## Single Database Private Information Retrieval with Logarithmic Communication (2004)

Citations: | 37 - 0 self |

### BibTeX

@TECHREPORT{Chang04singledatabase,

author = {Yan-cheng Chang},

title = {Single Database Private Information Retrieval with Logarithmic Communication},

institution = {},

year = {2004}

}

### Years of Citing Articles

### OpenURL

### Abstract

In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic server-side communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory [CMS99]. On the contrary, our construction is based on Paillier's cryptosystem [P99], which along with its variants have drawn extensive studies in recent cryptographic researches [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and have many important applications (e.g., the Cramer-Shoup CCA2 encryption scheme in the standard model [CS02]).

### Citations

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...s all partial information of the input, or equivalently, if it is polynomial time indistinguishable, i.e. there is no adversary can find even two messages which encryptions he can distinguish between =-=[GM84]-=-. We state them formally as follows. Definition 1. A probabilistic encryption scheme E with security parameter k, input domain M(k) and randomness domain R(k) is said to be semantically secure if for ... |

624 | Public Key Cryptosystems based on CompositeDegree Residue Classes
- Paillier
- 1999
(Show Context)
Citation Context ...ould only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory [CMS99]. On the contrary, our construction is based on Paillier's cryptosystem =-=[P99]-=-, which along with its variants have drawn extensive studies in recent cryptographic researches [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and have many important applications (e.g.,... |

604 |
How to generate cryptographically strong sequences of pseudorandom bits
- Blum, Micali
- 1984
(Show Context)
Citation Context ...e, i.e. each instance of the problem is an average case [P99]. Specifically, all instances of a random-self-reducible problem are either uniformly intractable or uniformly solvable in polynomial time =-=[BM84]-=-. Definition 6. Composite Residuosity Assumption (CRA): If the factorization of n is unknown, there is no PPT distinguisher for n-th residues modulo n 2 [P99]. 1 Note due to the random-self-reducibili... |

301 | How to exchange secrets by oblivious transfer - Rabin - 1981 |

233 |
Founding cryptography on oblivious transfer
- Kilian
- 1988
(Show Context)
Citation Context ...1dPIR is a very strong cryptographic primitive in the sense that it can be used to construct oblivious transfer [CMO00], a cryptographic primitive that is known to be complete for secure computations =-=[K88]-=-. Historically, the first 1dPIR scheme was proposed in [KO97], with its security based on the hardness of the quadratic residuosity problem and with O(N # ) server-side communication complexity for an... |

223 | Computationally private information retrieval with polylogarithmic communication
- Cachin, Micali, et al.
- 1999
(Show Context)
Citation Context ... logarithmic server-side communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory =-=[CMS99]-=-. On the contrary, our construction is based on Paillier's cryptosystem [P99], which along with its variants have drawn extensive studies in recent cryptographic researches [PP99, G00, CGGN01, DJ01, C... |

214 | Replication is NOT needed: SINGLE database, computationally-private information retrieval
- Kushilevitz, Ostrovsky
- 1997
(Show Context)
Citation Context ...that it can be used to construct oblivious transfer [CMO00], a cryptographic primitive that is known to be complete for secure computations [K88]. Historically, the first 1dPIR scheme was proposed in =-=[KO97]-=-, with its security based on the hardness of the quadratic residuosity problem and with O(N # ) server-side communication complexity for any constant #. After that, in fact, only a few implementations... |

152 |
Efficient oblivious transfer protocols
- Naor, Pinkas
- 2001
(Show Context)
Citation Context ...ge can be thought as a commitment from Receiver. By applying both extensions (of Scheme1 and Scheme2), we obtain the desired one-round implementation. 4.3 Discussions In [AIR01] (and independently in =-=[NP01]-=-), a method to construct oblivious transfer protocols against malicious players using any additive homomorphic encryption scheme was proposed, with a constraint that the mathematical structure underli... |

150 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system - Damg˚ard, Jurik - 2001 |

140 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption
- Cramer, Shoup
(Show Context)
Citation Context ... recent cryptographic researches [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and have many important applications (e.g., the Cramer-Shoup CCA2 encryption scheme in the standard model =-=[CS02]-=-). Actually, our schemes can be directly used to implement 1-out-of-N #-bit string oblivious transfer with O(#) sender-side communication complexity (against semi-honest receivers and malicious sender... |

94 | Priced oblivious transfer: How to sell digital goods
- Aiello, Ishai, et al.
- 2001
(Show Context)
Citation Context ...ver. In fact, the reused message can be thought as a commitment from Receiver. By applying both extensions (of Scheme1 and Scheme2), we obtain the desired one-round implementation. 4.3 Discussions In =-=[AIR01]-=- (and independently in [NP01]), a method to construct oblivious transfer protocols against malicious players using any additive homomorphic encryption scheme was proposed, with a constraint that the m... |

71 | Secure Multi-Party Computation
- Goldreich
- 2002
(Show Context)
Citation Context ...}. For an N-bit string x, let x[i] i#[N ] denote its i-th bit. A semi-honest player always follows the protocol properly with the exception that it keeps a record of all its intermediate computations =-=[G98]-=-. On the other hand, we put no restriction on the behavior of a malicious player. We use the notation a R # A to denote choosing an element a uniformly at random from the set A, and use PPT to denote ... |

46 | Single database private information retrieval implies oblivious transfer
- Crescenzo, Malkin, et al.
(Show Context)
Citation Context ...otherwise the problem becomes trivial). In addition to its numerous applications [A01], 1dPIR is a very strong cryptographic primitive in the sense that it can be used to construct oblivious transfer =-=[CMO00]-=-, a cryptographic primitive that is known to be complete for secure computations [K88]. Historically, the first 1dPIR scheme was proposed in [KO97], with its security based on the hardness of the quad... |

29 | Paillier’s cryptosystem revisited - Catalano, Gennaro, et al. - 2001 |

27 | One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
- Kushilevitz, Ostrovsky
- 2000
(Show Context)
Citation Context ...e less well-studied assumptions in number theory, i.e. the hardness of Φ-Hiding and the existence of Φ-Sampling. Besides, there is a result showing that 1dPIR can be built using trapdoor permutations =-=[KO00]-=-. But since the result of [KO00] is reduction-oriented, it actually requires more server-side communication than the previous ones. 1sIn this paper, we present schemes for 1dPIR with only logarithmic ... |

25 |
Efficinet Oblivious Transfer Protocols
- Naor, Pinkas
(Show Context)
Citation Context ...ge can be thought as a commitment from Receiver. By applying both extensions (of Scheme1 and Scheme2), we obtain the desired one-round implementation. 4.3 Discussions In [AIR01] (and independently in =-=[NP01]-=-), a method to construct oblivious transfer protocols against malicious players using any additive homomorphic encryption scheme was proposed, with a constraint that the mathematical structure underli... |

16 | Elliptic curve paillier schemes - Galbraith |

15 | Efficient public key cryptosystems provably secure against active adversaries - Paillier, Pointcheval - 1999 |

9 | Private Information Retrieval: An Overview and Current Trends
- Asonov
- 2001
(Show Context)
Citation Context ...earn the i-th bit of x without revealing his index while the database server can send less than N bits to the user (as otherwise the problem becomes trivial). In addition to its numerous applications =-=[A01]-=-, 1dPIR is a very strong cryptographic primitive in the sense that it can be used to construct oblivious transfer [CMO00], a cryptographic primitive that is known to be complete for secure computation... |

9 | New semantically secure public-key cryptosystems from the RSA-primitive - Sakurai, Takagi - 2002 |

8 | The hardness of Hensel lifting: The case of RSA and discrete logarithm - Catalano, Nguyen, et al. - 2002 |

7 | Paillier’s trapdoor function hides up to O(n) bits - Catalano, Gennaro, et al. - 2002 |

5 |
One-way trapdoor permutations are su cient for non-trivial single-server private information retrieval
- Kushilevitz, Ostrovsky
- 2000
(Show Context)
Citation Context ...e less well-studied assumptions in number theory, i.e. the hardness of #-Hiding and the existence of #-Sampling. Besides, there is a result showing that 1dPIR can be built using trapdoor permutations =-=[KO00]-=-. But since the result of [KO00] is reduction-oriented, it actually requires more server-side communication than the previous ones. 1 In this paper, we present schemes for 1dPIR with only logarithmic ... |

5 | Some RSA-Based Encryption Schemes with Tight Security Reduction - Kurosawa, Takagi - 2003 |

5 |
Extending oblivious transfers efficiently. CRYPTO
- Ishai, Kilian, et al.
- 2003
(Show Context)
Citation Context ...of a pseudo-random function, and we especially want our schemes to be self-contained within CRA. So we abandon the usage of a pseudo-random function, which, however, is a good alternative in practice =-=[IKNP03]-=-. Finally, we mention there are oblivious transfer protocols against malicious players even without any zero-knowledge setup [AIR01, NP01], whose security are based on the hardness of decisional Diffi... |

4 | A practical public key cryptosystem from Paillier and Rabin schemes - Galindo, Martin, et al. - 2003 |

4 | D.: Deficient Public-Key Cryptosystems Provably Secure Against Active Adversaries - Paillier, Pointcheval - 1999 |

4 |
Oblivious transfer and polynomial evaluation. STOC
- Naor, Pinkas
- 1999
(Show Context)
Citation Context ...against semi-honest Receiver and malicious Sender, we can design a communication-efficient � � log n N 1 OT⌊ 2 ⌋ scheme against malicious Receiver and malicious Sender using the technique proposed in =-=[NP99]-=- with the exception that no pseudo-random function is involved in our construction. Details are as follows. W.l.o.g. we assume N = 2t for some t ∈ N, and assume Receiver’s choice is σ ∈ {0, 1, · · · ,... |

2 |
Oblivious transfer and Polynomial Evaluation(extended abstract
- Naor, Pinkas
(Show Context)
Citation Context ... against semi-honest Receiver and malicious Sender, we can design a communication-e#cient # N 1 # OT # log n 2 # scheme against malicious Receiver and malicious Sender using the technique proposed in =-=[NP99]-=- with the exception that no pseudo-random function is involved in our construction. Details are as follows. W.l.o.g. we assume N = 2 t for some t # N, and assume Receiver's choice is # # {0, 1, , N-1}... |

1 |
Extending oblivious transfers e#ciently," CRYPTO
- Ishai, Kilian, et al.
- 2003
(Show Context)
Citation Context ...of a pseudo-random function, and we especially want our schemes to be self-contained within CRA. So we abandon the usage of a pseudo-random function, which, however, is a good alternative in practice =-=[IKNP03]-=-. Finally, we mention there are oblivious transfer protocols against malicious players even without any zero-knowledge setup [AIR01, NP01], whose security are based on the hardness of decisional Di#e-... |

1 |
Short proofs of knowledge for factoring," Public Key Cryptography 2000
- Poupard, Stern
(Show Context)
Citation Context ...h is inevitable for any cryptosystem based on the hardness of factoring (e.g. RSA). Besides that, CRA is su#cient to guarantee the security of our construction against malicious players. According to =-=[PS00]-=-, we can prove the validity of n in a zero-knowledge manner e#ciently with communication complexity and computational complexity being O(k + log n) and O(k(k + log n)), respectively, where k is the se... |

1 |
Short proofs of knowledge for factoring,” Public Key Cryptography 2000
- Poupard, Stern
(Show Context)
Citation Context ...is inevitable for any cryptosystem based on the hardness of factoring (e.g. RSA). Besides that, CRA is sufficient to guarantee the security of our construction against malicious players. According to =-=[PS00]-=-, we can prove the validity of n in a zero-knowledge manner efficiently with communication complexity and computational complexity being O(k + log n) and O(k(k + log n)), respectively, where k is the ... |