This paper presents Popcorn, a media delivery system designed to provide privacy for users' media consumption. Unlike traditional systems, Popcorn ensures that neither the content distributor nor any network eavesdropper can determine what media a user is consuming. The system leverages Private Information Retrieval (PIR) protocols to achieve this privacy while maintaining scalability and affordability at a level comparable to non-private systems like Netflix.
Popcorn's key idea is to combine the two families of PIR protocols, Computational PIR (CPIR) and Information-Theoretic PIR (ITPIR), to balance their trade-offs: CPIR needs only a single server but is computationally expensive per byte retrieved, while ITPIR is cheap (essentially XORs over the library) but requires multiple servers that do not collude. By using CPIR only over a small library of keys and ITPIR over the large library of encrypted media, Popcorn scales to realistic media libraries without prohibitive cost.
Strengths of the system:
Privacy Protection: Provable privacy for what a user consumes; note that Popcorn hides which object is being retrieved, not the fact that a user is streaming.
Scalability: Capable of handling large libraries and numerous concurrent users.
Cost Efficiency: The system's cost is within a small multiple (3.87×) of non-private systems.
Limitations of the system:
Non-Colluding Servers Requirement: The ITPIR tier relies on the assumption that the media-delivery servers do not collude; if they do, the privacy guarantee for media retrieval is lost. This assumption may be unrealistic in some deployments.
No Support for Forward Seeking: Because delivery is scheduled in fixed-size segments at playback rate (which is what makes batching work), users cannot fast-forward or seek ahead during playback without potentially compromising privacy.
Limited Library Size: Per-request server cost grows linearly with the library size, since every PIR request must touch every object, which limits applicability to very large libraries such as YouTube's.
Popcorn's design involves:
CPIR for Key Retrieval: Each media object is encrypted under its own key. The key library is small, so a client can afford to retrieve a key with CPIR from a single server without the server learning which key was requested.
ITPIR for Media Retrieval: The encrypted media objects are retrieved with ITPIR from multiple non-colluding servers. ITPIR's per-request cost is low (XORs over the library), which is what makes private delivery of large objects affordable.
Batching: Streaming clients consume fixed-size segments at a predictable rate, so requests from many clients can be collected into a batch and answered in a single pass over the library, amortizing the I/O and computational cost of PIR across the batch.
Encoding Adjustments: Media objects are encoded into fixed-size segments, since PIR requires every row of the library to be the same size. Variable-size objects are handled with compression and padding.
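The two-tier flow above, worked end to end as an added example (this is illustrative code, not Popcorn's implementation): a batch of clients each fetch a per-object key via single-server CPIR, then the encrypted fixed-size segment via two-server ITPIR, and decrypt locally. The CPIR tier uses Paillier with toy 14-bit primes as a stand-in for the lattice-based CPIR Popcorn uses; the ITPIR tier is the standard two-server XOR scheme; the stream cipher, the 2-byte length prefix encoding, the 32-byte segment size, and the sample library are all constructed for the example. Privacy arguments still hold for the toy: the CPIR server sees only Paillier ciphertexts, and each ITPIR server sees only a uniformly random bit vector.

```python
import hashlib
import math
import secrets
from typing import List, Sequence, Tuple

# ---- Tier 1: CPIR over the small key library (one server) ----
# Paillier with toy 14-bit primes, constructed for illustration only. Popcorn
# uses a lattice-based CPIR; the structure (encrypted unit vector, homomorphic
# dot product, single-server trust) is what the example demonstrates.
P, Q = 10007, 10009
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)
MU = pow(LAM, -1, N)  # with g = N+1, L(g^LAM mod N^2) = LAM, so mu = LAM^-1 mod N

def paillier_enc(m: int) -> int:
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:          # vanishingly rare, but required for correctness
        r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def paillier_dec(c: int) -> int:
    return (((pow(c, LAM, N2) - 1) // N) * MU) % N

def cpir_query(index: int, n: int) -> List[int]:
    """Client encrypts the unit vector e_index; every ciphertext looks random to the server."""
    return [paillier_enc(1 if j == index else 0) for j in range(n)]

def cpir_answer(keys: Sequence[int], query: Sequence[int]) -> int:
    """Server computes E(sum_j e_j * key_j) = E(key_index) in one pass, never learning index."""
    acc = 1
    for c, k in zip(query, keys):
        acc = acc * pow(c, k, N2) % N2
    return acc

# ---- Tier 2: two-server ITPIR over the large encrypted media library ----
SEGMENT_SIZE = 32  # toy value; Popcorn's segments are fixed-length slices of video

def encode_segment(obj: bytes) -> bytes:
    """Fixed-size encoding (2-byte length + payload + zero padding): every row must
    have the same length for the XOR protocol to line up and so sizes leak nothing."""
    if len(obj) > SEGMENT_SIZE - 2:
        raise ValueError("object too large for one segment")
    body = len(obj).to_bytes(2, "big") + obj
    return body + bytes(SEGMENT_SIZE - len(body))

def decode_segment(seg: bytes) -> bytes:
    return seg[2:2 + int.from_bytes(seg[:2], "big")]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_xor(key: int, data: bytes) -> bytes:
    """Toy stream cipher: SHAKE-256 keystream derived from the per-object key (not Popcorn's DRM)."""
    return xor_bytes(data, hashlib.shake_256(key.to_bytes(4, "big")).digest(len(data)))

def itpir_queries(index: int, n: int) -> Tuple[List[int], List[int]]:
    """q0 is uniformly random; q1 is q0 with bit `index` flipped. Either vector alone
    is uniform, so privacy holds exactly as long as the two servers do not collude."""
    q0 = [secrets.randbits(1) for _ in range(n)]
    q1 = list(q0)
    q1[index] ^= 1
    return q0, q1

def itpir_answer_batch(library: Sequence[bytes], queries: Sequence[Sequence[int]]) -> List[bytes]:
    """Batching: one pass over the library serves every query in the batch; each row
    is read once and XORed into the accumulator of every query whose bit is set."""
    accs = [bytes(len(library[0])) for _ in queries]
    for j, row in enumerate(library):
        for k, q in enumerate(queries):
            if q[j]:
                accs[k] = xor_bytes(accs[k], row)
    return accs

# ---- Constructed sample library: per-object keys and encrypted fixed-size segments ----
OBJECTS = [b"movie-A:seg0", b"movie-B:seg0", b"movie-C:seg0", b"movie-D:seg0"]
KEYS = [secrets.randbelow(N) for _ in OBJECTS]                                 # key library (CPIR server)
LIBRARY = [stream_xor(k, encode_segment(o)) for k, o in zip(KEYS, OBJECTS)]   # replicated on both ITPIR servers

def popcorn_fetch(indices: Sequence[int]) -> List[bytes]:
    """A batch of clients, each wanting OBJECTS[i]: CPIR for the key, ITPIR for the segment."""
    keys = [paillier_dec(cpir_answer(KEYS, cpir_query(i, len(KEYS)))) for i in indices]
    pairs = [itpir_queries(i, len(LIBRARY)) for i in indices]
    a0 = itpir_answer_batch(LIBRARY, [p[0] for p in pairs])   # server 0 answers the whole batch
    a1 = itpir_answer_batch(LIBRARY, [p[1] for p in pairs])   # server 1 answers the whole batch
    return [decode_segment(stream_xor(k, xor_bytes(x, y))) for k, x, y in zip(keys, a0, a1)]

if __name__ == "__main__":
    print(popcorn_fetch([2, 0, 2]))
```

Two points worth noticing when reading this against the paper's cost argument: the ITPIR servers do the same amount of work per row whether the batch holds one query or a thousand, which is the amortization batching buys; and the CPIR tier costs one modular exponentiation per library entry per client, which is affordable only because the key library is tiny compared with the media library.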
Popcorn was evaluated with a workload modeled after Netflix. Key findings include:
Resource Overheads: Popcorn's per-request computational and I/O overheads are significantly reduced through batching.
Cost Analysis: For workloads with 10,000 concurrent clients, Popcorn's dollar cost is 3.87× that of a non-private system, making it a viable solution for privacy-preserving media consumption.
Client Compatibility: Popcorn can be integrated with modern web technologies and DRM schemes, ensuring compatibility with existing media delivery ecosystems.
Private Information Retrieval (PIR): A cryptographic protocol that allows a client to retrieve data from a server without revealing which data is being retrieved.
Computational PIR (CPIR): A type of PIR whose privacy rests on computational hardness assumptions; it needs only a single server but is computationally expensive per byte retrieved.
Information-Theoretic PIR (ITPIR): A type of PIR that provides information-theoretic security and requires multiple non-colluding servers.
Batching: Grouping multiple requests together to reduce the overall computational and I/O overhead.
Conference: NSDI '16
Keywords: Private Information Retrieval, Media Streaming, Privacy
Generated by GPT-4o