Efficient Private Information Retrieval Protocol with Homomorphically Computing Univariate Polynomials
Private information retrieval (PIR) protocol is a powerful cryptographic tool and has received considerable attention in recent years as it can not only help users to retrieve the needed data from database servers but also protect them from being known by the servers. Although many PIR protocols have been proposed, it remains an open problem to design an efficient PIR protocol whose communication overhead is irrelevant to the database size . In this paper, to answer this open problem, we present a new communication-efficient PIR protocol based on our proposed single-ciphertext fully homomorphic encryption (FHE) scheme, which supports unlimited computations with single variable over a single ciphertext even without access to the secret key. Specifically, our proposed PIR protocol is characterized by combining our single-ciphertext FHE with Lagrange interpolating polynomial technique to achieve better communication efficiency. Security analyses show that the proposed PIR protocol can efficiently protect the privacy of the user and the data in the database. In addition, both theoretical analyses and experimental evaluations are conducted, and the results indicate that our proposed PIR protocol is also more efficient and practical than previously reported ones. To the best of our knowledge, our proposed protocol is the first PIR protocol achieving communication efficiency on the user side, irrelevant to the database size .
Private information retrieval (PIR) protocol  is a cryptographic primitive run between database servers and a user. The salient feature of PIR is that it ensures the user can obtain some data from the database servers, while the database servers cannot learn anything about the queries of the user. To obtain the feature, a trivial solution for the user is to download all the data from the database servers and obtain the data he wants to ask at any time. However, this solution wastes plenty of time and storage space for the user since the database servers usually store a huge volume of items. In addition, considering that there are continuous interactions with multiservers at the price of communication costs for the user, many research studies have been focused on the single-server PIR protocol that is composed of only one database server and one query user [1–7].
In 1997, the first single-server PIR protocol was proposed by Kushilevitz and Ostrovsky . They constructed a PIR protocol based on group homomorphism and the quadratic residuosity problem and achieved the communication complexity bits (the symbols are commonly used asymptotic complexity notations. We denote an asymptotic upper bound, noncompact upper bound, and lower bound with , and , respectively) on the user side for database size and any constant . After that, some single-server PIR protocols were also proposed [3–5]. Kushilevitz and Ostrovsky  applied the trapdoor permutation approach to the single-server PIR protocol with communication overhead bits, where is a constant and is the security parameter of the one-way trapdoor permutation. Gentry and Ramzan  presented a single-server PIR protocol based on a slight variation of the computational difficulty of deciding whether a small prime divides Euler’s totient function of any composite integer. The total communication cost of the protocol is 3 messages, each of the size of bits. A PIR protocol was proposed based on group homomorphism by Melchor et al.  of communication bits.
In recent years, with the development of fully homomorphic encryption (FHE) [8, 9], many researchers have turned into utilizing the FHE schemes to construct the single-server PIR protocols [6, 7, 10, 11]. Brakerski and Vaikuntanathan  proposed a brief PIR protocol based on learning with errors (LWE) by using FHE. The FHE DGHV  over the integers was applied to the PIR protocols by Yi et al. . The communication overhead of the PIR protocol is bits and also relies on the size of ciphertext (the security parameter ) in DGHV. Li et al.  modified Brakerski and Vaikuntanathan’s PIR protocol  and united the HAO scheme in  to construct a PIR protocol. However, the main idea of the protocol is similar to invoking the decryption circuit homomorphically, which is expensive and of extremely low efficiency. Aiming at single-server PIR protocols, we notice that all the aforementioned PIR protocols depend on the database size in terms of communication cost. When the size becomes larger, the communication will not be efficient. Therefore, how to efficiently design a PIR protocol with communication overhead , i.e., independent on the database size , becomes an open problem.
In this paper, to address the above open problem, we propose a new FHE scheme with special properties and utilize it to design a new single-server PIR protocol with communication efficiency for any user. To the best of our knowledge, our single-server PIR protocol is the most efficient one in terms of the communication efficiency. In addition, our single-server PIR protocol also allows a user to retrieve positive integer data from the database server, instead of a single bit for every query. Specifically, the main contributions of this paper are threefold:(i)First, in order to achieve communication efficiency on the user side, we design a new kind of FHE scheme called single-ciphertext FHE, which supports unlimited computations with single variable over a single ciphertext without access to the secret key. Our proposed single-ciphertext FHE scheme is characterized with extremely efficient in terms of both encryption and decryption dependent on the truncated polynomial ring. Detailed security analysis illustrates that the proposed FHE scheme is one-way secure, which is exactly equivalent to the 3rd RSA problem.(ii)Second, we take the single-ciphertext FHE as a symmetric encryption scheme and the Lagrange interpolating polynomial technique to construct our single-server PIR protocol. Security analyses show that our proposed PIR protocol can efficiently protect the privacy of the user and the data in the database in our defined security model.(iii)Third, we conduct both theoretical analyses and experimental evaluations to demonstrate that our proposed PIR protocol is indeed efficient in terms of computational complexity and communication overhead. In particular, our proposed protocol is the first PIR protocol, which can achieve communication efficiency, irrelevant to the database size .
The remainder of this paper is organized as follows. We describe some preliminaries in Section 2. Then, in Section 3, we formalize our system model, security model, and design goal. In Section 4, we first present a new single-ciphertext FHE scheme, followed by our single-server communication-efficient PIR protocol. After that, the security analyses and the performance evaluation of our single-server PIR protocol are given in Sections 5 and 6, respectively. Some related works are also discussed in Section 7. Finally, we draw our conclusion in Section 8.
In this section, we first give some notations that will be used throughout this paper and then describe the definitions of the truncated polynomial rings and our proposed single-ciphertext FHE scheme.
In this paper, we denote row vectors by bold letters (e.g., and ), and the symbol represents the -th data in . Some other notations that will be used in this work are listed in Table 1.
2.2. Truncated Polynomial Rings
The truncated polynomial rings will be used as a building block for constructing a special FHE scheme in this work. Essentially, the concept of truncated polynomials is not quite complicated, e.g., an extension field is constructed from defined over a finite field modulo a monic irreducible polynomial , and the NTRU public key cryptosystem  also utilizes a univariate truncated polynomial ring modulo . Though the above examples only involve univariate polynomials, we can extend the situations to the case of bivariate polynomials.
To be specific, we can set to be a standard RSA modulus, namely, is the product of two large primes and . In order to make our proposal more efficient, we consider the RSA cryptosystem  with the encryption public key , from which we define two polynomials and with . We also define a bivariate polynomial setand the additive and multiplicative operations on . Given two bivariate polynomials and , the sum of and is defined as , where . The multiplication can also be defined as . To perform the multiplication, we first carry out the standard polynomial multiplication on . Because the maximum degree with respect to (, respectively) is 2 in (, respectively), the maximum degree of (, respectively) in the multiplication becomes 4. Thus, in the second step, we perform modulo and on the multiplication to truncate it back to the set as follows: replace (, respectively) with (, respectively), and replace (, respectively) with (, respectively). From the definition, one can easily verify that also forms a ring called truncated polynomial ring, and it is denoted as .
2.3. Single-Ciphertext FHE Scheme
In the following, we will formalize the definition of single-ciphertext FHE, together with its security notion. Before that, we first give some necessary descriptions of the special FHE.
The proposed single-ciphertext FHE is a special kind of FHE, which supports unlimited computations with single variable over a single ciphertext without access to the secret key. Different from the general FHE, the evaluation algorithm of our single-ciphertext FHE is subject to performing upon a single ciphertext rather than any multiciphertexts. In other words, our single-ciphertext FHE skips (or aborts) any circuits with multivariables for the general FHE and allows any computations over any circuits with single variable. Compared with the general FHE, our single-ciphertext FHE possesses less functionality due to the single ciphertext, but it still permits any computations on any circuits with single variable. Hence, our single-ciphertext FHE, as a well-suitable cryptographic tool, is enough for the requirements of single-server PIR protocols since the evaluation of the single-server PIR protocols can be regarded as univariate polynomials.
Definition 1. (single-ciphertext FHE scheme). A single-ciphertext FHE scheme consists of four probabilistic polynomial time (PPT) algorithms, namely, key generation, encryption, decryption, and homomorphic evaluation algorithm. The details are as follows:(i)Key generation ( KeyGen()): take the security parameter as the input, and output a public key , an evaluation key , and a secret key (ii)Encryption ( Enc()): using the public key , encrypt a message into a ciphertext , where is the message space(iii)Decryption ( Dec()): using the secret key , decrypt a ciphertext to recover the corresponding message (iv)Evaluation ( Eval()): given a circuit with single variable and a ciphertext with the underlying plaintext , i.e., , the algorithm utilizes the evaluation key to compute a new ciphertext Note that the correctness of decryption requires that the plaintext can be correctly decrypted from the ciphertext, i.e., . The correctness of the homomorphic evaluation requires that the ciphertext can be correctly decrypted into the plaintext , namely, .
Actually, our proposal single-ciphertext FHE scheme performs no noises. Every time an evaluation on the ciphertext is performed, there is no noise to obscure the underlying plaintext. In terms of the noiseless FHE schemes, there is a main drawback: none can be strictly proved secure and feasible in the framework of provable security. For more introduction of noiseless FHE, one can refer to Section 7. Hence, we give the following security definition for our noiseless single-ciphertext FHE scheme.
Definition 2. (the one-way security of single-ciphertext FHE). Given the security parameter , the public key , the evaluation key , and a ciphertext with the underlying plaintext , it should be difficult for any PPT adversary to find from the ciphertext such that . Formally, we require that for any PPT adversary , we havewhere represents a negligible function.
Different from general security notions such as indistinguishability under chosen-plaintext attack (IND-CPA) and indistinguishability under chosen-ciphertext attack (IND-CCA1) of known FHE schemes [8–10, 12, 17–22] (FHE essentially supports malleability on ciphertexts and hence cannot obtain the highest security goal, namely, indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2)), we only consider the one-way security due to the following observations. Firstly, the security notion is tailored for the single-ciphertext FHE scenarios, where no distinguishability games are permitted on distinct plaintexts. Secondly, in the PIR scenario, the single-ciphertext FHE scheme is used as a symmetric encryption algorithm without considering the IND-CPA security in the public key encryption schemes.
3. System Model, Security Model, and Design Goal
In this section, we formalize our system model and security model and identify our design goal.
3.1. System Model
In our system model, we consider a typical single-server PIR protocol, which includes two entities, namely, a user and a database (DB) server, as shown in Figure 1.(i)DB server: the database server is powerful in both storing and computing data. In our system model, the database server stores and processes a database with totally items. For simplicity of our PIR protocol discussed later, we assume the value of each item is a positive integer, not just one bit. In addition, the server will offer a PIR response to a query user after the latter makes a PIR query with unbounded computations.(ii)User: in our system model, we consider a query user can directly make a PIR query to the DB server and obtain the desirable result from the DB server. Meanwhile, the user does not want to reveal the queried value to the DB server when asking the corresponding data from and hopes the communication of PIR should be efficient.
Formally, a single-server PIR protocol in our system model comprises three phases as follows:(i)Query generation phase ( QG()): taking the index as the input, the user sends a query to the server(ii)Response generation phase ( RG()): using the query and the database , the server returns a response to the user(iii)Response retrieval phase ( RR()): upon receiving a response , the user outputs the data corresponding to the index
A single-server PIR protocol is correct if for any database with any size and any index for , holds, where and .
3.2. Security Model
In our security model, we consider the DB server is honest but curious, and there is no collusion between the DB server and any other third parties. In other words, the DB server will faithfully follow the protocol; however, he is curious about the queried value of the user. Note that, in case the DB server is compromised by some attackers, the compromised DB server may launch other active attacks and return a response with errors to the user who is not able to verify. However, since we focus on the communication-efficient PIR protocol for the user in this paper, those active attacks from the compromised DB server are beyond the major work of this paper, though it is not difficult to apply some verifiable techniques to tackle these attacks. For details, one can refer to Remark 3 in Section 5.
3.3. Design Goal
Our design goal is to present a communication-efficient PIR protocol on the user side to address the requirements mentioned in the above system model and security model. The communication-efficient PIR protocol is the center of our attention; hence, we assume the power of the server is unlimited, and the computation burden of the server is less important than the one of any user. Specifically, the following two objectives should be included:(i)The proposed PIR protocol should be privacy preserving: the queried index should be private, and no one, except the query user, can determine the value of . In addition, no one, except the query user, can retrieve the data after receiving the response returned by the DB server.(ii)The proposed PIR protocol should be communication efficient: in order to achieve the above privacy requirement, additional communication costs will be incurred in the PIR protocols. Therefore, in the proposed PIR protocol, we aim to make the query’s communication efficient, i.e., achieving less communication costs for the user.
4. Our Proposed Scheme
In this section, we will describe our communication-efficient PIR protocol. Before delving into the details, we first present our new single-ciphertext FHE scheme based on the aforementioned truncated polynomial rings.
4.1. Our New Single-Ciphertext FHE Scheme
Our new single-ciphertext FHE scheme comprises four algorithms, namely, KeyGen, Enc, Dec, and Eval algorithms. The detailed descriptions are as follows:(i)KeyGen(): taking the security parameter (even for simplicity) as the input, randomly generate two -bit large primes and satisfying gcd and gcd , and compute and the inverse of 3 modulo , namely, . The modulus is set as the public key , the evaluation key is set as , and the integer is set as the secret key, i.e., .(ii)Enc(): given a plaintext , randomly choose and compute and . Also, randomly choose 9 integers for , and construct a polynomial . Set a polynomial , and compute . The ciphertext is .(iii)Dec(): upon the receipt of a ciphertext , compute and with the secret key to obtain the two random numbers . The plaintext can be recovered by substituting into , that is, due to .(iv)Eval()): given the ciphertext and a univariate polynomial , the evaluation algorithm is described in Algorithm 1. We remind that the involved addition and multiplication operations are performed over the truncated polynomial ring . Especially, for each iteration, will be truncated back to the truncated polynomial ring via the reduction operation modulo and . Hence, the final result of remains in the truncated polynomial ring , i.e., it remains a bivariate polynomial in .
Remark 1. Note that, in order to ensure the one-way security of our single-ciphertext FHE scheme, the length of the modulus should be larger than 2048 bits, i.e., .
Correctness: in order to demonstrate the correctness of the homomorphic evaluation algorithm, we need to show that . From Algorithm 1, one can easily verify thatThen, there must exist two bivariate polynomials such thatSince and , we haveRecall that , , and , and we immediately have as desired.
Security: in the following, we prove our proposed single-ciphertext FHE scheme is one-way secure based on the hardness of the 3rd RSA problem.
Definition 3. (the 3rd RSA problem). The -th RSA problem is defined as follows: given the RSA public key and , and a ciphertext , to find the plaintext such that . The 3rd RSA problem is the special case with .
Theorem 1. The one-way security of our proposed single-ciphertext FHE scheme is polynomially equivalent to the 3rd RSA problem.
Proof. Both directions () need to be proven. The direction from the right to the left () is trivial. If an adversary can break the 3rd RSA problem, then given a ciphertext of the single-ciphertext FHE scheme, the adversary can solve two 3rd RSA problems and to derive two integers and finally breaks the one-way security by computing .
In order to prove the direction from the left to the right (), we assume there is a PPT adversary which can break the one-way security of our scheme, i.e., . Then, we can construct another algorithm which can utilize to break the 3rd RSA problem, i.e., , as shown in Algorithm 2.
To prove the correctness of the reduction in Algorithm 2, we first note that and that is the plaintext corresponding to , so there must exist a bivariate polynomial such that and . So, is a common root for both congruences and . Thus, we can efficiently perform the Euclidean algorithm  to compute the greatest common divisor . So, the plaintext of the RSA problem is recovered, i.e., we can construct an algorithm for solving the 3rd RSA problem.
Note that Theorem 1 establishes an exact equivalence between the one-wayness of the proposed single-ciphertext FHE scheme and the 3rd RSA problem. One may doubt that choosing the RSA encryption key as 3 will produce serious threats on the security of the single-ciphertext FHE scheme. In fact, in many implementations, choosing a relatively small encryption key such as or is widely suggested to reduce the encryption costs.
Computational complexity: next, we analyze the computational costs of our single-ciphertext FHE scheme.
During the Enc phase, there are 2 modular multiplications to compute (, respectively). Computing the polynomial needs 18 modular multiplications and some modular additions since there are modular multiplications to compute the monomial for in . Compared with the calculation of the modular multiplication, the time cost of modular addition can be negligible. Hence, there are totally 22 modular multiplications and some negligible modular additions in the Enc phase. Considering the computational complexity of a multiplication modulo is , we conclude that the computational complexity of the Enc phase is .
During the Dec phase, the main operations are to output from by 2 modular exponentiation operations of exponentiation . Considering that the computational complexity of a modular exponentiation is , the total computational complexity of the Dec phase is when ignoring some modular additions.
During the Eval phase, the output is actually a truncated bivariable polynomial. There are -iterations, and every iteration performs a modular multiplication besides a negligible modular addition. Hence, there are totally -modular multiplications and some negligible modular additions. As a result, the computational complexity of the Eval phase is subject to the value of in ciphertext evaluations.
In summary, the computational complexity is for encryption, for decryption, and for evaluation, respectively, where is the length of the RSA modulus .
Comparisons of several noiseless FHE: comparisons of several noiseless FHE schemes among [24–26] with ours are shown in Table 2. Nuida utilized the commutator and an encoding scheme by a homomorphic mapping from noncommutative group to noncommutative group to construct the noiseless FHE. The ciphertext is composed of two elements from and Ker which is a subset of . However, the security is based on the open sampling of group , and the assumption that judging whether an element is in the kernel Ker is difficult. Yagisawa  is an improved version of  with smaller ciphertext size; hence, we only discuss about . The octonion ring over the finite field was used by Yagisawa to achieve length ratio of the plaintext and ciphertext. Yagisawa’s noiseless FHE is immune from the Grobner basis attacks, which is weaker than our one-way security. With respect to ciphertext space and length ratio, our noiseless FHE is more efficient than  while less than . Totally speaking, our single-ciphertext FHE scheme is more superior to [24–26], especially considering that the security is more important than other factors for noiseless FHE.
4.2. Description of Our Communication-Efficient PIR Protocol
Before delving our communication-efficient PIR protocol, we first give a brief overview of how our single-ciphertext FHE scheme is utilized to construct the single-server PIR protocol.(i)The single-server PIR protocol aims to help the user to obtain the th data from the server possessing the whole database, without leaking the index to the server. Obviously, the server performs an evaluation algorithm on a single ciphertext corresponding to the queried index. So, our single-ciphertext FHE scheme is well suitable for the single-server PIR protocol.(ii)In our protocol, the user can encrypt the index with our single-ciphertext FHE scheme and then send the ciphertext to the server. For the consideration of efficiency, we directly encrypt the index with a symmetric encryption scheme. The parameters connect the partial ciphertext and its corresponding plaintext. In particular, the parameters invoke a polynomial, and the polynomial is used to encrypt the queried index; meanwhile, the polynomial ciphertext can be directly decrypted with the parameters ignoring the parameters as the auxiliary information. In turn, the server outputs a function about the th data relative to the polynomial ciphertext. Then, the user decrypts the function using the parameters , and he will exactly obtain the th data corresponding to the index . During the process, the server provides some computation and storage space and is unable to acquire the information of the index . Consequently, our single-server PIR protocol achieves the goal as desired.(iii)Moreover, we prefer the communication complexity on the user side rather than on the server side. Hence, in Section 6, the communication complexity on the user side is much more important than the overheads on the server side. In the future, we will delve the communication-efficient single-server PIR protocol which can attain the tradeoff overheads of the communication and the computation between the user and the server.
In the following, we employ the single-ciphertext FHE scheme proposed in Section 4.1 and the Lagrange interpolating polynomial to construct our communication-efficient single-server PIR protocol. The detailed three algorithms are described as follows:(i)Query generation phase: taking the index as the input, the user sends a query to the DB server. The details are described in Algorithm 3.(ii)Response generation phase: upon receiving the query , the DB server outputs to the user in Algorithm 4. Note that even if are obtained in the query , the DB server cannot recover the index due to not knowing the symmetric key .(iii)Response retrieval phase: refer to Algorithm 5. Upon receiving the response , the user retrieves the data corresponding to the index by using the symmetric key .
Correctness: now, we illustrate the correctness of our proposed single-server PIR protocol, namely, , for any database with any size and any index .
During the response generation phase, the response is an evaluation of encryption of index . Meanwhile, the response is numbers of addition operations about the whole data for . When decrypting the response correctly, the user will obtain that
When we assume for an example, it is obvious that the above items (6) in all equal 0 since there is an item in the molecule, while item (6) in equals since the molecule is equal to the denominator. Therefore, we can conclude that once decrypting the response correctly, the user will obtain that since . As a result, the correctness of our proposed single-server PIR protocol holds, as desired.
Remark 2. Note that the length of each item , for any , in should be smaller than . Otherwise, what the user would obtain from the above response retrieval algorithm is not the value of as had been damaged by the operation of modulo .
5. Security Analyses
In this section, we will discuss the security of our single-server PIR protocol. We particularly focus on the privacy properties, i.e., the query index should be privacy preserving, and the response is also privacy preserving in the proposed single-server PIR protocol.(i)The query index is privacy preserving in the proposed single-server PIR protocol: our design goal is to require that the queried index should be private, and no one, except the query user, can determine the value of . As we know, the query index is encrypted by our single-ciphertext FHE scheme, and only the query user can obtain the index. Because the security of our single-ciphertext FHE scheme can be reduced to the 3rd RSA problem, without knowing the private key, no one can retrieve the query index. As a result, the query index can be hidden, and the privacy-preserving requirement on the query index can be achieved in the proposed single-server PIR protocol.(ii)The response is also privacy preserving in the proposed single-server PIR protocol: since we consider there is no collusion on the DB server, the server will not forge the data in . Instead, the server will follow Algorithm 4 and output correct responses. Moreover, according to the correctness in Section 4.2, it is easy to find that the response is a polynomial about the encryption of . Automatically, the data can be hidden in the response . No one, except the query user, can retrieve by correctly decrypting the response . Therefore, the response is privacy preserving in the proposed single-server PIR protocol (Algorithm 5).
Now, we will present the security of our single-server PIR protocol by the simulation-based framework.
Theorem 2. Our single-server PIR protocol is secure against the adversaries .
Proof. We will elaborate that there is a probabilistic polynomial time simulator playing the role of the DB server such that the real view and the ideal one are computationally indistinguishable for User. The interactions between User and are defined by the following steps:(1)Following Algorithm 3, User sends of the index to (2) sends the encryption of back to User(3)Decrypt the result from with his own secret key, and User will obtain as desiredThe real view for User is , while the ideal view for User is . Considering that and are indistinguishable, we can conclude that the ideal view of User is indistinguishable from the real view. Then, we can claim that User can learn nothing about the data from the database server except , which implies that the single-server PIR protocol is secure for the DB server.
From the above analyses, we can see our proposed single-server PIR protocol is confidential and can protect the information of the index and the corresponding data .
Remark 3. In our security model, we consider the DB server is honest but curious. However, we cannot avoid the semimalicious DB servers. To prevent semimalicious servers from forging the data in as responses, we can add a verifiable procedure during the response generation phase. The following is a desirable attempt: we will use a hash function to act on the data because of its one-wayness. During the response generation phase, we require the server should substitute with in Algorithm 4 and send a correct result in the response to the user, where represents concatenation. There is no doubt that the length of is smaller than , that is, . Then, the new response is an encryption of the data . Therefore, the user can verify whether the server forges the data. After decrypting the response to obtain and , the user can compute the hash value due to knowing . If it equals the value the server sends, the data are exactly corresponding to the index without errors. If not, the server is dishonest. The details are omitted here.
6. Performance Evaluation
In this section, we evaluate the performance of our proposed single-server PIR protocol from two perspectives, i.e., the theoretical analyses and experimental evaluation by comparing it with two existing PIR protocols in [6, 7].
6.1. Theoretical Analyses of Our PIR Protocol on the User Side
Here, we first illustrate that our single-server PIR protocol is much more efficient and practical than the PIR protocols in [6, 7] in terms of the computational complexity, the extension ratio of the query (similar to the length ratio between the ciphertext and its underlying plaintext, denoted by ), and the communication overhead (denoted by ).
Our PIR protocol: in our proposed PIR protocol, since the query generation phase applies our single-ciphertext FHE scheme as the basic symmetric encryption scheme, from the computational complexity analysis in Section 4.1, we can see the computational complexity is for both the query generation and the response retrieval. In addition, we can find that , and . Hence, the extension ratio of the query is in our single-server PIR protocol. The communication overhead represents the length sum of and , i.e., . Hence, the communication overhead is in our single-server PIR protocol.
Yi et al.’s PIR protocol : in Yi et al.’s PIR protocol, the computational complexity depends on the modular addition operations, and thus, we consider the computational complexity is . Since the data corresponding to the index are one bit and equals the length of the DGHV ciphertext , i.e., and , the extension ratio of the query is . Finally, the communication overhead is , where is the size of the ciphertext and is the size of . Again, because the DGHV scheme with the ciphertext length is utilized to construct the PIR protocol, the communication overhead is .
Li et al.’s PIR protocol : the computational complexity of Li et al.’s PIR protocol mainly relies on the total modular multiplications of the matrix multiplication in the HAO scheme . From the computational complexity of modular multiplication mentioned in Section 4.1 and the parameters in , we can easily see that the valid computational complexity of Li et al.’s PIR protocol is . On the contrary, the data underlying the index are one bit, e.g.,. The query user needs to send two ciphertexts to the DB server: one is an encryption of the query with communication overhead , and the other is an encryption of the key with communication overhead , while the DB server needs to send back an encryption of with communication overhead to the user, i.e., . As a result, both the extension ratio of the query and the communication overhead in  are .
Table 3 summarizes the differences among the above three PIR protocols, where the second column “Batching” captures whether the PIR protocol can directly encrypt the index from . If the PIR protocol can, we output “Yes” and “No,” otherwise, and the symbol is the security parameter and is the database size. It is obvious that our proposed single-server PIR protocol, which has access to the database composed of items from , can directly encrypt the index from and perform the processing batch, while the PIR protocols in [6, 7] cannot. This fact makes our single-server PIR protocol more practical. In addition, from the table, we can see, in terms of the communication overhead, our single-server PIR protocol is far superior to [6, 7] since ours is independent on the database size .
When setting the security parameter in our PIR protocol and in PIR protocols [6, 7] for achieving certain security level, Figure 2 compares the communication overheads of the three PIR protocols varying with from to . From the figure, we can see that our proposed single-server PIR protocol is much more efficient, especially for a larger . Furthermore, no one can deny that when is considered in the range , the communication overheads of the PIR protocols in Yi et al.  and Li et al.  are largely subject to the security parameter in comparison to the database size , and the communication overhead in Li et al.’s protocol is better than in Yi et al.’s protocol from Figure 2. To the best of our knowledge, for a fixed security parameter , our proposed protocol is the first single-server PIR protocol, which can achieve communication efficiency.
6.2. Theoretical Analyses of Our PIR Protocol on the Server Side
Although we prefer the communication for the user than the computation complexity on the server to evaluate the efficiency of our single-server PIR protocol, the theoretical analysis on the server side is necessary to be illustrated in this section. In brief, we will present the computation burden on the server compared with the PIR protocols in [6, 7].
Our PIR protocol: the server mainly performs operations upon the special bivariate polynomials, i.e., the degree of either variable (or ) is no more than 2. Specifically, number of additions upon the bivariate polynomials for the server are enough, where is the number of databases. Meanwhile, every bivariate polynomial also includes operations of polynomials modulo , and . And number of bivariate polynomials can be performed in parallel or in a preprocessing way. Quantitatively speaking, the computational complexity is near to , where bits.
Yi et al.’s PIR protocol : Yi et al. encrypted the index with binary strings of length . Every bit is protected with an FHE scheme called DGHV10 . During the response generation in the PIR protocol, the server mainly computes number of modulus additions and number of modulus multiplications upon the integers of length . In addition, the server also provides number of ciphertexts. In a nutshell, the computational burden of the server is .
Li et al.’s PIR protocol : after receiving the ciphertexts of queried index and the secret key, the server performs a bootstrapping operation, i.e., homomorphically evaluate the decryption circuits, which is a very expensive process and occupies numerous overhead of computations for the server. The best result of bootstrapping at present is not exceeding 10 ms  when homomorphically implementing a single gate. It remains to be far from being practical to homomorphically evaluating a computing circuit. We will not describe the computation complexity of the bootstrapping but claim that the decryption circuit is of depth almost .
Totally speaking, the computational burden of our single-server PIR protocol is relatively less than [6, 7]. However, the experimental performance of the server will not be analysed in the following Section 6.3 since we regard the server powerful and can provide unrestricted computations. Furthermore, the computation burden of the server in our single-server PIR can be relaxed in parallel or in a preprocessing way.
6.3. Experimental Evaluations of Our PIR Protocol
In this section, we further present some experimental evaluations of our PIR protocol in comparison with the PIR protocols in [6, 7]. It is obvious to see that there are two common factors for the PIR protocols in [6, 7], i.e., the queried index is resolved into its binary presentation and the data in the database only consist of one bit 0 or 1, while in our PIR protocol, we can directly encrypt the index, not in its binary representation, and the data in belonging to are more practical. The details of experimental settings are as follows.
Our PIR protocol: we implement our proposed protocol on a personal computer by utilizing the NTL  and the C++ language. The environment is listed as follows:(i)CPU: Intel(R) Core(TM) i3-7100 3.90 GHz(ii)RAM: 4.00 GB(iii)OS: Windows 10, 64 bits
The length of the modulus of in our experiment includes 2048 bits, 2560 bits, and 3072 bits. The size of varies from 800, 1000, to 1200. Although the number of items in the database seems a little small, the whole space of the database is not small at all. Considering that the response generation (RG) phase is performed by the DB server and the query generation (QG) phase and response retrieval (RR) phase are run at the user side, we test 100 instances on for every phase. The average results are given in Tables 4–6.
The first column called “” represents the length of RSA modulus, and the data in are from . The second column means the number of our tested instances. We use the time of the query generation phase, response retrieval phase, and response generation phase to illustrate the performance of our single-server PIR protocol.
From Tables 4 to 6, it is easy to see that the size of has a little bit effect on the user side in our single-server PIR protocol, which can almost be ignored. We also see that the time in the query generation phase and response retrieval phase increases a little with the modulus growing under the same situations. On the contrary, the time cost on the DB server side largely depends on the size . When the database size is fixed, the DB server takes more time with increasing. Similarly, when the modulus is fixed, the DB server also takes more time with increasing. In brief, it shows that our single-server PIR protocol is efficient. For example, even when the modulus is bits, the query generation phase only costs 5.4 s, and the response retrieval phase costs 2.82 ms at most when all data in the database are drawn from .
The effects of database size on the user and the DB server are readily comprehensible. Theoretically speaking, there are just modular multiplications and some negligible modular additions for the user, all of which are irrelevant to the size during the query generation phase, let alone the response retrieval phase. On the contrary, the response generation phase completely relies on all the data in database . Hence, the size is the main factor for the time cost at the DB server side. Nevertheless, the server can perform parallel computations to reduce the computational complexity from to . Furthermore, when a powerful DB server is employed, the time costs at the DB server side should be reduced greatly.
Yi et al.’s PIR protocol : Yi et al.  experimented on a PBR protocol (an extension of a PIR protocol) with 10,000 blocks instead of a PIR protocol. The query generation phase costs 10 s when the modulus is of 882 bits. The overhead is obviously larger than our single-server PIR protocol. In addition, Yi et al.’s scheme did not discuss the time cost of the response retrieval phase. On this basis, our single-server PIR protocol has obvious advantages over . Moreover, their PBR protocol cannot encrypt the index from , let alone within a few milliseconds.
Li et al.’s PIR protocol : Li et al.  proposed a PIR protocol based on the lattice assumption. However, they did not use simulation to evaluate their PIR protocol. Nevertheless, we can claim that our single-server PIR protocol is more efficient than  based on the aforementioned theoretic analyses of computational complexity, the extension ratio of the query, and the communication overhead. In addition, the performance of Li et al.’s PIR protocol  relies on the efficiency of the bootstrapping and the size of the secret key. The size of the secret key in  is , and by now, the best result for bootstrapping does not exceed 10 ms to evaluate a single gate in , which is impractical.
To sum up, our experimental evaluation further demonstrates that our single-server PIR protocol is more efficient and practical.
7. Related Work
In this section, we will briefly review some FHE schemes and some other existing single-server PIR protocols, which are closely related to our proposal.
Fully homomorphic encryption: FHE enables meaningful process over encrypted data without access to the original plaintext data. In the past years, many generic FHE constructions have been proposed [10, 12, 13, 18–20]. For example, the first generation is represented by the DGHV FHE scheme , which serves as a vital tool in building a PIR protocol in . However, most of them turn out to be impractical. The main reason is that the noises are added to the ciphertexts for the consideration of the security. Later, a new class of FHE schemes without noises have naturally been exploited to avoid complicated noise management [24–26, 29]. For example, Nuida  declared a beautiful public key FHE frame without noises, employing a commutator and an encoding scheme over two noncommutative groups. The security is based on an assumption that judging whether an element is in the kernel is difficult, which is not standard. Yagisawa [25, 26] proposed noiseless FHE schemes with the underlying octonion ring over the finite field, which are immune from the Grobner basis attacks. Nevertheless, it remains an open problem to prove strictly secure and feasible in the framework of provable security. In this work, motivated by the noiseless FHE schemes, we define a special kind of algebraic structure called truncated polynomial rings to construct a single-ciphertext FHE scheme. Our proposed scheme is noiseless, and hence, it inherently supports fully homomorphic computations on any univariate polynomials, such as the single-server PIR protocols. In addition, there is a security reduction between the one-wayness of our single-ciphertext FHE scheme and the 3rd RSA problem we define. Compared with the FHE schemes in [6, 7], our single-ciphertext FHE scheme is noiseless and of the smallest ciphertext size, which offer enormous convenience for the single-server PIR protocols.
Single-server PIR protocols: a single-server PIR protocol allows a user to retrieve the -th data from a database server without revealing the index . The past years have witnessed the development of the single-server PIR protocols, especially in communication cost [30–33]. For example, Cachin et al.  proposed a PIR protocol based on the -hiding assumption with communication complexity . And the Damgard–Jurik scheme  was utilized by Lipmaa  to construct a PIR protocol, which achieved communication complexity. However, most of them are inefficient due to depending on the database size , especially when is million or even larger magnitude in real life. Hence, it will be a great work to construct a single-server PIR protocol with communication overhead , which is irrelevant to the database size . In this work, we devote ourselves to designing a single-server PIR protocol with communication efficiency . First, on the basis of the single-server PIR protocols in [6, 7], we tend to resort to the FHE schemes since the FHE schemes not only keep privacy preserving but also support direct computations on encrypted data. Second, the Lagrange interpolating polynomial is a suitable tool for the database owing to its property. Hence, an FHE scheme and the Lagrange interpolating polynomial technique are used to construct our single-server PIR protocol. Meanwhile, theoretical analyses and experimental evaluations are performed to demonstrate that our single-server PIR protocol is efficient, which is the first one of communication overhead .
In this paper, we have proposed a new communication-efficient PIR protocol by using homomorphically computing univariate polynomials. Specifically, we first propose a new cryptographic primitive called single-ciphertext FHE and instantiate the special kind of FHE supporting evaluations of a single ciphertext. Then, we illustrate how the single-ciphertext FHE scheme works in our single-server PIR protocol. Theoretical analyses and experimental evaluations are both conducted to demonstrate that it is more efficient and practical to apply our single-ciphertext FHE scheme to the PIR protocol. To the best of our knowledge, our proposed protocol is the first PIR protocol, which can achieve communication efficiency on the user side, irrelevant to the database size . In future work, we will study other FHE techniques to exploit more efficient PIR protocols, which can achieve the tradeoff overheads of the communication and the computation between the user and the server.
No data were used to support this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work was supported by the National Key R&D Program of China (Grant no. 2017YFB0802000), the National Natural Science Foundation of China (Grant nos. U19B2021 and 61972457), the National Cryptography Development Fund (Grant no. MMJJ20180111), and Key Research and Development Program of Shaanxi (Grant no. 2020ZDLGY08-04).
E. Skeith and R. Ostrovsky, “Replication is NOT needed: SINGLE database, computationally-private information retrieval,” in Proceedings of the 38th Annual Symposium On Foundations Of Computer Science, pp. 364–373, FOCS ’97, Miami Beach, FL, USA, October 1997.View at: Google Scholar
E. Skeith and R. Ostrovsky, “One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval,” in Proceedings of the Advances In Cryptology - EUROCRYPT 2000, International Conference On the Theory And Application Of Cryptographic Techniques, pp. 104–121, Bruges, Belgium, May 2000.View at: Google Scholar
C. A. Melchor, J. Barrier, L. Fousse, and M. Killijian, “Private information retrieval for everyone,” PoPETs, vol. 2, pp. 155–174, 2016.View at: Google Scholar
C. Gentry, ““Fully homomorphic encryption scheme”,” Stanford University, Kunnamangalam, India, 2009, PhD Thesis.View at: Google Scholar
C. Gentry, Fully Homomorphic Encryption Using Ideal Lattices, ACM, New York, NY, USA, 2009.
Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106, Palm Springs, CA, USA, October 2011.View at: Google Scholar
M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” in Proceedings of the Advances In Cryptology - EUROCRYPT 2010, 29th Annual International Conference On the Theory And Applications Of Cryptographic Techniques, pp. 24–43, Monaco, Europe, May 2010.View at: Google Scholar
R. McEliece, “Finite fields for computer scientists and engineer,” in Kluwer International Series In Engineering And Computer Science,, Springer, New York, NY, USA, 1989.View at: Google Scholar
Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(leveled) fully homomorphic encryption without bootstrapping,” in Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, pp. 309–325, Santa Barbara, CA, USA, 2012.View at: Google Scholar
C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based,” in Proceedings of the Advances In Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, pp. 75–92, Santa Barbara, CA, USA, August 2013.View at: Google Scholar
Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical gapsvp,” in Proceedings of the Advances In Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, pp. 868–886, Santa Barbara, CA, USA, August 2012.View at: Google Scholar
J. Loftus, A. May, N. P. Smart, and F. Vercauteren, “on cca-secure somewhat homomorphic encryption,” in Proceedings of the Selected Areas In Cryptography - 18th International Workshop, pp. 55–72, Toronto, Canada, August 2011.View at: Google Scholar
R. Canetti, S. Raghuraman, S. Richelson, and V. Vaikuntanathan, “Chosen-ciphertext secure fully homomorphic encryption,” in Proceedings of the Public-Key Cryptography - PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 213–240, Amsterdam, The Netherlands, March 2017.View at: Publisher Site | Google Scholar
B. Yang and G. Xiao, Modern Cryptography, Tsinghua University Press, Beijing, China, 2015.
K. Nuida, “A simple framework for noise-free construction of fully homomorphic encryption from a special class of non-commutative groups,” IACR Cryptology ePrint Archive, vol. 97, 2014.View at: Google Scholar
M. Yagisawa, “Improved fully homomorphic public-key encryption with small ciphertext size,” IACR Cryptology ePrint Archive, vol. 232, 2018.View at: Google Scholar
M. Yagisawa, “Fully homomorphic encryption on octonion ring,” IACR Cryptology ePrint Archive, vol. 733, 2015.View at: Google Scholar
K. Nuida, “Candidate constructions of fully homomorphic encryption on finite simple groups without ciphertext noise,” IACR Cryptology ePrint Archive, vol. 97, 2015.View at: Google Scholar
J. P. Stern, “A new efficient all-or-nothing disclosure of secrets protocol,” in Advances In Cryptology, pp. 357–371, Beijing, China, 1998.View at: Google Scholar
C. Cachin, S. Micali, and M. Stadler, “Computationally private information retrieval with polylogarithmic communication,” in Proceedings of the Advances In Cryptology - EUROCRYPT ’99, International Conference On the Theory And Application Of Cryptographic Techniques, pp. 402–414, Prague, Czech Republic, May 1999.View at: Google Scholar
H. Lipmaa, “First CPIR protocol with data-dependent computation,” in Proceedings of the in Information, Security and Cryptology - ICISC 2009, 12th International Conference, pp. 193–210, Seoul, Korea, 2009.View at: Google Scholar
Y. Chang, “Single database private information retrieval with logarithmic communication,” in Proceedings of the In Information Security And Privacy: 9th Australasian Conference, ACISP 2004, pp. 50–61, Sydney, Australia, July 2004.View at: Google Scholar
J. M. Damgard, “A generalisation, a simplification and some applications of paillier’s probabilistic public-key system,” in Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptosystems, Seoul, Korea, 2001.View at: Google Scholar