On Bringer-Chabanne EPIR Protocol for Polynomial Evaluation

TL;DR

This paper critically examines the Bringer-Chabanne EPIR protocol for polynomial evaluation, revealing that it fails to meet correctness expectations under certain conditions involving polynomial coefficients.

Contribution

The paper demonstrates that the previously proposed EPIR protocol for polynomial evaluation does not satisfy correctness when specific coefficient conditions are met.

Findings

The protocol fails to produce the expected result with high probability under certain polynomial coefficient conditions.

The protocol's correctness is compromised when coefficients are primitive elements or belong to the prime subfield.

The analysis challenges the validity of the original protocol's claims about correctness.

Abstract

Extended private information retrieval (EPIR) was defined by \cite{BCPT07} at CANS'07 and generalized by \cite{BC09} at AFRICACRYPT'09. In the generalized setting, EPIR allows a user to evaluate a function on a database block such that the database can learn neither which function has been evaluated nor on which block the function has been evaluated and the user learns no more information on the database blocks except for the expected result. An EPIR protocol for evaluating polynomials over a finite field $L$ was proposed by Bringer and Chabanne in \cite{BC09}. We show that the protocol does not satisfy the correctness requirement as they have claimed. In particular, we show that it does not give the user the expected result with large probability if one of the coefficients of the polynomial to be evaluated is primitive in $L$ and the others belong to the prime subfield of $L$.