Tutorial on Coded Private Information Retrieval

Camilla Hollanti
Aalto University, Finland
5th ICMCTA, Vihula, August 2017
Based on joint work with Salim El Rouayheb, Ragnar Freij-Hollanti, Oliver Gnilke, David Karpuk, and Razan Tajeddine

Presentation Outline
Background
Private Information Retrieval (PIR) and Recent Results
Construction: t-PIR Codes from Star Products
Improving Rates by Partial Collusion
Open Problems
References

Background
During , PIR from replicated databases was a hot topic, but was dropped due to impracticality.
Recently, there has been a lot of renewed interest in PIR from coded storage systems (Augot et al., Shah et al., Yaakobi et al.).
Capacity results are partially known, and some explicit constructions exist.
Assumptions on collusion are typically either none or pessimistic: no collusion, or all $t$-sets may collude.
Still, no truly practical constructions are known.

Semantics
Anonymity? Security? Privacy.
Computational privacy: Finding the file index $i$ from the query $q$ is computationally hard.
Information-theoretic privacy: The identity $i$ and the query $q$ have zero mutual information, i.e., finding $i$ given the query $q$ is impossible (amounts to guessing).

Information-theoretic preliminaries
The entropy of a discrete random variable $X$ is
$$H(X) = -\sum_x \log(p_x)\, p_x,$$
where $p_x$ is the probability that $X$ takes the value $x$.
Intuitively: $H(X)$ is the average number of yes/no questions that you need to ask before you correctly guess the value of $X$.
In particular, if $X$ is uniformly distributed over $2^n$ possible values, then $H(X) = n$.

Information-theoretic preliminaries
The mutual information between two random variables $X$ and $Y$ is
$$I(X; Y) = H(X) - H(X \mid Y) = H(Y) - H(Y \mid X).$$
In particular, $I(X; X) = H(X)$.
Moreover, $I(X; Y) = 0$ if and only if $X$ and $Y$ are independent.

Achieving privacy
Theorem. If the data is stored on only one server (or equivalently, if all servers are colluding), then the only thing we can do to achieve perfect privacy is to download the entire database.
Proof. Assume the database contains $N$ information bits. If the user downloads $b < N$ bits in order to retrieve file $x_i$, then there exists at least one information bit that cannot be computed from the downloaded bits. Therefore, $H(i \mid q) < H(i)$, meaning the server gained information from this query, namely that the user's requested file is not one of the $N - b$ bits which he did not download.
On the other hand, if the database is replicated on multiple servers that are not all communicating, then we can do better.

Achieving privacy
Let us start with a toy example.
Database $x = (x_1, x_2, x_3)$ with $x_1 = 1$, $x_2 = 1$, $x_3 = 0$, replicated on 2 servers. User wants $x_1$.
Choose a random vector $u = (1, 0, 1)$.
Send $u = (1, 0, 1)$ and $u + e_1 = (0, 0, 1)$ to the servers, respectively.
The servers respond with the inner product of the database and the request: $x_1 + x_3 = 1$ and $x_3 = 0$.
The entry $x_1$ is the sum of the responses.

Achieving privacy
More generally:
Database $x = (x_1, \dots, x_m)$ replicated on 2 servers. User wants $x_i$.
Choose a random vector $u$. Send $u$ and $u + e_i$ to the servers, respectively.
The servers respond with the inner product of the database and the request, $\langle u, x \rangle$ and $\langle u + e_i, x \rangle$.
$$x_i = \langle u + e_i, x \rangle + \langle u, x \rangle.$$
Privacy holds as we send a random query to each server.
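The two-server scheme above as a runnable sketch over GF(2). This is an added example, not code from the slides; the function names are hypothetical. Besides retrieval, it enumerates every choice of $u$ to show that a single server's view does not depend on $i$, while two colluding servers recover $e_i$ exactly.

```python
import itertools
import secrets
from collections import Counter


def make_queries(m, i):
    """Return (u, u + e_i) over GF(2) for a database of m bits; i is 0-based."""
    u = [secrets.randbelow(2) for _ in range(m)]
    shifted = u.copy()
    shifted[i] ^= 1                      # add the unit vector e_i
    return u, shifted


def respond(db, query):
    """Server side: inner product <query, db> over GF(2)."""
    return sum(q & x for q, x in zip(query, db)) % 2


def retrieve(db, i):
    """User side: send one query to each replica and add the two answers."""
    q_a, q_b = make_queries(len(db), i)
    return respond(db, q_a) ^ respond(db, q_b)


def slide_example():
    """The toy example: x = (1, 1, 0), wanted entry x_1, u = (1, 0, 1)."""
    db, u = [1, 1, 0], [1, 0, 1]
    shifted = [u[0] ^ 1, u[1], u[2]]     # u + e_1 = (0, 0, 1)
    r_a, r_b = respond(db, u), respond(db, shifted)
    return shifted, r_a, r_b, r_a ^ r_b


def single_server_view(m, i, server):
    """Exact distribution of the query one server sees when entry i is wanted.

    Enumerates all 2^m choices of u; server 0 receives u, server 1 receives
    u + e_i. The result is the same uniform distribution for every i.
    """
    view = Counter()
    for u in itertools.product((0, 1), repeat=m):
        q = list(u)
        if server == 1:
            q[i] ^= 1
        view[tuple(q)] += 1
    return view


def colluding_view(m, i):
    """Two colluding servers add their queries: the sum is always e_i."""
    sums = set()
    for u in itertools.product((0, 1), repeat=m):
        shifted = list(u)
        shifted[i] ^= 1
        sums.add(tuple(a ^ b for a, b in zip(u, shifted)))
    return sums


if __name__ == "__main__":
    print("slide example:", slide_example())
    print("retrieved:", [retrieve([1, 0, 1, 1, 0], i) for i in range(5)])
    print("colluders learn:", colluding_view(4, 2))
```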

Ignoring upload cost
The early papers considered the total communication cost (upload + download) required for privately retrieving one bit.
A sequence of papers (refs in the end) reduced the complexity to be sub-linear in $m$ while requiring only two non-colluding servers.
More recently, the upload cost has typically been ignored, assuming that the number of bits in the files (download cost) is much bigger than the number of files on the servers (upload cost).
For instance, if we want a file of size 1 MB, and K servers are storing files, then the upload cost is $10^4 K$ bits, but the download cost is K bits.

Toy example for coded PIR
Server 1 stores $x^1_1 = 1$, $x^2_1 = 1$, $x^3_1 = 0$.
Server 2 stores $x^1_2 = 0$, $x^2_2 = 1$, $x^3_2 = 1$.
Server 3 stores $x^1_1 + x^1_2 = 1$, $x^2_1 + x^2_2 = 0$, $x^3_1 + x^3_2 = 1$.
Want $x^1 = (x^1_1, x^1_2)$.
First round: Choose random $u = (1, 0, 1)$. Send $u + e_1 = (0, 0, 1)$ to the first server, and $u = (1, 0, 1)$ to the last two servers.
The responses are $x^3_1$ from server 1, $x^1_2 + x^3_2$ from server 2, and $x^1_1 + x^1_2 + x^3_1 + x^3_2$ from server 3.
The entry $x^1_1 = 1$ is the sum of the responses.
Second round: Choose random $u = (1, 1, 0)$. Send $u + e_1 = (0, 1, 0)$ to the second server, and $u = (1, 1, 0)$ to the other servers.
The responses are $x^1_1 + x^2_1$ from server 1, $x^2_2$ from server 2, and $x^1_1 + x^1_2 + x^2_1 + x^2_2$ from server 3.
The entry $x^1_2 = 0$ is the sum of the responses.
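The two rounds of the coded toy example, reproduced with the slide's stored bits and random vectors. This is an added example, not code from the slides; the function names are hypothetical. It also runs the retrieval with fresh randomness for any file and reports how many symbols were retrieved and downloaded.

```python
import secrets

# Constructed from the slide: files x^1 = (1, 0), x^2 = (1, 1), x^3 = (0, 1).
FILES = [(1, 0), (1, 1), (0, 1)]


def encode(file_bits):
    """[3, 2] single-parity-check code: (a, b) -> (a, b, a + b) over GF(2)."""
    a, b = file_bits
    return (a, b, a ^ b)


def server_columns(files):
    """Server j stores coordinate j of every encoded file."""
    coded = [encode(f) for f in files]
    return [[word[j] for word in coded] for j in range(3)]


def respond(column, query):
    """Server side: inner product of the stored column and the query."""
    return sum(q & y for q, y in zip(query, column)) % 2


def run_round(columns, u, i, special):
    """Send u + e_i to server `special` and u to the other two servers.

    The three stored columns add up to zero (parity), so the part that
    depends on u cancels and the sum of the responses is the symbol of
    file i held by server `special`.
    """
    responses = []
    for j, column in enumerate(columns):
        query = list(u)
        if j == special:
            query[i] ^= 1
        responses.append(respond(column, query))
    return responses, responses[0] ^ responses[1] ^ responses[2]


def retrieve_file(files, i):
    """Two rounds with fresh randomness; returns (file, retrieved, downloaded)."""
    columns = server_columns(files)
    symbols, downloaded = [], 0
    for special in (0, 1):           # servers 1 and 2 hold the file symbols
        u = [secrets.randbelow(2) for _ in files]
        responses, symbol = run_round(columns, u, i, special)
        symbols.append(symbol)
        downloaded += len(responses)
    return tuple(symbols), len(symbols), downloaded


if __name__ == "__main__":
    cols = server_columns(FILES)
    print("round 1:", run_round(cols, [1, 0, 1], 0, 0))
    print("round 2:", run_round(cols, [1, 1, 0], 0, 1))
    print("file 1 :", retrieve_file(FILES, 0))
```

Two file symbols are obtained from six downloaded symbols, i.e. rate 1/3.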

Coded data and colluding servers
User wants to retrieve $x^i$ from a (coded) storage system, distributed on servers.
Servers can be non-colluding or colluding.
User sends queries $q_j$ and receives responses $r_j$ from which he calculates the file $x^i$: $f(r_j) = x^i$.

Formal definition of $t$-PIR
Consider a probability space $(Q^i, \mu^i)$ of queries for $i \in [m]$.
If the user wishes to download $x^i$, a query $q^i = (q^i_1, \dots, q^i_n)$, which belongs to a probability space $Q^i$ for $i \in [m]$, is selected randomly according to the probability measure $\mu^i$.
Each $q^i_j \in \mathbb{F}_q^m$ is sent to the $j$th server.
The scheme protects against the collusion set $J \subseteq [n]$ if there exists a probability distribution $(Q_J, \mu_J)$ such that, for all $i \in [m]$, the projection of $(Q^i, \mu^i)$ to the coordinates in $J$ is $(Q_J, \mu_J)$.

Formal definition of $t$-PIR
The servers respond with $r^i_j = \langle y_j, q^i_j \rangle$.
The user obtains from $\{r^i_j : j \in [n]\}$ some $c$ coordinates of the file $x^i$.
Obtaining the whole file may take more than one round, but the retrieval rate remains the same and is defined as $c/n$. Note: requirements on information sets!
A PIR scheme is $\mathcal{T}$-secure if it protects against $J$-collusion for all $J \in \mathcal{T}$, where $\mathcal{T} \subseteq 2^{[n]}$ is a collection of colluding sets.
A $t$-PIR scheme can protect against any $T$-collusion, where $|T| \le t$.

Capacity of PIR
The rate $R$ of a PIR scheme is defined as
$$R = \frac{\#\text{desired symbols retrieved}}{\#\text{symbols downloaded}}.$$
The capacity $C$ of PIR is the maximum possible rate for a given model.
We call a scheme asymptotically capacity achieving if $R = \lim_{m \to \infty} C$.

Capacity of PIR
A storage system with $m$ files has the following capacities (each entry is followed by its limit as $m \to \infty$):

| | replication | $[n,k]$-coded |
|---|---|---|
| no collusion | $\frac{1 - 1/n}{1 - (1/n)^m} \to 1 - \frac{1}{n}$ | $\frac{1 - k/n}{1 - (k/n)^m} \to 1 - \frac{k}{n}$ |
| $t$-collusion | $\frac{1 - t/n}{1 - (t/n)^m} \to 1 - \frac{t}{n}$ | $\frac{1 - \frac{t+k-1}{n}}{1 - \left(\frac{t+k-1}{n}\right)^m} \to 1 - \frac{t+k-1}{n}$ (shown as "??" in the last build of this slide) |

Sources: Sun and Jafar, IEEE TIT; Banawan and Ulukus, arXiv; Sun and Jafar, arXiv; Freij-Hollanti, Gnilke, Hollanti, and Karpuk, arXiv.

Colluding case ($k = 1$, $t > 1$): fast convergence as $m \to \infty$.

Coded case ($k > 1$, $t = 1$): fast convergence as $m \to \infty$.

Conjectures on asymptotic PIR capacity
Conjecture 1: Coded PIR with $t$-collusion: $\lim_{m \to \infty} C = 1 - \frac{t+k-1}{n}$.
Conjecture 2: Coded symmetric PIR with $t$-collusion: $\lim_{m \to \infty} C = 1 - \frac{t+k-1}{n}$.
A PIR scheme whose rate does not depend on $m$ can be made symmetric by giving the servers access to some joint randomness.
Conjecture 2 recently became a Theorem by Wang and Skoglund!

Our contributions and related work
We recently proposed a fully general coded retrieval scheme protecting from $t$-collusion (reviewed later in this talk).
The scheme is (asymptotically) capacity achieving at the known points, when employed with MDS generalized Reed-Solomon codes. It also achieves the capacity of Conjecture 1 (and 2).
Recently, S. Kumar et al. showed that it is possible, at least in some cases, to achieve the asymptotic capacity even with non-MDS codes when $t = 1$. When non-MDS codes are used suboptimally in our scheme, their scheme is better, but it is restricted to the case $t = 1$.

Our contributions and related work
Sparse query vectors with linear storage overhead by Blackburn and Etzion (ISIT 17/arXiv).
PIR array codes and achievable upper bounds by Blackburn and Etzion (ISIT 17/arXiv).
Binary, shortened projective Reed-Muller codes for coded non-colluded PIR by Vajha, Ramkumar, and PVJ Kumar (ISIT 17).
(Binary) Reed-Muller codes for coded colluded PIR by Freij-Hollanti et al. (WCC Sep. 17).

Codes from star products
For two vectors $x, y \in \mathbb{F}^n$, define the star product $x \star y := (x_1 y_1, \dots, x_n y_n)$.
Let $C$ and $D$ be linear codes. Define the star product code
$$C \star D := \{c \star d \mid c \in C, d \in D\}.$$
Product-Singleton Bound:
$$d_{C \star D} \le n - \dim(C) - \dim(D) + 2.$$
Apart from pairs $C, C^\perp$ and their products, the only pairs that achieve this bound are generalized Reed-Solomon codes.
Mirandola and Zémor, IEEE TIT.

PIR codes from star products
Consider $m$ files $x^1, \dots, x^m$.
We encode this data using an $[n, k, d_C]$ storage code $C$ with generator matrix $G_C$ and store it on $n$ servers (column $j$ of the result is stored on server $j$):
$$\begin{pmatrix} x^1 \\ \vdots \\ x^m \end{pmatrix} G_C = \begin{pmatrix} x^1_1 & \cdots & x^1_k \\ \vdots & & \vdots \\ x^m_1 & \cdots & x^m_k \end{pmatrix} G_C = \begin{pmatrix} y^1_1 & \cdots & y^1_n \\ \vdots & & \vdots \\ y^m_1 & \cdots & y^m_n \end{pmatrix}$$
This protects against failure of up to $d_C - 1$ servers.

PIR codes from star products
To retrieve a file $x^i$ we would like to calculate $y^i \star e$ for some low weight vector $e$, where $\mathrm{supp}(e)$ covers an information set.
For example, if we encode by $x^i = (a, b) \mapsto (a, b, a + b) = y^i$, then for $e = (1, 0, 1)$ we have $y^i \star e = (a, 0, a + b)$ and we can recover $x^i$.
To hide the vector $e$ we will use a retrieval code $D$ as randomness to form our queries.
The response vector will be the sum of two pieces:
$$r = \begin{pmatrix} r_1 \\ \vdots \\ r_n \end{pmatrix} = \underbrace{\sum_{l=1}^{m} y^l \star d^l}_{\in\, C \star D} + y^i \star e$$
Project $C \star D$ off using its dual and retrieve the information.

On the download rate
The retrieved information is $\pi_{(C \star D)^\perp}(y^i \star e)$, so contains symbols if $e$ is well chosen.
It is known that
$$\dim\big((C \star D)^\perp\big) = n - \dim(C \star D),$$
$$\dim(C \star D) \ge \min\{n, \dim(C) + \dim(D) - 1\},$$
with equality if and only if $C$ and $D$ are generalized Reed-Solomon codes.
The number of servers we need to confuse with the randomness is $t = \dim(D)$.

On the download rate
Thus, we download $\le n - \dim(C) - \dim(D) + 1 = n - k - t + 1$ information symbols, with equality iff the storage code and the retrieval code are both generalized Reed-Solomon.
The resulting rate is
$$R = \frac{n - k - t + 1}{n} = 1 - \frac{k + t - 1}{n},$$
which coincides with the known asymptotic capacity results ($t = 1$ or $k = 1$) as well as the conjectures ($k > 1$ and $t > 1$).
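One round of the star product scheme, as an added example that is not code from the slides or from the authors. The concrete choices are assumptions made here: the field GF(13), $n = 6$, $k = 2$, $t = 2$, Reed-Solomon codes on the evaluation points 1 to 6 for both $C$ and $D$, $e$ supported on the first $n - k - t + 1 = 3$ servers, and all function names. `colluder_view` enumerates the retrieval code to give the exact distribution a set of servers sees for one file.

```python
import itertools
import secrets
from collections import Counter

P = 13                       # field size (prime), assumed for this example
N, K, T = 6, 2, 2            # servers, storage dimension, collusion size
ALPHA = [1, 2, 3, 4, 5, 6]   # distinct evaluation points in GF(P)
C_SYMS = N - K - T + 1       # coded symbols retrieved in one round


def rs_encode(msg):
    """Codeword of the Reed-Solomon code RS[N, len(msg)]: evaluate the
    polynomial with coefficient list msg at every point of ALPHA."""
    return [sum(c * pow(a, s, P) for s, c in enumerate(msg)) % P for a in ALPHA]


def parity_check(dim):
    """Parity-check matrix of RS[N, dim]; row s has entries v_j * alpha_j^s
    with v_j = 1 / prod_{l != j} (alpha_j - alpha_l)."""
    v = []
    for j, a in enumerate(ALPHA):
        prod = 1
        for l, b in enumerate(ALPHA):
            if l != j:
                prod = prod * (a - b) % P
        v.append(pow(prod, -1, P))
    return [[v[j] * pow(ALPHA[j], s, P) % P for j in range(N)]
            for s in range(N - dim)]


def solve(A, b):
    """Solve the square system A z = b over GF(P) by Gauss-Jordan elimination."""
    size = len(A)
    M = [row[:] + [rhs] for row, rhs in zip(A, b)]
    for col in range(size):
        piv = next(r for r in range(col, size) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        scale = pow(M[col][col], -1, P)
        M[col] = [x * scale % P for x in M[col]]
        for r in range(size):
            if r != col and M[r][col]:
                factor = M[r][col]
                M[r] = [(x - factor * y) % P for x, y in zip(M[r], M[col])]
    return [M[r][size] for r in range(size)]


def make_queries(m, i, support):
    """queries[j][l] is the symbol server j receives for file l: coordinate j
    of a fresh random codeword d^l of D = RS[N, T], plus e_j for file i."""
    d = [rs_encode([secrets.randbelow(P) for _ in range(T)]) for _ in range(m)]
    queries = [[d[l][j] for l in range(m)] for j in range(N)]
    for j in support:
        queries[j][i] = (queries[j][i] + 1) % P
    return queries


def retrieve(files, i):
    """One round for file i; returns (y^i on supp(e), decoded file)."""
    m, support = len(files), list(range(C_SYMS))
    coded = [rs_encode(f) for f in files]            # y^l, codewords of C
    queries = make_queries(m, i, support)
    # Server j answers with the inner product of its stored column and its query.
    r = [sum(coded[l][j] * queries[j][l] for l in range(m)) % P for j in range(N)]
    H = parity_check(K + T - 1)                      # dual of C * D = RS[N, K+T-1]
    syndrome = [sum(h * x for h, x in zip(row, r)) % P for row in H]
    y_s = solve([[row[j] for j in support] for row in H], syndrome)
    # supp(e) contains an information set of the MDS code C: decode from K symbols.
    vander = [[pow(ALPHA[j], s, P) for s in range(K)] for j in support[:K]]
    return y_s, solve(vander, y_s[:K])


def colluder_view(servers, offset):
    """Exact distribution of what a set of servers sees for one file, over all
    codewords of D, when `offset` (their part of e) is added."""
    view = Counter()
    for msg in itertools.product(range(P), repeat=T):
        word = rs_encode(list(msg))
        view[tuple((word[j] + o) % P for j, o in zip(servers, offset))] += 1
    return view
```

With these parameters one round returns 3 coded symbols out of 6 downloaded, matching $R = 1 - \frac{k+t-1}{n} = \frac{1}{2}$.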

Partial collusion
Sometimes it is very unlikely for some servers to collude.
They might be geographically separated or split into different repair groups, or have some other reason for being less likely to collude.
This can be used to increase the rate of a PIR scheme.

How to increase rate
If the support of the vector $e$ is completely disjoint from what a group of servers see, then they have no chance to identify the requested file.
The basic idea is to pick $e$ such that its support avoids large colluding sets.
We only need to protect against the collusion sets that intersect the support of $e$.

Example
Consider a $[6, 2]$-storage code. Let the collusion sets be given as $\mathcal{T} = \{1, 2\}, \{2, 3\}, \{3, 4, 5, 6\}$.
Protecting against 4-collusion we get $R = \frac{1}{6}$.
This can be improved by using a 2-PIR scheme, where the information set is selected to be $\{1, 2\}$.
Set $e = (1, 1, 0, 0, 0, 0)$. Now $R = \frac{2}{6}$.
For our 2-PIR, $R = \frac{3}{6}$, but we cannot increase the weight of $e$ without having to protect against 4-collusion.
We can do better by ignoring the 6th server and using the 2-PIR scheme with a $[5, 2]$ retrieval code. Then we get $R = \frac{2}{5}$, which is larger.
This works because $n - k - t + 1 = 3 \ge 2$, and nodes in the support of $e$ together contain the whole file.
If $n - k - t + 1 < k$, we need to perform our queries in several rounds. In each of these rounds, we need an information set $E$ that only intersects colluding sets of size $\le t$.

Avoiding large colluding sets
For a collusion pattern $\mathcal{T}$ and a positive integer $t$, consider the set
$$\tilde{I}_t \overset{\text{def}}{=} [n] \setminus \bigcup_{T \in \mathcal{T},\, |T| > t} T$$
of nodes not contained in any colluding set of size $> t$.
Theorem (TGKFHE ISIT 17). Let $C$ be an MDS storage code, and let $\mathcal{T}$ be a collusion pattern. Let $t$ be a positive integer such that $|\tilde{I}_t| \ge k$. Then, we can download files privately from $C$ at rate
$$\min\left\{ \frac{|\tilde{I}_t|}{|\tilde{I}_t| + k + t - 1},\ \frac{n - k - t + 1}{n} \right\}.$$

Partitions of colluding sets
If the collusion sets in $\mathcal{T}$ are disconnected (not necessarily all disjoint!) one can treat each disconnected set as one server.
This allows us to use a PIR scheme that does not protect against collusion.
Theorem (TGKFHE ISIT 17). Let $C$ be an MDS storage code, let $\{T_1, T_2\}$ be a partition of $[n]$, and let $\mathcal{T}$, with sets $T_1, T_2$ satisfying $T_1 \cap T_2 = \emptyset$, be a disconnected collusion pattern. Then there exists a PIR scheme with rate
$$R = \frac{\min\{k,\ d_C - 1,\ |T_1|,\ |T_2|\}}{n}$$
that protects against $\mathcal{T}$-collusion.

Partitions of colluding sets
The following result is an immediate corollary, and describes the important case where the coding rate of $C$ is bigger than 1/2, i.e., $k \ge n - k$:
Corollary (TGKFHE ISIT 17). Let $\mathcal{T}$, with sets $T_1, T_2$, be a collusion pattern where $T_1$ and $T_2$ are disjoint sets, each of size $k$. Then there exists a PIR scheme with rate $R = 1 - \frac{k}{n}$.

Example: special cases
Example. Let $n = 6$ and $k = 2$ and $\mathcal{T} = \{1, 2\}, \{3, 4\}, \{5, 6\}$.
We retrieve 2 symbols from 2 different rows by using 2 different $e$ vectors.
Consider the system as a $[3, 1]$ coded storage without collusion.
$$\begin{matrix} y^1_1 & y^1_2 & y^1_3 & y^1_4 & y^1_5 & y^1_6 \\ y^2_1 & y^2_2 & y^2_3 & y^2_4 & y^2_5 & y^2_6 \end{matrix}$$
This achieves rate $\frac{n - k}{n} = \frac{4}{6}$ (= $C$ for no collusion, $m \to \infty$!).

Collusion on adjacent sets
A recent result shows the limits of this approach:
Theorem (Sun, Jafar). When the collusion pattern contains all $t$-sets of adjacent servers in a cyclic manner, the capacity of PIR is not increased compared to full $t$-collusion.
Example. Consider a setting with $n = 5$ servers. The capacity of $\mathcal{T}$-PIR where $\mathcal{T} = \{\{1, 2, 3\}, \{2, 3, 4\}, \{3, 4, 5\}, \{4, 5, 1\}, \{5, 1, 2\}\}$ is equivalent to the capacity of (full) 3-PIR.
Sun, H., Jafar, S. A. (2017). Private Information Retrieval from MDS Coded Data with Colluding Servers: Settling a Conjecture by Freij-Hollanti et al. arXiv.

Open problems
More practical schemes. Problems with current ones:
Computational complexity at the servers, or alternatively a huge number of non-colluding servers.
Assuming that the user knows how the files are ordered, and what each server is storing. This can be partially circumvented by first performing private keyword search, but no practical schemes exist for that either.
Often assuming a "perfect setting": all servers respond, no errors or malicious inputs. No eavesdropping on the channel.

Open problems
Coded colluded capacity.
Star product scheme as symmetric PIR.
LRCs and batch codes.
Non-responsive and byzantine servers.
Interplay of codes (e.g. localities) and collusion patterns.
Applications to edge caching.
Partial privacy.
Private keyword search.

References
B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, Private information retrieval, in IEEE FOCS.
A. Beimel, Y. Ishai, and T. Malkin, Reducing the servers' computation in private information retrieval: PIR with preprocessing, in Advances in Cryptology, CRYPTO.
A. Beimel, Y. Ishai, E. Kushilevitz, and J.-F. Raymond, Breaking the $O(n^{1/(2k-1)})$ barrier for information-theoretic private information retrieval, in IEEE FOCS.
Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai, Batch codes and their applications, in ACM STOC.
D. Augot, F. Levy-Dit-Vehel, and A. Shikfa, A storage-efficient and robust private information retrieval scheme allowing few servers, in Cryptology and Network Security.
N. Shah, K. Rashmi, and K. Ramchandran, One extra bit of download ensures perfectly private information retrieval, in 2014 IEEE ISIT.
T. Chan, S.-W. Ho, and H. Yamamoto, Private information retrieval for coded storage, in 2015 IEEE ISIT.
Z. Dvir and S. Gopi, 2-server PIR with sub-polynomial communication, in ACM STOC.
A. Fazeli, A. Vardy, and E. Yaakobi, Codes for distributed PIR with low storage overhead, in 2015 IEEE ISIT.
R. Tajeddine, O. Gnilke, and S. El Rouayheb, Private Information Retrieval from MDS Coded data in Distributed Storage Systems (extended version), arXiv.
H. Sun and S. A. Jafar, The capacity of private information retrieval, arXiv.
H. Sun and S. A. Jafar, The capacity of robust private information retrieval with colluding databases, arXiv.
S. Blackburn, T. Etzion, and M. Paterson, PIR schemes with small download complexity and low storage requirements.
K. A. Banawan and S. Ulukus, The capacity of private information retrieval from coded databases, arXiv.
Q. Wang and M. Skoglund, Symmetric private information retrieval for MDS coded distributed storage, arXiv.
R. Freij-Hollanti, O. Gnilke, C. Hollanti, and D. Karpuk, Private information retrieval from coded databases with colluding servers, arXiv, 2016, to appear in SIAM J. Applied Algebra and Geometry.
S. Blackburn and T. Etzion, PIR array codes with optimal PIR rate, in IEEE ISIT.
S. Kumar, E. Rosnes, and A. G. i Amat, Private information retrieval in distributed storage systems using an arbitrary linear code, in IEEE ISIT.
R. Tajeddine and S. El Rouayheb, Robust private information retrieval on coded data, in IEEE ISIT.
R. Tajeddine, O. Gnilke, D. Karpuk, R. Freij-Hollanti, C. Hollanti, and S. El Rouayheb, Private information retrieval schemes for coded data with arbitrary collusion patterns, in IEEE ISIT.
T. M. Cover and J. A. Thomas, Elements of information theory. John Wiley and Sons.
J. H. van Lint, Introduction to coding theory. Vol. 86. Springer Science and Business Media.

Thank you!!


Quantum Symmetrically-Private Information Retrieval Quantum Symmetrically-Private Information Retrieval Iordanis Kerenidis UC Berkeley jkeren@cs.berkeley.edu Ronald de Wolf CWI Amsterdam rdewolf@cwi.nl arxiv:quant-ph/0307076v 0 Jul 003 Abstract Private

More information

Security in Locally Repairable Storage

Security in Locally Repairable Storage 1 Security in Locally Repairable Storage Abhishek Agarwal and Arya Mazumdar Abstract In this paper we extend the notion of locally repairable codes to secret sharing schemes. The main problem we consider

More information

Key words: Batch codes, error-correcting codes, computationally-private information retrieval, load balancing, distributed storage.

Key words: Batch codes, error-correcting codes, computationally-private information retrieval, load balancing, distributed storage. Linear Batch Codes Helger Lipmaa and Vitaly Skachek Abstract In an application, where a client wants to obtain many symbols from a large database, it is often desirable to balance the load. Batch codes

More information

Private Information Retrieval from MDS Coded Databases with Colluding Servers under Several Variant Models

Private Information Retrieval from MDS Coded Databases with Colluding Servers under Several Variant Models 1 Private Information Retrieval from MDS Coded Databases with Colluding Servers under Several Variant Models Yiwei Zhang and Gennian Ge arxiv:170503186v2 [csit] 11 Oct 2017 Abstract Private information

More information

arxiv: v1 [cs.it] 9 Jan 2019

arxiv: v1 [cs.it] 9 Jan 2019 Private Information Retrieval from Locally Repairable Databases with Colluding Servers Umberto Martínez-Peñas 1 1 Dept. of Electrical & Computer Engineering, University of Toronto, Canada arxiv:1901.02938v1

More information

Index Coding & Caching in Wireless Networks. Salim El Rouayheb. ECE IIT, Chicago

Index Coding & Caching in Wireless Networks. Salim El Rouayheb. ECE IIT, Chicago Index Coding & Caching in Wireless Networks Salim El Rouayheb ECE IIT, Chicago Big Data vs. Wireless Exabytes per month [Cisco] Meanwhile, Storage is Getting Cheaper Storage cost per GB (USD) http://www.mkomo.com/cost-per-gigabyte-update

More information

Distributed Data Storage with Minimum Storage Regenerating Codes - Exact and Functional Repair are Asymptotically Equally Efficient

Distributed Data Storage with Minimum Storage Regenerating Codes - Exact and Functional Repair are Asymptotically Equally Efficient Distributed Data Storage with Minimum Storage Regenerating Codes - Exact and Functional Repair are Asymptotically Equally Efficient Viveck R Cadambe, Syed A Jafar, Hamed Maleki Electrical Engineering and

More information

Linear Exact Repair Rate Region of (k + 1, k, k) Distributed Storage Systems: A New Approach

Linear Exact Repair Rate Region of (k + 1, k, k) Distributed Storage Systems: A New Approach Linear Exact Repair Rate Region of (k + 1, k, k) Distributed Storage Systems: A New Approach Mehran Elyasi Department of ECE University of Minnesota melyasi@umn.edu Soheil Mohajer Department of ECE University

More information

Distributed storage systems from combinatorial designs

Distributed storage systems from combinatorial designs Distributed storage systems from combinatorial designs Aditya Ramamoorthy November 20, 2014 Department of Electrical and Computer Engineering, Iowa State University, Joint work with Oktay Olmez (Ankara

More information

Optimal Exact-Regenerating Codes for Distributed Storage at the MSR and MBR Points via a Product-Matrix Construction

Optimal Exact-Regenerating Codes for Distributed Storage at the MSR and MBR Points via a Product-Matrix Construction Optimal Exact-Regenerating Codes for Distributed Storage at the MSR and MBR Points via a Product-Matrix Construction K V Rashmi, Nihar B Shah, and P Vijay Kumar, Fellow, IEEE Abstract Regenerating codes

More information

Regenerating Codes and Locally Recoverable. Codes for Distributed Storage Systems

Regenerating Codes and Locally Recoverable. Codes for Distributed Storage Systems Regenerating Codes and Locally Recoverable 1 Codes for Distributed Storage Systems Yongjune Kim and Yaoqing Yang Abstract We survey the recent results on applying error control coding to distributed storage

More information

A Geometric Approach to Information-Theoretic Private Information Retrieval

A Geometric Approach to Information-Theoretic Private Information Retrieval A Geometric Approach to Information-Theoretic Private Information Retrieval David Woodruff MIT dpwood@mit.edu Sergey Yekhanin MIT yekhanin@mit.edu Abstract A t-private private information retrieval PIR

More information

Explicit MBR All-Symbol Locality Codes

Explicit MBR All-Symbol Locality Codes Explicit MBR All-Symbol Locality Codes Govinda M. Kamath, Natalia Silberstein, N. Prakash, Ankit S. Rawat, V. Lalitha, O. Ozan Koyluoglu, P. Vijay Kumar, and Sriram Vishwanath 1 Abstract arxiv:1302.0744v2

More information

Minimum Repair Bandwidth for Exact Regeneration in Distributed Storage

Minimum Repair Bandwidth for Exact Regeneration in Distributed Storage 1 Minimum Repair andwidth for Exact Regeneration in Distributed Storage Vivec R Cadambe, Syed A Jafar, Hamed Malei Electrical Engineering and Computer Science University of California Irvine, Irvine, California,

More information

Staircase Codes for Secret Sharing with Optimal Communication and Read Overheads

Staircase Codes for Secret Sharing with Optimal Communication and Read Overheads 1 Staircase Codes for Secret Sharing with Optimal Communication and Read Overheads Rawad Bitar, Student Member, IEEE and Salim El Rouayheb, Member, IEEE Abstract We study the communication efficient secret

More information

Coding problems for memory and storage applications

Coding problems for memory and storage applications .. Coding problems for memory and storage applications Alexander Barg University of Maryland January 27, 2015 A. Barg (UMD) Coding for memory and storage January 27, 2015 1 / 73 Codes with locality Introduction:

More information

arxiv: v1 [cs.cr] 16 Dec 2014

arxiv: v1 [cs.cr] 16 Dec 2014 A Storage-efficient and Robust Private Information Retrieval Scheme allowing few servers Daniel Augot 1,2, Françoise Levy-dit-Vehel 1,2,3, Abdullatif Shikfa 4 arxiv:1412.5012v1 [cs.cr] 16 Dec 2014 1 INRIA

More information

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Amos Beimel Yuval Ishai Eyal Kushilevitz Jean-François Raymond April 24, 2006 Abstract Private Information Retrieval

More information

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Amos Beimel Yuval Ishai Eyal Kushilevitz Jean-François Raymond Abstract Private Information Retrieval (PIR) protocols

More information

Product-matrix Construction

Product-matrix Construction IERG60 Coding for Distributed Storage Systems Lecture 0-9//06 Lecturer: Kenneth Shum Product-matrix Construction Scribe: Xishi Wang In previous lectures, we have discussed about the minimum storage regenerating

More information

A Study of Computational Private Information Retrieval Schemes and Oblivious Transfer

A Study of Computational Private Information Retrieval Schemes and Oblivious Transfer MASTER ALGANT University of Padova and University of Bordeaux 1 Master Thesis in Mathematics A Study of Computational Private Information Retrieval Schemes and Oblivious Transfer Valentina Settimi Supervisor:

More information

Fractional Repetition Codes For Repair In Distributed Storage Systems

Fractional Repetition Codes For Repair In Distributed Storage Systems Fractional Repetition Codes For Repair In Distributed Storage Systems 1 Salim El Rouayheb, Kannan Ramchandran Dept. of Electrical Engineering and Computer Sciences University of California, Berkeley {salim,

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

On the Cryptographic Complexity of the Worst Functions

On the Cryptographic Complexity of the Worst Functions On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,

More information

An approach from classical information theory to lower bounds for smooth codes

An approach from classical information theory to lower bounds for smooth codes An approach from classical information theory to lower bounds for smooth codes Abstract Let C : {0, 1} n {0, 1} m be a code encoding an n-bit string into an m-bit string. Such a code is called a (q, c,

More information

Guess & Check Codes for Deletions, Insertions, and Synchronization

Guess & Check Codes for Deletions, Insertions, and Synchronization Guess & Check Codes for Deletions, Insertions, and Synchronization Serge Kas Hanna, Salim El Rouayheb ECE Department, Rutgers University sergekhanna@rutgersedu, salimelrouayheb@rutgersedu arxiv:759569v3

More information

Weakly Secure Data Exchange with Generalized Reed Solomon Codes

Weakly Secure Data Exchange with Generalized Reed Solomon Codes Weakly Secure Data Exchange with Generalized Reed Solomon Codes Muxi Yan, Alex Sprintson, and Igor Zelenko Department of Electrical and Computer Engineering, Texas A&M University Department of Mathematics,

More information

Computationally Private Information Retrieval With Polylogarithmic Communication

Computationally Private Information Retrieval With Polylogarithmic Communication Computationally Private Information Retrieval With Polylogarithmic Communication Christian Cachin Silvio Micali Markus Stadler August 9, 1999 Abstract We present a single-database computationally private

More information

Sequential and Dynamic Frameproof Codes

Sequential and Dynamic Frameproof Codes Sequential and Dynamic Frameproof Codes Maura Paterson m.b.paterson@rhul.ac.uk Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX Abstract There are many schemes in the

More information

Progress on High-rate MSR Codes: Enabling Arbitrary Number of Helper Nodes

Progress on High-rate MSR Codes: Enabling Arbitrary Number of Helper Nodes Progress on High-rate MSR Codes: Enabling Arbitrary Number of Helper Nodes Ankit Singh Rawat CS Department Carnegie Mellon University Pittsburgh, PA 523 Email: asrawat@andrewcmuedu O Ozan Koyluoglu Department

More information

Distributed Storage Systems with Secure and Exact Repair - New Results

Distributed Storage Systems with Secure and Exact Repair - New Results Distributed torage ystems with ecure and Exact Repair - New Results Ravi Tandon, aidhiraj Amuru, T Charles Clancy, and R Michael Buehrer Bradley Department of Electrical and Computer Engineering Hume Center

More information

(Classical) Information Theory III: Noisy channel coding

(Classical) Information Theory III: Noisy channel coding (Classical) Information Theory III: Noisy channel coding Sibasish Ghosh The Institute of Mathematical Sciences CIT Campus, Taramani, Chennai 600 113, India. p. 1 Abstract What is the best possible way

More information

Probabilistically Checkable Arguments

Probabilistically Checkable Arguments Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts

More information

arxiv: v2 [cs.it] 4 Mar 2019

arxiv: v2 [cs.it] 4 Mar 2019 Capacity-Achieving Private Information Retrieval Codes with Optimal Message Size and Upload Cost Chao Tian Hua Sun Jun Chen arxiv:1808.07536v2 [cs.it] 4 Mar 2019 March 6, 2019 Abstract We propose a new

More information

Correcting Bursty and Localized Deletions Using Guess & Check Codes

Correcting Bursty and Localized Deletions Using Guess & Check Codes Correcting Bursty and Localized Deletions Using Guess & Chec Codes Serge Kas Hanna, Salim El Rouayheb ECE Department, Rutgers University serge..hanna@rutgers.edu, salim.elrouayheb@rutgers.edu Abstract

More information

Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups

Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups Jonathan Trostle and Andy Parrish Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Rd. Laurel,

More information

Yuval Ishai Technion

Yuval Ishai Technion Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency

More information

Constructions of Optimal Cyclic (r, δ) Locally Repairable Codes

Constructions of Optimal Cyclic (r, δ) Locally Repairable Codes Constructions of Optimal Cyclic (r, δ) Locally Repairable Codes Bin Chen, Shu-Tao Xia, Jie Hao, and Fang-Wei Fu Member, IEEE 1 arxiv:160901136v1 [csit] 5 Sep 016 Abstract A code is said to be a r-local

More information

Linear Programming Bounds for Robust Locally Repairable Storage Codes

Linear Programming Bounds for Robust Locally Repairable Storage Codes Linear Programming Bounds for Robust Locally Repairable Storage Codes M. Ali Tebbi, Terence H. Chan, Chi Wan Sung Institute for Telecommunications Research, University of South Australia Email: {ali.tebbi,

More information

Communication Efficient Secret Sharing

Communication Efficient Secret Sharing Communication Efficient Secret Sharing 1 Wentao Huang, Michael Langberg, senior member, IEEE, Joerg Kliewer, senior member, IEEE, and Jehoshua Bruck, Fellow, IEEE arxiv:1505.07515v2 [cs.it] 1 Apr 2016

More information

Communication Efficient Secret Sharing

Communication Efficient Secret Sharing 1 Communication Efficient Secret Sharing Wentao Huang, Michael Langberg, Senior Member, IEEE, Joerg Kliewer, Senior Member, IEEE, and Jehoshua Bruck, Fellow, IEEE Abstract A secret sharing scheme is a

More information

A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol

A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol (Extended version of WEWORC paper, presented in July 2007, in Bochum, Germany) Carlos Aguilar-Melchor and Philippe Gaborit

More information

Locally Encodable and Decodable Codes for Distributed Storage Systems

Locally Encodable and Decodable Codes for Distributed Storage Systems Locally Encodable and Decodable Codes for Distributed Storage Systems Son Hoang Dau, Han Mao Kiah, Wentu Song, Chau Yuen Singapore University of Technology and Design, Nanyang Technological University,

More information

An Overview of Homomorphic Encryption

An Overview of Homomorphic Encryption An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,

More information

The Complexity of a Reliable Distributed System

The Complexity of a Reliable Distributed System The Complexity of a Reliable Distributed System Rachid Guerraoui EPFL Alexandre Maurer EPFL Abstract Studying the complexity of distributed algorithms typically boils down to evaluating how the number

More information

Notes on Alekhnovich s cryptosystems

Notes on Alekhnovich s cryptosystems Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given

More information

On MBR codes with replication

On MBR codes with replication On MBR codes with replication M. Nikhil Krishnan and P. Vijay Kumar, Fellow, IEEE Department of Electrical Communication Engineering, Indian Institute of Science, Bangalore. Email: nikhilkrishnan.m@gmail.com,

More information

Private Access to Distributed. Information. Eran Mann

Private Access to Distributed. Information. Eran Mann Private Access to Distributed Information Eran Mann 1 Private Access to Distributed Information Research Thesis Submitted in partial fulllment of the requirements for the degree of Master of Science in

More information

Efficient Secret Sharing Schemes Achieving Optimal Information Rate

Efficient Secret Sharing Schemes Achieving Optimal Information Rate Efficient Secret Sharing Schemes Achieving Optimal Information Rate Yongge Wang KINDI Center for Computing Research, Qatar University, Qatar and Department of SIS, UNC Charlotte, USA Email: yonggewang@unccedu

More information

Multi-Party Computation with Conversion of Secret Sharing

Multi-Party Computation with Conversion of Secret Sharing Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution

More information

Lecture 3: Error Correcting Codes

Lecture 3: Error Correcting Codes CS 880: Pseudorandomness and Derandomization 1/30/2013 Lecture 3: Error Correcting Codes Instructors: Holger Dell and Dieter van Melkebeek Scribe: Xi Wu In this lecture we review some background on error

More information

Reverse Edge Cut-Set Bounds for Secure Network Coding

Reverse Edge Cut-Set Bounds for Secure Network Coding Reverse Edge Cut-Set Bounds for Secure Network Coding Wentao Huang and Tracey Ho California Institute of Technology Michael Langberg University at Buffalo, SUNY Joerg Kliewer New Jersey Institute of Technology

More information

Efficient Private Information Retrieval

Efficient Private Information Retrieval IEICE TRANS FUNDAMENTALS, VOL E8 A, NO JANUARY 999 PAPER Special Section on Cryptography and Information Security Efficient Private Information Retrieval Toshiya ITOH, Member SUMMARY Informally, private

More information

Robust Network Codes for Unicast Connections: A Case Study

Robust Network Codes for Unicast Connections: A Case Study Robust Network Codes for Unicast Connections: A Case Study Salim Y. El Rouayheb, Alex Sprintson, and Costas Georghiades Department of Electrical and Computer Engineering Texas A&M University College Station,

More information

A Piggybacking Design Framework for Read-and Download-efficient Distributed Storage Codes

A Piggybacking Design Framework for Read-and Download-efficient Distributed Storage Codes A Piggybacing Design Framewor for Read-and Download-efficient Distributed Storage Codes K V Rashmi, Nihar B Shah, Kannan Ramchandran, Fellow, IEEE Department of Electrical Engineering and Computer Sciences

More information

How many rounds can Random Selection handle?

How many rounds can Random Selection handle? How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.

More information

Improved Lower Bounds for Locally Decodable Codes and Private Information Retrieval

Improved Lower Bounds for Locally Decodable Codes and Private Information Retrieval Improved Lower Bounds for Locally Decodable Codes and Private Information Retrieval Stephanie Wehner and Ronald de Wolf CWI, Kruislaan 43, 098 SJ, Amsterdam, the Netherlands. {wehner, rdewolf}@cwi.nl Abstract.

More information

Correcting Localized Deletions Using Guess & Check Codes

Correcting Localized Deletions Using Guess & Check Codes 55th Annual Allerton Conference on Communication, Control, and Computing Correcting Localized Deletions Using Guess & Check Codes Salim El Rouayheb Rutgers University Joint work with Serge Kas Hanna and

More information

Error-correcting codes and applications

Error-correcting codes and applications Error-correcting codes and applications November 20, 2017 Summary and notation Consider F q : a finite field (if q = 2, then F q are the binary numbers), V = V(F q,n): a vector space over F q of dimension

More information

MATH 291T CODING THEORY

MATH 291T CODING THEORY California State University, Fresno MATH 291T CODING THEORY Spring 2009 Instructor : Stefaan Delcroix Chapter 1 Introduction to Error-Correcting Codes It happens quite often that a message becomes corrupt

More information

Communications II Lecture 9: Error Correction Coding. Professor Kin K. Leung EEE and Computing Departments Imperial College London Copyright reserved

Communications II Lecture 9: Error Correction Coding. Professor Kin K. Leung EEE and Computing Departments Imperial College London Copyright reserved Communications II Lecture 9: Error Correction Coding Professor Kin K. Leung EEE and Computing Departments Imperial College London Copyright reserved Outline Introduction Linear block codes Decoding Hamming

More information

A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks

A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo 3rd Biennial Canadian Discrete

More information

Private Secure Coded Computation

Private Secure Coded Computation Private Secure Coded Computation Minchul Kim and Jungwoo Lee Seoul National University Department of Electrical and Computer Engineering 08826 Seoul, Korea Email: kmc1222@cml.snu.ac.kr, junglee@snu.ac.kr

More information

Secret Sharing. Qi Chen. December 14, 2015

Secret Sharing. Qi Chen. December 14, 2015 Secret Sharing Qi Chen December 14, 2015 What is secret sharing? A dealer: know the secret S and distribute the shares of S to each party A set of n parties P n {p 1,, p n }: each party owns a share Authorized

More information

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred

More information

An Introduction to (Network) Coding Theory

An Introduction to (Network) Coding Theory An to (Network) Anna-Lena Horlemann-Trautmann University of St. Gallen, Switzerland April 24th, 2018 Outline 1 Reed-Solomon Codes 2 Network Gabidulin Codes 3 Summary and Outlook A little bit of history

More information

Guess & Check Codes for Deletions, Insertions, and Synchronization

Guess & Check Codes for Deletions, Insertions, and Synchronization Guess & Chec Codes for Deletions, Insertions, and Synchronization Serge Kas Hanna, Salim El Rouayheb ECE Department, IIT, Chicago sashann@hawiitedu, salim@iitedu Abstract We consider the problem of constructing

More information

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction

More information

Where do pseudo-random generators come from?

Where do pseudo-random generators come from? Computer Science 2426F Fall, 2018 St. George Campus University of Toronto Notes #6 (for Lecture 9) Where do pseudo-random generators come from? Later we will define One-way Functions: functions that are

More information

Algebraic Geometry Codes. Shelly Manber. Linear Codes. Algebraic Geometry Codes. Example: Hermitian. Shelly Manber. Codes. Decoding.

Algebraic Geometry Codes. Shelly Manber. Linear Codes. Algebraic Geometry Codes. Example: Hermitian. Shelly Manber. Codes. Decoding. Linear December 2, 2011 References Linear Main Source: Stichtenoth, Henning. Function Fields and. Springer, 2009. Other Sources: Høholdt, Lint and Pellikaan. geometry codes. Handbook of Coding Theory,

More information

Interference Alignment in Regenerating Codes for Distributed Storage: Necessity and Code Constructions

Interference Alignment in Regenerating Codes for Distributed Storage: Necessity and Code Constructions Interference Alignment in Regenerating Codes for Distributed Storage: Necessity and Code Constructions Nihar B Shah, K V Rashmi, P Vijay Kumar, Fellow, IEEE, and Kannan Ramchandran, Fellow, IEEE Abstract

More information

Cyclic Linear Binary Locally Repairable Codes

Cyclic Linear Binary Locally Repairable Codes Cyclic Linear Binary Locally Repairable Codes Pengfei Huang, Eitan Yaakobi, Hironori Uchikawa, and Paul H. Siegel Electrical and Computer Engineering Dept., University of California, San Diego, La Jolla,

More information

Lecture 11: Quantum Information III - Source Coding

Lecture 11: Quantum Information III - Source Coding CSCI5370 Quantum Computing November 25, 203 Lecture : Quantum Information III - Source Coding Lecturer: Shengyu Zhang Scribe: Hing Yin Tsang. Holevo s bound Suppose Alice has an information source X that

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

arxiv: v1 [cs.it] 18 Jun 2011

arxiv: v1 [cs.it] 18 Jun 2011 On the Locality of Codeword Symbols arxiv:1106.3625v1 [cs.it] 18 Jun 2011 Parikshit Gopalan Microsoft Research parik@microsoft.com Cheng Huang Microsoft Research chengh@microsoft.com Sergey Yekhanin Microsoft

More information

CS Topics in Cryptography January 28, Lecture 5

CS Topics in Cryptography January 28, Lecture 5 CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems

More information

An Unconditionally Secure Protocol for Multi-Party Set Intersection

An Unconditionally Secure Protocol for Multi-Party Set Intersection An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,

More information

Alphabet Size Reduction for Secure Network Coding: A Graph Theoretic Approach

Alphabet Size Reduction for Secure Network Coding: A Graph Theoretic Approach ALPHABET SIZE REDUCTION FOR SECURE NETWORK CODING: A GRAPH THEORETIC APPROACH 1 Alphabet Size Reduction for Secure Network Coding: A Graph Theoretic Approach Xuan Guang, Member, IEEE, and Raymond W. Yeung,

More information

Lecture 6. Today we shall use graph entropy to improve the obvious lower bound on good hash functions.

Lecture 6. Today we shall use graph entropy to improve the obvious lower bound on good hash functions. CSE533: Information Theory in Computer Science September 8, 010 Lecturer: Anup Rao Lecture 6 Scribe: Lukas Svec 1 A lower bound for perfect hash functions Today we shall use graph entropy to improve the

More information

Secure Modulo Zero-Sum Randomness as Cryptographic Resource

Secure Modulo Zero-Sum Randomness as Cryptographic Resource Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum

More information

MATH3302. Coding and Cryptography. Coding Theory

MATH3302. Coding and Cryptography. Coding Theory MATH3302 Coding and Cryptography Coding Theory 2010 Contents 1 Introduction to coding theory 2 1.1 Introduction.......................................... 2 1.2 Basic definitions and assumptions..............................

More information

Applications of Galois Geometries to Coding Theory and Cryptography

Applications of Galois Geometries to Coding Theory and Cryptography Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013 1. Affine spaces 2. Projective

More information

Complete Fairness in Multi-Party Computation Without an Honest Majority

Complete Fairness in Multi-Party Computation Without an Honest Majority Complete Fairness in Multi-Party Computation Without an Honest Maority S. Dov Gordon Jonathan Katz Abstract Gordon et al. recently showed that certain (non-trivial) functions can be computed with complete

More information

Latency analysis for Distributed Storage

Latency analysis for Distributed Storage Latency analysis for Distributed Storage Parimal Parag Archana Bura Jean-François Chamberland Electrical Communication Engineering Indian Institute of Science Electrical and Computer Engineering Texas

More information

On the mean connected induced subgraph order of cographs

On the mean connected induced subgraph order of cographs AUSTRALASIAN JOURNAL OF COMBINATORICS Volume 71(1) (018), Pages 161 183 On the mean connected induced subgraph order of cographs Matthew E Kroeker Lucas Mol Ortrud R Oellermann University of Winnipeg Winnipeg,

More information

Lecture Lecture 9 October 1, 2015

Lecture Lecture 9 October 1, 2015 CS 229r: Algorithms for Big Data Fall 2015 Lecture Lecture 9 October 1, 2015 Prof. Jelani Nelson Scribe: Rachit Singh 1 Overview In the last lecture we covered the distance to monotonicity (DTM) and longest

More information

Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes

Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes Introduction to Coding Theory CMU: Spring 010 Notes 10: List Decoding Reed-Solomon Codes and Concatenated codes April 010 Lecturer: Venkatesan Guruswami Scribe: Venkat Guruswami & Ali Kemal Sinop DRAFT

More information

Entropy Rate of Stochastic Processes

Entropy Rate of Stochastic Processes Entropy Rate of Stochastic Processes Timo Mulder tmamulder@gmail.com Jorn Peters jornpeters@gmail.com February 8, 205 The entropy rate of independent and identically distributed events can on average be

More information

THIS paper is aimed at designing efficient decoding algorithms

THIS paper is aimed at designing efficient decoding algorithms IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 7, NOVEMBER 1999 2333 Sort-and-Match Algorithm for Soft-Decision Decoding Ilya Dumer, Member, IEEE Abstract Let a q-ary linear (n; k)-code C be used

More information

Capacity Region of the Permutation Channel

Capacity Region of the Permutation Channel Capacity Region of the Permutation Channel John MacLaren Walsh and Steven Weber Abstract We discuss the capacity region of a degraded broadcast channel (DBC) formed from a channel that randomly permutes

More information