Codes with locality: constructions and applications to cryptographic protocols (PhD defense slides, Julien Lavauzelle)



SLIDE 1

Codes with locality: constructions and applications to cryptographic protocols

Julien Lavauzelle

École Polytechnique & INRIA Saclay, Université Paris-Saclay

PhD defense 30/11/2018

SLIDE 2

Outline

  • 1. Codes with locality
    – Locality in coding theory, examples
    – Lifted projective Reed-Solomon codes
    – A combinatorial point of view
  • 2. Private information retrieval from transversal designs
    – Private information retrieval (PIR)
    – Transversal designs and codes
    – A new PIR construction
    – Instances
  • 3. Proofs-of-retrievability
  • 4. Conclusion

1/33

  • J. Lavauzelle

PhD defense – Codes with locality: constructions and applications to cryptographic protocols –



SLIDE 7

Error-correcting codes

Original goal: transmit information in the presence of noise.

  message m ∈ F_q^k  →  codeword c ∈ C ⊆ F_q^n  →  (noisy channel)  →  noisy codeword c′ ∈ F_q^n  →  decoded message m′ (= m?)

The channel introduces errors (c′_i ≠ c_i, with c′_i ∈ F_q) or erasures (c′_j = ⊥).

Hamming distance: d(u, v) := |{i ∈ [1, n] : u_i ≠ v_i}|.

  ◮ minimum distance d = d_min(C) := min{d(c, c′) : c ≠ c′, (c, c′) ∈ C²},
  ◮ C linear over F_q, with dimension k = dim(C).


SLIDE 10

Typical example: Reed-Solomon codes

Definition (Reed-Solomon code). Let x = (x_1, ..., x_n) ∈ F_q^n, pairwise distinct.

  RS_q(r, x) := {(f(x_1), ..., f(x_n)) : f ∈ F_q[X], deg f ≤ r}

(coordinate i of the codeword is c_i = f(x_i))

  ◮ Dimension k = r + 1
  ◮ Minimum distance d_min = n − r
  ◮ Can decode any b errors and e erasures if e + 2b < d_min, in time Θ(n log³ n).

In this talk, RS_q(r) := RS_q(r, F_q), i.e. the evaluation points are all of F_q (so n = q).


SLIDE 12

Local correction [Katz, Trevisan ’00]

Goal: sublinear-time correction of some symbols of c ∈ C.

Definition [KT00]. A code C ⊆ F_q^n is locally correctable with
  – locality ℓ ≤ n,
  – failure probability ε ∈ (0, 1),
  – admissible fraction of errors δ ∈ (0, 1),
if there exists a poly-time probabilistic algorithm D such that, for every y ∈ F_q^n and c ∈ C satisfying d(y, c) ≤ δn, and for every 1 ≤ i ≤ n:
  – Pr(D(y)(i) = c_i) ≥ 1 − ε;
  – D(y)(i) makes at most ℓ queries to symbols of y.

[Figure: a received word y of length n = 16; the error positions and the symbol i to be corrected are highlighted, and the local corrector reads only ℓ = 3 symbols of y.]



SLIDE 17

LCCs: goals and previous works

Goals:
  – failure probability ε ≤ f(ℓ) · δ, with f(ℓ) bounded by a constant,
  – locality ℓ ≪ k,
  – large dimension k.

Some existing constructions:

  ◮ constant locality ℓ:
    ◮ Hadamard code (folklore): ℓ = 2 and k = log(n)
    ◮ Matching vector codes [Yek08]: k subexponential in log(n)
  ◮ constant rate R = k/n:
    ◮ Reed-Muller codes (folklore): ℓ = n^{1/m} and k ≤ (1/m!) · n
    ◮ Multiplicity codes [KSY14], lifted codes [GKS13], expander codes [HOW14]: ℓ ≤ n^ε and k ≥ α · n for every ε > 0 and every α ∈ (0, 1), as n → ∞


SLIDE 21

Example: Reed-Muller codes

  RM_q(m, r) := {(f(x) : x ∈ F_q^m) : f ∈ F_q[X_1, ..., X_m], deg f ≤ r}

[Figure: the codeword c = (f(x) : x ∈ F_q²) drawn as a function on the plane F_q², with coordinate c_x = f(x), an affine line L and the restriction c|_L.]

Assume r ≤ q − 2, and let:
  – c = (f(x) : x ∈ F_q^m) ∈ RM_q(m, r),
  – φ : F_q → F_q^m affine and injective, so that L := φ(F_q) ⊂ F_q^m is an affine line.

Then the restriction of c to L (or to φ) is a Reed-Solomon codeword:
  c|_L := ((f ∘ φ)(t) : t ∈ F_q) ∈ RS_q(r).

Local correction of y ∈ F_q^{F_q^m} at coordinate i ∈ F_q^m:
  • 1. Pick at random a line L ⊂ F_q^m such that i ∈ L.
  • 2. Correct y|_L as a noisy RS_q(r) codeword, and output the corrected symbol ỹ_i.

RM_q(m, r) is locally correctable with ℓ = n^{1/m} and ε = 2/(1 − r/q) · δ.
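The two-step corrector above, as an added worked example that is not part of the talk or of the author's code: a Python implementation of Reed-Muller local correction over a prime field (the talk's RS_q(r) with q = 13, an assumption made so that field arithmetic is plain integer arithmetic mod 13), with the line decoding done by a Berlekamp-Welch decoder. All function names (`rs_decode`, `local_correct`, `demo`, ...) and the noise model in `corrupt` are mine. `demo()` encodes a random polynomial of RM_13(2, 4), corrupts 5 % of the 169 symbols and counts how often a single random line fails to return the correct symbol; each line of 13 points is an RS_13(4) codeword with d_min = 9, so a run fails only when 5 or more of the 8 errors land on the chosen line, which is the ε = δ/τ behaviour of the slide.

```python
import random
from itertools import product

P = 13  # prime field F_13 (assumption: a prime q keeps the arithmetic to ints mod P)

def solve_mod_p(A, b, p):
    """Gauss-Jordan mod p: one solution of A x = b (free unknowns set to 0), or None."""
    n, m = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, n) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(n):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][m] for i in range(r, n)):
        return None  # inconsistent: more errors than the decoder can locate
    x = [0] * m
    for i, c in enumerate(pivots):
        x[c] = M[i][m]
    return x

def poly_divmod(num, den, p):
    """Polynomial long division mod p (coefficient lists, low degree first)."""
    num, dlen = num[:], len(den)
    inv = pow(den[-1], -1, p)
    quot = [0] * max(len(num) - dlen + 1, 1)
    for i in range(len(num) - dlen, -1, -1):
        c = quot[i] = (num[i + dlen - 1] * inv) % p
        for j in range(dlen):
            num[i + j] = (num[i + j] - c * den[j]) % p
    return quot, num[:dlen - 1]

def rs_decode(xs, ys, r, p):
    """Berlekamp-Welch for RS_p(r): with at most e = (n-r-1)//2 errors, solve
    Q(x_i) = y_i * E(x_i) (E monic of degree e, deg Q <= r+e); return f = Q/E or None."""
    n, e = len(xs), (len(xs) - r - 1) // 2
    rows, rhs = [], []
    for x, y in zip(xs, ys):
        row = [pow(x, j, p) for j in range(r + e + 1)]        # unknown coefficients of Q
        row += [(-y * pow(x, j, p)) % p for j in range(e)]     # unknown low coefficients of E
        rows.append(row)
        rhs.append(y * pow(x, e, p) % p)                       # the monic leading term of E
    sol = solve_mod_p(rows, rhs, p)
    if sol is None:
        return None
    f, rem = poly_divmod(sol[:r + e + 1], sol[r + e + 1:] + [1], p)
    return None if any(rem) else f

def rm_encode(poly, m, p):
    """Codeword of RM_p(m, r): evaluate poly (dict exponent tuple -> coefficient) on F_p^m."""
    def ev(x):
        total = 0
        for degs, coeff in poly.items():
            for xi, d in zip(x, degs):
                coeff = coeff * pow(xi, d, p) % p
            total += coeff
        return total % p
    return {x: ev(x) for x in product(range(p), repeat=m)}

def local_correct(y, i, r, p, rng):
    """One run of the local corrector at coordinate i of the noisy word y: pick a random
    line phi(t) = i + t*a through i, decode its p symbols as RS_p(r), return the value at t = 0."""
    a = tuple(rng.randrange(p) for _ in i)
    while not any(a):
        a = tuple(rng.randrange(p) for _ in i)
    ts = list(range(p))
    line = [tuple((ii + t * ai) % p for ii, ai in zip(i, a)) for t in ts]
    f_line = rs_decode(ts, [y[pt] for pt in line], r, p)
    return None if f_line is None else f_line[0]   # (f o phi)(0) = f(i)

def corrupt(c, delta, rng):
    """Constructed noise: alter a delta fraction of the symbols of the codeword c."""
    y = dict(c)
    for pt in rng.sample(list(y), int(delta * len(y))):
        y[pt] = (y[pt] + rng.randrange(1, P)) % P
    return y

def demo(delta=0.05, trials=100, seed=1):
    """RM_13(2, 4): n = 169, locality 13, each line corrects up to 4 errors; count failures."""
    rng = random.Random(seed)
    m, r = 2, 4
    poly = {(a, b): rng.randrange(P) for a in range(r + 1) for b in range(r + 1 - a)}
    c = rm_encode(poly, m, P)
    y = corrupt(c, delta, rng)
    failures = 0
    for _ in range(trials):
        i = tuple(rng.randrange(P) for _ in range(m))
        failures += local_correct(y, i, r, P, rng) != c[i]
    return failures
```

The same loop is the local corrector of the design-based codes later in the talk: replace the random line through i by a random block B containing i, and the RS decoder by the decoder of F_B.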


SLIDE 26

High-rate construction: lifted codes (1)

Issue: if r ≤ q − 2, the rate of RM_q(m, r) is ≃ (r/q)^m / m!.

Idea: consider the set of all polynomials f satisfying the “restriction property”: for every affine line L given by φ,
  ((f ∘ φ)(t) : t ∈ F_q) ∈ RS_q(r).
Are there more such polynomials than in RM codes?

Example (q = 4, m = 2, r = 2). Take f(X, Y) = X²Y² ∈ F_4[X, Y], so deg(f) = 4 > 2. An affine line L is given by φ(T) = (aT + b, cT + d), and, since squaring is additive in characteristic 2,

  (f ∘ φ)(T) = (aT + b)²(cT + d)² = (a²T² + b²)(c²T² + d²) = (ac)²T⁴ + (ad + bc)²T² + (bd)²
             = (ad + bc)²T² + (ac)²T + (bd)²   mod (T⁴ − T)

⇒ for every φ, the “restriction” (f ∘ φ)(T) can be interpolated as a univariate polynomial of degree ≤ 2, although deg f = 4.


SLIDE 29

High-rate construction: lifted codes (2)

  ◮ A_m := F_q^m, and ev_{A_m}(f) := (f(x) : x ∈ F_q^m) ∈ F_q^{A_m}
  ◮ Emb_A(m) := {φ : F_q → F_q^m, injective and affine}

Definition (lifted Reed-Solomon code [GKS13], reformulated).
  Lift(RS_q(r), m) := {ev_{A_m}(f) : f ∈ F_q[X_1, ..., X_m], ∀φ ∈ Emb_A(m), ev_{A_1}(f ∘ φ) ∈ RS_q(r)}

Lift(RS_q(r), m) is locally correctable with ℓ = n^{1/m} and ε = 2/(1 − r/q) · δ (same local corrector as for RM codes: restrict to a random line through the coordinate and decode the RS codeword).

What about the dimension/rate?

Theorem (characteristic 2, simplified from [GKS13]). For every m ≥ 2 and 0 < R_0 < 1, there exist q > 0 and r ≤ q − 2 such that Lift(RS_q(r), m) is locally correctable with rate R ≥ R_0.


SLIDE 31

Rate of lifted codes

Bounds in [GKS13] are far from being tight.

  ◮ Ex: for m = 2 and R_0 = 1/2, the GKS theorem requires n = q^m ≥ 2^64.

Theorem [characteristic 2, finite length n = q² = 2^{2e}]. For m = 2, q = 2^e and r = (1 − 2^{−c})q − 1,

  R = 1 − (5/4)·(3/4)^c + (1/4)·(1/4)^c + (1/2^e)·(3^c − 1)/2^{c+2}.

  ◮ actually, n = q² ≥ 2⁶ = 64 is enough to achieve R ≥ 1/2 (q = 8, c = 3, i.e. r = 6, gives R = 37/64).


SLIDE 33

Degree sets

Lifted codes are monomial, i.e. generated by evaluations of monomials ev_{A_m}(X_1^{d_1} ··· X_m^{d_m}) = ev_{A_m}(X^d).

Degree set of a monomial code [GKS13]: Deg(C) := {d ∈ [0, q − 1]^m : ev_{A_m}(X^d) ∈ C}

[Figure: a representation for m = 2, each degree set drawn as a set of points (d_1, d_2) in the square [0, q − 1]²: RM_4(2, 4), RM_4(2, 2) and Lift(RS_4(2), 2).]

SLIDE 34

“Fractal” representation of degree sets

[Figure: degree sets in the (d_1, d_2) plane for q = 16, r = 14; q = 8, r = 6; q = 4, r = 2 (in each case r = q − 2).]
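The degree sets drawn on the last two slides, and the r = q − 2 (parity-check) case discussed later in the talk, can be computed rather than drawn. The following is an added example and not code from the talk or the thesis: it implements F_{2^s} arithmetic for s ∈ {2, 3, 4} (the irreducible polynomials are my choice), computes Deg(Lift(RS_q(r), 2)) directly from the definition by restricting every monomial to every affine line and testing membership in RS_q(r) through the dual code (Σ_t v_t t^j = 0 for 0 ≤ j ≤ q − 2 − r), and compares the result with the closed-form Lucas'-theorem criterion of [GKS13] as I restate it. All function names are mine.

```python
from itertools import product

# Assumption: F_{2^s} elements are ints < 2^s, addition is XOR, multiplication is the
# carry-less product reduced modulo an irreducible polynomial of degree s (my choice).
IRRED = {2: 0b111, 3: 0b1011, 4: 0b10011}   # x^2+x+1, x^3+x+1, x^4+x+1

def gf_mul(x, y, s):
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> s:
            x ^= IRRED[s]
    return r

def pow_table(s):
    """pw[x][d] = x^d in F_{2^s}, with the evaluation convention 0^0 = 1."""
    q = 1 << s
    pw = [[1] * q for _ in range(q)]
    for x in range(q):
        for d in range(1, q):
            pw[x][d] = gf_mul(pw[x][d - 1], x, s)
    return pw

def in_rs(values, r, s, pw):
    """Is (values[t])_{t in F_q} a codeword of RS_q(r)?  For full-length RS codes the
    dual is RS_q(q-2-r), so: v in RS_q(r) iff sum_t v_t * t^j = 0 for 0 <= j <= q-2-r."""
    q = 1 << s
    for j in range(q - 1 - r):
        acc = 0
        for t, v in enumerate(values):
            acc ^= gf_mul(v, pw[t][j], s)
        if acc:
            return False
    return True

def directions(q, m):
    """One vector per direction of affine lines (first nonzero coordinate = 1):
    reparametrising T -> lambda*T does not change the degree of the restriction."""
    out = []
    for a in product(range(q), repeat=m):
        nz = [x for x in a if x]
        if nz and nz[0] == 1:
            out.append(a)
    return out

def degree_set_bruteforce(s, m, r):
    """Deg(Lift(RS_q(r), m)) straight from the definition: keep X^d iff its restriction
    to every affine line phi(T) = a*T + b lies in RS_q(r)."""
    q, pw = 1 << s, pow_table(s)
    pts = list(product(range(q), repeat=m))
    degs = set()
    for d in pts:
        ok = True
        for a, b in product(directions(q, m), pts):
            vals = []
            for t in range(q):
                v = 1
                for ai, bi, di in zip(a, b, d):
                    v = gf_mul(v, pw[gf_mul(ai, t, s) ^ bi][di], s)
                vals.append(v)
            if not in_rs(vals, r, s, pw):
                ok = False
                break
        if ok:
            degs.add(d)
    return degs

def degree_set_lucas(s, m, r):
    """The same set via the [GKS13] criterion as I restate it: by Lucas' theorem,
    (a_i T + b_i)^{d_i} only contains T^{e_i} for e_i a bit-submask of d_i, so X^d is in
    the lift iff every exponent sum |e|, reduced modulo T^q = T, is at most r."""
    q = 1 << s
    reduce_exp = lambda k: 0 if k == 0 else 1 + (k - 1) % (q - 1)
    degs = set()
    for d in product(range(q), repeat=m):
        subs = [[e for e in range(q) if e & di == e] for di in d]
        if all(reduce_exp(sum(e)) <= r for e in product(*subs)):
            degs.add(d)
    return degs

def rates(s, m, r):
    """(rate of RM_q(m, r), rate of Lift(RS_q(r), m)) for q = 2^s."""
    q = 1 << s
    rm = sum(1 for d in product(range(q), repeat=m) if sum(d) <= r)
    return rm / q ** m, len(degree_set_lucas(s, m, r)) / q ** m
```

For r = q − 2 and m = 2 the criterion collapses to "d_1 OR d_2 ≠ q − 1" (bitwise), which is the Sierpinski-like picture of the "fractal" slide, and gives rates 7/16, 37/64 and 175/256 for q = 4, 8, 16, above 1/2 from q = 8 on, as stated on the rate slide. `degree_set_bruteforce` is the ground truth and is quadratic in the number of lines, so keep it to q ≤ 8.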


SLIDE 36

Evaluation on projective spaces

Projective space P^m := (A^{m+1} \ {0}) / ∼, where a ∼ b iff ∃λ ∈ F_q^×, a = λb.

Defining an evaluation map over P^m requires:
  ◮ homogeneous polynomials f ∈ F_q[X]_v^H of fixed degree v,
  ◮ to choose a representative for every u ∈ P^m (see [Lac86]): u = (0 : ··· : 0 : 1 : ∗ : ··· : ∗) ∈ P^m.

We get: f(u) := f(0, ..., 0, 1, ∗, ..., ∗) ∈ F_q and ev_{P^m}(f) := (f(u) : u ∈ P^m) ∈ F_q^{P^m}.


SLIDE 38

Projective lifted codes

Example. Projective Reed-Solomon code:
  PRS_q(r) = {ev_{P^1}(f) = (f(x) : x ∈ P^1) : f ∈ F_q[X, Y]_r^H}

Let Emb_P(m) := {φ : F_q² → F_q^{m+1}, linear and injective}.

Definition (lifted projective RS codes). Let v = r + (m − 1)(q − 1).
  Lift(PRS_q(r), m) := {ev_{P^m}(f) : f ∈ F_q[X]_v^H, ∀φ ∈ Emb_P(m), ev_{P^1}(f ∘ φ) ∈ PRS_q(r)}


SLIDE 44

Main results on projective lifted codes

Projective lifted codes...

  ◮ are locally correctable, with parameters (ℓ = q + 1, δ, ε = δ/τ), where τ is the relative correction capability of the small PRS code
  ◮ are monomial, with an explicit bijection between the degree sets of Lift(RS_q(r − 1), m), Lift(PRS_q(r), m) and Lift(PRS_q(r), m − 1)
  ◮ satisfy the puncturing/shortening relation (an exact sequence)
      0 → Lift(RS_q(r − 1), m) → Lift(PRS_q(r), m) →(π) Lift(PRS_q(r), m − 1) → 0,
    where π is induced by the projection P^m → P^{m−1}
  ◮ are (up to equivalence)
      – cyclic codes if q − 1 and n = |P^m| = (q^{m+1} − 1)/(q − 1) are coprime,
      – quasi-cyclic codes if q − 1 and n/gcd(n, q − 1) are coprime
  ◮ admit many explicit and easily computable information sets

Details in: Lifted Projective Reed-Solomon Codes, J. Lavauzelle, DCC (Designs, Codes and Cryptography), to appear, doi:10.1007/s10623-018-0552-8



SLIDE 47

Lifted codes when r = q − 2

Remark. Assume r = q − 2. Then RS_q(q − 2) is the parity-check code:

  a ∈ RS_q(q − 2)  ⇔  Σ_{i=1}^{q} a_i = 0,
  c ∈ Lift(RS_q(q − 2), m)  ⇔  for every affine line L ⊆ F_q^m, Σ_{x∈L} c_x = 0.

A (non-full-rank) parity-check matrix for Lift(RS_q(q − 2), m): rows indexed by the lines of F_q^m, columns by the points of F_q^m; the row of a line L is the indicator vector of L (a 1 in the column of each point of L, 0 elsewhere).


SLIDE 50

Block designs

Point-line incidences in the affine space form the affine geometry 2-design.

Definition. A t-design of parameters (n, ℓ, λ) consists in:
  ◮ a set X of points, |X| = n,
  ◮ a set 𝓑 of blocks B ⊂ X, each of size |B| = ℓ,
such that every t-subset of X appears in exactly λ blocks.

Incidence matrix of a design: rows indexed by the blocks in 𝓑, columns by the points in X; the row of a block B is the indicator vector of B.


SLIDE 52

Codes based on designs, and generalisation

The code based on the design D = (X, 𝓑) is the code C = Code(D) ⊆ F_q^X admitting the incidence matrix of D as a parity-check matrix:
  Code(D) = {c ∈ F_q^X : ∀B ∈ 𝓑, c|_B ∈ Parity},
where Parity is the parity-check code (coordinates summing to 0) of length |B|.

Remark. The dimension of Code(D) is highly dependent on the field F_q.

Let F = (F_B ⊆ F_q^B : B ∈ 𝓑) be a family of codes indexed by the blocks B ∈ 𝓑. The generalised design-based code based on (D, F) is
  Code(D, F) := {c ∈ F_q^X : ∀B ∈ 𝓑, c|_B ∈ F_B}.

SLIDE 53

Design-based codes and LCCs

Generalised design-based code C = Code(D, F), where
  – D is a t-(n, ℓ + 1, λ)-design,
  – τ ∈ (0, 1/2) is fixed,
  – F = (F_B : B ∈ 𝓑) is such that every code in F corrects a fraction τ of errors.

Algorithm. Local correction of y ∈ F_q^X at i ∈ X:
  ◮ Pick uniformly at random a block B ∈ 𝓑 such that i ∈ B.
  ◮ Correct y|_B as a noisy codeword of F_B, and output the corrected symbol ỹ_i.

Proposition [t = 2]. For every δ < τ/2, Code(D, F) is an (ℓ, δ, ε)-LCC, where ε = δ/τ.

Proposition [t = 3]. For every δ < τ − 1/√(2ℓ), Code(D, F) is an (ℓ, δ, ε)-LCC, where
  ε = δ(1 − δ)/(τ − δ)² · 1/ℓ ≤ 1/(τ²ℓ) · δ.



SLIDE 58

Problem statement

Given a remote database F ∈ F_q^k and an index 1 ≤ i ≤ k, can we retrieve the entry F_i without leaking information on the index i?

Trivial solution: full download.

Solutions with better communication complexity:
  ◮ With 1 server, only computational privacy is possible [CGKS95, CG97].
  ◮ With ℓ ≥ 2 servers, one can achieve information-theoretic privacy [CGKS95-98].


SLIDE 63

Definition of PIR [CGKS95]

Given a file F and ℓ servers S_1, ..., S_ℓ, user U wants to recover F_i privately. A Private Information Retrieval protocol is a set of algorithms (Q, A, R):
  • 1. U generates a query vector q = (q_1, ..., q_ℓ) ← Q(i) and sends q_j to server S_j.
  • 2. Each server S_j computes a_j = A(q_j, F|_{S_j}) and sends it back to U.
  • 3. U recovers F_i = R(q, a, i).

[Figure: U sends (q_1, ..., q_ℓ) to S_1, S_2, ..., S_ℓ and receives (a_1, ..., a_ℓ).]

Information-theoretic privacy: I(i ; q_j) = 0 for all j = 1, ..., ℓ (each server's query, taken alone, is statistically independent of the index).

slide-66
SLIDE 66

Motivation

Usual goals for PIR:

◮ Low communication complexity
◮ Low storage overhead for the servers
◮ Low computation complexity for algorithms A (server) and R (user)

Most constructions focus on the download communication complexity – up to the PIR capacity [SJ17] – but require Ω(k) computation complexity for each server. We here focus on the computation complexity, crucial for practicality [OG10].


slide-71
SLIDE 71

Transversal designs

A transversal design TD(ℓ, s) = (X, B, G) is given by:

◮ X a set of points, |X| = n = sℓ,
◮ groups G = {Gj}1≤j≤ℓ satisfying X = G1 ⊔ · · · ⊔ Gℓ (a disjoint union) and |Gj| = s,
◮ blocks B ∈ B satisfying
  – B ⊂ X and |B| = ℓ;
  – for all {i, j} ⊂ X, {i, j} lie either in a single group G ∈ G, or in a unique block B ∈ B.

[Figure: the groups G1, G2, . . . , Gℓ−1, Gℓ drawn side by side, with two points i and j marked.]

  • Its incidence matrix (between points and blocks) defines a code.


slide-72
SLIDE 72

Example

The transversal design TD(3, 3) represented by:

[Figure: three groups G1, G2, G3 of three points each, with three of the blocks B1, B2, B3 drawn across them.]

gives a 9 × 9 incidence matrix H between points and blocks (27 ones in total: each of the 9 blocks contains 3 points). Its rank over F3 is 6 ⇒ the associated code C is a [9, 3]3 code.


slide-76
SLIDE 76

The PIR scheme

Let C ⊆ Fq^n be a code based on a TD(ℓ, s).

  • Initialisation. User U encodes F → c ∈ C, and gives c|Gj to server Sj.
  • To recover Fi = ci, with i ∈ X:
  • 1. User U randomly picks a block B ∈ B containing i. Then U defines:
    qj = Q(i)j := the unique point of B ∩ Gj if i ∉ Gj, and a random point in Gj otherwise.
  • 2. Each server Sj sends back cqj.
  • 3. U recovers ci = − ∑_{j : i ∉ Gj} cqj = − ∑_{b ∈ B \ {i}} cb.


slide-79
SLIDE 79

Privacy and parameters

  • Theorem. This PIR protocol is information-theoretically private.

Proof:
  – the only server which holds Fi received a random query;
  – for each other server Sj, query qj gives no information on the block B which has been picked ⇒ no information leaks on i.

Features.

◮ communication complexity: ℓ log s uploaded bits, ℓ log q downloaded bits
◮ computational complexity:
  ◮ only 1 read for each server (somewhat optimal)
  ◮ ≤ ℓ additions over Fq for the user
◮ storage overhead: (n − k) log q bits

Question: transversal designs with good k depending on (ℓ, s)?
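The TD(3, 3) of the Example slide and the PIR scheme above, run end to end. This is an added example, not code from the thesis: it assumes that the points of F3^2 are indexed 3x + y, that the groups are the vertical lines x = j (one per server) and the blocks the nine non-vertical lines y = ax + b, and it takes C to be the kernel over F3 of the block/point incidence matrix, with the reduced kernel basis as generator matrix. It confirms the rank 6 and dimension 3 stated on the Example slide, retrieves every ci with a single read per server, and enumerates all of U's randomness to show that each server's query qj is uniform on Gj whatever i is, which is the I(i ; qj) = 0 property used in the privacy theorem.

```python
"""Toy run of the transversal-design PIR scheme on the TD(3, 3) built from the
affine plane over F_3 (the classical affine transversal design with q = 3, m = 2).
Added example, not code from the thesis.  Assumptions: point (x, y) is indexed
3*x + y, group G_j is the vertical line x = j, the blocks are the nine lines
y = a*x + b, and C is the kernel over F_3 of the block/point incidence matrix."""
from collections import Counter
import random

Q = 3                  # F_3; the design is TD(l, s) with l = s = 3 (3 servers)
N = Q * Q              # n = s * l = 9 points


def point_index(x, y):
    return Q * x + y


GROUPS = [[point_index(j, y) for y in range(Q)] for j in range(Q)]        # G_j = {x = j}
BLOCKS = [[point_index(x, (a * x + b) % Q) for x in range(Q)]             # y = a x + b
          for a in range(Q) for b in range(Q)]


def incidence_matrix():
    """H: one row per block, H[r][p] = 1 iff point p lies on block r."""
    H = [[0] * N for _ in BLOCKS]
    for r, block in enumerate(BLOCKS):
        for p in block:
            H[r][p] = 1
    return H


def rref_mod_q(M):
    """Reduced row echelon form over F_Q; returns (nonzero rows, pivot columns)."""
    M = [row[:] for row in M]
    pivots, row = [], 0
    for col in range(len(M[0])):
        piv = next((r for r in range(row, len(M)) if M[r][col] % Q), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, Q)
        M[row] = [(v * inv) % Q for v in M[row]]
        for r in range(len(M)):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % Q for a, b in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    return M[:row], pivots


def generator_matrix(H):
    """Basis of C = {c : H c = 0}: one vector per free column of rref(H).
    Each vector is 1 on its own free column and 0 on the other free columns,
    so the encoding below is systematic on the free positions (F_i = c_i)."""
    R, pivots = rref_mod_q(H)
    basis = []
    for f in (c for c in range(N) if c not in pivots):
        v = [0] * N
        v[f] = 1
        for r, p in zip(R, pivots):
            v[p] = (-r[f]) % Q
        basis.append(v)
    return basis


def encode(file_symbols, G):
    """c = F * G over F_Q; the file has k = len(G) symbols."""
    assert len(file_symbols) == len(G)
    return [sum(f * g[col] for f, g in zip(file_symbols, G)) % Q for col in range(N)]


def query(i, rng=random):
    """Step 1: pick a random block B through i; q_j is the point of B in G_j,
    except that the server whose group holds i gets a uniformly random point."""
    B = rng.choice([b for b in BLOCKS if i in b])
    return [rng.choice(Gj) if i in Gj else next(p for p in B if p in Gj) for Gj in GROUPS]


def answer(j, q_j, c):
    """Step 2: server j stores c|G_j and performs exactly one read."""
    assert q_j in GROUPS[j]
    return c[q_j]


def reconstruct(i, a):
    """Step 3: every block is a parity check of C, so c_i = -(sum of the others)."""
    return (-sum(a_j for j, a_j in enumerate(a) if i not in GROUPS[j])) % Q


def retrieve(i, c, rng=random):
    q = query(i, rng)
    return reconstruct(i, [answer(j, q[j], c) for j in range(len(GROUPS))])


def query_distribution(i, j):
    """Exact law of q_j when retrieving c_i, enumerating all of U's randomness
    (block through i x dummy point).  It is uniform on G_j for every i."""
    counts = Counter()
    for B in (b for b in BLOCKS if i in b):
        for r in GROUPS[j]:
            counts[r if i in GROUPS[j] else next(p for p in B if p in GROUPS[j])] += 1
    return counts


def demo(seed=0):
    """Returns (rank of H over F_3, dim C, True iff every c_i was retrieved)."""
    H = incidence_matrix()
    G = generator_matrix(H)
    c = encode([1, 2, 0], G)                 # constructed 3-symbol file
    rng = random.Random(seed)
    ok = all(retrieve(i, c, rng) == c[i] for i in range(N))
    return len(rref_mod_q(H)[0]), len(G), ok
```

`demo()` returns `(6, 3, True)`, matching the [9, 3]3 code of the Example slide, and `query_distribution(i, j)` returns a count of 3 for each of the three points of Gj, for every choice of i and j: the server that holds ci sees a uniformly random dummy, and any other server sees the intersection of Gj with one of the three blocks through i, each of which is a different point. The storage overhead of this toy instance, (n − k) log q = 6 log 3 bits for 3 log 3 bits of file, is what the later slides try to improve.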


slide-84
SLIDE 84

Instances with geometric designs

TA, the classical affine transversal design:

◮ X = Fq^m, m ≥ 2,
◮ G a set of q disjoint hyperplanes partitioning X,
◮ B = {affine lines L secant to each group of G}.

  • Proposition. The code based on TA is identical to the code based on the affine geometry design (i.e. the lifted code with r = q − 2).

Instances:
  – 3.2% storage overhead if #entries ≤ (#servers)^2
  – 27% storage overhead if #entries ≤ (#servers)^3

Question: better instances?


slide-89
SLIDE 89

Instances with orthogonal arrays

An orthogonal array OA(t, ℓ, s) of strength t is a list A of words
  – of length ℓ,
  – over a finite set S, |S| = s,
  – such that, for every I ⊂ [1, ℓ] of size t, A|I = S^t.
Equivalently, an OA(t, ℓ, s) is a code A ⊂ S^ℓ with dual distance t + 1.

Construction OA → TD:

◮ X = S × [1, ℓ]
◮ G = {S × {i}, 1 ≤ i ≤ ℓ}
◮ B = {{(ci, i), 1 ≤ i ≤ ℓ}, c ∈ OA}

Example: S = {a, b}, OA(2, 3, 2) = {abb, bba, bab, aaa}, giving the point set X = {(a, 1), (a, 2), (a, 3), (b, 1), (b, 2), (b, 3)}.



slide-94
SLIDE 94

Resisting collusions

  • Proposition. For t = 2, an OA(t, ℓ, s) gives a TD(ℓ, s).

Experimentally, for t = 2 and small ℓ and s, codes based on classical affine TDs have the largest dimension.

For t ≥ 3, we get TDs such that: for every t-set T of points lying in t different groups, there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t − 1 colluding servers.

◮ OAs with t > 2 exist (e.g. from Reed-Solomon codes)
◮ But associated TDs lead to codes with poor rates except for t ≪ ℓ

Details in: Private Information Retrieval from Transversal Designs, L., IEEE TIT, to appear, 10.1109/TIT.2018.2861747



slide-97
SLIDE 97

Proofs-of-retrievability [Juels, Kaliski ’07]

Issue: a client wants to verify if a file stored on a server is still retrievable, with a low-communication challenge-response protocol.

[Figure: the client asks the server “can I get my file?”; the exchange costs only a few bits.]

Additional constraints: unbounded-use, low client storage, low computation


slide-98
SLIDE 98

PoR with lifted codes

C = Lift(RSq(r), m)

Assumption: one can compute independent pseudo-random permutations σi^(κ) ∈ S(Fq), 1 ≤ i ≤ n, κ ∈ K.

Initialisation:
◮ User picks κ ∈ K at random
◮ File F is encoded and permuted as follows: F → c ∈ C → w = σ(c) = (σ1^(κ)(c1), . . . , σn^(κ)(cn)) ∈ Fq^n
◮ User stores κ, server stores w

Verification:
◮ User picks a line L ⊂ Fq^m at random and sends it to the server
◮ Server reads w|L and sends it back to the user
◮ User accepts iff σ^−1(w|L) ∈ RSq(r)

slide-101
SLIDE 101

Results

Informal result (for the lifted code with m = 2): for every ε ≤ ε0 ≃ 1, we have: if the server answers correctly to a fraction ≥ 1 − ε of the challenges, then with probability ≥ 1 − O(1 / (n (ε0 − ε)^2)) the file is extractable from the server.

Details in: New Proofs of Retrievability using Locally Decodable Codes, L. & Levy-dit-Vehel, IEEE International Symposium on Information Theory, 2016

This idea can be generalised to other codes such as design-based codes.

Details in: Generic Constructions of PoRs from Codes and Instantiations, L. & Levy-dit-Vehel, submitted, 2018
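The PoR of the "PoR with lifted codes" slide with m = 2, run over every possible challenge so that the fraction of correctly answered challenges in the result above can be read off directly. This is an added example, not code from the thesis: q = 7 and r = 2 are sample parameters; the file is encoded as the evaluation table of a bivariate polynomial of total degree ≤ r, which lies in Lift(RSq(r), 2) because its restriction to any line is a univariate polynomial of degree ≤ r; and the keyed permutations σi^(κ) are emulated by shuffling Fq with a generator seeded from HMAC-SHA256(κ, i), a stand-in for a real pseudo-random permutation family. An honest server passes all q^2 + q = 56 lines; a server that has lost one symbol fails exactly the q + 1 = 8 lines through that point, because a codeword of RSq(r) with a single coordinate changed is at distance 1 from the code, below its minimum distance q − r.

```python
"""Toy lifted-code proof of retrievability (m = 2) and the audit rate of a server
whose copy of w has been damaged.  Added example, not code from the thesis.
Assumptions: q = 7, r = 2; the file is the evaluation table of a bivariate
polynomial of total degree <= r (inside Lift(RS_q(r), 2)); sigma_i^(kappa) is
emulated by a keyed shuffle of F_q seeded from HMAC-SHA256(kappa, i)."""
import hashlib
import hmac
import random
from itertools import product

Q, R = 7, 2                                   # F_7 and degree bound r (sample values)
POINTS = list(product(range(Q), repeat=2))    # F_q^2; index of (x, y) is Q*x + y


def encode(coeffs):
    """c = evaluations on F_q^2 of sum a_(i,j) x^i y^j with total degree <= R."""
    assert all(i + j <= R for i, j in coeffs)
    return [sum(a * pow(x, i, Q) * pow(y, j, Q) for (i, j), a in coeffs.items()) % Q
            for x, y in POINTS]


def sigma(kappa, i):
    """Emulated sigma_i^(kappa): a permutation of F_q derived from kappa and i."""
    seed = hmac.new(kappa, i.to_bytes(4, "big"), hashlib.sha256).digest()
    perm = list(range(Q))
    random.Random(seed).shuffle(perm)
    return perm


def permute(c, kappa):
    """Initialisation: w = (sigma_1(c_1), ..., sigma_n(c_n)); the server keeps w."""
    return [sigma(kappa, i)[v] for i, v in enumerate(c)]


def lines():
    """All q^2 + q affine lines of F_q^2, each as point indices in parameter order."""
    idx = {p: k for k, p in enumerate(POINTS)}
    L = [[idx[(t, (a * t + b) % Q)] for t in range(Q)] for a in range(Q) for b in range(Q)]
    L += [[idx[(b, t)] for t in range(Q)] for b in range(Q)]      # vertical lines
    return L


def lagrange_eval(xs, ys, x):
    """Value at x of the polynomial over F_q through the points (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def in_rs(values):
    """values[t] for t in F_q lies in RS_q(R) iff the polynomial interpolated
    through the first R + 1 points reproduces all q values."""
    xs = list(range(R + 1))
    return all(lagrange_eval(xs, values[:R + 1], t) == values[t] for t in range(Q))


def verify(kappa, w, line):
    """One challenge: the server reads w|L; the user undoes the permutations
    coordinate by coordinate and accepts iff the result is in RS_q(R)."""
    answer = [w[k] for k in line]                                  # |L| = q reads
    plain = [sigma(kappa, k).index(v) for k, v in zip(line, answer)]
    return in_rs(plain)


def audit(kappa, w):
    """(accepted challenges, total challenges) over every line of F_q^2."""
    L = lines()
    return sum(verify(kappa, w, l) for l in L), len(L)


def demo():
    """Audit results for an honest server and for one that corrupted a symbol."""
    kappa = b"constructed demo key"                                # user stores kappa only
    coeffs = {(0, 0): 3, (1, 0): 1, (0, 1): 5, (2, 0): 2, (1, 1): 6, (0, 2): 4}
    w = permute(encode(coeffs), kappa)
    damaged = w[:]
    damaged[0] = (damaged[0] + 1) % Q                              # one symbol altered
    return audit(kappa, w), audit(kappa, damaged)
```

`demo()` returns `((56, 56), (48, 56))`: the honest server answers every challenge, the damaged one answers a fraction 1 − ε = 6/7 of them, and a user sampling lines at random detects the damage with probability 1/7 per challenge. Each challenge costs the server only q = 7 reads out of n = 49 symbols, and the client stores nothing but κ, which is the low-storage, unbounded-use setting of the previous slides.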

slide-103
SLIDE 103

Conclusion

◮ Analysis and generalisation of a family of high-rate locally correctable codes, namely lifted Reed-Solomon codes
◮ Combinatorial formalism for the construction of locally correctable codes, thanks to block designs
◮ Application to private information retrieval (PIR)
◮ Application to proofs of retrievability (PoR)


slide-104
SLIDE 104

Future works

◮ PIR with low server computation complexity
  ◮ 1 server read → constant/sublinear number of server reads
◮ Extend the lifting process to other geometric varieties
  ◮ e.g. the Hermitian variety
◮ Design-based codes allow us to remove probabilistic decoders from a definition of locally correctable codes
  ◮ “usual” combinatorial coding-theoretic version of LCCs
  ◮ new constructions? new bounds?
