FrodoPIR：Simple, Scalable, Single-Server Private Information Retrieval - Alex Davidson.pdf

通讯员

212

42页

0次

2022-12-23

免费下载

FrodoPIR: Simple, Scalable, Single-Server Private

Information Retrieval

Alex Davidson, Gon¸calo Pestana, Sof´ıa Celi

Brave Software

Abstract. We design FrodoPIR — a highly conﬁgurable, stateful, single-

server Private Information Retrieval (PIR) scheme that involves an of-

ﬂine phase that is completely client-independent. Coupled with small

online overheads, it leads to much smaller amortized ﬁnancial costs on

the server-side than previous approaches. In terms of performance for a

database of 1 million 1KB elements, FrodoPIR requires < 1 second for

responding to a client query, has a server response size blow-up factor

of < 3.6×, and ﬁnancial costs are ∼ $1 for answering 100, 000 client

queries. Our experimental analysis is built upon a simple, non-optimized

Rust implementation, illustrating that FrodoPIR is particularly suitable

for deployments that involve large numbers of clients.

1 Introduction

A Private Information Retrieval (PIR) scheme provides the ability for clients to

retrieve items from an online database, without revealing anything about their

queries to the untrusted host server(s). Applications of practical PIR schemes

include: anonymous communication [7, 61], anonymous media streaming [47],

privacy-preserving ad-delivery [45, 68, 63], private location discovery [37], pri-

vate contact discovery [16], password-checking [3], and SafeBrowsing [54]. PIR

schemes are split into those that are information-theoretically secure, but require

the database to be shared between multiple non-colluding servers [5, 26, 9, 11,

31, 10, 12, 75, 36, 35, 28, 40, 72, 58]; and those that are computationally-secure

against a single untrusted server [3, 31, 6, 21, 24, 38, 55, 56, 1, 64, 65, 62, 59].

Multi-server PIR constructions are typically more eﬃcient than single-server

schemes. However, ﬁnding non-colluding servers to jointly fulﬁll the PIR func-

tionality can be unrealistic and burdensome. To avoid such problems, devel-

oping practical single-server PIR schemes is a desirable goal. The most eﬃ-

cient single-server PIR schemes are based on fully homomorphic encryption

(FHE), with security derived from the ring learning with errors (RLWE) as-

sumption [1, 6, 62, 3, 64, 59]. Unfortunately, these schemes incur computational,

bandwidth, and consequent ﬁnancial overheads for answering client queries on

standard, cloud-based infrastructure that would make them expensive to run at

scale. Even the most eﬃcient require several seconds to process a single query

on a database of 1 million 1KB elements.

To drive down online and ﬁnancial costs, a recent line of work of single-

server PIR moves large proportions of the expensive online computation and

communication to an oﬄine phase [62, 65, 30] (a technique that also applies in the

two-server model [31, 58]). In this model, the client and server prepare an oﬄine

internal state to be used for making online queries. Such schemes are referred

to as oﬄine-online or stateful, as opposed to online-only or stateless. Many

works [62, 65, 30] have focused on developing PIR schemes with eﬃcient online

phases. The recent work of Corrigan-Gibbs et al. [30], for example, produces a

stateful single-server PIR scheme with sublinear eﬃciency costs.

A key diﬃculty that has gone unsolved is that either the computation or

the communication costs induced during the oﬄine phase scale linearly in the

number of clients that will make queries [62, 30, 65]. Moreover, previous schemes

require each individual client to make large numbers of queries (e.g.

√

m for m

DB elements) to ensure that the amortized costs remain sublinear. Ultimately,

this still results in signiﬁcant ﬁnancial costs for any server that plans to run a PIR

service in standard cloud-based infrastructure and that will answer queries from

large numbers of clients. As a consequence, single-server PIR remains unusable

in many real-world applications.

Our results. We build FrodoPIR: a stateful PIR scheme that is built directly

upon the learning with errors (LWE) problem only, rather than using RLWE and

FHE-based technologies. Similarly to FrodoKEM with respect to lattice-based

key exchange [17], we show that — counter to accepted intuition — eschewing

ring lattice structures can lead to ﬂexible and practically eﬃcient PIR schemes.

The main beneﬁt of FrodoPIR is that the oﬄine phase of the protocol is performed

by the server alone, completely independent of the number of clients or queries

that will be made. This results in low amortized computation overheads, and an

oﬄine client download size that is a tiny fraction of the entire server database.

Our results highlight that the current bottleneck for deploying practical state-

ful PIR schemes is heavily related to the per-client scalability of the oﬄine

preprocessing phase. Previous schemes have optimized primarily for per-client

asymptotics, which we show do not necessarily translate into ﬁnancially cheap

real-world systems. To this end, FrodoPIR represents an initial exploration in de-

veloping stateful PIR schemes that are suitable for large, real-world deployments,

where lowering ﬁnancial costs for server-side operators is of paramount impor-

tance. On top of this, FrodoPIR is signiﬁcantly simpler than previous schemes,

making no use of FHE techniques and requiring only modular arithmetic that

can be implemented using standard 32-bit unsigned integer instructions. Our

formal contributions are as follows:

1. A stateful single-server PIR scheme, known as FrodoPIR, with security de-

rived from LWE.

2. A simple, open-source Rust implementation — containing only a few hundred

lines of code.

3. Experimental analysis that illustrates that FrodoPIR is cheaper to run in

large multi-client deployments than all previous single-server PIR schemes.

https://github.com/brave-experiments/frodo-pir

of 42

免费下载

frodopir

关注

评论