Efficient Private Information Retrieval Protocol with Homomorphically Computing Univariate Polynomials

Private information retrieval (PIR) is a powerful cryptographic tool that has received considerable attention in recent years, as it not only lets users retrieve the data they need from database servers but also prevents the servers from learning which data were requested. Although many PIR protocols have been proposed, designing an efficient PIR protocol whose communication overhead is independent of the database size N remains an open problem. In this paper, to address this open problem, we present a new communication-efficient PIR protocol based on our proposed single-ciphertext fully homomorphic encryption (FHE) scheme, which supports unlimited single-variable computations over a single ciphertext without access to the secret key. Specifically, our PIR protocol combines the single-ciphertext FHE with the Lagrange interpolating polynomial technique to achieve better communication efficiency. Security analyses show that the proposed PIR protocol protects the privacy of both the user and the data in the database. In addition, both theoretical analyses and experimental evaluations are conducted, and the results indicate that our PIR protocol is more efficient and practical than previously reported ones. To the best of our knowledge, it is the first PIR protocol achieving O(1) communication on the user side, independent of the database size N.


Introduction
Private information retrieval (PIR) protocol [1] is a cryptographic primitive run between database servers and a user. The salient feature of PIR is that it ensures the user can obtain some data from the database servers, while the database servers cannot learn anything about the user's queries. A trivial way to obtain this feature is for the user to download all the data from the database servers and then look up the wanted item locally at any time. However, this solution wastes a great deal of time and storage space for the user, since the database servers usually store a huge volume of items. In addition, considering that continuous interactions with multiple servers come at the price of communication costs for the user, many research studies have focused on the single-server PIR protocol, which is composed of only one database server and one query user [1][2][3][4][5][6][7].
In 1997, the first single-server PIR protocol was proposed by Kushilevitz and Ostrovsky [2]. They constructed a PIR protocol based on group homomorphism and the quadratic residuosity problem and achieved a communication complexity of O(N^ε log N) bits on the user side for database size N and any constant ε (the symbols O(·), Ω(·), and o(·) are the usual asymptotic notations: we denote an asymptotic upper bound, a non-tight upper bound, and a lower bound by O(·), o(·), and Ω(·), respectively). After that, further single-server PIR protocols were proposed [3][4][5]. Kushilevitz and Ostrovsky [3] applied the trapdoor permutation approach to the single-server PIR protocol with communication overhead N − cN/k + O(k^2) bits, where c is a constant and k is the security parameter of the one-way trapdoor permutation. Gentry and Ramzan [4] presented a single-server PIR protocol based on a slight variation of the computational difficulty of deciding whether a small prime divides Euler's totient function of a composite integer. The total communication cost of the protocol is 3 messages, each of size Ω(log^{3−o(1)} N) bits. Melchor et al. [5] proposed a PIR protocol based on group homomorphism with communication O(√N) bits. In recent years, with the development of fully homomorphic encryption (FHE) [8,9], many researchers have turned to FHE schemes to construct single-server PIR protocols [6,7,10,11]. Brakerski and Vaikuntanathan [10] proposed a brief PIR protocol based on learning with errors (LWE) by using FHE. The FHE scheme DGHV [12] over the integers was applied to PIR protocols by Yi et al. [6]; the communication overhead of their PIR protocol is O(log N) bits and also depends on the DGHV ciphertext size O(λ^5) (λ being the security parameter). Li et al. [7] modified Brakerski and Vaikuntanathan's PIR protocol [10] and combined it with the HAO scheme in [13] to construct a PIR protocol.
However, the main idea of that protocol is similar to invoking the decryption circuit homomorphically, which is expensive and of extremely low efficiency. Focusing on single-server PIR protocols, we notice that all the aforementioned PIR protocols depend on the database size N in terms of communication cost. When N becomes larger, the communication will not be efficient. Therefore, how to design a PIR protocol with communication overhead O(1), i.e., independent of the database size N, becomes an open problem.
In this paper, to address the above open problem, we propose a new FHE scheme with special properties and utilize it to design a new single-server PIR protocol with O(1) communication for any user. To the best of our knowledge, our single-server PIR protocol is the most efficient one in terms of communication. In addition, it also allows a user to retrieve positive integer data from the database server, instead of a single bit per query. Specifically, the main contributions of this paper are threefold:
(i) First, in order to achieve O(1) communication on the user side, we design a new kind of FHE scheme called single-ciphertext FHE, which supports unlimited single-variable computations over a single ciphertext without access to the secret key. Built on the truncated polynomial ring, the proposed single-ciphertext FHE scheme is extremely efficient in both encryption and decryption. A detailed security analysis shows that the proposed FHE scheme is one-way secure, which is exactly equivalent to the 3rd RSA problem.
(ii) Second, we use the single-ciphertext FHE as a symmetric encryption scheme together with the Lagrange interpolating polynomial technique to construct our single-server PIR protocol. Security analyses show that our proposed PIR protocol protects the privacy of the user and of the data in the database under our defined security model.
(iii) Third, we conduct both theoretical analyses and experimental evaluations to demonstrate that our proposed PIR protocol is indeed efficient in terms of computational complexity and communication overhead. In particular, our proposed protocol is the first PIR protocol that achieves O(1) communication, independent of the database size N.
The remainder of this paper is organized as follows. We describe some preliminaries in Section 2. Then, in Section 3, we formalize our system model, security model, and design goal. In Section 4, we first present a new single-ciphertext FHE scheme, followed by our single-server communication-efficient PIR protocol. After that, the security analyses and the performance evaluation of our single-server PIR protocol are given in Sections 5 and 6, respectively. Some related works are also discussed in Section 7. Finally, we draw our conclusion in Section 8.

Preliminaries
In this section, we first give some notations that will be used throughout this paper and then describe the definitions of the truncated polynomial rings and of our proposed single-ciphertext FHE scheme.

Notations.
In this paper, we denote row vectors by bold letters (e.g., DB and c), and the symbol DB[i] represents the i-th data in DB. Some other notations that will be used in this work are listed in Table 1.

Truncated Polynomial Rings.
The truncated polynomial rings will be used as a building block for constructing a special FHE scheme in this work. Essentially, the concept of truncated polynomials is not complicated; e.g., an extension field is constructed from F[x] over a finite field F modulo a monic irreducible polynomial [14], and the NTRU public key cryptosystem [15] also utilizes a univariate truncated polynomial ring modulo X^N − 1.
Though the above examples only involve univariate polynomials, we can extend the situation to the case of bivariate polynomials.
To be specific, we set n = pq to be a standard RSA modulus, namely, n is the product of two large primes p and q. In order to make our proposal more efficient, we consider the RSA cryptosystem [16] with the public encryption exponent e = 3, from which we define two polynomials f(x) = x^3 − u (mod n) and g(y) = y^3 − v (mod n) with u, v ∈ Z_n. We also define a bivariate polynomial set S and the additive and multiplicative operations on S. Given two bivariate polynomials h_1(x, y), h_2(x, y) ∈ S, the multiplication can also be defined as h*(x, y) ≡ h_1(x, y)h_2(x, y) (mod n, f(x), g(y)).
To perform the multiplication, we first carry out the standard polynomial multiplication h_1(x, y)h_2(x, y). Because the maximum degree with respect to x (y, respectively) is 2 in h_1(x, y) (h_2(x, y), respectively), the maximum degree of x (y, respectively) in the product h_1(x, y)h_2(x, y) becomes 4. Thus, in the second step, we reduce the product h_1(x, y)h_2(x, y) modulo f(x) = x^3 − u and g(y) = y^3 − v to truncate it back to the set S as follows: replace x^3 (y^3, respectively) with u (v, respectively), and replace x^4 (y^4, respectively) with ux (vy, respectively). From the definition, one can easily verify that Z_n[x, y] (mod f(x), g(y)) also forms a ring, called the truncated polynomial ring, which is denoted as Z_n[x, y]/〈f(x), g(y)〉.

Single-Ciphertext FHE Scheme.
In the following, we formalize the definition of single-ciphertext FHE, together with its security notion. Before that, we first give some necessary descriptions of the special FHE. The proposed single-ciphertext FHE is a special kind of FHE, which supports unlimited single-variable computations over a single ciphertext without access to the secret key. Different from general FHE, the evaluation algorithm of our single-ciphertext FHE operates on a single ciphertext rather than on several ciphertexts. In other words, our single-ciphertext FHE skips (or aborts) any multivariable circuit of general FHE and allows any computation over any single-variable circuit. Compared with general FHE, our single-ciphertext FHE possesses less functionality due to the single ciphertext, but it still permits any computation on any single-variable circuit. Hence, our single-ciphertext FHE is a well-suited cryptographic tool that is sufficient for the requirements of single-server PIR protocols, since the evaluation in a single-server PIR protocol can be regarded as a univariate polynomial.
Definition 1. (single-ciphertext FHE scheme). A single-ciphertext FHE scheme consists of four probabilistic polynomial time (PPT) algorithms, namely, the key generation, encryption, decryption, and homomorphic evaluation algorithms.
The details are as follows:
(i) Key generation ((pk, evk, sk) ← KeyGen(λ)): take the security parameter λ as the input, and output a public key pk, an evaluation key evk, and a secret key sk.
(ii) Encryption (c ← Enc(m, pk)): using the public key pk, encrypt a message m ∈ M into a ciphertext c, where M is the message space.
(iii) Decryption (m ← Dec(c, sk)): using the secret key sk, decrypt a ciphertext c to recover the corresponding message m ∈ M.
(iv) Evaluation (c' ← Eval(C, c, evk)): given a single-variable circuit C and a ciphertext c with underlying plaintext m, i.e., c = Enc(m, pk), the algorithm uses the evaluation key evk to compute a new ciphertext c' = Eval(C, c, evk).
Note that correctness of decryption requires that the plaintext m can be correctly recovered from the ciphertext, i.e., m = Dec(Enc(m, pk), sk). Correctness of the homomorphic evaluation requires that the ciphertext c' decrypts to the plaintext C(m), namely, Dec(c', sk) = C(m).
Actually, our proposed single-ciphertext FHE scheme is noiseless: every time an evaluation on the ciphertext is performed, there is no noise to obscure the underlying plaintext. Noiseless FHE schemes have a main drawback: none has been strictly proved secure and feasible in the framework of provable security. For more on noiseless FHE, one can refer to Section 7. Hence, we give the following security definition for our noiseless single-ciphertext FHE scheme.

Definition 2.
(the one-way security of single-ciphertext FHE). Given the security parameter λ, the public key pk, the evaluation key evk, and a ciphertext c with underlying plaintext m, it should be difficult for any PPT adversary to find m ∈ M from the ciphertext c such that c = Enc(m, pk). Formally, we require that for any PPT adversary A,

Pr[A(pk, evk, c) = m | (pk, evk, sk) ← KeyGen(λ), c = Enc(m, pk)] ≤ ε(λ),   (2)

where ε(λ) represents a negligible function.
Different from general security notions such as indistinguishability under chosen-plaintext attack (IND-CPA) and indistinguishability under chosen-ciphertext attack (IND-CCA1) of known FHE schemes [8-10, 12, 17-22] (FHE inherently supports malleability of ciphertexts and hence cannot attain the highest security goal, namely, indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2)), we only consider one-way security, for the following reasons. Firstly, the security notion is tailored to the single-ciphertext FHE scenario, where no distinguishability games are played on distinct plaintexts. Secondly, in the PIR scenario, the single-ciphertext FHE scheme is used as a symmetric encryption algorithm, so the IND-CPA security of public key encryption schemes is not considered.

System Model, Security Model, and Design Goal
In this section, we formalize our system model and security model and identify our design goal.

System Model.
In our system model, we consider a typical single-server PIR protocol, which includes two entities, namely, a user and a database (DB) server, as shown in Figure 1.
(i) DB server: the database server is powerful in both storing and computing data. In our system model, the database server stores and processes a database For simplicity of our PIR protocol discussed later, we assume the value of each item DB[i] is a positive integer rather than a single bit. In addition, the server, whose computational power is unbounded, returns a PIR response to a query user after the latter makes a PIR query.
(ii) User: in our system model, a query user can directly make a PIR query to the DB server and obtain the desired result from it. Meanwhile, the user does not want to reveal the queried index i to the DB server when asking for the corresponding data DB[i] from DB, and hopes that the communication of the PIR protocol is efficient.
Formally, a single-server PIR protocol in our system model comprises three phases as follows:
(i) Query generation phase (Q(i) ← QG(i)): taking the index i as the input, the user sends a query Q(i) to the server.
(ii) Response generation phase (R(i) ← RG(Q(i), DB)): using the query Q(i) and the database DB, the server returns a response R(i) to the user.
(iii) Response retrieval phase (DB[i] ← RR(R(i))): upon receiving a response R(i), the user outputs the data DB[i] corresponding to the index i.
A single-server PIR protocol is correct if, for any database DB with any size N and any index i for 0

Security Model.
In our security model, we consider the DB server to be honest but curious, and we assume there is no collusion between the DB server and any third party. In other words, the DB server faithfully follows the protocol; however, it is curious about the queried index of the user. Note that, in case the DB server is compromised by an attacker, the compromised DB server may launch other active attacks and return an erroneous response that the user is not able to verify. However, since we focus on the communication-efficient PIR protocol for the user in this paper, those active attacks by a compromised DB server are beyond the scope of this paper, though it is not difficult to apply verifiable techniques to tackle them. For details, one can refer to Remark 3 in Section 5.

Design Goal.
Our design goal is to present a communication-efficient PIR protocol on the user side that addresses the requirements of the above system model and security model. The communication-efficient PIR protocol is the center of our attention; hence, we assume the power of the server is unlimited and that the computational burden of the server is less important than that of any user. Specifically, the following two objectives should be met:
(i) The proposed PIR protocol should be privacy preserving: the queried index i should be private, and no one except the query user can determine the value of i. In addition, no one except the query user can retrieve the data DB[i] from the response R(i) returned by the DB server.
(ii) The proposed PIR protocol should be communication efficient: achieving the above privacy requirement incurs additional communication costs in PIR protocols. Therefore, in the proposed PIR protocol, we aim to make the query's communication efficient, i.e., to achieve low communication costs for the user.

Our Proposed Scheme
In this section, we will describe our communication-efficient PIR protocol. Before delving into the details, we first present our new single-ciphertext FHE scheme based on the aforementioned truncated polynomial rings.

Our New Single-Ciphertext FHE Scheme.
Our new single-ciphertext FHE scheme comprises four algorithms, namely, KeyGen, Enc, Dec, and Eval. The detailed descriptions are as follows:
(i) KeyGen(λ): taking the security parameter λ (even, for simplicity) as the input, randomly generate two λ/2-bit large primes p and q satisfying gcd ). The modulus n is set as the public key pk = n, the evaluation key is set as evk = n, and the integer d is set as the secret key, i.e., sk = d.
(ii) Enc(m, pk): given a plaintext m ∈ M = Z_n, randomly choose a, b ∈ Z_n and compute u ≡ a^3 (mod n) and v ≡ b^3 (mod n). Also, randomly choose 9 integers a_ij ∈ Z_n for i, j ∈ {0, 1, 2}, and construct a polyno-
with the secret key d to obtain the two random numbers a, b. The plaintext can be recovered by substituting a, b into c(x, y), that is,
, the evaluation algorithm is described in Algorithm 1. We remind the reader that the involved addition and multiplication operations are performed over the truncated poly-
Remark 1. Note that, in order to ensure the one-way security of our single-ciphertext FHE scheme, the length of the modulus n should be at least 2048 bits, i.e., λ ≥ 2048.
Correctness: in order to demonstrate the correctness of the homomorphic evaluation algorithm, we need to show that Dec(c
Then, there must exist two bivariate polynomials
c(a, b))
Security: in the following, we prove that our proposed single-ciphertext FHE scheme is one-way secure based on the hardness of the 3rd RSA problem.
Definition 3. (the 3rd RSA problem). The e-th RSA problem is defined as follows: given the RSA public key (n = pq, e) and a ciphertext π, find the plaintext μ such that π ≡ μ^e (mod n). The 3rd RSA problem is the special case with e = 3.

Theorem 1.
The one-way security of our proposed single-ciphertext FHE scheme is polynomially equivalent to the 3rd RSA problem.
Proof. Both directions (⇔) need to be proven. The direction from right to left (⇐) is trivial. If an adversary can solve the 3rd RSA problem, then given a ciphertext c = (u, v, c(x, y)) of the single-ciphertext FHE scheme, the adversary can solve the two 3rd RSA instances a^3 ≡ u (mod n) and b^3 ≡ v (mod n) to derive the two integers a, b ∈ Z_n and finally break the one-way security by computing m ≡ c(a, b) (mod n).
To prove the direction from left to right (⇒), we assume there is a PPT adversary A that can break the one-way security of our scheme, i.e., m ← A(c, n). Then, we can construct another algorithm B that uses A to solve the 3rd RSA problem, i.e., μ ← B(π, n), as shown in Algorithm 2.
To prove the correctness of the reduction in Algorithm 2, we first note that u ≡ π ≡ μ^3 (mod n) and that m is the plaintext corresponding to c = (u, v, c(x, y)), so there must exist a bivariate polynomial
. Thus, we can efficiently run the Euclidean algorithm [23] to compute the greatest common divisor x − μ ≡ gcd(x^3 − u (mod n), c(x, b) − m (mod n)). So, the plaintext μ of the RSA problem is recovered, i.e., we have constructed an algorithm B for solving the 3rd RSA problem.

Security and Communication Networks
Note that Theorem 1 establishes an exact equivalence between the one-wayness of the proposed single-ciphertext FHE scheme and the 3rd RSA problem. One may suspect that choosing the RSA encryption exponent as 3 poses a serious threat to the security of the single-ciphertext FHE scheme. In fact, in many implementations, choosing a relatively small encryption exponent such as e = 3 or 2^17 + 1 is widely suggested to reduce encryption costs.
Computational complexity: next, we analyze the computational costs of our single-ciphertext FHE scheme.
During the Enc phase, there are 2 modular multiplications to compute u (v, respectively). Computing the polynomial F(x, y) needs 18 modular multiplications and some modular additions, since there are i + j modular multiplications to compute the monomial a_ij x^i y^j for i, j = 0, 1, 2 in F(x, y). Compared with a modular multiplication, the time cost of a modular addition is negligible. Hence, there are 22 modular multiplications in total and some negligible modular additions in the Enc phase. Considering that the computational complexity of a multiplication modulo n = pq is O(λ^2), we conclude that the computational complexity of the Enc phase is O(λ^2).
During the Dec phase, the main operations are to recover a, b from u, v by 2 modular exponentiations with exponent d. Considering that the computational complexity of a modular exponentiation is O(λ^3), the total computational complexity of the Dec phase is O(λ^3) when ignoring some modular additions.
During the Eval phase, the output c_f(x, y) is actually a truncated bivariate polynomial. There are α iterations, and every iteration performs a modular multiplication besides a negligible modular addition. Hence, there are α modular multiplications in total and some negligible modular additions. As a result, the computational complexity of the Eval phase is O(αλ^2), subject to the value of α in ciphertext evaluations.
In summary, the computational complexity is O(λ^2) for encryption, O(λ^3) for decryption, and O(αλ^2) for evaluation, respectively, where λ ≥ 2048 is the length of the RSA modulus n.
Comparisons of several noiseless FHE schemes: comparisons of the noiseless FHE schemes in [24][25][26] with ours are shown in Table 2. Nuida [24] utilized the commutator and an encoding scheme given by a homomorphic mapping φ from noncommutative group G to noncommutative group G to construct a noiseless FHE. The ciphertext is composed of two elements from G and Ker(φ), which is a subset of G. However, the security relies on the open sampling of the group G and on the assumption that deciding whether an element lies in the kernel Ker(φ) is difficult. Yagisawa [25] is an improved version of [26] with smaller ciphertext size; hence, we only discuss [25]. The octonion ring over a finite field was used by Yagisawa to achieve a 1 : 8 length ratio between plaintext and ciphertext. Yagisawa's noiseless FHE is immune to Gröbner basis attacks, which is a weaker guarantee than our one-way security. With respect to ciphertext space and length ratio, our noiseless FHE is more efficient than [25] but less efficient than [24]. Overall, our single-ciphertext FHE scheme is superior to [24][25][26], especially considering that security matters more than other factors for noiseless FHE.

Description of Our Communication-Efficient PIR Protocol.
Before delving into our communication-efficient PIR protocol, we first give a brief overview of how our single-ciphertext FHE scheme is utilized to construct the single-server PIR protocol.
(i) The single-server PIR protocol aims to help the user obtain the i-th data item from the server possessing the whole database, without leaking the index i to the server. Obviously, the server performs an evaluation algorithm on a single ciphertext corresponding to the queried index. So, our single-ciphertext FHE scheme is well suited to the single-server PIR protocol.

ALGORITHM 2: Algorithm B with access to A.
Input: the public modulus n, and the RSA ciphertext π ∈ Z_n.
(1) Randomly choose an integer b ∈ Z_n and compute v ≡ b^3 (mod n).

(ii) In our protocol, the user encrypts the index i with our single-ciphertext FHE scheme and then sends the ciphertext to the server. For efficiency, we directly encrypt the index with a symmetric encryption scheme. The parameters a, b connect the partial ciphertext c(x, y) with its corresponding plaintext. In particular, the parameters a, b determine a polynomial, and the polynomial is used to encrypt the queried index; meanwhile, the polynomial ciphertext c(x, y) can be directly decrypted with the parameters a, b, treating the parameters u, v as auxiliary information. In turn, the server outputs a function of the i-th data item a_i relative to the polynomial ciphertext.
Then, the user decrypts the function using the parameters a, b and obtains exactly the i-th data item a_i corresponding to the index i. During the process, the server provides computation and storage and is unable to learn any information about the index i. Consequently, our single-server PIR protocol achieves the desired goal.
(iii) Moreover, we prioritize the communication complexity on the user side over that on the server side. Hence, in Section 6, the communication complexity on the user side is treated as much more important than the overhead on the server side. In future work, we will investigate communication-efficient single-server PIR protocols that attain a tradeoff between the communication and computation overheads of the user and the server.
In the following, we employ the single-ciphertext FHE scheme proposed in Section 4.1 and the Lagrange interpolating polynomial to construct our communication-efficient single-server PIR protocol. The three phases are described as follows:
(i) Query generation phase: taking the index i (0 ≤ i ≤ N − 1) as the input, the user sends a query Q(i) to the DB server. The details are described in Algorithm 3.
(ii) Response generation phase: upon receiving the query Q(i), the DB server outputs R(i) = g(x, y) to the user following Algorithm 4. Note that even though (u, v) are contained in the query Q(i) = (n, u, v, c(x, y)), the DB server cannot recover the index i without knowing the symmetric key (a, b).
(iii) Response retrieval phase: refer to Algorithm 5. Upon receiving the response R(i) = g(x, y), the user retrieves the data DB[i] ≡ g(a, b) (mod n) corresponding to the index i by using the symmetric key (a, b).
Correctness: now, we illustrate the correctness of our proposed single-server PIR protocol, namely, DB[i] = RR(DB, i, Q(i), R(i)), for any database DB = {a_0, a_1, . . . , a_{N−1}} with any size N and any index 0 ≤ i ≤ N − 1.
During the response generation phase, the response R(i) = g(x, y) is an evaluation over the encryption of the index i. Meanwhile, the response R(i) = g(x, y) is a sum of N terms involving the whole data a_l for 0 ≤ l ≤ N − 1. When decrypting the response R(i) correctly, the user will obtain that
Taking i = 1 as an example, it is obvious that every term of (6) in g(a, b) other than the term for index 1 equals 0, since its numerator contains the factor i − 1, while the term of (6) for index 1 equals a_1 since its numerator equals its denominator. Therefore, we can conclude that once the response R(i) is decrypted correctly, the user obtains g(a, b) ≡ a_i (mod n) since c(a, b) ≡ i (mod n). As a result, the correctness of our proposed single-server PIR protocol holds, as desired.
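As an added worked example (not the authors' code), the following Python implements the truncated polynomial ring Z_n[x, y]/〈x^3 − u, y^3 − v〉 of Section 2.2, the single-ciphertext FHE of Section 4.1 (KeyGen/Enc/Dec/Eval) and the Lagrange-interpolation PIR protocol just described, end to end. It uses constructed toy primes instead of λ ≥ 2048, and, since the paper's construction of c(x, y) is elided above, it assumes the constant coefficient is fixed so that c(a, b) ≡ m (mod n).

```python
import random
from math import gcd

# --- Truncated polynomial ring Z_n[x, y]/<x^3 - u, y^3 - v> ------------------
# An element is a 3x3 list h[i][j] holding the coefficient of x^i y^j.
def r_const(k, n):
    h = [[0] * 3 for _ in range(3)]
    h[0][0] = k % n
    return h

def r_add(h1, h2, n):
    return [[(h1[i][j] + h2[i][j]) % n for j in range(3)] for i in range(3)]

def r_scale(k, h, n):
    return [[(k * h[i][j]) % n for j in range(3)] for i in range(3)]

def r_mul(h1, h2, n, u, v):
    # Step 1: ordinary product, degree up to 4 in each variable.
    full = [[0] * 5 for _ in range(5)]
    for i1 in range(3):
        for j1 in range(3):
            for i2 in range(3):
                for j2 in range(3):
                    full[i1 + i2][j1 + j2] += h1[i1][j1] * h2[i2][j2]
    # Step 2: truncate with x^3 -> u, x^4 -> u*x and y^3 -> v, y^4 -> v*y.
    out = [[0] * 3 for _ in range(3)]
    for i in range(5):
        ti, fx = (i, 1) if i < 3 else (i - 3, u)
        for j in range(5):
            tj, fy = (j, 1) if j < 3 else (j - 3, v)
            out[ti][tj] = (out[ti][tj] + fx * fy * full[i][j]) % n
    return out

def r_eval(h, a, b, n):
    """h(a, b) mod n; this is a ring homomorphism to Z_n when a^3 = u and b^3 = v."""
    return sum(h[i][j] * pow(a, i, n) * pow(b, j, n)
               for i in range(3) for j in range(3)) % n

# --- Single-ciphertext FHE: KeyGen / Enc / Dec / Eval ------------------------
def keygen(p, q):
    """pk = evk = n, sk = d = 3^-1 mod phi(n). Toy primes here, not lambda >= 2048."""
    assert gcd(p - 1, 3) == 1 and gcd(q - 1, 3) == 1
    return p * q, pow(3, -1, (p - 1) * (q - 1))

def enc(m, n, rng=None):
    rng = rng or random.SystemRandom()
    a, b = rng.randrange(2, n), rng.randrange(2, n)
    u, v = pow(a, 3, n), pow(b, 3, n)
    c = [[rng.randrange(n) for _ in range(3)] for _ in range(3)]
    # Assumption: the paper's construction of c(x, y) is elided; here the
    # constant term is fixed so that c(a, b) = m (mod n), the other 8 stay random.
    c[0][0] = (c[0][0] + m - r_eval(c, a, b, n)) % n
    return (u, v, c), (a, b)            # ciphertext; (a, b) doubles as symmetric key

def dec(ct, n, d):
    u, v, c = ct
    a, b = pow(u, d, n), pow(v, d, n)   # cube roots of u, v via the RSA trapdoor d
    return r_eval(c, a, b, n)

def eval_poly(coeffs, ct, n):
    """Homomorphically apply C(X) = sum_k coeffs[k] X^k to one ciphertext (Horner)."""
    u, v, c = ct
    acc = r_const(0, n)
    for k in reversed(coeffs):
        acc = r_add(r_mul(acc, c, n, u, v), r_const(k, n), n)
    return (u, v, acc)

# --- Communication-efficient PIR via Lagrange interpolation ------------------
def pir_query(i, n, rng=None):
    """User: Q(i) = (n, u, v, c) with c(a, b) = i; (a, b) is kept as the key."""
    return enc(i, n, rng)

def pir_response(db, ct, n):
    """Server: g = sum_l db[l] * prod_{j != l} (c - j) * (l - j)^-1 over the ring."""
    u, v, c = ct
    g = r_const(0, n)
    for l in range(len(db)):
        basis = r_const(1, n)
        for j in range(len(db)):
            if j != l:
                inv = pow((l - j) % n, -1, n)  # exists since 0 < |l - j| < min(p, q)
                term = r_scale(inv, r_add(c, r_const(-j, n), n), n)
                basis = r_mul(basis, term, n, u, v)
        g = r_add(g, r_scale(db[l], basis, n), n)
    return g                                # 9 coefficients of Z_n: |R(i)| = 9 lambda

def pir_retrieve(g, key, n):
    """User: DB[i] = g(a, b) mod n, since every Lagrange term but the i-th vanishes."""
    a, b = key
    return r_eval(g, a, b, n)

def demo():
    n, d = keygen(1019, 1031)               # constructed toy modulus (~20 bits)
    ct, _ = enc(7, n)
    squared_plus = dec(eval_poly([5, 2, 1], ct, n), n, d)   # X^2 + 2X + 5 at X = 7
    db = [11, 22, 33, 44, 55, 66, 77, 88]   # constructed database, N = 8
    q, key = pir_query(5, n)
    return squared_plus, pir_retrieve(pir_response(db, q, n), key, n)
```

Because evaluation at (a, b) is a ring homomorphism, the server's Lagrange sum collapses to a_i for the user while the server only ever sees (n, u, v, c) and the 9 response coefficients.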

Table 2: Comparisons of several noiseless FHE schemes.

Schemes | Algebraic structure | Ciphertext space | Length ratio^a | Security
Nuida [24] | Noncommutative group | Vector of dimension 2 | 1 : 2|G|^b | Judgement of the kernel element
Yagisawa [25] | Octonion ring | Octonion ring | 1 : 8 | Immune from the Gröbner basis attacks
Ours | Truncated polynomial ring | Vector of dimension 3 | 1 : 11 | One-way security

^a Length ratio: the length ratio between the plaintext and ciphertext. ^b |G|: the number of elements in group G.

Security Analyses
In this section, we discuss the security of our single-server PIR protocol. We particularly focus on the privacy properties, i.e., both the query index and the response should be privacy preserving in the proposed single-server PIR protocol.
(i) The query index is privacy preserving in the proposed single-server PIR protocol: our design goal requires that the queried index i be private and that no one except the query user can determine the value of i. The query index is encrypted by our single-ciphertext FHE scheme, and only the query user can obtain the index. Because the security of our single-ciphertext FHE scheme reduces to the 3rd RSA problem, without knowing the private key, no one can retrieve the query index. As a result, the query index is hidden, and the privacy-preserving requirement on the query index is achieved in the proposed single-server PIR protocol.
(ii) The response is also privacy preserving in the proposed single-server PIR protocol: since we assume there is no collusion involving the DB server, the server will not forge the data in DB. Instead, the server will
Now, we present the security of our single-server PIR protocol in the simulation-based framework.

Theorem 2. Our single-server PIR protocol is secure against the adversaries
Proof. We will show that there is a probabilistic polynomial time simulator S_Server playing the role of the DB server such that the real view and the ideal one are computationally indistinguishable for User. The interactions between User and S_Server are defined by the following steps:
(1) Following Algorithm 3, User sends Q(i) for the index i to S_Server.
(2) S_Server sends the encryption of a_i back to User.
(3) User decrypts the result from S_Server with his own secret key and obtains a_i as desired.
The real view of User is (Q(i), R_i, a_i), while the ideal view of User is (Q(i), Enc(a_i), a_i). Considering that R_i and Enc(a_i) are indistinguishable, we can conclude that the ideal view of User is indistinguishable from the real view. Then, we can claim that User learns nothing about the data from the database server except a_i, which implies that the single-server PIR protocol is secure for the DB server. From the above analyses, we can see that our proposed single-server PIR protocol is confidential and protects the information of the index i and the corresponding data a_i.

Remark 3. In our security model, we consider the DB server to be honest but curious. However, we cannot rule out semimalicious DB servers. To prevent semimalicious servers from forging the data in DB as responses, we can add a verification procedure to the response generation phase. The following is a desirable attempt: we use a hash function h on the data because of its one-wayness. During the response generation phase, we require that the server substitute a_l with a_l‖h(a_l) in Algorithm 4 and send a correct result in the response g(x, y) to the user, where ‖ represents concatenation. There is no doubt that the length of a_l‖h(a_l) is smaller than n,

y) is an encryption of the data DB[i]‖h(DB[i]).
Therefore, the user can verify whether the server forged the data. After decrypting the response R(i) to obtain a_i and h(a_i), the user can compute the hash value h(a_i) since he knows a_i. If it equals the value h(a_i) the server sent, the data a_i correspond exactly to the index i without errors. If not, the server is dishonest. The details are omitted here.

ALGORITHM 3: Query generation algorithm (user).
(1) Randomly generate λ/2-bit-long primes p, q subject to gcd(p − 1, 3) = 1 and gcd(q − 1, 3) = 1, and compute n = pq.

ALGORITHM 4: Response generation algorithm (DB server).

ALGORITHM 5: The response retrieval algorithm (user).
Input: the response R(i) = g(x, y) and the symmetric key (a, b).
Output: DB[i] ≡ g(a, b) (mod n).

Performance Evaluation
In this section, we evaluate the performance of our proposed single-server PIR protocol from two perspectives, theoretical analyses and experimental evaluation, by comparing it with the two existing PIR protocols in [6, 7].

Theoretical Analyses of Our PIR Protocol on the User Side.
Here, we first show that our single-server PIR protocol is more efficient and practical than the PIR protocols in [6, 7] in terms of computational complexity, the extension ratio of the query (the length ratio between the response and the underlying data item, denoted by |R(i)|/|DB[i]|), and the communication overhead (denoted by |Q(i)| + |R(i)|).
Our PIR protocol: since the query generation phase uses our single-ciphertext FHE scheme as the underlying symmetric encryption scheme, the computational complexity analysis in Section 4.1 gives O(λ²) for both query generation and response retrieval. In addition, |Q(i)| = 12λ, |R(i)| = 9λ, and |DB[i]| = λ. Hence, the extension ratio of the query is |R(i)|/|DB[i]| = 9, and the communication overhead |Q(i)| + |R(i)| is 21λ, independent of N.
Yi et al.'s PIR protocol [6]: the computational complexity is dominated by modular additions, so we take it to be O(1). The data item corresponding to an index is a single bit and |R(i)| equals the length of a DGHV ciphertext [12], i.e., |R(i)| = O(λ⁵) and |DB[i]| = 1, so the extension ratio of the query is |R(i)|/|DB[i]| = O(λ⁵). The communication overhead is O(c log N), where c is the ciphertext size and N is the size of DB; with DGHV ciphertexts of length O(λ⁵), this is O(λ⁵ log N).
Li et al.'s PIR protocol [7]: the computational complexity mainly comes from the λ⁷ log⁴ N modular multiplications of the matrix multiplication in the HAO scheme [13]. Using the cost of a modular multiplication from Section 4.1 and the parameters in [7], the overall computational complexity of Li et al.'s protocol is O(λ⁹ log⁴ N). Here too the data item underlying an index is a single bit, i.e., |DB[i]| = 1. The user sends two ciphertexts to the DB server: an encryption of the query with communication overhead O(λ² log² N), and an encryption of the key with communication overhead (log N + 1)² · λ⁴ = O(λ⁴ log² N); the DB server returns an encryption of DB[i] with communication overhead O(λ⁴ log² N). Thus |Q(i)| = |R(i)| = O(λ⁴ log² N), and both the extension ratio of the query and the communication overhead in [7] are O(λ⁴ log² N).
Table 3 summarizes the differences among the three PIR protocols. The second column, "Batching," indicates whether the protocol can directly encrypt an index from Z_n ("Yes") or not ("No"); λ is the security parameter and N is the database size. Our single-server PIR protocol, whose database DB consists of items from Z_n, can directly encrypt an index from Z_n and process a batch, while the protocols in [6, 7] cannot, which makes ours more practical. In terms of communication overhead, our protocol is far superior to [6, 7], since ours is independent of the database size N.
With the security parameter set to λ = 2048 in our PIR protocol and λ = 128 in the PIR protocols [6, 7] to achieve a certain security level, Figure 2 compares the communication overheads of the three PIR protocols as N varies from 2¹ to 2²⁰. The figure shows that our proposed single-server PIR protocol is much more efficient, especially for larger N. Furthermore, when N is considered in the range […] Figure 2. To the best of our knowledge, for a fixed security parameter λ, our proposed protocol is the first single-server PIR protocol that achieves O(1) communication overhead.

Theoretical Analyses of Our PIR Protocol on the Server Side.
Although we weigh the communication cost of the user more heavily than the computational cost of the server when evaluating our single-server PIR protocol, the theoretical analysis on the server side is still needed. In brief, we present the computational burden on the server compared with the PIR protocols in [6, 7].
Our PIR protocol: the server mainly performs operations on special bivariate polynomials whose degree in each variable x and y is at most 2. Specifically, N additions of such bivariate polynomials suffice for the server, where N is the size of the database. Every operation on a bivariate polynomial also includes reduction modulo n, x³ − u, and y³ − v. The N bivariate polynomials can be processed in parallel or in a preprocessing way. Quantitatively, the computational complexity is close to O(N · λ²), where λ ≥ 2048 bits.
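As an added worked example (this is not the paper's code, and the paper's own algorithm boxes are not reproduced on this page), the following Python carries the server-side ring arithmetic described above, the decryption DB[i] ≡ g(a, b) (mod n) of Algorithm 5, and the hash check of Remark 3 through end to end for a constructed N = 8 database: the server homomorphically evaluates the Lagrange interpolating polynomial of the tagged database on an element of Z_n[x, y]/(x³ − u, y³ − v), and the user evaluates the response at the key (a, b). Assumptions that are not on the page: the index "ciphertext" is merely a random ring element whose image under x → a, y → b is i (a stand-in for Algorithm 3 with no security claim; the paper's single-ciphertext FHE is not reproduced); two fixed toy primes p, q ≡ 2 (mod 3), so that gcd(p − 1, 3) = gcd(q − 1, 3) = 1 as in the key-generation step, with u = a³ and v = b³ derived from a random key instead of by cube roots; a 24-bit data field followed by a 32-bit truncated SHA-256 tag as the concrete layout of a_l‖h(a_l); and Horner evaluation of the precomputed coefficients of L (the "preprocessing" variant) in place of the N per-entry additions. The run_pir helper also shows the limit of the hash check: tampering with the response after the fact is detected, but a server that answers from a forged database re-tagged with matching hashes is not.

```python
# Added example, not the paper's code: Lagrange-interpolation PIR over Z_n with the
# a_l || h(a_l) tag of Remark 3, server-side evaluation in Z_n[x,y]/(x^3-u, y^3-v),
# and user-side decryption DB[i] = g(a, b) mod n (Algorithm 5). The index "ciphertext"
# is merely a ring element c with c(a, b) = i: NOT the paper's FHE, no security claim.
import hashlib
import random
from itertools import product

DEG = 3                        # x^3 and y^3 are reduced, so degrees in x and y stay <= 2
DATA_BITS, TAG_BITS = 24, 32   # constructed layout of a_l || h(a_l); must fit below n
P, Q = 998244353, 1000000007   # constructed toy primes, both = 2 (mod 3) as KeyGen requires

def keygen(rng, p=P, q=Q):
    """Toy KeyGen: n = pq with gcd(p-1, 3) = gcd(q-1, 3) = 1, secret (a, b), and
    public ring constants u = a^3, v = b^3 (mod n); real sizes are ~1024-bit p, q."""
    assert p % 3 == 2 and q % 3 == 2
    n = p * q
    a, b = rng.randrange(2, n), rng.randrange(2, n)
    return n, (a, b), (pow(a, 3, n), pow(b, 3, n))

def ring_mul(f, g, n, u, v):
    """Multiply in Z_n[x, y]/(x^3 - u, y^3 - v); f[i][j] is the coefficient of x^i y^j."""
    out = [[0] * DEG for _ in range(DEG)]
    for i, j, k, m in product(range(DEG), repeat=4):
        t, di, dj = f[i][j] * g[k][m], i + k, j + m
        if di >= DEG:                        # reduce x^3 -> u
            t, di = t * u, di - DEG
        if dj >= DEG:                        # reduce y^3 -> v
            t, dj = t * v, dj - DEG
        out[di][dj] = (out[di][dj] + t) % n
    return out

def ring_eval(f, key, n):
    """x -> a, y -> b is a ring homomorphism onto Z_n because a^3 = u and b^3 = v."""
    a, b = key
    return sum(f[i][j] * pow(a, i, n) * pow(b, j, n) for i, j in product(range(DEG), repeat=2)) % n

def lagrange_coeffs(points, n):
    """Coefficients (low to high) of L in Z_n[X] with L(l) = t_l for every (l, t_l).
    (l - j) is invertible mod n since 0 < |l - j| < N is far below p and q."""
    coeffs = [0] * len(points)
    for l, t_l in points:
        basis = [1]                                  # prod_{j != l} (X - j) / (l - j)
        for j, _ in points:
            if j != l:
                inv, nxt = pow((l - j) % n, -1, n), [0] * (len(basis) + 1)
                for d, c in enumerate(basis):
                    nxt[d + 1] = (nxt[d + 1] + c * inv) % n
                    nxt[d] = (nxt[d] - c * j * inv) % n
                basis = nxt
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + t_l * c) % n
    return coeffs

def tag(value):
    """a_l || h(a_l): data in the high bits, truncated SHA-256 in the low TAG_BITS."""
    h = hashlib.sha256(value.to_bytes(DATA_BITS // 8, "big")).digest()[:TAG_BITS // 8]
    return (value << TAG_BITS) | int.from_bytes(h, "big")

def untag_and_verify(t):
    """Remark 3 check on the user side: recompute h(a_i) and compare with the tag."""
    value = t >> TAG_BITS
    return value, value < (1 << DATA_BITS) and tag(value) == t

def query(i, key, n, rng):
    """Stand-in for Algorithm 3: a random ring element whose image under (a, b) is i."""
    c = [[rng.randrange(n) for _ in range(DEG)] for _ in range(DEG)]
    c[0][0] = (c[0][0] + i - ring_eval(c, key, n)) % n   # fix the constant term
    return c

def server_response(coeffs, c, n, u, v):
    """Algorithm 4 analogue: Horner evaluation of L on c, all arithmetic in the ring."""
    acc = [[0] * DEG for _ in range(DEG)]
    for coef in reversed(coeffs):
        acc = ring_mul(acc, c, n, u, v)
        acc[0][0] = (acc[0][0] + coef) % n
    return acc

def run_pir(db, i, server="honest", seed=1):
    """One round trip. server='inconsistent' tampers with g after the fact (caught by
    the tag); server='consistent' answers from a forged, re-tagged database (not caught)."""
    rng = random.Random(seed)
    n, key, (u, v) = keygen(rng)
    if server == "consistent":
        db = [(x * 7 + 1) % (1 << DATA_BITS) for x in db]
    coeffs = lagrange_coeffs([(l, tag(a_l)) for l, a_l in enumerate(db)], n)  # preprocessable
    g = server_response(coeffs, query(i, key, n, rng), n, u, v)  # Q(i) -> R(i) = g(x, y)
    if server == "inconsistent":
        g[0][0] = (g[0][0] + 1) % n
    return untag_and_verify(ring_eval(g, key, n))  # Algorithm 5: DB[i] = g(a, b) mod n

DB = [0x123456, 0xABCDEF, 42, 7, 99, (1 << DATA_BITS) - 1, 1, 0]   # constructed N = 8 database
```

run_pir(DB, 5) returns (16777215, True); run_pir(DB, 1, "inconsistent") returns a False flag because the decrypted value no longer matches its tag; run_pir(DB, 2, "consistent") returns (295, True) even though 295 is not DB[2], which is exactly the gap noted in Remark 3. The modular inverses in lagrange_coeffs exist because |l − j| < N is tiny compared with p and q, which is also why the interpolating polynomial is well defined over Z_n although Z_n is not a field. pow(x, -1, n) needs Python 3.8 or later.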
Table 3: The theoretical performance analyses of PIR protocols.
Yi et al.'s PIR protocol [6]: Yi et al. encode the index as a binary string of length l = log N + 1, and every bit is encrypted with the DGHV10 FHE scheme [12]. During response generation, the server mainly computes 2l modular additions and l − 1 modular multiplications on integers of length O(λ⁵). In addition, the server handles l ciphertexts. In a nutshell, the computational burden of the server is O(log N · λ¹⁰).
Li et al.'s PIR protocol [7]: after receiving the ciphertexts of the queried index i and of the secret key, the server performs a bootstrapping operation, i.e., it homomorphically evaluates the decryption circuit, which is very expensive and dominates the server's computation. The best bootstrapping result at present still takes up to 10 ms [27] to homomorphically evaluate a single gate, so homomorphically evaluating a full circuit remains far from practical. We do not derive the computational complexity of bootstrapping here, but note that the decryption circuit has depth about O(log λ) [20].
In summary, the computational burden of the server in our single-server PIR protocol is lower than in [6, 7]. However, the experimental performance of the server is not analysed in Section 6.3, since we regard the server as powerful and able to provide unrestricted computation. Furthermore, the server's burden in our single-server PIR protocol can be reduced by parallel or preprocessing computation.

Experimental Evaluations of Our PIR Protocol.
In this section, we further present experimental evaluations of our PIR protocol in comparison with the PIR protocols in [6, 7]. The protocols in [6, 7] share two features: the queried index is decomposed into its binary representation, and each item in the database DB is a single bit 0 or 1. In our PIR protocol, by contrast, the index is encrypted directly rather than bit by bit, and the items in DB are elements of Z_n, which is more practical. The experimental settings are as follows.
Our PIR protocol: we implemented our proposed protocol in C++ with the NTL library [28] on a personal computer with the following environment:
(i) CPU: Intel(R) Core(TM) i3-7100 3.90 GHz
(ii) RAM: 4.00 GB
(iii) OS: Windows 10, 64 bits
The length of the modulus n in our experiments is 2048, 2560, or 3072 bits, and the size N of DB is 800, 1000, or 1200. Although N seems small, the database itself is not small at all, since every item is an element of Z_n. The response generation (RG) phase is performed by the DB server, while the query generation (QG) and response retrieval (RR) phases run on the user side; we tested 100 instances over Z_n for every phase. The average results are given in Tables 4-6, where the first column, "|n|", is the length of the RSA modulus (the data in DB are drawn from Z_n), the second column is the number of tested instances, and the remaining columns give the times of the query generation, response retrieval, and response generation phases.
Tables 4-6 show that the size N of DB has a negligible effect on the user side in our single-server PIR protocol, while the times of the query generation and response retrieval phases grow only slightly with the modulus under otherwise identical settings. On the DB server side, by contrast, the time cost depends largely on N: for fixed N the server takes more time as n grows, and for fixed n it takes more time as N grows. Overall, our single-server PIR protocol is efficient: even with a 3072-bit modulus, the query generation phase costs only 5.4 μs and the response retrieval phase at most 2.82 ms, with all data in DB drawn from Z_n. The effect of N on the two sides is easy to explain. During query generation the user performs only modular multiplications and a few negligible modular additions, none of which depend on N, and the same holds for response retrieval. The response generation phase, on the other hand, touches every item in DB, so N is the main factor in the server-side time. Nevertheless, the server can parallelize the computation to reduce the cost from O(N² log² n) to O(N log N log² n), and a more powerful DB server would reduce the server-side times considerably.
Yi et al.'s PIR protocol [6]: Yi et al. [6] evaluated a PBR protocol (private block retrieval, an extension of PIR) with 10,000 blocks rather than a PIR protocol. Their query generation phase costs 10 μs with an 882-bit modulus, which is clearly more than in our single-server PIR protocol. In addition, Yi et al. did not report the time cost of the response retrieval phase. On this basis, our single-server PIR protocol has clear advantages over [6]. Moreover, their PBR protocol cannot encrypt an index from Z_n, let alone within a few milliseconds.
Li et al.'s PIR protocol [7]: Li et al. [7] proposed a PIR protocol based on a lattice assumption but did not evaluate it experimentally. Nevertheless, the theoretical analyses above of computational complexity, extension ratio of the query, and communication overhead show that our single-server PIR protocol is more efficient than [7]. In addition, the performance of Li et al.'s protocol depends on the efficiency of bootstrapping and on the size of the secret key, which is O(λ log N); at present the best bootstrapping result still takes up to 10 ms to evaluate a single gate [27], which is impractical.
To sum up, our experimental evaluation further demonstrates that our single-server PIR protocol is more efficient and practical.

Related Work
In this section, we will briefly review some FHE schemes and some other existing single-server PIR protocols, which are closely related to our proposal.
Fully homomorphic encryption: FHE enables meaningful processing of encrypted data without access to the plaintext. In the past years, many generic FHE constructions have been proposed [10, 12, 13, 18-20]. For example, the first generation is represented by the DGHV FHE scheme [12], which serves as the main tool for building the PIR protocol in [6]. However, most of them turn out to be impractical, mainly because noise is added to the ciphertexts for security and must then be managed. Later, a new class of noiseless FHE schemes was explored to avoid this complicated noise management [24-26, 29]. For example, Nuida [24] proposed an elegant noiseless public-key FHE framework that employs a commutator and an encoding scheme over two noncommutative groups; its security rests on the assumption that deciding membership in the kernel is hard, which is not a standard assumption. Yagisawa [25, 26] proposed noiseless FHE schemes over an octonion ring over a finite field, which are immune to Gröbner basis attacks, but proving them secure and feasible in the framework of provable security remains an open problem. In this work, motivated by the noiseless FHE schemes, we define a special algebraic structure, truncated polynomial rings, to construct a single-ciphertext FHE scheme. Our scheme is noiseless and hence inherently supports fully homomorphic computation of any univariate polynomial, as needed by single-server PIR protocols. In addition, there is a security reduction from the one-wayness of our single-ciphertext FHE scheme to the 3rd RSA problem we define. Compared with the FHE schemes used in [6, 7], our single-ciphertext FHE scheme is noiseless and has the smallest ciphertext size, which is a considerable convenience for single-server PIR protocols.
Single-server PIR protocols: a single-server PIR protocol allows a user to retrieve the i-th item from a database server without revealing the index i. The past years have witnessed much progress on single-server PIR protocols, especially in communication cost [30-33]. For example, Cachin et al. [31] proposed a PIR protocol based on the φ-hiding assumption with communication complexity O(log⁴ N), and Lipmaa [32] used the Damgård-Jurik scheme [34] to construct a PIR protocol with O(log² N) communication complexity. However, most of them are inefficient because the cost depends on the database size N, especially when N is in the millions or larger, as it is in practice. Hence, it is of great interest to construct a single-server PIR protocol whose communication overhead is O(1), independent of the database size N. In this work, we devote ourselves to designing a single-server PIR protocol with O(1) communication. First, following the single-server PIR protocols in [6, 7], we resort to FHE schemes, since they not only preserve privacy but also support direct computation on encrypted data. Second, the Lagrange interpolating polynomial is a suitable tool for the database DB = {(i, DB[i]) | 0 ≤ i ≤ N − 1} owing to its interpolation property. Hence, an FHE scheme and the Lagrange interpolating polynomial technique are combined to construct our single-server PIR protocol. Theoretical analyses and experimental evaluations are performed to demonstrate that our single-server PIR protocol is efficient and is the first with O(1) communication overhead.

Conclusions
In this paper, we have proposed a new communication-efficient PIR protocol by homomorphically computing univariate polynomials. Specifically, we first propose a new cryptographic primitive called single-ciphertext FHE and instantiate it with a scheme that supports evaluations over a single ciphertext. Then, we show how the single-ciphertext FHE scheme works in our single-server PIR protocol. Theoretical analyses and experimental evaluations both demonstrate that applying our single-ciphertext FHE scheme to the PIR protocol is more efficient and practical. To the best of our knowledge, our proposed protocol is the first PIR protocol that achieves O(1) communication efficiency on the user side, independent of the database size N. In future work, we will study other FHE techniques to obtain more efficient PIR protocols that trade off the communication and computation overheads between the user and the server.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.