Extended results on privacy against coalitions of users in user-private information retrieval protocols

In peer-to-peer user-private information retrieval, or P2P UPIR, the goal is to provide increased privacy for users querying a database. This is accomplished by leveraging a P2P network in which users forward each other’s queries to the database. That is, the database is trusted to serve correct answers to user queries, but not trusted to know the identity of the user who sent particular queries (or the source of the queries): users wish to maintain anonymity (relative to other users) with respect to the database. In this paper, we analyze protocols by Swanson and Stinson that are based on combinatorial designs; the use of combinatorial designs for P2P UPIR is a natural approach, because the “balance” properties of designs translate into desirable (and sometimes optimal) security properties in the resulting protocols. Our main contribution is to extend previous work by analyzing the privacy properties of suggested P2P UPIR protocols with respect to coalitions of honest-but-curious users. Previous work focuses on privacy properties achieved with respect to the database; as such, our work fills an important gap in the analysis of these protocols. We provide an analysis of the probabilistic advantage user coalitions have in guessing the source of a query. In particular, when a set of queries is linked by subject matter (i.e., the content of the queries reveals the fact that they have a common source), it is difficult to protect against user coalitions. We provide new results with respect to user attacks on linked queries, and we analyze the use of query hops as a mitigation technique, in which queries are probabilistically written to one or more memory spaces before forwarding to the database.