## Reducing the servers' computation in private information retrieval: PIR with preprocessing (2000)

Venue: | In CRYPTO 2000 |

Citations: | 45 - 8 self |

### BibTeX

@INPROCEEDINGS{Beimel00reducingthe,
  author = {Amos Beimel and Yuval Ishai and Tal Malkin},
  title = {Reducing the servers' computation in private information retrieval: Pir with preprocessing},
  booktitle = {In CRYPTO 2000},
  year = {2000},
  pages = {56--74},
  publisher = {Springer}
}

### Abstract

Private information retrieval (PIR) enables a user to retrieve a specific data item from a database, replicated among one or more servers, while hiding from each server the identity of the retrieved item. This problem was suggested by Chor et al. [11], and since then efficient protocols with sub-linear communication were suggested. However, in all these protocols the servers' computation for each retrieval is at least linear in the size of entire database, even if the user requires just one bit. In this paper, we study the computational complexity of PIR. We show that in the standard PIR model, where the servers hold only the database, linear computation cannot be avoided. To overcome this problem we propose the model of PIR with preprocessing: Before the execution of the protocol each server may compute and store polynomially-many information bits regarding the database; later on, this information should enable the servers to answer each query of the user with more efficient computation. We demonstrate that preprocessing can save work. In particular, we construct, for any constant k ≥ 2, a k-server protocol with $O(n^{1/(2k-1)})$ communication and $O(n/\log^{2k-2} n)$ work, and for any constants k ≥ 2 and ε > 0 a k-server protocol with $O(n^{1/k+\epsilon})$ communication and work. We also prove some lower bounds on the work of the servers when they are only allowed to store a small number of extra bits. Finally, we present some alternative approaches to saving computation, by batching queries or by moving most of the computation to an off-line stage.

### Citations

8565 | Elements of information theory - Cover, Thomas - 1991 |
Citation Context ...xtra Bits In this section we show that a small number of extra bits cannot reduce the work too much. The proof uses information theory, and especially properties of the entropy function H (see, e.g., [12]). To describe the ideas of the proof of the lower bound we first consider a special case where each of the e extra bits is an exclusive-or of a subset of the bits of the database. That is, there is a... |

801 | Matrix multiplications via arithmetic progressions - Coppersmith, Winograd - 1990 |
Citation Context ... $O(n^{1/3})$ per query, and its space and time requirements depend on the matrix multiplication algorithm being employed. Letting ω denote the exponent of matrix multiplication (Coppersmith and Winograd [14] prove that ω < 2.376), the amortized work can be as low as $O(n^{1/3} n^{\omega/3})/n^{1/3} = O(n^{\omega/3})$, with batch size $n^{1/3}$. Theorem 7.1 There exists a 2-server amortized PIR protocol with batch size $n^{1/3}$, amor... |

415 | Private information retrieval - Chor, Goldreich, et al. - 1995 |
Citation Context ...ome index i and is interested in privately retrieving the value of $x_i$. Since its introduction, PIR has been an area of active research, and various settings and extensions have been considered (e.g., [1, 29, 12, 23, 19, 18, 15, 11, 8, 20, 16, 24]). Most of the initial work on PIR has focused on the goal of minimizing the communication, which was considered the most expensive resource. However, despite considerable success in realizing this go... |

258 | Checking computations in polylogarithmic time - Babai, Fortnow, et al. - 1991 |
Citation Context ...PIR protocols with polylogarithmic number of servers, logarithmic query length, and polylogarithmic answer length may be obtained from the following lemma (which optimizes previous constructions from [13, 5, 2]). Lemma 4.8 ([15, 6]) Let m and d be positive integers such that $\binom{m+d}{d} \geq n$. Then, there exists a (d + 1)-server PIR protocol with α = ⌈log(d + 2)⌉m query bits and a single answer bit per server. Su... |

256 | Introduction to Coding Theory - Lint - 1998 |

223 | Computationally private information retrieval with polylogarithmic communication - Cachin, Micali, et al. - 1999 |

214 | Replication is NOT needed: SINGLE database, computationally-private information retrieval - Kushilevitz, Ostrovsky - 1997 |

160 | Hiding instances in multioracle queries - Beaver, Feigenbaum - 1990 |
Citation Context ...> 1, with communication complexity of $O(n^{1/(2k-1)})$ bits [1] (improving on [13], see also [20, 6]), and (3) a protocol with O(log n) servers and communication complexity of $O(\log^2 n \log\log n)$ bits [4, 5, 13]. In all these protocols it is assumed that the servers do not communicate with each other. Extensions to t-private protocols, 1 Gertner et al. [18] have used preprocessing in a different model, allow... |

137 | Should tables be sorted - Yao - 1981 |
Citation Context ...captures our understanding of the usefulness of preprocessing in general), and by pointing the relation to communication lower bounds for PIR. Relation to the Cell-Probe Model. Yao's cell-probe model [32] provides a general framework for studying time-space tradeoffs obtainable via preprocessing (see [27] for a recent survey). The general setting considers a data-structure that enables to answer some ... |

107 | Protecting Data Privacy in Private Information Retrieval Schemes - Gertner, Ishai, et al. - 1998 |

88 | Upper Bound on Communication Complexity of Private Information Retrieval - Ambainis |

84 | On data structures and asymmetric communication complexity - Miltersen, Nisan, et al. - 1998 |
Citation Context ...a function f of the database x and the user's query q) admits efficient solutions in the cell-probe model. Interestingly, the connection between cell-probe complexity and branching program complexity [28] provides evidence that proving strong lower bounds on the complexity of PIR with preprocessing (if they exist) should be difficult. Example 1.1 Assume that for some ε > 0 one can rule out the existen... |

48 | A random server model for private information retrieval - Gertner, Goldwasser, et al. - 1998 |

44 | Private access to distributed information - Mann - 1998 |
Citation Context ...ssumption they obtain, for every constant ε > 0, a single server protocol with communication complexity of $O(n^{\epsilon})$ bits. Essentially the same protocol can be based on any homomorphic encryption scheme [26, 30, 31]. Cachin, Micali, and Stadler [11] present a single server protocol with polylogarithmic communication complexity, based on a new number-theoretic intractability assumption called the Φ-hiding assumpt... |

42 | Robust Information-Theoretic Private Information Retrieval - Beimel, Stahl - 2002 |
Citation Context ...r protocol with communication complexity of $O(n^{1/3})$ bits [13], (2) a k-server protocol, for any constant k > 1, with communication complexity of $O(n^{1/(2k-1)})$ bits [1] (improving on [13], see also [20, 6]), and (3) a protocol with O(log n) servers and communication complexity of $O(\log^2 n \log\log n)$ bits [4, 5, 13]. In all these protocols it is assumed that the servers do not communicate with each oth... |

41 | A new and efficient all-or-nothing disclosure of secrets protocol - Stern - 1998 |

36 | Super-linear time-space tradeoff lower bounds for randomized computation - Beame, Saks, et al. |
Citation Context ...ranching program, for r as large as $n^{\epsilon}$. This should be contrasted with the fact that the largest r for which a super-polynomial lower bound for read-r branching program is proven is roughly $\sqrt{\log n}$ [3]. Relation to Communication in Standard PIR. In Section 4 we show a transformation from PIR with short communication to PIR with preprocessing, where in the preprocessing stage the server stores the a... |

34 | Locally random reductions: Improvements and applications - Beaver, Feigenbaum, et al. - 1997 |

34 | Private information storage - Ostrovsky, Shoup - 1997 |

32 | Universal service-providers for database private information retrieval - Di-Crescenzo, Ishai, et al. - 1998 |
Citation Context ...ome index i and is interested in privately retrieving the value of $x_i$. Since its introduction, PIR has been an area of active research, and various settings and extensions have been considered (e.g., [2, 25, 10, 20, 18, 17, 14, 9, 8, 19, 15, 21, 1]). Most of the initial work on PIR has focused on the goal of minimizing the communication, which was considered the most expensive resource. However, despite considerable success in realizing this go... |

28 | Cell probe complexity - a survey - Miltersen - 1999 |

27 | Improved upper bounds on information-theoretic private information retrieval (extended abstract) - Ishai, Kushilevitz |

27 | One-way functions are essential for single-server private information retrieval - Beimel, Ishai, et al. - 1999 |

27 | Simultaneous messages vs. communication - Babai, Kimmel, et al. - 1995 |
Citation Context ... a k-server PIR protocol with β work per server, α + β communication, and $2^{\alpha} \cdot \beta$ extra-bits. A 2-server PIR protocol with α = log n and sub-linear β is implied by communication complexity results of [26, 4, 3]. The most recent of those, due to Ambainis and Lokam [3], implies an upper bound of $\beta = n^{0.728\ldots+o(1)}$. 7 We use similar techniques to construct a family of PIR protocols which provides a general t... |

27 | One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval - Kushilevitz, Ostrovsky - 2000 |

21 | Single-database private information retrieval implies oblivious transfer - Crescenzo, Malkin, et al. - 2000 |

16 | Batch Codes and Their Applications - Ishai, Kushilevitz, et al. - 2004 |

15 | Modified ranks of tensors and the size of circuits - Pudlák, Rödl - 1993 |

13 | Efficient private information retrieval - Itoh - 1999 |
Citation Context ... to shift most of the servers' work to an off-line stage as well, at the expense of requiring additional off-line work for each future query. This application is discussed in Section 7. Finally, Itoh [22] presents protocols slightly improving the computation of the servers compared to the protocols of [13]; however the time complexity of his protocols is still higher than n. 1.2 Our Results As a start... |

13 | Fast verification of any remote procedure call: Short witness-indistinguishable one-round proofs for NP - Aiello, Bhatt, et al. - 2000 |

11 | Universal service-providers for private information retrieval - Crescenzo, Ishai, et al. |

10 | Improved upper bounds on information theoretic private information retrieval - Ishai, Kushilevitz - 1999 |

9 | Space-Time Tradeoffs for Graph Properties - Dodis - 1998 |
Citation Context ... $n/(\epsilon \log n)^{2k-2}$). ✷ 3.4 Can the Protocols be Improved? We now describe a combinatorial problem concerning spanning of cubes. This problem is a special case of a more general problem posed by Dodis [17]. Our protocols in Section 3.2 and Section 3.3 are based on constructions for this problem; better constructions will enable to further reduce the work in these protocols. We start with some notation ... |

9 | One-way trapdoor permutations are sufficient for single-database computationally-private information retrieval - Kushilevitz, Ostrovsky - 2000 |

7 | Private information retrieval based on subgroup membership problem - Yamamura, Saito - 2001 |

6 | A Study of Secure Database Access and General Two-Party Computation - Malkin - 2000 |
Citation Context ...utation, with communication complexity n 1 − polylog n . Other works in this setting are [29, 8, 16]. Gertner, Goldwasser, and Malkin [18] were the first to address the servers' computation (see also [25]). They present a model for PIR utilizing special-purpose privacy servers, achieving stronger privacy guarantees and small computation for the original server holding the database. While their protoco... |

5 | One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval - Kushilevitz, Ostrovsky - 2000 |

5 | A new and efficient all-or-nothing disclosure of secrets protocol - Stern - 1998 |

3 | Improved upper bounds on the simultaneous messages complexity of the generalized addressing function - Ambainis, Lokam - 2003 |

3 | Modified Ranks of Tensors and the Size of Circuits - Pudlak, Rodl - 1993 |

2 | Space-Time Tradeoffs for Graph Properties - Dodis - 1998 |

1 | Breaking the $O(n^{1/(2k-1)})$ barrier for information-theoretic private information retrieval - Beimel, Ishai, et al. - 2002 |
Citation Context ...ult model, both of these alternatives may be applied in the single-server case as well. 4 As mentioned in Section 1.4, the same techniques can be used to save work also in the subsequent protocols of [9], thus still allowing to achieve the best communication complexity known to date with reduced (sublinear) work. 1.3 On the Difficulty of Obtaining Strong Lower Bounds Our lower bounds on the work in... |

1 | On private information retrieval and low-degree polynomials - Beimel, Ishai - 2000 |
Citation Context ...se servers (though not reducing the total work). See more below. 2 Extensions to t-private PIR protocols, in which the user is protected against collusions of up to t servers, have been considered in [11, 19, 7]. 57s58 cols are called computational PIR protocols). Following a 2-server construction of Chor and Gilboa [10], Kushilevitz and Ostrovsky [20] proved that in this setting one server suffices; under a... |

1 | Fast verification of any remote procedure call: short witness-indistinguishable one-round proofs for NP - Aiello, Bhatt, et al. |