Private Information Retrieval (PIR) is a cryptographic protocol that allows a client to retrieve a specific record from a database held by a server without the server learning which record was accessed. Unlike Oblivious Transfer (OT), PIR typically focuses on hiding the client's query index, not necessarily on limiting the client to a single record.
Glossary
Private Information Retrieval (PIR)

What is Private Information Retrieval (PIR)?
A cryptographic protocol enabling a client to query a database without revealing the accessed record to the server.
PIR protocols achieve this by having the client encode its query in a way that is computationally indistinguishable from a random query. The server processes this encoded query over the entire database, returning a result from which the client can extract the desired record. This guarantees information-theoretic or computational privacy for the client's access pattern.
Key Characteristics of PIR
Private Information Retrieval (PIR) is defined by a set of cryptographic properties that distinguish it from trivial database access. These characteristics define the security model, performance trade-offs, and deployment viability.
Information-Theoretic vs. Computational Privacy
PIR protocols are categorized by their underlying security assumptions. Information-theoretic PIR guarantees the server learns absolutely nothing about the query, even with infinite computing power, but requires multiple non-colluding server replicas. Computational PIR relies on hard mathematical problems (e.g., quadratic residuosity, lattice-based cryptography) to secure a query against a single server. If the underlying cryptographic assumption holds, the server cannot distinguish which record was accessed.
- Multi-server IT-PIR: Requires 2+ servers; zero failure probability.
- Single-server CPIR: More practical infrastructure; security reduces to a hardness assumption.
Sublinear Communication Complexity
A defining requirement of PIR is that the total communication between client and server must be strictly less than the size of the database (n). A trivial protocol where the server sends the entire database achieves perfect privacy but has O(n) communication. PIR protocols achieve sublinear communication, typically O(n^c) for some c < 1, or polylogarithmic in n.
- Naive download: O(n) communication, trivial privacy.
- PIR: O(log n) or O(n^c) communication, cryptographic privacy.
- This is the core efficiency metric that distinguishes PIR from a simple bulk transfer.
Query Privacy Guarantee
The fundamental security property of PIR is that the server's view of the protocol is computationally or statistically independent of the query index i. For any two indices i and j, the distribution of query messages sent by the client must be indistinguishable. This ensures the server cannot infer which record was retrieved, even by observing network traffic, query structure, or access timing.
- Indistinguishability: Query(i) ≈ Query(j) for all i, j.
- No trusted hardware required: Privacy is purely cryptographic.
- Protects access patterns: The server learns that some query occurred, but not which record.
Throughput via Batching and Amortization
Single-query PIR is computationally expensive. Modern deployments achieve practical throughput by amortizing the server's cost across batches of queries. Techniques like the XPIR protocol and SealPIR use homomorphic encryption to pack multiple queries into a single ciphertext, reducing the per-query cost by orders of magnitude.
- Single query: High latency, low throughput.
- Batch PIR: Amortized server work; throughput can reach gigabytes per second.
- Key technique: Query compression using fully homomorphic encryption (FHE) SIMD packing.
Database Representation: Bit vs. Block
PIR protocols operate on different logical views of the database, which impacts efficiency. Bit PIR treats the database as an array of individual bits, retrieving one bit per query. Block PIR retrieves a contiguous block of bits (e.g., a 256-byte record) in a single query. Block retrieval is significantly more efficient for real-world records.
- Bit PIR: Simple model; high overhead for multi-bit records.
- Block PIR: Retrieves a full record; amortizes cryptographic cost.
- Keyword PIR: An extension where the query is a keyword, not an index.
Byzantine-Robust PIR
Standard PIR assumes honest-but-curious servers that follow the protocol correctly. Byzantine-robust PIR extends the security model to servers that may actively deviate from the protocol—returning malformed or incorrect responses. This is critical for decentralized storage networks where servers cannot be trusted.
- Honest-but-curious: Server follows protocol, tries to learn query.
- Byzantine: Server may lie, send corrupt data, or collude.
- Defense: Verifiable computation or redundant queries across independent servers.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about how Private Information Retrieval protocols work, their computational trade-offs, and their role in privacy-preserving systems.
Private Information Retrieval (PIR) is a cryptographic protocol that allows a client to retrieve a specific record from a database held by one or more servers without revealing to any server which record was accessed. The fundamental guarantee is that the server learns nothing about the client's query index, providing access pattern privacy. PIR works by having the client encode its query as a cryptographic object that hides the target index. In the simplest single-server computational PIR scheme, the client encrypts a selection vector—a bitstring of length equal to the database size with a 1 at the desired index and 0 elsewhere—using a homomorphic encryption scheme. The server performs a linear operation over the entire encrypted database, computing the dot product of the encrypted selection vector with all records. The result is an encrypted version of the requested record, which only the client can decrypt. The server processes every record, ensuring it cannot distinguish the target from any other, but this imposes a linear computational cost on the database size.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
PIR vs. Related Privacy-Preserving Techniques
A technical comparison of Private Information Retrieval against other fundamental privacy-preserving protocols used in secure computation.
| Feature | Private Information Retrieval (PIR) | Oblivious Transfer (OT) | Private Set Intersection (PSI) | Secure Aggregation |
|---|---|---|---|---|
Primary Objective | Hide access pattern from database server | Hide selection from sender | Compute set overlap without revealing non-members | Sum client updates without inspecting individuals |
Data Output to Client | Single database record | One of n messages | Intersection of two sets | Aggregated sum or average |
Server Learns Client's Selection | ||||
Client Learns Server's Full Dataset | ||||
Typical Communication Complexity | Sublinear in database size | O(1) per transfer | Linear in set size | O(n) where n is number of clients |
Computational Overhead | High (homomorphic or multi-server) | Moderate (public-key per transfer) | Moderate to high | Low (additive secret sharing) |
Common Implementation Approach | Lattice-based homomorphic encryption | Diffie-Hellman-based OT extension | Cuckoo hashing + OT | Shamir secret sharing with dropouts |
Primary Use Case in ML | Private model weight lookup | Garbled circuit input selection | Private feature overlap discovery | Federated learning gradient aggregation |
Related Terms
Private Information Retrieval is built upon and closely related to several fundamental cryptographic protocols. These techniques share the common goal of enabling computation on private data without exposing the underlying information.
Function Secret Sharing (FSS)
A method for splitting a function into compact secret shares that can be evaluated independently by two or more non-colluding servers. In the context of PIR, Distributed Point Functions (DPFs)—a subclass of FSS—enable highly efficient two-server PIR schemes. Each server evaluates its function share on the database and returns a share of the result, which the client combines to recover the desired record.
- Enables sublinear communication complexity in two-server PIR
- DPF-based PIR avoids expensive public-key cryptography
- Each server learns nothing about the query index
Homomorphic Encryption (HE)
A cryptographic scheme that allows computation directly on encrypted data, producing an encrypted result that decrypts to the correct output. Fully Homomorphic Encryption (FHE) enables single-server PIR by allowing the client to encrypt the query index and the server to homomorphically evaluate a selection circuit over the entire database. The server never sees the plaintext index.
- Enables PIR with a single, non-replicated server
- Computational cost remains the primary practical bottleneck
- Lattice-based HE schemes provide post-quantum security
Oblivious RAM (ORAM)
A cryptographic technique that hides the access pattern—which memory locations are read or written—from an observer. While PIR protects the privacy of a single read operation, ORAM provides ongoing privacy across a sequence of reads and writes. ORAM is often used to compile a program to run obliviously on a remote server, preventing data leakage through memory access side-channels.
- Hides both read and write access patterns
- Typically requires logarithmic or polylogarithmic overhead
- Complements PIR for interactive database operations
Secure Multi-Party Computation (MPC)
A broad class of protocols that enable multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. PIR is a specific instance of MPC where the function is a database lookup, the server's input is the database, and the client's input is the query index. General MPC frameworks like SPDZ and garbled circuits can implement PIR as a special case.
- PIR is a restricted, highly optimized form of MPC
- MPC provides stronger security against malicious adversaries
- General MPC incurs higher overhead than purpose-built PIR
Private Set Intersection (PSI)
A protocol that allows two parties to compute the intersection of their private datasets without revealing any elements outside the intersection. PSI and PIR share underlying cryptographic techniques, including oblivious transfer and homomorphic encryption. In fact, PIR can be used as a subroutine in PSI protocols to efficiently check membership without revealing the queried element.
- Both rely on OT and HE primitives
- PSI reveals the intersection size and contents to authorized parties
- Used in contact discovery, password monitoring, and ad conversion tracking

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us