir is impractical The wizard predicts (logarithmic) Sion & NDSS

6 Oblivious RAM Read Access Pattern Privacy Protocol Write CPU Data Block Encrypted Data Block Outsourced Data RAM 6

7 Can we use ORAM? Main Idea: ORAM + Trusted Party = PIR Client A PIR ORAM Data Remote Un-trusted Server Client B Trusted Party Client C Make this practical! Asonov, Smith and others 7

8 ORAM Overview Query Data Item Fake bucket filler Level 0: 1 bucket Level 1: 4 buckets Level 2: 16 buckets Level i: 4 i buckets ORAM: Ostrovsky,

9 ORAM: Level full? Data Item Fake bucket filler ORAM: Ostrovsky,

10 ORAM: How to re-shuffle? sorting network ORAM: Ostrovsky, b

11 Re-shuffle: faster? all levels n items total Level i: 4 i buckets x log(n) blocks all levels Level i: 4 i buckets x log(n) blocks Buffer: 4 i items un-trusted server Removing Oblivious Adding Fakes Buffer: c n items Fakes Merge Sort ORAM client 11

12 Remove fakes obliviously Discard fakes without revealing their locations But: how big of a buffer do we need? Untrusted Server Large remote buffer (no privacy) Client Encrypt items Download Bucket Discard Fakes Small local buffer (read / write privacy) 12

13 Re-shuffle: merge sort all levels n items total Level i: 4 i buckets x log(n) blocks all levels Level i: 4 i buckets x log(n) blocks Buffer: 4 i items un-trusted server Removing Oblivious Adding Fakes Buffer: c n items Fakes Merge Sort ORAM client 13

14 Merge sort on random keys input: items, no more fakes output: sorted on crypto hash 14

15 Sort obliviously Idea: Buffer reads to hide the permutation Key: Cursors remain close, since keys random Arrays to sort remote - no read privacy small buffer local - read privacy real-time buffer sizes Output: 15

16 Re-shuffle: add new fakes all levels n items total Level i: 4 i buckets x log(n) blocks all levels Level i: 4 i buckets x log(n) blocks Buffer: 4 i items un-trusted server Removing Oblivious Adding Fakes Buffer: c n items Fakes Merge Sort ORAM client 16

17 Add new fakes obliviously Large remote buffer, sorted by bucket (no privacy) Untrusted Server Client Small local buffer Divide into (read / write privacy) buckets Add Fakes & Re-encrypt 17

18 Costs Database size n consists of log(n) levels Level i is reshuffled once every 4 i accesses Reshuffle of i costs O 4 i log4 i Amortized cost per query for reshuffling: log i= ( i i 4 log4 ) ( n ) log ( n ) 1 O 4 i = i= ( ) ( ) 2 i = O log ( n ) Online cost per query: log(n) levels x O(log(n)) bucket size = 2 O 1 O ( log ( n )) ( ) 18

19 Existing work For client storage O ( n ) Goldreich/Ostrovsky ORAM Smith/Illiev O ( n log n ) Wang et al. ESORICS This protocol - O ( log n ) O O ( n ) ( 4 log n ) 19

20 How fast can we run? 20

21 Closing in Conclusions Practical Private Information Retrieval Protocol Several queries per second over large data sets Full computational privacy Future Work De-amortize re-shuffle costs Reduce server storage overhead - eliminate use of fakes ( ) New mechanism with O log n log log n overhead 21

22 Closing in Thank you! 22