Oblivious Decision Programs from Oblivious Transfer: Efficient Reductions [chapter]

Payman Mohassel, Salman Niksefat
2012 Lecture Notes in Computer Science  
In this paper, we design efficient protocols for a number of private database query problems. Consider a general form of the problem where a client who holds a private input interacts with a server who holds a private decision program (e.g. a decision tree or a branching program) with the goal of evaluating his input on the decision program without learning any additional information. Many known private database queries such as Symmetric PIR, and Private Keyword Search can be formulated as
more » ... al cases of this problem. We design computationally efficient protocols for the above general problem, and a few of its special cases. In addition to being one-round and requiring a small amount of work by the client (in the RAM model), our protocols only require a small number of exponentiations (independent of the server's input) by both parties. Our constructions are, in essence, efficient and black-box reductions of the above problem to 1-out-of-2 oblivious transfer. We prove our protocols secure (private) against malicious adversaries in the standard ideal/real world simulation-based paradigm. The majority of the existing work on the same problems focus on optimizing communication. However, in some environments (supported by a few experimental studies), it is the computation and not the communication that may be the performance bottleneck. Our protocols are suitable alternatives for such scenarios. Currently a visiting PhD candidate at the University of Calgary, Canada community. A few notable examples include private information retrieval and its extensions [22, 12, 19] , or the more recent effort on securely outsourcing computation [14, 10] . Communication vs. Computation. Consider the problem of symmetric private information retrieval (SPIR) [22, 7, 24] . SPIR refers to a PIR scheme with the additional security requirement that the server's database also be kept private. The majority of the research on this problem is focused on improving the communication complexity, because communication between the client and the server is often considered to be the most expensive resource. Despite achieving this goal, other barriers continue to limit realistic deployment of SPIR schemes; the most limiting of which is computation. In particular, while servers often have higher computational resources, they also need to serve a large pool of clients; consequently, even a small increase in the computation of the server for a single run of the protocol, negatively effects its overall performance. Furthermore, a number of experimental studies [31, 29] conclude that, in many network setups where private database queries are likely to be deployed, it is the computation (and not the communication) that might be the performance bottleneck. 3 Unfortunately, given the security requirements for SPIR schemes (or even PIR), it is possible to show that the server's work has to be at least linear in the size of his database (e.g. see [5] ). Hence, there is no hope of achieving better asymptotic efficiency. Nevertheless, the type of operations (e.g. asymmetric vs. symmetric-key) the server performs has a significant effect on the efficiency of the resulting scheme. This is particularly important in real applications since based on existing benchmarks (e.g. http://bench.cr.yp.to) asymmetric operations (e.g. exponentiation) require several thousand times more cpu cycles compared to their symmetric-key counterparts. In all the constructions we are aware of for SPIR, except for one, the number of exponentiations the server has to perform is at least linear in the size of his database. The exception is the construction of Naor and Pinkas [26, 28] , who studied the problem under the different name of 1-out-of-N oblivious transfer (OT N 1 ). The situation, however, is not the same for most generalized variants of SPIR. A number of generalizations and extensions to SPIR have been studied in the literature. Examples include private keyword search [9, 12] , private element rank [11] , and even more generally, the problem of oblivious decision tree, and branching program evaluation [19, 6] . The existing solutions for these problems often require a number of public-key operations that is proportional to the server's input size and hence are not computationally efficient for use in practice. The only exception (with a small number of asymmetric operations) is Yao's garbled circuit protocol which is unsuitable for our applications due to its high computational cost for the client (see the related work section for a more detailed discussion).
doi:10.1007/978-3-642-32946-3_20 fatcat:e54jubylufc5vf3y47iqee6gqi