CSE5313 Coding and information theory for data science (Lecture 20)
Review for Private Information Retrieval
PIR from replicated databases
For 2 replicated databases, we have the following protocol:
- User has $i \sim U_{[m]}$.
- User chooses $r_1, r_2 \sim U_{\mathbb{F}_2^m}$.
- Two queries to each server:
  - $q_{1, 1} = r_1 + e_i$, $q_{1, 2} = r_2$.
  - $q_{2, 1} = r_1$, $q_{2, 2} = r_2 + e_i$.
- Server $j$ responds with $q_{j, 1} c_j^\top$ and $q_{j, 2} c_j^\top$.
- Decoding?
  - $q_{1, 1} c_1^\top + q_{2, 1} c_2^\top = r_1 (c_1 + c_2)^\top + e_i c_1^\top = r_1 \cdot 0^\top + x_{i, 1} = x_{i, 1}$.
  - $q_{1, 2} c_1^\top + q_{2, 2} c_2^\top = r_2 (c_1 + c_2)^\top + e_i c_2^\top = x_{i, 2}$.

PIR-rate is $\frac{k}{2k} = \frac{1}{2}$.
PIR from coded parity-check databases
For 3 coded parity-check databases, we have the following protocol:
- User has $i \sim U_{[m]}$.
- User chooses $r_1, r_2, r_3 \sim U_{\mathbb{F}_2^m}$.
- Three queries to each server:
  - $q_{1, 1} = r_1 + e_i$, $q_{1, 2} = r_2$, $q_{1, 3} = r_3$.
  - $q_{2, 1} = r_1$, $q_{2, 2} = r_2 + e_i$, $q_{2, 3} = r_3$.
  - $q_{3, 1} = r_1$, $q_{3, 2} = r_2$, $q_{3, 3} = r_3 + e_i$.
- Server $j$ responds with $q_{j, 1} c_j^\top, q_{j, 2} c_j^\top, q_{j, 3} c_j^\top$.
- Decoding?
  - $q_{1, 1} c_1^\top + q_{2, 1} c_2^\top + q_{3, 1} c_3^\top = r_1 (c_1 + c_2 + c_3)^\top + e_i c_1^\top = r_1 \cdot 0^\top + x_{i, 1} = x_{i, 1}$.
  - $q_{1, 2} c_1^\top + q_{2, 2} c_2^\top + q_{3, 2} c_3^\top = r_2 (c_1 + c_2 + c_3)^\top + e_i c_2^\top = x_{i, 2}$.
  - $q_{1, 3} c_1^\top + q_{2, 3} c_2^\top + q_{3, 3} c_3^\top = r_3 (c_1 + c_2 + c_3)^\top + e_i c_3^\top = x_{i, 3}$.

PIR-rate is $\frac{k}{3k} = \frac{1}{3}$.
Beyond z=1
Star-product theme
Given $x = (x_j)_{j \in [n]}$ and $y = (y_j)_{j \in [n]}$ over $\mathbb{F}_q$, the star-product is defined as:

$$x \star y = (x_1 y_1, \ldots, x_n y_n)$$

Given two linear codes $C, D \subseteq \mathbb{F}_q^n$, the star-product code is defined as:

$$C \star D = \operatorname{span}_{\mathbb{F}_q} \{x \star y \mid x \in C, y \in D\}$$

Singleton bound for star-product:

$$d_{C \star D} \leq n - \dim C - \dim D + 2$$
PIR from a database coded with any MDS code and $z>1$
To generalize the previous scheme to $z > 1$, we need to encode multiple $r$'s together.
- As in the ramp scheme.

Recall that in the ramp scheme we use $r_1, \ldots, r_z \sim U_{\mathbb{F}_q^k}$ as our key vector to protect against collusion of the servers.

In the star-product scheme:
- Files are coded with an MDS code $C$.
- The multiple $r$'s are coded with an MDS code $D$.
- The scheme is based on the minimum distance of $C \star D$.
To code the data:
- Let $C \subseteq \mathbb{F}_q^n$ be an MDS code of dimension $k$.
- For all $j \in [m]$, encode file $x_j = (x_{j, 1}, \ldots, x_{j, k})$ using $G_C$:

$$
\begin{pmatrix}
x_{1, 1} & x_{1, 2} & \cdots & x_{1, k}\\
x_{2, 1} & x_{2, 2} & \cdots & x_{2, k}\\
\vdots & \vdots & \ddots & \vdots\\
x_{m, 1} & x_{m, 2} & \cdots & x_{m, k}
\end{pmatrix} \cdot G_C = \begin{pmatrix}
c_{1, 1} & c_{1, 2} & \cdots & c_{1, n}\\
c_{2, 1} & c_{2, 2} & \cdots & c_{2, n}\\
\vdots & \vdots & \ddots & \vdots\\
c_{m, 1} & c_{m, 2} & \cdots & c_{m, n}
\end{pmatrix}
$$

- For all $j \in [n]$, store $c_j = (c_{1, j}, c_{2, j}, \ldots, c_{m, j})$ (a column of the above matrix) in server $j$.
Let $r_1, \ldots, r_z \sim U_{\mathbb{F}_q^k}$.

To code the queries:
- Let $D \subseteq \mathbb{F}_q^k$ be an MDS code of dimension $z$.
- Encode the $r_j$'s using $G_D=[g_1^\top, \ldots, g_z^\top]$.

$$
(r_1^\top, \ldots, r_z^\top) \cdot G_D = \begin{pmatrix}
r_{1, 1} & r_{2, 1} & \cdots & r_{z, 1}\\
r_{1, 2} & r_{2, 2} & \cdots & r_{z, 2}\\
\vdots & \vdots & \ddots & \vdots\\
r_{1, m} & r_{2, m} & \cdots & r_{z, m}
\end{pmatrix}
\cdot G_D=\left((r_1^\top,\ldots, r_z^\top)g_1^\top,\ldots, (r_1^\top,\ldots, r_z^\top)g_n^\top \right)
$$
To introduce the "errors in known locations" to the encoded $r_j$'s:
- Let $W \in \{0, 1\}^{m \times n}$ with some $d_{C \star D} - 1$ entries in its $i$-th row equal to 1.
- These are the entries we will retrieve.

For every server $j \in [n]$ send $q_j = (r_1^\top, \ldots, r_z^\top) g_j^\top + w_j$, where $w_j$ is the $j$-th column of $W$.
- This is similar to the ramp scheme, where $w_j$ is the "message".
- Privacy against collusion of $z$ servers.
Response from server: $a_j = q_j c_j^\top$.

Decoding? Let $Q \in \mathbb{F}_q^{m \times n}$ be a matrix whose columns are the $q_j$'s.

$$
Q = \begin{pmatrix}
r_1^\top & \cdots & r_z^\top
\end{pmatrix} \cdot G_D + W
$$

- The user has

$$
\begin{aligned}
(q_1 c_1^\top, \ldots, q_n c_n^\top) &= \left(\sum_{j \in [m]} q_{1, j} c_{j, 1}, \ldots, \sum_{j \in [m]} q_{n, j} c_{j, n}\right) \\
&=\sum_{j \in [m]} (q_{1,j}c_{j, 1}, \ldots, q_{n,j}c_{j, n}) \\
&=\sum_{j \in [m]} q^j \star c^j
\end{aligned}
$$

where $q^j$ is a row of $Q$ and $c^j$ is a codeword in $C$ (an $[n, k]_q$ MDS code).
We have:
- $Q=(r_1^\top, \ldots, r_z^\top) \cdot G_D + W$
- $W\in \{0, 1\}^{m \times n}$ with some $d_{C \star D} - 1$ entries in its $i$-th row equal to 1.
- $(q^j \star c^j)=\sum_{j \in [m]} q^j \star c^j$
- Each $q^j$ is a row of $Q$
  - For $j \neq i$, $q^j$ is a codeword in $D$
  - $q^i = d^i + w^i$
- Therefore:

$$
\begin{aligned}
\sum_{j \in [m]} q^j \star c^j &= \sum_{j \neq i} (d^j \star c^j) + ((d^i + w^i) \star c^i) \\
&= \sum_{j \in [m]} (d^j \star c^j) + w^i \star c^i \\
&= (\text{codeword in } C \star D )+( \text{noise of Hamming weight } \leq d_{C \star D} - 1)
\end{aligned}
$$

Multiply by $H_{C \star D}$ and get $d_{C \star D} - 1$ elements of $c^i$.
- Recall that $c^i = x_i \cdot G_C$
- Repeat $\frac{k}{d_{C \star D} - 1}$ times to obtain $k$ elements of $c^i$.
  - Suffices to obtain $x_i$, since $C$ is an $[n, k]_q$ MDS code.
PIR-rate:
- $= \frac{k}{\# \text{ downloaded elements}} = \frac{k}{\frac{k}{d_{C \star D} - 1} \cdot n} = \frac{d_{C \star D} - 1}{n}$
- Singleton bound for star-product: $d_{C \star D} \leq n - \dim C - \dim D + 2$.
- Achieved with equality if $C$ and $D$ are Reed-Solomon codes.
- PIR-rate = $\frac{n - \dim C - \dim D + 1}{n} = \frac{n - k - z + 1}{n}$.
- Intuition:
  - "paying" $k$ for "reconstruction from any $k$".
  - "paying" $z$ for "protection against colluding sets of size $z$".
- Capacity unknown! (as of 2022).
  - Known for special cases, e.g., $k = 1$, $z = 1$, certain types of schemes, etc.
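
The star-product scheme end to end, as an added example (not code from the lecture): Reed-Solomon codes $C$ and $D$ over the prime field $\mathbb{F}_{13}$ with $n=5$, $k=2$, $z=2$, so $d_{C \star D} - 1 = 2 = k$ and a single round recovers $x_i$. The field, the evaluation points, the function names, and the reading of each $r_j$ as a length-$m$ vector with $D$ of length $n$ (so that $Q$ is $m \times n$) are assumptions.

```python
import secrets

P = 13                      # prime field F_13 (assumed; needs P > N)
N, K, Z = 5, 2, 2           # servers, dim C, dim D = collusion threshold z
ALPHA = [1, 2, 3, 4, 5]     # distinct Reed-Solomon evaluation points (assumed)
D_STAR = N - K - Z + 2      # d_{C*D}, Singleton bound met by RS codes

def vander(rows):           # generator matrix of RS[N, rows]
    return [[pow(a, t, P) for a in ALPHA] for t in range(rows)]

def solve(A, b):            # Gauss-Jordan over F_P, A square and invertible
    M = [row[:] + [v] for row, v in zip(A, b)]
    for c in range(len(M)):
        piv = next(r for r in range(c, len(M)) if M[r][c])
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [v * inv % P for v in M[c]]
        for r in range(len(M)):
            if r != c:
                M[r] = [(x - M[r][c] * y) % P for x, y in zip(M[r], M[c])]
    return [row[-1] for row in M]

def parity_check():         # H_{C*D}: rows u_j * alpha_j^t, t < d_{C*D} - 1
    u = []
    for a in ALPHA:
        prod = 1
        for b in ALPHA:
            if b != a:
                prod = prod * (a - b) % P
        u.append(pow(prod, -1, P))
    return [[u[j] * pow(ALPHA[j], t, P) % P for j in range(N)]
            for t in range(D_STAR - 1)]

def queries(i, m, J):       # column j of Q = (r_1..r_z) G_D + W
    R = [[secrets.randbelow(P) for _ in range(Z)] for _ in range(m)]
    return [[(sum(r * g for r, g in zip(R[f], col)) + (f == i and j in J)) % P
             for f in range(m)] for j, col in enumerate(zip(*vander(Z)))]

def retrieve(files, i):
    J = list(range(D_STAR - 1))          # coordinates of c^i that W unmasks
    G, H = vander(K), parity_check()
    servers = [[sum(x * g for x, g in zip(f, col)) % P for f in files]
               for col in zip(*G)]       # server j stores column j of X G_C
    a = [sum(x * y for x, y in zip(q, c)) % P      # a_j = q_j c_j^T
         for q, c in zip(queries(i, len(files), J), servers)]
    syn = [sum(h * v for h, v in zip(row, a)) % P for row in H]
    c_J = solve([[row[j] for j in J] for row in H], syn)   # d-1 symbols of c^i
    return solve([[G[t][j] for t in range(K)] for j in J], c_J)  # x_i
```

The user downloads $n = 5$ symbols to obtain $k = 2$, matching the rate $\frac{n - k - z + 1}{n} = \frac{2}{5}$.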
PIR over graphs
Graph-based replication:
- Every file is replicated twice on two separate servers.
- Every two servers have at most one file in common.
- "file" = "granularity" of data, i.e., the smallest information unit shared by any two servers.
A server that stores $(x_{i, j})_{j=1}^d$ receives $(q_{i, j})_{j=1}^d$, and replies with $\sum_{j=1}^d q_{i, j} \cdot x_{i, j}$.
The idea:
- Consider a 2-server replicated PIR and "split" the queries between the servers.
- Sum the responses, unwanted files "cancel out", while $x_i$ does not.
Problem: Collusion.
Solution: Add per server randomness.
Good for any graph, and any $q \geq 3$ (for simplicity assume $2 \mid q$).
The protocol:
- Choose random $\gamma \in \mathbb{F}_q^n$, $\nu \in \mathbb{F}_q^m$, and $h \in \mathbb{F} \setminus \{0, 1\}$.
- Queries:
  - If node $j$ is incident with edge $\ell$, send $q_{j, \ell} = \gamma_j \cdot \nu_\ell$ to node $j$.
    - I.e., if server $j$ stores file $\ell$.
  - Except one node $j_0$ that stores $x_i$, which gets $q_{j_0, i} = h \cdot \gamma_{j_0} \cdot \nu_i$.
- Server $j$ responds with $a_j = \sum_{\ell=1}^d q_{j, \ell} \cdot x_{i, \ell}$.
  - Where $x_{i, 1}, \ldots, x_{i, d}$ are the files adjacent with it.
Example
- Consider the following graph.
- $n = 5$, $m = 7$, and $i = 3$.
- $q_3 = \gamma_3 \cdot (v_2, v_3, v_6)$ and $a_3 = x_2 \cdot \gamma_3 v_2 + x_3 \cdot \gamma_3 v_3 + x_6 \cdot \gamma_3 v_6$.
- $q_2 = \gamma_2 \cdot (v_1, h v_3, v_4)$ and $a_2 = x_1 \cdot \gamma_2 v_1 + x_3 \cdot h \gamma_2 v_3 + x_4 \cdot \gamma_2 v_4$.

Correctness:

$$\sum_{j=1}^5 \gamma_j^{-1} a_j = (h + 1) v_3 x_3$$

$h \neq 1, v_3 \neq 0 \implies$ find $x_3$.
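
The protocol and its correctness check, as an added example (not code from the lecture), run over $\mathbb{F}_{2^8}$ on a graph with $n = 5$, $m = 7$. Nodes 2 and 3 store the files listed above; the remaining edges, the choice of field, the restriction of $\gamma$ and $\nu$ to nonzero entries (needed for $\gamma_j^{-1}$ and $v_i \neq 0$), and all function names are assumptions.

```python
import secrets

# file -> its two servers; nodes 2 and 3 hold the files the page lists,
# the remaining endpoints are constructed (the page's figure is missing)
EDGES = {1: (2, 1), 2: (3, 1), 3: (2, 3), 4: (2, 5), 5: (4, 5), 6: (3, 4), 7: (1, 4)}

def gf_mul(a, b):            # product in GF(2^8), modulus x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):               # a^(q-2) = a^254 for nonzero a
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def make_queries(i):
    gamma = {j: 1 + secrets.randbelow(255) for j in range(1, 6)}  # nonzero (assumed)
    nu = {l: 1 + secrets.randbelow(255) for l in EDGES}           # nonzero (assumed)
    h = 2 + secrets.randbelow(254)                                # h not in {0, 1}
    q = {j: {} for j in gamma}
    for l, ends in EDGES.items():
        for j in ends:
            q[j][l] = gf_mul(gamma[j], nu[l])      # q_{j,l} = gamma_j * nu_l
    j0 = EDGES[i][0]                               # the one node that gets the h factor
    q[j0][i] = gf_mul(h, q[j0][i])
    return q, gamma, nu, h

def respond(qj, x):          # server j: a_j = sum over its files of q_{j,l} * x_l
    a = 0
    for l, coeff in qj.items():
        a ^= gf_mul(coeff, x[l])
    return a

def retrieve(x, i):
    q, gamma, nu, h = make_queries(i)
    total = 0                # sum_j gamma_j^-1 a_j; other files cancel since 2 | q
    for j, qj in q.items():
        total ^= gf_mul(gf_inv(gamma[j]), respond(qj, x))
    return gf_mul(total, gf_inv(gf_mul(h ^ 1, nu[i])))   # divide by (h+1) * nu_i
```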
Parameters:
- Storage overhead 2 (for any graph).
- Download $n \cdot k$.
- PIR rate $1/n$.
Collusion resistance:
1-privacy: Each node sees an entirely random vector.
2-privacy:
- If no edge – as for 1-privacy.
- If edge exists – e.g.,
  - $\gamma_3 v_6$ and $\gamma_4 v_6$ are independent.
  - $\gamma_3 v_3$ and $h \cdot \gamma_2 v_3$ are independent.

S-privacy:
- Let $S \subseteq [n]$ (e.g., $S = \{2,3,5\}$), and consider the query matrix of their mutual files:

$$Q_S = \operatorname{diag}(\gamma_3, \gamma_2, \gamma_5) \begin{pmatrix} 1 &\\ h & 1 \\ & 1\end{pmatrix} \operatorname{diag}(v_3, v_4)$$

- It can be shown that $\Pr(Q_S)=\frac{1}{(q-1)^4}$, regardless of $i$ $\implies$ perfect privacy.
