arxiv: v1 [cs.it] 23 Jan 2019

Transcription

1 Single-Server Single-Message Online Private Information Retrieval with Side Information Fatemeh azemi, Esmaeil arimi, Anoosheh Heidarzadeh, and Alex Sprintson arxiv: v [cs.it] 3 Jan 09 Abstract In many practical settings, the user needs to retrieve information from a server in a periodic manner, over multiple rounds of communication. In this paper, we discuss the setting in which this information needs to be retrieved privately, such that the identity of all the information retrieved until the current round is protected. This setting can occur in practical situations in which the user needs to retrieve items from the server or a periodic basis, such that the privacy needs to be guaranteed for all the items been retrieved until the current round. We refer to this setting as an online private information retrieval as the user does not know the identities of the future items that need to be retrieved from the server. Following the previous line of work by adhe et al. we assume that the user knows a random subset of M messages in the database as a side information which are unknown to the server. Focusing on scalar-linear settings, we characterize the per-round capacity, i.e., the maximum achievable download rate at each round, and present a coding scheme that achieves this capacity. The key idea of our scheme is to utilize the data downloaded during the current round as a side information for the subsequent rounds. We show for the setting with messages stored at the server, the per-round capacity of the scalar-linear setting is C = (M +)/ for round i = and C i = ( i (M +))/M for round i, provided that /(M +) is a power of. I. INTRODUCTION The goal of the Private Information Retrieval (PIR) schemes [] is to enable a user to privately download, with minimum cost, a message belonging to a database with copies stored on a single or multiple remote servers, without revealing which message it is requesting. In a single server scenario, the entire database needs to be downloaded to preserve the privacy of the requested message. However, when the user has some side information about the database [] [8], the information-theoretic privacy can be achieved more efficiently than downloading the whole database. In the PIR with side information setting, the user has access to a random subset of the messages in the database as a side information, which are unknown to the server. This side information could have been obtained from other trusted users or through previous interactions with the server. In this setting, the savings in the download cost depend on whether the user wants to protect only the privacy of the requested message, or the privacy of both the requested message and the messages in the side information. To the best of our knowledge, all of the prior works on the private information retrieval focus on the single message The authors are with the Department of Electrical and Computer Engineering, Texas A&M University, College Station, TX USA ( {fatemeh.kazemi, esmaeil.karimi, anoosheh, spalex}@tamu.edu). request. However, in many practical settings, the user needs to retrieve multiple messages periodically, over a period of time. For example, a user might retrieve a news item or the stock market information on a daily basis. The key requirement in such scenarios is to protect the identity of all the requested messages up to the current round. By leveraging previously downloaded messages, the user can significantly reduce the number of bits that need to be downloaded. Accordingly, in this paper we analyze both the fundamental limits as well as the achievability schemes for the multi-round PIR schemes. We refer to this setting as an online private information retrieval as the user does not know the identities of the future items that need to be retrieved from the server. A. Main Contributions In this paper, we study the problem of single-server online PIR with side information. In this problem, a user wishes to download a sequence of messages X W = {X W,X W,,X Wt } from a database X of messages, stored on a single server. The communication is performed in rounds, such that at round i, the user wishes to retrieve a message X Wi for some W i []. We assume that the user decides on which message W i to request at round i and that the identity of the future messagesw j, j > i are not known at round i. We also assume that the user has access to M messages which are selected uniformly at random and whose identity are not known to the server. We focus on the scenario where at roundi, the user wishes to protect the privacy of all the requested messages up to round i, {W,,W i } for i t. That is, after the user makes a request to the server at roundi, the server cannot decide which of the messages is more likely to get requested at that round and at the previous rounds. Focusing on scalarlinear settings, we characterize the per-round capacity, i.e., the maximum achievable download rate at each round. We also present a scalar-linear coding scheme that achieves this capacity. The key idea of our scheme is to utilize the data downloaded during the current round as a side information for subsequent rounds. We show for the setting with messages stored at the server and a random subset of M messages available to the user at the first round, the per-round capacity of the scalar-linear scheme is C = (M +)/ for roundi=and C i = ( i (M +))/M for roundi, provided that /(M +) = l for some l.

2 B. Related Work The classical PIR problem with multiple servers each of which stores the full copy of the database, has been extensively studied [9] []. The most relevant to our paper is the line of work that focuses on setting with multiple retrieved messages [8], [], [3] as well as settings in which the user access to certain files as side information before the information retrieval process begins. The side information settings have been studied in [], [3] for the single server setting and in [4] [8] for the multi-server setting. adhe et al. [] have initiated the study of the singleserver single-message PIR with side information. The multiserver single-message and the multi-server multi-message PIR with side information problems, in the scenario where the user wants to protect the privacy of both the requested message(s) and the messages in the side information, are studied in [7] and [8], respectively. Heidarzadeh et al. [3] focused on a setting in which the side information is random linear combination of a subset of messages. To the best our knowledge, none of the prior works on the private information retrieval focused on the online settings in which the requests are issued one at a time such that the identity of future requests are unknown. II. PROBLEM FORMULATION AND MAIN RESULTS For a positive integer i, denote [i] {,...,i}. Let F q be a finite field of size q and F q m be an extension field of F q of size q m for some prime q and m. We assume that there is a server storing a set X of messages, X {X,...,X }, with each message X i being independently and uniformly distributed over F q m, i.e., H(X ) = = H(X ) = L and H(X,...,X ) = L, where L mlog q. We assume that there is a user that wishes to retrieve a sequence of messages X W = {X W,X W,,X Wt } from the server so that at round i, the user wishes to retrieve the message X Wi for some W i []. We assume that the identity of the index W i of the message retrieved at round i is not known to the user before round i. We also assume that initially the user knows a random subsetx S ofx that includesm messages for somes [], S = M. We refer to W i as the demand index at round i, X Wi as the demand at round i, and refer to S as the side information index set, X S as the side information and M as the size of the side information set. Let S and W i be random variables corresponding to S and W i, respectively. Denote the probability mass function (pmf) of S by p S ( ), and the conditional pmf of W i given S by p Wi S( ). We assume that S is uniformly distributed over all subsets of [] of size M, i.e., p S (S) = ( M), S [], S = M and W i s are independent and uniformly distributed over []\S, i.e., p Wi S(W i S) = { M, W i / S 0, otherwise. Also, we assume that the server knows the size of S (i.e., M), the pmf p S (.) and p Wi S(..), but the realizations S and W i are unknown to the server a priori. At roundi, for anys andw i, in order to retrievex Wi, the user sends to the server a query Q [Wi,S], and upon receiving Q [Wi,S], the server sends to the user an answer A [Wi,S]. We define Q [W:i,S] {Q [W,S],Q [W,S],,Q [Wi,S] } and A [W:i,S] {A [W,S],A [W,S],,A [Wi,S] } as the set of all queries and answers up to the round i, respectively. Note that the query at round i, Q [Wi,S] is a (potentially stochastic) function of W i,s,x S,Q [W:i,S], and A [W:i,S]. Similarly, the answer at round i, A [Wi,S] is a (deterministic) function of Q [W:i,S] and the messages in X, i.e., H(A [Wi,S] Q [W:i,S],X) = 0. The queries from the first round up to round i all together, Q [W:i,S] must protect the individual privacy for all the user s demand indices up to round i from the server, i.e., P(W j = W Q [W:i,S],X) = for all W [] and all j [i]. This means that some correlations between the demands in different rounds can be revealed to the server, but all the demands up to roundi must be protected to be individually private at each round. This condition is referred to as the privacy condition. All the answers from the first round up to round i, A [W:i,S] along with the side informationx S must enable the user to retrieve the demand X Wi. This condition is referred to as the recoverability condition, as follows: H(X Wi A [W:i,S],Q [W:i,S],X S ) = 0. The problem of the single-server Online Private Information Retrieval (OPIR) is to design a query Q [Wi,S] and an answer A [Wi,S] for any given S and W i at round i, that satisfy the privacy and recoverability conditions. The per-round rate of an OPIR algoirhtm at round i denoted by R i, is defined as the ratio of the entropy of a message, i.e., L, to the maximum entropy of the answer at round i, i.e., R i = min W :i,s L H(A [Wi,S] ). The per-round capacity of OPIR at round i denoted by C i, is defined as the supremum of rates over all OPIR algorithms that achieve the capacity up to round i. We focus on scalar-linear capacity, which corresponds to the maximum rate that can be achieved by scalar-linear protocols. The goal of this paper is to establish the scalar-linear perround capability of the OPIR and present an algorithm that achieves this capacity. Theorem characterizes the capacity of scalar-linear OPIR problem for the case when for some l. M+ = l

3 Theorem. For the OPIR problem with messages, and side information of size M, when /(M +) = l for some l, the scalar-linear per-round capacity at round i is given by: { M+ i = C i = () i (M+) M i III. CONVERSE PROOF In this section, we prove the converse part of Theorem. Suppose that the user wishes to retrieve a sequence of messages X W = {X W,X W,,X Wt } from the server so that at round i, the user wants to download the message X Wi for some W i [], and knows X S for a given S [] \ W, S = M. By assumption, /(M +) = l for some l. At round i, for any S and W i, in order to retrieve X Wi, the user sends to the server a query Q [Wi,S], and the server responds to the user by an answer A [Wi,S]. The answer A [Wi,S] at round i is a set of m i messages, i.e., A [Wi,S] {y i,,...,y i,mi }. In linear OPIR schemes each message y i,j for j m i is a linear combination of the original messages in X, i.e. y i,j = γi,j m X m, m [] where γi,j m F q are the encoding coefficients of y i,j. We refer to the vector γ i,j = [γi,j,γ i,j,,γ i,j ] as the encoding vector of y i,j. The i-th unit encoding vector that corresponds to the original packet X i is denoted by u i = [u i,u i,,u i ], where ui i = and u j i = 0 for i j. Consider the set of linearly independent unit vectors {u,u,,u } as a basis for a vector space V of dimension. Thus, the encoding vector of y i,j, i.e., γ i,j, is a vector in the vector space V. Define the answer matrix at round i, A i, of dimension (m i ) with γ ij being the j-th row of A i. Note that the number of messages in A [Wi,S], or equivalently, the number of rows of matrix A i is the download cost at round i. For the first round (i = ), the proof of converse follows from the prior results for PIR with side information (see [, Lemma ]). It is easy to verify that at round, any optimal scalar-linear scheme can be converted to the partition-based scheme of [] by row operations. The answer matrix A corresponding to the optimal scheme has exactly k/(m + ) rows. Followed by a column permutation, the matrix A can be represented as: A = M + M +... M + M+ where s indicate non-zero entries in matrixa and all other entries in matrix A are zero. Each row of A corresponds to one of the messages in the answer. For instance, the first row corresponds to X + +X M+, the second row corresponds to X M+ + +X M+, and so on. The support set of each message in the answer is called a partition. Thus, the optimal scheme in the first round has n = /(M +) number of partitions, denoted by {P,P,,P n }. For the second round and after that (i ), in Theorem we prove that the maximum entropy of the answer, i.e., H(A [Wi,S] ), where the maximum is taken over all W i and S, is lower bounded by M/( i (M +)). Theorem. The maximum entropy of the answer H(A [Wi,S] ) at round i over all W i and S, is lower bounded by M/( i (M +)). Proof: For linear schemes it is sufficient to prove that the maximum number of rows of matrix A i for i is lower bounded by M/( i (M +)). The proof is based on an inductive argument and uses a simple yet powerful observation, formally stated in Lemma. Lemma. For any i, W :i, S, and any W [], there must exist S P j, S = M and W P j for some j [n] such that H(X W A [W:i,S],Q [W:i,S],X S ) = 0. Proof: The proof is given in Appendix. Lemma. At round i for i, in the vector space spanned by the rows of matrices A,A,,A i, corresponding to any W [], there must exist a vector which is a linear combination of at most M+ messages includingx W itself and at most M other messages which are a subset of X S, a potential side information for X W defined in Lemma. Proof: The proof is based on contradiction. Assume that at round i, for i, in the vector space spanned by the rows of matrices A,A,,A i, for a given W [], there does not exist such a vector described in Lemma. This means that X W is not recoverable from A [W:i,S] and X S, which contradicts the result of Lemma. In fact, in the vector space spanned by the rows of A,A,,A i, there must exist of such vectors, one for each potential value of W []. Define matrix Γ with these vectors being as the rows of Γ. An instance of matrix Γ would be as follows: R { Γ = L { W S... Lemma 3. The rank of matrix Γ is lower bounded by /. 3

4 Proof: Since by Lemma,S P j for somej [n] and W P j, then S is either in the left side of W, or in the right side of W in each row of matrix Γ. Accordingly, the rows of matrix Γ can be classified into two types: L and R, based on the criteria that S is in the left side of W, or in the right side of W, respectively. Let z and z denote the number of rows of type L and the number of rows of type R, respectively. It is easy to verify that the maximum of z and z is greater than or equal to /, i.e., max(z,z ) /. Without loss of generality, assume max(z,z ) = z. Then, z /. By removing z rows of type R from matrix Γ, we are left with z / rows of type L that constitute a matrix of size z, in which there exists a lower triangular submatrix of size z z and rank z /. Thus, the rank of matrix Γ is at least z which is lower bounded by /. For the second round (i = ), we need to show that the number of rows of matrix A is lower bounded by M/((M +)). Based on Lemma, in the vector space spanned by the rows of matrices A and A, there must exist all rows of matrix Γ which based on Lemma 3 is of rank greater than or equal to /. On the other hand, as mentioned earlier, the optimal scheme in the first round is partitioning where each row of A corresponds to a linear combination of M + messages. One can readily confirm that corresponding to any M + number of linearly independent rows of matrix Γ, there exists at most one linear combination of these rows in the rows of matrixa. Thus, there must exist at least M linearly independent combinations of these rows in the rows of matrix A. Then, we have: rank(a ) M M + rank(s) M M + = M (M +) In other words, matrix Γ has at least / number of linearly independent rows. Thus, there exist at most /((M + )) linearly independent combinations of these rows in the rows of matrix A. Therefore, there must exist at least / /((M +)) = M/((M +)) linearly independent combinations of these rows in the rows of matrix A, which indicates that the number of rows of matrix A is lower bounded by M/((M +)). The optimal scheme achieves the lower bound. Thus, in the optimal scheme, the number of rows of matrix A is exactly M/((M +)). For the third round (i = 3), we need to show that the number of rows of matrix A 3 is lower bounded by M/(4(M +)). Based on the Lemma, in the vector space spanned by the rows of matrices A, A and A 3, there must exist all rows of matrix Γ which based on Lemma 3 is of rank greater than or equal to /. By the same reasoning as in the case of i =, corresponding to any (M +) number of linearly independent rows of matrix Γ, there exist at most two linearly independent combinations of these rows in the rows of matrix A. On the other hand, we showed that A in the optimal scheme is of rank M/((M +)), which shows that corresponding to any (M + ) number of linearly independent rows of matrix Γ, there exist at most M linearly independent combinations of these rows in the rows of matrix A. Thus, there must exist at least (M +) M = M linearly independent combinations of these rows in the rows of matrix A 3. Then, we have: rank(a 3 ) M M rank(s) (M +) 4(M +) In other words, matrix Γ has at least / number of linearly independent rows. Thus, there exist at most /((M + )) linearly independent combinations of these rows in the rows of matrix A, and M/(4(M + )) linearly independent combinations of these rows in the rows of matrix A. Therefore, there must exist at least / /((M +)) M/(4(M +)) = M/(4(M + )) linearly independent combinations of these rows in the rows of matrix A 3, which indicates that the number of rows of matrix A 3 is lower bounded by M/(4(M +)). Using the same proof technique and similar reasoning as in the cases of i = and i = 3, it can be shown that the number of rows of A i for i is lower bounded by M/( i (M+)). By the result of Lemma, in the vector space spanned by the rows of matrices A,A,,A i, there must exist all rows of matrix Γ, which is of rank greater than or equal to / (by Lemma 3). Again, similarly as in the cases of i = and i = 3, it follows that corresponding to any i (M+) number of linearly independent rows of matrix Γ, there exist at most i, i 3 M, i 4 M,,M, linearly independent combinations of these rows in the rows of matrix A,A,A 3,,A i, respectively. Thus, there must exist at least i (M +) ( i ) ( i 3 j=0 j )M = M linearly independent combinations of these rows in the rows of matrix A i. Then, we have: rank(a i ) M i (M +) = M i (M +) which shows that the number of rows of matrix A i is lower bounded by M/( i (M +)). IV. ACHIEVABILITY SCHEME In this section, we propose an OPIR protocol for arbitrary and M where /(M + ) = l for some l, which achieves the rate (M +)/ in the first round and ( i (M +))/M at roundsi. The proposed scheme, referred to as the Online Partitioning (OP) Protocol, is described in the following. Each round of the OP protocol consists of four steps: Round i = : Step : The user creates a partition of the messages into n /(M +) sets. The first partition, P is formed by combining the demand and the side information set S: P {W } S. The user randomly partitions the set of messages [] \ P into n sets, each of size M +, denoted as P,,P n. 4

5 Step : The user sends to the server a uniform random permutation of the partition {P,,P n }, i.e., it sends {P,,P n } in a random order. Step 3: The server picks an arbitrary Cauchy matrix of size (Ml+) denoted by C [c i,j ] with parameters from F q, where q +Ml+. For a subset P [], let V P denote the characteristic vector of the set P, which is a vector of length such that for all i [], its i-th entry is c i, if i P, otherwise it is 0. The server computes the answer A [W,S] as a set of n inner products given by A [W,S] = {A P,,A P n }, where A P = [X,,X ] V P for all P {P,P,,P n }. Step 4: Upon receiving the answer from the server, the user decodes X W by subtracting off the contributions of its side information X S from A P for some P {P,P,,P n } such that W P. Round i : Step : Based on the OP protocol at round i, the user sends to the server a uniform random permutation of a partition of the messages into n i number of sets as the query, i.e., Q [Wi,S] = {P i,p i,,pn i i }. Given the query at round i, i.e., Q [Wi,S] and given W i and S, the user creates a partition of messages into n i = ni sets {P i,pi,,pi n i }. It should be noted that n i is always divisible by based on the assumption that /(M +) is a power of. It is easy to confirm that W i and S belong to two different partitions at round i. Assume, without loss of generality, that W i P i and S P i. Then, the user constructsp i = Pi P i. For constructing each P i {P,,P i n i i }, the user chooses two partitions from the remaining partitions at round i uniformly at random (without replacement) and unions them. Step : The user sends to the server a uniform random permutation of the partition {P,P i,,p i n i i }, i.e., it sends Q [Wi,S] = {P i,pi,,pi n i } in a random order. Step 3: The server extracts a submatrix H = [h ij ] M of the Cauchy matrix C which contains all rows and j-th column of the matrix C, where (i )M + j (i )M +. For a subset P [], let G P = [g ij ] M denotes the characteristic matrix of the set P, which is a matrix of size M such that for each j [M], for all i [], g ij = h ij if i P, otherwise it is zero, i.e., g ij = 0 for i / P. The server computes A P = [X,,X ] G P for all P {P i,pi,,pi n i }. In fact, A P = [(A P ),,(A P ) M ] is a row vector of length M that gives M linearly independent combinations of the messages X i for i [P]. Finally, the server computes the answer A [Wi,S] as a set of n i M linearly independent combinations of the messages, i.e., A [Wi,S] = {(A P i ),,(A P i ) M,,(A P i ni ),,(A P i ni ) M }. Step 4: Upon receiving the answer from the server, the user retrieves X Wi by subtracting off the contributions of its side information X S from A [W:i,S] and solving a set of i (M +) linearly independent equations with i (M +) unknowns. It should be noted that every submatrix of a Cauchy matrix is itself a Cauchy matrix, which guarantees the existence of i (M +) linearly independent equations. Lemma 4. The OP protocol satisfies the recoverability and individual privacy conditions, while achieving the rate (M +)/ at first round, and the rate ( i (M+))/M at round i. Proof: The OP protocol for the first round is based the Partition and Code PIR Scheme which satisfies the recoverability and the privacy conditions and achieves the rate (M + )/ []. It should be noted that in the first round, the coefficients of the messages in the answer which are chosen according to a Cauchy matrix, have no effect on the recoverability and the privacy proofs. In the OP protocol at round i, the answer A [Wi,S] consists of n i M = M/( i (M +)) linear combinations of the messages in X, i.e., A [Wi,S] = {(A P i ),,(A P i ni ) M }. Since the messages in X are uniformly and independently distributed over F q m, and {(A P i ),,(A P i ni ) M } are linearly independent combinations of the messages, then {(A P i ),,(A P i ni ) M } are uniformly and independently distributed over F q m, i.e., H((A P i ) ) = = H((A P i ni ) M ) = mlog q = L, and H(A [Wi,S] ) = H((A P i ) )+ +H((A P i ni ) M ) = n i ML. Therefore, the rate of the OP protocol at round i is equal to L/H(A [Wi,S] ) = ( i (M +))/M. From the step 4 of the OP protocol for round i, it can be easily verified that the recoverability condition is satisfied because of choosing the coefficients from a Cauchy matrix. To prove that the OP protocol satisfies the privacy condition at round i, we need to show that P(W j = W Q [W:i,S],X) = for all W [] and all j [i]. Since the OP protocol does not depend on the contents of the messages in X, then it is sufficient to prove that P(W j = W Q [W:i,S] ) = for all W [] and all j [i]. Thus, for j = i, we have: P(W i = W Q [W:i,S] ) = S (P(W i = W Q [W:i,S],S ) P(S Q [W:i,S] ) where the sum is over all possible S of size M, a potential side information for W i = W. Let assume W is located in the k th partition of round i, i.e. Pk i. As mentioned earlier, at round i, each partition is a union of two partitions at round i. Without loss of generality assume that, k th partition of round i (of size i (M + )), is a union of w th and v th partitions of round i (each of size i (M + )), i.e., Pk i = Pi w Pv i, and W is located in the Pw i. A possible potential side information S for W i = W, would be a subset of Pv i of size M which is completely located in one of the partitions of the first round. Pv i of size i (M + ), is a union of i partitions of the first round. From each partition of the first round, all subsets of size M, i.e., ( ) M+ M, can be considered as possible S. Thus, one can consider i ( ) M+ M number 5

6 of possible potential side information S for W i = W. For a specific S = Ŝ, given that S = Ŝ belongs to Pi v, each of the elements in Pw i (of size i (M + )) can be user s demand index with the same probability. In other words, P(W i = W Q [W:i,S],S = Ŝ) = i (M+). The probability of a specific S = Ŝ given Q[W:i,S], can be computed by the application of the total probability theorem and chain rule, we have: P(S = Ŝ Q[W:i,S] ) = j [ M+ ] P(S = Ŝ Q[W:i,S],S P j ) P(S P j Q [W:i,S] ) C = where the potential side information S belongs to each of the partitions of the first round with the same probability, i.e., P(S Pj Q[W:i,S] ) = M+ for all j [ M+ ]. In each partition of the first round, there are ( M+ ) M subsets of size M, each of which can be the potential side information S with the same probability. Thus, P(S = Ŝ Q[W:i,S],S Pj ) = M+, for one j [ M+ ] and zero for others. Thus, we have: P(S Q [W:i,S] ) = M + M + Finally, P(W i = W Q [W:i,S] ) is obtained as follows: P(W i = W Q [W:i,S] ) = S (P(W i = W Q [W:i,S],S ) P(S Q [W:i,S] ) = i (M +) i (M +) M + M + =. We proved that P(W i = W Q [W:i,S] ) = for all W []. Using the same proof technique, for j [i ], it can be shown that P(W j = W Q [W:i,S] ) = for all W []. Example. (OP Protocol) Assume that the server has = messages {X,X,,X }, and the user has M = messages X and X 3 as side information, i.e., S = {,3}. Consider a scenario as follows: First round: The user demands the message X, i.e., W =. Thus, the user labels 4 sets of size 3 as P,,P 4. Next, the user constructs P = {W,S} = {,,3} and randomly partitions the set of remaining messages into P,P 3,P 4 sets. Assume the user has chosen P = {4,5,6}, P3 = {7,8,9}, P 4 = {0,,}. Then, the user sends to the server a random permutation of {P,,P 4}. The server picks an arbitrary Cauchy matrix C = [c ij ] 5 with parameters over F 7 as follows: The server sends back to the user four coded packets as: Y = 7X +3X +5X 3, Y = 5X 4 +X 5 +X 6, Y 3 = 4X 7 +0X 8 +4X 9, Y 4 = X 0 +8X +6X, The user can retrieve X by replacing the values of X and X 3 iny. From the server s perspective, the user s demand is in one of the four partitions {P,,P 4 } with probability 4, and in each partition, each of the indices is the user s demand index with probability 3. Thus, the probability that each of the indices i [] being as a demand index would be the same, i.e., P(W = i Q [W=,{,3}] ) = = P W (i). Second round: The user demands the message X 4, i.e., W = 4. Based on the OP protocol, the user labels sets of size 6 as P,P. Since W = 4 P and S P, the user constructs P = P P = {,,3,4,5,6}. For constructing P, the user chooses the remaining two partitions of round, i.e., P3 and P4, and unions them, i.e., P = P 3 P 4 = {7,8,9,0,,}. Then, the user sends to the server a random permutation of {P,P }. Based on the extracted submatrix H of the selected Cauchy matrix C, the server constructs linearly independent combinations of the messages with indices in each partition {P,P }, and sends back to the user four coded packets as follows: Z = 3X +7X +3X 3 +5X 4 +5X 5 +X 6, Z = 6X +3X +7X 3 +3X 4 +5X 5 +5X 6, Z 3 = X 7 +4X 8 +0X 9 +4X 0 +X +8X, Z 4 = X 7 +X 8 +4X 9 +0X 0 +4X +X. The user has already downloaded X from the first round. Thus, from the answers of the first and second rounds, the user can retrieve X 4 by solving a set of three linearly independent equations with three unknown as follows: 5X 4 +X 5 +X 6 = Y, 5X 4 +5X 5 +X 6 = Z 3X 7X 3X 3, 3X 4 +5X 5 +5X 6 = Z 6X 3X 7X 3. From the server s perspective, given the queries Q [W:,S] and all the packets, the probability that each of the indices i [] being as a user s demand index in the second round would be the same and can be calculated as follows: 6

7 P(W = i Q [W:,S],X) = S (P(W = i Q [W:,S],X,S ) P(S Q [W:,S],X)) = 3 3 ( 3 ) 4 =. Also, from the server s perspective, given the queries Q [W:,S] and all the packets, the probability that each of the indices i [] being as a user s demand index in the first round is the same, i.e., P(W = i Q [W:,S],X) =. This means that the scheme is individually private and from the server s perspective, the user s demand index in the first round will remain private after round. Third round: The user demands the message X 7, i.e., W 3 = 7. Based on the OP protocol, the user labels set of size as P 3. Since W 3 = 7 P and S P, the user constructs P 3 = P P = {,,,}. Based on the selected Cauchy matrix C, the server constructs linearly independent combinations of all the messages, and sends back to the user the following two coded packets: T = i= c i4x i, T = i= c i5x i. The user has already downloaded X from the first round and X 4, X 5, and X 6 from the second round. Thus, from the answers of the first, second and third rounds, the user can retrieve X 7 by solving a set of six linearly independent equations with six unknown as follows: 4X 7 +0X 8 +4X 9 = Y 3, X 0 +8X +6X = Y 4, X 7 +4X 8 +0X 9 +4X 0 +X +8X = Z 3, X 7 +X 8 +4X 9 +0X 0 +4X +X = Z 4, i=7 c i4x i = T 6 i= c i4x i, i=7 c i5x i = T 6 i= c i5x i. From the server s perspective, given the queries Q [W:3,S] and all the packets, the probability that each of the indices i [] being as a user s demand index would be the same and can be calculated as follows: P(W 3 = i Q [W:3,S],X) = S (P(W 3 = i Q [W:3,S],X,S ) P(S Q [W:3,S],X)) APPENDIX PROOF OF LEMMA If there does not exist anys such thatx W is recoverable from A [W:i,S] and X S, then the server knows that W cannot be the user s demand index, and this violates the privacy condition. Given the optimal scheme in the first round, if there exists a S P j for some j [n], such that X W is recoverable from A [W:i,S], Q [W:i,S] and X S, then the server knows that S cannot be the user s side information index set. Thus,W cannot be the user s demand index, and this violates the privacy condition. REFERENCES [] B. Chor, O. Goldreich, E. ushilevitz, and M. Sudan, Private information retrieval, in Foundations of Computer Science, 995. Proceedings., 36th Annual Symposium on. IEEE, 995, pp [] S. adhe, B. Garcia, A. Heidarzadeh, S. El Rouayheb, and A. Sprintson, Private information retrieval with side information: The single server case, in Communication, Control, and Computing (Allerton), 07 55th Annual Allerton Conference on. IEEE, 07, pp [3] A. Heidarzadeh, F. azemi, and A. Sprintson, Capacity of singleserver single-message private information retrieval with coded side information, arxiv preprint arxiv: , 08. [4] R. Tandon, The capacity of cache aided private information retrieval, in Communication, Control, and Computing (Allerton), 07 55th Annual Allerton Conference on. IEEE, 07, pp [5] Y.-P. Wei,. Banawan, and S. Ulukus, Fundamental limits of cache-aided private information retrieval with unknown and uncoded prefetching, arxiv preprint arxiv: , 07. [6], Cache-aided private information retrieval with partially known uncoded prefetching: Fundamental limits, IEEE Journal on Selected Areas in Communications, 08. [7] Z. Chen, Z. Wang, and S. Jafar, The capacity of private information retrieval with private side information, arxiv preprint arxiv: , 07. [8] S. P. Shariatpanahi, M. J. Siavoshani, and M. A. Maddah-Ali, Multimessage private information retrieval with private side information, arxiv preprint arxiv:805.89, 08. [9] H. Sun and S. A. Jafar, The capacity of private information retrieval, in Global Communications Conference (GLOBECOM), 06 IEEE. IEEE, 06, pp. 6. [0], The capacity of robust private information retrieval with colluding databases, IEEE Transactions on Information Theory, vol. 64, no. 4, pp , 08. []. Banawan and S. Ulukus, The capacity of private information retrieval from coded databases, IEEE Transactions on Information Theory, vol. 64, no. 3, pp , 08. [], Multi-message private information retrieval: Capacity results and near-optimal schemes, IEEE Transactions on Information Theory, 08. [3] A. Heidarzadeh, B. Garcia, S. adhe, S. E. Rouayheb, and A. Sprintson, On the capacity of single-server multi-message private information retrieval with side information, arxiv preprint arxiv: , 08. = 6 6 ( 3 ) 4 =. Also, from the server s perspective, in the second round the demand of the first round and the demand of the second round remains private, i.e., P(W = i Q [W:3,S],X) = and P(W = i Q [W:3,S],X) =. 7