On Locally Decodable Codes

Self Correctable Codes

t-private PIRand

Omer Barkol, Yuval Ishai and Enav Weinreb

Technion, Israel

On Locally Decodable Codes

Self Correctable Codesand

Omer Barkol, Yuval Ishai and Enav Weinreb

Technion, Israel

ServerClient

[CGKS95]

Want: Correctness and privacy for the client

Communication: Only the trivial Ω(n) solution

i∈[n]

i?xi

q

A(q,x) x∈{0,1}n

t-private PIRP IR

Private Information Retrieval

Client

i

xit servers

x

x∈{0,1}n

x

k servers

i?

[CGKS95]

Private Information Retrievalt-private

q1

A(q1,x)

q2

A(q2,x)

P I Rk-server PIR

PIRt-privateBest known

ServersPaper

K=2

K=3Const. k

CGKS95, BI01,WY05

n1/3n1/5n1/(2k-1)

BIKR02n1/3n1/5.25nloglogk/klogk

Yek07-n10-7

(or n1/loglogn)

t-private version

✔

?

?

Cmessage x encoding

C(x)i

C:{0,1}n→{0,1}m(

n)

is a k-LDC

Randomized Decoder D

k-query LDC

C:{0,1}n→{0,1}

m

k-server PIR

logm query bits

1 bit answer

[KT00]

xi

k

On Locally Decodable Codes

Self Correctable Codes

t-private PIRand

Omer Barkol, Yuval Ishai and Enav Weinreb

Technion, Israel

Best known LDCs

ProbesPaper

K=3Const. k

BF90, CGKS95, BI01

exp(n1/2)exp(n1/(k-1) )

BIKR02exp(n1/2

)exp(nloglogk/klogk )

Yek07exp(n10-7 )

(or exp( n1/loglogn ))

On Locally Decodable Codes

Self Correctable Codes

t-private PIRand

Cmessage x encoding C(x)

j

C:{0,1}n→{0,1}m(

n)

is a k-SCC

Randomized Corrector M

systematick-LDC

Omer Barkol, Yuval Ishai and Enav Weinreb

Technion, Israel

linear k-query SCC

C:{0,1}n→{0,1}

m

linear k-query LDC

C:{0,1}n→{0,1}

m

k

C(x)j

Is it SCC?

✔

?

?

SCC LDC ?

ProbesPaper

K=3Const. k

BF90, CGKS95, BI01

exp(n1/2)exp(n1/(k-1) )

BIKR02exp(n1/2

)exp(nloglogk/klogk )

Yek07exp(n10-7 )

(or exp( n1/loglogn ))

Reed-Muller based

Main Problems

Closing the gap between:• 1-private and t-private PIR• LDC and SCC

RM SCC upper bound

Yek07 LDC upper bound

LDC lower bound

Talk Outline

•Notions and current state

•Our contributions: highlights

•Our contributions: technical details

•Summary and open issues

Our Contributions (1)

1-private k-server

PIR

t-private kt-server

PIR

1-private k-server SRPIR

t-private kt-server

PIR

k-LD

Ck-

SCC

Communication preserving transformations

Best known t-private PIR

?

ServersPaper

K=2

K=3Const. k

CGKS95, BI01,WY05

n1/3n1/5n1/(2k-1)

BIKR02n1/3n1/5.25nloglogk/klogk

Yek07-n10-7

(or n1/loglogn)

t-private version

✔

?

kt

servers

Main Problems

Closing the gap between:• 1-private and t-private PIR• LDC and SCC

Closing the gap of

LDC vs. SCC

Closing the question on t-private PIR

RM SCC upper bound

Yek07 LDC upper bound

LDC lower bound

Linear SCC vs. Combinatorial designs

Based on Hamada’s Conjecture (1973):

Evidence for difficulty of progress on the LDC vs. SCC question

Our Contributions (2)

LDC vs. SCC

Is it SCC?

✔

?

?

ProbesPaper

K=3Const. k

BF90, CGKS95, BI01

exp(n1/2)exp(n1/(k-1) )

BIKR02exp(n1/2

)exp(nloglogk/klogk )

Yek07exp(n10-7 )

(or exp( n1/loglogn ))

?

Talk Outline

•Notions and current state

•Our contributions: highlights

•Our contributions: technical details

•Summary and open issues

1-private PIR t-private PIR

1-private k-server

PIR

t-private kt-server

PIR

k-LD

C

iX

S1,1 S1,2 S1,3

S2,1 S2,2 S2,3

S3,1 S3,2 S3,3

i ≡ i1 + i2

Xi1+i2=Xi

q1(i2)

q2(i2)

q3(i2)

X=X<<0X<

<1X<<2⋮

X<<i2⋮⋮

X<<n-1

i1

i

1-private 3-server PIR to

2-private 32-server PIR q1(i1) q2(i1) q3(i1)

A1 A2 A3A A A

i2? i?

i1? i?

A1 A2 A3

1-private k-server SRPIR

t-private kt-server

PIR

k-SC

C1-private PIR t-private PIR

t(k-1)+1

Xi

1-private 3-server SRPIR to

2-private 5-server PIR

q1 q2q3

A(q3,x)A(q2,x)A(q1,x)

S1 S2 S3q11q12 q13

S1 S2 S3

q23q12 q22q31 q32

q33

xi

S? S? S?S? S? S?S1 S4 S5 S2 S3 S5

Threshold 3-out-of-5 circuit using only Threshold 2-out-of-3 gates

NO

Xi

S1 S2 S3 S4 S5

Threshold3-out-of-5

1-private 3-server SRPIR to

2-private 2(3-1)+1=5-server PIR

Threshold 3-out-of-5 circuit using only Threshold 2-out-of-3 gatesThreshold (t+1)-out-of-t(k-1)+1 circuit using only Threshold 2-out-of-k gates

Combinatorial designs

2-(m,k,λ) design

m points

blocks: sets of k points

each 2 points appear together in λ blocks

1 1 1 11 1 1 1

1 1 1 11 1 1 1

1 1 111 1 1 1

1 1 1 11 1 1 1

1 1 1 11 1 1 1

1 1 1 1

1 1

2-(24,4,1) design

Example: lines in F172

design

Points: GF(17)2

=F172

Blocks: points on a line

2-(172,17,1) design

1 1 1 11 1 1 1

1 1 111 1 1 1

1 1 1 11 1 1 1

1 1 1 11 1 1 1

1 1 1 1

Low rank designs good SCC

1 1 1 11 1 1 1

C = span

2-(m,k,λ) design with p-rank r

C⊥:Fpm-r→Fp

m is a

(k-1)-SCC

Hamada’s Conjecture (‘73): The 2-

(pr,p,1) design that stems from the

lines in Fpr has the smallest p-rank of

all the designs with the same

parameters.

the support of the low-weight words of

the Reed-Muller code

Reed-Muller SCCs

are optimal

Hamada’s

conjecture

Generalization of the conjecture:

Relaxation in the following senses

• dimension (rather than rank)

• over different fields (i.e. q-dimension)

• almost designs

Reed-Muller SCCs

are “essentially

optimal”

Generalized

conjecture

Talk Outline

•Notions and current state

•Our contributions: highlights

•Our contributions: technical details

•Summary and open issues

Summary•Substantial improvement of best t-private PIR

1-private PIR ⇨ t-private PIR

• t-private version of Yekhanin’s protocol

•Interesting connection: SCC and t-private PIR

Better SCC ⇨ better t-private PIR

• SCC=LDC ⇨ 1-private=t-private PIR

•Intriguing connection: SCC and p-rank designs

Prove known SCC optimal ⇨ Hamada’s conjecture

RM SCC upper bound

Yek07 LDC upper bound

LDC lower bound

• Better t-private PIR

• Extend Yek07 to 2-private 5-server PIR? … or even 2-private 8-server PIR?

• LDC vs. SCC• Better SCC than Reed-Muller based

e.g. 3-SCC of length 2o(√n) const. size alphabet

• Better Lower bounds on SCC

separate SCC from LDC

or even super-polynomial lower bounds on SCC

Open Issues

SCC lower bound

thank you