Paper 2020/1248

Random-index PIR and Applications

Craig Gentry, Shai Halevi, Bernardo Magri, Jesper Buus Nielsen, and Sophia Yakoubov


Private information retrieval (PIR) lets a client retrieve an entry from a database without the server learning which entry was retrieved. Here we study a weaker variant that we call \emph{random-index PIR} (RPIR), where the retrieved index is an \emph{output} rather than an input of the protocol, and is chosen at random. RPIR is clearly weaker than PIR, but it suffices for some interesting applications and may be realized more efficiently than full-blown PIR. We report here on two lines of work, both tied to RPIR but otherwise largely unrelated. The first line of work studies RPIR as a primitive on its own. Perhaps surprisingly, we show that RPIR is in fact equivalent to PIR when there are no restrictions on the number of communication rounds. On the other hand, RPIR can be implemented in a ``noninteractive'' setting (with pre-processing), which is clearly impossible for PIR. For two-server RPIR we even show a truly noninteractive solution, offering information-theoretic security without any pre-processing. The other line of work, which was the original motivation for our work, uses RPIR to improve on the recent work of Benhamouda \etal (TCC'20) for maintaining secret values on public blockchains. Their solution depends on a method for selecting many random public keys from a PKI while hiding most of the selected keys from an adversary. However, the method they proposed is vulnerable to a double-dipping attack, limiting its resilience. Here we observe that a RPIR protocol, where the client is implemented via secure MPC, can eliminate that vulnerability. We thus get a secrets-on-blockchain protocol (and more generally large-scale MPC), resilient to any fraction $f < 1/2$ of corrupted parties, resolving the main open problem left from the work of Benhamouda \etal As the client in this solution is implemented via secure MPC, it really brings home the need to make it as efficient as possible. We thus strive to explore whatever efficiency gains we can get by using RPIR rather than PIR. We achieve more gains by using \emph{batch RPIR} where multiple indexes are retrieved at once. Lastly, we observe that this application can make do with a weaker security guarantee than full RPIR, and show that this weaker variant can be realized even more efficiently. We discuss one protocol in particular, that may be attractive for practical implementations.

Note: Feb 2021: added multi-server RPIR, added PIR preprocessing as an application, improved presentation June 2021: added grant acknowledgements

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Private information retrievalBatch PIRRandom PIRLarge-scale MPCSecrets on blockchainRandom ORAM
Contact author(s)
craigbgentry @ gmail com
shaih @ alum mit edu
magri @ cs au dk
jbn @ cs au dk
sophia yakoubov @ gmail com
2021-06-12: last of 4 revisions
2020-10-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Craig Gentry and Shai Halevi and Bernardo Magri and Jesper Buus Nielsen and Sophia Yakoubov},
      title = {Random-index PIR and Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1248},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.