Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016

Summary. Construct an optimal-rate cryptographic protocol to privately retrieve a database element. The construction is recursive and starts from a semi-good construction. We use complicated techniques from algebra and analysis: Galois theory and the Newton-Puiseux algorithm. Not really much crypto. Getting a good rate is important in other areas of (T)CS, but our techniques seem to be unique.

Motivation. I am boooored, I want to watch a movie. Bob sells them! "Yo, send me Teletubbies 0xABCDEF", accompanied with a payment. But Bob thinks I am a cool guy; I don't want him to know I watch Teletubbies.

Setting. Bob holds n movies movie[1], ..., movie[n], all of the same length; Alice holds index $\in \{1, \ldots, n\}$. Alice generates (pk, sk) and sends Encrypt_pk(index). Bob replies with Encrypt_pk(movie[index]). Alice uses sk to decrypt and obtains movie[index].

Requirements. Correctness: Alice obtains movie[index]. Bob's privacy: Alice obtains only movie[index]. Alice's privacy: Bob obtains no information about index. Efficiency: the protocol should be communication-wise and computation-wise efficient.

Rate. Without privacy the communication is $\log_2 n$ bits for the index plus one movie's worth of bits; the rate compares the useful bits with the bits actually sent. Goal: optimal rate $1 - o(1)$, as close to 1 as possible, so that we get a good rate for practically relevant movie lengths. Some communication overhead is inherent due to privacy.

Prior work (the focus was on minimizing communication as a function of n):
[Lipmaa, 2005]: rate $1/(\log_2 n + 1) - o(1)$
[Gentry, Ramzan 2005]: rate $1/4 - o(1)$
[Lipmaa, 2009]: rate $1/2 - o(1)$
This work: rate $1 - o(1)$
This work focuses on minimizing communication as a function of the movie length.

Tool: additively homomorphic cryptosystem. Additively homomorphic: $\mathrm{Enc}_s(m_1) \cdot \mathrm{Enc}_s(m_2) = \mathrm{Enc}_s(m_1 + m_2)$. Optimal rate: for any m, $|\mathrm{Enc}_s(m)| = |m| + k$, where $s = |m| / k$ and $k = \log N$ is the security parameter (key length); the k extra bits are needed for privacy. The only known optimal-rate additively homomorphic cryptosystems are DJ01 and DJ03. Optimal-rate non-homomorphic cryptosystems, and homomorphic cryptosystems without optimal rate: many candidates.

DJ01: $\mathrm{Enc}_s(m \bmod N^s;\ r) = (1+N)^m \cdot r^{N^s} \bmod N^{s+1}$.
DJ03: $\mathrm{Enc}_s(m \bmod N^s;\ r) = \big(g^r \bmod N,\ (1+N)^m \cdot (h^r \bmod N)^{N^s} \bmod N^{s+1}\big)$.
IND-CPA security: $\mathrm{Enc}_s(m_0)$ and $\mathrm{Enc}_s(m_1)$ are computationally indistinguishable. DJ01 is IND-CPA secure under the DCRA assumption, a tautological but well-known assumption.

Basic w-element CPIR step. Alice transfers $C_i = \mathrm{Enc}_s([\mathrm{index} = i])$ for $i = 1, \ldots, w-1$. Bob computes the missing indicator himself, $C_w = \mathrm{Enc}_s(1) / \prod_{i=1}^{w-1} C_i$, which by additive homomorphism encrypts $1 - \sum_{i<w} [\mathrm{index} = i] = [\mathrm{index} = w]$. The full construction recurses over $m = \log_w n$ levels; the parameters also involve the ratio $(w-1)k$ over the movie length. Quinary decision trees?!

Choosing the parameter means solving a polynomial equation of degree m + 1. In practice m < 15, but still: Abel-Ruffini says degree-(m+1) polynomials cannot be solved (by radicals) in general. We use Galois theory to show that we cannot even do it for $f_4(x, 1)$.

Analysis to the rescue! Newton-Puiseux series: $\sum_{i \ge k} c_i X^{i/n}$ for an integer n. Newton-Puiseux theorem: the solution in x, viewed as a function of y, of any polynomial equation $f(x, y) = 0$ can be expanded as Puiseux series that converge in some neighborhood of the origin. Newton-Puiseux algorithm: given the polynomial $f(x, y)$, it finds such series, first $c_k$, then $c_{k+1}$, and so on.

In practice it suffices to find an integer approximation of s. Recall $s = -\tfrac{1}{2} + \tfrac{m-1}{2} + \cdots$ (the remaining terms of the expansion did not survive extraction). We show $-\tfrac{1}{2} < s < -\tfrac{1}{2} + \tfrac{m-1}{2}$, so the optimal integer s is found by binary search in $\log_2 m \approx \log_2 \log_2 n$ steps, in practice up to 3 steps.

Table (most entries lost in extraction): movie length, expressed as a multiple of k and in KB/MB/GB, the optimal integer s, and the achieved rate, for k = 2048, w = 5, $n = 5^7 = 78125$; one surviving row is a 142.3 MB movie.

Getting an asymptotically good rate is important. Getting the o in $1 - o(1)$ as small as possible is more important: rate > 0.9 for realistic movie sizes! Nice math is also important.

Hierarchy of primitives: a w-element CPIR with rate-optimal output; a rate-optimal $w^m$-element CPIR; a rate-optimal additively homomorphic PKC; a rate-optimal homomorphic PKC for poly-size decision diagrams (decision trees, decision diagrams).

Where this sits: horrible-rate general functionalities (FHE); rate-1 linear functionalities; new: rate-1 poly-size decision diagram functionalities.

Open questions: Simpler analysis? Even smaller o? Computation?

Yet another million-dollar question in cryptography: construct a computationally efficient optimal-rate (additively) homomorphic cryptosystem, for at least the same complexity class.
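As an added worked example (not code from the talk or the paper), the following Python toy implements the DJ01 encryption from the slides, checks the |Enc_s(m)| = |m| + k rate claim, and runs the one-level w-element CPIR step in which Alice sends w - 1 indicator ciphertexts, Bob derives the last one homomorphically and answers with the product of C_i^movie[i]. The primes P and Q (so k is 32 bits instead of the talk's 2048), the function names and the movie values are constructed assumptions; the digit-by-digit discrete log used for decryption is this example's own method, since the slides do not describe decryption.

```python
"""Toy DJ01 (Damgard-Jurik) cryptosystem and the one-level w-element CPIR step.
Added example, not code from the talk or the paper; all parameters are constructed."""
import hashlib
import secrets
from math import gcd

# Constructed toy primes: N is 32 bits, so k = log2 N = 32 (the slides use k = 2048).
# p, q > s + 1 is required by the digit-extraction step in dlog_1N below.
P, Q = 65521, 65519


def keygen(p, q):
    """Return (N, lambda) with N = pq and lambda = lcm(p-1, q-1)."""
    return p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)


N, LAM = keygen(P, Q)


def encrypt(N, s, m, r=None):
    """DJ01: Enc_s(m; r) = (1+N)^m * r^(N^s) mod N^(s+1); plaintext space is Z_{N^s}."""
    mod = N ** (s + 1)
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1   # random unit of Z_N
    return pow(1 + N, m, mod) * pow(r, N ** s, mod) % mod


def dlog_1N(a, N, s):
    """Recover i mod N^s from a = (1+N)^i mod N^(s+1), one base-N digit per round.
    Uses (1+N)^(N^j) = 1 + N^(j+1) (mod N^(j+2)), valid when gcd(N, (s+1)!) = 1."""
    mod = N ** (s + 1)
    i = 0
    for j in range(s):
        digit = ((a % N ** (j + 2)) - 1) // N ** (j + 1)   # a = 1 + digit*N^(j+1) mod N^(j+2)
        i += digit * N ** j
        a = a * pow(pow(1 + N, digit * N ** j, mod), -1, mod) % mod   # strip that digit
    return i


def decrypt(N, lam, s, c):
    """c^lambda = (1+N)^(m*lambda) since r^(N^s * lambda) = 1 mod N^(s+1);
    take the discrete log base (1+N), then divide by lambda mod N^s."""
    mod = N ** (s + 1)
    return dlog_1N(pow(c, lam, mod), N, s) * pow(lam, -1, N ** s) % N ** s


def rate_bits(N, s):
    """(plaintext bits, ciphertext bits): |Enc_s(m)| = |m| + k, output rate s/(s+1)."""
    return (N ** s).bit_length(), (N ** (s + 1)).bit_length()


def cpir_query(N, s, index, w):
    """Alice: C_i = Enc_s([index == i]) for i = 1..w-1 (1-based index as on the slides)."""
    return [encrypt(N, s, int(index == i)) for i in range(1, w)]


def cpir_answer(N, s, query, movies):
    """Bob: C_w = Enc_s(1) / prod_{i<w} C_i encrypts 1 - sum_i [index == i] = [index == w];
    then prod_i C_i^movie[i] encrypts sum_i [index == i] * movie[i] = movie[index].
    Bob never learns which C_i encrypts 1 (IND-CPA of DJ01)."""
    mod = N ** (s + 1)
    assert len(query) == len(movies) - 1
    prod = 1
    for c in query:
        prod = prod * c % mod
    c_last = encrypt(N, s, 1) * pow(prod, -1, mod) % mod
    answer = 1
    for c, movie in zip(query + [c_last], movies):
        answer = answer * pow(c, movie, mod) % mod   # movie < N^s (plaintext-space bound)
    return answer


def run_cpir(index, s=2, w=5):
    """End to end with w constructed movies of |N^s| bits; returns (movies, Alice's result)."""
    size = N ** s
    movies = [int.from_bytes(hashlib.sha512(b"movie %d" % i).digest(), "big") % size
              for i in range(1, w + 1)]
    answer = cpir_answer(N, s, cpir_query(N, s, index, w), movies)
    return movies, decrypt(N, LAM, s, answer)


if __name__ == "__main__":
    movies, got = run_cpir(index=3)
    print("movie[3] recovered:", got == movies[2])
    print("plaintext bits, ciphertext bits:", rate_bits(N, 2))
```

The answer is a single ciphertext of (s + 1)k bits carrying an sk-bit movie, which is the rate-optimal output the slides attribute to this step; the query side still costs w - 1 ciphertexts, which is the overhead the recursive w^m-element construction in the talk amortizes. Rerunning with a larger s shows the output rate s/(s+1) approaching 1.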