Transitive Transfer of Conndence: a Per- Fect Zero-knowledge Interactive Proto- Col for Sat and Beyond. 5.1 Additional Security for the User

our protocol requires O(n) bits of communication for arbitrary > 0, the resulting protocol also needs only O(n 0) communication. Suppose that the database contains n `-bit \strings" s 1 ; : : :; s n. The user has some string s and he wishes to nd an address i such that s i = s or to learn that such an address does not exist, without revealing to the database the value of s. This problem is a generalization of the PIR problem because, given x, the database can create a list of all entries j such that x j = 1 (each such entry is a string of length`= logn). Then, the user can retrieve the bit x i by checking if i is one of these strings. This problem can be solved by appropriately combining the use of perfect hash-functions to hash the strings into a hash table in a 1-1 manner and PIR schemes for reading values from this hash-table. In particular, note that the database can choose a hash function h that is 1-1 on the strings s 1 ; : : :; s n and send its name (which is \short") to the user. Now the strings can be stored indexed by their hash-value, hence reducing the problem to PIR. We remark that this problem, and some extensions of it, was also independently studied and solved (using the same techniques) by Chor, Gilboa and Naor CGN-97]. 6 Conclusions and Open Problems We have established that in the computational setting , replication of data is not necessary in order to retrieve, in a private and communication-eecient manner, information from a database. With the additional security for the database (i.e., where the user gets only one bit out of n bits) the PIR model can be re-formulated as one-out-of-n Oblivious Transfer protocol, a generalization of the well-known one-out-of-two Oblivious Transfer (? 2 1-OT) primitive R-81, EGL-85] which plays an important role in cryptographic protocol design. Hence, we hope that our single-database computational PIR will be useful for the design of other cryptographic protocols. Many problems remain open. How do we reduce the intractability assumptions? Impagliazzo and Rudich IR-89] show that implementing oblivious transfer based on general one-way functions (i.e. without trapdoor) is hard to do using black-box reductions. However, we do not know how to achieve communication-eecient cPIR even assuming general one-way trapdoor permutations (while standard …