Private Information Retrieval Based on the Subgroup Membership Problem

Authors

  • Akihiro Yamamura
  • Taiichi Saito
Abstract

Many algorithmic problems that are used to prove the security of cryptographic systems can be characterized as instances of the subgroup membership problem. We then apply the subgroup membership problem to private information retrieval schemes, following the method of Kushilevitz and Ostrovsky. The resulting scheme has the same communication complexity as that of Kushilevitz and Ostrovsky.

1 Private Information Retrieval

Chor, Goldreich, Kushilevitz and Sudan [3] introduced the private information retrieval scheme for remote database access, in which the user can retrieve the data of the user's choice without revealing which data was retrieved. Their scheme attains information-theoretic security; however, the database must be replicated in several locations whose managers are not allowed to communicate with each other. The computational private information retrieval scheme was introduced by Chor and Gilboa [4]. Their scheme attains more efficient communication than the model of Chor, Goldreich, Kushilevitz and Sudan by giving up information-theoretic security; it nevertheless enjoys computational security under the assumption that pseudorandom generators exist. However, their scheme still needs replication of the database. Kushilevitz and Ostrovsky [6] introduced a computational private information retrieval scheme in which only one database is needed. Their scheme depends on the intractability of the quadratic residue problem. Cachin, Micali and Stadler [2] attain greater efficiency, namely polylogarithmic communication complexity: they assume a number-theoretic hypothesis, which they call the Φ assumption, and give up one-round communication in exchange for polylogarithmic communication complexity. However, a rigorous proof of the intractability of the Φ assumption, or of its equivalence to a widely used assumption such as the quadratic residue assumption or integer factorization, is not given in [2]. We summarize the known results on private information retrieval in Table 1 below.
V. Varadharajan and Y. Mu (Eds.): ACISP 2001, LNCS 2119, pp. 206–220, 2001. © Springer-Verlag Berlin Heidelberg 2001

We briefly review the general form of a private information retrieval (PIR for short) scheme. A computational PIR scheme with a single database is a protocol for two players, a user U and a database manager DB. Both are able to perform only probabilistic polynomial-time computation. The database manager DB maintains a database, which is a binary sequence X = x_0 x_1 x_2 ··· x_{n−1}. The goal of the protocol is to allow U to obtain the ith bit x_i of X without leaking any information about the index i to DB. The protocol runs as follows:

Step 1. U computes a query Query(i) using his random tape (coin tosses), which U keeps secret. He then sends Query(i) to DB.

Step 2. DB receives Query(i). He performs a polynomial-time computation on the input X, Query(i) and his random tape. The computation yields the answer Answer(Query(i)), which he sends back to U.

Step 3. U receives Answer(Query(i)). He performs a polynomial-time computation using Answer(Query(i)) and his private information (his random tape). The computation yields the ith bit x_i of the database.

Correctness: For any database sequence X and any query Query(i) for the ith bit of X, U obtains x_i at the end.

Privacy: DB cannot distinguish a query for the ith bit from a query for the jth bit, for any i and j, by a probabilistic polynomial-time computation with non-negligible advantage. Formally, for every constant c, every database length n, any two 1 ≤ i, j ≤ n and every polynomial-size family of circuits C_k, there exists an integer K such that for all k > K

$$\bigl|\Pr[C_k(\mathrm{Query}(i)) = 1] - \Pr[C_k(\mathrm{Query}(j)) = 1]\bigr| < \sigma, \qquad (1.1)$$

where k is the security parameter of the protocol and $\sigma = 1/(\max(k,n))^c$.
Computation: The computations of both DB and U are bounded above by a polynomial in the size n of the database and the security parameter k.

2 Subgroup Membership Problem

The quadratic residue (QR for short) problem and the decision Diffie-Hellman (DDH for short) problem have numerous applications in cryptography and hence have been studied in detail. Our aim in this paper is to generalize and formalize them as the subgroup membership problem and to show that many other algorithmic problems used in public-key cryptography are characterized as the subgroup membership problem as well. Such a unification of the algorithmic problems used in cryptography has not appeared to date, as far as the authors are aware. Widely used assumptions in cryptography are divided into two groups: the algorithmic assumptions related to integer factoring (and the QR problem) and the algorithmic assumptions related to the discrete logarithm problem (and DDH). The first originated from the RSA cryptosystem and

Table 1. Several Private Information Retrieval Schemes. Columns: Scheme | Round Number | Security Assumption | Communication Complexity | Number of DBs.
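The three-step protocol of Section 1, instantiated with the quadratic-residuosity construction of Kushilevitz and Ostrovsky [6] that the abstract builds on, as an added worked example: this is not code from the paper, and the modulus, the database contents and all function names are constructed for illustration. Read through Section 2, the query is a list of elements of the Jacobi-symbol-(+1) group J_N in which exactly one element lies outside the subgroup of quadratic residues QR_N; DB can compute Jacobi symbols without the factorization of N, but deciding membership in QR_N is the subgroup membership problem on which privacy rests.

```python
"""Toy single-database computational PIR in the style of Kushilevitz and
Ostrovsky (quadratic residuosity). Added example for this page, not code
from the paper; modulus, database and names are constructed for illustration."""
import math
import random
from typing import List, Tuple

# Constructed toy modulus N = P*Q with two Blum primes (P, Q = 3 mod 4), so that
# -1 has Jacobi symbol +1 modulo N but is a quadratic non-residue. About 61
# bits: trivially factorable, fine for a demo, useless for security.
P = 1000000007
Q = 2147483647
N = P * Q

_rng = random.SystemRandom()


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0. DB can evaluate this without the
    factors of N, so it sees only that every query element lies in J_N."""
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr(z: int) -> bool:
    """Membership test for the subgroup QR_N of J_N, using the trapdoor
    (the factorization of N). Only the user holds P and Q."""
    return pow(z, (P - 1) // 2, P) == 1 and pow(z, (Q - 1) // 2, Q) == 1


def layout(n_bits: int) -> Tuple[int, int]:
    """View an n-bit database as a rows x cols matrix with cols ~ sqrt(n)."""
    cols = math.isqrt(n_bits)
    if cols * cols < n_bits:
        cols += 1
    rows = (n_bits + cols - 1) // cols
    return rows, cols


def make_query(i: int, n_bits: int) -> List[int]:
    """Step 1 (user). One element of J_N per column: r^2 (a QR) everywhere
    except the target column, which gets -r^2 (a QNR with Jacobi symbol +1).
    The random r values are the user's secret coin tosses."""
    _, cols = layout(n_bits)
    target_col = i % cols
    query = []
    for c in range(cols):
        r = _rng.randrange(2, N)
        while math.gcd(r, N) != 1:
            r = _rng.randrange(2, N)
        y = r * r % N
        query.append((-y) % N if c == target_col else y)
    return query


def answer(bits: List[int], query: List[int]) -> List[int]:
    """Step 2 (DB). For each row multiply y_c for a 1-bit and y_c^2 for a
    0-bit. The row product is a QR exactly when the bit in the target column
    is 0, because only that column's y_c is a non-residue."""
    rows, cols = layout(len(bits))
    out = []
    for r in range(rows):
        z = 1
        for c in range(cols):
            idx = r * cols + c
            bit = bits[idx] if idx < len(bits) else 0  # zero padding
            y = query[c]
            z = z * (y if bit == 1 else y * y % N) % N
        out.append(z)
    return out


def reconstruct(i: int, n_bits: int, ans: List[int]) -> int:
    """Step 3 (user). Apply the QR test to the target row only."""
    _, cols = layout(n_bits)
    return 0 if is_qr(ans[i // cols]) else 1


def pir_fetch(bits: List[int], i: int) -> int:
    """Run Steps 1-3 for index i; communication is cols + rows elements of Z_N."""
    query = make_query(i, len(bits))
    return reconstruct(i, len(bits), answer(bits, query))


# Constructed 20-bit database (a 4 x 5 matrix after layout()).
DB_BITS = [int(b) for b in "11010010111000110101"]

if __name__ == "__main__":
    for i, expected in enumerate(DB_BITS):
        assert pir_fetch(DB_BITS, i) == expected
    print("all %d bits retrieved correctly" % len(DB_BITS))
    # DB's view: every query element has Jacobi symbol +1; nothing marks the target.
    print("Jacobi symbols of a query for bit 7:",
          [jacobi(y, N) for y in make_query(7, len(DB_BITS))])
```

The query carries one group element per column and the answer one per row, so the communication is O(√n) elements of Z_N, which is the cost of the basic Kushilevitz–Ostrovsky scheme. What the paper abstracts away is the pair (J_N, QR_N): the user needs a way to sample members and non-members of the subgroup and a trapdoor for the membership test, while DB must be unable to decide membership. With a 61-bit N as here anyone can factor and read the target column off the query; the privacy claim holds only for moduli of a size where the quadratic residue problem is actually intractable.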


Related resources

Factors Affecting Student's Scientific Information Retrieval based on Fuzzy Logic Method Compared to Traditional Method

Background and aim: The aim of this study was to identify the factors affecting students' performance in information retrieval based on the fuzzy logic method compared to the traditional method. Materials and methods: This survey-descriptive study was performed using a quantitative approach. The research population was 34 PhD students, and a researcher-made questionnaire was used. Data were analyzed...


Private Key based query on encrypted data

Nowadays, users of information systems are inclined to use a central server to decrease data transfer and maintenance costs. Since such a system is not fully trustworthy, users' data are usually kept encrypted. However, encryption is not a panacea for security problems and cannot guarantee data security. In other words, there are some techniques that can endanger the security of encrypted d...


Context-based Information seeking behavior among students of Kharazmi University

Background and Aim: The present study has been done in order to survey contextualized information retrieval behavior by the students of Kharazmi University. Methods: This is descriptive applied research. Statistical population includes all the students currently studying at the Kharazmi University in the time of research. Sample of research includes 196 students selected by convenience sampling...


Replication Is Not Needed

We establish the following, quite unexpected, result: replication of data for the computational Private Information Retrieval problem is not necessary. More specifically, based on the quadratic residuosity assumption, we present a single database, computationally-private information-retrieval scheme with O(n ) communication complexity for any > 0.


Replication is NOT Needed: SINGLE Database, Computationally-Private Information Retrieval

We establish the following, quite unexpected, result: replication of data for the computational Private Information Retrieval problem is not necessary. More specifically, based on the quadratic residuosity assumption, we present a single database, computationally-private information-retrieval scheme with O(n) communication complexity for any > 0.



Publication date: 2001