Results 1-10 of 46
Exponential lower bound for 2-query locally decodable codes via a quantum argument
JOURNAL OF COMPUTER AND SYSTEM SCIENCES, 2003
Cited by 134 (15 self)
A locally decodable code encodes n-bit strings x in m-bit codewords C(x) in such a way that one can recover any bit $x_i$ from a corrupted codeword by querying only a few bits of that word. We use a quantum argument to prove that LDCs with 2 classical queries require exponential length: $m = 2^{\Omega(n)}$. Previously this was known only for linear codes (Goldreich et al. 02). The
Reducing the servers' computation in private information retrieval: PIR with preprocessing
In CRYPTO 2000, 2000
Cited by 56 (8 self)
Private information retrieval (PIR) enables a user to retrieve a specific data item from a database, replicated among one or more servers, while hiding from each server the identity of the retrieved item. This problem was suggested by Chor et al. [11], and since then efficient protocols with sublinear communication were suggested. However, in all these protocols the servers' computation for each retrieval is at least linear in the size of entire database, even if the user requires just one bit. In this paper, we study the computational complexity of PIR. We show that in the standard PIR model, where the servers hold only the database, linear computation cannot be avoided. To overcome this problem we propose the model of PIR with preprocessing: Before the execution of the protocol each server may compute and store polynomially many information bits regarding the database; later on, this information should enable the servers to answer each query of the user with more efficient computation. We demonstrate that preprocessing can save work. In particular, we construct, for any constant $k \ge 2$, a k-server protocol with $O(n^{1/(2k-1)})$ communication and $O(n / \log^{2k-2} n)$ work, and for any constants $k \ge 2$ and $\epsilon > 0$ a k-server protocol with $O(n^{1/k+\epsilon})$ communication and work. We also prove some lower bounds on the work of the servers when they are only allowed to store a small number of extra bits. Finally, we present some alternative approaches to saving computation, by batching queries or by moving most of the computation to an offline stage.
Selective private function evaluation with applications to private statistics
In Proceedings of Twentieth ACM Symposium on Principles of Distributed Computing (PODC), 2001
Cited by 56 (9 self)
Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database $z = z_1, \ldots, z_n$ in order to compute $f(z_{i_1}, \ldots, z_{i_m})$, for some function f and indices $i = i_1, \ldots, i_m$ chosen by the client. Ideally, the client must learn nothing more about the database than $f(z_{i_1}, \ldots, z_{i_m})$, and the servers should learn nothing. Generic solutions for this problem, based on standard techniques for secure function evaluation, incur communication complexity that is at least linear in n, making them prohibitive for large databases even when f is relatively simple and m is small. We present various approaches for constructing sublinear-communication SPFE protocols, both for the general problem and for special cases of interest. Our solutions not only offer sublinear communication complexity, but are also practical in many scenarios.
Locally Decodable Codes with 2 queries and Polynomial Identity Testing for depth 3 circuits
ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 44 (2005), 2005
Cited by 47 (14 self)
In this work we study two, seemingly unrelated, notions. Locally Decodable Codes (LDCs) are codes that allow the recovery of each message bit from a constant number of entries of the codeword. Polynomial Identity Testing (PIT) is one of the fundamental problems of algebraic complexity: we are given a circuit computing a multivariate polynomial and we have to determine whether the polynomial is identically zero. We improve known results on locally decodable codes and on polynomial identity testing and show a relation between the two notions. In particular we obtain the following results: 1. We show that if $E: F^n \to F^m$ is a linear LDC with 2 queries then $m = \exp(\Omega(n))$. Previously this was only known for fields of size $\ll 2^n$ [GKST01]. 2. We show that from every depth 3 arithmetic circuit (ΣΠΣ circuit), C, with a bounded (constant) top fan-in that computes the zero polynomial, one can construct a locally decodable code. More formally: Assume that C is minimal (no subset of the multiplication gates sums to zero) and simple (no linear function appears in all the multiplication gates). Denote by d the degree of the polynomial computed by C and by r the rank of the linear
Improving the Robustness of Private Information Retrieval
In Proceedings of IEEE Security and Privacy Symposium, 2007
Cited by 46 (16 self)
Since 1995, much work has been done creating protocols for private information retrieval (PIR). Many variants of the basic PIR model have been proposed, including such modifications as computational vs. information-theoretic privacy protection, correctness in the face of servers that fail to respond or that respond incorrectly, and protection of sensitive data against the database servers themselves. In this paper, we improve on the robustness of PIR in a number of ways. First, we present a Byzantine-robust PIR protocol which provides information-theoretic privacy protection against coalitions of up to all but one of the responding servers, improving the previous result by a factor of 3. In addition, our protocol allows for more of the responding servers to return incorrect information while still enabling the user to compute the correct result. We then extend our protocol so that queries have information-theoretic protection if a limited number of servers collude, as before, but still retain computational protection if they all collude. We also extend the protocol to provide information-theoretic protection to the contents of the database against collusions of limited numbers of the database servers, at no additional communication cost or increase in the number of servers. All of our protocols retrieve a block of data with communication cost only O(ℓ) times the size of the block, where ℓ is the number of servers. Finally, we discuss our implementation of these protocols, and measure their performance in order to determine their practicality.
A survey on private information retrieval
Bulletin of the EATCS, 2004
Cited by 44 (1 self)
Alice wants to query a database but she does not want the database to learn what she is querying. She can ask for the entire database. Can she get her query answered with less communication? One model of this problem is Private Information Retrieval, henceforth PIR. We survey results obtained about the PIR model including partial answers to the following questions. (1) What if there are k non-communicating copies of the database but they are computationally unbounded? (2) What if there is only one copy of the database and it is computationally bounded?
Almost Optimal Private Information Retrieval
In 2nd Workshop on Privacy Enhancing Technologies (PET2002)
Cited by 43 (2 self)
A private information retrieval (PIR) protocol allows a user to retrieve one of N records from a database while hiding the identity of the record from the database server.
Improved Lower Bounds for Locally Decodable Codes and Private Information Retrieval
2004
Cited by 40 (3 self)
We prove new lower bounds for locally decodable codes and private information retrieval. We show that a 2-query LDC encoding n-bit strings over an ℓ-bit alphabet, where the decoder only uses b bits of each queried position of the codeword, needs code length m = exp Ω
Revisiting the Computational Practicality of Private Information Retrieval
2010
Cited by 31 (5 self)
The retrieval of information from a remote database server typically demands providing the server with some search terms to assist with the retrieval task. However, keeping the search terms private without undermining the server’s ability to retrieve the desired information is a common requirement for many privacy-preserving systems. Private information retrieval (PIR) provides a cryptographic means for retrieving data from a database without the database or database administrator learning any information about which particular item was retrieved. In 2007, Sion and Carbunar considered the practicality of single-server computational PIR schemes and concluded that no existing construction is as efficient as the trivial PIR scheme—the server transferring its entire database to the client. While often cited as evidence that PIR is impractical, that paper did not examine multi-server information-theoretic PIR schemes, which are orders of magnitude more computationally efficient; further, a single-server lattice-based scheme by Aguilar-Melchor and Gaborit has recently been introduced, which is also much more computationally efficient than the schemes examined by Sion and Carbunar. In this paper, we report on a performance analysis of the above single-server lattice-based PIR scheme as well as two multi-server information-theoretic PIR schemes by Chor et al. and by Goldberg. Using analytical and experimental techniques, we find the end-to-end response times of these schemes to be one to three orders of magnitude (10–1000 times) smaller than the trivial scheme for realistic computation powers and network bandwidths. Our result
General Constructions for Information-Theoretic Private Information Retrieval
2003
Cited by 23 (0 self)
A Private Information Retrieval (PIR) protocol enables a user to retrieve a data item from a database while hiding the identity of the item being retrieved; specifically, in a t-private, k-server PIR protocol the database is replicated among k servers, and the user's privacy is protected from any collusion of up to t servers. The main cost measure of such protocols is the communication complexity of retrieving a single bit of data. This work addresses the information-theoretic setting for PIR, where the user's privacy should be unconditionally protected against computationally unbounded servers. We present a general construction, whose abstract components can be instantiated to yield both old and new families of PIR protocols. A main ingredient in the new protocols is a generalization of a solution by Babai, Kimmel, and Lokam for a communication complexity problem in the multiparty simultaneous messages model. Our protocols simplify and improve upon previous ones, and resolve some previous anomalies. In particular, we get: (1) 1-private k-server PIR protocols with $O(k^3 n^{1/(2k-1)})$ communication bits, where n is the database size; (2) t-private k-server protocols with $O(n^{1/\lfloor (2k-1)/t \rfloor})$ communication bits, for any constant integers $k > t \ge 1$; and (3) t-private k-server protocols in which the user sends $O(\log n)$ bits to each server and receives $O(n^{t/k+\epsilon})$ bits in return, for any constant integers $k > t \ge 1$ and constant $\epsilon > 0$. The latter protocols have applications to the construction of efficient families of locally decodable codes over large alphabets and to PIR protocols with reduced work by the servers.