Practical PIR for Electronic Commerce


Ryan Henry (Cheriton School of Computer Science, University of Waterloo, Waterloo ON Canada N2L 3G1)
Femi Olumofin (Cheriton School of Computer Science, University of Waterloo, Waterloo ON Canada N2L 3G1)
Ian Goldberg (Cheriton School of Computer Science, University of Waterloo, Waterloo ON Canada N2L 3G1)

ABSTRACT
We extend Goldberg's multi-server information-theoretic private information retrieval (PIR) with a suite of protocols for privacy-preserving e-commerce. Our first protocol adds support for single-payee tiered pricing, wherein users purchase database records without revealing the indices or prices of those records. Tiered pricing lets the seller set prices based on each user's status within the system; e.g., non-members may pay full price while members may receive a discounted rate. We then extend tiered pricing to support group-based access control lists with record-level granularity; this allows the servers to set access rights based on users' price tiers. Next, we show how to do some basic bookkeeping to implement a novel top-k replication strategy that enables the servers to construct bestsellers lists, which facilitate faster retrieval for these most popular records. Finally, we build on our bookkeeping functionality to support multiple payees, thus enabling several sellers to offer their digital goods through a common database while enabling the database servers to determine to what portion of revenues each seller is entitled. Our protocols maintain user anonymity in addition to query privacy; that is, queries do not leak information about the index or price of the record a user purchases, the price tier according to which the user pays, the user's remaining balance, or even whether the user has ever queried the database before. No other priced PIR or oblivious transfer protocol supports tiered pricing, access control lists, multiple payees, or top-k replication, whereas ours supports all of these features while preserving PIR's sublinear communication complexity.
We have implemented our protocols as an add-on to Percy++, an open source implementation of Goldberg's PIR scheme. Measurements indicate that our protocols are practical for deployment in real-world e-commerce applications.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection - cryptographic controls; H.2.4 [Database Management]: Systems - distributed databases, query processing.

General Terms
Private Information Retrieval

Keywords
Private information retrieval, PIR, e-commerce, access control, zero-knowledge proofs, privacy-enhancing technologies, PETs.

Prior to 06/05/2011, this paper was titled "Pay-per-PIR and PIR-ACL: Symmetric Private Information Retrieval with Per-Record Pricing and Access Control Lists."

1. INTRODUCTION
Private information retrieval (PIR) provides a means of querying a database without the database being able to learn any information about the query [22]. In multi-server PIR, $l$ database servers each possess a replica of the database and a user submits his query to some size-$k$ (or larger) subset of these servers in such a way that no server (or coalition of servers up to some threshold $t$) can learn the user's query. One can view the database $X$ as consisting of $n$ bits organized into $r$ records, each of size $b = n/r$ bits. We follow the usual convention of specifying a PIR query by the index of interest. Thus, in a PIR query, the user retrieves the record at index $i$ without the servers learning any information about $i$. We note, however, that existing approaches allow one to build queries that are more expressive on top of this basic setup; for example, keyword-based lookups [21] or simple SQL queries [47]. Existing multi-server PIR schemes offer information-theoretic privacy protection for the user's query, but they allow a dishonest user to obtain additional information, such as the record at index $j$, or the exclusive-or of some subset of records in the database [31].
However, for many real-world applications, protecting database privacy by preventing dishonest users from learning extra information about the database is advantageous. Examples abound in online sales of digital goods, such as a pay-per-download music store [1] where users must pay for each song they download, a pay-per-retrieval DNA database [17], a stock-information database [31], or a patent database [2]. In all of these practical situations, it is necessary to guarantee the seller of these digital goods that users learn exactly the database record of interest and nothing more. In some scenarios it may even be desirable to sell database records according to a tiered pricing plan whereby different users pay different prices for each record depending on, e.g., their membership status or geographic location. Symmetric private information retrieval (SPIR) [31] adds an additional restriction to PIR that prevents the user from learning information about any records except for the one he requested, thus addressing the need for simultaneous user and database privacy; however, no existing SPIR scheme supports both (tiered) record-level pricing and access control lists. Some oblivious transfer (OT) schemes [1, 17-19] offer one or the other of these functions, but no scheme in the literature provides them both. Moreover, OT schemes generally have no requirement for sublinear communication complexity, which renders them useless for online sales of some types of digital goods, such as multimedia data, where the bandwidth requirement is high. Some schemes even require the user to download an encrypted copy of the entire database (e.g., [17-19]) and later purchase decryption keys for individual encrypted records. This allows one to amortize the cost of many transactions, but renders the scheme unsuitable for applications in which the contents of the database change frequently. Storing the database in an encrypted format also limits the usefulness of the database for other applications that need ready access to the cleartext data. Other OT-based schemes [1] require the database servers to store state information, such as the number of purchases made by a user, or his remaining balance, which might leak information about the user's queries or enable the server to link his purchases.

In this paper, we present a protocol that extends the open-source PIR scheme by Goldberg [33] to a priced symmetric private information retrieval (PSPIR) scheme offering tiered pricing with record-level granularity. Our initial PSPIR construction is a simple single payee scheme wherein a single content provider (CP) sells digital goods through a distributed database and collects all proceeds from these sales. We then extend this simple scheme in three important ways. First, we introduce a slight modification to the protocol that enables the database servers to control access to individual records by implementing group-centric access control lists. Next, we propose a novel top-k replication strategy that makes it possible for the database servers to periodically identify and replicate the $K$ most popular records to a smaller database, i.e., to construct a bestsellers list, thus facilitating more efficient retrieval for these most popular items. Finally, we show how to adapt the single-payee scheme to scenarios in which multiple (possibly competing) CPs sell their own digital goods through a common database and, using a distributed bookkeeping protocol, determine to what portion of the proceeds from these sales each seller is entitled. These enhancements provide a stronger and more realistic model of private information retrieval that enables e-commerce to coexist happily with strong privacy protection. In our model, users belong to different pricing tiers and pay (perhaps different amounts) for each record; moreover, the database may require users to have explicit authorization to access some or all of the records in the database.
In particular, tiered pricing logically groups users into different price tiers and allows the database to set the price and availability of each record with respect to each tier (a price tier is then roughly analogous with a group in the context of access control). Our approach enforces these constraints without revealing the user's price tier to the servers during a protocol run. Thus, when combined with an anonymous communications channel, our protocols maintain user anonymity in addition to query privacy; that is, the database servers do not learn any information about the identity nor the query of the user. More specifically, queries do not leak information about the index or price of the purchased record, the price tier according to which the user pays, the user's remaining balance, or even whether the user has ever queried the database before.

Outline. We organize the remainder of this paper as follows: §2 introduces our system model, including our design goals and threat model, and an example use case for our scheme. §3 presents our notation and the basic building blocks we use in our protocols. Our main contribution follows in §4, where we describe each of our constructions in depth. In §5, we discuss our implementation and the results of some empirical performance evaluations we ran on it. We then proceed to differentiate our approach from related solutions in §6, and finally conclude the paper with a summary in §7.

2. SYSTEM MODEL
Our basic scenario consists of three parties: the user interested in purchasing digital goods, the server having a database containing potentially tens or hundreds of gigabytes of data that is divided into $r$ records (or files), and the bank, an independent issuer of digital wallets (see below). We build our scheme from multi-server information-theoretic PIR; thus, the server is actually comprised of $l$ independent PIR servers that each hosts a complete replica of the database. Users submit their queries to any subset of at least $k > l/2$ servers of their choosing.
We associate one or more price lists $p_1, \ldots, p_T$ with the database, where there are $T$ tiers and each price list specifies a price for each of the $r$ individual records. For simplicity, we represent price lists by length-$r$ vectors of nonnegative integers (or $\infty$ to indicate that a record is unavailable in this price plan), although representations that are more efficient are typically possible and using one of these representations changes the protocols only superficially. Users' wallets are kept with any nonrerandomizable (one-show) anonymous credential scheme, such as that of Brands [10] or that of Au et al. [3]; the wallet encodes as attributes a balance and the index $\pi$ of the price list according to which the owner of that wallet must pay, called that user's price tier or simply his tier. (For example, one price tier might apply to members while another price tier might apply to non-members; in general, any number of tiers may exist, although a large number of tiers may adversely affect system performance.) The tier $\pi$ is encoded in the credential in a special way: each wallet encodes a collection of $T$ attributes $x_1, \ldots, x_T$ such that $x_i = 1$ if $i = \pi$ and $x_i = 0$ otherwise. The bank initially issues each user with a wallet encoding the balance 0; users may charge their wallets at any time using, e.g., a prepaid credit card obtained via cash transaction from a grocery store. We make no assumptions regarding noncollusion between the bank and the database servers; indeed, it is not even required that the bank and database servers be different entities, although synchronization challenges may emerge in the case of a distributed bank. We do not discuss the full semantics of the bank, since this is not our focus in this paper and such details depend on the chosen credential system. To query for the record at index $\beta$, the user must first prove that his wallet encodes sufficient funds to purchase that particular record according to his tier.
To do so, the user must send his current wallet to each of at least $k$ servers, which makes the task of detecting double spending particularly easy (via the pigeonhole principle) since the wallet is not rerandomizable and $k > l/2$. Along with his query response, the user receives a cryptographically signed receipt encoding the price paid for the query and the wallet used to make the payment. The user then uses this receipt to refresh his wallet with the bank; i.e., to obtain a new wallet (which is unlinkable to his old wallet) encoding his new remaining balance. This refreshing step does not reveal any information to the bank about the user's (old or new) balance, his tier, or the price encoded in the receipt. Before discussing our constructions in further detail, we first present our high-level design goals and our threat model, as well as some motivation by way of a simple example use case that uses our full suite of protocols.

2.1 Design goals
We are interested in enhancing Goldberg's PIR protocol to yield a scheme with the following properties.

Utility. In addition to PIR's standard functionality, we seek to provide the database servers with the following capabilities.
Tiered pricing: Users pay predetermined amounts for each retrieved record. The system assigns each user to a price tier and the prices they pay depend on both this tier and the particular records they purchase.
Access control: The database servers may set the availability of each record with respect to users of each price tier.
Bookkeeping: A common database may sell records from multiple CPs while ensuring that each CP receives the correct share of profits based on sales of its own records.
Replication: The database servers can dynamically learn which records are most popular without revealing information about individual users' query patterns. This allows popular records to be accessed at a lower computation and communication cost than their less popular counterparts.

Security and privacy. Traditional databases can already offer all of the above functionality, and more. What makes our situation unique is that we wish to provide this functionality while offering strong privacy protection, both for users and for CPs.
Correctness: Users with sufficient funds and privileges can always retrieve a consistent copy of their desired record.
Query privacy: The database servers and bank learn no nontrivial information about the records accessed by a user.
User anonymity: The database servers and the bank learn only that some user with sufficient funds and privileges retrieved some record; i.e., they learn no other information about a user's identity (including whether or not this user has previously queried the database), the price he pays for a record, or the past or present balance encoded in his wallet.
Database privacy: Dishonest users cannot learn any extra information about database records that they do not purchase.

Practicality.
Computational cost: Any increase in the computational cost of the underlying PIR scheme should be small and scale sublinearly in $n$ and at most linearly in $r$.
Query size: The size of users' queries should increase by no more than a small multiplicative factor as compared to the underlying PIR scheme. Furthermore, the size of the query response should increase by no more than a small additive constant.
Round complexity: The protocols should add at most one additional round of interaction to the PIR protocol, per query.
2.2 Threat model
We consider a threat model in which users of the system are potentially malicious, while database servers and CPs (as well as the bank) are honest-but-curious (i.e., semi-honest); however, Goldberg's PIR scheme (and by extension, our own proposed scheme) is robust against some threshold of malicious database servers as well. Users of our system have obvious incentives for being malicious; for example, they may wish to learn about records that they cannot afford (or simply do not wish to pay for), or to retrieve records for which they do not have authorization. Moreover, in e-commerce situations, unscrupulous competitors may try to subvert the bookkeeping and replication functionality by acting as users and submitting specially crafted, malformed queries. The system must provide the database servers with strong security guarantees against all such attacks. Honest-but-curious database servers may collude among themselves (and the bank) to try to reveal the identity of a user, the price tier or balance encoded in his wallet, or the content of his queries. The system should be secure against attacks on user anonymity regardless of who may be colluding with whom, and should be secure against attacks on query privacy provided an honest majority exists among the database servers.¹ Malicious database servers may also try to compromise the integrity of the system by refusing to respond to user queries or by returning incorrect results in an effort to prevent a user from obtaining his desired record or a valid receipt. The system should be robust to some number of malicious database servers and should allow affected users to learn the identity of whichever servers misbehave. We do not consider the case of an actively malicious bank, but we do note that a fair exchange protocol such as the one proposed by Camenisch et al. [18] can also mitigate threats associated with a malicious bank. We argue that our assumption of semi-honest database servers is realistic for many practical e-commerce scenarios, particularly in the multiple-payee variant of our protocol where the CPs themselves may host some or all of the database servers. In this setting, several distinct and possibly competing CPs cooperate to provide a value-added service to their customers (i.e., a privacy-preserving way to purchase their digital goods). On the one hand, the CPs have a vested interest in cooperating, since providing this service to their customers would otherwise be infeasible. On the other hand, competing CPs have an incentive not to divulge additional information about customer spending to one another, lest this information help the other CPs gain a competitive advantage over them.

¹ Of course, if sufficiently many database servers collude to reveal the content of a user's query, they may learn some information about that user's identity; for example, by noting if the user retrieves a record that is only available to certain tiers of users, or by making inferences based on external knowledge. We cannot protect against such attacks, so in these cases we aim only to minimize the information made available to the adversary.

2.3 A hypothetical use case
As a hypothetical use case to motivate our protocols, we consider an online seller of e-books akin to Amazon's Kindle Store. Suppose a number of independent publishers wish to team up to form a privacy-preserving alternative to the Kindle Store, wherein users can purchase electronic copies of these publishers' books without revealing their identities or facilitating the construction of privacy-invasive dossiers detailing their purchasing habits.² We choose the example of a bookstore because e-books are an increasingly popular digital good that is the ideal size for distribution via SPIR queries; however, we note that much of the discussion below could easily apply to sellers of other types of goods such as audio files, academic papers, or real-time stock quotes. Each publisher hosts a database server containing a replica of the entire e-book catalogue and users purchase e-books from this database using PSPIR. Periodically (for example, weekly) the publishers cooperate to learn to what portion of the profits each is entitled. They also use this opportunity to determine the top-k best sellers, which they subsequently replicate to a smaller database to facilitate faster purchases of these books. Much like Amazon does with the Kindle Store [26], the publishers can sell the same e-book to users that are registered in different geographical locations for different prices, thus enabling them to recoup costs associated with, e.g., service fees incurred by offering customers free 3G service to purchase their books from a mobile device.

² If the publishers desire an Amazon-style recommendation system, existing approaches to privacy-preserving targeted advertising [34, 38, 55] may apply.

3. BUILDING BLOCKS
This section introduces our notation and the cryptographic primitives that we use in our construction. For notational convenience, we use $\delta_{ij}$ to denote the well-known Kronecker delta function; that is, $\delta_{ij} = 1$ if $i = j$, and $\delta_{ij} = 0$ otherwise. We also define the complementary Kronecker delta function, $\bar{\delta}_{ij} = (1 - \delta_{ij})$. We use $\mathbb{Z}_m$ to denote the ring of integers modulo $m$ (or the finite field of order $m$ when $m$ is prime); we will represent elements of $\mathbb{Z}_m$ by elements of $\{0, \ldots, m-1\}$. $\mathbb{Z}_m[x]$ denotes the ring of polynomials with coefficients in $\mathbb{Z}_m$, and $(\mathbb{Z}_m)^r$ the set of length-$r$ vectors over $\mathbb{Z}_m$ (and similarly for $(\mathbb{Z}_m[x])^r$). We write $a \in_R \mathbb{Z}_m$ to mean that $a$ is selected uniformly at random from $\{0, \ldots, m-1\}$. The notation $a \,\|\, b$ denotes concatenation (as strings) of values $a$ and $b$. $\kappa \in \mathbb{N}$ is a parameter used to tune the soundness versus performance of certain zero-knowledge proofs. Let $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ be cyclic groups of prime order $q$ (which we shall express multiplicatively). We assume throughout the existence of a bilinear pairing function $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$; we also assume that $g, h \in \mathbb{G}_1$, $\hat{g} \in \mathbb{G}_2$ and $g_T, h_T \in \mathbb{G}_T$ are known generators of their respective groups, where $g_T = e(g, \hat{g})$ and $h_T = e(h, \hat{g})$. The crucial property of $e$ is that of bilinearity: $e(g^a, \hat{g}^b) = e(g, \hat{g})^{ab}$ for all $a, b \in \mathbb{Z}_q$. If $\mathbb{G}_1 = \mathbb{G}_2$, the pairing is called symmetric; otherwise it is asymmetric. Elements of $\mathbb{G}_1$ in asymmetric pairings are shorter than in symmetric pairings. The pairing $e$ we assume in this work is asymmetric.

3.1 Shamir secret sharing
We make extensive use of Shamir's polynomial secret sharing scheme [53] to share field elements among the servers. An element $a \in \mathbb{Z}_q$ is shared by choosing a polynomial $f_a(x) = a_t x^t + \cdots + a_1 x + a \in \mathbb{Z}_q[x]$ with each non-constant coefficient $a_i \in_R \mathbb{Z}_q$ and the constant term equal to the shared value; server $j$'s share of $a$ is then $f_a(j) \in \mathbb{Z}_q$. Any subset of at least $t+1$ servers can cooperate to reconstruct $a$ using Lagrange interpolation [44, Ch. 12]; however, $t$ or fewer colluding servers cannot deduce any nontrivial information about $a$. Such a scheme is called a $(t+1, l)$-threshold secret sharing scheme, since a threshold of at least $t+1$ out of $l$ servers must cooperate to recover the secret value. In general, any choice of $0 < t < l$ will suffice; however, our top-k replication protocol requires that $t \le (l-1)/2$. We recommend $t = \lfloor (l-1)/2 \rfloor$, which ensures that the protocols are secure whenever an honest majority exists among the servers.
We write $[a]_q$ to denote a Shamir secret sharing of $a \in \mathbb{Z}_q$ among the $l$ servers; that is, $[a]_q = \langle f_a(1), \ldots, f_a(l) \rangle$ where the $j$-th component of this vector is known only to server $j$. For completeness, we show how to recover $a$ from $[a]_q$ using Lagrange interpolation at the point $x = 0$. Given a set of at least $t+1$ indices $Q \subseteq \{1, \ldots, l\}$ and an index $I_j \in Q$, we can compute the $j$-th Lagrange coefficient as

$$\lambda_{Q,j} = \prod_{I_i \in Q \setminus \{I_j\}} I_i \,(I_i - I_j)^{-1} \bmod q, \qquad (1)$$

and recover $a$ from $[a]_q$ by computing

$$a = \sum_{I_j \in Q} \lambda_{Q,j} \, f_a(I_j). \qquad (2)$$

Note that, for a fixed set of servers, the Lagrange coefficients can easily be precomputed. If one or more servers is offline or not participating in share reconstruction, the share can still be reconstructed as long as at least $t+1$ servers participate; however, we must compute new Lagrange coefficients that consider only the indices corresponding to participating servers. We also remark that standard techniques exist [35] to facilitate the reconstruction of shared values in the presence of malicious or Byzantine servers that report incorrect shares, but for ease of presentation, we describe our protocols in the honest-but-curious model and without consideration for Byzantine failure.

Computing with Shamir secret shares. Suppose $[a]_q$ and $[b]_q$ are two shared secrets and $c \in \mathbb{Z}_q$ is a public scalar. We write $[a]_q \oplus [b]_q$, $[a]_q \ominus [b]_q$ and $[a]_q \otimes [b]_q$ to denote the component-wise sum, difference and product, respectively, of $[a]_q$ and $[b]_q$ (and similarly for $[a]_q \oplus c$, $[a]_q \ominus c$ and $[a]_q \otimes c$). Observe that $[a]_q \oplus [b]_q = [a+b]_q$ and $[a]_q \ominus [b]_q = [a-b]_q$ (and similarly for $[a]_q \oplus c$ and $[a]_q \ominus c$), and that $c \otimes [a]_q = [c \cdot a]_q$. Moreover, the product $[a]_q \otimes [b]_q$ yields a $(2t+1, l)$-threshold sharing of $a \cdot b$; thus, when $t \le (l-1)/2$ as we require above, the servers can still interpolate to recover this product. It is possible to construct algorithms for more complex operations using the above facts; e.g., distributed pseudorandom number generation [4], testing equality [25], or evaluating order predicates [45].
Indeed, we implicitly use these more complex operations for top-k replication, but do not discuss them in depth. The interested reader can consult Nishide and Ohta's paper [45] for further details on how to implement them.

3.2 Goldberg's PIR scheme
Goldberg's PIR scheme [33] is a multi-server information-theoretic scheme with good support for query robustness against colluding servers. It provides a $t$-private $v$-Byzantine-robust $k$-out-of-$l$ scheme for $0 < t < k \le l$ and $v < k - \lfloor \sqrt{kt} \rfloor$ protection. In other words, users submit their queries to at least $k$ out of the $l$ servers, and the system can tolerate up to $v$ servers being Byzantine (i.e., responding incorrectly) without inhibiting the ability of users to retrieve the correct record, and $t$ servers colluding without compromising users' query privacy. The scheme also optionally supports $\tau$-independence [30], a property that prevents the database servers from learning the contents of the database with information-theoretic protection against coalitions of up to $\tau$ servers. The scheme structures the $n$-bit database $X$ as an $r \times s$ matrix $D$ over $\mathbb{Z}_q$, where $r$ is the number of records, $b$ is the size of each record (in bits), $w = \lfloor \lg q \rfloor$ is the word size, and $s = \lceil b/w \rceil$ is the number of words per record. For minimal communication, $b = \sqrt{wn}$. The user's query is a standard basis vector $\mathbf{1}_\beta \in (\mathbb{Z}_q)^r$, which has all elements 0 except for index $\beta$ where it is 1. The scheme uses Shamir secret sharing to split $\mathbf{1}_\beta$ into $k$ parts $\rho_1, \ldots, \rho_k$, which the user sends to the respective PIR servers. A user queries for the record at index $\beta$ by choosing a vector of $r$ polynomials, $f = \langle f_1, \ldots, f_r \rangle$, each of degree (at most) $t$, with uniformly random coefficients from $\mathbb{Z}_q$ for the non-constant terms. The constant term of $f_i$ is $\delta_{i\beta}$. In addition, the user chooses $k$ distinct server indices $I_1, \ldots, I_k$ and forms $k$ vectors of $\mathbb{Z}_q$ elements by evaluating $f$ component-wise at the $k$ respective indices; that is, $\rho_j = \langle f_1(I_j), \ldots, f_r(I_j) \rangle$. The user forwards $\rho_j$ to server $I_j$, while each server $I_j$ computes an $s$-element vector $R_j = \rho_j \cdot D$ and returns it back to the user.
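To make the sharing of §3.1 and the query/response flow of §3.2 concrete, here is an added worked example; it is not code from the paper or from Percy++, and its field modulus, server count, threshold and database are constructed toy values. It shares the basis vector component-wise, has each server compute $\rho_j \cdot D$, interpolates the record at $x = 0$ with the Lagrange coefficients of Eq. (1) and (2), and also shows why the product of two sharings needs $2t+1$ rather than $t+1$ servers.

```python
import random

# Constructed toy parameters (not the paper's or Percy++'s): a small prime field,
# l = 5 servers and privacy threshold t = (l-1)/2, i.e. an honest majority suffices.
Q = 2**31 - 1   # field modulus q (prime)
L = 5           # l servers
T = 2           # t: any t colluding servers learn nothing about the query

def share(secret, t=T, l=L):
    """Section 3.1: pick f_a(x) = a_t x^t + ... + a_1 x + secret with random non-constant
    coefficients; server j's share is f_a(j). Returns [f_a(1), ..., f_a(l)]."""
    coeffs = [secret] + [random.randrange(Q) for _ in range(t)]
    return [sum(a * pow(j, e, Q) for e, a in enumerate(coeffs)) % Q for j in range(1, l + 1)]

def lagrange_coeffs(indices):
    """Eq. (1): lambda_{Q,j} = prod_{I_i in Q, I_i != I_j} I_i * (I_i - I_j)^{-1} mod q,
    the coefficients for interpolating at x = 0 from the given server indices."""
    lams = []
    for Ij in indices:
        lam = 1
        for Ii in indices:
            if Ii != Ij:
                lam = lam * Ii * pow(Ii - Ij, -1, Q) % Q
        lams.append(lam)
    return lams

def reconstruct(indices, shares):
    """Eq. (2): a = sum_{I_j in Q} lambda_{Q,j} * f_a(I_j) mod q."""
    return sum(lam * s for lam, s in zip(lagrange_coeffs(indices), shares)) % Q

def build_query(beta, r, t=T, l=L):
    """Section 3.2: Shamir-share the basis vector 1_beta component-wise, so that
    rho_j = <f_1(j), ..., f_r(j)> where f_i has constant term delta_{i,beta}."""
    cols = [share(1 if i == beta else 0, t, l) for i in range(r)]   # cols[i][j-1] = f_i(j)
    return [[cols[i][j] for i in range(r)] for j in range(l)]       # rho_1, ..., rho_l

def server_respond(rho, D):
    """Server I_j computes R_j = rho_j . D over Z_q: an s-element vector, one sum per word."""
    return [sum(rho[i] * D[i][w] for i in range(len(D))) % Q for w in range(len(D[0]))]

def pir_retrieve(D, beta, server_ids, t=T, l=L):
    """Client: send rho_j to each chosen server (k = len(server_ids) >= t + 1) and
    interpolate every word of the responses at x = 0 to obtain record beta."""
    rhos = build_query(beta, len(D), t, l)
    R = {j: server_respond(rhos[j - 1], D) for j in server_ids}
    return [reconstruct(server_ids, [R[j][w] for j in server_ids]) for w in range(len(D[0]))]

def product_threshold_demo(a=7, b=9, t=T, l=L):
    """[a]_q (x) [b]_q is a (2t+1, l)-threshold sharing of a*b: all 2t+1 = l servers recover
    it, but t+1 servers interpolate the wrong value (except with probability about 1/q)."""
    prod_shares = [x * y % Q for x, y in zip(share(a, t, l), share(b, t, l))]
    full = reconstruct(list(range(1, l + 1)), prod_shares) == a * b
    partial = reconstruct(list(range(1, t + 2)), prod_shares[:t + 1]) == a * b
    return full, partial

# Constructed toy database D: r = 4 records of s = 3 words each, as an r x s matrix over Z_q.
DEMO_DB = [[11, 22, 33], [44, 55, 66], [77, 88, 99], [123, 456, 789]]

if __name__ == "__main__":
    print(pir_retrieve(DEMO_DB, 2, [1, 2, 3, 4, 5]))   # record 2 from all five servers
    print(pir_retrieve(DEMO_DB, 0, [1, 3, 5]))         # record 0 from only t + 1 = 3 servers
    print(product_threshold_demo())                    # (True, False)
```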
Finally, the user computes the record at index $\beta$ from the $R_j$ by using Lagrange interpolation (and also Guruswami-Sudan list decoding [35] if some servers are Byzantine or malicious).

3.3 Threshold BLS signatures
The BLS signature scheme [8] is a short signature scheme that uses a pairing function for signature verification. The signer's private signing key is a random integer $x \in \mathbb{Z}_q$, and the corresponding public verification key is $(\hat{g}, \hat{g}^x)$ (recall that $\hat{g}$ is a generator of $\mathbb{G}_2$). Given the signing key $x$ and a message $m$, the signature is computed via $\sigma = h^x$ where $h = \mathrm{hash}(m)$ is a cryptographic hash of $m$; the verification equation is $e(\sigma, \hat{g}) \stackrel{?}{=} e(h, \hat{g}^x)$. We use the $(k, l)$-threshold variant (and also the $(k, k)$-threshold variant) of BLS signatures; in both cases, the signing keys are evaluations of a polynomial of degree $k-1$ and the master secret is the constant term of this polynomial. The user recombines signature shares via Lagrange interpolation in the exponent. Note that by publishing the individual verification key shares of each signer, threshold BLS signatures provide some level of robustness against Byzantine signers since each signature share can also be verified independently by using the signer's public verification key share.

3.4 Polynomial commitments
Polynomial commitments [40] allow a prover to form constant-sized commitments to polynomials in such a way that a verifier can later use these commitments to confirm evaluations of the committed polynomials without revealing any additional information about them. We use the PolyCommit_DL construction of Kate et al. [40], which provides unconditional hiding if the commitment is opened to at most $t-1$ evaluations (for a degree-$t$ polynomial) and computational hiding under the discrete log (DL) assumption if the polynomial is opened at a $t$-th point ($t+1$ or more openings is sufficient to interpolate and thus recover the committed polynomial), as well as their PolyCommit_Ped construction, which offers unconditional hiding even when $t$ evaluations are revealed. Their constructions are based on the polynomial remainder theorem: if $f$ is a polynomial, then the remainder obtained by dividing $f(x)$ by $x - r$ equals $f(r)$; in other words, $x - r$ divides $f(x) - f(r)$. We describe how PolyCommit_DL works, and refer the reader to [40] for details on the similar PolyCommit_Ped construction. A commitment to the polynomial $f(x) = a_t x^t + \cdots + a_1 x + a_0$ in PolyCommit_DL has the form $C_f = (g^{\alpha^t})^{a_t} \cdots (g^{\alpha})^{a_1} g^{a_0} = g^{f(\alpha)}$, where $\alpha$ is secret, $g \in \mathbb{G}_1$ is a generator, and all bases (as well as $\hat{g}$ and $\hat{g}^\alpha$) are part of the commitment scheme's public key. If PolyCommit_Ped commitments are used, then the public key includes the additional values $h^{\alpha^t}, \ldots, h^{\alpha}, h$, where $h \in \mathbb{G}_1$ is a generator whose discrete logarithm with respect to $g$ is unknown. To open an evaluation of $f$ at $x = r$, the prover invokes $\mathrm{CreateWitness}(f, r)$, which outputs a polynomial commitment $w$ to the quotient obtained upon division of $f(x) - f(r)$ by $x - r$; the commitment $w$ is called a witness. The verifier can confirm the claimed evaluation by checking if $\mathrm{Ver}(C_f, r, f(r), w) = \big[\, e(C_f, \hat{g}) \stackrel{?}{=} e(w, \hat{g}^\alpha / \hat{g}^r) \cdot e(g, \hat{g})^{f(r)} \,\big]$ is true.
Note that in [40], polynomial commitments are constructed over a symmetric pairing, whereas in this work we construct our polynomial commitments over an asymmetric pairing, since we wish to reuse this pairing for short threshold BLS signatures. Much like traditional discrete logarithm commitments [27] and Pedersen commitments [50], polynomial commitments are additively homomorphic and scalar multiplication of committed values can be computed by exponentiating the commitment by the scalar. We exploit both of these facts extensively in our protocols.

3.5 Zero-knowledge proofs
Our protocols employ several standard zero-knowledge proofs (ZKPs) from the literature: proofs of knowledge of a committed value [52], range proofs [9] to prove that a committed value is nonnegative, proofs of knowledge of a discrete log representation of a number [11], and proofs that a commitment opens to the product of the openings of two other commitments [20]. We refer the interested reader to the respective papers for more details on each of these proofs, or to [16] for a self-contained treatment of all of the aforementioned proofs. We also use some efficient batch proof techniques [6, 7] to achieve practicality in our protocols; the rest of this section describes these batch proofs.

3.5.1 Proving equality of 1-out-of-r discrete logs.
We combine the batch verification techniques of Bellare et al. [6, 7] with Cramer et al.'s [24] technique for proving the disjunction of two or more propositions to yield efficiently verifiable proofs of equality of 1-out-of-$r$ discrete logarithms. That is, given bases $g$ and $h$ and two sets of inputs $g_1, g_2, \ldots, g_r$ and $h_1, h_2, \ldots, h_r$, to prove the predicate $\bigvee_{i=1}^{r} \big( \log_g(g_i) = \log_h(h_i) \big)$ without revealing which particular statements are true and which are false. Let $g$ and $h$ be (known) generators of a group $\mathbb{G}$ (of order $q$) with $\log_g(h)$ unknown to the verifier, and let $g_1, g_2, \ldots, g_r$ and $h_1, h_2, \ldots, h_r$ be given. The proof works as follows:
Prover knows: $x = \log_g g_j = \log_h h_j$ and index $j$
Verifier learns: that $\log_g g_j = \log_h h_j$ for at least one $j$
1. The prover chooses $\gamma_1, \ldots, \gamma_r \in_R \mathbb{Z}_q$ and $c_1, \ldots, c_r \in_R \mathbb{Z}_{2^\kappa}$, then computes and sends the commitments $\eta_i = g^{\gamma_i} g_i^{c_i \bar{\delta}_{ij}}$ and $\zeta_i = h^{\gamma_i} h_i^{c_i \bar{\delta}_{ij}}$ to the verifier, for $1 \le i \le r$.
2. The verifier chooses and sends $c \in_R \mathbb{Z}_{2^\kappa}$ to the prover.
3. The prover retains $c_i$ and sets $\upsilon_i = \gamma_i$ for $i \in [1, r] \setminus \{j\}$, computes $c_j = c - \sum_{i=1}^{r} c_i \bar{\delta}_{ij} \bmod 2^\kappa$ and $\upsilon_j = \gamma_j - c_j x \bmod q$, then sends the pair $(\vec{c}, \vec{\upsilon})$ to the verifier, where $\vec{c} = \langle c_1, \ldots, c_r \rangle$ and $\vec{\upsilon} = \langle \upsilon_1, \ldots, \upsilon_r \rangle$.
4. The verifier chooses $\vec{b} = \langle b_1, \ldots, b_r \rangle \in_R (\mathbb{Z}_{2^\kappa})^r$ and computes $\upsilon = \vec{\upsilon} \cdot \vec{b}$. The verifier accepts if and only if

$$\prod_{i=1}^{r} \eta_i^{b_i} \stackrel{?}{=} g^{\upsilon} \Big( \prod_{i=1}^{r} g_i^{b_i c_i} \Big), \qquad \prod_{i=1}^{r} \zeta_i^{b_i} \stackrel{?}{=} h^{\upsilon} \Big( \prod_{i=1}^{r} h_i^{b_i c_i} \Big) \qquad \text{and} \qquad c \stackrel{?}{=} \sum_{i=1}^{r} c_i \bmod 2^\kappa$$

all hold.

Note that the above batch verification equation is more efficient than checking each of the $r$ verification equations independently, since both $b_i$ and $c_i$ are short exponents; moreover, in our own application (see §3.5.2), we take advantage of some properties of the special case we are proving to further reduce verification costs.

Theorem 1. Batch proof of equality of 1-out-of-$r$ discrete logarithms is correct and is sound with overwhelming probability (in the soundness parameter $\kappa$).
This theorem is proved by Bellare et al. in [7, Theorem 2.2].

3.5.2 Proving that a vector of commitments opens to a standard basis vector.
We introduce a new proof that allows one to efficiently prove that a vector of $r$ commitments opens to an $r$-dimensional standard basis vector (i.e., a length-$r$ vector containing a single 1 and the rest 0). Our proof uses a special case of the batch proof of equality of 1-out-of-$r$ discrete logarithms from the previous section as a subroutine. In particular, we use the special case in which $g_1 = g_2 = \cdots = g_r$ and the $h_i$ are all different, but $\log_{h^\gamma}(h_i) = a_i$ is known to the verifier, where $\gamma$ is randomly chosen by the prover and unknown to the verifier. In our protocol, the prover actually wishes to prove to the verifier that the vector of polynomials committed to by a vector of polynomial commitments evaluate to a standard basis vector at $x = 0$.
However, modifying our approach as described here to handle other types of commitments (e.g., Pedersen commitments) is straightforward, and modifying it to handle different evaluation points is trivial. Let $\vec a = \langle a_1, \ldots, a_r \rangle \in_R (\mathbb{Z}_{2^\kappa})^r$. The key observation behind our approach is as follows: if $\vec v$ is a standard basis vector, then $\vec v \cdot \vec a = a_i$ for some $1 \le i \le r$; conversely, if $\vec v$ is not a standard basis vector, then with high probability $\vec v \cdot \vec a \ne a_i$ for any $1 \le i \le r$. The proof works as follows:

Prover knows: a length-$r$ vector of polynomials $\vec f \in (\mathbb{Z}_q[x])^r$
Verifier learns: a length-$r$ vector $\vec C$ of component-wise commitments to the polynomials in $\vec f$, and that $\vec f$ evaluates component-wise to a standard basis vector at $x = 0$

1. The prover computes and sends $\vec C$ to the verifier.
2. The verifier chooses a vector of challenges $\vec a \in_R (\mathbb{Z}_{2^\kappa})^r$ and sends it to the prover; meanwhile, the verifier computes $C_a = \prod_{i=1}^{r} C_i^{a_i}$, where $C_i$ and $a_i$ are the $i$th components of $\vec C$ and $\vec a$, respectively. Note that $C_a$ is a commitment to the dot product $f_a = \vec f \cdot \vec a$.
3. The prover computes the dot product $f_a = \vec f \cdot \vec a$ and engages in a zero-knowledge proof of knowledge of the evaluation of $f_a$ at $x = 0$ with the verifier, such as by using the technique described in [41, Appendix D].
4. Let $Y = g_T^{\gamma y}$ be the (blinded) commitment to $y = f_a(0)$ from this last proof of knowledge. The prover sends $\nu = h^{\gamma}$ together with a proof that $\gamma$ is the same randomness used to blind $Y$, and engages in a batch proof of equality of 1-out-of-$r$ discrete logarithms to prove $\bigvee_{i=1}^{r} \big(\log_{g_T} Y = \log_h \nu^{a_i}\big)$.

Remark. Because we are dealing with the special case of the batch proof of equality of 1-out-of-$r$ discrete logarithms in which $g_1 = g_2 = \cdots = g_r = Y$ and $\log_\nu(h_i) = a_i$ is known to the verifier, the following optimizations apply: instead of checking
$$\prod_{i=1}^{r} \eta_i^{d_i} \stackrel{?}{=} g_T^{\upsilon} \Big(\prod_{i=1}^{r} g_i^{c_i d_i}\Big) \qquad\text{and}\qquad \prod_{i=1}^{r} \zeta_i^{d_i} \stackrel{?}{=} h^{\upsilon} \Big(\prod_{i=1}^{r} h_i^{c_i d_i}\Big)$$
in the verification equation (here the $d_i$ are the verifier's random $\kappa$-bit batching exponents, called $b_i$ in §3.5.1), the verifier computes $w_1 = \sum_{i=1}^{r} c_i d_i \bmod q$ and $w_2 = \sum_{i=1}^{r} a_i c_i d_i \bmod q$ and checks whether
$$\prod_{i=1}^{r} \eta_i^{d_i} \stackrel{?}{=} g_T^{\upsilon}\, Y^{w_1} \qquad\text{and}\qquad \prod_{i=1}^{r} \zeta_i^{d_i} \stackrel{?}{=} h^{\upsilon}\, \nu^{w_2}.$$
This reduces the cost of verification from 2 full-length exponentiations and $6r$ short exponentiations (i.e., exponentiations with $\kappa$-bit exponents) to 4 full-length exponentiations and $2r$ short exponentiations.

Theorem 2. Proof that a vector of commitments opens to a standard basis vector is correct and is sound with overwhelming probability (in the soundness parameter $\kappa$).

The proof of this theorem is in Appendix A.

3.5.3 Batch verification of evaluations of polynomial commitments at a common point. In [40], Kate et al. show how to open a single polynomial commitment to a set of evaluations at the same time with a single witness element, a technique they call batch opening. We flip this proof around and show how to verify the evaluations of a set of polynomial commitments at a single point, a technique we call batch verification. Batch verification can be either cooperative or noncooperative.
The cooperative form of the protocol is interactive (though it can be made noninteractive using the Fiat-Shamir heuristic [28]) and uses only a single witness element, while the noncooperative form is noninteractive and uses one witness element per commitment. As the name implies, the noncooperative form of batch verification does not require the prover's cooperation; i.e., only the verifier changes. In particular, the verifier combines all of the witnesses (and commitments) into a single witness (and commitment) at verification time to significantly reduce verification time at the cost of a negligible decrease in soundness. We state here the cooperative form of batch verification.

Prover knows: a length-$r$ vector of polynomials $\vec f \in (\mathbb{Z}_q[x])^r$
Verifier learns: a length-$r$ vector $\vec C$ of component-wise commitments to the polynomials in $\vec f$, a component-wise evaluation $\vec\rho$ of $\vec f$ at $x = x_0$, and the evaluation point $x_0$

1. The prover computes and sends $\vec C$ and $\vec\rho$ to the verifier.
2. The verifier chooses $\vec a = \langle a_1, \ldots, a_r \rangle \in_R (\mathbb{Z}_{2^\kappa})^r$ and sends it to the prover; meanwhile, the verifier computes the dot product $\rho_a = \vec\rho \cdot \vec a$ and the commitment $C_a = \prod_{i=1}^{r} C_i^{a_i}$.
3. The prover computes the dot product $f_a = \vec f \cdot \vec a$ and the witness $w_a = \mathrm{CreateWitness}(f_a, x_0)$, then sends $w_a$ to the verifier.
4. The verifier checks whether $\mathrm{Ver}(C_a, x_0, \rho_a, w_a) \stackrel{?}{=} \mathrm{true}$.

The noncooperative form of batch verification works similarly, except that the prover computes and sends a vector of witnesses to the verifier (one for each polynomial commitment), and the verifier combines the witnesses locally by computing $w_a = \prod_{i=1}^{r} w_i^{a_i}$; in particular, the vector $\vec a$ is local to the verifier and the prover never sees it.

Theorem 3. Batch verification of evaluations of polynomial commitments at a common point is correct and is sound with overwhelming probability (in the soundness parameter $\kappa$).

The proof of this theorem is in Appendix B.

4. CONSTRUCTIONS

We now describe the full details of our constructions. We develop our scheme incrementally in three steps. First, we describe how to convert Goldberg's multi-server PIR into SPIR.
We then describe the basic single-payee PSPIR construction and show how to extend it to support access control lists. Finally, we discuss our approach to bookkeeping and use this to add support for top-K replication and to construct multiple-payee PSPIR.

4.1 Symmetric PIR construction

The first step in our construction is to convert Goldberg's PIR scheme into SPIR; that is, we augment the scheme to enforce the additional property that no query will ever reveal information about more than a single record, under some mild computational assumptions. This property implies that no coalition of users can use knowledge obtained from one or more PIR queries to learn any information about a record that they did not purchase in one of those queries. We accomplish this with the aforementioned proof that a vector of commitments opens to a standard basis vector. In particular, the user (querying servers with indices $I_1, \ldots, I_k$ for the record at index $\beta$ using his current wallet, $\mathrm{wallet}$) does the following:

1. chooses $\vec f = \langle f_1, \ldots, f_r \rangle \in_R (\mathbb{Z}_q[x])^r$ such that $\deg(f_i) \le t$ and $f_i(0) = \delta_{i\beta}$,
2. computes a vector $\vec C$ of component-wise $\mathrm{PolyCommit}_{\mathrm{DL}}$ commitments to the polynomials in $\vec f$,
3. computes $k$ vectors $\vec\rho_j = \langle f_1(I_j), \ldots, f_r(I_j) \rangle$ of evaluations of the polynomials in $\vec f$, and $k$ witnesses $w_j$ that attest to the fact that the $r$ evaluations in $\vec\rho_j$ are correct using cooperative batch verification (made noninteractive via Fiat-Shamir), for $1 \le j \le k$,
4. computes the set $S$ of commitment values from the proof that the polynomials committed to in $\vec C$ open to a standard basis vector at $x = 0$, and
5. sends $(\vec C, S, \mathrm{wallet}, \vec\rho_j, w_j)$ to server $I_j$ for $1 \le j \le k$.

Note that each server receives different vectors of evaluation points and witnesses, but the same wallet and sets of commitments. Upon receiving these values, each server $I_j$

6. ensures that it has not seen $\mathrm{wallet}$ in an earlier query,
7. verifies that the evaluations in $\vec\rho_j$ are correct using cooperative batch verification (with witness $w_j$),
8. computes a $(k, \ell)$-threshold BLS signature share $\sigma_j$ on the value $\vec C \,\|\, S \,\|\, \mathrm{wallet}$, and
9. sends $\sigma_j$ to the user.

After receiving signature shares from each server, the user

10. combines $\sigma_1, \ldots, \sigma_k$ into a signature $\sigma$ on $\vec C \,\|\, S \,\|\, \mathrm{wallet}$,
11. computes the challenge $c = \mathrm{hash}(\sigma)$ and uses this challenge to compute the set $V$ of responses to complete the aforementioned proof that the polynomials committed to in $\vec C$ open to a standard basis vector at $x = 0$, and
12. sends $(\sigma, V)$ to server $I_j$ for $1 \le j \le k$.

Upon receipt of this response, each server $I_j$

13. verifies that $\sigma$ is a valid signature on $\vec C \,\|\, S \,\|\, \mathrm{wallet}$, and
14. computes $c = \mathrm{hash}(\sigma)$ and checks whether the responses in $V$ are valid responses for this challenge.

Recall that in Goldberg's PIR scheme, the user recovers the record by Lagrange interpolation at the point $x = 0$. It is apparent that the above proof convinces the database servers that the query only reveals information about a single record when the responses are interpolated at the point $x = 0$, but we must also consider a clever user that chooses the polynomials in his query non-randomly. In this case, the polynomials might be chosen such that interpolating at some other point $x = a$ reveals information about some other database record. This is unsurprising, since it is known that information-theoretic SPIR is impossible to achieve without some interaction between the servers, or a shared secret among them [31]. We thus introduce a shared secret key $sk$, known to all the servers but unknown to the users.
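The "interpolate at $x = a$" attack just described, and the rerandomization with the shared key $sk$ that the servers apply to defeat it (a common pseudorandom polynomial $g$ with $g(0) = 0$ plus an ephemeral extra record, both derived from $sk$ and the query), simulated over $\mathbb{Z}_q$ as an added example; this is not code from the paper or from Percy++. Assumptions: records are single $\mathbb{Z}_q$ words, $q = 2^{61} - 1$ is a toy modulus, SHA-256 in counter mode serves as the PRG, a fixed byte string stands in for the commitment vector $\vec C$ that seeds the real PRG, and the function names are this example's own.

```python
# Added example (not code from the paper or from Percy++): Goldberg-style PIR over
# Z_q, the "interpolate at x = a" attack from Section 4.1, and the shared-key
# rerandomization that defeats it.  Assumptions: one Z_q word per record, a toy
# 61-bit prime, SHA-256 in counter mode as the PRG, and a fixed query identifier
# standing in for the commitment vector C that seeds the real PRG.
import hashlib
import random

Q = (1 << 61) - 1          # prime modulus for all arithmetic (toy size, assumption)

def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1] x + ... at x, mod Q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def interpolate(points, x):
    """Lagrange-interpolate the polynomial through points and evaluate it at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total

def honest_query(r, t, beta, servers, rng):
    """f_i(0) = delta_{i,beta}, deg f_i <= t, other coefficients random (t-private)."""
    polys = [[1 if i == beta else 0] + [rng.randrange(Q) for _ in range(t)] for i in range(r)]
    return {I: [poly_eval(f, I) for f in polys] for I in servers}

def malicious_query(r, beta, beta2, a, servers):
    """Degree-1 polynomials with f_i(0) = delta_{i,beta} but f_i(a) = delta_{i,beta2}."""
    inv_a = pow(a, Q - 2, Q)
    polys = [[1 if i == beta else 0,
              ((1 if i == beta2 else 0) - (1 if i == beta else 0)) * inv_a % Q]
             for i in range(r)]
    return {I: [poly_eval(f, I) for f in polys] for I in servers}

def prg(sk, query_id, count):
    """Common pseudorandom Z_q elements: SHA-256(sk || query_id || counter)."""
    out = []
    for ctr in range(count):
        digest = hashlib.sha256(sk + query_id + ctr.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(digest, "big") % Q)
    return out

def respond(db, shares, I, t, sk=None, query_id=b""):
    """Server I: dot product of its share vector with the database; with sk, rerandomize."""
    resp = sum(s * d for s, d in zip(shares, db)) % Q
    if sk is not None:
        rnd = prg(sk, query_id, t + 1)
        nonce, g = rnd[0], [0] + rnd[1:]   # ephemeral (r+1)th record; g(0) = 0, deg g <= t
        resp = (resp + poly_eval(g, I) * nonce) % Q
    return resp

def demo(seed=7):
    rng = random.Random(seed)
    r, t, servers = 6, 2, [1, 2, 3, 4]          # k = 4 servers, t = 2
    db = [rng.randrange(Q) for _ in range(r)]   # constructed random database
    beta, beta2, a = 2, 5, 9
    # Honest query: interpolating the responses at x = 0 recovers record beta.
    sh = honest_query(r, t, beta, servers, rng)
    honest_ok = interpolate([(I, respond(db, sh[I], I, t)) for I in servers], 0) == db[beta]
    # Attack, no rerandomization: the same responses interpolated at x = a leak record beta2.
    bad = malicious_query(r, beta, beta2, a, servers)
    leak = interpolate([(I, respond(db, bad[I], I, t)) for I in servers], a) == db[beta2]
    # With rerandomization, x = 0 still decodes correctly but x = a is masked by g(a) * nonce.
    sk, qid = b"server-shared-secret", b"commitment-vector-C"
    rr = [(I, respond(db, bad[I], I, t, sk, qid)) for I in servers]
    return honest_ok, leak, interpolate(rr, 0) == db[beta], interpolate(rr, a) == db[beta2]
```

The malicious query passes every check the servers can make on the polynomials' values at $x = 0$, yet the responses it elicits form a polynomial whose value at $x = a$ is the second record. Adding $g(I_j) \cdot \mathrm{nonce}$ to each response leaves the value at $x = 0$ untouched (because $g(0) = 0$) and masks every other point with a term the user cannot predict without $sk$; seeding the PRG with the query itself, as footnote 3 below requires, is what stops a user from replaying the query to obtain a different mask.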
(Note that the servers must already share a copy of the database, so requiring them to share an additional secret key is reasonable.) To prevent the above attack, server $I_j$

15. seeds a pseudorandom generator (PRG) with $sk$ and $\vec C$,³
16. uses the PRG to generate a common pseudorandom nonce and appends it to the database as an ephemeral $(r+1)$th database record for this query,
17. uses the PRG to generate $t$ random $\mathbb{Z}_q$ elements (one per nonconstant coefficient) from which it forms a common pseudorandom polynomial $g \in \mathbb{Z}_q[x]$ of degree (at most) $t$ with $g(0) = 0$,
18. computes and appends $g(I_j)$ to $\vec\rho_j$, and
19. encodes the query response exactly as in Goldberg's original construction.

³ It is important that no other values are used to seed the PRG, since the user might otherwise replay $\vec C$ to retrieve a different nonce and potentially leak some information about other database records.

Note that when encoding the response, the servers include the ephemeral $(r+1)$th record in the database, and also include their respective evaluations of the pseudorandom polynomial $g$ in the query as if the user had submitted it as part of his original query. This last set of steps effectively rerandomizes the user's query. The user decodes the responses to his rerandomized query in the usual way (see §3.2). Note that this SPIR construction preserves the $t$-privacy and $v$-Byzantine-robustness properties of the underlying PIR protocol; however, our approach to rerandomizing user queries prevents us from inheriting the scheme's optional $\tau$-independence property.

Theorem 4. The above modifications convert Goldberg's multi-server information-theoretic PIR into multi-server SPIR. Query privacy is provided information theoretically against up to $t - 1$, and computationally against $t$ (under the DL assumption), colluding servers; the database's privacy is protected computationally (under the $t$-SDH assumption [40]).

We sketch the proof of this theorem in Appendix C.

4.2 Single-payee PSPIR

Next, we extend the above SPIR construction to single-payee PSPIR. To do this, we augment the protocol as follows.
First, we have the user compute a commitment, called a receipt, that encodes the price of the requested record under the price tier encoded in his wallet. The user proves in zero-knowledge that the receipt is well-formed (i.e., that it encodes the correct price) and that the balance in his wallet is sufficient to purchase the record at that price; once convinced by this proof, the database servers issue a threshold BLS signature on the user's receipt and wallet. The user can later exchange his wallet and this signed receipt with the bank to retrieve a new wallet for use in a future transaction. We also discuss how a user can recharge the balance in his wallet, and then point out a simple trick that enables the servers to enforce access control lists with only a slight modification to the PSPIR protocol.

Proving sufficient funds and computing the receipt. To compute the receipt, the user and each database server independently compute a commitment to the price of the record encoded in the user's query for each price tier. This is done by taking advantage of the homomorphic properties of polynomial commitments: each party computes the $T$ polynomial commitments $P_i = \prod_{j=1}^{r} C_j^{p_{ij}}$ for $1 \le i \le T$, where $p_{ij}$ is the $j$th component of $\vec p_i$. (Recall that $\vec p_i$ is the tier-$i$ price list.) Note that $P_i$ is a commitment to a polynomial $f_{P_i} = \vec f \cdot \vec p_i$ whose constant coefficient is equal to the price of record $\beta$ in $\vec p_i$ (i.e., $f_{P_i}(0) = p_{i\beta}$). Next, the user

1. chooses $\gamma_0, \gamma_1 \in_R \mathbb{Z}_q$ and computes the $\mathrm{PolyCommit}_{\mathrm{Ped}}$ commitment $C_P = P_\pi\, (h^\alpha)^{\gamma_1} h^{\gamma_0}$, where $\pi$ is the price tier encoded in $\mathrm{wallet}$,
2. computes a Pedersen commitment $\mathrm{Receipt}_P = g_T^{p_{\pi\beta}} h_T^{\gamma_0}$ and the witness $w_P = g^{\phi(\alpha)} h^{\gamma_1}$, where $\phi(x)$ is the quotient upon division of $f_{P_\pi}(x) - f_{P_\pi}(0)$ by $x - 0$,
3. computes $\Pi_P$, a ZKP of knowledge of $(x_1, \ldots, x_T, b)$ and $(\gamma_0, \gamma_1, p)$ such that $C_P = P_1^{x_1} \cdots P_T^{x_T} (h^\alpha)^{\gamma_1} h^{\gamma_0}$ (recall that $x_i = \delta_{i\pi}$), $\mathrm{Receipt}_P = g_T^{p} h_T^{\gamma_0}$, $b - p \ge 0$, and $\mathrm{wallet}$ encodes attributes $x_1, \ldots, x_T$ and balance $b$, and
4. sends the tuple $(C_P, w_P, \mathrm{Receipt}_P, \Pi_P)$ to server $I_j$ for $1 \le j \le k$.

Upon receiving these values, each server $I_j$

5. verifies that the proof $\Pi_P$ is correct,
6. checks whether $e(C_P, \hat g) \stackrel{?}{=} e(w_P, \hat g^{\alpha}) \cdot \mathrm{Receipt}_P$ (this is the $\mathrm{PolyCommit}_{\mathrm{Ped}}$ evaluation check at $x = 0$: with $g_T = e(g, \hat g)$ and $h_T = e(h, \hat g)$, both sides equal $g_T^{f_{P_\pi}(\alpha)} h_T^{\alpha\gamma_1 + \gamma_0}$ exactly when $\mathrm{Receipt}_P$ commits to $f_{P_\pi}(0)$),
7. computes a $(k, \ell)$-threshold BLS signature share $\varsigma_j$ on the value $\mathrm{wallet} \,\|\, \mathrm{Receipt}_P$, and
8. sends $\varsigma_j$ to the user.

If any verification step above fails, then the servers abort immediately; otherwise, the servers proceed to process the user's query as usual. The user recombines the signature shares $\varsigma_j$, $1 \le j \le k$, to recover the signature $\varsigma$ on $\mathrm{wallet} \,\|\, \mathrm{Receipt}_P$.

Remark. To improve performance, our implementation of the above protocols (as described in [36, Appendix D]) diverges somewhat from the above descriptions. In particular, each of the ZKPs used in the SPIR construction is computed noninteractively using Fiat-Shamir, and the commitments and responses from this proof are transmitted to each server as early as possible, thus allowing the servers to begin verification before the user completes the proof. Then, instead of computing $\mathrm{Receipt}_P$ noninteractively, each server issues a threshold BLS signature share on $\mathrm{wallet}$, all common values from this proof, and all commitment values from the proof that $\mathrm{Receipt}_P$ is valid; the user recombines these signature shares to produce a challenge value for this latter proof, then transmits the recombined signature and his responses to each server. This convinces the servers that they each saw the same wallet and query in the earlier SPIR proof.⁴

Refreshing the wallet. Before performing subsequent queries, the user must refresh his wallet with the bank. To do so, the user sends the tuple of values $(\varsigma, \mathrm{Receipt}_P, \mathrm{wallet})$ to the bank, who verifies that $\varsigma$ is a valid signature on $\mathrm{wallet} \,\|\, \mathrm{Receipt}_P$. If so, the user and the bank run the credential issuing protocol for the credential system (see §2) that represents the wallet. At the end of this protocol, the user has a new, unlinkable (even to the bank) wallet $\mathrm{wallet}'$ encoding the same tier as $\mathrm{wallet}$ and a balance equal to the price committed to in $\mathrm{Receipt}_P$ subtracted from the balance encoded in $\mathrm{wallet}$.
The user may similarly recharge his wallet with additional funds by first purchasing a receipt that encodes a negative price using, for example, a prepaid credit card. Note that in this procedure, the bank does not learn the balance in the new or the old wallet, or the price encoded in the receipt; in fact, the bank cannot even distinguish between a user that is refreshing his wallet and one who is recharging it.

Supporting access control lists. We now describe a simple modification to implement access control lists atop our PSPIR construction. The idea is to impose a maximum balance $b_{\max}$ on users' wallets, and then require all users to prove that their new balance does not exceed $b_{\max}$ each time they refresh or recharge their wallets with the bank. The bank will refuse to issue any wallet without such a proof, thus ensuring that no user's balance ever exceeds $b_{\max}$. The remainder of the protocol remains unchanged, except that a price of $\infty$ in $\vec p_\pi$ is treated as a price of $b_{\max} + 1$, which, by our restriction above, no user can afford. Thus, this simple modification effectively prevents users in price tier $\pi$ from purchasing any record marked as $\infty$ in $\vec p_\pi$.

⁴ The reason we describe the protocols as above is to make the SPIR construction secure on its own. In our implementation, the security of the SPIR relies on successful verification of the subsequent receipt proof (which is acceptable, since the servers do not respond to the query until they have verified both proofs).

4.3 Bookkeeping

This section discusses our approach to bookkeeping. At a high level, our idea uses the additive and multiplicative homomorphic properties of Shamir secret shares to maintain and compute on shares of aggregate counts of the number of times each database record is retrieved (and at what price). In Goldberg's original PIR construction, the database servers do not maintain any state information; the only information they store is the actual database contents.
We augment the database with two additional columns of state information; i.e., we require the database servers to store two $w$-bit words of state (Shamir secret shares) per database record, which are the length-$r$ vectors of shares $\vec c_j = \langle [c_1]_q, \ldots, [c_r]_q \rangle$ and $\vec d_j = \langle [d_1]_q, \ldots, [d_r]_q \rangle$. Our initial idea was for servers to maintain a running sum of all queries they witness between successive bookkeeping operations. Unfortunately, this naive solution requires all servers to be involved in all queries, since if server $j$ aggregates a query but server $j'$ does not, their shares will be inconsistent and interpolate to an unpredictable value that does not reflect the actual number of queries per record. However, requiring all servers to participate in all queries hurts availability, since the failure of a single database server would render the system inoperable. (It also hurts efficiency by requiring additional bandwidth and computational power to be devoted to each query.) Moreover, even if all servers aggregate all queries, this only enables them to track the number of times each record is retrieved, but not the prices paid for them. We solve the first problem by having the user reveal which subset $Q$ of database servers is involved in each query, and then use this knowledge to convert the Shamir secret shares into additive shares; therefore, all servers must be online to compute on the shared bookkeeping data, but they do not need to be online during every query. To solve the second problem, we have the user (querying for record $\beta$ under price tier $\pi$) include the additional vector of shares $\vec\varrho_j$ of $(p_{\pi\beta} \cdot \vec 1_\beta)$, where $\vec 1_\beta$ is the $\beta$th standard basis vector, along with his query.⁵ The servers convert both vectors into additive shares and aggregate them into $\vec c_j$ and $\vec d_j$, which are then vectors of shares of the number of times each record was retrieved, and of the total price paid for those retrievals, respectively.
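The share-based bookkeeping just described, as an added example (not code from the paper or from Percy++): each server in $Q$ converts the Shamir shares of a confirmed query into additive shares with the Lagrange coefficient at zero, $\lambda_{Q,j} = \prod_{I \in Q \setminus \{I_j\}} I\,(I - I_j)^{-1} \bmod q$, accumulates them into $\vec c_j$ and $\vec d_j$, and at bookkeeping time the sum of all servers' accumulators yields the per-record counts and revenue. Assumptions of this example: a toy 61-bit prime $q$, a single price tier, plaintext Shamir sharing in place of the user's committed polynomials, a method call standing in for the bank's "transaction complete" notification, and the `Server`, `bookkeeping` and `demo` names; the per-CP payout at the end uses the single-tier formula from the multiple-payee discussion later in this section, which is why an unconfirmed query must not be counted.

```python
# Added example (not code from the paper or from Percy++): share-based bookkeeping
# from Section 4.3.  Assumptions: toy 61-bit prime q, a single price tier,
# plaintext Shamir sharing instead of the user's committed polynomials, and a
# method call standing in for the bank's "transaction complete" notification.
import random

Q = (1 << 61) - 1

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def lagrange_zero(Qset, I):
    """lambda_{Q,j}: Lagrange coefficient at x = 0 for abscissa I among the servers in Qset."""
    lam = 1
    for J in Qset:
        if J != I:
            lam = lam * J % Q * pow((J - I) % Q, Q - 2, Q) % Q
    return lam

def share_vector(values, t, Qset, rng):
    """Shamir-share every entry of values (degree <= t) to the k servers in Qset."""
    polys = [[v] + [rng.randrange(Q) for _ in range(t)] for v in values]
    return {I: [poly_eval(f, I) for f in polys] for I in Qset}

class Server:
    def __init__(self, I, r):
        self.I, self.pending = I, {}
        self.c, self.d = [0] * r, [0] * r      # additive shares of counts and revenue

    def receive(self, wallet, Qset, rho, varrho):
        self.pending[wallet] = (Qset, rho, varrho)   # held until the bank confirms

    def bank_confirms(self, wallet):
        Qset, rho, varrho = self.pending.pop(wallet)
        lam = lagrange_zero(Qset, self.I)            # Shamir share -> additive share
        self.c = [(c + lam * s) % Q for c, s in zip(self.c, rho)]
        self.d = [(d + lam * s) % Q for d, s in zip(self.d, varrho)]

def bookkeeping(servers):
    """With all l servers online, summing the additive shares reveals the aggregates."""
    r = len(servers[0].c)
    counts = [sum(s.c[i] for s in servers) % Q for i in range(r)]
    revenue = [sum(s.d[i] for s in servers) % Q for i in range(r)]
    for s in servers:                      # reinitialize after each bookkeeping operation
        s.c, s.d = [0] * r, [0] * r
    return counts, revenue

def demo(seed=3):
    rng = random.Random(seed)
    r, t, k = 6, 2, 3                      # l = 5 servers; any k >= t + 1 of them answer a query
    prices = [5, 5, 5, 20, 20, 20]         # one price list; CP_1 owns 0-2, CP_2 owns 3-5
    servers = [Server(I, r) for I in range(1, 6)]
    by_index = {s.I: s for s in servers}
    # Constructed queries: (single-use wallet, record beta, did the bank confirm?)
    queries = [("w1", 1, True), ("w2", 4, True), ("w3", 4, True), ("w4", 0, False)]
    for wallet, beta, confirmed in queries:
        Qset = sorted(rng.sample(range(1, 6), k))
        rho = share_vector([1 if i == beta else 0 for i in range(r)], t, Qset, rng)
        varrho = share_vector([prices[beta] if i == beta else 0 for i in range(r)], t, Qset, rng)
        for I in Qset:
            by_index[I].receive(wallet, Qset, rho[I], varrho[I])
        if confirmed:
            for I in Qset:
                by_index[I].bank_confirms(wallet)
    counts, revenue = bookkeeping(servers)
    payout = [sum(prices[i] * counts[i] for i in range(0, 3)),
              sum(prices[i] * counts[i] for i in range(3, 6))]
    return counts, revenue, payout
```

Because $\sum_{I_j \in Q} \lambda_{Q,j}\, f(I_j) = f(0)$ for any polynomial of degree at most $t$ once $|Q| \ge t + 1$, the additive shares produced by different queries, each with its own $Q$, can simply be added: servers outside a query's $Q$ contribute nothing for it, and the grand total over all $\ell$ servers is the sum of the $f(0)$ values. The example reveals the full count and revenue vectors at bookkeeping time; the top-K replication in the paper instead runs PPTK over the $\vec c_j$ shares so that only the $K$ largest entries are revealed.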
After each bookkeeping operation, database server $j$ reinitializes the auxiliary vectors $\vec c_j$ and $\vec d_j$ back to the length-$r$ zero vector, chooses a new private signing key $x_j$ for BLS signature generation, and publishes the corresponding verification key $(\hat g, \hat g^{x_j})$. By having each server choose its signing key independently, every subset $Q$ of $k$ servers has a unique public verification key $pk_Q$ for $(k, k)$-threshold BLS signatures; this key is easily computable using $Q$ via the expression
$$pk_Q = \prod_{I_j \in Q} \big(\hat g^{x_{I_j}}\big)^{\lambda_{Q,j}} \qquad\text{where}\qquad \lambda_{Q,j} = \prod_{I \in Q \setminus \{I_j\}} I \cdot (I - I_j)^{-1} \bmod q$$
is the Lagrange coefficient for interpolation at $x = 0$. Users then reveal $Q$ during each query, and the servers append an unambiguous string representation of $Q$ to the message resulting in the signature $\sigma$. The servers accept the signature as valid if and only if verification succeeds using the verification key $pk_Q$, where $Q$ is the set of servers encoded in the message. Similarly, the servers encode $Q$ into the signature $\varsigma$ on the user's receipt, and the user transmits $Q$ along with the receipt to the bank. This ensures that each server involved in a query sees a consistent set $Q$ of other servers; however, a malicious user may still disrupt the bookkeeping process by neglecting to send the tuple $(\sigma, V)$ to any nontrivial subset of $Q$ in Step 12 of the SPIR protocol. The servers that do receive $(\sigma, V)$ will aggregate the user's query into $\vec c_j$ and $\vec d_j$, while those that do not will not (thus resulting in inconsistent shares among the servers in $Q$). We therefore rely on the bank to facilitate atomicity of the query aggregation process. Instead of returning the regular query response $\vec\rho_j \cdot D$, the servers use the PRG (seeded with their shared secret and the user's wallet) to produce a common $\mathbb{Z}_q$ element for blinding, $\Gamma$, and return $\vec\rho_j \cdot D + \Gamma$. When the user sends $(\varsigma, Q, \mathrm{wallet}, \mathrm{Receipt}_P)$ to the bank, the bank 1) verifies that $\varsigma$ is a valid signature on $\mathrm{wallet} \,\|\, \mathrm{Receipt}_P \,\|\, Q$ using $pk_Q$, 2) computes and sends $\Gamma$ to the user, and 3) notifies each server in $Q$ that the transaction involving $\mathrm{wallet}$ is complete. At this point, all servers can safely update their aggregate shares.

⁵ Note that $\vec\varrho_j \ne p_{\pi\beta} \cdot \vec\rho_j \bmod q$, which would reveal the price $p_{\pi\beta}$ to the servers; rather, $\vec\varrho_j$ is an independently chosen vector of shares. Of course, $\vec\varrho_j - p_{\pi\beta} \cdot \vec\rho_j$ yields shares of the length-$r$ zero vector, which is the property we exploit to let the user prove the well-formedness of $\vec\varrho_j$.

Top-K replication. Given the above modifications, supporting top-K replication is straightforward. When a query $(\vec C, S, \mathrm{wallet}, \vec\rho_j, w_j, Q)$ arrives at server $I_j$, it temporarily stores $\vec\rho_j$. Upon notification of the query's success from the bank, server $I_j$ accumulates the query by computing $\vec c_j = \vec c_j + \lambda_{Q,j}\, \vec\rho_j$.⁶ Computing the top-$K$ records from these shares is then a straightforward application of Burkhart and Dimitropoulos' [14] privacy-preserving top-k (PPTK) algorithm. The algorithm outputs the indices of the $K$ largest values shared in $\vec c_j$ without revealing any additional information about the value of any share. After the top $K$ are revealed, the servers replicate these records to a smaller database and reinitialize $\vec c_j$ to the length-$r$ zero vector.

Multiple-payee PSPIR. Supporting multiple payees in the tiered pricing model is slightly more involved than supporting top-K replication. To highlight the intuition behind our general multiple-payee PSPIR construction, we first address the simpler case of supporting multiple payees in a single-tiered pricing scheme.
The single-tier case simplifies the construction in two important ways: first, the user need not send or prove statements about the additional vector of shares $\vec\varrho_j$ as above and, second, the servers only need to store a single additional column of auxiliary information. Consider the above PSPIR construction with a single price list $\vec p = \langle p_1, \ldots, p_r \rangle$ for all users, and a set of $m$ CPs $\mathcal{CP} = \{\mathrm{CP}_1, \ldots, \mathrm{CP}_m\}$. For ease of presentation, we define $r_1 = 0$ and $r_{m+1} = r$, and assume that $\mathrm{CP}_i$ ($1 \le i \le m$) owns the records at indices $r_i + 1$ through $r_{i+1}$. The amount payable to $\mathrm{CP}_i$ is then computed by summing the additive shares $\sum_{\ell = r_i + 1}^{r_{i+1}} p_\ell\, [c_\ell]_q$.

With tiered pricing, the computation is conceptually similar but requires cooperation from the user. The user chooses a vector of polynomials $\vec g = \langle g_1, \ldots, g_r \rangle \in_R (\mathbb{Z}_q[x])^r$ such that $\deg(g_i) \le t$, $g_i(0) = p_{\pi\beta}$ if $i = \beta$, and $g_i(0) = 0$ otherwise. Next, the user computes $k$ vectors $\vec\varrho_j = \langle g_1(I_j), \ldots, g_r(I_j) \rangle$ of component-wise evaluations of the polynomials in $\vec g$ for the indices $I_j \in Q$. Suppose that $\vec a \in (\mathbb{Z}_{2^\kappa})^r$ is the vector of challenges from the earlier (noninteractive) cooperative batch verifications that $\vec\rho_j$ is a component-wise evaluation of $\vec C$; then the user also computes a polynomial commitment $C_g$ to the dot product $\vec g \cdot \vec a$, and $k$ witnesses $W_j$, where $W_j$ attests to the fact that the committed polynomial evaluates to $\vec\varrho_j \cdot \vec a$ at $x = I_j$, for $1 \le j \le k$. Furthermore, the user computes $T$ $\mathrm{PolyCommit}_{\mathrm{DL}}$ commitments $D_i$, $1 \le i \le T$, to $(\vec f \circ \vec p_i - \vec g) \cdot \langle c_1, \ldots, c_r \rangle$, where $c_\ell = \mathrm{hash}(\ell \,\|\, C_g) \bmod q$ and $\circ$ denotes component-wise multiplication of two vectors, and a $\mathrm{PolyCommit}_{\mathrm{Ped}}$ commitment $D = D_\pi\, (h^\alpha)^{\gamma_1} h^{\gamma_0}$, plus witnesses $W_{j1}, \ldots, W_{jT}$ to prove that $D_1, \ldots, D_T$ open to $(\vec\rho_j \circ \vec p_i - \vec\varrho_j) \cdot \langle c_1, \ldots, c_r \rangle$ at $x = I_j$, and a witness $W$ to prove that $D$ opens to $0$ at $x = 0$. (For an honest choice of $\vec g$, the polynomial committed to in $D_\pi$ has constant term $\sum_\ell c_\ell\,(\delta_{\ell\beta}\, p_{\pi\ell} - g_\ell(0)) = c_\beta\, p_{\pi\beta} - c_\beta\, p_{\pi\beta} = 0$; the hash-derived weights $c_\ell$, fixed only after $C_g$ is committed, prevent a dishonest user from cancelling a wrong price in one component against an error in another.) Finally, the user constructs a ZKP of knowledge of $(x_1, \ldots, x_T)$ and $(\gamma_1, \gamma_0)$ such that $D = D_1^{x_1} \cdots D_T^{x_T} (h^\alpha)^{\gamma_1} h^{\gamma_0}$ and $\mathrm{wallet}$ encodes attributes $x_1, \ldots, x_T$. This latter proof of knowledge is denoted by $\Pi_D$. The user then includes the additional tuple of values $(\vec\varrho_j, C_g, W_j, D_1, \ldots, D_T, D, W_{j1}, \ldots, W_{jT}, W, \Pi_D)$ as part of his query to server $I_j$. Before issuing signature shares $\sigma_j$ in the PSPIR protocol, each server $I_j$ does the following. It checks whether $\vec\varrho_j \cdot \vec a$ is an evaluation of the polynomial committed to in $C_g$ using $W_j$. Next, it computes $\vec c$ as above, and uses this vector to compute the $T$ dot products $(\vec\rho_j \circ \vec p_i - \vec\varrho_j) \cdot \vec c$ for $1 \le i \le T$. It then checks that these dot products are valid evaluations of $D_1, \ldots, D_T$ using witnesses $W_{j1}, \ldots, W_{jT}$, respectively. Finally, it verifies the ZKP $\Pi_D$ and ensures that $D$ opens to $0$ at $x = 0$ using $W$. If any verification fails, it aborts; otherwise, it appends $C_g \,\|\, D_1 \,\|\, \cdots \,\|\, D_T$ to the message used for the signature $\sigma$, which ensures that all servers see consistent commitments at this step. This proves that $\vec\varrho_j$ is a vector of shares of $\langle 0, \ldots, p_{\pi\beta}, \ldots, 0 \rangle$ and that the shares are consistent among all servers. Upon receiving notification from the bank that the transaction has succeeded, the servers accumulate $\vec\varrho_j$ into $\vec d_j$ by computing $\vec d_j = \vec d_j + \lambda_{Q,j}\, \vec\varrho_j$.

⁶ If one or more servers in $Q$ is offline when the query succeeds, the remaining servers can still complete this step as long as $t + 1$ or more servers from $Q$ are still online. To do this, the bank just notifies each server of the largest subset $Q' \subseteq Q$ of online servers, and each server replaces $\lambda_{Q,j}$ with $\lambda_{Q',j}$ in the computation.

Bookkeeping frequency. Bookkeeping necessarily leaks some information about user queries. In the extreme case, where only a single user queries the database between bookkeeping operations, bookkeeping may completely reveal that user's query. At the other end of the spectrum, when every record is accessed hundreds or thousands of times between bookkeeping operations, the information leakage is minimal and likely not at all invasive to any user's privacy.
However, prolonging the period between bookkeeping operations limits their usefulness in the case of top-K replication, and may be economically unacceptable in the case of multiple-payee PSPIR. Thus, a great deal of discretion is necessary on the part of the database servers in determining how often to run the bookkeeping protocols. For databases with consistently high usage, a simple bookkeeping schedule such as once per week or once per month may suffice, whereas databases with lower usage may need to wait until the servers have answered some threshold number of queries. In general, the bookkeeping policy is highly dependent both on the characteristics of the database and on the business logic of its operators. We leave an in-depth investigation of this privacy-utility tradeoff as an important area for future work.

5. IMPLEMENTATION & EVALUATION

We implemented the protocols described in this paper using Ben Lynn's Pairing-Based Cryptography (PBC) library [39] with Aniket Kate's PBCWrapper package [43] for C++ wrapper classes, Victor Shoup's NTL [54] with the GNU Multi-Precision Arithmetic Library [29] for multi-precision arithmetic, and OpenSSL [48] for hash functions (we use SHA-256). All experiments use a value of $\kappa = 40$ for the soundness parameter. Our PSPIR implementation is built atop Ian Goldberg's implementation of his PIR protocols, Percy++ [32]. For our evaluation, we implemented the protocol as a standalone add-on to Percy++, but we will later integrate it with the Percy++ library. We used the BigInteger-based version of Martin Burkhart's SEPIA library [13] and his PPTK protocol [14] for our top-K replication benchmarks. All measurements were taken in Ubuntu Linux LTS running on a machine with dual Intel Xeon E-series CPUs and 32 GB of memory. The value of $q$ (the order of the pairing groups and the modulus for the polynomial operations) was 160 bits long.

[Figure 1 (plot): Compute time (s) against Database size (GB) for three series: Percy++ with PSPIR ($w = 160$), Percy++ only ($w = 160$), and Percy++ only ($w = 8$).]

Figure 1: Query execution time for Percy++ with and without PSPIR ($k = 4$, $t = 2$). The percent compute time attributable to the PSPIR enhancements decreases monotonically from 87% for a 1 GB database down to 36% for a 44 GB database. Percy++ starts carrying the extra overhead of disk reads after a 28 GB database, which exceeds available RAM. The $w = 8$ plot shows the execution time for Percy++ using its performance-optimal parameter choices, whereas the $w = 160$ plot shows Percy++ with the parameters needed to ensure the security of PSPIR. The "Percy++ with PSPIR" plot shows the combined cost of Percy++ with $w = 160$ and the PSPIR enhancements. Error bars are plotted for all data points, but are small and may therefore be difficult to see.

5.1 Experiments

We measured the performance of the PSPIR and top-K replication protocols for various values of the PIR parameters $n$ (the size of the database), $b$ (the size of each record in the database), $k$ (the number of servers participating in each query), and $t$ (the number of servers that can collude without affecting query privacy). Our first experiment measures the computational overhead added to Percy++ by the PSPIR enhancements. We generated databases of sizes ranging from 1 GB to 44 GB containing random data, and took measurements for both Percy++ and Percy++ with PSPIR. We set $k = 4$, $t = 2$, and $b = \sqrt{160n}$, which is the communication-optimal record size for this PIR scheme (with $w = 160$-bit words and $r = n/b$ records, each server receives a query of $rw = 160n/b$ bits and returns a response of $b$ bits, and the two are balanced when $b^2 = 160n$). Figure 1 shows the plots of the measurements for Percy++ with and without PSPIR. We observe that PSPIR results in a moderate increase in compute times, with the percent compute time attributable to the PSPIR enhancements decreasing monotonically from about 87% for a 1 GB database down to just 36% for a 44 GB database. The upward bump just before 30 GB marks the point after which the database no longer fits in available memory.
From that point on, every query bears more overhead from disk reads. In terms of communication overhead, PSPIR increases Percy++'s query size, which is itself just $k$ times the size of the retrieved record, by a multiplicative factor of about 5. However, it increases each server's response by only 46 bytes, which corresponds to two $G_1$ elements (BLS signature shares). We observe, however, that the use of 160-bit words in the database to guarantee security for the commitments used in PSPIR slightly degrades Percy++'s performance from its optimal setting of 8-bit words. Our original experiments indicated a multiple-fold decrease in Percy++'s performance for $w = 160$ (the exact factor depending on the size of the database); however, with some careful optimizations in the Percy++ code, we managed to decrease this performance hit to the moderate levels observed in Figure 1.

Our next experiment evaluates the impact of top-K replication; i.e., it studies the performance gains for the users when all queries for the $K$ most popular records go to the smaller replicated database. In this experiment, we assume that the top-$K$ records are physically replicated to a second set of database servers, thus increasing the maximum database size for which both the top-K and non-top-K records fit in physical memory. Alternatively, the database servers could simply publish a list of indices for the top-$K$ records and allow users to perform PIR on just this subset of the database; this would result in identical performance when the entire database fits in physical memory and somewhat lower performance otherwise. All trials of the top-K experiment used a query distribution that we generated at random using a bounded Pareto distribution that satisfies the 80/20 rule; i.e., about 80% of queries are for just 20% of the database records, with the number of queries per record bounded between 0 and 10,000. As such, we use $K = r/5$.
We chose an 80/20 distribution because such distributions are commonly observed in the wild, but we emphasize that the actual performance gains that a database can expect from top-K replication are highly dependent on the underlying query distribution. Figure 2 plots the mean query execution time for top-K and non-top-K queries, as well as the average (amortized) cost per query when 80% of queries are top-K queries and 20% are not. Note that the average query execution time is well below that of Percy++ without PSPIR functionality (cf. Figure 1).

We also measured the cost to the servers of actually computing the top-K using the SEPIA library. We found that using 160-bit secret shares results in poor performance compared to the benchmarks presented by Burkhart et al. [15]. Fortunately, in our case we can assert that all shared secrets are much smaller than $q/2$, which enables us to eliminate two-thirds of the computation in the bottleneck less-than computation. Furthermore, about 86% of the remaining computation time is spent generating random bit-wise secret shares modulo $q$. These random shares can be precomputed between top-K computations, resulting in a respectable 57 less-than operations per second in our tests. This still leads to significant computation times to isolate the top-K using Burkhart et al.'s PPTK algorithm [14] when the database size is large; thus, we further optimize the algorithm by relaxing PPTK to a "top-K-ish" algorithm. This reduces computation times quite significantly. For example, with a 1 GB database ($r = 7328$ records) and a bounded 80/20 Pareto distribution, our modified PPTK takes an average of about 9700 comparisons (about 2.8 minutes) to find the top 19–21% of records, whereas standard PPTK takes about 4.2 minutes; for a 20 GB database our relaxed PPTK takes about 11.0 minutes versus about 40.2 minutes for standard PPTK, and for a 44 GB database about 14.2 minutes for our relaxed PPTK versus about 57.7 minutes for standard PPTK. Moreover, a large fraction of trials with standard PPTK had no solution (i.e., no unique top-K) and the algorithm therefore returned only the top-K-ish anyhow. Note that we generated our test sets using a bounded 80/20 Pareto distribution and then used the CDF of this distribution as an initial guess in the PPTK algorithm. In practice, such an accurate guess will typically not be available and the actual number of comparisons will be greater than our predictions. Nonetheless, we feel confident in concluding that even for large databases with imperfect knowledge of the underlying query distribution, the cost of computing the top-K will be quite reasonable.

6. RELATED WORK

The related bodies of work are symmetric private information retrieval (SPIR), oblivious transfer (OT), OT with access control (OTAC), and priced OT (POT). OT schemes allow a database $X$ consisting of two records and a user holding an index $i \in \{0, 1\}$ to run a protocol that results in the user learning the $i$th record and no information about the $(1 - i)$th record, while the database learns nothing about $i$. Unlike PIR and SPIR, however, OT schemes have no sublinear communication requirements. Brassard et al. [12] considered the more general notion of 1-out-of-$n$ OT, where the database holds $n$ records and the user learns the record at index $i$, and learns nothing about the remaining $n - 1$ records [49]; the database still learns nothing about $i$. SPIR schemes [31] address the honest-user assumption of PIR by additionally preserving database privacy, so that dishonest users cannot learn any information about other database records beyond the record retrieved. All existing communication-efficient 1-out-of-$n$ OT schemes are essentially single-server SPIR, whereas all existing communication-efficient distributed (i.e., two or more servers) 1-out-of-$n$ OT schemes [31] are essentially multi-server SPIR.
The first work on preserving database privacy against dishonest users in a multi-server PIR setting was by Gertner et al. [31]. They propose a single-round $\ell$-server SPIR scheme with communication complexity $O(\log n \cdot n^{1/(2\ell - 1)})$ for $\ell \ge 2$ and an $O(\log n)$-server scheme with communication complexity $O(\log^2 n \log\log n)$. Kushilevitz and Ostrovsky [42] briefly discuss how to convert their single-server PIR into SPIR using general zero-knowledge proof techniques; however, they propose no concrete constructions. No existing SPIR scheme simultaneously provides support for both access control and tiered pricing.

Several OTAC schemes [17, 23, 56] were recently proposed. As with our approach, these schemes typically consist of three parties: user, database, and issuer. The issuer provides users needing access to the database with credentials encoding the access rights of users as an attribute set. The database encrypts its content under an access policy specific to each record and makes the encrypted contents available to users for download. A user with a valid credential can run the OTAC protocol with the database to obtain a decryption key for a particular record. After the protocol, the database learns that a user with a valid credential has obtained a key, but learns nothing about the user's credential or the decryption key issued. Users download the entire encrypted database and use the key obtained to decrypt the desired record. Zhang et al. [56] used attribute-based encryption to specify record-level access policies in disjunctive form without requiring duplication of database records. However, these schemes do not consider an economic model where users pay for each record, and their high communication overhead makes them considerably more costly than SPIR.

POT schemes [1, 18] were originally introduced by Aiello et al. [1] to explore the difference between physical goods, which require close monitoring of inventory level, and digital goods, which are essentially of unlimited supply.
In their model, users first deposit some money with the database and then proceed to buy multiple digital goods from the database, such that the total price of purchased goods does not exceed the user's deposit/balance. The database does not learn which digital goods the user has purchased. However, since the database tracks the users' accounts, all queries by a single user are linkable; thus, the approach lacks the anonymity properties that we seek. This enables the database server to deduce the number of digital goods a particular user has purchased, the average price of those purchases, and the user's spending pattern [18]. Furthermore, the scheme provides no way for users to recharge their balance, which means that when a user's balance becomes lower than the price of any record, the remaining balance is rendered useless. Camenisch et al. [18] address these problems by encoding users' wallets in an anonymous credential so that the database is no longer required to maintain user-specific state information; as a result, user purchases become unlinkable. They also lay out an extension that makes use of a trusted third party to facilitate a fair purchase protocol; i.e., an optimistic fair exchange protocol to prevent the database server from cheating by not sending the correct decryption key (or wallet) to the user.

All of the above priced and access-control-capable OT and SPIR schemes lack some ingredients necessary for deployment in a practical setting. The foremost missing ingredient is the right combination of functionalities for access control, tiered pricing, support for multiple payees, sublinear communication complexity, and availability of practical implementations. The SPIR schemes [31, 42] provide no pricing or access control functions. OT schemes (i.e., 1-out-of-$n$) have prohibitively expensive communication costs and require a static encrypted database, which potentially breaks other applications using the same database.
In particular, existing OTAC schemes [17, 23, 56] do not provide pricing functions, while the POT schemes [1, 18], on the other hand, provide no access control functions. Note that one cannot simply adopt our approach of setting the price of a record higher than the maximum wallet balance, since all users in these schemes pay according to the same price list (and thus would automatically have the same access privileges). Moreover, no existing POT scheme supports multiple payees selling goods through a common database.

Much like our top-k replication strategy, a few research efforts have also focused on increasing the practicality of PIR by finding ways around PIR's linear computational requirements. Beimel et al. [5] propose preprocessing, which enables PIR servers to answer queries with only sublinear computation by precomputing and storing some extra information (the size of which is polynomial in the database size $n$). Ishai et al. [37] propose a different approach called batch coding that, while still requiring linear computation, enables the servers to process several PIR queries by the same user simultaneously, thus providing an amortized cost per query that is strictly smaller than $n$. Nearest to our own work, Olumofin and Goldberg [46] recently proposed an approach to indexing and partitioning large databases into highly diverse bucket portions that users can query independently. This approach makes querying such large databases with PIR practical, and simplifies the tradeoff between privacy and runtime; however, it does not include any way for the database servers to dynamically learn about and exploit the relative popularities of individual records to improve performance, as does the top-k approach taken in this work.

[Figure 2 plot: "Impact of Top-K Replication"; x-axis: Database size (GB); y-axis: Compute time (s); series: Non-Top-K query, Average query, Top-K query.]

Figure 2: Query execution time for Percy++ with PSPIR and top-k replication ($k = 4$, $t = 2$, $K = r/5$). Queries follow a bounded Pareto distribution that satisfies the 80/20 rule; thus, 80% of queries are for the top-$K$ entries and 20% are for the remaining $r - K$ entries (labelled Non-Top-K on the plot). The average query cost for the top-k replicated database ranges from just 51% that of an equivalent non-replicated database for a 1 GB database down to 36% for a 44 GB database. Error bars are plotted for all data points, but are small and may therefore be difficult to see.

7. CONCLUSION

We have extended Goldberg's multi-server information-theoretic PIR with a suite of protocols for privacy-preserving e-commerce. Our protocols add support for tiered pricing with multiple payees, group-based access control lists with record-level granularity, and dynamic top-k replication, while preserving the sublinear communication complexity of PIR; no other scheme for priced retrieval using PIR or OT supports tiered pricing, multiple payees, access control, or dynamic replication. We have implemented the single-payee variant of our PSPIR protocol atop Percy++, an open-source implementation of Goldberg's PIR scheme, and evaluated its performance empirically. We also evaluated the cost and impact of top-k replication. Our measurements indicate that this combination of protocols results in performance that is acceptable for deployment in real-world e-commerce applications. Furthermore, the extensive functionality of our protocols, SPIR's sublinear communication costs, and the ability to operate on an unencrypted database make our approach more practical than competing OT-based approaches. For future work, we intend to optimize our implementation and add full support for multiple payees (which we do not expect to significantly alter the runtime), and to incorporate our protocols into Percy++.

Acknowledgements. We are extremely thankful to Martin Burkhart for his assistance with SEPIA.
This research is supported by NSERC, OGS, MITACS and a Cheriton Graduate Scholarship.

REFERENCES

[1] W. Aiello, Y. Ishai, and O. Reingold. Priced Oblivious Transfer: How to Sell Digital Goods. In Proceedings of EUROCRYPT 2001, Innsbruck, Austria, May.
[2] D. Asonov. Querying Databases Privately: A New Approach To Private Information Retrieval, volume 3128 of LNCS. Springer.
[3] M. H. Au, W. Susilo, and Y. Mu. Constant-Size Dynamic k-TAA. In Proceedings of SCN 2006, Maiori, Italy, September.
[4] J. Bar-Ilan and D. Beaver. Non-Cryptographic Fault-Tolerant Computing in Constant Number of Rounds of Interaction. In Proceedings of PODC 1989, Edmonton, AB, August.
[5] A. Beimel, Y. Ishai, and T. Malkin. Reducing the Servers' Computation in Private Information Retrieval: PIR with Preprocessing. In Proceedings of CRYPTO 2000, Santa Barbara, CA, August.
[6] M. Bellare, J. A. Garay, and T. Rabin. Batch Verification with Applications to Cryptography and Checking. In Proceedings of LATIN 1998, Campinas, Brazil, April.
[7] M. Bellare, J. A. Garay, and T. Rabin. Fast Batch Verification for Modular Exponentiation and Digital Signatures. In Proceedings of EUROCRYPT 1998, Espoo, Finland, May.
[8] D. Boneh, B. Lynn, and H. Shacham. Short Signatures from the Weil Pairing. Journal of Cryptology, 17(4), January.
[9] F. Boudot. Efficient Proofs that a Committed Number Lies in an Interval. In Proceedings of EUROCRYPT 2000, Bruges, Belgium, May.
[10] S. Brands. Restrictive Blinding of Secret-Key Certificates. In Proceedings of EUROCRYPT 1995, Saint-Malo, France, May.
[11] S. A. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press.
[12] G. Brassard, C. Crépeau, and J.-M. Robert. All-or-Nothing Disclosure of Secrets. In Proceedings of CRYPTO 1986, Santa Barbara, CA.
[13] M. Burkhart. SEPIA: Security through Private Information Aggregation. Version.
[14] M. Burkhart and X. Dimitropoulos. Fast Privacy-Preserving Top-k Queries using Secret Sharing. In Proceedings of ICCCN 2010, Zurich, Switzerland, August.
[15] M. Burkhart, M. Strasser, D. Many, and X. A. Dimitropoulos. SEPIA: Privacy-Preserving Aggregation of Multi-Domain Network Events and Statistics. In Proceedings of USENIX Security 2010, Washington, DC, August.
[16] J. Camenisch. Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. PhD thesis, ETH Zurich. Reprint as vol. 2 of ETH Series in Information Security and Cryptography, Hartung-Gorre Verlag, Konstanz.
[17] J. Camenisch, M. Dubovitskaya, and G. Neven. Oblivious Transfer with Access Control. In Proceedings of ACM CCS 2009, Chicago, IL, November.
[18] J. Camenisch, M. Dubovitskaya, and G. Neven. Unlinkable Priced Oblivious Transfer with Rechargeable Wallets. In Proceedings of FC 2010, Tenerife, Canary Islands, January.
[19] J. Camenisch, M. Dubovitskaya, G. Neven, and G. M. Zaverucha. Oblivious Transfer with Hidden Access Control Lists. In Proceedings of PKC 2011, Taormina, Italy, March.
[20] J. Camenisch and M. Michels. Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. In Proceedings of EUROCRYPT 1999, Prague, Czech Republic, May.
[21] B. Chor, N. Gilboa, and M. Naor. Private Information Retrieval by Keywords. Cryptology ePrint Archive, Report 1998/003.
[22] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan. Private Information Retrieval. In Proceedings of FOCS 1995, Milwaukee, WI, October.
[23] S. E. Coull, M. Green, and S. Hohenberger. Controlling Access to an Oblivious Database Using Stateful Anonymous Credentials. In Proceedings of PKC 2009, Irvine, CA, March.
[24] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Proceedings of CRYPTO 1994, Santa Barbara, CA, August.
[25] I. Damgård, M. Fitzi, E. Kiltz, J. B. Nielsen, and T. Toft. Unconditionally Secure Constant-Rounds Multi-party Computation for Equality, Comparison, Bits and Exponentiation. In Proceedings of TCC 2006, New York, NY, March.
[26] B. Doe. The Kindle in Australia, October.
[27] P. Feldman. A Practical Scheme for Non-interactive Verifiable Secret Sharing. In Proceedings of FOCS 1987, Los Angeles, CA, October.
[28] A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Proceedings of CRYPTO 1986, Santa Barbara, CA.
[29] Free Software Foundation. The GNU Multiple Precision (GMP) Arithmetic Library. Version.
[30] Y. Gertner, S. Goldwasser, and T. Malkin. A Random Server Model for Private Information Retrieval. In Proceedings of RANDOM 1998, Barcelona, Spain, October.
[31] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin. Protecting Data Privacy in Private Information Retrieval Schemes. In Proceedings of STOC 1998, Dallas, TX, May.
[32] I. Goldberg. Percy++ / PIR in C++. Version.
[33] I. Goldberg. Improving the Robustness of Private Information Retrieval. In Proceedings of IEEE S&P 2007, Oakland, CA, May.
[34] S. Guha, B. Cheng, and P. Francis. Privad: Practical Privacy in Online Advertising. In Proceedings of NSDI 2011, Boston, MA, March.
[35] V. Guruswami and M. Sudan. Improved Decoding of Reed-Solomon and Algebraic-Geometric Codes. In Proceedings of FOCS 1998, Palo Alto, CA, November.
[36] R. Henry, F. Olumofin, and I. Goldberg. Practical PIR for Electronic Commerce. Tech. Report CACR, University of Waterloo.
[37] Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai. Batch Codes and Their Applications. In Proceedings of STOC 2004, Chicago, IL, June.
[38] A. Juels. Targeted Advertising... And Privacy Too. In CT-RSA, San Francisco, CA, April.
[39] A. Kate. PBCWrapper: C++ Wrapper Classes for the Pairing-Based Cryptography Library. Version.
[40] A. Kate, G. M. Zaverucha, and I. Goldberg. Constant-Size Commitments to Polynomials and Their Applications. In Proceedings of ASIACRYPT 2010, Singapore, December.
[41] A. Kate, G. M. Zaverucha, and I. Goldberg. Polynomial Commitments. Tech. Report CACR, University of Waterloo.
[42] E. Kushilevitz and R. Ostrovsky. Replication Is Not Needed: Single Database, Computationally-Private Information Retrieval. In Proceedings of FOCS 1997, Miami Beach, FL, October.
[43] B. Lynn. PBC Library: The Pairing-Based Cryptography Library. Version.
[44] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press.
[45] T. Nishide and K. Ohta. Constant-Round Multiparty Computation for Interval Test, Equality Test, and Comparison. IEICE Transactions, 90-A(5).
[46] F. Olumofin and I. Goldberg. Preserving Access Privacy Over Large Databases. Tech. Report CACR, University of Waterloo.
[47] F. G. Olumofin and I. Goldberg. Privacy-Preserving Queries over Relational Databases. In Privacy Enhancing Technologies, Berlin, Germany, July.
[48] OpenSSL Project. OpenSSL: The Open Source toolkit for SSL/TLS. Version.
[49] R. Ostrovsky and W. E. Skeith III. A Survey of Single-Database Private Information Retrieval: Techniques and Applications. In Proceedings of PKC 2007, Beijing, China, April.
[50] T. P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Proceedings of CRYPTO 1991, Santa Barbara, CA, August.
[51] K. Peng, C. Boyd, and E. Dawson. Batch Zero-Knowledge Proof and Verification and Its Applications. ACM Transactions on Information and System Security (TISSEC), 10(2), May. Article No. 2.
[52] C.-P. Schnorr. Efficient Identification and Signatures for Smart Cards. In Proceedings of CRYPTO 1989, Santa Barbara, CA, August.
[53] A. Shamir. How to Share a Secret. Communications of the ACM, 22(11), November.
[54] V. Shoup. NTL: A Library for doing Number Theory. Version.
[55] V. Toubiana, H. Nissenbaum, A. Narayanan, S. Barocas, and D. Boneh. Adnostic: Privacy Preserving Targeted Advertising. In Proceedings of NDSS 2010, San Diego, CA, February.
[56] Y. Zhang, M. H. Au, D. S. Wong, Q. Huang, N. Mamoulis, D. W. Cheung, and S.-M. Yiu. Oblivious Transfer with Access Control: Realizing Disjunction without Duplication. In Proceedings of Pairing 2010, Yamanaka Hot Spring, Japan, December.

APPENDIX

A. PROOF OF THEOREM 2

Theorem 5. Let $f = \langle f_1, \ldots, f_r \rangle \in (\mathbb{Z}_q)^r$ and let $a = \langle a_1, \ldots, a_r \rangle$ where $a_i \in_R \{0, \ldots, 2^\kappa - 1\}$ for $1 \le i \le r$. Define $f_a = f \cdot a \bmod q$. Then

$\Pr[f_a = a_j \text{ for some } 1 \le j \le r] = 1$ if $f$ is a standard basis vector, and (3)

$\Pr[f_a = a_j \text{ for some } 1 \le j \le r] \le r/2^\kappa$ otherwise. (4)

Proof. We first prove (3). Suppose that $f$ is the $j$-th standard basis vector of $(\mathbb{Z}_q)^r$; i.e., $f$ is the length-$r$ vector with 1 in the $j$-th coordinate and 0 elsewhere. Then

$f_a = \langle 0, \ldots, 0, 1, 0, \ldots, 0 \rangle \cdot \langle a_1, \ldots, a_j, \ldots, a_r \rangle = a_j.$

This establishes (3). To prove (4), we consider the following three cases.

Case 1: $f$ is the zero vector. In this case, $f_a = 0$. Since each $a_i$ is chosen uniformly at random from $\{0, \ldots, 2^\kappa - 1\}$, it follows, for a fixed choice of $i$, that $\Pr[a_i = 0]$ is $1/2^\kappa$; furthermore, since each choice is independent, $\Pr[a_i = 0 \text{ for some } 1 \le i \le r]$ is at most $r/2^\kappa$.

Case 2: $f$ has one nonzero entry, which is not equal to 1. Suppose the $j$-th entry of $f$ is $z$ (where $1 < z < 2^\kappa$). Then,

$f_a(0) = \langle 0, \ldots, 0, z, 0, \ldots, 0 \rangle \cdot \langle a_1, \ldots, a_j, \ldots, a_r \rangle = z\, a_j \bmod q.$

If $a_j = 0$, then $f_a(0) = z\, a_j = a_j$; this happens with probability $1/2^\kappa$, since $a_j$ is chosen uniformly at random from $\{0, \ldots, 2^\kappa - 1\}$. Otherwise, if $a_j \ne 0$, then $f_a(0) = z\, a_j \ne a_j$. We now consider the case where $f_a(0) = a_i$ for some $i \ne j$. Since each $a_i$ is chosen uniformly at random from $\{0, \ldots, 2^\kappa - 1\}$, for a fixed choice of $i \ne j$, it follows that $\Pr[a_i = z\, a_j \bmod q]$ is at most $1/2^\kappa$; hence, $\Pr[a_i = z\, a_j \bmod q \text{ for some } 1 \le i \le r \text{ with } i \ne j]$ is at most $(r - 1)/2^\kappa$. Since these two cases are independent, we thus have that $\Pr[f_a(0) = a_i \text{ for some } 1 \le i \le r]$ is at most $r/2^\kappa$.

Case 3: $f$ has two or more nonzero entries. For $1 \le k \le r$, define the weighted sum $A_k = \sum_{i \ne k} f_i(0)\, a_i$, so that $f_a(0) = A_k + f_k(0)\, a_k$. Choose $j$ such that $1 \le j \le r$ and $f_j(0) \ne 0$; then $f_a(0) = a_i$ if and only if $a_i = A_j + f_j(0)\, a_j$. If $a_j = 0$, then $f_a(0) = a_i$ is thus equivalent to $A_j = a_i$; on the other hand, if $a_j \ne 0$, then $f_a(0) = a_i$ is equivalent to $a_j = (a_i - A_j)/f_j(0)$. In both instances, the probability of such an event is at most $1/2^\kappa$; thus, $\Pr[f_a(0) = a_i \text{ for some } 1 \le i \le r]$ is at most $r/2^\kappa$.

This completes the proof of (4). Note that the inequality $\Pr[f_a(0) = a_j \text{ for some } 1 \le j \le r] \le r/2^\kappa$ when $f$ is neither a standard basis vector nor the zero vector is strict if and only if $q = 2^\kappa$.

Corollary 1 (Correctness and Soundness). Proof that a vector of commitments opens to a standard basis vector, as described in Section 3.5.2, is correct and is sound with overwhelming probability (in the soundness parameter $\kappa$).

B. PROOF OF THEOREM 3

Theorem 6. Let $f = \langle f_1, \ldots, f_r \rangle \in (\mathbb{Z}_q[x])^r$ and $\rho = \langle \rho_1, \ldots, \rho_r \rangle \in (\mathbb{Z}_q)^r$ be given. Choose $a = \langle a_1, \ldots, a_r \rangle$ where $a_i \in_R \{0, \ldots, 2^\kappa - 1\}$ for $1 \le i \le r$. If $C = \langle C_1, \ldots, C_r \rangle$ is a component-wise vector of $\mathrm{PolyCommit}_{DL}$ polynomial commitments to the polynomials in $f$, $w = \langle w_1, \ldots, w_r \rangle$ is a component-wise vector of witnesses to the evaluation of these polynomials at $x = x_0$, and $P = \sum_{i=1}^{r} a_i \rho_i \bmod q$, then

$\Pr\left[ e\left(\prod_{i=1}^{r} C_i^{a_i}, \hat{g}\right) = e\left(\prod_{i=1}^{r} w_i^{a_i}, \hat{g}^{\alpha}/\hat{g}^{x_0}\right) e(g, \hat{g})^{P} \right] = 1$ (5)

if $f_i(x_0) = \rho_i$ for all $1 \le i \le r$, and

$\Pr\left[ e\left(\prod_{i=1}^{r} C_i^{a_i}, \hat{g}\right) = e\left(\prod_{i=1}^{r} w_i^{a_i}, \hat{g}^{\alpha}/\hat{g}^{x_0}\right) e(g, \hat{g})^{P} \right] \le 1/2^\kappa$ (6)

otherwise.

Proof. We first prove (5). This follows immediately from the correctness of $\mathrm{PolyCommit}_{DL}$ polynomial commitments and the basic properties of bilinear pairings; i.e., we can rewrite $e\left(\prod_{i=1}^{r} C_i^{a_i}, \hat{g}\right) = \prod_{i=1}^{r} e(C_i, \hat{g})^{a_i}$

and $e\left(\prod_{i=1}^{r} w_i^{a_i}, \hat{g}^{\alpha}/\hat{g}^{x_0}\right) e(g, \hat{g})^{P} = \prod_{i=1}^{r} \left[ e(w_i, \hat{g}^{\alpha}/\hat{g}^{x_0})\, e(g, \hat{g})^{\rho_i} \right]^{a_i}$. If $f_i(x_0) = \rho_i$ for all $1 \le i \le r$, then $e(C_i, \hat{g}) = e(w_i, \hat{g}^{\alpha}/\hat{g}^{x_0})\, e(g, \hat{g})^{\rho_i}$ for all $1 \le i \le r$, and therefore $e(C_i, \hat{g})^{a_i} = \left[ e(w_i, \hat{g}^{\alpha}/\hat{g}^{x_0})\, e(g, \hat{g})^{\rho_i} \right]^{a_i}$ for all $1 \le i \le r$, and these two products are equal. This completes the proof of (5).

To prove (6), write $g_i = e(C_i, \hat{g})$ and $h_i = e(w_i, \hat{g}^{\alpha}/\hat{g}^{x_0})\, e(g, \hat{g})^{\rho_i}$, so that $e\left(\prod_{i=1}^{r} C_i^{a_i}, \hat{g}\right) = \prod_{i=1}^{r} g_i^{a_i}$ and $e\left(\prod_{i=1}^{r} w_i^{a_i}, \hat{g}^{\alpha}/\hat{g}^{x_0}\right) e(g, \hat{g})^{P} = \prod_{i=1}^{r} h_i^{a_i}$, and suppose, without loss of generality, that $f_j(x_0) \ne \rho_j$. Then, by [51, Theorem 1], it follows that $\prod_{i=1}^{r} g_i^{a_i} = \prod_{i=1}^{r} h_i^{a_i}$ with probability at most $1/2^\kappa$.

Corollary 2 (Correctness and Soundness). Batch verification of evaluations of polynomial commitments at a common point, as described in Section 3.5.3, is correct and is sound with overwhelming probability (in the soundness parameter $\kappa$).

C. PROOF OF THEOREM 4

Consider the Symmetric PIR construction proposed in Section 4. Let $L$ be the set of database servers, let $K \subseteq L$ be the size-$k$ or larger set of database servers involved in a user's query for block $\beta$, and let $T \subseteq K$ be the largest subset of colluding servers in $K$.

Lemma 1 (Unconditional query privacy). If $|T| < t$, then the query index $\beta$ is information-theoretically hidden.

Proof. This follows from the information-theoretic security of $(t + 1)$-out-of-$\ell$ Shamir secret sharing when fewer than $t + 1$ shares are revealed [53], and the information-theoretic hiding of $\mathrm{PolyCommit}_{DL}$ polynomial commitments for polynomials of degree $t$ when fewer than $t$ evaluations are revealed [40].

Lemma 2 (Computational query privacy). If $|T| = t$, then the query index $\beta$ is computationally hidden under the DL assumption.

Proof. This follows from Lemma 1 and the computational hiding (under the DL assumption) of $\mathrm{PolyCommit}_{DL}$ polynomial commitments for polynomials of degree $t$ when up to $t$ evaluations are revealed [40].

Lemma 3 (Database privacy). Let $U$ be a set of colluding users that makes a total of $m$ queries to the database.
Then, with overwhelming probability (in the soundness parameter $\kappa$), the users in $U$ learn about at most $m$ different database records from these $m$ queries (under the $t$-SDH assumption).

Sketch. Users recover database records from a query response via Lagrange interpolation at a specified $x$-coordinate, typically $x = 0$, to recover a point on a polynomial. (The $y$-coordinate of this point is one word of the record.) Theorem 5 implies that interpolating at the point $x = 0$ reveals information about only a single record, with overwhelming probability in the soundness parameter. We consider two additional cases:

Case 1: A query response is interpolated at $x_0 \ne 0$. For simplicity, we examine the special case in which the user's chosen polynomials pass through a standard basis vector at $x_0$, thus potentially allowing the client to retrieve a second database record from his query. We remark that our argument naturally generalizes to address cases in which the polynomials pass through some other vector at $x_0$ and would instead yield some other linear function of two or more records. In this case, the pseudorandom ephemeral database record and pseudorandom polynomial added to the query by each database server hides the record. In particular, upon interpolating at $x_0$, the client receives the result $r_g(x_0) + y_0$, where $y_0$ is the record of interest and $r_g(x_0)$ is random (and unknown to the user). To recover $y_0$ from this result, the user may attempt to learn $r_g(x)$ by using a priori knowledge to recover sufficiently many points on this polynomial to interpolate. However, this is impossible, since the degree of the polynomial commitments is limited to $t$ under the $t$-SDH assumption [40] (i.e., by the $\mathrm{PolyCommit}_{DL}$ public key), and the user can therefore specify at most $t$ other known points on each polynomial, which yields at most $t$ known points on $r_g(x)$ and is therefore insufficient to interpolate.

Case 2: Two or more query responses are combined and interpolated at $x_0$. By the same argument as Case 1, the user is unable to interpolate to yield the pseudorandom polynomials $r_g(x)$. Clearly the user cannot interpolate at $x_0 = 0$ to yield information about another record. Moreover, the $r_g(x)$ added to each other share is random and independently chosen, thus implying that the result yielded by interpolating at $x_0 \ne 0$ is random as well. In particular, to recover a new record from this result the user would be required to solve a system of $m$ equations in at least $m + 1$ unknowns (i.e., the random factors and at least one unknown record), which is clearly impossible.

Corollary 3 (Symmetric PIR). The symmetric PIR construction proposed in Section 3.2 converts Goldberg's multi-server information-theoretic PIR into multi-server SPIR. Query privacy is provided information-theoretically against up to $t - 1$, and computationally against $t$ (under the DL assumption), colluding servers; the database's privacy is protected computationally (under the $t$-SDH assumption).
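The two cases of Lemma 3 are easiest to see on a toy instance, so the following Python script (an added example, not code from the paper or from Percy++) simulates the query mechanics of Appendix C over a constructed prime field: an honest Shamir-shared basis-vector query, the dishonest query of Case 1 whose polynomials pass through a second basis vector at $x_0 \ne 0$, and the effect of the servers' additive random polynomial $r_g(x)$ on that second interpolation point. The blinding is a deliberate simplification: one random polynomial $g$ with $g(0) = 0$ is assumed to be shared by all servers, whereas the paper's construction uses a pseudorandom ephemeral record and polynomial per server; the field modulus, record values, server indices and the names `honest_query`, `two_record_query`, `blinding_poly`, `run_query` and `demo` are all constructed here and are not the paper's.

```python
import random

# Constructed parameters for this toy: a 61-bit Mersenne prime as the field Z_q.
# Records are single field elements; a real Percy++ block is many words, each handled alike.
Q = (1 << 61) - 1


def poly_eval(coeffs, x):
    """Evaluate a polynomial given as [c_0, c_1, ...] (c_d multiplies x^d) at x, mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def lagrange_at(points, x0):
    """Interpolate the polynomial through points [(x, y), ...] and evaluate it at x0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def honest_query(beta, r, t, rng):
    """Honest PIR query: f_i of degree <= t with f_i(0) = delta_{i,beta} (Shamir shares of e_beta)."""
    return [[1 if i == beta else 0] + [rng.randrange(Q) for _ in range(t)] for i in range(r)]


def two_record_query(beta, beta2, x0, r, t):
    """Dishonest query of Lemma 3, Case 1: f(0) = e_beta but f(x0) = e_beta2.

    f_i(x) = delta_{i,beta} + s_i * x with s_i = (delta_{i,beta2} - delta_{i,beta}) / x0.
    Every f_i has degree 1 <= t, so a degree bound alone does not reject it.
    """
    inv_x0 = pow(x0, -1, Q)
    polys = []
    for i in range(r):
        c0 = 1 if i == beta else 0
        c1 = ((1 if i == beta2 else 0) - c0) * inv_x0 % Q
        polys.append([c0, c1] + [0] * (t - 1))
    return polys


def blinding_poly(t, rng):
    """g(x) = c_1 x + ... + c_t x^t with g(0) = 0: toy stand-in (assumption) for the servers'
    pseudorandom polynomial r_g(x); here a single g is shared by all servers."""
    return [0] + [rng.randrange(1, Q) for _ in range(t)]


def server_response(records, shares, x_j, blind=None):
    """Server at index x_j answers R_j = sum_i rho_ij * D_i, plus g(x_j) when blinding is on."""
    resp = sum(rho * d for rho, d in zip(shares, records)) % Q
    if blind is not None:
        resp = (resp + poly_eval(blind, x_j)) % Q
    return resp


def run_query(records, polys, server_xs, blind=None):
    """Each server I_j receives the shares rho_ij = f_i(I_j) and returns (I_j, R_j)."""
    return [(xj, server_response(records, [poly_eval(f, xj) for f in polys], xj, blind))
            for xj in server_xs]


def demo(seed=7):
    rng = random.Random(seed)
    records = [11, 22, 33, 44]          # constructed one-word records D_1..D_4
    r, t, beta, beta2, x0 = 4, 2, 1, 3, 5
    servers = [1, 2, 3, 4, 5]           # server indices I_j; any t + 1 = 3 of them suffice
    honest = run_query(records, honest_query(beta, r, t, rng), servers)
    cheat = two_record_query(beta, beta2, x0, r, t)
    plain = run_query(records, cheat, servers)
    blinded = run_query(records, cheat, servers, blinding_poly(t, rng))
    return {
        "honest_at_0": lagrange_at(honest, 0),      # D_beta = 22
        "cheat_at_0": lagrange_at(plain, 0),        # D_beta = 22
        "cheat_at_x0": lagrange_at(plain, x0),      # D_beta2 = 44: a second record leaks
        "blinded_at_0": lagrange_at(blinded, 0),    # still D_beta = 22, since g(0) = 0
        "blinded_at_x0": lagrange_at(blinded, x0),  # 44 + g(x0): random to the client
    }


if __name__ == "__main__":
    print(demo())
```

Without blinding, the same five responses interpolate to $D_\beta$ at $x = 0$ and to $D_{\beta'}$ at $x_0$, which is exactly the double retrieval Case 1 rules out; with $g$ added, interpolation at $0$ is unaffected because $g(0) = 0$, while the value at $x_0$ is $D_{\beta'} + g(x_0)$, uniform in $\mathbb{Z}_q$ from the client's point of view. The script checks a degree bound only implicitly (the cheating polynomials have degree $1 \le t$); in the paper that bound is enforced by the $\mathrm{PolyCommit}_{DL}$ public key, which is why the argument in Case 1 rests on the $t$-SDH assumption rather than on a server-side check.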

D. SINGLE-PAYEE PSPIR PROTOCOL DIAGRAM

Two parties take part: the User (querying for block $\beta$) and Server $I_j$ (for each $1 \le j \le k$). Each phase lists the party's steps, followed by the message it sends.

Query generation phase (User):
$f \leftarrow \langle f_1, \ldots, f_r \rangle \in_R (\mathbb{Z}_q[x])^r$ s.t. $\deg(f_i) \le t$ and $f_i(0) = \delta_{i\beta}$
$\rho_j \leftarrow \langle \rho_{1j}, \ldots, \rho_{rj} \rangle \in (\mathbb{Z}_q)^r$ s.t. $\rho_{ij} = f_i(I_j)$
$C \leftarrow \langle C_1, \ldots, C_r \rangle \in (\mathbb{G}_1)^r$ s.t. $C_i = \mathrm{PolyCommit}_{DL}(f_i)$
$a \leftarrow \langle a_1, \ldots, a_r \rangle \in \{0, \ldots, 2^\kappa - 1\}^r$ s.t. $a_i \leftarrow \mathrm{hash}(C_1 \| \cdots \| C_i) \bmod 2^\kappa$
$C_a \leftarrow \mathrm{PolyCommit}_{DL}(f \cdot a)$
$w_j \leftarrow \mathrm{CreateWitness}(f \cdot a, I_j)$

Query proof phase (User):
$(\eta_1, \eta_2, \eta_3) \leftarrow (h^{\gamma_0}, h^{\gamma_1}, C_a^{\gamma_1})$ s.t. $\gamma_0, \gamma_1 \in_R \mathbb{Z}_q$
$C'_a \leftarrow C_a^{\gamma_0}$
$w \leftarrow \mathrm{CreateWitness}(f \cdot a, 0)^{\gamma_0}$
$Y \leftarrow e(C'_a, \hat{g}) / e(w, \hat{g}^{\alpha})$
$(D, D') \leftarrow (g_T^{a_\beta} h_T^{\gamma_2}, D^{\gamma_0})$ s.t. $\gamma_2 \in_R \mathbb{Z}_q$
$(\eta_4, \eta_5, \eta_6) \leftarrow (g_T^{\gamma_3} h_T^{\gamma_4}, D^{\gamma_1}, h_T^{\gamma_5})$ s.t. $\gamma_3, \gamma_4, \gamma_5 \in_R \mathbb{Z}_q$
$\zeta \leftarrow \mathrm{hash}(Y \| \eta_1 \| \cdots \| \eta_6) \bmod q$
$v_0 \leftarrow \gamma_1 - \gamma_0 \zeta \bmod q$
$v_1 \leftarrow a_\beta - \gamma_3 \zeta \bmod q$
$v_2 \leftarrow \gamma_2 - \gamma_4 \zeta \bmod q$
$v_3 \leftarrow \gamma_5 - \gamma_0 \gamma_2 \zeta \bmod q$
$(\mu_i, \nu_i) \leftarrow (h^{\omega_i + a_i c_i \gamma_0}, g_T^{\omega_i + a_\beta c_i \gamma_0})$ for $i \in [1, r] \setminus \{\beta\}$ s.t. $\omega_i \in_R \mathbb{Z}_q$ and $c_i \in_R \{0, \ldots, 2^\kappa - 1\}$
$(\mu_\beta, \nu_\beta) \leftarrow (h^{\omega_\beta}, g_T^{\omega_\beta})$ s.t. $\omega_\beta \in_R \mathbb{Z}_q$
$c \leftarrow \langle c_1, \ldots, c_r \rangle$ s.t. $c_\beta \leftarrow c - \sum_{i \ne \beta} c_i \bmod 2^\kappa$ and $c \leftarrow \mathrm{hash}(\mu_1 \| \nu_1 \| \cdots \| \mu_r \| \nu_r)$
$\chi_i \leftarrow \omega_i - a_i c_i \gamma_0 \delta_{i\beta} \bmod q$ for $1 \le i \le r$
User sends $(C, \rho_j, w_j)$, $(\eta_1, \ldots, \eta_6, v_0, \ldots, v_3)$ and $(C'_a, w, D, D')$ to Server $I_j$.

Query verification phase (Server $I_j$):
$a \leftarrow \langle a_1, \ldots, a_r \rangle \in \{0, \ldots, 2^\kappa - 1\}^r$ s.t. $a_i \leftarrow \mathrm{hash}(C_1 \| \cdots \| C_i) \bmod 2^\kappa$
$C_a \leftarrow \prod_{i=1}^{r} C_i^{a_i}$
$z \leftarrow \mathrm{Ver}(C_a, I_j, \rho_j \cdot a, w_j)$
if ($z$ is false) then abort
$Y \leftarrow e(C'_a, \hat{g}) / e(w, \hat{g}^{\alpha})$
$\zeta \leftarrow \mathrm{hash}(Y \| \eta_1 \| \cdots \| \eta_6) \bmod q$
$z \leftarrow (\eta_2 \stackrel{?}{=} h^{v_0} \eta_1^{\zeta}) \wedge (\eta_3 \stackrel{?}{=} C_a^{v_0} (C'_a)^{\zeta}) \wedge (D \stackrel{?}{=} g_T^{v_1} h_T^{v_2} \eta_4^{\zeta}) \wedge (\eta_5 \stackrel{?}{=} D^{v_0} (D')^{\zeta}) \wedge (\eta_6 \stackrel{?}{=} h_T^{v_3} (D'/Y)^{\zeta})$
if ($z$ is false) then abort

User sends $(\mu_1, \nu_1, \chi_1, \ldots, \mu_r, \nu_r, \chi_r, c)$ to Server $I_j$.

Receipt generation phase (User):
$P \leftarrow \langle P_1, \ldots, P_T \rangle \in (\mathbb{G}_1)^T$ s.t. $P_i = \mathrm{PolyCommit}_{DL}(f \cdot p_i)$
$P'_\pi \leftarrow P_\pi \cdot (h^{\alpha})^{d_1} \cdot h^{d_0}$ s.t. $d_0, d_1 \in_R \mathbb{Z}_q$
$w'_\pi \leftarrow \mathrm{CreateWitness}(f \cdot p_\pi, 0) \cdot h^{d_1}$
$Q_\pi \leftarrow g_T^{p_{\pi\beta}} h_T^{d_0}$
$\mathrm{Commit}_P \leftarrow$ set of commitments from the ZKP $\Pi_P$ (see Section 4.2)
User sends $(P'_\pi, w'_\pi, Q_\pi, \mathrm{wallet}, \mathrm{Commit}_P)$ to Server $I_j$.

Receipt generation phase (Server $I_j$):
$b \leftarrow \langle b_1, \ldots, b_r \rangle \in_R \{0, \ldots, 2^\kappa - 1\}^r$
$c \leftarrow \mathrm{hash}(\mu_1 \| \nu_1 \| \cdots \| \mu_r \| \nu_r)$
$z \leftarrow \left(\prod_{i=1}^{r} \mu_i^{b_i} \stackrel{?}{=} h^{\sum_{i=1}^{r} \chi_i b_i}\, \eta_1^{\sum_{i=1}^{r} a_i b_i c_i}\right) \wedge \left(\prod_{i=1}^{r} \nu_i^{b_i} \stackrel{?}{=} g_T^{\sum_{i=1}^{r} \chi_i b_i}\, Y^{\sum_{i=1}^{r} b_i c_i}\right) \wedge \left(c \stackrel{?}{=} \sum_{i=1}^{r} c_i \bmod 2^\kappa\right)$
if ($z$ is false) then abort

Challenge phase (Server $I_j$):
$z \leftarrow e(P'_\pi, \hat{g}) \stackrel{?}{=} e(w'_\pi, \hat{g}^{\alpha})\, Q_\pi$
if ($z$ is false) then abort
$x \leftarrow C \| P'_\pi \| w'_\pi \| Q_\pi \| \mathrm{Commit}_P \| \mathrm{wallet}$
$\sigma_j \leftarrow \mathrm{BLSSign}(x)$
Server $I_j$ sends $\sigma_j$ to the User.

Response phase (User):
$\sigma \leftarrow \mathrm{BLSRecombine}(\sigma_1, \ldots, \sigma_k)$
$\varsigma \leftarrow \mathrm{hash}(\sigma) \bmod q$
$\mathrm{Response}_P \leftarrow$ the set of responses to the ZKP $\Pi_P$ using challenge $\varsigma$ (see Section 4.2)
User sends $(\sigma, \mathrm{Response}_P)$ to Server $I_j$.

Receipt verification phase (Server $I_j$):
$P \leftarrow \langle P_1, \ldots, P_T \rangle \in (\mathbb{G}_1)^T$ s.t. $P_i = \mathrm{PolyCommit}_{DL}(f \cdot p_i)$
$\varsigma \leftarrow \mathrm{hash}(\sigma) \bmod q$
$z \leftarrow \mathrm{BLSVerify}(x) \wedge (\mathrm{Response}_P$ is a valid response for $\varsigma)$
if ($z$ is false) then abort else process query
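The query proof above rests on the random-coefficient test of Theorem 5: the verifier derives $a_i = \mathrm{hash}(C_1 \| \cdots \| C_i) \bmod 2^\kappa$ and the user proves that $(f \cdot a)(0)$ equals one of the $a_i$, which by Theorem 5 can only happen with probability at most $r/2^\kappa$ unless $f(0)$ is a standard basis vector. The Python below is an added example (not the paper's or Percy++'s code) that runs that test directly on plaintext vectors, so the commitments, pairings and the OR-proof of Appendix D are stripped away and only the combinatorial argument remains; it uses a constructed 61-bit prime for $q$, draws the coefficients from a seeded PRNG instead of a hash, and deliberately uses a tiny $\kappa = 8$ so that false accepts are frequent enough to measure against the $r/2^\kappa$ bound. All function names are constructed for this example.

```python
import random


def dot_mod(f, a, q):
    """The quantity Theorem 5 calls f_a: the inner product f . a, reduced mod q."""
    return sum(fi * ai for fi, ai in zip(f, a)) % q


def random_coefficients(r, kappa, rng):
    """a_i drawn uniformly from {0, ..., 2^kappa - 1}.

    The protocol diagram derives a_i as hash(C_1 || ... || C_i) mod 2^kappa so that the
    proof is non-interactive; a seeded PRNG is used here (constructed) for reproducibility.
    """
    return [rng.randrange(1 << kappa) for _ in range(r)]


def basis_test(f, a, q):
    """Verifier's check: does f_a coincide with some a_j?  Always true when f = e_j,
    because then f_a = a_j exactly (each a_j < 2^kappa < q, so no reduction occurs)."""
    return dot_mod(f, a, q) in a


def is_standard_basis(f, q):
    """Ground truth for comparison: exactly one coordinate equal to 1, the rest 0 (mod q)."""
    vals = [x % q for x in f]
    return vals.count(1) == 1 and all(x in (0, 1) for x in vals)


def theorem5_bound(r, kappa):
    """The soundness bound r / 2^kappa from inequality (4)."""
    return r / (1 << kappa)


def false_accept_rate(f, q, kappa, trials, seed=1):
    """Empirical Pr[f_a = a_j for some j] for a fixed non-basis f, over fresh random a."""
    rng = random.Random(seed)
    r = len(f)
    hits = sum(basis_test(f, random_coefficients(r, kappa, rng), q) for _ in range(trials))
    return hits / trials


def demo(q=(1 << 61) - 1, kappa=8, trials=20000):
    """Compare the observed false-accept rate of the three non-basis cases in the proof of
    Theorem 5 (zero vector, one nonzero entry != 1, two nonzero entries) with r / 2^kappa."""
    cases = {
        "zero vector": [0, 0, 0, 0],
        "one entry, z = 2": [2, 0, 0, 0],
        "two entries": [1, 1, 0, 0],
    }
    return {name: (false_accept_rate(f, q, kappa, trials), theorem5_bound(len(f), kappa))
            for name, f in cases.items()}


if __name__ == "__main__":
    for name, (rate, bound) in demo().items():
        print(f"{name:18s} observed {rate:.4f}  bound {bound:.4f}")
```

For the zero vector the observed rate sits essentially at the bound (any $a_i = 0$ is a hit), which is why the paper's note after the proof calls the inequality non-strict in that case, while the other two vectors accept well below $r/2^\kappa$; raising $\kappa$ to a real soundness parameter drives all three to negligible. A deployment must also make the $a_i$ unpredictable to the prover before the commitments are fixed, which is exactly what hashing the $C_i$ achieves in the diagram.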


More information

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing

Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and

More information

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by 6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng

More information

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing A Replcaton-Based and Fault Tolerant Allocaton Algorthm for Cloud Computng Tork Altameem Dept of Computer Scence, RCC, Kng Saud Unversty, PO Box: 28095 11437 Ryadh-Saud Araba Abstract The very large nfrastructure

More information

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12 14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed

More information

PKIS: practical keyword index search on cloud datacenter

PKIS: practical keyword index search on cloud datacenter Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter Hyun-A

More information

Tracker: Security and Privacy for RFID-based Supply Chains

Tracker: Security and Privacy for RFID-based Supply Chains Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs

More information

Efficient Bandwidth Management in Broadband Wireless Access Systems Using CAC-based Dynamic Pricing

Efficient Bandwidth Management in Broadband Wireless Access Systems Using CAC-based Dynamic Pricing Effcent Bandwdth Management n Broadband Wreless Access Systems Usng CAC-based Dynamc Prcng Bader Al-Manthar, Ndal Nasser 2, Najah Abu Al 3, Hossam Hassanen Telecommuncatons Research Laboratory School of

More information

DP5: A Private Presence Service

DP5: A Private Presence Service DP5: A Prvate Presence Servce Nkta Borsov Unversty of Illnos at Urbana-Champagn, Unted States [email protected] George Danezs Unversty College London, Unted Kngdom [email protected] Ian Goldberg Unversty

More information

v a 1 b 1 i, a 2 b 2 i,..., a n b n i.

v a 1 b 1 i, a 2 b 2 i,..., a n b n i. SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are

More information

LIFETIME INCOME OPTIONS

LIFETIME INCOME OPTIONS LIFETIME INCOME OPTIONS May 2011 by: Marca S. Wagner, Esq. The Wagner Law Group A Professonal Corporaton 99 Summer Street, 13 th Floor Boston, MA 02110 Tel: (617) 357-5200 Fax: (617) 357-5250 www.ersa-lawyers.com

More information

Optimal Distributed Password Verification

Optimal Distributed Password Verification Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch [email protected] Anja Lehmann IBM Research Zurch [email protected] Gregory Neven IBM Research Zurch [email protected] ABSTRACT We present

More information

Complete Fairness in Secure Two-Party Computation

Complete Fairness in Secure Two-Party Computation Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute

More information

How To Understand The Results Of The German Meris Cloud And Water Vapour Product

How To Understand The Results Of The German Meris Cloud And Water Vapour Product Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPP-ATBD-ClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller

More information

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage Vol.48 (CIA 014), pp.103-107 http://dx.do.org/10.1457/astl.014.48.18 Watermar-based Provable Data Possesson for Multmeda Fle n Cloud Storage Yongjun Ren 1,, Jang Xu 1,, Jn Wang 1,, Lmng Fang 3, Jeong-U

More information

PAS: A Packet Accounting System to Limit the Effects of DoS & DDoS. Debish Fesehaye & Klara Naherstedt University of Illinois-Urbana Champaign

PAS: A Packet Accounting System to Limit the Effects of DoS & DDoS. Debish Fesehaye & Klara Naherstedt University of Illinois-Urbana Champaign PAS: A Packet Accountng System to Lmt the Effects of DoS & DDoS Debsh Fesehaye & Klara Naherstedt Unversty of Illnos-Urbana Champagn DoS and DDoS DDoS attacks are ncreasng threats to our dgtal world. Exstng

More information

How To Get A Tax Refund On A Retirement Account

How To Get A Tax Refund On A Retirement Account CED0105200808 Amerprse Fnancal Servces, Inc. 70400 Amerprse Fnancal Center Mnneapols, MN 55474 Incomng Account Transfer/Exchange/ Drect Rollover (Qualfed Plans Only) for Amerprse certfcates, Columba mutual

More information

A DISTRIBUTED REPUTATION MANAGEMENT SCHEME FOR MOBILE AGENT- BASED APPLICATIONS

A DISTRIBUTED REPUTATION MANAGEMENT SCHEME FOR MOBILE AGENT- BASED APPLICATIONS Bamasak & Zhang: A Dstrbuted Reputaton Management Scheme for Moble Agent-Based Applcatons A DISTRIBUTED REPUTATION MANAGEMENT SCHEME FOR MOBILE AGENT- BASED APPLICATIONS Omama Bamasak School of Computer

More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,

More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

From Selective to Full Security: Semi-Generic Transformations in the Standard Model An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département

More information

An Optimally Robust Hybrid Mix Network (Extended Abstract)

An Optimally Robust Hybrid Mix Network (Extended Abstract) An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

Fully Homomorphic Encryption Scheme with Symmetric Keys

Fully Homomorphic Encryption Scheme with Symmetric Keys Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton

More information

Efficient Project Portfolio as a tool for Enterprise Risk Management

Efficient Project Portfolio as a tool for Enterprise Risk Management Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse

More information

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently.

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently. Corporate Polces & Procedures Human Resources - Document CPP216 Leave Management Frst Produced: Current Verson: Past Revsons: Revew Cycle: Apples From: 09/09/09 26/10/12 09/09/09 3 years Immedately Authorsaton:

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika.

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika. VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

A Lyapunov Optimization Approach to Repeated Stochastic Games

A Lyapunov Optimization Approach to Repeated Stochastic Games PROC. ALLERTON CONFERENCE ON COMMUNICATION, CONTROL, AND COMPUTING, OCT. 2013 1 A Lyapunov Optmzaton Approach to Repeated Stochastc Games Mchael J. Neely Unversty of Southern Calforna http://www-bcf.usc.edu/

More information

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

Traffic-light a stress test for life insurance provisions

Traffic-light a stress test for life insurance provisions MEMORANDUM Date 006-09-7 Authors Bengt von Bahr, Göran Ronge Traffc-lght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE-113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

Generalizing the degree sequence problem

Generalizing the degree sequence problem Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

Simple Interest Loans (Section 5.1) :

Simple Interest Loans (Section 5.1) : Chapter 5 Fnance The frst part of ths revew wll explan the dfferent nterest and nvestment equatons you learned n secton 5.1 through 5.4 of your textbook and go through several examples. The second part

More information

A Probabilistic Theory of Coherence

A Probabilistic Theory of Coherence A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want

More information

A Self-Organized, Fault-Tolerant and Scalable Replication Scheme for Cloud Storage

A Self-Organized, Fault-Tolerant and Scalable Replication Scheme for Cloud Storage A Self-Organzed, Fault-Tolerant and Scalable Replcaton Scheme for Cloud Storage Ncolas Bonvn, Thanass G. Papaoannou and Karl Aberer School of Computer and Communcaton Scences École Polytechnque Fédérale

More information

DISCLOSURES I. ELECTRONIC FUND TRANSFER DISCLOSURE (REGULATION E)... 2 ELECTRONIC DISCLOSURE AND ELECTRONIC SIGNATURE CONSENT... 7

DISCLOSURES I. ELECTRONIC FUND TRANSFER DISCLOSURE (REGULATION E)... 2 ELECTRONIC DISCLOSURE AND ELECTRONIC SIGNATURE CONSENT... 7 DISCLOSURES The Dsclosures set forth below may affect the accounts you have selected wth Bank Leum USA. Read these dsclosures carefully as they descrbe your rghts and oblgatons for the accounts and/or

More information

Dynamic Pricing for Smart Grid with Reinforcement Learning

Dynamic Pricing for Smart Grid with Reinforcement Learning Dynamc Prcng for Smart Grd wth Renforcement Learnng Byung-Gook Km, Yu Zhang, Mhaela van der Schaar, and Jang-Won Lee Samsung Electroncs, Suwon, Korea Department of Electrcal Engneerng, UCLA, Los Angeles,

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

A Performance Analysis of View Maintenance Techniques for Data Warehouses

A Performance Analysis of View Maintenance Techniques for Data Warehouses A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao

More information

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA )

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA ) February 17, 2011 Andrew J. Hatnay [email protected] Dear Sr/Madam: Re: Re: Hollnger Canadan Publshng Holdngs Co. ( HCPH ) proceedng under the Companes Credtors Arrangement Act ( CCAA ) Update on CCAA Proceedngs

More information

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT

Chapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT Chapter 4 ECOOMIC DISATCH AD UIT COMMITMET ITRODUCTIO A power system has several power plants. Each power plant has several generatng unts. At any pont of tme, the total load n the system s met by the

More information

Using Series to Analyze Financial Situations: Present Value

Using Series to Analyze Financial Situations: Present Value 2.8 Usng Seres to Analyze Fnancal Stuatons: Present Value In the prevous secton, you learned how to calculate the amount, or future value, of an ordnary smple annuty. The amount s the sum of the accumulated

More information

sscada: securing SCADA infrastructure communications

sscada: securing SCADA infrastructure communications Int. J. Communcaton Networks and Dstrbuted Systems, Vol. 6, No. 1, 2011 59 sscada: securng SCADA nfrastructure communcatons Yongge Wang Department of SIS, UNC Charlotte, 9201 Unversty Cty Blvd, Charlotte,

More information

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy Fnancal Tme Seres Analyss Patrck McSharry [email protected] www.mcsharry.net Trnty Term 2014 Mathematcal Insttute Unversty of Oxford Course outlne 1. Data analyss, probablty, correlatons, vsualsaton

More information

Secure and Efficient Proof of Storage with Deduplication

Secure and Efficient Proof of Storage with Deduplication Secure and Effcent Proof of Storage wth Deduplcaton Qng Zheng Department of Computer Scence Unversty of Texas at San Antono [email protected] Shouhua Xu Department of Computer Scence Unversty of Texas

More information

When Network Effect Meets Congestion Effect: Leveraging Social Services for Wireless Services

When Network Effect Meets Congestion Effect: Leveraging Social Services for Wireless Services When Network Effect Meets Congeston Effect: Leveragng Socal Servces for Wreless Servces aowen Gong School of Electrcal, Computer and Energy Engeerng Arzona State Unversty Tempe, AZ 8587, USA xgong9@asuedu

More information

Vembu StoreGrid Windows Client Installation Guide

Vembu StoreGrid Windows Client Installation Guide Ser v cepr ov dered t on Cl enti nst al l at ongu de W ndows Vembu StoreGrd Wndows Clent Installaton Gude Download the Wndows nstaller, VembuStoreGrd_4_2_0_SP_Clent_Only.exe To nstall StoreGrd clent on

More information

8 Algorithm for Binary Searching in Trees

8 Algorithm for Binary Searching in Trees 8 Algorthm for Bnary Searchng n Trees In ths secton we present our algorthm for bnary searchng n trees. A crucal observaton employed by the algorthm s that ths problem can be effcently solved when the

More information

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia To appear n Journal o Appled Probablty June 2007 O-COSTAT SUM RED-AD-BLACK GAMES WITH BET-DEPEDET WI PROBABILITY FUCTIO LAURA POTIGGIA, Unversty o the Scences n Phladelpha Abstract In ths paper we nvestgate

More information

Economic Models for Cloud Service Markets

Economic Models for Cloud Service Markets Economc Models for Cloud Servce Markets Ranjan Pal and Pan Hu 2 Unversty of Southern Calforna, USA, [email protected] 2 Deutsch Telekom Laboratores, Berln, Germany, [email protected] Abstract. Cloud computng

More information

Luby s Alg. for Maximal Independent Sets using Pairwise Independence

Luby s Alg. for Maximal Independent Sets using Pairwise Independence Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent

More information

Enterprise Master Patient Index

Enterprise Master Patient Index Enterprse Master Patent Index Healthcare data are captured n many dfferent settngs such as hosptals, clncs, labs, and physcan offces. Accordng to a report by the CDC, patents n the Unted States made an

More information

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts Power-of-wo Polces for Sngle- Warehouse Mult-Retaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)

More information