
    Lower Bounds for (Batch) PIR with Private Preprocessing

    In this paper, we study (batch) private information retrieval with private preprocessing. Private information retrieval (PIR) is the problem where one or more servers hold a database of $n$ bits and a client wishes to retrieve the $i$-th bit in the database from the server(s). In PIR with private preprocessing (also known as offline-online PIR), the client is able to compute a private $r$-bit hint in an offline stage that may be leveraged to perform retrievals accessing at most $t$ entries. For privacy, the client wishes to hide index $i$ from an adversary that has compromised some of the servers. In the batch PIR setting, the client performs queries to retrieve the contents of multiple entries simultaneously. We present a tight characterization for the trade-offs between hint size $r$ and number of accessed entries $t$ during queries. For any PIR scheme that enables clients to perform batch retrievals of $k$ entries, we prove a lower bound of $tr = \Omega(nk)$ when $r \ge k$. When $r < k$, we prove that $t = \Omega(n)$. Our lower bounds hold when the scheme errs with probability at most $1/15$ and against PPT adversaries that only compromise one out of $\ell$ servers for any $\ell = O(1)$. Our work also closes the multiplicative logarithmic gap for the single query setting ($k = 1$) as our lower bound matches known constructions. Our lower bounds hold in the model where each database entry is stored without modification but each entry may be replicated arbitrarily. Finally, we show connections between PIR and the online matrix-vector (OMV) conjecture from fine-grained complexity. We present barriers for proving lower bounds for two-server PIR schemes in general computational models as they would immediately imply the OMV conjecture.

    LDCs and PIRs

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2007. Includes bibliographical references (leaves 90-99).

    This thesis studies two closely related notions, namely Locally Decodable Codes (LDCs) and Private Information Retrieval Schemes (PIRs). Locally decodable codes are error-correcting codes that allow extremely efficient, "sublinear-time" decoding procedures. More formally, a $k$-query locally decodable code encodes $n$-bit messages $x$ in such a way that one can probabilistically recover any bit $x_i$ of the message by querying only $k$ bits of the (possibly corrupted) code-word, where $k$ can be as small as 2. LDCs were initially introduced in complexity theory in the context of worst-case to average-case reductions and probabilistically checkable proofs. Later they have found applications in numerous other areas including information theory, cryptography and the theory of fault tolerant computation. The major goal of LDC related research is to establish the optimal trade-off between length $N$ and query complexity $k$ of such codes, for a given message length $n$. Private information retrieval schemes are cryptographic protocols developed in order to protect the privacy of the user's query, when accessing a public database. In such schemes a database (modelled by an $n$-bit string $x$) is replicated between $k$ non-communicating servers. The user holds an index $i$ and is interested in obtaining the value of the bit $x_i$. To achieve this goal, the user queries each of the servers and gets replies from which the desired bit $x_i$ can be computed. The query to each server is distributed independently of $i$ and therefore each server gets no information about what the user is after. The main parameter of interest in a PIR scheme is its communication complexity, namely the number of bits exchanged by the user accessing an $n$-bit database and the servers.

In this thesis we provide a fresh algebraic look at the theory of locally decodable codes and private information retrieval schemes. We obtain new families of LDCs and PIRs that have much better parameters than those of previously known constructions. We also prove limitations of two server PIRs in a restricted setting that covers all currently known schemes. Below is a more detailed summary of our contributions.

* Our main result is a novel (point removal) approach to constructing locally decodable codes that yields vast improvements upon the earlier work. Specifically, given any Mersenne prime $p = 2^t - 1$, we design three query LDCs of length $N = \exp(n^{1/t})$, for every $n$. Based on the largest known Mersenne prime, this translates to a length of less than $\exp(n^{10^{-7}})$, compared to $\exp(n^{1/2})$ in the previous constructions. It has often been conjectured that there are infinitely many Mersenne primes. Under this conjecture, our constructions yield three query locally decodable codes of length $N = \exp(n^{O(1/\log\log n)})$ for infinitely many $n$.

* We address a natural question regarding the limitations of the point-removal approach. We argue that further progress in the unconditional bounds via this method (under a fairly broad definition of the method) is tied to progress on an old number theory question regarding the size of the largest prime factors of Mersenne numbers.

* Our improvements in the parameters of locally decodable codes yield analogous improvements for private information retrieval schemes. We give 3-server PIR schemes with communication complexity of $O(n^{10^{-7}})$ to access an $n$-bit database, compared to the previous best scheme with complexity $O(n^{1/5.25})$. Assuming again that there are infinitely many Mersenne primes, we get 3-server PIR schemes of communication complexity $n^{O(1/\log\log n)}$ for infinitely many $n$.

* Our constructions yield tremendous improvements for private information retrieval schemes involving three or more servers, and provide no insights on the two server case. This raises a natural question regarding whether the two server case is truly intrinsically different. We argue that this may well be the case. We introduce a novel combinatorial approach to PIR and establish the optimality of the currently best known two server schemes in a restricted although fairly broad model.

by Sergey Yekhanin. Ph.D.