IVE: An Accelerator for Single-Server Private Information Retrieval Using Versatile Processing Elements

TL;DR

IVE tackles the practicality gap of single-server HE-based PIR by architecting a hardware accelerator that mitigates memory bandwidth bottlenecks through batching, a large on-chip scratchpad, and a versatile processing unit. It combines a hierarchical search scheduling, a unified sysNTTU that handles both NTT and GEMM, and a scalable memory system to enable near-linear scaling via scale-up and scale-out deployments. The result is up to 1,275× higher throughput than prior hardware solutions with favorable energy and latency characteristics, making PIR viable for large databases. The work also demonstrates broad applicability to other HE-based PIR protocols and provides a deployment framework that can adapt to database growth through heterogeneous memory and multi-system clustering.

Abstract

Private information retrieval (PIR) is an essential cryptographic protocol for privacy-preserving applications, enabling a client to retrieve a record from a server's database without revealing which record was requested. Single-server PIR based on homomorphic encryption has particularly gained immense attention for its ease of deployment and reduced trust assumptions. However, single-server PIR remains impractical due to its high computational and memory bandwidth demands. Specifically, reading the entirety of large databases from storage, such as SSDs, severely limits its performance. To address this, we propose IVE, an accelerator for single-server PIR with a systematic extension that enables practical retrieval from large databases using DRAM. Recent advances in DRAM capacity allow PIR for large databases to be served entirely from DRAM, removing its dependence on storage bandwidth. Although the memory bandwidth bottleneck still remains, multi-client batching effectively amortizes database access costs across concurrent requests to improve throughput. However, client-specific data remains a bottleneck, whose bandwidth requirements ultimately limits performance. IVE overcomes this by employing a large on-chip scratchpad with an operation scheduling algorithm that maximizes data reuse, further boosting throughput. Additionally, we introduce sysNTTU, a versatile functional unit that enhances area efficiency without sacrificing performance. We also propose a heterogeneous memory system architecture, which enables a linear scaling of database sizes without a throughput degradation. Consequently, IVE achieves up to 1,275x higher throughput compared to prior PIR hardware solutions.

Figures (14)

• Figure 1: Naïve PIR based on BFV encryption arxiv-2012-FVcrypto-2012-bfv when $D \!=\! N\!=\!4$.
• Figure 2: Server-side PIR computation process composed of (1) $\mathtt{ExpandQuery}$, (2) $\mathtt{RowSel}$, and (3) $\mathtt{ColTor}$.
• Figure 3: Computational flow of an external product ($\boxdot$).
• Figure 4: Computational complexity breakdown based on the number of integer mults required for PIR depending on (a) the $\mathtt{DB}$ size and (b) $D_0$.
• Figure 5: Computation of $\mathtt{RowSel}$ without (left) and with (right) batching expressed as matrix-matrix mults.