Useful article Moxie, thanks. There is a way to do practical PIR for the contacts use case, although nobody here will like it much.
You use the new SGX features in the Intel Skylake+ processors to create a trusted computing "enclave" that generates some encryption keys. Then your other servers do the same, and remotely attest to the first what software they're running. The first then gives them copies of the keys as well. Now you have a server farm with encryption keys you don't yourself know, and cannot extract without impractical time and expertise spent breaking the hardware security on the x86 chips. This isn't as good as mathematically unbreakable security that relies on heat-death-of-the-universe type arguments, but it's in practice nearly as good, and would actually be deployable.

Once you have provisioned the keys, you can then use regular encrypted block storage to protect the database, which can be stuffed onto regular sharded disk storage. Or you can store the whole thing in RAM on some of the lookup servers, if it fits (SGX encrypts RAM). Or get fancier and use one of the new ORAM algorithms.

SGX isn't quite launched yet. There is a lot of technical documentation about it, but it's not quite clear when Intel will consider the tech production ready and release all their tools/SDKs publicly. Once it's out there, I think it'd be the next step for protection of contact lookups.
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
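The provisioning flow the post above sketches (first enclave generates the key, the other servers' enclaves attest to it, it hands them the key), written out as an added stdlib-only Python simulation. This is not code from the original message, from Signal or from Intel's SDK, and it stands in for hardware pieces with assumptions: one HMAC key plays the quoting enclave's signing key (a real verifier checks the quote through Intel's attestation service), key agreement is a toy finite-field DH group (use ECDH inside the enclave for real), and the key wrap is an HMAC-SHA256 counter keystream with encrypt-then-MAC rather than AES-GCM. The field names MRENCLAVE, DEBUG, ISVSVN and REPORTDATA are real SGX report fields; the checks on them are the point of the example: the primary releases the key only to a peer whose measurement equals its own, whose DEBUG attribute is clear, whose build SVN is at or above a floor, and whose DH public value is the one hashed into the quote's REPORTDATA, so the untrusted host cannot substitute its own key in the exchange.

```python
"""Attestation-gated key provisioning between enclaves, simulated with the Python
standard library. Assumptions, not from the post: one HMAC key stands in for the
hardware quoting key, key agreement is a toy finite-field DH group, and the key
wrap is an HMAC-SHA256 counter keystream with encrypt-then-MAC."""
import hashlib
import hmac
import secrets
import struct

QUOTING_KEY = secrets.token_bytes(32)  # stand-in for the quoting enclave's signing key
P, G, PUB_LEN = (1 << 521) - 1, 5, 66  # toy DH group (2^521-1 is prime); illustration only
MIN_ISV_SVN = 2                        # oldest enclave build still allowed to hold the key

def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-and-expand with a zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def _xor_stream(enc_key: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(enc_key, struct.pack(">Q", i), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; `key` is 64 bytes and fresh per DH exchange, so no nonce."""
    ct = _xor_stream(key[:32], plaintext)
    return ct + hmac.new(key[32:], ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return _xor_stream(key[:32], ct)

def bind(pub: int) -> bytes:
    """64-byte REPORTDATA: hash of the DH public value this quote vouches for."""
    return hashlib.sha512(pub.to_bytes(PUB_LEN, "big")).digest()

class Enclave:
    def __init__(self, code: bytes, debug: bool = False, isv_svn: int = 3):
        self.mrenclave = hashlib.sha256(code).digest()  # MRENCLAVE stand-in
        self.debug, self.isv_svn, self.db_key = debug, isv_svn, None
        self._dh_priv = secrets.randbelow(P - 2) + 1
        self.dh_pub = pow(G, self._dh_priv, P)

    def quote(self) -> bytes:
        """Report fields (MRENCLAVE, DEBUG, ISVSVN, REPORTDATA) plus platform signature."""
        body = self.mrenclave + struct.pack(">?H", self.debug, self.isv_svn) + bind(self.dh_pub)
        return body + hmac.new(QUOTING_KEY, body, hashlib.sha256).digest()

    def _wrap_key(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self._dh_priv, P).to_bytes(PUB_LEN, "big")
        return hkdf_sha256(shared, b"db-key-wrap", 64)

    def provision(self, peer_quote: bytes, peer_pub: int):
        """Primary side: release the key only to a verified copy of our own enclave."""
        body, sig = peer_quote[:-32], peer_quote[-32:]
        if not hmac.compare_digest(sig, hmac.new(QUOTING_KEY, body, hashlib.sha256).digest()):
            raise PermissionError("quote signature invalid")
        debug, isv_svn = struct.unpack(">?H", body[32:35])
        if body[:32] != self.mrenclave:
            raise PermissionError("peer is not running our enclave code")
        if debug:  # DEBUG attribute set: the host can read enclave memory with a debugger
            raise PermissionError("peer enclave is debuggable")
        if isv_svn < MIN_ISV_SVN:
            raise PermissionError("peer enclave build is below the minimum SVN")
        if not 1 < peer_pub < P - 1 or body[35:] != bind(peer_pub):
            raise PermissionError("DH public value is not the one the quote vouches for")
        return self.dh_pub, seal(self._wrap_key(peer_pub), self.db_key)

    def receive(self, primary_pub: int, wrapped: bytes) -> None:
        self.db_key = unseal(self._wrap_key(primary_pub), wrapped)

def demo():
    """Provision one good replica, then collect the reasons bad peers are refused."""
    code = b"contact-lookup-enclave"              # constructed enclave image
    primary, replica = Enclave(code), Enclave(code)
    primary.db_key = secrets.token_bytes(32)      # generated inside the first enclave
    replica.receive(*primary.provision(replica.quote(), replica.dh_pub))
    attempts = [(Enclave(code, debug=True), None), (Enclave(b"other-code"), None),
                (Enclave(code, isv_svn=1), None), (replica, Enclave(code).dh_pub)]
    rejected = []
    for peer, pub in attempts:
        try:
            primary.provision(peer.quote(), pub if pub is not None else peer.dh_pub)
        except PermissionError as e:
            rejected.append(str(e))
    return replica.db_key == primary.db_key, rejected
```

The last attempt in `demo()` is the case that matters most for the post's threat model: the host replays a perfectly valid quote from a good replica but offers its own DH public value, and the REPORTDATA binding is what makes the primary refuse it. The DEBUG check matters for the same reason; a debug-mode enclave passes measurement yet leaks its memory to the operator. Both checks apply unchanged whether the wrapped key later protects encrypted block storage or an in-RAM copy of the database.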
