The present application is a National Phase entry of PCT Application No. PCT/EP2015/058103, filed Apr. 14, 2015, which claims priority to EP14305549.9, filed Apr. 14, 2014 the contents of each being incorporated herein by reference in their entireties.
The invention relates to storage of information in data storage servers, queries made to databases, and privacy of such queries.
Many documents and databases are nowadays stored in outsourced data storage servers. This trend is stressed further with the cloudification of many services and companies' information systems. While such outsourced databases are cheap to maintain and efficient to retrieve up-to-date information they can pose significant risks from a security or privacy perspective. Some solutions have been proposed so as to secure outsourced data storage on multiple clouds but they do not tackle the issue of privacy. Indeed by accessing a database the entity storing the database learns the queries of the queriers or users which might be a problem if the user's intentions are to be kept secret. For example, investors querying a stock-market database for the current market value of certain stocks might prefer not to reveal their interest in the stocks because it could inadvertently influence their price. Alternatively, companies might want to search for certain patents without revealing the patents' identities.
Private information retrieval—PIR—schemes are cryptographic protocols that allow clients to retrieve records from outsourced databases or clouds while completely hiding the identity of the retrieved records from database owners. There are two flavors of PIR either information theoretic PIR or Computational PIR. The latter provides a weaker security guarantee and we thus focus on information theoretic PIR which provides absolute guarantee that the servers get no information about what the user wants. Information-theoretic PIR is only possible in a multi-server setting with some replication across these servers. There is an extensive body of work that provides solutions to this problem based on coding theory and more particularly locally decodable codes or LDCs. However current solutions require a lot of replication. Basically if/is the locality of the LDC then the whole database needs to be encoded first which results in a first factor of increase of the size of the database and then the whole encoded database needs to be replicated/times on/different servers.
Suppose we have a database composed of n elements for example E1, . . . , En. Current solutions encode the database in a codeword of N symbols S1, . . . , SN with N>n and then store I copies of the encoded database at I different servers where I is the locality of the code. To retrieve a symbol Si without revealing it, the user has to retrieve one symbol from each server, none of them being Si. The user thus gets I symbols and by local decoding can compute Si. The symbols retrieved are not random, they are chosen according to a decoding algorithm, which indicates that one has to retrieve symbols Sj1, . . . , SjI in order to be able to compute Si. To make sure that the given symbols can always be retrieved, the existing protocols store all symbols on all servers, which means that the whole codeword of length N is replicated I times.
The technical problem to solve is to allow storage of a collection of documents or of databases in a plurality of outsourced storage entities or clouds while offering the possibility for users to query a piece of information from the database without revealing their query and in particular without revealing the piece of information to the servers or clouds, and while reducing the storage overhead of current solutions.
This goal is achieved thanks to the invention by means of the subject matter of claim 1.
Other features goals and advantages of the invention will appear throughout the here-under detailed description which refers to the attached figures on which:
On the attached figure a database is represented which is composed of n elements E1, . . . , En.
In the present embodiment the symbols are thus organized and placed in such a way that only N/(I+1) symbols are stored at each server so in total the N symbols are stored and an additional small constraint is imposed on the decoding algorithm to make sure that it requires one symbol from each server. To be more precise, the codeword symbols or encoded database belong to a m-dimensional vector space over the finite field of cardinality I+1. A hyperplane in this space is an (m−1)−dimensional subspace. We arrange the symbols in (I+1) hyperplanes, and the user or client or querier or possibly broker will ask the symbols according to a line the direction of which is transversal, i.e. not parallel, to the direction of the hyperplanes. The benefit is of major importance: it reduces the storage overhead by a factor of I+1.
An (I,d)-locally decodable code allows to probilistically retrieve a particular symbol of a message by looking at only I randomly chosen coordinates of its possibly corrupted encoding, in such a way that the decoding still succeeds with probability greater that ⅔ even if a fraction of d symbols of the encoded data is corrupted. I is then the locality of the code.
On the attached figure clients or users or customers are represented under reference C. Storage providers e.g. cloud storage providers are represented under references SP1, SP2 . . . . Queriers Q want to access stored data. Brokers B1, B2 are represented. The role of such brokers, which are not necessary, is to facilitate some operations or perform them on behalf of C or Q. In the present example, the Clients C has outsourced data storage to SPs SP1, SP2, SP3 and SP4. Queriers Q want to access part of the stored data. For confidentiality reasons or to protect their privacy, Q do not want SPs to know which data or information it accessed. Once stored, SPs provides an API for Q to retrieve data based here on an identifier which is a concatenation of the name of the database in case there are several databases and of the index of the element in the database. SPs do not implement specific mechanisms to allow private information retrieval, they are classical storage providers. Brokers B1, B2 are either trusted, for example in the organisation of the entity which trusts them or an independent entity depending on the task that they perform. The storage of information is here implemented in the following manner. In a first step, client C encodes his database composed of n elements E1, . . . , En using an appropriate coding algorithm, a locally decodable code for example multiplicity codes. The database of n elements becomes encoded in N symbols S1, . . . , SN with N>n. This first step can be performed also by a first broker B1 which has to be trusted by C in that it does not reveal information to SPs. I being for example the value of the locality of the locally decodable code, the N symbols are divided in (I+1) groups, each group containing the symbols corresponding to one hyperplane of the total space, resulting in groups G1, . . . , GI+1. Optionally this operation could be performed by the same trusted broker B1. The output of this step whether implemented by client C or by broker B1 is a function or table T1 indicating in which group a symbol Si can be found. On the attached figure the locally decodable code has locality 3.
Then each group of symbols is stored at a service provider SP. The choice of SP can depend on many parameters such as cost, latency, reliability and so on. To take into account these aspects, the dispatching and storage can be taken care of by a second broker B2, which simply needs to return a map between a group index and a storage provider. This map is typically represented in a table T2 of I+1 rows where row number i indicates the storage provider corresponding to Gi, and so on. Broker B2 does not need to be strongly trusted by client C, it could even be a service offered by one of the service providers. Client C simply advantageously checks that all the service providers SPs in the table T2 are distinct to each other so as to avoid collusions in a later step.
The query of information is here carried out in the following manner. When a querier Q wants to retrieve a given symbol, it first needs to retrieve the name of the database. The name of the database is usually public knowledge but in case client C wants to control access to his information, client C could force queriers to request permission first by keeping this knowledge secret or delegating this task to the trusted broker B1.
The querier is interested in Si but he needs to express his query as a set of I+1 queries Sj1, . . . , Sj(I+1) determined by the decoding algorithm. More precisely it picks a direction at random but not parallel to the hyperplanes direction and then computes the points Sj1, . . . , Sj(I+1) that he has to query. This computation could be performed by a broker B3 trusted by querier Q.
The querier Q or the broker B3 needs then to obtain T1 to determine to which group each Sji belongs and T2 to know where each group is stored. The querier or the broker B3 then fetches the Sj1, . . . , Sj(I+1) from the corresponding SPs and locally decodes them to obtain Si. One advantage of this method is that the method works with any PIR scheme based on multiplicity codes and presumably any locally decodable code. The protocol ensures that every individual server gets no information about the identity of the element the querier is interested in. The method divides the global storage overhead compared to existing solutions at least by a factor of I+1 where I is the locality of the decoding method. By fine tuning the parameters, it is possible to allow recovery from the defect of a number of SPs, which means that the method features inherent error-correcting capabilities and failure resilience. Fine tuning parameters can also allow to take into account collusion of a number of SPs without compromising security, i.e. secrecy of the query in this case. The brokers B1 and B3 can perform computations on behalf of C and Q respectively as long as they do not give information to the servers. The broker B2 is interesting as it can decide on the selection of SPs without the need to be trusted from a security perspective.
From the symbols it is possible to get back original documents by specific decoding mechanisms.
In the query phase of the present example querier Q sends the query to broker B3, which expresses it as several symbols, requests table T1 from broker B1 and table T2 from broker B2, and then requests the symbols from the corresponding SPs, the correspondence being here possible thanks to the tables. After receiving the requested symbols, broker B3 locally decodes them and sends the requested symbol back to querier Q.
According to more precise aspects of the presently described embodiment of the invention,
A code in the ambient space encodes vectors of length k into codevectors, or codewords of length n>k. The problem of decoding is to find codewords close to an element y in the ambient space. Formally, given a code C⊂Σn, a distance d( ), for a given y=(y1, . . . , yn)∈ΣN, one has to find codewords c∈C such that d(c,y) is small. In our setting, the distance d(x,y) is the Hamming distance which is the number of indices i where xi≠yi.
Locally decodable codes, in short LDCs, allow efficient sublinear-time decoding. More precisely, an l-query LDC allows to probabilistically recover any symbol of a message by looking at only l<<k randomly chosen coordinates of its—possibly corrupted—encoding. Although LDCs appeared in the PCP literature in early 90s [?], their first formal definition is due to Katz and Trevisan in 2000 [5]. The number (of queried symbols is the query complexity, that we also call here locality. The oldest class of LDCs are the Reed-Muller codes over q, whose codewords are the evaluations of m-variate polynomials of total degree at most d over q on points of gm. Formally:
A code C: Δk→ΣN is (l,δ)-locally decodable if there exists a randomized decoding algorithm A such that
1. given x∈Δk and y∈Σn with d(C(x),y)<δn, we have, for all i∈[k],
Pr[Ay(i)=xi]≥⅔,
where the probability is taken over all the random coin tosses of A.
2. A makes at most l queries to y.
Here Ay means that A is given query access to y.
In the case when one wants to probabilistically recover any codeword symbol and not only information symbols, one has the following A code C: Δk→Σn is (l, δ)-locally self-correctable (LCC) if there exists a randomized decoding algorithm A such that
1. given a codeword c∈Σn and y∈Σn with d(c,y)<δn, we have, for all i ∈[k],
Pr[Ay(i)=ci]≥⅔,
where the probability is taken over all the random coin tosses of A.
2. A makes at most l queries to y.
Note that one can easily construct an LDC from a linear LCC [9].
No known constructions of LDCs or LCCs minimize both l and the length n simultaneously. The main issues are thus to minimize one parameter given that the other one is fixed. With this respect, constructions of subexponential length codes with constant query complexity l≥3 exist [8]. On the other side, constant rate LDCs feature an l which is known to lie between Ω (log k) and ⊖(k1), with explicit constructions for the latter bound. A major result is the construction of high-rate (i.e. >½) locally self-correctable codes with sublinear query complexity, in the presence of a constant (as a function of the distance of the code) fraction of errors. Those codes are known as Multiplicity Codes and were introduced by Kopparty, Saraf and Yekhanin in 2011 [6]. They generalize the Reed-Muller codes by evaluating high degree multivariate polynomials as well as their partial derivatives up to some order. Using high-degree polynomials improves on the rate, while evaluating their partial derivatives compensates for the loss in distance.
The problem of Private Information retrieval was introduced in 1995 by Chor, Goldreich, Kushilevitz and Sudan [2]. A PIR protocol is a cryptographic protocol the purpose of which is to protect the privacy of a user accessing a public database via a server, in the sense that it makes it possible for a user to query a particular record of the database without revealing to the server which record he wants to retrieve (a.k.a. query anonymity). We here deal with information theoretic PIR, as opposed to computationally secure PIR [7]. In an IT PIR setting, a server gets no information about the identity of the record of user interest even if it has unlimited computing power. In [2] it is shown that when accessing a single database, to completely guarantee the privacy of the user in an information theoretic sense, one needs to download the entire database, which results in a communication complexity of O(n), n being the bit length of the database. Thus they have introduced scenarios where the database is replicated across several, say l servers, and proposed schemes with communication complexity O , for l≥3. Such multiple-server settings have been investigated since then, and the best communication complexity to date is
Katz & Trevisan [5], introduced a notion very close to locally decodable codes: that of smooth codes. Smooth codes capture the idea that a decoder cannot read the same index too often: informally, for fixed l and c, in an (l, c)-smooth code, the decoder, querying at most l indices from a valid codeword, cannot query an index more than c/m times. In [5], it is shown that an (l, δ)-LDC is an (l, c=l/δ)-smooth code.
Uniform distribution of the queries among codeword (or received word) coordinates is just had we need in the PIR setting in order to achieve information theoretic privacy of the queries. The locality as a core feature of LDCs, together with the fact that in all known constructions of LDCs the queries made by the local decoding algorithm A are uniformly distributed, make the application of LDCs to PIR schemes quite natural. The lemma below describes how it formally works.
Note also that PIR schemes can be used to build LDCs with best asymptotic code-lengths. In fact, as quoted in [1], “any information-theoretic PIR protocol can be converted into an LDC of related efficiency”.
We model the database as a Δ-ary string x of length k. An l-server PIR scheme involves l servers S1, . . . , Sl, each holding the same database x, and a user who knows k and wants to retrieve some value xi, i∈[k] without revealing any information about i to the servers.
An l-server p-PIR protocol is a triple (Q, A, R) of algorithms running as follows:
Privacy: each server individually gets no information about i. In other words, ∀j∈[l] the distribution of the random variables Q(i,′)j are identical for all i∈[k].
Note that Yekhanin [8] considers that the triple of algorithms (Q, A, C) are non-uniform, so that the length k is given as an advice.
Suppose there exists an l-query locally decodable code C: Δk→Σn, in which each decoder's query is uniformly distributed over the set of codeword coordinates. Then there exists an l-server 1-PIR protocol with O(l log(n|Σ|)) communication to access a database x∈Δk.
Proof: given an LDC C: Δk→Σn as in the lemma, one constructs the following PIR protocol:
User applies the local decoding algorithm of C to recover xi.
This protocol has the communication complexity claimed in the lemma. Furthermore, as the user applies the local decoding algorithm with non corrupted inputs
he retrieves xi with probability 1. Uniformity of the distribution of the decoder's queries over [n] ensures the information-theoretic privacy of the protocol. We will use LDCs, namely multiplicity codes, in PIR scenarios.
Considering m indeterminate X1, . . . , Xm, and m positive integers i1, . . . , im, we use the short-hand notation
X=(X1, . . . ,Xm)
q[X]=q[x1, . . . ,xm]
i=(t1, . . . ,tm)∈n
P=(p1, . . . ,pm)∈qm
|i|=i1+ . . . +im
xii1i
i.e. we use bold symbols for vectors, points, etc, and standard symbols for uni-dimensional scalars, variables, etc. In general, we write polynomials Q ∈q[X]=q[X1, . . . , Xm] without parenthesis and without variables, and Q(X) (resp. Q(P)) when the evaluation on indeterminates (resp. points) has to be specified.
Given a multi-index i, and F∈q[x], the i-th Hasse derivative of F, noted by H(F, i) is the coefficient of zi in the polynomial F(x+z)∈q[x,z], where Z=(Z1, . . . , Zm). More specifically, let F(X)=fjXj, then
Considering a vector V∈qm\{0}, and a base point P, we consider the restriction of F to the line
D={P+tV:t∈}
which is a univariate polynomial that we denote FP,V(T)=F(P+TV)∈q[T]. This polynomial has Hasse derivatives on its own, and we have the following relations:
Considering the finite field q with q elements, we enumerate it as
q={a0=0,a1, . . . ,aq-1}.
We denote q[X]d the set of polynomials of degree less than or equal to d, which has dimension
We enumerate all the points in qm:
qm={P1, . . . ,Pn} (5)
Where Pi=(Pi,1, . . . , Pi,m)∈qm, is a m-tuple of q-symbols, and n=qm. We encode a polynomial F of degree less than d into a codeword c of length n using the evaluation map
ev: q[x]d→qn
F(F(P1), . . . ,F(Pn))
and the d-th order Reed-Muller code is
RMd=[ev(F)|F∈q[X]d].
The evaluation map ev encodes k symbols into n symbols, and the rate is R=k|n∈[0,1]. A codeword c∈RMd can be indexed by integers as
c=(c1, . . . ,c)
or by points as
Where ci=cp
Then, the points R1, . . . , Rq-1 are sent as queries, and the decoding algorithm receives the answer:
(yR
In the case of no errors, (yR
cR
where
FP,V=F(Pj+T·V)∈q[T] (6)
is the restriction of F to the line D, which is a univariate polynomial of degree less than or equal to d, i.e. (cR
The main drawback of these codes is the condition d<q, which imposes a dimension
For a fixed alphabet and thus a small locality, the rate R=k/qm<1/m! goes to zero very fast when the codes get longer.
To obtain codes with higher rates, we need a derivation order s>0 and an extended notion of evaluation. There are
Hass derivatives H(F,i) of a polynomial F for multi-indices i such that |i|<s. Denoting Σ=Qσ, we generalize the evaluation map at a point P:
ev3P:q[X]→qσ
F(H(F,i)(P))|i|<3
and, given an enumeration of the points as in Eq. (5), the total evaluation rule is
ev3:q[X]→Θn
F(evP13(F), . . . ,evP
As in the case of classical Reed-Muller codes, we denote by (c1, . . . , cn)=(cP
m−RNd3{ev3(F)|F∈q[X]d}
Using the language of locally decodable codes, we have a code m−RMds:Δk→Θn with Δ=q, and Σ=qσ. The code RMds, is a q-linear space, whose dimension over q is
Its rate is
with a locality of
queries, as follows. For simplicity, we only recall the decoding algorithm, in the error-free case. Suppose that cj=cP
Vi∈qm\{0}, i=1, . . . , σ. For each vi, i=1, . . . , σ, consider the line of direction Vi passing through Pj:
For each i, 1≤i≤σ, the algorithm output the queries corresponding to the points Ri,1, . . . , Ri,q-1, and gets the answers
(yP
In the case of no errors, we have
yP
and, cP
FP
Use a Reed-Solomon decoding algorithm adapted to the multiplicity case [3], that we recall in Appendix, one can recover:
FP
as a univariate polynomial, even when a large number of errors occurs. Now, from Eq. (2), for 0≤t≤s−1, the t-th coefficient of FP
For a given t as above, for a given direction, we have one linear equation vi,1≤i≤σ, in the indeterminates H (F, v)(Pj), |v|=t. Considering all the σ directions, we get a linear system of σ equations. Solving it gives all the Hasse derivatives of order t, H(F,v)(Pj),|v|=t. Doing that for each t=0, . . . , s−1 permits to recover evs(F, Pj)=cP
The decoding algorithm of [6] is actually much more elaborate, and deals with more erros. However, for our concerns, the simplified version is sufficient.
Considering m−RMds, we show how to equally share a codeword
c=ev3(f)=(evP13(f), . . . ,evPn3(f))
on l=q servers, using the geometry of zm. This is done as follows: consider H a q-linear subspace of qm of dimension m−1. It can be seen as the kernel of a linear map
for some (h1, . . . hm)∈qm\{0}. We write qm as disjoint union of affine hyperplanes
qm=H0∪H1Å . . . ∪Hq-1
where
Hi={P∈qm|fH(P)=αi},i=0, . . . ,q−1
Up to a permutation of the coordinates, we can write
c=(cH
where
cH
Now consider an affine line, which is transversal to all the hyperplanes. It is a line which can be given by any direction V passing and a point P, as long as fn(V)≠0:
D={P+t·v|t∈q}.
Then, since V∉H we have that
D∩Hi={Qi}, i=0, . . . ,q−1
for some points Q0, . . . , Qq-1, i.e. the line D is transversal to all the hyperplanes. Now, it is easy to see that Algorithm 1 works as long as the vector V picked in Step 2 of 1 does not belong to h. Algorithm 2 also, although it needs more details to be explained.
As an example, consider the q-linear hyperplane h of qm:
H={P=(x1, . . . , xm)|xm=0},
then we have
qn=H0∪H1∪ . . . ∪Hq-1
Where
Hi={P=(x1, . . . ,xm)∈qn|xm=αi}, i=0, . . . ,q−1
Assuming that qm is split as qm=H0∪H1∪ . . . ∪Hq-1, the PIR schemes can be built by requiring that clear, for i=1, . . . , q, each server Si will be given cH
Di, i=1, . . . σ, which passes through the point Pj which corresponds to the requested symbol, and query each server Si at the point D∩Hi. In algorithm 2 2, the main and only change is to make sure that all σ lines are indeed transversal to the chosen hyperplanes.
Note that the locality of the locality code does not map to the number of servers: while the codes have a locality of qσ, the number of requested servers is still q. Yet the number of queries is still qσ, each server receiving σ queries.
A difficulty occurs in the sense the code requires (q−1) queries along each line. In our context, when Pi is requested, all σ lines have to pass through Pi. The requests sent to the codeword corresponds to q−1 points different from Pi on each line. Using our example, assume Pj=(x1, . . . , xm) with xm=αi, for some i. Then, no queries has to be sent to the i-th server who stores the cH
Using the notation of Algorithm 2, a solution to this problem is to send σ random query xu,i, u=1, . . . , σ, to server Si. This is enough to obfuscate server Si (
The protocol described above can be summed up as follows:
Preprocessing Phase.
The user, or any trusted party
1. chooses q, m, d, s so that the original data x of bitlength k can be encoded using the multiplicity code of order s evaluations of polynomials of degree≤d in m variables over qm; namely choose the parameters so that;
The user wants to retrieve evPjs(F) for an index j∈[n]
User selects σ lines Di, 1≤i≤σ which are transversal to the hyperplanes and which pass through Pj;
to serve l. User sends σ random queries Xi,u, i=1, . . . σ, to server Su, u is being such that Di∩Hu=Pj, i=1, . . . , σ
Number | Date | Country | Kind |
---|---|---|---|
14305549 | Apr 2014 | EP | regional |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2015/058103 | 4/14/2015 | WO | 00 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2015/158733 | 10/22/2015 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
20120185437 | Pavlov | Jul 2012 | A1 |
20120246547 | Yekhanin | Sep 2012 | A1 |
20130336589 | Takahashi | Dec 2013 | A1 |
Entry |
---|
New Locally Decodable Codes and Private Information Retrieval Schemes|Sergey Yekhanin|2006|pp. 1-14. |
Woodruff et al., “A Geometric Approach to Information—Theoretic Private Information Retrieval”, Proceedings of the twentieth Annual IEEE Conference on Computational Complexity. Jun. 11, 2005. |
Barkol, et al., “On Locally Decodable Codes, Self-Correctable Codes, and t-Private PIR”, Algorithmica (2010). vol. 58., No. 4., Published online Jan. 27, 2009. |
Beimel et al., “Robust-Information—Theoretic Private Information Retrieval”, Journal of Cryptology. Jul. 1, 2007, 14 pages.DOI:10.1007/s00145-007-0424-2. |
Guo et al., “New Affine-Invariant Codes from Lifting”, Nov. 9, 2012. 27 pages. |
Devet et al., “Optimally Robust Private information Retrieval”, International Association for Cryptologic Research, vol. 20120622:115220. Jun. 22, 2012. 16 pages. |
Devet et al., “Optimally Robust Private Information Retrieval”, USENIX Apr. 11, 2013. 15 pages. |
International Search Report and Written Opinion for International Application No. PCT/EP2015/058103 dated Jul. 20, 2015. |
Biemel et al., “Breaking the nl (^K˜I) barrier for information-theoretic private information retrieval” Foundations of Computer Science, 2002. Proceedings, The 43rd Annual IEEE Symposium on, vol. 59, pp. 261-270, 2002. |
Chor et al., “Private Information Retrieval”, Journal of ACM 45(6):965-981. Apr. 21, 1998. |
Gemmell et al., “Highly Resilient Correctors for Polynomials” Information Processing Letters, 43(4):1 69-1 74, Sep. 1992. |
Guruswami et al., “Linear-algebraic list decoding for variants of reed-solomon codes. Information Theory”, IEEE Transactions on, 59(6) :3257- 3268, Jun. 2013. Abstract provided. |
Katz et al., “On the efficiency of local decoding procedures for error-correcting codes”, Proceedings of the Thirtysecond Annual ACM Symposium on Theory of Computing, ACM, (2000). |
Kopparty et al., “High-rate codes with sublinear-time decoding”, Proceedings of the Forty-third Annual ACM Symposium on Theory of Computing, STOC'11, pp. 167-176, New York, NY, USA, 2011 . ACM. |
Kushilevitz et al., “Replication is not needed: single database, computationally-private information retrieval”, Computer Science, 1997. Proceedings. 38th Annual Symposium on, pp. 364-373, Oct. 1997. |
Yekhanin, “Locally Decodable Codes and Private Information Retrieval Schemes”, Information security and cryptography. Springer, 2010. Abstract, Preface and Introduction provided. |
Yekhanin, “Locally Decodable, Codes, vol. 6 of Foundations and Trends in Theoretical Computer Science”. NOW publisher, 2012. Abstract and Introduction provided. |
Number | Date | Country | |
---|---|---|---|
20170032142 A1 | Feb 2017 | US |