561 research outputs found

    PIR Array Codes with Optimal Virtual Server Rate

    There has been much recent interest in Private Information Retrieval (PIR) in models where a database is stored across several servers using coding techniques from distributed storage, rather than being simply replicated. In particular, a recent breakthrough result of Fazeli, Vardy and Yaakobi introduces the notion of a PIR code and a PIR array code, and uses this notion to produce efficient PIR protocols. In this paper we are interested in designing PIR array codes. We consider the case when we have $m$ servers, with each server storing a fraction $(1/s)$ of the bits of the database; here $s$ is a fixed rational number with $s > 1$. A PIR array code with the $k$-PIR property enables a $k$-server PIR protocol (with $k \leq m$) to be emulated on $m$ servers, with the overall storage requirements of the protocol being reduced. The communication complexity of a PIR protocol reduces as $k$ grows, so the virtual server rate, defined to be $k/m$, is an important parameter. We study the maximum virtual server rate of a PIR array code with the $k$-PIR property. We present upper bounds on the achievable virtual server rate, some constructions, and ideas how to obtain PIR array codes with the highest possible virtual server rate. In particular, we present constructions that asymptotically meet our upper bounds, and the exact largest virtual server rate is obtained when $1 < s \leq 2$. A $k$-PIR code (and similarly a $k$-PIR array code) is also a locally repairable code with symbol availability $k-1$. Such a code ensures $k$ parallel reads for each information symbol. So the virtual server rate is very closely related to the symbol availability of the code when used as a locally repairable code. The results of this paper are discussed also in this context, where subspace codes also have an important role.

    Simulating Private Information Retrieval on Amazon Web Services

    As our modern lives have gradually moved more and more online, companies and state actors have taken it upon themselves to gather and analyze our behavior online, and as these actors have gradually shown just how much they know about a private user, or a group of users, a concern for privacy has grown accordingly. A virtual private network service could help anonymize a user, but the providers of services usually log what services they provide, which can provide identifying information. Research in privacy measures has thus become a larger topic in recent times. Private information retrieval allows a user to query a database without revealing to the server any information about the information queried, and if effective enough, could provide perfect privacy to everyone. In this thesis, we examine a state-of-the-art efficient private information retrieval scheme and study every step in the protocol in a simulation implemented on Amazon’s cloud computing services. Master's thesis in informatics. INF399 MAMN-PROG MAMN-IN

    Private Information Retrieval Schemes With Product-Matrix MBR Codes

    A private information retrieval (PIR) scheme allows a user to retrieve a file from a database without revealing any information on the file being requested. As of now, PIR schemes have been proposed for several kinds of storage systems, including replicated and MDS-coded systems. However, the problem of constructing PIR schemes on regenerating codes has been sparsely considered. A regenerating code is a storage code whose codewords are distributed among nodes, enabling efficient storage of files, as well as low-bandwidth retrieval of files and repair of nodes. Minimum-bandwidth regenerating (MBR) codes define a family of regenerating codes allowing a node repair with optimal bandwidth. Rashmi, Shah, and Kumar obtained a large family of MBR codes using the product-matrix (PM) construction. In this work, a new PIR scheme over PM-MBR codes is designed. The inherent redundancy of the PM structure is used to reduce the download communication complexity of the scheme. A lower bound on the PIR capacity of MBR-coded PIR schemes is derived, showing an interesting storage space vs. PIR rate trade-off compared to existing PIR schemes with the same reconstruction capability. The present scheme also outperforms a recent PM-MBR PIR construction of Dorkson and Ng. Peer reviewed.

    Sub-logarithmic Distributed Oblivious RAM with Small Block Size

    Oblivious RAM (ORAM) is a cryptographic primitive that allows a client to securely execute RAM programs over data that is stored in an untrusted server. Distributed Oblivious RAM is a variant of ORAM, where the data is stored in $m>1$ servers. Extensive research over the last few decades has succeeded in reducing the bandwidth overhead of ORAM schemes, both in the single-server and the multi-server setting, from $O(\sqrt{N})$ to $O(1)$. However, all known protocols that achieve a sub-logarithmic overhead either require heavy server-side computation (e.g. homomorphic encryption), or a large block size of at least $\Omega(\log^3 N)$. In this paper, we present a family of distributed ORAM constructions that follow the hierarchical approach of Goldreich and Ostrovsky [GO96]. We enhance known techniques, and develop new ones, to take better advantage of the existence of multiple servers. By plugging efficient known hashing schemes in our constructions, we get the following results: 1. For any $m\geq 2$, we show an $m$-server ORAM scheme with $O(\log N/\log\log N)$ overhead, and block size $\Omega(\log^2 N)$. This scheme is private even against an $(m-1)$-server collusion. 2. A 3-server ORAM construction with $O(\omega(1)\log N/\log\log N)$ overhead and a block size almost logarithmic, i.e. $\Omega(\log^{1+\epsilon}N)$. We also investigate a model where the servers are allowed to perform a linear amount of light local computations, and show that constant overhead is achievable in this model, through a simple four-server ORAM protocol.

    Private information retrieval and function computation for noncolluding coded databases

    The rapid development of information and communication technologies has motivated many data-centric paradigms such as big data and cloud computing. The resulting paradigmatic shift to cloud/network-centric applications and the accessibility of information over public networking platforms has brought information privacy to the focal point of current research challenges. Motivated by the emerging privacy concerns, the problem of private information retrieval (PIR), a standard problem of information privacy that originated in theoretical computer science, has recently attracted much attention in the information theory and coding communities. The goal of PIR is to allow a user to download a message from a dataset stored on multiple (public) databases without revealing the identity of the message to the databases and with the minimum communication cost. Thus, the primary performance metric for a PIR scheme is the PIR rate, which is defined as the ratio between the size of the desired message and the total amount of downloaded information. The first part of this dissertation focuses on a generalization of the PIR problem known as private computation (PC) from distributed storage system (DSS). In PC, a user wishes to compute a function of f variables (or messages) stored in n noncolluding coded databases, i.e., databases storing data encoded with an [n, k] linear storage code, while revealing no information about the desired function to the databases. Here, colluding databases refers to databases that communicate with each other in order to deduce the identity of the computed function. First, the problem of private linear computation (PLC) for linearly encoded DSS is considered. In PLC, a user wishes to privately compute a linear combination over the f messages. For the PLC problem, the PLC capacity, i.e., the maximum achievable PLC rate, is characterized. Next, the problem of private polynomial computation (PPC) for linearly encoded DSS is considered. 
In PPC, a user wishes to privately compute a multivariate polynomial of degree at most g over f messages. For the PPC problem an outer bound on the PPC rate is derived, and two novel PPC schemes are constructed. The first scheme considers Reed-Solomon coded databases with Lagrange encoding and leverages ideas from recently proposed star-product PIR and Lagrange coded computation. The second scheme considers databases coded with systematic Lagrange encoding. Both schemes yield improved rates compared to known PPC schemes. Finally, the general problem of PC for arbitrary nonlinear functions from a replicated DSS is considered. For this problem, upper and lower bounds on the achievable PC rate are derived and compared. In the second part of this dissertation, a new variant of the PIR problem, denoted as pliable private information retrieval (PPIR) is formulated. In PPIR, the user is pliable, i.e., interested in any message from a desired subset of the available dataset. In the considered setup, f messages are replicated in n noncolluding databases and classified into F classes. The user wishes to retrieve any one or more messages from multiple desired classes, while revealing no information about the identity of the desired classes to the databases. This problem is termed as multi-message PPIR (M-PPIR), and the single-message PPIR (PPIR) problem is introduced as an elementary special case of M-PPIR. In PPIR, the user wishes to retrieve any one message from one desired class. For the two considered scenarios, outer bounds on the M-PPIR rate are derived for arbitrary number of databases. Next, achievable schemes are designed for n replicated databases and arbitrary n. Interestingly, the capacity of PPIR, i.e., the maximum achievable PPIR rate, is shown to match the capacity of PIR from n replicated databases storing F messages. A similar insight is shown to hold for the general case of M-PPIR

    PIR schemes with small download complexity and low storage requirements

    Shah, Rashmi and Ramchandran recently considered a model for Private Information Retrieval (PIR) where a user wishes to retrieve one of several R-bit messages from a set of n non-colluding servers. Their security model is information-theoretic. Their paper is the first to consider a model for PIR in which the database is not necessarily replicated, so allowing distributed storage techniques to be used. Shah et al. show that at least R+1 bits must be downloaded from servers, and describe a scheme with linear total storage (in R) that downloads between 2R and 3R bits. For any positive e, we provide a construction with the same storage property, that requires at most (1 + e)R bits to be downloaded; moreover one variant of our scheme only requires each server to store a bounded number of bits (in the sense of being bounded by a function that is independent of R). We also provide variants of a scheme of Shah et al. which downloads exactly R + 1 bits and has quadratic total storage. Finally, we simplify and generalise a lower bound due to Shah et al. on the download complexity of a PIR scheme. In a natural model, we show that an n-server PIR scheme requires at least nR/(n - 1) download bits in many cases, and provide a scheme that meets this bound. This paper provides various bounds on the download complexity of a PIR scheme, generalising those of Shah et al. to the case when the number $n$ of servers is bounded, and providing links with classical techniques due to Chor et al. The paper also provides a range of constructions for PIR schemes that are either simpler or perform better than previously known schemes. These constructions include explicit schemes that achieve the best asymptotic download complexity of Sun and Jafar with significantly lower upload complexity, and general techniques for constructing a scheme with good worst case download complexity from a scheme with good download complexity on average.