## Private Information Retrieval (1997)

### Cached

### Download Links

- [www.wisdom.weizmann.ac.il]
- [www.wisdom.weizmann.ac.il]
- [theory.lcs.mit.edu]
- [www.cs.technion.ac.il]
- [cgis.cs.umd.edu]
- [www.cs.umd.edu]
- [www.cs.umd.edu]
- [www.cs.umd.edu]
- [www.cs.tau.ac.il]
- [www.cs.umd.edu]
- [www.cs.umd.edu]
- [www.cs.umd.edu]
- [cgis.cs.umd.edu]
- [www.cs.umd.edu]
- [people.csail.mit.edu]
- [ftp.wisdom.weizmann.ac.il]
- [theory.lcs.mit.edu]
- [www.cs.technion.ac.il]
- [www.freehaven.net]
- [www.cs.technion.ac.il]
- DBLP

### Other Repositories/Bibliography

Citations: | 445 - 12 self |

### BibTeX

@MISC{Chor97privateinformation,

author = {Benny Chor and Oded Goldreich and Eyal Kushilevitz and Madhu Sudan},

title = {Private Information Retrieval },

year = {1997}

}

### Years of Citing Articles

### OpenURL

### Abstract

Publicly accessible databases are an indispensable resource for retrieving up to date information. But they also pose a significant risk to the privacy of the user, since a curious database operator can follow the user's queries and infer what the user is after. Indeed, in cases where the users ' intentions are to be kept secret, users are often cautious about accessing the database. It can be shown that when accessing a single database, to completely guarantee the privacy of the user, the whole database should be downloaded, namely n bits should be communicated (where n is the number of bits in the database). In this work, we investigate whether by replicating the database, more efficient solutions to the private retrieval problem can be obtained. We describe schemes that enable a user to access k replicated copies of a database (k * 2) and privately retrieve information stored in the database. This means that each individual database gets no information on the identity of the item retrieved by the user. Our schemes use the replication to gain substantial saving. In particular, we have ffl A two database scheme with communication complexity of O(n1=3). ffl A scheme for a constant number, k, of databases with communication complexity O(n1=k). ffl A scheme for 13 log2 n databases with polylogarithmic (in n) communication complexity.

### Citations

1542 |
Information Theory and Reliable Communications
- Gallager
- 1968
(Show Context)
Citation Context ...rem need not be greater than 2d . On the other hand, since every radius 1 ball contains exactly d+1 points in {0, 1} d , the number of codewords k satisfies k ≥ 2d d+1 (this is the volume bound, cf., =-=[16]-=-). This lower bound is not always attainable. The construction given above, for d = 3, uses the fact that {(0, 0, 0), (1, 1, 1)} is a covering code with radius 1 of {0, 1} 3 . For d = 4 there exist co... |

749 | A Pseudorandom Generator from any One-way Function - Hastad, Impagliazzo, et al. - 1999 |

619 | How to generate cryptographically strong sequences of pseudo-random bits - Blum, Micali - 1984 |

527 | Theory and applications of trapdoor functions - Yao - 1982 |

522 | Cryptography and Data Security
- DENNING
- 1982
(Show Context)
Citation Context ...nst a “curious” user. For example, there are methods that enable a user to ask queries to a statistical database in a way that prevents him from reconstructing the value of particular entities (e.g., =-=[2, 9, 13, 14, 26]-=- and [27, Section 10.5]). It may seem surprising at first glance that there are no methods to protect the privacy of the user. For example, an investor that queries the stock-market database for the v... |

407 | Nondeterministic exponential time has two-prover interactive protocols - Babai, Fortnow, et al. - 1991 |

337 | Security-control methods for statistical databases: A comparative study - Adam, Wortmann - 1989 |

310 | Algebraic methods for interactive proof systems - Lund, Fortnow, et al. - 1992 |

278 |
Principles of Database Systems
- Ullman
- 1982
(Show Context)
Citation Context ... complexity O(n1/3 ). Our schemes are based on exclusive-or (linear summations, or sum) queries; this type of queries is very common and is actually implemented in several “real-world” databases (see =-=[9, 14, 27]-=-). 1.1 Omitted from this Version Our original work [12] contained a full description of • Schemes for a constant number, k, of servers with communication complexity O(n 1/k ). • A scheme for 1 log2 lo... |

257 | Checking computations in polylogarithmic time - Babai, Fortnow, et al. - 1991 |

232 | Replication is not needed: single database, computationally private information retrieval
- Kushilevitz, Ostrovsky
- 1997
(Show Context)
Citation Context ...y. In particular, assuming the existence of one-way functions, they present a two-server computational PIR scheme whose communication complexity is O(n ε ), for every ε > 0. Kushilevitz and Ostrovsky =-=[20]-=- observed that the linear lower bound on communication complexity (see Section 5.1) ceases to hold for computational privacy. Indeed, assuming the intractability of the Quadratic Residuosity problem, ... |

188 | Software Protection and Simulation on Oblivious RAMs
- Goldreich, Ostrovsky
- 1996
(Show Context)
Citation Context ... Ostrovsky and Shoup achieve this with an addition of one server and a poly-logarithmic communication overhead (compared to the retrieval only schemes). They use and adapt techniques of Oblivious RAM =-=[18]-=-, and inherit some properties of this construction. In particular, the protocols are multi-round and the data is stored in coded form (in particular, different servers do not hold replications of the ... |

159 | Hiding instances in multioracle queries - Beaver, Feigenbaum - 1990 |

139 | On data banks and privacy homomorphisms - Rivest, Adleman, et al. - 1978 |

137 |
Distributed Databases: Principles and Systems
- Ceri, Pelagatti
- 1984
(Show Context)
Citation Context ...ng he can do is to ask for a copy of the whole database. Clearly, this is too much communication overhead, which makes it practically unacceptable. The rapid development of distributed databases (see =-=[8]-=-) and fast communication networks results in many scenarios in which the same database is replicated at several sites. This raises hope to get around the difficulty of achieving privacy in the single ... |

130 | On Hiding Information from an Oracle
- Abadi, Feigenbaum, et al.
- 1989
(Show Context)
Citation Context ...e, using the results of [4] one can get much better private information retrieval schemes than those that can be obtained using [22], but still not as good as the schemes constructed in our paper. In =-=[25, 1, 24, 5, 6]-=- the instance hiding problem is introduced and studied. In this problem, a computationally bounded player U that holds an input (instance) i wishes to compute a known function f on input i. The functi... |

112 | Protecting data privacy in private information retrieval schemes - Gertner, Ishai, et al. |

90 | Secure Databases: Protection against User Influence
- Dobkin, Jones, et al.
- 1979
(Show Context)
Citation Context ...nst a “curious” user. For example, there are methods that enable a user to ask queries to a statistical database in a way that prevents him from reconstructing the value of particular entities (e.g., =-=[2, 9, 13, 14, 26]-=- and [27, Section 10.5]). It may seem surprising at first glance that there are no methods to protect the privacy of the user. For example, an investor that queries the stock-market database for the v... |

87 | Upper bound on the communication complexity of private information retrieval
- Ambainis
- 1997
(Show Context)
Citation Context ...cient than) schemes presented in [5, 6] for the related (but different) context of instance hiding (see discussion below). Furthermore, these schemes have been subsumed by subsequent work of Ambainis =-=[3]-=-. Following a recommendation by an anonymous referee, the description of these schemes was omitted from the current version. Also omitted with the abovementioned schemes are their modifications to a s... |

68 | Towards a theory of software protection and simulation by oblivious RAMs - Goldreich - 1987 |

58 | Private information retrieval by keywords
- Chor, Gilboa, et al.
- 1997
(Show Context)
Citation Context ... that the user knows the physical location of the information that it is interested in. A more realistic model allows the user to retrieve information based on keywords. Such schemes are presented in =-=[11]-=-. 5s3.1 A Basic Two-Server Scheme We start by describing a very simple PIR scheme that allows U to privately obtain the bit xi by receiving a single bit from each of two servers. The user uniformly se... |

44 |
Security with low communication overhead
- Beaver, Feigenbaum, et al.
- 1990
(Show Context)
Citation Context ... 1 servers with total communication complexity 1 3 (1 + o(1)) · log22 n · These constructions are based on polynomial interpolation. They are similar to (but more efficient than) schemes presented in =-=[5, 6]-=- for the related (but different) context of instance hiding (see discussion below). Furthermore, these schemes have been subsumed by subsequent work of Ambainis [3]. Following a recommendation by an a... |

43 |
A modified random perturbation method for database security
- Tendick, Matloff
- 1994
(Show Context)
Citation Context ...nst a “curious” user. For example, there are methods that enable a user to ask queries to a statistical database in a way that prevents him from reconstructing the value of particular entities (e.g., =-=[2, 9, 13, 14, 26]-=- and [27, Section 10.5]). It may seem surprising at first glance that there are no methods to protect the privacy of the user. For example, an investor that queries the stock-market database for the v... |

41 |
Security Control Methods for Statistical Databases
- Adam, Wortmann
- 1989
(Show Context)
Citation Context |

38 |
Private information storage
- Ostrovsky, Shoup
(Show Context)
Citation Context ...me (with certain properties). The basis of the recursion (i.e., k = 2) is our two-servers scheme. Ostrovsky and Shoup have extended the PIR scope, and invented schemes for private information storage =-=[21]-=-. These are schemes which, in the same distributed scenario as PIR, enable users both to read and to write into the database in a private manner (where privacy in this case is only with respect to the... |

35 | Locally random reductions: Improvements and applications - Beaver, Feigenbaum, et al. - 1997 |

27 | Simultaneous messages vs. communication
- Babai, Kimmel, et al.
- 1995
(Show Context)
Citation Context ...the first server, ℓ to the second and the three of them execute the [22] protocol. This yields a two-server PIR with communication complexity o(n). Independently of our work, Babai, Kimmel, and Lokam =-=[4]-=- studied the following problem, related to the one studied in [22] (where, again, the motivation comes from complexity theory). There are k + 1 players S1, . . . , Sk and U. The player U holds k indic... |

25 | Boolean circuits, tensor ranks, and communication complexity - Pudlak, Rodl, et al. - 1997 |

17 |
Modified bounds for covering codes
- Honkala
- 1991
(Show Context)
Citation Context ...bounds, and the communication complexity of the resulting protocol (i.e., (2 d + (d − 1)k) · n 1/d , ignoring the additive term of k). We note that all these covering codes are optimal (minimum size) =-=[19]-=-. For d = 3 and d = 7, these are Hamming Codes which are perfect codes (all balls are disjoint). As one can see from this table, the improvement derived by the emulation method (over the simpler metho... |

17 | Principles of Database Systems (Second Edition)",Computer - Ullman - 1982 |

16 | Modified ranks of tensors and the size of circuits - Pudlak, Rodl - 1993 |

13 | On the Power of Two-Local Random Reductions
- Fortnow, Szegedy
- 1992
(Show Context)
Citation Context ...t(n) · c√ n), was given. 1.2 Related Work For the case k = 2 (i.e., two servers), the question whether replication of databases can help was explicitly asked, but not answered, by Fortnow and Szegedy =-=[15]-=-. A first indication that something better than the user asking for a copy of x can be done is given by a result of Pudlák and Rödl [22]. With a complexity-theory motivation in mind they studied the f... |

11 |
Security Problems on Inference Control for
- Chin
- 1986
(Show Context)
Citation Context |

4 | Approximating clique is almost NP-Complete. FOCS - FEIGE, GOLDWASSER, et al. - 1991 |

2 | private communication - Itkis - 1996 |

2 | Private Information Storage", these proceedings - Ostrovsky, Shoup - 1997 |

2 |
Private communication, quoted in the Acknowledgment Section of Abadi et al. [1
- Rivest
(Show Context)
Citation Context ...e, using the results of [4] one can get much better private information retrieval schemes than those that can be obtained using [22], but still not as good as the schemes constructed in our paper. In =-=[25, 1, 24, 5, 6]-=- the instance hiding problem is introduced and studied. In this problem, a computationally bounded player U that holds an input (instance) i wishes to compute a known function f on input i. The functi... |

1 | An upper bound for Private Information Retrieval", manuscript - Ambainis - 1996 |

1 | Private communication, quoted - RIVEST - 1989 |

1 |
Modified Ranks of Tensors and the Size of Circuits. STOC
- Pudlák, Rödl
- 1993
(Show Context)
Citation Context ... was explicitly asked, but not answered, by Fortnow and Szegedy [15]. A first indication that something better than the user asking for a copy of x can be done is given by a result of Pudlák and Rödl =-=[22]-=-. With a complexity-theory motivation in mind they studied the following question. There are three players: player S1 that holds a string x and an index j, player S2 that holds the same string x and a... |