Private Information Retrieval with Access Control

Private Information Retrieval (PIR) allows a user to query for a record from a remote database without revealing the query to the database server. However, PIR does not provide access control guarantees, allowing any user access to any record. Moreover, the database server cannot check access permis...

Bibliographic Details
Main Author: Goyal, Pawan
Other Authors: Servan-Schreiber, Sacha
Format: Thesis
Published: Massachusetts Institute of Technology 2023
Online Access: https://hdl.handle.net/1721.1/151392
collection MIT
description Private Information Retrieval (PIR) allows a user to query for a record from a remote database without revealing the query to the database server. However, PIR does not provide access control guarantees, allowing any user access to any record. Moreover, the database server cannot check access permissions through conventional techniques as they are fundamentally incompatible with PIR. In this thesis, we present Pirac—a novel framework for access control in PIR. In Pirac, only users who have permission to access a specific database record can retrieve it. Our constructions make black-box use of the underlying PIR schemes and therefore apply to both single-server and multi-server PIR. We evaluate our open-source implementation of Pirac when applied to state-of-the-art PIR schemes. For databases with roughly one million 4 KiB records, adding access control via Pirac incurs a 2.6× server-side computational overhead in single-server PIR and 3.1× in multi-server PIR, while keeping user processing and communication overheads at a minimum. We show that Pirac enables new applications of PIR, including privacy-preserving password breach lookups, multi-user databases with personal content, and private friend discovery, among others.
first_indexed 2024-09-23T11:56:04Z
format Thesis
id mit-1721.1/151392
institution Massachusetts Institute of Technology
last_indexed 2024-09-23T11:56:04Z
publishDate 2023
publisher Massachusetts Institute of Technology
record_format dspace
spelling mit-1721.1/151392 2023-08-01T03:50:00Z Private Information Retrieval with Access Control Goyal, Pawan Servan-Schreiber, Sacha Devadas, Srini Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science M.Eng. 2023-07-31T19:36:19Z 2023-07-31T19:36:19Z 2023-06 2023-06-06T16:34:56.049Z Thesis https://hdl.handle.net/1721.1/151392 In Copyright - Educational Use Permitted Copyright retained by author(s) https://rightsstatements.org/page/InC-EDU/1.0/ application/pdf Massachusetts Institute of Technology