On the Practicality of PIR - Radu Sion
On the Practicality of PIR - Radu Sion
On the Practicality of PIR - Radu Sion
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Network Security and Applied<br />
Cryptography Laboratory<br />
http://crypto.cs.stonybrook.edu<br />
<strong>On</strong> <strong>the</strong> <strong>Practicality</strong> <strong>of</strong> <strong>PIR</strong><br />
<strong>Radu</strong> <strong>Sion</strong><br />
Stony Brook NSAC Lab<br />
sion@cs.stonybrook.edu<br />
Carbunar Bogdan<br />
Motorola Labs<br />
carbunar@motorola.com<br />
ver. 2.1 (2/25/2007)<br />
© 2005-07. All Rights Reserved.
What is <strong>PIR</strong> ?<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Initial concerns:<br />
communication<br />
complexity<br />
Today: is endto-end<br />
picture<br />
practical ?<br />
bit string d[n]<br />
x<br />
x<br />
1<br />
2<br />
3<br />
work<br />
interaction<br />
x<br />
x<br />
work<br />
Alice<br />
Question d[i]=?<br />
x<br />
x<br />
x<br />
n-2<br />
n-1<br />
n<br />
i<br />
Bob<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
2
What is “practical” ?<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Many things.<br />
But <strong>of</strong>ten, in real life, <strong>the</strong>se are<br />
defined by execution time.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
3
What is a practical <strong>PIR</strong> protocol ?<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Baseline: a cheaper <strong>PIR</strong> protocol than<br />
trivial database transfer (for now !).<br />
What is cheaper ?<br />
Often, ”not slower”.<br />
Faster. Not always !<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
4
Time to “illustrate” …<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
… we choose: E. Kushilevitz and R. Ostrovsky,<br />
“Replication is not needed: single database,<br />
computationally-private information retrieval”, FOCS 1997.<br />
Why ?<br />
It is <strong>the</strong> least computationally expensive and arguably <strong>the</strong><br />
fastest <strong>of</strong> <strong>the</strong> bunch.<br />
The results can be applied to all 7+ single-server<br />
computational protocols we looked at (based on wellestablished<br />
intractability assumptions)<br />
They also apply to any protocol with a per-bit cost ><br />
fraction (e.g., 1/10) <strong>of</strong> <strong>the</strong> cost <strong>of</strong> a modular multiplication.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
5
Protocol overview<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
bit string d[n]<br />
3<br />
Π(v[i]*d[i]) = QNR ?<br />
yes<br />
d[i]=1<br />
Question d[i]=?<br />
QR 1<br />
QR 2<br />
QR 3<br />
.<br />
QR i-1<br />
QNR<br />
QR i+1<br />
.<br />
QR n-2<br />
QR n-1<br />
QR n<br />
v[i] 1<br />
Π(v[i]*d[i])<br />
Perform same<br />
protocol per<br />
column and<br />
look at returned<br />
product <strong>of</strong><br />
interest<br />
2<br />
x<br />
x<br />
x<br />
x<br />
x<br />
x<br />
x<br />
1<br />
2<br />
3<br />
n-2<br />
n-1<br />
n<br />
escape O(n) costs<br />
i<br />
n<br />
x<br />
x<br />
x<br />
x<br />
x<br />
n<br />
x<br />
x<br />
Π 1 Π 2<br />
... Π 3<br />
client<br />
server<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
6
Execution time analysis<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>PIR</strong>-favorable simplification: we ignore anything else<br />
but <strong>the</strong> server-side modular multiplication costs.<br />
Conclusion: <strong>PIR</strong> is “practical” iff. per-bit serverside<br />
complexity is faster than bit transfer.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
7
RSA Key Size Schedules<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
8
Past: MIPS Schedule<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
Note: 15MBps/5MBps costs $29.95/mo.<br />
9
Past: 1 bit multiplication vs. transfer<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
10
Present: Hardware<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Illustrative baseline. Results hold within orders <strong>of</strong> magnitude<br />
(e.g., if chip would be ten times faster). Wide spread. Fast<br />
ALUs. Setup: 3.6GHz, 1GB RAM. 11000 MIPS (Intel).<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
11
Present: Benchmarks<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
1024 bit values: 273,000 mod. mul. / sec.<br />
<strong>PIR</strong>-processing one bit: >>3700 ns<br />
10MBps transfer: ~100-120 ns<br />
Trivial transfer is 35+ times faster than <strong>PIR</strong>.<br />
Question: But what about faster hardware ?<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
12
Present: Low bandwidth conditions<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Conclusion: Today’s<br />
<strong>PIR</strong> protocols become<br />
usable for low (tens <strong>of</strong><br />
KBps) bandwidths.<br />
But: … at additional<br />
computation costs ☺<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
13
Future: Moore Says ☺ …<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
14
Future: CPU Speed follows Moore !<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Source: “Gigascale Integration-Challenges and Opportunities”,<br />
Shekhar Borkar, Director, Circuit Research, Intel Corp.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
15
Network Speed: Nielsen’s Law<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
“high end connection speed<br />
grows 50% per year”<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
16
Future: 1 bit multiplication vs. transfer<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
The wizard predicts …<br />
(logarithmic)<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
17
What about s<strong>PIR</strong> ?<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Here do <strong>PIR</strong> instead: “Naor-<br />
Pinkas <strong>PIR</strong>-S<strong>PIR</strong> reduction”<br />
[56] M. Naor and B. Pinkas.<br />
Oblivious transfer and<br />
polynomial evaluation. In STOC<br />
’99: Proceedings <strong>of</strong> <strong>the</strong> thirtyfirst<br />
annual ACM symposium on<br />
Theory <strong>of</strong> computing, pages<br />
245–254, New York, NY, USA,<br />
1999. ACM Press.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
18
What do we do ?<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
New <strong>PIR</strong> protocols<br />
Gasarch & Yerukhimovich protocol ?!<br />
Gentry & Ramzan ?<br />
Hardware <strong>PIR</strong> (Sean Smith @ Darthmouth)<br />
Weaker privacy metrics (statistical)<br />
Important: use correct baseline for “practical”<br />
compare with application requirements, not<br />
with trivial transfer (e.g., 4TB database –<br />
trivial transfer over 100MBps takes 22+ hrs)<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
19
Trusted Hardware<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
secure<br />
insert/update<br />
arbitrary<br />
private query<br />
Secure<br />
Memory<br />
encrypted query<br />
response<br />
data client<br />
Secure Co-<br />
Processor<br />
Host CPU<br />
Outsourced<br />
Data<br />
(encrypted)<br />
Server Storage<br />
encrypted item<br />
data management server<br />
A secure co-processor on <strong>the</strong> data<br />
management side may allow for significant<br />
leaps in expressivity for queries where privacy<br />
and completeness assurance are important.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
20
IBM 4764<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
RSA1024 Sign: 848/sec<br />
RSA1024 Verify: 1157/sec<br />
3DES: 1-8MB/sec<br />
DES: 1-8MB/sec<br />
SHA1: 1-21MB/sec<br />
IBM 4764-001: 266MHz PowerPC. 64KB battery-backed<br />
SRAM storage. Crypto hardware engines: AES256, DES,<br />
TDES, DSS, SHA-1, MD5, RSA. FIPS 140-2 Level 4 certified.<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
21
IBM 4764 Architecture<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
22
Comparison: Pentium 4<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
Illustrative baseline.<br />
Pentium 4. 3.4GHz.<br />
1GB RAM. 11000 MIPS.<br />
OpenSSL 0.9.7f<br />
DES/CBC: 70MB/sec<br />
RC4: 138MB/sec<br />
MD5: 18-615MB/sec<br />
SHA1: 18-340MB/sec<br />
Modular MUL 1024: 273000/sec<br />
RSA1024 Sign: 261/sec<br />
RSA1024 Verify: 5324/sec<br />
3DES: 26MB/sec<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
23
Sample DON’T<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
queries<br />
crypto work<br />
client/server<br />
interaction<br />
Outsourced<br />
Data<br />
good idea ?<br />
not so sure !<br />
Server Storage<br />
data<br />
client<br />
Host CPU<br />
crypto work<br />
crypto work<br />
“client proxy”<br />
database server<br />
queries<br />
Secure Co-<br />
Processor<br />
data<br />
client<br />
“client-server”<br />
interaction<br />
Host CPU<br />
Outsourced<br />
Data<br />
Server Storage<br />
database server<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
24
in/yes > /dev/lunchtime<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
wet !?<br />
Thank you !<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
25
Protocol overview<br />
Stony Brook Network Security and Applied Cryptography Lab<br />
<strong>Practicality</strong> <strong>of</strong> Private Information Retrieval (NDSS, February 2006)<br />
26