SLIDE 1

Private information retrieval schemes based on codes

Julien Lavauzelle

IRMAR, Université de Rennes 1

Séminaire Mathématiques Discrètes, Codes et Cryptographie 20/02/2020

SLIDE 5

Cryptographic primitives based on codes

Best-known cryptographic primitive based on coding theory: the McEliece public-key encryption scheme (+ many variants).

But... many other ones:
  • signature (CFS, Wave), identification schemes (Stern),
  • secret sharing schemes (Shamir),
  • proofs of retrievability,
  • private information retrieval.

1/25

  • J. Lavauzelle

Séminaire LAGA – Construction of PIR schemes based on codes –

SLIDE 6

Outline

  • 1. Private information retrieval
  • 2. PIR schemes with low computation
      – Transversal designs and codes
      – A PIR scheme with transversal designs
      – Towards collusion resistance
      – PIR schemes with lifted codes
  • 3. Other constructions of PIR schemes
  • 4. Conclusion

SLIDE 10

Problem statement

Private information retrieval (PIR):

Given a remote database F = (F1, . . . , FM) ∈ Σ^M and an index i ∈ [1, M], can we retrieve the entry/file Fi without leaking any information on i?

Application: private search, medical data, etc.

Trivial solution: full download.

SLIDE 14

Definition of PIR

Introduced in:

Private Information Retrieval. Chor, Goldreich, Kushilevitz, Sudan. FOCS. 1995.

A database F = (F1, . . . , Fm) is stored (in some way) on n servers S1, . . . , Sn. A user U wants to recover Fi privately. A Private Information Retrieval protocol is a set of algorithms (Q, A, R):

  • 1. U generates a query vector q = (q1, . . . , qn) ← Q(i) and sends qj to server Sj.
  • 2. Each server Sj computes rj = A(qj, F|Sj) and sends it back to U.
  • 3. U recovers Fi = R(q, r, i).

[Figure: the user U sends (q1, . . . , qn) to the servers S1, S2, . . . , Sn and receives (r1, . . . , rn) back.]

SLIDE 17

Privacy

A collusion of servers: a set of servers {Sj : j ∈ T}, where T ⊂ [1, n], which exchange information about queries, data, etc.

t := max{|T| : T ⊆ [1, n] is a collusion} ≥ 1

  • Information-theoretic privacy: I(i; q|T) = 0, ∀T ⊆ [1, n], |T| ≤ t.
  • Computational privacy: by varying the index i, the distributions of queries q|T = Q(i)|T are computationally indistinguishable.

Theorem [CGKS95, CG97]. If t = n (in particular if n = 1), then:
  ◮ for IT-privacy, no better solution than full download,
  ◮ computational privacy is possible (but remains expensive as of now).

SLIDE 20

Main parameters of PIR schemes

We mostly focus on IT-privacy (hence we need n ≥ 2 servers).

Parameters to be taken into account:
  – communication complexity (upload and download)
  – computation complexity (client and servers)
  – server storage overhead
  – maximum size of collusions (t)

Several possible settings:
  – bounded vs. unbounded number of entries,
  – replicated database vs. coded database,
  – dynamic database vs. static database,
  – unresponsive or byzantine servers, etc.

SLIDE 21

Outline (section 2, Transversal designs and codes)

SLIDE 25

Transversal designs

A transversal design TD(n, s) = (X, B, G) is given by:
  ◮ X a set of points, |X| = N = ns,
  ◮ groups G = {Gj}1≤j≤n satisfying X = ⋃_{j=1}^{n} Gj (disjoint union) and |Gj| = s,
  ◮ blocks B ∈ B satisfying
      – B ⊂ X and |B| = n;
      – for all {i, j} ⊂ X, {i, j} lie either in a single group G ∈ G, or in a unique block B ∈ B.

[Figure: the groups G1, G2, . . . , Gn−1, Gn drawn as columns, with two points i, j in different groups and the unique block through them.]

SLIDE 26

Example: a TD(3,3)

  – ns = 9 points
  – n = s = 3: 3 groups G1, G2, G3 of size 3
  – ns = 9 blocks of n = 3 points, partitioned into 3 parallel classes B1, B2, B3

[Figure: the 9 points arranged in three columns G1, G2, G3; the block set B drawn as the three parallel classes B1, B2, B3.]

SLIDE 28

Codes from designs

Let T be a transversal design TD(n, s) = (X, B, G). Its incidence matrix M has size |B| × |X| = ns × ns, and is defined by:

Mi,j = 1 if xj ∈ Bi, and 0 otherwise.

  • Definition. The code C based on T over Fq is the Fq-linear code admitting M as a parity-check matrix (i.e. C⊥ is generated by M).
      – length(C) = |X| = ns,
      – dim(C) = dim(ker M),
      – every B ∈ B gives an h ∈ C⊥ such that wt(h|Gj) = 1, ∀j = 1, . . . , n.

SLIDE 31

Example

The transversal design TD(3, 3) represented by:

[Figure: the 9 points in three columns G1, G2, G3; the block set B as the three parallel classes B1, B2, B3.]

gives a 9 × 9 incidence matrix M, one row per block, with exactly three entries equal to 1 in each row (27 in total; the layout of the matrix is only shown in the figure).

Its rank over F3 is 6 ⇒ the associated code C is a [9, 3]3 code.

SLIDE 32

Outline (section 2, A PIR scheme with transversal designs)

SLIDE 35

The PIR scheme

Private Information Retrieval from Transversal Designs. L. IEEE-TIT. 2019.

Let C ⊆ Fq^N be a code based on a TD(n, s), with N = ns.

  • Initialisation. User U encodes F → c ∈ C, and gives c|Gj to server Sj.
  • To recover Fi = ci, with i ∈ X:
      1. User U randomly picks a block B ∈ B containing i. Then U defines
         qj = Q(i)j := the unique point of B ∩ Gj if i ∉ Gj, and a random point in Gj otherwise.
      2. Each server Sj sends back c_{qj}.
      3. U recovers
         ci = − Σ_{j : i ∉ Gj} c_{qj} = − Σ_{b ∈ B \ {i}} cb.
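As an added worked example (not from the slides), the affine TD(3,3) of slide 31 built in Python: its incidence matrix, the rank over F3 and the code C = ker M, then the one-read protocol (Q, A, R) of this slide and the query-support check behind its privacy proof. It assumes only q = 3; all function and variable names are ours.

```python
"""Added example, not from the slides: the affine TD(3,3) of slide 31, its
incidence matrix and code over F_3, and the one-read PIR protocol of slide 35.
Assumes q = 3 (prime), so field arithmetic is plain integer arithmetic mod 3."""
import random
from itertools import product

Q = 3  # TD(n, s) with n = s = Q
# Points X = F_3^2; group G_x is the vertical line x = const (a hyperplane of A^2);
# the blocks are the 9 non-vertical lines {(x, a*x + b)}, each secant to every group.
POINTS = [(x, y) for x in range(Q) for y in range(Q)]        # |X| = ns = 9
GROUPS = [[(x, y) for y in range(Q)] for x in range(Q)]      # n = 3 groups of size s = 3
BLOCKS = [frozenset((x, (a * x + b) % Q) for x in range(Q))
          for a, b in product(range(Q), repeat=2)]           # |B| = 9, one parallel class per slope a

def incidence_matrix():
    """M[i][j] = 1 if point x_j lies in block B_i, else 0; size |B| x |X| = 9 x 9."""
    return [[1 if p in blk else 0 for p in POINTS] for blk in BLOCKS]

def rref_mod_p(rows, p):
    """Reduced row echelon form over F_p; returns (matrix, list of pivot columns)."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(m[0])):
        piv = next((k for k in range(r, len(m)) if m[k][c] % p), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [(v * inv) % p for v in m[r]]
        for k in range(len(m)):
            if k != r and m[k][c] % p:
                f = m[k][c]
                m[k] = [(a - f * b) % p for a, b in zip(m[k], m[r])]
        pivots.append(c)
        r += 1
        if r == len(m):
            break
    return m, pivots

def rank_mod_p(rows, p):
    return len(rref_mod_p(rows, p)[1])

def nullspace_mod_p(rows, p):
    """Basis of ker M over F_p: a generator matrix of C, since M is its parity-check matrix."""
    m, pivots = rref_mod_p(rows, p)
    ncols = len(rows[0])
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-m[i][free]) % p
        basis.append(v)
    return basis

def encode(message, gen):
    """Initialisation: the user encodes F -> c in C as c = sum_k message[k] * g_k."""
    return [sum(mk * g[j] for mk, g in zip(message, gen)) % Q for j in range(len(gen[0]))]

def query(i_point, rng=random):
    """Q(i): pick a random block B through i; server j is asked for the point of B in G_j,
    except the server whose group contains i, which gets a uniformly random point of G_j."""
    blk = rng.choice([b for b in BLOCKS if i_point in b])
    return [rng.choice(grp) if i_point in grp else next(p for p in grp if p in blk)
            for grp in GROUPS]

def answer(share, q_point):
    """A(q_j, c|G_j): a single read of the requested coordinate."""
    return share[q_point]

def reconstruct(i_point, answers):
    """R: each block is a dual codeword, so its coordinates sum to 0 and
    c_i = -(sum of the answers of the servers whose group does not contain i)."""
    total = sum(r for grp, r in zip(GROUPS, answers) if i_point not in grp)
    return (-total) % Q

def pir_round(c, i_point, rng=random):
    """One complete retrieval of c_i; returns the value the user reconstructs."""
    shares = [{p: c[POINTS.index(p)] for p in grp} for grp in GROUPS]  # c|G_j held by server j
    answers = [answer(sh, q) for sh, q in zip(shares, query(i_point, rng))]
    return reconstruct(i_point, answers)

def query_support(i_point, j):
    """Support of q_j = Q(i)_j. It is all of G_j whatever i is: distinct blocks through i
    meet G_j in distinct points, so q_j is uniform on G_j and reveals nothing about i."""
    grp = GROUPS[j]
    if i_point in grp:
        return set(grp)
    return {next(p for p in grp if p in b) for b in BLOCKS if i_point in b}

if __name__ == "__main__":
    M = incidence_matrix()
    gen = nullspace_mod_p(M, Q)
    print("rank of M over F_3:", rank_mod_p(M, Q), "-> C is a [9, %d]_3 code" % len(gen))
    c = encode([1, 2, 0], gen)  # constructed sample message
    print("retrieved:", pir_round(c, (1, 2)), "stored:", c[POINTS.index((1, 2))])
```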

SLIDE 38

Privacy and parameters

  • Theorem. This PIR protocol is information-theoretically private.

Proof:
  – the only server which holds Fi received a random query;
  – for each other server Sj, the query qj gives no information on the block B which has been picked ⇒ no information leaks on i.

Features.
  ◮ communication complexity: n log s uploaded bits, n log q downloaded bits
  ◮ computational complexity:
      ◮ only 1 read for each server (optimal)
      ◮ ≤ n additions over Fq for the user
  ◮ storage overhead: (ns − k) log q bits, where k = dim(C)

Question: transversal designs with good dim(C) depending on (n, s)?

SLIDE 41

Instances with geometric designs

T_A^{q,m}, the classical affine transversal design:
  ◮ X = Fq^m for m ≥ 2,
  ◮ G a partition of X into q hyperplanes G1, . . . , Gq,
  ◮ B = {affine lines L secant to each Gj}.

The code has:
  – length ns = q^m,
  – “locality” n = q.

[Plot: rate k/N (from 0.1 to 1) against length N = ns = 2^{em} (from 2^10 to 2^45), one curve for each of m = 2, 3, 4, 5.]

Question: better instances?

SLIDE 42

Outline (section 2, Towards collusion resistance)

SLIDE 45

Orthogonal arrays

An orthogonal array OA(t, n, s) of strength t is a list A of words
  – of length n,
  – over a finite set S, |S| = s,
  – such that, for every I ⊂ [1, n] of size t, A|I = S^t.

Equivalently, an OA(t, n, s) is a code A ⊂ S^n with dual distance t + 1.

Construction OA → TD:
  ◮ X = S × [1, n]
  ◮ G = {S × {i}, 1 ≤ i ≤ n}
  ◮ B = {{(ci, i), 1 ≤ i ≤ n}, c ∈ OA}

Example: S = {a, b},

OA(2, 3, 2) =
  a b b
  b b a
  b a b
  a a a

with point set X = {(a, 1), (a, 2), (a, 3), (b, 1), (b, 2), (b, 3)}.

SLIDE 52

Resisting collusions

  • Proposition. For t = 2, an OA(t, n, s) gives a TD(n, s).

Experimentally, for t = 2 and small n and s, codes based on classical affine TDs have the largest dimension.

For t ≥ 3, we get TDs such that: for every t-set T of points lying in t different groups, there exists a unique block B ∈ B such that T ⊂ B.
⇒ The PIR protocol resists t − 1 colluding servers.

  ◮ OAs with t > 2 exist (e.g. from Reed-Solomon codes)
  ◮ But the associated TDs lead to codes with poor rates (except for t ≪ n)

Private Information Retrieval from Transversal Designs. L. IEEE-TIT. 2019.
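Added example (not from the slides): the OA(2, 3, 2) of slide 45 turned into a TD(3, 2) by the OA → TD construction, and an OA(3, 5, 5) built from the Reed-Solomon code of dimension 3 over F5, checked for the unique-block property on t-sets that the collusion-resistance claim above relies on. Reading "from Reed-Solomon codes" as "evaluate all polynomials of degree < t at every point of F_p, p prime" is our assumption, as are all names.

```python
"""Added example, not from the slides: orthogonal arrays, the OA -> TD construction of
slide 45 and the t-set uniqueness behind (t-1)-collusion resistance. Pure Python."""
from itertools import combinations, product

def is_orthogonal_array(rows, t, S):
    """OA(t, n, s): for every t-set I of columns, A|I covers S^t with every t-tuple
    appearing equally often (exactly once for the two arrays below)."""
    n = len(rows[0])
    for I in combinations(range(n), t):
        counts = {}
        for r in rows:
            key = tuple(r[c] for c in I)
            counts[key] = counts.get(key, 0) + 1
        if set(counts) != set(product(S, repeat=t)) or len(set(counts.values())) != 1:
            return False
    return True

def oa_to_td(rows, S):
    """Slide 45: X = S x [1, n], groups S x {i}, blocks {(c_i, i) : 1 <= i <= n} for c in the OA."""
    n = len(rows[0])
    points = [(a, i) for i in range(1, n + 1) for a in S]
    groups = [[(a, i) for a in S] for i in range(1, n + 1)]
    blocks = [frozenset((c[i - 1], i) for i in range(1, n + 1)) for c in rows]
    return points, groups, blocks

def unique_block_property(points, groups, blocks, t):
    """Every t-set of points lying in t different groups is contained in exactly one block.
    t = 2 is the transversal-design axiom; t >= 3 is what makes the PIR (t-1)-private."""
    group_of = {p: gi for gi, g in enumerate(groups) for p in g}
    for T in combinations(points, t):
        if len({group_of[p] for p in T}) < t:
            continue  # not spread over t groups: nothing is required
        if sum(1 for b in blocks if set(T) <= b) != 1:
            return False
    return True

def reed_solomon_oa(p, t):
    """OA(t, p, p) from the Reed-Solomon code of dimension t over F_p (p prime): the rows
    are the evaluation vectors (f(0), ..., f(p-1)) of all polynomials of degree < t."""
    rows = []
    for coeffs in product(range(p), repeat=t):
        rows.append(tuple(sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
                          for x in range(p)))
    return rows

# The OA(2, 3, 2) over S = {a, b} shown on slide 45, one word per row.
OA_232 = [("a", "b", "b"), ("b", "b", "a"), ("b", "a", "b"), ("a", "a", "a")]

if __name__ == "__main__":
    print("slide's OA(2,3,2) is an OA:", is_orthogonal_array(OA_232, 2, ["a", "b"]))
    print("its TD has unique blocks on pairs:", unique_block_property(*oa_to_td(OA_232, ["a", "b"]), 2))
    rs = reed_solomon_oa(5, 3)
    print("RS OA(3,5,5): unique block on 3-sets:", unique_block_property(*oa_to_td(rs, range(5)), 3))
```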

SLIDE 53

Outline (section 2, PIR schemes with lifted codes)

SLIDE 56

Lifted codes

  • Definition. The (full-length) Reed-Solomon code of dimension k over Fq is:

RSq(k) := {ev_{A^1}(f) := (f(x1), . . . , f(xq)) | deg(f) ≤ k − 1}.

Reed-Muller codes = generalization to m-variate polynomials.

  • Definition. The m-th lifted Reed-Solomon code of degree r over Fq is:

Liftq(m, r) := {ev_{A^m}(f) | f ∈ Fq[X] and ∀ affine line L ⊂ A^m, deg(f|L) ≤ r}

(where f|L is the lowest-degree univariate polynomial interpolating f over L).

Lifted codes contain Reed-Muller codes, sometimes properly.

  • Example. For q = 4, m = 2, r = 2: ev(X²Y²) ∈ Lift4(2, 2) but ev(X²Y²) ∉ RM4(2, 2).
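Added example (not from the slides) that checks the claim above by exhaustive computation: F4 arithmetic, the restriction f|L to every affine line of A², and a search over all bivariate polynomials of total degree ≤ 2. The encoding of F4 and all helper names are ours.

```python
"""Added example, not from the slides: verifying ev(X^2 Y^2) in Lift_4(2, 2) but not in
RM_4(2, 2). F_4 = F_2[w]/(w^2 + w + 1); an element is an int 0..3 whose bit 1 is w.
Why it holds: in characteristic 2, (a + b t)^2 (c + d t)^2 = (a^2 + b^2 t^2)(c^2 + d^2 t^2)
and t^4 = t on F_4, so on every line the reduced restriction has degree <= 2, while
X^2 Y^2 itself has total degree 4 and no degree-2 polynomial gives the same function."""
from itertools import product

Q = 4
F4 = range(Q)

def f4_mul(a, b):
    """Carry-less product of two F_4 elements reduced modulo w^2 + w + 1."""
    r = 0
    for _ in range(2):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b100:
            a ^= 0b111
    return r

def f4_pow(a, k):
    r = 1
    for _ in range(k):
        r = f4_mul(r, a)
    return r

def eval_poly2(coeffs, x, y):
    """Evaluate a bivariate polynomial given as {(i, j): c_ij} at (x, y); addition is XOR."""
    acc = 0
    for (i, j), c in coeffs.items():
        acc ^= f4_mul(c, f4_mul(f4_pow(x, i), f4_pow(y, j)))
    return acc

def eval_univariate(cs, t):
    acc = 0
    for k, c in enumerate(cs):
        acc ^= f4_mul(c, f4_pow(t, k))
    return acc

def restricted_degree(values_on_line):
    """deg(f|L): degree of the unique polynomial of degree < q taking the q given values
    at t = 0..q-1. Brute force over the q^q candidates, which is cheap for q = 4."""
    for cs in product(F4, repeat=Q):
        if all(eval_univariate(cs, t) == v for t, v in zip(F4, values_on_line)):
            return max((k for k, c in enumerate(cs) if c), default=-1)
    raise AssertionError("an interpolating polynomial of degree < q always exists")

def in_lifted_code(f, r):
    """ev(f) in Lift_q(2, r): deg(f|L) <= r on every affine line L = {(a + b t, c + d t)}."""
    for a, b, c, d in product(F4, repeat=4):
        if (b, d) == (0, 0):
            continue  # a single point, not a line
        vals = [eval_poly2(f, a ^ f4_mul(b, t), c ^ f4_mul(d, t)) for t in F4]
        if restricted_degree(vals) > r:
            return False
    return True

def in_reed_muller(f, r):
    """ev(f) in RM_q(2, r): some polynomial of total degree <= r has the same evaluations."""
    pts = [(x, y) for x in F4 for y in F4]
    target = [eval_poly2(f, x, y) for x, y in pts]
    monos = [(i, j) for i in range(Q) for j in range(Q) if i + j <= r]
    for cs in product(F4, repeat=len(monos)):
        g = dict(zip(monos, cs))
        if all(eval_poly2(g, x, y) == v for (x, y), v in zip(pts, target)):
            return True
    return False

X2Y2 = {(2, 2): 1}  # the polynomial X^2 Y^2 from the slide

if __name__ == "__main__":
    print("ev(X^2Y^2) in Lift_4(2,2):", in_lifted_code(X2Y2, 2))
    print("ev(X^2Y^2) in RM_4(2,2):  ", in_reed_muller(X2Y2, 2))
```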

SLIDE 59

Weighted lifted codes

For convenience, here m = 2.

  • Definition. A t-curve is:

L = {(x, g(x)) ∈ A² | g ∈ Fq[X], deg(g) ≤ t}

  • Definition. The weighted lifted Reed-Solomon code of degree r and weight t over Fq is:

WLiftq(t, r) := {ev_{A²}(f) | f ∈ Fq[X, Y] and ∀ t-curve L ⊂ A², deg(f|L) ≤ r}

Consequence: for every c ∈ WLiftq(t, r) and every t-curve L, we have c|L ∈ RSq(r).

SLIDE 67

A PIR scheme based on weighted lifted codes

The database is encoded with WLiftq(t, r), then distributed across the servers.

[Figure: servers S1, . . . , S8, each holding one column of the encoded database; the wanted coordinate x; a t-curve L through x; the received answer is decoded → output Fi.]

L is a t-curve ⇒ no t-set of servers can find where x is ⇒ the PIR scheme is t-private.

SLIDE 69

Parameters

Weighted Lifted Codes: Local Correctabilities and Application to Robust Private Information Retrieval. L., Nardi. arXiv:1904.08696. 2019.

  • Theorem. Let p be a prime number, t ≥ 1 and α ≥ 2 be fixed integers. Set Ce = WLift_{p^e}(t, p^e − α). Then the information rate Re of Ce grows to 1 when e → ∞.

Corollary: PIR scheme with relative storage overhead → 0, for a constant number of adversaries.

  • Theorem. Let p be a prime number, t ≥ 1 and c ≥ 1 be fixed integers. Set γ = 1 − p^{−c} and C′e = WLift_{p^e}(t, γp^e). Then the information rate R′e of C′e satisfies:

lim_{e→∞} R′e = K_{t,p,c} > 0

Corollary: PIR scheme with constant relative storage overhead, for a constant number of adversaries and a constant fraction of errors.

SLIDE 70

Outline (section 3, Other constructions of PIR schemes)

SLIDE 74

A new PIR scheme on MBR codes

In the previous schemes: low computation, but moderate communication.

Given a family of storage codes, what is the lowest communication complexity we can hope for in a PIR protocol?

Optimal constructions known for:
  – repetition and parity-check codes [e.g. Sun–Jafar]
  – any MDS code [e.g. Banawan–Ulukus]
  – many other linear codes (some cyclic codes, etc.)

Regenerating codes: better storage systems for repairing node failures.

  • Result. A new PIR protocol featuring low communication for storage systems using MBR codes.

Private Information Retrieval Schemes with Product-Matrix MBR Codes. L., Tajeddine, Freij-Hollanti, Hollanti. Submitted. 2019.

20/25

  • J. Lavauzelle

Séminaire LAGA – Construction of PIR schemes based on codes –

slide-75
SLIDE 75

Single server PIR schemes

Main assumption of previous schemes: n ≥ 2 servers, not all colluding.

Computational PIR:
– only 1 server,
– distinguishing the index i is computationally hard for the server.

Very recently:

Computational Code-Based Single-Server Private Information Retrieval. Holzbaur, Hollanti, Wachter-Zeh. arXiv:2001.07049. 2020.

slide-78
SLIDE 78

Analysis of a code-based PIR scheme: model and query

System model. Entry $F_j$ of the database $F$ is an $(L \times \delta)$ matrix over $\mathbb{F}_q$, and the database is their concatenation $F = (F_1 \mid F_2 \mid \cdots \mid F_m) \in \mathbb{F}_q^{L \times m\delta}$.

Query generation. The user chooses at random:
– a code $C \subseteq \mathbb{F}_{q^s}^n$ of dimension $k$,
– an information set $I \subset [1, n]$ for $C$,
– a basis $\{\gamma_1, \dots, \gamma_s\}$ of $\mathbb{F}_{q^s}/\mathbb{F}_q$, and sets $V := \langle \gamma_1, \dots, \gamma_v \rangle_{\mathbb{F}_q}$ and $W := \langle \gamma_{v+1}, \dots, \gamma_s \rangle_{\mathbb{F}_q}$,
– matrices $D \in \mathbb{F}_{q^s}^{m\delta \times n}$, $E \in V^{m\delta \times n}$ and $Z_i \in W^{m\delta \times n}$ as follows: every row of $D$ is a codeword $c \in C$; $E$ and $Z_i$ are zero on the columns indexed by $I$; $Z_i$ is moreover supported on the rows $[i\delta + 1, (i+1)\delta]$, i.e. the $\delta$-row block of the desired entry $F_i$.

The query sent to the server is $Q_i = D + E + Z_i \in \mathbb{F}_{q^s}^{m\delta \times n}$.

slide-83
SLIDE 83

Analysis of a code-based PIR scheme: response and decoding

Response. The server computes $A_i := F \cdot Q_i \in \mathbb{F}_{q^s}^{L \times n}$.

Decoding. Splitting $Q_i$, $D$, $E$ and $Z_i$ into $m$ blocks of $\delta$ rows (block $r$ multiplies entry $F_r$):

$$A_i = \sum_{r=1}^{m} F_r \cdot Q_{i,r} = \underbrace{\sum_{r=1}^{m} F_r \cdot D_r}_{\text{rows in } C} + \underbrace{\sum_{r=1}^{m} F_r \cdot (E_r + Z_{i,r})}_{\text{zero on } I}.$$

One gets:

$$\sum_{r=1}^{m} F_r \cdot (E_r + Z_{i,r}) = \underbrace{\sum_{r=1}^{m} F_r \cdot E_r}_{\text{rows in } V^n} + \underbrace{F_i \cdot Z_{i,i}}_{\text{rows in } W^n}.$$

(Recall: $Q_i = D + E + Z_i$ with rows of $D$ in $C$, entries of $E$ in $V$, entries of $Z_i$ in $W$, both $E$ and $Z_i$ zero on $I$, and $F = (F_1 \mid F_2 \mid \cdots \mid F_m)$ with $F_j \in \mathbb{F}_q^{L \times \delta}$.)

slide-85
SLIDE 85

Analysis of a code-based PIR scheme: response and decoding

Response. The server computes Ai := F · Qi ∈ FL×n

qs

Decoding. Ai =

m

r=1

Fr · Qi

r = m

r=1

Fr · Dr

  • rows in C

+

m

r=1

Fr · (Er + Zi

r)

  • zero on I

. One gets:

m

r=1

Fr · (Er + Zi

r) =

  • m

r=1

Fr · Er

  • rows in Vn

+ Fi · Zi

i rows in Wn

.

Qi = D

c ∈ C

I mδ n + + E in V I Zi in W I

F1 F2 · · · Fm =: F

δ L

23/25

  • J. Lavauzelle

Séminaire LAGA – Construction of PIR schemes based on codes –

slide-86
SLIDE 86

Analysis of a code-based PIR scheme: attack

Shape of the query: $Q_i = D + E + Z_i$, where $\mathbb{F}_{q^s} = V \oplus W$ with $\dim_{\mathbb{F}_q} V = v$; the entries of $E$ lie in $V$, the entries of $Z_i$ lie in $W$, and $Z_i$ is supported on the rows $[i\delta + 1, (i+1)\delta]$.

The server compares $\mathbb{F}_q$-ranks:
– $\mathrm{rk}_{\mathbb{F}_q}(Q_i[i]) \le ks + (n-k)v$ (besides the codewords, only components in $V$),
– $\mathrm{rk}_{\mathbb{F}_q}(Q_i[j]) = ns$ w.h.p. if $m$ is large enough (components in both $V$ and $W$).
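The following toy implementation is an added example (not code from the talk or its authors) covering both the query/response/decoding slides and the rank-based attack slides. It assumes $q = 2$, $s = 3$ with $\mathrm{GF}(8) = \mathbb{F}_2[x]/(x^3+x+1)$, $v = 1$ (so $V = \langle 1 \rangle$ and $W = \langle \alpha, \alpha^2 \rangle$), small constructed parameters $(n, k, m, \delta, L) = (4, 2, 16, 2, 3)$, a systematic generator matrix so that $I = \{1, \dots, k\}$ is an information set, a $Z_i$ block of full $\mathbb{F}_2$-rank so that $F_i$ can be solved for, and reads the slides' $Q_i[j]$ as $Q_i$ with the $\delta$-row block of entry $j$ deleted (that notation is not defined on the slides). The honest round trip recovers $F_i$ exactly, while the server's rank comparison pins down $i$: the bound $ks + (n-k)v$ from the slides always holds for the block of the desired entry, and deleting any other block leaves the $W$-components in place.

```python
"""Toy instance of the code-based single-server PIR scheme on the slides, plus the
F_q-rank distinguisher of the attack slides.  Added example, not the authors' code.
Assumptions: q = 2, s = 3 with GF(8) = F_2[x]/(x^3 + x + 1), v = 1, small constructed
parameters, and Q_i[j] read as Q_i with the delta-row block of entry j deleted."""
import random
from functools import reduce
from operator import xor

S, MOD = 3, 0b1011                     # extension degree s; assumed modulus x^3 + x + 1
V_DIM = 1                              # v: V = <1>, W = <alpha, alpha^2> over F_2
V_ELEMS, W_ELEMS = [0, 1], [0, 2, 4, 6]
N, K, M, DELTA, L = 4, 2, 16, 2, 3     # code length n, dimension k, m entries of size L x delta
RANK_BOUND = K * S + (N - K) * V_DIM   # ks + (n - k)v, the bound stated on the slides


def gf_mul(a, b):
    """Multiplication in GF(8); elements are 3-bit integers b0 + b1*alpha + b2*alpha^2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= MOD
    return r

def expand(vec):
    """Flatten a vector of GF(8)^n into an (n*s)-bit integer, i.e. a vector over F_2."""
    return reduce(lambda acc, x: (acc << S) | x, vec, 0)

def rank_f2(rows):
    """Rank over F_2 of integer bit-vectors (elimination on leading bits)."""
    basis = {}
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in basis:
                basis[h] = r
                break
            r ^= basis[h]
    return len(basis)

def encode(A, u):
    """Codeword u * [I_k | A] of the [n, k] code C; the first k columns form I."""
    tail = [reduce(xor, (gf_mul(u[j], A[j][t]) for j in range(K)), 0) for t in range(N - K)]
    return list(u) + tail

def gen_query(rng, A, i):
    """User: Q_i = D + E + Z_i.  Rows of D are codewords; E (entries in V) and Z_i (entries
    in W) vanish on the columns of I; Z_i is supported on the delta rows of block i."""
    while True:  # Z_i block of full F_2-rank so that F_i can be solved for (assumption)
        zblock = [[0] * K + [rng.choice(W_ELEMS) for _ in range(N - K)] for _ in range(DELTA)]
        if rank_f2([expand(z) for z in zblock]) == DELTA:
            break
    rows = []
    for r in range(M * DELTA):
        d = encode(A, [rng.randrange(8) for _ in range(K)])
        e = [0] * K + [rng.choice(V_ELEMS) for _ in range(N - K)]
        z = zblock[r % DELTA] if r // DELTA == i else [0] * N
        rows.append([d[c] ^ e[c] ^ z[c] for c in range(N)])
    return rows, zblock

def respond(F, qrows):
    """Server: A_i = F * Q_i with F in F_2^{L x m*delta}; rows of A_i are XORs of query rows."""
    return [[reduce(xor, (qrows[r][c] for r, bit in enumerate(frow) if bit), 0)
             for c in range(N)] for frow in F]

def decode(A, ai, zblock):
    """User: strip the codeword part (fixed by the columns in I), keep the W-component of
    the remainder to isolate F_i * Z_i, then solve each row for the bits of F_i."""
    zexp = [expand(z) for z in zblock]
    fi = []
    for a in ai:
        c = encode(A, a[:K])
        target = expand([(a[j] ^ c[j]) & 0b110 for j in range(N)])  # alpha, alpha^2 coords
        for f in range(1 << DELTA):  # brute force over F_2^delta, fine for tiny delta
            if reduce(xor, (zexp[t] for t in range(DELTA) if f >> t & 1), 0) == target:
                fi.append([f >> t & 1 for t in range(DELTA)])
                break
    return fi

def rank_without_block(qrows, j):
    """F_2-rank of Q_i with the rows of block j deleted (our reading of Q_i[j])."""
    return rank_f2([expand(row) for r, row in enumerate(qrows) if r // DELTA != j])

def attack(qrows):
    """Server: the block whose deletion makes the rank drop is the one carrying Z_i."""
    return min(range(M), key=lambda j: rank_without_block(qrows, j))

def run(seed=1, i=5):
    """Round trip on a constructed random database: returns (decoding correct,
    rank of Q_i without block i, index guessed by the server)."""
    rng = random.Random(seed)
    A = [[rng.randrange(8) for _ in range(N - K)] for _ in range(K)]      # random code
    F = [[rng.randrange(2) for _ in range(M * DELTA)] for _ in range(L)]  # constructed DB
    qrows, zblock = gen_query(rng, A, i)
    recovered = decode(A, respond(F, qrows), zblock)
    wanted = [frow[i * DELTA:(i + 1) * DELTA] for frow in F]
    return recovered == wanted, rank_without_block(qrows, i), attack(qrows)
```

Calling `run()` returns `(True, r, 5)` with `r <= RANK_BOUND = 8`: decoding succeeds, yet the server learns the requested index from ranks alone. The rank drop is structural (rows outside block $i$ live in an $\mathbb{F}_2$-subspace of dimension at most $ks + (n-k)v$), while the "w.h.p." part of the attack only needs enough remaining rows to span that subspace, which is why $m$ must be large enough.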

slide-89
SLIDE 89

Outline

  • 1. Private information retrieval
  • 2. PIR schemes with low computation
      Transversal designs and codes
      A PIR scheme with transversal designs
      Towards collusion resistance
      PIR schemes with lifted codes
  • 3. Other constructions of PIR schemes
  • 4. Conclusion

slide-90
SLIDE 90

Conclusion

Private information retrieval:
◮ has attracted a lot of recent research,
◮ involves various mathematical tools,
◮ but a lot of work remains (questionable assumptions, optimal constructions, other contexts).

Questions?